From 87f5883f2455fb115457b65f267f17de305c053c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 31 Jul 2017 23:07:30 +0300 Subject: [PATCH 0001/2384] Initial commit --- .gitignore | 3 + README.md | 166 +++ ansible.cfg | 2 + examples/host-vars.yml | 19 + examples/hosts | 2 + inventory/.gitkeep | 0 .../files/synapse_port_db_with_patch | 941 ++++++++++++++++++ .../files/yum.repos.d/docker-ce.repo | 62 ++ .../tasks/import_media_store.yml | 32 + .../matrix-server/tasks/import_sqlite_db.yml | 78 ++ roles/matrix-server/tasks/main.yml | 45 + roles/matrix-server/tasks/register_user.yml | 20 + roles/matrix-server/tasks/setup_base.yml | 46 + roles/matrix-server/tasks/setup_main.yml | 20 + .../matrix-server/tasks/setup_nginx_proxy.yml | 41 + roles/matrix-server/tasks/setup_postgres.yml | 34 + roles/matrix-server/tasks/setup_riot_web.yml | 30 + roles/matrix-server/tasks/setup_ssl.yml | 37 + roles/matrix-server/tasks/setup_synapse.yml | 87 ++ roles/matrix-server/tasks/start.yml | 13 + .../cron.d/matrix-periodic-restarter.j2 | 11 + .../cron.d/ssl-certificate-renewal.j2 | 14 + .../env/env-postgres-pgsql-docker.j2 | 3 + .../env/env-postgres-server-docker.j2 | 3 + .../nginx-conf.d/matrix-riot-web.conf.j2 | 21 + .../nginx-conf.d/matrix-synapse.conf.j2 | 21 + .../templates/riot-web/config.json.j2 | 15 + .../templates/riot-web/riot.im.conf.j2 | 3 + .../systemd/matrix-nginx-proxy.service.j2 | 27 + .../systemd/matrix-postgres.service.j2 | 24 + .../systemd/matrix-riot-web.service.j2 | 19 + .../systemd/matrix-synapse.service.j2 | 26 + .../usr-local-bin/matrix-postgres-cli.j2 | 3 + .../matrix-synapse-register-user.j2 | 11 + setup.yml | 10 + vars/vars.yml | 41 + 36 files changed, 1930 insertions(+) create mode 100644 .gitignore create mode 100644 README.md create mode 100644 ansible.cfg create mode 100644 examples/host-vars.yml create mode 100644 examples/hosts create mode 100644 inventory/.gitkeep create mode 100644 roles/matrix-server/files/synapse_port_db_with_patch create mode 100644 roles/matrix-server/files/yum.repos.d/docker-ce.repo create mode 100644 roles/matrix-server/tasks/import_media_store.yml create mode 100644 roles/matrix-server/tasks/import_sqlite_db.yml create mode 100644 roles/matrix-server/tasks/main.yml create mode 100644 roles/matrix-server/tasks/register_user.yml create mode 100644 roles/matrix-server/tasks/setup_base.yml create mode 100644 roles/matrix-server/tasks/setup_main.yml create mode 100644 roles/matrix-server/tasks/setup_nginx_proxy.yml create mode 100644 roles/matrix-server/tasks/setup_postgres.yml create mode 100644 roles/matrix-server/tasks/setup_riot_web.yml create mode 100644 roles/matrix-server/tasks/setup_ssl.yml create mode 100644 roles/matrix-server/tasks/setup_synapse.yml create mode 100644 roles/matrix-server/tasks/start.yml create mode 100644 roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 create mode 100644 roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2 create mode 100644 roles/matrix-server/templates/env/env-postgres-pgsql-docker.j2 create mode 100644 roles/matrix-server/templates/env/env-postgres-server-docker.j2 create mode 100644 roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 create mode 100644 roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 create mode 100644 roles/matrix-server/templates/riot-web/config.json.j2 create mode 100644 roles/matrix-server/templates/riot-web/riot.im.conf.j2 create mode 100644 roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 create mode 100644 roles/matrix-server/templates/systemd/matrix-postgres.service.j2 create mode 100644 roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 create mode 100644 roles/matrix-server/templates/systemd/matrix-synapse.service.j2 create mode 100644 roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 create mode 100644 roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 create mode 100644 setup.yml create mode 100644 vars/vars.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..d373e258 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +/inventory/* +!/inventory/.gitkeep +!/inventory/host_vars/.gitkeep diff --git a/README.md b/README.md new file mode 100644 index 00000000..132244ff --- /dev/null +++ b/README.md @@ -0,0 +1,166 @@ +# Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker + +## Purpose + +This Ansible playbook is meant to easily let you run your own [Matrix](http://matrix.org/) homeserver. + +That is, it lets you join the Matrix network with your own `@:` identifier, all hosted on your own server. + +Using this playbook, you can get the following services configured on your server: + +- a [Matrix Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network + +- a [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse - providing better performance than the default [SQLite](https://sqlite.org/) database + +- a [STUN server](https://github.com/coturn/coturn) for WebRTC audio/video calls + +- a [Riot](https://riot.im/) web UI + +- free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI + +Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. + + +## What's different about this Ansible playbook? + +This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) Ansile deployment, but: + +- this one is a complete Ansible playbook (instead of just a role), so it should be **easier to run** - especially for folks not familiar with Ansible + +- this one **can be re-ran many times** without causing trouble + +- this one **runs everything in Docker containers** (like [silviof/docker-matrix](https://hub.docker.com/r/silviof/docker-matrix/) and [silviof/matrix-riot-docker](https://hub.docker.com/r/silviof/matrix-riot-docker/)), so it's likely more predictable + +- this one retrieves and automatically renews free [Let's Encrypt](https://letsencrypt.org/) **SSL certificates** for you + +Special thanks goes to: + +- [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) - for the inspiration + +- [silviof/docker-matrix](https://hub.docker.com/r/silviof/docker-matrix/) - for packaging Matrix Synapse as a Docker image + +- [silviof/matrix-riot-docker](https://hub.docker.com/r/silviof/matrix-riot-docker/) - for packaging Riot as a Docker image + + +## Prerequisites + +- **CentOS server** with no services running on port 80/443 (making this run on non-CentOS servers should be possible in the future) + +- the [Ansible](http://ansible.com/) program, which is used to run this playbook and configures everything for you + +- properly configured DNS SRV record for `` (details in [Configuring DNS](#Configuring-DNS) below) + +- `matrix.` domain name pointing to your new server - this is where the Matrix Synapse server will live (details in [Configuring DNS](#Configuring-DNS) below) + +- `riot.` domain name pointing to your new server - this is where the Riot web UI will live (details in [Configuring DNS](#Configuring-DNS) below) + + +## Configuring DNS + +In order to use an identifier like `@:`, you don't actually need +to install anything on the actual `` server. + +All services created by this playbook are meant to be installed on their own server (such as `matrix.`). + +In order to do this, you must first instruct the Matrix network of this by setting up a DNS SRV record (think of it as a "redirect"). +The SRV record should look like this: +- Name: `_matrix._tcp` (use this text as-is) +- Content: `10 0 8448 matrix.` (replace `` with your own) + +Once you've set up this DNS SRV record, you should create 2 other domain names (`matrix.` and `riot.`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` is fine). + +This playbook can then install all the services on that new server and you'll be able to join the Matrix network as `@:`, even though everything is installed elsewhere (not on ``). + + +## Configuration + +Once you have your server and you have [configured your DNS records](#Configuring-DNS), you can proceed with configuring this playbook, so that it knows what to install and where. + +You can follow these steps: + +- create a directory to hold your configuration (`mkdir inventory/matrix.`) + +- copy the sample configuration file (`cp examples/host-vars.yml inventory/matrix./vars.yml`) + +- edit the configuration file (`inventory/matrix./vars.yml`) to your liking + +- copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) + +- edit the inventory hosts file (`inventory/hosts`) to your liking + + +## Installing + +Once you have your server and you have [configured your DNS records](#Configuring-DNS), you can proceed with installing. + +To make use of this playbook, you should invoke the `setup.yml` playbook multiple times, with different tags. + + +### Configuring a server + +Run this as-is to set up a server. +This doesn't start any services just yet (another step does this later - below). +Feel free to re-run this any time you think something is off with the server configuration. + + ansible-playbook -i inventory/hosts setup.yml --tags=setup-main + + +### Restoring an existing SQLite database (from another installation) + +Run this if you'd like to import your database from a previous default installation of Matrix Synapse. +(don't forget to import your `media_store` files as well - see below). + +While this playbook always sets up PostgreSQL, by default, a Matrix Synapse installation would run +using an SQLite database. + +If you have such a Matrix Synapse setup and wish to migrate it here (and over to PostgreSQL), this command is for you. + +Run this command (make sure to replace `` with a file path on your local machine): + + ansible-playbook -i inventory/hosts setup.yml --extra-vars='local_path_homeserver_db=' --tags=import-sqlite-db + +**Note**: `` must be a file path to a `homeserver.db` file on your local machine (not on the server!). This file is copied to the server and imported. + + +### Restoring `media_store` data files from an existing installation + +Run this if you'd like to import your `media_store` files from a previous installation of Matrix Synapse. + +Run this command (make sure to replace `` with a path on your local machine): + + ansible-playbook -i inventory/hosts setup.yml --extra-vars='local_path_media_store=' --tags=import-media-store + +**Note**: `` must be a file path to a `media_store` directory on your local machine (not on the server!). This directory's contents are then copied to the server. + + +### Starting the services + +Run this as-is to start all the services and to ensure they'll run on system startup later on. + + ansible-playbook -i inventory/hosts setup.yml --tags=start + + +### Registering a user + +Run this to create a new user account on your Matrix server. + +You can do it via this Ansible playbook (make sure to edit the `` and `` part below): + + ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password=' --tags=register-user + +**or** using the command-line after **SSH**-ing to your server (requires that [all services have been started](#Starting-the-services)): + + matrix-synapse-register-user + +**Note**: `` is just a plain username (like `john`), not your full `@:` identifier. + + +## Deficiencies + +This Ansible playbook can be improved in the following ways: + +- setting up automatic backups to one or more storage providers + +- enabling TURN support for the Coturn server - see https://github.com/silvio/docker-matrix#coturn-server + +- [importing an old SQLite database](#Restoring-an-existing-SQLite=database-from-another-installation) likely works because of a patch, but may be fragile until [this](https://github.com/matrix-org/synapse/issues/2287) is fixed \ No newline at end of file diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 00000000..48bc18c4 --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,2 @@ +[defaults] +retry_files_enabled = False diff --git a/examples/host-vars.yml b/examples/host-vars.yml new file mode 100644 index 00000000..d7abcb93 --- /dev/null +++ b/examples/host-vars.yml @@ -0,0 +1,19 @@ +# This is something which is provided to Let's Encrypt +# when retrieving the SSL certificates for ``. +# +# In case SSL renewal fails at some point, you'll also get +# an email notification there. +# +# Example value: someone@example.com +host_specific_ssl_support_email: YOUR_EMAIL_ADDRESS_HERE + +# This is your bare domain name (``, +# but it nevertheless requires to know the bare domain name +# (for configuration purposes). +# +# Example value: example.com +host_specific_hostname_identity: YOUR_BARE_DOMAIN_NAME_HERE \ No newline at end of file diff --git a/examples/hosts b/examples/hosts new file mode 100644 index 00000000..75d68ef6 --- /dev/null +++ b/examples/hosts @@ -0,0 +1,2 @@ +[matrix-servers] +matrix. ansible_host= ansible_ssh_user=root diff --git a/inventory/.gitkeep b/inventory/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/roles/matrix-server/files/synapse_port_db_with_patch b/roles/matrix-server/files/synapse_port_db_with_patch new file mode 100644 index 00000000..e74c754a --- /dev/null +++ b/roles/matrix-server/files/synapse_port_db_with_patch @@ -0,0 +1,941 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# Copyright 2015, 2016 OpenMarket Ltd +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from twisted.internet import defer, reactor +from twisted.enterprise import adbapi + +from synapse.storage._base import LoggingTransaction, SQLBaseStore +from synapse.storage.engines import create_engine +from synapse.storage.prepare_database import prepare_database + +import argparse +import curses +import logging +import sys +import time +import traceback +import yaml + + +logger = logging.getLogger("synapse_port_db") + + +BOOLEAN_COLUMNS = { + "events": ["processed", "outlier", "contains_url"], + "rooms": ["is_public"], + "event_edges": ["is_state"], + "presence_list": ["accepted"], + "presence_stream": ["currently_active"], + "public_room_list_stream": ["visibility"], + "device_lists_outbound_pokes": ["sent"], + "users_who_share_rooms": ["share_private"], +} + + +APPEND_ONLY_TABLES = [ + "event_content_hashes", + "event_reference_hashes", + "event_signatures", + "event_edge_hashes", + "events", + "event_json", + "state_events", + "room_memberships", + "feedback", + "topics", + "room_names", + "rooms", + "local_media_repository", + "local_media_repository_thumbnails", + "remote_media_cache", + "remote_media_cache_thumbnails", + "redactions", + "event_edges", + "event_auth", + "received_transactions", + "sent_transactions", + "transaction_id_to_pdu", + "users", + "state_groups", + "state_groups_state", + "event_to_state_groups", + "rejections", + "event_search", + "presence_stream", + "push_rules_stream", + "current_state_resets", + "ex_outlier_stream", + "cache_invalidation_stream", + "public_room_list_stream", + "state_group_edges", + "stream_ordering_to_exterm", +] + + +end_error_exec_info = None + + +class Store(object): + """This object is used to pull out some of the convenience API from the + Storage layer. + + *All* database interactions should go through this object. + """ + def __init__(self, db_pool, engine): + self.db_pool = db_pool + self.database_engine = engine + + _simple_insert_txn = SQLBaseStore.__dict__["_simple_insert_txn"] + _simple_insert = SQLBaseStore.__dict__["_simple_insert"] + + _simple_select_onecol_txn = SQLBaseStore.__dict__["_simple_select_onecol_txn"] + _simple_select_onecol = SQLBaseStore.__dict__["_simple_select_onecol"] + _simple_select_one = SQLBaseStore.__dict__["_simple_select_one"] + _simple_select_one_txn = SQLBaseStore.__dict__["_simple_select_one_txn"] + _simple_select_one_onecol = SQLBaseStore.__dict__["_simple_select_one_onecol"] + _simple_select_one_onecol_txn = SQLBaseStore.__dict__[ + "_simple_select_one_onecol_txn" + ] + + _simple_update_one = SQLBaseStore.__dict__["_simple_update_one"] + _simple_update_one_txn = SQLBaseStore.__dict__["_simple_update_one_txn"] + + def runInteraction(self, desc, func, *args, **kwargs): + def r(conn): + try: + i = 0 + N = 5 + while True: + try: + txn = conn.cursor() + return func( + LoggingTransaction(txn, desc, self.database_engine, [], []), + *args, **kwargs + ) + except self.database_engine.module.DatabaseError as e: + if self.database_engine.is_deadlock(e): + logger.warn("[TXN DEADLOCK] {%s} %d/%d", desc, i, N) + if i < N: + i += 1 + conn.rollback() + continue + raise + except Exception as e: + logger.debug("[TXN FAIL] {%s} %s", desc, e) + raise + + return self.db_pool.runWithConnection(r) + + def execute(self, f, *args, **kwargs): + return self.runInteraction(f.__name__, f, *args, **kwargs) + + def execute_sql(self, sql, *args): + def r(txn): + txn.execute(sql, args) + return txn.fetchall() + return self.runInteraction("execute_sql", r) + + def insert_many_txn(self, txn, table, headers, rows): + sql = "INSERT INTO %s (%s) VALUES (%s)" % ( + table, + ", ".join(k for k in headers), + ", ".join("%s" for _ in headers) + ) + + try: + txn.executemany(sql, rows) + except: + logger.exception( + "Failed to insert: %s", + table, + ) + raise + + +class Porter(object): + def __init__(self, **kwargs): + self.__dict__.update(kwargs) + + @defer.inlineCallbacks + def setup_table(self, table): + if table in APPEND_ONLY_TABLES: + # It's safe to just carry on inserting. + row = yield self.postgres_store._simple_select_one( + table="port_from_sqlite3", + keyvalues={"table_name": table}, + retcols=("forward_rowid", "backward_rowid"), + allow_none=True, + ) + + total_to_port = None + if row is None: + if table == "sent_transactions": + forward_chunk, already_ported, total_to_port = ( + yield self._setup_sent_transactions() + ) + backward_chunk = 0 + else: + yield self.postgres_store._simple_insert( + table="port_from_sqlite3", + values={ + "table_name": table, + "forward_rowid": 1, + "backward_rowid": 0, + } + ) + + forward_chunk = 1 + backward_chunk = 0 + already_ported = 0 + else: + forward_chunk = row["forward_rowid"] + backward_chunk = row["backward_rowid"] + + if total_to_port is None: + already_ported, total_to_port = yield self._get_total_count_to_port( + table, forward_chunk, backward_chunk + ) + else: + def delete_all(txn): + txn.execute( + "DELETE FROM port_from_sqlite3 WHERE table_name = %s", + (table,) + ) + txn.execute("TRUNCATE %s CASCADE" % (table,)) + + yield self.postgres_store.execute(delete_all) + + yield self.postgres_store._simple_insert( + table="port_from_sqlite3", + values={ + "table_name": table, + "forward_rowid": 1, + "backward_rowid": 0, + } + ) + + forward_chunk = 1 + backward_chunk = 0 + + already_ported, total_to_port = yield self._get_total_count_to_port( + table, forward_chunk, backward_chunk + ) + + defer.returnValue( + (table, already_ported, total_to_port, forward_chunk, backward_chunk) + ) + + @defer.inlineCallbacks + def handle_table(self, table, postgres_size, table_size, forward_chunk, + backward_chunk): + if not table_size: + return + + self.progress.add_table(table, postgres_size, table_size) + + # Patch from: https://github.com/matrix-org/synapse/issues/2287 + if table == "user_directory_search": + # FIXME: actually port it, but for now we can leave it blank + # and have the server regenerate it. + # you will need to set the values of user_directory_stream_pos + # to be ('X', null) to force a regen + return + + if table == "event_search": + yield self.handle_search_table( + postgres_size, table_size, forward_chunk, backward_chunk + ) + return + + forward_select = ( + "SELECT rowid, * FROM %s WHERE rowid >= ? ORDER BY rowid LIMIT ?" + % (table,) + ) + + backward_select = ( + "SELECT rowid, * FROM %s WHERE rowid <= ? ORDER BY rowid LIMIT ?" + % (table,) + ) + + do_forward = [True] + do_backward = [True] + + while True: + def r(txn): + forward_rows = [] + backward_rows = [] + if do_forward[0]: + txn.execute(forward_select, (forward_chunk, self.batch_size,)) + forward_rows = txn.fetchall() + if not forward_rows: + do_forward[0] = False + + if do_backward[0]: + txn.execute(backward_select, (backward_chunk, self.batch_size,)) + backward_rows = txn.fetchall() + if not backward_rows: + do_backward[0] = False + + if forward_rows or backward_rows: + headers = [column[0] for column in txn.description] + else: + headers = None + + return headers, forward_rows, backward_rows + + headers, frows, brows = yield self.sqlite_store.runInteraction( + "select", r + ) + + if frows or brows: + if frows: + forward_chunk = max(row[0] for row in frows) + 1 + if brows: + backward_chunk = min(row[0] for row in brows) - 1 + + rows = frows + brows + self._convert_rows(table, headers, rows) + + def insert(txn): + self.postgres_store.insert_many_txn( + txn, table, headers[1:], rows + ) + + self.postgres_store._simple_update_one_txn( + txn, + table="port_from_sqlite3", + keyvalues={"table_name": table}, + updatevalues={ + "forward_rowid": forward_chunk, + "backward_rowid": backward_chunk, + }, + ) + + yield self.postgres_store.execute(insert) + + postgres_size += len(rows) + + self.progress.update(table, postgres_size) + else: + return + + @defer.inlineCallbacks + def handle_search_table(self, postgres_size, table_size, forward_chunk, + backward_chunk): + select = ( + "SELECT es.rowid, es.*, e.origin_server_ts, e.stream_ordering" + " FROM event_search as es" + " INNER JOIN events AS e USING (event_id, room_id)" + " WHERE es.rowid >= ?" + " ORDER BY es.rowid LIMIT ?" + ) + + while True: + def r(txn): + txn.execute(select, (forward_chunk, self.batch_size,)) + rows = txn.fetchall() + headers = [column[0] for column in txn.description] + + return headers, rows + + headers, rows = yield self.sqlite_store.runInteraction("select", r) + + if rows: + forward_chunk = rows[-1][0] + 1 + + # We have to treat event_search differently since it has a + # different structure in the two different databases. + def insert(txn): + sql = ( + "INSERT INTO event_search (event_id, room_id, key," + " sender, vector, origin_server_ts, stream_ordering)" + " VALUES (?,?,?,?,to_tsvector('english', ?),?,?)" + ) + + rows_dict = [ + dict(zip(headers, row)) + for row in rows + ] + + txn.executemany(sql, [ + ( + row["event_id"], + row["room_id"], + row["key"], + row["sender"], + row["value"], + row["origin_server_ts"], + row["stream_ordering"], + ) + for row in rows_dict + ]) + + self.postgres_store._simple_update_one_txn( + txn, + table="port_from_sqlite3", + keyvalues={"table_name": "event_search"}, + updatevalues={ + "forward_rowid": forward_chunk, + "backward_rowid": backward_chunk, + }, + ) + + yield self.postgres_store.execute(insert) + + postgres_size += len(rows) + + self.progress.update("event_search", postgres_size) + + else: + return + + def setup_db(self, db_config, database_engine): + db_conn = database_engine.module.connect( + **{ + k: v for k, v in db_config.get("args", {}).items() + if not k.startswith("cp_") + } + ) + + prepare_database(db_conn, database_engine, config=None) + + db_conn.commit() + + @defer.inlineCallbacks + def run(self): + try: + sqlite_db_pool = adbapi.ConnectionPool( + self.sqlite_config["name"], + **self.sqlite_config["args"] + ) + + postgres_db_pool = adbapi.ConnectionPool( + self.postgres_config["name"], + **self.postgres_config["args"] + ) + + sqlite_engine = create_engine(sqlite_config) + postgres_engine = create_engine(postgres_config) + + self.sqlite_store = Store(sqlite_db_pool, sqlite_engine) + self.postgres_store = Store(postgres_db_pool, postgres_engine) + + yield self.postgres_store.execute( + postgres_engine.check_database + ) + + # Step 1. Set up databases. + self.progress.set_state("Preparing SQLite3") + self.setup_db(sqlite_config, sqlite_engine) + + self.progress.set_state("Preparing PostgreSQL") + self.setup_db(postgres_config, postgres_engine) + + # Step 2. Get tables. + self.progress.set_state("Fetching tables") + sqlite_tables = yield self.sqlite_store._simple_select_onecol( + table="sqlite_master", + keyvalues={ + "type": "table", + }, + retcol="name", + ) + + postgres_tables = yield self.postgres_store._simple_select_onecol( + table="information_schema.tables", + keyvalues={}, + retcol="distinct table_name", + ) + + tables = set(sqlite_tables) & set(postgres_tables) + + self.progress.set_state("Creating tables") + + logger.info("Found %d tables", len(tables)) + + def create_port_table(txn): + txn.execute( + "CREATE TABLE port_from_sqlite3 (" + " table_name varchar(100) NOT NULL UNIQUE," + " forward_rowid bigint NOT NULL," + " backward_rowid bigint NOT NULL" + ")" + ) + + # The old port script created a table with just a "rowid" column. + # We want people to be able to rerun this script from an old port + # so that they can pick up any missing events that were not + # ported across. + def alter_table(txn): + txn.execute( + "ALTER TABLE IF EXISTS port_from_sqlite3" + " RENAME rowid TO forward_rowid" + ) + txn.execute( + "ALTER TABLE IF EXISTS port_from_sqlite3" + " ADD backward_rowid bigint NOT NULL DEFAULT 0" + ) + + try: + yield self.postgres_store.runInteraction( + "alter_table", alter_table + ) + except Exception as e: + logger.info("Failed to create port table: %s", e) + + try: + yield self.postgres_store.runInteraction( + "create_port_table", create_port_table + ) + except Exception as e: + logger.info("Failed to create port table: %s", e) + + self.progress.set_state("Setting up") + + # Set up tables. + setup_res = yield defer.gatherResults( + [ + self.setup_table(table) + for table in tables + if table not in ["schema_version", "applied_schema_deltas"] + and not table.startswith("sqlite_") + ], + consumeErrors=True, + ) + + # Process tables. + yield defer.gatherResults( + [ + self.handle_table(*res) + for res in setup_res + ], + consumeErrors=True, + ) + + self.progress.done() + except: + global end_error_exec_info + end_error_exec_info = sys.exc_info() + logger.exception("") + finally: + reactor.stop() + + def _convert_rows(self, table, headers, rows): + bool_col_names = BOOLEAN_COLUMNS.get(table, []) + + bool_cols = [ + i for i, h in enumerate(headers) if h in bool_col_names + ] + + def conv(j, col): + if j in bool_cols: + return bool(col) + return col + + for i, row in enumerate(rows): + rows[i] = tuple( + conv(j, col) + for j, col in enumerate(row) + if j > 0 + ) + + @defer.inlineCallbacks + def _setup_sent_transactions(self): + # Only save things from the last day + yesterday = int(time.time() * 1000) - 86400000 + + # And save the max transaction id from each destination + select = ( + "SELECT rowid, * FROM sent_transactions WHERE rowid IN (" + "SELECT max(rowid) FROM sent_transactions" + " GROUP BY destination" + ")" + ) + + def r(txn): + txn.execute(select) + rows = txn.fetchall() + headers = [column[0] for column in txn.description] + + ts_ind = headers.index('ts') + + return headers, [r for r in rows if r[ts_ind] < yesterday] + + headers, rows = yield self.sqlite_store.runInteraction( + "select", r, + ) + + self._convert_rows("sent_transactions", headers, rows) + + inserted_rows = len(rows) + if inserted_rows: + max_inserted_rowid = max(r[0] for r in rows) + + def insert(txn): + self.postgres_store.insert_many_txn( + txn, "sent_transactions", headers[1:], rows + ) + + yield self.postgres_store.execute(insert) + else: + max_inserted_rowid = 0 + + def get_start_id(txn): + txn.execute( + "SELECT rowid FROM sent_transactions WHERE ts >= ?" + " ORDER BY rowid ASC LIMIT 1", + (yesterday,) + ) + + rows = txn.fetchall() + if rows: + return rows[0][0] + else: + return 1 + + next_chunk = yield self.sqlite_store.execute(get_start_id) + next_chunk = max(max_inserted_rowid + 1, next_chunk) + + yield self.postgres_store._simple_insert( + table="port_from_sqlite3", + values={ + "table_name": "sent_transactions", + "forward_rowid": next_chunk, + "backward_rowid": 0, + } + ) + + def get_sent_table_size(txn): + txn.execute( + "SELECT count(*) FROM sent_transactions" + " WHERE ts >= ?", + (yesterday,) + ) + size, = txn.fetchone() + return int(size) + + remaining_count = yield self.sqlite_store.execute( + get_sent_table_size + ) + + total_count = remaining_count + inserted_rows + + defer.returnValue((next_chunk, inserted_rows, total_count)) + + @defer.inlineCallbacks + def _get_remaining_count_to_port(self, table, forward_chunk, backward_chunk): + frows = yield self.sqlite_store.execute_sql( + "SELECT count(*) FROM %s WHERE rowid >= ?" % (table,), + forward_chunk, + ) + + brows = yield self.sqlite_store.execute_sql( + "SELECT count(*) FROM %s WHERE rowid <= ?" % (table,), + backward_chunk, + ) + + defer.returnValue(frows[0][0] + brows[0][0]) + + @defer.inlineCallbacks + def _get_already_ported_count(self, table): + rows = yield self.postgres_store.execute_sql( + "SELECT count(*) FROM %s" % (table,), + ) + + defer.returnValue(rows[0][0]) + + @defer.inlineCallbacks + def _get_total_count_to_port(self, table, forward_chunk, backward_chunk): + remaining, done = yield defer.gatherResults( + [ + self._get_remaining_count_to_port(table, forward_chunk, backward_chunk), + self._get_already_ported_count(table), + ], + consumeErrors=True, + ) + + remaining = int(remaining) if remaining else 0 + done = int(done) if done else 0 + + defer.returnValue((done, remaining + done)) + + +############################################## +###### The following is simply UI stuff ###### +############################################## + + +class Progress(object): + """Used to report progress of the port + """ + def __init__(self): + self.tables = {} + + self.start_time = int(time.time()) + + def add_table(self, table, cur, size): + self.tables[table] = { + "start": cur, + "num_done": cur, + "total": size, + "perc": int(cur * 100 / size), + } + + def update(self, table, num_done): + data = self.tables[table] + data["num_done"] = num_done + data["perc"] = int(num_done * 100 / data["total"]) + + def done(self): + pass + + +class CursesProgress(Progress): + """Reports progress to a curses window + """ + def __init__(self, stdscr): + self.stdscr = stdscr + + curses.use_default_colors() + curses.curs_set(0) + + curses.init_pair(1, curses.COLOR_RED, -1) + curses.init_pair(2, curses.COLOR_GREEN, -1) + + self.last_update = 0 + + self.finished = False + + self.total_processed = 0 + self.total_remaining = 0 + + super(CursesProgress, self).__init__() + + def update(self, table, num_done): + super(CursesProgress, self).update(table, num_done) + + self.total_processed = 0 + self.total_remaining = 0 + for table, data in self.tables.items(): + self.total_processed += data["num_done"] - data["start"] + self.total_remaining += data["total"] - data["num_done"] + + self.render() + + def render(self, force=False): + now = time.time() + + if not force and now - self.last_update < 0.2: + # reactor.callLater(1, self.render) + return + + self.stdscr.clear() + + rows, cols = self.stdscr.getmaxyx() + + duration = int(now) - int(self.start_time) + + minutes, seconds = divmod(duration, 60) + duration_str = '%02dm %02ds' % (minutes, seconds,) + + if self.finished: + status = "Time spent: %s (Done!)" % (duration_str,) + else: + + if self.total_processed > 0: + left = float(self.total_remaining) / self.total_processed + + est_remaining = (int(now) - self.start_time) * left + est_remaining_str = '%02dm %02ds remaining' % divmod(est_remaining, 60) + else: + est_remaining_str = "Unknown" + status = ( + "Time spent: %s (est. remaining: %s)" + % (duration_str, est_remaining_str,) + ) + + self.stdscr.addstr( + 0, 0, + status, + curses.A_BOLD, + ) + + max_len = max([len(t) for t in self.tables.keys()]) + + left_margin = 5 + middle_space = 1 + + items = self.tables.items() + items.sort( + key=lambda i: (i[1]["perc"], i[0]), + ) + + for i, (table, data) in enumerate(items): + if i + 2 >= rows: + break + + perc = data["perc"] + + color = curses.color_pair(2) if perc == 100 else curses.color_pair(1) + + self.stdscr.addstr( + i + 2, left_margin + max_len - len(table), + table, + curses.A_BOLD | color, + ) + + size = 20 + + progress = "[%s%s]" % ( + "#" * int(perc * size / 100), + " " * (size - int(perc * size / 100)), + ) + + self.stdscr.addstr( + i + 2, left_margin + max_len + middle_space, + "%s %3d%% (%d/%d)" % (progress, perc, data["num_done"], data["total"]), + ) + + if self.finished: + self.stdscr.addstr( + rows - 1, 0, + "Press any key to exit...", + ) + + self.stdscr.refresh() + self.last_update = time.time() + + def done(self): + self.finished = True + self.render(True) + self.stdscr.getch() + + def set_state(self, state): + self.stdscr.clear() + self.stdscr.addstr( + 0, 0, + state + "...", + curses.A_BOLD, + ) + self.stdscr.refresh() + + +class TerminalProgress(Progress): + """Just prints progress to the terminal + """ + def update(self, table, num_done): + super(TerminalProgress, self).update(table, num_done) + + data = self.tables[table] + + print "%s: %d%% (%d/%d)" % ( + table, data["perc"], + data["num_done"], data["total"], + ) + + def set_state(self, state): + print state + "..." + + +############################################## +############################################## + + +if __name__ == "__main__": + parser = argparse.ArgumentParser( + description="A script to port an existing synapse SQLite database to" + " a new PostgreSQL database." + ) + parser.add_argument("-v", action='store_true') + parser.add_argument( + "--sqlite-database", required=True, + help="The snapshot of the SQLite database file. This must not be" + " currently used by a running synapse server" + ) + parser.add_argument( + "--postgres-config", type=argparse.FileType('r'), required=True, + help="The database config file for the PostgreSQL database" + ) + parser.add_argument( + "--curses", action='store_true', + help="display a curses based progress UI" + ) + + parser.add_argument( + "--batch-size", type=int, default=1000, + help="The number of rows to select from the SQLite table each" + " iteration [default=1000]", + ) + + args = parser.parse_args() + + logging_config = { + "level": logging.DEBUG if args.v else logging.INFO, + "format": "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(message)s" + } + + if args.curses: + logging_config["filename"] = "port-synapse.log" + + logging.basicConfig(**logging_config) + + sqlite_config = { + "name": "sqlite3", + "args": { + "database": args.sqlite_database, + "cp_min": 1, + "cp_max": 1, + "check_same_thread": False, + }, + } + + postgres_config = yaml.safe_load(args.postgres_config) + + if "database" in postgres_config: + postgres_config = postgres_config["database"] + + if "name" not in postgres_config: + sys.stderr.write("Malformed database config: no 'name'") + sys.exit(2) + if postgres_config["name"] != "psycopg2": + sys.stderr.write("Database must use 'psycopg2' connector.") + sys.exit(3) + + def start(stdscr=None): + if stdscr: + progress = CursesProgress(stdscr) + else: + progress = TerminalProgress() + + porter = Porter( + sqlite_config=sqlite_config, + postgres_config=postgres_config, + progress=progress, + batch_size=args.batch_size, + ) + + reactor.callWhenRunning(porter.run) + + reactor.run() + + if args.curses: + curses.wrapper(start) + else: + start() + + if end_error_exec_info: + exc_type, exc_value, exc_traceback = end_error_exec_info + traceback.print_exception(exc_type, exc_value, exc_traceback) diff --git a/roles/matrix-server/files/yum.repos.d/docker-ce.repo b/roles/matrix-server/files/yum.repos.d/docker-ce.repo new file mode 100644 index 00000000..56242d98 --- /dev/null +++ b/roles/matrix-server/files/yum.repos.d/docker-ce.repo @@ -0,0 +1,62 @@ +[docker-ce-stable] +name=Docker CE Stable - $basearch +baseurl=https://download.docker.com/linux/centos/7/$basearch/stable +enabled=1 +gpgcheck=1 +gpgkey=https://download.docker.com/linux/centos/gpg + +[docker-ce-stable-debuginfo] +name=Docker CE Stable - Debuginfo $basearch +baseurl=https://download.docker.com/linux/centos/7/debug-$basearch/stable +enabled=0 +gpgcheck=1 +gpgkey=https://download.docker.com/linux/centos/gpg + +[docker-ce-stable-source] +name=Docker CE Stable - Sources +baseurl=https://download.docker.com/linux/centos/7/source/stable +enabled=0 +gpgcheck=1 +gpgkey=https://download.docker.com/linux/centos/gpg + +[docker-ce-edge] +name=Docker CE Edge - $basearch +baseurl=https://download.docker.com/linux/centos/7/$basearch/edge +enabled=0 +gpgcheck=1 +gpgkey=https://download.docker.com/linux/centos/gpg + +[docker-ce-edge-debuginfo] +name=Docker CE Edge - Debuginfo $basearch +baseurl=https://download.docker.com/linux/centos/7/debug-$basearch/edge +enabled=0 +gpgcheck=1 +gpgkey=https://download.docker.com/linux/centos/gpg + +[docker-ce-edge-source] +name=Docker CE Edge - Sources +baseurl=https://download.docker.com/linux/centos/7/source/edge +enabled=0 +gpgcheck=1 +gpgkey=https://download.docker.com/linux/centos/gpg + +[docker-ce-test] +name=Docker CE Test - $basearch +baseurl=https://download.docker.com/linux/centos/7/$basearch/test +enabled=0 +gpgcheck=1 +gpgkey=https://download.docker.com/linux/centos/gpg + +[docker-ce-test-debuginfo] +name=Docker CE Test - Debuginfo $basearch +baseurl=https://download.docker.com/linux/centos/7/debug-$basearch/test +enabled=0 +gpgcheck=1 +gpgkey=https://download.docker.com/linux/centos/gpg + +[docker-ce-test-source] +name=Docker CE Test - Sources +baseurl=https://download.docker.com/linux/centos/7/source/test +enabled=0 +gpgcheck=1 +gpgkey=https://download.docker.com/linux/centos/gpg diff --git a/roles/matrix-server/tasks/import_media_store.yml b/roles/matrix-server/tasks/import_media_store.yml new file mode 100644 index 00000000..955309c0 --- /dev/null +++ b/roles/matrix-server/tasks/import_media_store.yml @@ -0,0 +1,32 @@ +--- + +- name: Fail if playbook called incorrectly + fail: msg="The `local_path_media_store` variable needs to be provided to this playbook, via --extra-vars" + when: "local_path_media_store is not defined or local_path_media_store.startswith('<')" + +- name: Check if the provided media store directory exists + stat: path="{{ local_path_media_store }}" + delegate_to: 127.0.0.1 + become: false + register: local_path_media_store_stat + +- name: Fail if provided media_store directory doesn't exist on the local machine + fail: msg="File cannot be found on the local machine at {{ local_path_media_store }}" + when: "not local_path_media_store_stat.stat.exists or not local_path_media_store_stat.stat.isdir" + +- name: Ensure matrix-synapse is stopped + service: name=matrix-synapse state=stopped daemon_reload=yes + register: stopping_result + +- name: Ensure provided media_store directory is copied to the server + synchronize: + src: "{{ local_path_media_store }}/" + dest: "{{ matrix_synapse_data_path }}/media_store" + delete: yes + +- name: Ensure Matrix Synapse is started (if it previously was) + service: name="{{ item }}" state=started daemon_reload=yes + when: stopping_result.changed + with_items: + - matrix-synapse + - matrix-nginx-proxy diff --git a/roles/matrix-server/tasks/import_sqlite_db.yml b/roles/matrix-server/tasks/import_sqlite_db.yml new file mode 100644 index 00000000..5809acd8 --- /dev/null +++ b/roles/matrix-server/tasks/import_sqlite_db.yml @@ -0,0 +1,78 @@ +--- + +- name: Fail if playbook called incorrectly + fail: msg="The `local_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars" + when: "local_path_homeserver_db is not defined or local_path_homeserver_db.startswith('<')" + +- name: Check if the provided SQLite homeserver.db file exists + stat: path="{{ local_path_homeserver_db }}" + delegate_to: 127.0.0.1 + become: false + register: local_path_homeserver_db_stat + +- name: Fail if provided SQLite homeserver.db file doesn't exist + fail: msg="File cannot be found on the local machine at {{ local_path_homeserver_db }}" + when: not local_path_homeserver_db_stat.stat.exists + +- name: Ensure scratchpad directory exists + file: + path: "{{ matrix_scratchpad_dir }}" + state: directory + mode: 0755 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure provided SQLite homeserver.db file is copied to scratchpad directory on the server + synchronize: + src: "{{ local_path_homeserver_db }}" + dest: "{{ matrix_scratchpad_dir }}/homeserver.db" + +- name: Ensure matrix-postgres is stopped + service: name=matrix-postgres state=stopped daemon_reload=yes + +- name: Ensure postgres data is wiped out + file: + path: "{{ matrix_postgres_data_path }}" + state: absent + +- name: Ensure postgres data path exists + file: + path: "{{ matrix_postgres_data_path }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure matrix-postgres is started + service: name=matrix-postgres state=restarted daemon_reload=yes + +- name: Wait a while, so that Postgres can manage to start + pause: seconds=7 + +# Fixes a problem with porting the `user_directory_search` table. +# https://github.com/matrix-org/synapse/issues/2287 +- name: Ensure synapse_port_db_with_patch exists + copy: + src: "{{ role_path }}/files/synapse_port_db_with_patch" + dest: "{{ matrix_scratchpad_dir }}/synapse_port_db_with_patch" + +- name: Importing SQLite database into Postgres + docker_container: + name: matrix-synapse-migrate + image: "{{ docker_matrix_image }}" + detach: no + cleanup: yes + entrypoint: /usr/bin/python + command: "/usr/local/bin/synapse_port_db_with_patch --sqlite-database /scratchpad/homeserver.db --postgres-config /data/homeserver.yaml" + user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" + volumes: + - "{{ matrix_synapse_data_path }}:/data" + - "{{ matrix_scratchpad_dir }}:/scratchpad" + - "{{ matrix_scratchpad_dir }}/synapse_port_db_with_patch:/usr/local/bin/synapse_port_db_with_patch" + links: + - "matrix-postgres:postgres" + +- name: Ensure scratchpad directory is deleted + file: + path: "{{ matrix_scratchpad_dir }}" + state: absent \ No newline at end of file diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml new file mode 100644 index 00000000..aa501bb6 --- /dev/null +++ b/roles/matrix-server/tasks/main.yml @@ -0,0 +1,45 @@ +--- + +- include: tasks/setup_base.yml + tags: + - setup-main + +- include: tasks/setup_main.yml + tags: + - setup-main + +- include: tasks/setup_ssl.yml + tags: + - setup-main + +- include: tasks/setup_postgres.yml + tags: + - setup-main + +- include: tasks/setup_synapse.yml + tags: + - setup-main + +- include: tasks/setup_riot_web.yml + tags: + - setup-main + +- include: tasks/setup_nginx_proxy.yml + tags: + - setup-main + +- include: tasks/start.yml + tags: + - start + +- include: tasks/register_user.yml + tags: + - register-user + +- include: tasks/import_sqlite_db.yml + tags: + - import-sqlite-db + +- include: tasks/import_media_store.yml + tags: + - import-media-store \ No newline at end of file diff --git a/roles/matrix-server/tasks/register_user.yml b/roles/matrix-server/tasks/register_user.yml new file mode 100644 index 00000000..38f3a2a9 --- /dev/null +++ b/roles/matrix-server/tasks/register_user.yml @@ -0,0 +1,20 @@ +--- + +- name: Fail if playbook called incorrectly + fail: msg="The `username` variable needs to be provided to this playbook, via --extra-vars" + when: "username is not defined or username == ''" + +- name: Fail if playbook called incorrectly + fail: msg="The `password` variable needs to be provided to this playbook, via --extra-vars" + when: "password is not defined or password == ''" + +- name: Ensure matrix-synapse is started + service: name=matrix-synapse state=started daemon_reload=yes + register: start_result + +- name: Wait a while, so that Matrix Synapse can manage to start + pause: seconds=7 + when: start_result.changed + +- name: Register user + shell: "matrix-synapse-register-user {{ username }} {{ password }}" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_base.yml b/roles/matrix-server/tasks/setup_base.yml new file mode 100644 index 00000000..fb5dce2e --- /dev/null +++ b/roles/matrix-server/tasks/setup_base.yml @@ -0,0 +1,46 @@ +--- + +- name: Ensure Docker repository is enabled (CentOS) + template: + src: "{{ role_path }}/files/yum.repos.d/{{ item }}" + dest: "/etc/yum.repos.d/{{ item }}" + owner: "root" + group: "root" + mode: 0644 + with_items: + - docker-ce.repo + when: ansible_distribution == 'CentOS' + +- name: Ensure Docker's RPM key is trusted + rpm_key: + state: present + key: https://download.docker.com/linux/centos/gpg + when: ansible_distribution == 'CentOS' + +- name: Ensure yum packages are installed (base) + yum: name="{{ item }}" state=latest update_cache=yes + with_items: + - bash-completion + - docker-ce + - docker-python + - ntp + when: ansible_distribution == 'CentOS' + +- name: Ensure Docker is started and autoruns + service: name=docker state=started enabled=yes + +- name: Ensure firewalld is started and autoruns + service: name=firewalld state=started enabled=yes + +- name: Ensure ntpd is started and autoruns + service: name=ntpd state=started enabled=yes + +- name: Ensure SELinux disabled + selinux: state=disabled + +- name: Ensure correct hostname set + hostname: name="{{ hostname_matrix }}" + +- name: Ensure timezone is UTC + timezone: + name: UTC \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_main.yml b/roles/matrix-server/tasks/setup_main.yml new file mode 100644 index 00000000..2c3cec4e --- /dev/null +++ b/roles/matrix-server/tasks/setup_main.yml @@ -0,0 +1,20 @@ +--- + +- name: Ensure Matrix group is created + group: + name: "{{ matrix_user_username }}" + gid: "{{ matrix_user_gid }}" + state: present + +- name: Ensure Matrix user is created + user: + name: "{{ matrix_user_username }}" + uid: "{{ matrix_user_uid }}" + state: present + group: "{{ matrix_user_username }}" + +- name: Ensure environment variables data path exists + file: + path: "{{ matrix_environment_variables_data_path }}" + state: directory + mode: 0700 \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup_nginx_proxy.yml new file mode 100644 index 00000000..307d8a24 --- /dev/null +++ b/roles/matrix-server/tasks/setup_nginx_proxy.yml @@ -0,0 +1,41 @@ +--- + +- name: Ensure Matrix nginx-proxy paths exists + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: root + group: root + with_items: + - "{{ matrix_nginx_proxy_data_path }}" + - "{{ matrix_nginx_proxy_confd_path }}" + +- name: Ensure nginx Docker image is pulled + docker_image: + name: "{{ docker_nginx_image }}" + +- name: Ensure Matrix Synapse proxy vhost configured + template: + src: "{{ role_path }}/templates/nginx-conf.d/{{ item }}.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/{{ item }}" + mode: 0644 + with_items: + - "matrix-synapse.conf" + - "matrix-riot-web.conf" + +- name: Allow access to nginx proxy ports in firewalld + firewalld: + service: "{{ item }}" + state: enabled + immediate: yes + permanent: yes + with_items: + - "http" + - "https" + +- name: Ensure matrix-nginx-proxy.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2" + dest: "/etc/systemd/system/matrix-nginx-proxy.service" + mode: 0644 diff --git a/roles/matrix-server/tasks/setup_postgres.yml b/roles/matrix-server/tasks/setup_postgres.yml new file mode 100644 index 00000000..94fad7b8 --- /dev/null +++ b/roles/matrix-server/tasks/setup_postgres.yml @@ -0,0 +1,34 @@ +--- + +- name: Ensure postgres data path exists + file: + path: "{{ matrix_postgres_data_path }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure postgres Docker image is pulled + docker_image: + name: "{{ docker_postgres_image }}" + +- name: Ensure Postgres environment variables file created + template: + src: "{{ role_path }}/templates/env/{{ item }}.j2" + dest: "{{ matrix_environment_variables_data_path }}/{{ item }}" + mode: 0640 + with_items: + - "env-postgres-pgsql-docker" + - "env-postgres-server-docker" + +- name: Ensure matrix-postgres-cli script created + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2" + dest: "/usr/local/bin/matrix-postgres-cli" + mode: 0750 + +- name: Ensure matrix-postgres.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2" + dest: "/etc/systemd/system/matrix-postgres.service" + mode: 0644 \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_riot_web.yml b/roles/matrix-server/tasks/setup_riot_web.yml new file mode 100644 index 00000000..9d11a037 --- /dev/null +++ b/roles/matrix-server/tasks/setup_riot_web.yml @@ -0,0 +1,30 @@ +--- + +- name: Ensure Matrix riot-web paths exists + file: + path: "{{ matrix_nginx_riot_web_data_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure riot-web Docker image is pulled + docker_image: + name: "{{ docker_riot_image }}" + +- name: Ensure Matrix riot-web configured + template: + src: "{{ role_path }}/templates/riot-web/{{ item }}.j2" + dest: "{{ matrix_nginx_riot_web_data_path }}/{{ item }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "riot.im.conf" + - "config.json" + +- name: Ensure matrix-riot-web.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-riot-web.service.j2" + dest: "/etc/systemd/system/matrix-riot-web.service" + mode: 0644 \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_ssl.yml b/roles/matrix-server/tasks/setup_ssl.yml new file mode 100644 index 00000000..6b6db343 --- /dev/null +++ b/roles/matrix-server/tasks/setup_ssl.yml @@ -0,0 +1,37 @@ +--- + +- name: Allow access to HTTP/HTTPS in firewalld + firewalld: + service: "{{ item }}" + state: enabled + immediate: yes + permanent: yes + with_items: + - http + - https + +- name: Ensure acmetool Docker image is pulled + docker_image: + name: willwill/acme-docker + +- name: Ensure SSL certificates path exists + file: + path: "{{ ssl_certs_path }}" + state: directory + mode: 0770 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure SSL certificates are marked as wanted in acmetool + shell: >- + /usr/bin/docker run --rm --name acmetool-host-grab -p 80:80 + -v {{ ssl_certs_path }}:/certs + -e ACME_EMAIL={{ ssl_support_email }} + willwill/acme-docker + acmetool want {{ hostname_matrix }} {{ hostname_riot }} --xlog.severity=debug + +- name: Ensure periodic SSL renewal cronjob configured + template: + src: "{{ role_path }}/templates/cron.d/ssl-certificate-renewal.j2" + dest: "/etc/cron.d/ssl-certificate-renewal" + mode: 0600 diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml new file mode 100644 index 00000000..8359e0f3 --- /dev/null +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -0,0 +1,87 @@ +--- + +- name: Ensure Matrix Synapse data path exists + file: + path: "{{ matrix_synapse_data_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure Matrix Docker image is pulled + docker_image: + name: "{{ docker_matrix_image }}" + +- name: Generate initial Matrix config + docker_container: + name: matrix-config + image: "{{ docker_matrix_image }}" + detach: no + cleanup: yes + command: generate + env: + SERVER_NAME: "{{ hostname_matrix }}" + REPORT_STATS: "no" + user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" + volumes: + - "{{ matrix_synapse_data_path }}:/data" + +- name: Augment Matrix config (configure SSL fullchain location) + lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" + args: + regexp: "^tls_certificate_path:" + line: 'tls_certificate_path: "/acmetool-certs/live/{{ hostname_matrix }}/fullchain"' + +- name: Augment Matrix config (configure SSL private key location) + lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" + args: + regexp: "^tls_private_key_path:" + line: 'tls_private_key_path: "/acmetool-certs/live/{{ hostname_matrix }}/privkey"' + +- name: Augment Matrix config (configure server name) + lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" + args: + regexp: "^server_name:" + line: 'server_name: "{{ hostname_identity }}"' + +- name: Augment Matrix config (change database from SQLite to Postgres) + lineinfile: + dest: "{{ matrix_synapse_data_path }}/homeserver.yaml" + regexp: '(.*)name: "sqlite3"' + line: '\1name: "psycopg2"' + backrefs: yes + +- name: Augment Matrix config (add the Postgres connection parameters) + lineinfile: + dest: "{{ matrix_synapse_data_path }}/homeserver.yaml" + regexp: '(.*)database: "(.*)homeserver.db"' + line: '\1user: "{{ matrix_postgres_connection_username }}"\n\1password: "{{ matrix_postgres_connection_password }}"\n\1database: "homeserver"\n\1host: "postgres"\n\1cp_min: 5\n\1cp_max: 10' + backrefs: yes + +- name: Allow access to Matrix ports in firewalld + firewalld: + port: "{{ item }}/tcp" + state: enabled + immediate: yes + permanent: yes + with_items: + - 3478 # Coturn + - 8448 # Matrix federation + +- name: Ensure matrix-synapse.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2" + dest: "/etc/systemd/system/matrix-synapse.service" + mode: 0644 + +- name: Ensure matrix-synapse-register-user script created + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2" + dest: "/usr/local/bin/matrix-synapse-register-user" + mode: 0750 + +- name: Ensure periodic restarting of Matrix is configured (for SSL renewal) + template: + src: "{{ role_path }}/templates/cron.d/matrix-periodic-restarter.j2" + dest: "/etc/cron.d/matrix-periodic-restarter" + mode: 0600 diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml new file mode 100644 index 00000000..31ec3abc --- /dev/null +++ b/roles/matrix-server/tasks/start.yml @@ -0,0 +1,13 @@ +--- + +- name: Ensure matrix-postgres autoruns and is restarted + service: name=matrix-postgres enabled=yes state=restarted daemon_reload=yes + +- name: Ensure matrix-synapse autoruns and is restarted + service: name=matrix-synapse enabled=yes state=restarted daemon_reload=yes + +- name: Ensure matrix-riot-web autoruns and is restarted + service: name=matrix-riot-web enabled=yes state=restarted daemon_reload=yes + +- name: Ensure matrix-nginx-proxy autoruns and is restarted + service: name=matrix-nginx-proxy enabled=yes state=restarted daemon_reload=yes diff --git a/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 b/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 new file mode 100644 index 00000000..174eb36b --- /dev/null +++ b/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 @@ -0,0 +1,11 @@ +MAILTO="{{ ssl_support_email }}" + +# This periodically restarts the Matrix services +# to ensure they're using the latest SSL certificate +# in case it got renewed by the `ssl-certificate-renewal` cronjob +# (which happens once every ~2-3 months). +# +# Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`, +# both would be restarted. + +{{ matrix_services_restart_cron_time_definition }} root /usr/bin/systemctl restart matrix-synapse.service diff --git a/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2 new file mode 100644 index 00000000..09e0734d --- /dev/null +++ b/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2 @@ -0,0 +1,14 @@ +MAILTO="{{ ssl_support_email }}" + +# The goal of this cronjob is to ask acmetool to check +# the current SSL certificates and to see if some need renewal. +# It so, it would attempt to renew. +# +# Various services depend on these certificates and would need to be restarted. +# This is not our concern here. We simply make sure the certificates are up to date. +# Restarting of services happens on its own different schedule (other cronjobs). +# +# acmetool is supposed to bind to port :80 (forwarded to the host) and solve the challenge directly. +# We can afford to do that, because all our services run on other ports. + +15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-once -p 80:80 -v {{ ssl_certs_path }}:/certs -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug diff --git a/roles/matrix-server/templates/env/env-postgres-pgsql-docker.j2 b/roles/matrix-server/templates/env/env-postgres-pgsql-docker.j2 new file mode 100644 index 00000000..c503450a --- /dev/null +++ b/roles/matrix-server/templates/env/env-postgres-pgsql-docker.j2 @@ -0,0 +1,3 @@ +PGUSER={{ matrix_postgres_connection_username }} +PGPASSWORD={{ matrix_postgres_connection_password }} +PGDATABASE={{ matrix_postgres_db_name }} \ No newline at end of file diff --git a/roles/matrix-server/templates/env/env-postgres-server-docker.j2 b/roles/matrix-server/templates/env/env-postgres-server-docker.j2 new file mode 100644 index 00000000..f9ff4dc3 --- /dev/null +++ b/roles/matrix-server/templates/env/env-postgres-server-docker.j2 @@ -0,0 +1,3 @@ +POSTGRES_USER={{ matrix_postgres_connection_username }} +POSTGRES_PASSWORD={{ matrix_postgres_connection_password }} +POSTGRES_DB={{ matrix_postgres_db_name }} \ No newline at end of file diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 new file mode 100644 index 00000000..d20be373 --- /dev/null +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -0,0 +1,21 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ hostname_riot }}; + + server_tokens off; + root /dev/null; + + ssl on; + ssl_certificate /acmetool-certs/live/{{ hostname_riot }}/fullchain; + ssl_certificate_key /acmetool-certs/live/{{ hostname_riot }}/privkey; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + + location / { + proxy_pass http://riot:8765; + proxy_set_header X-Forwarded-For $remote_addr; + } +} \ No newline at end of file diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 new file mode 100644 index 00000000..04283f36 --- /dev/null +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -0,0 +1,21 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ hostname_matrix }}; + + server_tokens off; + root /dev/null; + + ssl on; + ssl_certificate /acmetool-certs/live/{{ hostname_matrix }}/fullchain; + ssl_certificate_key /acmetool-certs/live/{{ hostname_matrix }}/privkey; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + + location /_matrix { + proxy_pass http://synapse:8008; + proxy_set_header X-Forwarded-For $remote_addr; + } +} \ No newline at end of file diff --git a/roles/matrix-server/templates/riot-web/config.json.j2 b/roles/matrix-server/templates/riot-web/config.json.j2 new file mode 100644 index 00000000..6f300b4d --- /dev/null +++ b/roles/matrix-server/templates/riot-web/config.json.j2 @@ -0,0 +1,15 @@ +{ + "default_hs_url": "https://{{ hostname_matrix }}", + "default_is_url": "https://vector.im", + "brand": "Riot", + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "bug_report_endpoint_url": "https://riot.im/bugreports/submit", + "enableLabs": true, + "roomDirectory": { + "servers": [ + "matrix.org" + ] + }, + "welcomeUserId": "@riot-bot:matrix.org" +} \ No newline at end of file diff --git a/roles/matrix-server/templates/riot-web/riot.im.conf.j2 b/roles/matrix-server/templates/riot-web/riot.im.conf.j2 new file mode 100644 index 00000000..0d0922ed --- /dev/null +++ b/roles/matrix-server/templates/riot-web/riot.im.conf.j2 @@ -0,0 +1,3 @@ +-p 8765 +-A 0.0.0.0 +-c 3500 \ No newline at end of file diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 new file mode 100644 index 00000000..c7e8e900 --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -0,0 +1,27 @@ +[Unit] +Description=Matrix nginx proxy server +After=docker.service +Requires=docker.service +Requires=matrix-synapse.service +After=matrix-synapse.service +Requires=matrix-riot-web.service +After=matrix-riot-web.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy +ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy +ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ + -p 443:443 \ + --link matrix-synapse:synapse \ + --link matrix-riot-web:riot \ + -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d \ + -v {{ ssl_certs_path }}:/acmetool-certs \ + {{ docker_nginx_image }} +ExecStop=-/usr/bin/docker kill matrix-nginx-proxy +ExecStop=-/usr/bin/docker rm matrix-nginx-proxy +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 new file mode 100644 index 00000000..846d7355 --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 @@ -0,0 +1,24 @@ +[Unit] +Description=Matrix Postgres server +After=docker.service +Requires=docker.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker stop matrix-postgres +ExecStartPre=-/usr/bin/docker rm matrix-postgres +ExecStartPre=-/usr/bin/mkdir {{ matrix_postgres_data_path }} +ExecStartPre=-/usr/bin/chown {{ matrix_user_uid }}:{{ matrix_user_gid }} {{ matrix_postgres_data_path }} +ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --env-file={{ matrix_environment_variables_data_path }}/env-postgres-server-docker \ + -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \ + -v /etc/passwd:/etc/passwd:ro \ + {{ docker_postgres_image }} +ExecStop=-/usr/bin/docker stop matrix-postgres +ExecStop=-/usr/bin/docker rm matrix-postgres +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 new file mode 100644 index 00000000..2abcc7e0 --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 @@ -0,0 +1,19 @@ +[Unit] +Description=Matrix Riot web server +After=docker.service +Requires=docker.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-riot-web +ExecStartPre=-/usr/bin/docker rm matrix-riot-web +ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ + -v {{ matrix_nginx_riot_web_data_path }}:/data \ + {{ docker_riot_image }} +ExecStop=-/usr/bin/docker kill matrix-riot-web +ExecStop=-/usr/bin/docker rm matrix-riot-web +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 new file mode 100644 index 00000000..7ec7a062 --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -0,0 +1,26 @@ +[Unit] +Description=Matrix Synapse server +After=docker.service +Requires=docker.service +Requires=matrix-postgres.service +After=matrix-postgres.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-synapse +ExecStartPre=-/usr/bin/docker rm matrix-synapse +ExecStartPre=-/usr/bin/chown {{ matrix_user_username }}:{{ matrix_user_username }} {{ ssl_certs_path }} -R +ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ + --link matrix-postgres:postgres \ + -p 8448:8448 \ + -p 3478:3478 \ + -v {{ matrix_synapse_data_path }}:/data \ + -v {{ ssl_certs_path }}:/acmetool-certs \ + {{ docker_matrix_image }} +ExecStop=-/usr/bin/docker kill matrix-synapse +ExecStop=-/usr/bin/docker rm matrix-synapse +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 new file mode 100644 index 00000000..083c5df2 --- /dev/null +++ b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -0,0 +1,3 @@ +#!/bin/bash + +docker run --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker -it --link=matrix-postgres:postgres postgres:9.6.3-alpine psql -h postgres \ No newline at end of file diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 new file mode 100644 index 00000000..efc6e737 --- /dev/null +++ b/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 @@ -0,0 +1,11 @@ +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" " + exit 1 +fi + +user=$1 +password=$2 + +docker exec matrix-synapse register_new_matrix_user -u $user -p $password -a -c /data/homeserver.yaml https://localhost:8448 \ No newline at end of file diff --git a/setup.yml b/setup.yml new file mode 100644 index 00000000..d09f727e --- /dev/null +++ b/setup.yml @@ -0,0 +1,10 @@ +--- +- name: "Set up a Matrix server" + hosts: "{{ target if target is defined else 'matrix-servers' }}" + become: true + + vars_files: + - vars/vars.yml + + roles: + - matrix-server diff --git a/vars/vars.yml b/vars/vars.yml new file mode 100644 index 00000000..c7df7635 --- /dev/null +++ b/vars/vars.yml @@ -0,0 +1,41 @@ +# The bare hostname which represents your identity. +# This is something like "example.com". +# Note: this playbook does not touch the server referenced here. +hostname_identity: "{{ host_specific_hostname_identity }}" + +# This is where your data lives and what we set up here. +# This and the Riot hostname (see below) are expected to be on the same server. +hostname_matrix: "matrix.{{ hostname_identity }}" + +# This is where you access the web UI from and what we set up here. +# This and the Matrix hostname (see above) are expected to be on the same server. +hostname_riot: "riot.{{ hostname_identity }}" + +ssl_certs_path: /etc/pki/acmetool-certs +ssl_support_email: "{{ host_specific_ssl_support_email }}" + +matrix_user_username: "matrix" +matrix_user_uid: 991 +matrix_user_gid: 991 + +matrix_postgres_connection_username: "synapse" +matrix_postgres_connection_password: "synapse-password" +matrix_postgres_db_name: "homeserver" + +matrix_base_data_path: "/matrix" +matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables" +matrix_synapse_data_path: "{{ matrix_base_data_path }}/synapse" +matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" +matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" +matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" +matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" +matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" + +docker_postgres_image: "postgres:9.6.3-alpine" +docker_matrix_image: "silviof/docker-matrix" +docker_nginx_image: "nginx:1.13.3-alpine" +docker_riot_image: "silviof/matrix-riot-docker" + +# Specifies when to restart the Matrix services so that +# a new SSL certificate could go into effect (UTC time). +matrix_services_restart_cron_time_definition: "15 4 3 * *" \ No newline at end of file From 81077e6cdff187df59cd61fc3f3334a2bb3b5480 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Aug 2017 11:11:29 +0300 Subject: [PATCH 0002/2384] Allow regular users to be created as well (not only admins) --- README.md | 4 ++-- roles/matrix-server/tasks/register_user.yml | 6 +++++- .../usr-local-bin/matrix-synapse-register-user.j2 | 15 +++++++++++---- 3 files changed, 18 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 132244ff..cb0eaf39 100644 --- a/README.md +++ b/README.md @@ -146,11 +146,11 @@ Run this to create a new user account on your Matrix server. You can do it via this Ansible playbook (make sure to edit the `` and `` part below): - ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password=' --tags=register-user + ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password= admin=' --tags=register-user **or** using the command-line after **SSH**-ing to your server (requires that [all services have been started](#Starting-the-services)): - matrix-synapse-register-user + matrix-synapse-register-user **Note**: `` is just a plain username (like `john`), not your full `@:` identifier. diff --git a/roles/matrix-server/tasks/register_user.yml b/roles/matrix-server/tasks/register_user.yml index 38f3a2a9..cfd76867 100644 --- a/roles/matrix-server/tasks/register_user.yml +++ b/roles/matrix-server/tasks/register_user.yml @@ -8,6 +8,10 @@ fail: msg="The `password` variable needs to be provided to this playbook, via --extra-vars" when: "password is not defined or password == ''" +- name: Fail if playbook called incorrectly + fail: msg="The `admin` variable needs to be provided to this playbook, via --extra-vars" + when: "admin is not defined or admin not in ['yes', 'no']" + - name: Ensure matrix-synapse is started service: name=matrix-synapse state=started daemon_reload=yes register: start_result @@ -17,4 +21,4 @@ when: start_result.changed - name: Register user - shell: "matrix-synapse-register-user {{ username }} {{ password }}" \ No newline at end of file + shell: "matrix-synapse-register-user {{ username }} {{ password }} {{ '1' if admin == 'yes' else '0' }}" \ No newline at end of file diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 index efc6e737..50341320 100644 --- a/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 +++ b/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 @@ -1,11 +1,18 @@ #!/bin/bash -if [ $# -ne 2 ]; then - echo "Usage: "$0" " - exit 1 +if [ $# -ne 3 ]; then + echo "Usage: "$0" " + exit 1 fi user=$1 password=$2 +admin=$3 -docker exec matrix-synapse register_new_matrix_user -u $user -p $password -a -c /data/homeserver.yaml https://localhost:8448 \ No newline at end of file +extraFlags="" + +if [ "$admin" -eq "1" ]; then + extraFlags=$extraFlags" -a" +fi + +docker exec matrix-synapse register_new_matrix_user -u $user -p $password $extraFlags -c /data/homeserver.yaml https://localhost:8448 \ No newline at end of file From 7b980525a4b3f376e4114459a4dc856fe5f988ae Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Aug 2017 12:36:54 +0300 Subject: [PATCH 0003/2384] Fix README anchors --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index cb0eaf39..83370687 100644 --- a/README.md +++ b/README.md @@ -48,11 +48,11 @@ Special thanks goes to: - the [Ansible](http://ansible.com/) program, which is used to run this playbook and configures everything for you -- properly configured DNS SRV record for `` (details in [Configuring DNS](#Configuring-DNS) below) +- properly configured DNS SRV record for `` (details in [Configuring DNS](#configuring-dns) below) -- `matrix.` domain name pointing to your new server - this is where the Matrix Synapse server will live (details in [Configuring DNS](#Configuring-DNS) below) +- `matrix.` domain name pointing to your new server - this is where the Matrix Synapse server will live (details in [Configuring DNS](#configuring-dns) below) -- `riot.` domain name pointing to your new server - this is where the Riot web UI will live (details in [Configuring DNS](#Configuring-DNS) below) +- `riot.` domain name pointing to your new server - this is where the Riot web UI will live (details in [Configuring DNS](#configuring-dns) below) ## Configuring DNS @@ -74,7 +74,7 @@ This playbook can then install all the services on that new server and you'll be ## Configuration -Once you have your server and you have [configured your DNS records](#Configuring-DNS), you can proceed with configuring this playbook, so that it knows what to install and where. +Once you have your server and you have [configured your DNS records](#configuring-dns), you can proceed with configuring this playbook, so that it knows what to install and where. You can follow these steps: @@ -91,7 +91,7 @@ You can follow these steps: ## Installing -Once you have your server and you have [configured your DNS records](#Configuring-DNS), you can proceed with installing. +Once you have your server and you have [configured your DNS records](#configuring-dns), you can proceed with installing. To make use of this playbook, you should invoke the `setup.yml` playbook multiple times, with different tags. @@ -148,7 +148,7 @@ You can do it via this Ansible playbook (make sure to edit the `` ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password= admin=' --tags=register-user -**or** using the command-line after **SSH**-ing to your server (requires that [all services have been started](#Starting-the-services)): +**or** using the command-line after **SSH**-ing to your server (requires that [all services have been started](#starting-the-services)): matrix-synapse-register-user From 13eaee2463f4dd534609179c1fa90212625b6048 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 6 Aug 2017 18:26:06 +0300 Subject: [PATCH 0004/2384] Enable TURN support and UDP for STUN --- roles/matrix-server/tasks/setup_synapse.yml | 18 +++++++++++++++--- .../systemd/matrix-synapse.service.j2 | 2 ++ vars/vars.yml | 8 +++++++- 3 files changed, 24 insertions(+), 4 deletions(-) diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 8359e0f3..82555a5f 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -58,15 +58,27 @@ line: '\1user: "{{ matrix_postgres_connection_username }}"\n\1password: "{{ matrix_postgres_connection_password }}"\n\1database: "homeserver"\n\1host: "postgres"\n\1cp_min: 5\n\1cp_max: 10' backrefs: yes +- name: Augment Matrix config (configure Coturn) + lineinfile: "dest={{ matrix_synapse_data_path }}/turnserver.conf" + args: + regexp: "^{{ item.variable }}=" + line: '{{ item.variable }}={{ item.value }}' + with_items: + - {'variable': 'min-port', 'value': "{{ matrix_coturn_turn_udp_min_port }}"} + - {'variable': 'max-port', 'value': "{{ matrix_coturn_turn_udp_max_port }}"} + - {'variable': 'external-ip', 'value': "{{ matrix_coturn_turn_external_ip_address }}"} + - name: Allow access to Matrix ports in firewalld firewalld: - port: "{{ item }}/tcp" + port: "{{ item }}" state: enabled immediate: yes permanent: yes with_items: - - 3478 # Coturn - - 8448 # Matrix federation + - '8448/tcp' # Matrix federation + - '3478/tcp' # STUN + - '3478/udp' # STUN + - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN - name: Ensure matrix-synapse.service installed template: diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 7ec7a062..8b60fd9a 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -14,6 +14,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ --link matrix-postgres:postgres \ -p 8448:8448 \ -p 3478:3478 \ + -p 3478:3478/udp \ + -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ -v {{ matrix_synapse_data_path }}:/data \ -v {{ ssl_certs_path }}:/acmetool-certs \ {{ docker_matrix_image }} diff --git a/vars/vars.yml b/vars/vars.yml index c7df7635..7466a2a3 100644 --- a/vars/vars.yml +++ b/vars/vars.yml @@ -38,4 +38,10 @@ docker_riot_image: "silviof/matrix-riot-docker" # Specifies when to restart the Matrix services so that # a new SSL certificate could go into effect (UTC time). -matrix_services_restart_cron_time_definition: "15 4 3 * *" \ No newline at end of file +matrix_services_restart_cron_time_definition: "15 4 3 * *" + +# UDP port-range to use for TURN +matrix_coturn_turn_udp_min_port: 49152 +matrix_coturn_turn_udp_max_port: 49172 + +matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" From 0d1a2071debc88ac79c604073df7e25fc7074fed Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 6 Aug 2017 18:40:16 +0300 Subject: [PATCH 0005/2384] Ensure playbook works if running at SSL-renewal time matrix-nginx-proxy will be occupying port 80 soon, so that we can be more user-friendly and have http->https forwarding for the Riot hostname. During the playbook run, acmetool also expects to use port 80 for domain verification. During an initial playbook run, this wouldn't cause trouble because matrix-nginx-proxy is not installed yet. However, on subsequent playbook runs, it would cause trouble. This ensures that if matrix-nginx-proxy is available and running, it would be stopped before running acmetool and started right after. --- roles/matrix-server/tasks/setup_ssl.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/matrix-server/tasks/setup_ssl.yml b/roles/matrix-server/tasks/setup_ssl.yml index 6b6db343..3cffbfdd 100644 --- a/roles/matrix-server/tasks/setup_ssl.yml +++ b/roles/matrix-server/tasks/setup_ssl.yml @@ -22,6 +22,14 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" +- name: Check matrix-nginx-proxy state + service: name=matrix-nginx-proxy + register: matrix_nginx_proxy_state + +- name: Ensure matrix-nginx-proxy is stopped (if previously installed & started) + service: name=matrix-nginx-proxy state=stopped + when: "matrix_nginx_proxy_state.status.ActiveState == 'active'" + - name: Ensure SSL certificates are marked as wanted in acmetool shell: >- /usr/bin/docker run --rm --name acmetool-host-grab -p 80:80 @@ -30,6 +38,10 @@ willwill/acme-docker acmetool want {{ hostname_matrix }} {{ hostname_riot }} --xlog.severity=debug +- name: Ensure matrix-nginx-proxy is started (if previously installed & started) + service: name=matrix-nginx-proxy state=started + when: "matrix_nginx_proxy_state.status.ActiveState == 'active'" + - name: Ensure periodic SSL renewal cronjob configured template: src: "{{ role_path }}/templates/cron.d/ssl-certificate-renewal.j2" From a3ecb7bfd998a48d57c4a210f1a24a1d2578c67d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 6 Aug 2017 19:10:50 +0300 Subject: [PATCH 0006/2384] Add http->http redirection for Matrix/Riot Doing this means that matrix-nginx-proxy now starts occupying port 80, which necessitates that SSL renewal happens slightly differently. --- roles/matrix-server/tasks/main.yml | 5 +++++ .../templates/cron.d/ssl-certificate-renewal.j2 | 15 +++++++++++---- .../nginx-conf.d/matrix-riot-web.conf.j2 | 16 ++++++++++++++++ .../nginx-conf.d/matrix-synapse.conf.j2 | 16 ++++++++++++++++ .../systemd/matrix-nginx-proxy.service.j2 | 1 + 5 files changed, 49 insertions(+), 4 deletions(-) diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index aa501bb6..25cad895 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -11,22 +11,27 @@ - include: tasks/setup_ssl.yml tags: - setup-main + - setup-ssl - include: tasks/setup_postgres.yml tags: - setup-main + - setup-postgres - include: tasks/setup_synapse.yml tags: - setup-main + - setup-synapse - include: tasks/setup_riot_web.yml tags: - setup-main + - setup-riot-web - include: tasks/setup_nginx_proxy.yml tags: - setup-main + - setup-nginx-proxy - include: tasks/start.yml tags: diff --git a/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2 index 09e0734d..cf67917f 100644 --- a/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2 +++ b/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2 @@ -2,13 +2,20 @@ MAILTO="{{ ssl_support_email }}" # The goal of this cronjob is to ask acmetool to check # the current SSL certificates and to see if some need renewal. -# It so, it would attempt to renew. +# If so, it would attempt to renew. # # Various services depend on these certificates and would need to be restarted. # This is not our concern here. We simply make sure the certificates are up to date. # Restarting of services happens on its own different schedule (other cronjobs). # -# acmetool is supposed to bind to port :80 (forwarded to the host) and solve the challenge directly. -# We can afford to do that, because all our services run on other ports. +# +# How renewal works? +# +# acmetool will fail to bind to port :80 (because matrix-nginx-proxy is running there), +# and will fall back to its "webroot" validation method. +# +# Thus, it would put validation files in `/var/run/acme/acme-challenge`. +# These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy, +# because it aliases `/.well-known/acme-challenge` to that same directory. -15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-once -p 80:80 -v {{ ssl_certs_path }}:/certs -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug +15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ ssl_certs_path }}:/certs -v {{ ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index d20be373..ac6d735c 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -1,3 +1,19 @@ +server { + listen 80; + server_name {{ hostname_riot }}; + + server_tokens off; + + location /.well-known/acme-challenge { + default_type "text/plain"; + alias /acmetool-certs/run/acme-challenge; + } + + location / { + return 301 https://$http_host$request_uri; + } +} + server { listen 443 ssl http2; listen [::]:443 ssl http2; diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 04283f36..4db628f6 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -1,3 +1,19 @@ +server { + listen 80; + server_name {{ hostname_matrix }}; + + server_tokens off; + + location /.well-known/acme-challenge { + default_type "text/plain"; + alias /acmetool-certs/run/acme-challenge; + } + + location / { + return 301 https://$http_host$request_uri; + } +} + server { listen 443 ssl http2; listen [::]:443 ssl http2; diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index c7e8e900..3b9cfbbb 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -12,6 +12,7 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ + -p 80:80 \ -p 443:443 \ --link matrix-synapse:synapse \ --link matrix-riot-web:riot \ From 91bb06e4bea8f1b84cbb724f42c027dbdec649bf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 6 Aug 2017 19:21:18 +0300 Subject: [PATCH 0007/2384] Update README --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 83370687..eacc8992 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,8 @@ Special thanks goes to: - `riot.` domain name pointing to your new server - this is where the Riot web UI will live (details in [Configuring DNS](#configuring-dns) below) +- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (STUN over TCP), `3478/udp` (STUN over UDP), `8448/tcp` (Matrix federation HTTPS webserver), `49152-49172/udp` (TURN over UDP). + ## Configuring DNS @@ -107,6 +109,8 @@ Feel free to re-run this any time you think something is off with the server con ### Restoring an existing SQLite database (from another installation) +**WARNING**: while this Ansible playbook supports importing an SQLite database from a previous installation, the actual program doing the migration (`synapse_port_db`, part of Matrix Synapse) may be buggy and not work for you. + Run this if you'd like to import your database from a previous default installation of Matrix Synapse. (don't forget to import your `media_store` files as well - see below). @@ -161,6 +165,4 @@ This Ansible playbook can be improved in the following ways: - setting up automatic backups to one or more storage providers -- enabling TURN support for the Coturn server - see https://github.com/silvio/docker-matrix#coturn-server - - [importing an old SQLite database](#Restoring-an-existing-SQLite=database-from-another-installation) likely works because of a patch, but may be fragile until [this](https://github.com/matrix-org/synapse/issues/2287) is fixed \ No newline at end of file From 02bdb7c7bc63c2854564879c4abea072e4a8c957 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 8 Aug 2017 14:29:14 +0300 Subject: [PATCH 0008/2384] Ensure firewalld is installed and Docker launcher after firewalld Some CentOS 7 hosts may not have firewalld installed. We shouldn't expect it to be, but should ensure by ourselves that it is. Docker likes to mess around with iptables forwarding rules, so it ought to start after firewalld. --- roles/matrix-server/tasks/setup_base.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/tasks/setup_base.yml b/roles/matrix-server/tasks/setup_base.yml index fb5dce2e..598be601 100644 --- a/roles/matrix-server/tasks/setup_base.yml +++ b/roles/matrix-server/tasks/setup_base.yml @@ -23,15 +23,16 @@ - bash-completion - docker-ce - docker-python + - firewalld - ntp when: ansible_distribution == 'CentOS' -- name: Ensure Docker is started and autoruns - service: name=docker state=started enabled=yes - - name: Ensure firewalld is started and autoruns service: name=firewalld state=started enabled=yes +- name: Ensure Docker is started and autoruns + service: name=docker state=started enabled=yes + - name: Ensure ntpd is started and autoruns service: name=ntpd state=started enabled=yes From b074030d59ea81f5668d5d0277228bcd4f5abdbf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 8 Aug 2017 14:31:01 +0300 Subject: [PATCH 0009/2384] Fix problem detecting matrix-nginx-proxy state when it is not installed --- roles/matrix-server/tasks/setup_ssl.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/tasks/setup_ssl.yml b/roles/matrix-server/tasks/setup_ssl.yml index 3cffbfdd..1b4bf043 100644 --- a/roles/matrix-server/tasks/setup_ssl.yml +++ b/roles/matrix-server/tasks/setup_ssl.yml @@ -28,7 +28,7 @@ - name: Ensure matrix-nginx-proxy is stopped (if previously installed & started) service: name=matrix-nginx-proxy state=stopped - when: "matrix_nginx_proxy_state.status.ActiveState == 'active'" + when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'" - name: Ensure SSL certificates are marked as wanted in acmetool shell: >- @@ -40,7 +40,7 @@ - name: Ensure matrix-nginx-proxy is started (if previously installed & started) service: name=matrix-nginx-proxy state=started - when: "matrix_nginx_proxy_state.status.ActiveState == 'active'" + when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'" - name: Ensure periodic SSL renewal cronjob configured template: From fc3386dff73646ddd6806a3994157ef184f14e86 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 11 Aug 2017 08:21:34 +0300 Subject: [PATCH 0010/2384] Fix matrix-synapse-register-user for when the non-admin case It was trying to omit the `-a` flag, but that wasn't enough, because the underlying `register_new_matrix_user` command prompts interactively if it doesn't see the `-a` flag (it doesn't default to non-admin). We need to answer such interactive prompts. --- .../usr-local-bin/matrix-synapse-register-user.j2 | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 index 50341320..43e7d8d0 100644 --- a/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 +++ b/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 @@ -9,10 +9,9 @@ user=$1 password=$2 admin=$3 -extraFlags="" - if [ "$admin" -eq "1" ]; then - extraFlags=$extraFlags" -a" -fi - -docker exec matrix-synapse register_new_matrix_user -u $user -p $password $extraFlags -c /data/homeserver.yaml https://localhost:8448 \ No newline at end of file + docker exec matrix-synapse register_new_matrix_user -a -u $user -p $password -c /data/homeserver.yaml https://localhost:8448 +else + # If `-a` is not passed, we need to answer to an "admin: yes/no" question + echo 'no' | docker exec -i matrix-synapse register_new_matrix_user -u $user -p $password $extraFlags -c /data/homeserver.yaml https://localhost:8448 +fi \ No newline at end of file From 7d74dced282a9b0eaf075e26417f5a986f1b2032 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 12 Aug 2017 10:36:34 +0300 Subject: [PATCH 0011/2384] Disable TURN for guests and enable URL previews --- roles/matrix-server/tasks/setup_synapse.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 82555a5f..3da3c791 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -44,6 +44,25 @@ regexp: "^server_name:" line: 'server_name: "{{ hostname_identity }}"' +- name: Augment Matrix config (disable TURN for guests) + lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" + args: + regexp: "^turn_allow_guests:" + line: 'turn_allow_guests: False' + +- name: Augment Matrix config (enable URL previews) + lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" + args: + regexp: "^url_preview_enabled:" + line: 'url_preview_enabled: True' + +- name: Augment Matrix config (specify URL previews blacklist) + lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" + args: + regexp: "^url_preview_ip_range_blacklist:" + line: 'url_preview_ip_range_blacklist: ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16"]' + insertafter: '^# url_preview_ip_range_blacklist:$' + - name: Augment Matrix config (change database from SQLite to Postgres) lineinfile: dest: "{{ matrix_synapse_data_path }}/homeserver.yaml" From 887d14884effeea645441f42b71c74ee95a416dd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 12 Aug 2017 11:06:57 +0300 Subject: [PATCH 0012/2384] Do not generate a new Matrix Synapse config, if one already exists Otherwise certains values in the config file, such as `macaroon_secret_key`, would be regenerated, which is not something that we want. If `macaroon_secret_key` is regenerated, all users' auth tokens will become invalid (effectively logging out all users). --- roles/matrix-server/tasks/setup_synapse.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 3da3c791..5a797b74 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -12,6 +12,11 @@ docker_image: name: "{{ docker_matrix_image }}" +- name: Check if a Matrix Synapse configuration exists + stat: + path: "{{ matrix_synapse_data_path }}/homeserver.yaml" + register: matrix_synapse_config_stat + - name: Generate initial Matrix config docker_container: name: matrix-config @@ -25,6 +30,7 @@ user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" volumes: - "{{ matrix_synapse_data_path }}:/data" + when: "not matrix_synapse_config_stat.stat.exists" - name: Augment Matrix config (configure SSL fullchain location) lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" From 1cd227b6991467ebb461193343430be3209383a3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 12 Aug 2017 15:39:21 +0300 Subject: [PATCH 0013/2384] Increase max body size for the nginx proxy Otherwise, we can't support large media file uploads. --- .../nginx-conf.d/matrix-riot-web.conf.j2 | 2 +- .../nginx-conf.d/matrix-synapse.conf.j2 | 22 ++++++++++++------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index ac6d735c..779aad0a 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -34,4 +34,4 @@ server { proxy_pass http://riot:8765; proxy_set_header X-Forwarded-For $remote_addr; } -} \ No newline at end of file +} diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 4db628f6..be3988e1 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -15,10 +15,10 @@ server { } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl http2; + listen [::]:443 ssl http2; - server_name {{ hostname_matrix }}; + server_name {{ hostname_matrix }}; server_tokens off; root /dev/null; @@ -30,8 +30,14 @@ server { ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; - location /_matrix { - proxy_pass http://synapse:8008; - proxy_set_header X-Forwarded-For $remote_addr; - } -} \ No newline at end of file + location /_matrix { + proxy_pass http://synapse:8008; + proxy_set_header X-Forwarded-For $remote_addr; + + # These are intentionally large. + # Note that Synapse enforces its own limits, which are smaller. + client_body_buffer_size 25M; + client_max_body_size 100M; + proxy_max_temp_file_size 0; + } +} From ce3c31eb414ff8105069cf65d31682c4245bc7b2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 12 Aug 2017 18:32:24 +0300 Subject: [PATCH 0014/2384] Adjust x_forwarded setting for the plain (8008) port Port 8008 is forwarded in our case, so unless we adjust `x_forwaded` for it, Docker's local network IPs are logged/displayed for devices. The TLS port (8448) is not proxied in our setup, so its `x_forwarded` setting remains `false`. --- roles/matrix-server/tasks/setup_synapse.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 5a797b74..56f927e4 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -69,6 +69,14 @@ line: 'url_preview_ip_range_blacklist: ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16"]' insertafter: '^# url_preview_ip_range_blacklist:$' +# We only wish to do this for the 8008 port and not for the 8448 port +# (2nd instance of `x_forwarded` found in the config) +- name: Augment Matrix config (mark 8008 plain traffic as forwarded) + replace: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" + args: + regexp: "8008((?:.|\n)*)x_forwarded(.*)" + replace: '8008\g<1>x_forwarded: true' + - name: Augment Matrix config (change database from SQLite to Postgres) lineinfile: dest: "{{ matrix_synapse_data_path }}/homeserver.yaml" From b046052aedeee0ad3ca2d19a5c89dbd33a784ea3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 30 Aug 2017 12:00:47 +0300 Subject: [PATCH 0015/2384] Switch from playbook vars to role defaults By using role defauts, we can have inventory variables which overide the defaults. --- README.md | 2 +- vars/vars.yml => roles/matrix-server/defaults/main.yml | 2 +- setup.yml | 3 --- 3 files changed, 2 insertions(+), 5 deletions(-) rename vars/vars.yml => roles/matrix-server/defaults/main.yml (96%) diff --git a/README.md b/README.md index eacc8992..8fc23d42 100644 --- a/README.md +++ b/README.md @@ -84,7 +84,7 @@ You can follow these steps: - copy the sample configuration file (`cp examples/host-vars.yml inventory/matrix./vars.yml`) -- edit the configuration file (`inventory/matrix./vars.yml`) to your liking +- edit the configuration file (`inventory/matrix./vars.yml`) to your liking. You may also take a look at `roles/matrix-server/defaults.main.yml` and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. - copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) diff --git a/vars/vars.yml b/roles/matrix-server/defaults/main.yml similarity index 96% rename from vars/vars.yml rename to roles/matrix-server/defaults/main.yml index 7466a2a3..a7aafc17 100644 --- a/vars/vars.yml +++ b/roles/matrix-server/defaults/main.yml @@ -44,4 +44,4 @@ matrix_services_restart_cron_time_definition: "15 4 3 * *" matrix_coturn_turn_udp_min_port: 49152 matrix_coturn_turn_udp_max_port: 49172 -matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" +matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" \ No newline at end of file diff --git a/setup.yml b/setup.yml index d09f727e..d0364f76 100644 --- a/setup.yml +++ b/setup.yml @@ -3,8 +3,5 @@ hosts: "{{ target if target is defined else 'matrix-servers' }}" become: true - vars_files: - - vars/vars.yml - roles: - matrix-server From 2bb8bb96d47ee755d54e32188582830ea027686e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 30 Aug 2017 12:07:03 +0300 Subject: [PATCH 0016/2384] Add support for configuring max_upload_size --- roles/matrix-server/defaults/main.yml | 4 +++- roles/matrix-server/tasks/setup_synapse.yml | 6 ++++++ .../templates/nginx-conf.d/matrix-synapse.conf.j2 | 4 +--- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index a7aafc17..1b1c5876 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -44,4 +44,6 @@ matrix_services_restart_cron_time_definition: "15 4 3 * *" matrix_coturn_turn_udp_min_port: 49152 matrix_coturn_turn_udp_max_port: 49172 -matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" \ No newline at end of file +matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" + +matrix_max_upload_size_mb: 10 \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 56f927e4..5057feb3 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -101,6 +101,12 @@ - {'variable': 'max-port', 'value': "{{ matrix_coturn_turn_udp_max_port }}"} - {'variable': 'external-ip', 'value': "{{ matrix_coturn_turn_external_ip_address }}"} +- name: Augment Matrix config (set max upload size) + lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" + args: + regexp: "^max_upload_size:" + line: 'max_upload_size: "{{ matrix_max_upload_size_mb }}M"' + - name: Allow access to Matrix ports in firewalld firewalld: port: "{{ item }}" diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index be3988e1..a11d11ac 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -34,10 +34,8 @@ server { proxy_pass http://synapse:8008; proxy_set_header X-Forwarded-For $remote_addr; - # These are intentionally large. - # Note that Synapse enforces its own limits, which are smaller. client_body_buffer_size 25M; - client_max_body_size 100M; + client_max_body_size {{ matrix_max_upload_size_mb }}M; proxy_max_temp_file_size 0; } } From ea91ef7fb257a0c45ffa378adf59f04a96ccdcc6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 7 Sep 2017 12:12:31 +0300 Subject: [PATCH 0017/2384] Move media_store & logs out of /data. Allow logging to be configured The goal is to allow these to be on separate partitions (including remote ones in the future). Because the `silviof/docker-matrix` image chowns everything to MATRIX_UID:MATRIX_GID on startup, we definitely don't want to include `media_store` in it. If it's on a remote FS, it would cause a slow startup. Also, adding some safety checks to the "import media store" task, after passing a wrong path to it on multiple occassions and wondering what's wrong. Also, making logging configurable. The default of keeping 10x100MB log files is likely excessive and people may want to change that. --- roles/matrix-server/defaults/main.yml | 9 +- .../tasks/import_media_store.yml | 18 +++- .../matrix-server/tasks/import_sqlite_db.yml | 4 +- roles/matrix-server/tasks/setup_synapse.yml | 82 ++++++++++--------- .../systemd/matrix-synapse.service.j2 | 4 +- 5 files changed, 72 insertions(+), 45 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 1b1c5876..9f298373 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -24,7 +24,10 @@ matrix_postgres_db_name: "homeserver" matrix_base_data_path: "/matrix" matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables" -matrix_synapse_data_path: "{{ matrix_base_data_path }}/synapse" +matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" +matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" +matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run" +matrix_synapse_media_store_path: "{{ matrix_synapse_base_path }}/media-store" matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" @@ -46,4 +49,6 @@ matrix_coturn_turn_udp_max_port: 49172 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" -matrix_max_upload_size_mb: 10 \ No newline at end of file +matrix_max_upload_size_mb: 10 +matrix_max_log_file_size_mb: 100 +matrix_max_log_files_count: 10 \ No newline at end of file diff --git a/roles/matrix-server/tasks/import_media_store.yml b/roles/matrix-server/tasks/import_media_store.yml index 955309c0..be7a878a 100644 --- a/roles/matrix-server/tasks/import_media_store.yml +++ b/roles/matrix-server/tasks/import_media_store.yml @@ -14,6 +14,22 @@ fail: msg="File cannot be found on the local machine at {{ local_path_media_store }}" when: "not local_path_media_store_stat.stat.exists or not local_path_media_store_stat.stat.isdir" +- name: Check if media store contains local_content + stat: path="{{ local_path_media_store }}/local_content" + delegate_to: 127.0.0.1 + become: false + register: local_path_media_store_local_content_stat + +- name: Check if media store contains remote_content + stat: path="{{ local_path_media_store }}/remote_content" + delegate_to: 127.0.0.1 + become: false + register: local_path_media_store_remote_content_stat + +- name: Fail if media_store directory doesn't look okay (lacking remote and local content) + fail: msg="{{ local_path_media_store }} contains neither local_content nor remote_content. It's most likely a mistake and is not a media store directory." + when: "not local_path_media_store_local_content_stat.stat.exists and not local_path_media_store_remote_content_stat.stat.exists" + - name: Ensure matrix-synapse is stopped service: name=matrix-synapse state=stopped daemon_reload=yes register: stopping_result @@ -21,7 +37,7 @@ - name: Ensure provided media_store directory is copied to the server synchronize: src: "{{ local_path_media_store }}/" - dest: "{{ matrix_synapse_data_path }}/media_store" + dest: "{{ matrix_synapse_media_store_path }}" delete: yes - name: Ensure Matrix Synapse is started (if it previously was) diff --git a/roles/matrix-server/tasks/import_sqlite_db.yml b/roles/matrix-server/tasks/import_sqlite_db.yml index 5809acd8..0390e195 100644 --- a/roles/matrix-server/tasks/import_sqlite_db.yml +++ b/roles/matrix-server/tasks/import_sqlite_db.yml @@ -66,7 +66,9 @@ command: "/usr/local/bin/synapse_port_db_with_patch --sqlite-database /scratchpad/homeserver.db --postgres-config /data/homeserver.yaml" user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" volumes: - - "{{ matrix_synapse_data_path }}:/data" + - "{{ matrix_synapse_config_dir_path }}:/data" + - "{{ matrix_synapse_run_path }}:/matrix-run" + - "{{ matrix_synapse_media_store_path }}:/matrix-media-store" - "{{ matrix_scratchpad_dir }}:/scratchpad" - "{{ matrix_scratchpad_dir }}/synapse_port_db_with_patch:/usr/local/bin/synapse_port_db_with_patch" links: diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 5057feb3..91329ba5 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -1,12 +1,17 @@ --- -- name: Ensure Matrix Synapse data path exists +- name: Ensure Matrix Synapse paths exists file: - path: "{{ matrix_synapse_data_path }}" + path: "{{ item }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_synapse_base_path }}" + - "{{ matrix_synapse_config_dir_path }}" + - "{{ matrix_synapse_run_path }}" + - "{{ matrix_synapse_media_store_path }}" - name: Ensure Matrix Docker image is pulled docker_image: @@ -14,7 +19,7 @@ - name: Check if a Matrix Synapse configuration exists stat: - path: "{{ matrix_synapse_data_path }}/homeserver.yaml" + path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" register: matrix_synapse_config_stat - name: Generate initial Matrix config @@ -29,41 +34,44 @@ REPORT_STATS: "no" user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" volumes: - - "{{ matrix_synapse_data_path }}:/data" + - "{{ matrix_synapse_config_dir_path }}:/data" when: "not matrix_synapse_config_stat.stat.exists" -- name: Augment Matrix config (configure SSL fullchain location) - lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" - args: - regexp: "^tls_certificate_path:" - line: 'tls_certificate_path: "/acmetool-certs/live/{{ hostname_matrix }}/fullchain"' - -- name: Augment Matrix config (configure SSL private key location) - lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" - args: - regexp: "^tls_private_key_path:" - line: 'tls_private_key_path: "/acmetool-certs/live/{{ hostname_matrix }}/privkey"' - -- name: Augment Matrix config (configure server name) - lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" - args: - regexp: "^server_name:" - line: 'server_name: "{{ hostname_identity }}"' +- name: Ensure self-signed certificates are removed + file: + path: "{{ item }}" + state: absent + with_items: + - "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt" + - "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key" -- name: Augment Matrix config (disable TURN for guests) - lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" +- name: Augment Matrix log config + lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" args: - regexp: "^turn_allow_guests:" - line: 'turn_allow_guests: False' + regexp: "{{ item.regexp }}" + line: '{{ item.line }}' + with_items: + - {"regexp": "^ filename:", "line": ' filename: /matrix-run/homeserver.log'} + - {"regexp": "^ maxBytes:", "line": ' maxBytes: {{ matrix_max_log_file_size_mb * 1024 * 1024 }}'} + - {"regexp": "^ backupCount:", "line": ' backupCount: {{ matrix_max_log_files_count }}'} -- name: Augment Matrix config (enable URL previews) - lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" +- name: Augment Matrix config + lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" args: - regexp: "^url_preview_enabled:" - line: 'url_preview_enabled: True' + regexp: "{{ item.regexp }}" + line: '{{ item.line }}' + with_items: + - {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'} + - {"regexp": "^tls_certificate_path:", "line": 'tls_certificate_path: "/acmetool-certs/live/{{ hostname_matrix }}/fullchain"'} + - {"regexp": "^tls_private_key_path:", "line": 'tls_private_key_path: "/acmetool-certs/live/{{ hostname_matrix }}/privkey"'} + - {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'} + - {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'} + - {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'} + - {"regexp": "^max_upload_size:", "line": 'max_upload_size: "{{ matrix_max_upload_size_mb }}M"'} + - {"regexp": "^media_store_path:", "line": 'media_store_path: "/matrix-media-store"'} - name: Augment Matrix config (specify URL previews blacklist) - lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" + lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" args: regexp: "^url_preview_ip_range_blacklist:" line: 'url_preview_ip_range_blacklist: ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16"]' @@ -72,27 +80,27 @@ # We only wish to do this for the 8008 port and not for the 8448 port # (2nd instance of `x_forwarded` found in the config) - name: Augment Matrix config (mark 8008 plain traffic as forwarded) - replace: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" + replace: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" args: regexp: "8008((?:.|\n)*)x_forwarded(.*)" replace: '8008\g<1>x_forwarded: true' - name: Augment Matrix config (change database from SQLite to Postgres) lineinfile: - dest: "{{ matrix_synapse_data_path }}/homeserver.yaml" + dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" regexp: '(.*)name: "sqlite3"' line: '\1name: "psycopg2"' backrefs: yes - name: Augment Matrix config (add the Postgres connection parameters) lineinfile: - dest: "{{ matrix_synapse_data_path }}/homeserver.yaml" + dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" regexp: '(.*)database: "(.*)homeserver.db"' line: '\1user: "{{ matrix_postgres_connection_username }}"\n\1password: "{{ matrix_postgres_connection_password }}"\n\1database: "homeserver"\n\1host: "postgres"\n\1cp_min: 5\n\1cp_max: 10' backrefs: yes - name: Augment Matrix config (configure Coturn) - lineinfile: "dest={{ matrix_synapse_data_path }}/turnserver.conf" + lineinfile: "dest={{ matrix_synapse_config_dir_path }}/turnserver.conf" args: regexp: "^{{ item.variable }}=" line: '{{ item.variable }}={{ item.value }}' @@ -101,12 +109,6 @@ - {'variable': 'max-port', 'value': "{{ matrix_coturn_turn_udp_max_port }}"} - {'variable': 'external-ip', 'value': "{{ matrix_coturn_turn_external_ip_address }}"} -- name: Augment Matrix config (set max upload size) - lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml" - args: - regexp: "^max_upload_size:" - line: 'max_upload_size: "{{ matrix_max_upload_size_mb }}M"' - - name: Allow access to Matrix ports in firewalld firewalld: port: "{{ item }}" diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 8b60fd9a..c1f7b1f6 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -16,7 +16,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ -p 3478:3478 \ -p 3478:3478/udp \ -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ - -v {{ matrix_synapse_data_path }}:/data \ + -v {{ matrix_synapse_config_dir_path }}:/data \ + -v {{ matrix_synapse_run_path }}:/matrix-run \ + -v {{ matrix_synapse_media_store_path }}:/matrix-media-store \ -v {{ ssl_certs_path }}:/acmetool-certs \ {{ docker_matrix_image }} ExecStop=-/usr/bin/docker kill matrix-synapse From a6760f44692ee9799d5b36c94864da4a7d7616c5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 7 Sep 2017 12:23:22 +0300 Subject: [PATCH 0018/2384] Ensure media store files are owned by the correct user/group after importing --- roles/matrix-server/tasks/import_media_store.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/roles/matrix-server/tasks/import_media_store.yml b/roles/matrix-server/tasks/import_media_store.yml index be7a878a..525a03e5 100644 --- a/roles/matrix-server/tasks/import_media_store.yml +++ b/roles/matrix-server/tasks/import_media_store.yml @@ -10,8 +10,8 @@ become: false register: local_path_media_store_stat -- name: Fail if provided media_store directory doesn't exist on the local machine - fail: msg="File cannot be found on the local machine at {{ local_path_media_store }}" +- name: Fail if provided media store directory doesn't exist on the local machine + fail: msg="{{ local_path_media_store }} cannot be found on the local machine" when: "not local_path_media_store_stat.stat.exists or not local_path_media_store_stat.stat.isdir" - name: Check if media store contains local_content @@ -26,7 +26,7 @@ become: false register: local_path_media_store_remote_content_stat -- name: Fail if media_store directory doesn't look okay (lacking remote and local content) +- name: Fail if media store directory doesn't look okay (lacking remote and local content) fail: msg="{{ local_path_media_store }} contains neither local_content nor remote_content. It's most likely a mistake and is not a media store directory." when: "not local_path_media_store_local_content_stat.stat.exists and not local_path_media_store_remote_content_stat.stat.exists" @@ -34,12 +34,18 @@ service: name=matrix-synapse state=stopped daemon_reload=yes register: stopping_result -- name: Ensure provided media_store directory is copied to the server +- name: Ensure provided media store directory is copied to the server synchronize: src: "{{ local_path_media_store }}/" dest: "{{ matrix_synapse_media_store_path }}" delete: yes +- name: Ensure media store permissions are correct + file: + path: "{{ matrix_synapse_media_store_path }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + - name: Ensure Matrix Synapse is started (if it previously was) service: name="{{ item }}" state=started daemon_reload=yes when: stopping_result.changed From 0f723c9574746fc40ebb7678dbb6cfe09ec2feb2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 7 Sep 2017 12:24:04 +0300 Subject: [PATCH 0019/2384] Ensure media store files are owned by the correct user/group after importing (recursively) --- roles/matrix-server/tasks/import_media_store.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-server/tasks/import_media_store.yml b/roles/matrix-server/tasks/import_media_store.yml index 525a03e5..51d34ec4 100644 --- a/roles/matrix-server/tasks/import_media_store.yml +++ b/roles/matrix-server/tasks/import_media_store.yml @@ -45,6 +45,7 @@ path: "{{ matrix_synapse_media_store_path }}" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" + recurse: yes - name: Ensure Matrix Synapse is started (if it previously was) service: name="{{ item }}" state=started daemon_reload=yes From 9b97ab6a90abba8ee48dd1715e1e5a3311ee9b86 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 7 Sep 2017 12:27:32 +0300 Subject: [PATCH 0020/2384] Do not wastefully preserve owner/group when importing media store files --- roles/matrix-server/tasks/import_media_store.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/matrix-server/tasks/import_media_store.yml b/roles/matrix-server/tasks/import_media_store.yml index 51d34ec4..f6cd95f9 100644 --- a/roles/matrix-server/tasks/import_media_store.yml +++ b/roles/matrix-server/tasks/import_media_store.yml @@ -39,6 +39,9 @@ src: "{{ local_path_media_store }}/" dest: "{{ matrix_synapse_media_store_path }}" delete: yes + # It's wasteful to preserve owner/group now. We chown below anyway. + owner: no + group: no - name: Ensure media store permissions are correct file: From 9c68b057b0616c65948257869accaa5c771258be Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 7 Sep 2017 18:26:41 +0300 Subject: [PATCH 0021/2384] Add support for storing Matrix Synapse's media_store to Amazon S3 --- README.md | 44 ++++++++++++++++- roles/matrix-server/defaults/main.yml | 12 +++-- .../tasks/import_media_store.yml | 26 +++++++++- roles/matrix-server/tasks/main.yml | 5 ++ roles/matrix-server/tasks/setup_s3fs.yml | 49 +++++++++++++++++++ roles/matrix-server/tasks/setup_synapse.yml | 19 ++++++- roles/matrix-server/tasks/start.yml | 4 ++ .../templates/s3fs-credentials.j2 | 1 + .../templates/systemd/matrix-s3fs.service.j2 | 35 +++++++++++++ .../systemd/matrix-synapse.service.j2 | 4 ++ 10 files changed, 192 insertions(+), 7 deletions(-) create mode 100644 roles/matrix-server/tasks/setup_s3fs.yml create mode 100644 roles/matrix-server/templates/s3fs-credentials.j2 create mode 100644 roles/matrix-server/templates/systemd/matrix-s3fs.service.j2 diff --git a/README.md b/README.md index 8fc23d42..42971461 100644 --- a/README.md +++ b/README.md @@ -10,11 +10,13 @@ Using this playbook, you can get the following services configured on your serve - a [Matrix Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network +- (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for your Matrix Synapse's content repository (`media_store`) files using [s3fs-fuse](https://github.com/s3fs-fuse/s3fs-fuse) + - a [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse - providing better performance than the default [SQLite](https://sqlite.org/) database -- a [STUN server](https://github.com/coturn/coturn) for WebRTC audio/video calls +- a [STUN/TURN server](https://github.com/coturn/coturn) for WebRTC audio/video calls -- a [Riot](https://riot.im/) web UI +- a [Riot](https://riot.im/) web UI, which is configured to connect to your own Matrix Synapse server by default - free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI @@ -33,6 +35,8 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one retrieves and automatically renews free [Let's Encrypt](https://letsencrypt.org/) **SSL certificates** for you +- this one optionally can store the `media_store` content repository files on [Amazon S3](https://aws.amazon.com/s3/) + Special thanks goes to: - [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) - for the inspiration @@ -91,6 +95,42 @@ You can follow these steps: - edit the inventory hosts file (`inventory/hosts`) to your liking +## Amazon S3 configuration (optional) + +If you'd like to store Matrix Synapse's content repository (`media_store`) files on Amazon S3, +you can let this playbook configure [s3fs-fuse](https://github.com/s3fs-fuse/s3fs-fuse) for you. + +You'll need an Amazon S3 bucket and some IAM user credentials (access key + secret key) with full write access to the bucket. Example security policy: + +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Stmt1400105486000", + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::your-bucket-name", + "arn:aws:s3:::your-bucket-name/*" + ] + } + ] +} +``` + +You then need to enable S3 support in your configuration file (`inventory/matrix./vars.yml`). +It would be something like this: + +``` +matrix_s3_media_store_bucket_name: "your-bucket-name" +matrix_s3_media_store_aws_access_key: "access-key-goes-here" +matrix_s3_media_store_aws_secret_key: "secret-key-goes-here" +``` + + ## Installing Once you have your server and you have [configured your DNS records](#configuring-dns), you can proceed with installing. diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 9f298373..47910501 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -35,9 +35,10 @@ matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" docker_postgres_image: "postgres:9.6.3-alpine" -docker_matrix_image: "silviof/docker-matrix" +docker_matrix_image: "silviof/docker-matrix:latest" docker_nginx_image: "nginx:1.13.3-alpine" -docker_riot_image: "silviof/matrix-riot-docker" +docker_riot_image: "silviof/matrix-riot-docker:latest" +docker_s3fs_image: "xueshanf/s3fs:latest" # Specifies when to restart the Matrix services so that # a new SSL certificate could go into effect (UTC time). @@ -51,4 +52,9 @@ matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" matrix_max_upload_size_mb: 10 matrix_max_log_file_size_mb: 100 -matrix_max_log_files_count: 10 \ No newline at end of file +matrix_max_log_files_count: 10 + +matrix_s3_media_store_enabled: false +matrix_s3_media_store_bucket_name: "your-bucket-name" +matrix_s3_media_store_aws_access_key: "your-aws-access-key" +matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" \ No newline at end of file diff --git a/roles/matrix-server/tasks/import_media_store.yml b/roles/matrix-server/tasks/import_media_store.yml index f6cd95f9..7b191be4 100644 --- a/roles/matrix-server/tasks/import_media_store.yml +++ b/roles/matrix-server/tasks/import_media_store.yml @@ -42,13 +42,37 @@ # It's wasteful to preserve owner/group now. We chown below anyway. owner: no group: no + # The default of times=yes does not work when s3fs is used. + times: "{{ False if matrix_s3_media_store_enabled else True }}" + perms: "{{ False if matrix_s3_media_store_enabled else True }}" -- name: Ensure media store permissions are correct +# This is for the generic case and fails for remote file systems, +# because the base path (matrix_synapse_media_store_path) is a mount point. +- name: Ensure media store permissions are correct (generic case) file: path: "{{ matrix_synapse_media_store_path }}" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" recurse: yes + when: "not matrix_s3_media_store_enabled" + +- name: Determine media store subdirectories + find: paths="{{ local_path_media_store }}" file_type=directory + delegate_to: 127.0.0.1 + become: false + register: media_store_directories_result + when: "matrix_s3_media_store_enabled" + +# This is the s3fs special case. We chown the subdirectories one by one, +# without touching the base directory. +- name: Ensure media store permissions are correct (s3fs) + file: + path: "{{ matrix_synapse_media_store_path }}/{{ item.path|basename }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + recurse: yes + with_items: "{{ media_store_directories_result.files }}" + when: "matrix_s3_media_store_enabled" - name: Ensure Matrix Synapse is started (if it previously was) service: name="{{ item }}" state=started daemon_reload=yes diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 25cad895..9d54d86c 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -1,5 +1,10 @@ --- +- include: tasks/setup_s3fs.yml + tags: + - setup-main + - setup-s3fs + - include: tasks/setup_base.yml tags: - setup-main diff --git a/roles/matrix-server/tasks/setup_s3fs.yml b/roles/matrix-server/tasks/setup_s3fs.yml new file mode 100644 index 00000000..f3312195 --- /dev/null +++ b/roles/matrix-server/tasks/setup_s3fs.yml @@ -0,0 +1,49 @@ +# +# Tasks related to setting up s3fs +# + +- name: Ensure S3fs Docker image is pulled + docker_image: + name: "{{ docker_s3fs_image }}" + when: matrix_s3_media_store_enabled + +- name: Ensure s3fs-credentials file created + template: + src: "{{ role_path }}/templates/s3fs-credentials.j2" + dest: "{{ matrix_base_data_path }}/s3fs-credentials" + owner: root + mode: 0600 + when: matrix_s3_media_store_enabled + +- name: Ensure matrix-s3fs.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-s3fs.service.j2" + dest: "/etc/systemd/system/matrix-s3fs.service" + mode: 0644 + when: matrix_s3_media_store_enabled + +# +# Tasks related to getting rid of s3fs (if it was previously enabled) +# +- name: Ensure matrix-s3fs is stopped + service: name=matrix-s3fs state=stopped daemon_reload=yes + register: stopping_result + when: "not matrix_s3_media_store_enabled" + +- name: Ensure matrix-s3fs.service doesn't exist + file: + path: "{{ matrix_base_data_path }}/s3fs-credentials" + state: absent + when: "not matrix_s3_media_store_enabled" + +- name: Ensure s3fs-credentials doesn't exist + file: + path: "{{ matrix_base_data_path }}/s3fs-credentials" + state: absent + when: "not matrix_s3_media_store_enabled" + +- name: Ensure S3fs Docker image doesn't exist + docker_image: + name: "{{ docker_s3fs_image }}" + state: absent + when: "not matrix_s3_media_store_enabled" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 91329ba5..e53dbc50 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -11,7 +11,24 @@ - "{{ matrix_synapse_base_path }}" - "{{ matrix_synapse_config_dir_path }}" - "{{ matrix_synapse_run_path }}" - - "{{ matrix_synapse_media_store_path }}" + # We handle matrix_synapse_media_store_path below, not here, + # because if it's using S3fs and it's already mounted (from before), + # trying to chown/chmod it here will cause trouble. + +- name: Check Matrix Synapse media store path + stat: path="{{ matrix_synapse_media_store_path }}" + register: local_path_media_store_stat + +# This is separate and conditional, to ensure we don't execute it +# if the path already exists (and is likely used by an s3fs mount). +- name: Ensure Matrix media store path exists + file: + path: "{{ matrix_synapse_media_store_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "not local_path_media_store_stat.stat.exists" - name: Ensure Matrix Docker image is pulled docker_image: diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index 31ec3abc..110244ee 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -3,6 +3,10 @@ - name: Ensure matrix-postgres autoruns and is restarted service: name=matrix-postgres enabled=yes state=restarted daemon_reload=yes +- name: Ensure matrix-s3fs autoruns and is restarted + service: name=matrix-s3fs enabled=yes state=restarted daemon_reload=yes + when: matrix_s3_media_store_enabled + - name: Ensure matrix-synapse autoruns and is restarted service: name=matrix-synapse enabled=yes state=restarted daemon_reload=yes diff --git a/roles/matrix-server/templates/s3fs-credentials.j2 b/roles/matrix-server/templates/s3fs-credentials.j2 new file mode 100644 index 00000000..51e9365f --- /dev/null +++ b/roles/matrix-server/templates/s3fs-credentials.j2 @@ -0,0 +1 @@ +{{ matrix_s3_media_store_aws_access_key }}:{{ matrix_s3_media_store_aws_secret_key }} \ No newline at end of file diff --git a/roles/matrix-server/templates/systemd/matrix-s3fs.service.j2 b/roles/matrix-server/templates/systemd/matrix-s3fs.service.j2 new file mode 100644 index 00000000..51212fb7 --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-s3fs.service.j2 @@ -0,0 +1,35 @@ +[Unit] +Description=Matrix S3fs media store +After=docker.service +Requires=docker.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill %n +ExecStartPre=-/usr/bin/docker rm %n +ExecStartPre=-/usr/bin/mkdir /tmp/matrix-s3fs-cache +ExecStart=/usr/bin/docker run --rm --name %n \ + -v {{ matrix_base_data_path }}/s3fs-credentials:/s3fs-credentials \ + --security-opt apparmor:unconfined \ + --cap-add mknod \ + --cap-add sys_admin \ + --device=/dev/fuse \ + -v {{ matrix_synapse_media_store_path }}:/media-store:shared \ + -v /tmp/matrix-s3fs-cache:/s3fs-cache \ + {{ docker_s3fs_image }} \ + /usr/bin/s3fs -f \ + -o allow_other \ + -o use_cache=/s3fs-cache \ + -o storage_class=standard_ia \ + -o passwd_file=/s3fs-credentials \ + {{ matrix_s3_media_store_bucket_name }} /media-store +TimeoutStartSec=5min +ExecStop=-/usr/bin/docker stop %n +ExecStop=-/usr/bin/docker kill %n +ExecStop=-/usr/bin/docker rm %n +ExecStop=-/usr/bin/rm -rf /tmp/matrix-s3fs-cache +Restart=always +RestartSec=5 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index c1f7b1f6..8752f1c3 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -4,6 +4,10 @@ After=docker.service Requires=docker.service Requires=matrix-postgres.service After=matrix-postgres.service +{% if matrix_s3_media_store_enabled %} +After=matrix-s3fs.service +Requires=matrix-s3fs.service +{% endif %} [Service] Type=simple From 0f43abb91dbce8ce3afd6b0b24dd2e29850c4c46 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Sep 2017 10:47:12 +0300 Subject: [PATCH 0022/2384] Do not assume /usr/local/bin is always on the PATH --- README.md | 2 +- roles/matrix-server/tasks/register_user.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 42971461..16fea42c 100644 --- a/README.md +++ b/README.md @@ -194,7 +194,7 @@ You can do it via this Ansible playbook (make sure to edit the `` **or** using the command-line after **SSH**-ing to your server (requires that [all services have been started](#starting-the-services)): - matrix-synapse-register-user + /usr/local/bin/matrix-synapse-register-user **Note**: `` is just a plain username (like `john`), not your full `@:` identifier. diff --git a/roles/matrix-server/tasks/register_user.yml b/roles/matrix-server/tasks/register_user.yml index cfd76867..f77ee08d 100644 --- a/roles/matrix-server/tasks/register_user.yml +++ b/roles/matrix-server/tasks/register_user.yml @@ -21,4 +21,4 @@ when: start_result.changed - name: Register user - shell: "matrix-synapse-register-user {{ username }} {{ password }} {{ '1' if admin == 'yes' else '0' }}" \ No newline at end of file + shell: "/usr/local/bin/matrix-synapse-register-user {{ username }} {{ password }} {{ '1' if admin == 'yes' else '0' }}" \ No newline at end of file From 49e5dad86d5d1bf31924cd020c897cb6be16572d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Sep 2017 10:50:31 +0300 Subject: [PATCH 0023/2384] Do not do the S3 setup so early It was never intended to be there, but was while testing/development and got forgotten later. --- roles/matrix-server/tasks/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 9d54d86c..088bd495 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -1,10 +1,5 @@ --- -- include: tasks/setup_s3fs.yml - tags: - - setup-main - - setup-s3fs - - include: tasks/setup_base.yml tags: - setup-main @@ -23,6 +18,11 @@ - setup-main - setup-postgres +- include: tasks/setup_s3fs.yml + tags: + - setup-main + - setup-s3fs + - include: tasks/setup_synapse.yml tags: - setup-main From ac5919269646d9f19db1bbf8453d60a04fc35740 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Sep 2017 14:18:12 +0300 Subject: [PATCH 0024/2384] Do not leave containers behind after matrix-postgres-cli usage --- .../templates/usr-local-bin/matrix-postgres-cli.j2 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 index 083c5df2..383a78fc 100644 --- a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 +++ b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -1,3 +1,9 @@ #!/bin/bash -docker run --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker -it --link=matrix-postgres:postgres postgres:9.6.3-alpine psql -h postgres \ No newline at end of file +docker run \ + -it \ + --rm \ + --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ + --link=matrix-postgres:postgres \ + {{ docker_postgres_image }} \ + psql -h postgres From f6be25a6ae05780282a4fc4f121fadcd7d454766 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Sep 2017 16:34:40 +0300 Subject: [PATCH 0025/2384] Fix idempotency problem when getting rid of S3 setup --- roles/matrix-server/tasks/setup_s3fs.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/tasks/setup_s3fs.yml b/roles/matrix-server/tasks/setup_s3fs.yml index f3312195..b37cc568 100644 --- a/roles/matrix-server/tasks/setup_s3fs.yml +++ b/roles/matrix-server/tasks/setup_s3fs.yml @@ -25,16 +25,21 @@ # # Tasks related to getting rid of s3fs (if it was previously enabled) # + +- name: Check existance of matrix-s3fs service + stat: path="/etc/systemd/system/matrix-s3fs.service" + register: matrix_s3fs_service_stat + - name: Ensure matrix-s3fs is stopped service: name=matrix-s3fs state=stopped daemon_reload=yes register: stopping_result - when: "not matrix_s3_media_store_enabled" + when: "not matrix_s3_media_store_enabled and matrix_s3fs_service_stat.stat.exists" - name: Ensure matrix-s3fs.service doesn't exist file: - path: "{{ matrix_base_data_path }}/s3fs-credentials" + path: "/etc/systemd/system/matrix-s3fs.service" state: absent - when: "not matrix_s3_media_store_enabled" + when: "not matrix_s3_media_store_enabled and matrix_s3fs_service_stat.stat.exists" - name: Ensure s3fs-credentials doesn't exist file: From ab1a9fd87e4f9a424abe381bfd30bf09243eb266 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Sep 2017 16:53:24 +0300 Subject: [PATCH 0026/2384] Add support for using an external PostgreSQL server --- README.md | 29 +++++++++- roles/matrix-server/defaults/main.yml | 6 +- .../matrix-server/tasks/import_sqlite_db.yml | 2 +- roles/matrix-server/tasks/setup_postgres.yml | 57 ++++++++++++++++--- roles/matrix-server/tasks/setup_synapse.yml | 9 ++- .../systemd/matrix-synapse.service.j2 | 6 +- .../usr-local-bin/matrix-postgres-cli.j2 | 6 +- 7 files changed, 95 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 16fea42c..620c4e1f 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ Using this playbook, you can get the following services configured on your serve - (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for your Matrix Synapse's content repository (`media_store`) files using [s3fs-fuse](https://github.com/s3fs-fuse/s3fs-fuse) -- a [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse - providing better performance than the default [SQLite](https://sqlite.org/) database +- (optional default) [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse - providing better performance than the default [SQLite](https://sqlite.org/) database. Using an external PostgreSQL server [is possible](#using-an-external-postgresql-server-optional) as well - a [STUN/TURN server](https://github.com/coturn/coturn) for WebRTC audio/video calls @@ -35,7 +35,9 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one retrieves and automatically renews free [Let's Encrypt](https://letsencrypt.org/) **SSL certificates** for you -- this one optionally can store the `media_store` content repository files on [Amazon S3](https://aws.amazon.com/s3/) +- this one optionally can store the `media_store` content repository files on [Amazon S3](https://aws.amazon.com/s3/) (but defaults to storing files on the server's filesystem) + +- this one optionally allows you to use an external PostgreSQL server for Matrix Synapse's database (but defaults to running one in a container) Special thanks goes to: @@ -97,6 +99,9 @@ You can follow these steps: ## Amazon S3 configuration (optional) +By default, this playbook configures your server to store Matrix Synapse's content repository (`media_store`) files on the local filesystem. +If that's alright, you can skip ahead. + If you'd like to store Matrix Synapse's content repository (`media_store`) files on Amazon S3, you can let this playbook configure [s3fs-fuse](https://github.com/s3fs-fuse/s3fs-fuse) for you. @@ -131,6 +136,26 @@ matrix_s3_media_store_aws_secret_key: "secret-key-goes-here" ``` +## Using an external PostgreSQL server (optional) + +By default, this playbook would set up a PostgreSQL database server on your machine, running in a Docker container. +If that's alright, you can skip ahead. + +If you'd like to use an external PostgreSQL server that you manage, you can edit your configuration file (`inventory/matrix./vars.yml`). +It should be something like this: + +``` +matrix_postgres_use_external: true +matrix_postgres_connection_hostname: "your-postgres-server-hostname" +matrix_postgres_connection_username: "your-postgres-server-username" +matrix_postgres_connection_password: "your-postgres-server-password" +matrix_postgres_db_name: "your-postgres-server-database-name" +``` + +The database (as specified in `matrix_postgres_db_name`) must exist and be accessible with the given credentials. +It must be empty or contain a valid Matrix Synapse database. If empty, Matrix Synapse would populate it the first time it runs. + + ## Installing Once you have your server and you have [configured your DNS records](#configuring-dns), you can proceed with installing. diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 47910501..8ae0ff85 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -18,6 +18,10 @@ matrix_user_username: "matrix" matrix_user_uid: 991 matrix_user_gid: 991 +# The defaults below cause a postgres server to be configured (running within a container). +# Using an external server is possible by tweaking all of the parameters below. +matrix_postgres_use_external: false +matrix_postgres_connection_hostname: "postgres" matrix_postgres_connection_username: "synapse" matrix_postgres_connection_password: "synapse-password" matrix_postgres_db_name: "homeserver" @@ -57,4 +61,4 @@ matrix_max_log_files_count: 10 matrix_s3_media_store_enabled: false matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "your-aws-access-key" -matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" \ No newline at end of file +matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" diff --git a/roles/matrix-server/tasks/import_sqlite_db.yml b/roles/matrix-server/tasks/import_sqlite_db.yml index 0390e195..4bd860d5 100644 --- a/roles/matrix-server/tasks/import_sqlite_db.yml +++ b/roles/matrix-server/tasks/import_sqlite_db.yml @@ -72,7 +72,7 @@ - "{{ matrix_scratchpad_dir }}:/scratchpad" - "{{ matrix_scratchpad_dir }}/synapse_port_db_with_patch:/usr/local/bin/synapse_port_db_with_patch" links: - - "matrix-postgres:postgres" + - "matrix-postgres:{{ matrix_postgres_connection_hostname }}" - name: Ensure scratchpad directory is deleted file: diff --git a/roles/matrix-server/tasks/setup_postgres.yml b/roles/matrix-server/tasks/setup_postgres.yml index 94fad7b8..04b186fa 100644 --- a/roles/matrix-server/tasks/setup_postgres.yml +++ b/roles/matrix-server/tasks/setup_postgres.yml @@ -1,13 +1,10 @@ --- -- name: Ensure postgres data path exists - file: - path: "{{ matrix_postgres_data_path }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" +# +# Generic tasks, no matter what kind of server we're using (internal/external) +# +# Even if we don't run the internal server, we still need this for running the CLI - name: Ensure postgres Docker image is pulled docker_image: name: "{{ docker_postgres_image }}" @@ -27,8 +24,52 @@ dest: "/usr/local/bin/matrix-postgres-cli" mode: 0750 +# +# Tasks related to setting up an internal postgres server +# + +- name: Ensure postgres data path exists + file: + path: "{{ matrix_postgres_data_path }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "not matrix_postgres_use_external" + - name: Ensure matrix-postgres.service installed template: src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2" dest: "/etc/systemd/system/matrix-postgres.service" - mode: 0644 \ No newline at end of file + mode: 0644 + when: "not matrix_postgres_use_external" + +# +# Tasks related to getting rid of the internal postgres server (if it was previously enabled) +# + +- name: Check existance of matrix-postgres service + stat: path="/etc/systemd/system/matrix-postgres.service" + register: matrix_postgres_service_stat + when: matrix_postgres_use_external + +- name: Ensure matrix-postgres is stopped + service: name=matrix-postgres state=stopped daemon_reload=yes + when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists" + +- name: Ensure matrix-postgres.service doesn't exist + file: + path: "/etc/systemd/system/matrix-postgres.service" + state: absent + when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists" + +- name: Check existance of matrix-postgres local data path + stat: path="{{ matrix_postgres_data_path }}" + register: matrix_postgres_data_path_stat + when: matrix_postgres_use_external + +# We just want to notify the user. Deleting data is too destructive. +- name: Notify if matrix-postgres local data remains + debug: + msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete that." + when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index e53dbc50..64cae5fb 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -109,12 +109,11 @@ line: '\1name: "psycopg2"' backrefs: yes -- name: Augment Matrix config (add the Postgres connection parameters) - lineinfile: +- name: Augment Matrix config (set the Postgres connection parameters) + replace: dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" - regexp: '(.*)database: "(.*)homeserver.db"' - line: '\1user: "{{ matrix_postgres_connection_username }}"\n\1password: "{{ matrix_postgres_connection_password }}"\n\1database: "homeserver"\n\1host: "postgres"\n\1cp_min: 5\n\1cp_max: 10' - backrefs: yes + regexp: '(.*)name: "psycopg2"((?:.|\n)*?)\n\n' + replace: '\1name: "psycopg2"\n\1args:\n\1\1user: "{{ matrix_postgres_connection_username }}"\n\1\1password: "{{ matrix_postgres_connection_password }}"\n\1\1database: "{{ matrix_postgres_db_name }}"\n\1\1host: "{{ matrix_postgres_connection_hostname }}"\n\1\1cp_min: 5\n\1\1cp_max: 10\n\n' - name: Augment Matrix config (configure Coturn) lineinfile: "dest={{ matrix_synapse_config_dir_path }}/turnserver.conf" diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 8752f1c3..6690a1fe 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -2,8 +2,10 @@ Description=Matrix Synapse server After=docker.service Requires=docker.service +{% if not matrix_postgres_use_external %} Requires=matrix-postgres.service After=matrix-postgres.service +{% endif %} {% if matrix_s3_media_store_enabled %} After=matrix-s3fs.service Requires=matrix-s3fs.service @@ -15,7 +17,9 @@ ExecStartPre=-/usr/bin/docker kill matrix-synapse ExecStartPre=-/usr/bin/docker rm matrix-synapse ExecStartPre=-/usr/bin/chown {{ matrix_user_username }}:{{ matrix_user_username }} {{ ssl_certs_path }} -R ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ - --link matrix-postgres:postgres \ + {% if not matrix_postgres_use_external %} + --link matrix-postgres:{{ matrix_postgres_connection_hostname }} \ + {% endif %} -p 8448:8448 \ -p 3478:3478 \ -p 3478:3478/udp \ diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 index 383a78fc..2e6a15ce 100644 --- a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 +++ b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -4,6 +4,8 @@ docker run \ -it \ --rm \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ - --link=matrix-postgres:postgres \ + {% if not matrix_postgres_use_external %} + --link=matrix-postgres:{{ matrix_postgres_connection_hostname }} \ + {% endif %} {{ docker_postgres_image }} \ - psql -h postgres + psql -h {{ matrix_postgres_connection_hostname }} \ No newline at end of file From f422e379c275e3005f8f8cdd2167228cc8ecd5ee Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 11 Sep 2017 00:58:22 +0300 Subject: [PATCH 0027/2384] Do not try to start postgres when it's external --- roles/matrix-server/tasks/start.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index 110244ee..43072b40 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -2,6 +2,7 @@ - name: Ensure matrix-postgres autoruns and is restarted service: name=matrix-postgres enabled=yes state=restarted daemon_reload=yes + when: "not matrix_postgres_use_external" - name: Ensure matrix-s3fs autoruns and is restarted service: name=matrix-s3fs enabled=yes state=restarted daemon_reload=yes From 7c049be11ac171981015d79ea0692bf619c90cc5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 11 Sep 2017 22:16:51 +0300 Subject: [PATCH 0028/2384] Update postgres and nginx --- roles/matrix-server/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 8ae0ff85..db6d6d8f 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -38,9 +38,9 @@ matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" -docker_postgres_image: "postgres:9.6.3-alpine" +docker_postgres_image: "postgres:9.6.5-alpine" docker_matrix_image: "silviof/docker-matrix:latest" -docker_nginx_image: "nginx:1.13.3-alpine" +docker_nginx_image: "nginx:1.13.5-alpine" docker_riot_image: "silviof/matrix-riot-docker:latest" docker_s3fs_image: "xueshanf/s3fs:latest" From 13ab9eb238165c36cce996d3e6a25fa1d7cbdaf3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 11 Sep 2017 22:55:05 +0300 Subject: [PATCH 0029/2384] Do not touch hostname and timezone Let's let the admin set them as they wish. We don't care what they are anyway. If other things run on the same server, it's also better not to hijack these for our own purposes, especially when we don't need to. The timedatectl call also seems to fail on Ubuntu 17.04 for some reason (missing timezones information file?). --- roles/matrix-server/tasks/setup_base.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/roles/matrix-server/tasks/setup_base.yml b/roles/matrix-server/tasks/setup_base.yml index 598be601..1caa89e5 100644 --- a/roles/matrix-server/tasks/setup_base.yml +++ b/roles/matrix-server/tasks/setup_base.yml @@ -38,10 +38,3 @@ - name: Ensure SELinux disabled selinux: state=disabled - -- name: Ensure correct hostname set - hostname: name="{{ hostname_matrix }}" - -- name: Ensure timezone is UTC - timezone: - name: UTC \ No newline at end of file From ded7c274f6859b2cb65892ad5e867c556f339785 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 11 Sep 2017 23:24:05 +0300 Subject: [PATCH 0030/2384] Add support for Debian (9+) and Ubuntu (16.04+) --- README.md | 4 +- roles/matrix-server/tasks/setup_base.yml | 44 ++++++++++++++++++- .../matrix-server/tasks/setup_nginx_proxy.yml | 1 + roles/matrix-server/tasks/setup_ssl.yml | 1 + roles/matrix-server/tasks/setup_synapse.yml | 1 + .../systemd/matrix-synapse.service.j2 | 2 +- 6 files changed, 49 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 620c4e1f..f323e9bd 100644 --- a/README.md +++ b/README.md @@ -31,6 +31,8 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one **can be re-ran many times** without causing trouble +- works on both **CentOS** (7.0+) and Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+) + - this one **runs everything in Docker containers** (like [silviof/docker-matrix](https://hub.docker.com/r/silviof/docker-matrix/) and [silviof/matrix-riot-docker](https://hub.docker.com/r/silviof/matrix-riot-docker/)), so it's likely more predictable - this one retrieves and automatically renews free [Let's Encrypt](https://letsencrypt.org/) **SSL certificates** for you @@ -50,7 +52,7 @@ Special thanks goes to: ## Prerequisites -- **CentOS server** with no services running on port 80/443 (making this run on non-CentOS servers should be possible in the future) +- **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (16.04+) server with no services running on port 80/443 - the [Ansible](http://ansible.com/) program, which is used to run this playbook and configures everything for you diff --git a/roles/matrix-server/tasks/setup_base.yml b/roles/matrix-server/tasks/setup_base.yml index 1caa89e5..99065a37 100644 --- a/roles/matrix-server/tasks/setup_base.yml +++ b/roles/matrix-server/tasks/setup_base.yml @@ -17,7 +17,7 @@ key: https://download.docker.com/linux/centos/gpg when: ansible_distribution == 'CentOS' -- name: Ensure yum packages are installed (base) +- name: Ensure yum packages are installed (CentOS) yum: name="{{ item }}" state=latest update_cache=yes with_items: - bash-completion @@ -27,14 +27,54 @@ - ntp when: ansible_distribution == 'CentOS' +- name: Ensure APT usage dependencies are installed (Debian) + apt: + name: "{{ item }}" + state: present + update_cache: yes + with_items: + - apt-transport-https + - ca-certificates + when: ansible_os_family == 'Debian' + +- name: Ensure Docker's APT key is trusted (Debian) + apt_key: + url: https://download.docker.com/linux/ubuntu/gpg + id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 + state: present + register: add_repository_key + ignore_errors: true + when: ansible_os_family == 'Debian' + +- name: Ensure Docker repository is enabled (Debian) + apt_repository: + repo: "deb https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} stable" + state: present + update_cache: yes + when: ansible_os_family == 'Debian' + +- name: Ensure APT packages are installed (Debian) + apt: name="{{ item }}" state=latest update_cache=yes + with_items: + - bash-completion + - docker-ce + - python-docker + - ntp + when: ansible_os_family == 'Debian' + - name: Ensure firewalld is started and autoruns service: name=firewalld state=started enabled=yes + when: ansible_os_family == 'RedHat' - name: Ensure Docker is started and autoruns service: name=docker state=started enabled=yes - name: Ensure ntpd is started and autoruns - service: name=ntpd state=started enabled=yes + service: + name: "{{ 'ntpd' if ansible_os_family == 'RedHat' else 'ntp' }}" + state: started + enabled: yes - name: Ensure SELinux disabled selinux: state=disabled + when: ansible_os_family == 'RedHat' \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup_nginx_proxy.yml index 307d8a24..1839684d 100644 --- a/roles/matrix-server/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-server/tasks/setup_nginx_proxy.yml @@ -33,6 +33,7 @@ with_items: - "http" - "https" + when: ansible_os_family == 'RedHat' - name: Ensure matrix-nginx-proxy.service installed template: diff --git a/roles/matrix-server/tasks/setup_ssl.yml b/roles/matrix-server/tasks/setup_ssl.yml index 1b4bf043..c9b7afe0 100644 --- a/roles/matrix-server/tasks/setup_ssl.yml +++ b/roles/matrix-server/tasks/setup_ssl.yml @@ -9,6 +9,7 @@ with_items: - http - https + when: ansible_os_family == 'RedHat' - name: Ensure acmetool Docker image is pulled docker_image: diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 64cae5fb..bd5ddc7b 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -136,6 +136,7 @@ - '3478/tcp' # STUN - '3478/udp' # STUN - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN + when: ansible_os_family == 'RedHat' - name: Ensure matrix-synapse.service installed template: diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 6690a1fe..fd755d36 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -15,7 +15,7 @@ Requires=matrix-s3fs.service Type=simple ExecStartPre=-/usr/bin/docker kill matrix-synapse ExecStartPre=-/usr/bin/docker rm matrix-synapse -ExecStartPre=-/usr/bin/chown {{ matrix_user_username }}:{{ matrix_user_username }} {{ ssl_certs_path }} -R +ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ ssl_certs_path }} -R ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% if not matrix_postgres_use_external %} --link matrix-postgres:{{ matrix_postgres_connection_hostname }} \ From cb323f5b4cb8429e4ac0506a9384217df103ff84 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 11 Sep 2017 23:50:14 +0300 Subject: [PATCH 0031/2384] Move SSL certificates from /etc/pki/acmetool-certs to /matrix/ssl Moving keeps everything in the /matrix directory, so that we wouldn't contaminate anything else on the system or risk clashing with something else. Also retrieving certificates separately for the Riot and Matrix domains, which should help in multiple ways: - allows them to be very different (completely separate base domain..) - allows for Riot to be disabled for the playbook some time later and still have the code not break --- examples/host-vars.yml | 2 +- roles/matrix-server/defaults/main.yml | 5 ++--- roles/matrix-server/tasks/setup_main.yml | 12 +++++++++++- roles/matrix-server/tasks/setup_postgres.yml | 6 +++--- roles/matrix-server/tasks/setup_s3fs.yml | 4 ++-- roles/matrix-server/tasks/setup_ssl.yml | 15 +++++++++------ roles/matrix-server/tasks/setup_synapse.yml | 1 - .../templates/cron.d/matrix-periodic-restarter.j2 | 4 ++-- ...newal.j2 => matrix-ssl-certificate-renewal.j2} | 4 ++-- .../systemd/matrix-nginx-proxy.service.j2 | 2 +- .../templates/systemd/matrix-synapse.service.j2 | 4 ++-- 11 files changed, 35 insertions(+), 24 deletions(-) rename roles/matrix-server/templates/cron.d/{ssl-certificate-renewal.j2 => matrix-ssl-certificate-renewal.j2} (76%) diff --git a/examples/host-vars.yml b/examples/host-vars.yml index d7abcb93..ef911ecf 100644 --- a/examples/host-vars.yml +++ b/examples/host-vars.yml @@ -5,7 +5,7 @@ # an email notification there. # # Example value: someone@example.com -host_specific_ssl_support_email: YOUR_EMAIL_ADDRESS_HERE +host_specific_matrix_ssl_support_email: YOUR_EMAIL_ADDRESS_HERE # This is your bare domain name (`- /usr/bin/docker run --rm --name acmetool-host-grab -p 80:80 - -v {{ ssl_certs_path }}:/certs - -e ACME_EMAIL={{ ssl_support_email }} + -v {{ matrix_ssl_certs_path }}:/certs + -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker - acmetool want {{ hostname_matrix }} {{ hostname_riot }} --xlog.severity=debug + acmetool want {{ item }} --xlog.severity=debug + with_items: + - "{{ hostname_matrix }}" + - "{{ hostname_riot }}" - name: Ensure matrix-nginx-proxy is started (if previously installed & started) service: name=matrix-nginx-proxy state=started @@ -45,6 +48,6 @@ - name: Ensure periodic SSL renewal cronjob configured template: - src: "{{ role_path }}/templates/cron.d/ssl-certificate-renewal.j2" - dest: "/etc/cron.d/ssl-certificate-renewal" + src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2" + dest: "/etc/cron.d/matrix-ssl-certificate-renewal" mode: 0600 diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index bd5ddc7b..7cb42728 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -8,7 +8,6 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - "{{ matrix_synapse_base_path }}" - "{{ matrix_synapse_config_dir_path }}" - "{{ matrix_synapse_run_path }}" # We handle matrix_synapse_media_store_path below, not here, diff --git a/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 b/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 index 174eb36b..719ca253 100644 --- a/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 +++ b/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 @@ -1,8 +1,8 @@ -MAILTO="{{ ssl_support_email }}" +MAILTO="{{ matrix_ssl_support_email }}" # This periodically restarts the Matrix services # to ensure they're using the latest SSL certificate -# in case it got renewed by the `ssl-certificate-renewal` cronjob +# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob # (which happens once every ~2-3 months). # # Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`, diff --git a/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 similarity index 76% rename from roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2 rename to roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 index cf67917f..3769bf1a 100644 --- a/roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2 +++ b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 @@ -1,4 +1,4 @@ -MAILTO="{{ ssl_support_email }}" +MAILTO="{{ matrix_ssl_support_email }}" # The goal of this cronjob is to ask acmetool to check # the current SSL certificates and to see if some need renewal. @@ -18,4 +18,4 @@ MAILTO="{{ ssl_support_email }}" # These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy, # because it aliases `/.well-known/acme-challenge` to that same directory. -15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ ssl_certs_path }}:/certs -v {{ ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug +15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index 3b9cfbbb..5a47939b 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -17,7 +17,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ --link matrix-synapse:synapse \ --link matrix-riot-web:riot \ -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d \ - -v {{ ssl_certs_path }}:/acmetool-certs \ + -v {{ matrix_ssl_certs_path }}:/acmetool-certs \ {{ docker_nginx_image }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy ExecStop=-/usr/bin/docker rm matrix-nginx-proxy diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index fd755d36..e14e8d23 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -15,7 +15,7 @@ Requires=matrix-s3fs.service Type=simple ExecStartPre=-/usr/bin/docker kill matrix-synapse ExecStartPre=-/usr/bin/docker rm matrix-synapse -ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ ssl_certs_path }} -R +ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ matrix_ssl_certs_path }} -R ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% if not matrix_postgres_use_external %} --link matrix-postgres:{{ matrix_postgres_connection_hostname }} \ @@ -27,7 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ -v {{ matrix_synapse_config_dir_path }}:/data \ -v {{ matrix_synapse_run_path }}:/matrix-run \ -v {{ matrix_synapse_media_store_path }}:/matrix-media-store \ - -v {{ ssl_certs_path }}:/acmetool-certs \ + -v {{ matrix_ssl_certs_path }}:/acmetool-certs \ {{ docker_matrix_image }} ExecStop=-/usr/bin/docker kill matrix-synapse ExecStop=-/usr/bin/docker rm matrix-synapse From b3a869873401df69b26348430bb6316a3472a900 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 12 Sep 2017 00:37:18 +0300 Subject: [PATCH 0032/2384] Update README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index f323e9bd..31030241 100644 --- a/README.md +++ b/README.md @@ -230,6 +230,8 @@ You can do it via this Ansible playbook (make sure to edit the `` This Ansible playbook can be improved in the following ways: +- not expecting to run its own nginx server overtaking port 80/443, thus allowing own/custom proxying to be configured + - setting up automatic backups to one or more storage providers - [importing an old SQLite database](#Restoring-an-existing-SQLite=database-from-another-installation) likely works because of a patch, but may be fragile until [this](https://github.com/matrix-org/synapse/issues/2287) is fixed \ No newline at end of file From 6962bfcc4238104922a1d334dcd579f28726df27 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 12 Sep 2017 12:41:44 +0300 Subject: [PATCH 0033/2384] Add support for not taking over a server (no matrix-nginx-proxy) and disabling Riot --- README.md | 62 +++++++++++++++++-- roles/matrix-server/defaults/main.yml | 11 ++++ .../matrix-server/tasks/setup_nginx_proxy.yml | 44 +++++++++++-- roles/matrix-server/tasks/setup_riot_web.yml | 41 +++++++++++- roles/matrix-server/tasks/setup_ssl.yml | 13 +++- roles/matrix-server/tasks/start.yml | 2 + .../cron.d/matrix-ssl-certificate-renewal.j2 | 5 +- .../nginx-conf.d/matrix-riot-web.conf.j2 | 8 +-- .../nginx-conf.d/matrix-synapse.conf.j2 | 8 +-- .../systemd/matrix-nginx-proxy.service.j2 | 2 +- .../systemd/matrix-riot-web.service.j2 | 3 + .../systemd/matrix-synapse.service.j2 | 3 + 12 files changed, 178 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 31030241..862925dd 100644 --- a/README.md +++ b/README.md @@ -16,10 +16,12 @@ Using this playbook, you can get the following services configured on your serve - a [STUN/TURN server](https://github.com/coturn/coturn) for WebRTC audio/video calls -- a [Riot](https://riot.im/) web UI, which is configured to connect to your own Matrix Synapse server by default +- (optional default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Matrix Synapse server by default - free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI +- (optional default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](#using-your-own-webserver-instead-of-this-playbooks-nginx-proxy-optional) + Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. @@ -33,13 +35,17 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - works on both **CentOS** (7.0+) and Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+) +- this one keeps mostly everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place + +- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up nginx for you there, but you can disable that and configure your own webserver (proxy) + - this one **runs everything in Docker containers** (like [silviof/docker-matrix](https://hub.docker.com/r/silviof/docker-matrix/) and [silviof/matrix-riot-docker](https://hub.docker.com/r/silviof/matrix-riot-docker/)), so it's likely more predictable - this one retrieves and automatically renews free [Let's Encrypt](https://letsencrypt.org/) **SSL certificates** for you - this one optionally can store the `media_store` content repository files on [Amazon S3](https://aws.amazon.com/s3/) (but defaults to storing files on the server's filesystem) -- this one optionally allows you to use an external PostgreSQL server for Matrix Synapse's database (but defaults to running one in a container) +- this one optionally **allows you to use an external PostgreSQL server** for Matrix Synapse's database (but defaults to running one in a container) Special thanks goes to: @@ -52,7 +58,7 @@ Special thanks goes to: ## Prerequisites -- **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (16.04+) server with no services running on port 80/443 +- **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (16.04+) server. This playbook can take over your whole server or co-exist with other services that you have there. - the [Ansible](http://ansible.com/) program, which is used to run this playbook and configures everything for you @@ -158,6 +164,33 @@ The database (as specified in `matrix_postgres_db_name`) must exist and be acces It must be empty or contain a valid Matrix Synapse database. If empty, Matrix Synapse would populate it the first time it runs. +## Using your own webserver, instead of this playbook's nginx proxy (optional) + +By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443. +If that's alright, you can skip ahead. + +If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that, +and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can. + +All it takes is editing your configuration file (`inventory/matrix./vars.yml`): + +``` +matrix_nginx_proxy_enabled: false +``` + +**Note**: even if you do this, in order [to install](#installing), this playbook still expects port 80 to be available. **Please manually stop your other webserver while installing**. You can start it back again afterwards. + +**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` + +**If your own webserver is not nginx**, you can still take a look at the sample files in `/matrix/nginx-proxy/conf.d`, and: + +- ensure you set up (separate) vhosts that proxy for both Riot (`localhost:8765`) and Matrix Synapse (`localhost:8008`) + +- ensure that the `/.well-known/acme-challenge` location for each "port=80 vhost" is an alias to the `/matrix/ssl/run/acme-challenge` directory (for automated SSL renewal to work) + +- ensure that you restart/reload your webserver once in a while, so that renewed SSL certificates would take effect (once a month should be enough) + + ## Installing Once you have your server and you have [configured your DNS records](#configuring-dns), you can proceed with installing. @@ -226,12 +259,31 @@ You can do it via this Ansible playbook (make sure to edit the `` **Note**: `` is just a plain username (like `john`), not your full `@:` identifier. +## Uninstalling + +**Note**: If you have some trouble with your installation configuration, you can just re-run the playbook and it will try to set things up again. You don't need to uninstall and install fresh. + +However, if you've installed this on some server where you have other stuff you wish to preserve, and now want get rid of Matrix, it's enough to do these: + +- ensure all Matrix services are stopped (`systemctl stop 'matrix*'`) + +- delete the Matrix-related systemd .service files (`rm -f /etc/systemd/system/matrix*`) and reload systemd (`systemctl daemon-reload`) + +- delete all Matrix-related cronjobs (`rm -f /etc/cron.d/matrix*'`) + +- delete some helper scripts (`rm -f /usr/local/bin/matrix*`) + +- delete some cached Docker images (or just delete them all: `docker rmi $(docker images -aq)`) + +- uninstall Docker itself, if necessary + +- delete the `/matrix` directory (`rm -rf /matrix`) + + ## Deficiencies This Ansible playbook can be improved in the following ways: -- not expecting to run its own nginx server overtaking port 80/443, thus allowing own/custom proxying to be configured - - setting up automatic backups to one or more storage providers - [importing an old SQLite database](#Restoring-an-existing-SQLite=database-from-another-installation) likely works because of a patch, but may be fragile until [this](https://github.com/matrix-org/synapse/issues/2287) is fixed \ No newline at end of file diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index d61af287..9139b913 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -61,3 +61,14 @@ matrix_s3_media_store_enabled: false matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "your-aws-access-key" matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" + +# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain. +# If you wish to connect to your Matrix server by other means, +# you may wish to disable this. +matrix_riot_web_enabled: true + +# By default, this playbook sets up its own nginx proxy server on port 80/443. +# This is fine if you're dedicating the whole server to Matrix. +# But in case that's not the case, you may wish to prevent that +# and take care of proxying by yourself. +matrix_nginx_proxy_enabled: true diff --git a/roles/matrix-server/tasks/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup_nginx_proxy.yml index 1839684d..0363d062 100644 --- a/roles/matrix-server/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-server/tasks/setup_nginx_proxy.yml @@ -1,5 +1,15 @@ --- +# +# Generic tasks that we always want to happen, regardless +# if the user wants matrix-nginx-proxy or not. +# +# If the user would set up their own nginx proxy server, +# the config files from matrix-nginx-proxy can be reused. +# +# It doesn't hurt to put them in place, even if they turn out +# to be unnecessary. +# - name: Ensure Matrix nginx-proxy paths exists file: path: "{{ item }}" @@ -11,10 +21,6 @@ - "{{ matrix_nginx_proxy_data_path }}" - "{{ matrix_nginx_proxy_confd_path }}" -- name: Ensure nginx Docker image is pulled - docker_image: - name: "{{ docker_nginx_image }}" - - name: Ensure Matrix Synapse proxy vhost configured template: src: "{{ role_path }}/templates/nginx-conf.d/{{ item }}.j2" @@ -24,6 +30,14 @@ - "matrix-synapse.conf" - "matrix-riot-web.conf" +# +# Tasks related to setting up matrix-nginx-proxy +# +- name: Ensure nginx Docker image is pulled + docker_image: + name: "{{ docker_nginx_image }}" + when: matrix_nginx_proxy_enabled + - name: Allow access to nginx proxy ports in firewalld firewalld: service: "{{ item }}" @@ -33,10 +47,30 @@ with_items: - "http" - "https" - when: ansible_os_family == 'RedHat' + when: "ansible_os_family == 'RedHat' and matrix_nginx_proxy_enabled" - name: Ensure matrix-nginx-proxy.service installed template: src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2" dest: "/etc/systemd/system/matrix-nginx-proxy.service" mode: 0644 + when: matrix_nginx_proxy_enabled + +# +# Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled) +# + +- name: Check existence of matrix-nginx-proxy service + stat: path="/etc/systemd/system/matrix-nginx-proxy.service" + register: matrix_nginx_proxy_service_stat + +- name: Ensure matrix-nginx-proxy is stopped + service: name=matrix-nginx-proxy state=stopped daemon_reload=yes + register: stopping_result + when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists" + +- name: Ensure matrix-nginx-proxy.service doesn't exist + file: + path: "/etc/systemd/system/matrix-nginx-proxy.service" + state: absent + when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists" diff --git a/roles/matrix-server/tasks/setup_riot_web.yml b/roles/matrix-server/tasks/setup_riot_web.yml index 9d11a037..fd4023ab 100644 --- a/roles/matrix-server/tasks/setup_riot_web.yml +++ b/roles/matrix-server/tasks/setup_riot_web.yml @@ -1,5 +1,9 @@ --- +# +# Tasks related to setting up riot-web +# + - name: Ensure Matrix riot-web paths exists file: path: "{{ matrix_nginx_riot_web_data_path }}" @@ -7,10 +11,12 @@ mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" + when: matrix_riot_web_enabled - name: Ensure riot-web Docker image is pulled docker_image: name: "{{ docker_riot_image }}" + when: matrix_riot_web_enabled - name: Ensure Matrix riot-web configured template: @@ -22,9 +28,42 @@ with_items: - "riot.im.conf" - "config.json" + when: matrix_riot_web_enabled - name: Ensure matrix-riot-web.service installed template: src: "{{ role_path }}/templates/systemd/matrix-riot-web.service.j2" dest: "/etc/systemd/system/matrix-riot-web.service" - mode: 0644 \ No newline at end of file + mode: 0644 + when: matrix_riot_web_enabled + +# +# Tasks related to getting rid of riot-web (if it was previously enabled) +# + +- name: Check existence of matrix-riot-web service + stat: path="/etc/systemd/system/matrix-riot-web.service" + register: matrix_riot_web_service_stat + +- name: Ensure matrix-riot-web is stopped + service: name=matrix-riot-web state=stopped daemon_reload=yes + register: stopping_result + when: "not matrix_riot_web_enabled and matrix_riot_web_service_stat.stat.exists" + +- name: Ensure matrix-riot-web.service doesn't exist + file: + path: "/etc/systemd/system/matrix-riot-web.service" + state: absent + when: "not matrix_riot_web_enabled and matrix_riot_web_service_stat.stat.exists" + +- name: Ensure Matrix riot-web paths doesn't exist + file: + path: "{{ matrix_nginx_riot_web_data_path }}" + state: absent + when: "not matrix_riot_web_enabled" + +- name: Ensure riot-web Docker image doesn't exist + docker_image: + name: "{{ docker_riot_image }}" + state: absent + when: "not matrix_riot_web_enabled" diff --git a/roles/matrix-server/tasks/setup_ssl.yml b/roles/matrix-server/tasks/setup_ssl.yml index 21242392..d6c297ba 100644 --- a/roles/matrix-server/tasks/setup_ssl.yml +++ b/roles/matrix-server/tasks/setup_ssl.yml @@ -1,5 +1,14 @@ --- +- name: Determine domains to obtain certificates for (Matrix) + set_fact: + domains_to_obtain_certificate_for: "['{{ hostname_matrix }}']" + +- name: Determine domains to obtain certificates for (Riot) + set_fact: + domains_to_obtain_certificate_for: "{{ domains_to_obtain_certificate_for + [hostname_riot] }}" + when: matrix_riot_web_enabled + - name: Allow access to HTTP/HTTPS in firewalld firewalld: service: "{{ item }}" @@ -38,9 +47,7 @@ -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool want {{ item }} --xlog.severity=debug - with_items: - - "{{ hostname_matrix }}" - - "{{ hostname_riot }}" + with_items: "{{ domains_to_obtain_certificate_for }}" - name: Ensure matrix-nginx-proxy is started (if previously installed & started) service: name=matrix-nginx-proxy state=started diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index 43072b40..3b1cafb0 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -13,6 +13,8 @@ - name: Ensure matrix-riot-web autoruns and is restarted service: name=matrix-riot-web enabled=yes state=restarted daemon_reload=yes + when: matrix_riot_web_enabled - name: Ensure matrix-nginx-proxy autoruns and is restarted service: name=matrix-nginx-proxy enabled=yes state=restarted daemon_reload=yes + when: matrix_nginx_proxy_enabled diff --git a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 index 3769bf1a..47d2cbe9 100644 --- a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 +++ b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 @@ -11,11 +11,14 @@ MAILTO="{{ matrix_ssl_support_email }}" # # How renewal works? # -# acmetool will fail to bind to port :80 (because matrix-nginx-proxy is running there), +# acmetool will fail to bind to port :80 (because matrix-nginx-proxy or some other server is running there), # and will fall back to its "webroot" validation method. # # Thus, it would put validation files in `/var/run/acme/acme-challenge`. # These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy, # because it aliases `/.well-known/acme-challenge` to that same directory. +# +# When a custom proxy server (not matrix-nginx-proxy provided by this playbook), +# you'd need to make sure you alias these files corretly or SSL renewal would not work. 15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index 779aad0a..b96fd5a6 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -6,7 +6,7 @@ server { location /.well-known/acme-challenge { default_type "text/plain"; - alias /acmetool-certs/run/acme-challenge; + alias {{ matrix_ssl_certs_path }}/run/acme-challenge; } location / { @@ -24,14 +24,14 @@ server { root /dev/null; ssl on; - ssl_certificate /acmetool-certs/live/{{ hostname_riot }}/fullchain; - ssl_certificate_key /acmetool-certs/live/{{ hostname_riot }}/privkey; + ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/fullchain; + ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/privkey; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; location / { - proxy_pass http://riot:8765; + proxy_pass http://{{ 'riot' if matrix_nginx_proxy_enabled else 'localhost' }}:8765; proxy_set_header X-Forwarded-For $remote_addr; } } diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index a11d11ac..a9e3b1ee 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -6,7 +6,7 @@ server { location /.well-known/acme-challenge { default_type "text/plain"; - alias /acmetool-certs/run/acme-challenge; + alias {{ matrix_ssl_certs_path }}/run/acme-challenge; } location / { @@ -24,14 +24,14 @@ server { root /dev/null; ssl on; - ssl_certificate /acmetool-certs/live/{{ hostname_matrix }}/fullchain; - ssl_certificate_key /acmetool-certs/live/{{ hostname_matrix }}/privkey; + ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_matrix }}/fullchain; + ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_matrix }}/privkey; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; location /_matrix { - proxy_pass http://synapse:8008; + proxy_pass http://{{ 'synapse' if matrix_nginx_proxy_enabled else 'localhost' }}:8008; proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index 5a47939b..c105c63b 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -17,7 +17,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ --link matrix-synapse:synapse \ --link matrix-riot-web:riot \ -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d \ - -v {{ matrix_ssl_certs_path }}:/acmetool-certs \ + -v {{ matrix_ssl_certs_path }}:{{ matrix_ssl_certs_path }} \ {{ docker_nginx_image }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy ExecStop=-/usr/bin/docker rm matrix-nginx-proxy diff --git a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 index 2abcc7e0..510ba10d 100644 --- a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 @@ -9,6 +9,9 @@ ExecStartPre=-/usr/bin/docker kill matrix-riot-web ExecStartPre=-/usr/bin/docker rm matrix-riot-web ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ -v {{ matrix_nginx_riot_web_data_path }}:/data \ + {% if not matrix_nginx_proxy_enabled %} + -p 127.0.0.1:8765:8765 \ + {% endif %} {{ docker_riot_image }} ExecStop=-/usr/bin/docker kill matrix-riot-web ExecStop=-/usr/bin/docker rm matrix-riot-web diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index e14e8d23..a647db03 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -21,6 +21,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ --link matrix-postgres:{{ matrix_postgres_connection_hostname }} \ {% endif %} -p 8448:8448 \ + {% if not matrix_nginx_proxy_enabled %} + -p 127.0.0.1:8008:8008 \ + {% endif %} -p 3478:3478 \ -p 3478:3478/udp \ -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ From 3a5f82267b18a36dfee213d42c76fd8197ead20f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Sep 2017 15:08:54 +0300 Subject: [PATCH 0034/2384] Do not use Let's Encrypt certificate for Synapse's federation port As described here ( https://github.com/matrix-org/synapse/issues/2438#issuecomment-327424711 ), using own SSL certificates for the federation port is more fragile, as renewing them could cause federation outages. The recommended setup is to use the self-signed certificates generated by Synapse. On the 443 port (matrix-nginx-proxy) side, we still use the Let's Encrypt certificates, which ensures API consumers work without having to trust "our own CA". Having done this, we also don't need to ever restart Synapse anymore, as no new SSL certificates need to be applied there. It's just matrix-nginx-proxy that needs to be restarted, and it doesn't even need a full restart as an "nginx reload" does the job of swithing to the new SSL certificates. --- roles/matrix-server/defaults/main.yml | 8 ++++---- roles/matrix-server/tasks/setup_nginx_proxy.yml | 13 +++++++++++++ roles/matrix-server/tasks/setup_synapse.yml | 16 ---------------- .../matrix-nginx-proxy-periodic-restarter.j2 | 8 ++++++++ .../cron.d/matrix-periodic-restarter.j2 | 11 ----------- .../cron.d/matrix-ssl-certificate-renewal.j2 | 2 +- .../systemd/matrix-nginx-proxy.service.j2 | 1 + .../templates/systemd/matrix-synapse.service.j2 | 2 -- 8 files changed, 27 insertions(+), 34 deletions(-) create mode 100644 roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 delete mode 100644 roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 9139b913..30800a01 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -43,10 +43,6 @@ docker_nginx_image: "nginx:1.13.5-alpine" docker_riot_image: "silviof/matrix-riot-docker:latest" docker_s3fs_image: "xueshanf/s3fs:latest" -# Specifies when to restart the Matrix services so that -# a new SSL certificate could go into effect (UTC time). -matrix_services_restart_cron_time_definition: "15 4 3 * *" - # UDP port-range to use for TURN matrix_coturn_turn_udp_min_port: 49152 matrix_coturn_turn_udp_max_port: 49172 @@ -72,3 +68,7 @@ matrix_riot_web_enabled: true # But in case that's not the case, you may wish to prevent that # and take care of proxying by yourself. matrix_nginx_proxy_enabled: true + +# Specifies when to reload the matrix-nginx-proxy service so that +# a new SSL certificate could go into effect (UTC time). +matrix_nginx_proxy_reload_cron_time_definition: "15 4 3 * *" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup_nginx_proxy.yml index 0363d062..57108064 100644 --- a/roles/matrix-server/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-server/tasks/setup_nginx_proxy.yml @@ -56,6 +56,13 @@ mode: 0644 when: matrix_nginx_proxy_enabled +- name: Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal) + template: + src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2" + dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter" + mode: 0600 + when: matrix_nginx_proxy_enabled + # # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled) # @@ -74,3 +81,9 @@ path: "/etc/systemd/system/matrix-nginx-proxy.service" state: absent when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists" + +- name: Ensure periodic restarting of matrix-nginx-proxy is removed + file: + path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter" + state: absent + when: "not matrix_nginx_proxy_enabled" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 7cb42728..9c15d8c2 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -53,14 +53,6 @@ - "{{ matrix_synapse_config_dir_path }}:/data" when: "not matrix_synapse_config_stat.stat.exists" -- name: Ensure self-signed certificates are removed - file: - path: "{{ item }}" - state: absent - with_items: - - "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt" - - "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key" - - name: Augment Matrix log config lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" args: @@ -78,8 +70,6 @@ line: '{{ item.line }}' with_items: - {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'} - - {"regexp": "^tls_certificate_path:", "line": 'tls_certificate_path: "/acmetool-certs/live/{{ hostname_matrix }}/fullchain"'} - - {"regexp": "^tls_private_key_path:", "line": 'tls_private_key_path: "/acmetool-certs/live/{{ hostname_matrix }}/privkey"'} - {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'} - {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'} - {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'} @@ -148,9 +138,3 @@ src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2" dest: "/usr/local/bin/matrix-synapse-register-user" mode: 0750 - -- name: Ensure periodic restarting of Matrix is configured (for SSL renewal) - template: - src: "{{ role_path }}/templates/cron.d/matrix-periodic-restarter.j2" - dest: "/etc/cron.d/matrix-periodic-restarter" - mode: 0600 diff --git a/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 b/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 new file mode 100644 index 00000000..e8dfb72b --- /dev/null +++ b/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 @@ -0,0 +1,8 @@ +MAILTO="{{ matrix_ssl_support_email }}" + +# This periodically reloads the matrix-nginx-proxy service +# to ensure it's using the latest SSL certificate +# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob +# (which happens once every ~2-3 months). + +{{ matrix_nginx_proxy_reload_cron_time_definition }} root /usr/bin/systemctl reload matrix-nginx-proxy.service diff --git a/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 b/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 deleted file mode 100644 index 719ca253..00000000 --- a/roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2 +++ /dev/null @@ -1,11 +0,0 @@ -MAILTO="{{ matrix_ssl_support_email }}" - -# This periodically restarts the Matrix services -# to ensure they're using the latest SSL certificate -# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob -# (which happens once every ~2-3 months). -# -# Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`, -# both would be restarted. - -{{ matrix_services_restart_cron_time_definition }} root /usr/bin/systemctl restart matrix-synapse.service diff --git a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 index 47d2cbe9..fa0c98ad 100644 --- a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 +++ b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 @@ -19,6 +19,6 @@ MAILTO="{{ matrix_ssl_support_email }}" # because it aliases `/.well-known/acme-challenge` to that same directory. # # When a custom proxy server (not matrix-nginx-proxy provided by this playbook), -# you'd need to make sure you alias these files corretly or SSL renewal would not work. +# you'd need to make sure you alias these files correctly or SSL renewal would not work. 15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index c105c63b..975b6edb 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -21,6 +21,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ {{ docker_nginx_image }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy ExecStop=-/usr/bin/docker rm matrix-nginx-proxy +ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload Restart=always RestartSec=30 diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index a647db03..717bd3a8 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -15,7 +15,6 @@ Requires=matrix-s3fs.service Type=simple ExecStartPre=-/usr/bin/docker kill matrix-synapse ExecStartPre=-/usr/bin/docker rm matrix-synapse -ExecStartPre=-{{ '/usr/bin/chown' if ansible_os_family == 'RedHat' else '/bin/chown' }} {{ matrix_user_username }}:{{ matrix_user_username }} {{ matrix_ssl_certs_path }} -R ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% if not matrix_postgres_use_external %} --link matrix-postgres:{{ matrix_postgres_connection_hostname }} \ @@ -30,7 +29,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ -v {{ matrix_synapse_config_dir_path }}:/data \ -v {{ matrix_synapse_run_path }}:/matrix-run \ -v {{ matrix_synapse_media_store_path }}:/matrix-media-store \ - -v {{ matrix_ssl_certs_path }}:/acmetool-certs \ {{ docker_matrix_image }} ExecStop=-/usr/bin/docker kill matrix-synapse ExecStop=-/usr/bin/docker rm matrix-synapse From 2906ec3045799183db0de631cc60cee73d9dcaef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 1 Oct 2017 11:26:20 +0300 Subject: [PATCH 0035/2384] Fix SSL-renewal problem caused by incorrect permissions --- roles/matrix-server/tasks/setup_ssl.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/roles/matrix-server/tasks/setup_ssl.yml b/roles/matrix-server/tasks/setup_ssl.yml index d6c297ba..c7f5da98 100644 --- a/roles/matrix-server/tasks/setup_ssl.yml +++ b/roles/matrix-server/tasks/setup_ssl.yml @@ -24,11 +24,18 @@ docker_image: name: willwill/acme-docker +# Granting +rx to others as well, because the `nginx` user from within +# matrix-nginx-proxy needs to be able to read the acme-challenge files inside +# for renewal purposes. +# +# This should not be causing security trouble outside of the container, +# as the parent directory (/matrix) does not allow "others" to access it or any of its children. +# Still, it works when the /ssl subtree is mounted in the container. - name: Ensure SSL certificates path exists file: path: "{{ matrix_ssl_certs_path }}" state: directory - mode: 0770 + mode: 0775 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" From 767b321f6004c0323ee4bab6f23983b4b961f177 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 1 Oct 2017 11:36:30 +0300 Subject: [PATCH 0036/2384] Do not mount certain Docker volumes as read-write unnecessarily --- .../templates/systemd/matrix-nginx-proxy.service.j2 | 4 ++-- .../templates/systemd/matrix-riot-web.service.j2 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index 975b6edb..384a834c 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -16,8 +16,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ -p 443:443 \ --link matrix-synapse:synapse \ --link matrix-riot-web:riot \ - -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d \ - -v {{ matrix_ssl_certs_path }}:{{ matrix_ssl_certs_path }} \ + -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ + -v {{ matrix_ssl_certs_path }}:{{ matrix_ssl_certs_path }}:ro \ {{ docker_nginx_image }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy ExecStop=-/usr/bin/docker rm matrix-nginx-proxy diff --git a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 index 510ba10d..7cc17c9f 100644 --- a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 @@ -8,7 +8,7 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-riot-web ExecStartPre=-/usr/bin/docker rm matrix-riot-web ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ - -v {{ matrix_nginx_riot_web_data_path }}:/data \ + -v {{ matrix_nginx_riot_web_data_path }}:/data:ro \ {% if not matrix_nginx_proxy_enabled %} -p 127.0.0.1:8765:8765 \ {% endif %} From 7133418dc3c4275fb37d7afc05d469fa1a7e8249 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 14 Oct 2017 09:55:09 +0300 Subject: [PATCH 0037/2384] Fix README omission related to S3 setup --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 862925dd..40918fab 100644 --- a/README.md +++ b/README.md @@ -138,6 +138,7 @@ You then need to enable S3 support in your configuration file (`inventory/matrix It would be something like this: ``` +matrix_s3_media_store_enabled: true matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "access-key-goes-here" matrix_s3_media_store_aws_secret_key: "secret-key-goes-here" From 1c2d59ae91278bb48adf3cdfe6bfe401c80d1ad4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 4 Oct 2017 20:10:18 +0300 Subject: [PATCH 0038/2384] Stop using patched synapse_port_db script The non-working script is supposed to be fixed by https://github.com/matrix-org/synapse/pull/2375 To have it work, we'd need an updated Docker image of `silviof/matrix-riot-docker:latest`, which is not yet available at the time of this commit. Still, the previous patched synapse_port_db didn't work well either, so it's not like we're regressing much by getting rid of it. --- README.md | 4 - .../files/synapse_port_db_with_patch | 941 ------------------ .../matrix-server/tasks/import_sqlite_db.yml | 10 +- 3 files changed, 1 insertion(+), 954 deletions(-) delete mode 100644 roles/matrix-server/files/synapse_port_db_with_patch diff --git a/README.md b/README.md index 40918fab..12c6f972 100644 --- a/README.md +++ b/README.md @@ -210,8 +210,6 @@ Feel free to re-run this any time you think something is off with the server con ### Restoring an existing SQLite database (from another installation) -**WARNING**: while this Ansible playbook supports importing an SQLite database from a previous installation, the actual program doing the migration (`synapse_port_db`, part of Matrix Synapse) may be buggy and not work for you. - Run this if you'd like to import your database from a previous default installation of Matrix Synapse. (don't forget to import your `media_store` files as well - see below). @@ -286,5 +284,3 @@ However, if you've installed this on some server where you have other stuff you This Ansible playbook can be improved in the following ways: - setting up automatic backups to one or more storage providers - -- [importing an old SQLite database](#Restoring-an-existing-SQLite=database-from-another-installation) likely works because of a patch, but may be fragile until [this](https://github.com/matrix-org/synapse/issues/2287) is fixed \ No newline at end of file diff --git a/roles/matrix-server/files/synapse_port_db_with_patch b/roles/matrix-server/files/synapse_port_db_with_patch deleted file mode 100644 index e74c754a..00000000 --- a/roles/matrix-server/files/synapse_port_db_with_patch +++ /dev/null @@ -1,941 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- -# Copyright 2015, 2016 OpenMarket Ltd -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from twisted.internet import defer, reactor -from twisted.enterprise import adbapi - -from synapse.storage._base import LoggingTransaction, SQLBaseStore -from synapse.storage.engines import create_engine -from synapse.storage.prepare_database import prepare_database - -import argparse -import curses -import logging -import sys -import time -import traceback -import yaml - - -logger = logging.getLogger("synapse_port_db") - - -BOOLEAN_COLUMNS = { - "events": ["processed", "outlier", "contains_url"], - "rooms": ["is_public"], - "event_edges": ["is_state"], - "presence_list": ["accepted"], - "presence_stream": ["currently_active"], - "public_room_list_stream": ["visibility"], - "device_lists_outbound_pokes": ["sent"], - "users_who_share_rooms": ["share_private"], -} - - -APPEND_ONLY_TABLES = [ - "event_content_hashes", - "event_reference_hashes", - "event_signatures", - "event_edge_hashes", - "events", - "event_json", - "state_events", - "room_memberships", - "feedback", - "topics", - "room_names", - "rooms", - "local_media_repository", - "local_media_repository_thumbnails", - "remote_media_cache", - "remote_media_cache_thumbnails", - "redactions", - "event_edges", - "event_auth", - "received_transactions", - "sent_transactions", - "transaction_id_to_pdu", - "users", - "state_groups", - "state_groups_state", - "event_to_state_groups", - "rejections", - "event_search", - "presence_stream", - "push_rules_stream", - "current_state_resets", - "ex_outlier_stream", - "cache_invalidation_stream", - "public_room_list_stream", - "state_group_edges", - "stream_ordering_to_exterm", -] - - -end_error_exec_info = None - - -class Store(object): - """This object is used to pull out some of the convenience API from the - Storage layer. - - *All* database interactions should go through this object. - """ - def __init__(self, db_pool, engine): - self.db_pool = db_pool - self.database_engine = engine - - _simple_insert_txn = SQLBaseStore.__dict__["_simple_insert_txn"] - _simple_insert = SQLBaseStore.__dict__["_simple_insert"] - - _simple_select_onecol_txn = SQLBaseStore.__dict__["_simple_select_onecol_txn"] - _simple_select_onecol = SQLBaseStore.__dict__["_simple_select_onecol"] - _simple_select_one = SQLBaseStore.__dict__["_simple_select_one"] - _simple_select_one_txn = SQLBaseStore.__dict__["_simple_select_one_txn"] - _simple_select_one_onecol = SQLBaseStore.__dict__["_simple_select_one_onecol"] - _simple_select_one_onecol_txn = SQLBaseStore.__dict__[ - "_simple_select_one_onecol_txn" - ] - - _simple_update_one = SQLBaseStore.__dict__["_simple_update_one"] - _simple_update_one_txn = SQLBaseStore.__dict__["_simple_update_one_txn"] - - def runInteraction(self, desc, func, *args, **kwargs): - def r(conn): - try: - i = 0 - N = 5 - while True: - try: - txn = conn.cursor() - return func( - LoggingTransaction(txn, desc, self.database_engine, [], []), - *args, **kwargs - ) - except self.database_engine.module.DatabaseError as e: - if self.database_engine.is_deadlock(e): - logger.warn("[TXN DEADLOCK] {%s} %d/%d", desc, i, N) - if i < N: - i += 1 - conn.rollback() - continue - raise - except Exception as e: - logger.debug("[TXN FAIL] {%s} %s", desc, e) - raise - - return self.db_pool.runWithConnection(r) - - def execute(self, f, *args, **kwargs): - return self.runInteraction(f.__name__, f, *args, **kwargs) - - def execute_sql(self, sql, *args): - def r(txn): - txn.execute(sql, args) - return txn.fetchall() - return self.runInteraction("execute_sql", r) - - def insert_many_txn(self, txn, table, headers, rows): - sql = "INSERT INTO %s (%s) VALUES (%s)" % ( - table, - ", ".join(k for k in headers), - ", ".join("%s" for _ in headers) - ) - - try: - txn.executemany(sql, rows) - except: - logger.exception( - "Failed to insert: %s", - table, - ) - raise - - -class Porter(object): - def __init__(self, **kwargs): - self.__dict__.update(kwargs) - - @defer.inlineCallbacks - def setup_table(self, table): - if table in APPEND_ONLY_TABLES: - # It's safe to just carry on inserting. - row = yield self.postgres_store._simple_select_one( - table="port_from_sqlite3", - keyvalues={"table_name": table}, - retcols=("forward_rowid", "backward_rowid"), - allow_none=True, - ) - - total_to_port = None - if row is None: - if table == "sent_transactions": - forward_chunk, already_ported, total_to_port = ( - yield self._setup_sent_transactions() - ) - backward_chunk = 0 - else: - yield self.postgres_store._simple_insert( - table="port_from_sqlite3", - values={ - "table_name": table, - "forward_rowid": 1, - "backward_rowid": 0, - } - ) - - forward_chunk = 1 - backward_chunk = 0 - already_ported = 0 - else: - forward_chunk = row["forward_rowid"] - backward_chunk = row["backward_rowid"] - - if total_to_port is None: - already_ported, total_to_port = yield self._get_total_count_to_port( - table, forward_chunk, backward_chunk - ) - else: - def delete_all(txn): - txn.execute( - "DELETE FROM port_from_sqlite3 WHERE table_name = %s", - (table,) - ) - txn.execute("TRUNCATE %s CASCADE" % (table,)) - - yield self.postgres_store.execute(delete_all) - - yield self.postgres_store._simple_insert( - table="port_from_sqlite3", - values={ - "table_name": table, - "forward_rowid": 1, - "backward_rowid": 0, - } - ) - - forward_chunk = 1 - backward_chunk = 0 - - already_ported, total_to_port = yield self._get_total_count_to_port( - table, forward_chunk, backward_chunk - ) - - defer.returnValue( - (table, already_ported, total_to_port, forward_chunk, backward_chunk) - ) - - @defer.inlineCallbacks - def handle_table(self, table, postgres_size, table_size, forward_chunk, - backward_chunk): - if not table_size: - return - - self.progress.add_table(table, postgres_size, table_size) - - # Patch from: https://github.com/matrix-org/synapse/issues/2287 - if table == "user_directory_search": - # FIXME: actually port it, but for now we can leave it blank - # and have the server regenerate it. - # you will need to set the values of user_directory_stream_pos - # to be ('X', null) to force a regen - return - - if table == "event_search": - yield self.handle_search_table( - postgres_size, table_size, forward_chunk, backward_chunk - ) - return - - forward_select = ( - "SELECT rowid, * FROM %s WHERE rowid >= ? ORDER BY rowid LIMIT ?" - % (table,) - ) - - backward_select = ( - "SELECT rowid, * FROM %s WHERE rowid <= ? ORDER BY rowid LIMIT ?" - % (table,) - ) - - do_forward = [True] - do_backward = [True] - - while True: - def r(txn): - forward_rows = [] - backward_rows = [] - if do_forward[0]: - txn.execute(forward_select, (forward_chunk, self.batch_size,)) - forward_rows = txn.fetchall() - if not forward_rows: - do_forward[0] = False - - if do_backward[0]: - txn.execute(backward_select, (backward_chunk, self.batch_size,)) - backward_rows = txn.fetchall() - if not backward_rows: - do_backward[0] = False - - if forward_rows or backward_rows: - headers = [column[0] for column in txn.description] - else: - headers = None - - return headers, forward_rows, backward_rows - - headers, frows, brows = yield self.sqlite_store.runInteraction( - "select", r - ) - - if frows or brows: - if frows: - forward_chunk = max(row[0] for row in frows) + 1 - if brows: - backward_chunk = min(row[0] for row in brows) - 1 - - rows = frows + brows - self._convert_rows(table, headers, rows) - - def insert(txn): - self.postgres_store.insert_many_txn( - txn, table, headers[1:], rows - ) - - self.postgres_store._simple_update_one_txn( - txn, - table="port_from_sqlite3", - keyvalues={"table_name": table}, - updatevalues={ - "forward_rowid": forward_chunk, - "backward_rowid": backward_chunk, - }, - ) - - yield self.postgres_store.execute(insert) - - postgres_size += len(rows) - - self.progress.update(table, postgres_size) - else: - return - - @defer.inlineCallbacks - def handle_search_table(self, postgres_size, table_size, forward_chunk, - backward_chunk): - select = ( - "SELECT es.rowid, es.*, e.origin_server_ts, e.stream_ordering" - " FROM event_search as es" - " INNER JOIN events AS e USING (event_id, room_id)" - " WHERE es.rowid >= ?" - " ORDER BY es.rowid LIMIT ?" - ) - - while True: - def r(txn): - txn.execute(select, (forward_chunk, self.batch_size,)) - rows = txn.fetchall() - headers = [column[0] for column in txn.description] - - return headers, rows - - headers, rows = yield self.sqlite_store.runInteraction("select", r) - - if rows: - forward_chunk = rows[-1][0] + 1 - - # We have to treat event_search differently since it has a - # different structure in the two different databases. - def insert(txn): - sql = ( - "INSERT INTO event_search (event_id, room_id, key," - " sender, vector, origin_server_ts, stream_ordering)" - " VALUES (?,?,?,?,to_tsvector('english', ?),?,?)" - ) - - rows_dict = [ - dict(zip(headers, row)) - for row in rows - ] - - txn.executemany(sql, [ - ( - row["event_id"], - row["room_id"], - row["key"], - row["sender"], - row["value"], - row["origin_server_ts"], - row["stream_ordering"], - ) - for row in rows_dict - ]) - - self.postgres_store._simple_update_one_txn( - txn, - table="port_from_sqlite3", - keyvalues={"table_name": "event_search"}, - updatevalues={ - "forward_rowid": forward_chunk, - "backward_rowid": backward_chunk, - }, - ) - - yield self.postgres_store.execute(insert) - - postgres_size += len(rows) - - self.progress.update("event_search", postgres_size) - - else: - return - - def setup_db(self, db_config, database_engine): - db_conn = database_engine.module.connect( - **{ - k: v for k, v in db_config.get("args", {}).items() - if not k.startswith("cp_") - } - ) - - prepare_database(db_conn, database_engine, config=None) - - db_conn.commit() - - @defer.inlineCallbacks - def run(self): - try: - sqlite_db_pool = adbapi.ConnectionPool( - self.sqlite_config["name"], - **self.sqlite_config["args"] - ) - - postgres_db_pool = adbapi.ConnectionPool( - self.postgres_config["name"], - **self.postgres_config["args"] - ) - - sqlite_engine = create_engine(sqlite_config) - postgres_engine = create_engine(postgres_config) - - self.sqlite_store = Store(sqlite_db_pool, sqlite_engine) - self.postgres_store = Store(postgres_db_pool, postgres_engine) - - yield self.postgres_store.execute( - postgres_engine.check_database - ) - - # Step 1. Set up databases. - self.progress.set_state("Preparing SQLite3") - self.setup_db(sqlite_config, sqlite_engine) - - self.progress.set_state("Preparing PostgreSQL") - self.setup_db(postgres_config, postgres_engine) - - # Step 2. Get tables. - self.progress.set_state("Fetching tables") - sqlite_tables = yield self.sqlite_store._simple_select_onecol( - table="sqlite_master", - keyvalues={ - "type": "table", - }, - retcol="name", - ) - - postgres_tables = yield self.postgres_store._simple_select_onecol( - table="information_schema.tables", - keyvalues={}, - retcol="distinct table_name", - ) - - tables = set(sqlite_tables) & set(postgres_tables) - - self.progress.set_state("Creating tables") - - logger.info("Found %d tables", len(tables)) - - def create_port_table(txn): - txn.execute( - "CREATE TABLE port_from_sqlite3 (" - " table_name varchar(100) NOT NULL UNIQUE," - " forward_rowid bigint NOT NULL," - " backward_rowid bigint NOT NULL" - ")" - ) - - # The old port script created a table with just a "rowid" column. - # We want people to be able to rerun this script from an old port - # so that they can pick up any missing events that were not - # ported across. - def alter_table(txn): - txn.execute( - "ALTER TABLE IF EXISTS port_from_sqlite3" - " RENAME rowid TO forward_rowid" - ) - txn.execute( - "ALTER TABLE IF EXISTS port_from_sqlite3" - " ADD backward_rowid bigint NOT NULL DEFAULT 0" - ) - - try: - yield self.postgres_store.runInteraction( - "alter_table", alter_table - ) - except Exception as e: - logger.info("Failed to create port table: %s", e) - - try: - yield self.postgres_store.runInteraction( - "create_port_table", create_port_table - ) - except Exception as e: - logger.info("Failed to create port table: %s", e) - - self.progress.set_state("Setting up") - - # Set up tables. - setup_res = yield defer.gatherResults( - [ - self.setup_table(table) - for table in tables - if table not in ["schema_version", "applied_schema_deltas"] - and not table.startswith("sqlite_") - ], - consumeErrors=True, - ) - - # Process tables. - yield defer.gatherResults( - [ - self.handle_table(*res) - for res in setup_res - ], - consumeErrors=True, - ) - - self.progress.done() - except: - global end_error_exec_info - end_error_exec_info = sys.exc_info() - logger.exception("") - finally: - reactor.stop() - - def _convert_rows(self, table, headers, rows): - bool_col_names = BOOLEAN_COLUMNS.get(table, []) - - bool_cols = [ - i for i, h in enumerate(headers) if h in bool_col_names - ] - - def conv(j, col): - if j in bool_cols: - return bool(col) - return col - - for i, row in enumerate(rows): - rows[i] = tuple( - conv(j, col) - for j, col in enumerate(row) - if j > 0 - ) - - @defer.inlineCallbacks - def _setup_sent_transactions(self): - # Only save things from the last day - yesterday = int(time.time() * 1000) - 86400000 - - # And save the max transaction id from each destination - select = ( - "SELECT rowid, * FROM sent_transactions WHERE rowid IN (" - "SELECT max(rowid) FROM sent_transactions" - " GROUP BY destination" - ")" - ) - - def r(txn): - txn.execute(select) - rows = txn.fetchall() - headers = [column[0] for column in txn.description] - - ts_ind = headers.index('ts') - - return headers, [r for r in rows if r[ts_ind] < yesterday] - - headers, rows = yield self.sqlite_store.runInteraction( - "select", r, - ) - - self._convert_rows("sent_transactions", headers, rows) - - inserted_rows = len(rows) - if inserted_rows: - max_inserted_rowid = max(r[0] for r in rows) - - def insert(txn): - self.postgres_store.insert_many_txn( - txn, "sent_transactions", headers[1:], rows - ) - - yield self.postgres_store.execute(insert) - else: - max_inserted_rowid = 0 - - def get_start_id(txn): - txn.execute( - "SELECT rowid FROM sent_transactions WHERE ts >= ?" - " ORDER BY rowid ASC LIMIT 1", - (yesterday,) - ) - - rows = txn.fetchall() - if rows: - return rows[0][0] - else: - return 1 - - next_chunk = yield self.sqlite_store.execute(get_start_id) - next_chunk = max(max_inserted_rowid + 1, next_chunk) - - yield self.postgres_store._simple_insert( - table="port_from_sqlite3", - values={ - "table_name": "sent_transactions", - "forward_rowid": next_chunk, - "backward_rowid": 0, - } - ) - - def get_sent_table_size(txn): - txn.execute( - "SELECT count(*) FROM sent_transactions" - " WHERE ts >= ?", - (yesterday,) - ) - size, = txn.fetchone() - return int(size) - - remaining_count = yield self.sqlite_store.execute( - get_sent_table_size - ) - - total_count = remaining_count + inserted_rows - - defer.returnValue((next_chunk, inserted_rows, total_count)) - - @defer.inlineCallbacks - def _get_remaining_count_to_port(self, table, forward_chunk, backward_chunk): - frows = yield self.sqlite_store.execute_sql( - "SELECT count(*) FROM %s WHERE rowid >= ?" % (table,), - forward_chunk, - ) - - brows = yield self.sqlite_store.execute_sql( - "SELECT count(*) FROM %s WHERE rowid <= ?" % (table,), - backward_chunk, - ) - - defer.returnValue(frows[0][0] + brows[0][0]) - - @defer.inlineCallbacks - def _get_already_ported_count(self, table): - rows = yield self.postgres_store.execute_sql( - "SELECT count(*) FROM %s" % (table,), - ) - - defer.returnValue(rows[0][0]) - - @defer.inlineCallbacks - def _get_total_count_to_port(self, table, forward_chunk, backward_chunk): - remaining, done = yield defer.gatherResults( - [ - self._get_remaining_count_to_port(table, forward_chunk, backward_chunk), - self._get_already_ported_count(table), - ], - consumeErrors=True, - ) - - remaining = int(remaining) if remaining else 0 - done = int(done) if done else 0 - - defer.returnValue((done, remaining + done)) - - -############################################## -###### The following is simply UI stuff ###### -############################################## - - -class Progress(object): - """Used to report progress of the port - """ - def __init__(self): - self.tables = {} - - self.start_time = int(time.time()) - - def add_table(self, table, cur, size): - self.tables[table] = { - "start": cur, - "num_done": cur, - "total": size, - "perc": int(cur * 100 / size), - } - - def update(self, table, num_done): - data = self.tables[table] - data["num_done"] = num_done - data["perc"] = int(num_done * 100 / data["total"]) - - def done(self): - pass - - -class CursesProgress(Progress): - """Reports progress to a curses window - """ - def __init__(self, stdscr): - self.stdscr = stdscr - - curses.use_default_colors() - curses.curs_set(0) - - curses.init_pair(1, curses.COLOR_RED, -1) - curses.init_pair(2, curses.COLOR_GREEN, -1) - - self.last_update = 0 - - self.finished = False - - self.total_processed = 0 - self.total_remaining = 0 - - super(CursesProgress, self).__init__() - - def update(self, table, num_done): - super(CursesProgress, self).update(table, num_done) - - self.total_processed = 0 - self.total_remaining = 0 - for table, data in self.tables.items(): - self.total_processed += data["num_done"] - data["start"] - self.total_remaining += data["total"] - data["num_done"] - - self.render() - - def render(self, force=False): - now = time.time() - - if not force and now - self.last_update < 0.2: - # reactor.callLater(1, self.render) - return - - self.stdscr.clear() - - rows, cols = self.stdscr.getmaxyx() - - duration = int(now) - int(self.start_time) - - minutes, seconds = divmod(duration, 60) - duration_str = '%02dm %02ds' % (minutes, seconds,) - - if self.finished: - status = "Time spent: %s (Done!)" % (duration_str,) - else: - - if self.total_processed > 0: - left = float(self.total_remaining) / self.total_processed - - est_remaining = (int(now) - self.start_time) * left - est_remaining_str = '%02dm %02ds remaining' % divmod(est_remaining, 60) - else: - est_remaining_str = "Unknown" - status = ( - "Time spent: %s (est. remaining: %s)" - % (duration_str, est_remaining_str,) - ) - - self.stdscr.addstr( - 0, 0, - status, - curses.A_BOLD, - ) - - max_len = max([len(t) for t in self.tables.keys()]) - - left_margin = 5 - middle_space = 1 - - items = self.tables.items() - items.sort( - key=lambda i: (i[1]["perc"], i[0]), - ) - - for i, (table, data) in enumerate(items): - if i + 2 >= rows: - break - - perc = data["perc"] - - color = curses.color_pair(2) if perc == 100 else curses.color_pair(1) - - self.stdscr.addstr( - i + 2, left_margin + max_len - len(table), - table, - curses.A_BOLD | color, - ) - - size = 20 - - progress = "[%s%s]" % ( - "#" * int(perc * size / 100), - " " * (size - int(perc * size / 100)), - ) - - self.stdscr.addstr( - i + 2, left_margin + max_len + middle_space, - "%s %3d%% (%d/%d)" % (progress, perc, data["num_done"], data["total"]), - ) - - if self.finished: - self.stdscr.addstr( - rows - 1, 0, - "Press any key to exit...", - ) - - self.stdscr.refresh() - self.last_update = time.time() - - def done(self): - self.finished = True - self.render(True) - self.stdscr.getch() - - def set_state(self, state): - self.stdscr.clear() - self.stdscr.addstr( - 0, 0, - state + "...", - curses.A_BOLD, - ) - self.stdscr.refresh() - - -class TerminalProgress(Progress): - """Just prints progress to the terminal - """ - def update(self, table, num_done): - super(TerminalProgress, self).update(table, num_done) - - data = self.tables[table] - - print "%s: %d%% (%d/%d)" % ( - table, data["perc"], - data["num_done"], data["total"], - ) - - def set_state(self, state): - print state + "..." - - -############################################## -############################################## - - -if __name__ == "__main__": - parser = argparse.ArgumentParser( - description="A script to port an existing synapse SQLite database to" - " a new PostgreSQL database." - ) - parser.add_argument("-v", action='store_true') - parser.add_argument( - "--sqlite-database", required=True, - help="The snapshot of the SQLite database file. This must not be" - " currently used by a running synapse server" - ) - parser.add_argument( - "--postgres-config", type=argparse.FileType('r'), required=True, - help="The database config file for the PostgreSQL database" - ) - parser.add_argument( - "--curses", action='store_true', - help="display a curses based progress UI" - ) - - parser.add_argument( - "--batch-size", type=int, default=1000, - help="The number of rows to select from the SQLite table each" - " iteration [default=1000]", - ) - - args = parser.parse_args() - - logging_config = { - "level": logging.DEBUG if args.v else logging.INFO, - "format": "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(message)s" - } - - if args.curses: - logging_config["filename"] = "port-synapse.log" - - logging.basicConfig(**logging_config) - - sqlite_config = { - "name": "sqlite3", - "args": { - "database": args.sqlite_database, - "cp_min": 1, - "cp_max": 1, - "check_same_thread": False, - }, - } - - postgres_config = yaml.safe_load(args.postgres_config) - - if "database" in postgres_config: - postgres_config = postgres_config["database"] - - if "name" not in postgres_config: - sys.stderr.write("Malformed database config: no 'name'") - sys.exit(2) - if postgres_config["name"] != "psycopg2": - sys.stderr.write("Database must use 'psycopg2' connector.") - sys.exit(3) - - def start(stdscr=None): - if stdscr: - progress = CursesProgress(stdscr) - else: - progress = TerminalProgress() - - porter = Porter( - sqlite_config=sqlite_config, - postgres_config=postgres_config, - progress=progress, - batch_size=args.batch_size, - ) - - reactor.callWhenRunning(porter.run) - - reactor.run() - - if args.curses: - curses.wrapper(start) - else: - start() - - if end_error_exec_info: - exc_type, exc_value, exc_traceback = end_error_exec_info - traceback.print_exception(exc_type, exc_value, exc_traceback) diff --git a/roles/matrix-server/tasks/import_sqlite_db.yml b/roles/matrix-server/tasks/import_sqlite_db.yml index 4bd860d5..b56fb293 100644 --- a/roles/matrix-server/tasks/import_sqlite_db.yml +++ b/roles/matrix-server/tasks/import_sqlite_db.yml @@ -49,13 +49,6 @@ - name: Wait a while, so that Postgres can manage to start pause: seconds=7 -# Fixes a problem with porting the `user_directory_search` table. -# https://github.com/matrix-org/synapse/issues/2287 -- name: Ensure synapse_port_db_with_patch exists - copy: - src: "{{ role_path }}/files/synapse_port_db_with_patch" - dest: "{{ matrix_scratchpad_dir }}/synapse_port_db_with_patch" - - name: Importing SQLite database into Postgres docker_container: name: matrix-synapse-migrate @@ -63,14 +56,13 @@ detach: no cleanup: yes entrypoint: /usr/bin/python - command: "/usr/local/bin/synapse_port_db_with_patch --sqlite-database /scratchpad/homeserver.db --postgres-config /data/homeserver.yaml" + command: "/usr/local/bin/synapse_port_db --sqlite-database /scratchpad/homeserver.db --postgres-config /data/homeserver.yaml" user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" volumes: - "{{ matrix_synapse_config_dir_path }}:/data" - "{{ matrix_synapse_run_path }}:/matrix-run" - "{{ matrix_synapse_media_store_path }}:/matrix-media-store" - "{{ matrix_scratchpad_dir }}:/scratchpad" - - "{{ matrix_scratchpad_dir }}/synapse_port_db_with_patch:/usr/local/bin/synapse_port_db_with_patch" links: - "matrix-postgres:{{ matrix_postgres_connection_hostname }}" From 19e191f0bd1f368ac16235f6d487daa64a8e1a8d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 16 Oct 2017 08:42:27 +0300 Subject: [PATCH 0039/2384] Do not assign Docker container name for certificate renewal Prevents clashes with other services like this one. --- .../templates/cron.d/matrix-ssl-certificate-renewal.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 index fa0c98ad..999e7c85 100644 --- a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 +++ b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 @@ -21,4 +21,4 @@ MAILTO="{{ matrix_ssl_support_email }}" # When a custom proxy server (not matrix-nginx-proxy provided by this playbook), # you'd need to make sure you alias these files correctly or SSL renewal would not work. -15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug +15 4 */5 * * root /usr/bin/docker run --rm --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug From dd5cabf6585b3ef56463b9148b6d02dbe07e4b11 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 24 Oct 2017 13:01:11 +0900 Subject: [PATCH 0040/2384] Make /matrix owned by matrix:matrix --- roles/matrix-server/tasks/setup_main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-server/tasks/setup_main.yml b/roles/matrix-server/tasks/setup_main.yml index 75ab6c87..e16e20db 100644 --- a/roles/matrix-server/tasks/setup_main.yml +++ b/roles/matrix-server/tasks/setup_main.yml @@ -27,4 +27,5 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: + - "{{ matrix_base_data_path }}" - "{{ matrix_synapse_base_path }}" \ No newline at end of file From 57e4f12ad3182e9fdd105d1e88c9d2075fd5c72e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 24 Oct 2017 15:29:19 +0900 Subject: [PATCH 0041/2384] Add support for using a pre-configured Macaroon secret key --- roles/matrix-server/defaults/main.yml | 4 ++++ roles/matrix-server/tasks/setup_synapse.yml | 9 +++++++++ 2 files changed, 13 insertions(+) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 30800a01..da4e71d0 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -43,6 +43,10 @@ docker_nginx_image: "nginx:1.13.5-alpine" docker_riot_image: "silviof/matrix-riot-docker:latest" docker_s3fs_image: "xueshanf/s3fs:latest" +# To avoid Synapse's macaroon secret key from changing every time +# a new config is built from scratch, you can specify one here. +matrix_synapse_macaroon_secret_key: null + # UDP port-range to use for TURN matrix_coturn_turn_udp_min_port: 49152 matrix_coturn_turn_udp_max_port: 49172 diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 9c15d8c2..362dc047 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -76,6 +76,15 @@ - {"regexp": "^max_upload_size:", "line": 'max_upload_size: "{{ matrix_max_upload_size_mb }}M"'} - {"regexp": "^media_store_path:", "line": 'media_store_path: "/matrix-media-store"'} +- name: Augment Matrix config (configure Macaroon secret) + lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" + args: + regexp: "{{ item.regexp }}" + line: '{{ item.line }}' + with_items: + - {"regexp": "^macaroon_secret_key:", "line": 'macaroon_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"'} + when: "matrix_synapse_macaroon_secret_key is not none" + - name: Augment Matrix config (specify URL previews blacklist) lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" args: From f476e49e64c4068d924f7e261cfeab009d4920bc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 11 Nov 2017 10:38:38 +0200 Subject: [PATCH 0042/2384] Make SSL renewal time configurable and nginx-proxy reload time adequate The matrix-nginx-proxy was reloaded on the 3rd day of the month (`15 4 3 * *`), which makes no sense - it's too infrequently. It's in line with the renewal time now (+5 minutes). --- roles/matrix-server/defaults/main.yml | 7 +++++-- .../templates/cron.d/matrix-ssl-certificate-renewal.j2 | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index da4e71d0..827d146a 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -73,6 +73,9 @@ matrix_riot_web_enabled: true # and take care of proxying by yourself. matrix_nginx_proxy_enabled: true +# Specifies when to attempt to retrieve new SSL certificates from Let's Encrypt. +matrix_ssl_renew_cron_time_definition: "15 4 */5 * *" + # Specifies when to reload the matrix-nginx-proxy service so that -# a new SSL certificate could go into effect (UTC time). -matrix_nginx_proxy_reload_cron_time_definition: "15 4 3 * *" \ No newline at end of file +# a new SSL certificate could go into effect. +matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" \ No newline at end of file diff --git a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 index 999e7c85..42b7a71a 100644 --- a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 +++ b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 @@ -21,4 +21,4 @@ MAILTO="{{ matrix_ssl_support_email }}" # When a custom proxy server (not matrix-nginx-proxy provided by this playbook), # you'd need to make sure you alias these files correctly or SSL renewal would not work. -15 4 */5 * * root /usr/bin/docker run --rm --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug +{{ matrix_ssl_renew_cron_time_definition }} root /usr/bin/docker run --rm --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug From d14ef08d5b85ba5ac99aae03d4799010dccd357e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 1 Dec 2017 12:07:27 +0100 Subject: [PATCH 0043/2384] Fix SSL certificate renewal for the custom-proxy-server case When using matrix-nginx-proxy, the file permissions are organized in a way that matrix-nginx-proxy could read the challenge files produced by acmetool. However, when another own/external webserver was used (like nginx with our generated sample configuration), this could not work. From on we're proxying the HTTP requests to port :402 in such a case, which fixes the problem. --- .../templates/nginx-conf.d/matrix-riot-web.conf.j2 | 10 ++++++++++ .../templates/nginx-conf.d/matrix-synapse.conf.j2 | 10 ++++++++++ 2 files changed, 20 insertions(+) diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index b96fd5a6..30ce8a75 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -5,8 +5,18 @@ server { server_tokens off; location /.well-known/acme-challenge { + {# + The proxy can access the files directly. + An external server likely does not have permission to read these files, + so we'll just proxy to acme's :402 port. + #} + + {%- if matrix_nginx_proxy_enabled -%} default_type "text/plain"; alias {{ matrix_ssl_certs_path }}/run/acme-challenge; + {%- else -%} + proxy_pass http://localhost:402; + {% endif %} } location / { diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index a9e3b1ee..cc2eb21a 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -5,8 +5,18 @@ server { server_tokens off; location /.well-known/acme-challenge { + {# + The proxy can access the files directly. + An external server likely does not have permission to read these files, + so we'll just proxy to acme's :402 port. + #} + + {%- if matrix_nginx_proxy_enabled -%} default_type "text/plain"; alias {{ matrix_ssl_certs_path }}/run/acme-challenge; + {%- else -%} + proxy_pass http://localhost:402; + {% endif %} } location / { From 534f78f9d0e628f45f36397c2c433f78032860f9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 7 Dec 2017 22:53:43 +0200 Subject: [PATCH 0044/2384] Update Docker image versions --- roles/matrix-server/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 827d146a..c0202596 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -37,9 +37,9 @@ matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" -docker_postgres_image: "postgres:9.6.5-alpine" +docker_postgres_image: "postgres:9.6.6-alpine" docker_matrix_image: "silviof/docker-matrix:latest" -docker_nginx_image: "nginx:1.13.5-alpine" +docker_nginx_image: "nginx:1.13.7-alpine" docker_riot_image: "silviof/matrix-riot-docker:latest" docker_s3fs_image: "xueshanf/s3fs:latest" From 4e09499286458d93717069efb20dcb8ca911efd4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 10 Jan 2018 12:10:56 +0200 Subject: [PATCH 0045/2384] Fix typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 12c6f972..9926af57 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ Basically, this playbook aims to get you up-and-running with all the basic neces ## What's different about this Ansible playbook? -This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) Ansile deployment, but: +This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) Ansible deployment, but: - this one is a complete Ansible playbook (instead of just a role), so it should be **easier to run** - especially for folks not familiar with Ansible From bfca91ac1f7f121d378cbb403bb412391dabd4b7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 10 Jan 2018 22:11:32 +0200 Subject: [PATCH 0046/2384] Switch Matrix Docker images (silviof -> AVENTER-UG) Silvio announced that he's no longer maintaining his images, so we're jumping to AVENTER-UG's fork. --- README.md | 4 ++-- roles/matrix-server/defaults/main.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9926af57..9d578060 100644 --- a/README.md +++ b/README.md @@ -51,9 +51,9 @@ Special thanks goes to: - [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) - for the inspiration -- [silviof/docker-matrix](https://hub.docker.com/r/silviof/docker-matrix/) - for packaging Matrix Synapse as a Docker image +- [silviof/docker-matrix](https://hub.docker.com/r/silviof/docker-matrix/) - for packaging Matrix Synapse as a Docker image. Note: due to maintenance issues, we're now using [AVENTER-UG/docker-matrix](https://github.com/AVENTER-UG/docker-matrix)'s fork. -- [silviof/matrix-riot-docker](https://hub.docker.com/r/silviof/matrix-riot-docker/) - for packaging Riot as a Docker image +- [silviof/matrix-riot-docker](https://hub.docker.com/r/silviof/matrix-riot-docker/) - for packaging Riot as a Docker image. Note: due to maintenance issues, we're now using [AVENTER-UG/docker-matrix-riot](https://github.com/AVENTER-UG/docker-matrix-riot)'s fork. ## Prerequisites diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index c0202596..3a763e2a 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -38,9 +38,9 @@ matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" docker_postgres_image: "postgres:9.6.6-alpine" -docker_matrix_image: "silviof/docker-matrix:latest" -docker_nginx_image: "nginx:1.13.7-alpine" -docker_riot_image: "silviof/matrix-riot-docker:latest" +docker_matrix_image: "avhost/docker-matrix:v0.26.0" +docker_nginx_image: "nginx:1.13.8-alpine" +docker_riot_image: "avhost/docker-matrix-riot:latest" docker_s3fs_image: "xueshanf/s3fs:latest" # To avoid Synapse's macaroon secret key from changing every time From edd97d33c14be4ca050e64ba6b5357c3d61df172 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 17 Jan 2018 15:57:01 +0200 Subject: [PATCH 0047/2384] Fix README instructions typo about Ansible host_vars --- README.md | 6 +++--- inventory/host_vars/.gitkeep | 0 2 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 inventory/host_vars/.gitkeep diff --git a/README.md b/README.md index 9d578060..27177dc8 100644 --- a/README.md +++ b/README.md @@ -94,11 +94,11 @@ Once you have your server and you have [configured your DNS records](#configurin You can follow these steps: -- create a directory to hold your configuration (`mkdir inventory/matrix.`) +- create a directory to hold your configuration (`mkdir inventory/host_vars/matrix.`) -- copy the sample configuration file (`cp examples/host-vars.yml inventory/matrix./vars.yml`) +- copy the sample configuration file (`cp examples/host-vars.yml inventory/host_vars/matrix./vars.yml`) -- edit the configuration file (`inventory/matrix./vars.yml`) to your liking. You may also take a look at `roles/matrix-server/defaults.main.yml` and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. +- edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at `roles/matrix-server/defaults.main.yml` and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. - copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) diff --git a/inventory/host_vars/.gitkeep b/inventory/host_vars/.gitkeep new file mode 100644 index 00000000..e69de29b From db686c3f8ea9a5ea6a1156362eb9d6f60d5e9ed6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 13 Feb 2018 23:17:56 +0200 Subject: [PATCH 0048/2384] Update dependencies --- roles/matrix-server/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 3a763e2a..7b9ebf46 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -37,7 +37,7 @@ matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" -docker_postgres_image: "postgres:9.6.6-alpine" +docker_postgres_image: "postgres:9.6.7-alpine" docker_matrix_image: "avhost/docker-matrix:v0.26.0" docker_nginx_image: "nginx:1.13.8-alpine" docker_riot_image: "avhost/docker-matrix-riot:latest" @@ -78,4 +78,4 @@ matrix_ssl_renew_cron_time_definition: "15 4 */5 * *" # Specifies when to reload the matrix-nginx-proxy service so that # a new SSL certificate could go into effect. -matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" \ No newline at end of file +matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" From efc78fb9d349b225a8ddb0523cc5b3a0e536011c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 20 Feb 2018 21:36:08 +0200 Subject: [PATCH 0049/2384] Switch from s3fs to Goofys Improves performance of media store operations. --- README.md | 11 +-- roles/matrix-server/defaults/main.yml | 5 +- .../tasks/import_media_store.yml | 24 ++----- roles/matrix-server/tasks/main.yml | 5 ++ roles/matrix-server/tasks/setup_base.yml | 2 + roles/matrix-server/tasks/setup_goofys.yml | 70 +++++++++++++++++++ roles/matrix-server/tasks/setup_s3fs.yml | 31 +------- roles/matrix-server/tasks/setup_synapse.yml | 9 ++- roles/matrix-server/tasks/start.yml | 4 +- .../matrix-server/templates/env/env-goofys.j2 | 2 + .../systemd/matrix-goofys.service.j2 | 32 +++++++++ .../templates/systemd/matrix-s3fs.service.j2 | 35 ---------- .../systemd/matrix-synapse.service.j2 | 12 +++- 13 files changed, 144 insertions(+), 98 deletions(-) create mode 100644 roles/matrix-server/tasks/setup_goofys.yml create mode 100644 roles/matrix-server/templates/env/env-goofys.j2 create mode 100644 roles/matrix-server/templates/systemd/matrix-goofys.service.j2 delete mode 100644 roles/matrix-server/templates/systemd/matrix-s3fs.service.j2 diff --git a/README.md b/README.md index 27177dc8..c3c58929 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ Using this playbook, you can get the following services configured on your serve - a [Matrix Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network -- (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for your Matrix Synapse's content repository (`media_store`) files using [s3fs-fuse](https://github.com/s3fs-fuse/s3fs-fuse) +- (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for your Matrix Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys) - (optional default) [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse - providing better performance than the default [SQLite](https://sqlite.org/) database. Using an external PostgreSQL server [is possible](#using-an-external-postgresql-server-optional) as well @@ -111,11 +111,11 @@ By default, this playbook configures your server to store Matrix Synapse's conte If that's alright, you can skip ahead. If you'd like to store Matrix Synapse's content repository (`media_store`) files on Amazon S3, -you can let this playbook configure [s3fs-fuse](https://github.com/s3fs-fuse/s3fs-fuse) for you. +you can let this playbook configure [Goofys](https://github.com/kahing/goofys) for you. You'll need an Amazon S3 bucket and some IAM user credentials (access key + secret key) with full write access to the bucket. Example security policy: -``` +```json { "Version": "2012-10-17", "Statement": [ @@ -137,11 +137,12 @@ You'll need an Amazon S3 bucket and some IAM user credentials (access key + secr You then need to enable S3 support in your configuration file (`inventory/matrix./vars.yml`). It would be something like this: -``` +```yaml matrix_s3_media_store_enabled: true matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "access-key-goes-here" matrix_s3_media_store_aws_secret_key: "secret-key-goes-here" +matrix_s3_media_store_region: "eu-central-1" ``` @@ -153,7 +154,7 @@ If that's alright, you can skip ahead. If you'd like to use an external PostgreSQL server that you manage, you can edit your configuration file (`inventory/matrix./vars.yml`). It should be something like this: -``` +```yaml matrix_postgres_use_external: true matrix_postgres_connection_hostname: "your-postgres-server-hostname" matrix_postgres_connection_username: "your-postgres-server-username" diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 7b9ebf46..7008f110 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -30,7 +30,8 @@ matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run" -matrix_synapse_media_store_path: "{{ matrix_synapse_base_path }}/media-store" +matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" +matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" @@ -42,6 +43,7 @@ docker_matrix_image: "avhost/docker-matrix:v0.26.0" docker_nginx_image: "nginx:1.13.8-alpine" docker_riot_image: "avhost/docker-matrix-riot:latest" docker_s3fs_image: "xueshanf/s3fs:latest" +docker_goofys_image: "cloudproto/goofys:latest" # To avoid Synapse's macaroon secret key from changing every time # a new config is built from scratch, you can specify one here. @@ -61,6 +63,7 @@ matrix_s3_media_store_enabled: false matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "your-aws-access-key" matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" +matrix_s3_media_store_region: "eu-central-1" # By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain. # If you wish to connect to your Matrix server by other means, diff --git a/roles/matrix-server/tasks/import_media_store.yml b/roles/matrix-server/tasks/import_media_store.yml index 7b191be4..13515b33 100644 --- a/roles/matrix-server/tasks/import_media_store.yml +++ b/roles/matrix-server/tasks/import_media_store.yml @@ -42,12 +42,11 @@ # It's wasteful to preserve owner/group now. We chown below anyway. owner: no group: no - # The default of times=yes does not work when s3fs is used. times: "{{ False if matrix_s3_media_store_enabled else True }}" perms: "{{ False if matrix_s3_media_store_enabled else True }}" -# This is for the generic case and fails for remote file systems, -# because the base path (matrix_synapse_media_store_path) is a mount point. +# This is for the generic case and fails in other cases (remote file systems), +# because in such cases the base path (matrix_synapse_media_store_path) is a mount point. - name: Ensure media store permissions are correct (generic case) file: path: "{{ matrix_synapse_media_store_path }}" @@ -56,23 +55,8 @@ recurse: yes when: "not matrix_s3_media_store_enabled" -- name: Determine media store subdirectories - find: paths="{{ local_path_media_store }}" file_type=directory - delegate_to: 127.0.0.1 - become: false - register: media_store_directories_result - when: "matrix_s3_media_store_enabled" - -# This is the s3fs special case. We chown the subdirectories one by one, -# without touching the base directory. -- name: Ensure media store permissions are correct (s3fs) - file: - path: "{{ matrix_synapse_media_store_path }}/{{ item.path|basename }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - recurse: yes - with_items: "{{ media_store_directories_result.files }}" - when: "matrix_s3_media_store_enabled" +# We don't chown for Goofys, because due to the way it's mounted, +# all files become owned by whoever needs to own them. - name: Ensure Matrix Synapse is started (if it previously was) service: name="{{ item }}" state=started daemon_reload=yes diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 088bd495..8904cb53 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -23,6 +23,11 @@ - setup-main - setup-s3fs +- include: tasks/setup_goofys.yml + tags: + - setup-main + - setup-goofys + - include: tasks/setup_synapse.yml tags: - setup-main diff --git a/roles/matrix-server/tasks/setup_base.yml b/roles/matrix-server/tasks/setup_base.yml index 99065a37..04342536 100644 --- a/roles/matrix-server/tasks/setup_base.yml +++ b/roles/matrix-server/tasks/setup_base.yml @@ -25,6 +25,7 @@ - docker-python - firewalld - ntp + - fuse when: ansible_distribution == 'CentOS' - name: Ensure APT usage dependencies are installed (Debian) @@ -60,6 +61,7 @@ - docker-ce - python-docker - ntp + - fuse when: ansible_os_family == 'Debian' - name: Ensure firewalld is started and autoruns diff --git a/roles/matrix-server/tasks/setup_goofys.yml b/roles/matrix-server/tasks/setup_goofys.yml new file mode 100644 index 00000000..ab2a6365 --- /dev/null +++ b/roles/matrix-server/tasks/setup_goofys.yml @@ -0,0 +1,70 @@ +# +# Tasks related to setting up Goofys +# + +- name: Ensure Goofys Docker image is pulled + docker_image: + name: "{{ docker_goofys_image }}" + when: matrix_s3_media_store_enabled + +# This will throw a Permission Denied error if already mounted +- name: Check Matrix Goofys external storage mountpoint path + stat: path="{{ matrix_synapse_media_store_path }}" + register: local_path_matrix_synapse_media_store_path_stat + ignore_errors: yes + when: matrix_s3_media_store_enabled + +- name: Ensure Matrix Goofys external storage mountpoint exists + file: + path: "{{ matrix_synapse_media_store_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_uid }}" + group: "{{ matrix_user_gid }}" + when: "matrix_s3_media_store_enabled and not local_path_matrix_synapse_media_store_path_stat.failed and not local_path_matrix_synapse_media_store_path_stat.stat.exists" + +- name: Ensure goofys environment variables file created + template: + src: "{{ role_path }}/templates/env/env-goofys.j2" + dest: "{{ matrix_environment_variables_data_path }}/goofys" + owner: root + mode: 0600 + when: matrix_s3_media_store_enabled + +- name: Ensure matrix-goofys.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-goofys.service.j2" + dest: "/etc/systemd/system/matrix-goofys.service" + mode: 0644 + when: matrix_s3_media_store_enabled + +# +# Tasks related to getting rid of goofys (if it was previously enabled) +# + +- name: Check existence of matrix-goofys service + stat: path="/etc/systemd/system/matrix-goofys.service" + register: matrix_goofys_service_stat + +- name: Ensure matrix-goofys is stopped + service: name=matrix-goofys state=stopped daemon_reload=yes + register: stopping_result + when: "not matrix_s3_media_store_enabled and matrix_goofys_service_stat.stat.exists" + +- name: Ensure matrix-goofys.service doesn't exist + file: + path: "/etc/systemd/system/matrix-goofys.service" + state: absent + when: "not matrix_s3_media_store_enabled and matrix_goofys_service_stat.stat.exists" + +- name: Ensure goofys environment variables file doesn't exist + file: + path: "{{ matrix_environment_variables_data_path }}/goofys" + state: absent + when: "not matrix_s3_media_store_enabled" + +- name: Ensure Goofys Docker image doesn't exist + docker_image: + name: "{{ docker_goofys_image }}" + state: absent + when: "not matrix_s3_media_store_enabled" diff --git a/roles/matrix-server/tasks/setup_s3fs.yml b/roles/matrix-server/tasks/setup_s3fs.yml index 15fe590b..49f64990 100644 --- a/roles/matrix-server/tasks/setup_s3fs.yml +++ b/roles/matrix-server/tasks/setup_s3fs.yml @@ -1,29 +1,5 @@ # -# Tasks related to setting up s3fs -# - -- name: Ensure S3fs Docker image is pulled - docker_image: - name: "{{ docker_s3fs_image }}" - when: matrix_s3_media_store_enabled - -- name: Ensure s3fs-credentials file created - template: - src: "{{ role_path }}/templates/s3fs-credentials.j2" - dest: "{{ matrix_base_data_path }}/s3fs-credentials" - owner: root - mode: 0600 - when: matrix_s3_media_store_enabled - -- name: Ensure matrix-s3fs.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-s3fs.service.j2" - dest: "/etc/systemd/system/matrix-s3fs.service" - mode: 0644 - when: matrix_s3_media_store_enabled - -# -# Tasks related to getting rid of s3fs (if it was previously enabled) +# Tasks related to getting rid of s3fs (if it was previously installed) # - name: Check existence of matrix-s3fs service @@ -33,22 +9,19 @@ - name: Ensure matrix-s3fs is stopped service: name=matrix-s3fs state=stopped daemon_reload=yes register: stopping_result - when: "not matrix_s3_media_store_enabled and matrix_s3fs_service_stat.stat.exists" + when: "matrix_s3fs_service_stat.stat.exists" - name: Ensure matrix-s3fs.service doesn't exist file: path: "/etc/systemd/system/matrix-s3fs.service" state: absent - when: "not matrix_s3_media_store_enabled and matrix_s3fs_service_stat.stat.exists" - name: Ensure s3fs-credentials doesn't exist file: path: "{{ matrix_base_data_path }}/s3fs-credentials" state: absent - when: "not matrix_s3_media_store_enabled" - name: Ensure S3fs Docker image doesn't exist docker_image: name: "{{ docker_s3fs_image }}" state: absent - when: "not matrix_s3_media_store_enabled" diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 362dc047..2c67a676 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -10,16 +10,19 @@ with_items: - "{{ matrix_synapse_config_dir_path }}" - "{{ matrix_synapse_run_path }}" + - "{{ matrix_synapse_storage_path }}" # We handle matrix_synapse_media_store_path below, not here, # because if it's using S3fs and it's already mounted (from before), # trying to chown/chmod it here will cause trouble. +# This will throw a Permission Denied error if already mounted using fuse - name: Check Matrix Synapse media store path stat: path="{{ matrix_synapse_media_store_path }}" register: local_path_media_store_stat + ignore_errors: yes # This is separate and conditional, to ensure we don't execute it -# if the path already exists (and is likely used by an s3fs mount). +# if the path already exists or we failed to check, because it's mounted using fuse. - name: Ensure Matrix media store path exists file: path: "{{ matrix_synapse_media_store_path }}" @@ -27,7 +30,7 @@ mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" - when: "not local_path_media_store_stat.stat.exists" + when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" - name: Ensure Matrix Docker image is pulled docker_image: @@ -74,7 +77,7 @@ - {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'} - {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'} - {"regexp": "^max_upload_size:", "line": 'max_upload_size: "{{ matrix_max_upload_size_mb }}M"'} - - {"regexp": "^media_store_path:", "line": 'media_store_path: "/matrix-media-store"'} + - {"regexp": "^media_store_path:", "line": 'media_store_path: "/matrix-storage/media-store"'} - name: Augment Matrix config (configure Macaroon secret) lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index 3b1cafb0..058f4c7a 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -4,8 +4,8 @@ service: name=matrix-postgres enabled=yes state=restarted daemon_reload=yes when: "not matrix_postgres_use_external" -- name: Ensure matrix-s3fs autoruns and is restarted - service: name=matrix-s3fs enabled=yes state=restarted daemon_reload=yes +- name: Ensure matrix-goofys autoruns and is restarted + service: name=matrix-goofys enabled=yes state=restarted daemon_reload=yes when: matrix_s3_media_store_enabled - name: Ensure matrix-synapse autoruns and is restarted diff --git a/roles/matrix-server/templates/env/env-goofys.j2 b/roles/matrix-server/templates/env/env-goofys.j2 new file mode 100644 index 00000000..a9e4b692 --- /dev/null +++ b/roles/matrix-server/templates/env/env-goofys.j2 @@ -0,0 +1,2 @@ +AWS_ACCESS_KEY={{ matrix_s3_media_store_aws_access_key }} +AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }} \ No newline at end of file diff --git a/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 b/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 new file mode 100644 index 00000000..9107ca9a --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 @@ -0,0 +1,32 @@ +[Unit] +Description=Matrix Goofys media store +After=docker.service +Requires=docker.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill %n +ExecStartPre=-/usr/bin/docker rm %n +ExecStart=/usr/bin/docker run --rm --name %n \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + -v /etc/passwd:/etc/passwd:ro \ + -v /etc/group:/etc/group:ro \ + --security-opt apparmor:unconfined \ + --cap-add mknod \ + --cap-add sys_admin \ + --device=/dev/fuse \ + -v {{ matrix_synapse_media_store_path }}:/s3:shared \ + --env-file={{ matrix_environment_variables_data_path }}/goofys \ + --entrypoint /bin/sh \ + {{ docker_goofys_image }} \ + -c 'goofys -f --storage-class=STANDARD_IA --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' +TimeoutStartSec=5min +ExecStop=-/usr/bin/docker stop %n +ExecStop=-/usr/bin/docker kill %n +ExecStop=-/usr/bin/docker rm %n +ExecStop=-/bin/fusermount -u {{ matrix_synapse_media_store_path }} +Restart=always +RestartSec=5 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-server/templates/systemd/matrix-s3fs.service.j2 b/roles/matrix-server/templates/systemd/matrix-s3fs.service.j2 deleted file mode 100644 index 51212fb7..00000000 --- a/roles/matrix-server/templates/systemd/matrix-s3fs.service.j2 +++ /dev/null @@ -1,35 +0,0 @@ -[Unit] -Description=Matrix S3fs media store -After=docker.service -Requires=docker.service - -[Service] -Type=simple -ExecStartPre=-/usr/bin/docker kill %n -ExecStartPre=-/usr/bin/docker rm %n -ExecStartPre=-/usr/bin/mkdir /tmp/matrix-s3fs-cache -ExecStart=/usr/bin/docker run --rm --name %n \ - -v {{ matrix_base_data_path }}/s3fs-credentials:/s3fs-credentials \ - --security-opt apparmor:unconfined \ - --cap-add mknod \ - --cap-add sys_admin \ - --device=/dev/fuse \ - -v {{ matrix_synapse_media_store_path }}:/media-store:shared \ - -v /tmp/matrix-s3fs-cache:/s3fs-cache \ - {{ docker_s3fs_image }} \ - /usr/bin/s3fs -f \ - -o allow_other \ - -o use_cache=/s3fs-cache \ - -o storage_class=standard_ia \ - -o passwd_file=/s3fs-credentials \ - {{ matrix_s3_media_store_bucket_name }} /media-store -TimeoutStartSec=5min -ExecStop=-/usr/bin/docker stop %n -ExecStop=-/usr/bin/docker kill %n -ExecStop=-/usr/bin/docker rm %n -ExecStop=-/usr/bin/rm -rf /tmp/matrix-s3fs-cache -Restart=always -RestartSec=5 - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 717bd3a8..fd8ddb4a 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -7,14 +7,20 @@ Requires=matrix-postgres.service After=matrix-postgres.service {% endif %} {% if matrix_s3_media_store_enabled %} -After=matrix-s3fs.service -Requires=matrix-s3fs.service +After=matrix-goofys.service +Requires=matrix-goofys.service {% endif %} [Service] Type=simple ExecStartPre=-/usr/bin/docker kill matrix-synapse ExecStartPre=-/usr/bin/docker rm matrix-synapse +{% if matrix_s3_media_store_enabled %} +# Allow for some time before starting, so that media store can mount. +# Mounting can happen later too, but if we start writing, +# we'd write files to the local filesystem and fusermount will complain. +ExecStartPre=/bin/sleep 5 +{% endif %} ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% if not matrix_postgres_use_external %} --link matrix-postgres:{{ matrix_postgres_connection_hostname }} \ @@ -28,7 +34,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ -v {{ matrix_synapse_config_dir_path }}:/data \ -v {{ matrix_synapse_run_path }}:/matrix-run \ - -v {{ matrix_synapse_media_store_path }}:/matrix-media-store \ + -v {{ matrix_synapse_storage_path }}:/matrix-storage:slave \ {{ docker_matrix_image }} ExecStop=-/usr/bin/docker kill matrix-synapse ExecStop=-/usr/bin/docker rm matrix-synapse From 5d9ddd1627b7bc68e360217c06df3918092a6b04 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 16 Mar 2018 10:22:09 +0200 Subject: [PATCH 0050/2384] Update Docker images --- roles/matrix-server/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 7008f110..507e2f01 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -38,9 +38,9 @@ matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" -docker_postgres_image: "postgres:9.6.7-alpine" -docker_matrix_image: "avhost/docker-matrix:v0.26.0" -docker_nginx_image: "nginx:1.13.8-alpine" +docker_postgres_image: "postgres:9.6.8-alpine" +docker_matrix_image: "avhost/docker-matrix:v0.26.1" +docker_nginx_image: "nginx:1.13.9-alpine" docker_riot_image: "avhost/docker-matrix-riot:latest" docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" From af54d60b0f6af29081dfd3a904de918a1098cf73 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 3 Apr 2018 18:49:05 +0300 Subject: [PATCH 0051/2384] Update Docker images --- roles/matrix-server/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 507e2f01..d1558e2f 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -39,8 +39,8 @@ matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" docker_postgres_image: "postgres:9.6.8-alpine" -docker_matrix_image: "avhost/docker-matrix:v0.26.1" -docker_nginx_image: "nginx:1.13.9-alpine" +docker_matrix_image: "avhost/docker-matrix:v0.27.2" +docker_nginx_image: "nginx:1.13.10-alpine" docker_riot_image: "avhost/docker-matrix-riot:latest" docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" From 7de11261b1d950ae07b835377f02e31b6e68ca30 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Apr 2018 18:51:32 +0200 Subject: [PATCH 0052/2384] Update Docker images --- roles/matrix-server/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index d1558e2f..b51df988 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -39,9 +39,9 @@ matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" docker_postgres_image: "postgres:9.6.8-alpine" -docker_matrix_image: "avhost/docker-matrix:v0.27.2" -docker_nginx_image: "nginx:1.13.10-alpine" -docker_riot_image: "avhost/docker-matrix-riot:latest" +docker_matrix_image: "avhost/docker-matrix:v0.27.3" +docker_nginx_image: "nginx:1.13.12-alpine" +docker_riot_image: "avhost/docker-matrix-riot:v0.14.0" docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" From a367172b67e5b30ed6cdca9ee226212887d041e0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 28 Apr 2018 13:38:44 +0300 Subject: [PATCH 0053/2384] Update dependencies --- roles/matrix-server/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index b51df988..601c0aeb 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -39,9 +39,9 @@ matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" docker_postgres_image: "postgres:9.6.8-alpine" -docker_matrix_image: "avhost/docker-matrix:v0.27.3" +docker_matrix_image: "avhost/docker-matrix:v0.28.0" docker_nginx_image: "nginx:1.13.12-alpine" -docker_riot_image: "avhost/docker-matrix-riot:v0.14.0" +docker_riot_image: "avhost/docker-matrix-riot:v0.14.1" docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" From bd580d3b9a44f48fe118c5cde1183cea2328e3b3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 May 2018 14:31:00 +0300 Subject: [PATCH 0054/2384] Update dependencies --- roles/matrix-server/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 601c0aeb..f5d98edc 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -39,9 +39,9 @@ matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" docker_postgres_image: "postgres:9.6.8-alpine" -docker_matrix_image: "avhost/docker-matrix:v0.28.0" +docker_matrix_image: "avhost/docker-matrix:v0.28.1" docker_nginx_image: "nginx:1.13.12-alpine" -docker_riot_image: "avhost/docker-matrix-riot:v0.14.1" +docker_riot_image: "avhost/docker-matrix-riot:v0.14.2" docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" From 67a98e51d9c72f827aab1ccb76fa4351a2a010f8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 May 2018 14:31:43 +0300 Subject: [PATCH 0055/2384] Make the riot-web container run without root privileges --- .../templates/systemd/matrix-riot-web.service.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 index 7cc17c9f..07582556 100644 --- a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 @@ -8,7 +8,9 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-riot-web ExecStartPre=-/usr/bin/docker rm matrix-riot-web ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ - -v {{ matrix_nginx_riot_web_data_path }}:/data:ro \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + -v {{ matrix_nginx_riot_web_data_path }}/config.json:/riot-web/webapp/config.json:ro \ + -v {{ matrix_nginx_riot_web_data_path }}/riot.im.conf:/data/riot.im.conf:ro \ {% if not matrix_nginx_proxy_enabled %} -p 127.0.0.1:8765:8765 \ {% endif %} From 3af3ef48fce1a7f738e3ce4f315836f6b89f8a67 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 25 May 2018 13:15:17 +0300 Subject: [PATCH 0056/2384] Make .log.config modifications respect whitespace A `.log.config` file may be generated with a different level of indentation depending on which (Docker image, etc.) generates it. With this patch, we tolerate different levels of indentation (2 spaces, 4 spaces, etc.) and don't break the configuration. --- roles/matrix-server/tasks/setup_synapse.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 2c67a676..6a8898a3 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -61,10 +61,11 @@ args: regexp: "{{ item.regexp }}" line: '{{ item.line }}' + backrefs: '{{ item.backrefs }}' with_items: - - {"regexp": "^ filename:", "line": ' filename: /matrix-run/homeserver.log'} - - {"regexp": "^ maxBytes:", "line": ' maxBytes: {{ matrix_max_log_file_size_mb * 1024 * 1024 }}'} - - {"regexp": "^ backupCount:", "line": ' backupCount: {{ matrix_max_log_files_count }}'} + - {"regexp": '^(\s+)filename:', "line": '\1filename: /matrix-run/homeserver.log', backrefs: yes} + - {"regexp": '^(\s+)maxBytes:', "line": '\1maxBytes: {{ matrix_max_log_file_size_mb * 1024 * 1024 }}', backrefs: yes} + - {"regexp": '^(\s+)backupCount:', "line": '\1backupCount: {{ matrix_max_log_files_count }}', backrefs: yes} - name: Augment Matrix config lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" From b3e62126db57c1acfde931022f06781414a3e12d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 25 May 2018 21:58:53 +0300 Subject: [PATCH 0057/2384] Switch Docker image to official one Switching from from avhost/docker-matrix (silviof/docker-matrix) to matrixdotorg/synapse. The avhost/docker-matrix (silviof/docker-matrix) image used to bundle in the coturn STUN/TURN server, so as part of the move, we're separating this to a separately-ran service (matrix-coturn.service, powered by instrumentisto/coturn-docker-image) --- examples/host-vars.yml | 6 ++- roles/matrix-server/defaults/main.yml | 11 ++++- roles/matrix-server/tasks/main.yml | 6 +++ roles/matrix-server/tasks/setup_coturn.yml | 42 +++++++++++++++++++ roles/matrix-server/tasks/setup_synapse.yml | 22 +++++----- roles/matrix-server/tasks/start.yml | 3 ++ .../templates/coturn/turnserver.conf.j2 | 15 +++++++ .../systemd/matrix-coturn.service.j2 | 25 +++++++++++ .../systemd/matrix-synapse.service.j2 | 6 +-- 9 files changed, 119 insertions(+), 17 deletions(-) create mode 100644 roles/matrix-server/tasks/setup_coturn.yml create mode 100644 roles/matrix-server/templates/coturn/turnserver.conf.j2 create mode 100644 roles/matrix-server/templates/systemd/matrix-coturn.service.j2 diff --git a/examples/host-vars.yml b/examples/host-vars.yml index ef911ecf..da7ce947 100644 --- a/examples/host-vars.yml +++ b/examples/host-vars.yml @@ -16,4 +16,8 @@ host_specific_matrix_ssl_support_email: YOUR_EMAIL_ADDRESS_HERE # (for configuration purposes). # # Example value: example.com -host_specific_hostname_identity: YOUR_BARE_DOMAIN_NAME_HERE \ No newline at end of file +host_specific_hostname_identity: YOUR_BARE_DOMAIN_NAME_HERE + +# A shared secret (between Synapse and Coturn) used for authentication. +# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). +matrix_coturn_turn_static_auth_secret: "" \ No newline at end of file diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index f5d98edc..5af92385 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -36,25 +36,34 @@ matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" +matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" +matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" docker_postgres_image: "postgres:9.6.8-alpine" -docker_matrix_image: "avhost/docker-matrix:v0.28.1" +docker_matrix_image: "matrixdotorg/synapse:v0.30.0" docker_nginx_image: "nginx:1.13.12-alpine" docker_riot_image: "avhost/docker-matrix-riot:v0.14.2" docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" +docker_coturn_image: "instrumentisto/coturn:4.5.0.7" # To avoid Synapse's macaroon secret key from changing every time # a new config is built from scratch, you can specify one here. matrix_synapse_macaroon_secret_key: null + +# A shared secret (between Synapse and Coturn) used for authentication. +# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). +matrix_coturn_turn_static_auth_secret: "" + # UDP port-range to use for TURN matrix_coturn_turn_udp_min_port: 49152 matrix_coturn_turn_udp_max_port: 49172 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" + matrix_max_upload_size_mb: 10 matrix_max_log_file_size_mb: 100 matrix_max_log_files_count: 10 diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 8904cb53..0e54396a 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -28,10 +28,16 @@ - setup-main - setup-goofys +- include: tasks/setup_coturn.yml + tags: + - setup-main + - setup-coturn + - include: tasks/setup_synapse.yml tags: - setup-main - setup-synapse + - setup-coturn - include: tasks/setup_riot_web.yml tags: diff --git a/roles/matrix-server/tasks/setup_coturn.yml b/roles/matrix-server/tasks/setup_coturn.yml new file mode 100644 index 00000000..11b48d4a --- /dev/null +++ b/roles/matrix-server/tasks/setup_coturn.yml @@ -0,0 +1,42 @@ +--- + +- name: Fail if Coturn secret is missing + fail: + msg: "You need to set a secret in the matrix_coturn_turn_static_auth_secret variable" + when: "matrix_coturn_turn_static_auth_secret == ''" + +- name: Ensure Coturn image is pulled + docker_image: + name: "{{ docker_coturn_image }}" + +- name: Ensure Coturn configuration path exists + file: + path: "{{ matrix_coturn_base_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure turnserver.conf installed + template: + src: "{{ role_path }}/templates/coturn/turnserver.conf.j2" + dest: "{{ matrix_coturn_config_path }}" + mode: 0644 + +- name: Ensure matrix-coturn.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2" + dest: "/etc/systemd/system/matrix-coturn.service" + mode: 0644 + +- name: Allow access to Coturn ports in firewalld + firewalld: + port: "{{ item }}" + state: enabled + immediate: yes + permanent: yes + with_items: + - '3478/tcp' # STUN + - '3478/udp' # STUN + - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN + when: ansible_os_family == 'RedHat' \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 6a8898a3..70db567b 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -49,8 +49,9 @@ cleanup: yes command: generate env: - SERVER_NAME: "{{ hostname_matrix }}" - REPORT_STATS: "no" + SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" + SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}" + SYNAPSE_REPORT_STATS: "no" user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" volumes: - "{{ matrix_synapse_config_dir_path }}:/data" @@ -74,6 +75,7 @@ line: '{{ item.line }}' with_items: - {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'} + - {"regexp": "^uploads_path:", "line": 'uploads_path: "/matrix-run/uploads"'} - {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'} - {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'} - {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'} @@ -117,15 +119,14 @@ regexp: '(.*)name: "psycopg2"((?:.|\n)*?)\n\n' replace: '\1name: "psycopg2"\n\1args:\n\1\1user: "{{ matrix_postgres_connection_username }}"\n\1\1password: "{{ matrix_postgres_connection_password }}"\n\1\1database: "{{ matrix_postgres_db_name }}"\n\1\1host: "{{ matrix_postgres_connection_hostname }}"\n\1\1cp_min: 5\n\1\1cp_max: 10\n\n' -- name: Augment Matrix config (configure Coturn) - lineinfile: "dest={{ matrix_synapse_config_dir_path }}/turnserver.conf" +- name: Augment Matrix config (configure TURN) + lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" args: - regexp: "^{{ item.variable }}=" - line: '{{ item.variable }}={{ item.value }}' + regexp: "{{ item.regexp }}" + line: '{{ item.line }}' with_items: - - {'variable': 'min-port', 'value': "{{ matrix_coturn_turn_udp_min_port }}"} - - {'variable': 'max-port', 'value': "{{ matrix_coturn_turn_udp_max_port }}"} - - {'variable': 'external-ip', 'value': "{{ matrix_coturn_turn_external_ip_address }}"} + - {"regexp": "^turn_uris:", "line": 'turn_uris: ["turn:{{ hostname_matrix }}:3478?transport=udp", "turn:{{ hostname_matrix }}:3478?transport=tcp"]'} + - {"regexp": "^turn_shared_secret:", "line": 'turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret }}"'} - name: Allow access to Matrix ports in firewalld firewalld: @@ -135,9 +136,6 @@ permanent: yes with_items: - '8448/tcp' # Matrix federation - - '3478/tcp' # STUN - - '3478/udp' # STUN - - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN when: ansible_os_family == 'RedHat' - name: Ensure matrix-synapse.service installed diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index 058f4c7a..2ee6d2ba 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -8,6 +8,9 @@ service: name=matrix-goofys enabled=yes state=restarted daemon_reload=yes when: matrix_s3_media_store_enabled +- name: Ensure matrix-coturn autoruns and is restarted + service: name=matrix-coturn enabled=yes state=restarted daemon_reload=yes + - name: Ensure matrix-synapse autoruns and is restarted service: name=matrix-synapse enabled=yes state=restarted daemon_reload=yes diff --git a/roles/matrix-server/templates/coturn/turnserver.conf.j2 b/roles/matrix-server/templates/coturn/turnserver.conf.j2 new file mode 100644 index 00000000..2298d182 --- /dev/null +++ b/roles/matrix-server/templates/coturn/turnserver.conf.j2 @@ -0,0 +1,15 @@ +lt-cred-mech +use-auth-secret +static-auth-secret={{ matrix_coturn_turn_static_auth_secret }} +realm=turn.{{ hostname_matrix }} +cert=/matrix-config/{{ hostname_matrix }}.tls.crt +pkey=/matrix-config/{{ hostname_matrix }}.tls.key +dh-file=/matrix-config/{{ hostname_matrix }}.tls.dh +cipher-list="HIGH" +min-port={{ matrix_coturn_turn_udp_min_port }} +max-port={{ matrix_coturn_turn_udp_max_port }} +external-ip={{ matrix_coturn_turn_external_ip_address }} +log-file=stdout +pidfile=/var/tmp/turnserver.pid +userdb=/var/tmp/turnserver.db +no-cli \ No newline at end of file diff --git a/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 new file mode 100644 index 00000000..df5d74f2 --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 @@ -0,0 +1,25 @@ +[Unit] +Description=Matrix Coturn server +After=docker.service +Requires=docker.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-coturn +ExecStartPre=-/usr/bin/docker rm matrix-coturn +ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + -p 3478:3478 \ + -p 3478:3478/udp \ + -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ + -v {{ matrix_synapse_config_dir_path }}:/matrix-config:ro \ + -v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \ + {{ docker_coturn_image }} \ + -c /turnserver.conf +ExecStop=-/usr/bin/docker kill matrix-coturn +ExecStop=-/usr/bin/docker rm matrix-coturn +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index fd8ddb4a..c9beb406 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -10,6 +10,8 @@ After=matrix-postgres.service After=matrix-goofys.service Requires=matrix-goofys.service {% endif %} +After=matrix-coturn.service +Requires=matrix-coturn.service [Service] Type=simple @@ -29,12 +31,10 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% if not matrix_nginx_proxy_enabled %} -p 127.0.0.1:8008:8008 \ {% endif %} - -p 3478:3478 \ - -p 3478:3478/udp \ - -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ -v {{ matrix_synapse_config_dir_path }}:/data \ -v {{ matrix_synapse_run_path }}:/matrix-run \ -v {{ matrix_synapse_storage_path }}:/matrix-storage:slave \ + -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml \ {{ docker_matrix_image }} ExecStop=-/usr/bin/docker kill matrix-synapse ExecStop=-/usr/bin/docker rm matrix-synapse From f1b4730e82611c051cdcba10cb721b2cb0acd0f4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 26 May 2018 12:25:05 +0300 Subject: [PATCH 0058/2384] Update Docker images --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 5af92385..9ba39dd2 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -43,7 +43,7 @@ matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" docker_postgres_image: "postgres:9.6.8-alpine" docker_matrix_image: "matrixdotorg/synapse:v0.30.0" docker_nginx_image: "nginx:1.13.12-alpine" -docker_riot_image: "avhost/docker-matrix-riot:v0.14.2" +docker_riot_image: "avhost/docker-matrix-riot:v0.15.4" docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" docker_coturn_image: "instrumentisto/coturn:4.5.0.7" From cbee084ac19b663b965847f60e95a0c020c7111b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 28 May 2018 14:47:09 +0300 Subject: [PATCH 0059/2384] Use Postgres 10.x by default (only for new installs) This playbook just tries to avoid trying to setup a Postgres 10 database with existing 9.x files, as that makes Postgres complain. Due to this, existing installs (still on 9.x) are detected and left on Postgres 9.x. They need to be upgraded to Postgres 10.x manually. --- roles/matrix-server/defaults/main.yml | 7 ++++- roles/matrix-server/tasks/setup_postgres.yml | 31 ++++++++++++++++++- .../systemd/matrix-postgres.service.j2 | 2 +- .../usr-local-bin/matrix-postgres-cli.j2 | 2 +- 4 files changed, 38 insertions(+), 4 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 9ba39dd2..de7e01dd 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -40,7 +40,11 @@ matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" -docker_postgres_image: "postgres:9.6.8-alpine" + +docker_postgres_image_v9: "postgres:9.6.8-alpine" +docker_postgres_image_v10: "postgres:10.4-alpine" +docker_postgres_image_latest: "{{ docker_postgres_image_v10 }}" + docker_matrix_image: "matrixdotorg/synapse:v0.30.0" docker_nginx_image: "nginx:1.13.12-alpine" docker_riot_image: "avhost/docker-matrix-riot:v0.15.4" @@ -48,6 +52,7 @@ docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" docker_coturn_image: "instrumentisto/coturn:4.5.0.7" + # To avoid Synapse's macaroon secret key from changing every time # a new config is built from scratch, you can specify one here. matrix_synapse_macaroon_secret_key: null diff --git a/roles/matrix-server/tasks/setup_postgres.yml b/roles/matrix-server/tasks/setup_postgres.yml index c52e0b6a..a231b902 100644 --- a/roles/matrix-server/tasks/setup_postgres.yml +++ b/roles/matrix-server/tasks/setup_postgres.yml @@ -4,10 +4,39 @@ # Generic tasks, no matter what kind of server we're using (internal/external) # +- name: Determine existing Postgres version (check PG_VERSION file) + stat: + path: "{{ matrix_postgres_data_path }}/PG_VERSION" + register: result_pg_version_stat + +- name: Determine existing Postgres version (read PG_VERSION file) + slurp: + src: "{{ matrix_postgres_data_path }}/PG_VERSION" + register: result_pg_version + when: "result_pg_version_stat.stat.exists" + +- name: Determine existing Postgres version (default to empty) + set_fact: + pg_version: "" + +- name: Determine existing Postgres version (make sense of PG_VERSION file) + set_fact: + pg_version: "{{ result_pg_version['content']|b64decode|replace('\n', '') }}" + when: "result_pg_version_stat.stat.exists" + +- name: Determine Postgres version to use (default to latest) + set_fact: + docker_postgres_image_to_use: "{{ docker_postgres_image_latest }}" + +- name: Determine Postgres version to use (use 9.x, if detected) + set_fact: + docker_postgres_image_to_use: "{{ docker_postgres_image_v9 }}" + when: "pg_version.startswith('9.')" + # Even if we don't run the internal server, we still need this for running the CLI - name: Ensure postgres Docker image is pulled docker_image: - name: "{{ docker_postgres_image }}" + name: "{{ docker_postgres_image_to_use }}" - name: Ensure Postgres environment variables file created template: diff --git a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 index 846d7355..f0bc4bd4 100644 --- a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 @@ -14,7 +14,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-server-docker \ -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \ -v /etc/passwd:/etc/passwd:ro \ - {{ docker_postgres_image }} + {{ docker_postgres_image_to_use }} ExecStop=-/usr/bin/docker stop matrix-postgres ExecStop=-/usr/bin/docker rm matrix-postgres Restart=always diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 index 2e6a15ce..f2379276 100644 --- a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 +++ b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -7,5 +7,5 @@ docker run \ {% if not matrix_postgres_use_external %} --link=matrix-postgres:{{ matrix_postgres_connection_hostname }} \ {% endif %} - {{ docker_postgres_image }} \ + {{ docker_postgres_image_to_use }} \ psql -h {{ matrix_postgres_connection_hostname }} \ No newline at end of file From d107ab2540cec51696482baaed08314e7c833e7a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 28 May 2018 20:40:42 +0300 Subject: [PATCH 0060/2384] Add support for upgrading Postgres Since cbee084ac19b6, this playbook supports Postgres 10.x, but keeps existing Postgres-9.x installs on 9.x. This playbook can now also be ran with `--tags=upgrade-postgres` to make it upgrade from Postgres 9.x to 10.x (or other versions in the future). --- README.md | 22 ++++ roles/matrix-server/tasks/main.yml | 4 + roles/matrix-server/tasks/setup_postgres.yml | 4 + .../matrix-server/tasks/upgrade_postgres.yml | 123 ++++++++++++++++++ 4 files changed, 153 insertions(+) create mode 100644 roles/matrix-server/tasks/upgrade_postgres.yml diff --git a/README.md b/README.md index c3c58929..62a593bd 100644 --- a/README.md +++ b/README.md @@ -259,6 +259,28 @@ You can do it via this Ansible playbook (make sure to edit the `` **Note**: `` is just a plain username (like `john`), not your full `@:` identifier. +### Upgrading Postgres + +If you're not using an external Postgres server, this playbook initially installs Postgres for you. + +Once installed like that, this playbook attempts to preserve the Postgres version it starts with. +This is because newer Postgres versions cannot start with data generated by an older Postgres version. +An upgrade must be performed. + +This playbook can upgrade your existing Postgres setup with the following command: + + ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres + +**The old Postgres data directory is backed up** (by renaming to `/matrix/postgres-auto-upgrade-backup`). +It stays around forever, until you **manually decide to delete it**. + +As part of the upgrade, the database is dumped to `/tmp`, upgraded and then restored from that dump. +To use a different directory, pass some extra flags to the command above, like this: `--extra-vars="postgres_dump_dir=/directory/to/dump/here"` + +**ONLY one database is migrated** (the one specified in `matrix_postgres_db_name`, named `homeserver` by default). +If you've created other databases in that database instance (something this playbook never does and never advises), data will be lost. + + ## Uninstalling **Note**: If you have some trouble with your installation configuration, you can just re-run the playbook and it will try to set things up again. You don't need to uninstall and install fresh. diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 0e54396a..2df3b60d 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -13,6 +13,10 @@ - setup-main - setup-ssl +- include: tasks/upgrade_postgres.yml + tags: + - upgrade-postgres + - include: tasks/setup_postgres.yml tags: - setup-main diff --git a/roles/matrix-server/tasks/setup_postgres.yml b/roles/matrix-server/tasks/setup_postgres.yml index a231b902..92f125e0 100644 --- a/roles/matrix-server/tasks/setup_postgres.yml +++ b/roles/matrix-server/tasks/setup_postgres.yml @@ -33,6 +33,10 @@ docker_postgres_image_to_use: "{{ docker_postgres_image_v9 }}" when: "pg_version.startswith('9.')" +- debug: + msg: "NOTE: Your setup is on an old Postgres version ({{ docker_postgres_image_to_use }}), while {{ docker_postgres_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres" + when: "docker_postgres_image_to_use != docker_postgres_image_latest" + # Even if we don't run the internal server, we still need this for running the CLI - name: Ensure postgres Docker image is pulled docker_image: diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-server/tasks/upgrade_postgres.yml new file mode 100644 index 00000000..db6d75ac --- /dev/null +++ b/roles/matrix-server/tasks/upgrade_postgres.yml @@ -0,0 +1,123 @@ +--- + +- name: Set default postgres_dump_dir, if not provided + set_fact: + postgres_dump_dir: "/tmp" + when: "postgres_dump_dir|default('') == ''" + +- name: Set postgres_dump_name, if not provided + set_fact: + postgres_dump_name: "matrix-postgres.out" + when: "postgres_dump_name|default('') == ''" + +- set_fact: + postgres_auto_upgrade_backup_data_path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup" + +- name: Fail, if trying to upgrade external Postgres database + fail: + msg: "Your configuration indicates that you're using an external Postgres database. Refusing to try and upgrade that." + when: "matrix_postgres_use_external" + +- name: Check Postgres auto-upgrade backup data directory + stat: + path: "{{ postgres_auto_upgrade_backup_data_path }}" + register: result_auto_upgrade_path + +- name: Abort, if existing Postgres auto-upgrade data path detected + fail: + msg: "Detected that a left-over {{ postgres_auto_upgrade_backup_data_path }} exists. You should rename it to {{ matrix_postgres_data_path }} if the previous upgrade went wrong, or delete it if it went well." + when: "result_auto_upgrade_path.stat.exists" + +- name: Determine existing Postgres version (check PG_VERSION file) + stat: + path: "{{ matrix_postgres_data_path }}/PG_VERSION" + register: result_pg_version_stat + +- name: Abort, if no existing Postgres version detected + fail: msg="Could not find existing Postgres installation" + when: "not result_pg_version_stat.stat.exists" + +- name: Determine existing Postgres version (read PG_VERSION file) + slurp: + src: "{{ matrix_postgres_data_path }}/PG_VERSION" + register: result_pg_version + +- name: Determine existing Postgres version (default to empty) + set_fact: + pg_version: "" + +- name: Determine existing Postgres version (make sense of PG_VERSION file) + set_fact: + pg_version: "{{ result_pg_version['content']|b64decode|replace('\n', '') }}" + +- name: Determine Postgres version to use (default to latest) + set_fact: + docker_postgres_image_to_use: "{{ docker_postgres_image_latest }}" + +- name: Determine Postgres version to use (use 9.x, if detected) + set_fact: + docker_postgres_image_to_use: "{{ docker_postgres_image_v9 }}" + when: "pg_version.startswith('9.')" + +- name: Abort, if already at latest Postgres version + fail: msg="You are already running the latest Postgres version supported. Nothing to do" + when: "docker_postgres_image_to_use == docker_postgres_image_latest" + +- name: Ensure matrix-synapse is stopped + service: name=matrix-synapse state=stopped + +- name: Ensure matrix-postgres is started + service: name=matrix-postgres state=started daemon_reload=yes + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: 5 + delegate_to: 127.0.0.1 + become: false + +- name: Perform Postgres database dump + command: | + /usr/bin/docker run --rm --name matrix-postgres-dump \ + --link matrix-postgres:postgres \ + --env-file=/matrix/environment-variables/env-postgres-pgsql-docker \ + -v {{ postgres_dump_dir }}:/out \ + {{ docker_postgres_image_to_use }} pg_dump -h postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }} + +- name: Ensure matrix-postgres is stopped + service: name=matrix-postgres state=stopped + +- name: Rename existing Postgres data directory + command: "mv {{ matrix_postgres_data_path }} {{ postgres_auto_upgrade_backup_data_path }}" + +- debug: + msg: "NOTE: Your Postgres data directory has been moved from `{{ matrix_postgres_data_path }}` to `{{ postgres_auto_upgrade_backup_data_path }}`. In the event of failure, you can move it back and run the playbook with --tags=setup-postgres to restore operation." + +- include: tasks/setup_postgres.yml + +- name: Ensure matrix-postgres autoruns and is restarted + service: name=matrix-postgres enabled=yes state=restarted daemon_reload=yes + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: 5 + delegate_to: 127.0.0.1 + become: false + +- name: Perform Postgres database import + command: | + /usr/bin/docker run --rm --name matrix-postgres-import \ + --link matrix-postgres:postgres \ + --env-file=/matrix/environment-variables/env-postgres-pgsql-docker \ + -v {{ postgres_dump_dir }}:/in:ro \ + {{ docker_postgres_image_to_use }} psql -h postgres -f /in/{{ postgres_dump_name }} + +- name: Delete Postgres database dump file + file: + path: "{{ postgres_dump_dir }}/{{ postgres_dump_name }}" + state: absent + +- name: Ensure matrix-synapse is started + service: name=matrix-synapse state=started daemon_reload=yes + +- debug: + msg: "NOTE: Your old Postgres data directory is preserved at `{{ postgres_auto_upgrade_backup_data_path }}`. You might want to get rid of it once you've confirmed that all is well." From 7527929824994fef8d57cde1fb6829c9fe9e18d3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 28 May 2018 20:53:02 +0300 Subject: [PATCH 0061/2384] Update README to reflect recent changes --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 62a593bd..8e65d3bf 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up nginx for you there, but you can disable that and configure your own webserver (proxy) -- this one **runs everything in Docker containers** (like [silviof/docker-matrix](https://hub.docker.com/r/silviof/docker-matrix/) and [silviof/matrix-riot-docker](https://hub.docker.com/r/silviof/matrix-riot-docker/)), so it's likely more predictable +- this one **runs everything in Docker containers** (like [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) and [avhost/docker-matrix-riot](https://hub.docker.com/r/avhost/docker-matrix-riot/)), so it's likely more predictable and less fragile - this one retrieves and automatically renews free [Let's Encrypt](https://letsencrypt.org/) **SSL certificates** for you @@ -51,9 +51,9 @@ Special thanks goes to: - [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) - for the inspiration -- [silviof/docker-matrix](https://hub.docker.com/r/silviof/docker-matrix/) - for packaging Matrix Synapse as a Docker image. Note: due to maintenance issues, we're now using [AVENTER-UG/docker-matrix](https://github.com/AVENTER-UG/docker-matrix)'s fork. +- [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - for packaging Matrix Synapse as a Docker image -- [silviof/matrix-riot-docker](https://hub.docker.com/r/silviof/matrix-riot-docker/) - for packaging Riot as a Docker image. Note: due to maintenance issues, we're now using [AVENTER-UG/docker-matrix-riot](https://github.com/AVENTER-UG/docker-matrix-riot)'s fork. +- [avhost/docker-matrix-riot](https://hub.docker.com/r/avhost/docker-matrix-riot/) - for packaging Riot as a Docker image ## Prerequisites From 8d774db3bcf6316ef269656a4e095615112d075e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 29 May 2018 09:25:30 +0300 Subject: [PATCH 0062/2384] Indicate that Ubuntu Bionic (18.04) is not supported yet We have 2 blockers that prevent us from adding support: - the Docker CE repository does not publish a `docker-ce` package in the `stable` channel. It's still in `edge` (can be worked around by using `edge`, but we'd better not) - Docker bind propagation has troubles on Docker CE 18.05, which breaks matrix-synapse.service from starting, as it wants to do a `:slave` mount. See https://github.com/moby/moby/issues/37032 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8e65d3bf..7987255c 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ Special thanks goes to: ## Prerequisites -- **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (16.04+) server. This playbook can take over your whole server or co-exist with other services that you have there. +- **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (anything 16.04+, except 18.04 for now) server. This playbook can take over your whole server or co-exist with other services that you have there. - the [Ansible](http://ansible.com/) program, which is used to run this playbook and configures everything for you From 3390165113ddd9f7628ebbcf23fcec594c5cfef3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 29 May 2018 09:48:53 +0300 Subject: [PATCH 0063/2384] Document the Docker images being used --- README.md | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 7987255c..886a736e 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up nginx for you there, but you can disable that and configure your own webserver (proxy) -- this one **runs everything in Docker containers** (like [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) and [avhost/docker-matrix-riot](https://hub.docker.com/r/avhost/docker-matrix-riot/)), so it's likely more predictable and less fragile +- this one **runs everything in Docker containers**, so it's likely more predictable and less fragile (see [Docker images used by this playbook](#docker-images-used-by-this-playbook)) - this one retrieves and automatically renews free [Let's Encrypt](https://letsencrypt.org/) **SSL certificates** for you @@ -47,14 +47,6 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one optionally **allows you to use an external PostgreSQL server** for Matrix Synapse's database (but defaults to running one in a container) -Special thanks goes to: - -- [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) - for the inspiration - -- [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - for packaging Matrix Synapse as a Docker image - -- [avhost/docker-matrix-riot](https://hub.docker.com/r/avhost/docker-matrix-riot/) - for packaging Riot as a Docker image - ## Prerequisites @@ -302,6 +294,23 @@ However, if you've installed this on some server where you have other stuff you - delete the `/matrix` directory (`rm -rf /matrix`) +## Docker images used by this playbook + +This playbook sets up your server using the following Docker images: + +- [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Matrix Synapse](https://github.com/matrix-org/synapse) server + +- [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server + +- [avhost/docker-matrix-riot](https://hub.docker.com/r/avhost/docker-matrix-riot/) - the [Riot.im](https://about.riot.im/) web client (optional) + +- [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional) + +- [cloudproto/goofys](https://hub.docker.com/r/cloudproto/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) + +- [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional) + + ## Deficiencies This Ansible playbook can be improved in the following ways: From 2fa4ced6a74a956d0bcc332cc8920762e4eed58b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 29 May 2018 09:58:36 +0300 Subject: [PATCH 0064/2384] Add support information --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 886a736e..8bfa04ce 100644 --- a/README.md +++ b/README.md @@ -316,3 +316,10 @@ This playbook sets up your server using the following Docker images: This Ansible playbook can be improved in the following ways: - setting up automatic backups to one or more storage providers + + +## Support + +Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) + +Github issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) \ No newline at end of file From 62d1b13c91f7b46e2713f1f67c1b493fa3f50693 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 29 May 2018 11:23:17 +0300 Subject: [PATCH 0065/2384] Minor improvements to the Postgres-upgrade tasks --- roles/matrix-server/tasks/upgrade_postgres.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-server/tasks/upgrade_postgres.yml index db6d75ac..8337d6eb 100644 --- a/roles/matrix-server/tasks/upgrade_postgres.yml +++ b/roles/matrix-server/tasks/upgrade_postgres.yml @@ -79,7 +79,7 @@ command: | /usr/bin/docker run --rm --name matrix-postgres-dump \ --link matrix-postgres:postgres \ - --env-file=/matrix/environment-variables/env-postgres-pgsql-docker \ + --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ -v {{ postgres_dump_dir }}:/out \ {{ docker_postgres_image_to_use }} pg_dump -h postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }} @@ -107,9 +107,9 @@ command: | /usr/bin/docker run --rm --name matrix-postgres-import \ --link matrix-postgres:postgres \ - --env-file=/matrix/environment-variables/env-postgres-pgsql-docker \ + --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ -v {{ postgres_dump_dir }}:/in:ro \ - {{ docker_postgres_image_to_use }} psql -h postgres -f /in/{{ postgres_dump_name }} + {{ docker_postgres_image_latest }} psql -h postgres -f /in/{{ postgres_dump_name }} - name: Delete Postgres database dump file file: From 5399e2b6bbc90cff8c27039b2942871d0f76c192 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 29 May 2018 13:38:41 +0300 Subject: [PATCH 0066/2384] Do not require (but want) matrix-coturn.service in matrix-synapse It's not really a requirement, as it can function without it. Also, restarting matrix-coturn doesn't need to restart matrix-synapse. --- .../matrix-server/templates/systemd/matrix-synapse.service.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index c9beb406..19f4341c 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -10,8 +10,7 @@ After=matrix-postgres.service After=matrix-goofys.service Requires=matrix-goofys.service {% endif %} -After=matrix-coturn.service -Requires=matrix-coturn.service +Wants=matrix-coturn.service [Service] Type=simple From 1670a2093713e86f566bdff2abf0a3d2066d3b31 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 30 May 2018 15:36:09 +0300 Subject: [PATCH 0067/2384] Clean up riot-web UI (disable custom URLs and guest usage) This playbook does not set up guest access in Synapse anyway, so until the need comes (or someone asks for it), guest access is removed from riot-web's UI too. As for supporting custom URLs, this is also not something that seems like it'd be useful to most deployments. --- roles/matrix-server/templates/riot-web/config.json.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-server/templates/riot-web/config.json.j2 b/roles/matrix-server/templates/riot-web/config.json.j2 index 6f300b4d..ea2fed53 100644 --- a/roles/matrix-server/templates/riot-web/config.json.j2 +++ b/roles/matrix-server/templates/riot-web/config.json.j2 @@ -1,6 +1,8 @@ { "default_hs_url": "https://{{ hostname_matrix }}", "default_is_url": "https://vector.im", + "disable_custom_urls": true, + "disable_guests": false, "brand": "Riot", "integrations_ui_url": "https://scalar.vector.im/", "integrations_rest_url": "https://scalar.vector.im/api", From 47446a2b2611b7eff3285907bc620d1a0dacfb8d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Jun 2018 17:21:04 +0300 Subject: [PATCH 0068/2384] Fix README typos --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 8bfa04ce..ec9bb636 100644 --- a/README.md +++ b/README.md @@ -206,7 +206,7 @@ Feel free to re-run this any time you think something is off with the server con Run this if you'd like to import your database from a previous default installation of Matrix Synapse. (don't forget to import your `media_store` files as well - see below). -While this playbook always sets up PostgreSQL, by default, a Matrix Synapse installation would run +While this playbook always sets up PostgreSQL, by default a Matrix Synapse installation would run using an SQLite database. If you have such a Matrix Synapse setup and wish to migrate it here (and over to PostgreSQL), this command is for you. @@ -283,7 +283,7 @@ However, if you've installed this on some server where you have other stuff you - delete the Matrix-related systemd .service files (`rm -f /etc/systemd/system/matrix*`) and reload systemd (`systemctl daemon-reload`) -- delete all Matrix-related cronjobs (`rm -f /etc/cron.d/matrix*'`) +- delete all Matrix-related cronjobs (`rm -f /etc/cron.d/matrix*`) - delete some helper scripts (`rm -f /usr/local/bin/matrix*`) @@ -322,4 +322,4 @@ This Ansible playbook can be improved in the following ways: Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) -Github issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) \ No newline at end of file +Github issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) From ff8f1bc65ff63b3797e45eb1181c357b7e526ae4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Jun 2018 17:35:29 +0300 Subject: [PATCH 0069/2384] Upgrade Docker images --- roles/matrix-server/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index de7e01dd..cc3d7654 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -41,12 +41,12 @@ matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" -docker_postgres_image_v9: "postgres:9.6.8-alpine" +docker_postgres_image_v9: "postgres:9.6.9-alpine" docker_postgres_image_v10: "postgres:10.4-alpine" docker_postgres_image_latest: "{{ docker_postgres_image_v10 }}" docker_matrix_image: "matrixdotorg/synapse:v0.30.0" -docker_nginx_image: "nginx:1.13.12-alpine" +docker_nginx_image: "nginx:1.15.0-alpine" docker_riot_image: "avhost/docker-matrix-riot:v0.15.4" docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" From 4ebf6bbf273c2feb9a9b04992f5f53b591b17147 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 7 Jun 2018 10:14:36 +0300 Subject: [PATCH 0070/2384] Upgrade Synapse (0.30.0 -> 0.31.0) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index cc3d7654..e0df1ac5 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -45,7 +45,7 @@ docker_postgres_image_v9: "postgres:9.6.9-alpine" docker_postgres_image_v10: "postgres:10.4-alpine" docker_postgres_image_latest: "{{ docker_postgres_image_v10 }}" -docker_matrix_image: "matrixdotorg/synapse:v0.30.0" +docker_matrix_image: "matrixdotorg/synapse:v0.31.0" docker_nginx_image: "nginx:1.15.0-alpine" docker_riot_image: "avhost/docker-matrix-riot:v0.15.4" docker_s3fs_image: "xueshanf/s3fs:latest" From a5877eadd488db08c2be8e22ffc0e4ec599d0443 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jun 2018 18:25:12 +0300 Subject: [PATCH 0071/2384] Upgrade Synapse (0.31.0 -> 0.31.1) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index e0df1ac5..018fed54 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -45,7 +45,7 @@ docker_postgres_image_v9: "postgres:9.6.9-alpine" docker_postgres_image_v10: "postgres:10.4-alpine" docker_postgres_image_latest: "{{ docker_postgres_image_v10 }}" -docker_matrix_image: "matrixdotorg/synapse:v0.31.0" +docker_matrix_image: "matrixdotorg/synapse:v0.31.1" docker_nginx_image: "nginx:1.15.0-alpine" docker_riot_image: "avhost/docker-matrix-riot:v0.15.4" docker_s3fs_image: "xueshanf/s3fs:latest" From 6335485ad315724e1a2aaa039ad22f838692f80c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 15 Jun 2018 00:00:01 +0300 Subject: [PATCH 0072/2384] Upgrade Synapse (0.31.1 -> 0.31.2) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 018fed54..b7c1b1fd 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -45,7 +45,7 @@ docker_postgres_image_v9: "postgres:9.6.9-alpine" docker_postgres_image_v10: "postgres:10.4-alpine" docker_postgres_image_latest: "{{ docker_postgres_image_v10 }}" -docker_matrix_image: "matrixdotorg/synapse:v0.31.1" +docker_matrix_image: "matrixdotorg/synapse:v0.31.2" docker_nginx_image: "nginx:1.15.0-alpine" docker_riot_image: "avhost/docker-matrix-riot:v0.15.4" docker_s3fs_image: "xueshanf/s3fs:latest" From be93e97627f894516f47acb121fe78de10959109 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Jun 2018 09:33:06 +0300 Subject: [PATCH 0073/2384] Revert "Indicate that Ubuntu Bionic (18.04) is not supported yet" This reverts commit 8d774db3bcf6316ef269656a4e095615112d075e. Docker is released in the Docker CE stable repository now. Additionally, it's version 18.03, which doesn't suffer any of the problems we've observed with 18.05 (edge/nightly). --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ec9bb636..dd0a40bd 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM ## Prerequisites -- **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (anything 16.04+, except 18.04 for now) server. This playbook can take over your whole server or co-exist with other services that you have there. +- **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (16.04+) server. This playbook can take over your whole server or co-exist with other services that you have there. - the [Ansible](http://ansible.com/) program, which is used to run this playbook and configures everything for you From 776b374f41d1a54fc637d96a8e3d80cf9d21e1d3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Jun 2018 09:42:27 +0300 Subject: [PATCH 0074/2384] Indicate that some distributions require a manual python install --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index dd0a40bd..853cd09a 100644 --- a/README.md +++ b/README.md @@ -52,7 +52,9 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (16.04+) server. This playbook can take over your whole server or co-exist with other services that you have there. -- the [Ansible](http://ansible.com/) program, which is used to run this playbook and configures everything for you +- [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). + +- the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you - properly configured DNS SRV record for `` (details in [Configuring DNS](#configuring-dns) below) From 1725c3e698a02600a733e31969817b4b7320bcee Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Jun 2018 09:44:38 +0300 Subject: [PATCH 0075/2384] Upgrade riot-web (0.15.4 -> 0.15.5) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index b7c1b1fd..01285d4e 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -47,7 +47,7 @@ docker_postgres_image_latest: "{{ docker_postgres_image_v10 }}" docker_matrix_image: "matrixdotorg/synapse:v0.31.2" docker_nginx_image: "nginx:1.15.0-alpine" -docker_riot_image: "avhost/docker-matrix-riot:v0.15.4" +docker_riot_image: "avhost/docker-matrix-riot:v0.15.5" docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" docker_coturn_image: "instrumentisto/coturn:4.5.0.7" From 053328be086f40d59e4115eac9d3d945ebca6ebd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 26 Jun 2018 20:40:48 +0300 Subject: [PATCH 0076/2384] Fix nginx failing to start on certain low-cache CPUs --- roles/matrix-server/tasks/setup_nginx_proxy.yml | 3 ++- .../matrix-server/templates/nginx-conf.d/nginx-http.conf.j2 | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-server/templates/nginx-conf.d/nginx-http.conf.j2 diff --git a/roles/matrix-server/tasks/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup_nginx_proxy.yml index 57108064..3ce87493 100644 --- a/roles/matrix-server/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-server/tasks/setup_nginx_proxy.yml @@ -21,12 +21,13 @@ - "{{ matrix_nginx_proxy_data_path }}" - "{{ matrix_nginx_proxy_confd_path }}" -- name: Ensure Matrix Synapse proxy vhost configured +- name: Ensure Matrix nginx-proxy configured template: src: "{{ role_path }}/templates/nginx-conf.d/{{ item }}.j2" dest: "{{ matrix_nginx_proxy_confd_path }}/{{ item }}" mode: 0644 with_items: + - "nginx-http.conf" - "matrix-synapse.conf" - "matrix-riot-web.conf" diff --git a/roles/matrix-server/templates/nginx-conf.d/nginx-http.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/nginx-http.conf.j2 new file mode 100644 index 00000000..ed171cfa --- /dev/null +++ b/roles/matrix-server/templates/nginx-conf.d/nginx-http.conf.j2 @@ -0,0 +1,5 @@ +# The default is aligned to the CPU's cache size, +# which can sometimes be too low to handle our 2 vhosts (Synapse and Riot). +# +# Thus, we ensure a larger bucket size value is used. +server_names_hash_bucket_size 64; \ No newline at end of file From add8169c3381fbbbb82ded175050ebc8a784046e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 26 Jun 2018 20:43:57 +0300 Subject: [PATCH 0077/2384] Remove deprecated "ssl" directive from nginx configuration --- .../matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 | 1 - .../matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 | 1 - 2 files changed, 2 deletions(-) diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index 30ce8a75..24c149fb 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -33,7 +33,6 @@ server { server_tokens off; root /dev/null; - ssl on; ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/fullchain; ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/privkey; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index cc2eb21a..aba7c319 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -33,7 +33,6 @@ server { server_tokens off; root /dev/null; - ssl on; ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_matrix }}/fullchain; ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_matrix }}/privkey; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; From 839b401b28b14b581fb4cec22ee4b67d9dfff305 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 26 Jun 2018 21:05:59 +0300 Subject: [PATCH 0078/2384] Set up Synapse configuration using a template (not line/regexp replacements) Until now, we were starting from a fresh configuration, as generated by Synapse and manipulating it with regex and line replacements, until we made it work. This is more fragile and less predictable, so we're moving to a static configuration file generated from a Jinja template. The upside is that configuration will be stable and predictable. The downside of this new approach is that any manual configuration changes after the playbook is done, will be thrown away on future playbook invocations. There are 2 ways to work around the need for manual configuration changes though: - making them part of this playbook and its default template configuration files (which benefits everyone) - going your own way for a given host and overriding the template files that gets used (that is, the `matrix_synapse_template_synapse_homeserver` or `matrix_synapse_template_synapse_log` variables) --- examples/host-vars.yml | 6 +- roles/matrix-server/defaults/main.yml | 28 +- roles/matrix-server/tasks/setup_synapse.yml | 104 +-- .../templates/synapse/homeserver.yaml.j2 | 697 ++++++++++++++++++ .../templates/synapse/synapse.log.config.j2 | 37 + 5 files changed, 783 insertions(+), 89 deletions(-) create mode 100644 roles/matrix-server/templates/synapse/homeserver.yaml.j2 create mode 100644 roles/matrix-server/templates/synapse/synapse.log.config.j2 diff --git a/examples/host-vars.yml b/examples/host-vars.yml index da7ce947..8d60daf5 100644 --- a/examples/host-vars.yml +++ b/examples/host-vars.yml @@ -20,4 +20,8 @@ host_specific_hostname_identity: YOUR_BARE_DOMAIN_NAME_HERE # A shared secret (between Synapse and Coturn) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_coturn_turn_static_auth_secret: "" \ No newline at end of file +matrix_coturn_turn_static_auth_secret: "" + +# A secret used to protect access keys issued by the server. +# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). +matrix_synapse_macaroon_secret_key: "" \ No newline at end of file diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 01285d4e..d3051b26 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -27,11 +27,29 @@ matrix_base_data_path: "/matrix" matrix_ssl_certs_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_support_email: "{{ host_specific_matrix_ssl_support_email }}" matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables" + matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run" matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" + +# Specifies which template files to use when configuring Synapse. +# If you'd like to have your own different configuration, feel free to copy and paste +# the original files into your inventory (e.g. in `inventory/host_vars//`) +# and then change the specific host's `vars.yaml` file like this: +# matrix_synapse_template_synapse_homeserver: "{{ playbook_dir }}/inventory/host_vars//homeserver.yaml.j2" +matrix_synapse_template_synapse_homeserver: "{{ role_path }}/templates/synapse/homeserver.yaml.j2" +matrix_synapse_template_synapse_log: "{{ role_path }}/templates/synapse/synapse.log.config.j2" + +matrix_synapse_macaroon_secret_key: "" +matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}" +matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" + +matrix_max_upload_size_mb: 10 +matrix_max_log_file_size_mb: 100 +matrix_max_log_files_count: 10 + matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" @@ -53,11 +71,6 @@ docker_goofys_image: "cloudproto/goofys:latest" docker_coturn_image: "instrumentisto/coturn:4.5.0.7" -# To avoid Synapse's macaroon secret key from changing every time -# a new config is built from scratch, you can specify one here. -matrix_synapse_macaroon_secret_key: null - - # A shared secret (between Synapse and Coturn) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_coturn_turn_static_auth_secret: "" @@ -68,11 +81,6 @@ matrix_coturn_turn_udp_max_port: 49172 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" - -matrix_max_upload_size_mb: 10 -matrix_max_log_file_size_mb: 100 -matrix_max_log_files_count: 10 - matrix_s3_media_store_enabled: false matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "your-aws-access-key" diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 70db567b..2716c179 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -1,5 +1,10 @@ --- +- name: Fail if Macaroon key is missing + fail: + msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable" + when: "matrix_synapse_macaroon_secret_key == ''" + - name: Ensure Matrix Synapse paths exists file: path: "{{ item }}" @@ -41,6 +46,8 @@ path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" register: matrix_synapse_config_stat +# We do this mostly so that the keys would get generated. +# We'll replace the rest of the configuration with our own templates below. - name: Generate initial Matrix config docker_container: name: matrix-config @@ -57,86 +64,17 @@ - "{{ matrix_synapse_config_dir_path }}:/data" when: "not matrix_synapse_config_stat.stat.exists" -- name: Augment Matrix log config - lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" - args: - regexp: "{{ item.regexp }}" - line: '{{ item.line }}' - backrefs: '{{ item.backrefs }}' - with_items: - - {"regexp": '^(\s+)filename:', "line": '\1filename: /matrix-run/homeserver.log', backrefs: yes} - - {"regexp": '^(\s+)maxBytes:', "line": '\1maxBytes: {{ matrix_max_log_file_size_mb * 1024 * 1024 }}', backrefs: yes} - - {"regexp": '^(\s+)backupCount:', "line": '\1backupCount: {{ matrix_max_log_files_count }}', backrefs: yes} - -- name: Augment Matrix config - lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" - args: - regexp: "{{ item.regexp }}" - line: '{{ item.line }}' - with_items: - - {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'} - - {"regexp": "^uploads_path:", "line": 'uploads_path: "/matrix-run/uploads"'} - - {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'} - - {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'} - - {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'} - - {"regexp": "^max_upload_size:", "line": 'max_upload_size: "{{ matrix_max_upload_size_mb }}M"'} - - {"regexp": "^media_store_path:", "line": 'media_store_path: "/matrix-storage/media-store"'} - -- name: Augment Matrix config (configure Macaroon secret) - lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" - args: - regexp: "{{ item.regexp }}" - line: '{{ item.line }}' - with_items: - - {"regexp": "^macaroon_secret_key:", "line": 'macaroon_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"'} - when: "matrix_synapse_macaroon_secret_key is not none" - -- name: Augment Matrix config (specify URL previews blacklist) - lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" - args: - regexp: "^url_preview_ip_range_blacklist:" - line: 'url_preview_ip_range_blacklist: ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16"]' - insertafter: '^# url_preview_ip_range_blacklist:$' - -# We only wish to do this for the 8008 port and not for the 8448 port -# (2nd instance of `x_forwarded` found in the config) -- name: Augment Matrix config (mark 8008 plain traffic as forwarded) - replace: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" - args: - regexp: "8008((?:.|\n)*)x_forwarded(.*)" - replace: '8008\g<1>x_forwarded: true' - -- name: Augment Matrix config (change database from SQLite to Postgres) - lineinfile: - dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" - regexp: '(.*)name: "sqlite3"' - line: '\1name: "psycopg2"' - backrefs: yes - -- name: Augment Matrix config (set the Postgres connection parameters) - replace: +- name: Ensure Matrix homeserver config installed + template: + src: "{{ matrix_synapse_template_synapse_homeserver }}" dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" - regexp: '(.*)name: "psycopg2"((?:.|\n)*?)\n\n' - replace: '\1name: "psycopg2"\n\1args:\n\1\1user: "{{ matrix_postgres_connection_username }}"\n\1\1password: "{{ matrix_postgres_connection_password }}"\n\1\1database: "{{ matrix_postgres_db_name }}"\n\1\1host: "{{ matrix_postgres_connection_hostname }}"\n\1\1cp_min: 5\n\1\1cp_max: 10\n\n' - -- name: Augment Matrix config (configure TURN) - lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml" - args: - regexp: "{{ item.regexp }}" - line: '{{ item.line }}' - with_items: - - {"regexp": "^turn_uris:", "line": 'turn_uris: ["turn:{{ hostname_matrix }}:3478?transport=udp", "turn:{{ hostname_matrix }}:3478?transport=tcp"]'} - - {"regexp": "^turn_shared_secret:", "line": 'turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret }}"'} + mode: 0644 -- name: Allow access to Matrix ports in firewalld - firewalld: - port: "{{ item }}" - state: enabled - immediate: yes - permanent: yes - with_items: - - '8448/tcp' # Matrix federation - when: ansible_os_family == 'RedHat' +- name: Ensure Matrix log config installed + template: + src: "{{ matrix_synapse_template_synapse_log }}" + dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" + mode: 0644 - name: Ensure matrix-synapse.service installed template: @@ -149,3 +87,13 @@ src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2" dest: "/usr/local/bin/matrix-synapse-register-user" mode: 0750 + +- name: Allow access to Matrix ports in firewalld + firewalld: + port: "{{ item }}" + state: enabled + immediate: yes + permanent: yes + with_items: + - '8448/tcp' # Matrix federation + when: ansible_os_family == 'RedHat' diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 new file mode 100644 index 00000000..9b339516 --- /dev/null +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -0,0 +1,697 @@ +# vim:ft=yaml +# PEM encoded X509 certificate for TLS. +# You can replace the self-signed certificate that synapse +# autogenerates on launch with your own SSL certificate + key pair +# if you like. Any required intermediary certificates can be +# appended after the primary certificate in hierarchical order. +tls_certificate_path: "/data/{{ hostname_matrix }}.tls.crt" + +# PEM encoded private key for TLS +tls_private_key_path: "/data/{{ hostname_matrix }}.tls.key" + +# PEM dh parameters for ephemeral keys +tls_dh_params_path: "/data/{{ hostname_matrix }}.tls.dh" + +# Don't bind to the https port +no_tls: False + +# List of allowed TLS fingerprints for this server to publish along +# with the signing keys for this server. Other matrix servers that +# make HTTPS requests to this server will check that the TLS +# certificates returned by this server match one of the fingerprints. +# +# Synapse automatically adds the fingerprint of its own certificate +# to the list. So if federation traffic is handled directly by synapse +# then no modification to the list is required. +# +# If synapse is run behind a load balancer that handles the TLS then it +# will be necessary to add the fingerprints of the certificates used by +# the loadbalancers to this list if they are different to the one +# synapse is using. +# +# Homeservers are permitted to cache the list of TLS fingerprints +# returned in the key responses up to the "valid_until_ts" returned in +# key. It may be necessary to publish the fingerprints of a new +# certificate and wait until the "valid_until_ts" of the previous key +# responses have passed before deploying it. +# +# You can calculate a fingerprint from a given TLS listener via: +# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | +# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' +# or by checking matrix.org/federationtester/api/report?server_name=$host +# +tls_fingerprints: [] +# tls_fingerprints: [{"sha256": ""}] + + +## Server ## + +# The domain name of the server, with optional explicit port. +# This is used by remote servers to connect to this server, +# e.g. matrix.org, localhost:8080, etc. +# This is also the last part of your UserID. +server_name: "{{ hostname_identity }}" + +# When running as a daemon, the file to store the pid in +pid_file: /homeserver.pid + +# CPU affinity mask. Setting this restricts the CPUs on which the +# process will be scheduled. It is represented as a bitmask, with the +# lowest order bit corresponding to the first logical CPU and the +# highest order bit corresponding to the last logical CPU. Not all CPUs +# may exist on a given system but a mask may specify more CPUs than are +# present. +# +# For example: +# 0x00000001 is processor #0, +# 0x00000003 is processors #0 and #1, +# 0xFFFFFFFF is all processors (#0 through #31). +# +# Pinning a Python process to a single CPU is desirable, because Python +# is inherently single-threaded due to the GIL, and can suffer a +# 30-40% slowdown due to cache blow-out and thread context switching +# if the scheduler happens to schedule the underlying threads across +# different cores. See +# https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/. +# +# cpu_affinity: 0xFFFFFFFF + +# Whether to serve a web client from the HTTP/HTTPS root resource. +web_client: False + +# The root directory to server for the above web client. +# If left undefined, synapse will serve the matrix-angular-sdk web client. +# Make sure matrix-angular-sdk is installed with pip if web_client is True +# and web_client_location is undefined +# web_client_location: "/path/to/web/root" + +# The public-facing base URL for the client API (not including _matrix/...) +# public_baseurl: https://example.com:8448/ + +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +soft_file_limit: 0 + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# gc_thresholds: [700, 10, 10] + +# Set the limit on the returned events in the timeline in the get +# and sync operations. The default value is -1, means no upper limit. +# filter_timeline_limit: 5000 + +# Whether room invites to users on this server should be blocked +# (except those sent by local server admins). The default is False. +# block_non_admin_invites: True + +# Restrict federation to the following whitelist of domains. +# N.B. we recommend also firewalling your federation listener to limit +# inbound federation traffic as early as possible, rather than relying +# purely on this application-layer restriction. If not specified, the +# default is to whitelist everything. +# +# federation_domain_whitelist: +# - lon.example.com +# - nyc.example.com +# - syd.example.com + +# List of ports that Synapse should listen on, their purpose and their +# configuration. +listeners: + # Main HTTPS listener + # For when matrix traffic is sent directly to synapse. + - + # The port to listen for HTTPS requests on. + port: 8448 + + # Local addresses to listen on. + # On Linux and Mac OS, `::` will listen on all IPv4 and IPv6 + # addresses by default. For most other OSes, this will only listen + # on IPv6. + bind_addresses: + - '::' + - '0.0.0.0' + + # This is a 'http' listener, allows us to specify 'resources'. + type: http + + tls: true + + # Use the X-Forwarded-For (XFF) header as the client IP and not the + # actual client IP. + x_forwarded: false + + # List of HTTP resources to serve on this listener. + resources: + - + # List of resources to host on this listener. + names: + - client # The client-server APIs, both v1 and v2 + - webclient # The bundled webclient. + + # Should synapse compress HTTP responses to clients that support it? + # This should be disabled if running synapse behind a load balancer + # that can do automatic compression. + compress: true + + - names: [federation] # Federation APIs + compress: false + + # optional list of additional endpoints which can be loaded via + # dynamic modules + # additional_resources: + # "/_matrix/my/custom/endpoint": + # module: my_module.CustomRequestHandler + # config: {} + + # Unsecure HTTP listener, + # For when matrix traffic passes through loadbalancer that unwraps TLS. + - port: 8008 + tls: false + bind_addresses: ['::', '0.0.0.0'] + type: http + + x_forwarded: true + + resources: + - names: [client, webclient] + compress: true + - names: [federation] + compress: false + + # Turn on the twisted ssh manhole service on localhost on the given + # port. + # - port: 9000 + # bind_addresses: ['::1', '127.0.0.1'] + # type: manhole + + +# Database configuration +database: + # The database engine name + name: "psycopg2" + args: + user: "{{ matrix_postgres_connection_username }}" + password: "{{ matrix_postgres_connection_password }}" + database: "{{ matrix_postgres_db_name }}" + host: "{{ matrix_postgres_connection_hostname }}" + cp_min: 5 + cp_max: 10 + +# Number of events to cache in memory. +event_cache_size: "10K" + + + +# A yaml python logging config file +log_config: "/data/{{ hostname_matrix }}.log.config" + + +## Ratelimiting ## + +# Number of messages a client can send per second +rc_messages_per_second: 0.2 + +# Number of message a client can send before being throttled +rc_message_burst_count: 10.0 + +# The federation window size in milliseconds +federation_rc_window_size: 1000 + +# The number of federation requests from a single server in a window +# before the server will delay processing the request. +federation_rc_sleep_limit: 10 + +# The duration in milliseconds to delay processing events from +# remote servers by if they go over the sleep limit. +federation_rc_sleep_delay: 500 + +# The maximum number of concurrent federation requests allowed +# from a single server +federation_rc_reject_limit: 50 + +# The number of federation requests to concurrently process from a +# single server +federation_rc_concurrent: 3 + + + +# Directory where uploaded images and attachments are stored. +media_store_path: "/matrix-storage/media-store" + +# Media storage providers allow media to be stored in different +# locations. +# media_storage_providers: +# - module: file_system +# # Whether to write new local files. +# store_local: false +# # Whether to write new remote media +# store_remote: false +# # Whether to block upload requests waiting for write to this +# # provider to complete +# store_synchronous: false +# config: +# directory: /mnt/some/other/directory + +# Directory where in-progress uploads are stored. +uploads_path: "/matrix-run/uploads" + +# The largest allowed upload size in bytes +max_upload_size: "{{ matrix_max_upload_size_mb }}M" + +# Maximum number of pixels that will be thumbnailed +max_image_pixels: "32M" + +# Whether to generate new thumbnails on the fly to precisely match +# the resolution requested by the client. If true then whenever +# a new resolution is requested by the client the server will +# generate a new thumbnail. If false the server will pick a thumbnail +# from a precalculated list. +dynamic_thumbnails: false + +# List of thumbnail to precalculate when an image is uploaded. +thumbnail_sizes: +- width: 32 + height: 32 + method: crop +- width: 96 + height: 96 + method: crop +- width: 320 + height: 240 + method: scale +- width: 640 + height: 480 + method: scale +- width: 800 + height: 600 + method: scale + +# Is the preview URL API enabled? If enabled, you *must* specify +# an explicit url_preview_ip_range_blacklist of IPs that the spider is +# denied from accessing. +url_preview_enabled: True + +# List of IP address CIDR ranges that the URL preview spider is denied +# from accessing. There are no defaults: you must explicitly +# specify a list for URL previewing to work. You should specify any +# internal services in your network that you do not want synapse to try +# to connect to, otherwise anyone in any Matrix room could cause your +# synapse to issue arbitrary GET requests to your internal services, +# causing serious security issues. +# +url_preview_ip_range_blacklist: +- '127.0.0.0/8' +- '10.0.0.0/8' +- '172.16.0.0/12' +- '192.168.0.0/16' +- '100.64.0.0/10' +- '169.254.0.0/16' +- '::1/128' +- 'fe80::/64' +- 'fc00::/7' +# +# List of IP address CIDR ranges that the URL preview spider is allowed +# to access even if they are specified in url_preview_ip_range_blacklist. +# This is useful for specifying exceptions to wide-ranging blacklisted +# target IP ranges - e.g. for enabling URL previews for a specific private +# website only visible in your network. +# +# url_preview_ip_range_whitelist: +# - '192.168.1.1' + +# Optional list of URL matches that the URL preview spider is +# denied from accessing. You should use url_preview_ip_range_blacklist +# in preference to this, otherwise someone could define a public DNS +# entry that points to a private IP address and circumvent the blacklist. +# This is more useful if you know there is an entire shape of URL that +# you know that will never want synapse to try to spider. +# +# Each list entry is a dictionary of url component attributes as returned +# by urlparse.urlsplit as applied to the absolute form of the URL. See +# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit +# The values of the dictionary are treated as an filename match pattern +# applied to that component of URLs, unless they start with a ^ in which +# case they are treated as a regular expression match. If all the +# specified component matches for a given list item succeed, the URL is +# blacklisted. +# +# url_preview_url_blacklist: +# # blacklist any URL with a username in its URI +# - username: '*' +# +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' +# +# # blacklist all plain HTTP URLs +# - scheme: 'http' +# +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' +# +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +# The largest allowed URL preview spidering size in bytes +max_spider_size: "10M" + + + + +## Captcha ## +# See docs/CAPTCHA_SETUP for full details of configuring this. + +# This Home Server's ReCAPTCHA public key. +recaptcha_public_key: "YOUR_PUBLIC_KEY" + +# This Home Server's ReCAPTCHA private key. +recaptcha_private_key: "YOUR_PRIVATE_KEY" + +# Enables ReCaptcha checks when registering, preventing signup +# unless a captcha is answered. Requires a valid ReCaptcha +# public/private key. +enable_registration_captcha: False + +# A secret key used to bypass the captcha test entirely. +#captcha_bypass_secret: "YOUR_SECRET_HERE" + +# The API endpoint to use for verifying m.login.recaptcha responses. +recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" + + +## Turn ## + +# The public URIs of the TURN server to give to clients +turn_uris: ["turn:{{ hostname_matrix }}:3478?transport=udp", "turn:{{ hostname_matrix }}:3478?transport=tcp"] + +# The shared secret used to compute passwords for the TURN server +turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret }}" + +# The Username and password if the TURN server needs them and +# does not use a token +#turn_username: "TURNSERVER_USERNAME" +#turn_password: "TURNSERVER_PASSWORD" + +# How long generated TURN credentials last +turn_user_lifetime: "1h" + +# Whether guests should be allowed to use the TURN server. +# This defaults to True, otherwise VoIP will be unreliable for guests. +# However, it does introduce a slight security risk as it allows users to +# connect to arbitrary endpoints without having first signed up for a +# valid account (e.g. by passing a CAPTCHA). +turn_allow_guests: False + + +## Registration ## + +# Enable registration for new users. +enable_registration: False + +# The user must provide all of the below types of 3PID when registering. +# +# registrations_require_3pid: +# - email +# - msisdn + +# Mandate that users are only allowed to associate certain formats of +# 3PIDs with accounts on this server. +# +# allowed_local_3pids: +# - medium: email +# pattern: ".*@matrix\.org" +# - medium: email +# pattern: ".*@vector\.im" +# - medium: msisdn +# pattern: "\+44" + +# If set, allows registration by anyone who also has the shared +# secret, even if registration is otherwise disabled. +registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}" + +# Set the number of bcrypt rounds used to generate password hash. +# Larger numbers increase the work factor needed to generate the hash. +# The default number is 12 (which equates to 2^12 rounds). +# N.B. that increasing this will exponentially increase the time required +# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. +bcrypt_rounds: 12 + +# Allows users to register as guests without a password/email/etc, and +# participate in rooms hosted on this server which have been made +# accessible to anonymous users. +allow_guest_access: False + +# The list of identity servers trusted to verify third party +# identifiers by this server. +trusted_third_party_id_servers: + - matrix.org + - vector.im + - riot.im + +# Users who register on this homeserver will automatically be joined +# to these rooms +#auto_join_rooms: +# - "#example:example.com" + + +## Metrics ### + +# Enable collection and rendering of performance metrics +enable_metrics: False +report_stats: False + + +## API Configuration ## + +# A list of event types that will be included in the room_invite_state +room_invite_state_types: + - "m.room.join_rules" + - "m.room.canonical_alias" + - "m.room.avatar" + - "m.room.name" + + +# A list of application service config file to use +app_service_config_files: [] + + +macaroon_secret_key: "{{ matrix_synapse_macaroon_secret_key }}" + +# Used to enable access token expiration. +expire_access_token: False + +# a secret which is used to calculate HMACs for form values, to stop +# falsification of values +form_secret: "{{ matrix_synapse_form_secret }}" + +## Signing Keys ## + +# Path to the signing key to sign messages with +signing_key_path: "/data/{{ hostname_matrix }}.signing.key" + +# The keys that the server used to sign messages with but won't use +# to sign new messages. E.g. it has lost its private key +old_signing_keys: {} +# "ed25519:auto": +# # Base64 encoded public key +# key: "The public part of your old signing key." +# # Millisecond POSIX timestamp when the key expired. +# expired_ts: 123456789123 + +# How long key response published by this server is valid for. +# Used to set the valid_until_ts in /key/v2 APIs. +# Determines how quickly servers will query to check which keys +# are still valid. +key_refresh_interval: "1d" # 1 Day. + +# The trusted servers to download signing keys from. +perspectives: + servers: + "matrix.org": + verify_keys: + "ed25519:auto": + key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" + + + +# Enable SAML2 for registration and login. Uses pysaml2 +# config_path: Path to the sp_conf.py configuration file +# idp_redirect_url: Identity provider URL which will redirect +# the user back to /login/saml2 with proper info. +# See pysaml2 docs for format of config. +#saml2_config: +# enabled: true +# config_path: "/data/sp_conf.py" +# idp_redirect_url: "http://{{ hostname_matrix }}/idp" + + + +# Enable CAS for registration and login. +#cas_config: +# enabled: true +# server_url: "https://cas-server.com" +# service_url: "https://homeserver.domain.com:8448" +# #required_attributes: +# # name: value + + +# The JWT needs to contain a globally unique "sub" (subject) claim. +# +# jwt_config: +# enabled: true +# secret: "a secret" +# algorithm: "HS256" + + + +# Enable password for login. +password_config: + enabled: true + # Uncomment and change to a secret random string for extra security. + # DO NOT CHANGE THIS AFTER INITIAL SETUP! + #pepper: "" + + + +# Enable sending emails for notification events +# Defining a custom URL for Riot is only needed if email notifications +# should contain links to a self-hosted installation of Riot; when set +# the "app_name" setting is ignored. +# +# If your SMTP server requires authentication, the optional smtp_user & +# smtp_pass variables should be used +# +#email: +# enable_notifs: false +# smtp_host: "localhost" +# smtp_port: 25 +# smtp_user: "exampleusername" +# smtp_pass: "examplepassword" +# require_transport_security: False +# notif_from: "Your Friendly %(app)s Home Server " +# app_name: Matrix +# template_dir: res/templates +# notif_template_html: notif_mail.html +# notif_template_text: notif_mail.txt +# notif_for_new_users: True +# riot_base_url: "http://localhost/riot" + + +# password_providers: +# - module: "ldap_auth_provider.LdapAuthProvider" +# config: +# enabled: true +# uri: "ldap://ldap.example.com:389" +# start_tls: true +# base: "ou=users,dc=example,dc=com" +# attributes: +# uid: "cn" +# mail: "email" +# name: "givenName" +# #bind_dn: +# #bind_password: +# #filter: "(objectClass=posixAccount)" + + + +# Clients requesting push notifications can either have the body of +# the message sent in the notification poke along with other details +# like the sender, or just the event ID and room ID (`event_id_only`). +# If clients choose the former, this option controls whether the +# notification request includes the content of the event (other details +# like the sender are still included). For `event_id_only` push, it +# has no effect. + +# For modern android devices the notification content will still appear +# because it is loaded by the app. iPhone, however will send a +# notification saying only that a message arrived and who it came from. +# +#push: +# include_content: true + + +# spam_checker: +# module: "my_custom_project.SuperSpamChecker" +# config: +# example_option: 'things' + + +# Whether to allow non server admins to create groups on this server +enable_group_creation: false + +# If enabled, non server admins can only create groups with local parts +# starting with this prefix +# group_creation_prefix: "unofficial/" + + + +# User Directory configuration +# +# 'search_all_users' defines whether to search all users visible to your HS +# when searching the user directory, rather than limiting to users visible +# in public rooms. Defaults to false. If you set it True, you'll have to run +# UPDATE user_directory_stream_pos SET stream_id = NULL; +# on your database to tell it to rebuild the user_directory search indexes. +# +#user_directory: +# search_all_users: false + + +# User Consent configuration +# +# Parts of this section are required if enabling the 'consent' resource under +# 'listeners', in particular 'template_dir' and 'version'. +# +# 'template_dir' gives the location of the templates for the HTML forms. +# This directory should contain one subdirectory per language (eg, 'en', 'fr'), +# and each language directory should contain the policy document (named as +# '.html') and a success page (success.html). +# +# 'version' specifies the 'current' version of the policy document. It defines +# the version to be served by the consent resource if there is no 'v' +# parameter. +# +# 'server_notice_content', if enabled, will send a user a "Server Notice" +# asking them to consent to the privacy policy. The 'server_notices' section +# must also be configured for this to work. Notices will *not* be sent to +# guest users unless 'send_server_notice_to_guests' is set to true. +# +# 'block_events_error', if set, will block any attempts to send events +# until the user consents to the privacy policy. The value of the setting is +# used as the text of the error. +# +# user_consent: +# template_dir: res/templates/privacy +# version: 1.0 +# server_notice_content: +# msgtype: m.text +# body: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# send_server_notice_to_guests: True +# block_events_error: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# + + +# Server Notices room configuration +# +# Uncomment this section to enable a room which can be used to send notices +# from the server to users. It is a special room which cannot be left; notices +# come from a special "notices" user id. +# +# If you uncomment this section, you *must* define the system_mxid_localpart +# setting, which defines the id of the user which will be used to send the +# notices. +# +# It's also possible to override the room name, the display name of the +# "notices" user, and the avatar for the user. +# +# server_notices: +# system_mxid_localpart: notices +# system_mxid_display_name: "Server Notices" +# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" +# room_name: "Server Notices" diff --git a/roles/matrix-server/templates/synapse/synapse.log.config.j2 b/roles/matrix-server/templates/synapse/synapse.log.config.j2 new file mode 100644 index 00000000..f424d4be --- /dev/null +++ b/roles/matrix-server/templates/synapse/synapse.log.config.j2 @@ -0,0 +1,37 @@ + +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /matrix-run/homeserver.log + maxBytes: {{ matrix_max_log_file_size_mb * 1024 * 1024 }} + backupCount: {{ matrix_max_log_files_count }} + filters: [context] + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + +loggers: + synapse: + level: INFO + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: INFO + +root: + level: INFO + handlers: [file, console] From e4d0a68460832d1715b9d3307478fdca58e1ce64 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 30 Jun 2018 18:51:25 +0300 Subject: [PATCH 0079/2384] Update riot-web (0.15.5 -> 0.15.6) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index d3051b26..7de254af 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -65,7 +65,7 @@ docker_postgres_image_latest: "{{ docker_postgres_image_v10 }}" docker_matrix_image: "matrixdotorg/synapse:v0.31.2" docker_nginx_image: "nginx:1.15.0-alpine" -docker_riot_image: "avhost/docker-matrix-riot:v0.15.5" +docker_riot_image: "avhost/docker-matrix-riot:v0.15.6" docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" docker_coturn_image: "instrumentisto/coturn:4.5.0.7" From ae7e8e61c653e304441318c01301edbf80b9fe4b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 20 Jul 2018 08:28:02 -0400 Subject: [PATCH 0080/2384] Update dependencies --- roles/matrix-server/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 7de254af..17776b9e 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -63,9 +63,9 @@ docker_postgres_image_v9: "postgres:9.6.9-alpine" docker_postgres_image_v10: "postgres:10.4-alpine" docker_postgres_image_latest: "{{ docker_postgres_image_v10 }}" -docker_matrix_image: "matrixdotorg/synapse:v0.31.2" -docker_nginx_image: "nginx:1.15.0-alpine" -docker_riot_image: "avhost/docker-matrix-riot:v0.15.6" +docker_matrix_image: "matrixdotorg/synapse:v0.33.0" +docker_nginx_image: "nginx:1.15.1-alpine" +docker_riot_image: "avhost/docker-matrix-riot:v0.15.7" docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" docker_coturn_image: "instrumentisto/coturn:4.5.0.7" From 6cb14be162d9664f8fba147c12279c49ef9912ad Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 30 Jul 2018 16:18:17 +0300 Subject: [PATCH 0081/2384] Upgrade dependencies --- roles/matrix-server/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 17776b9e..bee9a43e 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -64,8 +64,8 @@ docker_postgres_image_v10: "postgres:10.4-alpine" docker_postgres_image_latest: "{{ docker_postgres_image_v10 }}" docker_matrix_image: "matrixdotorg/synapse:v0.33.0" -docker_nginx_image: "nginx:1.15.1-alpine" -docker_riot_image: "avhost/docker-matrix-riot:v0.15.7" +docker_nginx_image: "nginx:1.15.2-alpine" +docker_riot_image: "avhost/docker-matrix-riot:v0.16.0" docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" docker_coturn_image: "instrumentisto/coturn:4.5.0.7" From f6950612a513d514ff189f41c9f3ec1b27ff5231 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 2 Aug 2018 21:26:25 +0300 Subject: [PATCH 0082/2384] Upgrade dependencies --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index bee9a43e..d3a3a685 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -63,7 +63,7 @@ docker_postgres_image_v9: "postgres:9.6.9-alpine" docker_postgres_image_v10: "postgres:10.4-alpine" docker_postgres_image_latest: "{{ docker_postgres_image_v10 }}" -docker_matrix_image: "matrixdotorg/synapse:v0.33.0" +docker_matrix_image: "matrixdotorg/synapse:v0.33.1" docker_nginx_image: "nginx:1.15.2-alpine" docker_riot_image: "avhost/docker-matrix-riot:v0.16.0" docker_s3fs_image: "xueshanf/s3fs:latest" From cdf4eefdf9b81fc59f936206fd6fb6056de43ff5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 7 Aug 2018 15:08:46 +0300 Subject: [PATCH 0083/2384] Fix typos --- roles/matrix-server/tasks/setup_nginx_proxy.yml | 2 +- roles/matrix-server/tasks/setup_riot_web.yml | 2 +- roles/matrix-server/tasks/setup_synapse.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/tasks/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup_nginx_proxy.yml index 3ce87493..c8365c2b 100644 --- a/roles/matrix-server/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-server/tasks/setup_nginx_proxy.yml @@ -10,7 +10,7 @@ # It doesn't hurt to put them in place, even if they turn out # to be unnecessary. # -- name: Ensure Matrix nginx-proxy paths exists +- name: Ensure Matrix nginx-proxy paths exist file: path: "{{ item }}" state: directory diff --git a/roles/matrix-server/tasks/setup_riot_web.yml b/roles/matrix-server/tasks/setup_riot_web.yml index fd4023ab..d965217c 100644 --- a/roles/matrix-server/tasks/setup_riot_web.yml +++ b/roles/matrix-server/tasks/setup_riot_web.yml @@ -4,7 +4,7 @@ # Tasks related to setting up riot-web # -- name: Ensure Matrix riot-web paths exists +- name: Ensure Matrix riot-web path exists file: path: "{{ matrix_nginx_riot_web_data_path }}" state: directory diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index 2716c179..d8aabf06 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -5,7 +5,7 @@ msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable" when: "matrix_synapse_macaroon_secret_key == ''" -- name: Ensure Matrix Synapse paths exists +- name: Ensure Matrix Synapse paths exist file: path: "{{ item }}" state: directory From b88fe971d64009ff533568e433e856d3285280b3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 7 Aug 2018 15:39:57 +0300 Subject: [PATCH 0084/2384] Fix matrix-nginx-proxy.service dependency on riot-web, if riot-web disabled --- .../templates/systemd/matrix-nginx-proxy.service.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index 384a834c..579a1881 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -4,8 +4,10 @@ After=docker.service Requires=docker.service Requires=matrix-synapse.service After=matrix-synapse.service +{% if matrix_riot_web_enabled %} Requires=matrix-riot-web.service After=matrix-riot-web.service +{% endif %} [Service] Type=simple @@ -15,7 +17,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ -p 80:80 \ -p 443:443 \ --link matrix-synapse:synapse \ + {% if matrix_riot_web_enabled %} --link matrix-riot-web:riot \ + {% endif %} -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ -v {{ matrix_ssl_certs_path }}:{{ matrix_ssl_certs_path }}:ro \ {{ docker_nginx_image }} From 3fd6fd647f85ca5cb07550b3d1361b00ea321f32 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Aug 2018 08:23:36 +0300 Subject: [PATCH 0085/2384] Put all containers in their own isolated Docker network (matrix) Moving away from using the default bridge network to using our own. This isolates our services from other Docker containers running on the default network on the same host. The benefits are that: - isolation is a little better - we no longer share a default bridge network with any other containers that might be running on the host - there are no longer hard dependencies - we do service discovery by DNS name, and not via explicit `--link` usage during container start, so containers can start out of order and fail without bringing down others with them (`matrix-nginx-proxy` can continue running, even if one of the other services dies) In the future, when other services get introduced, the increased resilience and simplicity will help as well. --- CHANGELOG.md | 6 ++++++ roles/matrix-server/defaults/main.yml | 4 +++- roles/matrix-server/tasks/setup_main.yml | 7 ++++++- .../templates/nginx-conf.d/matrix-riot-web.conf.j2 | 11 ++++++++++- .../templates/nginx-conf.d/matrix-synapse.conf.j2 | 11 ++++++++++- .../templates/systemd/matrix-nginx-proxy.service.j2 | 11 +++-------- .../templates/systemd/matrix-postgres.service.j2 | 1 + .../templates/systemd/matrix-riot-web.service.j2 | 1 + .../templates/systemd/matrix-synapse.service.j2 | 4 +--- .../templates/usr-local-bin/matrix-postgres-cli.j2 | 4 +--- 10 files changed, 42 insertions(+), 18 deletions(-) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..9820a620 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,6 @@ +# 2018-08-08 + + +## Docker container linking + +Changed the way the Docker containers are linked together. The ones that need to communicate with others operate in a `matrix` network now and not in the default bridge network. \ No newline at end of file diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index d3a3a685..170b1390 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -18,7 +18,7 @@ matrix_user_gid: 991 # The defaults below cause a postgres server to be configured (running within a container). # Using an external server is possible by tweaking all of the parameters below. matrix_postgres_use_external: false -matrix_postgres_connection_hostname: "postgres" +matrix_postgres_connection_hostname: "matrix-postgres" matrix_postgres_connection_username: "synapse" matrix_postgres_connection_password: "synapse-password" matrix_postgres_db_name: "homeserver" @@ -70,6 +70,8 @@ docker_s3fs_image: "xueshanf/s3fs:latest" docker_goofys_image: "cloudproto/goofys:latest" docker_coturn_image: "instrumentisto/coturn:4.5.0.7" +# The Docker network that all services would be put into +matrix_docker_network: "matrix" # A shared secret (between Synapse and Coturn) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). diff --git a/roles/matrix-server/tasks/setup_main.yml b/roles/matrix-server/tasks/setup_main.yml index e16e20db..71a6b96c 100644 --- a/roles/matrix-server/tasks/setup_main.yml +++ b/roles/matrix-server/tasks/setup_main.yml @@ -28,4 +28,9 @@ group: "{{ matrix_user_username }}" with_items: - "{{ matrix_base_data_path }}" - - "{{ matrix_synapse_base_path }}" \ No newline at end of file + - "{{ matrix_synapse_base_path }}" + +- name: Ensure Matrix network is created in Docker + docker_network: + name: "{{ matrix_docker_network }}" + driver: bridge diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index 24c149fb..c24daeda 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -40,7 +40,16 @@ server { ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; location / { - proxy_pass http://{{ 'riot' if matrix_nginx_proxy_enabled else 'localhost' }}:8765; + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-riot-web:8765"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for people to use outside of our container setup #} + proxy_pass http://localhost:8765; + {% endif %} + proxy_set_header X-Forwarded-For $remote_addr; } } diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index aba7c319..56c78657 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -40,7 +40,16 @@ server { ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; location /_matrix { - proxy_pass http://{{ 'synapse' if matrix_nginx_proxy_enabled else 'localhost' }}:8008; + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse:8008"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for people to use outside of our container setup #} + proxy_pass http://localhost:8008; + {% endif %} + proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index 579a1881..c37b209f 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -2,11 +2,9 @@ Description=Matrix nginx proxy server After=docker.service Requires=docker.service -Requires=matrix-synapse.service -After=matrix-synapse.service +Wants=matrix-synapse.service {% if matrix_riot_web_enabled %} -Requires=matrix-riot-web.service -After=matrix-riot-web.service +Wants=matrix-riot-web.service {% endif %} [Service] @@ -14,12 +12,9 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ + --network {{ matrix_docker_network }} \ -p 80:80 \ -p 443:443 \ - --link matrix-synapse:synapse \ - {% if matrix_riot_web_enabled %} - --link matrix-riot-web:riot \ - {% endif %} -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ -v {{ matrix_ssl_certs_path }}:{{ matrix_ssl_certs_path }}:ro \ {{ docker_nginx_image }} diff --git a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 index f0bc4bd4..60edf39b 100644 --- a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 @@ -11,6 +11,7 @@ ExecStartPre=-/usr/bin/mkdir {{ matrix_postgres_data_path }} ExecStartPre=-/usr/bin/chown {{ matrix_user_uid }}:{{ matrix_user_gid }} {{ matrix_postgres_data_path }} ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --network {{ matrix_docker_network }} \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-server-docker \ -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \ -v /etc/passwd:/etc/passwd:ro \ diff --git a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 index 07582556..ee2035c6 100644 --- a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 @@ -11,6 +11,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ -v {{ matrix_nginx_riot_web_data_path }}/config.json:/riot-web/webapp/config.json:ro \ -v {{ matrix_nginx_riot_web_data_path }}/riot.im.conf:/data/riot.im.conf:ro \ + --network {{ matrix_docker_network }} \ {% if not matrix_nginx_proxy_enabled %} -p 127.0.0.1:8765:8765 \ {% endif %} diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 19f4341c..7eb70e36 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -23,9 +23,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-synapse ExecStartPre=/bin/sleep 5 {% endif %} ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ - {% if not matrix_postgres_use_external %} - --link matrix-postgres:{{ matrix_postgres_connection_hostname }} \ - {% endif %} + --network {{ matrix_docker_network }} \ -p 8448:8448 \ {% if not matrix_nginx_proxy_enabled %} -p 127.0.0.1:8008:8008 \ diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 index f2379276..d821c4bb 100644 --- a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 +++ b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -4,8 +4,6 @@ docker run \ -it \ --rm \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ - {% if not matrix_postgres_use_external %} - --link=matrix-postgres:{{ matrix_postgres_connection_hostname }} \ - {% endif %} + --network {{ matrix_docker_network }} \ {{ docker_postgres_image_to_use }} \ psql -h {{ matrix_postgres_connection_hostname }} \ No newline at end of file From 336785d1edc479c2feb27e46169b0a744812074b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Aug 2018 09:03:37 +0300 Subject: [PATCH 0086/2384] Rename Ansible playbook tag (setup-main -> setup-all) --- CHANGELOG.md | 6 ++++++ README.md | 2 +- roles/matrix-server/tasks/main.yml | 20 ++++++++++---------- 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9820a620..6ce28721 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,12 @@ # 2018-08-08 +## Renaming Ansible playbook tag + +The command for executing the whole playbook has changed. +The `setup-main` tag got renamed to `setup-all`. + + ## Docker container linking Changed the way the Docker containers are linked together. The ones that need to communicate with others operate in a `matrix` network now and not in the default bridge network. \ No newline at end of file diff --git a/README.md b/README.md index 853cd09a..da4a4a2b 100644 --- a/README.md +++ b/README.md @@ -200,7 +200,7 @@ Run this as-is to set up a server. This doesn't start any services just yet (another step does this later - below). Feel free to re-run this any time you think something is off with the server configuration. - ansible-playbook -i inventory/hosts setup.yml --tags=setup-main + ansible-playbook -i inventory/hosts setup.yml --tags=setup-all ### Restoring an existing SQLite database (from another installation) diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 2df3b60d..9a87b23d 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -2,15 +2,15 @@ - include: tasks/setup_base.yml tags: - - setup-main + - setup-all - include: tasks/setup_main.yml tags: - - setup-main + - setup-all - include: tasks/setup_ssl.yml tags: - - setup-main + - setup-all - setup-ssl - include: tasks/upgrade_postgres.yml @@ -19,38 +19,38 @@ - include: tasks/setup_postgres.yml tags: - - setup-main + - setup-all - setup-postgres - include: tasks/setup_s3fs.yml tags: - - setup-main + - setup-all - setup-s3fs - include: tasks/setup_goofys.yml tags: - - setup-main + - setup-all - setup-goofys - include: tasks/setup_coturn.yml tags: - - setup-main + - setup-all - setup-coturn - include: tasks/setup_synapse.yml tags: - - setup-main + - setup-all - setup-synapse - setup-coturn - include: tasks/setup_riot_web.yml tags: - - setup-main + - setup-all - setup-riot-web - include: tasks/setup_nginx_proxy.yml tags: - - setup-main + - setup-all - setup-nginx-proxy - include: tasks/start.yml From 700602eed3d789c1efbb4da0140f62d89b0f43e2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Aug 2018 09:17:18 +0300 Subject: [PATCH 0087/2384] Rename a bunch of playbook variables for better consistency --- CHANGELOG.md | 16 +++++++++++++ roles/matrix-server/defaults/main.yml | 24 +++++++++---------- .../matrix-server/tasks/import_sqlite_db.yml | 4 ++-- roles/matrix-server/tasks/setup_coturn.yml | 4 ++-- roles/matrix-server/tasks/setup_goofys.yml | 4 ++-- .../matrix-server/tasks/setup_nginx_proxy.yml | 4 ++-- roles/matrix-server/tasks/setup_postgres.yml | 10 ++++---- roles/matrix-server/tasks/setup_riot_web.yml | 4 ++-- roles/matrix-server/tasks/setup_s3fs.yml | 2 +- roles/matrix-server/tasks/setup_synapse.yml | 4 ++-- .../matrix-server/tasks/upgrade_postgres.yml | 10 ++++---- .../nginx-conf.d/matrix-synapse.conf.j2 | 2 +- .../templates/synapse/homeserver.yaml.j2 | 2 +- .../templates/synapse/synapse.log.config.j2 | 4 ++-- .../systemd/matrix-coturn.service.j2 | 2 +- .../systemd/matrix-goofys.service.j2 | 2 +- .../systemd/matrix-nginx-proxy.service.j2 | 2 +- .../systemd/matrix-postgres.service.j2 | 2 +- .../systemd/matrix-riot-web.service.j2 | 2 +- .../systemd/matrix-synapse.service.j2 | 2 +- .../usr-local-bin/matrix-postgres-cli.j2 | 4 ++-- 21 files changed, 63 insertions(+), 47 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ce28721..6b28c2f6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,22 @@ # 2018-08-08 +## (BC Break) Renaming playbook variables + +The following playbook variables were renamed: + +- from `matrix_max_upload_size_mb` to `matrix_synapse_max_upload_size_mb` +- from `matrix_max_log_file_size_mb` to `matrix_synapse_max_log_file_size_mb` +- from `matrix_max_log_files_count` to `matrix_synapse_max_log_files_count` +- from `docker_matrix_image` to `matrix_docker_image_synapse` +- from `docker_nginx_image` to `matrix_docker_image_nginx` +- from `docker_riot_image` to `matrix_docker_image_riot` +- from `docker_goofys_image` to `matrix_docker_image_goofys` +- from `docker_coturn_image` to `matrix_docker_image_coturn` + +If you're overriding any of them in your `vars.yml` file, you'd need to change to the new names. + + ## Renaming Ansible playbook tag The command for executing the whole playbook has changed. diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 170b1390..f1d3899f 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -46,9 +46,9 @@ matrix_synapse_macaroon_secret_key: "" matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}" matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" -matrix_max_upload_size_mb: 10 -matrix_max_log_file_size_mb: 100 -matrix_max_log_files_count: 10 +matrix_synapse_max_upload_size_mb: 10 +matrix_synapse_max_log_file_size_mb: 100 +matrix_synapse_max_log_files_count: 10 matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" @@ -59,16 +59,16 @@ matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" -docker_postgres_image_v9: "postgres:9.6.9-alpine" -docker_postgres_image_v10: "postgres:10.4-alpine" -docker_postgres_image_latest: "{{ docker_postgres_image_v10 }}" +matrix_docker_image_postgres_v9: "postgres:9.6.9-alpine" +matrix_docker_image_postgres_v10: "postgres:10.4-alpine" +matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" -docker_matrix_image: "matrixdotorg/synapse:v0.33.1" -docker_nginx_image: "nginx:1.15.2-alpine" -docker_riot_image: "avhost/docker-matrix-riot:v0.16.0" -docker_s3fs_image: "xueshanf/s3fs:latest" -docker_goofys_image: "cloudproto/goofys:latest" -docker_coturn_image: "instrumentisto/coturn:4.5.0.7" +matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.1" +matrix_docker_image_nginx: "nginx:1.15.2-alpine" +matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.0" +matrix_docker_image_s3fs: "xueshanf/s3fs:latest" +matrix_docker_image_goofys: "cloudproto/goofys:latest" +matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.7" # The Docker network that all services would be put into matrix_docker_network: "matrix" diff --git a/roles/matrix-server/tasks/import_sqlite_db.yml b/roles/matrix-server/tasks/import_sqlite_db.yml index b56fb293..1757087c 100644 --- a/roles/matrix-server/tasks/import_sqlite_db.yml +++ b/roles/matrix-server/tasks/import_sqlite_db.yml @@ -52,7 +52,7 @@ - name: Importing SQLite database into Postgres docker_container: name: matrix-synapse-migrate - image: "{{ docker_matrix_image }}" + image: "{{ matrix_docker_image_synapse }}" detach: no cleanup: yes entrypoint: /usr/bin/python @@ -69,4 +69,4 @@ - name: Ensure scratchpad directory is deleted file: path: "{{ matrix_scratchpad_dir }}" - state: absent \ No newline at end of file + state: absent diff --git a/roles/matrix-server/tasks/setup_coturn.yml b/roles/matrix-server/tasks/setup_coturn.yml index 11b48d4a..8739d3a2 100644 --- a/roles/matrix-server/tasks/setup_coturn.yml +++ b/roles/matrix-server/tasks/setup_coturn.yml @@ -7,7 +7,7 @@ - name: Ensure Coturn image is pulled docker_image: - name: "{{ docker_coturn_image }}" + name: "{{ matrix_docker_image_coturn }}" - name: Ensure Coturn configuration path exists file: @@ -39,4 +39,4 @@ - '3478/tcp' # STUN - '3478/udp' # STUN - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN - when: ansible_os_family == 'RedHat' \ No newline at end of file + when: ansible_os_family == 'RedHat' diff --git a/roles/matrix-server/tasks/setup_goofys.yml b/roles/matrix-server/tasks/setup_goofys.yml index ab2a6365..bcca60f3 100644 --- a/roles/matrix-server/tasks/setup_goofys.yml +++ b/roles/matrix-server/tasks/setup_goofys.yml @@ -4,7 +4,7 @@ - name: Ensure Goofys Docker image is pulled docker_image: - name: "{{ docker_goofys_image }}" + name: "{{ matrix_docker_image_goofys }}" when: matrix_s3_media_store_enabled # This will throw a Permission Denied error if already mounted @@ -65,6 +65,6 @@ - name: Ensure Goofys Docker image doesn't exist docker_image: - name: "{{ docker_goofys_image }}" + name: "{{ matrix_docker_image_goofys }}" state: absent when: "not matrix_s3_media_store_enabled" diff --git a/roles/matrix-server/tasks/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup_nginx_proxy.yml index c8365c2b..dfcb96af 100644 --- a/roles/matrix-server/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-server/tasks/setup_nginx_proxy.yml @@ -36,7 +36,7 @@ # - name: Ensure nginx Docker image is pulled docker_image: - name: "{{ docker_nginx_image }}" + name: "{{ matrix_docker_image_nginx }}" when: matrix_nginx_proxy_enabled - name: Allow access to nginx proxy ports in firewalld @@ -87,4 +87,4 @@ file: path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter" state: absent - when: "not matrix_nginx_proxy_enabled" \ No newline at end of file + when: "not matrix_nginx_proxy_enabled" diff --git a/roles/matrix-server/tasks/setup_postgres.yml b/roles/matrix-server/tasks/setup_postgres.yml index 92f125e0..8242fa4e 100644 --- a/roles/matrix-server/tasks/setup_postgres.yml +++ b/roles/matrix-server/tasks/setup_postgres.yml @@ -26,21 +26,21 @@ - name: Determine Postgres version to use (default to latest) set_fact: - docker_postgres_image_to_use: "{{ docker_postgres_image_latest }}" + matrix_docker_image_postgres_to_use: "{{ matrix_docker_image_postgres_latest }}" - name: Determine Postgres version to use (use 9.x, if detected) set_fact: - docker_postgres_image_to_use: "{{ docker_postgres_image_v9 }}" + matrix_docker_image_postgres_to_use: "{{ matrix_docker_image_postgres_v9 }}" when: "pg_version.startswith('9.')" - debug: - msg: "NOTE: Your setup is on an old Postgres version ({{ docker_postgres_image_to_use }}), while {{ docker_postgres_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres" - when: "docker_postgres_image_to_use != docker_postgres_image_latest" + msg: "NOTE: Your setup is on an old Postgres version ({{ matrix_docker_image_postgres_to_use }}), while {{ matrix_docker_image_postgres_latest }} is supported. You can upgrade using --tags=upgrade-postgres" + when: "matrix_docker_image_postgres_to_use != matrix_docker_image_postgres_latest" # Even if we don't run the internal server, we still need this for running the CLI - name: Ensure postgres Docker image is pulled docker_image: - name: "{{ docker_postgres_image_to_use }}" + name: "{{ matrix_docker_image_postgres_to_use }}" - name: Ensure Postgres environment variables file created template: diff --git a/roles/matrix-server/tasks/setup_riot_web.yml b/roles/matrix-server/tasks/setup_riot_web.yml index d965217c..ab67a4c0 100644 --- a/roles/matrix-server/tasks/setup_riot_web.yml +++ b/roles/matrix-server/tasks/setup_riot_web.yml @@ -15,7 +15,7 @@ - name: Ensure riot-web Docker image is pulled docker_image: - name: "{{ docker_riot_image }}" + name: "{{ matrix_docker_image_riot }}" when: matrix_riot_web_enabled - name: Ensure Matrix riot-web configured @@ -64,6 +64,6 @@ - name: Ensure riot-web Docker image doesn't exist docker_image: - name: "{{ docker_riot_image }}" + name: "{{ matrix_docker_image_riot }}" state: absent when: "not matrix_riot_web_enabled" diff --git a/roles/matrix-server/tasks/setup_s3fs.yml b/roles/matrix-server/tasks/setup_s3fs.yml index 49f64990..f3120809 100644 --- a/roles/matrix-server/tasks/setup_s3fs.yml +++ b/roles/matrix-server/tasks/setup_s3fs.yml @@ -23,5 +23,5 @@ - name: Ensure S3fs Docker image doesn't exist docker_image: - name: "{{ docker_s3fs_image }}" + name: "{{ matrix_docker_image_s3fs }}" state: absent diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index d8aabf06..eb254e75 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -39,7 +39,7 @@ - name: Ensure Matrix Docker image is pulled docker_image: - name: "{{ docker_matrix_image }}" + name: "{{ matrix_docker_image_synapse }}" - name: Check if a Matrix Synapse configuration exists stat: @@ -51,7 +51,7 @@ - name: Generate initial Matrix config docker_container: name: matrix-config - image: "{{ docker_matrix_image }}" + image: "{{ matrix_docker_image_synapse }}" detach: no cleanup: yes command: generate diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-server/tasks/upgrade_postgres.yml index 8337d6eb..cdb39c70 100644 --- a/roles/matrix-server/tasks/upgrade_postgres.yml +++ b/roles/matrix-server/tasks/upgrade_postgres.yml @@ -52,16 +52,16 @@ - name: Determine Postgres version to use (default to latest) set_fact: - docker_postgres_image_to_use: "{{ docker_postgres_image_latest }}" + matrix_docker_image_postgres_to_use: "{{ matrix_docker_image_postgres_latest }}" - name: Determine Postgres version to use (use 9.x, if detected) set_fact: - docker_postgres_image_to_use: "{{ docker_postgres_image_v9 }}" + matrix_docker_image_postgres_to_use: "{{ matrix_docker_image_postgres_v9 }}" when: "pg_version.startswith('9.')" - name: Abort, if already at latest Postgres version fail: msg="You are already running the latest Postgres version supported. Nothing to do" - when: "docker_postgres_image_to_use == docker_postgres_image_latest" + when: "matrix_docker_image_postgres_to_use == matrix_docker_image_postgres_latest" - name: Ensure matrix-synapse is stopped service: name=matrix-synapse state=stopped @@ -81,7 +81,7 @@ --link matrix-postgres:postgres \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ -v {{ postgres_dump_dir }}:/out \ - {{ docker_postgres_image_to_use }} pg_dump -h postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }} + {{ matrix_docker_image_postgres_to_use }} pg_dump -h postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }} - name: Ensure matrix-postgres is stopped service: name=matrix-postgres state=stopped @@ -109,7 +109,7 @@ --link matrix-postgres:postgres \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ -v {{ postgres_dump_dir }}:/in:ro \ - {{ docker_postgres_image_latest }} psql -h postgres -f /in/{{ postgres_dump_name }} + {{ matrix_docker_image_postgres_latest }} psql -h postgres -f /in/{{ postgres_dump_name }} - name: Delete Postgres database dump file file: diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 56c78657..25276fa4 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -53,7 +53,7 @@ server { proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; - client_max_body_size {{ matrix_max_upload_size_mb }}M; + client_max_body_size {{ matrix_synapse_max_upload_size_mb }}M; proxy_max_temp_file_size 0; } } diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 9b339516..3f908aae 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -257,7 +257,7 @@ media_store_path: "/matrix-storage/media-store" uploads_path: "/matrix-run/uploads" # The largest allowed upload size in bytes -max_upload_size: "{{ matrix_max_upload_size_mb }}M" +max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" # Maximum number of pixels that will be thumbnailed max_image_pixels: "32M" diff --git a/roles/matrix-server/templates/synapse/synapse.log.config.j2 b/roles/matrix-server/templates/synapse/synapse.log.config.j2 index f424d4be..2b779653 100644 --- a/roles/matrix-server/templates/synapse/synapse.log.config.j2 +++ b/roles/matrix-server/templates/synapse/synapse.log.config.j2 @@ -15,8 +15,8 @@ handlers: class: logging.handlers.RotatingFileHandler formatter: precise filename: /matrix-run/homeserver.log - maxBytes: {{ matrix_max_log_file_size_mb * 1024 * 1024 }} - backupCount: {{ matrix_max_log_files_count }} + maxBytes: {{ matrix_synapse_max_log_file_size_mb * 1024 * 1024 }} + backupCount: {{ matrix_synapse_max_log_files_count }} filters: [context] console: class: logging.StreamHandler diff --git a/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 index df5d74f2..89cffa22 100644 --- a/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 @@ -14,7 +14,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ -v {{ matrix_synapse_config_dir_path }}:/matrix-config:ro \ -v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \ - {{ docker_coturn_image }} \ + {{ matrix_docker_image_coturn }} \ -c /turnserver.conf ExecStop=-/usr/bin/docker kill matrix-coturn ExecStop=-/usr/bin/docker rm matrix-coturn diff --git a/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 b/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 index 9107ca9a..2273e3ed 100644 --- a/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 @@ -18,7 +18,7 @@ ExecStart=/usr/bin/docker run --rm --name %n \ -v {{ matrix_synapse_media_store_path }}:/s3:shared \ --env-file={{ matrix_environment_variables_data_path }}/goofys \ --entrypoint /bin/sh \ - {{ docker_goofys_image }} \ + {{ matrix_docker_image_goofys }} \ -c 'goofys -f --storage-class=STANDARD_IA --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' TimeoutStartSec=5min ExecStop=-/usr/bin/docker stop %n diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index c37b209f..ccf24942 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -17,7 +17,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ -p 443:443 \ -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ -v {{ matrix_ssl_certs_path }}:{{ matrix_ssl_certs_path }}:ro \ - {{ docker_nginx_image }} + {{ matrix_docker_image_nginx }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy ExecStop=-/usr/bin/docker rm matrix-nginx-proxy ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload diff --git a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 index 60edf39b..458fd22a 100644 --- a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 @@ -15,7 +15,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-server-docker \ -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \ -v /etc/passwd:/etc/passwd:ro \ - {{ docker_postgres_image_to_use }} + {{ matrix_docker_image_postgres_to_use }} ExecStop=-/usr/bin/docker stop matrix-postgres ExecStop=-/usr/bin/docker rm matrix-postgres Restart=always diff --git a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 index ee2035c6..347cdfed 100644 --- a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 @@ -15,7 +15,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ {% if not matrix_nginx_proxy_enabled %} -p 127.0.0.1:8765:8765 \ {% endif %} - {{ docker_riot_image }} + {{ matrix_docker_image_riot }} ExecStop=-/usr/bin/docker kill matrix-riot-web ExecStop=-/usr/bin/docker rm matrix-riot-web Restart=always diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 7eb70e36..4b716547 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -32,7 +32,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ -v {{ matrix_synapse_run_path }}:/matrix-run \ -v {{ matrix_synapse_storage_path }}:/matrix-storage:slave \ -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml \ - {{ docker_matrix_image }} + {{ matrix_docker_image_synapse }} ExecStop=-/usr/bin/docker kill matrix-synapse ExecStop=-/usr/bin/docker rm matrix-synapse Restart=always diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 index d821c4bb..bcb5db8c 100644 --- a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 +++ b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -5,5 +5,5 @@ docker run \ --rm \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ --network {{ matrix_docker_network }} \ - {{ docker_postgres_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} \ No newline at end of file + {{ matrix_docker_image_postgres_to_use }} \ + psql -h {{ matrix_postgres_connection_hostname }} From 30c53cdea2055bf2ab6e7727a0a12295d9ba9eab Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Aug 2018 10:07:02 +0300 Subject: [PATCH 0088/2384] Split README into a bunch of files in docs/ --- README.md | 254 +----------------- docs/README.md | 17 ++ docs/configuring-dns.md | 19 ++ .../configuring-playbook-external-postgres.md | 18 ++ docs/configuring-playbook-own-webserver.md | 25 ++ docs/configuring-playbook-s3.md | 39 +++ docs/configuring-playbook.md | 30 +++ docs/importing-sqlite.md | 15 ++ docs/installing.md | 33 +++ docs/maintenance-upgrading-postgres.md | 20 ++ docs/maintenance-upgrading-services.md | 15 ++ docs/prerequisites.md | 17 ++ docs/registering-users.md | 13 + docs/restoring-media-store.md | 9 + docs/uninstalling.md | 21 ++ 15 files changed, 300 insertions(+), 245 deletions(-) create mode 100644 docs/README.md create mode 100644 docs/configuring-dns.md create mode 100644 docs/configuring-playbook-external-postgres.md create mode 100644 docs/configuring-playbook-own-webserver.md create mode 100644 docs/configuring-playbook-s3.md create mode 100644 docs/configuring-playbook.md create mode 100644 docs/importing-sqlite.md create mode 100644 docs/installing.md create mode 100644 docs/maintenance-upgrading-postgres.md create mode 100644 docs/maintenance-upgrading-services.md create mode 100644 docs/prerequisites.md create mode 100644 docs/registering-users.md create mode 100644 docs/restoring-media-store.md create mode 100644 docs/uninstalling.md diff --git a/README.md b/README.md index da4a4a2b..6ce36ecc 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ Using this playbook, you can get the following services configured on your serve - (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for your Matrix Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys) -- (optional default) [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse - providing better performance than the default [SQLite](https://sqlite.org/) database. Using an external PostgreSQL server [is possible](#using-an-external-postgresql-server-optional) as well +- (optional default) [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse. [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) is also possible. - a [STUN/TURN server](https://github.com/coturn/coturn) for WebRTC audio/video calls @@ -29,15 +29,15 @@ Basically, this playbook aims to get you up-and-running with all the basic neces This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) Ansible deployment, but: -- this one is a complete Ansible playbook (instead of just a role), so it should be **easier to run** - especially for folks not familiar with Ansible +- this one is a complete Ansible playbook (instead of just a role), so it's **easier to run** - especially for folks not familiar with Ansible - this one **can be re-ran many times** without causing trouble - works on both **CentOS** (7.0+) and Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+) -- this one keeps mostly everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place +- this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place -- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up nginx for you there, but you can disable that and configure your own webserver (proxy) +- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up nginx for you there, but you can also [use your own webserver](docs/configuring-playbook-own-webserver.md) - this one **runs everything in Docker containers**, so it's likely more predictable and less fragile (see [Docker images used by this playbook](#docker-images-used-by-this-playbook)) @@ -48,252 +48,16 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one optionally **allows you to use an external PostgreSQL server** for Matrix Synapse's database (but defaults to running one in a container) -## Prerequisites +## Installation -- **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (16.04+) server. This playbook can take over your whole server or co-exist with other services that you have there. +To configure and install Matrix on your own server, follow the [README in the docs/ directory](docs/README.md). -- [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). -- the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you +## Changes -- properly configured DNS SRV record for `` (details in [Configuring DNS](#configuring-dns) below) +This playbook evolves over time, sometimes with backward-incompatible changes. -- `matrix.` domain name pointing to your new server - this is where the Matrix Synapse server will live (details in [Configuring DNS](#configuring-dns) below) - -- `riot.` domain name pointing to your new server - this is where the Riot web UI will live (details in [Configuring DNS](#configuring-dns) below) - -- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (STUN over TCP), `3478/udp` (STUN over UDP), `8448/tcp` (Matrix federation HTTPS webserver), `49152-49172/udp` (TURN over UDP). - - -## Configuring DNS - -In order to use an identifier like `@:`, you don't actually need -to install anything on the actual `` server. - -All services created by this playbook are meant to be installed on their own server (such as `matrix.`). - -In order to do this, you must first instruct the Matrix network of this by setting up a DNS SRV record (think of it as a "redirect"). -The SRV record should look like this: -- Name: `_matrix._tcp` (use this text as-is) -- Content: `10 0 8448 matrix.` (replace `` with your own) - -Once you've set up this DNS SRV record, you should create 2 other domain names (`matrix.` and `riot.`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` is fine). - -This playbook can then install all the services on that new server and you'll be able to join the Matrix network as `@:`, even though everything is installed elsewhere (not on ``). - - -## Configuration - -Once you have your server and you have [configured your DNS records](#configuring-dns), you can proceed with configuring this playbook, so that it knows what to install and where. - -You can follow these steps: - -- create a directory to hold your configuration (`mkdir inventory/host_vars/matrix.`) - -- copy the sample configuration file (`cp examples/host-vars.yml inventory/host_vars/matrix./vars.yml`) - -- edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at `roles/matrix-server/defaults.main.yml` and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. - -- copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) - -- edit the inventory hosts file (`inventory/hosts`) to your liking - - -## Amazon S3 configuration (optional) - -By default, this playbook configures your server to store Matrix Synapse's content repository (`media_store`) files on the local filesystem. -If that's alright, you can skip ahead. - -If you'd like to store Matrix Synapse's content repository (`media_store`) files on Amazon S3, -you can let this playbook configure [Goofys](https://github.com/kahing/goofys) for you. - -You'll need an Amazon S3 bucket and some IAM user credentials (access key + secret key) with full write access to the bucket. Example security policy: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Stmt1400105486000", - "Effect": "Allow", - "Action": [ - "s3:*" - ], - "Resource": [ - "arn:aws:s3:::your-bucket-name", - "arn:aws:s3:::your-bucket-name/*" - ] - } - ] -} -``` - -You then need to enable S3 support in your configuration file (`inventory/matrix./vars.yml`). -It would be something like this: - -```yaml -matrix_s3_media_store_enabled: true -matrix_s3_media_store_bucket_name: "your-bucket-name" -matrix_s3_media_store_aws_access_key: "access-key-goes-here" -matrix_s3_media_store_aws_secret_key: "secret-key-goes-here" -matrix_s3_media_store_region: "eu-central-1" -``` - - -## Using an external PostgreSQL server (optional) - -By default, this playbook would set up a PostgreSQL database server on your machine, running in a Docker container. -If that's alright, you can skip ahead. - -If you'd like to use an external PostgreSQL server that you manage, you can edit your configuration file (`inventory/matrix./vars.yml`). -It should be something like this: - -```yaml -matrix_postgres_use_external: true -matrix_postgres_connection_hostname: "your-postgres-server-hostname" -matrix_postgres_connection_username: "your-postgres-server-username" -matrix_postgres_connection_password: "your-postgres-server-password" -matrix_postgres_db_name: "your-postgres-server-database-name" -``` - -The database (as specified in `matrix_postgres_db_name`) must exist and be accessible with the given credentials. -It must be empty or contain a valid Matrix Synapse database. If empty, Matrix Synapse would populate it the first time it runs. - - -## Using your own webserver, instead of this playbook's nginx proxy (optional) - -By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443. -If that's alright, you can skip ahead. - -If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that, -and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can. - -All it takes is editing your configuration file (`inventory/matrix./vars.yml`): - -``` -matrix_nginx_proxy_enabled: false -``` - -**Note**: even if you do this, in order [to install](#installing), this playbook still expects port 80 to be available. **Please manually stop your other webserver while installing**. You can start it back again afterwards. - -**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` - -**If your own webserver is not nginx**, you can still take a look at the sample files in `/matrix/nginx-proxy/conf.d`, and: - -- ensure you set up (separate) vhosts that proxy for both Riot (`localhost:8765`) and Matrix Synapse (`localhost:8008`) - -- ensure that the `/.well-known/acme-challenge` location for each "port=80 vhost" is an alias to the `/matrix/ssl/run/acme-challenge` directory (for automated SSL renewal to work) - -- ensure that you restart/reload your webserver once in a while, so that renewed SSL certificates would take effect (once a month should be enough) - - -## Installing - -Once you have your server and you have [configured your DNS records](#configuring-dns), you can proceed with installing. - -To make use of this playbook, you should invoke the `setup.yml` playbook multiple times, with different tags. - - -### Configuring a server - -Run this as-is to set up a server. -This doesn't start any services just yet (another step does this later - below). -Feel free to re-run this any time you think something is off with the server configuration. - - ansible-playbook -i inventory/hosts setup.yml --tags=setup-all - - -### Restoring an existing SQLite database (from another installation) - -Run this if you'd like to import your database from a previous default installation of Matrix Synapse. -(don't forget to import your `media_store` files as well - see below). - -While this playbook always sets up PostgreSQL, by default a Matrix Synapse installation would run -using an SQLite database. - -If you have such a Matrix Synapse setup and wish to migrate it here (and over to PostgreSQL), this command is for you. - -Run this command (make sure to replace `` with a file path on your local machine): - - ansible-playbook -i inventory/hosts setup.yml --extra-vars='local_path_homeserver_db=' --tags=import-sqlite-db - -**Note**: `` must be a file path to a `homeserver.db` file on your local machine (not on the server!). This file is copied to the server and imported. - - -### Restoring `media_store` data files from an existing installation - -Run this if you'd like to import your `media_store` files from a previous installation of Matrix Synapse. - -Run this command (make sure to replace `` with a path on your local machine): - - ansible-playbook -i inventory/hosts setup.yml --extra-vars='local_path_media_store=' --tags=import-media-store - -**Note**: `` must be a file path to a `media_store` directory on your local machine (not on the server!). This directory's contents are then copied to the server. - - -### Starting the services - -Run this as-is to start all the services and to ensure they'll run on system startup later on. - - ansible-playbook -i inventory/hosts setup.yml --tags=start - - -### Registering a user - -Run this to create a new user account on your Matrix server. - -You can do it via this Ansible playbook (make sure to edit the `` and `` part below): - - ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password= admin=' --tags=register-user - -**or** using the command-line after **SSH**-ing to your server (requires that [all services have been started](#starting-the-services)): - - /usr/local/bin/matrix-synapse-register-user - -**Note**: `` is just a plain username (like `john`), not your full `@:` identifier. - - -### Upgrading Postgres - -If you're not using an external Postgres server, this playbook initially installs Postgres for you. - -Once installed like that, this playbook attempts to preserve the Postgres version it starts with. -This is because newer Postgres versions cannot start with data generated by an older Postgres version. -An upgrade must be performed. - -This playbook can upgrade your existing Postgres setup with the following command: - - ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres - -**The old Postgres data directory is backed up** (by renaming to `/matrix/postgres-auto-upgrade-backup`). -It stays around forever, until you **manually decide to delete it**. - -As part of the upgrade, the database is dumped to `/tmp`, upgraded and then restored from that dump. -To use a different directory, pass some extra flags to the command above, like this: `--extra-vars="postgres_dump_dir=/directory/to/dump/here"` - -**ONLY one database is migrated** (the one specified in `matrix_postgres_db_name`, named `homeserver` by default). -If you've created other databases in that database instance (something this playbook never does and never advises), data will be lost. - - -## Uninstalling - -**Note**: If you have some trouble with your installation configuration, you can just re-run the playbook and it will try to set things up again. You don't need to uninstall and install fresh. - -However, if you've installed this on some server where you have other stuff you wish to preserve, and now want get rid of Matrix, it's enough to do these: - -- ensure all Matrix services are stopped (`systemctl stop 'matrix*'`) - -- delete the Matrix-related systemd .service files (`rm -f /etc/systemd/system/matrix*`) and reload systemd (`systemctl daemon-reload`) - -- delete all Matrix-related cronjobs (`rm -f /etc/cron.d/matrix*`) - -- delete some helper scripts (`rm -f /usr/local/bin/matrix*`) - -- delete some cached Docker images (or just delete them all: `docker rmi $(docker images -aq)`) - -- uninstall Docker itself, if necessary - -- delete the `/matrix` directory (`rm -rf /matrix`) +When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up with what's new. ## Docker images used by this playbook diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 00000000..621644b5 --- /dev/null +++ b/docs/README.md @@ -0,0 +1,17 @@ +# Table of Contents + +- [Prerequisites](prerequisites.md) + +- [Configuring your DNS server](configuring-dns.md) + +- [Configuring this Ansible playbook](configuring-playbook.md) + +- [Installing](installing.md) + +- [Registering users](registering-users.md) + +- [Maintenance / upgrading services](maintenance-upgrading-services.md) + +- [Maintenance / upgrading PostgreSQL](maintenance-upgrading-postgres.md) + +- [Uninstalling](uninstalling.md) \ No newline at end of file diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md new file mode 100644 index 00000000..8d9d60a1 --- /dev/null +++ b/docs/configuring-dns.md @@ -0,0 +1,19 @@ +# Configuring your DNS server + +To set up Matrix on your domain, you'd need to do some DNS configuration. + +To use an identifier like `@:`, you don't actually need +to install anything on the actual `` server. + +All services created by this playbook are meant to be installed on their own server (such as `matrix.`). + +To accomplish such a "redirect", you need to instruct the Matrix network of this by setting up a DNS SRV record. +The SRV record should look like this: +- Name: `_matrix._tcp` (use this text as-is) +- Content: `10 0 8448 matrix.` (replace `` with your own) + +Once you've set up this DNS SRV record, you should create 2 other domain names (`matrix.` and `riot.`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` is fine). + +This playbook can then install all the services on that new server and you'll be able to join the Matrix network as `@:`, even though everything is installed elsewhere (not on ``). + +When ready to proceed, continue with [Configuring this Ansible playbook](configuring-playbook.md). \ No newline at end of file diff --git a/docs/configuring-playbook-external-postgres.md b/docs/configuring-playbook-external-postgres.md new file mode 100644 index 00000000..2c93ebc3 --- /dev/null +++ b/docs/configuring-playbook-external-postgres.md @@ -0,0 +1,18 @@ +# Using an external PostgreSQL server (optional) + +By default, this playbook would set up a PostgreSQL database server on your machine, running in a Docker container. +If that's alright, you can skip this. + +If you'd like to use an external PostgreSQL server that you manage, you can edit your configuration file (`inventory/matrix./vars.yml`). +It should be something like this: + +```yaml +matrix_postgres_use_external: true +matrix_postgres_connection_hostname: "your-postgres-server-hostname" +matrix_postgres_connection_username: "your-postgres-server-username" +matrix_postgres_connection_password: "your-postgres-server-password" +matrix_postgres_db_name: "your-postgres-server-database-name" +``` + +The database (as specified in `matrix_postgres_db_name`) must exist and be accessible with the given credentials. +It must be empty or contain a valid Matrix Synapse database. If empty, Matrix Synapse would populate it the first time it runs. \ No newline at end of file diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md new file mode 100644 index 00000000..ba6d8938 --- /dev/null +++ b/docs/configuring-playbook-own-webserver.md @@ -0,0 +1,25 @@ +# Using your own webserver, instead of this playbook's nginx proxy (optional) + +By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443. +If that's alright, you can skip this. + +If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that, +and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can. + +All it takes is editing your configuration file (`inventory/matrix./vars.yml`): + +``` +matrix_nginx_proxy_enabled: false +``` + +**Note**: even if you do this, in order [to install](#installing), this playbook still expects port 80 to be available. **Please manually stop your other webserver while installing**. You can start it back again afterwards. + +**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` + +**If your own webserver is not nginx**, you can still take a look at the sample files in `/matrix/nginx-proxy/conf.d`, and: + +- ensure you set up (separate) vhosts that proxy for both Riot (`localhost:8765`) and Matrix Synapse (`localhost:8008`) + +- ensure that the `/.well-known/acme-challenge` location for each "port=80 vhost" is an alias to the `/matrix/ssl/run/acme-challenge` directory (for automated SSL renewal to work) + +- ensure that you restart/reload your webserver once in a while, so that renewed SSL certificates would take effect (once a month should be enough) \ No newline at end of file diff --git a/docs/configuring-playbook-s3.md b/docs/configuring-playbook-s3.md new file mode 100644 index 00000000..ceb3bd13 --- /dev/null +++ b/docs/configuring-playbook-s3.md @@ -0,0 +1,39 @@ +# Amazon S3 configuration (optional) + +By default, this playbook configures your server to store Matrix Synapse's content repository (`media_store`) files on the local filesystem. +If that's alright, you can skip this. + +If you'd like to store Matrix Synapse's content repository (`media_store`) files on Amazon S3, +you can let this playbook configure [Goofys](https://github.com/kahing/goofys) for you. + +You'll need an Amazon S3 bucket and some IAM user credentials (access key + secret key) with full write access to the bucket. Example security policy: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Stmt1400105486000", + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::your-bucket-name", + "arn:aws:s3:::your-bucket-name/*" + ] + } + ] +} +``` + +You then need to enable S3 support in your configuration file (`inventory/matrix./vars.yml`). +It would be something like this: + +```yaml +matrix_s3_media_store_enabled: true +matrix_s3_media_store_bucket_name: "your-bucket-name" +matrix_s3_media_store_aws_access_key: "access-key-goes-here" +matrix_s3_media_store_aws_secret_key: "secret-key-goes-here" +matrix_s3_media_store_region: "eu-central-1" +``` \ No newline at end of file diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md new file mode 100644 index 00000000..19ff357d --- /dev/null +++ b/docs/configuring-playbook.md @@ -0,0 +1,30 @@ +# Configuration the Ansible playbook + +Once you have your server and you have [configured your DNS records](configuring-dns.md#configuring-dns), you can proceed with configuring this playbook, so that it knows what to install and where. + +You can follow these steps: + +- create a directory to hold your configuration (`mkdir inventory/host_vars/matrix.`) + +- copy the sample configuration file (`cp examples/host-vars.yml inventory/host_vars/matrix./vars.yml`) + +- edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at `roles/matrix-server/defaults.main.yml` and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. + +- copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) + +- edit the inventory hosts file (`inventory/hosts`) to your liking + + +For a basic Matrix installation, that's all you need. +For a more custom setup, see the [Other configuration options](#other-configuration-options) below. + +When you're done with all the configuration you'd like to do, continue with [Installing](installing.md). + + +## Other configuration options + +- [Amazon S3 configuration](configuring-playbook-s3.md) (optional) + +- [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional) + +- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional) \ No newline at end of file diff --git a/docs/importing-sqlite.md b/docs/importing-sqlite.md new file mode 100644 index 00000000..1ae66623 --- /dev/null +++ b/docs/importing-sqlite.md @@ -0,0 +1,15 @@ +# Importing an existing SQLite database from another installation (optional) + +Run this if you'd like to import your database from a previous default installation of Matrix Synapse. +(don't forget to import your `media_store` files as well - see below). + +While this playbook always sets up PostgreSQL, by default a Matrix Synapse installation would run +using an SQLite database. + +If you have such a Matrix Synapse setup and wish to migrate it here (and over to PostgreSQL), this command is for you. + +Run this command (make sure to replace `` with a file path on your local machine): + + ansible-playbook -i inventory/hosts setup.yml --extra-vars='local_path_homeserver_db=' --tags=import-sqlite-db + +**Note**: `` must be a file path to a `homeserver.db` file on your local machine (not on the server!). This file is copied to the server and imported. \ No newline at end of file diff --git a/docs/installing.md b/docs/installing.md new file mode 100644 index 00000000..e6a33f6f --- /dev/null +++ b/docs/installing.md @@ -0,0 +1,33 @@ +# Installing + +If you've [configured your DNS](configuring-dns.md) and have [configured the playbook](configuring-playook.md), you can start the installation procedure. + +Run this as-is to set up a server: + +```bash +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all +``` + +This **doesn't start any services just yet** (another step does this later - below). + +Feel free to **re-run this any time** you think something is off with the server configuration. + + +# Things you might want to do after installing + +After installing, but before starting the services, you may want to do additional things like: + +- [Importing an existing SQLite database (from another installation)](importing-sqlite.md) (optional) + +- [Restoring `media_store` data files from an existing installation](restoring-media-store.md) (optional) + + +# Starting the services + +When you're ready to start the Matrix services (and set them up to auto-start in the future): + +```bash +ansible-playbook -i inventory/hosts setup.yml --tags=start +``` + +Now that the services are running, you might want to [create your first user account](registering-users.md) \ No newline at end of file diff --git a/docs/maintenance-upgrading-postgres.md b/docs/maintenance-upgrading-postgres.md new file mode 100644 index 00000000..6e6a1b3b --- /dev/null +++ b/docs/maintenance-upgrading-postgres.md @@ -0,0 +1,20 @@ +# Upgrading PostgreSQL + +If you're not using an external Postgres server, this playbook initially installs Postgres for you. + +Once installed like that, this playbook attempts to preserve the Postgres version it starts with. +This is because newer Postgres versions cannot start with data generated by an older Postgres version. +An upgrade must be performed. + +This playbook can upgrade your existing Postgres setup with the following command: + + ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres + +**The old Postgres data directory is backed up** (by renaming to `/matrix/postgres-auto-upgrade-backup`). +It stays around forever, until you **manually decide to delete it**. + +As part of the upgrade, the database is dumped to `/tmp`, upgraded and then restored from that dump. +To use a different directory, pass some extra flags to the command above, like this: `--extra-vars="postgres_dump_dir=/directory/to/dump/here"` + +**ONLY one database is migrated** (the one specified in `matrix_postgres_db_name`, named `homeserver` by default). +If you've created other databases in that database instance (something this playbook never does and never advises), data will be lost. \ No newline at end of file diff --git a/docs/maintenance-upgrading-services.md b/docs/maintenance-upgrading-services.md new file mode 100644 index 00000000..9190f61b --- /dev/null +++ b/docs/maintenance-upgrading-services.md @@ -0,0 +1,15 @@ +# Upgrading the Matrix services + +This playbook not only installs the various Matrix services for you, but can also upgrade them as new versions are made available. + +To upgrade the services: + +- update your playbook directory (`git pull`), so you'd obtain everything new we've done + +- take a look at [the changelog](../CHANGELOG.md) to see if there have been any backward-incomptabile changes that you need to take care of + +- re-run the [playbook setup](installing.md): `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all` + +- restart the services: `ansible-playbook -i inventory/hosts setup.yml --tags=start` + +**Note**: major version upgrades are not done to the internal PostgreSQL database. To upgrade that one, refer to the [upgrading PostgreSQL document](maintenance-upgrading-postgres.md). \ No newline at end of file diff --git a/docs/prerequisites.md b/docs/prerequisites.md new file mode 100644 index 00000000..2b5a90bc --- /dev/null +++ b/docs/prerequisites.md @@ -0,0 +1,17 @@ +# Prerequisites + +- **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (16.04+) server. This playbook can take over your whole server or co-exist with other services that you have there. + +- [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). + +- the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you + +- properly configured DNS SRV record for `` (details in [Configuring DNS](configuring-dns.md#configuring-dns) below) + +- `matrix.` domain name pointing to your new server - this is where the Matrix Synapse server will live (details in [Configuring DNS](configuring-dns.md#configuring-dns) below) + +- `riot.` domain name pointing to your new server - this is where the Riot web UI will live (details in [Configuring DNS](configuring-dns.md#configuring-dns) below) + +- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (STUN over TCP), `3478/udp` (STUN over UDP), `8448/tcp` (Matrix federation HTTPS webserver), `49152-49172/udp` (TURN over UDP). + +When ready to proceed, continue with [Configuring DNS](configuring-dns.md). \ No newline at end of file diff --git a/docs/registering-users.md b/docs/registering-users.md new file mode 100644 index 00000000..99105285 --- /dev/null +++ b/docs/registering-users.md @@ -0,0 +1,13 @@ +# Registering users + +Run this to create a new user account on your Matrix server. + +You can do it via this Ansible playbook (make sure to edit the `` and `` part below): + + ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password= admin=' --tags=register-user + +**or** using the command-line after **SSH**-ing to your server (requires that [all services have been started](#starting-the-services)): + + /usr/local/bin/matrix-synapse-register-user + +**Note**: `` is just a plain username (like `john`), not your full `@:` identifier. \ No newline at end of file diff --git a/docs/restoring-media-store.md b/docs/restoring-media-store.md new file mode 100644 index 00000000..62bddcd9 --- /dev/null +++ b/docs/restoring-media-store.md @@ -0,0 +1,9 @@ +# Restoring `media_store` data files from an existing installation (optional) + +Run this if you'd like to import your `media_store` files from a previous installation of Matrix Synapse. + +Run this command (make sure to replace `` with a path on your local machine): + + ansible-playbook -i inventory/hosts setup.yml --extra-vars='local_path_media_store=' --tags=import-media-store + +**Note**: `` must be a file path to a `media_store` directory on your local machine (not on the server!). This directory's contents are then copied to the server. \ No newline at end of file diff --git a/docs/uninstalling.md b/docs/uninstalling.md new file mode 100644 index 00000000..3693ac1b --- /dev/null +++ b/docs/uninstalling.md @@ -0,0 +1,21 @@ +# Uninstalling + +**Note**: If you have some trouble with your installation configuration, you can just [re-run the playbook](installing.md) and it will try to set things up again. You don't need to uninstall and install fresh. + +However, if you've installed this on some server where you have other stuff you wish to preserve, and now want get rid of Matrix, it's enough to do these: + +- ensure all Matrix services are stopped (`systemctl stop 'matrix*'`) + +- delete the Matrix-related systemd .service files (`rm -f /etc/systemd/system/matrix*`) and reload systemd (`systemctl daemon-reload`) + +- delete all Matrix-related cronjobs (`rm -f /etc/cron.d/matrix*`) + +- delete some helper scripts (`rm -f /usr/local/bin/matrix*`) + +- delete some cached Docker images (or just delete them all: `docker rmi $(docker images -aq)`) + +- delete the Docker network: `docker network rm matrix` + +- uninstall Docker itself, if necessary + +- delete the `/matrix` directory (`rm -rf /matrix`) \ No newline at end of file From f254aaf44a09706e6e95763ab3045658138abe59 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Aug 2018 10:10:16 +0300 Subject: [PATCH 0089/2384] Improve wording a bit --- docs/configuring-playbook-s3.md | 2 +- docs/configuring-playbook.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-s3.md b/docs/configuring-playbook-s3.md index ceb3bd13..e0687d8d 100644 --- a/docs/configuring-playbook-s3.md +++ b/docs/configuring-playbook-s3.md @@ -1,4 +1,4 @@ -# Amazon S3 configuration (optional) +# Storing Matrix media files on Amazon S3 (optional) By default, this playbook configures your server to store Matrix Synapse's content repository (`media_store`) files on the local filesystem. If that's alright, you can skip this. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 19ff357d..9b7d36b4 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -23,7 +23,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins ## Other configuration options -- [Amazon S3 configuration](configuring-playbook-s3.md) (optional) +- [Storing Matrix media files on Amazon S3](configuring-playbook-s3.md) (optional) - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional) From 084a0a0e532e0eb4a1ca5307b9973b8940440b03 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Aug 2018 10:47:03 +0300 Subject: [PATCH 0090/2384] Minor consistency improvement --- .../templates/systemd/matrix-nginx-proxy.service.j2 | 2 +- .../matrix-server/templates/systemd/matrix-postgres.service.j2 | 2 +- .../matrix-server/templates/systemd/matrix-riot-web.service.j2 | 2 +- roles/matrix-server/templates/systemd/matrix-synapse.service.j2 | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index ccf24942..c97478f1 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -12,7 +12,7 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ - --network {{ matrix_docker_network }} \ + --network={{ matrix_docker_network }} \ -p 80:80 \ -p 443:443 \ -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ diff --git a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 index 458fd22a..1e619913 100644 --- a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 @@ -11,7 +11,7 @@ ExecStartPre=-/usr/bin/mkdir {{ matrix_postgres_data_path }} ExecStartPre=-/usr/bin/chown {{ matrix_user_uid }}:{{ matrix_user_gid }} {{ matrix_postgres_data_path }} ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --network {{ matrix_docker_network }} \ + --network={{ matrix_docker_network }} \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-server-docker \ -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \ -v /etc/passwd:/etc/passwd:ro \ diff --git a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 index 347cdfed..07c0b7c7 100644 --- a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 @@ -11,7 +11,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ -v {{ matrix_nginx_riot_web_data_path }}/config.json:/riot-web/webapp/config.json:ro \ -v {{ matrix_nginx_riot_web_data_path }}/riot.im.conf:/data/riot.im.conf:ro \ - --network {{ matrix_docker_network }} \ + --network={{ matrix_docker_network }} \ {% if not matrix_nginx_proxy_enabled %} -p 127.0.0.1:8765:8765 \ {% endif %} diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 4b716547..4f76ef3f 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -23,7 +23,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-synapse ExecStartPre=/bin/sleep 5 {% endif %} ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ - --network {{ matrix_docker_network }} \ + --network={{ matrix_docker_network }} \ -p 8448:8448 \ {% if not matrix_nginx_proxy_enabled %} -p 127.0.0.1:8008:8008 \ From cab54879d16f442c302391d7eaa47bc2581d8629 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 11 Aug 2018 09:44:11 +0300 Subject: [PATCH 0091/2384] Update dependencies --- roles/matrix-server/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index f1d3899f..85a04235 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -59,11 +59,11 @@ matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" -matrix_docker_image_postgres_v9: "postgres:9.6.9-alpine" -matrix_docker_image_postgres_v10: "postgres:10.4-alpine" +matrix_docker_image_postgres_v9: "postgres:9.6.10-alpine" +matrix_docker_image_postgres_v10: "postgres:10.5-alpine" matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" -matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.1" +matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.2" matrix_docker_image_nginx: "nginx:1.15.2-alpine" matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.0" matrix_docker_image_s3fs: "xueshanf/s3fs:latest" From 21da2f572b8df82c79c45742d73e3a54750fae19 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Aug 2018 14:11:41 +0300 Subject: [PATCH 0092/2384] Add email-sending support --- CHANGELOG.md | 10 ++++ docs/configuring-playbook-email.md | 21 +++++++ docs/configuring-playbook.md | 2 + roles/matrix-server/defaults/main.yml | 13 +++++ roles/matrix-server/tasks/main.yml | 5 ++ roles/matrix-server/tasks/setup_mailer.yml | 56 +++++++++++++++++++ roles/matrix-server/tasks/start.yml | 4 ++ .../matrix-server/templates/env/env-mailer.j2 | 8 +++ .../templates/synapse/homeserver.yaml.j2 | 30 +++++----- .../systemd/matrix-mailer.service.j2 | 20 +++++++ .../systemd/matrix-synapse.service.j2 | 3 + 11 files changed, 157 insertions(+), 15 deletions(-) create mode 100644 docs/configuring-playbook-email.md create mode 100644 roles/matrix-server/tasks/setup_mailer.yml create mode 100644 roles/matrix-server/templates/env/env-mailer.j2 create mode 100644 roles/matrix-server/templates/systemd/matrix-mailer.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b28c2f6..1956ac8e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +# 2018-08-14 + +## Email-sending support + +The playbook now configures an email-sending service (postfix) by default. +Additional details are available in [Adjusting email-sending settings](docs/configuring-playbook-email.md). + +With this, Matrix Synapse is able to send email notifications for missed messages, etc. + + # 2018-08-08 diff --git a/docs/configuring-playbook-email.md b/docs/configuring-playbook-email.md new file mode 100644 index 00000000..b308b6b4 --- /dev/null +++ b/docs/configuring-playbook-email.md @@ -0,0 +1,21 @@ +# Adjusting email-sending settings (optional) + +By default, this playbook sets up a [postfix](http://www.postfix.org/) email server through which all Matrix services send emails. + +The email server would attempt to deliver emails directly to their final destination. +This may or may not work, depending on your domain configuration (SPF settings, etc.) + +By default, emails are sent from `matrix@` (as specified by the `matrix_mailer_sender_address` playbook variable). + +Furthmore, if you'd like to relay email through another SMTP server, feel free to redefine a few more playbook variables. +Example: + +```yaml +matrix_mailer_sender_address: "another.sender@example.com" +matrix_mailer_relay_use: true +matrix_mailer_relay_host_name: "mail.example.com" +matrix_mailer_relay_host_port: 587 +matrix_mailer_relay_auth: true +matrix_mailer_relay_auth_username: "another.sender@example.com" +matrix_mailer_relay_auth_password: "some-password" +``` \ No newline at end of file diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 9b7d36b4..682afa54 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -23,6 +23,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins ## Other configuration options +- [Adjusting email-sending settings](configuring-playbook-email.md) (optional) + - [Storing Matrix media files on Amazon S3](configuring-playbook-s3.md) (optional) - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 85a04235..56674332 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -69,6 +69,7 @@ matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.0" matrix_docker_image_s3fs: "xueshanf/s3fs:latest" matrix_docker_image_goofys: "cloudproto/goofys:latest" matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.7" +matrix_docker_image_mailer: "panubo/postfix:latest" # The Docker network that all services would be put into matrix_docker_network: "matrix" @@ -89,6 +90,18 @@ matrix_s3_media_store_aws_access_key: "your-aws-access-key" matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" matrix_s3_media_store_region: "eu-central-1" +# By default, this playbook sets up a postfix mailer server (running in a container). +# This is so that Matrix Synapse can send email reminders for unread messages. +matrix_mailer_enabled: true + +matrix_mailer_sender_address: "matrix@{{ hostname_identity }}" +matrix_mailer_relay_use: false +matrix_mailer_relay_host_name: "mail.example.com" +matrix_mailer_relay_host_port: 587 +matrix_mailer_relay_auth: false +matrix_mailer_relay_auth_username: "" +matrix_mailer_relay_auth_password: "" + # By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain. # If you wish to connect to your Matrix server by other means, # you may wish to disable this. diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 9a87b23d..2808d003 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -37,6 +37,11 @@ - setup-all - setup-coturn +- include: tasks/setup_mailer.yml + tags: + - setup-all + - setup-mailer + - include: tasks/setup_synapse.yml tags: - setup-all diff --git a/roles/matrix-server/tasks/setup_mailer.yml b/roles/matrix-server/tasks/setup_mailer.yml new file mode 100644 index 00000000..7f8df8d5 --- /dev/null +++ b/roles/matrix-server/tasks/setup_mailer.yml @@ -0,0 +1,56 @@ +--- + +# +# Tasks related to setting up the mailer +# + +- name: Ensure mailer environment variables file created + template: + src: "{{ role_path }}/templates/env/{{ item }}.j2" + dest: "{{ matrix_environment_variables_data_path }}/{{ item }}" + mode: 0640 + with_items: + - "env-mailer" + +- name: Ensure mailer image is pulled + docker_image: + name: "{{ matrix_docker_image_mailer }}" + when: matrix_mailer_enabled + +- name: Ensure matrix-mailer.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mailer.service.j2" + dest: "/etc/systemd/system/matrix-mailer.service" + mode: 0644 + when: matrix_mailer_enabled + +# +# Tasks related to getting rid of the mailer (if it was previously enabled) +# + +- name: Check existence of matrix-mailer service + stat: path="/etc/systemd/system/matrix-mailer.service" + register: matrix_mailer_service_stat + +- name: Ensure matrix-mailer is stopped + service: name=matrix-mailer state=stopped daemon_reload=yes + register: stopping_result + when: "not matrix_mailer_enabled and matrix_mailer_service_stat.stat.exists" + +- name: Ensure matrix-mailer.service doesn't exist + file: + path: "/etc/systemd/system/matrix-mailer.service" + state: absent + when: "not matrix_mailer_enabled and matrix_mailer_service_stat.stat.exists" + +- name: Ensure Matrix mailer environment variables path doesn't exist + file: + path: "{{ matrix_environment_variables_data_path }}/env-mailer" + state: absent + when: "not matrix_mailer_enabled" + +- name: Ensure mailer Docker image doesn't exist + docker_image: + name: "{{ matrix_docker_image_mailer }}" + state: absent + when: "not matrix_mailer_enabled" \ No newline at end of file diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index 2ee6d2ba..80469456 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -11,6 +11,10 @@ - name: Ensure matrix-coturn autoruns and is restarted service: name=matrix-coturn enabled=yes state=restarted daemon_reload=yes +- name: Ensure matrix-mailer autoruns and is restarted + service: name=matrix-mailer enabled=yes state=restarted daemon_reload=yes + when: matrix_mailer_enabled + - name: Ensure matrix-synapse autoruns and is restarted service: name=matrix-synapse enabled=yes state=restarted daemon_reload=yes diff --git a/roles/matrix-server/templates/env/env-mailer.j2 b/roles/matrix-server/templates/env/env-mailer.j2 new file mode 100644 index 00000000..67f867e5 --- /dev/null +++ b/roles/matrix-server/templates/env/env-mailer.j2 @@ -0,0 +1,8 @@ +MAILNAME=matrix-mailer +{% if matrix_mailer_relay_use %} +RELAYHOST={{ matrix_mailer_relay_host_name }}:{{ matrix_mailer_relay_host_port }} +{% endif %} +{% if matrix_mailer_relay_auth %} +RELAYHOST_AUTH=yes +RELAYHOST_PASSWORDMAP={{ matrix_mailer_relay_host_name }}:{{ matrix_mailer_relay_auth_username }}:{{ matrix_mailer_relay_auth_password }} +{% endif %} \ No newline at end of file diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 3f908aae..fa0e396b 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -86,7 +86,7 @@ web_client: False # web_client_location: "/path/to/web/root" # The public-facing base URL for the client API (not including _matrix/...) -# public_baseurl: https://example.com:8448/ +public_baseurl: https://{{ hostname_matrix }}/ # Set the soft limit on the number of file descriptors synapse can use # Zero is used to indicate synapse should set the soft limit to the @@ -563,20 +563,20 @@ password_config: # If your SMTP server requires authentication, the optional smtp_user & # smtp_pass variables should be used # -#email: -# enable_notifs: false -# smtp_host: "localhost" -# smtp_port: 25 -# smtp_user: "exampleusername" -# smtp_pass: "examplepassword" -# require_transport_security: False -# notif_from: "Your Friendly %(app)s Home Server " -# app_name: Matrix -# template_dir: res/templates -# notif_template_html: notif_mail.html -# notif_template_text: notif_mail.txt -# notif_for_new_users: True -# riot_base_url: "http://localhost/riot" +{% if matrix_mailer_enabled %} +email: + enable_notifs: true + smtp_host: "matrix-mailer" + smtp_port: 587 + require_transport_security: false + notif_from: "Matrix <{{ matrix_mailer_sender_address }}>" + app_name: Matrix + template_dir: /synapse/res/templates + notif_template_html: notif_mail.html + notif_template_text: notif_mail.txt + notif_for_new_users: True + riot_base_url: "https://{{ hostname_riot }}" +{% endif %} # password_providers: diff --git a/roles/matrix-server/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-server/templates/systemd/matrix-mailer.service.j2 new file mode 100644 index 00000000..310d5502 --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-mailer.service.j2 @@ -0,0 +1,20 @@ +[Unit] +Description=Matrix mailer +After=docker.service +Requires=docker.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-mailer +ExecStartPre=-/usr/bin/docker rm matrix-mailer +ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_environment_variables_data_path }}/env-mailer \ + {{ matrix_docker_image_mailer }} +ExecStop=-/usr/bin/docker kill matrix-mailer +ExecStop=-/usr/bin/docker rm matrix-mailer +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 4f76ef3f..9918a21a 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -10,6 +10,9 @@ After=matrix-postgres.service After=matrix-goofys.service Requires=matrix-goofys.service {% endif %} +{% if matrix_mailer_enabled %} +Wants=matrix-mailer.service +{% endif %} Wants=matrix-coturn.service [Service] From 1c71cb110eb934d55486fabf14f451d830dc8dac Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Aug 2018 14:50:10 +0300 Subject: [PATCH 0093/2384] Change SSL certificate obtaining a bit --- roles/matrix-server/tasks/setup_ssl.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-server/tasks/setup_ssl.yml b/roles/matrix-server/tasks/setup_ssl.yml index c7f5da98..167b739b 100644 --- a/roles/matrix-server/tasks/setup_ssl.yml +++ b/roles/matrix-server/tasks/setup_ssl.yml @@ -49,8 +49,9 @@ - name: Ensure SSL certificates are marked as wanted in acmetool shell: >- - /usr/bin/docker run --rm --name acmetool-host-grab -p 80:80 + /usr/bin/docker run --rm --name acmetool --net=host -v {{ matrix_ssl_certs_path }}:/certs + -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool want {{ item }} --xlog.severity=debug From f3267479b8835e87278f7e47e3f2db26f4f79d88 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Aug 2018 09:01:41 +0300 Subject: [PATCH 0094/2384] Update README --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6ce36ecc..ffc824f9 100644 --- a/README.md +++ b/README.md @@ -14,11 +14,13 @@ Using this playbook, you can get the following services configured on your serve - (optional default) [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse. [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) is also possible. -- a [STUN/TURN server](https://github.com/coturn/coturn) for WebRTC audio/video calls +- a [coturn](https://github.com/coturn/coturn) STUN/TURN server for WebRTC audio/video calls + +- free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI - (optional default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Matrix Synapse server by default -- free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI +- (optional default) a [Postfix](http://postfix.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) - (optional default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](#using-your-own-webserver-instead-of-this-playbooks-nginx-proxy-optional) @@ -74,6 +76,8 @@ This playbook sets up your server using the following Docker images: - [cloudproto/goofys](https://hub.docker.com/r/cloudproto/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) +- [panubo/postfix](https://hub.docker.com/r/panubo/postfix/) - the [Postfix](http://postfix.org/) email server (optional) + - [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional) From dcf19154b264b267ddd2063ee935ad4865a3103b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Aug 2018 09:02:29 +0300 Subject: [PATCH 0095/2384] Update README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ffc824f9..ee5d8e03 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Using this playbook, you can get the following services configured on your serve - (optional default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Matrix Synapse server by default -- (optional default) a [Postfix](http://postfix.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) +- (optional default) a [Postfix](http://www.postfix.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) - (optional default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](#using-your-own-webserver-instead-of-this-playbooks-nginx-proxy-optional) @@ -76,7 +76,7 @@ This playbook sets up your server using the following Docker images: - [cloudproto/goofys](https://hub.docker.com/r/cloudproto/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) -- [panubo/postfix](https://hub.docker.com/r/panubo/postfix/) - the [Postfix](http://postfix.org/) email server (optional) +- [panubo/postfix](https://hub.docker.com/r/panubo/postfix/) - the [Postfix](http://www.postfix.org/) email server (optional) - [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional) From 617712000ebd5c1c2a0898e625184545684af947 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Aug 2018 10:19:31 +0300 Subject: [PATCH 0096/2384] Minor wording improvements --- docs/configuring-playbook-own-webserver.md | 2 +- docs/configuring-playbook.md | 2 +- .../templates/nginx-conf.d/matrix-riot-web.conf.j2 | 2 +- .../matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index ba6d8938..112e8918 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -12,7 +12,7 @@ All it takes is editing your configuration file (`inventory/matrix. matrix_nginx_proxy_enabled: false ``` -**Note**: even if you do this, in order [to install](#installing), this playbook still expects port 80 to be available. **Please manually stop your other webserver while installing**. You can start it back again afterwards. +**Note**: even if you do this, in order [to install](installing.md), this playbook still expects port 80 to be available. **Please manually stop your other webserver while installing**. You can start it back again afterwards. **If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 682afa54..a83d2742 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -1,4 +1,4 @@ -# Configuration the Ansible playbook +# Configuring the Ansible playbook Once you have your server and you have [configured your DNS records](configuring-dns.md#configuring-dns), you can proceed with configuring this playbook, so that it knows what to install and where. diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index c24daeda..43067514 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -46,7 +46,7 @@ server { set $backend "matrix-riot-web:8765"; proxy_pass http://$backend; {% else %} - {# Generic configuration for people to use outside of our container setup #} + {# Generic configuration for use outside of our container setup #} proxy_pass http://localhost:8765; {% endif %} diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 25276fa4..300705a0 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -46,7 +46,7 @@ server { set $backend "matrix-synapse:8008"; proxy_pass http://$backend; {% else %} - {# Generic configuration for people to use outside of our container setup #} + {# Generic configuration for use outside of our container setup #} proxy_pass http://localhost:8008; {% endif %} From 74093dfb155f2c41108cbea427d7a7ff05f08869 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Aug 2018 10:23:22 +0300 Subject: [PATCH 0097/2384] Add mxisd Identity Server support --- CHANGELOG.md | 8 ++ README.md | 4 + docs/configuring-dns.md | 8 +- docs/configuring-playbook-mxisd.md | 33 +++++++++ docs/configuring-playbook.md | 2 + roles/matrix-server/defaults/main.yml | 43 ++++++++++- roles/matrix-server/tasks/main.yml | 5 ++ roles/matrix-server/tasks/setup_mxisd.yml | 74 +++++++++++++++++++ roles/matrix-server/tasks/start.yml | 4 + .../templates/mxisd/mxisd.yaml.j2 | 19 +++++ .../nginx-conf.d/matrix-synapse.conf.j2 | 14 ++++ .../templates/riot-web/config.json.j2 | 2 +- .../templates/synapse/homeserver.yaml.j2 | 6 +- .../templates/systemd/matrix-mxisd.service.j2 | 29 ++++++++ .../systemd/matrix-nginx-proxy.service.j2 | 3 + 15 files changed, 247 insertions(+), 7 deletions(-) create mode 100644 docs/configuring-playbook-mxisd.md create mode 100644 roles/matrix-server/tasks/setup_mxisd.yml create mode 100644 roles/matrix-server/templates/mxisd/mxisd.yaml.j2 create mode 100644 roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 1956ac8e..f079951d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +# 2018-08-15 + +## mxisd Identity Server support + +The playbook now sets up an [mxisd](https://github.com/kamax-io/mxisd) Identity Server for you by default. +Additional details are available in [Adjusting mxisd Identity Server configuration](docs/configuring-playbook-mxisd.md). + + # 2018-08-14 ## Email-sending support diff --git a/README.md b/README.md index ee5d8e03..843d8008 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,8 @@ Using this playbook, you can get the following services configured on your serve - (optional default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Matrix Synapse server by default +- (optional default) an [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server + - (optional default) a [Postfix](http://www.postfix.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) - (optional default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](#using-your-own-webserver-instead-of-this-playbooks-nginx-proxy-optional) @@ -72,6 +74,8 @@ This playbook sets up your server using the following Docker images: - [avhost/docker-matrix-riot](https://hub.docker.com/r/avhost/docker-matrix-riot/) - the [Riot.im](https://about.riot.im/) web client (optional) +- [kamax/mxisd](https://hub.docker.com/r/kamax/mxisd/) - the [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server (optional) + - [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional) - [cloudproto/goofys](https://hub.docker.com/r/cloudproto/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 8d9d60a1..434416ad 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -12,8 +12,12 @@ The SRV record should look like this: - Name: `_matrix._tcp` (use this text as-is) - Content: `10 0 8448 matrix.` (replace `` with your own) -Once you've set up this DNS SRV record, you should create 2 other domain names (`matrix.` and `riot.`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` is fine). +To make the [mxisd](https://github.com/kamax-io/mxisd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this: +- Name: `_matrix-identity._tcp` (use this text as-is) +- Content: `10 0 443 matrix.` (replace `` with your own) -This playbook can then install all the services on that new server and you'll be able to join the Matrix network as `@:`, even though everything is installed elsewhere (not on ``). +Once you've set up these DNS SRV records, you should create 2 other domain names (`matrix.` and `riot.`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` is fine). + +This playbook can then install all the services on that new server and you'll be able to join the Matrix network as `@:`. When ready to proceed, continue with [Configuring this Ansible playbook](configuring-playbook.md). \ No newline at end of file diff --git a/docs/configuring-playbook-mxisd.md b/docs/configuring-playbook-mxisd.md new file mode 100644 index 00000000..ae6be2c2 --- /dev/null +++ b/docs/configuring-playbook-mxisd.md @@ -0,0 +1,33 @@ +# Adjusting mxisd Identity Server configuration (optional) + +By default, this playbook configures an [mxisd](https://github.com/kamax-io/mxisd) Identity Server for you. + +This server is private by default, potentially at the expense of user discoverability. + + +## Matrix.org lookup forwarding + +To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information). + +Enabling this is discouraged and you'd better [learn more](https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups) before proceeding. + +Enabling matrix.org forwarding can happen with the following configuration: + +```yaml +matrix_mxisd_matrixorg_forwarding_enabled: true +``` + + +## Additional features + +What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services. + +Still, mxisd can do much more. +You can refer to the [mxisd website](https://github.com/kamax-io/mxisd) for more details. + +You can override the `matrix_mxisd_template_config` variable and use your own custom configuration template. + + +## Troubleshooting + +If email address validation emails sent by mxisd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md). \ No newline at end of file diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index a83d2742..58f2133b 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -29,4 +29,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional) +- [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) (optional) + - [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional) \ No newline at end of file diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 56674332..429c57fc 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -46,6 +46,16 @@ matrix_synapse_macaroon_secret_key: "" matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}" matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" +# These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled +matrix_synapse_id_servers_public: ['vector.im', 'riot.im', 'matrix.org'] + +# These are the identity servers that would be trusted by Synapse if mxisd IS enabled +matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']" + +# The final list of identity servers to use for Synapse. +# The first one would also be used as riot-web's default identity server. +matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_own if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" + matrix_synapse_max_upload_size_mb: 10 matrix_synapse_max_log_file_size_mb: 100 matrix_synapse_max_log_files_count: 10 @@ -58,7 +68,6 @@ matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" - matrix_docker_image_postgres_v9: "postgres:9.6.10-alpine" matrix_docker_image_postgres_v10: "postgres:10.5-alpine" matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" @@ -70,6 +79,7 @@ matrix_docker_image_s3fs: "xueshanf/s3fs:latest" matrix_docker_image_goofys: "cloudproto/goofys:latest" matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.7" matrix_docker_image_mailer: "panubo/postfix:latest" +matrix_docker_image_mxisd: "kamax/mxisd:1.1.1" # The Docker network that all services would be put into matrix_docker_network: "matrix" @@ -84,14 +94,17 @@ matrix_coturn_turn_udp_max_port: 49172 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" + matrix_s3_media_store_enabled: false matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "your-aws-access-key" matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" matrix_s3_media_store_region: "eu-central-1" + # By default, this playbook sets up a postfix mailer server (running in a container). # This is so that Matrix Synapse can send email reminders for unread messages. +# Other services (like mxisd), however, also use that mailer to send emails through it. matrix_mailer_enabled: true matrix_mailer_sender_address: "matrix@{{ hostname_identity }}" @@ -102,11 +115,39 @@ matrix_mailer_relay_auth: false matrix_mailer_relay_auth_username: "" matrix_mailer_relay_auth_password: "" + +# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`). +# If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own, +# you may wish to disable this. +matrix_mxisd_enabled: true + +matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" +matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" +matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" + +# Your identity server is private by default. +# To ensure maximum discovery, you can make your identity server +# also forward lookups to the central matrix.org Identity server +# (at the cost of potentially leaking all your contacts information). +# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups +matrix_mxisd_matrixorg_forwarding_enabled: false + +# Specifies which template files to use when configuring mxisd. +# If you'd like to have your own different configuration, feel free to copy and paste +# the original files into your inventory (e.g. in `inventory/host_vars//`) +# and then change the specific host's `vars.yaml` file like this: +# matrix_mxisd_template_config: "{{ playbook_dir }}/inventory/host_vars//mxisd.yaml.j2" +matrix_mxisd_template_config: "{{ role_path }}/templates/mxisd/mxisd.yaml.j2" + + # By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain. # If you wish to connect to your Matrix server by other means, # you may wish to disable this. matrix_riot_web_enabled: true +matrix_riot_web_default_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}" + + # By default, this playbook sets up its own nginx proxy server on port 80/443. # This is fine if you're dedicating the whole server to Matrix. # But in case that's not the case, you may wish to prevent that diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 2808d003..c1447b23 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -42,6 +42,11 @@ - setup-all - setup-mailer +- include: tasks/setup_mxisd.yml + tags: + - setup-all + - setup-mxisd + - include: tasks/setup_synapse.yml tags: - setup-all diff --git a/roles/matrix-server/tasks/setup_mxisd.yml b/roles/matrix-server/tasks/setup_mxisd.yml new file mode 100644 index 00000000..5c10c9ad --- /dev/null +++ b/roles/matrix-server/tasks/setup_mxisd.yml @@ -0,0 +1,74 @@ +--- + +# +# Tasks related to setting up mxisd +# + +- name: Fail if mailer is not enabled + fail: + msg: "You need to enable the mailer service (matrix_mailer_enabled) to install mxisd" + when: "matrix_mxisd_enabled and not matrix_mailer_enabled" + +- name: Ensure mxisd paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_mxisd_config_path }}" + - "{{ matrix_mxisd_data_path }}" + when: matrix_mxisd_enabled + +- name: Ensure mxisd image is pulled + docker_image: + name: "{{ matrix_docker_image_mxisd }}" + when: matrix_mxisd_enabled + +- name: Ensure mxisd config installed + template: + src: "{{ matrix_mxisd_template_config }}" + dest: "{{ matrix_mxisd_config_path }}/mxisd.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: matrix_mxisd_enabled + +- name: Ensure matrix-mxisd.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mxisd.service.j2" + dest: "/etc/systemd/system/matrix-mxisd.service" + mode: 0644 + when: matrix_mxisd_enabled + +# +# Tasks related to getting rid of mxisd (if it was previously enabled) +# + +- name: Check existence of matrix-mxisd service + stat: path="/etc/systemd/system/matrix-mxisd.service" + register: matrix_mxisd_service_stat + +- name: Ensure matrix-mxisd is stopped + service: name=matrix-mxisd state=stopped daemon_reload=yes + register: stopping_result + when: "not matrix_mxisd_enabled and matrix_mxisd_service_stat.stat.exists" + +- name: Ensure matrix-mxisd.service doesn't exist + file: + path: "/etc/systemd/system/matrix-mxisd.service" + state: absent + when: "not matrix_mxisd_enabled and matrix_mxisd_service_stat.stat.exists" + +- name: Ensure Matrix mxisd paths don't exist + file: + path: "{{ matrix_mxisd_base_path }}" + state: absent + when: "not matrix_mxisd_enabled" + +- name: Ensure mxisd Docker image doesn't exist + docker_image: + name: "{{ matrix_docker_image_mxisd }}" + state: absent + when: "not matrix_mxisd_enabled" \ No newline at end of file diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index 80469456..c2cedca4 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -15,6 +15,10 @@ service: name=matrix-mailer enabled=yes state=restarted daemon_reload=yes when: matrix_mailer_enabled +- name: Ensure matrix-mxisd autoruns and is restarted + service: name=matrix-mxisd enabled=yes state=restarted daemon_reload=yes + when: matrix_mxisd_enabled + - name: Ensure matrix-synapse autoruns and is restarted service: name=matrix-synapse enabled=yes state=restarted daemon_reload=yes diff --git a/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 b/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 new file mode 100644 index 00000000..99c2d3d6 --- /dev/null +++ b/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 @@ -0,0 +1,19 @@ +matrix.domain: {{ hostname_identity }} +server.name: {{ hostname_matrix }} + +key.path: /var/mxisd/sign.key + +storage.provider.sqlite.database: /var/mxisd/mxisd.db + +threepid.medium.email.identity.from: {{ matrix_mailer_sender_address }} +threepid.medium.email.connectors.smtp.host: matrix-mailer +threepid.medium.email.connectors.smtp.port: 587 +threepid.medium.email.connectors.smtp.tls: 0 + +synapseSql.enabled: true +synapseSql.type: postgresql +synapseSql.connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }} + +{% if matrix_mxisd_matrixorg_forwarding_enabled %} +forward.servers: ['matrix-org'] +{% endif %} \ No newline at end of file diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 300705a0..706a41a5 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -39,6 +39,20 @@ server { ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + {% if matrix_mxisd_enabled %} + location /_matrix/identity { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mxisd:8090"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://localhost:8090; + {% endif %} + } + {% endif %} + location /_matrix { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} diff --git a/roles/matrix-server/templates/riot-web/config.json.j2 b/roles/matrix-server/templates/riot-web/config.json.j2 index ea2fed53..abb7f0e1 100644 --- a/roles/matrix-server/templates/riot-web/config.json.j2 +++ b/roles/matrix-server/templates/riot-web/config.json.j2 @@ -1,6 +1,6 @@ { "default_hs_url": "https://{{ hostname_matrix }}", - "default_is_url": "https://vector.im", + "default_is_url": "{{ matrix_riot_web_default_identity_server_url }}", "disable_custom_urls": true, "disable_guests": false, "brand": "Riot", diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index fa0e396b..64020d33 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -446,9 +446,9 @@ allow_guest_access: False # The list of identity servers trusted to verify third party # identifiers by this server. trusted_third_party_id_servers: - - matrix.org - - vector.im - - riot.im +{% for server in matrix_synapse_trusted_third_party_id_servers %} + - {{ server }} +{% endfor %} # Users who register on this homeserver will automatically be joined # to these rooms diff --git a/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 new file mode 100644 index 00000000..637965c0 --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 @@ -0,0 +1,29 @@ +[Unit] +Description=Matrix mxisd identity server +After=docker.service +Requires=docker.service +{% if not matrix_postgres_use_external %} +Requires=matrix-postgres.service +After=matrix-postgres.service +{% endif %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-mxisd +ExecStartPre=-/usr/bin/docker rm matrix-mxisd +ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --network={{ matrix_docker_network }} \ + {% if not matrix_nginx_proxy_enabled %} + -p 127.0.0.1:8090:8090 \ + {% endif %} + -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ + -v {{ matrix_mxisd_data_path }}:/var/mxisd \ + {{ matrix_docker_image_mxisd }} +ExecStop=-/usr/bin/docker kill matrix-mxisd +ExecStop=-/usr/bin/docker rm matrix-mxisd +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index c97478f1..dc096d51 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -6,6 +6,9 @@ Wants=matrix-synapse.service {% if matrix_riot_web_enabled %} Wants=matrix-riot-web.service {% endif %} +{% if matrix_mxisd_enabled %} +Wants=matrix-mxisd.service +{% endif %} [Service] Type=simple From 1a97a3001940bc247ab9b80f4774777c0bf13206 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Aug 2018 11:41:36 +0300 Subject: [PATCH 0098/2384] Update README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 843d8008..91fbcb6f 100644 --- a/README.md +++ b/README.md @@ -35,6 +35,8 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one is a complete Ansible playbook (instead of just a role), so it's **easier to run** - especially for folks not familiar with Ansible +- this one installs and hooks together **a lot more Matrix-related services** for you (see above) + - this one **can be re-ran many times** without causing trouble - works on both **CentOS** (7.0+) and Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+) From a302a7d7489eca3c16f8ba0b046fa6f7fbb07730 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Aug 2018 07:27:02 +0300 Subject: [PATCH 0099/2384] Only run federation on 8448 and client on 80 This disables federation on the 80 port, as it's not necessary. We also disable the old Angular webclient. For the federation port (8448), we disable the client APIs as those are not necessary. Those can even cause trouble if one doesn't know about them and thinks that guarding the client APIs at the 80 port is enough. --- CHANGELOG.md | 12 ++++++++++++ .../templates/synapse/homeserver.yaml.j2 | 15 +-------------- 2 files changed, 13 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f079951d..10ff3ae9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# 2018-08-17 + +## Disabling some unnecessary Synapse services + +The following services are not necessary, so they have been disabled: +- on the federation port (8448): the `client` service +- on the http port (80): the old Angular `webclient` and the `federation` service + +Federation runs only on the federation port (8448) now. +The Client APIs run only on the http port (80) now. + + # 2018-08-15 ## mxisd Identity Server support diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 64020d33..106c8f16 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -143,17 +143,6 @@ listeners: # List of HTTP resources to serve on this listener. resources: - - - # List of resources to host on this listener. - names: - - client # The client-server APIs, both v1 and v2 - - webclient # The bundled webclient. - - # Should synapse compress HTTP responses to clients that support it? - # This should be disabled if running synapse behind a load balancer - # that can do automatic compression. - compress: true - - names: [federation] # Federation APIs compress: false @@ -174,10 +163,8 @@ listeners: x_forwarded: true resources: - - names: [client, webclient] + - names: [client] compress: true - - names: [federation] - compress: false # Turn on the twisted ssh manhole service on localhost on the given # port. From df79901f8b488fe707fcd424f705948b94195dda Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Aug 2018 08:00:38 +0300 Subject: [PATCH 0100/2384] Improve compression support --- CHANGELOG.md | 9 +++++++++ .../templates/nginx-conf.d/matrix-riot-web.conf.j2 | 3 +++ .../templates/nginx-conf.d/matrix-synapse.conf.j2 | 3 +++ roles/matrix-server/templates/synapse/homeserver.yaml.j2 | 2 +- 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 10ff3ae9..f9401b9d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,14 @@ # 2018-08-17 +## Compression improvements + +Shifted Matrix Synapse compression from happening in the Matrix Synapse, +to happening in the nginx proxy that's in front of it. + +Additionally, `riot-web` also gets compressed now (in the nginx proxy), +which drops the initial page load's size from 5.31MB to 1.86MB. + + ## Disabling some unnecessary Synapse services The following services are not necessary, so they have been disabled: diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index 43067514..3affc577 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -33,6 +33,9 @@ server { server_tokens off; root /dev/null; + gzip on; + gzip_types text/plain text/html application/json application/javascript text/css image/x-icon font/ttf image/gif; + ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/fullchain; ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/privkey; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 706a41a5..f22eebcc 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -33,6 +33,9 @@ server { server_tokens off; root /dev/null; + gzip on; + gzip_types text/plain text/html application/json; + ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_matrix }}/fullchain; ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_matrix }}/privkey; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 106c8f16..6c77af18 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -164,7 +164,7 @@ listeners: resources: - names: [client] - compress: true + compress: false # Turn on the twisted ssh manhole service on localhost on the given # port. From 7e543f32d9432d45dcea688b8fd21090415a9e75 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Aug 2018 09:01:06 +0300 Subject: [PATCH 0101/2384] Add LICENSE file --- LICENSE | 661 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 661 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 00000000..0ad25db4 --- /dev/null +++ b/LICENSE @@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. +The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. + + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. From ea43d46b702142f5c0e5cedeba6698bef5eb7dc2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Aug 2018 09:02:12 +0300 Subject: [PATCH 0102/2384] Add matrix-synapse-rest-auth support --- CHANGELOG.md | 7 ++ README.md | 2 + docs/configuring-playbook-rest-auth.md | 15 +++ docs/configuring-playbook.md | 4 +- roles/matrix-server/defaults/main.yml | 26 ++++- roles/matrix-server/tasks/setup_synapse.yml | 98 +------------------ .../matrix-server/tasks/setup_synapse_ext.yml | 3 + .../tasks/setup_synapse_ext_rest_auth.yml | 45 +++++++++ .../tasks/setup_synapse_main.yml | 84 ++++++++++++++++ .../matrix-server/tasks/setup_synapse_pre.yml | 17 ++++ .../templates/synapse/homeserver.yaml.j2 | 18 +++- .../templates/synapse/synapse.log.config.j2 | 5 + .../systemd/matrix-synapse.service.j2 | 3 + 13 files changed, 229 insertions(+), 98 deletions(-) create mode 100644 docs/configuring-playbook-rest-auth.md create mode 100644 roles/matrix-server/tasks/setup_synapse_ext.yml create mode 100644 roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml create mode 100644 roles/matrix-server/tasks/setup_synapse_main.yml create mode 100644 roles/matrix-server/tasks/setup_synapse_pre.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index f9401b9d..9fddab89 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # 2018-08-17 +## REST auth support via matrix-synapse-rest-auth + +The playbook can now install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you. + +Additional details are available in [Setting up the REST authentication password provider module](docs/configuring-playbook-rest-auth.md). + + ## Compression improvements Shifted Matrix Synapse compression from happening in the Matrix Synapse, diff --git a/README.md b/README.md index 91fbcb6f..59c64832 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,8 @@ Using this playbook, you can get the following services configured on your serve - (optional default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](#using-your-own-webserver-instead-of-this-playbooks-nginx-proxy-optional) +- (optional) the [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) REST authentication password provider module + Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. diff --git a/docs/configuring-playbook-rest-auth.md b/docs/configuring-playbook-rest-auth.md new file mode 100644 index 00000000..dc595b05 --- /dev/null +++ b/docs/configuring-playbook-rest-auth.md @@ -0,0 +1,15 @@ +# Setting up the REST authentication password provider module + +The playbook can now install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you. + +See that project's documentation to learn what it does and why it might be useful to you. + +If you decide that you'd like to let this playbook install it for you, you need soem configuration like this: + +```yaml +matrix_synapse_ext_password_provider_rest_auth_enabled: true +matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://change.me.example.com:12345" +matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false +matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true +matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false +``` \ No newline at end of file diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 58f2133b..2daf5767 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -31,4 +31,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) (optional) -- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional) \ No newline at end of file +- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional) + +- [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional) \ No newline at end of file diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 429c57fc..25070d6f 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -33,6 +33,7 @@ matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run" matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" +matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" # Specifies which template files to use when configuring Synapse. # If you'd like to have your own different configuration, feel free to copy and paste @@ -60,6 +61,29 @@ matrix_synapse_max_upload_size_mb: 10 matrix_synapse_max_log_file_size_mb: 100 matrix_synapse_max_log_files_count: 10 +# A list of additional "volumes" to mount in the container. +# This list gets populated dynamically based on Synapse extensions that have been enabled. +# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} +matrix_synapse_container_additional_volumes: [] + +# A list of additional loggers to register in synapse.log.config. +# This list gets populated dynamically based on Synapse extensions that have been enabled. +# Contains definition objects like this: `{"name": "..", "level": "DEBUG"} +matrix_synapse_additional_loggers: [] + +# This is set dynamically during execution depending on whether +# any password providers have been enabled or not. +matrix_synapse_password_providers_enabled: false + +# Enable this to activate the REST auth password provider module +# See: https://github.com/kamax-io/matrix-synapse-rest-auth +matrix_synapse_ext_password_provider_rest_auth_enabled: false +matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.1/rest_auth_provider.py" +matrix_synapse_ext_password_provider_rest_auth_endpoint: "" +matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false +matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true +matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false + matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" @@ -159,4 +183,4 @@ matrix_ssl_renew_cron_time_definition: "15 4 */5 * *" # Specifies when to reload the matrix-nginx-proxy service so that # a new SSL certificate could go into effect. -matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" +matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml index eb254e75..5c9348c3 100644 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ b/roles/matrix-server/tasks/setup_synapse.yml @@ -1,99 +1,7 @@ --- -- name: Fail if Macaroon key is missing - fail: - msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable" - when: "matrix_synapse_macaroon_secret_key == ''" +- include: tasks/setup_synapse_pre.yml -- name: Ensure Matrix Synapse paths exist - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - "{{ matrix_synapse_config_dir_path }}" - - "{{ matrix_synapse_run_path }}" - - "{{ matrix_synapse_storage_path }}" - # We handle matrix_synapse_media_store_path below, not here, - # because if it's using S3fs and it's already mounted (from before), - # trying to chown/chmod it here will cause trouble. +- include: tasks/setup_synapse_ext.yml -# This will throw a Permission Denied error if already mounted using fuse -- name: Check Matrix Synapse media store path - stat: path="{{ matrix_synapse_media_store_path }}" - register: local_path_media_store_stat - ignore_errors: yes - -# This is separate and conditional, to ensure we don't execute it -# if the path already exists or we failed to check, because it's mounted using fuse. -- name: Ensure Matrix media store path exists - file: - path: "{{ matrix_synapse_media_store_path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" - -- name: Ensure Matrix Docker image is pulled - docker_image: - name: "{{ matrix_docker_image_synapse }}" - -- name: Check if a Matrix Synapse configuration exists - stat: - path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" - register: matrix_synapse_config_stat - -# We do this mostly so that the keys would get generated. -# We'll replace the rest of the configuration with our own templates below. -- name: Generate initial Matrix config - docker_container: - name: matrix-config - image: "{{ matrix_docker_image_synapse }}" - detach: no - cleanup: yes - command: generate - env: - SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" - SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}" - SYNAPSE_REPORT_STATS: "no" - user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" - volumes: - - "{{ matrix_synapse_config_dir_path }}:/data" - when: "not matrix_synapse_config_stat.stat.exists" - -- name: Ensure Matrix homeserver config installed - template: - src: "{{ matrix_synapse_template_synapse_homeserver }}" - dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" - mode: 0644 - -- name: Ensure Matrix log config installed - template: - src: "{{ matrix_synapse_template_synapse_log }}" - dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" - mode: 0644 - -- name: Ensure matrix-synapse.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2" - dest: "/etc/systemd/system/matrix-synapse.service" - mode: 0644 - -- name: Ensure matrix-synapse-register-user script created - template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2" - dest: "/usr/local/bin/matrix-synapse-register-user" - mode: 0750 - -- name: Allow access to Matrix ports in firewalld - firewalld: - port: "{{ item }}" - state: enabled - immediate: yes - permanent: yes - with_items: - - '8448/tcp' # Matrix federation - when: ansible_os_family == 'RedHat' +- include: tasks/setup_synapse_main.yml diff --git a/roles/matrix-server/tasks/setup_synapse_ext.yml b/roles/matrix-server/tasks/setup_synapse_ext.yml new file mode 100644 index 00000000..dd36b09c --- /dev/null +++ b/roles/matrix-server/tasks/setup_synapse_ext.yml @@ -0,0 +1,3 @@ +--- + +- include: tasks/setup_synapse_ext_rest_auth.yml \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml b/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml new file mode 100644 index 00000000..85098c0a --- /dev/null +++ b/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml @@ -0,0 +1,45 @@ +--- + +# +# Tasks related to setting up matrix-synapse-rest-auth +# + +- name: Download matrix-synapse-rest-auth + get_url: + url: "{{ matrix_synapse_ext_password_provider_rest_auth_download_url }}" + dest: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py" + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- set_fact: + matrix_synapse_password_providers_enabled: true + when: "matrix_synapse_ext_password_provider_rest_auth_enabled" + +- set_fact: + matrix_synapse_container_additional_volumes: > + {{ matrix_synapse_container_additional_volumes }} + + + {{ [{'src': '{{ matrix_synapse_ext_path }}/rest_auth_provider.py', 'dst': '/usr/local/lib/python2.7/site-packages/rest_auth_provider.py', 'options': 'ro'}] }} + when: "matrix_synapse_ext_password_provider_rest_auth_enabled" + +- set_fact: + matrix_synapse_additional_loggers: > + {{ matrix_synapse_additional_loggers }} + + + {{ [{'name': 'rest_auth_provider', 'level': 'DEBUG'}] }} + when: "matrix_synapse_ext_password_provider_rest_auth_enabled" + +- debug: var="matrix_synapse_container_additional_volumes" + +- debug: var="matrix_synapse_additional_loggers" + +# +# Tasks related to getting rid of matrix-synapse-rest-auth (if it was previously enabled) +# + +- name: Ensure matrix-synapse-rest-auth doesn't exist + file: + path: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py" + state: absent + when: "not matrix_synapse_ext_password_provider_rest_auth_enabled" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_synapse_main.yml b/roles/matrix-server/tasks/setup_synapse_main.yml new file mode 100644 index 00000000..9a5169d2 --- /dev/null +++ b/roles/matrix-server/tasks/setup_synapse_main.yml @@ -0,0 +1,84 @@ +--- + +- name: Fail if Macaroon key is missing + fail: + msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable" + when: "matrix_synapse_macaroon_secret_key == ''" + +# This will throw a Permission Denied error if already mounted using fuse +- name: Check Matrix Synapse media store path + stat: path="{{ matrix_synapse_media_store_path }}" + register: local_path_media_store_stat + ignore_errors: yes + +# This is separate and conditional, to ensure we don't execute it +# if the path already exists or we failed to check, because it's mounted using fuse. +- name: Ensure Matrix media store path exists + file: + path: "{{ matrix_synapse_media_store_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" + +- name: Ensure Matrix Docker image is pulled + docker_image: + name: "{{ matrix_docker_image_synapse }}" + +- name: Check if a Matrix Synapse configuration exists + stat: + path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" + register: matrix_synapse_config_stat + +# We do this mostly so that the keys would get generated. +# We'll replace the rest of the configuration with our own templates below. +- name: Generate initial Matrix config + docker_container: + name: matrix-config + image: "{{ matrix_docker_image_synapse }}" + detach: no + cleanup: yes + command: generate + env: + SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" + SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}" + SYNAPSE_REPORT_STATS: "no" + user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" + volumes: + - "{{ matrix_synapse_config_dir_path }}:/data" + when: "not matrix_synapse_config_stat.stat.exists" + +- name: Ensure Matrix homeserver config installed + template: + src: "{{ matrix_synapse_template_synapse_homeserver }}" + dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" + mode: 0644 + +- name: Ensure Matrix log config installed + template: + src: "{{ matrix_synapse_template_synapse_log }}" + dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" + mode: 0644 + +- name: Ensure matrix-synapse.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2" + dest: "/etc/systemd/system/matrix-synapse.service" + mode: 0644 + +- name: Ensure matrix-synapse-register-user script created + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2" + dest: "/usr/local/bin/matrix-synapse-register-user" + mode: 0750 + +- name: Allow access to Matrix ports in firewalld + firewalld: + port: "{{ item }}" + state: enabled + immediate: yes + permanent: yes + with_items: + - '8448/tcp' # Matrix federation + when: ansible_os_family == 'RedHat' diff --git a/roles/matrix-server/tasks/setup_synapse_pre.yml b/roles/matrix-server/tasks/setup_synapse_pre.yml new file mode 100644 index 00000000..77fa51a1 --- /dev/null +++ b/roles/matrix-server/tasks/setup_synapse_pre.yml @@ -0,0 +1,17 @@ +--- + +- name: Ensure Matrix Synapse paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_synapse_config_dir_path }}" + - "{{ matrix_synapse_run_path }}" + - "{{ matrix_synapse_storage_path }}" + - "{{ matrix_synapse_ext_path }}" + # We handle matrix_synapse_media_store_path elsewhere (in setup_synapse.yml), + # because if it's using S3fs and it's already mounted (from before), + # trying to chown/chmod it here will cause trouble. diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 6c77af18..22cdef0b 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -580,7 +580,23 @@ email: # #bind_dn: # #bind_password: # #filter: "(objectClass=posixAccount)" - +{% if matrix_synapse_password_providers_enabled %} +password_providers: +{% if matrix_synapse_ext_password_provider_rest_auth_enabled %} + - module: "rest_auth_provider.RestAuthProvider" + config: + endpoint: "{{ matrix_synapse_ext_password_provider_rest_auth_endpoint }}" + policy: + registration: + username: + enforceLowercase: {{ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase }} + profile: + name: {{ matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill }} + login: + profile: + name: {{ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill }} +{% endif %} +{% endif %} # Clients requesting push notifications can either have the body of diff --git a/roles/matrix-server/templates/synapse/synapse.log.config.j2 b/roles/matrix-server/templates/synapse/synapse.log.config.j2 index 2b779653..2cd6ea57 100644 --- a/roles/matrix-server/templates/synapse/synapse.log.config.j2 +++ b/roles/matrix-server/templates/synapse/synapse.log.config.j2 @@ -32,6 +32,11 @@ loggers: # information such as access tokens. level: INFO +{% for logger in matrix_synapse_additional_loggers %} + {{ logger.name }}: + level: {{ logger.level }} +{% endfor %} + root: level: INFO handlers: [file, console] diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 9918a21a..34ee8084 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -34,6 +34,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ -v {{ matrix_synapse_config_dir_path }}:/data \ -v {{ matrix_synapse_run_path }}:/matrix-run \ -v {{ matrix_synapse_storage_path }}:/matrix-storage:slave \ + {% for volume in matrix_synapse_container_additional_volumes %} + -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + {% endfor %} -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml \ {{ matrix_docker_image_synapse }} ExecStop=-/usr/bin/docker kill matrix-synapse From 2b2e996cf92d6ef69db8cda4b9cb27949835956b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Aug 2018 09:04:20 +0300 Subject: [PATCH 0103/2384] Fix typo --- docs/configuring-playbook-rest-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-rest-auth.md b/docs/configuring-playbook-rest-auth.md index dc595b05..e393b4f5 100644 --- a/docs/configuring-playbook-rest-auth.md +++ b/docs/configuring-playbook-rest-auth.md @@ -4,7 +4,7 @@ The playbook can now install and configure [matrix-synapse-rest-auth](https://gi See that project's documentation to learn what it does and why it might be useful to you. -If you decide that you'd like to let this playbook install it for you, you need soem configuration like this: +If you decide that you'd like to let this playbook install it for you, you need some configuration like this: ```yaml matrix_synapse_ext_password_provider_rest_auth_enabled: true From 25becc63d58fbebd540f34c36d06bd5ed06cfa73 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Aug 2018 09:25:52 +0300 Subject: [PATCH 0104/2384] Minor fixups for the matrix-synapse-rest-auth handling --- roles/matrix-server/defaults/main.yml | 2 +- roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 25070d6f..e8ab727a 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -75,7 +75,7 @@ matrix_synapse_additional_loggers: [] # any password providers have been enabled or not. matrix_synapse_password_providers_enabled: false -# Enable this to activate the REST auth password provider module +# Enable this to activate the REST auth password provider module. # See: https://github.com/kamax-io/matrix-synapse-rest-auth matrix_synapse_ext_password_provider_rest_auth_enabled: false matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.1/rest_auth_provider.py" diff --git a/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml b/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml index 85098c0a..fa4c2f9e 100644 --- a/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml +++ b/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml @@ -8,9 +8,11 @@ get_url: url: "{{ matrix_synapse_ext_password_provider_rest_auth_download_url }}" dest: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py" + force: true mode: 0440 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" + when: "matrix_synapse_ext_password_provider_rest_auth_enabled" - set_fact: matrix_synapse_password_providers_enabled: true From 21a108262f3eb34388266c041e1b6d6ac131c0a1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Aug 2018 09:30:41 +0300 Subject: [PATCH 0105/2384] Remove some leftover debug statements --- roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml b/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml index fa4c2f9e..d08206ca 100644 --- a/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml +++ b/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml @@ -32,10 +32,6 @@ {{ [{'name': 'rest_auth_provider', 'level': 'DEBUG'}] }} when: "matrix_synapse_ext_password_provider_rest_auth_enabled" -- debug: var="matrix_synapse_container_additional_volumes" - -- debug: var="matrix_synapse_additional_loggers" - # # Tasks related to getting rid of matrix-synapse-rest-auth (if it was previously enabled) # From 832a4d71c18b22b5e637dbd371b6dbd7c2d1bdcb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Aug 2018 09:35:52 +0300 Subject: [PATCH 0106/2384] Default to INFO logging for matrix-synapse-rest-auth, not DEBUG --- roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml b/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml index d08206ca..37f90be7 100644 --- a/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml +++ b/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml @@ -29,7 +29,7 @@ matrix_synapse_additional_loggers: > {{ matrix_synapse_additional_loggers }} + - {{ [{'name': 'rest_auth_provider', 'level': 'DEBUG'}] }} + {{ [{'name': 'rest_auth_provider', 'level': 'INFO'}] }} when: "matrix_synapse_ext_password_provider_rest_auth_enabled" # From b0f1a1c80f10bec087549de200c5826d5ce58575 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Aug 2018 10:44:34 +0300 Subject: [PATCH 0107/2384] Fix nginx warning: adding already-default text/html to gzip_types --- .../matrix-server/tasks/setup_synapse_ext.yml | 4 +- .../setup_synapse_ext_shared_secret_auth.yml | 43 +++++++++++++++++++ .../nginx-conf.d/matrix-riot-web.conf.j2 | 2 +- .../nginx-conf.d/matrix-synapse.conf.j2 | 2 +- .../templates/synapse/homeserver.yaml.j2 | 5 +++ 5 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 roles/matrix-server/tasks/setup_synapse_ext_shared_secret_auth.yml diff --git a/roles/matrix-server/tasks/setup_synapse_ext.yml b/roles/matrix-server/tasks/setup_synapse_ext.yml index dd36b09c..e55cd195 100644 --- a/roles/matrix-server/tasks/setup_synapse_ext.yml +++ b/roles/matrix-server/tasks/setup_synapse_ext.yml @@ -1,3 +1,5 @@ --- -- include: tasks/setup_synapse_ext_rest_auth.yml \ No newline at end of file +- include: tasks/setup_synapse_ext_rest_auth.yml + +- include: tasks/setup_synapse_ext_shared_secret_auth.yml \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_synapse_ext_shared_secret_auth.yml b/roles/matrix-server/tasks/setup_synapse_ext_shared_secret_auth.yml new file mode 100644 index 00000000..f96a5ce0 --- /dev/null +++ b/roles/matrix-server/tasks/setup_synapse_ext_shared_secret_auth.yml @@ -0,0 +1,43 @@ +--- + +# +# Tasks related to setting up matrix-synapse-shared-secret-auth +# + +- name: Download matrix-synapse-shared-secret-auth + get_url: + url: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_download_url }}" + dest: "{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py" + force: true + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled" + +- set_fact: + matrix_synapse_password_providers_enabled: true + when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled" + +- set_fact: + matrix_synapse_container_additional_volumes: > + {{ matrix_synapse_container_additional_volumes }} + + + {{ [{'src': '{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py', 'dst': '/usr/local/lib/python2.7/site-packages/shared_secret_authenticator.py', 'options': 'ro'}] }} + when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled" + +- set_fact: + matrix_synapse_additional_loggers: > + {{ matrix_synapse_additional_loggers }} + + + {{ [{'name': 'shared_secret_authenticator', 'level': 'INFO'}] }} + when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled" + +# +# Tasks related to getting rid of matrix-synapse-shared-secret-auth (if it was previously enabled) +# + +- name: Ensure matrix-synapse-shared-secret-auth doesn't exist + file: + path: "{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py" + state: absent + when: "not matrix_synapse_ext_password_provider_shared_secret_auth_enabled" \ No newline at end of file diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index 3affc577..9d682980 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -34,7 +34,7 @@ server { root /dev/null; gzip on; - gzip_types text/plain text/html application/json application/javascript text/css image/x-icon font/ttf image/gif; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/fullchain; ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/privkey; diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index f22eebcc..b636080a 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -34,7 +34,7 @@ server { root /dev/null; gzip on; - gzip_types text/plain text/html application/json; + gzip_types text/plain application/json; ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_matrix }}/fullchain; ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_matrix }}/privkey; diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 22cdef0b..4a60a6be 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -596,6 +596,11 @@ password_providers: profile: name: {{ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill }} {% endif %} +{% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} + - module: "shared_secret_authenticator.SharedSecretAuthenticator" + config: + sharedSecret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" +{% endif %} {% endif %} From f72882fe1a5bef6284c0799366c39af2a5be7beb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Aug 2018 12:22:05 +0300 Subject: [PATCH 0108/2384] Fix user registration regression Regression since a302a7d7489ec, which made the Matrix Client API only available on the http port (8008) and not over the federation port (8448). --- CHANGELOG.md | 4 ++-- .../templates/usr-local-bin/matrix-synapse-register-user.j2 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9fddab89..508f0fa4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,10 +20,10 @@ which drops the initial page load's size from 5.31MB to 1.86MB. The following services are not necessary, so they have been disabled: - on the federation port (8448): the `client` service -- on the http port (80): the old Angular `webclient` and the `federation` service +- on the http port (8008, exposed over 443): the old Angular `webclient` and the `federation` service Federation runs only on the federation port (8448) now. -The Client APIs run only on the http port (80) now. +The Client APIs run only on the http port (8008) now. # 2018-08-15 diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 index 43e7d8d0..da39cca0 100644 --- a/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 +++ b/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 @@ -10,8 +10,8 @@ password=$2 admin=$3 if [ "$admin" -eq "1" ]; then - docker exec matrix-synapse register_new_matrix_user -a -u $user -p $password -c /data/homeserver.yaml https://localhost:8448 + docker exec matrix-synapse register_new_matrix_user -a -u $user -p $password -c /data/homeserver.yaml http://localhost:8008 else # If `-a` is not passed, we need to answer to an "admin: yes/no" question - echo 'no' | docker exec -i matrix-synapse register_new_matrix_user -u $user -p $password $extraFlags -c /data/homeserver.yaml https://localhost:8448 + echo 'no' | docker exec -i matrix-synapse register_new_matrix_user -u $user -p $password $extraFlags -c /data/homeserver.yaml http://localhost:8008 fi \ No newline at end of file From 14d7d3e670478feaf9ec3e3559dac74d73c4bd42 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Aug 2018 17:11:55 +0300 Subject: [PATCH 0109/2384] Add support for matrix-synapse-shared-secret-auth --- docs/configuring-playbook-rest-auth.md | 2 +- docs/configuring-playbook-shared-secret-auth.md | 12 ++++++++++++ docs/configuring-playbook.md | 4 +++- roles/matrix-server/defaults/main.yml | 6 ++++++ .../tasks/setup_synapse_ext_shared_secret_auth.yml | 5 +++++ 5 files changed, 27 insertions(+), 2 deletions(-) create mode 100644 docs/configuring-playbook-shared-secret-auth.md diff --git a/docs/configuring-playbook-rest-auth.md b/docs/configuring-playbook-rest-auth.md index e393b4f5..e320ca49 100644 --- a/docs/configuring-playbook-rest-auth.md +++ b/docs/configuring-playbook-rest-auth.md @@ -1,6 +1,6 @@ # Setting up the REST authentication password provider module -The playbook can now install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you. +The playbook can install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you. See that project's documentation to learn what it does and why it might be useful to you. diff --git a/docs/configuring-playbook-shared-secret-auth.md b/docs/configuring-playbook-shared-secret-auth.md new file mode 100644 index 00000000..df5eddd8 --- /dev/null +++ b/docs/configuring-playbook-shared-secret-auth.md @@ -0,0 +1,12 @@ +# Setting up the Shared Secret Auth password provider module + +The playbook can install and configure [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) for you. + +See that project's documentation to learn what it does and why it might be useful to you. + +If you decide that you'd like to let this playbook install it for you, you need some configuration like this: + +```yaml +matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true +matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE +``` \ No newline at end of file diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 2daf5767..0f7f0e51 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -33,4 +33,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional) -- [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional) \ No newline at end of file +- [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional) + +- [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) (optional) \ No newline at end of file diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index e8ab727a..13408d52 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -84,6 +84,12 @@ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: f matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false +# Enable this to activate the Shared Secret Auth password provider module. +# See: https://github.com/devture/matrix-synapse-shared-secret-auth +matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false +matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0/shared_secret_authenticator.py" +matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" + matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" diff --git a/roles/matrix-server/tasks/setup_synapse_ext_shared_secret_auth.yml b/roles/matrix-server/tasks/setup_synapse_ext_shared_secret_auth.yml index f96a5ce0..4f8bd7ee 100644 --- a/roles/matrix-server/tasks/setup_synapse_ext_shared_secret_auth.yml +++ b/roles/matrix-server/tasks/setup_synapse_ext_shared_secret_auth.yml @@ -4,6 +4,11 @@ # Tasks related to setting up matrix-synapse-shared-secret-auth # +- name: Fail if Shared Secret Auth enabled, but no secret set + fail: + msg: "Shared Secret Auth is enabled, but no secret has been set in matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret" + when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled and matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret == ''" + - name: Download matrix-synapse-shared-secret-auth get_url: url: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_download_url }}" From 3577a42f61c3cfcb2972639819ff015f42057a69 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Aug 2018 17:30:05 +0300 Subject: [PATCH 0110/2384] Update README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 59c64832..be6175af 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) REST authentication password provider module +- (optional) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module + Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. From 02d5b54fa5df43285aaf38558ebd8fe7139d2c5b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Aug 2018 21:24:54 +0300 Subject: [PATCH 0111/2384] Add controls for influencing Matrix Synapse's rate-limiting --- CHANGELOG.md | 20 ++++++++++++++++++- roles/matrix-server/defaults/main.yml | 4 ++++ .../templates/synapse/homeserver.yaml.j2 | 4 ++-- 3 files changed, 25 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 508f0fa4..c300301a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,21 @@ +# 2018-08-20 + +## Matrix Synapse rate limit control variables + +The following new variables can now be configured to control Matrix Synapse's rate-limiting (default values are shown below). + +```yaml +matrix_synapse_rc_messages_per_second: 0.2 +matrix_synapse_rc_message_burst_count: 10.0 +``` + +## Shared Secret Auth support via matrix-synapse-shared-secret-auth + +The playbook can now install and configure [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) for you. + +Additional details are available in [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md). + + # 2018-08-17 ## REST auth support via matrix-synapse-rest-auth @@ -71,4 +89,4 @@ The `setup-main` tag got renamed to `setup-all`. ## Docker container linking -Changed the way the Docker containers are linked together. The ones that need to communicate with others operate in a `matrix` network now and not in the default bridge network. \ No newline at end of file +Changed the way the Docker containers are linked together. The ones that need to communicate with others operate in a `matrix` network now and not in the default bridge network. diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 13408d52..de030704 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -61,6 +61,10 @@ matrix_synapse_max_upload_size_mb: 10 matrix_synapse_max_log_file_size_mb: 100 matrix_synapse_max_log_files_count: 10 +# Rate limits +matrix_synapse_rc_messages_per_second: 0.2 +matrix_synapse_rc_message_burst_count: 10.0 + # A list of additional "volumes" to mount in the container. # This list gets populated dynamically based on Synapse extensions that have been enabled. # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 4a60a6be..97b8a994 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -197,10 +197,10 @@ log_config: "/data/{{ hostname_matrix }}.log.config" ## Ratelimiting ## # Number of messages a client can send per second -rc_messages_per_second: 0.2 +rc_messages_per_second: {{ matrix_synapse_rc_messages_per_second }} # Number of message a client can send before being throttled -rc_message_burst_count: 10.0 +rc_message_burst_count: {{ matrix_synapse_rc_message_burst_count }} # The federation window size in milliseconds federation_rc_window_size: 1000 From 76e904eb702ba13078ad133a1b06640a6b7e1fea Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 20 Aug 2018 21:27:19 +0300 Subject: [PATCH 0112/2384] Fix broken link in changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c300301a..c4ed7684 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,7 @@ matrix_synapse_rc_message_burst_count: 10.0 The playbook can now install and configure [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) for you. -Additional details are available in [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md). +Additional details are available in [Setting up the Shared Secret Auth password provider module](docs/configuring-playbook-shared-secret-auth.md). # 2018-08-17 From 5398d80f017dc82374769af4de8955f08da41fc7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 21 Aug 2018 13:34:34 +0300 Subject: [PATCH 0113/2384] Add support for matrix-corporal --- CHANGELOG.md | 9 +++ docs/configuring-playbook-matrix-corporal.md | 37 ++++++++++ docs/configuring-playbook.md | 4 +- roles/matrix-server/defaults/main.yml | 31 ++++++++- roles/matrix-server/tasks/main.yml | 5 ++ roles/matrix-server/tasks/setup_corporal.yml | 68 +++++++++++++++++++ roles/matrix-server/tasks/start.yml | 6 +- .../templates/corporal/config.json.j2 | 30 ++++++++ .../nginx-conf.d/matrix-synapse.conf.j2 | 18 ++++- .../systemd/matrix-corporal.service.j2 | 30 ++++++++ .../systemd/matrix-nginx-proxy.service.j2 | 3 + 11 files changed, 236 insertions(+), 5 deletions(-) create mode 100644 docs/configuring-playbook-matrix-corporal.md create mode 100644 roles/matrix-server/tasks/setup_corporal.yml create mode 100644 roles/matrix-server/templates/corporal/config.json.j2 create mode 100644 roles/matrix-server/templates/systemd/matrix-corporal.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index c4ed7684..76e30490 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2018-08-21 + +## Matrix Corporal support + +The playbook can now install and configure [matrix-corporal](https://github.com/devture/matrix-corporal) for you. + +Additional details are available in [Setting up Matrix Corporal](docs/configuring-playbook-matrix-corporal.md). + + # 2018-08-20 ## Matrix Synapse rate limit control variables diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md new file mode 100644 index 00000000..f38725d8 --- /dev/null +++ b/docs/configuring-playbook-matrix-corporal.md @@ -0,0 +1,37 @@ +# Setting up Matrix Corporal + +The playbook can install and configure [matrix-corporal](https://github.com/devture/matrix-corporal) for you. + +See that project's documentation to learn what it does and why it might be useful to you. + +If you decide that you'd like to let this playbook install it for you, you'd need to also [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md). + +You would then need some configuration like this: + +```yaml +matrix_corporal_enabled: true + +matrix_corporal_policy_provider_config: | + { + "Type": "http", + "Uri": "https://intranet.example.com/matrix/policy", + "AuthorizationBearerToken": "SOME_SECRET", + "CachePath": "/var/cache/matrix-corporal/last-policy.json", + "ReloadIntervalSeconds": 1800 + } + +# If you also want to enable Matrix Corporal's HTTP API.. +matrix_corporal_http_api_enabled: true +matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE" + +# If you need to change the reconciliator user's id from the default (matrix-corporal).. +matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" +``` + +The following local filesystem paths are mounted in the `matrix-corporal` container and can be used in your configuration (or policy): + +- `/matrix/corporal/config` is mounted at `/etc/matrix-corporal` (read-only) + +- `/matrix/corporal/var` is mounted at `/var/matrix-corporal` (read and write) + +- `/matrix/corporal/cache` is mounted at `/var/cache/matrix-corporal` (read and write) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 0f7f0e51..fe71eeb6 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -35,4 +35,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional) -- [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) (optional) \ No newline at end of file +- [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) (optional) + +- [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional) \ No newline at end of file diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index de030704..02c6051e 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -174,6 +174,29 @@ matrix_mxisd_matrixorg_forwarding_enabled: false matrix_mxisd_template_config: "{{ role_path }}/templates/mxisd/mxisd.yaml.j2" +# Enable this to add support for matrix-corporal. +# See: https://github.com/devture/matrix-corporal +matrix_corporal_enabled: false + +matrix_corporal_docker_image: "devture/matrix-corporal:1.0" +matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" +matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" +matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" +matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var" + +matrix_corporal_matrix_timeout_milliseconds: 30000 + +matrix_corporal_reconciliation_retry_interval_milliseconds: 30000 +matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" + +matrix_corporal_http_api_enabled: false +matrix_corporal_http_api_auth_token: "" + +# Matrix Corporal policy provider configuration (goes directly into the configuration's `PolicyProvider` value) +matrix_corporal_policy_provider_config: "" + +matrix_corporal_debug: false + # By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain. # If you wish to connect to your Matrix server by other means, # you may wish to disable this. @@ -188,9 +211,15 @@ matrix_riot_web_default_identity_server_url: "https://{{ matrix_synapse_trusted_ # and take care of proxying by yourself. matrix_nginx_proxy_enabled: true +# The addresses where the Matrix Client API is. +# Certain extensions (like matrix-corporal) may override this in order to capture all traffic. +matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008" +matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008" + + # Specifies when to attempt to retrieve new SSL certificates from Let's Encrypt. matrix_ssl_renew_cron_time_definition: "15 4 */5 * *" # Specifies when to reload the matrix-nginx-proxy service so that # a new SSL certificate could go into effect. -matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" \ No newline at end of file +matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index c1447b23..726f58fb 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -47,6 +47,11 @@ - setup-all - setup-mxisd +- include: tasks/setup_corporal.yml + tags: + - setup-all + - setup-corporal + - include: tasks/setup_synapse.yml tags: - setup-all diff --git a/roles/matrix-server/tasks/setup_corporal.yml b/roles/matrix-server/tasks/setup_corporal.yml new file mode 100644 index 00000000..d9446efb --- /dev/null +++ b/roles/matrix-server/tasks/setup_corporal.yml @@ -0,0 +1,68 @@ +--- + +# +# Tasks related to setting up matrix-corporal +# + +- name: Fail if Shared Secret Auth extension not enabled + fail: + msg: "To use matrix-corporal, you need to enable the Shared Secret Auth module for Synapse (see matrix_synapse_ext_password_provider_shared_secret_auth_enabled)" + when: "matrix_corporal_enabled and not matrix_synapse_ext_password_provider_shared_secret_auth_enabled" + +- name: Fail if HTTP API enabled, but no token set + fail: + msg: "The Matrix Corporal HTTP API is enabled, but no auth token has been set in matrix_corporal_http_api_auth_token" + when: "matrix_corporal_enabled and matrix_corporal_http_api_enabled and matrix_corporal_http_api_auth_token == ''" + +- name: Fail if policy provider configuration not set + fail: + msg: "The Matrix Corporal policy provider configuration has not been set in matrix_corporal_policy_provider_config" + when: "matrix_corporal_enabled and matrix_corporal_policy_provider_config == ''" + +- name: Override configuration specifying where the Matrix Client API is + set_fact: + matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080" + matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080" + when: "matrix_corporal_enabled" + +- name: Ensure Matrix Corporal paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_corporal_config_dir_path }}" + - "{{ matrix_corporal_cache_dir_path }}" + - "{{ matrix_corporal_var_dir_path }}" + when: "matrix_corporal_enabled" + +- name: Ensure Matrix Corporal Docker image is pulled + docker_image: + name: "{{ matrix_corporal_docker_image }}" + when: "matrix_corporal_enabled" + +- name: Ensure Matrix Corporal config installed + template: + src: "{{ role_path }}/templates/corporal/config.json.j2" + dest: "{{ matrix_corporal_config_dir_path }}/config.json" + mode: 0644 + when: "matrix_corporal_enabled" + +- name: Ensure matrix-corporal.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-corporal.service.j2" + dest: "/etc/systemd/system/matrix-corporal.service" + mode: 0644 + when: "matrix_corporal_enabled" + +# +# Tasks related to getting rid of matrix-corporal (if it was previously enabled) +# + +- name: Ensure matrix-corporal.service doesn't exist + file: + path: "{{ role_path }}/templates/systemd/matrix-corporal.service.j2" + state: absent + when: "not matrix_corporal_enabled" diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index c2cedca4..5982ea64 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -28,4 +28,8 @@ - name: Ensure matrix-nginx-proxy autoruns and is restarted service: name=matrix-nginx-proxy enabled=yes state=restarted daemon_reload=yes - when: matrix_nginx_proxy_enabled + when: + +- name: Ensure matrix-corporal autoruns and is restarted + service: name=matrix-corporal enabled=yes state=restarted daemon_reload=yes + when: matrix_corporal_enabled diff --git a/roles/matrix-server/templates/corporal/config.json.j2 b/roles/matrix-server/templates/corporal/config.json.j2 new file mode 100644 index 00000000..f86560ba --- /dev/null +++ b/roles/matrix-server/templates/corporal/config.json.j2 @@ -0,0 +1,30 @@ +{ + "Matrix": { + "HomeserverDomainName": "{{ hostname_identity }}", + "HomeserverApiEndpoint": "http://matrix-synapse:8008", + "AuthSharedSecret": "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}", + "RegistrationSharedSecret": "{{ matrix_synapse_registration_shared_secret }}", + "TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }} + }, + + "Reconciliation": { + "UserId": "@{{ matrix_corporal_reconciliation_user_id_local_part }}:{{ hostname_identity }}", + "RetryIntervalMilliseconds": {{ matrix_corporal_reconciliation_retry_interval_milliseconds }} + }, + + "HttpGateway": { + "ListenAddress": "0.0.0.0:41080" + }, + + "HttpApi": { + "Enabled": {{ 'true' if matrix_corporal_http_api_enabled else 'false' }}, + "ListenAddress": "0.0.0.0:41081", + "AuthorizationBearerToken": "{{ matrix_corporal_http_api_auth_token }}" + }, + + "PolicyProvider": {{ matrix_corporal_policy_provider_config }}, + + "Misc": { + "Debug": {{ 'true' if matrix_corporal_debug else 'false' }} + } +} diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index b636080a..74c69255 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -42,6 +42,20 @@ server { ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + {% if matrix_corporal_enabled and matrix_corporal_http_api_enabled %} + location /_matrix/corporal { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-corporal:41081"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://localhost:41081; + {% endif %} + } + {% endif %} + {% if matrix_mxisd_enabled %} location /_matrix/identity { {% if matrix_nginx_proxy_enabled %} @@ -60,11 +74,11 @@ server { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse:8008"; + set $backend "{{ matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container }}"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:8008; + proxy_pass http://{{ matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container }}; {% endif %} proxy_set_header X-Forwarded-For $remote_addr; diff --git a/roles/matrix-server/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-server/templates/systemd/matrix-corporal.service.j2 new file mode 100644 index 00000000..2038bc98 --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-corporal.service.j2 @@ -0,0 +1,30 @@ +[Unit] +Description=Matrix Corporal +After=docker.service +Requires=docker.service +Requires=matrix-synapse.service +After=matrix-synapse.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-corporal +ExecStartPre=-/usr/bin/docker rm matrix-corporal +ExecStart=/usr/bin/docker run --rm --name matrix-corporal \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --network={{ matrix_docker_network }} \ + {% if not matrix_nginx_proxy_enabled %} + -p 127.0.0.1:41080:41080 \ + -p 127.0.0.1:41081:41081 \ + {% endif %} + -v {{ matrix_corporal_config_dir_path }}:/etc/matrix-corporal:ro \ + -v {{ matrix_corporal_cache_dir_path }}:/var/cache/matrix-corporal:rw \ + -v {{ matrix_corporal_var_dir_path }}:/var/matrix-corporal:rw \ + {{ matrix_corporal_docker_image }} \ + /matrix-corporal -config=/etc/matrix-corporal/config.json +ExecStop=-/usr/bin/docker kill matrix-corporal +ExecStop=-/usr/bin/docker rm matrix-corporal +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index dc096d51..c4c06f20 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -3,6 +3,9 @@ Description=Matrix nginx proxy server After=docker.service Requires=docker.service Wants=matrix-synapse.service +{% if matrix_corporal_enabled %} +Wants=matrix-corporal.service +{% endif %} {% if matrix_riot_web_enabled %} Wants=matrix-riot-web.service {% endif %} From 861957b6f1847c0573d272969bfca99aac761e28 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Aug 2018 08:35:30 +0300 Subject: [PATCH 0114/2384] Add missing when statement --- roles/matrix-server/tasks/start.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index 5982ea64..0f8ff44c 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -28,7 +28,7 @@ - name: Ensure matrix-nginx-proxy autoruns and is restarted service: name=matrix-nginx-proxy enabled=yes state=restarted daemon_reload=yes - when: + when: matrix_nginx_proxy_enabled - name: Ensure matrix-corporal autoruns and is restarted service: name=matrix-corporal enabled=yes state=restarted daemon_reload=yes From 92e6fdd279f0422c192540f198725a7f4a7a7983 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Aug 2018 08:35:38 +0300 Subject: [PATCH 0115/2384] Update dependencies --- roles/matrix-server/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 02c6051e..5fdcfd32 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -106,9 +106,9 @@ matrix_docker_image_postgres_v9: "postgres:9.6.10-alpine" matrix_docker_image_postgres_v10: "postgres:10.5-alpine" matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" -matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.2" +matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.3" matrix_docker_image_nginx: "nginx:1.15.2-alpine" -matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.0" +matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.1" matrix_docker_image_s3fs: "xueshanf/s3fs:latest" matrix_docker_image_goofys: "cloudproto/goofys:latest" matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.7" From 314ff098465665f1fef32e44beeaf4078a389198 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 24 Aug 2018 10:01:25 +0300 Subject: [PATCH 0116/2384] Update dependencies --- roles/matrix-server/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 5fdcfd32..8855197b 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -108,7 +108,7 @@ matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.3" matrix_docker_image_nginx: "nginx:1.15.2-alpine" -matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.1" +matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.2" matrix_docker_image_s3fs: "xueshanf/s3fs:latest" matrix_docker_image_goofys: "cloudproto/goofys:latest" matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.7" @@ -178,7 +178,7 @@ matrix_mxisd_template_config: "{{ role_path }}/templates/mxisd/mxisd.yaml.j2" # See: https://github.com/devture/matrix-corporal matrix_corporal_enabled: false -matrix_corporal_docker_image: "devture/matrix-corporal:1.0" +matrix_corporal_docker_image: "devture/matrix-corporal:1.0.1" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" From 51ac3421b5fea20031a9452b2b0199c88dc4744e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 24 Aug 2018 17:13:58 +0300 Subject: [PATCH 0117/2384] Update matrix-corporal (1.0.1 -> 1.1) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 8855197b..49ea5bd5 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -178,7 +178,7 @@ matrix_mxisd_template_config: "{{ role_path }}/templates/mxisd/mxisd.yaml.j2" # See: https://github.com/devture/matrix-corporal matrix_corporal_enabled: false -matrix_corporal_docker_image: "devture/matrix-corporal:1.0.1" +matrix_corporal_docker_image: "devture/matrix-corporal:1.1" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" From e9d2e7455bd6730181da611476d8c3ebab33d436 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 26 Aug 2018 18:12:24 +0300 Subject: [PATCH 0118/2384] Update README --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index be6175af..11f02fa3 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module +- (optional) the [Matrix Corporal](https://github.com/devture/matrix-corporal) reconciliator and gateway for a managed Matrix server + Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. @@ -88,6 +90,8 @@ This playbook sets up your server using the following Docker images: - [panubo/postfix](https://hub.docker.com/r/panubo/postfix/) - the [Postfix](http://www.postfix.org/) email server (optional) +- [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal/) - [Matrix Corporal](https://github.com/devture/matrix-corporal): reconciliator and gateway for a managed Matrix server (optional) + - [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional) From d5346656e3d56010c689277ccfac2684bb35b884 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 29 Aug 2018 08:46:21 +0300 Subject: [PATCH 0119/2384] Use 0.16.1 for riot-web, as the image for 0.16.2 is still unavailable --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 49ea5bd5..2c741411 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -108,7 +108,7 @@ matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.3" matrix_docker_image_nginx: "nginx:1.15.2-alpine" -matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.2" +matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.1" matrix_docker_image_s3fs: "xueshanf/s3fs:latest" matrix_docker_image_goofys: "cloudproto/goofys:latest" matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.7" From 23e4a4734b8e38c9c5174cdbc0d97d7625a1950e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 29 Aug 2018 09:37:44 +0300 Subject: [PATCH 0120/2384] Switch from acmetool to certbot for SSL certificate retrieval --- CHANGELOG.md | 18 +++++ roles/matrix-server/defaults/main.yml | 12 +++- roles/matrix-server/tasks/setup_ssl.yml | 48 +++++-------- .../tasks/setup_ssl_for_domain.yml | 70 +++++++++++++++++++ .../cron.d/matrix-ssl-certificate-renewal.j2 | 17 +---- .../nginx-conf.d/matrix-riot-web.conf.j2 | 23 +++--- .../nginx-conf.d/matrix-synapse.conf.j2 | 23 +++--- .../systemd/matrix-nginx-proxy.service.j2 | 2 +- .../matrix-ssl-certificates-renew.j2 | 26 +++++++ 9 files changed, 164 insertions(+), 75 deletions(-) create mode 100644 roles/matrix-server/tasks/setup_ssl_for_domain.yml create mode 100644 roles/matrix-server/templates/usr-local-bin/matrix-ssl-certificates-renew.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 76e30490..b1533c25 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,21 @@ +# 2018-08-29 + +## Changing the way SSL certificates are retrieved + +We've been using [acmetool](https://github.com/hlandau/acme) (with the [willwill/acme-docker](https://hub.docker.com/r/willwill/acme-docker/) Docker image) until now. + +Due to the Docker image being deprecated, and for things looking bleak for acmetool's support of the newer ACME v2 API endpoint, we've switched to using [certbot](https://certbot.eff.org/) (with the [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) Docker image). + +Simply re-running the playbook will retrieve new certificates for you. +To ensure you don't leave any old files behind, though, you'd better do this: + +- `systemctl stop matrix*` +- stop your custom webserver, if you're running one (only affects you if you've installed with `matrix_nginx_proxy_enabled: false`) +- `mv /matrix/ssl /matrix/ssl-acmetool-delete-later` +- re-run the playbook's [installation](docs/installing.md) +- possibly delete `/matrix/ssl-acmetool-delete-later` + + # 2018-08-21 ## Matrix Corporal support diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 2c741411..d669077b 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -24,8 +24,7 @@ matrix_postgres_connection_password: "synapse-password" matrix_postgres_db_name: "homeserver" matrix_base_data_path: "/matrix" -matrix_ssl_certs_path: "{{ matrix_base_data_path }}/ssl" -matrix_ssl_support_email: "{{ host_specific_matrix_ssl_support_email }}" + matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" @@ -217,9 +216,18 @@ matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse: matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008" +matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" +matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" +matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" +matrix_ssl_support_email: "{{ host_specific_matrix_ssl_support_email }}" +matrix_ssl_certbot_docker_image: "certbot/certbot:v0.26.1" +matrix_ssl_certbot_standalone_http_port: 2402 +matrix_ssl_use_staging: false + # Specifies when to attempt to retrieve new SSL certificates from Let's Encrypt. matrix_ssl_renew_cron_time_definition: "15 4 */5 * *" + # Specifies when to reload the matrix-nginx-proxy service so that # a new SSL certificate could go into effect. matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" diff --git a/roles/matrix-server/tasks/setup_ssl.yml b/roles/matrix-server/tasks/setup_ssl.yml index 167b739b..57b824d7 100644 --- a/roles/matrix-server/tasks/setup_ssl.yml +++ b/roles/matrix-server/tasks/setup_ssl.yml @@ -20,46 +20,32 @@ - https when: ansible_os_family == 'RedHat' -- name: Ensure acmetool Docker image is pulled +- name: Ensure certbot Docker image is pulled docker_image: - name: willwill/acme-docker + name: "{{ matrix_ssl_certbot_docker_image }}" -# Granting +rx to others as well, because the `nginx` user from within -# matrix-nginx-proxy needs to be able to read the acme-challenge files inside -# for renewal purposes. -# -# This should not be causing security trouble outside of the container, -# as the parent directory (/matrix) does not allow "others" to access it or any of its children. -# Still, it works when the /ssl subtree is mounted in the container. -- name: Ensure SSL certificates path exists +- name: Ensure SSL certificate paths exists file: - path: "{{ matrix_ssl_certs_path }}" + path: "{{ item }}" state: directory - mode: 0775 + mode: 0770 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_ssl_log_dir_path }}" + - "{{ matrix_ssl_config_dir_path }}" -- name: Check matrix-nginx-proxy state - service: name=matrix-nginx-proxy - register: matrix_nginx_proxy_state - -- name: Ensure matrix-nginx-proxy is stopped (if previously installed & started) - service: name=matrix-nginx-proxy state=stopped - when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'" - -- name: Ensure SSL certificates are marked as wanted in acmetool - shell: >- - /usr/bin/docker run --rm --name acmetool --net=host - -v {{ matrix_ssl_certs_path }}:/certs - -v {{ matrix_ssl_certs_path }}/run:/var/run/acme - -e ACME_EMAIL={{ matrix_ssl_support_email }} - willwill/acme-docker - acmetool want {{ item }} --xlog.severity=debug +- name: Obtain initial certificates + include_tasks: "setup_ssl_for_domain.yml" with_items: "{{ domains_to_obtain_certificate_for }}" + loop_control: + loop_var: domain_name -- name: Ensure matrix-nginx-proxy is started (if previously installed & started) - service: name=matrix-nginx-proxy state=started - when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'" +- name: Ensure SSL renewal script installed + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-certificates-renew.j2" + dest: "/usr/local/bin/matrix-ssl-certificates-renew" + mode: 0750 - name: Ensure periodic SSL renewal cronjob configured template: diff --git a/roles/matrix-server/tasks/setup_ssl_for_domain.yml b/roles/matrix-server/tasks/setup_ssl_for_domain.yml new file mode 100644 index 00000000..c7bb15c1 --- /dev/null +++ b/roles/matrix-server/tasks/setup_ssl_for_domain.yml @@ -0,0 +1,70 @@ +- debug: + msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}" + +- set_fact: + domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/cert.pem" + +- name: Check if a certificate for the domain already exists + stat: + path: "{{ domain_name_certificate_path }}" + register: domain_name_certificate_path_stat + +- set_fact: + domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}" + +# This will fail if there is something running on port 80 (like matrix-nginx-proxy). +# We suppress the error, as we'll try another method below. +- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly) + shell: >- + /usr/bin/docker run + --rm + --name=matrix-certbot + --net=host + -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt + -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt + {{ matrix_ssl_certbot_docker_image }} + certonly + --non-interactive + {% if matrix_ssl_use_staging %}--staging{% endif %} + --standalone + --preferred-challenges http + --agree-tos + --email={{ matrix_ssl_support_email }} + -d {{ domain_name }} + when: "domain_name_needs_cert" + register: result_certbot_direct + ignore_errors: true + +# If matrix-nginx-proxy is configured from a previous run of this playbook, +# and it's running now, it may be able to proxy requests to `matrix_ssl_certbot_standalone_http_port`. +- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy) + shell: >- + /usr/bin/docker run + --rm + --name=matrix-certbot + -p 127.0.0.1:{{ matrix_ssl_certbot_standalone_http_port }}:80 + --network={{ matrix_docker_network }} + -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt + -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt + {{ matrix_ssl_certbot_docker_image }} + certonly + --non-interactive + {% if matrix_ssl_use_staging %}--staging{% endif %} + --standalone + --preferred-challenges http + --agree-tos + --email={{ matrix_ssl_support_email }} + -d {{ domain_name }} + when: "domain_name_needs_cert and result_certbot_direct.failed" + register: result_certbot_proxy + ignore_errors: true + +- name: Fail if all SSL certificate retrieval attempts failed + fail: + msg: | + Failed to obtain a certificate directly (by listening on port 80) + and also failed to obtain by relying on the server at port 80 to proxy the request. + See above for details. + You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_certbot_standalone_http_port }} or, + more easily, stop the server on port 80 while this playbook runs. + when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed" \ No newline at end of file diff --git a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 index 42b7a71a..2c7b71f2 100644 --- a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 +++ b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 @@ -1,24 +1,11 @@ MAILTO="{{ matrix_ssl_support_email }}" -# The goal of this cronjob is to ask acmetool to check +# The goal of this cronjob is to ask certbot to check # the current SSL certificates and to see if some need renewal. # If so, it would attempt to renew. # # Various services depend on these certificates and would need to be restarted. # This is not our concern here. We simply make sure the certificates are up to date. # Restarting of services happens on its own different schedule (other cronjobs). -# -# -# How renewal works? -# -# acmetool will fail to bind to port :80 (because matrix-nginx-proxy or some other server is running there), -# and will fall back to its "webroot" validation method. -# -# Thus, it would put validation files in `/var/run/acme/acme-challenge`. -# These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy, -# because it aliases `/.well-known/acme-challenge` to that same directory. -# -# When a custom proxy server (not matrix-nginx-proxy provided by this playbook), -# you'd need to make sure you alias these files correctly or SSL renewal would not work. -{{ matrix_ssl_renew_cron_time_definition }} root /usr/bin/docker run --rm --net=host -v {{ matrix_ssl_certs_path }}:/certs -v {{ matrix_ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ matrix_ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug +{{ matrix_ssl_renew_cron_time_definition }} root /bin/bash /usr/local/bin/matrix-ssl-certificates-renew diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index 9d682980..9347f02e 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -5,17 +5,14 @@ server { server_tokens off; location /.well-known/acme-challenge { - {# - The proxy can access the files directly. - An external server likely does not have permission to read these files, - so we'll just proxy to acme's :402 port. - #} - - {%- if matrix_nginx_proxy_enabled -%} - default_type "text/plain"; - alias {{ matrix_ssl_certs_path }}/run/acme-challenge; - {%- else -%} - proxy_pass http://localhost:402; + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:80"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://localhost:{{ matrix_ssl_certbot_standalone_http_port }}; {% endif %} } @@ -36,8 +33,8 @@ server { gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/fullchain; - ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/privkey; + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 74c69255..f7ff6255 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -5,17 +5,14 @@ server { server_tokens off; location /.well-known/acme-challenge { - {# - The proxy can access the files directly. - An external server likely does not have permission to read these files, - so we'll just proxy to acme's :402 port. - #} - - {%- if matrix_nginx_proxy_enabled -%} - default_type "text/plain"; - alias {{ matrix_ssl_certs_path }}/run/acme-challenge; - {%- else -%} - proxy_pass http://localhost:402; + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:80"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://localhost:{{ matrix_ssl_certbot_standalone_http_port }}; {% endif %} } @@ -36,8 +33,8 @@ server { gzip on; gzip_types text/plain application/json; - ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_matrix }}/fullchain; - ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_matrix }}/privkey; + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index c4c06f20..82a7bedf 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -22,7 +22,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ -p 80:80 \ -p 443:443 \ -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ - -v {{ matrix_ssl_certs_path }}:{{ matrix_ssl_certs_path }}:ro \ + -v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \ {{ matrix_docker_image_nginx }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy ExecStop=-/usr/bin/docker rm matrix-nginx-proxy diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-ssl-certificates-renew.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-ssl-certificates-renew.j2 new file mode 100644 index 00000000..2fde95dd --- /dev/null +++ b/roles/matrix-server/templates/usr-local-bin/matrix-ssl-certificates-renew.j2 @@ -0,0 +1,26 @@ +#!/bin/bash + +# For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled) +# need to forward requests for `/.well-known/acme-challenge` to the certbot container. +# +# This can happen inside the container network by proxying to `http://matrix-certbot:80` +# or outside (on the host) by proxying to `http://localhost:{{ matrix_ssl_certbot_standalone_http_port }}`. + +docker run \ + --rm \ + --name=matrix-certbot \ + --network="{{ matrix_docker_network }}" \ + -p 127.0.0.1:{{ matrix_ssl_certbot_standalone_http_port }}:80 \ + -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \ + -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt \ + {{ matrix_ssl_certbot_docker_image }} \ + renew \ + --non-interactive \ + {% if matrix_ssl_use_staging %} + --staging \ + {% endif %} + --quiet \ + --standalone \ + --preferred-challenges http \ + --agree-tos \ + --email={{ matrix_ssl_support_email }} From 9e91d5059fb4b2a9f59cac112dca4dbff0f337d5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 29 Aug 2018 09:41:24 +0300 Subject: [PATCH 0121/2384] Fix wording --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b1533c25..9c1bce1c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,9 +4,9 @@ We've been using [acmetool](https://github.com/hlandau/acme) (with the [willwill/acme-docker](https://hub.docker.com/r/willwill/acme-docker/) Docker image) until now. -Due to the Docker image being deprecated, and for things looking bleak for acmetool's support of the newer ACME v2 API endpoint, we've switched to using [certbot](https://certbot.eff.org/) (with the [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) Docker image). +Due to the Docker image being deprecated, and things looking bleak for acmetool's support of the newer ACME v2 API endpoint, we've switched to using [certbot](https://certbot.eff.org/) (with the [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) Docker image). -Simply re-running the playbook will retrieve new certificates for you. +Simply re-running the playbook will retrieve new certificates (via certbot) for you. To ensure you don't leave any old files behind, though, you'd better do this: - `systemctl stop matrix*` From 09a41dd3eadbc5620b712dd73b81e6cc9168ae3a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 29 Aug 2018 09:42:59 +0300 Subject: [PATCH 0122/2384] Fix systemctl command to avoid wildcard expansion --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c1bce1c..abebb894 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ Due to the Docker image being deprecated, and things looking bleak for acmetool' Simply re-running the playbook will retrieve new certificates (via certbot) for you. To ensure you don't leave any old files behind, though, you'd better do this: -- `systemctl stop matrix*` +- `systemctl stop 'matrix*'` - stop your custom webserver, if you're running one (only affects you if you've installed with `matrix_nginx_proxy_enabled: false`) - `mv /matrix/ssl /matrix/ssl-acmetool-delete-later` - re-run the playbook's [installation](docs/installing.md) From e2c25bbb02f44d3348f127bcfa8b671dd5434b8b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 29 Aug 2018 10:12:48 +0300 Subject: [PATCH 0123/2384] Update README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 11f02fa3..9927bad7 100644 --- a/README.md +++ b/README.md @@ -94,6 +94,8 @@ This playbook sets up your server using the following Docker images: - [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional) +- [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) - the [certbot](https://certbot.eff.org/) tool for obtaining SSL certificates from [Let's Encrypt](https://letsencrypt.org/) + ## Deficiencies From 7428b941c8e4fe7ad4d1b2aa49530ade8409767b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 29 Aug 2018 10:14:48 +0300 Subject: [PATCH 0124/2384] Remove old s3fs stuff We've been using Goofys for a long time instead. --- roles/matrix-server/defaults/main.yml | 1 - roles/matrix-server/tasks/main.yml | 5 ----- roles/matrix-server/tasks/setup_s3fs.yml | 27 ------------------------ 3 files changed, 33 deletions(-) delete mode 100644 roles/matrix-server/tasks/setup_s3fs.yml diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index d669077b..1082128a 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -108,7 +108,6 @@ matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.3" matrix_docker_image_nginx: "nginx:1.15.2-alpine" matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.1" -matrix_docker_image_s3fs: "xueshanf/s3fs:latest" matrix_docker_image_goofys: "cloudproto/goofys:latest" matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.7" matrix_docker_image_mailer: "panubo/postfix:latest" diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 726f58fb..a079674f 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -22,11 +22,6 @@ - setup-all - setup-postgres -- include: tasks/setup_s3fs.yml - tags: - - setup-all - - setup-s3fs - - include: tasks/setup_goofys.yml tags: - setup-all diff --git a/roles/matrix-server/tasks/setup_s3fs.yml b/roles/matrix-server/tasks/setup_s3fs.yml deleted file mode 100644 index f3120809..00000000 --- a/roles/matrix-server/tasks/setup_s3fs.yml +++ /dev/null @@ -1,27 +0,0 @@ -# -# Tasks related to getting rid of s3fs (if it was previously installed) -# - -- name: Check existence of matrix-s3fs service - stat: path="/etc/systemd/system/matrix-s3fs.service" - register: matrix_s3fs_service_stat - -- name: Ensure matrix-s3fs is stopped - service: name=matrix-s3fs state=stopped daemon_reload=yes - register: stopping_result - when: "matrix_s3fs_service_stat.stat.exists" - -- name: Ensure matrix-s3fs.service doesn't exist - file: - path: "/etc/systemd/system/matrix-s3fs.service" - state: absent - -- name: Ensure s3fs-credentials doesn't exist - file: - path: "{{ matrix_base_data_path }}/s3fs-credentials" - state: absent - -- name: Ensure S3fs Docker image doesn't exist - docker_image: - name: "{{ matrix_docker_image_s3fs }}" - state: absent From 49e0d0e6db46642888bf47c65cc8ac029e854f45 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 6 Sep 2018 18:13:06 +0300 Subject: [PATCH 0125/2384] Update dependencies --- roles/matrix-server/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 1082128a..4078d4c7 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -105,9 +105,9 @@ matrix_docker_image_postgres_v9: "postgres:9.6.10-alpine" matrix_docker_image_postgres_v10: "postgres:10.5-alpine" matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" -matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.3" -matrix_docker_image_nginx: "nginx:1.15.2-alpine" -matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.1" +matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.3.1" +matrix_docker_image_nginx: "nginx:1.15.3-alpine" +matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.3" matrix_docker_image_goofys: "cloudproto/goofys:latest" matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.7" matrix_docker_image_mailer: "panubo/postfix:latest" From 7310498f716c08bd2e72b4e24bef9e836c29d1c2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 6 Sep 2018 18:23:16 +0300 Subject: [PATCH 0126/2384] Update certbot --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 4078d4c7..5584e723 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -219,7 +219,7 @@ matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" matrix_ssl_support_email: "{{ host_specific_matrix_ssl_support_email }}" -matrix_ssl_certbot_docker_image: "certbot/certbot:v0.26.1" +matrix_ssl_certbot_docker_image: "certbot/certbot:v0.27.0" matrix_ssl_certbot_standalone_http_port: 2402 matrix_ssl_use_staging: false From 88b4434da9a829fc8f883230d781abf7517b2531 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Sep 2018 13:59:29 +0300 Subject: [PATCH 0127/2384] Fix incorrect path --- roles/matrix-server/tasks/setup_corporal.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/tasks/setup_corporal.yml b/roles/matrix-server/tasks/setup_corporal.yml index d9446efb..f2729a1e 100644 --- a/roles/matrix-server/tasks/setup_corporal.yml +++ b/roles/matrix-server/tasks/setup_corporal.yml @@ -63,6 +63,6 @@ - name: Ensure matrix-corporal.service doesn't exist file: - path: "{{ role_path }}/templates/systemd/matrix-corporal.service.j2" + path: "/etc/systemd/system/matrix-corporal.service" state: absent when: "not matrix_corporal_enabled" From 6d6a6412faf962515a99962c8008282359f71308 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Sep 2018 14:49:40 +0300 Subject: [PATCH 0128/2384] Add the ability to control statistics-reporting for Synapse Closes Github issue #3 --- CHANGELOG.md | 9 +++++++++ roles/matrix-server/defaults/main.yml | 4 ++++ roles/matrix-server/templates/synapse/homeserver.yaml.j2 | 2 +- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index abebb894..14e45a15 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2018-09-07 + +## Statistics-reporting support + +There's now a new `matrix_synapse_report_stats` playbook variable, which controls the `report_stats` configuration option for Matrix Synapse. It defaults to `false`, so no change is required to retain your privacy. + +If you'd like to start reporting statistics about your homeserver (things like number of users, number of messages sent, uptime, load, etc.) to matrix.org, you can turn on stats reporting. + + # 2018-08-29 ## Changing the way SSL certificates are retrieved diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 5584e723..57a9ebb1 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -64,6 +64,10 @@ matrix_synapse_max_log_files_count: 10 matrix_synapse_rc_messages_per_second: 0.2 matrix_synapse_rc_message_burst_count: 10.0 +# Enable this to allow Synapse to report utilization statistics about your server to matrix.org +# (things like number of users, number of messages sent, uptime, load, etc.) +matrix_synapse_report_stats: false + # A list of additional "volumes" to mount in the container. # This list gets populated dynamically based on Synapse extensions that have been enabled. # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 97b8a994..5f100e7d 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -447,7 +447,7 @@ trusted_third_party_id_servers: # Enable collection and rendering of performance metrics enable_metrics: False -report_stats: False +report_stats: {{ matrix_synapse_report_stats }} ## API Configuration ## From b52d91e180e4cce41a1c6455ac4cd7f4df889339 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Sep 2018 15:01:38 +0300 Subject: [PATCH 0129/2384] Add the ability to controll password-peppering for Synapse Closes Github issue #5 --- CHANGELOG.md | 7 ++++++- roles/matrix-server/defaults/main.yml | 3 +++ roles/matrix-server/templates/synapse/homeserver.yaml.j2 | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 14e45a15..b23ed359 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,11 @@ # 2018-09-07 -## Statistics-reporting support +## Password-peppering support for Matrix Synapse + +The playbook now supports enabling password-peppering for increased security in Matrix Synapse via the `matrix_synapse_password_config_pepper` playbook variable. Using a password pepper is disabled by default (just like it used to be before this playbook variable got introduced) and is not to be enabled/disabled after initial setup, as that would invalidate all existing passwords. + + +## Statistics-reporting support for Matrix Synapse There's now a new `matrix_synapse_report_stats` playbook variable, which controls the `report_stats` configuration option for Matrix Synapse. It defaults to `false`, so no change is required to retain your privacy. diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 57a9ebb1..5143d5c1 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -68,6 +68,9 @@ matrix_synapse_rc_message_burst_count: 10.0 # (things like number of users, number of messages sent, uptime, load, etc.) matrix_synapse_report_stats: false +# Controls password-peppering for Matrix Synapse. Not to be changed after initial setup. +matrix_synapse_password_config_pepper: "" + # A list of additional "volumes" to mount in the container. # This list gets populated dynamically based on Synapse extensions that have been enabled. # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 5f100e7d..9ee67f1e 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -538,7 +538,7 @@ password_config: enabled: true # Uncomment and change to a secret random string for extra security. # DO NOT CHANGE THIS AFTER INITIAL SETUP! - #pepper: "" + pepper: "{{ matrix_synapse_password_config_pepper }}" From 7adcdf30407d634e755f511800339c7a448607f2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Sep 2018 16:13:50 +0300 Subject: [PATCH 0130/2384] Add the ability to control event_cache_size for Synapse I've found the previous 10K default value to be way too low on a bunch of servers I'm running, so it's now up to 100K and made configurable. --- CHANGELOG.md | 7 +++++++ roles/matrix-server/defaults/main.yml | 3 +++ roles/matrix-server/templates/synapse/homeserver.yaml.j2 | 2 +- 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b23ed359..be1364ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # 2018-09-07 +## Events cache size increase and configurability for Matrix Synapse + +The playbook now lets you configure Matrix Synapse's `event_cache_size` configuration via the `matrix_synapse_event_cache_size` playbook variable. + +Previously, this value was hardcoded to `"10K"`. From now on, a more reasonable default of `"100K"` is used. + + ## Password-peppering support for Matrix Synapse The playbook now supports enabling password-peppering for increased security in Matrix Synapse via the `matrix_synapse_password_config_pepper` playbook variable. Using a password pepper is disabled by default (just like it used to be before this playbook variable got introduced) and is not to be enabled/disabled after initial setup, as that would invalidate all existing passwords. diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 5143d5c1..923bd1ec 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -71,6 +71,9 @@ matrix_synapse_report_stats: false # Controls password-peppering for Matrix Synapse. Not to be changed after initial setup. matrix_synapse_password_config_pepper: "" +# Controls the number of events that Matrix Synapse caches in memory. +matrix_synapse_event_cache_size: "100K" + # A list of additional "volumes" to mount in the container. # This list gets populated dynamically based on Synapse extensions that have been enabled. # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 9ee67f1e..f29ea692 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -186,7 +186,7 @@ database: cp_max: 10 # Number of events to cache in memory. -event_cache_size: "10K" +event_cache_size: "{{ matrix_synapse_event_cache_size }}" From 7b5f68c431692f977ca07c3358dff7c1d1efc0b2 Mon Sep 17 00:00:00 2001 From: Hugues Morisset Date: Sat, 1 Sep 2018 17:51:07 +0200 Subject: [PATCH 0131/2384] Add mautrix-telegram to bridge with telegram services --- examples/host-vars.yml | 9 +- roles/matrix-server/defaults/main.yml | 11 + roles/matrix-server/tasks/main.yml | 2 +- .../matrix-server/tasks/setup_synapse_ext.yml | 4 +- .../setup_synapse_ext_mautrix_telegram.yml | 65 +++++ roles/matrix-server/tasks/start.yml | 4 + .../templates/mautrix-telegram/config.yaml.j2 | 273 ++++++++++++++++++ .../templates/synapse/homeserver.yaml.j2 | 2 +- .../matrix-mautrix-telegram.service.j2 | 23 ++ 9 files changed, 389 insertions(+), 4 deletions(-) create mode 100644 roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml create mode 100644 roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 create mode 100644 roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 diff --git a/examples/host-vars.yml b/examples/host-vars.yml index 8d60daf5..c5b82c8b 100644 --- a/examples/host-vars.yml +++ b/examples/host-vars.yml @@ -24,4 +24,11 @@ matrix_coturn_turn_static_auth_secret: "" # A secret used to protect access keys issued by the server. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_synapse_macaroon_secret_key: "" \ No newline at end of file +matrix_synapse_macaroon_secret_key: "" + +# Mautrix telegram +# Enable telegram bridge +matrix_mautrix_telegram_enabled: false +# Get your own API keys at https://my.telegram.org/apps +matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID +matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 923bd1ec..19d8f59f 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -84,6 +84,11 @@ matrix_synapse_container_additional_volumes: [] # Contains definition objects like this: `{"name": "..", "level": "DEBUG"} matrix_synapse_additional_loggers: [] +# A list of service config files +# This list gets populated dynamically based on Synapse extensions that have been enabled. +# Conatains fs paths +matrix_synapse_app_service_config_files: [] + # This is set dynamically during execution depending on whether # any password providers have been enabled or not. matrix_synapse_password_providers_enabled: false @@ -110,6 +115,7 @@ matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" +matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" matrix_docker_image_postgres_v9: "postgres:9.6.10-alpine" matrix_docker_image_postgres_v10: "postgres:10.5-alpine" @@ -122,6 +128,7 @@ matrix_docker_image_goofys: "cloudproto/goofys:latest" matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.7" matrix_docker_image_mailer: "panubo/postfix:latest" matrix_docker_image_mxisd: "kamax/mxisd:1.1.1" +matrix_docker_image_mautrix_telegram: "tulir/mautrix-telegram:v0.3.0" # The Docker network that all services would be put into matrix_docker_network: "matrix" @@ -213,6 +220,10 @@ matrix_riot_web_enabled: true matrix_riot_web_default_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}" +# Matrix mautrix is a Matrix <-> Telegram bridge +matrix_mautrix_telegram_enabled: false + + # By default, this playbook sets up its own nginx proxy server on port 80/443. # This is fine if you're dedicating the whole server to Matrix. # But in case that's not the case, you may wish to prevent that diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index a079674f..01f5832b 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -77,4 +77,4 @@ - include: tasks/import_media_store.yml tags: - - import-media-store \ No newline at end of file + - import-media-store diff --git a/roles/matrix-server/tasks/setup_synapse_ext.yml b/roles/matrix-server/tasks/setup_synapse_ext.yml index e55cd195..3777df08 100644 --- a/roles/matrix-server/tasks/setup_synapse_ext.yml +++ b/roles/matrix-server/tasks/setup_synapse_ext.yml @@ -2,4 +2,6 @@ - include: tasks/setup_synapse_ext_rest_auth.yml -- include: tasks/setup_synapse_ext_shared_secret_auth.yml \ No newline at end of file +- include: tasks/setup_synapse_ext_shared_secret_auth.yml + +- include: tasks/setup_synapse_ext_mautrix_telegram.yml diff --git a/roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml b/roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml new file mode 100644 index 00000000..d0b1ec47 --- /dev/null +++ b/roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml @@ -0,0 +1,65 @@ +--- + +- name: Ensure Mautrix Telegram image is pulled + docker_image: + name: "{{ matrix_docker_image_mautrix_telegram }}" + when: "matrix_mautrix_telegram_enabled" + +- name: Ensure Mautrix Telegram configuration path exists + file: + path: "{{ matrix_mautrix_telegram_base_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "matrix_mautrix_telegram_enabled" + +- name: Ensure Matrix Mautrix telegram config installed + template: + src: "{{ role_path }}/templates/mautrix-telegram/config.yaml.j2" + dest: "{{ matrix_mautrix_telegram_base_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "matrix_mautrix_telegram_enabled" + +- name: Ensure matrix-mautrix-telegram.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-telegram.service.j2" + dest: "/etc/systemd/system/matrix-mautrix-telegram.service" + mode: 0644 + when: "matrix_mautrix_telegram_enabled" + +- stat: "path={{ matrix_mautrix_telegram_base_path }}/registration.yaml" + register: mautrix_registration_file + +- name: Generate matrix-mautrix-telegram registration.yaml if it doesn't exist + shell: /usr/bin/docker run --rm --name matrix-mautrix-telegram-gen -v {{ matrix_mautrix_telegram_base_path }}:/data:z {{ matrix_docker_image_mautrix_telegram }} python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml + when: "matrix_mautrix_telegram_enabled and mautrix_registration_file.stat.exists == False" + +- set_fact: + matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml' + +- set_fact: + matrix_synapse_container_additional_volumes: > + {{ matrix_synapse_container_additional_volumes }} + + + {{ [{'src': '{{ matrix_mautrix_telegram_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_telegram }}', 'options': 'ro'}] }} + when: "matrix_mautrix_telegram_enabled" + +- set_fact: + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files }} + + + {{ ["{{ matrix_synapse_app_service_config_file_mautrix_telegram }}"] | to_nice_json }} + when: "matrix_mautrix_telegram_enabled" + +# +# Tasks related to getting rid of matrix-mautrix-telegram (if it was previously enabled) +# + +- name: Ensure matrix-mautrix-telegram.service doesn't exist + file: + path: "{{ role_path }}/templates/systemd/matrix-mautrix-telegram.service.j2" + state: absent + when: "not matrix_mautrix_telegram_enabled" diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index 0f8ff44c..3158c0fb 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -33,3 +33,7 @@ - name: Ensure matrix-corporal autoruns and is restarted service: name=matrix-corporal enabled=yes state=restarted daemon_reload=yes when: matrix_corporal_enabled + +- name: Ensure matrix-mautrix-telegram autoruns and is restarted + service: name=matrix-mautrix-telegram enabled=yes state=restarted daemon_reload=yes + when: matrix_mautrix_telegram_enabled diff --git a/roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 b/roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 new file mode 100644 index 00000000..11c80125 --- /dev/null +++ b/roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 @@ -0,0 +1,273 @@ +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: https://{{ hostname_matrix }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ hostname_identity }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://matrix-mautrix-telegram:8080 + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are fully supported. + # Other DBMSes supported by SQLAlchemy may or may not work. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:///mautrix-telegram.db + + # Public part of web server for out-of-Matrix interaction with the bridge. + # Used for things like login if the user wants to make sure the 2FA password isn't stored in + # the HS database. + public: + # Whether or not the public-facing endpoints should be enabled. + enabled: true + # The prefix to use in the public-facing endpoints. + prefix: /public + # The base URL where the public-facing endpoints are available. The prefix is not added + # implicitly. + external: https://{{ hostname_matrix }}/public + + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like Dimension (https://dimension.t2bot.io/). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: false + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + + # The unique ID of this appservice. + id: telegram + # Username of the appservice bot. + bot_username: telegrambot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Telegram bridge bot + bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" + +# Bridge config +bridge: + # Localpart template of MXIDs for Telegram users. + # {userid} is replaced with the user ID of the Telegram user. + username_template: "telegram_{userid}" + # Localpart template of room aliases for Telegram portal rooms. + # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} ) + alias_template: "telegram_{groupname}" + # Displayname template for Telegram users. + # {displayname} is replaced with the display name of the Telegram user. + displayname_template: "{displayname} (Telegram)" + + # Set the preferred order of user identifiers which to use in the Matrix puppet display name. + # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user + # ID is used. + # + # If the bridge is working properly, a phone number or an username should always be known, but + # the other one can very well be empty. + # + # Valid keys: + # "full name" (First and/or last name) + # "full name reversed" (Last and/or first name) + # "first name" + # "last name" + # "username" + # "phone number" + displayname_preference: + - full name + - username + - phone number + + # Show message editing as a reply to the original message. + # If this is false, message edits are not shown at all, as Matrix does not support editing yet. + edits_as_replies: false + # Highlight changed/added parts in edits. Requires lxml. + highlight_edits: false + # Whether or not Matrix bot messages (type m.notice) should be bridged. + bridge_notices: true + # Whether to bridge Telegram bot messages as m.notices or m.texts. + bot_messages_as_notices: true + # Maximum number of members to sync per portal when starting up. Other members will be + # synced when they send messages. The maximum is 10000, after which the Telegram server + # will not send any more members. + # Defaults to no local limit (-> limited to 10000 by server) + max_initial_member_sync: -1 + # Whether or not to sync the member list in channels. + # If no channel admins have logged into the bridge, the bridge won't be able to sync the member + # list regardless of this setting. + sync_channel_members: true + # The maximum number of simultaneous Telegram deletions to handle. + # A large number of simultaneous redactions could put strain on your homeserver. + max_telegram_delete: 10 + # Allow logging in within Matrix. If false, the only way to log in is using the out-of-Matrix + # login website (see appservice.public config section) + allow_matrix_login: true + # Use inline images instead of m.image to make rich captions possible. + # N.B. Inline images are not supported on all clients (e.g. Riot iOS). + inline_images: true + # Whether or not to bridge plaintext highlights. + # Only enable this if your displayname_template has some static part that the bridge can use to + # reliably identify what is a plaintext highlight. + plaintext_highlights: false + # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix. + public_portals: true + # Whether to send stickers as the new native m.sticker type or normal m.images. + # Old versions of Riot don't support the new type at all. + # Remember that proper sticker support always requires Pillow to convert webp into png. + native_stickers: true + # Whether or not to fetch and handle Telegram updates at startup from the time the bridge was down. + # WARNING: Probably buggy, might get stuck in infinite loop. + catch_up: false + # Whether or not to use /sync to get presence, read receipts and typing notifications when using + # your own Matrix account as the Matrix puppet for your Telegram account. + sync_with_custom_puppets: true + + # Some config options related to Telegram message deduplication. + # The default values are usually fine, but some debug messages/warnings might recommend you + # change these. + deduplication: + # Whether or not to check the database if the message about to be sent is a duplicate. + pre_db_check: false + # The number of latest events to keep when checking for duplicates. + # You might need to increase this on high-traffic bridge instances. + cache_queue_length: 20 + + # The formats to use when sending messages to Telegram via the relay bot. + # + # Telegram doesn't have built-in emotes, so the m.emote format is also used for non-relaybot users. + # + # Available variables: + # $sender_displayname - The display name of the sender (e.g. Example User) + # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) + # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com) + # $message - The message content as HTML + message_formats: + m.text: "$sender_displayname: $message" + m.emote: "* $sender_displayname $message" + m.file: "$sender_displayname sent a file: $message" + m.image: "$sender_displayname sent an image: $message" + m.audio: "$sender_displayname sent an audio file: $message" + m.video: "$sender_displayname sent a video: $message" + m.location: "$sender_displayname sent a location: $message" + + # The formats to use when sending state events to Telegram via the relay bot. + # + # Variables from `message_formats` that have the `sender_` prefix are available without the prefix. + # In name_change events, `$prev_displayname` is the previous displayname. + # + # Set format to an empty string to disable the messages for that event. + state_event_formats: + join: "$displayname joined the room." + leave: "$displayname left the room." + name_change: "$prev_displayname changed their name to $displayname" + + # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and + # `filter-mode` management commands. + # + # Filters do not affect direct chats. + # An empty blacklist will essentially disable the filter. + filter: + # Filter mode to use. Either "blacklist" or "whitelist". + # If the mode is "blacklist", the listed chats will never be bridged. + # If the mode is "whitelist", only the listed chats can be bridged. + mode: blacklist + # The list of group/channel IDs to filter. + list: [] + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!tg" + + # Permissions for using the bridge. + # Permitted values: + # relaybot - Only use the bridge via the relaybot, no access to commands. + # user - Relaybot level + access to commands to create bridges. + # puppeting - User level + logging in with a Telegram account. + # full - Full access to use the bridge, i.e. previous levels + Matrix login. + # admin - Full access to use the bridge and some extra administration commands. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "*": "puppeting" + + # Options related to the message relay Telegram bot. + relaybot: + # Whether or not to allow creating portals from Telegram. + authless_portals: false + # Whether or not to allow Telegram group admins to use the bot commands. + whitelist_group_admins: false + # Whether or not to ignore incoming events sent by the relay bot. + ignore_own_incoming_events: true + # List of usernames/user IDs who are also allowed to use the bot commands. + whitelist: + - myusername + - 12345678 + +# Telegram config +telegram: + # Get your own API keys at https://my.telegram.org/apps + api_id: {{ matrix_mautrix_telegram_api_id }} + api_hash: {{ matrix_mautrix_telegram_api_hash }} + # (Optional) Create your own bot at https://t.me/BotFather + bot_token: disabled + # Telethon proxy configuration. + # You must install PySocks from pip for proxies to work. + proxy: + # Allowed types: disabled, socks4, socks5, http + type: disabled + # Proxy IP address and port. + address: 127.0.0.1 + port: 1080 + # Whether or not to perform DNS resolving remotely. + rdns: true + # Proxy authentication (optional). + username: "" + password: "" + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + precise: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: ./mautrix-telegram.log + maxBytes: 10485760 + backupCount: 10 + console: + class: logging.StreamHandler + formatter: precise + loggers: + mau: + level: DEBUG + telethon: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [file, console] diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index f29ea692..659fd740 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -461,7 +461,7 @@ room_invite_state_types: # A list of application service config file to use -app_service_config_files: [] +app_service_config_files: {{ matrix_synapse_app_service_config_files }} macaroon_secret_key: "{{ matrix_synapse_macaroon_secret_key }}" diff --git a/roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 new file mode 100644 index 00000000..99a47ee6 --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -0,0 +1,23 @@ +[Unit] +Description=Matrix Mautrix Telegram server +After=docker.service +Requires=docker.service +Requires=matrix-synapse.service +After=matrix-synapse.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-mautrix-telegram +ExecStartPre=-/usr/bin/docker rm matrix-mautrix-telegram +ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \ + -e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \ + --network={{ matrix_docker_network }} \ + -v {{ matrix_mautrix_telegram_base_path }}:/data:z \ + {{ matrix_docker_image_mautrix_telegram }} +ExecStop=-/usr/bin/docker kill matrix-mautrix-telegram +ExecStop=-/usr/bin/docker rm matrix-mautrix-telegram +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target From 45fb2df43f26f5740a9063a19942ca5a520211e1 Mon Sep 17 00:00:00 2001 From: Hugues Morisset Date: Sun, 2 Sep 2018 16:05:14 +0200 Subject: [PATCH 0132/2384] Fix some problem with permissions Fix typo Move mautrix variable in `defaults/main.yml` exclusively --- examples/host-vars.yml | 6 ------ roles/matrix-server/defaults/main.yml | 7 +++++-- .../tasks/setup_synapse_ext_mautrix_telegram.yml | 7 +++++-- .../templates/mautrix-telegram/config.yaml.j2 | 3 ++- 4 files changed, 12 insertions(+), 11 deletions(-) diff --git a/examples/host-vars.yml b/examples/host-vars.yml index c5b82c8b..d0d1a41e 100644 --- a/examples/host-vars.yml +++ b/examples/host-vars.yml @@ -26,9 +26,3 @@ matrix_coturn_turn_static_auth_secret: "" # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_synapse_macaroon_secret_key: "" -# Mautrix telegram -# Enable telegram bridge -matrix_mautrix_telegram_enabled: false -# Get your own API keys at https://my.telegram.org/apps -matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID -matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 19d8f59f..579df268 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -86,7 +86,7 @@ matrix_synapse_additional_loggers: [] # A list of service config files # This list gets populated dynamically based on Synapse extensions that have been enabled. -# Conatains fs paths +# Contains fs paths matrix_synapse_app_service_config_files: [] # This is set dynamically during execution depending on whether @@ -219,9 +219,12 @@ matrix_riot_web_enabled: true matrix_riot_web_default_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}" - # Matrix mautrix is a Matrix <-> Telegram bridge +# Enable telegram bridge matrix_mautrix_telegram_enabled: false +# Get your own API keys at https://my.telegram.org/apps +matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID +matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH # By default, this playbook sets up its own nginx proxy server on port 80/443. diff --git a/roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml b/roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml index d0b1ec47..91882a8c 100644 --- a/roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml +++ b/roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml @@ -14,6 +14,9 @@ group: "{{ matrix_user_username }}" when: "matrix_mautrix_telegram_enabled" +- stat: "path={{ matrix_mautrix_telegram_base_path }}/config.yaml" + register: mautrix_config_file + - name: Ensure Matrix Mautrix telegram config installed template: src: "{{ role_path }}/templates/mautrix-telegram/config.yaml.j2" @@ -21,7 +24,7 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" - when: "matrix_mautrix_telegram_enabled" + when: "matrix_mautrix_telegram_enabled and mautrix_config_file.stat.exists == False" - name: Ensure matrix-mautrix-telegram.service installed template: @@ -60,6 +63,6 @@ - name: Ensure matrix-mautrix-telegram.service doesn't exist file: - path: "{{ role_path }}/templates/systemd/matrix-mautrix-telegram.service.j2" + path: "{{ role_path }}/templates/systemd/matrix-mautrix-telegram.service" state: absent when: "not matrix_mautrix_telegram_enabled" diff --git a/roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 b/roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 index 11c80125..2f4afd55 100644 --- a/roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 +++ b/roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 @@ -206,7 +206,8 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - "*": "puppeting" + '{{ hostname_identity }}': puppeting + '*': relaybot # Options related to the message relay Telegram bot. relaybot: From 3cd7f097eb92ca24cae9cd903c30d6a695fc0e13 Mon Sep 17 00:00:00 2001 From: Hugues Morisset Date: Sun, 2 Sep 2018 16:14:14 +0200 Subject: [PATCH 0133/2384] Add small doc on Mautrix Telegram --- docs/configuring-playbook-bridge-mautrix-telegram.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mautrix-telegram.md diff --git a/docs/configuring-playbook-bridge-mautrix-telegram.md b/docs/configuring-playbook-bridge-mautrix-telegram.md new file mode 100644 index 00000000..95a77e21 --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-telegram.md @@ -0,0 +1,5 @@ +# Setting up Mautrix Telegram + +The playbook can install and configure [mautrix-telegram](https://github.com/tulir/mautrix-telegram) for you. + +See that project's [documentation](https://github.com/tulir/mautrix-telegram/wiki#usage) to learn what it does and why it might be useful to you. From 6ef934a416b6fdda6b2988d7d19b4bd8b1d3ff66 Mon Sep 17 00:00:00 2001 From: Hugues Morisset Date: Mon, 3 Sep 2018 10:27:26 +0200 Subject: [PATCH 0134/2384] Mautrix telegram minimum config variable requirement --- docs/configuring-playbook-bridge-mautrix-telegram.md | 7 +++++++ .../tasks/setup_synapse_ext_mautrix_telegram.yml | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-mautrix-telegram.md b/docs/configuring-playbook-bridge-mautrix-telegram.md index 95a77e21..175a9b4b 100644 --- a/docs/configuring-playbook-bridge-mautrix-telegram.md +++ b/docs/configuring-playbook-bridge-mautrix-telegram.md @@ -3,3 +3,10 @@ The playbook can install and configure [mautrix-telegram](https://github.com/tulir/mautrix-telegram) for you. See that project's [documentation](https://github.com/tulir/mautrix-telegram/wiki#usage) to learn what it does and why it might be useful to you. + +You'll need to obtain API keys from `https://my.telegram.org/apps` and then use the following playbook configuration: +``` +matrix_mautrix_telegram_enabled: true +matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID +matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH +``` diff --git a/roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml b/roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml index 91882a8c..b4719274 100644 --- a/roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml +++ b/roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml @@ -63,6 +63,6 @@ - name: Ensure matrix-mautrix-telegram.service doesn't exist file: - path: "{{ role_path }}/templates/systemd/matrix-mautrix-telegram.service" + path: "/etc/systemd/system/matrix-mautrix-telegram.service" state: absent when: "not matrix_mautrix_telegram_enabled" From 620553e408257315e134cdbeb8132b4c906a2217 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Sep 2018 23:35:04 +0300 Subject: [PATCH 0135/2384] Update README --- CHANGELOG.md | 7 +++++++ docs/configuring-playbook.md | 4 +++- roles/matrix-server/defaults/main.yml | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index be1364ea..222df8c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # 2018-09-07 +## Mautrix Telegram bridging support + +The playbook now supports bridging with [Telegram](https://telegram.org/) by installing the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge. This playbook functionality is available thanks to [@izissise](https://github.com/izissise). + +Additional details are available in [Setting up Mautrix Telegram bridging](docs/configuring-playbook-bridge-mautrix-telegram.md). + + ## Events cache size increase and configurability for Matrix Synapse The playbook now lets you configure Matrix Synapse's `event_cache_size` configuration via the `matrix_synapse_event_cache_size` playbook variable. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index fe71eeb6..6ea515d6 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -37,4 +37,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) (optional) -- [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional) \ No newline at end of file +- [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional) + +- [Setting up Mautrix Telegram bridging](configuring-playbook-bridge-mautrix-telegram.md) (optional) \ No newline at end of file diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 579df268..033e859f 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -121,7 +121,7 @@ matrix_docker_image_postgres_v9: "postgres:9.6.10-alpine" matrix_docker_image_postgres_v10: "postgres:10.5-alpine" matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" -matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.3.1" +matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.4" matrix_docker_image_nginx: "nginx:1.15.3-alpine" matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.3" matrix_docker_image_goofys: "cloudproto/goofys:latest" From 2c3ce0f7269f54938639c09ceb4df743f3472775 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Sep 2018 10:21:09 +0300 Subject: [PATCH 0136/2384] Update README --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 9927bad7..6d161b6f 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [Matrix Corporal](https://github.com/devture/matrix-corporal) reconciliator and gateway for a managed Matrix server +- (optional) the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/) + Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. @@ -96,6 +98,8 @@ This playbook sets up your server using the following Docker images: - [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) - the [certbot](https://certbot.eff.org/) tool for obtaining SSL certificates from [Let's Encrypt](https://letsencrypt.org/) +- [tulir/mautrix-telegram](https://hub.docker.com/r/tulir/mautrix-telegram/) - the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge to [Telegram](https://telegram.org/) (optional) + ## Deficiencies From 21916c1a3c67d79ffd7de6048676913618c51d3d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Sep 2018 11:19:39 +0300 Subject: [PATCH 0137/2384] Update matrix-corporal (1.1 -> 1.1.1) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 033e859f..00e4cf75 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -193,7 +193,7 @@ matrix_mxisd_template_config: "{{ role_path }}/templates/mxisd/mxisd.yaml.j2" # See: https://github.com/devture/matrix-corporal matrix_corporal_enabled: false -matrix_corporal_docker_image: "devture/matrix-corporal:1.1" +matrix_corporal_docker_image: "devture/matrix-corporal:1.1.1" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" From 5ea4917d5923cd79d272acb33e581c20e174473e Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 8 Sep 2018 14:38:29 -0500 Subject: [PATCH 0138/2384] Fix link to using external PostgreSQL in README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6d161b6f..f6492a8b 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ Using this playbook, you can get the following services configured on your serve - (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for your Matrix Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys) -- (optional default) [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse. [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) is also possible. +- (optional default) [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. - a [coturn](https://github.com/coturn/coturn) STUN/TURN server for WebRTC audio/video calls From a3765f89cdb1768775ce5a012bfe1a10e124aff7 Mon Sep 17 00:00:00 2001 From: Devr Date: Sat, 8 Sep 2018 16:23:34 -0500 Subject: [PATCH 0139/2384] Update installing.md --- docs/installing.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/installing.md b/docs/installing.md index e6a33f6f..b8e4ac08 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -1,6 +1,6 @@ # Installing -If you've [configured your DNS](configuring-dns.md) and have [configured the playbook](configuring-playook.md), you can start the installation procedure. +If you've [configured your DNS](configuring-dns.md) and have [configured the playbook](configuring-playbook.md), you can start the installation procedure. Run this as-is to set up a server: @@ -30,4 +30,4 @@ When you're ready to start the Matrix services (and set them up to auto-start in ansible-playbook -i inventory/hosts setup.yml --tags=start ``` -Now that the services are running, you might want to [create your first user account](registering-users.md) \ No newline at end of file +Now that the services are running, you might want to [create your first user account](registering-users.md) From 8bbb6f0c604598db07863f10a865aa2b4da9806a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 12 Sep 2018 20:04:15 +0300 Subject: [PATCH 0140/2384] Update dependencies --- roles/matrix-server/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 00e4cf75..954136be 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -123,7 +123,7 @@ matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.4" matrix_docker_image_nginx: "nginx:1.15.3-alpine" -matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.3" +matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.4" matrix_docker_image_goofys: "cloudproto/goofys:latest" matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.7" matrix_docker_image_mailer: "panubo/postfix:latest" @@ -243,7 +243,7 @@ matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" matrix_ssl_support_email: "{{ host_specific_matrix_ssl_support_email }}" -matrix_ssl_certbot_docker_image: "certbot/certbot:v0.27.0" +matrix_ssl_certbot_docker_image: "certbot/certbot:v0.27.1" matrix_ssl_certbot_standalone_http_port: 2402 matrix_ssl_use_staging: false From 2446b4845c9feaf5f4f12cddee69b2df895e2ec2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 15 Sep 2018 11:50:02 +0300 Subject: [PATCH 0141/2384] Update matrix-corporal dependency --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 954136be..f559e0a7 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -193,7 +193,7 @@ matrix_mxisd_template_config: "{{ role_path }}/templates/mxisd/mxisd.yaml.j2" # See: https://github.com/devture/matrix-corporal matrix_corporal_enabled: false -matrix_corporal_docker_image: "devture/matrix-corporal:1.1.1" +matrix_corporal_docker_image: "devture/matrix-corporal:1.2" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" From 3fed0ec594a587188c3c3cb0e9eee67a3bfa99d7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 17 Sep 2018 08:18:15 +0300 Subject: [PATCH 0142/2384] Remove now-useless file --- roles/matrix-server/templates/s3fs-credentials.j2 | 1 - 1 file changed, 1 deletion(-) delete mode 100644 roles/matrix-server/templates/s3fs-credentials.j2 diff --git a/roles/matrix-server/templates/s3fs-credentials.j2 b/roles/matrix-server/templates/s3fs-credentials.j2 deleted file mode 100644 index 51e9365f..00000000 --- a/roles/matrix-server/templates/s3fs-credentials.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ matrix_s3_media_store_aws_access_key }}:{{ matrix_s3_media_store_aws_secret_key }} \ No newline at end of file From 4f4850801484f7dd36700701572e95d5013b0ee6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 17 Sep 2018 08:24:35 +0300 Subject: [PATCH 0143/2384] Rename variable (matrix_nginx_riot_web_data_path -> matrix_riot_web_data_path) --- CHANGELOG.md | 9 +++++++++ roles/matrix-server/defaults/main.yml | 11 +++++------ roles/matrix-server/tasks/setup_riot_web.yml | 6 +++--- .../templates/systemd/matrix-riot-web.service.j2 | 4 ++-- 4 files changed, 19 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 222df8c4..2681ef78 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2018-09-17 + +## (BC Break) Renaming playbook variables + +The following playbook variables were renamed: + +- from `matrix_nginx_riot_web_data_path` to `matrix_riot_web_data_path` + + # 2018-09-07 ## Mautrix Telegram bridging support diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index f559e0a7..9268f39a 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -111,7 +111,7 @@ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" -matrix_nginx_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" +matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" @@ -238,6 +238,10 @@ matrix_nginx_proxy_enabled: true matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008" matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008" +# Specifies when to reload the matrix-nginx-proxy service so that +# a new SSL certificate could go into effect. +matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" + matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" @@ -249,8 +253,3 @@ matrix_ssl_use_staging: false # Specifies when to attempt to retrieve new SSL certificates from Let's Encrypt. matrix_ssl_renew_cron_time_definition: "15 4 */5 * *" - - -# Specifies when to reload the matrix-nginx-proxy service so that -# a new SSL certificate could go into effect. -matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" diff --git a/roles/matrix-server/tasks/setup_riot_web.yml b/roles/matrix-server/tasks/setup_riot_web.yml index ab67a4c0..58f864db 100644 --- a/roles/matrix-server/tasks/setup_riot_web.yml +++ b/roles/matrix-server/tasks/setup_riot_web.yml @@ -6,7 +6,7 @@ - name: Ensure Matrix riot-web path exists file: - path: "{{ matrix_nginx_riot_web_data_path }}" + path: "{{ matrix_riot_web_data_path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" @@ -21,7 +21,7 @@ - name: Ensure Matrix riot-web configured template: src: "{{ role_path }}/templates/riot-web/{{ item }}.j2" - dest: "{{ matrix_nginx_riot_web_data_path }}/{{ item }}" + dest: "{{ matrix_riot_web_data_path }}/{{ item }}" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" @@ -58,7 +58,7 @@ - name: Ensure Matrix riot-web paths doesn't exist file: - path: "{{ matrix_nginx_riot_web_data_path }}" + path: "{{ matrix_riot_web_data_path }}" state: absent when: "not matrix_riot_web_enabled" diff --git a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 index 07c0b7c7..d8e8d9be 100644 --- a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 @@ -9,8 +9,8 @@ ExecStartPre=-/usr/bin/docker kill matrix-riot-web ExecStartPre=-/usr/bin/docker rm matrix-riot-web ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - -v {{ matrix_nginx_riot_web_data_path }}/config.json:/riot-web/webapp/config.json:ro \ - -v {{ matrix_nginx_riot_web_data_path }}/riot.im.conf:/data/riot.im.conf:ro \ + -v {{ matrix_riot_web_data_path }}/config.json:/riot-web/webapp/config.json:ro \ + -v {{ matrix_riot_web_data_path }}/riot.im.conf:/data/riot.im.conf:ro \ --network={{ matrix_docker_network }} \ {% if not matrix_nginx_proxy_enabled %} -p 127.0.0.1:8765:8765 \ From 38e3ffa29c958ebd02d8180476f10d914fef19df Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 17 Sep 2018 08:43:54 +0300 Subject: [PATCH 0144/2384] Rename variable (matrix_riot_web_default_identity_server_url -> matrix_identity_server_url) --- CHANGELOG.md | 1 + roles/matrix-server/defaults/main.yml | 3 ++- roles/matrix-server/templates/riot-web/config.json.j2 | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2681ef78..0d6a622e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ The following playbook variables were renamed: - from `matrix_nginx_riot_web_data_path` to `matrix_riot_web_data_path` +- from `matrix_riot_web_default_identity_server_url` to `matrix_identity_server_url` # 2018-09-07 diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 9268f39a..dc4371e2 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -217,7 +217,8 @@ matrix_corporal_debug: false # you may wish to disable this. matrix_riot_web_enabled: true -matrix_riot_web_default_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}" +matrix_homeserver_url: "https://{{ hostname_matrix }}" +matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}" # Matrix mautrix is a Matrix <-> Telegram bridge # Enable telegram bridge diff --git a/roles/matrix-server/templates/riot-web/config.json.j2 b/roles/matrix-server/templates/riot-web/config.json.j2 index abb7f0e1..ffc356dd 100644 --- a/roles/matrix-server/templates/riot-web/config.json.j2 +++ b/roles/matrix-server/templates/riot-web/config.json.j2 @@ -1,6 +1,6 @@ { - "default_hs_url": "https://{{ hostname_matrix }}", - "default_is_url": "{{ matrix_riot_web_default_identity_server_url }}", + "default_hs_url": "{{ matrix_homeserver_url }}", + "default_is_url": "{{ matrix_identity_server_url }}", "disable_custom_urls": true, "disable_guests": false, "brand": "Riot", From 0d0ccde286ac395d58c4457d724de76722d103e0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 17 Sep 2018 10:51:46 +0300 Subject: [PATCH 0145/2384] Add Service Discovery (/.well-known/matrix/client) support --- CHANGELOG.md | 7 ++ docs/README.md | 2 + docs/configuring-playbook-own-webserver.md | 6 +- docs/configuring-well-known.md | 78 +++++++++++++++++++ docs/installing.md | 9 ++- docs/registering-users.md | 8 +- roles/matrix-server/defaults/main.yml | 1 + roles/matrix-server/tasks/main.yml | 8 ++ .../matrix-server/tasks/setup_well_known.yml | 24 ++++++ .../nginx-conf.d/matrix-synapse.conf.j2 | 6 ++ .../systemd/matrix-nginx-proxy.service.j2 | 1 + .../templates/well-known/matrix-client.j2 | 8 ++ 12 files changed, 153 insertions(+), 5 deletions(-) create mode 100644 docs/configuring-well-known.md create mode 100644 roles/matrix-server/tasks/setup_well_known.yml create mode 100644 roles/matrix-server/templates/well-known/matrix-client.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 0d6a622e..a688911e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # 2018-09-17 +## Service discovery support + +The playbook now helps you set up [service discovery](https://matrix.org/docs/spec/client_server/r0.4.0.html#server-discovery) using a `/.well-known/matrix/client` file. + +Additional details are available in [Configuring service discovery via .well-known](docs/configuring-well-known.md). + + ## (BC Break) Renaming playbook variables The following playbook variables were renamed: diff --git a/docs/README.md b/docs/README.md index 621644b5..e56affaf 100644 --- a/docs/README.md +++ b/docs/README.md @@ -10,6 +10,8 @@ - [Registering users](registering-users.md) +- [Configuring service discovery via .well-known](configuring-well-known.md) + - [Maintenance / upgrading services](maintenance-upgrading-services.md) - [Maintenance / upgrading PostgreSQL](maintenance-upgrading-postgres.md) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 112e8918..437cba69 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -6,7 +6,11 @@ If that's alright, you can skip this. If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that, and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can. -All it takes is editing your configuration file (`inventory/matrix./vars.yml`): +All it takes is: + +1) making sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx` + +2) editing your configuration file (`inventory/matrix./vars.yml`): ``` matrix_nginx_proxy_enabled: false diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md new file mode 100644 index 00000000..62adcf51 --- /dev/null +++ b/docs/configuring-well-known.md @@ -0,0 +1,78 @@ +# Configuring service discovery via .well-known + + +## Introduction + +Service discovery lets various client programs which support it, to receive a full user id (e.g. `@username:example.com`) and determine where the Matrix server is automatically (e.g. `https://matrix.example.com`). + +This lets your users easily connect to your Matrix server without having to customize connection URLs. + +As [per the specification](https://matrix.org/docs/spec/client_server/r0.4.0.html#server-discovery) Matrix does service discovery using a `/.well-known/matrix/client` file hosted on the base domain (e.g. `example.com`). + +However, this playbook installs your Matrix server on another domain (e.g. `matrix.example.com`) and not on the base domain (e.g. `example.com`), so it takes a little extra manual effort to set up the file. + + +## Prerequisites + +To implement service discovery, your base domain's server (e.g. `example.com`) needs to support HTTPS. + + +## Setting it up + +To make things easy for you to set up, this playbook generates and hosts the well-known file on the Matrix domain's server (e.g. `https://matrix.example.com/.well-known/matrix/client`), even though this is the wrong place to host it. + +You have 2 options when it comes to installing the file on the base domain's server: + +1) (Option 1): **Copying the file manually** to your base domain's server + +All it takes is copying the `/.well-known/matrix/client` from the Matrix server (e.g. `matrix.example.com`) to your base domain's server (`example.com`). + +This is easy to do and possibly your only choice if you can only host static files from the base domain's server. +It is, however, a little fragile, as future updates performed by this playbook may regenerate the well-known file and you may need to notice that and copy it again. + +2) (Option 2): **Setting up reverse-proxying** of the well-known file from the base domain's server to the Matrix server. + +This option is less fragile and generally better. + +On the base domain's server (e.g. `example.com`), you can set up reverse-proxying, so that any access for the `/.well-known/matrix` location prefix is forwarded to the Matrix domain's server (e.g. `matrix.example.com`). + +**For nginx**, it would be something like this: + +```nginx +# This is your HTTPS-enabled server for DOMAIN. +server { + server_name DOMAIN; + + location /.well-known/matrix { + proxy_pass https://matrix.DOMAIN/.well-known/matrix; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # other configuration +} +``` + +**For Apache**, it would be something like this: + +```apache + + ServerName DOMAIN + + SSLProxyEngine on + + ProxyPass "https://matrix.DOMAIN/.well-known/matrix" + + + # other configuration + +``` + +Make sure to: + +- **replace `DOMAIN`** in the server configuration with your actual domain name +- and: to **do this for the HTTPS-enabled server block**, as that's where Matrix expects the file to be + + +## Confirming it works + +No matter which method you've used to set up the well-known file, if you've done it correctly you should be able to see a JSON file at a URL like this: `https://matrix./.well-known/matrix/client`. \ No newline at end of file diff --git a/docs/installing.md b/docs/installing.md index b8e4ac08..74434722 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -13,7 +13,7 @@ This **doesn't start any services just yet** (another step does this later - bel Feel free to **re-run this any time** you think something is off with the server configuration. -# Things you might want to do after installing +## Things you might want to do after installing After installing, but before starting the services, you may want to do additional things like: @@ -22,7 +22,7 @@ After installing, but before starting the services, you may want to do additiona - [Restoring `media_store` data files from an existing installation](restoring-media-store.md) (optional) -# Starting the services +## Starting the services When you're ready to start the Matrix services (and set them up to auto-start in the future): @@ -30,4 +30,7 @@ When you're ready to start the Matrix services (and set them up to auto-start in ansible-playbook -i inventory/hosts setup.yml --tags=start ``` -Now that the services are running, you might want to [create your first user account](registering-users.md) +Now that the services are running, you might want to: + +- [create your first user account](registering-users.md) +- or **finalize the installation process** by [Configuring service discovery via .well-known](configuring-well-known.md) \ No newline at end of file diff --git a/docs/registering-users.md b/docs/registering-users.md index 99105285..b934a55a 100644 --- a/docs/registering-users.md +++ b/docs/registering-users.md @@ -10,4 +10,10 @@ You can do it via this Ansible playbook (make sure to edit the `` /usr/local/bin/matrix-synapse-register-user -**Note**: `` is just a plain username (like `john`), not your full `@:` identifier. \ No newline at end of file +**Note**: `` is just a plain username (like `john`), not your full `@:` identifier. + +**You can then log in with that user** via the riot-web service that this playbook has created for you at a URL like this: `https://riot./`. + +----- + +If you've just installed Matrix, **to finalize the installation process**, it's best if you proceed to [Configuring service discovery via .well-known](configuring-well-known.md) \ No newline at end of file diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index dc4371e2..7a8559a6 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -116,6 +116,7 @@ matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" +matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" matrix_docker_image_postgres_v9: "postgres:9.6.10-alpine" matrix_docker_image_postgres_v10: "postgres:10.5-alpine" diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 01f5832b..36346512 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -58,10 +58,18 @@ - setup-all - setup-riot-web +- include: tasks/setup_well_known.yml + tags: + - setup-mxisd + - setup-synapse + - setup-nginx-proxy + - setup-well-known + - include: tasks/setup_nginx_proxy.yml tags: - setup-all - setup-nginx-proxy + - setup-well-known - include: tasks/start.yml tags: diff --git a/roles/matrix-server/tasks/setup_well_known.yml b/roles/matrix-server/tasks/setup_well_known.yml new file mode 100644 index 00000000..d6c4eebd --- /dev/null +++ b/roles/matrix-server/tasks/setup_well_known.yml @@ -0,0 +1,24 @@ +- set_fact: + matrix_well_known_file_path: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" + +# We need others to be able to read these directories too, +# so that matrix-nginx-proxy's nginx user can access the files. +# +# For running with another webserver, we recommend being part of the `matrix` group. +- name: Ensure Matrix static-files path exists + file: + path: "{{ item }}" + state: directory + mode: 0755 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_well_known_file_path|dirname }}" + +- name: Ensure Matrix /.well-known/matrix/client configured + template: + src: "{{ role_path }}/templates/well-known/matrix-client.j2" + dest: "{{ matrix_well_known_file_path }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" \ No newline at end of file diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index f7ff6255..c5b537ec 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -39,6 +39,12 @@ server { ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + location /.well-known/matrix/client { + root {{ matrix_static_files_base_path }}; + expires 1m; + default_type application/json; + } + {% if matrix_corporal_enabled and matrix_corporal_http_api_enabled %} location /_matrix/corporal { {% if matrix_nginx_proxy_enabled %} diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index 82a7bedf..ef5067f6 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -23,6 +23,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ -p 443:443 \ -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ -v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \ + -v {{ matrix_static_files_base_path }}:{{ matrix_static_files_base_path }}:ro \ {{ matrix_docker_image_nginx }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy ExecStop=-/usr/bin/docker rm matrix-nginx-proxy diff --git a/roles/matrix-server/templates/well-known/matrix-client.j2 b/roles/matrix-server/templates/well-known/matrix-client.j2 new file mode 100644 index 00000000..e3b0d767 --- /dev/null +++ b/roles/matrix-server/templates/well-known/matrix-client.j2 @@ -0,0 +1,8 @@ +{ + "m.homeserver": { + "base_url": "{{ matrix_homeserver_url }}" + }, + "m.identity_server": { + "base_url": "{{ matrix_identity_server_url }}" + } +} From 2df4349606a3e38f75dfddb1360335e49bf94752 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 20 Sep 2018 09:25:00 +0300 Subject: [PATCH 0146/2384] Fix matrix-corporal nginx configuration trouble in certain conditions If the playbook were to run with `--tags=setup-nginx-proxy`, it wouldn't go into `setup_corporal.yml`, which meant it wouldn't perform a bunch of `set_fact` calls which override important nginx proxy configuration. We run these variable overrides on each call now (tagged with `always`) to avoid such problems in the future. --- roles/matrix-server/tasks/main.yml | 4 ++++ roles/matrix-server/tasks/setup_corporal.yml | 7 ++----- .../matrix-server/tasks/setup_corporal_overrides.yml | 11 +++++++++++ 3 files changed, 17 insertions(+), 5 deletions(-) create mode 100644 roles/matrix-server/tasks/setup_corporal_overrides.yml diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 36346512..5975a2fc 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -42,6 +42,10 @@ - setup-all - setup-mxisd +- include: tasks/setup_corporal_overrides.yml + tags: + - always + - include: tasks/setup_corporal.yml tags: - setup-all diff --git a/roles/matrix-server/tasks/setup_corporal.yml b/roles/matrix-server/tasks/setup_corporal.yml index f2729a1e..db3edc1c 100644 --- a/roles/matrix-server/tasks/setup_corporal.yml +++ b/roles/matrix-server/tasks/setup_corporal.yml @@ -19,11 +19,8 @@ msg: "The Matrix Corporal policy provider configuration has not been set in matrix_corporal_policy_provider_config" when: "matrix_corporal_enabled and matrix_corporal_policy_provider_config == ''" -- name: Override configuration specifying where the Matrix Client API is - set_fact: - matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080" - matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080" - when: "matrix_corporal_enabled" +# There are some additional initialization tasks in setup_corporal_overrides.yml, +# which need to always run, no matter what tag the playbook is running with. - name: Ensure Matrix Corporal paths exist file: diff --git a/roles/matrix-server/tasks/setup_corporal_overrides.yml b/roles/matrix-server/tasks/setup_corporal_overrides.yml new file mode 100644 index 00000000..a410f801 --- /dev/null +++ b/roles/matrix-server/tasks/setup_corporal_overrides.yml @@ -0,0 +1,11 @@ +# These overrides run with the `always` tag, +# because they're important not only for the `setup-corporal` tag, but for other tags too. +# +# We want an nginx-proxy rebuild (`--tags=setup-nginx-proxy`) to also go through here +# and be affected by these overrides. + +- name: Override configuration specifying where the Matrix Client API is + set_fact: + matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080" + matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080" + when: "matrix_corporal_enabled" \ No newline at end of file From de5f4f7a05a55455fc25a1ed0fd2f28db7eab654 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 20 Sep 2018 10:34:11 +0300 Subject: [PATCH 0147/2384] Update matrix-corporal dependency --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 7a8559a6..e3d1973f 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -194,7 +194,7 @@ matrix_mxisd_template_config: "{{ role_path }}/templates/mxisd/mxisd.yaml.j2" # See: https://github.com/devture/matrix-corporal matrix_corporal_enabled: false -matrix_corporal_docker_image: "devture/matrix-corporal:1.2" +matrix_corporal_docker_image: "devture/matrix-corporal:1.2.1" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" From 4fbaa02bef7bf2403b6900bae469760164b911dd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 Sep 2018 08:48:30 +0300 Subject: [PATCH 0148/2384] Update Synapse (v0.33.4 -> v0.33.5.1) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index e3d1973f..9b24ae40 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -122,7 +122,7 @@ matrix_docker_image_postgres_v9: "postgres:9.6.10-alpine" matrix_docker_image_postgres_v10: "postgres:10.5-alpine" matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" -matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.4" +matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.5.1" matrix_docker_image_nginx: "nginx:1.15.3-alpine" matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.4" matrix_docker_image_goofys: "cloudproto/goofys:latest" From 161854e6d75cbd484796bdda455c23bf5f78fed7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 Sep 2018 09:11:19 +0300 Subject: [PATCH 0149/2384] Disable Docker container logging `--log-driver=none` is used for all Docker containers now. All these containers are started through systemd anyway and get logged in journald, so there's no need for Docker to be logging the same thing using the default `json-file` driver. Doing that was growing `/var/lib/docker/containers/..` infinitely until service/container restart. As a result of this, things like `docker logs matrix-synapse` won't work anymore. `journalctl -u matrix-synapse` is how one can see the logs. --- CHANGELOG.md | 11 ++++++++ .../systemd/matrix-corporal.service.j2 | 1 + .../systemd/matrix-coturn.service.j2 | 1 + .../systemd/matrix-goofys.service.j2 | 25 ++++++++++--------- .../systemd/matrix-mailer.service.j2 | 1 + .../matrix-mautrix-telegram.service.j2 | 1 + .../templates/systemd/matrix-mxisd.service.j2 | 1 + .../systemd/matrix-nginx-proxy.service.j2 | 1 + .../systemd/matrix-postgres.service.j2 | 1 + .../systemd/matrix-riot-web.service.j2 | 1 + .../systemd/matrix-synapse.service.j2 | 1 + 11 files changed, 33 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a688911e..eb406b80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2018-09-26 + +## Disabling Docker container logging + +`--log-driver=none` is used for all Docker containers now. + +All these containers are started through systemd anyway and get logged in journald, so there's no need for Docker to be logging the same thing using the default `json-file` driver. Doing that was growing `/var/lib/docker/containers/..` infinitely until service/container restart. + +As a result of this, things like `docker logs matrix-synapse` won't work anymore. `journalctl -u matrix-synapse` is how one can see the logs. + + # 2018-09-17 ## Service discovery support diff --git a/roles/matrix-server/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-server/templates/systemd/matrix-corporal.service.j2 index 2038bc98..25b02ad2 100644 --- a/roles/matrix-server/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-corporal.service.j2 @@ -10,6 +10,7 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-corporal ExecStartPre=-/usr/bin/docker rm matrix-corporal ExecStart=/usr/bin/docker run --rm --name matrix-corporal \ + --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --network={{ matrix_docker_network }} \ {% if not matrix_nginx_proxy_enabled %} diff --git a/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 index 89cffa22..e598ea21 100644 --- a/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 @@ -8,6 +8,7 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-coturn ExecStartPre=-/usr/bin/docker rm matrix-coturn ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ + --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ -p 3478:3478 \ -p 3478:3478/udp \ diff --git a/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 b/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 index 2273e3ed..ef11d5c7 100644 --- a/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 @@ -8,18 +8,19 @@ Type=simple ExecStartPre=-/usr/bin/docker kill %n ExecStartPre=-/usr/bin/docker rm %n ExecStart=/usr/bin/docker run --rm --name %n \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - -v /etc/passwd:/etc/passwd:ro \ - -v /etc/group:/etc/group:ro \ - --security-opt apparmor:unconfined \ - --cap-add mknod \ - --cap-add sys_admin \ - --device=/dev/fuse \ - -v {{ matrix_synapse_media_store_path }}:/s3:shared \ - --env-file={{ matrix_environment_variables_data_path }}/goofys \ - --entrypoint /bin/sh \ - {{ matrix_docker_image_goofys }} \ - -c 'goofys -f --storage-class=STANDARD_IA --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + -v /etc/passwd:/etc/passwd:ro \ + -v /etc/group:/etc/group:ro \ + --security-opt apparmor:unconfined \ + --cap-add mknod \ + --cap-add sys_admin \ + --device=/dev/fuse \ + -v {{ matrix_synapse_media_store_path }}:/s3:shared \ + --env-file={{ matrix_environment_variables_data_path }}/goofys \ + --entrypoint /bin/sh \ + {{ matrix_docker_image_goofys }} \ + -c 'goofys -f --storage-class=STANDARD_IA --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' TimeoutStartSec=5min ExecStop=-/usr/bin/docker stop %n ExecStop=-/usr/bin/docker kill %n diff --git a/roles/matrix-server/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-server/templates/systemd/matrix-mailer.service.j2 index 310d5502..c9eb040b 100644 --- a/roles/matrix-server/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-mailer.service.j2 @@ -8,6 +8,7 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-mailer ExecStartPre=-/usr/bin/docker rm matrix-mailer ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ + --log-driver=none \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_environment_variables_data_path }}/env-mailer \ {{ matrix_docker_image_mailer }} diff --git a/roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 index 99a47ee6..20a0bbc2 100644 --- a/roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -10,6 +10,7 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-mautrix-telegram ExecStartPre=-/usr/bin/docker rm matrix-mautrix-telegram ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \ + --log-driver=none \ -e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \ --network={{ matrix_docker_network }} \ -v {{ matrix_mautrix_telegram_base_path }}:/data:z \ diff --git a/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 index 637965c0..afbccbf0 100644 --- a/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 @@ -12,6 +12,7 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-mxisd ExecStartPre=-/usr/bin/docker rm matrix-mxisd ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ + --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --network={{ matrix_docker_network }} \ {% if not matrix_nginx_proxy_enabled %} diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index ef5067f6..a1897943 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -18,6 +18,7 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ + --log-driver=none \ --network={{ matrix_docker_network }} \ -p 80:80 \ -p 443:443 \ diff --git a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 index 1e619913..322961bf 100644 --- a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 @@ -10,6 +10,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-postgres ExecStartPre=-/usr/bin/mkdir {{ matrix_postgres_data_path }} ExecStartPre=-/usr/bin/chown {{ matrix_user_uid }}:{{ matrix_user_gid }} {{ matrix_postgres_data_path }} ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ + --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-server-docker \ diff --git a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 index d8e8d9be..36829936 100644 --- a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 @@ -8,6 +8,7 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-riot-web ExecStartPre=-/usr/bin/docker rm matrix-riot-web ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ + --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ -v {{ matrix_riot_web_data_path }}/config.json:/riot-web/webapp/config.json:ro \ -v {{ matrix_riot_web_data_path }}/riot.im.conf:/data/riot.im.conf:ro \ diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 34ee8084..8b014a6d 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -26,6 +26,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-synapse ExecStartPre=/bin/sleep 5 {% endif %} ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ + --log-driver=none \ --network={{ matrix_docker_network }} \ -p 8448:8448 \ {% if not matrix_nginx_proxy_enabled %} From 242f388af3ffedf5f66b3e9ace6e8f2ab4904405 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 27 Sep 2018 10:03:31 +0300 Subject: [PATCH 0150/2384] Make Synapse cache factor configurable --- CHANGELOG.md | 10 ++++++++++ roles/matrix-server/defaults/main.yml | 7 +++++++ roles/matrix-server/tasks/setup_synapse_main.yml | 7 +++++++ roles/matrix-server/templates/env/env-synapse.j2 | 2 ++ .../templates/systemd/matrix-synapse.service.j2 | 2 +- 5 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-server/templates/env/env-synapse.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index eb406b80..9e3bd14e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +# 2018-09-27 + +## Synapse Cache Factor made configurable + +The playbook now makes the Synapse cache factor configurable, through the playbook's `matrix_synapse_cache_factor` variable (having a default value of `0.5`). + +Changing that value allows you to potentially decrease RAM usage or to increase performance by caching more stuff. +Some information on it is available here: https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram + + # 2018-09-26 ## Disabling Docker container logging diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 9b24ae40..ab19be38 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -74,6 +74,13 @@ matrix_synapse_password_config_pepper: "" # Controls the number of events that Matrix Synapse caches in memory. matrix_synapse_event_cache_size: "100K" +# Controls cache sizes for Matrix Synapse via the SYNAPSE_CACHE_FACTOR environment variable. +# Raise this to increase cache sizes or lower it to potentially lower memory use. +# To learn more, see: +# - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram +# - https://github.com/matrix-org/synapse/issues/3939 +matrix_synapse_cache_factor: 0.5 + # A list of additional "volumes" to mount in the container. # This list gets populated dynamically based on Synapse extensions that have been enabled. # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} diff --git a/roles/matrix-server/tasks/setup_synapse_main.yml b/roles/matrix-server/tasks/setup_synapse_main.yml index 9a5169d2..ecc93b70 100644 --- a/roles/matrix-server/tasks/setup_synapse_main.yml +++ b/roles/matrix-server/tasks/setup_synapse_main.yml @@ -61,6 +61,13 @@ dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" mode: 0644 +- name: Ensure Synapse environment variables file created + template: + src: "{{ role_path }}/templates/env/env-synapse.j2" + dest: "{{ matrix_environment_variables_data_path }}/synapse" + owner: root + mode: 0600 + - name: Ensure matrix-synapse.service installed template: src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2" diff --git a/roles/matrix-server/templates/env/env-synapse.j2 b/roles/matrix-server/templates/env/env-synapse.j2 new file mode 100644 index 00000000..69f26700 --- /dev/null +++ b/roles/matrix-server/templates/env/env-synapse.j2 @@ -0,0 +1,2 @@ +SYNAPSE_CONFIG_PATH=/data/homeserver.yaml +SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 8b014a6d..829f7372 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -27,6 +27,7 @@ ExecStartPre=/bin/sleep 5 {% endif %} ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ --log-driver=none \ + --env-file={{ matrix_environment_variables_data_path }}/synapse \ --network={{ matrix_docker_network }} \ -p 8448:8448 \ {% if not matrix_nginx_proxy_enabled %} @@ -38,7 +39,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% for volume in matrix_synapse_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} - -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml \ {{ matrix_docker_image_synapse }} ExecStop=-/usr/bin/docker kill matrix-synapse ExecStop=-/usr/bin/docker rm matrix-synapse From 7350842d9b1326b51fb2913feb25ed96c7e0ba4d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 27 Sep 2018 10:43:31 +0300 Subject: [PATCH 0151/2384] Pull in homeserver.yaml template updates --- .../templates/synapse/homeserver.yaml.j2 | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 659fd740..279fe1aa 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -74,6 +74,8 @@ pid_file: /homeserver.pid # different cores. See # https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/. # +# This setting requires the affinity package to be installed! +# # cpu_affinity: 0xFFFFFFFF # Whether to serve a web client from the HTTP/HTTPS root resource. @@ -93,6 +95,9 @@ public_baseurl: https://{{ hostname_matrix }}/ # hard limit. soft_file_limit: 0 +# Set to false to disable presence tracking on this homeserver. +use_presence: true + # The GC threshold parameters to pass to `gc.set_threshold`, if defined # gc_thresholds: [700, 10, 10] @@ -173,6 +178,33 @@ listeners: # type: manhole + # Homeserver blocking + # + # How to reach the server admin, used in ResourceLimitError + # admin_contact: 'mailto:admin@server.com' + # + # Global block config + # + # hs_disabled: False + # hs_disabled_message: 'Human readable reason for why the HS is blocked' + # hs_disabled_limit_type: 'error code(str), to help clients decode reason' + # + # Monthly Active User Blocking + # + # Enables monthly active user checking + # limit_usage_by_mau: False + # max_mau_value: 50 + # mau_trial_days: 2 + # + # Sometimes the server admin will want to ensure certain accounts are + # never blocked by mau checking. These accounts are specified here. + # + # mau_limit_reserved_threepids: + # - medium: 'email' + # address: 'reserved_user@example.com' + + + # Database configuration database: # The database engine name @@ -649,6 +681,9 @@ enable_group_creation: false # User Consent configuration # +# for detailed instructions, see +# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md +# # Parts of this section are required if enabling the 'consent' resource under # 'listeners', in particular 'template_dir' and 'version'. # From b49f4531e8ba6f8023ab019eb421fdbc804db669 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 5 Oct 2018 10:32:43 +0300 Subject: [PATCH 0152/2384] Make user presence-status tracking configurable --- CHANGELOG.md | 9 +++++++++ roles/matrix-server/defaults/main.yml | 5 +++++ roles/matrix-server/templates/synapse/homeserver.yaml.j2 | 2 +- 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9e3bd14e..efe376bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2018-10-05 + +## Presence tracking made configurable + +The playbook can now enable/disable user presence-status tracking in Synapse, through the playbook's `matrix_synapse_use_presence` variable (having a default value of `true` - enabled). + +If users participate in large rooms with many other servers, disabling presence will decrease server load significantly. + + # 2018-09-27 ## Synapse Cache Factor made configurable diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index ab19be38..a154b424 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -68,6 +68,11 @@ matrix_synapse_rc_message_burst_count: 10.0 # (things like number of users, number of messages sent, uptime, load, etc.) matrix_synapse_report_stats: false +# Controls whether the Matrix server will track presence status (online, offline, unavailable) for users. +# If users participate in large rooms with many other servers, +# disabling this will decrease server load significantly. +matrix_synapse_use_presence: true + # Controls password-peppering for Matrix Synapse. Not to be changed after initial setup. matrix_synapse_password_config_pepper: "" diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 279fe1aa..5bbd86bb 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -96,7 +96,7 @@ public_baseurl: https://{{ hostname_matrix }}/ soft_file_limit: 0 # Set to false to disable presence tracking on this homeserver. -use_presence: true +use_presence: {{ matrix_synapse_use_presence|to_yaml }} # The GC threshold parameters to pass to `gc.set_threshold`, if defined # gc_thresholds: [700, 10, 10] From cc3e34b1285d4d72f831ed30a08f85db558ee8bd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 5 Oct 2018 10:59:02 +0300 Subject: [PATCH 0153/2384] Fix to_yaml silliness --- roles/matrix-server/templates/synapse/homeserver.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 5bbd86bb..db099714 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -96,7 +96,7 @@ public_baseurl: https://{{ hostname_matrix }}/ soft_file_limit: 0 # Set to false to disable presence tracking on this homeserver. -use_presence: {{ matrix_synapse_use_presence|to_yaml }} +use_presence: {{ matrix_synapse_use_presence|to_json }} # The GC threshold parameters to pass to `gc.set_threshold`, if defined # gc_thresholds: [700, 10, 10] From 2185177957a3270630d6033488e0bdfbf17e296b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 8 Oct 2018 08:19:52 +0300 Subject: [PATCH 0154/2384] Remove `lt-cred-mech` Coturn option Coturn reports it as an option that conflicts with `use-auth-secret`. Some reasoning is here: https://github.com/coturn/coturn/commit/fa523e8d09fa944181ee438765509d97f086d6d6 --- roles/matrix-server/templates/coturn/turnserver.conf.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-server/templates/coturn/turnserver.conf.j2 b/roles/matrix-server/templates/coturn/turnserver.conf.j2 index 2298d182..7aea813c 100644 --- a/roles/matrix-server/templates/coturn/turnserver.conf.j2 +++ b/roles/matrix-server/templates/coturn/turnserver.conf.j2 @@ -1,4 +1,3 @@ -lt-cred-mech use-auth-secret static-auth-secret={{ matrix_coturn_turn_static_auth_secret }} realm=turn.{{ hostname_matrix }} From a1c1ec9b7f109934c8ebe018d510ad3af2464244 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 8 Oct 2018 08:24:20 +0300 Subject: [PATCH 0155/2384] Update dependencies --- roles/matrix-server/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index a154b424..897d1360 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -135,10 +135,10 @@ matrix_docker_image_postgres_v10: "postgres:10.5-alpine" matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.5.1" -matrix_docker_image_nginx: "nginx:1.15.3-alpine" +matrix_docker_image_nginx: "nginx:1.15.5-alpine" matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.4" matrix_docker_image_goofys: "cloudproto/goofys:latest" -matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.7" +matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.8" matrix_docker_image_mailer: "panubo/postfix:latest" matrix_docker_image_mxisd: "kamax/mxisd:1.1.1" matrix_docker_image_mautrix_telegram: "tulir/mautrix-telegram:v0.3.0" From 17ea05683b272050959753bd92349dfbeab281f1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 12 Oct 2018 09:00:50 +0300 Subject: [PATCH 0156/2384] Fix yum/apt module invocation The old way is deprecated and would stop working after Ansible 2.11. --- roles/matrix-server/tasks/setup_base.yml | 41 +++++++++++++----------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/roles/matrix-server/tasks/setup_base.yml b/roles/matrix-server/tasks/setup_base.yml index 04342536..20ba7a1f 100644 --- a/roles/matrix-server/tasks/setup_base.yml +++ b/roles/matrix-server/tasks/setup_base.yml @@ -18,24 +18,25 @@ when: ansible_distribution == 'CentOS' - name: Ensure yum packages are installed (CentOS) - yum: name="{{ item }}" state=latest update_cache=yes - with_items: - - bash-completion - - docker-ce - - docker-python - - firewalld - - ntp - - fuse + yum: + name: + - bash-completion + - docker-ce + - docker-python + - firewalld + - ntp + - fuse + state: latest + update_cache: yes when: ansible_distribution == 'CentOS' - name: Ensure APT usage dependencies are installed (Debian) apt: - name: "{{ item }}" + name: + - apt-transport-https + - ca-certificates state: present update_cache: yes - with_items: - - apt-transport-https - - ca-certificates when: ansible_os_family == 'Debian' - name: Ensure Docker's APT key is trusted (Debian) @@ -55,13 +56,15 @@ when: ansible_os_family == 'Debian' - name: Ensure APT packages are installed (Debian) - apt: name="{{ item }}" state=latest update_cache=yes - with_items: - - bash-completion - - docker-ce - - python-docker - - ntp - - fuse + apt: + name: + - bash-completion + - docker-ce + - python-docker + - ntp + - fuse + state: latest + update_cache: yes when: ansible_os_family == 'Debian' - name: Ensure firewalld is started and autoruns From 5c63f2ecec93dcd1e266761c2edb9a2dfe1e0528 Mon Sep 17 00:00:00 2001 From: anadahz Date: Sun, 14 Oct 2018 19:52:35 +0000 Subject: [PATCH 0157/2384] Fix minor typo in install instructions --- docs/configuring-playbook.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 6ea515d6..19dab5c1 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -8,7 +8,7 @@ You can follow these steps: - copy the sample configuration file (`cp examples/host-vars.yml inventory/host_vars/matrix./vars.yml`) -- edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at `roles/matrix-server/defaults.main.yml` and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. +- edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at `roles/matrix-server/defaults/main.yml` and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. - copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) From 36658addcd688074eb9062ee71f16ed8a0bcad1b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Oct 2018 07:42:26 +0300 Subject: [PATCH 0158/2384] Work around buggy docker_network sometimes failing to work If a network like `matrix-whatever` already exists for some reason, the `docker_network` module would not create our `matrix` network. Working around it by avoiding `docker_network` and doing it manually. Fixes Github issue #12 --- roles/matrix-server/tasks/setup_main.yml | 28 ++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/roles/matrix-server/tasks/setup_main.yml b/roles/matrix-server/tasks/setup_main.yml index 71a6b96c..a4da6986 100644 --- a/roles/matrix-server/tasks/setup_main.yml +++ b/roles/matrix-server/tasks/setup_main.yml @@ -30,7 +30,27 @@ - "{{ matrix_base_data_path }}" - "{{ matrix_synapse_base_path }}" -- name: Ensure Matrix network is created in Docker - docker_network: - name: "{{ matrix_docker_network }}" - driver: bridge +# `docker_network` doesn't work as expected when the given network +# is a substring of a network that already exists. +# +# See: +# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/12 +# - https://github.com/ansible/ansible/issues/32926 +# +# Due to that, we employ a workaround below. +# +# - name: Ensure Matrix network is created in Docker +# docker_network: +# name: "{{ matrix_docker_network }}" +# driver: bridge + +- name: Check existence of Matrix network in Docker + shell: + cmd: "docker network ls -q --filter='name=^{{ matrix_docker_network }}$'" + register: result_check_docker_network + changed_when: false + +- name: Create Matrix network in Docker + shell: + cmd: "docker network create --driver=bridge {{ matrix_docker_network }}" + when: "result_check_docker_network.stdout == ''" \ No newline at end of file From 6cc528ba5ad784348efedd3de07e16057214cc08 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 Oct 2018 14:49:21 +0300 Subject: [PATCH 0159/2384] Upgrade Synapse (v0.33.5.1 -> v0.33.7rc2) We skipped v0.33.6 because of matrix-org/synapse#4014, but v0.33.7rc2 fixed the problem. --- roles/matrix-server/defaults/main.yml | 2 +- roles/matrix-server/templates/synapse/homeserver.yaml.j2 | 1 - .../templates/usr-local-bin/matrix-synapse-register-user.j2 | 5 ++--- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 897d1360..5fcaa2dd 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -134,7 +134,7 @@ matrix_docker_image_postgres_v9: "postgres:9.6.10-alpine" matrix_docker_image_postgres_v10: "postgres:10.5-alpine" matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" -matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.5.1" +matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.7rc2" matrix_docker_image_nginx: "nginx:1.15.5-alpine" matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.4" matrix_docker_image_goofys: "cloudproto/goofys:latest" diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index db099714..e70b3046 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -590,7 +590,6 @@ email: require_transport_security: false notif_from: "Matrix <{{ matrix_mailer_sender_address }}>" app_name: Matrix - template_dir: /synapse/res/templates notif_template_html: notif_mail.html notif_template_text: notif_mail.txt notif_for_new_users: True diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 index da39cca0..d47addb6 100644 --- a/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 +++ b/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 @@ -10,8 +10,7 @@ password=$2 admin=$3 if [ "$admin" -eq "1" ]; then - docker exec matrix-synapse register_new_matrix_user -a -u $user -p $password -c /data/homeserver.yaml http://localhost:8008 + docker exec matrix-synapse register_new_matrix_user -u $user -p $password -c /data/homeserver.yaml --admin http://localhost:8008 else - # If `-a` is not passed, we need to answer to an "admin: yes/no" question - echo 'no' | docker exec -i matrix-synapse register_new_matrix_user -u $user -p $password $extraFlags -c /data/homeserver.yaml http://localhost:8008 + docker exec matrix-synapse register_new_matrix_user -u $user -p $password -c /data/homeserver.yaml --no-admin http://localhost:8008 fi \ No newline at end of file From 9b3c88248301d6cd04b62273d0c396c61c7e79bd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 Oct 2018 15:13:13 +0300 Subject: [PATCH 0160/2384] Update riot-web (0.16.4 -> 0.17.0) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 5fcaa2dd..8c467a11 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -136,7 +136,7 @@ matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.7rc2" matrix_docker_image_nginx: "nginx:1.15.5-alpine" -matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.16.4" +matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.17.0" matrix_docker_image_goofys: "cloudproto/goofys:latest" matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.8" matrix_docker_image_mailer: "panubo/postfix:latest" From a0320346e1da615e8ac17482365ed51bc02e78b3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 Oct 2018 18:15:07 +0300 Subject: [PATCH 0161/2384] Upgrade Synapse (v0.33.7rc2 -> 0.33.7) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 8c467a11..524a4a62 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -134,7 +134,7 @@ matrix_docker_image_postgres_v9: "postgres:9.6.10-alpine" matrix_docker_image_postgres_v10: "postgres:10.5-alpine" matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" -matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.7rc2" +matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.7" matrix_docker_image_nginx: "nginx:1.15.5-alpine" matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.17.0" matrix_docker_image_goofys: "cloudproto/goofys:latest" From 39a28e52e8dc61e5baafda599949a878fcd8e2c9 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Thu, 18 Oct 2018 18:09:41 -0500 Subject: [PATCH 0162/2384] Fix link to using your own webserver --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f6492a8b..6a182354 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ Using this playbook, you can get the following services configured on your serve - (optional default) a [Postfix](http://www.postfix.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) -- (optional default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](#using-your-own-webserver-instead-of-this-playbooks-nginx-proxy-optional) +- (optional default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) - (optional) the [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) REST authentication password provider module From 2313907faa94663f86af81fe2f74493d526af38d Mon Sep 17 00:00:00 2001 From: anadahz Date: Fri, 19 Oct 2018 14:07:31 +0000 Subject: [PATCH 0163/2384] Add missing tag to task The setup-all should include the setup_well_known task as well --- roles/matrix-server/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 5975a2fc..b40ac188 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -64,6 +64,7 @@ - include: tasks/setup_well_known.yml tags: + - setup-all - setup-mxisd - setup-synapse - setup-nginx-proxy From 12d96f5e23cb462a632edf9089dd4af11b76e603 Mon Sep 17 00:00:00 2001 From: anadahz Date: Fri, 19 Oct 2018 14:22:27 +0000 Subject: [PATCH 0164/2384] Add sample .well-know config for Caddy --- docs/configuring-well-known.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 62adcf51..5509d0b2 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -67,6 +67,12 @@ server { ``` +**For Caddy**, it would be something like this: + +```caddy +proxy /.well-known/matrix https://matrix.DOMAIN +``` + Make sure to: - **replace `DOMAIN`** in the server configuration with your actual domain name From d0c2ef10e42a26081c3ae11868619b57241cd766 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 21 Oct 2018 12:58:25 +0300 Subject: [PATCH 0165/2384] Add self-check command --- CHANGELOG.md | 7 +++ docs/README.md | 2 + docs/configuring-well-known.md | 4 +- docs/installing.md | 3 +- docs/maintenance-checking-services.md | 13 ++++++ roles/matrix-server/tasks/main.yml | 6 +++ roles/matrix-server/tasks/self_check.yml | 18 ++++++++ .../self_check/self_check_client_api.yml | 20 ++++++++ .../tasks/self_check/self_check_corporal.yml | 21 +++++++++ .../tasks/self_check/self_check_dns.yml | 25 ++++++++++ .../self_check/self_check_federation_api.yml | 21 +++++++++ .../tasks/self_check/self_check_mxisd.yml | 20 ++++++++ .../tasks/self_check/self_check_riot_web.yml | 20 ++++++++ .../self_check/self_check_well_known.yml | 46 +++++++++++++++++++ 14 files changed, 224 insertions(+), 2 deletions(-) create mode 100644 docs/maintenance-checking-services.md create mode 100644 roles/matrix-server/tasks/self_check.yml create mode 100644 roles/matrix-server/tasks/self_check/self_check_client_api.yml create mode 100644 roles/matrix-server/tasks/self_check/self_check_corporal.yml create mode 100644 roles/matrix-server/tasks/self_check/self_check_dns.yml create mode 100644 roles/matrix-server/tasks/self_check/self_check_federation_api.yml create mode 100644 roles/matrix-server/tasks/self_check/self_check_mxisd.yml create mode 100644 roles/matrix-server/tasks/self_check/self_check_riot_web.yml create mode 100644 roles/matrix-server/tasks/self_check/self_check_well_known.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index efe376bb..d0a640eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +# 2018-10-21 + +## Self-check maintenance command + +The playbook can now [check if services are configured correctly](docs/maintenance-checking-services.md). + + # 2018-10-05 ## Presence tracking made configurable diff --git a/docs/README.md b/docs/README.md index e56affaf..ffa6a1bb 100644 --- a/docs/README.md +++ b/docs/README.md @@ -12,6 +12,8 @@ - [Configuring service discovery via .well-known](configuring-well-known.md) +- [Maintenance / checking if services work](maintenance-checking-services.md) + - [Maintenance / upgrading services](maintenance-upgrading-services.md) - [Maintenance / upgrading PostgreSQL](maintenance-upgrading-postgres.md) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 5509d0b2..88189249 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -81,4 +81,6 @@ Make sure to: ## Confirming it works -No matter which method you've used to set up the well-known file, if you've done it correctly you should be able to see a JSON file at a URL like this: `https://matrix./.well-known/matrix/client`. \ No newline at end of file +No matter which method you've used to set up the well-known file, if you've done it correctly you should be able to see a JSON file at a URL like this: `https://matrix./.well-known/matrix/client`. + +You can also check if everything is configured correctly, by [checking if services work](maintenance-checking-services.md). \ No newline at end of file diff --git a/docs/installing.md b/docs/installing.md index 74434722..10e754d9 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -33,4 +33,5 @@ ansible-playbook -i inventory/hosts setup.yml --tags=start Now that the services are running, you might want to: - [create your first user account](registering-users.md) -- or **finalize the installation process** by [Configuring service discovery via .well-known](configuring-well-known.md) \ No newline at end of file +- or **finalize the installation process** by [Configuring service discovery via .well-known](configuring-well-known.md) +- or [Check if services work](maintenance-checking-services.md) \ No newline at end of file diff --git a/docs/maintenance-checking-services.md b/docs/maintenance-checking-services.md new file mode 100644 index 00000000..5a257c00 --- /dev/null +++ b/docs/maintenance-checking-services.md @@ -0,0 +1,13 @@ +# Checking if services work + +This playbook can perform a check to ensure that you've configured things correctly and that services are running. + +To perform the check, run: + +```bash +ansible-playbook -i inventory/hosts setup.yml --tags=self-check +``` + +If it's all green, everything is probably running correctly. + +Besides this self-check, you can also check your server using the [Federation Tester](https://neo.lain.haus/fed-tester/). \ No newline at end of file diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index b40ac188..cd276d68 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -91,3 +91,9 @@ - include: tasks/import_media_store.yml tags: - import-media-store + +- include: tasks/self_check.yml + delegate_to: 127.0.0.1 + become: false + tags: + - self-check diff --git a/roles/matrix-server/tasks/self_check.yml b/roles/matrix-server/tasks/self_check.yml new file mode 100644 index 00000000..001303bb --- /dev/null +++ b/roles/matrix-server/tasks/self_check.yml @@ -0,0 +1,18 @@ +--- + +- include: tasks/self_check/self_check_dns.yml + +- include: tasks/self_check/self_check_client_api.yml + +- include: tasks/self_check/self_check_federation_api.yml + +- include: tasks/self_check/self_check_riot_web.yml + when: "matrix_riot_web_enabled" + +- include: tasks/self_check/self_check_mxisd.yml + when: "matrix_mxisd_enabled" + +- include: tasks/self_check/self_check_well_known.yml + +- include: tasks/self_check/self_check_corporal.yml + when: "matrix_corporal_enabled" \ No newline at end of file diff --git a/roles/matrix-server/tasks/self_check/self_check_client_api.yml b/roles/matrix-server/tasks/self_check/self_check_client_api.yml new file mode 100644 index 00000000..7fae6468 --- /dev/null +++ b/roles/matrix-server/tasks/self_check/self_check_client_api.yml @@ -0,0 +1,20 @@ +--- + +- set_fact: + matrix_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/versions" + +- name: Check Matrix Client API + uri: + url: "{{ matrix_client_api_url_endpoint_public }}" + follow_redirects: false + register: result_matrix_client_api + ignore_errors: true + +- name: Fail if Matrix Client API not working + fail: + msg: "Failed checking Matrix Client API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_client_api }}" + when: "result_matrix_client_api.failed or 'json' not in result_matrix_client_api" + +- name: Report working Matrix Client API + debug: + msg: "The Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_client_api_url_endpoint_public }}`) is working" \ No newline at end of file diff --git a/roles/matrix-server/tasks/self_check/self_check_corporal.yml b/roles/matrix-server/tasks/self_check/self_check_corporal.yml new file mode 100644 index 00000000..86985be1 --- /dev/null +++ b/roles/matrix-server/tasks/self_check/self_check_corporal.yml @@ -0,0 +1,21 @@ +--- + +- set_fact: + corporal_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/corporal" + +- name: Check Matrix Corporal HTTP gateway + uri: + url: "{{ corporal_client_api_url_endpoint_public }}" + follow_redirects: false + return_content: true + register: result_corporal_client_api + ignore_errors: true + +- name: Fail if Matrix Corporal HTTP gateway not working + fail: + msg: "Failed checking Matrix Corporal is fronting the Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ corporal_client_api_url_endpoint_public }}`). Is matrix-corporal running? Is port 443 open in your firewall? Full error: {{ result_corporal_client_api }}" + when: "result_corporal_client_api.failed or 'Matrix Client-Server API protected by Matrix Corporal' not in result_corporal_client_api.content" + +- name: Report working Matrix Corporal HTTP gateway + debug: + msg: "Matrix Corporal is fronting the Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ corporal_client_api_url_endpoint_public }}`)" \ No newline at end of file diff --git a/roles/matrix-server/tasks/self_check/self_check_dns.yml b/roles/matrix-server/tasks/self_check/self_check_dns.yml new file mode 100644 index 00000000..b4afce30 --- /dev/null +++ b/roles/matrix-server/tasks/self_check/self_check_dns.yml @@ -0,0 +1,25 @@ +--- + +- name: Check DNS SRV record + shell: + cmd: "dig -t srv {{ ('_matrix._tcp.' + hostname_identity + '.')|quote }}" + register: result_dig_srv + changed_when: false + ignore_errors: true + +- name: Fail if dig failed + fail: + msg: "Failed checking DNS SRV record. You likely don't have the `dig` program installed locally. Full error: {{ result_dig_srv }}" + when: "result_dig_srv.stderr != ''" + +# We expect an answer like this: +# ;; ANSWER SECTION: +# _matrix._tcp.DOMAIN. 10800 IN SRV 10 0 8448 matrix.DOMAIN. +- name: Fail if DNS SRV record incorrect + fail: + msg: "It appears the DNS SRV record for {{ hostname_identity }} is not set up correctly. See the 'Configuring DNS' documentation for this playbook. Full DNS answer was: {{ result_dig_srv.stdout }}" + when: "('8448 ' + hostname_matrix) not in result_dig_srv.stdout" + +- name: Report correct DNS SRV record + debug: + msg: "The DNS SRV record for {{ hostname_identity }} points to {{ hostname_matrix }}, as expected" \ No newline at end of file diff --git a/roles/matrix-server/tasks/self_check/self_check_federation_api.yml b/roles/matrix-server/tasks/self_check/self_check_federation_api.yml new file mode 100644 index 00000000..2082cf65 --- /dev/null +++ b/roles/matrix-server/tasks/self_check/self_check_federation_api.yml @@ -0,0 +1,21 @@ +--- + +- set_fact: + matrix_federation_api_url_endpoint_public: "https://{{ hostname_matrix }}:8448/_matrix/federation/v1/version" + +- name: Check Matrix Federation API + uri: + url: "{{ matrix_federation_api_url_endpoint_public }}" + follow_redirects: false + validate_certs: false + register: result_matrix_federation_api + ignore_errors: true + +- name: Fail if Matrix Federation API not working + fail: + msg: "Failed checking Matrix Federation API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_federation_api }}" + when: "result_matrix_federation_api.failed or 'json' not in result_matrix_federation_api" + +- name: Report working Matrix Federation API + debug: + msg: "The Matrix Federation API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_federation_api_url_endpoint_public }}`) is working" \ No newline at end of file diff --git a/roles/matrix-server/tasks/self_check/self_check_mxisd.yml b/roles/matrix-server/tasks/self_check/self_check_mxisd.yml new file mode 100644 index 00000000..6c9f1e2d --- /dev/null +++ b/roles/matrix-server/tasks/self_check/self_check_mxisd.yml @@ -0,0 +1,20 @@ +--- + +- set_fact: + mxisd_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/identity/api/v1" + +- name: Check mxisd Identity Service + uri: + url: "{{ mxisd_url_endpoint_public }}" + follow_redirects: false + register: result_mxisd + ignore_errors: true + +- name: Fail if mxisd Identity Service not working + fail: + msg: "Failed checking mxisd is up at `{{ hostname_matrix }}` (checked endpoint: `{{ mxisd_url_endpoint_public }}`). Is mxisd running? Is port 443 open in your firewall? Full error: {{ result_mxisd }}" + when: "result_mxisd.failed or 'json' not in result_mxisd" + +- name: Report working mxisd Identity Service + debug: + msg: "mxisd at `{{ hostname_matrix }}` is working (checked endpoint: `{{ mxisd_url_endpoint_public }}`)" \ No newline at end of file diff --git a/roles/matrix-server/tasks/self_check/self_check_riot_web.yml b/roles/matrix-server/tasks/self_check/self_check_riot_web.yml new file mode 100644 index 00000000..a32fb2cb --- /dev/null +++ b/roles/matrix-server/tasks/self_check/self_check_riot_web.yml @@ -0,0 +1,20 @@ +--- + +- set_fact: + riot_web_url_endpoint_public: "https://{{ hostname_riot }}/config.json" + +- name: Check riot-web + uri: + url: "{{ riot_web_url_endpoint_public }}" + follow_redirects: false + register: result_riot_web + ignore_errors: true + +- name: Fail if riot-web not working + fail: + msg: "Failed checking riot-web is up at `{{ hostname_riot }}` (checked endpoint: `{{ riot_web_url_endpoint_public }}`). Is Riot running? Is port 443 open in your firewall? Full error: {{ result_riot_web }}" + when: "result_riot_web.failed or 'json' not in result_riot_web" + +- name: Report working riot-web + debug: + msg: "riot-web at `{{ hostname_riot }}` is working (checked endpoint: `{{ riot_web_url_endpoint_public }}`)" \ No newline at end of file diff --git a/roles/matrix-server/tasks/self_check/self_check_well_known.yml b/roles/matrix-server/tasks/self_check/self_check_well_known.yml new file mode 100644 index 00000000..2da47a45 --- /dev/null +++ b/roles/matrix-server/tasks/self_check/self_check_well_known.yml @@ -0,0 +1,46 @@ +--- + +- set_fact: + well_known_url_matrix: "https://{{ hostname_matrix }}/.well-known/matrix/client" + well_known_url_identity: "https://{{ hostname_matrix }}/.well-known/matrix/client" + + +- name: Check .well-known on the matrix hostname + uri: + url: "{{ well_known_url_matrix }}" + follow_redirects: false + register: result_well_known_matrix + ignore_errors: true + +- name: Fail if .well-known not working on the matrix hostname + fail: + msg: "Failed checking well-known is configured at `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}" + when: "result_well_known_matrix.failed or 'json' not in result_well_known_matrix" + +- name: Report working .well-known on the matrix hostname + debug: + msg: "well-known is configured at `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)" + + +- name: Check .well-known on the identity hostname + uri: + url: "{{ well_known_url_identity }}" + follow_redirects: false + register: result_well_known_identity + ignore_errors: true + +- name: Fail if .well-known not working on the identity hostname + fail: + msg: "Failed checking well-known is configured at `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}" + when: "result_well_known_identity.failed or 'json' not in result_well_known_identity" + +- name: Report working .well-known on the identity hostname + debug: + msg: "well-known is configured at `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`)" + + +# For people who manually copy the well-known file, try to detect if it's outdated +- name: Fail if well-known is different on matrix hostname and identity hostname + fail: + msg: "The well-known files at `{{ hostname_matrix }}` and `{{ hostname_identity }}` are different. Perhaps you copied the file manually before and now it's outdated?" + when: "result_well_known_matrix.json|to_json != result_well_known_identity.json|to_json" From c7188e06f97cfb5bea03b236fb568cede7282e93 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 21 Oct 2018 13:14:47 +0300 Subject: [PATCH 0166/2384] Relocate some playbook task files to make it easier to navigate --- roles/matrix-server/tasks/main.yml | 74 +------------------ .../{self_check.yml => self_check/main.yml} | 0 roles/matrix-server/tasks/setup/main.yml | 73 ++++++++++++++++++ .../tasks/{ => setup}/setup_base.yml | 0 .../tasks/{ => setup}/setup_corporal.yml | 0 .../{ => setup}/setup_corporal_overrides.yml | 0 .../tasks/{ => setup}/setup_coturn.yml | 0 .../tasks/{ => setup}/setup_goofys.yml | 0 .../tasks/{ => setup}/setup_mailer.yml | 0 .../tasks/{ => setup}/setup_main.yml | 0 .../tasks/{ => setup}/setup_mxisd.yml | 0 .../tasks/{ => setup}/setup_nginx_proxy.yml | 0 .../tasks/{ => setup}/setup_postgres.yml | 0 .../tasks/{ => setup}/setup_riot_web.yml | 0 .../tasks/{ => setup}/setup_ssl.yml | 2 +- .../{ => setup}/setup_ssl_for_domain.yml | 0 .../tasks/setup/setup_synapse.yml | 7 ++ .../tasks/setup/setup_synapse_ext.yml | 7 ++ .../setup_synapse_ext_mautrix_telegram.yml | 0 .../setup_synapse_ext_rest_auth.yml | 0 .../setup_synapse_ext_shared_secret_auth.yml | 0 .../tasks/{ => setup}/setup_synapse_main.yml | 0 .../tasks/{ => setup}/setup_synapse_pre.yml | 0 .../tasks/{ => setup}/setup_well_known.yml | 0 roles/matrix-server/tasks/setup_synapse.yml | 7 -- .../matrix-server/tasks/setup_synapse_ext.yml | 7 -- .../matrix-server/tasks/upgrade_postgres.yml | 2 +- 27 files changed, 91 insertions(+), 88 deletions(-) rename roles/matrix-server/tasks/{self_check.yml => self_check/main.yml} (100%) create mode 100644 roles/matrix-server/tasks/setup/main.yml rename roles/matrix-server/tasks/{ => setup}/setup_base.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_corporal.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_corporal_overrides.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_coturn.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_goofys.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_mailer.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_main.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_mxisd.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_nginx_proxy.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_postgres.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_riot_web.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_ssl.yml (96%) rename roles/matrix-server/tasks/{ => setup}/setup_ssl_for_domain.yml (100%) create mode 100644 roles/matrix-server/tasks/setup/setup_synapse.yml create mode 100644 roles/matrix-server/tasks/setup/setup_synapse_ext.yml rename roles/matrix-server/tasks/{ => setup}/setup_synapse_ext_mautrix_telegram.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_synapse_ext_rest_auth.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_synapse_ext_shared_secret_auth.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_synapse_main.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_synapse_pre.yml (100%) rename roles/matrix-server/tasks/{ => setup}/setup_well_known.yml (100%) delete mode 100644 roles/matrix-server/tasks/setup_synapse.yml delete mode 100644 roles/matrix-server/tasks/setup_synapse_ext.yml diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index cd276d68..6f5b7bbe 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -1,81 +1,11 @@ --- -- include: tasks/setup_base.yml - tags: - - setup-all - -- include: tasks/setup_main.yml - tags: - - setup-all - -- include: tasks/setup_ssl.yml - tags: - - setup-all - - setup-ssl +- include: tasks/setup/main.yml - include: tasks/upgrade_postgres.yml tags: - upgrade-postgres -- include: tasks/setup_postgres.yml - tags: - - setup-all - - setup-postgres - -- include: tasks/setup_goofys.yml - tags: - - setup-all - - setup-goofys - -- include: tasks/setup_coturn.yml - tags: - - setup-all - - setup-coturn - -- include: tasks/setup_mailer.yml - tags: - - setup-all - - setup-mailer - -- include: tasks/setup_mxisd.yml - tags: - - setup-all - - setup-mxisd - -- include: tasks/setup_corporal_overrides.yml - tags: - - always - -- include: tasks/setup_corporal.yml - tags: - - setup-all - - setup-corporal - -- include: tasks/setup_synapse.yml - tags: - - setup-all - - setup-synapse - - setup-coturn - -- include: tasks/setup_riot_web.yml - tags: - - setup-all - - setup-riot-web - -- include: tasks/setup_well_known.yml - tags: - - setup-all - - setup-mxisd - - setup-synapse - - setup-nginx-proxy - - setup-well-known - -- include: tasks/setup_nginx_proxy.yml - tags: - - setup-all - - setup-nginx-proxy - - setup-well-known - - include: tasks/start.yml tags: - start @@ -92,7 +22,7 @@ tags: - import-media-store -- include: tasks/self_check.yml +- include: tasks/self_check/main.yml delegate_to: 127.0.0.1 become: false tags: diff --git a/roles/matrix-server/tasks/self_check.yml b/roles/matrix-server/tasks/self_check/main.yml similarity index 100% rename from roles/matrix-server/tasks/self_check.yml rename to roles/matrix-server/tasks/self_check/main.yml diff --git a/roles/matrix-server/tasks/setup/main.yml b/roles/matrix-server/tasks/setup/main.yml new file mode 100644 index 00000000..ac6cb782 --- /dev/null +++ b/roles/matrix-server/tasks/setup/main.yml @@ -0,0 +1,73 @@ +--- + +- include: tasks/setup/setup_base.yml + tags: + - setup-all + +- include: tasks/setup/setup_main.yml + tags: + - setup-all + +- include: tasks/setup/setup_ssl.yml + tags: + - setup-all + - setup-ssl + +- include: tasks/setup/setup_postgres.yml + tags: + - setup-all + - setup-postgres + +- include: tasks/setup/setup_goofys.yml + tags: + - setup-all + - setup-goofys + +- include: tasks/setup/setup_coturn.yml + tags: + - setup-all + - setup-coturn + +- include: tasks/setup/setup_mailer.yml + tags: + - setup-all + - setup-mailer + +- include: tasks/setup/setup_mxisd.yml + tags: + - setup-all + - setup-mxisd + +- include: tasks/setup/setup_corporal_overrides.yml + tags: + - always + +- include: tasks/setup/setup_corporal.yml + tags: + - setup-all + - setup-corporal + +- include: tasks/setup/setup_synapse.yml + tags: + - setup-all + - setup-synapse + - setup-coturn + +- include: tasks/setup/setup_riot_web.yml + tags: + - setup-all + - setup-riot-web + +- include: tasks/setup/setup_well_known.yml + tags: + - setup-all + - setup-mxisd + - setup-synapse + - setup-nginx-proxy + - setup-well-known + +- include: tasks/setup/setup_nginx_proxy.yml + tags: + - setup-all + - setup-nginx-proxy + - setup-well-known \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup_base.yml b/roles/matrix-server/tasks/setup/setup_base.yml similarity index 100% rename from roles/matrix-server/tasks/setup_base.yml rename to roles/matrix-server/tasks/setup/setup_base.yml diff --git a/roles/matrix-server/tasks/setup_corporal.yml b/roles/matrix-server/tasks/setup/setup_corporal.yml similarity index 100% rename from roles/matrix-server/tasks/setup_corporal.yml rename to roles/matrix-server/tasks/setup/setup_corporal.yml diff --git a/roles/matrix-server/tasks/setup_corporal_overrides.yml b/roles/matrix-server/tasks/setup/setup_corporal_overrides.yml similarity index 100% rename from roles/matrix-server/tasks/setup_corporal_overrides.yml rename to roles/matrix-server/tasks/setup/setup_corporal_overrides.yml diff --git a/roles/matrix-server/tasks/setup_coturn.yml b/roles/matrix-server/tasks/setup/setup_coturn.yml similarity index 100% rename from roles/matrix-server/tasks/setup_coturn.yml rename to roles/matrix-server/tasks/setup/setup_coturn.yml diff --git a/roles/matrix-server/tasks/setup_goofys.yml b/roles/matrix-server/tasks/setup/setup_goofys.yml similarity index 100% rename from roles/matrix-server/tasks/setup_goofys.yml rename to roles/matrix-server/tasks/setup/setup_goofys.yml diff --git a/roles/matrix-server/tasks/setup_mailer.yml b/roles/matrix-server/tasks/setup/setup_mailer.yml similarity index 100% rename from roles/matrix-server/tasks/setup_mailer.yml rename to roles/matrix-server/tasks/setup/setup_mailer.yml diff --git a/roles/matrix-server/tasks/setup_main.yml b/roles/matrix-server/tasks/setup/setup_main.yml similarity index 100% rename from roles/matrix-server/tasks/setup_main.yml rename to roles/matrix-server/tasks/setup/setup_main.yml diff --git a/roles/matrix-server/tasks/setup_mxisd.yml b/roles/matrix-server/tasks/setup/setup_mxisd.yml similarity index 100% rename from roles/matrix-server/tasks/setup_mxisd.yml rename to roles/matrix-server/tasks/setup/setup_mxisd.yml diff --git a/roles/matrix-server/tasks/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml similarity index 100% rename from roles/matrix-server/tasks/setup_nginx_proxy.yml rename to roles/matrix-server/tasks/setup/setup_nginx_proxy.yml diff --git a/roles/matrix-server/tasks/setup_postgres.yml b/roles/matrix-server/tasks/setup/setup_postgres.yml similarity index 100% rename from roles/matrix-server/tasks/setup_postgres.yml rename to roles/matrix-server/tasks/setup/setup_postgres.yml diff --git a/roles/matrix-server/tasks/setup_riot_web.yml b/roles/matrix-server/tasks/setup/setup_riot_web.yml similarity index 100% rename from roles/matrix-server/tasks/setup_riot_web.yml rename to roles/matrix-server/tasks/setup/setup_riot_web.yml diff --git a/roles/matrix-server/tasks/setup_ssl.yml b/roles/matrix-server/tasks/setup/setup_ssl.yml similarity index 96% rename from roles/matrix-server/tasks/setup_ssl.yml rename to roles/matrix-server/tasks/setup/setup_ssl.yml index 57b824d7..cabffb81 100644 --- a/roles/matrix-server/tasks/setup_ssl.yml +++ b/roles/matrix-server/tasks/setup/setup_ssl.yml @@ -36,7 +36,7 @@ - "{{ matrix_ssl_config_dir_path }}" - name: Obtain initial certificates - include_tasks: "setup_ssl_for_domain.yml" + include_tasks: "tasks/setup/setup_ssl_for_domain.yml" with_items: "{{ domains_to_obtain_certificate_for }}" loop_control: loop_var: domain_name diff --git a/roles/matrix-server/tasks/setup_ssl_for_domain.yml b/roles/matrix-server/tasks/setup/setup_ssl_for_domain.yml similarity index 100% rename from roles/matrix-server/tasks/setup_ssl_for_domain.yml rename to roles/matrix-server/tasks/setup/setup_ssl_for_domain.yml diff --git a/roles/matrix-server/tasks/setup/setup_synapse.yml b/roles/matrix-server/tasks/setup/setup_synapse.yml new file mode 100644 index 00000000..ecf69fdf --- /dev/null +++ b/roles/matrix-server/tasks/setup/setup_synapse.yml @@ -0,0 +1,7 @@ +--- + +- include: tasks/setup/setup_synapse_pre.yml + +- include: tasks/setup/setup_synapse_ext.yml + +- include: tasks/setup/setup_synapse_main.yml diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext.yml new file mode 100644 index 00000000..6c6fddda --- /dev/null +++ b/roles/matrix-server/tasks/setup/setup_synapse_ext.yml @@ -0,0 +1,7 @@ +--- + +- include: tasks/setup/setup_synapse_ext_rest_auth.yml + +- include: tasks/setup/setup_synapse_ext_shared_secret_auth.yml + +- include: tasks/setup/setup_synapse_ext_mautrix_telegram.yml diff --git a/roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_telegram.yml similarity index 100% rename from roles/matrix-server/tasks/setup_synapse_ext_mautrix_telegram.yml rename to roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_telegram.yml diff --git a/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext_rest_auth.yml similarity index 100% rename from roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml rename to roles/matrix-server/tasks/setup/setup_synapse_ext_rest_auth.yml diff --git a/roles/matrix-server/tasks/setup_synapse_ext_shared_secret_auth.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext_shared_secret_auth.yml similarity index 100% rename from roles/matrix-server/tasks/setup_synapse_ext_shared_secret_auth.yml rename to roles/matrix-server/tasks/setup/setup_synapse_ext_shared_secret_auth.yml diff --git a/roles/matrix-server/tasks/setup_synapse_main.yml b/roles/matrix-server/tasks/setup/setup_synapse_main.yml similarity index 100% rename from roles/matrix-server/tasks/setup_synapse_main.yml rename to roles/matrix-server/tasks/setup/setup_synapse_main.yml diff --git a/roles/matrix-server/tasks/setup_synapse_pre.yml b/roles/matrix-server/tasks/setup/setup_synapse_pre.yml similarity index 100% rename from roles/matrix-server/tasks/setup_synapse_pre.yml rename to roles/matrix-server/tasks/setup/setup_synapse_pre.yml diff --git a/roles/matrix-server/tasks/setup_well_known.yml b/roles/matrix-server/tasks/setup/setup_well_known.yml similarity index 100% rename from roles/matrix-server/tasks/setup_well_known.yml rename to roles/matrix-server/tasks/setup/setup_well_known.yml diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml deleted file mode 100644 index 5c9348c3..00000000 --- a/roles/matrix-server/tasks/setup_synapse.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- include: tasks/setup_synapse_pre.yml - -- include: tasks/setup_synapse_ext.yml - -- include: tasks/setup_synapse_main.yml diff --git a/roles/matrix-server/tasks/setup_synapse_ext.yml b/roles/matrix-server/tasks/setup_synapse_ext.yml deleted file mode 100644 index 3777df08..00000000 --- a/roles/matrix-server/tasks/setup_synapse_ext.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- include: tasks/setup_synapse_ext_rest_auth.yml - -- include: tasks/setup_synapse_ext_shared_secret_auth.yml - -- include: tasks/setup_synapse_ext_mautrix_telegram.yml diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-server/tasks/upgrade_postgres.yml index cdb39c70..34a78b27 100644 --- a/roles/matrix-server/tasks/upgrade_postgres.yml +++ b/roles/matrix-server/tasks/upgrade_postgres.yml @@ -92,7 +92,7 @@ - debug: msg: "NOTE: Your Postgres data directory has been moved from `{{ matrix_postgres_data_path }}` to `{{ postgres_auto_upgrade_backup_data_path }}`. In the event of failure, you can move it back and run the playbook with --tags=setup-postgres to restore operation." -- include: tasks/setup_postgres.yml +- include: tasks/setup/setup_postgres.yml - name: Ensure matrix-postgres autoruns and is restarted service: name=matrix-postgres enabled=yes state=restarted daemon_reload=yes From 423e1e191acec3e47b1f769922698c595bd30f38 Mon Sep 17 00:00:00 2001 From: anadahz Date: Sun, 21 Oct 2018 12:04:13 +0000 Subject: [PATCH 0167/2384] Add DNS records table --- docs/configuring-dns.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 434416ad..c2068dc8 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -20,4 +20,11 @@ Once you've set up these DNS SRV records, you should create 2 other domain names This playbook can then install all the services on that new server and you'll be able to join the Matrix network as `@:`. +| Type | Host | Priority | Weight | Port | Target | +| ---- | ----------------------- | -------- | ------ | ---- | ---------------------- | +| SRV | `_matrix._tcp` | 10 | 0 | 8448 | `matrix.` | +| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | +| A | `matrix` | - | - | - | `server-IP` | +| A | `riot` | - | - | - | `server-IP` | + When ready to proceed, continue with [Configuring this Ansible playbook](configuring-playbook.md). \ No newline at end of file From d5655b7527301d6c1cf720dc61b40b08a9467185 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 21 Oct 2018 16:34:00 +0300 Subject: [PATCH 0168/2384] Use CNAME for riot in the example table --- docs/configuring-dns.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index c2068dc8..49b6a057 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -20,11 +20,11 @@ Once you've set up these DNS SRV records, you should create 2 other domain names This playbook can then install all the services on that new server and you'll be able to join the Matrix network as `@:`. -| Type | Host | Priority | Weight | Port | Target | -| ---- | ----------------------- | -------- | ------ | ---- | ---------------------- | -| SRV | `_matrix._tcp` | 10 | 0 | 8448 | `matrix.` | -| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | -| A | `matrix` | - | - | - | `server-IP` | -| A | `riot` | - | - | - | `server-IP` | +| Type | Host | Priority | Weight | Port | Target | +| ----- | ----------------------- | -------- | ------ | ---- | ---------------------- | +| SRV | `_matrix._tcp` | 10 | 0 | 8448 | `matrix.` | +| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | +| A | `matrix` | - | - | - | `server-IP` | +| CNAME | `riot` | - | - | - | `matrix.` | When ready to proceed, continue with [Configuring this Ansible playbook](configuring-playbook.md). \ No newline at end of file From 83a17f84394f15e6e13d902bad68aa8c457008ca Mon Sep 17 00:00:00 2001 From: Hugues Morisset Date: Sun, 21 Oct 2018 23:20:37 +0200 Subject: [PATCH 0169/2384] Expose mautrix-telegram public endpoint through nginx It used to allow user to logging with their own account to the bot see: https://github.com/tulir/mautrix-telegram/wiki/Authentication#replacing-telegram-accounts-matrix-puppet-with-matrix-account for more informations --- roles/matrix-server/defaults/main.yml | 3 +++ .../templates/mautrix-telegram/config.yaml.j2 | 9 +++------ .../templates/nginx-conf.d/matrix-synapse.conf.j2 | 14 ++++++++++++++ 3 files changed, 20 insertions(+), 6 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 524a4a62..9551893d 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -239,6 +239,9 @@ matrix_mautrix_telegram_enabled: false # Get your own API keys at https://my.telegram.org/apps matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH +# Mautrix telegram public endpoint to log in to telegram +# Use an uuid so it's not easily discoverable +matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}" # By default, this playbook sets up its own nginx proxy server on port 80/443. diff --git a/roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 b/roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 index 2f4afd55..c1858686 100644 --- a/roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 +++ b/roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 @@ -35,10 +35,10 @@ appservice: # Whether or not the public-facing endpoints should be enabled. enabled: true # The prefix to use in the public-facing endpoints. - prefix: /public + prefix: {{ matrix_mautrix_telegram_public_endpoint }} # The base URL where the public-facing endpoints are available. The prefix is not added # implicitly. - external: https://{{ hostname_matrix }}/public + external: https://{{ hostname_matrix }}{{ matrix_mautrix_telegram_public_endpoint }} # Provisioning API part of the web server for automated portal creation and fetching information. # Used by things like Dimension (https://dimension.t2bot.io/). @@ -206,8 +206,7 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - '{{ hostname_identity }}': puppeting - '*': relaybot + '{{ hostname_identity }}': full # Options related to the message relay Telegram bot. relaybot: @@ -219,8 +218,6 @@ bridge: ignore_own_incoming_events: true # List of usernames/user IDs who are also allowed to use the bot commands. whitelist: - - myusername - - 12345678 # Telegram config telegram: diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index c5b537ec..03ec51a1 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -73,6 +73,20 @@ server { } {% endif %} + {% if matrix_mautrix_telegram_enabled %} + location {{ matrix_mautrix_telegram_public_endpoint }} { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-telegram:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://localhost:8080; + {% endif %} + } + {% endif %} + location /_matrix { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} From 7921799c6c3ebafc14f3629e1c1ca809ed7ea59d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Oct 2018 09:19:24 +0300 Subject: [PATCH 0170/2384] Make matrix-corporal documentation more detailed --- docs/configuring-playbook-matrix-corporal.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index f38725d8..5dae201a 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -6,6 +6,8 @@ See that project's documentation to learn what it does and why it might be usefu If you decide that you'd like to let this playbook install it for you, you'd need to also [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md). + +## Playbook configuration You would then need some configuration like this: ```yaml @@ -25,9 +27,20 @@ matrix_corporal_http_api_enabled: true matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE" # If you need to change the reconciliator user's id from the default (matrix-corporal).. +# In any case, you need to make sure this Matrix user is created on your server. matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" ``` +Matrix Corporal operates with a specific Matrix user on your server. +By default, it's `matrix-corporal` (controllable by the `matrix_corporal_reconciliation_user_id_local_part` setting, see above). +No matter what Matrix user id you configure to run it with, make sure that: + +- the Matrix Corporal user is created by [registering it](registering-users.md). Use a password you remember, as you'll need to log in from time to time to create or join rooms + +- the Matrix Corporal user is joined and has Admin/Moderator-level access to any rooms you want it to manage + +## Matrix Corporal files + The following local filesystem paths are mounted in the `matrix-corporal` container and can be used in your configuration (or policy): - `/matrix/corporal/config` is mounted at `/etc/matrix-corporal` (read-only) @@ -35,3 +48,5 @@ The following local filesystem paths are mounted in the `matrix-corporal` contai - `/matrix/corporal/var` is mounted at `/var/matrix-corporal` (read and write) - `/matrix/corporal/cache` is mounted at `/var/cache/matrix-corporal` (read and write) + +As an example: you can create your own configuration files in `/matrix/corporal/config` and they will appear in `/etc/matrix-corporal` in the Docker container. Your configuration (stuff in `matrix_corporal_policy_provider_config`) needs to refer to these files via the local container path `/etc/matrix-corporal` \ No newline at end of file From 3ecb16bbefd628d10d55340f52cc55a884acd5ef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Oct 2018 13:59:06 +0300 Subject: [PATCH 0171/2384] Use disable_guests=true for Riot --- CHANGELOG.md | 8 ++++++++ docs/configuring-playbook-matrix-corporal.md | 1 + roles/matrix-server/templates/riot-web/config.json.j2 | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d0a640eb..8f7d4599 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +# 2018-10-24 + +## Disabling riot-web guests + +From now on, Riot's configuration setting `disable_guests` would be set to `true`. +The homeserver was rejecting guests anyway, so this is just a cosmetic change affecting Riot's UI. + + # 2018-10-21 ## Self-check maintenance command diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index 5dae201a..8e78ee93 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -39,6 +39,7 @@ No matter what Matrix user id you configure to run it with, make sure that: - the Matrix Corporal user is joined and has Admin/Moderator-level access to any rooms you want it to manage + ## Matrix Corporal files The following local filesystem paths are mounted in the `matrix-corporal` container and can be used in your configuration (or policy): diff --git a/roles/matrix-server/templates/riot-web/config.json.j2 b/roles/matrix-server/templates/riot-web/config.json.j2 index ffc356dd..37d62f8d 100644 --- a/roles/matrix-server/templates/riot-web/config.json.j2 +++ b/roles/matrix-server/templates/riot-web/config.json.j2 @@ -2,7 +2,7 @@ "default_hs_url": "{{ matrix_homeserver_url }}", "default_is_url": "{{ matrix_identity_server_url }}", "disable_custom_urls": true, - "disable_guests": false, + "disable_guests": true, "brand": "Riot", "integrations_ui_url": "https://scalar.vector.im/", "integrations_rest_url": "https://scalar.vector.im/api", From caa32b6d76a8006e18333aa150eb52913e236220 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Oct 2018 16:21:21 +0300 Subject: [PATCH 0172/2384] Fix incorrect documentation It's been incorrect since 23e4a473 --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 437cba69..18d32b95 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -24,6 +24,6 @@ matrix_nginx_proxy_enabled: false - ensure you set up (separate) vhosts that proxy for both Riot (`localhost:8765`) and Matrix Synapse (`localhost:8008`) -- ensure that the `/.well-known/acme-challenge` location for each "port=80 vhost" is an alias to the `/matrix/ssl/run/acme-challenge` directory (for automated SSL renewal to work) +- ensure that the `/.well-known/acme-challenge` location for each "port=80 vhost" gets proxied to `http://localhost:2402` (controlled by `matrix_ssl_certbot_standalone_http_port`) for automated SSL renewal to work - ensure that you restart/reload your webserver once in a while, so that renewed SSL certificates would take effect (once a month should be enough) \ No newline at end of file From 7a94fc0e241845b18b918fd8ac12cbe819bf2d03 Mon Sep 17 00:00:00 2001 From: Hugues Morisset Date: Wed, 24 Oct 2018 15:18:55 +0200 Subject: [PATCH 0173/2384] Add mautrix-whatsapp --- roles/matrix-server/defaults/main.yml | 5 ++ .../tasks/setup/setup_synapse_ext.yml | 2 + .../setup_synapse_ext_mautrix_telegram.yml | 4 +- .../setup_synapse_ext_mautrix_whatsapp.yml | 68 +++++++++++++++ roles/matrix-server/tasks/start.yml | 4 + .../templates/mautrix-whatsapp/config.yaml.j2 | 85 +++++++++++++++++++ .../matrix-mautrix-whatsapp.service.j2 | 24 ++++++ 7 files changed, 190 insertions(+), 2 deletions(-) create mode 100644 roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml create mode 100644 roles/matrix-server/templates/mautrix-whatsapp/config.yaml.j2 create mode 100644 roles/matrix-server/templates/systemd/matrix-mautrix-whatsapp.service.j2 diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 9551893d..7d23e93d 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -128,6 +128,7 @@ matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" +matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" matrix_docker_image_postgres_v9: "postgres:9.6.10-alpine" @@ -142,6 +143,7 @@ matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.8" matrix_docker_image_mailer: "panubo/postfix:latest" matrix_docker_image_mxisd: "kamax/mxisd:1.1.1" matrix_docker_image_mautrix_telegram: "tulir/mautrix-telegram:v0.3.0" +matrix_docker_image_mautrix_whatsapp: "tulir/mautrix-whatsapp:latest" # The Docker network that all services would be put into matrix_docker_network: "matrix" @@ -243,6 +245,9 @@ matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH # Use an uuid so it's not easily discoverable matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}" +# Matrix mautrix is a Matrix <-> Whatsapp bridge +# Enable whatsapp bridge +matrix_mautrix_whatsapp_enabled: false # By default, this playbook sets up its own nginx proxy server on port 80/443. # This is fine if you're dedicating the whole server to Matrix. diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext.yml index 6c6fddda..d202d94e 100644 --- a/roles/matrix-server/tasks/setup/setup_synapse_ext.yml +++ b/roles/matrix-server/tasks/setup/setup_synapse_ext.yml @@ -5,3 +5,5 @@ - include: tasks/setup/setup_synapse_ext_shared_secret_auth.yml - include: tasks/setup/setup_synapse_ext_mautrix_telegram.yml + +- include: tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_telegram.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_telegram.yml index b4719274..c4daaa87 100644 --- a/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_telegram.yml +++ b/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_telegram.yml @@ -34,11 +34,11 @@ when: "matrix_mautrix_telegram_enabled" - stat: "path={{ matrix_mautrix_telegram_base_path }}/registration.yaml" - register: mautrix_registration_file + register: mautrix_telegram_registration_file - name: Generate matrix-mautrix-telegram registration.yaml if it doesn't exist shell: /usr/bin/docker run --rm --name matrix-mautrix-telegram-gen -v {{ matrix_mautrix_telegram_base_path }}:/data:z {{ matrix_docker_image_mautrix_telegram }} python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml - when: "matrix_mautrix_telegram_enabled and mautrix_registration_file.stat.exists == False" + when: "matrix_mautrix_telegram_enabled and mautrix_telegram_registration_file.stat.exists == False" - set_fact: matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml' diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml new file mode 100644 index 00000000..d323c891 --- /dev/null +++ b/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml @@ -0,0 +1,68 @@ +--- + +- name: Ensure Mautrix Whatsapp image is pulled + docker_image: + name: "{{ matrix_docker_image_mautrix_whatsapp }}" + when: "matrix_mautrix_whatsapp_enabled" + +- name: Ensure Mautrix Whatsapp configuration path exists + file: + path: "{{ matrix_mautrix_whatsapp_base_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "matrix_mautrix_whatsapp_enabled" + +- stat: "path={{ matrix_mautrix_whatsapp_base_path }}/config.yaml" + register: mautrix_config_file + +- name: Ensure Matrix Mautrix whatsapp config installed + template: + src: "{{ role_path }}/templates/mautrix-whatsapp/config.yaml.j2" + dest: "{{ matrix_mautrix_whatsapp_base_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "matrix_mautrix_whatsapp_enabled and mautrix_config_file.stat.exists == False" + +- name: Ensure matrix-mautrix-whatsapp.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-whatsapp.service.j2" + dest: "/etc/systemd/system/matrix-mautrix-whatsapp.service" + mode: 0644 + when: "matrix_mautrix_whatsapp_enabled" + +- stat: "path={{ matrix_mautrix_whatsapp_base_path }}/registration.yaml" + register: mautrix_whatsapp_registration_file + +- name: Generate matrix-mautrix-whatsapp registration.yaml if it doesn't exist + shell: /usr/bin/docker run --rm --name matrix-mautrix-whatsapp-gen -v {{ matrix_mautrix_whatsapp_base_path }}:/data:z {{ matrix_docker_image_mautrix_whatsapp }} /usr/bin/mautrix-whatsapp -g -c /data/config.yaml -r /data/registration.yaml + when: "matrix_mautrix_whatsapp_enabled and mautrix_whatsapp_registration_file.stat.exists == False" + +- set_fact: + matrix_synapse_app_service_config_file_mautrix_whatsapp: '/app-registration/mautrix-whatsapp.yml' + +- set_fact: + matrix_synapse_container_additional_volumes: > + {{ matrix_synapse_container_additional_volumes }} + + + {{ [{'src': '{{ matrix_mautrix_whatsapp_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_whatsapp }}', 'options': 'ro'}] }} + when: "matrix_mautrix_whatsapp_enabled" + +- set_fact: + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files }} + + + {{ ["{{ matrix_synapse_app_service_config_file_mautrix_whatsapp }}"] | to_nice_json }} + when: "matrix_mautrix_whatsapp_enabled" + +# +# Tasks related to getting rid of matrix-mautrix-whatsapp (if it was previously enabled) +# + +- name: Ensure matrix-mautrix-whatsapp.service doesn't exist + file: + path: "/etc/systemd/system/matrix-mautrix-whatsapp.service" + state: absent + when: "not matrix_mautrix_whatsapp_enabled" diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index 3158c0fb..4e5373c4 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -37,3 +37,7 @@ - name: Ensure matrix-mautrix-telegram autoruns and is restarted service: name=matrix-mautrix-telegram enabled=yes state=restarted daemon_reload=yes when: matrix_mautrix_telegram_enabled + +- name: Ensure matrix-mautrix-whatsapp autoruns and is restarted + service: name=matrix-mautrix-whatsapp enabled=yes state=restarted daemon_reload=yes + when: matrix_mautrix_whatsapp_enabled diff --git a/roles/matrix-server/templates/mautrix-whatsapp/config.yaml.j2 b/roles/matrix-server/templates/mautrix-whatsapp/config.yaml.j2 new file mode 100644 index 00000000..5f4943ba --- /dev/null +++ b/roles/matrix-server/templates/mautrix-whatsapp/config.yaml.j2 @@ -0,0 +1,85 @@ +# Homeserver details. +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: https://{{ hostname_matrix }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ hostname_identity }} + +# Application service host/registration related details. +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://matrix-mautrix-whatsapp:8080 + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + + # Database config. + database: + # The database type. Only "sqlite3" is supported. + type: sqlite3 + # The database URI. Usually file name. https://github.com/mattn/go-sqlite3#connection-string + uri: mautrix-whatsapp.db + # Path to the Matrix room state store. + state_store_path: ./mx-state.json + + # The unique ID of this appservice. + id: whatsapp + # Appservice bot details. + bot: + # Username of the appservice bot. + username: whatsappbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + displayname: WhatsApp bridge bot + avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" + +# Bridge config. Currently unused. +bridge: + # {% raw %} + # Localpart template of MXIDs for WhatsApp users. + # {{.}} is replaced with the phone number of the WhatsApp user. + username_template: whatsapp_{{.}} + # Displayname template for WhatsApp users. + # {{.Notify}} - nickname set by the WhatsApp user + # {{.Jid}} - phone number (international format) + # The following variables are also available, but will cause problems on multi-user instances: + # {{.Name}} - display name from contact list + # {{.Short}} - short display name from contact list + # {% endraw %} + displayname_template: {% raw %}"{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)"{% endraw %} + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!wa" + + # Permissions for using the bridge. + # Permitted values: + # user - Access to use the bridge to chat with a WhatsApp account. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '{{ hostname_identity }}': user + +# Logging config. +logging: + # The directory for log files. Will be created if not found. + directory: ./logs + # Available variables: .Date for the file date and .Index for different log files on the same day. + file_name_format: {% raw %}"{{.Date}}-{{.Index}}.log"{% endraw %} + # Date format for file names in the Go time format: https://golang.org/pkg/time/#pkg-constants + file_date_format: 2006-01-02 + # Log file permissions. + file_mode: 0600 + # Timestamp format for log entries in the Go time format. + timestamp_format: Jan _2, 2006 15:04:05 + # Minimum severity for log messages. + # Options: debug, info, warn, error, fatal + print_level: debug diff --git a/roles/matrix-server/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-server/templates/systemd/matrix-mautrix-whatsapp.service.j2 new file mode 100644 index 00000000..10a78d3f --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-mautrix-whatsapp.service.j2 @@ -0,0 +1,24 @@ +[Unit] +Description=Matrix Mautrix Whatsapp server +After=docker.service +Requires=docker.service +Requires=matrix-synapse.service +After=matrix-synapse.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-mautrix-whatsapp +ExecStartPre=-/usr/bin/docker rm matrix-mautrix-whatsapp +ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-whatsapp \ + --log-driver=none \ + -e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \ + --network={{ matrix_docker_network }} \ + -v {{ matrix_mautrix_whatsapp_base_path }}:/data:z \ + {{ matrix_docker_image_mautrix_whatsapp }} +ExecStop=-/usr/bin/docker kill matrix-mautrix-whatsapp +ExecStop=-/usr/bin/docker rm matrix-mautrix-whatsapp +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target From b3fcc641c48ee187315e06dec3848076a917b3f7 Mon Sep 17 00:00:00 2001 From: Hugues Morisset Date: Wed, 24 Oct 2018 18:12:24 +0200 Subject: [PATCH 0174/2384] Add documentation and fix templates --- docs/configuring-playbook-bridge-mautrix-telegram.md | 4 +++- docs/configuring-playbook-bridge-mautrix-whatsapp.md | 12 ++++++++++++ .../templates/mautrix-whatsapp/config.yaml.j2 | 5 +++-- 3 files changed, 18 insertions(+), 3 deletions(-) create mode 100644 docs/configuring-playbook-bridge-mautrix-whatsapp.md diff --git a/docs/configuring-playbook-bridge-mautrix-telegram.md b/docs/configuring-playbook-bridge-mautrix-telegram.md index 175a9b4b..0886c60d 100644 --- a/docs/configuring-playbook-bridge-mautrix-telegram.md +++ b/docs/configuring-playbook-bridge-mautrix-telegram.md @@ -2,7 +2,7 @@ The playbook can install and configure [mautrix-telegram](https://github.com/tulir/mautrix-telegram) for you. -See that project's [documentation](https://github.com/tulir/mautrix-telegram/wiki#usage) to learn what it does and why it might be useful to you. +See the project's [documentation](https://github.com/tulir/mautrix-telegram/wiki#usage) to learn what it does and why it might be useful to you. You'll need to obtain API keys from `https://my.telegram.org/apps` and then use the following playbook configuration: ``` @@ -10,3 +10,5 @@ matrix_mautrix_telegram_enabled: true matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH ``` + +You then need to start a chat with `@telegrambot:{{ hostname_identity }}` diff --git a/docs/configuring-playbook-bridge-mautrix-whatsapp.md b/docs/configuring-playbook-bridge-mautrix-whatsapp.md new file mode 100644 index 00000000..0d70043a --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md @@ -0,0 +1,12 @@ +# Setting up Mautrix Whatsapp + +The playbook can install and configure [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) for you. + +See the project's [documentation](https://github.com/tulir/mautrix-whatsapp/wiki) to learn what it does and why it might be useful to you. + +Use the following playbook configuration: +``` +matrix_mautrix_whatsapp_enabled: true +``` + +You then need to start a chat with `@whatsappbot:{{ hostname_identity }}` diff --git a/roles/matrix-server/templates/mautrix-whatsapp/config.yaml.j2 b/roles/matrix-server/templates/mautrix-whatsapp/config.yaml.j2 index 5f4943ba..a29117cc 100644 --- a/roles/matrix-server/templates/mautrix-whatsapp/config.yaml.j2 +++ b/roles/matrix-server/templates/mautrix-whatsapp/config.yaml.j2 @@ -33,7 +33,7 @@ appservice: # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. displayname: WhatsApp bridge bot - avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr + avatar: remove # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. as_token: "This value is generated when generating the registration" @@ -42,6 +42,7 @@ appservice: # Bridge config. Currently unused. bridge: # {% raw %} + # protecting the go templates inside the raw section. # Localpart template of MXIDs for WhatsApp users. # {{.}} is replaced with the phone number of the WhatsApp user. username_template: whatsapp_{{.}} @@ -51,8 +52,8 @@ bridge: # The following variables are also available, but will cause problems on multi-user instances: # {{.Name}} - display name from contact list # {{.Short}} - short display name from contact list + displayname_template: "{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)" # {% endraw %} - displayname_template: {% raw %}"{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)"{% endraw %} # The prefix for commands. Only required in non-management rooms. command_prefix: "!wa" From 67a445a74ae817992c79ebdc135c92247b98825c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Oct 2018 18:02:04 +0300 Subject: [PATCH 0175/2384] Add support for controlling Matrix federation --- CHANGELOG.md | 7 +++++ docs/configuration-playbook-federation.md | 28 +++++++++++++++++++ docs/configuring-playbook.md | 2 ++ roles/matrix-server/defaults/main.yml | 9 ++++++ .../templates/synapse/homeserver.yaml.j2 | 5 ++++ .../systemd/matrix-synapse.service.j2 | 2 ++ 6 files changed, 53 insertions(+) create mode 100644 docs/configuration-playbook-federation.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f7d4599..66c7ca73 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +# 2018-10-25 + +## Support for controlling Matrix federation + +The playbook can now help you with [Controlling Matrix federation](docs/configuration-playbook-federation.md), should you wish to run a more private (isolated) server. + + # 2018-10-24 ## Disabling riot-web guests diff --git a/docs/configuration-playbook-federation.md b/docs/configuration-playbook-federation.md new file mode 100644 index 00000000..02e69600 --- /dev/null +++ b/docs/configuration-playbook-federation.md @@ -0,0 +1,28 @@ +# Controlling Matrix federation + +By default, your server federates with the whole Matrix network. +That is, people on your server can communicate with people on any other Matrix server. + + +## Federating only with select servers + +To make your server only federate with servers of your choosing, add this to your configuration file (`inventory/matrix./vars.yml`): + +```yaml +matrix_synapse_federation_domain_whitelist: +- example.com +- another.com +``` + +If you wish to disable federation, you can do that with an empty list (`[]`), or better yet by completely disabling federation (see below). + + +## Disabling federation + +To completely disable federation, isolating your server from the rest of the Matrix network, add this to your configuration file (`inventory/matrix./vars.yml`): + +```yaml +matrix_synapse_federation_enabled: false +``` + +With that, your server's users will only be able to talk among themselves, but not to anyone who is on another server. \ No newline at end of file diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 19dab5c1..af9bef61 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -23,6 +23,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins ## Other configuration options +- [Controlling Matrix federation](configuration-playbook-federation.md) (optional) + - [Adjusting email-sending settings](configuring-playbook-email.md) (optional) - [Storing Matrix media files on Amazon S3](configuring-playbook-s3.md) (optional) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 9551893d..38d9b0f8 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -86,6 +86,15 @@ matrix_synapse_event_cache_size: "100K" # - https://github.com/matrix-org/synapse/issues/3939 matrix_synapse_cache_factor: 0.5 +# Controls whether Matrix Synapse will federate at all. +# Disable this to completely isolate your server from the rest of the Matrix network. +matrix_synapse_federation_enabled: true + +# A list of domain names that are allowed to federate with the given Matrix Synapse server. +# An empty list value (`[]`) will also effectively stop federation, but if that's the desired +# result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`. +matrix_synapse_federation_domain_whitelist: ~ + # A list of additional "volumes" to mount in the container. # This list gets populated dynamically based on Synapse extensions that have been enabled. # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index e70b3046..2b914e5e 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -119,12 +119,16 @@ use_presence: {{ matrix_synapse_use_presence|to_json }} # - lon.example.com # - nyc.example.com # - syd.example.com +{% if matrix_synapse_federation_domain_whitelist is not none %} +federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }} +{% endif %} # List of ports that Synapse should listen on, their purpose and their # configuration. listeners: # Main HTTPS listener # For when matrix traffic is sent directly to synapse. + {% if matrix_synapse_federation_enabled %} - # The port to listen for HTTPS requests on. port: 8448 @@ -157,6 +161,7 @@ listeners: # "/_matrix/my/custom/endpoint": # module: my_module.CustomRequestHandler # config: {} + {% endif %} # Unsecure HTTP listener, # For when matrix traffic passes through loadbalancer that unwraps TLS. diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 829f7372..9940fd30 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -29,7 +29,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ --log-driver=none \ --env-file={{ matrix_environment_variables_data_path }}/synapse \ --network={{ matrix_docker_network }} \ + {% if matrix_synapse_federation_enabled %} -p 8448:8448 \ + {% endif %} {% if not matrix_nginx_proxy_enabled %} -p 127.0.0.1:8008:8008 \ {% endif %} From 95a6519876823bad99182d67df0c4755f15213bb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Oct 2018 18:15:56 +0300 Subject: [PATCH 0176/2384] Fix yaml syntax breakage Regression since 67a445a74ae817 --- roles/matrix-server/templates/synapse/homeserver.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 2b914e5e..90bd2120 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -126,9 +126,9 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js # List of ports that Synapse should listen on, their purpose and their # configuration. listeners: +{% if matrix_synapse_federation_enabled %} # Main HTTPS listener # For when matrix traffic is sent directly to synapse. - {% if matrix_synapse_federation_enabled %} - # The port to listen for HTTPS requests on. port: 8448 @@ -161,7 +161,7 @@ listeners: # "/_matrix/my/custom/endpoint": # module: my_module.CustomRequestHandler # config: {} - {% endif %} +{% endif %} # Unsecure HTTP listener, # For when matrix traffic passes through loadbalancer that unwraps TLS. From 5e3c6ebf49ec601c2184efb6126000ff788daf95 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 Oct 2018 19:44:58 +0300 Subject: [PATCH 0177/2384] Update documentation --- CHANGELOG.md | 9 +++++++++ docs/configuring-playbook.md | 4 +++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 66c7ca73..98f89115 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2018-10-26 + +## Mautrix Whatsapp bridging support + +The playbook now supports bridging with [Whatsapp](https://www.whatsapp.com/) by installing the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge. This playbook functionality is available thanks to [@izissise](https://github.com/izissise). + +Additional details are available in [Setting up Mautrix Whatsapp bridging](docs/configuring-playbook-bridge-mautrix-whatsapp.md). + + # 2018-10-25 ## Support for controlling Matrix federation diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index af9bef61..51ae3112 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -41,4 +41,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional) -- [Setting up Mautrix Telegram bridging](configuring-playbook-bridge-mautrix-telegram.md) (optional) \ No newline at end of file +- [Setting up Mautrix Telegram bridging](configuring-playbook-bridge-mautrix-telegram.md) (optional) + +- [Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md) (optional) \ No newline at end of file From 230f3373150f0076a74537af73ccacfe2af7f7a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 Oct 2018 19:48:49 +0300 Subject: [PATCH 0178/2384] Update README --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 6a182354..e11e7461 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/) +- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [Whatsapp](https://www.whatsapp.com/) + Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. @@ -100,6 +102,8 @@ This playbook sets up your server using the following Docker images: - [tulir/mautrix-telegram](https://hub.docker.com/r/tulir/mautrix-telegram/) - the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge to [Telegram](https://telegram.org/) (optional) +- [tulir/mautrix-whatsapp](https://hub.docker.com/r/tulir/mautrix-whatsapp/) - the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional) + ## Deficiencies From 8498c4c5de2d277ba21523fe39c768b492aef530 Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Sun, 28 Oct 2018 15:16:21 +0000 Subject: [PATCH 0179/2384] comment out all the things --- roles/matrix-server/tasks/main.yml | 34 ++++++++++++------------ roles/matrix-server/tasks/setup/main.yml | 10 +++---- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 6f5b7bbe..7b6d5d3b 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -2,28 +2,28 @@ - include: tasks/setup/main.yml -- include: tasks/upgrade_postgres.yml - tags: - - upgrade-postgres +# - include: tasks/upgrade_postgres.yml +# tags: +# - upgrade-postgres - include: tasks/start.yml tags: - start -- include: tasks/register_user.yml - tags: - - register-user +# - include: tasks/register_user.yml +# tags: +# - register-user -- include: tasks/import_sqlite_db.yml - tags: - - import-sqlite-db +# - include: tasks/import_sqlite_db.yml +# tags: +# - import-sqlite-db -- include: tasks/import_media_store.yml - tags: - - import-media-store +# - include: tasks/import_media_store.yml +# tags: +# - import-media-store -- include: tasks/self_check/main.yml - delegate_to: 127.0.0.1 - become: false - tags: - - self-check +# - include: tasks/self_check/main.yml +# delegate_to: 127.0.0.1 +# become: false +# tags: +# - self-check diff --git a/roles/matrix-server/tasks/setup/main.yml b/roles/matrix-server/tasks/setup/main.yml index ac6cb782..55d77476 100644 --- a/roles/matrix-server/tasks/setup/main.yml +++ b/roles/matrix-server/tasks/setup/main.yml @@ -8,10 +8,10 @@ tags: - setup-all -- include: tasks/setup/setup_ssl.yml - tags: - - setup-all - - setup-ssl +# - include: tasks/setup/setup_ssl.yml +# tags: +# - setup-all +# - setup-ssl - include: tasks/setup/setup_postgres.yml tags: @@ -70,4 +70,4 @@ tags: - setup-all - setup-nginx-proxy - - setup-well-known \ No newline at end of file + - setup-well-known From 2186031be2efa390bc4cd0c482f310773a26265d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 29 Oct 2018 20:47:56 +0200 Subject: [PATCH 0180/2384] Remove unnecessary code causing troubles on Debian-based systems It should be `/bin/mkdir` and `/bin/chown` on Ubuntu 18.04 for example. Still, it doesn't seem like we need to create and chown these directories at all, since the playbook takes care of creating them and setting appropriate permission by itself. --- .../matrix-server/templates/systemd/matrix-postgres.service.j2 | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 index 322961bf..55a00ec9 100644 --- a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 @@ -7,8 +7,6 @@ Requires=docker.service Type=simple ExecStartPre=-/usr/bin/docker stop matrix-postgres ExecStartPre=-/usr/bin/docker rm matrix-postgres -ExecStartPre=-/usr/bin/mkdir {{ matrix_postgres_data_path }} -ExecStartPre=-/usr/bin/chown {{ matrix_user_uid }}:{{ matrix_user_gid }} {{ matrix_postgres_data_path }} ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ From 4bb8d4cb606f3d2a2b5a60bd920a34dd82af995c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 29 Oct 2018 22:38:58 +0200 Subject: [PATCH 0181/2384] Fix up well-known documentation a bit --- docs/configuring-well-known.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 88189249..ea3d32bb 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -81,6 +81,6 @@ Make sure to: ## Confirming it works -No matter which method you've used to set up the well-known file, if you've done it correctly you should be able to see a JSON file at a URL like this: `https://matrix./.well-known/matrix/client`. +No matter which method you've used to set up the well-known file, if you've done it correctly you should be able to see a JSON file at a URL like this: `https:///.well-known/matrix/client`. -You can also check if everything is configured correctly, by [checking if services work](maintenance-checking-services.md). \ No newline at end of file +You can also check if everything is configured correctly, by [checking if services work](maintenance-checking-services.md). From 67e2bf285d44c0cb392ba1e28e615053b748c03c Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Tue, 30 Oct 2018 20:43:28 +0000 Subject: [PATCH 0182/2384] A simple idea to allow playbooks to control which bit of the role to run --- roles/matrix-server/defaults/main.yml | 9 ++++++ roles/matrix-server/tasks/main.yml | 41 ++++++++++++++---------- roles/matrix-server/tasks/setup/main.yml | 10 +++--- 3 files changed, 38 insertions(+), 22 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index a45d6b95..3c0a2d2c 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -284,3 +284,12 @@ matrix_ssl_use_staging: false # Specifies when to attempt to retrieve new SSL certificates from Let's Encrypt. matrix_ssl_renew_cron_time_definition: "15 4 */5 * *" + +# Variables to Control which parts of the role run. +run_setup: true +run_upgrade_postgres: true +run_start: true +run_register_user: true +run_import_sqlite_db: true +run_import_media_store: true +run_self_check: true diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 7b6d5d3b..c76c2070 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -1,29 +1,36 @@ --- - include: tasks/setup/main.yml + when: run_setup -# - include: tasks/upgrade_postgres.yml -# tags: -# - upgrade-postgres +- include: tasks/upgrade_postgres.yml + tags: + - upgrade-postgres + when: run_upgrade_postgres - include: tasks/start.yml tags: - start + when: run_start -# - include: tasks/register_user.yml -# tags: -# - register-user +- include: tasks/register_user.yml + tags: + - register-user + when: run_register_user -# - include: tasks/import_sqlite_db.yml -# tags: -# - import-sqlite-db +- include: tasks/import_sqlite_db.yml + tags: + - import-sqlite-db + when: run_import_sqlite_db -# - include: tasks/import_media_store.yml -# tags: -# - import-media-store +- include: tasks/import_media_store.yml + tags: + - import-media-store + when: run_import_media_store -# - include: tasks/self_check/main.yml -# delegate_to: 127.0.0.1 -# become: false -# tags: -# - self-check +- include: tasks/self_check/main.yml + delegate_to: 127.0.0.1 + become: false + tags: + - self-check + when: run_self_check diff --git a/roles/matrix-server/tasks/setup/main.yml b/roles/matrix-server/tasks/setup/main.yml index 55d77476..ac6cb782 100644 --- a/roles/matrix-server/tasks/setup/main.yml +++ b/roles/matrix-server/tasks/setup/main.yml @@ -8,10 +8,10 @@ tags: - setup-all -# - include: tasks/setup/setup_ssl.yml -# tags: -# - setup-all -# - setup-ssl +- include: tasks/setup/setup_ssl.yml + tags: + - setup-all + - setup-ssl - include: tasks/setup/setup_postgres.yml tags: @@ -70,4 +70,4 @@ tags: - setup-all - setup-nginx-proxy - - setup-well-known + - setup-well-known \ No newline at end of file From 1955aac4bd7a18ea3aa49f4a09b16ce0d3895fc5 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 31 Oct 2018 11:47:17 -0500 Subject: [PATCH 0183/2384] Update riot-web (0.17.0 -> 0.17.3) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index a45d6b95..e2f518f2 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -146,7 +146,7 @@ matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.7" matrix_docker_image_nginx: "nginx:1.15.5-alpine" -matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.17.0" +matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.17.3" matrix_docker_image_goofys: "cloudproto/goofys:latest" matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.8" matrix_docker_image_mailer: "panubo/postfix:latest" From fb5115a544a79ef039a985f6c747b2366de43516 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Nov 2018 08:46:47 +0200 Subject: [PATCH 0184/2384] Rename playbook variables so they are consistently prefixed Pretty much all variables live in their own `matrix_` prefix now and are grouped closer together in the default variables file (`roles/matrix-server/defaults/main.yml`). --- CHANGELOG.md | 21 +++++ roles/matrix-server/defaults/main.yml | 90 +++++++++++-------- .../matrix-server/tasks/import_sqlite_db.yml | 2 +- .../tasks/setup/setup_coturn.yml | 2 +- .../tasks/setup/setup_goofys.yml | 4 +- .../tasks/setup/setup_mailer.yml | 4 +- .../matrix-server/tasks/setup/setup_mxisd.yml | 4 +- .../tasks/setup/setup_nginx_proxy.yml | 2 +- .../tasks/setup/setup_postgres.yml | 10 +-- .../tasks/setup/setup_riot_web.yml | 4 +- .../setup_synapse_ext_mautrix_telegram.yml | 4 +- .../setup_synapse_ext_mautrix_whatsapp.yml | 4 +- .../tasks/setup/setup_synapse_main.yml | 4 +- .../matrix-server/tasks/upgrade_postgres.yml | 10 +-- .../systemd/matrix-coturn.service.j2 | 2 +- .../systemd/matrix-goofys.service.j2 | 2 +- .../systemd/matrix-mailer.service.j2 | 2 +- .../matrix-mautrix-telegram.service.j2 | 2 +- .../matrix-mautrix-whatsapp.service.j2 | 2 +- .../templates/systemd/matrix-mxisd.service.j2 | 2 +- .../systemd/matrix-nginx-proxy.service.j2 | 2 +- .../systemd/matrix-postgres.service.j2 | 2 +- .../systemd/matrix-riot-web.service.j2 | 2 +- .../systemd/matrix-synapse.service.j2 | 2 +- .../usr-local-bin/matrix-postgres-cli.j2 | 2 +- 25 files changed, 114 insertions(+), 73 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 98f89115..59a6c5bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,24 @@ +# 2018-11-01 + +## (BC Break) Renaming playbook variables + +Due to the large amount of features added to this playbook lately, to keep things manageable we've had to reorganize its configuration variables a bit. + +The following playbook variables were renamed: + +- from `matrix_docker_image_mxisd` to `matrix_mxisd_docker_image` +- from `matrix_docker_image_mautrix_telegram` to `matrix_mautrix_telegram_docker_image` +- from `matrix_docker_image_mautrix_whatsapp` to `matrix_mautrix_whatsapp_docker_image` +- from `matrix_docker_image_mailer` to `matrix_mailer_docker_image` +- from `matrix_docker_image_coturn` to `matrix_coturn_docker_image` +- from `matrix_docker_image_goofys` to `matrix_s3_goofys_docker_image` +- from `matrix_docker_image_riot` to `matrix_riot_web_docker_image` +- from `matrix_docker_image_nginx` to `matrix_nginx_proxy_docker_image` +- from `matrix_docker_image_synapse` to `matrix_synapse_docker_image` +- from `matrix_docker_image_postgres_v9` to `matrix_postgres_docker_image_v9` +- from `matrix_docker_image_postgres_v10` to `matrix_postgres_docker_image_v10` +- from `matrix_docker_image_postgres_latest` to `matrix_postgres_docker_image_latest` + # 2018-10-26 ## Mautrix Whatsapp bridging support diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index e2f518f2..04e34b1c 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -11,21 +11,24 @@ hostname_matrix: "matrix.{{ hostname_identity }}" # This and the Matrix hostname (see above) are expected to be on the same server. hostname_riot: "riot.{{ hostname_identity }}" + matrix_user_username: "matrix" matrix_user_uid: 991 matrix_user_gid: 991 -# The defaults below cause a postgres server to be configured (running within a container). -# Using an external server is possible by tweaking all of the parameters below. -matrix_postgres_use_external: false -matrix_postgres_connection_hostname: "matrix-postgres" -matrix_postgres_connection_username: "synapse" -matrix_postgres_connection_password: "synapse-password" -matrix_postgres_db_name: "homeserver" - matrix_base_data_path: "/matrix" - matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables" +matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" +matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" + +matrix_homeserver_url: "https://{{ hostname_matrix }}" +matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}" + +# The Docker network that all services would be put into +matrix_docker_network: "matrix" + + +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.33.7" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" @@ -114,6 +117,7 @@ matrix_synapse_app_service_config_files: [] # any password providers have been enabled or not. matrix_synapse_password_providers_enabled: false + # Enable this to activate the REST auth password provider module. # See: https://github.com/kamax-io/matrix-synapse-rest-auth matrix_synapse_ext_password_provider_rest_auth_enabled: false @@ -129,33 +133,26 @@ matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0/shared_secret_authenticator.py" matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" + +# The defaults below cause a postgres server to be configured (running within a container). +# Using an external server is possible by tweaking all of the parameters below. +matrix_postgres_use_external: false +matrix_postgres_connection_hostname: "matrix-postgres" +matrix_postgres_connection_username: "synapse" +matrix_postgres_connection_password: "synapse-password" +matrix_postgres_db_name: "homeserver" + matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" -matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" -matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" -matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" -matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" -matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" -matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" -matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" -matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" -matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" -matrix_docker_image_postgres_v9: "postgres:9.6.10-alpine" -matrix_docker_image_postgres_v10: "postgres:10.5-alpine" -matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" +matrix_postgres_docker_image_v9: "postgres:9.6.10-alpine" +matrix_postgres_docker_image_v10: "postgres:10.5-alpine" +matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v10 }}" -matrix_docker_image_synapse: "matrixdotorg/synapse:v0.33.7" -matrix_docker_image_nginx: "nginx:1.15.5-alpine" -matrix_docker_image_riot: "avhost/docker-matrix-riot:v0.17.3" -matrix_docker_image_goofys: "cloudproto/goofys:latest" -matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.8" -matrix_docker_image_mailer: "panubo/postfix:latest" -matrix_docker_image_mxisd: "kamax/mxisd:1.1.1" -matrix_docker_image_mautrix_telegram: "tulir/mautrix-telegram:v0.3.0" -matrix_docker_image_mautrix_whatsapp: "tulir/mautrix-whatsapp:latest" -# The Docker network that all services would be put into -matrix_docker_network: "matrix" +matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8" + +matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" +matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" # A shared secret (between Synapse and Coturn) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). @@ -169,6 +166,7 @@ matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" matrix_s3_media_store_enabled: false +matrix_s3_goofys_docker_image: "cloudproto/goofys:latest" matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "your-aws-access-key" matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" @@ -180,6 +178,8 @@ matrix_s3_media_store_region: "eu-central-1" # Other services (like mxisd), however, also use that mailer to send emails through it. matrix_mailer_enabled: true +matrix_mailer_docker_image: "panubo/postfix:latest" + matrix_mailer_sender_address: "matrix@{{ hostname_identity }}" matrix_mailer_relay_use: false matrix_mailer_relay_host_name: "mail.example.com" @@ -193,7 +193,7 @@ matrix_mailer_relay_auth_password: "" # If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own, # you may wish to disable this. matrix_mxisd_enabled: true - +matrix_mxisd_docker_image: "kamax/mxisd:1.1.1" matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" @@ -236,17 +236,26 @@ matrix_corporal_policy_provider_config: "" matrix_corporal_debug: false + # By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain. # If you wish to connect to your Matrix server by other means, # you may wish to disable this. matrix_riot_web_enabled: true -matrix_homeserver_url: "https://{{ hostname_matrix }}" -matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}" +matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.3" + +matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" + + # Matrix mautrix is a Matrix <-> Telegram bridge # Enable telegram bridge matrix_mautrix_telegram_enabled: false + +matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.3.0" + +matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" + # Get your own API keys at https://my.telegram.org/apps matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH @@ -254,16 +263,27 @@ matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH # Use an uuid so it's not easily discoverable matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}" + # Matrix mautrix is a Matrix <-> Whatsapp bridge # Enable whatsapp bridge matrix_mautrix_whatsapp_enabled: false +matrix_mautrix_whatsapp_docker_image: "tulir/mautrix-whatsapp:latest" + +matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" + + # By default, this playbook sets up its own nginx proxy server on port 80/443. # This is fine if you're dedicating the whole server to Matrix. # But in case that's not the case, you may wish to prevent that # and take care of proxying by yourself. matrix_nginx_proxy_enabled: true +matrix_nginx_proxy_docker_image: "nginx:1.15.5-alpine" + +matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" +matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" + # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008" diff --git a/roles/matrix-server/tasks/import_sqlite_db.yml b/roles/matrix-server/tasks/import_sqlite_db.yml index 1757087c..e72ff327 100644 --- a/roles/matrix-server/tasks/import_sqlite_db.yml +++ b/roles/matrix-server/tasks/import_sqlite_db.yml @@ -52,7 +52,7 @@ - name: Importing SQLite database into Postgres docker_container: name: matrix-synapse-migrate - image: "{{ matrix_docker_image_synapse }}" + image: "{{ matrix_synapse_docker_image }}" detach: no cleanup: yes entrypoint: /usr/bin/python diff --git a/roles/matrix-server/tasks/setup/setup_coturn.yml b/roles/matrix-server/tasks/setup/setup_coturn.yml index 8739d3a2..36a4c9a5 100644 --- a/roles/matrix-server/tasks/setup/setup_coturn.yml +++ b/roles/matrix-server/tasks/setup/setup_coturn.yml @@ -7,7 +7,7 @@ - name: Ensure Coturn image is pulled docker_image: - name: "{{ matrix_docker_image_coturn }}" + name: "{{ matrix_coturn_docker_image }}" - name: Ensure Coturn configuration path exists file: diff --git a/roles/matrix-server/tasks/setup/setup_goofys.yml b/roles/matrix-server/tasks/setup/setup_goofys.yml index bcca60f3..77004f0e 100644 --- a/roles/matrix-server/tasks/setup/setup_goofys.yml +++ b/roles/matrix-server/tasks/setup/setup_goofys.yml @@ -4,7 +4,7 @@ - name: Ensure Goofys Docker image is pulled docker_image: - name: "{{ matrix_docker_image_goofys }}" + name: "{{ matrix_s3_goofys_docker_image }}" when: matrix_s3_media_store_enabled # This will throw a Permission Denied error if already mounted @@ -65,6 +65,6 @@ - name: Ensure Goofys Docker image doesn't exist docker_image: - name: "{{ matrix_docker_image_goofys }}" + name: "{{ matrix_s3_goofys_docker_image }}" state: absent when: "not matrix_s3_media_store_enabled" diff --git a/roles/matrix-server/tasks/setup/setup_mailer.yml b/roles/matrix-server/tasks/setup/setup_mailer.yml index 7f8df8d5..fc8fb22f 100644 --- a/roles/matrix-server/tasks/setup/setup_mailer.yml +++ b/roles/matrix-server/tasks/setup/setup_mailer.yml @@ -14,7 +14,7 @@ - name: Ensure mailer image is pulled docker_image: - name: "{{ matrix_docker_image_mailer }}" + name: "{{ matrix_mailer_docker_image }}" when: matrix_mailer_enabled - name: Ensure matrix-mailer.service installed @@ -51,6 +51,6 @@ - name: Ensure mailer Docker image doesn't exist docker_image: - name: "{{ matrix_docker_image_mailer }}" + name: "{{ matrix_mailer_docker_image }}" state: absent when: "not matrix_mailer_enabled" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/setup_mxisd.yml b/roles/matrix-server/tasks/setup/setup_mxisd.yml index 5c10c9ad..8d6f361e 100644 --- a/roles/matrix-server/tasks/setup/setup_mxisd.yml +++ b/roles/matrix-server/tasks/setup/setup_mxisd.yml @@ -23,7 +23,7 @@ - name: Ensure mxisd image is pulled docker_image: - name: "{{ matrix_docker_image_mxisd }}" + name: "{{ matrix_mxisd_docker_image }}" when: matrix_mxisd_enabled - name: Ensure mxisd config installed @@ -69,6 +69,6 @@ - name: Ensure mxisd Docker image doesn't exist docker_image: - name: "{{ matrix_docker_image_mxisd }}" + name: "{{ matrix_mxisd_docker_image }}" state: absent when: "not matrix_mxisd_enabled" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml index dfcb96af..270c3bfa 100644 --- a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml +++ b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml @@ -36,7 +36,7 @@ # - name: Ensure nginx Docker image is pulled docker_image: - name: "{{ matrix_docker_image_nginx }}" + name: "{{ matrix_nginx_proxy_docker_image }}" when: matrix_nginx_proxy_enabled - name: Allow access to nginx proxy ports in firewalld diff --git a/roles/matrix-server/tasks/setup/setup_postgres.yml b/roles/matrix-server/tasks/setup/setup_postgres.yml index 8242fa4e..d2666bf5 100644 --- a/roles/matrix-server/tasks/setup/setup_postgres.yml +++ b/roles/matrix-server/tasks/setup/setup_postgres.yml @@ -26,21 +26,21 @@ - name: Determine Postgres version to use (default to latest) set_fact: - matrix_docker_image_postgres_to_use: "{{ matrix_docker_image_postgres_latest }}" + matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest }}" - name: Determine Postgres version to use (use 9.x, if detected) set_fact: - matrix_docker_image_postgres_to_use: "{{ matrix_docker_image_postgres_v9 }}" + matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_v9 }}" when: "pg_version.startswith('9.')" - debug: - msg: "NOTE: Your setup is on an old Postgres version ({{ matrix_docker_image_postgres_to_use }}), while {{ matrix_docker_image_postgres_latest }} is supported. You can upgrade using --tags=upgrade-postgres" - when: "matrix_docker_image_postgres_to_use != matrix_docker_image_postgres_latest" + msg: "NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres" + when: "matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest" # Even if we don't run the internal server, we still need this for running the CLI - name: Ensure postgres Docker image is pulled docker_image: - name: "{{ matrix_docker_image_postgres_to_use }}" + name: "{{ matrix_postgres_docker_image_to_use }}" - name: Ensure Postgres environment variables file created template: diff --git a/roles/matrix-server/tasks/setup/setup_riot_web.yml b/roles/matrix-server/tasks/setup/setup_riot_web.yml index 58f864db..dad384c1 100644 --- a/roles/matrix-server/tasks/setup/setup_riot_web.yml +++ b/roles/matrix-server/tasks/setup/setup_riot_web.yml @@ -15,7 +15,7 @@ - name: Ensure riot-web Docker image is pulled docker_image: - name: "{{ matrix_docker_image_riot }}" + name: "{{ matrix_riot_web_docker_image }}" when: matrix_riot_web_enabled - name: Ensure Matrix riot-web configured @@ -64,6 +64,6 @@ - name: Ensure riot-web Docker image doesn't exist docker_image: - name: "{{ matrix_docker_image_riot }}" + name: "{{ matrix_riot_web_docker_image }}" state: absent when: "not matrix_riot_web_enabled" diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_telegram.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_telegram.yml index c4daaa87..2ea8bb29 100644 --- a/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_telegram.yml +++ b/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_telegram.yml @@ -2,7 +2,7 @@ - name: Ensure Mautrix Telegram image is pulled docker_image: - name: "{{ matrix_docker_image_mautrix_telegram }}" + name: "{{ matrix_mautrix_telegram_docker_image }}" when: "matrix_mautrix_telegram_enabled" - name: Ensure Mautrix Telegram configuration path exists @@ -37,7 +37,7 @@ register: mautrix_telegram_registration_file - name: Generate matrix-mautrix-telegram registration.yaml if it doesn't exist - shell: /usr/bin/docker run --rm --name matrix-mautrix-telegram-gen -v {{ matrix_mautrix_telegram_base_path }}:/data:z {{ matrix_docker_image_mautrix_telegram }} python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml + shell: /usr/bin/docker run --rm --name matrix-mautrix-telegram-gen -v {{ matrix_mautrix_telegram_base_path }}:/data:z {{ matrix_mautrix_telegram_docker_image }} python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml when: "matrix_mautrix_telegram_enabled and mautrix_telegram_registration_file.stat.exists == False" - set_fact: diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml index d323c891..eb4ed171 100644 --- a/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml +++ b/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml @@ -2,7 +2,7 @@ - name: Ensure Mautrix Whatsapp image is pulled docker_image: - name: "{{ matrix_docker_image_mautrix_whatsapp }}" + name: "{{ matrix_mautrix_whatsapp_docker_image }}" when: "matrix_mautrix_whatsapp_enabled" - name: Ensure Mautrix Whatsapp configuration path exists @@ -37,7 +37,7 @@ register: mautrix_whatsapp_registration_file - name: Generate matrix-mautrix-whatsapp registration.yaml if it doesn't exist - shell: /usr/bin/docker run --rm --name matrix-mautrix-whatsapp-gen -v {{ matrix_mautrix_whatsapp_base_path }}:/data:z {{ matrix_docker_image_mautrix_whatsapp }} /usr/bin/mautrix-whatsapp -g -c /data/config.yaml -r /data/registration.yaml + shell: /usr/bin/docker run --rm --name matrix-mautrix-whatsapp-gen -v {{ matrix_mautrix_whatsapp_base_path }}:/data:z {{ matrix_mautrix_whatsapp_docker_image }} /usr/bin/mautrix-whatsapp -g -c /data/config.yaml -r /data/registration.yaml when: "matrix_mautrix_whatsapp_enabled and mautrix_whatsapp_registration_file.stat.exists == False" - set_fact: diff --git a/roles/matrix-server/tasks/setup/setup_synapse_main.yml b/roles/matrix-server/tasks/setup/setup_synapse_main.yml index ecc93b70..e36b417a 100644 --- a/roles/matrix-server/tasks/setup/setup_synapse_main.yml +++ b/roles/matrix-server/tasks/setup/setup_synapse_main.yml @@ -24,7 +24,7 @@ - name: Ensure Matrix Docker image is pulled docker_image: - name: "{{ matrix_docker_image_synapse }}" + name: "{{ matrix_synapse_docker_image }}" - name: Check if a Matrix Synapse configuration exists stat: @@ -36,7 +36,7 @@ - name: Generate initial Matrix config docker_container: name: matrix-config - image: "{{ matrix_docker_image_synapse }}" + image: "{{ matrix_synapse_docker_image }}" detach: no cleanup: yes command: generate diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-server/tasks/upgrade_postgres.yml index 34a78b27..a18df9e1 100644 --- a/roles/matrix-server/tasks/upgrade_postgres.yml +++ b/roles/matrix-server/tasks/upgrade_postgres.yml @@ -52,16 +52,16 @@ - name: Determine Postgres version to use (default to latest) set_fact: - matrix_docker_image_postgres_to_use: "{{ matrix_docker_image_postgres_latest }}" + matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest }}" - name: Determine Postgres version to use (use 9.x, if detected) set_fact: - matrix_docker_image_postgres_to_use: "{{ matrix_docker_image_postgres_v9 }}" + matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_v9 }}" when: "pg_version.startswith('9.')" - name: Abort, if already at latest Postgres version fail: msg="You are already running the latest Postgres version supported. Nothing to do" - when: "matrix_docker_image_postgres_to_use == matrix_docker_image_postgres_latest" + when: "matrix_postgres_docker_image_to_use == matrix_postgres_docker_image_latest" - name: Ensure matrix-synapse is stopped service: name=matrix-synapse state=stopped @@ -81,7 +81,7 @@ --link matrix-postgres:postgres \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ -v {{ postgres_dump_dir }}:/out \ - {{ matrix_docker_image_postgres_to_use }} pg_dump -h postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }} + {{ matrix_postgres_docker_image_to_use }} pg_dump -h postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }} - name: Ensure matrix-postgres is stopped service: name=matrix-postgres state=stopped @@ -109,7 +109,7 @@ --link matrix-postgres:postgres \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ -v {{ postgres_dump_dir }}:/in:ro \ - {{ matrix_docker_image_postgres_latest }} psql -h postgres -f /in/{{ postgres_dump_name }} + {{ matrix_postgres_docker_image_latest }} psql -h postgres -f /in/{{ postgres_dump_name }} - name: Delete Postgres database dump file file: diff --git a/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 index e598ea21..6c9f87ec 100644 --- a/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 @@ -15,7 +15,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ -v {{ matrix_synapse_config_dir_path }}:/matrix-config:ro \ -v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \ - {{ matrix_docker_image_coturn }} \ + {{ matrix_coturn_docker_image }} \ -c /turnserver.conf ExecStop=-/usr/bin/docker kill matrix-coturn ExecStop=-/usr/bin/docker rm matrix-coturn diff --git a/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 b/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 index ef11d5c7..ea54fb94 100644 --- a/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 @@ -19,7 +19,7 @@ ExecStart=/usr/bin/docker run --rm --name %n \ -v {{ matrix_synapse_media_store_path }}:/s3:shared \ --env-file={{ matrix_environment_variables_data_path }}/goofys \ --entrypoint /bin/sh \ - {{ matrix_docker_image_goofys }} \ + {{ matrix_s3_goofys_docker_image }} \ -c 'goofys -f --storage-class=STANDARD_IA --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' TimeoutStartSec=5min ExecStop=-/usr/bin/docker stop %n diff --git a/roles/matrix-server/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-server/templates/systemd/matrix-mailer.service.j2 index c9eb040b..8b3ccf9d 100644 --- a/roles/matrix-server/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-mailer.service.j2 @@ -11,7 +11,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ --log-driver=none \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_environment_variables_data_path }}/env-mailer \ - {{ matrix_docker_image_mailer }} + {{ matrix_mailer_docker_image }} ExecStop=-/usr/bin/docker kill matrix-mailer ExecStop=-/usr/bin/docker rm matrix-mailer Restart=always diff --git a/roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 index 20a0bbc2..61f7e7f8 100644 --- a/roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -14,7 +14,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \ -e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \ --network={{ matrix_docker_network }} \ -v {{ matrix_mautrix_telegram_base_path }}:/data:z \ - {{ matrix_docker_image_mautrix_telegram }} + {{ matrix_mautrix_telegram_docker_image }} ExecStop=-/usr/bin/docker kill matrix-mautrix-telegram ExecStop=-/usr/bin/docker rm matrix-mautrix-telegram Restart=always diff --git a/roles/matrix-server/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-server/templates/systemd/matrix-mautrix-whatsapp.service.j2 index 10a78d3f..e90b7a9e 100644 --- a/roles/matrix-server/templates/systemd/matrix-mautrix-whatsapp.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-mautrix-whatsapp.service.j2 @@ -14,7 +14,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-whatsapp \ -e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \ --network={{ matrix_docker_network }} \ -v {{ matrix_mautrix_whatsapp_base_path }}:/data:z \ - {{ matrix_docker_image_mautrix_whatsapp }} + {{ matrix_mautrix_whatsapp_docker_image }} ExecStop=-/usr/bin/docker kill matrix-mautrix-whatsapp ExecStop=-/usr/bin/docker rm matrix-mautrix-whatsapp Restart=always diff --git a/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 index afbccbf0..fd4af2e1 100644 --- a/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 @@ -20,7 +20,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ {% endif %} -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ -v {{ matrix_mxisd_data_path }}:/var/mxisd \ - {{ matrix_docker_image_mxisd }} + {{ matrix_mxisd_docker_image }} ExecStop=-/usr/bin/docker kill matrix-mxisd ExecStop=-/usr/bin/docker rm matrix-mxisd Restart=always diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index a1897943..4e06d19d 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 @@ -25,7 +25,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ -v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \ -v {{ matrix_static_files_base_path }}:{{ matrix_static_files_base_path }}:ro \ - {{ matrix_docker_image_nginx }} + {{ matrix_nginx_proxy_docker_image }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy ExecStop=-/usr/bin/docker rm matrix-nginx-proxy ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload diff --git a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 index 55a00ec9..0988f61d 100644 --- a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 @@ -14,7 +14,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-server-docker \ -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \ -v /etc/passwd:/etc/passwd:ro \ - {{ matrix_docker_image_postgres_to_use }} + {{ matrix_postgres_docker_image_to_use }} ExecStop=-/usr/bin/docker stop matrix-postgres ExecStop=-/usr/bin/docker rm matrix-postgres Restart=always diff --git a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 index 36829936..3573c0d5 100644 --- a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 @@ -16,7 +16,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ {% if not matrix_nginx_proxy_enabled %} -p 127.0.0.1:8765:8765 \ {% endif %} - {{ matrix_docker_image_riot }} + {{ matrix_riot_web_docker_image }} ExecStop=-/usr/bin/docker kill matrix-riot-web ExecStop=-/usr/bin/docker rm matrix-riot-web Restart=always diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 9940fd30..78c46694 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -41,7 +41,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% for volume in matrix_synapse_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} - {{ matrix_docker_image_synapse }} + {{ matrix_synapse_docker_image }} ExecStop=-/usr/bin/docker kill matrix-synapse ExecStop=-/usr/bin/docker rm matrix-synapse Restart=always diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 index bcb5db8c..6cae5e5e 100644 --- a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 +++ b/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -5,5 +5,5 @@ docker run \ --rm \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ --network {{ matrix_docker_network }} \ - {{ matrix_docker_image_postgres_to_use }} \ + {{ matrix_postgres_docker_image_to_use }} \ psql -h {{ matrix_postgres_connection_hostname }} From 009bb1b77674e99dff110277383a5d414a66bec4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Nov 2018 09:45:48 +0200 Subject: [PATCH 0185/2384] Add support for configuring Postgres auto-upgrade-backup path --- docs/maintenance-upgrading-postgres.md | 8 +++++--- roles/matrix-server/tasks/upgrade_postgres.yml | 1 + 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/maintenance-upgrading-postgres.md b/docs/maintenance-upgrading-postgres.md index 6e6a1b3b..c41712f3 100644 --- a/docs/maintenance-upgrading-postgres.md +++ b/docs/maintenance-upgrading-postgres.md @@ -3,15 +3,17 @@ If you're not using an external Postgres server, this playbook initially installs Postgres for you. Once installed like that, this playbook attempts to preserve the Postgres version it starts with. -This is because newer Postgres versions cannot start with data generated by an older Postgres version. +This is because newer Postgres versions cannot start with data generated by older Postgres versions. An upgrade must be performed. This playbook can upgrade your existing Postgres setup with the following command: ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres -**The old Postgres data directory is backed up** (by renaming to `/matrix/postgres-auto-upgrade-backup`). -It stays around forever, until you **manually decide to delete it**. +**The old Postgres data directory is backed up** by renaming to `/matrix/postgres-auto-upgrade-backup`, by default. +To rename to a different path, pass some extra flags to the command above, like this: `--extra-vars="postgres_auto_upgrade_backup_data_path=/another/disk/matrix-postgres-before-upgrade"` + +The auto-upgrade-backup directory stays around forever, until you **manually decide to delete it**. As part of the upgrade, the database is dumped to `/tmp`, upgraded and then restored from that dump. To use a different directory, pass some extra flags to the command above, like this: `--extra-vars="postgres_dump_dir=/directory/to/dump/here"` diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-server/tasks/upgrade_postgres.yml index a18df9e1..e42353f1 100644 --- a/roles/matrix-server/tasks/upgrade_postgres.yml +++ b/roles/matrix-server/tasks/upgrade_postgres.yml @@ -12,6 +12,7 @@ - set_fact: postgres_auto_upgrade_backup_data_path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup" + when: "postgres_auto_upgrade_backup_data_path|default('') == ''" - name: Fail, if trying to upgrade external Postgres database fail: From a0a4ee526e9f06d84e226fa97e6954844d883d2e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Nov 2018 09:46:52 +0200 Subject: [PATCH 0186/2384] Fix bug in Postgres dump/import causing upgrades to fail Regression since 3fd6fd647f85c --- roles/matrix-server/tasks/upgrade_postgres.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-server/tasks/upgrade_postgres.yml index e42353f1..0b1d262b 100644 --- a/roles/matrix-server/tasks/upgrade_postgres.yml +++ b/roles/matrix-server/tasks/upgrade_postgres.yml @@ -79,10 +79,10 @@ - name: Perform Postgres database dump command: | /usr/bin/docker run --rm --name matrix-postgres-dump \ - --link matrix-postgres:postgres \ + --network={{ matrix_docker_network }} \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ -v {{ postgres_dump_dir }}:/out \ - {{ matrix_postgres_docker_image_to_use }} pg_dump -h postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }} + {{ matrix_postgres_docker_image_to_use }} pg_dump -h matrix-postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }} - name: Ensure matrix-postgres is stopped service: name=matrix-postgres state=stopped @@ -107,10 +107,10 @@ - name: Perform Postgres database import command: | /usr/bin/docker run --rm --name matrix-postgres-import \ - --link matrix-postgres:postgres \ + --network={{ matrix_docker_network }} \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ -v {{ postgres_dump_dir }}:/in:ro \ - {{ matrix_postgres_docker_image_latest }} psql -h postgres -f /in/{{ postgres_dump_name }} + {{ matrix_postgres_docker_image_latest }} psql -h matrix-postgres -f /in/{{ postgres_dump_name }} - name: Delete Postgres database dump file file: From e417ac4922131910816adfa151068dd4d4174aa1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Nov 2018 09:48:20 +0200 Subject: [PATCH 0187/2384] Add support for Postgres 11 --- CHANGELOG.md | 8 ++++++++ roles/matrix-server/defaults/main.yml | 3 ++- roles/matrix-server/tasks/setup/setup_postgres.yml | 5 +++++ roles/matrix-server/tasks/upgrade_postgres.yml | 10 +++++++++- 4 files changed, 24 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 59a6c5bd..352ec47c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # 2018-11-01 +## Postgres 11 support + +The playbook now installs [Postgres 11](https://www.postgresql.org/about/news/1894/) by default. + +If you have have an existing setup, it's likely running on an older Postgres version (9.x or 10.x). You can easily upgrade by following the [Maintenance / upgrading PostgreSQL](docs/maintenance-upgrading-postgres.md) guide. + + ## (BC Break) Renaming playbook variables Due to the large amount of features added to this playbook lately, to keep things manageable we've had to reorganize its configuration variables a bit. @@ -19,6 +26,7 @@ The following playbook variables were renamed: - from `matrix_docker_image_postgres_v10` to `matrix_postgres_docker_image_v10` - from `matrix_docker_image_postgres_latest` to `matrix_postgres_docker_image_latest` + # 2018-10-26 ## Mautrix Whatsapp bridging support diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index ca8dbd9a..44a4276f 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -146,7 +146,8 @@ matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_docker_image_v9: "postgres:9.6.10-alpine" matrix_postgres_docker_image_v10: "postgres:10.5-alpine" -matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v10 }}" +matrix_postgres_docker_image_v11: "postgres:11.0-alpine" +matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}" matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8" diff --git a/roles/matrix-server/tasks/setup/setup_postgres.yml b/roles/matrix-server/tasks/setup/setup_postgres.yml index d2666bf5..bbaebad7 100644 --- a/roles/matrix-server/tasks/setup/setup_postgres.yml +++ b/roles/matrix-server/tasks/setup/setup_postgres.yml @@ -33,6 +33,11 @@ matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_v9 }}" when: "pg_version.startswith('9.')" +- name: Determine Postgres version to use (use 10.x, if detected) + set_fact: + matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_v10 }}" + when: "pg_version == '10' or pg_version.startswith('10.')" + - debug: msg: "NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres" when: "matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest" diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-server/tasks/upgrade_postgres.yml index 0b1d262b..822bd428 100644 --- a/roles/matrix-server/tasks/upgrade_postgres.yml +++ b/roles/matrix-server/tasks/upgrade_postgres.yml @@ -60,10 +60,18 @@ matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_v9 }}" when: "pg_version.startswith('9.')" +- name: Determine Postgres version to use (use 10.x, if detected) + set_fact: + matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_v10 }}" + when: "pg_version == '10' or pg_version.startswith('10.')" + - name: Abort, if already at latest Postgres version - fail: msg="You are already running the latest Postgres version supported. Nothing to do" + fail: msg="You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do" when: "matrix_postgres_docker_image_to_use == matrix_postgres_docker_image_latest" +- debug: + msg: "Upgrading database from {{ matrix_postgres_docker_image_to_use }} to {{ matrix_postgres_docker_image_latest }}" + - name: Ensure matrix-synapse is stopped service: name=matrix-synapse state=stopped From 4c0970d31e980d63764c97ce0853e7e2d89fdfff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Nov 2018 10:11:08 +0200 Subject: [PATCH 0188/2384] Make postgres_start_wait_time (affecting upgrades) configurable This also raises the default from 5 seconds to 15 seconds. --- roles/matrix-server/tasks/upgrade_postgres.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-server/tasks/upgrade_postgres.yml index 822bd428..05cf8d54 100644 --- a/roles/matrix-server/tasks/upgrade_postgres.yml +++ b/roles/matrix-server/tasks/upgrade_postgres.yml @@ -10,10 +10,16 @@ postgres_dump_name: "matrix-postgres.out" when: "postgres_dump_name|default('') == ''" -- set_fact: +- name: Set postgres_auto_upgrade_backup_data_path, if not provided + set_fact: postgres_auto_upgrade_backup_data_path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup" when: "postgres_auto_upgrade_backup_data_path|default('') == ''" +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + - name: Fail, if trying to upgrade external Postgres database fail: msg: "Your configuration indicates that you're using an external Postgres database. Refusing to try and upgrade that." @@ -80,7 +86,7 @@ - name: Wait a bit, so that Postgres can start wait_for: - timeout: 5 + timeout: "{{ postgres_start_wait_time }}" delegate_to: 127.0.0.1 become: false @@ -108,7 +114,7 @@ - name: Wait a bit, so that Postgres can start wait_for: - timeout: 5 + timeout: "{{ postgres_start_wait_time }}" delegate_to: 127.0.0.1 become: false From 9e8f216b9bbdf30ca0769231a6646eec53cc9481 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Nov 2018 12:50:33 +0200 Subject: [PATCH 0189/2384] Upgrade Synapse (v0.33.7 -> v0.33.8) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 44a4276f..fb79b0ac 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -28,7 +28,7 @@ matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_se matrix_docker_network: "matrix" -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.33.7" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.33.8" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" From 099558bee8af36556321fefe53a1a32cd16f0243 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Nov 2018 18:20:49 +0200 Subject: [PATCH 0190/2384] Fix doc file name inconsistency (configuration -> configuring) --- CHANGELOG.md | 2 +- ...laybook-federation.md => configuring-playbook-federation.md} | 0 docs/configuring-playbook.md | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) rename docs/{configuration-playbook-federation.md => configuring-playbook-federation.md} (100%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 352ec47c..540042cd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -40,7 +40,7 @@ Additional details are available in [Setting up Mautrix Whatsapp bridging](docs/ ## Support for controlling Matrix federation -The playbook can now help you with [Controlling Matrix federation](docs/configuration-playbook-federation.md), should you wish to run a more private (isolated) server. +The playbook can now help you with [Controlling Matrix federation](docs/configuring-playbook-federation), should you wish to run a more private (isolated) server. # 2018-10-24 diff --git a/docs/configuration-playbook-federation.md b/docs/configuring-playbook-federation.md similarity index 100% rename from docs/configuration-playbook-federation.md rename to docs/configuring-playbook-federation.md diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 51ae3112..c073e2c9 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -23,7 +23,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins ## Other configuration options -- [Controlling Matrix federation](configuration-playbook-federation.md) (optional) +- [Controlling Matrix federation](configuring-playbook-federation) (optional) - [Adjusting email-sending settings](configuring-playbook-email.md) (optional) From f364e080be08f7578bd83daa570c307baa83f1c6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Nov 2018 18:21:38 +0200 Subject: [PATCH 0191/2384] Add documentation about Telemetry configuration --- docs/configuring-playbook-telemetry.md | 14 ++++++++++++++ docs/configuring-playbook.md | 2 ++ 2 files changed, 16 insertions(+) create mode 100644 docs/configuring-playbook-telemetry.md diff --git a/docs/configuring-playbook-telemetry.md b/docs/configuring-playbook-telemetry.md new file mode 100644 index 00000000..cd63f0ca --- /dev/null +++ b/docs/configuring-playbook-telemetry.md @@ -0,0 +1,14 @@ +# Enabling Telemetry for your Matrix server + +By default, this playbook configures your Matrix homeserver to not send any telemetry data anywhere. + +The [matrix.org](https://matrix.org) team would really appreciate it if you could help the project out by reporting +anonymized usage statistics from your homeserver. Only very basic aggregate +data (e.g. number of users) will be reported, but it helps track the +growth of the Matrix community, and helps to make Matrix a success. + +If you'd like to **help by enabling submission of anonymized usage statistics** for your homeserver, add this to your configuration file (`inventory/matrix./vars.yml`): + +```yaml +matrix_synapse_report_stats: true +``` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index c073e2c9..c15b608e 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -23,6 +23,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins ## Other configuration options +- [Enabling Telemetry for your Matrix server](configuring-playbook-telemetry.md) (optional) + - [Controlling Matrix federation](configuring-playbook-federation) (optional) - [Adjusting email-sending settings](configuring-playbook-email.md) (optional) From 3bccec63b482e7cd6f75786d9c3d40917847c2e8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Nov 2018 18:40:45 +0200 Subject: [PATCH 0192/2384] Add details about the telemetry data that gets sent (if enabled) --- docs/configuring-playbook-telemetry.md | 34 ++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-telemetry.md b/docs/configuring-playbook-telemetry.md index cd63f0ca..1b794d9c 100644 --- a/docs/configuring-playbook-telemetry.md +++ b/docs/configuring-playbook-telemetry.md @@ -3,12 +3,42 @@ By default, this playbook configures your Matrix homeserver to not send any telemetry data anywhere. The [matrix.org](https://matrix.org) team would really appreciate it if you could help the project out by reporting -anonymized usage statistics from your homeserver. Only very basic aggregate -data (e.g. number of users) will be reported, but it helps track the +anonymized usage statistics from your homeserver. Only very [basic aggregate +data](#usage-statistics-being-submitted) (e.g. number of users) will be reported, but it helps track the growth of the Matrix community, and helps to make Matrix a success. + +## Enabling Telemetry + If you'd like to **help by enabling submission of anonymized usage statistics** for your homeserver, add this to your configuration file (`inventory/matrix./vars.yml`): ```yaml matrix_synapse_report_stats: true ``` + + +## Usage statistics being submitted + +If statistics reporting is enabled, the information that gets submitted to the matrix.org team [according to the source code](https://github.com/matrix-org/synapse/blob/master/synapse/app/homeserver.py) is: + +- your homeserver's domain name + +- uptime of the homeserver program + +- [Python](https://www.python.org/) version powering your homeserver + +- total number of users on your home server (including bridged users) + +- total number of native Matrix users on your home server + +- total number of rooms on your homeserver + +- total number of daily active users on your homeserver + +- total number of daily active rooms on your homeserver + +- total number of messages sent per day + +- cache setting information + +- CPU and memory statistics for the homeserver program \ No newline at end of file From 3254a4d161021a3204b44cb4e75d1ff507bc5de5 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Thu, 1 Nov 2018 22:14:09 -0500 Subject: [PATCH 0193/2384] Disable TLS 1.0 and enable TLS 1.3 --- .../templates/nginx-conf.d/matrix-riot-web.conf.j2 | 2 +- .../matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index 9347f02e..aabc6164 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -35,7 +35,7 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/privkey.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 03ec51a1..79815a07 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -35,7 +35,7 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/privkey.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; From ebab95c9ec0aa226e8c85778fb413637b5f1b1cc Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Nov 2018 18:20:05 -0500 Subject: [PATCH 0194/2384] Add new variable matrix_nginx_proxy_ssl_protocols --- CHANGELOG.md | 11 +++++++++++ roles/matrix-server/defaults/main.yml | 5 +++++ .../templates/nginx-conf.d/matrix-riot-web.conf.j2 | 2 +- .../templates/nginx-conf.d/matrix-synapse.conf.j2 | 2 +- 4 files changed, 18 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 540042cd..f987c884 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2018-11-03 + +## SSL protocols used to serve Riot and Synapse + +There's now a new `matrix_nginx_proxy_ssl_protocols` playbook variable, which controls the SSL protocols used to serve Riot and Synapse. It's default value is `TLSv1.1 TLSv1.2`. This playbook previously used `TLSv1 TLSv1.1 TLSv1.2` to serve Riot and Synapse. + +You may wish to reenable TLSv1 if you need to access Riot in older browsers. + +Note: Currently the dockerized nginx doesn't support TLSv1.3. See https://github.com/nginxinc/docker-nginx/issues/190 for more details. + + # 2018-11-01 ## Postgres 11 support diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index fb79b0ac..9ab03872 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -294,6 +294,11 @@ matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008" # a new SSL certificate could go into effect. matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" +# Specifies which SSL protocols to use when serving Riot and Synapse +# Note TLSv1.3 is not yet available in dockerized nginx +# See: https://github.com/nginxinc/docker-nginx/issues/190 +matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" + matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index aabc6164..eaa87440 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -35,7 +35,7 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/privkey.pem; - ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 79815a07..096249e0 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -35,7 +35,7 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/privkey.pem; - ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; From ef2e330d2247035bb8f49459b2384fe731a123f5 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Nov 2018 20:14:03 -0500 Subject: [PATCH 0195/2384] Allow a few parts of Riot config.json to be configured (#24) --- CHANGELOG.md | 25 +++++++++++++++++++ roles/matrix-server/defaults/main.yml | 8 ++++++ .../templates/riot-web/config.json.j2 | 12 +++++---- 3 files changed, 40 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 540042cd..2a3a3672 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,28 @@ +# 2018-11-03 + +## Customize parts of Riot's config + +You can now customize some parts of Riot's `config.json`. These playbook variables, with these default values, have been added: + +``` +matrix_riot_web_disable_custom_urls: true +matrix_riot_web_disable_guests: true +matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/" +matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api" +matrix_riot_web_integrations_widgets_urls: "https://scalar.vector.im/api" +matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" +``` + +This now allows you use a custom integrations manager like [Dimesion](https://dimension.t2bot.io). For example, if you wish to use the Dimension instance hosted at dimension.t2bot.io, you can set the following in your vars.yml file: + +``` +matrix_riot_web_integrations_ui_url: "https://dimension.t2bot.io/riot" +matrix_riot_web_integrations_rest_url: "https://dimension.t2bot.io/api/v1/scalar" +matrix_riot_web_integrations_widgets_urls: "https://dimension.t2bot.io/widgets" +matrix_riot_web_integrations_jitsi_widget_url: "https://dimension.t2bot.io/widgets/jitsi" +``` + + # 2018-11-01 ## Postgres 11 support diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index fb79b0ac..982c3df5 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -247,6 +247,14 @@ matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.3" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" +# Riot config.json customizations +matrix_riot_web_disable_custom_urls: true +matrix_riot_web_disable_guests: true +matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/" +matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api" +matrix_riot_web_integrations_widgets_urls: "https://scalar.vector.im/api" +matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" + # Matrix mautrix is a Matrix <-> Telegram bridge diff --git a/roles/matrix-server/templates/riot-web/config.json.j2 b/roles/matrix-server/templates/riot-web/config.json.j2 index 37d62f8d..98939986 100644 --- a/roles/matrix-server/templates/riot-web/config.json.j2 +++ b/roles/matrix-server/templates/riot-web/config.json.j2 @@ -1,11 +1,13 @@ { "default_hs_url": "{{ matrix_homeserver_url }}", "default_is_url": "{{ matrix_identity_server_url }}", - "disable_custom_urls": true, - "disable_guests": true, + "disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|lower }}, + "disable_guests": {{ matrix_riot_web_disable_guests|lower }}, "brand": "Riot", - "integrations_ui_url": "https://scalar.vector.im/", - "integrations_rest_url": "https://scalar.vector.im/api", + "integrations_ui_url": "{{ matrix_riot_web_integrations_ui_url }}", + "integrations_rest_url": "{{ matrix_riot_web_integrations_rest_url }}", + "integrations_widgets_urls": "{{ matrix_riot_web_integrations_widgets_urls }}", + "integrations_jitsi_widget_url": "{{ matrix_riot_web_integrations_jitsi_widget_url }}", "bug_report_endpoint_url": "https://riot.im/bugreports/submit", "enableLabs": true, "roomDirectory": { @@ -14,4 +16,4 @@ ] }, "welcomeUserId": "@riot-bot:matrix.org" -} \ No newline at end of file +} From ec316afdc1866d37f8ce56cc243d872f9167cb26 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 3 Nov 2018 10:15:54 +0200 Subject: [PATCH 0196/2384] Fix typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f987c884..891071cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## SSL protocols used to serve Riot and Synapse -There's now a new `matrix_nginx_proxy_ssl_protocols` playbook variable, which controls the SSL protocols used to serve Riot and Synapse. It's default value is `TLSv1.1 TLSv1.2`. This playbook previously used `TLSv1 TLSv1.1 TLSv1.2` to serve Riot and Synapse. +There's now a new `matrix_nginx_proxy_ssl_protocols` playbook variable, which controls the SSL protocols used to serve Riot and Synapse. Its default value is `TLSv1.1 TLSv1.2`. This playbook previously used `TLSv1 TLSv1.1 TLSv1.2` to serve Riot and Synapse. You may wish to reenable TLSv1 if you need to access Riot in older browsers. From 20bba449c44115a09e6e128822e952f53fffe87f Mon Sep 17 00:00:00 2001 From: TheForcer <25257144+TheForcer@users.noreply.github.com> Date: Sun, 4 Nov 2018 00:30:17 +0100 Subject: [PATCH 0197/2384] Updated "Controlling Matrix federation" link Missing file ending results in 404 --- docs/configuring-playbook.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index c15b608e..54aef726 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -25,7 +25,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Enabling Telemetry for your Matrix server](configuring-playbook-telemetry.md) (optional) -- [Controlling Matrix federation](configuring-playbook-federation) (optional) +- [Controlling Matrix federation](configuring-playbook-federation.md) (optional) - [Adjusting email-sending settings](configuring-playbook-email.md) (optional) @@ -45,4 +45,4 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Telegram bridging](configuring-playbook-bridge-mautrix-telegram.md) (optional) -- [Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md) (optional) \ No newline at end of file +- [Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md) (optional) From 19257677c583162a08694b14997fc9e7a8ba31ed Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 10 Nov 2018 10:41:10 +0200 Subject: [PATCH 0198/2384] Update dependencies --- roles/matrix-server/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 59a21336..c903eb5f 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -146,7 +146,7 @@ matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_docker_image_v9: "postgres:9.6.10-alpine" matrix_postgres_docker_image_v10: "postgres:10.5-alpine" -matrix_postgres_docker_image_v11: "postgres:11.0-alpine" +matrix_postgres_docker_image_v11: "postgres:11.1-alpine" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}" @@ -288,7 +288,7 @@ matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp # and take care of proxying by yourself. matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_docker_image: "nginx:1.15.5-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.15.6-alpine" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" @@ -312,7 +312,7 @@ matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" matrix_ssl_support_email: "{{ host_specific_matrix_ssl_support_email }}" -matrix_ssl_certbot_docker_image: "certbot/certbot:v0.27.1" +matrix_ssl_certbot_docker_image: "certbot/certbot:v0.28.0" matrix_ssl_certbot_standalone_http_port: 2402 matrix_ssl_use_staging: false From 12c4591a58d73cebb1413c0f32f4bf46eaac5d73 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 12 Nov 2018 08:32:13 +0200 Subject: [PATCH 0199/2384] Update mxisd --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index c903eb5f..55768c40 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -194,7 +194,7 @@ matrix_mailer_relay_auth_password: "" # If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own, # you may wish to disable this. matrix_mxisd_enabled: true -matrix_mxisd_docker_image: "kamax/mxisd:1.1.1" +matrix_mxisd_docker_image: "kamax/mxisd:1.2.0" matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" From a1609ce6e42f3fdfe012a2d2bb62a80e70dfa7d3 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Mon, 12 Nov 2018 19:11:47 -0600 Subject: [PATCH 0200/2384] Link to the restoring media store guide It isn't below anymore --- docs/importing-sqlite.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/importing-sqlite.md b/docs/importing-sqlite.md index 1ae66623..f7aa4c01 100644 --- a/docs/importing-sqlite.md +++ b/docs/importing-sqlite.md @@ -1,7 +1,7 @@ # Importing an existing SQLite database from another installation (optional) Run this if you'd like to import your database from a previous default installation of Matrix Synapse. -(don't forget to import your `media_store` files as well - see below). +(don't forget to import your `media_store` files as well - see [the restoring media store guide](restoring-media-store.md)). While this playbook always sets up PostgreSQL, by default a Matrix Synapse installation would run using an SQLite database. @@ -12,4 +12,4 @@ Run this command (make sure to replace `` with a fi ansible-playbook -i inventory/hosts setup.yml --extra-vars='local_path_homeserver_db=' --tags=import-sqlite-db -**Note**: `` must be a file path to a `homeserver.db` file on your local machine (not on the server!). This file is copied to the server and imported. \ No newline at end of file +**Note**: `` must be a file path to a `homeserver.db` file on your local machine (not on the server!). This file is copied to the server and imported. From ddec99b89974cc470ae5dd2a4ddef6a9c4b7581c Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 14 Nov 2018 13:39:52 -0600 Subject: [PATCH 0201/2384] Allow Synapse log levels to be configured (#23) --- CHANGELOG.md | 14 ++++++++++++++ roles/matrix-server/defaults/main.yml | 8 ++++++++ .../templates/synapse/synapse.log.config.j2 | 6 +++--- 3 files changed, 25 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d9c33ca9..f13d6a68 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,17 @@ +# 2018-11-14 + +## Ability to set Synapse log levels + +The playbook now allows you to set the log levels used by Synapse. The default logging levels remain the same. + +You can now override following variables with any of the supported log levels listed here: https://docs.python.org/3/library/logging.html#logging-levels + +``` +matrix_synapse_log_level: "INFO" +matrix_synapse_storage_sql_log_level: "INFO" +matrix_synapse_root_log_level: "INFO" +``` + # 2018-11-03 ## Customize parts of Riot's config diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 55768c40..fef3b0e0 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -63,6 +63,14 @@ matrix_synapse_max_upload_size_mb: 10 matrix_synapse_max_log_file_size_mb: 100 matrix_synapse_max_log_files_count: 10 +# Log levels +# Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels +# warning: setting log level to DEBUG will make synapse log sensitive information such +# as access tokens +matrix_synapse_log_level: "INFO" +matrix_synapse_storage_sql_log_level: "INFO" +matrix_synapse_root_log_level: "INFO" + # Rate limits matrix_synapse_rc_messages_per_second: 0.2 matrix_synapse_rc_message_burst_count: 10.0 diff --git a/roles/matrix-server/templates/synapse/synapse.log.config.j2 b/roles/matrix-server/templates/synapse/synapse.log.config.j2 index 2cd6ea57..b551047c 100644 --- a/roles/matrix-server/templates/synapse/synapse.log.config.j2 +++ b/roles/matrix-server/templates/synapse/synapse.log.config.j2 @@ -25,12 +25,12 @@ handlers: loggers: synapse: - level: INFO + level: {{ matrix_synapse_log_level }} synapse.storage.SQL: # beware: increasing this to DEBUG will make synapse log sensitive # information such as access tokens. - level: INFO + level: {{ matrix_synapse_storage_sql_log_level }} {% for logger in matrix_synapse_additional_loggers %} {{ logger.name }}: @@ -38,5 +38,5 @@ loggers: {% endfor %} root: - level: INFO + level: {{ matrix_synapse_root_log_level }} handlers: [file, console] From d260b17508cb6be3cf89dcdce4063a67503419f0 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 14 Nov 2018 14:34:24 -0600 Subject: [PATCH 0202/2384] Add initial version of maintenance and troubleshooting doc --- docs/README.md | 4 +++- docs/maintenance-and-troubleshooting.md | 23 +++++++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 docs/maintenance-and-troubleshooting.md diff --git a/docs/README.md b/docs/README.md index ffa6a1bb..53ac5398 100644 --- a/docs/README.md +++ b/docs/README.md @@ -18,4 +18,6 @@ - [Maintenance / upgrading PostgreSQL](maintenance-upgrading-postgres.md) -- [Uninstalling](uninstalling.md) \ No newline at end of file +- [Maintenance and Troubleshooting](maintenance-and-troubleshooting.md) + +- [Uninstalling](uninstalling.md) diff --git a/docs/maintenance-and-troubleshooting.md b/docs/maintenance-and-troubleshooting.md new file mode 100644 index 00000000..9ef9d70b --- /dev/null +++ b/docs/maintenance-and-troubleshooting.md @@ -0,0 +1,23 @@ +# Maintenance and Troubleshooting + +## How to see the current status of your services + +You can check the status of your services by using `systemctl status`. Example: +``` +sudo systemctl status matrix-nginx-proxy + +● matrix-nginx-proxy.service - Matrix nginx proxy server + Loaded: loaded (/etc/systemd/system/matrix-nginx-proxy.service; enabled; vendor preset: enabled) + Active: active (running) since Wed 2018-11-14 19:38:35 UTC; 49min ago +``` + +You can see the logs by using journalctl. Example: +``` +sudo journalctl -fu matrix-synapse +``` + +## Postgres + +You can access the Postgres command line interface using the script installed on your server at `/usr/local/bin/matrix-postgres-cli`. + +This playbook attempts to preserve the Postgres version it starts with. When you are ready to upgrade to a new Postgres version, read through the [guide for upgrading PostgreSQL](maintenance-upgrading-postgres.md). From 5a2069fa6351293dd33502a91ffc16626ef245f9 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 16 Nov 2018 15:48:49 -0600 Subject: [PATCH 0203/2384] Fix well known self check --- roles/matrix-server/tasks/self_check/self_check_well_known.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/tasks/self_check/self_check_well_known.yml b/roles/matrix-server/tasks/self_check/self_check_well_known.yml index 2da47a45..96c3724e 100644 --- a/roles/matrix-server/tasks/self_check/self_check_well_known.yml +++ b/roles/matrix-server/tasks/self_check/self_check_well_known.yml @@ -2,7 +2,7 @@ - set_fact: well_known_url_matrix: "https://{{ hostname_matrix }}/.well-known/matrix/client" - well_known_url_identity: "https://{{ hostname_matrix }}/.well-known/matrix/client" + well_known_url_identity: "https://{{ hostname_identity }}/.well-known/matrix/client" - name: Check .well-known on the matrix hostname From 3cb3f17a90026d493737cefa85c518daa028d767 Mon Sep 17 00:00:00 2001 From: anadahz Date: Sun, 18 Nov 2018 02:00:08 +0000 Subject: [PATCH 0204/2384] Add more configured options for riot-web and homeserver. --- examples/host-vars.yml | 12 ++++++++++++ .../templates/riot-web/config.json.j2 | 14 ++++++++++++++ .../templates/synapse/homeserver.yaml.j2 | 11 +++++++++++ 3 files changed, 37 insertions(+) diff --git a/examples/host-vars.yml b/examples/host-vars.yml index d0d1a41e..14f4b9a1 100644 --- a/examples/host-vars.yml +++ b/examples/host-vars.yml @@ -26,3 +26,15 @@ matrix_coturn_turn_static_auth_secret: "" # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_synapse_macaroon_secret_key: "" +# Set autojoin room(s) +# Users who register on this homeserver will automatically be joined to these rooms +matrix_autojoin_rooms: ['#room:server.tld'] + +# Enable registrations, disabled by default. +matrix_enable_reg: true + +# Disable Riot welcome bot, default enabled +riot_welcome_bot: false + +# Riot public room directory server +riot_roomdir_servers: ['server.tld'] diff --git a/roles/matrix-server/templates/riot-web/config.json.j2 b/roles/matrix-server/templates/riot-web/config.json.j2 index 98939986..52004cbc 100644 --- a/roles/matrix-server/templates/riot-web/config.json.j2 +++ b/roles/matrix-server/templates/riot-web/config.json.j2 @@ -10,10 +10,24 @@ "integrations_jitsi_widget_url": "{{ matrix_riot_web_integrations_jitsi_widget_url }}", "bug_report_endpoint_url": "https://riot.im/bugreports/submit", "enableLabs": true, +{% if riot_roomdir_servers is defined %} +{% for server in riot_roomdir_servers %} + "roomDirectory": { + "servers": [ + "{{ server }}" + ] + }, +{% endfor %} +{% else %} "roomDirectory": { "servers": [ "matrix.org" ] +{% endif %} +{% if riot_welcome_bot|default(true)|bool %} }, "welcomeUserId": "@riot-bot:matrix.org" +{% else %} + } +{% endif %} } diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 90bd2120..ceefad03 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -432,7 +432,11 @@ turn_allow_guests: False ## Registration ## # Enable registration for new users. +{% if matrix_enable_reg|default(false)|bool %} +enable_registration: True +{% else %} enable_registration: False +{% endif %} # The user must provide all of the below types of 3PID when registering. # @@ -476,9 +480,16 @@ trusted_third_party_id_servers: # Users who register on this homeserver will automatically be joined # to these rooms +{% if matrix_autojoin_rooms is defined %} +{% for room in matrix_autojoin_rooms %} +auto_join_rooms: + - "{{ room }}" +{% endfor %} +{% else %} #auto_join_rooms: # - "#example:example.com" +{% endif %} ## Metrics ### From 0e02dbd569aa7faa34b6a4f7cdc162db2fb2a5bf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 20 Nov 2018 09:02:12 +0200 Subject: [PATCH 0205/2384] Update dependencies --- roles/matrix-server/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index fef3b0e0..bf07d289 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -28,7 +28,7 @@ matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_se matrix_docker_network: "matrix" -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.33.8" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.33.9" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" @@ -63,9 +63,9 @@ matrix_synapse_max_upload_size_mb: 10 matrix_synapse_max_log_file_size_mb: 100 matrix_synapse_max_log_files_count: 10 -# Log levels +# Log levels # Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels -# warning: setting log level to DEBUG will make synapse log sensitive information such +# warning: setting log level to DEBUG will make synapse log sensitive information such # as access tokens matrix_synapse_log_level: "INFO" matrix_synapse_storage_sql_log_level: "INFO" @@ -251,7 +251,7 @@ matrix_corporal_debug: false # you may wish to disable this. matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.3" +matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.6" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From d13aa7316ed9d9d92098e5b2eb60682435fd2a21 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Tue, 20 Nov 2018 20:15:26 -0600 Subject: [PATCH 0206/2384] Remove riot.im from list of trusted identity servers This brings the list in line with the new default as of https://github.com/matrix-org/synapse/pull/4207 --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index bf07d289..120189fd 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -50,7 +50,7 @@ matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_ke matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" # These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled -matrix_synapse_id_servers_public: ['vector.im', 'riot.im', 'matrix.org'] +matrix_synapse_id_servers_public: ['vector.im', 'matrix.org'] # These are the identity servers that would be trusted by Synapse if mxisd IS enabled matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']" From 792bed3f5ab777c7d1ffc43b7f23a91add5897db Mon Sep 17 00:00:00 2001 From: anadahz Date: Fri, 23 Nov 2018 00:42:54 +0000 Subject: [PATCH 0207/2384] Fix add/config based on comments by @spantaleev --- examples/host-vars.yml | 13 ------------- roles/matrix-server/defaults/main.yml | 11 +++++++++++ .../templates/riot-web/config.json.j2 | 18 +++--------------- .../templates/synapse/homeserver.yaml.j2 | 18 ++++-------------- 4 files changed, 18 insertions(+), 42 deletions(-) diff --git a/examples/host-vars.yml b/examples/host-vars.yml index 14f4b9a1..80a4c13e 100644 --- a/examples/host-vars.yml +++ b/examples/host-vars.yml @@ -25,16 +25,3 @@ matrix_coturn_turn_static_auth_secret: "" # A secret used to protect access keys issued by the server. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_synapse_macaroon_secret_key: "" - -# Set autojoin room(s) -# Users who register on this homeserver will automatically be joined to these rooms -matrix_autojoin_rooms: ['#room:server.tld'] - -# Enable registrations, disabled by default. -matrix_enable_reg: true - -# Disable Riot welcome bot, default enabled -riot_welcome_bot: false - -# Riot public room directory server -riot_roomdir_servers: ['server.tld'] diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index fef3b0e0..220d997e 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -84,6 +84,10 @@ matrix_synapse_report_stats: false # disabling this will decrease server load significantly. matrix_synapse_use_presence: true +# Set autojoin room(s) +# Users who register on this homeserver will automatically be joined to these rooms +matrix_synapse_autojoin_rooms: [] + # Controls password-peppering for Matrix Synapse. Not to be changed after initial setup. matrix_synapse_password_config_pepper: "" @@ -142,6 +146,9 @@ matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://r matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" +# Enable registration to new users. +matrix_homeserver_enable_registration: false + # The defaults below cause a postgres server to be configured (running within a container). # Using an external server is possible by tweaking all of the parameters below. matrix_postgres_use_external: false @@ -262,6 +269,10 @@ matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/" matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api" matrix_riot_web_integrations_widgets_urls: "https://scalar.vector.im/api" matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" +# Riot public room directory server(s) +matrix_riot_web_roomdir_servers: ['matrix.org'] +# Uncomment to enable default riot user bot +matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" diff --git a/roles/matrix-server/templates/riot-web/config.json.j2 b/roles/matrix-server/templates/riot-web/config.json.j2 index 52004cbc..7218271f 100644 --- a/roles/matrix-server/templates/riot-web/config.json.j2 +++ b/roles/matrix-server/templates/riot-web/config.json.j2 @@ -10,23 +10,11 @@ "integrations_jitsi_widget_url": "{{ matrix_riot_web_integrations_jitsi_widget_url }}", "bug_report_endpoint_url": "https://riot.im/bugreports/submit", "enableLabs": true, -{% if riot_roomdir_servers is defined %} -{% for server in riot_roomdir_servers %} "roomDirectory": { - "servers": [ - "{{ server }}" - ] + "servers": {{ matrix_riot_web_roomdir_servers|to_nice_yaml }} +{% if matrix_riot_web_welcome_user_id %} }, -{% endfor %} -{% else %} - "roomDirectory": { - "servers": [ - "matrix.org" - ] -{% endif %} -{% if riot_welcome_bot|default(true)|bool %} - }, - "welcomeUserId": "@riot-bot:matrix.org" + "welcomeUserId": "{{ matrix_riot_web_welcome_user_id }}" {% else %} } {% endif %} diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index ceefad03..49fa2c96 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -432,11 +432,7 @@ turn_allow_guests: False ## Registration ## # Enable registration for new users. -{% if matrix_enable_reg|default(false)|bool %} -enable_registration: True -{% else %} -enable_registration: False -{% endif %} +enable_registration: {{ matrix_homeserver_enable_registration|capitalize }} # The user must provide all of the below types of 3PID when registering. # @@ -478,17 +474,11 @@ trusted_third_party_id_servers: - {{ server }} {% endfor %} -# Users who register on this homeserver will automatically be joined -# to these rooms -{% if matrix_autojoin_rooms is defined %} -{% for room in matrix_autojoin_rooms %} -auto_join_rooms: - - "{{ room }}" -{% endfor %} -{% else %} +# Users who register on this homeserver will automatically be joined to these rooms +{% if matrix_synapse_autojoin_rooms|length >0 %} #auto_join_rooms: # - "#example:example.com" - +auto_join_rooms: {{ matrix_synapse_autojoin_rooms|to_yaml }} {% endif %} ## Metrics ### From bc15db3316c2102d3e52f4491405467f08dd9f11 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 23 Nov 2018 11:00:08 +0200 Subject: [PATCH 0208/2384] Fix a few minor things for consistency Trying to: - stay closer to naming in Synapse (autojoin -> auto_join) - not create new variable namespaces (`matrix_homeserver_`), when existing ones (`matrix_synapse_`) are more suitable - allow `null` (`~`) values for `matrix_riot_web_welcome_user_id` - render things like `auto_join_rooms` in `homeserver.yaml` more prettily - fix breakage in `config.json` where `matrix_riot_web_roomdir_servers` was rendered as YAML and not as JSON - simplify code (especially in riot-web's `config.json`), which used `if` statements that could have been omitted - avoid changing comments in `homeserver.yaml` which are not ours, so that we can keep closer to the configuration file generated by upstream --- roles/matrix-server/defaults/main.yml | 13 ++++++------- .../matrix-server/templates/riot-web/config.json.j2 | 8 ++------ .../templates/synapse/homeserver.yaml.j2 | 10 ++++++---- 3 files changed, 14 insertions(+), 17 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 6d1d5888..080470d8 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -84,9 +84,12 @@ matrix_synapse_report_stats: false # disabling this will decrease server load significantly. matrix_synapse_use_presence: true -# Set autojoin room(s) -# Users who register on this homeserver will automatically be joined to these rooms -matrix_synapse_autojoin_rooms: [] +# Controls whether people with access to the homeserver can register by themselves. +matrix_synapse_enable_registration: false + +# Users who register on this homeserver will automatically be joined to these rooms. +# Rooms are to be specified using addresses (e.g. `#address:example.com`) +matrix_synapse_auto_join_rooms: [] # Controls password-peppering for Matrix Synapse. Not to be changed after initial setup. matrix_synapse_password_config_pepper: "" @@ -146,9 +149,6 @@ matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://r matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" -# Enable registration to new users. -matrix_homeserver_enable_registration: false - # The defaults below cause a postgres server to be configured (running within a container). # Using an external server is possible by tweaking all of the parameters below. matrix_postgres_use_external: false @@ -271,7 +271,6 @@ matrix_riot_web_integrations_widgets_urls: "https://scalar.vector.im/api" matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" # Riot public room directory server(s) matrix_riot_web_roomdir_servers: ['matrix.org'] -# Uncomment to enable default riot user bot matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" diff --git a/roles/matrix-server/templates/riot-web/config.json.j2 b/roles/matrix-server/templates/riot-web/config.json.j2 index 7218271f..6a979912 100644 --- a/roles/matrix-server/templates/riot-web/config.json.j2 +++ b/roles/matrix-server/templates/riot-web/config.json.j2 @@ -11,11 +11,7 @@ "bug_report_endpoint_url": "https://riot.im/bugreports/submit", "enableLabs": true, "roomDirectory": { - "servers": {{ matrix_riot_web_roomdir_servers|to_nice_yaml }} -{% if matrix_riot_web_welcome_user_id %} + "servers": {{ matrix_riot_web_roomdir_servers|to_json }} }, - "welcomeUserId": "{{ matrix_riot_web_welcome_user_id }}" -{% else %} - } -{% endif %} + "welcomeUserId": {{ matrix_riot_web_welcome_user_id|to_json }} } diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 49fa2c96..bc2622f8 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -432,7 +432,7 @@ turn_allow_guests: False ## Registration ## # Enable registration for new users. -enable_registration: {{ matrix_homeserver_enable_registration|capitalize }} +enable_registration: {{ matrix_synapse_enable_registration }} # The user must provide all of the below types of 3PID when registering. # @@ -474,11 +474,13 @@ trusted_third_party_id_servers: - {{ server }} {% endfor %} -# Users who register on this homeserver will automatically be joined to these rooms -{% if matrix_synapse_autojoin_rooms|length >0 %} +# Users who register on this homeserver will automatically be joined +# to these rooms #auto_join_rooms: # - "#example:example.com" -auto_join_rooms: {{ matrix_synapse_autojoin_rooms|to_yaml }} +{% if matrix_synapse_auto_join_rooms|length > 0 %} +auto_join_rooms: +{{ matrix_synapse_auto_join_rooms|to_nice_yaml }} {% endif %} ## Metrics ### From a454feb5df58d9eb9ee78020f9925ae7077c5005 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 23 Nov 2018 11:07:22 +0200 Subject: [PATCH 0209/2384] Render trusted_third_party_id_servers more prettily --- roles/matrix-server/templates/synapse/homeserver.yaml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index bc2622f8..3c726be9 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -469,10 +469,10 @@ allow_guest_access: False # The list of identity servers trusted to verify third party # identifiers by this server. +{% if matrix_synapse_trusted_third_party_id_servers|length > 0 %} trusted_third_party_id_servers: -{% for server in matrix_synapse_trusted_third_party_id_servers %} - - {{ server }} -{% endfor %} +{{ matrix_synapse_trusted_third_party_id_servers|to_nice_yaml }} +{% endif %} # Users who register on this homeserver will automatically be joined # to these rooms From de91293d0d79f05b95301d2b748cad91855cb8d7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 23 Nov 2018 11:16:00 +0200 Subject: [PATCH 0210/2384] Update homeserver.yaml with new options and comments from upstream --- .../templates/synapse/homeserver.yaml.j2 | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 3c726be9..be894e73 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -483,6 +483,15 @@ auto_join_rooms: {{ matrix_synapse_auto_join_rooms|to_nice_yaml }} {% endif %} +# Where auto_join_rooms are specified, setting this flag ensures that the +# the rooms exist by creating them when the first user on the +# homeserver registers. +# Setting to false means that if the rooms are not manually created, +# users cannot be auto-joined since they do not exist. +autocreate_auto_join_rooms: true + + + ## Metrics ### # Enable collection and rendering of performance metrics @@ -712,6 +721,14 @@ enable_group_creation: false # until the user consents to the privacy policy. The value of the setting is # used as the text of the error. # +# 'require_at_registration', if enabled, will add a step to the registration +# process, similar to how captcha works. Users will be required to accept the +# policy before their account is created. +# +# 'policy_name' is the display name of the policy users will see when registering +# for an account. Has no effect unless `require_at_registration` is enabled. +# Defaults to "Privacy Policy". +# # user_consent: # template_dir: res/templates/privacy # version: 1.0 @@ -724,6 +741,8 @@ enable_group_creation: false # block_events_error: >- # To continue using this homeserver you must review and agree to the # terms and conditions at %(consent_uri)s +# require_at_registration: False +# policy_name: Privacy Policy # @@ -745,3 +764,19 @@ enable_group_creation: false # system_mxid_display_name: "Server Notices" # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" # room_name: "Server Notices" + + + +# The `alias_creation` option controls who's allowed to create aliases +# on this server. +# +# The format of this option is a list of rules that contain globs that +# match against user_id and the new alias (fully qualified with server +# name). The action in the first rule that matches is taken, which can +# currently either be "allow" or "deny". +# +# If no rules match the request is denied. +alias_creation_rules: + - user_id: "*" + alias: "*" + action: allow \ No newline at end of file From 5b70ec67a42cd00dc74460ab2028fb3ae4da14b9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 23 Nov 2018 11:16:40 +0200 Subject: [PATCH 0211/2384] Add support for controlling Synapse's autocreate_auto_join_rooms --- roles/matrix-server/defaults/main.yml | 4 ++++ roles/matrix-server/templates/synapse/homeserver.yaml.j2 | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 080470d8..c1701a60 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -91,6 +91,10 @@ matrix_synapse_enable_registration: false # Rooms are to be specified using addresses (e.g. `#address:example.com`) matrix_synapse_auto_join_rooms: [] +# Controls whether auto-join rooms (`matrix_synapse_auto_join_rooms`) are to be created +# automatically if they don't already exist. +matrix_synapse_autocreate_auto_join_rooms: true + # Controls password-peppering for Matrix Synapse. Not to be changed after initial setup. matrix_synapse_password_config_pepper: "" diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index be894e73..67b9c966 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -488,7 +488,7 @@ auto_join_rooms: # homeserver registers. # Setting to false means that if the rooms are not manually created, # users cannot be auto-joined since they do not exist. -autocreate_auto_join_rooms: true +autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms }} From 2d3f5b21f776f014585ece283499e9c4d3575536 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 23 Nov 2018 11:21:30 +0200 Subject: [PATCH 0212/2384] Update changelog --- CHANGELOG.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f13d6a68..d961c651 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,18 @@ +# 2018-11-23 + +## Support for controlling public registration and room auto-join + +The playbook now lets you enable public registration for users (controlled via `matrix_synapse_enable_registration`). +By default, public registration is forbidden. + +You can also make people automatically get auto-joined to rooms (controlled via `matrix_synapse_auto_join_rooms`). + +## Support for changing the welcome user id (welcome bot) + +By default, `@riot-bot:matrix.org` is used to welcome newly registered users. +This can be changed to something else (or disabled) via the new `matrix_riot_web_welcome_user_id` variable. + + # 2018-11-14 ## Ability to set Synapse log levels @@ -12,6 +27,7 @@ matrix_synapse_storage_sql_log_level: "INFO" matrix_synapse_root_log_level: "INFO" ``` + # 2018-11-03 ## Customize parts of Riot's config From 46bc2a4412334c8043cd08eadc55d48ab94ec134 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 23 Nov 2018 13:23:01 +0200 Subject: [PATCH 0213/2384] Add information about the IRC support channel --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e11e7461..905538d9 100644 --- a/README.md +++ b/README.md @@ -114,6 +114,8 @@ This Ansible playbook can be improved in the following ways: ## Support -Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) +- Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) -Github issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) +- IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net) + +- Github issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) From 529b5b222dbde912e68f32090f2811c5ccf847e2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 25 Nov 2018 09:57:30 +0200 Subject: [PATCH 0214/2384] Update riot-web (0.17.6 -> 0.17.7) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index c1701a60..d1cebba3 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -262,7 +262,7 @@ matrix_corporal_debug: false # you may wish to disable this. matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.6" +matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.7" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 733b80683337f5628089cf996fbabe7fcaa4f939 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 26 Nov 2018 07:23:42 +0200 Subject: [PATCH 0215/2384] Annotate certain features as optional/advanced We've had some people get confused into installing Matrix Corporal and having pain with that. With this documentation change, we try to make it clearer that it's an advanced feature not to be touched unless you know what you're doing. On a similar note, we also make sure other things are properly labeled as "(optional)" and/or "(advanced)". --- docs/configuring-playbook-bridge-mautrix-telegram.md | 5 +++-- docs/configuring-playbook-bridge-mautrix-whatsapp.md | 5 +++-- docs/configuring-playbook-federation.md | 2 +- docs/configuring-playbook-matrix-corporal.md | 9 ++++++++- docs/configuring-playbook-own-webserver.md | 4 ++-- docs/configuring-playbook-rest-auth.md | 2 +- docs/configuring-playbook-shared-secret-auth.md | 2 +- docs/configuring-playbook-telemetry.md | 2 +- docs/configuring-playbook.md | 8 ++++---- 9 files changed, 24 insertions(+), 15 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-telegram.md b/docs/configuring-playbook-bridge-mautrix-telegram.md index 0886c60d..c814cfdd 100644 --- a/docs/configuring-playbook-bridge-mautrix-telegram.md +++ b/docs/configuring-playbook-bridge-mautrix-telegram.md @@ -1,11 +1,12 @@ -# Setting up Mautrix Telegram +# Setting up Mautrix Telegram (optional) The playbook can install and configure [mautrix-telegram](https://github.com/tulir/mautrix-telegram) for you. See the project's [documentation](https://github.com/tulir/mautrix-telegram/wiki#usage) to learn what it does and why it might be useful to you. You'll need to obtain API keys from `https://my.telegram.org/apps` and then use the following playbook configuration: -``` + +```yaml matrix_mautrix_telegram_enabled: true matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH diff --git a/docs/configuring-playbook-bridge-mautrix-whatsapp.md b/docs/configuring-playbook-bridge-mautrix-whatsapp.md index 0d70043a..241d9d9c 100644 --- a/docs/configuring-playbook-bridge-mautrix-whatsapp.md +++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md @@ -1,11 +1,12 @@ -# Setting up Mautrix Whatsapp +# Setting up Mautrix Whatsapp (optional) The playbook can install and configure [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) for you. See the project's [documentation](https://github.com/tulir/mautrix-whatsapp/wiki) to learn what it does and why it might be useful to you. Use the following playbook configuration: -``` + +```yaml matrix_mautrix_whatsapp_enabled: true ``` diff --git a/docs/configuring-playbook-federation.md b/docs/configuring-playbook-federation.md index 02e69600..1906f37d 100644 --- a/docs/configuring-playbook-federation.md +++ b/docs/configuring-playbook-federation.md @@ -1,4 +1,4 @@ -# Controlling Matrix federation +# Controlling Matrix federation (optional) By default, your server federates with the whole Matrix network. That is, people on your server can communicate with people on any other Matrix server. diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index 8e78ee93..4afb0065 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -1,7 +1,14 @@ -# Setting up Matrix Corporal +# Setting up Matrix Corporal (optional, advanced) + +------------------------------------- + +**WARNING**: This is an advanced feature! It requires prior experience with Matrix and a specific need for using [Matrix Corporal](https://github.com/devture/matrix-corporal). If you're unsure whether you have such a need, you most likely don't. + +------------------------------------- The playbook can install and configure [matrix-corporal](https://github.com/devture/matrix-corporal) for you. +In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment. See that project's documentation to learn what it does and why it might be useful to you. If you decide that you'd like to let this playbook install it for you, you'd need to also [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md). diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 18d32b95..5bafe142 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -1,4 +1,4 @@ -# Using your own webserver, instead of this playbook's nginx proxy (optional) +# Using your own webserver, instead of this playbook's nginx proxy (optional, advanced) By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443. If that's alright, you can skip this. @@ -12,7 +12,7 @@ All it takes is: 2) editing your configuration file (`inventory/matrix./vars.yml`): -``` +```yaml matrix_nginx_proxy_enabled: false ``` diff --git a/docs/configuring-playbook-rest-auth.md b/docs/configuring-playbook-rest-auth.md index e320ca49..c2363ff4 100644 --- a/docs/configuring-playbook-rest-auth.md +++ b/docs/configuring-playbook-rest-auth.md @@ -1,4 +1,4 @@ -# Setting up the REST authentication password provider module +# Setting up the REST authentication password provider module (optional, advanced) The playbook can install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you. diff --git a/docs/configuring-playbook-shared-secret-auth.md b/docs/configuring-playbook-shared-secret-auth.md index df5eddd8..26675f4c 100644 --- a/docs/configuring-playbook-shared-secret-auth.md +++ b/docs/configuring-playbook-shared-secret-auth.md @@ -1,4 +1,4 @@ -# Setting up the Shared Secret Auth password provider module +# Setting up the Shared Secret Auth password provider module (optional, advanced) The playbook can install and configure [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) for you. diff --git a/docs/configuring-playbook-telemetry.md b/docs/configuring-playbook-telemetry.md index 1b794d9c..bc954f67 100644 --- a/docs/configuring-playbook-telemetry.md +++ b/docs/configuring-playbook-telemetry.md @@ -1,4 +1,4 @@ -# Enabling Telemetry for your Matrix server +# Enabling Telemetry for your Matrix server (optional) By default, this playbook configures your Matrix homeserver to not send any telemetry data anywhere. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 54aef726..6659f662 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -35,13 +35,13 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) (optional) -- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional) +- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional, advanced) -- [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional) +- [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional, advanced) -- [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) (optional) +- [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) (optional, advanced) -- [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional) +- [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced) - [Setting up Mautrix Telegram bridging](configuring-playbook-bridge-mautrix-telegram.md) (optional) From 5533db8a281599fc68c209ca06d75bf0deeb5929 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 26 Nov 2018 07:27:53 +0200 Subject: [PATCH 0216/2384] Add a note about trying to use local PostgreSQL instances --- docs/configuring-playbook-external-postgres.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-external-postgres.md b/docs/configuring-playbook-external-postgres.md index 2c93ebc3..dabd5382 100644 --- a/docs/configuring-playbook-external-postgres.md +++ b/docs/configuring-playbook-external-postgres.md @@ -15,4 +15,6 @@ matrix_postgres_db_name: "your-postgres-server-database-name" ``` The database (as specified in `matrix_postgres_db_name`) must exist and be accessible with the given credentials. -It must be empty or contain a valid Matrix Synapse database. If empty, Matrix Synapse would populate it the first time it runs. \ No newline at end of file +It must be empty or contain a valid Matrix Synapse database. If empty, Matrix Synapse would populate it the first time it runs. + +**Note**: the external server that you specify in `matrix_postgres_connection_hostname` must be accessible from within the container `matrix-synapse` Docker container (and possibly others). This means that it either needs to be a publicly accessible hostname or that it's a hostname on the same Docker network where all containers installed by this playbook run (a network called `matrix` by default). Using a local PostgreSQL instance on the host (running on the same machine, but not in a contianer) is not possible. \ No newline at end of file From 98b6492a08eaea2134fb625681ad7ae13afd5908 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 26 Nov 2018 10:35:08 +0200 Subject: [PATCH 0217/2384] Make it clearer that not all components are necessary --- README.md | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 905538d9..33edc2de 100644 --- a/README.md +++ b/README.md @@ -12,25 +12,25 @@ Using this playbook, you can get the following services configured on your serve - (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for your Matrix Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys) -- (optional default) [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. +- (optional, default) [PostgreSQL](https://www.postgresql.org/) database for Matrix Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. - a [coturn](https://github.com/coturn/coturn) STUN/TURN server for WebRTC audio/video calls - free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI -- (optional default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Matrix Synapse server by default +- (optional, default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Matrix Synapse server by default -- (optional default) an [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server +- (optional, default) an [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server -- (optional default) a [Postfix](http://www.postfix.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) +- (optional, default) a [Postfix](http://www.postfix.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) -- (optional default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) +- (optional, default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) -- (optional) the [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) REST authentication password provider module +- (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) REST authentication password provider module -- (optional) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module +- (optional, advanced) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module -- (optional) the [Matrix Corporal](https://github.com/devture/matrix-corporal) reconciliator and gateway for a managed Matrix server +- (optional, advanced) the [Matrix Corporal](https://github.com/devture/matrix-corporal) reconciliator and gateway for a managed Matrix server - (optional) the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/) @@ -38,6 +38,10 @@ Using this playbook, you can get the following services configured on your serve Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. +**Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. +Sticking with the defaults (which install a subset of the above components) is the best choice, especially for a new installation. +You can always re-run the playbook later to add or remove components. + ## What's different about this Ansible playbook? From 18e1dda4c84f78dd74fe4b0be225551115922035 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 27 Nov 2018 16:39:57 +0200 Subject: [PATCH 0218/2384] Revert "Update riot-web (0.17.6 -> 0.17.7)" As Github issue #42 says, 0.17.7 is not available. We shouldn't have tried to use it. This reverts commit 529b5b222dbde912e68f32090f2811c5ccf847e2. --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index d1cebba3..c1701a60 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -262,7 +262,7 @@ matrix_corporal_debug: false # you may wish to disable this. matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.7" +matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.6" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 9cf9a1ec549cf6ab280f8974b41dbd2ce11c523d Mon Sep 17 00:00:00 2001 From: Thomas vO Date: Tue, 27 Nov 2018 16:40:22 +0100 Subject: [PATCH 0219/2384] [auth-ldap] add template + vars for ldap auth --- roles/matrix-server/defaults/main.yml | 12 ++++++++++++ .../templates/synapse/homeserver.yaml.j2 | 19 ++++++++++++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index c1701a60..a418f4f5 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -152,6 +152,18 @@ matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0/shared_secret_authenticator.py" matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" +# Enable this to activate LDAP password provider +matrix_synapse_ext_password_provider_ldap: false +matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389" +matrix_synapse_ext_password_provider_ldap_tls: true +matrix_synapse_ext_password_provider_ldap_base: "" +matrix_synapse_ext_password_provider_ldap_attr_uid: "uid" +matrix_synapse_ext_password_provider_ldap_attr_mail: "mail" +matrix_synapse_ext_password_provider_ldap_attr_name: "name" +matrix_synapse_ext_password_provider_ldap_binddn: "" +matrix_synapse_ext_password_provider_ldap_bindpwd: "" +matrix_synapse_ext_password_provider_ldap_filter: "" + # The defaults below cause a postgres server to be configured (running within a container). # Using an external server is possible by tweaking all of the parameters below. diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 67b9c966..d693b8c2 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -649,6 +649,23 @@ password_providers: config: sharedSecret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" {% endif %} +{% if matrix_synapse_ext_password_provider_ldap %} + - module: "ldap_auth_provider.LdapAuthProvider" + config: + enabled: true + uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}" + start_tls: {{ matrix_synapse_ext_password_provider_ldap_tls }} + base: "{{ matrix_synapse_ext_password_provider_ldap_base }}" + attributes: + uid: "{{ matrix_synapse_ext_password_provider_ldap_attr_uid }}" + mail: "{{ matrix_synapse_ext_password_provider_ldap_attr_mail }}" + name: "{{ matrix_synapse_ext_password_provider_ldap_attr_name }}" + bind_dn: "{{ matrix_synapse_ext_password_provider_ldap_binddn }}" + bind_password: "{{ matrix_synapse_ext_password_provider_ldap_bindpwd }}" + {% if matrix_synapse_ext_password_provider_ldap_filter %} + filter: "{{ matrix_synapse_ext_password_provider_ldap_filter }}" + {% endif %} +{% endif %} {% endif %} @@ -779,4 +796,4 @@ enable_group_creation: false alias_creation_rules: - user_id: "*" alias: "*" - action: allow \ No newline at end of file + action: allow From bbf892883120cd8f26afd3ddadedc44113be8c72 Mon Sep 17 00:00:00 2001 From: Thomas vO Date: Wed, 28 Nov 2018 09:04:09 +0100 Subject: [PATCH 0220/2384] fix template and vars for ldap auth, add setup --- roles/matrix-server/defaults/main.yml | 12 ++++++------ .../tasks/setup/setup_synapse_ext.yml | 2 ++ .../tasks/setup/setup_synapse_ext_ldap.yml | 11 +++++++++++ .../templates/synapse/homeserver.yaml.j2 | 14 ++++++-------- 4 files changed, 25 insertions(+), 14 deletions(-) create mode 100644 roles/matrix-server/tasks/setup/setup_synapse_ext_ldap.yml diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index a418f4f5..f5cab0f3 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -155,13 +155,13 @@ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" # Enable this to activate LDAP password provider matrix_synapse_ext_password_provider_ldap: false matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389" -matrix_synapse_ext_password_provider_ldap_tls: true +matrix_synapse_ext_password_provider_ldap_start_tls: true matrix_synapse_ext_password_provider_ldap_base: "" -matrix_synapse_ext_password_provider_ldap_attr_uid: "uid" -matrix_synapse_ext_password_provider_ldap_attr_mail: "mail" -matrix_synapse_ext_password_provider_ldap_attr_name: "name" -matrix_synapse_ext_password_provider_ldap_binddn: "" -matrix_synapse_ext_password_provider_ldap_bindpwd: "" +matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid" +matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail" +matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" +matrix_synapse_ext_password_provider_ldap_bind_dn: "" +matrix_synapse_ext_password_provider_ldap_bind_password: "" matrix_synapse_ext_password_provider_ldap_filter: "" diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext.yml index d202d94e..058cbc24 100644 --- a/roles/matrix-server/tasks/setup/setup_synapse_ext.yml +++ b/roles/matrix-server/tasks/setup/setup_synapse_ext.yml @@ -4,6 +4,8 @@ - include: tasks/setup/setup_synapse_ext_shared_secret_auth.yml +- include: tasks/setup/setup_synapse_ext_ldap.yml + - include: tasks/setup/setup_synapse_ext_mautrix_telegram.yml - include: tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_ldap.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext_ldap.yml new file mode 100644 index 00000000..abe9d3bd --- /dev/null +++ b/roles/matrix-server/tasks/setup/setup_synapse_ext_ldap.yml @@ -0,0 +1,11 @@ +- set_fact: + matrix_synapse_password_providers_enabled: true + when: "matrix_synapse_ext_password_provider_ldap" + +- set_fact: + matrix_synapse_additional_loggers: > + {{ matrix_synapse_additional_loggers }} + + + {{ [{'name': 'ldap_auth_provider', 'level': 'INFO'}] }} + when: "matrix_synapse_ext_password_provider_ldap" + diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index d693b8c2..0840f5b3 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -654,17 +654,15 @@ password_providers: config: enabled: true uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}" - start_tls: {{ matrix_synapse_ext_password_provider_ldap_tls }} + start_tls: "{{ matrix_synapse_ext_password_provider_ldap_start_tls }}" base: "{{ matrix_synapse_ext_password_provider_ldap_base }}" attributes: - uid: "{{ matrix_synapse_ext_password_provider_ldap_attr_uid }}" - mail: "{{ matrix_synapse_ext_password_provider_ldap_attr_mail }}" - name: "{{ matrix_synapse_ext_password_provider_ldap_attr_name }}" - bind_dn: "{{ matrix_synapse_ext_password_provider_ldap_binddn }}" - bind_password: "{{ matrix_synapse_ext_password_provider_ldap_bindpwd }}" - {% if matrix_synapse_ext_password_provider_ldap_filter %} + uid: "{{ matrix_synapse_ext_password_provider_ldap_attributes_uid }}" + mail: "{{ matrix_synapse_ext_password_provider_ldap_attributes_mail }}" + name: "{{ matrix_synapse_ext_password_provider_ldap_attributes_name }}" + bind_dn: "{{ matrix_synapse_ext_password_provider_ldap_bind_dn }}" + bind_password: "{{ matrix_synapse_ext_password_provider_ldap_bind_password }}" filter: "{{ matrix_synapse_ext_password_provider_ldap_filter }}" - {% endif %} {% endif %} {% endif %} From 9f212adc1de03e5260ba4846c9d15a1e29e00ae7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 28 Nov 2018 11:19:19 +0200 Subject: [PATCH 0221/2384] Rename variable (matrix_synapse_ext_password_provider_ldap -> matrix_synapse_ext_password_provider_ldap_enabled) This makes it more consistent with other usage throughout the playbook. --- roles/matrix-server/defaults/main.yml | 2 +- roles/matrix-server/tasks/setup/setup_synapse_ext.yml | 2 +- ...p_synapse_ext_ldap.yml => setup_synapse_ext_ldap_auth.yml} | 4 ++-- roles/matrix-server/templates/synapse/homeserver.yaml.j2 | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) rename roles/matrix-server/tasks/setup/{setup_synapse_ext_ldap.yml => setup_synapse_ext_ldap_auth.yml} (66%) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index f5cab0f3..a6b39532 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -153,7 +153,7 @@ matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://r matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" # Enable this to activate LDAP password provider -matrix_synapse_ext_password_provider_ldap: false +matrix_synapse_ext_password_provider_ldap_enabled: false matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389" matrix_synapse_ext_password_provider_ldap_start_tls: true matrix_synapse_ext_password_provider_ldap_base: "" diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext.yml index 058cbc24..e5b3067c 100644 --- a/roles/matrix-server/tasks/setup/setup_synapse_ext.yml +++ b/roles/matrix-server/tasks/setup/setup_synapse_ext.yml @@ -4,7 +4,7 @@ - include: tasks/setup/setup_synapse_ext_shared_secret_auth.yml -- include: tasks/setup/setup_synapse_ext_ldap.yml +- include: tasks/setup/setup_synapse_ext_ldap_auth.yml - include: tasks/setup/setup_synapse_ext_mautrix_telegram.yml diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_ldap.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext_ldap_auth.yml similarity index 66% rename from roles/matrix-server/tasks/setup/setup_synapse_ext_ldap.yml rename to roles/matrix-server/tasks/setup/setup_synapse_ext_ldap_auth.yml index abe9d3bd..8c87e8e5 100644 --- a/roles/matrix-server/tasks/setup/setup_synapse_ext_ldap.yml +++ b/roles/matrix-server/tasks/setup/setup_synapse_ext_ldap_auth.yml @@ -1,11 +1,11 @@ - set_fact: matrix_synapse_password_providers_enabled: true - when: "matrix_synapse_ext_password_provider_ldap" + when: "matrix_synapse_ext_password_provider_ldap_enabled" - set_fact: matrix_synapse_additional_loggers: > {{ matrix_synapse_additional_loggers }} + {{ [{'name': 'ldap_auth_provider', 'level': 'INFO'}] }} - when: "matrix_synapse_ext_password_provider_ldap" + when: "matrix_synapse_ext_password_provider_ldap_enabled" diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 0840f5b3..a0e23ab6 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -649,7 +649,7 @@ password_providers: config: sharedSecret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" {% endif %} -{% if matrix_synapse_ext_password_provider_ldap %} +{% if matrix_synapse_ext_password_provider_ldap_enabled %} - module: "ldap_auth_provider.LdapAuthProvider" config: enabled: true From 3fec9dfa0e85c24d45f458c526a110f22225180a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 28 Nov 2018 11:21:03 +0200 Subject: [PATCH 0222/2384] Add LDAP auth password provider documentation and changelog description --- CHANGELOG.md | 9 +++++++++ README.md | 2 ++ docs/configuring-playbook-ldap-auth.md | 20 ++++++++++++++++++++ docs/configuring-playbook.md | 2 ++ 4 files changed, 33 insertions(+) create mode 100644 docs/configuring-playbook-ldap-auth.md diff --git a/CHANGELOG.md b/CHANGELOG.md index d961c651..9a3e1f16 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2018-11-28 + +## LDAP auth support via matrix-synapse-ldap3 + +The playbook can now install and configure [LDAP auth support](https://github.com/matrix-org/matrix-synapse-ldap3) for you. + +Additional details are available in [Setting up the LDAP authentication password provider module](docs/configuring-playbook-ldap-auth.md). + + # 2018-11-23 ## Support for controlling public registration and room auto-join diff --git a/README.md b/README.md index 33edc2de..1539d678 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,8 @@ Using this playbook, you can get the following services configured on your serve - (optional, advanced) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module +- (optional, advanced) the [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) LDAP Auth password provider module + - (optional, advanced) the [Matrix Corporal](https://github.com/devture/matrix-corporal) reconciliator and gateway for a managed Matrix server - (optional) the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/) diff --git a/docs/configuring-playbook-ldap-auth.md b/docs/configuring-playbook-ldap-auth.md new file mode 100644 index 00000000..5d63cf26 --- /dev/null +++ b/docs/configuring-playbook-ldap-auth.md @@ -0,0 +1,20 @@ +# Setting up the LDAP authentication password provider module (optional, advanced) + +The playbook can install and configure the [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) LDAP Auth password provider for you. + +See that project's documentation to learn what it does and why it might be useful to you. + +If you decide that you'd like to let this playbook install it for you, you need some configuration like this: + +```yaml +matrix_synapse_ext_password_provider_ldap_enabled: true +matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389" +matrix_synapse_ext_password_provider_ldap_start_tls: true +matrix_synapse_ext_password_provider_ldap_base: "ou=users,dc=example,dc=com" +matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid" +matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail" +matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" +matrix_synapse_ext_password_provider_ldap_bind_dn: "" +matrix_synapse_ext_password_provider_ldap_bind_password: "" +matrix_synapse_ext_password_provider_ldap_filter: "" +``` \ No newline at end of file diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 6659f662..b0dc0cb3 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -41,6 +41,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) (optional, advanced) +- [Setting up the LDAP password provider module](configuring-playbook-ldap-auth.md) (optional, advanced) + - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced) - [Setting up Mautrix Telegram bridging](configuring-playbook-bridge-mautrix-telegram.md) (optional) From 2bdc35de63843eff4b0ece106b90a02aaaee4f8b Mon Sep 17 00:00:00 2001 From: Thomas vO Date: Wed, 28 Nov 2018 11:02:15 +0100 Subject: [PATCH 0223/2384] add script + doc to change a user to admin --- docs/registering-users.md | 12 +++++++++++- .../matrix-server/tasks/setup/setup_postgres.yml | 6 ++++++ .../usr-local-bin/matrix-make-user-admin.j2 | 15 +++++++++++++++ 3 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-server/templates/usr-local-bin/matrix-make-user-admin.j2 diff --git a/docs/registering-users.md b/docs/registering-users.md index b934a55a..9822979d 100644 --- a/docs/registering-users.md +++ b/docs/registering-users.md @@ -16,4 +16,14 @@ You can do it via this Ansible playbook (make sure to edit the `` ----- -If you've just installed Matrix, **to finalize the installation process**, it's best if you proceed to [Configuring service discovery via .well-known](configuring-well-known.md) \ No newline at end of file +If you've just installed Matrix, **to finalize the installation process**, it's best if you proceed to [Configuring service discovery via .well-known](configuring-well-known.md) + +----- + +The script `/usr/local/bin/matrix-make-user-admin` may be used to upgrade a user's privileges: + +* log on to your server with ssh +* execute with the username: + + /usr/local/bin/matrix-make-user-admin + diff --git a/roles/matrix-server/tasks/setup/setup_postgres.yml b/roles/matrix-server/tasks/setup/setup_postgres.yml index bbaebad7..fdf253be 100644 --- a/roles/matrix-server/tasks/setup/setup_postgres.yml +++ b/roles/matrix-server/tasks/setup/setup_postgres.yml @@ -62,6 +62,12 @@ dest: "/usr/local/bin/matrix-postgres-cli" mode: 0750 +- name: Ensure matrix-make-user-admin script created + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-make-user-admin.j2" + dest: "/usr/local/bin/matrix-make-user-admin" + mode: 0750 + # # Tasks related to setting up an internal postgres server # diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-make-user-admin.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-make-user-admin.j2 new file mode 100644 index 00000000..37d72370 --- /dev/null +++ b/roles/matrix-server/templates/usr-local-bin/matrix-make-user-admin.j2 @@ -0,0 +1,15 @@ +#!/bin/bash + +if [ $# -ne 1 ]; then + echo "Usage: "$0" " + exit 1 +fi + +docker run \ + -it \ + --rm \ + --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ + --network {{ matrix_docker_network }} \ + {{ matrix_postgres_docker_image_to_use }} \ + psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ host_specific_hostname_identity }}'" + From caba16ea0d3a4cc9ed6c91429a31dc7737cf8fea Mon Sep 17 00:00:00 2001 From: Thomas vO Date: Wed, 28 Nov 2018 11:02:51 +0100 Subject: [PATCH 0224/2384] add script + doc to remove everything --- docs/uninstalling.md | 5 ++- .../matrix-server/tasks/setup/setup_main.yml | 9 ++++- .../usr-local-bin/matrix-remove-all.j2 | 34 +++++++++++++++++++ 3 files changed, 46 insertions(+), 2 deletions(-) create mode 100644 roles/matrix-server/templates/usr-local-bin/matrix-remove-all.j2 diff --git a/docs/uninstalling.md b/docs/uninstalling.md index 3693ac1b..7acb9bcc 100644 --- a/docs/uninstalling.md +++ b/docs/uninstalling.md @@ -18,4 +18,7 @@ However, if you've installed this on some server where you have other stuff you - uninstall Docker itself, if necessary -- delete the `/matrix` directory (`rm -rf /matrix`) \ No newline at end of file +- delete the `/matrix` directory (`rm -rf /matrix`) + +The script `/usr/local/bin/matrix-remove-all` performs all these steps (**use with caution!**). + diff --git a/roles/matrix-server/tasks/setup/setup_main.yml b/roles/matrix-server/tasks/setup/setup_main.yml index a4da6986..a147c862 100644 --- a/roles/matrix-server/tasks/setup/setup_main.yml +++ b/roles/matrix-server/tasks/setup/setup_main.yml @@ -53,4 +53,11 @@ - name: Create Matrix network in Docker shell: cmd: "docker network create --driver=bridge {{ matrix_docker_network }}" - when: "result_check_docker_network.stdout == ''" \ No newline at end of file + when: "result_check_docker_network.stdout == ''" + +- name: Ensure matrix-remove-all script created + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-remove-all.j2" + dest: "/usr/local/bin/matrix-remove-all" + mode: 0750 + diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-remove-all.j2 new file mode 100644 index 00000000..5614b0e3 --- /dev/null +++ b/roles/matrix-server/templates/usr-local-bin/matrix-remove-all.j2 @@ -0,0 +1,34 @@ +#!/bin/bash + +if [ "$(id -u)" != "0" ]; then + echo "This script must be executed as root! Aborting." + exit 1 +fi + +echo "WARNING! You are about to remove everything the playbook installs for matrix.{{ host_specific_hostname_identity }}: matrix, docker images,..." +echo -n "If you're sure you want to do this, type: 'Yes, I really want to remove everything!'" +read sure + +if [ "$sure" != "Yes, I really want to remove everything!" ]; then + echo "Good thing I asked, exiting" + exit 0 +else + echo "Stop and remove matrix services" + for s in $(find /etc/systemd/system/ -name "matrix-*" -printf "%f\n"); do + systemctl stop $s + rm -f /etc/systemd/system/$s + done + systemctl daemon-reload + echo "Remove matrix cronjobs" + find /etc/cron.d/ -name "matrix-*" -delete + echo "Remove matrix scripts" + find /usr/local/bin/ -name "matrix-*" -delete + echo "Remove every docker images" + docker rmi $(docker images -aq) + echo "Remove docker matrix network" + docker network rm matrix + echo "Remove /matrix directory" + rm -fr /matrix + exit 0 +fi + From cf6d8c944553708a965053d4da8a42f1e07fe581 Mon Sep 17 00:00:00 2001 From: Thomas vO Date: Wed, 28 Nov 2018 11:05:35 +0100 Subject: [PATCH 0225/2384] update changelog --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a3e1f16..0d71ff84 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # 2018-11-28 +## More scripts + +* matrix-remove-all allows to uninstall everything with a single command +* matrix-make-user-admin allows to upgrade a user's privileges + ## LDAP auth support via matrix-synapse-ldap3 The playbook can now install and configure [LDAP auth support](https://github.com/matrix-org/matrix-synapse-ldap3) for you. From 9dad4c7c2dfae0685e8d42e1525f7ae4726f7ba6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 29 Nov 2018 08:35:57 +0200 Subject: [PATCH 0226/2384] Fix /.well-known/matrix/client for CORS This is provoked by Github issue #46. No client had made use of the well-known mechanism so far, so the set up performed by this playbook was not tested and turned out to be a little deficient. Even though /.well-known/matrix/client is usually requested with a simple request (no preflight), it's still considered cross-origin and [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) applies. Thus, the file always needs to be served with the appropriate `Access-Control-Allow-Origin` header. Github issue #46 attempts to fix it at the "reverse-proxying" layer, which may work, but would need to be done for every server. It's better if it's done "upstream", so that all reverse-proxy configurations can benefit. --- docs/configuring-well-known.md | 20 ++++++++++++++----- .../self_check/self_check_well_known.yml | 19 +++++++++++++----- .../nginx-conf.d/matrix-synapse.conf.j2 | 1 + 3 files changed, 30 insertions(+), 10 deletions(-) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index ea3d32bb..4185a9d6 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -23,19 +23,29 @@ To make things easy for you to set up, this playbook generates and hosts the wel You have 2 options when it comes to installing the file on the base domain's server: -1) (Option 1): **Copying the file manually** to your base domain's server -All it takes is copying the `/.well-known/matrix/client` from the Matrix server (e.g. `matrix.example.com`) to your base domain's server (`example.com`). +### (Option 1): **Copying the file manually** to your base domain's server -This is easy to do and possibly your only choice if you can only host static files from the base domain's server. -It is, however, a little fragile, as future updates performed by this playbook may regenerate the well-known file and you may need to notice that and copy it again. +**Hint**: Option 2 (below) is generally a better way to do this. Make sure to go with that one, if possible. -2) (Option 2): **Setting up reverse-proxying** of the well-known file from the base domain's server to the Matrix server. +All you need to do is: + +- copy the `/.well-known/matrix/client` from the Matrix server (e.g. `matrix.example.com`) to your base domain's server (`example.com`). + +- set up the server at your base domain (e.g. `example.com`) so that it adds an extra HTTP header when serving the `/.well-known/matrix/client` file. [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS), the `Access-Control-Allow-Origin` header should be set with a value of `*`. If you don't do this step, web-based Matrix clients (like Riot) may fail to work. + +This is relatively easy to do and possibly your only choice if you can only host static files from the base domain's server. +It is, however, **a little fragile**, as future updates performed by this playbook may regenerate the well-known file and you may need to notice that and copy it again. + + +### (Option 2): **Setting up reverse-proxying** of the well-known file from the base domain's server to the Matrix server This option is less fragile and generally better. On the base domain's server (e.g. `example.com`), you can set up reverse-proxying, so that any access for the `/.well-known/matrix` location prefix is forwarded to the Matrix domain's server (e.g. `matrix.example.com`). +With this method, you **don't need** to add special HTTP headers for [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) reasons (like `Access-Control-Allow-Origin`), because your Matrix server (where requests ultimately go) will be configured by this playbook correctly. + **For nginx**, it would be something like this: ```nginx diff --git a/roles/matrix-server/tasks/self_check/self_check_well_known.yml b/roles/matrix-server/tasks/self_check/self_check_well_known.yml index 96c3724e..ea3bae4b 100644 --- a/roles/matrix-server/tasks/self_check/self_check_well_known.yml +++ b/roles/matrix-server/tasks/self_check/self_check_well_known.yml @@ -17,9 +17,14 @@ msg: "Failed checking well-known is configured at `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}" when: "result_well_known_matrix.failed or 'json' not in result_well_known_matrix" +- name: Fail if .well-known not CORS-aware on the matrix hostname + fail: + msg: "Well-known serving for `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set." + when: "'access_control_allow_origin' not in result_well_known_matrix" + - name: Report working .well-known on the matrix hostname debug: - msg: "well-known is configured at `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)" + msg: "well-known is configured correctly for `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)" - name: Check .well-known on the identity hostname @@ -34,13 +39,17 @@ msg: "Failed checking well-known is configured at `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}" when: "result_well_known_identity.failed or 'json' not in result_well_known_identity" -- name: Report working .well-known on the identity hostname - debug: - msg: "well-known is configured at `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`)" - +- name: Fail if .well-known not CORS-aware on the identity hostname + fail: + msg: "Well-known serving for `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md" + when: "'access_control_allow_origin' not in result_well_known_identity" # For people who manually copy the well-known file, try to detect if it's outdated - name: Fail if well-known is different on matrix hostname and identity hostname fail: msg: "The well-known files at `{{ hostname_matrix }}` and `{{ hostname_identity }}` are different. Perhaps you copied the file manually before and now it's outdated?" when: "result_well_known_matrix.json|to_json != result_well_known_identity.json|to_json" + +- name: Report working .well-known on the identity hostname + debug: + msg: "well-known is configured correctly for `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`)" diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 096249e0..2b4c0231 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -43,6 +43,7 @@ server { root {{ matrix_static_files_base_path }}; expires 1m; default_type application/json; + add_header Access-Control-Allow-Origin *; } {% if matrix_corporal_enabled and matrix_corporal_http_api_enabled %} From f8987cb775285cc9c092992067cdedb83d29350a Mon Sep 17 00:00:00 2001 From: Hugues Morisset Date: Fri, 30 Nov 2018 19:32:29 +0100 Subject: [PATCH 0227/2384] Set default mautrix-telegram image to 0.4.0 --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index a6b39532..d8b45fdf 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -295,7 +295,7 @@ matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" # Enable telegram bridge matrix_mautrix_telegram_enabled: false -matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.3.0" +matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.4.0" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" From 9028e3714ea5ea0be6d77adfbf748c72290c7492 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Tue, 4 Dec 2018 09:34:32 -0600 Subject: [PATCH 0228/2384] Add utf8 encoding option to log config --- roles/matrix-server/templates/synapse/synapse.log.config.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-server/templates/synapse/synapse.log.config.j2 b/roles/matrix-server/templates/synapse/synapse.log.config.j2 index b551047c..59fc9c80 100644 --- a/roles/matrix-server/templates/synapse/synapse.log.config.j2 +++ b/roles/matrix-server/templates/synapse/synapse.log.config.j2 @@ -18,6 +18,7 @@ handlers: maxBytes: {{ matrix_synapse_max_log_file_size_mb * 1024 * 1024 }} backupCount: {{ matrix_synapse_max_log_files_count }} filters: [context] + encoding: utf8 console: class: logging.StreamHandler formatter: precise From 22523c0e420b94f1ba9bc6562286a60987392f38 Mon Sep 17 00:00:00 2001 From: haslersn Date: Tue, 4 Dec 2018 17:19:35 +0100 Subject: [PATCH 0229/2384] Support configuring mxisd's identity stores (two of them) mxisd supports several identity stores. Add support to configure two of them: * synapseSql (storing identities directly in Synapse's database) * LDAP This removed the need to copy `mxisd.yaml.j2` to the inventory in case one wants to use LDAP as identity store. Note that the previous solution (copying `mxisd.yaml.j2` was poor because of two reasons: * The copy remains outdated in case the original is updated in future versions of this repo. * The role's configuration should be in one place (configured only through role variables) instead of in multiple. Configuring more identity stores through role variables can be supported in the future. --- roles/matrix-server/defaults/main.yml | 33 +++++++++++ .../templates/mxisd/mxisd.yaml.j2 | 59 +++++++++++++++++-- 2 files changed, 87 insertions(+), 5 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index d8b45fdf..c85ae796 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -237,6 +237,39 @@ matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" # Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups matrix_mxisd_matrixorg_forwarding_enabled: false +# mxisd has serveral supported identity stores. +# One of them is storing identities directly in Synapse's database. +# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md +matrix_mxisd_synapsesql_enabled: true +matrix_mxisd_synapsesql_type: postgresql +matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }} + +# LDAP is another identity store that's supported by mxisd. +# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/ldap.md +matrix_mxisd_ldap_enabled: false +matrix_mxisd_ldap_connection_host: ldapHostnameOrIp +matrix_mxisd_ldap_connection_tls: false +matrix_mxisd_ldap_connection_port: 389 +matrix_mxisd_ldap_connection_baseDn: OU=Users,DC=example,DC=org +matrix_mxisd_ldap_connection_bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org +matrix_mxisd_ldap_connection_bindPassword: TheUserPassword +# The following keys are optional: +# matrix_mxisd_ldap_filter: "" +# matrix_mxisd_ldap_attribute_uid_type: uid +# matrix_mxisd_ldap_attribute_uid_value: sAMAccountName +# matrix_mxisd_ldap_attribute_name: cn +# matrix_mxisd_ldap_attribute_threepid_email: +# - mail +# - otherMailAttribute +# matrix_mxisd_ldap_attribute_threepid_msisdn: +# - phone +# - otherPhoneAttribute +# matrix_mxisd_ldap_identity_filter: "" +# matrix_mxisd_ldap_identity_medium: "" +# matrix_mxisd_ldap_auth_filter: "" +# matrix_mxisd_ldap_directory_filter: "" + + # Specifies which template files to use when configuring mxisd. # If you'd like to have your own different configuration, feel free to copy and paste # the original files into your inventory (e.g. in `inventory/host_vars//`) diff --git a/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 b/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 index 99c2d3d6..58930284 100644 --- a/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 +++ b/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 @@ -10,10 +10,59 @@ threepid.medium.email.connectors.smtp.host: matrix-mailer threepid.medium.email.connectors.smtp.port: 587 threepid.medium.email.connectors.smtp.tls: 0 -synapseSql.enabled: true -synapseSql.type: postgresql -synapseSql.connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }} - {% if matrix_mxisd_matrixorg_forwarding_enabled %} forward.servers: ['matrix-org'] -{% endif %} \ No newline at end of file +{% endif %} + +synapseSql.enabled: {{ matrix_mxisd_synapsesql_enabled }} +synapseSql.type: {{ matrix_mxisd_synapsesql_type }} +synapseSql.connection: {{ matrix_mxisd_synapsesql_connection }} + +ldap.enabled: {{ matrix_mxisd_ldap_enabled }} +ldap.connection.host: {{ matrix_mxisd_ldap_connection_host }} +ldap.connection.tls: {{ matrix_mxisd_ldap_connection_tls }} +ldap.connection.port: {{ matrix_mxisd_ldap_connection_port }} +ldap.connection.baseDn: {{ matrix_mxisd_ldap_connection_baseDn }} +ldap.connection.bindDn: {{ matrix_mxisd_ldap_connection_bindDn }} +ldap.connection.bindPassword: {{ matrix_mxisd_ldap_connection_bindPassword }} + +{% if matrix_mxisd_ldap_filter is defined %} +ldap.filter: {{ matrix_mxisd_ldap_filter }} +{% endif %} + +{% if matrix_mxisd_ldap_attribute_uid_type is defined %} +ldap.attribute.uid.type: {{ matrix_mxisd_ldap_attribute_uid_type }} +{% endif %} + +{% if matrix_mxisd_ldap_attribute_uid_value is defined %} +ldap.attribute.uid.value: {{ matrix_mxisd_ldap_attribute_uid_value }} +{% endif %} + +{% if matrix_mxisd_ldap_attribute_name is defined %} +ldap.attribute.name: {{ matrix_mxisd_ldap_attribute_name }} +{% endif %} + +{% if matrix_mxisd_ldap_attribute_threepid_email is defined %} +ldap.attribute.threepid.email: {{ matrix_mxisd_ldap_attribute_threepid_email|to_yaml }} +{% endif %} + +{% if matrix_mxisd_ldap_attribute_threepid_msisdn is defined %} +ldap.attribute.threepid.msisdn: {{ matrix_mxisd_ldap_attribute_threepid_msisdn|to_yaml }} +{% endif %} + +{% if matrix_mxisd_ldap_identity_filter is defined %} +ldap.identity.filter: {{ matrix_mxisd_ldap_identity_filter }} +{% endif %} + +{% if matrix_mxisd_ldap_identity_medium is defined %} +ldap.identity.medium: {{ matrix_mxisd_ldap_identity_medium }} +{% endif %} + +{% if matrix_mxisd_ldap_auth_filter is defined %} +ldap.auth.filter: {{ matrix_mxisd_ldap_auth_filter }} +{% endif %} + +{% if matrix_mxisd_ldap_directory_filter is defined %} +ldap.directory.filter: {{ matrix_mxisd_ldap_directory_filter }} +{% endif %} + From 57bfb970a997f54653386f87810378f38cbec3f7 Mon Sep 17 00:00:00 2001 From: anadahz Date: Tue, 11 Dec 2018 13:48:54 +0000 Subject: [PATCH 0230/2384] Enable support for custom HTML in riot-web homepage * Add default template file for homepage HTML * Add default riot-web config options for homepage --- roles/matrix-server/defaults/main.yml | 11 + .../tasks/setup/setup_riot_web.yml | 9 +- .../templates/riot-web/home.html.j2 | 308 ++++++++++++++++++ .../systemd/matrix-riot-web.service.j2 | 1 + 4 files changed, 325 insertions(+), 4 deletions(-) create mode 100644 roles/matrix-server/templates/riot-web/home.html.j2 diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index c85ae796..4e40df27 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -323,6 +323,17 @@ matrix_riot_web_roomdir_servers: ['matrix.org'] matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" +# Riot home.html customizations +# Default home.html template file +matrix_riot_web_homepage_template: "{{ role_path }}/templates/riot-web/home.html.j2" +# Show general discussion about Matrix and Riot row +matrix_riot_web_homepage_template_general: true +# Show Matrix technical discussions row +matrix_riot_web_homepage_template_technical: true +# Show building services on Matrix row +matrix_riot_web_homepage_template_building: true +# Show contributing code to Matrix and Riot row +matrix_riot_web_homepage_template_contributing: true # Matrix mautrix is a Matrix <-> Telegram bridge # Enable telegram bridge diff --git a/roles/matrix-server/tasks/setup/setup_riot_web.yml b/roles/matrix-server/tasks/setup/setup_riot_web.yml index dad384c1..60b1cdcd 100644 --- a/roles/matrix-server/tasks/setup/setup_riot_web.yml +++ b/roles/matrix-server/tasks/setup/setup_riot_web.yml @@ -20,14 +20,15 @@ - name: Ensure Matrix riot-web configured template: - src: "{{ role_path }}/templates/riot-web/{{ item }}.j2" - dest: "{{ matrix_riot_web_data_path }}/{{ item }}" + src: "{{ item.src }}" + dest: "{{ matrix_riot_web_data_path }}/{{ item.name }}" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - "riot.im.conf" - - "config.json" + - {src: "{{ role_path }}/templates/riot-web/riot.im.conf.j2", name: "riot.im.conf"} + - {src: "{{ role_path }}/templates/riot-web/config.json.j2", name: "config.json"} + - {src: "{{ matrix_riot_web_homepage_template }}", name: "home.html"} when: matrix_riot_web_enabled - name: Ensure matrix-riot-web.service installed diff --git a/roles/matrix-server/templates/riot-web/home.html.j2 b/roles/matrix-server/templates/riot-web/home.html.j2 new file mode 100644 index 00000000..8f191caa --- /dev/null +++ b/roles/matrix-server/templates/riot-web/home.html.j2 @@ -0,0 +1,308 @@ + + +
+
+ +
+

_t("Welcome to {{ hostname_riot }}")

+

_t("Decentralised, encrypted chat & collaboration powered by [matrix]")

+
+
+
+
+
+

_t("Search the room directory")

+ + + + + _t("Lots of rooms already exist in Matrix, linked to existing networks (Slack, IRC, Gitter etc) or independent. Check out the directory!") + +
+
+{% if matrix_riot_web_welcome_user_id %} +
+
+

_t("Chat with Riot Bot")

+ + + + + _t("Get started with some tips from Riot Bot!") + +
+
+{% endif %} +
+{% if matrix_riot_web_homepage_template_general %} + +

_t("General discussion about Matrix and Riot")

+ +
+
+ + + Matrix HQ + + _t("Discussion of all things Matrix!") +
+
+ + + Riot + + _t("Riot/Web & Desktop chat") +
+
+ + + #riot-ios + + _t("Riot/iOS & matrix-ios-sdk chat") +
+
+ + + #riot-android + + _t("Riot/Android & matrix-android-sdk chat") +
+
+{% endif %} +{% if matrix_riot_web_homepage_template_technical %} + +

_t("Matrix technical discussions")

+

_t("Running Matrix services")

+ +
+
+ + + Matrix Docker Ansible Deploy + + _t("Support for Matrix Docker Ansible role") +
+
+ + + Synapse Support Community + + _t("Community-run support for Synapse") +
+
+ + + #dendrite:matrix.org + + _t("Admin support for Dendrite") +
+
+ + + Synapse Homeowners + + _t("Announcements about Synapse releases") +
+
+ + + IRC Matrix Bridges + + _t("Support for those using and running matrix-appservice-irc") +
+
+{% endif %} +{% if matrix_riot_web_homepage_template_building %} + +

_t("Building services on Matrix")

+ +
+
+ + + #matrix-dev:matrix.org + + _t("Support for those using the Matrix spec") +
+
+ + + End-to-end crypto in Matrix + + _t("Design and implementation of E2E in Matrix") +
+
+ + + #vr:matrix.org + + _t("Implementing VR services with Matrix") +
+
+ + + #webrtc:matrix.org + + _t("Implementing VoIP services with Matrix") +
+
+ + + Matrix Identity + + _t("Discussion of the Identity Service API") +
+
+ + + Matrix Bridging + + _t("Support for those using, running and writing other bridges") +
+
+{% endif %} +{% if matrix_riot_web_homepage_template_contributing %} +

_t("Contributing code to Matrix and Riot")

+ +
+
+ + + #riot-dev + + _t("Dev chat for the Riot/Web dev team") +
+
+ + + #dendrite-dev + + _t("Dev chat for the Dendrite dev team") +
+
+ + + Riot Translations + + _t("Co-ordination for Riot translators") +
+
+{% endif %} +
diff --git a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 index 3573c0d5..806402d5 100644 --- a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 @@ -11,6 +11,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ -v {{ matrix_riot_web_data_path }}/config.json:/riot-web/webapp/config.json:ro \ + -v {{ matrix_riot_web_data_path }}/home.html:/riot-web/webapp/home.html:ro \ -v {{ matrix_riot_web_data_path }}/riot.im.conf:/data/riot.im.conf:ro \ --network={{ matrix_docker_network }} \ {% if not matrix_nginx_proxy_enabled %} From 92ef6986a22c86d45642949f76ba5f2703ee061d Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Tue, 11 Dec 2018 10:15:09 -0600 Subject: [PATCH 0231/2384] Link to Synapse Homeowners room --- docs/installing.md | 3 ++- docs/maintenance-upgrading-services.md | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/installing.md b/docs/installing.md index 10e754d9..79d06335 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -34,4 +34,5 @@ Now that the services are running, you might want to: - [create your first user account](registering-users.md) - or **finalize the installation process** by [Configuring service discovery via .well-known](configuring-well-known.md) -- or [Check if services work](maintenance-checking-services.md) \ No newline at end of file +- or [Check if services work](maintenance-checking-services.md) +- or learn how to [upgrade your services when new versions are released](maintenance-upgrading-services.md) diff --git a/docs/maintenance-upgrading-services.md b/docs/maintenance-upgrading-services.md index 9190f61b..2ab8799b 100644 --- a/docs/maintenance-upgrading-services.md +++ b/docs/maintenance-upgrading-services.md @@ -2,6 +2,8 @@ This playbook not only installs the various Matrix services for you, but can also upgrade them as new versions are made available. +If you want to be notified when new versions of Synapse are released, you should join the Synapse Homeowners room: [#homeowners:matrix.org](https://matrix.to/#/#homeowners:matrix.org). + To upgrade the services: - update your playbook directory (`git pull`), so you'd obtain everything new we've done @@ -12,4 +14,4 @@ To upgrade the services: - restart the services: `ansible-playbook -i inventory/hosts setup.yml --tags=start` -**Note**: major version upgrades are not done to the internal PostgreSQL database. To upgrade that one, refer to the [upgrading PostgreSQL document](maintenance-upgrading-postgres.md). \ No newline at end of file +**Note**: major version upgrades are not done to the internal PostgreSQL database. To upgrade that one, refer to the [upgrading PostgreSQL document](maintenance-upgrading-postgres.md). From fcf43eeacc71777c0ae7f189d9624d42f2913508 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 12 Dec 2018 10:48:30 +0900 Subject: [PATCH 0232/2384] Fix "missing translation" warning on riot-web homepage Small bugfix related to #55 --- roles/matrix-server/templates/riot-web/home.html.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/templates/riot-web/home.html.j2 b/roles/matrix-server/templates/riot-web/home.html.j2 index 8f191caa..827906ea 100644 --- a/roles/matrix-server/templates/riot-web/home.html.j2 +++ b/roles/matrix-server/templates/riot-web/home.html.j2 @@ -197,7 +197,7 @@ Matrix Docker Ansible Deploy - _t("Support for Matrix Docker Ansible role") + Support for Matrix Docker Ansible role
From b11a4c07a8defe3fd69992e0be5b2449723ef689 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 13 Dec 2018 10:18:56 +0900 Subject: [PATCH 0233/2384] Upgrade mxisd (1.2.0 -> 1.2.1) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 4e40df27..82d0d023 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -225,7 +225,7 @@ matrix_mailer_relay_auth_password: "" # If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own, # you may wish to disable this. matrix_mxisd_enabled: true -matrix_mxisd_docker_image: "kamax/mxisd:1.2.0" +matrix_mxisd_docker_image: "kamax/mxisd:1.2.1" matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" From bf8023057a246d5b03215487ecbc16b727bc924a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 13 Dec 2018 14:40:30 +0900 Subject: [PATCH 0234/2384] Fix SQLite importing failure Fixes a problem where importing would lead to this error: Cannot link to /matrix-postgres, as it does not belond to the default network. --- roles/matrix-server/tasks/import_sqlite_db.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/roles/matrix-server/tasks/import_sqlite_db.yml b/roles/matrix-server/tasks/import_sqlite_db.yml index e72ff327..2eed74c3 100644 --- a/roles/matrix-server/tasks/import_sqlite_db.yml +++ b/roles/matrix-server/tasks/import_sqlite_db.yml @@ -49,22 +49,29 @@ - name: Wait a while, so that Postgres can manage to start pause: seconds=7 +# If the actual migration command (below) fails, it will leave a container behind. +# Starting it again later will relaunch that one, which may or may not work. +# To ensure we're starting from a clean state, ensure any such leftovers are removed. +- name: Cleanup any old leftover migration container + docker_container: + name: matrix-synapse-migrate + state: absent + - name: Importing SQLite database into Postgres docker_container: name: matrix-synapse-migrate image: "{{ matrix_synapse_docker_image }}" detach: no cleanup: yes - entrypoint: /usr/bin/python - command: "/usr/local/bin/synapse_port_db --sqlite-database /scratchpad/homeserver.db --postgres-config /data/homeserver.yaml" + entrypoint: /usr/local/bin/python + command: "/usr/local/bin/synapse_port_db --sqlite-database /scratchpad/homeserver.db --postgres-config /data/homeserver.yaml user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" volumes: - "{{ matrix_synapse_config_dir_path }}:/data" - "{{ matrix_synapse_run_path }}:/matrix-run" - - "{{ matrix_synapse_media_store_path }}:/matrix-media-store" - "{{ matrix_scratchpad_dir }}:/scratchpad" - links: - - "matrix-postgres:{{ matrix_postgres_connection_hostname }}" + networks: + - name: "{{ matrix_docker_network }}" - name: Ensure scratchpad directory is deleted file: From 59afa841cbba95d9985913f31ed1fef01d1b65db Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 13 Dec 2018 14:44:27 +0900 Subject: [PATCH 0235/2384] Add unintentionally removed quote --- roles/matrix-server/tasks/import_sqlite_db.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/tasks/import_sqlite_db.yml b/roles/matrix-server/tasks/import_sqlite_db.yml index 2eed74c3..102ef22a 100644 --- a/roles/matrix-server/tasks/import_sqlite_db.yml +++ b/roles/matrix-server/tasks/import_sqlite_db.yml @@ -64,7 +64,7 @@ detach: no cleanup: yes entrypoint: /usr/local/bin/python - command: "/usr/local/bin/synapse_port_db --sqlite-database /scratchpad/homeserver.db --postgres-config /data/homeserver.yaml + command: "/usr/local/bin/synapse_port_db --sqlite-database /scratchpad/homeserver.db --postgres-config /data/homeserver.yaml" user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" volumes: - "{{ matrix_synapse_config_dir_path }}:/data" From 2b2409bf1e3b3ae7b6fd67fef5198669d967f2f5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 13 Dec 2018 15:19:01 +0900 Subject: [PATCH 0236/2384] Update documentation about email configuration This makes it explicit that outgoing traffic (25/587) needs to be let through, as well as documenting how to debug other non-delivery issues. --- docs/configuring-playbook-email.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-email.md b/docs/configuring-playbook-email.md index b308b6b4..5f386ef3 100644 --- a/docs/configuring-playbook-email.md +++ b/docs/configuring-playbook-email.md @@ -18,4 +18,8 @@ matrix_mailer_relay_host_port: 587 matrix_mailer_relay_auth: true matrix_mailer_relay_auth_username: "another.sender@example.com" matrix_mailer_relay_auth_password: "some-password" -``` \ No newline at end of file +``` + +**Note**: no matter whether you relay email through another host (by defining `matrix_mailer_relay_host_name`) or you let the local (in-container) postfix deliver directly, you'll probably need to allow outgoing traffic for TCP ports 25/587 (depending on configuration). + +If you're having trouble with email not being delivered, it may be useful to inspect the mailer logs: `journalctl -f -u matrix-mailer`. \ No newline at end of file From 4fd8b66b6e3563add3ab07ad3f3f945f997f95c0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 13 Dec 2018 16:32:10 +0900 Subject: [PATCH 0237/2384] Update documentation about email configuration (relayhost brackets) Relay hostnames that have MX records are looked up by postfix and the MX record's payload is used instead. This special behavior may be undesirable, so we make sure to point it out. --- docs/configuring-playbook-email.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-email.md b/docs/configuring-playbook-email.md index 5f386ef3..7fb35eed 100644 --- a/docs/configuring-playbook-email.md +++ b/docs/configuring-playbook-email.md @@ -7,7 +7,15 @@ This may or may not work, depending on your domain configuration (SPF settings, By default, emails are sent from `matrix@` (as specified by the `matrix_mailer_sender_address` playbook variable). -Furthmore, if you'd like to relay email through another SMTP server, feel free to redefine a few more playbook variables. + +## Firewall settings + +No matter whether you send email directly (the default) or you relay email through another host (see how below), you'll probably need to allow outgoing traffic for TCP ports 25/587 (depending on configuration). + + +## Relaying email through another SMTP server + +If you'd like to relay email through another SMTP server, feel free to redefine a few playbook variables. Example: ```yaml @@ -20,6 +28,9 @@ matrix_mailer_relay_auth_username: "another.sender@example.com" matrix_mailer_relay_auth_password: "some-password" ``` -**Note**: no matter whether you relay email through another host (by defining `matrix_mailer_relay_host_name`) or you let the local (in-container) postfix deliver directly, you'll probably need to allow outgoing traffic for TCP ports 25/587 (depending on configuration). +Keep in mind that postfix will look up the MX record of your relay host (`matrix_mailer_relay_host_name`) and, if available, will actually use that instead of what you've defined. This behavior is [documented here](http://www.postfix.org/postconf.5.html#relayhost). If you'd like to suppress this and use the relay host value as is, wrap it in square brackets (e.g. `matrix_mailer_relay_host_name: "[mail.example.com]"`). + + +## Troubleshooting If you're having trouble with email not being delivered, it may be useful to inspect the mailer logs: `journalctl -f -u matrix-mailer`. \ No newline at end of file From 60c7af93fe908d3e4850ab5c9e6bd254205e7a6b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 14 Dec 2018 16:34:23 +0900 Subject: [PATCH 0238/2384] Do not restart matrix-nginx-proxy during media store import Previously, it was more necessary to have it (because we had a dependency between matrix-synapse and matrix-nginx-proxy).. But nowadays, it can be removed without negative side effects. Restarting matrix-nginx-proxy is especially bad when the proxy is not installed at all. --- roles/matrix-server/tasks/import_media_store.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-server/tasks/import_media_store.yml b/roles/matrix-server/tasks/import_media_store.yml index 13515b33..57dd15cd 100644 --- a/roles/matrix-server/tasks/import_media_store.yml +++ b/roles/matrix-server/tasks/import_media_store.yml @@ -63,4 +63,3 @@ when: stopping_result.changed with_items: - matrix-synapse - - matrix-nginx-proxy From e693b12d287eed93f8659cb5fb0818f99af313d6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 20 Dec 2018 13:00:07 +0200 Subject: [PATCH 0239/2384] Relocate fail check to a better place --- roles/matrix-server/tasks/setup/setup_synapse_main.yml | 5 ----- roles/matrix-server/tasks/setup/setup_synapse_pre.yml | 5 +++++ 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-server/tasks/setup/setup_synapse_main.yml b/roles/matrix-server/tasks/setup/setup_synapse_main.yml index e36b417a..6264abce 100644 --- a/roles/matrix-server/tasks/setup/setup_synapse_main.yml +++ b/roles/matrix-server/tasks/setup/setup_synapse_main.yml @@ -1,10 +1,5 @@ --- -- name: Fail if Macaroon key is missing - fail: - msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable" - when: "matrix_synapse_macaroon_secret_key == ''" - # This will throw a Permission Denied error if already mounted using fuse - name: Check Matrix Synapse media store path stat: path="{{ matrix_synapse_media_store_path }}" diff --git a/roles/matrix-server/tasks/setup/setup_synapse_pre.yml b/roles/matrix-server/tasks/setup/setup_synapse_pre.yml index 77fa51a1..8e8adca3 100644 --- a/roles/matrix-server/tasks/setup/setup_synapse_pre.yml +++ b/roles/matrix-server/tasks/setup/setup_synapse_pre.yml @@ -1,5 +1,10 @@ --- +- name: Fail if Macaroon key is missing + fail: + msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable" + when: "matrix_synapse_macaroon_secret_key == ''" + - name: Ensure Matrix Synapse paths exist file: path: "{{ item }}" From bfcceb1e82fb35c73adb56a10760fde4c927a804 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 20 Dec 2018 13:39:01 +0200 Subject: [PATCH 0240/2384] Make it safer to override matrix_synapse_media_store_path This is described in Github issue #58. Until now, we had the variable, but if you redefined it, you'd run into multiple problems: - we actually always mounted some "storage" directory to the Synapse container. So if your media store is not there, you're out of luck - homeserver.yaml always hardcoded the path to the media store, as a directory called "media-store" inside the storage directory. Relocating to outside the storage directory was out of the question. Moreover, even if you had simply renamed the media store directory (e.g. "media-store" -> "media_store"), it would have also caused trouble. With this patch, we mount the media store's parent to the Synapse container. This way, we don't care where the media store is (inside storage or not). We also don't assume (anymore) that the final part of the path is called "media-store" -- anything can be used. The "storage" directory and variable (`matrix_synapse_storage_path`) still remain for compatibility purposes. People who were previously overriding `matrix_synapse_storage_path` can continue doing so and their media store will be at the same place. The playbook no longer explicitly creates the `matrix_synapse_storage_path` directory though. It's not necessary. If the media store is specified to be within it, it will get created when the media store directory is created by the playbook. --- roles/matrix-server/tasks/setup/setup_synapse_pre.yml | 11 +++++++---- .../templates/synapse/homeserver.yaml.j2 | 2 +- .../templates/systemd/matrix-synapse.service.j2 | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/roles/matrix-server/tasks/setup/setup_synapse_pre.yml b/roles/matrix-server/tasks/setup/setup_synapse_pre.yml index 8e8adca3..f0599861 100644 --- a/roles/matrix-server/tasks/setup/setup_synapse_pre.yml +++ b/roles/matrix-server/tasks/setup/setup_synapse_pre.yml @@ -5,6 +5,10 @@ msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable" when: "matrix_synapse_macaroon_secret_key == ''" +- set_fact: + matrix_synapse_media_store_parent_path: "{{ matrix_synapse_media_store_path|dirname }}" + matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}" + - name: Ensure Matrix Synapse paths exist file: path: "{{ item }}" @@ -15,8 +19,7 @@ with_items: - "{{ matrix_synapse_config_dir_path }}" - "{{ matrix_synapse_run_path }}" - - "{{ matrix_synapse_storage_path }}" - "{{ matrix_synapse_ext_path }}" - # We handle matrix_synapse_media_store_path elsewhere (in setup_synapse.yml), - # because if it's using S3fs and it's already mounted (from before), - # trying to chown/chmod it here will cause trouble. + # We handle matrix_synapse_media_store_path elsewhere (in setup_synapse_main.yml), + # because if it's using Goofys and it's already mounted (from before), + # trying to chown/chmod it here will cause trouble. \ No newline at end of file diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index a0e23ab6..7c6afb59 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -261,7 +261,7 @@ federation_rc_concurrent: 3 # Directory where uploaded images and attachments are stored. -media_store_path: "/matrix-storage/media-store" +media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }}" # Media storage providers allow media to be stored in different # locations. diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 index 78c46694..1e7c7570 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 @@ -37,7 +37,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% endif %} -v {{ matrix_synapse_config_dir_path }}:/data \ -v {{ matrix_synapse_run_path }}:/matrix-run \ - -v {{ matrix_synapse_storage_path }}:/matrix-storage:slave \ + -v {{ matrix_synapse_base_path }}/storage:/matrix-media-store-parent:slave \ {% for volume in matrix_synapse_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} From 97280c7cc1ba6a6ab1fa11a2c342e6aac9dce851 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 20 Dec 2018 14:30:24 +0200 Subject: [PATCH 0241/2384] Change Goofys Docker image (clodproto/goofys -> ewoutp/goofys) The new image is built in a much better way (2-stage build) and is 10x smaller. In terms of Goofys version recency, it's about the same.. Both images (and others alike) seem to not use version tags, but rather some `:latest` (master), with ewoutp/goofys being a bit more recent than clodproto/goofys. Not using version tags is good (in this case), because the last Goofys release seems to be from about a year ago and there had been a bunch of bugfixes afterwards. --- README.md | 2 +- roles/matrix-server/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1539d678..38ec5748 100644 --- a/README.md +++ b/README.md @@ -96,7 +96,7 @@ This playbook sets up your server using the following Docker images: - [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional) -- [cloudproto/goofys](https://hub.docker.com/r/cloudproto/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) +- [ewoutp/goofys](https://hub.docker.com/r/ewoutp/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) - [panubo/postfix](https://hub.docker.com/r/panubo/postfix/) - the [Postfix](http://www.postfix.org/) email server (optional) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 82d0d023..39814bc9 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -198,7 +198,7 @@ matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" matrix_s3_media_store_enabled: false -matrix_s3_goofys_docker_image: "cloudproto/goofys:latest" +matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "your-aws-access-key" matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" From b9e5ad6c6665c0fc8121c01c3fdfcf3fbe8cd19e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 20 Dec 2018 15:10:49 +0200 Subject: [PATCH 0242/2384] Upgrade Docker images for various components --- roles/matrix-server/defaults/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 39814bc9..b96a49f2 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -175,8 +175,8 @@ matrix_postgres_db_name: "homeserver" matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" -matrix_postgres_docker_image_v9: "postgres:9.6.10-alpine" -matrix_postgres_docker_image_v10: "postgres:10.5-alpine" +matrix_postgres_docker_image_v9: "postgres:9.6.11-alpine" +matrix_postgres_docker_image_v10: "postgres:10.6-alpine" matrix_postgres_docker_image_v11: "postgres:11.1-alpine" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}" @@ -307,7 +307,7 @@ matrix_corporal_debug: false # you may wish to disable this. matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.6" +matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.8" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" @@ -366,7 +366,7 @@ matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp # and take care of proxying by yourself. matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_docker_image: "nginx:1.15.6-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.15.7-alpine" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" @@ -390,7 +390,7 @@ matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" matrix_ssl_support_email: "{{ host_specific_matrix_ssl_support_email }}" -matrix_ssl_certbot_docker_image: "certbot/certbot:v0.28.0" +matrix_ssl_certbot_docker_image: "certbot/certbot:v0.29.1" matrix_ssl_certbot_standalone_http_port: 2402 matrix_ssl_use_staging: false From 9f163b2bf5c11c219240caaf32be8bcdea5e033c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 20 Dec 2018 15:21:45 +0200 Subject: [PATCH 0243/2384] Do not disable SELinux on RedHat systems It looks like SELinux can be left running without any (so far) negative effects on our Matrix services. There's no need to use `:z` or `:Z` options when mounting volumes either. This means that files we create are labeled with a default context (which may not be ideal if we only want them used from containers), but it's compatible and doesn't cause issues. Relabelling files is probably something we wish to stay away from, especially for things like the media store, which contains lots of files and is possibly on a fuse-mounted (S3/goofys) filesystem. --- roles/matrix-server/tasks/setup/setup_base.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/matrix-server/tasks/setup/setup_base.yml b/roles/matrix-server/tasks/setup/setup_base.yml index 20ba7a1f..14c288d7 100644 --- a/roles/matrix-server/tasks/setup/setup_base.yml +++ b/roles/matrix-server/tasks/setup/setup_base.yml @@ -79,7 +79,3 @@ name: "{{ 'ntpd' if ansible_os_family == 'RedHat' else 'ntp' }}" state: started enabled: yes - -- name: Ensure SELinux disabled - selinux: state=disabled - when: ansible_os_family == 'RedHat' \ No newline at end of file From 40626ff8dfc150d322f199b2bcd201b271ef995b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 Dec 2018 10:13:35 +0200 Subject: [PATCH 0244/2384] Upgrade Synapse (0.33.9/Python 2 -> 0.33.4/Python 3) --- CHANGELOG.md | 8 ++++++++ roles/matrix-server/defaults/main.yml | 6 ++++-- .../tasks/setup/setup_synapse_ext_rest_auth.yml | 2 +- .../tasks/setup/setup_synapse_ext_shared_secret_auth.yml | 2 +- 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0d71ff84..b75dfbb0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +# 2018-12-21 + +## Synapse 0.34.0 and Python 3 + +Synapse has been upgraded to 0.34.0 and now uses Python 3. +Based on feedback from others, running Synapse on Python 3 is supposed to decrease memory usage significantly (~2x). + + # 2018-11-28 ## More scripts diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index b96a49f2..0529ce40 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -28,7 +28,7 @@ matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_se matrix_docker_network: "matrix" -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.33.9" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.34.0-py3" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" @@ -37,6 +37,8 @@ matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" +matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages" + # Specifies which template files to use when configuring Synapse. # If you'd like to have your own different configuration, feel free to copy and paste # the original files into your inventory (e.g. in `inventory/host_vars//`) @@ -149,7 +151,7 @@ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: fals # Enable this to activate the Shared Secret Auth password provider module. # See: https://github.com/devture/matrix-synapse-shared-secret-auth matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false -matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0/shared_secret_authenticator.py" +matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.1/shared_secret_authenticator.py" matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" # Enable this to activate LDAP password provider diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_rest_auth.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext_rest_auth.yml index 37f90be7..09a5708d 100644 --- a/roles/matrix-server/tasks/setup/setup_synapse_ext_rest_auth.yml +++ b/roles/matrix-server/tasks/setup/setup_synapse_ext_rest_auth.yml @@ -22,7 +22,7 @@ matrix_synapse_container_additional_volumes: > {{ matrix_synapse_container_additional_volumes }} + - {{ [{'src': '{{ matrix_synapse_ext_path }}/rest_auth_provider.py', 'dst': '/usr/local/lib/python2.7/site-packages/rest_auth_provider.py', 'options': 'ro'}] }} + {{ [{'src': '{{ matrix_synapse_ext_path }}/rest_auth_provider.py', 'dst': '{{ matrix_synapse_in_container_python_packages_path }}/rest_auth_provider.py', 'options': 'ro'}] }} when: "matrix_synapse_ext_password_provider_rest_auth_enabled" - set_fact: diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_shared_secret_auth.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext_shared_secret_auth.yml index 4f8bd7ee..34680add 100644 --- a/roles/matrix-server/tasks/setup/setup_synapse_ext_shared_secret_auth.yml +++ b/roles/matrix-server/tasks/setup/setup_synapse_ext_shared_secret_auth.yml @@ -27,7 +27,7 @@ matrix_synapse_container_additional_volumes: > {{ matrix_synapse_container_additional_volumes }} + - {{ [{'src': '{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py', 'dst': '/usr/local/lib/python2.7/site-packages/shared_secret_authenticator.py', 'options': 'ro'}] }} + {{ [{'src': '{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py', 'dst': '{{ matrix_synapse_in_container_python_packages_path }}/shared_secret_authenticator.py', 'options': 'ro'}] }} when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled" - set_fact: From 6124effbe152b662f7d962b3201d5f6b66c618b9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 Dec 2018 10:16:36 +0200 Subject: [PATCH 0245/2384] Register shared-secret-auth password provider first For people using multiple password providers, it makes sense to have the fastest one (which doesn't make network requests) be first. --- .../matrix-server/templates/synapse/homeserver.yaml.j2 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index 7c6afb59..f91c8694 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -630,6 +630,11 @@ email: # #filter: "(objectClass=posixAccount)" {% if matrix_synapse_password_providers_enabled %} password_providers: +{% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} + - module: "shared_secret_authenticator.SharedSecretAuthenticator" + config: + sharedSecret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" +{% endif %} {% if matrix_synapse_ext_password_provider_rest_auth_enabled %} - module: "rest_auth_provider.RestAuthProvider" config: @@ -644,11 +649,6 @@ password_providers: profile: name: {{ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill }} {% endif %} -{% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} - - module: "shared_secret_authenticator.SharedSecretAuthenticator" - config: - sharedSecret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" -{% endif %} {% if matrix_synapse_ext_password_provider_ldap_enabled %} - module: "ldap_auth_provider.LdapAuthProvider" config: From 8cf66bdff3b03891409537f22ab6a77dd7e51db8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 Dec 2018 10:25:25 +0200 Subject: [PATCH 0246/2384] Update changelog with some past information --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b75dfbb0..9005547a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,21 @@ Synapse has been upgraded to 0.34.0 and now uses Python 3. Based on feedback from others, running Synapse on Python 3 is supposed to decrease memory usage significantly (~2x). +# 2018-12-12 + +## Riot homepage customization + +You can now customize some parts of the Riot homepage (or even completely replace it with your own custom page). +See the `matrix_riot_web_homepage_` variables in `roles/matrix-server/defaults/main.yml`. + + +# 2018-12-04 + +## mxisd extensibility + +The [LDAP identity store for mxisd](https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/ldap.md) can now be configured easily using playbook variables (see the `matrix_mxisd_ldap_` variables in `roles/matrix-server/defaults/main.yml`). + + # 2018-11-28 ## More scripts From cc9d3aef5981fe00a810d429b31c2b7297d84272 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 Dec 2018 11:55:35 +0200 Subject: [PATCH 0247/2384] Upgrade matrix-corporal (1.2.1 -> 1.2.2) --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 0529ce40..317a77a5 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -284,7 +284,7 @@ matrix_mxisd_template_config: "{{ role_path }}/templates/mxisd/mxisd.yaml.j2" # See: https://github.com/devture/matrix-corporal matrix_corporal_enabled: false -matrix_corporal_docker_image: "devture/matrix-corporal:1.2.1" +matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" From 57ee350420b96b63a6142d04e37b27ee99df8e37 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 Dec 2018 12:18:23 +0200 Subject: [PATCH 0248/2384] Raise default timeout value for matrix-corporal This is in line with what the recommendation is for matrix-corporal. A value higher than 30 seconds is required to satisfy Riot (and other clients') default long-polling behavior. --- roles/matrix-server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 317a77a5..81eec541 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -290,7 +290,7 @@ matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var" -matrix_corporal_matrix_timeout_milliseconds: 30000 +matrix_corporal_matrix_timeout_milliseconds: 45000 matrix_corporal_reconciliation_retry_interval_milliseconds: 30000 matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" From bfcba5256eabf37bc0fbbf0fed24816049b3b7a5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 23 Dec 2018 08:49:21 +0200 Subject: [PATCH 0249/2384] Upgrade mxisd (1.2.1 -> 1.2.2) --- CHANGELOG.md | 14 ++++++++++++++ roles/matrix-server/defaults/main.yml | 4 ++-- roles/matrix-server/tasks/setup/setup_mxisd.yml | 5 +++++ roles/matrix-server/templates/mxisd/mxisd.yaml.j2 | 3 ++- 4 files changed, 23 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9005547a..3cfb1d03 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,17 @@ +# 2018-12-23 + +## (BC Break) mxisd upgrade with multiple base DN support + +mxisd has bee upgraded to [version 1.2.2](https://github.com/kamax-matrix/mxisd/releases/tag/v1.2.2), which supports [multiple base DNs](https://github.com/kamax-matrix/mxisd/blob/v1.2.2/docs/stores/ldap.md#base). + +If you were configuring this playbook's `matrix_mxisd_ldap_connection_baseDn` variable until now (a string containing a single base DN), you'll need to change to configuring the `matrix_mxisd_ldap_connection_baseDns` variable (an array containing multiple base DNs). + +Example change: + +- before: `matrix_mxisd_ldap_connection_baseDn: OU=Users,DC=example,DC=org` +- after: `matrix_mxisd_ldap_connection_baseDns: ['OU=Users,DC=example,DC=org']` + + # 2018-12-21 ## Synapse 0.34.0 and Python 3 diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 81eec541..67ee84ef 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -227,7 +227,7 @@ matrix_mailer_relay_auth_password: "" # If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own, # you may wish to disable this. matrix_mxisd_enabled: true -matrix_mxisd_docker_image: "kamax/mxisd:1.2.1" +matrix_mxisd_docker_image: "kamax/mxisd:1.2.2" matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" @@ -252,7 +252,7 @@ matrix_mxisd_ldap_enabled: false matrix_mxisd_ldap_connection_host: ldapHostnameOrIp matrix_mxisd_ldap_connection_tls: false matrix_mxisd_ldap_connection_port: 389 -matrix_mxisd_ldap_connection_baseDn: OU=Users,DC=example,DC=org +matrix_mxisd_ldap_connection_baseDns: ['OU=Users,DC=example,DC=org'] matrix_mxisd_ldap_connection_bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org matrix_mxisd_ldap_connection_bindPassword: TheUserPassword # The following keys are optional: diff --git a/roles/matrix-server/tasks/setup/setup_mxisd.yml b/roles/matrix-server/tasks/setup/setup_mxisd.yml index 8d6f361e..5a76d372 100644 --- a/roles/matrix-server/tasks/setup/setup_mxisd.yml +++ b/roles/matrix-server/tasks/setup/setup_mxisd.yml @@ -4,6 +4,11 @@ # Tasks related to setting up mxisd # +- name: (Deprecation) Fail if using outdated configuration + fail: + msg: "You're using the `matrix_mxisd_ldap_connection_baseDn` variable (single string), which has been superseded by `matrix_mxisd_ldap_connection_baseDns` (array of strings). See https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#bc-break-mxisd-upgrade-with-multiple-base-dn-support" + when: "matrix_mxisd_ldap_connection_baseDn is defined" + - name: Fail if mailer is not enabled fail: msg: "You need to enable the mailer service (matrix_mailer_enabled) to install mxisd" diff --git a/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 b/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 index 58930284..b9c6e229 100644 --- a/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 +++ b/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 @@ -22,7 +22,8 @@ ldap.enabled: {{ matrix_mxisd_ldap_enabled }} ldap.connection.host: {{ matrix_mxisd_ldap_connection_host }} ldap.connection.tls: {{ matrix_mxisd_ldap_connection_tls }} ldap.connection.port: {{ matrix_mxisd_ldap_connection_port }} -ldap.connection.baseDn: {{ matrix_mxisd_ldap_connection_baseDn }} +ldap.connection.baseDns: +{{ matrix_mxisd_ldap_connection_baseDns|to_nice_yaml }} ldap.connection.bindDn: {{ matrix_mxisd_ldap_connection_bindDn }} ldap.connection.bindPassword: {{ matrix_mxisd_ldap_connection_bindPassword }} From d28bdb325871a4c50700dc073a5ac3f32639d9b3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 23 Dec 2018 11:00:12 +0200 Subject: [PATCH 0250/2384] Add support for 2 more SSL certificate retrieval methods Adds support for managing certificates manually and for having the playbook generate self-signed certificates for you. With this, Let's Encrypt usage is no longer required. Fixes Github issue #50. --- CHANGELOG.md | 15 +++++ README.md | 2 +- docs/configuring-playbook-own-webserver.md | 4 +- docs/configuring-playbook-ssl-certificates.md | 32 ++++++++++ docs/configuring-playbook.md | 2 + examples/host-vars.yml | 6 +- roles/matrix-server/defaults/main.yml | 31 +++++++--- roles/matrix-server/tasks/setup/main.yml | 2 +- roles/matrix-server/tasks/setup/setup_ssl.yml | 54 ---------------- roles/matrix-server/tasks/setup/ssl/main.yml | 38 ++++++++++++ .../setup/ssl/setup_ssl_lets_encrypt.yml | 61 +++++++++++++++++++ ...up_ssl_lets_encrypt_obtain_for_domain.yml} | 20 +++--- .../setup/ssl/setup_ssl_manually_managed.yml | 8 +++ ...ssl_manually_managed_verify_for_domain.yml | 23 +++++++ .../tasks/setup/ssl/setup_ssl_self_signed.yml | 24 ++++++++ ...etup_ssl_self_signed_obtain_for_domain.yml | 40 ++++++++++++ .../matrix-nginx-proxy-periodic-restarter.j2 | 2 +- .../cron.d/matrix-ssl-certificate-renewal.j2 | 4 +- .../nginx-conf.d/matrix-riot-web.conf.j2 | 2 +- .../nginx-conf.d/matrix-synapse.conf.j2 | 2 +- .../matrix-ssl-certificates-renew.j2 | 10 +-- 21 files changed, 296 insertions(+), 86 deletions(-) create mode 100644 docs/configuring-playbook-ssl-certificates.md delete mode 100644 roles/matrix-server/tasks/setup/setup_ssl.yml create mode 100644 roles/matrix-server/tasks/setup/ssl/main.yml create mode 100644 roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml rename roles/matrix-server/tasks/setup/{setup_ssl_for_domain.yml => ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml} (79%) create mode 100644 roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml create mode 100644 roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml create mode 100644 roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml create mode 100644 roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 3cfb1d03..e09290f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,20 @@ # 2018-12-23 +## More SSL certificate retrieval methods + +The playbook now lets you decide between 3 different SSL certificate retrieval methods: +- (default) obtaining free SSL certificates from Let's Encrypt +- generating self-signed SSL certificates +- managing SSL certificates manually + +Learn more in [Adjusting SSL certificate retrieval](docs/configuring-playbook-ssl-certificates.md). + +For people who use Let's Encrypt (mostly everyone, since it's the default), you'll also have to rename a variable in your configuration: + +- before: `host_specific_matrix_ssl_support_email` +- after: `host_specific_matrix_ssl_lets_encrypt_support_email` + + ## (BC Break) mxisd upgrade with multiple base DN support mxisd has bee upgraded to [version 1.2.2](https://github.com/kamax-matrix/mxisd/releases/tag/v1.2.2), which supports [multiple base DNs](https://github.com/kamax-matrix/mxisd/blob/v1.2.2/docs/stores/ldap.md#base). diff --git a/README.md b/README.md index 38ec5748..c037f8f8 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ Using this playbook, you can get the following services configured on your serve - a [coturn](https://github.com/coturn/coturn) STUN/TURN server for WebRTC audio/video calls -- free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI +- (optional, default) free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI - (optional, default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Matrix Synapse server by default diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 5bafe142..a85719ba 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -24,6 +24,6 @@ matrix_nginx_proxy_enabled: false - ensure you set up (separate) vhosts that proxy for both Riot (`localhost:8765`) and Matrix Synapse (`localhost:8008`) -- ensure that the `/.well-known/acme-challenge` location for each "port=80 vhost" gets proxied to `http://localhost:2402` (controlled by `matrix_ssl_certbot_standalone_http_port`) for automated SSL renewal to work +- ensure that the `/.well-known/acme-challenge` location for each "port=80 vhost" gets proxied to `http://localhost:2402` (controlled by `matrix_ssl_lets_encrypt_certbot_standalone_http_port`) for automated SSL renewal to work -- ensure that you restart/reload your webserver once in a while, so that renewed SSL certificates would take effect (once a month should be enough) \ No newline at end of file +- ensure that you restart/reload your webserver once in a while, so that renewed SSL certificates would take effect (once a month should be enough) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md new file mode 100644 index 00000000..8974431a --- /dev/null +++ b/docs/configuring-playbook-ssl-certificates.md @@ -0,0 +1,32 @@ +# Adjusting SSL certificate retrieval (optional, advanced) + +By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/). + +If that's alright, you can skip this. + + +## Using self-signed SSL certificates + +For private deployments (not publicly accessible from the internet), you may not be able to use Let's Encrypt certificates. + +If self-signed certificates are alright with you, you can ask the playbook to generate such for you with the following configuration: + +```yaml +matrix_ssl_retrieval_method: self-signed +``` + + +## Using your own SSL certificates + +If you'd like to manage SSL certificates by yourself and have the playbook use your certificate files, you can use the following configuration: + +```yaml +matrix_ssl_retrieval_method: manually-managed +``` + +With such a configuration, the playbook would expect you to drop the SSL certificate files in the directory specified by `matrix_ssl_config_dir_path` (`/matrix/ssl/config` by default) obeying the following hierarchy: + +- `/live//fullchain.pem` +- `/live//privkey.pem` + +where `` refers to the domains that you need (usually `matrix.` and `riot.`). \ No newline at end of file diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index b0dc0cb3..d069f2e1 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -35,6 +35,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) (optional) +- [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (optional, advanced) + - [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional, advanced) - [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional, advanced) diff --git a/examples/host-vars.yml b/examples/host-vars.yml index 80a4c13e..79311af4 100644 --- a/examples/host-vars.yml +++ b/examples/host-vars.yml @@ -4,8 +4,12 @@ # In case SSL renewal fails at some point, you'll also get # an email notification there. # +# If you decide to use another method for managing SSL certifites (different than the default Let's Encrypt), +# you won't be required to define this variable +# (see `docs/configuring-playbook-ssl-certificates.md`). +# # Example value: someone@example.com -host_specific_matrix_ssl_support_email: YOUR_EMAIL_ADDRESS_HERE +host_specific_matrix_ssl_lets_encrypt_support_email: YOUR_EMAIL_ADDRESS_HERE # This is your bare domain name (`/live//fullchain.pem +# - /live//privkey.pem +# where refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`). +matrix_ssl_retrieval_method: "lets-encrypt" + +# Controls whether to obtain production or staging certificates from Let's Encrypt. +matrix_ssl_lets_encrypt_staging: false +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.29.1" +matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 +matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}" + +# Specifies when to attempt to retrieve new SSL certificates from Let's Encrypt. +matrix_ssl_lets_encrypt_renew_cron_time_definition: "15 4 */5 * *" matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" -matrix_ssl_support_email: "{{ host_specific_matrix_ssl_support_email }}" -matrix_ssl_certbot_docker_image: "certbot/certbot:v0.29.1" -matrix_ssl_certbot_standalone_http_port: 2402 -matrix_ssl_use_staging: false - -# Specifies when to attempt to retrieve new SSL certificates from Let's Encrypt. -matrix_ssl_renew_cron_time_definition: "15 4 */5 * *" # Variables to Control which parts of the role run. run_setup: true diff --git a/roles/matrix-server/tasks/setup/main.yml b/roles/matrix-server/tasks/setup/main.yml index ac6cb782..33e6e7f8 100644 --- a/roles/matrix-server/tasks/setup/main.yml +++ b/roles/matrix-server/tasks/setup/main.yml @@ -8,7 +8,7 @@ tags: - setup-all -- include: tasks/setup/setup_ssl.yml +- include: tasks/setup/ssl/main.yml tags: - setup-all - setup-ssl diff --git a/roles/matrix-server/tasks/setup/setup_ssl.yml b/roles/matrix-server/tasks/setup/setup_ssl.yml deleted file mode 100644 index cabffb81..00000000 --- a/roles/matrix-server/tasks/setup/setup_ssl.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- - -- name: Determine domains to obtain certificates for (Matrix) - set_fact: - domains_to_obtain_certificate_for: "['{{ hostname_matrix }}']" - -- name: Determine domains to obtain certificates for (Riot) - set_fact: - domains_to_obtain_certificate_for: "{{ domains_to_obtain_certificate_for + [hostname_riot] }}" - when: matrix_riot_web_enabled - -- name: Allow access to HTTP/HTTPS in firewalld - firewalld: - service: "{{ item }}" - state: enabled - immediate: yes - permanent: yes - with_items: - - http - - https - when: ansible_os_family == 'RedHat' - -- name: Ensure certbot Docker image is pulled - docker_image: - name: "{{ matrix_ssl_certbot_docker_image }}" - -- name: Ensure SSL certificate paths exists - file: - path: "{{ item }}" - state: directory - mode: 0770 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - "{{ matrix_ssl_log_dir_path }}" - - "{{ matrix_ssl_config_dir_path }}" - -- name: Obtain initial certificates - include_tasks: "tasks/setup/setup_ssl_for_domain.yml" - with_items: "{{ domains_to_obtain_certificate_for }}" - loop_control: - loop_var: domain_name - -- name: Ensure SSL renewal script installed - template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-certificates-renew.j2" - dest: "/usr/local/bin/matrix-ssl-certificates-renew" - mode: 0750 - -- name: Ensure periodic SSL renewal cronjob configured - template: - src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2" - dest: "/etc/cron.d/matrix-ssl-certificate-renewal" - mode: 0600 diff --git a/roles/matrix-server/tasks/setup/ssl/main.yml b/roles/matrix-server/tasks/setup/ssl/main.yml new file mode 100644 index 00000000..d8593d78 --- /dev/null +++ b/roles/matrix-server/tasks/setup/ssl/main.yml @@ -0,0 +1,38 @@ +--- + +- name: Fail if using unsupported SSL certificate retrieval method + fail: + msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value" + when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed']" + + +# Common tasks, required by any method below. + +- name: Determine domains that we require certificates for (Matrix) + set_fact: + domains_requiring_certificates: "['{{ hostname_matrix }}']" + +- name: Determine domains that we require certificates for (Riot) + set_fact: + domains_requiring_certificates: "{{ domains_requiring_certificates + [hostname_riot] }}" + when: "matrix_riot_web_enabled" + +- name: Ensure SSL certificate paths exists + file: + path: "{{ item }}" + state: directory + mode: 0770 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_ssl_log_dir_path }}" + - "{{ matrix_ssl_config_dir_path }}" + + +# Method specific tasks follow + +- include: tasks/setup/ssl/setup_ssl_lets_encrypt.yml + +- include: tasks/setup/ssl/setup_ssl_self_signed.yml + +- include: tasks/setup/ssl/setup_ssl_manually_managed.yml diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml new file mode 100644 index 00000000..2836e595 --- /dev/null +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml @@ -0,0 +1,61 @@ +--- + +# +# Tasks related to setting up Let's Encrypt's management of certificates +# + +- name: (Deprecation) Fail if using outdated configuration + fail: + msg: "You're using the `host_specific_matrix_ssl_support_email` variable, which has been superseded by `host_specific_matrix_ssl_lets_encrypt_support_email`. Please change your configuration to use the new name!" + when: "matrix_ssl_retrieval_method == 'lets-encrypt' and host_specific_matrix_ssl_support_email is defined" + +- name: Allow access to HTTP/HTTPS in firewalld + firewalld: + service: "{{ item }}" + state: enabled + immediate: yes + permanent: yes + with_items: + - http + - https + when: "matrix_ssl_retrieval_method == 'lets-encrypt' and ansible_os_family == 'RedHat'" + +- name: Ensure certbot Docker image is pulled + docker_image: + name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}" + when: "matrix_ssl_retrieval_method == 'lets-encrypt'" + +- name: Obtain certificates + include_tasks: "tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" + with_items: "{{ domains_requiring_certificates }}" + loop_control: + loop_var: domain_name + when: "matrix_ssl_retrieval_method == 'lets-encrypt'" + +- name: Ensure SSL renewal script installed + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-certificates-renew.j2" + dest: "/usr/local/bin/matrix-ssl-certificates-renew" + mode: 0750 + when: "matrix_ssl_retrieval_method == 'lets-encrypt'" + +- name: Ensure periodic SSL renewal cronjob configured + template: + src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2" + dest: "/etc/cron.d/matrix-ssl-certificate-renewal" + mode: 0600 + when: "matrix_ssl_retrieval_method == 'lets-encrypt'" + + +# +# Tasks related to getting rid of Let's Encrypt's management of certificates +# + +- name: Ensure Let's Encrypt SSL certificate management files removed + file: + path: "{{ item }}" + state: absent + with_items: + - /usr/local/bin/matrix-ssl-certificates-renew + - /etc/cron.d/matrix-ssl-certificate-renewal + when: "matrix_ssl_retrieval_method != 'lets-encrypt'" diff --git a/roles/matrix-server/tasks/setup/setup_ssl_for_domain.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml similarity index 79% rename from roles/matrix-server/tasks/setup/setup_ssl_for_domain.yml rename to roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index c7bb15c1..cf97444f 100644 --- a/roles/matrix-server/tasks/setup/setup_ssl_for_domain.yml +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -22,38 +22,38 @@ --net=host -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt - {{ matrix_ssl_certbot_docker_image }} + {{ matrix_ssl_lets_encrypt_certbot_docker_image }} certonly --non-interactive - {% if matrix_ssl_use_staging %}--staging{% endif %} + {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} --standalone --preferred-challenges http --agree-tos - --email={{ matrix_ssl_support_email }} + --email={{ matrix_ssl_lets_encrypt_support_email }} -d {{ domain_name }} when: "domain_name_needs_cert" register: result_certbot_direct ignore_errors: true # If matrix-nginx-proxy is configured from a previous run of this playbook, -# and it's running now, it may be able to proxy requests to `matrix_ssl_certbot_standalone_http_port`. +# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`. - name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy) shell: >- /usr/bin/docker run --rm --name=matrix-certbot - -p 127.0.0.1:{{ matrix_ssl_certbot_standalone_http_port }}:80 + -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:80 --network={{ matrix_docker_network }} -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt - {{ matrix_ssl_certbot_docker_image }} + {{ matrix_ssl_lets_encrypt_certbot_docker_image }} certonly --non-interactive - {% if matrix_ssl_use_staging %}--staging{% endif %} + {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} --standalone --preferred-challenges http --agree-tos - --email={{ matrix_ssl_support_email }} + --email={{ matrix_ssl_lets_encrypt_support_email }} -d {{ domain_name }} when: "domain_name_needs_cert and result_certbot_direct.failed" register: result_certbot_proxy @@ -65,6 +65,6 @@ Failed to obtain a certificate directly (by listening on port 80) and also failed to obtain by relying on the server at port 80 to proxy the request. See above for details. - You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_certbot_standalone_http_port }} or, + You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or, more easily, stop the server on port 80 while this playbook runs. - when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed" \ No newline at end of file + when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed" diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml new file mode 100644 index 00000000..78766381 --- /dev/null +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml @@ -0,0 +1,8 @@ +--- + +- name: Verify certificates + include_tasks: "tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml" + with_items: "{{ domains_requiring_certificates }}" + loop_control: + loop_var: domain_name + when: "matrix_ssl_retrieval_method == 'manually-managed'" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml new file mode 100644 index 00000000..be0444b1 --- /dev/null +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml @@ -0,0 +1,23 @@ +--- + +- set_fact: + matrix_ssl_certificate_verification_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem" + matrix_ssl_certificate_verification_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem" + +- name: Check if SSL certificate file exists + stat: + path: "{{ matrix_ssl_certificate_verification_cert_path }}" + register: matrix_ssl_certificate_verification_cert_path_stat_result + +- fail: + msg: "Failed finding a certificate file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_path }}`" + when: "not matrix_ssl_certificate_verification_cert_path_stat_result.stat.exists" + +- name: Check if SSL certificate key file exists + stat: + path: "{{ matrix_ssl_certificate_verification_cert_key_path }}" + register: matrix_ssl_certificate_verification_cert_key_path_stat_result + +- fail: + msg: "Failed finding a certificate key file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_key_path }}`" + when: "not matrix_ssl_certificate_verification_cert_key_path_stat_result.stat.exists" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml new file mode 100644 index 00000000..92780266 --- /dev/null +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml @@ -0,0 +1,24 @@ +--- + +- name: Ensure OpenSSL installed (RedHat) + yum: + name: + - openssl + state: present + update_cache: no + when: ansible_os_family == 'RedHat' + +- name: Ensure APT usage dependencies are installed (Debian) + apt: + name: + - openssl + state: present + update_cache: no + when: ansible_os_family == 'Debian' + +- name: Obtain certificates + include_tasks: "tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml" + with_items: "{{ domains_requiring_certificates }}" + loop_control: + loop_var: domain_name + when: "matrix_ssl_retrieval_method == 'self-signed'" diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml new file mode 100644 index 00000000..0e690834 --- /dev/null +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml @@ -0,0 +1,40 @@ +--- + +- set_fact: + matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr" + matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem" + matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem" + +- name: Check if SSL certificate file exists + stat: + path: "{{ matrix_ssl_certificate_cert_path }}" + register: matrix_ssl_certificate_cert_path_stat_result + +# In order to do any sort of generation (below), we need to ensure the directory exists first +- name: Ensure SSL certificate directory exists + file: + path: "{{ matrix_ssl_certificate_csr_path|dirname }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" + +# The proper way to do this is by using a sequence of +# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`. +# +# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work, +# which is not available on CentOS 7 (at least). +# +# We'll do it in a more manual way. +- name: Generate SSL certificate + command: | + openssl req -x509 \ + -sha256 \ + -newkey rsa:4096 \ + -nodes \ + -subj "/CN={{ domain_name }}" \ + -keyout {{ matrix_ssl_certificate_cert_key_path }} \ + -out {{ matrix_ssl_certificate_cert_path }} \ + -days 3650 + when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" \ No newline at end of file diff --git a/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 b/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 index e8dfb72b..0cfa2a7b 100644 --- a/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 +++ b/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 @@ -1,4 +1,4 @@ -MAILTO="{{ matrix_ssl_support_email }}" +MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}" # This periodically reloads the matrix-nginx-proxy service # to ensure it's using the latest SSL certificate diff --git a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 index 2c7b71f2..b8eb8ce8 100644 --- a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 +++ b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 @@ -1,4 +1,4 @@ -MAILTO="{{ matrix_ssl_support_email }}" +MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}" # The goal of this cronjob is to ask certbot to check # the current SSL certificates and to see if some need renewal. @@ -8,4 +8,4 @@ MAILTO="{{ matrix_ssl_support_email }}" # This is not our concern here. We simply make sure the certificates are up to date. # Restarting of services happens on its own different schedule (other cronjobs). -{{ matrix_ssl_renew_cron_time_definition }} root /bin/bash /usr/local/bin/matrix-ssl-certificates-renew +{{ matrix_ssl_lets_encrypt_renew_cron_time_definition }} root /bin/bash /usr/local/bin/matrix-ssl-certificates-renew diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index eaa87440..273915a8 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -12,7 +12,7 @@ server { proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:{{ matrix_ssl_certbot_standalone_http_port }}; + proxy_pass http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; {% endif %} } diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 2b4c0231..0b6b2235 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -12,7 +12,7 @@ server { proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:{{ matrix_ssl_certbot_standalone_http_port }}; + proxy_pass http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; {% endif %} } diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-ssl-certificates-renew.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-ssl-certificates-renew.j2 index 2fde95dd..12504d1f 100644 --- a/roles/matrix-server/templates/usr-local-bin/matrix-ssl-certificates-renew.j2 +++ b/roles/matrix-server/templates/usr-local-bin/matrix-ssl-certificates-renew.j2 @@ -4,23 +4,23 @@ # need to forward requests for `/.well-known/acme-challenge` to the certbot container. # # This can happen inside the container network by proxying to `http://matrix-certbot:80` -# or outside (on the host) by proxying to `http://localhost:{{ matrix_ssl_certbot_standalone_http_port }}`. +# or outside (on the host) by proxying to `http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`. docker run \ --rm \ --name=matrix-certbot \ --network="{{ matrix_docker_network }}" \ - -p 127.0.0.1:{{ matrix_ssl_certbot_standalone_http_port }}:80 \ + -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:80 \ -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \ -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt \ - {{ matrix_ssl_certbot_docker_image }} \ + {{ matrix_ssl_lets_encrypt_certbot_docker_image }} \ renew \ --non-interactive \ - {% if matrix_ssl_use_staging %} + {% if matrix_ssl_lets_encrypt_staging %} --staging \ {% endif %} --quiet \ --standalone \ --preferred-challenges http \ --agree-tos \ - --email={{ matrix_ssl_support_email }} + --email={{ matrix_ssl_lets_encrypt_support_email }} From d05b66cff318fa6655b1e4e09cd6a3cbeab511fa Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 23 Dec 2018 11:03:42 +0200 Subject: [PATCH 0251/2384] Update README --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e09290f9..500ec36b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # 2018-12-23 -## More SSL certificate retrieval methods +## (BC Break) More SSL certificate retrieval methods The playbook now lets you decide between 3 different SSL certificate retrieval methods: - (default) obtaining free SSL certificates from Let's Encrypt From 727dcda7d73a902361b7981c833046dfa90582ee Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 23 Dec 2018 14:26:40 +0200 Subject: [PATCH 0252/2384] Organize Synapse setup files better --- roles/matrix-server/tasks/setup/main.yml | 2 +- roles/matrix-server/tasks/setup/setup_synapse.yml | 7 ------- roles/matrix-server/tasks/setup/setup_synapse_ext.yml | 11 ----------- roles/matrix-server/tasks/setup/synapse/ext/main.yml | 11 +++++++++++ .../{ => synapse/ext}/setup_synapse_ext_ldap_auth.yml | 0 .../ext}/setup_synapse_ext_mautrix_telegram.yml | 0 .../ext}/setup_synapse_ext_mautrix_whatsapp.yml | 0 .../{ => synapse/ext}/setup_synapse_ext_rest_auth.yml | 0 .../ext}/setup_synapse_ext_shared_secret_auth.yml | 0 roles/matrix-server/tasks/setup/synapse/main.yml | 7 +++++++ .../tasks/setup/{ => synapse}/setup_synapse_main.yml | 0 .../tasks/setup/{ => synapse}/setup_synapse_pre.yml | 0 12 files changed, 19 insertions(+), 19 deletions(-) delete mode 100644 roles/matrix-server/tasks/setup/setup_synapse.yml delete mode 100644 roles/matrix-server/tasks/setup/setup_synapse_ext.yml create mode 100644 roles/matrix-server/tasks/setup/synapse/ext/main.yml rename roles/matrix-server/tasks/setup/{ => synapse/ext}/setup_synapse_ext_ldap_auth.yml (100%) rename roles/matrix-server/tasks/setup/{ => synapse/ext}/setup_synapse_ext_mautrix_telegram.yml (100%) rename roles/matrix-server/tasks/setup/{ => synapse/ext}/setup_synapse_ext_mautrix_whatsapp.yml (100%) rename roles/matrix-server/tasks/setup/{ => synapse/ext}/setup_synapse_ext_rest_auth.yml (100%) rename roles/matrix-server/tasks/setup/{ => synapse/ext}/setup_synapse_ext_shared_secret_auth.yml (100%) create mode 100644 roles/matrix-server/tasks/setup/synapse/main.yml rename roles/matrix-server/tasks/setup/{ => synapse}/setup_synapse_main.yml (100%) rename roles/matrix-server/tasks/setup/{ => synapse}/setup_synapse_pre.yml (100%) diff --git a/roles/matrix-server/tasks/setup/main.yml b/roles/matrix-server/tasks/setup/main.yml index 33e6e7f8..34d7c8b8 100644 --- a/roles/matrix-server/tasks/setup/main.yml +++ b/roles/matrix-server/tasks/setup/main.yml @@ -47,7 +47,7 @@ - setup-all - setup-corporal -- include: tasks/setup/setup_synapse.yml +- include: tasks/setup/synapse/main.yml tags: - setup-all - setup-synapse diff --git a/roles/matrix-server/tasks/setup/setup_synapse.yml b/roles/matrix-server/tasks/setup/setup_synapse.yml deleted file mode 100644 index ecf69fdf..00000000 --- a/roles/matrix-server/tasks/setup/setup_synapse.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- include: tasks/setup/setup_synapse_pre.yml - -- include: tasks/setup/setup_synapse_ext.yml - -- include: tasks/setup/setup_synapse_main.yml diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext.yml deleted file mode 100644 index e5b3067c..00000000 --- a/roles/matrix-server/tasks/setup/setup_synapse_ext.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- include: tasks/setup/setup_synapse_ext_rest_auth.yml - -- include: tasks/setup/setup_synapse_ext_shared_secret_auth.yml - -- include: tasks/setup/setup_synapse_ext_ldap_auth.yml - -- include: tasks/setup/setup_synapse_ext_mautrix_telegram.yml - -- include: tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml diff --git a/roles/matrix-server/tasks/setup/synapse/ext/main.yml b/roles/matrix-server/tasks/setup/synapse/ext/main.yml new file mode 100644 index 00000000..507d4d72 --- /dev/null +++ b/roles/matrix-server/tasks/setup/synapse/ext/main.yml @@ -0,0 +1,11 @@ +--- + +- include: tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml + +- include: tasks/setup/synapse/ext/setup_synapse_ext_shared_secret_auth.yml + +- include: tasks/setup/synapse/ext/setup_synapse_ext_ldap_auth.yml + +- include: tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml + +- include: tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_ldap_auth.yml b/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_ldap_auth.yml similarity index 100% rename from roles/matrix-server/tasks/setup/setup_synapse_ext_ldap_auth.yml rename to roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_ldap_auth.yml diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_telegram.yml b/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml similarity index 100% rename from roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_telegram.yml rename to roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml b/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml similarity index 100% rename from roles/matrix-server/tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml rename to roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_rest_auth.yml b/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml similarity index 100% rename from roles/matrix-server/tasks/setup/setup_synapse_ext_rest_auth.yml rename to roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_shared_secret_auth.yml b/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_shared_secret_auth.yml similarity index 100% rename from roles/matrix-server/tasks/setup/setup_synapse_ext_shared_secret_auth.yml rename to roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_shared_secret_auth.yml diff --git a/roles/matrix-server/tasks/setup/synapse/main.yml b/roles/matrix-server/tasks/setup/synapse/main.yml new file mode 100644 index 00000000..a2df4df4 --- /dev/null +++ b/roles/matrix-server/tasks/setup/synapse/main.yml @@ -0,0 +1,7 @@ +--- + +- include: tasks/setup/synapse/setup_synapse_pre.yml + +- include: tasks/setup/synapse/ext/main.yml + +- include: tasks/setup/synapse/setup_synapse_main.yml diff --git a/roles/matrix-server/tasks/setup/setup_synapse_main.yml b/roles/matrix-server/tasks/setup/synapse/setup_synapse_main.yml similarity index 100% rename from roles/matrix-server/tasks/setup/setup_synapse_main.yml rename to roles/matrix-server/tasks/setup/synapse/setup_synapse_main.yml diff --git a/roles/matrix-server/tasks/setup/setup_synapse_pre.yml b/roles/matrix-server/tasks/setup/synapse/setup_synapse_pre.yml similarity index 100% rename from roles/matrix-server/tasks/setup/setup_synapse_pre.yml rename to roles/matrix-server/tasks/setup/synapse/setup_synapse_pre.yml From 268e9b5b669e748c5a916905f9e55a5a18a27874 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 23 Dec 2018 15:20:01 +0200 Subject: [PATCH 0253/2384] Escape homeserver variables to prevent rare breakage Strings containing double-quotes would cause YAML syntax breakage. Not anymore. Closes #48 and #49. --- .../templates/synapse/homeserver.yaml.j2 | 43 ++++++++++--------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 index f91c8694..8d3b9be2 100644 --- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2 @@ -120,7 +120,8 @@ use_presence: {{ matrix_synapse_use_presence|to_json }} # - nyc.example.com # - syd.example.com {% if matrix_synapse_federation_domain_whitelist is not none %} -federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }} +federation_domain_whitelist: +{{ matrix_synapse_federation_domain_whitelist|to_nice_yaml }} {% endif %} # List of ports that Synapse should listen on, their purpose and their @@ -215,8 +216,8 @@ database: # The database engine name name: "psycopg2" args: - user: "{{ matrix_postgres_connection_username }}" - password: "{{ matrix_postgres_connection_password }}" + user: {{ matrix_postgres_connection_username|to_json }} + password: {{ matrix_postgres_connection_password|to_json }} database: "{{ matrix_postgres_db_name }}" host: "{{ matrix_postgres_connection_hostname }}" cp_min: 5 @@ -411,7 +412,7 @@ recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" turn_uris: ["turn:{{ hostname_matrix }}:3478?transport=udp", "turn:{{ hostname_matrix }}:3478?transport=tcp"] # The shared secret used to compute passwords for the TURN server -turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret }}" +turn_shared_secret: {{ matrix_coturn_turn_static_auth_secret|to_json }} # The Username and password if the TURN server needs them and # does not use a token @@ -432,7 +433,7 @@ turn_allow_guests: False ## Registration ## # Enable registration for new users. -enable_registration: {{ matrix_synapse_enable_registration }} +enable_registration: {{ matrix_synapse_enable_registration|to_json }} # The user must provide all of the below types of 3PID when registering. # @@ -453,7 +454,7 @@ enable_registration: {{ matrix_synapse_enable_registration }} # If set, allows registration by anyone who also has the shared # secret, even if registration is otherwise disabled. -registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}" +registration_shared_secret: {{ matrix_synapse_registration_shared_secret|to_json }} # Set the number of bcrypt rounds used to generate password hash. # Larger numbers increase the work factor needed to generate the hash. @@ -496,7 +497,7 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms }} # Enable collection and rendering of performance metrics enable_metrics: False -report_stats: {{ matrix_synapse_report_stats }} +report_stats: {{ matrix_synapse_report_stats|to_json }} ## API Configuration ## @@ -513,14 +514,14 @@ room_invite_state_types: app_service_config_files: {{ matrix_synapse_app_service_config_files }} -macaroon_secret_key: "{{ matrix_synapse_macaroon_secret_key }}" +macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|to_json }} # Used to enable access token expiration. expire_access_token: False # a secret which is used to calculate HMACs for form values, to stop # falsification of values -form_secret: "{{ matrix_synapse_form_secret }}" +form_secret: {{ matrix_synapse_form_secret|to_json }} ## Signing Keys ## @@ -587,7 +588,7 @@ password_config: enabled: true # Uncomment and change to a secret random string for extra security. # DO NOT CHANGE THIS AFTER INITIAL SETUP! - pepper: "{{ matrix_synapse_password_config_pepper }}" + pepper: {{ matrix_synapse_password_config_pepper|to_json }} @@ -633,12 +634,12 @@ password_providers: {% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} - module: "shared_secret_authenticator.SharedSecretAuthenticator" config: - sharedSecret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" + sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|to_json }} {% endif %} {% if matrix_synapse_ext_password_provider_rest_auth_enabled %} - module: "rest_auth_provider.RestAuthProvider" config: - endpoint: "{{ matrix_synapse_ext_password_provider_rest_auth_endpoint }}" + endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|to_json }} policy: registration: username: @@ -653,16 +654,16 @@ password_providers: - module: "ldap_auth_provider.LdapAuthProvider" config: enabled: true - uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}" - start_tls: "{{ matrix_synapse_ext_password_provider_ldap_start_tls }}" - base: "{{ matrix_synapse_ext_password_provider_ldap_base }}" + uri: {{ matrix_synapse_ext_password_provider_ldap_uri|to_json }} + start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} + base: {{ matrix_synapse_ext_password_provider_ldap_base|to_json }} attributes: - uid: "{{ matrix_synapse_ext_password_provider_ldap_attributes_uid }}" - mail: "{{ matrix_synapse_ext_password_provider_ldap_attributes_mail }}" - name: "{{ matrix_synapse_ext_password_provider_ldap_attributes_name }}" - bind_dn: "{{ matrix_synapse_ext_password_provider_ldap_bind_dn }}" - bind_password: "{{ matrix_synapse_ext_password_provider_ldap_bind_password }}" - filter: "{{ matrix_synapse_ext_password_provider_ldap_filter }}" + uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|to_json }} + mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|to_json }} + name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|to_json }} + bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|to_json }} + bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|to_json }} + filter: {{ matrix_synapse_ext_password_provider_ldap_filter|to_json }} {% endif %} {% endif %} From e033eb443ba94c72f97403aacae87b0525cd6752 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 23 Dec 2018 15:38:33 +0200 Subject: [PATCH 0254/2384] Do not set up nginx-proxy auto-restart if not using Let's Encrypt Fix for d28bdb325871a4 --- roles/matrix-server/tasks/setup/setup_nginx_proxy.yml | 4 ++-- .../matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml index 270c3bfa..8a4b1029 100644 --- a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml +++ b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml @@ -62,7 +62,7 @@ src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2" dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter" mode: 0600 - when: matrix_nginx_proxy_enabled + when: "matrix_nginx_proxy_enabled and matrix_ssl_retrieval_method == 'lets-encrypt'" # # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled) @@ -87,4 +87,4 @@ file: path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter" state: absent - when: "not matrix_nginx_proxy_enabled" + when: "not matrix_nginx_proxy_enabled or matrix_ssl_retrieval_method != 'lets-encrypt'" diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml index 2836e595..e7fcd94c 100644 --- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml @@ -4,6 +4,8 @@ # Tasks related to setting up Let's Encrypt's management of certificates # +- debug: var="matrix_ssl_retrieval_method" + - name: (Deprecation) Fail if using outdated configuration fail: msg: "You're using the `host_specific_matrix_ssl_support_email` variable, which has been superseded by `host_specific_matrix_ssl_lets_encrypt_support_email`. Please change your configuration to use the new name!" From 91567fc41d9d4b65312075208d5e39cc6a811d37 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 23 Dec 2018 17:26:39 +0200 Subject: [PATCH 0255/2384] Remove debug --- roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml index e7fcd94c..2836e595 100644 --- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml @@ -4,8 +4,6 @@ # Tasks related to setting up Let's Encrypt's management of certificates # -- debug: var="matrix_ssl_retrieval_method" - - name: (Deprecation) Fail if using outdated configuration fail: msg: "You're using the `host_specific_matrix_ssl_support_email` variable, which has been superseded by `host_specific_matrix_ssl_lets_encrypt_support_email`. Please change your configuration to use the new name!" From fe9b9773c06b95ab6a37fdd7d4036bb5d4c12466 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 23 Dec 2018 19:14:01 +0200 Subject: [PATCH 0256/2384] Move setup sanity checks to a central place --- roles/matrix-server/tasks/setup/main.yml | 4 ++++ .../matrix-server/tasks/setup/setup_sanity_check.yml | 11 +++++++++++ .../tasks/setup/synapse/setup_synapse_pre.yml | 5 ----- 3 files changed, 15 insertions(+), 5 deletions(-) create mode 100644 roles/matrix-server/tasks/setup/setup_sanity_check.yml diff --git a/roles/matrix-server/tasks/setup/main.yml b/roles/matrix-server/tasks/setup/main.yml index 34d7c8b8..92b5b5ff 100644 --- a/roles/matrix-server/tasks/setup/main.yml +++ b/roles/matrix-server/tasks/setup/main.yml @@ -1,5 +1,9 @@ --- +- include: tasks/setup/setup_sanity_check.yml + tags: + - always + - include: tasks/setup/setup_base.yml tags: - setup-all diff --git a/roles/matrix-server/tasks/setup/setup_sanity_check.yml b/roles/matrix-server/tasks/setup/setup_sanity_check.yml new file mode 100644 index 00000000..a24ae1d0 --- /dev/null +++ b/roles/matrix-server/tasks/setup/setup_sanity_check.yml @@ -0,0 +1,11 @@ +--- + +- name: Fail if Macaroon key is missing + fail: + msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable" + when: "matrix_synapse_macaroon_secret_key == ''" + +- name: Fail if Coturn Auth secret is missing + fail: + msg: "You need to set a secret in the matrix_coturn_turn_static_auth_secret variable" + when: "matrix_coturn_turn_static_auth_secret == ''" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/synapse/setup_synapse_pre.yml b/roles/matrix-server/tasks/setup/synapse/setup_synapse_pre.yml index f0599861..2871ef26 100644 --- a/roles/matrix-server/tasks/setup/synapse/setup_synapse_pre.yml +++ b/roles/matrix-server/tasks/setup/synapse/setup_synapse_pre.yml @@ -1,10 +1,5 @@ --- -- name: Fail if Macaroon key is missing - fail: - msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable" - when: "matrix_synapse_macaroon_secret_key == ''" - - set_fact: matrix_synapse_media_store_parent_path: "{{ matrix_synapse_media_store_path|dirname }}" matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}" From b9b5674b8a8e7b9c3bd0656d40fede982933ad30 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 23 Dec 2018 19:20:53 +0200 Subject: [PATCH 0257/2384] Lowercase host_specific_hostname_identity to prevent troubles If uppercase is used, certain tools (like certbot) would cause trouble. They would retrieve a certificate for the lowercased domain name, but we'd try to use it from an uppercase-named directory, which will fail. Besides certbot, we may experience other trouble too. (it hasn't been investigated how far the breakage goes). To fix it all, we lowercase `host_specific_hostname_identity` by default, which takes care of the general use-case (people only setting that and relying on us to build the other domain names - `hostname_matrix` and `hostname_riot`). For others, who decide to override these other variables directly (and who may work around us and introduce uppercase there directly), we also have the sanity-check tool warn if uppercase is detected in any of the final domains. --- roles/matrix-server/defaults/main.yml | 2 +- .../tasks/setup/setup_sanity_check.yml | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 163901d2..e789f597 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -1,7 +1,7 @@ # The bare hostname which represents your identity. # This is something like "example.com". # Note: this playbook does not touch the server referenced here. -hostname_identity: "{{ host_specific_hostname_identity }}" +hostname_identity: "{{ host_specific_hostname_identity|lower }}" # This is where your data lives and what we set up here. # This and the Riot hostname (see below) are expected to be on the same server. diff --git a/roles/matrix-server/tasks/setup/setup_sanity_check.yml b/roles/matrix-server/tasks/setup/setup_sanity_check.yml index a24ae1d0..bb048a20 100644 --- a/roles/matrix-server/tasks/setup/setup_sanity_check.yml +++ b/roles/matrix-server/tasks/setup/setup_sanity_check.yml @@ -8,4 +8,17 @@ - name: Fail if Coturn Auth secret is missing fail: msg: "You need to set a secret in the matrix_coturn_turn_static_auth_secret variable" - when: "matrix_coturn_turn_static_auth_secret == ''" \ No newline at end of file + when: "matrix_coturn_turn_static_auth_secret == ''" + +# This sanity check is only used to detect uppercase when people override these specific variables. +# +# If people set `host_specific_hostname_identity` without overriding other variables (the general use-case), +# we take care to lower-case it automatically and it won't cause trouble anyway. +- name: Fail if uppercase domain used + fail: + msg: "Detected that you're using an uppercase domain name - `{{ item }}`. This will cause trouble. Please use all-lowercase!" + when: "item != item|lower" + with_items: + - "{{ hostname_identity }}" + - "{{ hostname_matrix }}" + - "{{ hostname_riot }}" \ No newline at end of file From 12b65d8ccc11217644402d57245cbf5f69ebd543 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 23 Dec 2018 19:45:03 +0200 Subject: [PATCH 0258/2384] Serve a non-scary page at the matrix domain Fixes #18 (Github issue). It would probably be better if we serve our own page, as the Matrix one says: "To use this server you'll need a Matrix client", which is true, but we install Riot by default and it'd be better if we mention that instead. --- .../templates/nginx-conf.d/matrix-synapse.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 0b6b2235..4e6aeb20 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -105,4 +105,8 @@ server { client_max_body_size {{ matrix_synapse_max_upload_size_mb }}M; proxy_max_temp_file_size 0; } + + location / { + set $location "/_matrix/static/"; + } } From 4757c13a2e79e8a7d7332471e33061804d38c6d1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 24 Dec 2018 09:38:00 +0200 Subject: [PATCH 0259/2384] Do not install openssl if not necessary Fix for d28bdb325871. We were only supposed to install openssl when the self-signed SSL certificate retrieval method is used, not always. --- roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml index 92780266..65bb86c4 100644 --- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml @@ -6,7 +6,7 @@ - openssl state: present update_cache: no - when: ansible_os_family == 'RedHat' + when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'RedHat'" - name: Ensure APT usage dependencies are installed (Debian) apt: @@ -14,7 +14,7 @@ - openssl state: present update_cache: no - when: ansible_os_family == 'Debian' + when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'" - name: Obtain certificates include_tasks: "tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml" From f7aa362961d94447db6891f8c0522b85a553f114 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 24 Dec 2018 09:39:27 +0200 Subject: [PATCH 0260/2384] Make "obtain certificates" tasks have unique names We always skip at least one of these tasks, depending on which SSL retrieval method is enabled, so it could have been confusing why. --- roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml | 2 +- roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml index 2836e595..205e648c 100644 --- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml @@ -25,7 +25,7 @@ name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}" when: "matrix_ssl_retrieval_method == 'lets-encrypt'" -- name: Obtain certificates +- name: Obtain Let's Encrypt certificates include_tasks: "tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" with_items: "{{ domains_requiring_certificates }}" loop_control: diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml index 65bb86c4..8e97a612 100644 --- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml @@ -16,7 +16,7 @@ update_cache: no when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'" -- name: Obtain certificates +- name: Generate self-signed certificates include_tasks: "tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml" with_items: "{{ domains_requiring_certificates }}" loop_control: From c48e31381dcf983d78863e8b066efd4322321a52 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 29 Dec 2018 15:31:05 +0200 Subject: [PATCH 0261/2384] Add minimum version requirement for Ansible --- docs/prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 2b5a90bc..8895db06 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -4,7 +4,7 @@ - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). -- the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you +- the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Version 2.4 or later is required (see `ansible --version`). - properly configured DNS SRV record for `` (details in [Configuring DNS](configuring-dns.md#configuring-dns) below) From 87b5f0a4d4a96c0561dc3860f81b20c28997827e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 29 Dec 2018 20:11:37 +0200 Subject: [PATCH 0262/2384] Server non-scary page at matrix domain (take 2) Fix for 12b65d8ccc11217644. --- .../matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 4e6aeb20..76673ef4 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -107,6 +107,6 @@ server { } location / { - set $location "/_matrix/static/"; + rewrite ^/$ /_matrix/static/ last; } } From 2fc0f5f3cf55d4b1dfe1cdb855a255c60a3cc2a1 Mon Sep 17 00:00:00 2001 From: Hardy Erlinger Date: Sun, 30 Dec 2018 21:50:59 +0100 Subject: [PATCH 0263/2384] Set MAILNAME env variable to FQDN hostname for matrix-mailer. --- roles/matrix-server/templates/env/env-mailer.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/templates/env/env-mailer.j2 b/roles/matrix-server/templates/env/env-mailer.j2 index 67f867e5..9cacf789 100644 --- a/roles/matrix-server/templates/env/env-mailer.j2 +++ b/roles/matrix-server/templates/env/env-mailer.j2 @@ -1,4 +1,4 @@ -MAILNAME=matrix-mailer +MAILNAME={{ hostname_matrix }} {% if matrix_mailer_relay_use %} RELAYHOST={{ matrix_mailer_relay_host_name }}:{{ matrix_mailer_relay_host_port }} {% endif %} From c59a53551a6f9e55d710792db54cff0c1890e75c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 31 Dec 2018 11:17:52 +0200 Subject: [PATCH 0264/2384] Make well-known self-check not depend on Content-Type: application/json Fixes #60 (Github issue) --- .../self_check/self_check_well_known.yml | 24 +++++++++++++------ 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/roles/matrix-server/tasks/self_check/self_check_well_known.yml b/roles/matrix-server/tasks/self_check/self_check_well_known.yml index ea3bae4b..7e38f8b2 100644 --- a/roles/matrix-server/tasks/self_check/self_check_well_known.yml +++ b/roles/matrix-server/tasks/self_check/self_check_well_known.yml @@ -4,18 +4,24 @@ well_known_url_matrix: "https://{{ hostname_matrix }}/.well-known/matrix/client" well_known_url_identity: "https://{{ hostname_identity }}/.well-known/matrix/client" - +# These well-known files may be served without a `Content-Type: application/json` header, +# so we can't rely on the uri module's automatic parsing of JSON. - name: Check .well-known on the matrix hostname uri: url: "{{ well_known_url_matrix }}" follow_redirects: false + return_content: true register: result_well_known_matrix ignore_errors: true - name: Fail if .well-known not working on the matrix hostname fail: - msg: "Failed checking well-known is configured at `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}" - when: "result_well_known_matrix.failed or 'json' not in result_well_known_matrix" + msg: "Failed checking that well-known is configured at `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}" + when: "result_well_known_matrix.failed" + +- name: Parse JSON for well-known payload at the matrix hostname + set_fact: + well_known_matrix_payload: "{{ result_well_known_matrix.content|from_json }}" - name: Fail if .well-known not CORS-aware on the matrix hostname fail: @@ -26,18 +32,22 @@ debug: msg: "well-known is configured correctly for `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)" - - name: Check .well-known on the identity hostname uri: url: "{{ well_known_url_identity }}" follow_redirects: false + return_content: true register: result_well_known_identity ignore_errors: true - name: Fail if .well-known not working on the identity hostname fail: - msg: "Failed checking well-known is configured at `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}" - when: "result_well_known_identity.failed or 'json' not in result_well_known_identity" + msg: "Failed checking that well-known is configured at `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}" + when: "result_well_known_identity.failed" + +- name: Parse JSON for well-known payload at the identity hostname + set_fact: + well_known_identity_payload: "{{ result_well_known_identity.content|from_json }}" - name: Fail if .well-known not CORS-aware on the identity hostname fail: @@ -48,7 +58,7 @@ - name: Fail if well-known is different on matrix hostname and identity hostname fail: msg: "The well-known files at `{{ hostname_matrix }}` and `{{ hostname_identity }}` are different. Perhaps you copied the file manually before and now it's outdated?" - when: "result_well_known_matrix.json|to_json != result_well_known_identity.json|to_json" + when: "well_known_matrix_payload != well_known_identity_payload" - name: Report working .well-known on the identity hostname debug: From a7f791f8f9a2af8942cda4da9e0ba9e91f18982b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Jan 2019 13:31:01 +0200 Subject: [PATCH 0265/2384] Make Postgres version detection logic reusable to ease maintenance We've had that logic in 2 places so far, leading to duplication and a maintenance burden. In the future, we'll also have an import-postgres feature, which will also need Postgres version detection, leading to more benefit from that logic being reusable. --- .../tasks/setup/setup_postgres.yml | 46 +++++-------------- .../matrix-server/tasks/upgrade_postgres.yml | 40 ++-------------- .../util/detect_existing_postgres_version.yml | 46 +++++++++++++++++++ 3 files changed, 62 insertions(+), 70 deletions(-) create mode 100644 roles/matrix-server/tasks/util/detect_existing_postgres_version.yml diff --git a/roles/matrix-server/tasks/setup/setup_postgres.yml b/roles/matrix-server/tasks/setup/setup_postgres.yml index fdf253be..53491b55 100644 --- a/roles/matrix-server/tasks/setup/setup_postgres.yml +++ b/roles/matrix-server/tasks/setup/setup_postgres.yml @@ -4,41 +4,17 @@ # Generic tasks, no matter what kind of server we're using (internal/external) # -- name: Determine existing Postgres version (check PG_VERSION file) - stat: - path: "{{ matrix_postgres_data_path }}/PG_VERSION" - register: result_pg_version_stat - -- name: Determine existing Postgres version (read PG_VERSION file) - slurp: - src: "{{ matrix_postgres_data_path }}/PG_VERSION" - register: result_pg_version - when: "result_pg_version_stat.stat.exists" - -- name: Determine existing Postgres version (default to empty) - set_fact: - pg_version: "" - -- name: Determine existing Postgres version (make sense of PG_VERSION file) - set_fact: - pg_version: "{{ result_pg_version['content']|b64decode|replace('\n', '') }}" - when: "result_pg_version_stat.stat.exists" - -- name: Determine Postgres version to use (default to latest) - set_fact: - matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest }}" - -- name: Determine Postgres version to use (use 9.x, if detected) - set_fact: - matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_v9 }}" - when: "pg_version.startswith('9.')" - -- name: Determine Postgres version to use (use 10.x, if detected) - set_fact: - matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_v10 }}" - when: "pg_version == '10' or pg_version.startswith('10.')" - -- debug: +- include: tasks/util/detect_existing_postgres_version.yml + +# If we have found an existing version (installed from before), we use its corresponding Docker image. +# If not, we install using the latest Postgres. +# +# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`). +- set_fact: + matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}" + +- name: Warn if on an old version of Postgres + debug: msg: "NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres" when: "matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest" diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-server/tasks/upgrade_postgres.yml index 05cf8d54..e6d3415c 100644 --- a/roles/matrix-server/tasks/upgrade_postgres.yml +++ b/roles/matrix-server/tasks/upgrade_postgres.yml @@ -35,48 +35,18 @@ msg: "Detected that a left-over {{ postgres_auto_upgrade_backup_data_path }} exists. You should rename it to {{ matrix_postgres_data_path }} if the previous upgrade went wrong, or delete it if it went well." when: "result_auto_upgrade_path.stat.exists" -- name: Determine existing Postgres version (check PG_VERSION file) - stat: - path: "{{ matrix_postgres_data_path }}/PG_VERSION" - register: result_pg_version_stat +- include: tasks/util/detect_existing_postgres_version.yml - name: Abort, if no existing Postgres version detected fail: msg="Could not find existing Postgres installation" - when: "not result_pg_version_stat.stat.exists" - -- name: Determine existing Postgres version (read PG_VERSION file) - slurp: - src: "{{ matrix_postgres_data_path }}/PG_VERSION" - register: result_pg_version - -- name: Determine existing Postgres version (default to empty) - set_fact: - pg_version: "" - -- name: Determine existing Postgres version (make sense of PG_VERSION file) - set_fact: - pg_version: "{{ result_pg_version['content']|b64decode|replace('\n', '') }}" - -- name: Determine Postgres version to use (default to latest) - set_fact: - matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest }}" - -- name: Determine Postgres version to use (use 9.x, if detected) - set_fact: - matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_v9 }}" - when: "pg_version.startswith('9.')" - -- name: Determine Postgres version to use (use 10.x, if detected) - set_fact: - matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_v10 }}" - when: "pg_version == '10' or pg_version.startswith('10.')" + when: "not matrix_postgres_detected_existing" - name: Abort, if already at latest Postgres version fail: msg="You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do" - when: "matrix_postgres_docker_image_to_use == matrix_postgres_docker_image_latest" + when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest" - debug: - msg: "Upgrading database from {{ matrix_postgres_docker_image_to_use }} to {{ matrix_postgres_docker_image_latest }}" + msg: "Upgrading database from {{ matrix_postgres_detected_version_corresponding_docker_image }} to {{ matrix_postgres_docker_image_latest }}" - name: Ensure matrix-synapse is stopped service: name=matrix-synapse state=stopped @@ -96,7 +66,7 @@ --network={{ matrix_docker_network }} \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ -v {{ postgres_dump_dir }}:/out \ - {{ matrix_postgres_docker_image_to_use }} pg_dump -h matrix-postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }} + {{ matrix_postgres_detected_version_corresponding_docker_image }} pg_dump -h matrix-postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }} - name: Ensure matrix-postgres is stopped service: name=matrix-postgres state=stopped diff --git a/roles/matrix-server/tasks/util/detect_existing_postgres_version.yml b/roles/matrix-server/tasks/util/detect_existing_postgres_version.yml new file mode 100644 index 00000000..a3fbe33e --- /dev/null +++ b/roles/matrix-server/tasks/util/detect_existing_postgres_version.yml @@ -0,0 +1,46 @@ +--- + +# This utility aims to determine if there is some existing Postgres version in use or not. +# If there is, it also tries to detect the Docker image that corresponds to that version. + +- name: Initialize Postgres version determination variables (default to empty) + set_fact: + matrix_postgres_detection_pg_version_path: "{{ matrix_postgres_data_path }}/PG_VERSION" + matrix_postgres_detected_existing: false + matrix_postgres_detected_version: "" + matrix_postgres_detected_version_corresponding_docker_image: "" + +- name: Determine existing Postgres version (check PG_VERSION file) + stat: + path: "{{ matrix_postgres_detection_pg_version_path }}" + register: result_pg_version_stat + +- set_fact: + matrix_postgres_detected_existing: true + when: "result_pg_version_stat.stat.exists" + +- name: Determine existing Postgres version (read PG_VERSION file) + slurp: + src: "{{ matrix_postgres_detection_pg_version_path }}" + register: result_pg_version + when: "matrix_postgres_detected_existing" + +- name: Determine existing Postgres version (make sense of PG_VERSION file) + set_fact: + matrix_postgres_detected_version: "{{ result_pg_version['content']|b64decode|replace('\n', '') }}" + when: "matrix_postgres_detected_existing" + +- name: Determine corresponding Docker image to detected version (assume default of latest) + set_fact: + matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_latest }}" + when: "matrix_postgres_detected_version != ''" + +- name: Determine corresponding Docker image to detected version (use 9.x, if detected) + set_fact: + matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v9 }}" + when: "matrix_postgres_detected_version.startswith('9.')" + +- name: Determine corresponding Docker image to detected version (use 10.x, if detected) + set_fact: + matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v10 }}" + when: "matrix_postgres_detected_version == '10' or matrix_postgres_detected_version.startswith('10.')" \ No newline at end of file From f472c1b9e54e3ba820577db1bfb77a2e363e6d55 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Jan 2019 14:02:31 +0200 Subject: [PATCH 0266/2384] Ensure psql returns a failure exit code when it fails Until now, if the .sql file contained invalid data, psql would choke on it, but still return an exit code of 0. This is very misleading. We need to pass `-v ON_ERROR_STOP=1` to make it exit with a proper error exit code when failures happen. --- roles/matrix-server/tasks/upgrade_postgres.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-server/tasks/upgrade_postgres.yml index e6d3415c..7c60df3e 100644 --- a/roles/matrix-server/tasks/upgrade_postgres.yml +++ b/roles/matrix-server/tasks/upgrade_postgres.yml @@ -94,7 +94,7 @@ --network={{ matrix_docker_network }} \ --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ -v {{ postgres_dump_dir }}:/in:ro \ - {{ matrix_postgres_docker_image_latest }} psql -h matrix-postgres -f /in/{{ postgres_dump_name }} + {{ matrix_postgres_docker_image_latest }} psql -v ON_ERROR_STOP=1 -h matrix-postgres -f /in/{{ postgres_dump_name }} - name: Delete Postgres database dump file file: From 6d89319822f4b2ecb8817b97cae9f9d132c79067 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Jan 2019 14:40:48 +0200 Subject: [PATCH 0267/2384] Add support for importing an existing Postgres database --- docs/importing-postgres.md | 24 +++++++++ docs/installing.md | 2 + roles/matrix-server/defaults/main.yml | 1 + roles/matrix-server/tasks/import_postgres.yml | 53 +++++++++++++++++++ roles/matrix-server/tasks/main.yml | 5 ++ 5 files changed, 85 insertions(+) create mode 100644 docs/importing-postgres.md create mode 100644 roles/matrix-server/tasks/import_postgres.yml diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md new file mode 100644 index 00000000..66aa9d3a --- /dev/null +++ b/docs/importing-postgres.md @@ -0,0 +1,24 @@ +# Importing an existing Postgres database from another installation (optional) + +Run this if you'd like to import your database from a previous installation of Matrix Synapse. +(don't forget to import your `media_store` files as well - see [the restoring media store guide](restoring-media-store.md)). + + +## Prerequisites + +For this to work, **the database name in Postgres must match** what this playbook uses. +This playbook uses a Postgres database name of `homeserver` by default (controlled by the `matrix_postgres_db_name` variable). +If your database name differs, be sure to change `matrix_postgres_db_name` to your desired name and to re-run the playbook before proceeding. + +The playbook supports importing Postgres dump files in **text** (e.g. `pg_dump > dump.sql`) or **gzipped** formats (e.g. `pg_dump | gzip -c > dump.sql.gz`). + +Before doing the actual import, **you need to upload your Postgres dump file to the server**. + + +## Importing + +To import, run this command (make sure to replace `` with a file path on your server): + + ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_postgres_dump=' --tags=import-postgres + +**Note**: `` must be a file path to a Postgres dump file on the server (not on your local machine!). diff --git a/docs/installing.md b/docs/installing.md index 79d06335..46700ac8 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -19,6 +19,8 @@ After installing, but before starting the services, you may want to do additiona - [Importing an existing SQLite database (from another installation)](importing-sqlite.md) (optional) +- [Importing an existing Postgres database (from another installation)](importing-postgres.md) (optional) + - [Restoring `media_store` data files from an existing installation](restoring-media-store.md) (optional) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index e789f597..c504eeeb 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -418,6 +418,7 @@ matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" # Variables to Control which parts of the role run. run_setup: true +run_import_postgres: true run_upgrade_postgres: true run_start: true run_register_user: true diff --git a/roles/matrix-server/tasks/import_postgres.yml b/roles/matrix-server/tasks/import_postgres.yml new file mode 100644 index 00000000..60b93362 --- /dev/null +++ b/roles/matrix-server/tasks/import_postgres.yml @@ -0,0 +1,53 @@ +--- + +# Pre-checks + +- name: Fail if playbook called incorrectly + fail: msg="The `server_path_postgres_dump` variable needs to be provided to this playbook, via --extra-vars" + when: "server_path_postgres_dump is not defined or server_path_postgres_dump.startswith('<')" + +- name: Check if the provided Postgres dump file exists + stat: path="{{ server_path_postgres_dump }}" + register: result_server_path_postgres_dump_stat + +- name: Fail if provided Postgres dump file doesn't exists + fail: msg="File cannot be found on the local machine at {{ server_path_postgres_dump }}" + when: not result_server_path_postgres_dump_stat.stat.exists + +- include: tasks/util/detect_existing_postgres_version.yml + +- name: Abort, if no existing Postgres version detected + fail: msg="Could not find existing Postgres installation" + when: "not matrix_postgres_detected_existing" + + +# Defaults + +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + + +# Actual import work + +- name: Ensure matrix-postgres is started + service: name=matrix-postgres state=started daemon_reload=yes + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false + +- name: Perform Postgres database import + command: | + /usr/bin/docker run --rm --name matrix-postgres-import \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ + -v {{ server_path_postgres_dump }}:{{ server_path_postgres_dump }}:ro \ + --entrypoint=/bin/sh + {{ matrix_postgres_docker_image_latest }} + -c 'cat {{ server_path_postgres_dump }} | \ + {{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }} + psql -v ON_ERROR_STOP=1 -h matrix-postgres' diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index c76c2070..6f038281 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -3,6 +3,11 @@ - include: tasks/setup/main.yml when: run_setup +- include: tasks/import_postgres.yml + tags: + - import-postgres + when: run_import_postgres + - include: tasks/upgrade_postgres.yml tags: - upgrade-postgres From f153c70a607093473771eeee356f1af1b5d376d6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Jan 2019 14:47:22 +0200 Subject: [PATCH 0268/2384] Reorganize some files --- .../matrix-server/tasks/{ => import}/import_media_store.yml | 0 roles/matrix-server/tasks/{ => import}/import_postgres.yml | 0 roles/matrix-server/tasks/{ => import}/import_sqlite_db.yml | 0 roles/matrix-server/tasks/main.yml | 6 +++--- 4 files changed, 3 insertions(+), 3 deletions(-) rename roles/matrix-server/tasks/{ => import}/import_media_store.yml (100%) rename roles/matrix-server/tasks/{ => import}/import_postgres.yml (100%) rename roles/matrix-server/tasks/{ => import}/import_sqlite_db.yml (100%) diff --git a/roles/matrix-server/tasks/import_media_store.yml b/roles/matrix-server/tasks/import/import_media_store.yml similarity index 100% rename from roles/matrix-server/tasks/import_media_store.yml rename to roles/matrix-server/tasks/import/import_media_store.yml diff --git a/roles/matrix-server/tasks/import_postgres.yml b/roles/matrix-server/tasks/import/import_postgres.yml similarity index 100% rename from roles/matrix-server/tasks/import_postgres.yml rename to roles/matrix-server/tasks/import/import_postgres.yml diff --git a/roles/matrix-server/tasks/import_sqlite_db.yml b/roles/matrix-server/tasks/import/import_sqlite_db.yml similarity index 100% rename from roles/matrix-server/tasks/import_sqlite_db.yml rename to roles/matrix-server/tasks/import/import_sqlite_db.yml diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 6f038281..896efe82 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -3,7 +3,7 @@ - include: tasks/setup/main.yml when: run_setup -- include: tasks/import_postgres.yml +- include: tasks/import/import_postgres.yml tags: - import-postgres when: run_import_postgres @@ -23,12 +23,12 @@ - register-user when: run_register_user -- include: tasks/import_sqlite_db.yml +- include: tasks/import/import_sqlite_db.yml tags: - import-sqlite-db when: run_import_sqlite_db -- include: tasks/import_media_store.yml +- include: tasks/import/import_media_store.yml tags: - import-media-store when: run_import_media_store From 4c2e1a05881df3bfb1e0b8f3bd36139310e5f47b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Jan 2019 15:16:13 +0200 Subject: [PATCH 0269/2384] Make SQLite database import work with server files, not local This is a simplification and a way to make it consistent with how we do Postgres imports (see 6d89319822f4b2ecb), using files coming from the server, not from the local machine. --- docs/importing-sqlite.md | 14 +++-- roles/matrix-server/defaults/main.yml | 1 - .../tasks/import/import_sqlite_db.yml | 52 +++++++++---------- 3 files changed, 35 insertions(+), 32 deletions(-) diff --git a/docs/importing-sqlite.md b/docs/importing-sqlite.md index f7aa4c01..cd9917b4 100644 --- a/docs/importing-sqlite.md +++ b/docs/importing-sqlite.md @@ -8,8 +8,16 @@ using an SQLite database. If you have such a Matrix Synapse setup and wish to migrate it here (and over to PostgreSQL), this command is for you. -Run this command (make sure to replace `` with a file path on your local machine): - ansible-playbook -i inventory/hosts setup.yml --extra-vars='local_path_homeserver_db=' --tags=import-sqlite-db +## Prerequisites -**Note**: `` must be a file path to a `homeserver.db` file on your local machine (not on the server!). This file is copied to the server and imported. +Before doing the actual import, **you need to upload your SQLite database file to the server**. + + +## Importing + +Run this command (make sure to replace `` with a file path on your server): + + ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_homeserver_db=' --tags=import-sqlite-db + +**Note**: `` must be a file path to a `homeserver.db` file on the server (not on your local machine!). \ No newline at end of file diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index c504eeeb..15e7dfce 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -18,7 +18,6 @@ matrix_user_gid: 991 matrix_base_data_path: "/matrix" matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables" -matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" matrix_homeserver_url: "https://{{ hostname_matrix }}" diff --git a/roles/matrix-server/tasks/import/import_sqlite_db.yml b/roles/matrix-server/tasks/import/import_sqlite_db.yml index 102ef22a..8b8c0286 100644 --- a/roles/matrix-server/tasks/import/import_sqlite_db.yml +++ b/roles/matrix-server/tasks/import/import_sqlite_db.yml @@ -1,31 +1,29 @@ --- +# Pre-checks + - name: Fail if playbook called incorrectly - fail: msg="The `local_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars" - when: "local_path_homeserver_db is not defined or local_path_homeserver_db.startswith('<')" + fail: msg="The `server_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars" + when: "server_path_homeserver_db is not defined or server_path_homeserver_db.startswith('<')" - name: Check if the provided SQLite homeserver.db file exists - stat: path="{{ local_path_homeserver_db }}" - delegate_to: 127.0.0.1 - become: false - register: local_path_homeserver_db_stat + stat: path="{{ server_path_homeserver_db }}" + register: result_server_path_homeserver_db_stat - name: Fail if provided SQLite homeserver.db file doesn't exist - fail: msg="File cannot be found on the local machine at {{ local_path_homeserver_db }}" - when: not local_path_homeserver_db_stat.stat.exists + fail: msg="File cannot be found on the local machine at {{ server_path_homeserver_db }}" + when: not result_server_path_homeserver_db_stat.stat.exists -- name: Ensure scratchpad directory exists - file: - path: "{{ matrix_scratchpad_dir }}" - state: directory - mode: 0755 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" -- name: Ensure provided SQLite homeserver.db file is copied to scratchpad directory on the server - synchronize: - src: "{{ local_path_homeserver_db }}" - dest: "{{ matrix_scratchpad_dir }}/homeserver.db" +# Defaults + +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + + +# Actual import work - name: Ensure matrix-postgres is stopped service: name=matrix-postgres state=stopped daemon_reload=yes @@ -46,8 +44,11 @@ - name: Ensure matrix-postgres is started service: name=matrix-postgres state=restarted daemon_reload=yes -- name: Wait a while, so that Postgres can manage to start - pause: seconds=7 +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false # If the actual migration command (below) fails, it will leave a container behind. # Starting it again later will relaunch that one, which may or may not work. @@ -64,16 +65,11 @@ detach: no cleanup: yes entrypoint: /usr/local/bin/python - command: "/usr/local/bin/synapse_port_db --sqlite-database /scratchpad/homeserver.db --postgres-config /data/homeserver.yaml" + command: "/usr/local/bin/synapse_port_db --sqlite-database {{ server_path_homeserver_db }} --postgres-config /data/homeserver.yaml" user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" volumes: - "{{ matrix_synapse_config_dir_path }}:/data" - "{{ matrix_synapse_run_path }}:/matrix-run" - - "{{ matrix_scratchpad_dir }}:/scratchpad" + - "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db }}:ro" networks: - name: "{{ matrix_docker_network }}" - -- name: Ensure scratchpad directory is deleted - file: - path: "{{ matrix_scratchpad_dir }}" - state: absent From e604a7bd43b42cb13efae5ca706722a1e38cea16 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Jan 2019 15:25:52 +0200 Subject: [PATCH 0270/2384] Fix error message inaccuracy --- roles/matrix-server/tasks/import/import_postgres.yml | 2 +- roles/matrix-server/tasks/import/import_sqlite_db.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/tasks/import/import_postgres.yml b/roles/matrix-server/tasks/import/import_postgres.yml index 60b93362..a96a7369 100644 --- a/roles/matrix-server/tasks/import/import_postgres.yml +++ b/roles/matrix-server/tasks/import/import_postgres.yml @@ -11,7 +11,7 @@ register: result_server_path_postgres_dump_stat - name: Fail if provided Postgres dump file doesn't exists - fail: msg="File cannot be found on the local machine at {{ server_path_postgres_dump }}" + fail: msg="File cannot be found on the server at {{ server_path_postgres_dump }}" when: not result_server_path_postgres_dump_stat.stat.exists - include: tasks/util/detect_existing_postgres_version.yml diff --git a/roles/matrix-server/tasks/import/import_sqlite_db.yml b/roles/matrix-server/tasks/import/import_sqlite_db.yml index 8b8c0286..347ac761 100644 --- a/roles/matrix-server/tasks/import/import_sqlite_db.yml +++ b/roles/matrix-server/tasks/import/import_sqlite_db.yml @@ -11,7 +11,7 @@ register: result_server_path_homeserver_db_stat - name: Fail if provided SQLite homeserver.db file doesn't exist - fail: msg="File cannot be found on the local machine at {{ server_path_homeserver_db }}" + fail: msg="File cannot be found on the server at {{ server_path_homeserver_db }}" when: not result_server_path_homeserver_db_stat.stat.exists From 543b98d24ccbde8b5f4cb8fb14323541031920bc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Jan 2019 15:35:33 +0200 Subject: [PATCH 0271/2384] Update documentation --- docs/importing-postgres.md | 2 +- docs/importing-sqlite.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 66aa9d3a..9b679bdb 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -12,7 +12,7 @@ If your database name differs, be sure to change `matrix_postgres_db_name` to yo The playbook supports importing Postgres dump files in **text** (e.g. `pg_dump > dump.sql`) or **gzipped** formats (e.g. `pg_dump | gzip -c > dump.sql.gz`). -Before doing the actual import, **you need to upload your Postgres dump file to the server**. +Before doing the actual import, **you need to upload your Postgres dump file to the server** (any path is okay). ## Importing diff --git a/docs/importing-sqlite.md b/docs/importing-sqlite.md index cd9917b4..ff60fa32 100644 --- a/docs/importing-sqlite.md +++ b/docs/importing-sqlite.md @@ -11,7 +11,7 @@ If you have such a Matrix Synapse setup and wish to migrate it here (and over to ## Prerequisites -Before doing the actual import, **you need to upload your SQLite database file to the server**. +Before doing the actual import, **you need to upload your SQLite database file to the server** (any path is okay). ## Importing From 76506f34e0827650afb49233a3605b71a7a1e0a0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Jan 2019 15:37:57 +0200 Subject: [PATCH 0272/2384] Make media-store restore work with server files, not local This is a simplification and a way to make it consistent with how we do Postgres imports (see 6d89319822f4b2ecb), using files coming from the server, not from the local machine. By encouraging people NOT to use local files, we potentially avoid problems such as #34 (Github issue), where people would download `media_store` to their Mac's filesystem and case-sensitivity issues will actually corrupt it. By not encouraging local files usage, it's less likely that people would copy (huge) directories to their local machine like that. --- docs/importing-media-store.md | 22 ++++++++ docs/importing-postgres.md | 2 +- docs/importing-sqlite.md | 2 +- docs/installing.md | 2 +- docs/restoring-media-store.md | 9 ---- .../tasks/import/import_media_store.yml | 51 ++++++++++--------- 6 files changed, 53 insertions(+), 35 deletions(-) create mode 100644 docs/importing-media-store.md delete mode 100644 docs/restoring-media-store.md diff --git a/docs/importing-media-store.md b/docs/importing-media-store.md new file mode 100644 index 00000000..7aa6c5b5 --- /dev/null +++ b/docs/importing-media-store.md @@ -0,0 +1,22 @@ +# Importing `media_store` data files from an existing installation (optional) + +Run this if you'd like to import your `media_store` files from a previous installation of Matrix Synapse. + + +## Prerequisites + +Before doing the actual data restore, **you need to upload your media store directory to the server** (any path is okay). + +If you are [Storing Matrix media files on Amazon S3](configuring-playbook-s3.md) (optional), restoring with this tool is not possible right now. +As an alternative, you can perform a manual restore using the [AWS CLI tool](https://aws.amazon.com/cli/) (e.g. `aws s3 sync /path/to/server/media_store/. s3://name-of-bucket/`) + +**Note for Mac users**: Due to case-sensitivity issues on certain Mac filesystems (HFS or HFS+), filename corruption may occur if you copy a `media_store` directory to your Mac. If you're transferring a `media_store` directory between 2 servers, make sure you do it directly (from server to server with a tool such as [rsync](https://rsync.samba.org/)), and not by downloading the files to your Mac. + + +## Importing + +Run this command (make sure to replace `` with a path on your server): + + ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_media_store=' --tags=import-media-store + +**Note**: `` must be a file path to a `media_store` directory on the server (not on your local machine!). \ No newline at end of file diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 9b679bdb..7fd1ba97 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -1,7 +1,7 @@ # Importing an existing Postgres database from another installation (optional) Run this if you'd like to import your database from a previous installation of Matrix Synapse. -(don't forget to import your `media_store` files as well - see [the restoring media store guide](restoring-media-store.md)). +(don't forget to import your `media_store` files as well - see [the importing-media-store guide](importing-media-store.md)). ## Prerequisites diff --git a/docs/importing-sqlite.md b/docs/importing-sqlite.md index ff60fa32..af705a79 100644 --- a/docs/importing-sqlite.md +++ b/docs/importing-sqlite.md @@ -1,7 +1,7 @@ # Importing an existing SQLite database from another installation (optional) Run this if you'd like to import your database from a previous default installation of Matrix Synapse. -(don't forget to import your `media_store` files as well - see [the restoring media store guide](restoring-media-store.md)). +(don't forget to import your `media_store` files as well - see [the importing-media-store guide](importing-media-store.md)). While this playbook always sets up PostgreSQL, by default a Matrix Synapse installation would run using an SQLite database. diff --git a/docs/installing.md b/docs/installing.md index 46700ac8..8ca36859 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -21,7 +21,7 @@ After installing, but before starting the services, you may want to do additiona - [Importing an existing Postgres database (from another installation)](importing-postgres.md) (optional) -- [Restoring `media_store` data files from an existing installation](restoring-media-store.md) (optional) +- [Importing `media_store` data files from an existing installation](importing-media-store.md) (optional) ## Starting the services diff --git a/docs/restoring-media-store.md b/docs/restoring-media-store.md deleted file mode 100644 index 62bddcd9..00000000 --- a/docs/restoring-media-store.md +++ /dev/null @@ -1,9 +0,0 @@ -# Restoring `media_store` data files from an existing installation (optional) - -Run this if you'd like to import your `media_store` files from a previous installation of Matrix Synapse. - -Run this command (make sure to replace `` with a path on your local machine): - - ansible-playbook -i inventory/hosts setup.yml --extra-vars='local_path_media_store=' --tags=import-media-store - -**Note**: `` must be a file path to a `media_store` directory on your local machine (not on the server!). This directory's contents are then copied to the server. \ No newline at end of file diff --git a/roles/matrix-server/tasks/import/import_media_store.yml b/roles/matrix-server/tasks/import/import_media_store.yml index 57dd15cd..64179835 100644 --- a/roles/matrix-server/tasks/import/import_media_store.yml +++ b/roles/matrix-server/tasks/import/import_media_store.yml @@ -1,49 +1,54 @@ --- +# Pre-checks + - name: Fail if playbook called incorrectly - fail: msg="The `local_path_media_store` variable needs to be provided to this playbook, via --extra-vars" - when: "local_path_media_store is not defined or local_path_media_store.startswith('<')" + fail: msg="The `server_path_media_store` variable needs to be provided to this playbook, via --extra-vars" + when: "server_path_media_store is not defined or server_path_media_store.startswith('<')" + +- name: Fail if media store is on Amazon S3 + fail: msg="Your media store is on Amazon S3. Due to technical limitations, restoring is not supported." + when: "matrix_s3_media_store_enabled" - name: Check if the provided media store directory exists - stat: path="{{ local_path_media_store }}" - delegate_to: 127.0.0.1 - become: false - register: local_path_media_store_stat + stat: path="{{ server_path_media_store }}" + register: server_path_media_store_stat -- name: Fail if provided media store directory doesn't exist on the local machine - fail: msg="{{ local_path_media_store }} cannot be found on the local machine" - when: "not local_path_media_store_stat.stat.exists or not local_path_media_store_stat.stat.isdir" +- name: Fail if provided media store directory doesn't exist on the server + fail: msg="{{ server_path_media_store }} cannot be found on the server" + when: "not server_path_media_store_stat.stat.exists or not server_path_media_store_stat.stat.isdir" - name: Check if media store contains local_content - stat: path="{{ local_path_media_store }}/local_content" - delegate_to: 127.0.0.1 - become: false - register: local_path_media_store_local_content_stat + stat: path="{{ server_path_media_store }}/local_content" + register: server_path_media_store_local_content_stat - name: Check if media store contains remote_content - stat: path="{{ local_path_media_store }}/remote_content" - delegate_to: 127.0.0.1 - become: false - register: local_path_media_store_remote_content_stat + stat: path="{{ server_path_media_store }}/remote_content" + register: server_path_media_store_remote_content_stat - name: Fail if media store directory doesn't look okay (lacking remote and local content) - fail: msg="{{ local_path_media_store }} contains neither local_content nor remote_content. It's most likely a mistake and is not a media store directory." - when: "not local_path_media_store_local_content_stat.stat.exists and not local_path_media_store_remote_content_stat.stat.exists" + fail: msg="{{ server_path_media_store }} contains neither local_content nor remote_content directories. It's most likely a mistake and is not a media store directory." + when: "not server_path_media_store_local_content_stat.stat.exists and not server_path_media_store_remote_content_stat.stat.exists" + + +# Actual import work - name: Ensure matrix-synapse is stopped service: name=matrix-synapse state=stopped daemon_reload=yes register: stopping_result -- name: Ensure provided media store directory is copied to the server +# This can only work with local files, not if the media store is on Amazon S3, +# as it won't be accessible in such a case. +- name: Ensure provided media store directory is synchronized synchronize: - src: "{{ local_path_media_store }}/" + src: "{{ server_path_media_store }}/" dest: "{{ matrix_synapse_media_store_path }}" delete: yes # It's wasteful to preserve owner/group now. We chown below anyway. owner: no group: no - times: "{{ False if matrix_s3_media_store_enabled else True }}" - perms: "{{ False if matrix_s3_media_store_enabled else True }}" + times: yes + delegate_to: "{{ inventory_hostname }}" # This is for the generic case and fails in other cases (remote file systems), # because in such cases the base path (matrix_synapse_media_store_path) is a mount point. From 99af4543ac4587aeeb7d43e9b7ada035b6da5b5b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 3 Jan 2019 15:24:08 +0200 Subject: [PATCH 0273/2384] Replace include usage with include_tasks and import_tasks The long-deprecated (since Ansible 2.4) use of include is no more. --- .../tasks/import/import_postgres.yml | 2 +- roles/matrix-server/tasks/main.yml | 16 +++++----- roles/matrix-server/tasks/self_check/main.yml | 14 ++++----- roles/matrix-server/tasks/setup/main.yml | 30 +++++++++---------- .../tasks/setup/setup_postgres.yml | 2 +- roles/matrix-server/tasks/setup/ssl/main.yml | 6 ++-- .../setup/ssl/setup_ssl_lets_encrypt.yml | 2 +- .../setup/ssl/setup_ssl_manually_managed.yml | 2 +- .../tasks/setup/ssl/setup_ssl_self_signed.yml | 2 +- .../tasks/setup/synapse/ext/main.yml | 10 +++---- .../tasks/setup/synapse/main.yml | 6 ++-- .../matrix-server/tasks/upgrade_postgres.yml | 4 +-- 12 files changed, 48 insertions(+), 48 deletions(-) diff --git a/roles/matrix-server/tasks/import/import_postgres.yml b/roles/matrix-server/tasks/import/import_postgres.yml index a96a7369..a8a426ff 100644 --- a/roles/matrix-server/tasks/import/import_postgres.yml +++ b/roles/matrix-server/tasks/import/import_postgres.yml @@ -14,7 +14,7 @@ fail: msg="File cannot be found on the server at {{ server_path_postgres_dump }}" when: not result_server_path_postgres_dump_stat.stat.exists -- include: tasks/util/detect_existing_postgres_version.yml +- import_tasks: tasks/util/detect_existing_postgres_version.yml - name: Abort, if no existing Postgres version detected fail: msg="Could not find existing Postgres installation" diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 896efe82..a6ba542b 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -1,39 +1,39 @@ --- -- include: tasks/setup/main.yml +- import_tasks: tasks/setup/main.yml when: run_setup -- include: tasks/import/import_postgres.yml +- import_tasks: tasks/import/import_postgres.yml tags: - import-postgres when: run_import_postgres -- include: tasks/upgrade_postgres.yml +- import_tasks: tasks/upgrade_postgres.yml tags: - upgrade-postgres when: run_upgrade_postgres -- include: tasks/start.yml +- import_tasks: tasks/start.yml tags: - start when: run_start -- include: tasks/register_user.yml +- import_tasks: tasks/register_user.yml tags: - register-user when: run_register_user -- include: tasks/import/import_sqlite_db.yml +- import_tasks: tasks/import/import_sqlite_db.yml tags: - import-sqlite-db when: run_import_sqlite_db -- include: tasks/import/import_media_store.yml +- import_tasks: tasks/import/import_media_store.yml tags: - import-media-store when: run_import_media_store -- include: tasks/self_check/main.yml +- import_tasks: tasks/self_check/main.yml delegate_to: 127.0.0.1 become: false tags: diff --git a/roles/matrix-server/tasks/self_check/main.yml b/roles/matrix-server/tasks/self_check/main.yml index 001303bb..fdd73dd6 100644 --- a/roles/matrix-server/tasks/self_check/main.yml +++ b/roles/matrix-server/tasks/self_check/main.yml @@ -1,18 +1,18 @@ --- -- include: tasks/self_check/self_check_dns.yml +- import_tasks: tasks/self_check/self_check_dns.yml -- include: tasks/self_check/self_check_client_api.yml +- import_tasks: tasks/self_check/self_check_client_api.yml -- include: tasks/self_check/self_check_federation_api.yml +- import_tasks: tasks/self_check/self_check_federation_api.yml -- include: tasks/self_check/self_check_riot_web.yml +- import_tasks: tasks/self_check/self_check_riot_web.yml when: "matrix_riot_web_enabled" -- include: tasks/self_check/self_check_mxisd.yml +- import_tasks: tasks/self_check/self_check_mxisd.yml when: "matrix_mxisd_enabled" -- include: tasks/self_check/self_check_well_known.yml +- import_tasks: tasks/self_check/self_check_well_known.yml -- include: tasks/self_check/self_check_corporal.yml +- import_tasks: tasks/self_check/self_check_corporal.yml when: "matrix_corporal_enabled" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/main.yml b/roles/matrix-server/tasks/setup/main.yml index 92b5b5ff..34876faa 100644 --- a/roles/matrix-server/tasks/setup/main.yml +++ b/roles/matrix-server/tasks/setup/main.yml @@ -1,68 +1,68 @@ --- -- include: tasks/setup/setup_sanity_check.yml +- import_tasks: tasks/setup/setup_sanity_check.yml tags: - always -- include: tasks/setup/setup_base.yml +- import_tasks: tasks/setup/setup_base.yml tags: - setup-all -- include: tasks/setup/setup_main.yml +- import_tasks: tasks/setup/setup_main.yml tags: - setup-all -- include: tasks/setup/ssl/main.yml +- import_tasks: tasks/setup/ssl/main.yml tags: - setup-all - setup-ssl -- include: tasks/setup/setup_postgres.yml +- import_tasks: tasks/setup/setup_postgres.yml tags: - setup-all - setup-postgres -- include: tasks/setup/setup_goofys.yml +- import_tasks: tasks/setup/setup_goofys.yml tags: - setup-all - setup-goofys -- include: tasks/setup/setup_coturn.yml +- import_tasks: tasks/setup/setup_coturn.yml tags: - setup-all - setup-coturn -- include: tasks/setup/setup_mailer.yml +- import_tasks: tasks/setup/setup_mailer.yml tags: - setup-all - setup-mailer -- include: tasks/setup/setup_mxisd.yml +- import_tasks: tasks/setup/setup_mxisd.yml tags: - setup-all - setup-mxisd -- include: tasks/setup/setup_corporal_overrides.yml +- import_tasks: tasks/setup/setup_corporal_overrides.yml tags: - always -- include: tasks/setup/setup_corporal.yml +- import_tasks: tasks/setup/setup_corporal.yml tags: - setup-all - setup-corporal -- include: tasks/setup/synapse/main.yml +- import_tasks: tasks/setup/synapse/main.yml tags: - setup-all - setup-synapse - setup-coturn -- include: tasks/setup/setup_riot_web.yml +- import_tasks: tasks/setup/setup_riot_web.yml tags: - setup-all - setup-riot-web -- include: tasks/setup/setup_well_known.yml +- import_tasks: tasks/setup/setup_well_known.yml tags: - setup-all - setup-mxisd @@ -70,7 +70,7 @@ - setup-nginx-proxy - setup-well-known -- include: tasks/setup/setup_nginx_proxy.yml +- import_tasks: tasks/setup/setup_nginx_proxy.yml tags: - setup-all - setup-nginx-proxy diff --git a/roles/matrix-server/tasks/setup/setup_postgres.yml b/roles/matrix-server/tasks/setup/setup_postgres.yml index 53491b55..aaadec90 100644 --- a/roles/matrix-server/tasks/setup/setup_postgres.yml +++ b/roles/matrix-server/tasks/setup/setup_postgres.yml @@ -4,7 +4,7 @@ # Generic tasks, no matter what kind of server we're using (internal/external) # -- include: tasks/util/detect_existing_postgres_version.yml +- import_tasks: tasks/util/detect_existing_postgres_version.yml # If we have found an existing version (installed from before), we use its corresponding Docker image. # If not, we install using the latest Postgres. diff --git a/roles/matrix-server/tasks/setup/ssl/main.yml b/roles/matrix-server/tasks/setup/ssl/main.yml index d8593d78..d81c8f34 100644 --- a/roles/matrix-server/tasks/setup/ssl/main.yml +++ b/roles/matrix-server/tasks/setup/ssl/main.yml @@ -31,8 +31,8 @@ # Method specific tasks follow -- include: tasks/setup/ssl/setup_ssl_lets_encrypt.yml +- import_tasks: tasks/setup/ssl/setup_ssl_lets_encrypt.yml -- include: tasks/setup/ssl/setup_ssl_self_signed.yml +- import_tasks: tasks/setup/ssl/setup_ssl_self_signed.yml -- include: tasks/setup/ssl/setup_ssl_manually_managed.yml +- import_tasks: tasks/setup/ssl/setup_ssl_manually_managed.yml diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml index 205e648c..0063242b 100644 --- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml @@ -26,7 +26,7 @@ when: "matrix_ssl_retrieval_method == 'lets-encrypt'" - name: Obtain Let's Encrypt certificates - include_tasks: "tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" + include_tasks: "{{ role_path }}/tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" with_items: "{{ domains_requiring_certificates }}" loop_control: loop_var: domain_name diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml index 78766381..10cd0765 100644 --- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml @@ -1,7 +1,7 @@ --- - name: Verify certificates - include_tasks: "tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml" + include_tasks: "{{ role_path }}/tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml" with_items: "{{ domains_requiring_certificates }}" loop_control: loop_var: domain_name diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml index 8e97a612..69ca0659 100644 --- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml @@ -17,7 +17,7 @@ when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'" - name: Generate self-signed certificates - include_tasks: "tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml" + include_tasks: "{{ role_path }}/tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml" with_items: "{{ domains_requiring_certificates }}" loop_control: loop_var: domain_name diff --git a/roles/matrix-server/tasks/setup/synapse/ext/main.yml b/roles/matrix-server/tasks/setup/synapse/ext/main.yml index 507d4d72..a53cc9aa 100644 --- a/roles/matrix-server/tasks/setup/synapse/ext/main.yml +++ b/roles/matrix-server/tasks/setup/synapse/ext/main.yml @@ -1,11 +1,11 @@ --- -- include: tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml +- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml -- include: tasks/setup/synapse/ext/setup_synapse_ext_shared_secret_auth.yml +- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_shared_secret_auth.yml -- include: tasks/setup/synapse/ext/setup_synapse_ext_ldap_auth.yml +- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_ldap_auth.yml -- include: tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml +- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml -- include: tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml +- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml diff --git a/roles/matrix-server/tasks/setup/synapse/main.yml b/roles/matrix-server/tasks/setup/synapse/main.yml index a2df4df4..86e7087c 100644 --- a/roles/matrix-server/tasks/setup/synapse/main.yml +++ b/roles/matrix-server/tasks/setup/synapse/main.yml @@ -1,7 +1,7 @@ --- -- include: tasks/setup/synapse/setup_synapse_pre.yml +- import_tasks: tasks/setup/synapse/setup_synapse_pre.yml -- include: tasks/setup/synapse/ext/main.yml +- import_tasks: tasks/setup/synapse/ext/main.yml -- include: tasks/setup/synapse/setup_synapse_main.yml +- import_tasks: tasks/setup/synapse/setup_synapse_main.yml diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-server/tasks/upgrade_postgres.yml index 7c60df3e..6572d1e3 100644 --- a/roles/matrix-server/tasks/upgrade_postgres.yml +++ b/roles/matrix-server/tasks/upgrade_postgres.yml @@ -35,7 +35,7 @@ msg: "Detected that a left-over {{ postgres_auto_upgrade_backup_data_path }} exists. You should rename it to {{ matrix_postgres_data_path }} if the previous upgrade went wrong, or delete it if it went well." when: "result_auto_upgrade_path.stat.exists" -- include: tasks/util/detect_existing_postgres_version.yml +- import_tasks: tasks/util/detect_existing_postgres_version.yml - name: Abort, if no existing Postgres version detected fail: msg="Could not find existing Postgres installation" @@ -77,7 +77,7 @@ - debug: msg: "NOTE: Your Postgres data directory has been moved from `{{ matrix_postgres_data_path }}` to `{{ postgres_auto_upgrade_backup_data_path }}`. In the event of failure, you can move it back and run the playbook with --tags=setup-postgres to restore operation." -- include: tasks/setup/setup_postgres.yml +- import_tasks: tasks/setup/setup_postgres.yml - name: Ensure matrix-postgres autoruns and is restarted service: name=matrix-postgres enabled=yes state=restarted daemon_reload=yes From 5135c0cc0a47265761e38d713aac06d50af4cddb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 3 Jan 2019 16:15:47 +0200 Subject: [PATCH 0274/2384] Add Ansible guide and Ansible version checks After having multiple people report issues with retrieving SSL certificates, we've finally discovered the culprit to be Ansible 2.5.1 (default and latest version on Ubuntu 18.04 LTS). As silly as it is, certain distributions ("LTS" even) are 13 bugfix versions of Ansible behind. From now on, we try to auto-detect buggy Ansible versions and tell the user. We also provide some tips for how to upgrade Ansible or run it from inside a Docker container. My testing shows that Ansible 2.4.0 and 2.4.6 are OK. All other intermediate 2.4.x versions haven't been tested, but we trust they're OK too. From the 2.5.x releases, only 2.5.0 and 2.5.1 seem to be affected. Ansible 2.5.2 corrects the problem with `include_tasks` + `with_items`. --- docs/ansible.md | 60 +++++++++++++++++++ docs/prerequisites.md | 2 +- .../tasks/setup/setup_sanity_check.yml | 17 +++++- 3 files changed, 77 insertions(+), 2 deletions(-) create mode 100644 docs/ansible.md diff --git a/docs/ansible.md b/docs/ansible.md new file mode 100644 index 00000000..60480a60 --- /dev/null +++ b/docs/ansible.md @@ -0,0 +1,60 @@ +# Running this playbook + +This playbook is meant to be run using [Ansible](https://www.ansible.com/). + + +## Supported Ansible versions + +Generally, Ansible 2.4 or later is required. + +If you're on Ansible 2.5.x, then at least Ansible 2.5.2 is required. + + +## Checking your Ansible version + +In most cases, you won't need to worry about the Ansible version. +The playbook will try to detect it and tell you if you're on an unsupported version. + +To manually check which verison of Ansible you're on, run: `ansible --version`. + +If you're on an old version of Ansible, you should upgrade to a newer version. + + +## Upgrading Ansible + +Depending on your distribution, you may be able to upgrade Ansible in a few different ways: + +- by using an additional repository (PPA, etc.), which provides newer Ansible versions + +- by removing the Ansible package (`yum remove ansible` or `apt-get remove ansible`) and installing via [pip](https://pip.pypa.io/en/stable/installing/) (`pip install ansible`). + +If using the `pip` method, do note that the `ansible-playbook` binary may not be on the `$PATH` (https://linuxconfig.org/linux-path-environment-variable), but in some more special location like `/usr/local/bin/ansible-playbook`. You may need to invoke it using the full path. + + +**Note**: Both of the above methods are a bad way to run system software such as Ansible. +If you find yourself needing to resort to such hacks, please consider reporting a bug to your distribution and/or switching to a sane distribution, which provides up-to-date software. + + +## Using Ansible via Docker + +Alternatively, you can run Ansible itself from a Docker container on your computer. + +Here's a sample command to get you started (run this from the playbook's directory): + +```bash +docker run -it --rm \ +-w /work \ +-v `pwd`:/work \ +-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ +--entrypoint=/bin/sh \ +qmxme/ansible +``` + +The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). +If your SSH key is at a different path (not in `$HOME/.ssh/id_rsa`), adjust that part. +If you don't use SSH keys for authentication, simply remove that whole line (`-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro`). + +Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container. +The `/work` directory contains the playbook's code. + +You can execute `ansible-playbook` commands as per normal now. \ No newline at end of file diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 8895db06..13cf89a5 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -4,7 +4,7 @@ - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). -- the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Version 2.4 or later is required (see `ansible --version`). +- the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for version requirements or alternative ways to run Ansible. - properly configured DNS SRV record for `` (details in [Configuring DNS](configuring-dns.md#configuring-dns) below) diff --git a/roles/matrix-server/tasks/setup/setup_sanity_check.yml b/roles/matrix-server/tasks/setup/setup_sanity_check.yml index bb048a20..4d967912 100644 --- a/roles/matrix-server/tasks/setup/setup_sanity_check.yml +++ b/roles/matrix-server/tasks/setup/setup_sanity_check.yml @@ -1,5 +1,20 @@ --- +- set_fact: + matrix_ansible_outdated_fail_msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" + +- name: Fail if running on Ansible < 2.4 + fail: + msg: "{{ matrix_ansible_outdated_fail_msg }}" + when: "ansible_version.major <= 2 and ansible_version.minor < 4" + +# Ansible 2.5.0 and 2.5.1 are known to have a bug with `include_tasks` + `with_items`. +# The bug has been fixed in Ansible 2.5.2. +- name: Fail if running on Ansible 2.5.x (lower than 2.5.2) + fail: + msg: "{{ matrix_ansible_outdated_fail_msg }}" + when: "ansible_version.major == 2 and ansible_version.minor == 5 and ansible_version.revision < 2" + - name: Fail if Macaroon key is missing fail: msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable" @@ -21,4 +36,4 @@ with_items: - "{{ hostname_identity }}" - "{{ hostname_matrix }}" - - "{{ hostname_riot }}" \ No newline at end of file + - "{{ hostname_riot }}" From 29d10804f094133a7411bb3b121210ee6c543c68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= Date: Mon, 7 Jan 2019 23:35:35 +0100 Subject: [PATCH 0275/2384] Use yaml syntax instead of key=value syntax consistently fixes #62 --- .../tasks/import/import_media_store.yml | 31 ++++++--- .../tasks/import/import_postgres.yml | 17 +++-- .../tasks/import/import_sqlite_db.yml | 19 ++++-- roles/matrix-server/tasks/register_user.yml | 19 ++++-- .../matrix-server/tasks/setup/setup_base.yml | 10 ++- .../tasks/setup/setup_goofys.yml | 11 +++- .../tasks/setup/setup_mailer.yml | 10 ++- .../matrix-server/tasks/setup/setup_mxisd.yml | 10 ++- .../tasks/setup/setup_nginx_proxy.yml | 8 ++- .../tasks/setup/setup_postgres.yml | 11 +++- .../tasks/setup/setup_riot_web.yml | 8 ++- .../setup_synapse_ext_mautrix_telegram.yml | 3 +- .../setup_synapse_ext_mautrix_whatsapp.yml | 3 +- .../setup/synapse/setup_synapse_main.yml | 3 +- roles/matrix-server/tasks/start.yml | 66 +++++++++++++++---- .../matrix-server/tasks/upgrade_postgres.yml | 30 +++++++-- 16 files changed, 195 insertions(+), 64 deletions(-) diff --git a/roles/matrix-server/tasks/import/import_media_store.yml b/roles/matrix-server/tasks/import/import_media_store.yml index 64179835..f3f606fd 100644 --- a/roles/matrix-server/tasks/import/import_media_store.yml +++ b/roles/matrix-server/tasks/import/import_media_store.yml @@ -3,38 +3,48 @@ # Pre-checks - name: Fail if playbook called incorrectly - fail: msg="The `server_path_media_store` variable needs to be provided to this playbook, via --extra-vars" + fail: + msg: "The `server_path_media_store` variable needs to be provided to this playbook, via --extra-vars" when: "server_path_media_store is not defined or server_path_media_store.startswith('<')" - name: Fail if media store is on Amazon S3 - fail: msg="Your media store is on Amazon S3. Due to technical limitations, restoring is not supported." + fail: + msg: "Your media store is on Amazon S3. Due to technical limitations, restoring is not supported." when: "matrix_s3_media_store_enabled" - name: Check if the provided media store directory exists - stat: path="{{ server_path_media_store }}" + stat: + path: "{{ server_path_media_store }}" register: server_path_media_store_stat - name: Fail if provided media store directory doesn't exist on the server - fail: msg="{{ server_path_media_store }} cannot be found on the server" + fail: + msg: "{{ server_path_media_store }} cannot be found on the server" when: "not server_path_media_store_stat.stat.exists or not server_path_media_store_stat.stat.isdir" - name: Check if media store contains local_content - stat: path="{{ server_path_media_store }}/local_content" + stat: + path: "{{ server_path_media_store }}/local_content" register: server_path_media_store_local_content_stat - name: Check if media store contains remote_content - stat: path="{{ server_path_media_store }}/remote_content" + stat: + path: "{{ server_path_media_store }}/remote_content" register: server_path_media_store_remote_content_stat - name: Fail if media store directory doesn't look okay (lacking remote and local content) - fail: msg="{{ server_path_media_store }} contains neither local_content nor remote_content directories. It's most likely a mistake and is not a media store directory." + fail: + msg: "{{ server_path_media_store }} contains neither local_content nor remote_content directories. It's most likely a mistake and is not a media store directory." when: "not server_path_media_store_local_content_stat.stat.exists and not server_path_media_store_remote_content_stat.stat.exists" # Actual import work - name: Ensure matrix-synapse is stopped - service: name=matrix-synapse state=stopped daemon_reload=yes + service: + name: matrix-synapse + state: stopped + daemon_reload: yes register: stopping_result # This can only work with local files, not if the media store is on Amazon S3, @@ -64,7 +74,10 @@ # all files become owned by whoever needs to own them. - name: Ensure Matrix Synapse is started (if it previously was) - service: name="{{ item }}" state=started daemon_reload=yes + service: + name: "{{ item }}" + state: started + daemon_reload: yes when: stopping_result.changed with_items: - matrix-synapse diff --git a/roles/matrix-server/tasks/import/import_postgres.yml b/roles/matrix-server/tasks/import/import_postgres.yml index a8a426ff..1c5989b1 100644 --- a/roles/matrix-server/tasks/import/import_postgres.yml +++ b/roles/matrix-server/tasks/import/import_postgres.yml @@ -3,21 +3,25 @@ # Pre-checks - name: Fail if playbook called incorrectly - fail: msg="The `server_path_postgres_dump` variable needs to be provided to this playbook, via --extra-vars" + fail: + msg: "The `server_path_postgres_dump` variable needs to be provided to this playbook, via --extra-vars" when: "server_path_postgres_dump is not defined or server_path_postgres_dump.startswith('<')" - name: Check if the provided Postgres dump file exists - stat: path="{{ server_path_postgres_dump }}" + stat: + path: "{{ server_path_postgres_dump }}" register: result_server_path_postgres_dump_stat - name: Fail if provided Postgres dump file doesn't exists - fail: msg="File cannot be found on the server at {{ server_path_postgres_dump }}" + fail: + msg: "File cannot be found on the server at {{ server_path_postgres_dump }}" when: not result_server_path_postgres_dump_stat.stat.exists - import_tasks: tasks/util/detect_existing_postgres_version.yml - name: Abort, if no existing Postgres version detected - fail: msg="Could not find existing Postgres installation" + fail: + msg: "Could not find existing Postgres installation" when: "not matrix_postgres_detected_existing" @@ -32,7 +36,10 @@ # Actual import work - name: Ensure matrix-postgres is started - service: name=matrix-postgres state=started daemon_reload=yes + service: + name: matrix-postgres + state: started + daemon_reload: yes - name: Wait a bit, so that Postgres can start wait_for: diff --git a/roles/matrix-server/tasks/import/import_sqlite_db.yml b/roles/matrix-server/tasks/import/import_sqlite_db.yml index 347ac761..cbfe6d7f 100644 --- a/roles/matrix-server/tasks/import/import_sqlite_db.yml +++ b/roles/matrix-server/tasks/import/import_sqlite_db.yml @@ -3,15 +3,18 @@ # Pre-checks - name: Fail if playbook called incorrectly - fail: msg="The `server_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars" + fail: + msg: "The `server_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars" when: "server_path_homeserver_db is not defined or server_path_homeserver_db.startswith('<')" - name: Check if the provided SQLite homeserver.db file exists - stat: path="{{ server_path_homeserver_db }}" + stat: + path: "{{ server_path_homeserver_db }}" register: result_server_path_homeserver_db_stat - name: Fail if provided SQLite homeserver.db file doesn't exist - fail: msg="File cannot be found on the server at {{ server_path_homeserver_db }}" + fail: + msg: "File cannot be found on the server at {{ server_path_homeserver_db }}" when: not result_server_path_homeserver_db_stat.stat.exists @@ -26,7 +29,10 @@ # Actual import work - name: Ensure matrix-postgres is stopped - service: name=matrix-postgres state=stopped daemon_reload=yes + service: + name: matrix-postgres + state: stopped + daemon_reload: yes - name: Ensure postgres data is wiped out file: @@ -42,7 +48,10 @@ group: "{{ matrix_user_username }}" - name: Ensure matrix-postgres is started - service: name=matrix-postgres state=restarted daemon_reload=yes + service: + name: matrix-postgres + state: restarted + daemon_reload: yes - name: Wait a bit, so that Postgres can start wait_for: diff --git a/roles/matrix-server/tasks/register_user.yml b/roles/matrix-server/tasks/register_user.yml index f77ee08d..1a4bd446 100644 --- a/roles/matrix-server/tasks/register_user.yml +++ b/roles/matrix-server/tasks/register_user.yml @@ -1,24 +1,31 @@ --- - name: Fail if playbook called incorrectly - fail: msg="The `username` variable needs to be provided to this playbook, via --extra-vars" + fail: + msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" when: "username is not defined or username == ''" - name: Fail if playbook called incorrectly - fail: msg="The `password` variable needs to be provided to this playbook, via --extra-vars" + fail: + msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" when: "password is not defined or password == ''" - name: Fail if playbook called incorrectly - fail: msg="The `admin` variable needs to be provided to this playbook, via --extra-vars" + fail: + msg: "The `admin` variable needs to be provided to this playbook, via --extra-vars" when: "admin is not defined or admin not in ['yes', 'no']" - name: Ensure matrix-synapse is started - service: name=matrix-synapse state=started daemon_reload=yes + service: + name: matrix-synapse + state: started + daemon_reload: yes register: start_result - name: Wait a while, so that Matrix Synapse can manage to start - pause: seconds=7 + pause: + seconds: 7 when: start_result.changed - name: Register user - shell: "/usr/local/bin/matrix-synapse-register-user {{ username }} {{ password }} {{ '1' if admin == 'yes' else '0' }}" \ No newline at end of file + shell: "/usr/local/bin/matrix-synapse-register-user {{ username }} {{ password }} {{ '1' if admin == 'yes' else '0' }}" diff --git a/roles/matrix-server/tasks/setup/setup_base.yml b/roles/matrix-server/tasks/setup/setup_base.yml index 14c288d7..5a41bd73 100644 --- a/roles/matrix-server/tasks/setup/setup_base.yml +++ b/roles/matrix-server/tasks/setup/setup_base.yml @@ -68,11 +68,17 @@ when: ansible_os_family == 'Debian' - name: Ensure firewalld is started and autoruns - service: name=firewalld state=started enabled=yes + service: + name: firewalld + state: started + enabled: yes when: ansible_os_family == 'RedHat' - name: Ensure Docker is started and autoruns - service: name=docker state=started enabled=yes + service: + name: docker + state: started + enabled: yes - name: Ensure ntpd is started and autoruns service: diff --git a/roles/matrix-server/tasks/setup/setup_goofys.yml b/roles/matrix-server/tasks/setup/setup_goofys.yml index 77004f0e..d08940ce 100644 --- a/roles/matrix-server/tasks/setup/setup_goofys.yml +++ b/roles/matrix-server/tasks/setup/setup_goofys.yml @@ -9,7 +9,8 @@ # This will throw a Permission Denied error if already mounted - name: Check Matrix Goofys external storage mountpoint path - stat: path="{{ matrix_synapse_media_store_path }}" + stat: + path: "{{ matrix_synapse_media_store_path }}" register: local_path_matrix_synapse_media_store_path_stat ignore_errors: yes when: matrix_s3_media_store_enabled @@ -43,11 +44,15 @@ # - name: Check existence of matrix-goofys service - stat: path="/etc/systemd/system/matrix-goofys.service" + stat: + path: "/etc/systemd/system/matrix-goofys.service" register: matrix_goofys_service_stat - name: Ensure matrix-goofys is stopped - service: name=matrix-goofys state=stopped daemon_reload=yes + service: + name: matrix-goofys + state: stopped + daemon_reload: yes register: stopping_result when: "not matrix_s3_media_store_enabled and matrix_goofys_service_stat.stat.exists" diff --git a/roles/matrix-server/tasks/setup/setup_mailer.yml b/roles/matrix-server/tasks/setup/setup_mailer.yml index fc8fb22f..1879917b 100644 --- a/roles/matrix-server/tasks/setup/setup_mailer.yml +++ b/roles/matrix-server/tasks/setup/setup_mailer.yml @@ -29,11 +29,15 @@ # - name: Check existence of matrix-mailer service - stat: path="/etc/systemd/system/matrix-mailer.service" + stat: + path: "/etc/systemd/system/matrix-mailer.service" register: matrix_mailer_service_stat - name: Ensure matrix-mailer is stopped - service: name=matrix-mailer state=stopped daemon_reload=yes + service: + name: matrix-mailer + state: stopped + daemon_reload: yes register: stopping_result when: "not matrix_mailer_enabled and matrix_mailer_service_stat.stat.exists" @@ -53,4 +57,4 @@ docker_image: name: "{{ matrix_mailer_docker_image }}" state: absent - when: "not matrix_mailer_enabled" \ No newline at end of file + when: "not matrix_mailer_enabled" diff --git a/roles/matrix-server/tasks/setup/setup_mxisd.yml b/roles/matrix-server/tasks/setup/setup_mxisd.yml index 5a76d372..e80ddbbf 100644 --- a/roles/matrix-server/tasks/setup/setup_mxisd.yml +++ b/roles/matrix-server/tasks/setup/setup_mxisd.yml @@ -52,11 +52,15 @@ # - name: Check existence of matrix-mxisd service - stat: path="/etc/systemd/system/matrix-mxisd.service" + stat: + path: "/etc/systemd/system/matrix-mxisd.service" register: matrix_mxisd_service_stat - name: Ensure matrix-mxisd is stopped - service: name=matrix-mxisd state=stopped daemon_reload=yes + service: + name: matrix-mxisd + state: stopped + daemon_reload: yes register: stopping_result when: "not matrix_mxisd_enabled and matrix_mxisd_service_stat.stat.exists" @@ -76,4 +80,4 @@ docker_image: name: "{{ matrix_mxisd_docker_image }}" state: absent - when: "not matrix_mxisd_enabled" \ No newline at end of file + when: "not matrix_mxisd_enabled" diff --git a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml index 8a4b1029..b0a881a2 100644 --- a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml +++ b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml @@ -69,11 +69,15 @@ # - name: Check existence of matrix-nginx-proxy service - stat: path="/etc/systemd/system/matrix-nginx-proxy.service" + stat: + path: "/etc/systemd/system/matrix-nginx-proxy.service" register: matrix_nginx_proxy_service_stat - name: Ensure matrix-nginx-proxy is stopped - service: name=matrix-nginx-proxy state=stopped daemon_reload=yes + service: + name: matrix-nginx-proxy + state: stopped + daemon_reload: yes register: stopping_result when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists" diff --git a/roles/matrix-server/tasks/setup/setup_postgres.yml b/roles/matrix-server/tasks/setup/setup_postgres.yml index aaadec90..5ffa3ebc 100644 --- a/roles/matrix-server/tasks/setup/setup_postgres.yml +++ b/roles/matrix-server/tasks/setup/setup_postgres.yml @@ -69,12 +69,16 @@ # - name: Check existence of matrix-postgres service - stat: path="/etc/systemd/system/matrix-postgres.service" + stat: + path: "/etc/systemd/system/matrix-postgres.service" register: matrix_postgres_service_stat when: matrix_postgres_use_external - name: Ensure matrix-postgres is stopped - service: name=matrix-postgres state=stopped daemon_reload=yes + service: + name: matrix-postgres + state: stopped + daemon_reload: yes when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists" - name: Ensure matrix-postgres.service doesn't exist @@ -84,7 +88,8 @@ when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists" - name: Check existence of matrix-postgres local data path - stat: path="{{ matrix_postgres_data_path }}" + stat: + path: "{{ matrix_postgres_data_path }}" register: matrix_postgres_data_path_stat when: matrix_postgres_use_external diff --git a/roles/matrix-server/tasks/setup/setup_riot_web.yml b/roles/matrix-server/tasks/setup/setup_riot_web.yml index 60b1cdcd..5a279074 100644 --- a/roles/matrix-server/tasks/setup/setup_riot_web.yml +++ b/roles/matrix-server/tasks/setup/setup_riot_web.yml @@ -43,11 +43,15 @@ # - name: Check existence of matrix-riot-web service - stat: path="/etc/systemd/system/matrix-riot-web.service" + stat: + path: "/etc/systemd/system/matrix-riot-web.service" register: matrix_riot_web_service_stat - name: Ensure matrix-riot-web is stopped - service: name=matrix-riot-web state=stopped daemon_reload=yes + service: + name: matrix-riot-web + state: stopped + daemon_reload: yes register: stopping_result when: "not matrix_riot_web_enabled and matrix_riot_web_service_stat.stat.exists" diff --git a/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml b/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml index 2ea8bb29..25a04d56 100644 --- a/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml +++ b/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml @@ -33,7 +33,8 @@ mode: 0644 when: "matrix_mautrix_telegram_enabled" -- stat: "path={{ matrix_mautrix_telegram_base_path }}/registration.yaml" +- stat: + path: "{{ matrix_mautrix_telegram_base_path }}/registration.yaml" register: mautrix_telegram_registration_file - name: Generate matrix-mautrix-telegram registration.yaml if it doesn't exist diff --git a/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml b/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml index eb4ed171..6afc4947 100644 --- a/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml +++ b/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml @@ -33,7 +33,8 @@ mode: 0644 when: "matrix_mautrix_whatsapp_enabled" -- stat: "path={{ matrix_mautrix_whatsapp_base_path }}/registration.yaml" +- stat: + path: "{{ matrix_mautrix_whatsapp_base_path }}/registration.yaml" register: mautrix_whatsapp_registration_file - name: Generate matrix-mautrix-whatsapp registration.yaml if it doesn't exist diff --git a/roles/matrix-server/tasks/setup/synapse/setup_synapse_main.yml b/roles/matrix-server/tasks/setup/synapse/setup_synapse_main.yml index 6264abce..8466770c 100644 --- a/roles/matrix-server/tasks/setup/synapse/setup_synapse_main.yml +++ b/roles/matrix-server/tasks/setup/synapse/setup_synapse_main.yml @@ -2,7 +2,8 @@ # This will throw a Permission Denied error if already mounted using fuse - name: Check Matrix Synapse media store path - stat: path="{{ matrix_synapse_media_store_path }}" + stat: + path: "{{ matrix_synapse_media_store_path }}" register: local_path_media_store_stat ignore_errors: yes diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index 4e5373c4..bbdf09f6 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -1,43 +1,87 @@ --- - name: Ensure matrix-postgres autoruns and is restarted - service: name=matrix-postgres enabled=yes state=restarted daemon_reload=yes + service: + name: matrix-postgres + enabled: yes + state: restarted + daemon_reload: yes when: "not matrix_postgres_use_external" - name: Ensure matrix-goofys autoruns and is restarted - service: name=matrix-goofys enabled=yes state=restarted daemon_reload=yes + service: + name: matrix-goofys + enabled: yes + state: restarted + daemon_reload: yes when: matrix_s3_media_store_enabled - name: Ensure matrix-coturn autoruns and is restarted - service: name=matrix-coturn enabled=yes state=restarted daemon_reload=yes + service: + name: matrix-coturn + enabled: yes + state: restarted + daemon_reload: yes - name: Ensure matrix-mailer autoruns and is restarted - service: name=matrix-mailer enabled=yes state=restarted daemon_reload=yes + service: + name: matrix-mailer + enabled: yes + state: restarted + daemon_reload: yes when: matrix_mailer_enabled - name: Ensure matrix-mxisd autoruns and is restarted - service: name=matrix-mxisd enabled=yes state=restarted daemon_reload=yes + service: + name: matrix-mxisd + enabled: yes + state: restarted + daemon_reload: yes when: matrix_mxisd_enabled - name: Ensure matrix-synapse autoruns and is restarted - service: name=matrix-synapse enabled=yes state=restarted daemon_reload=yes + service: + name: matrix-synapse + enabled: yes + state: restarted + daemon_reload: yes - name: Ensure matrix-riot-web autoruns and is restarted - service: name=matrix-riot-web enabled=yes state=restarted daemon_reload=yes + service: + name: matrix-riot-web + enabled: yes + state: restarted + daemon_reload: yes when: matrix_riot_web_enabled - name: Ensure matrix-nginx-proxy autoruns and is restarted - service: name=matrix-nginx-proxy enabled=yes state=restarted daemon_reload=yes + service: + name: matrix-nginx-proxy + enabled: yes + state: restarted + daemon_reload: yes when: matrix_nginx_proxy_enabled - name: Ensure matrix-corporal autoruns and is restarted - service: name=matrix-corporal enabled=yes state=restarted daemon_reload=yes + service: + name: matrix-corporal + enabled: yes + state: restarted + daemon_reload: yes when: matrix_corporal_enabled - name: Ensure matrix-mautrix-telegram autoruns and is restarted - service: name=matrix-mautrix-telegram enabled=yes state=restarted daemon_reload=yes + service: + name: matrix-mautrix-telegram + enabled: yes + state: restarted + daemon_reload: yes when: matrix_mautrix_telegram_enabled - name: Ensure matrix-mautrix-whatsapp autoruns and is restarted - service: name=matrix-mautrix-whatsapp enabled=yes state=restarted daemon_reload=yes + service: + name: matrix-mautrix-whatsapp + enabled: yes + state: restarted + daemon_reload: yes when: matrix_mautrix_whatsapp_enabled diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-server/tasks/upgrade_postgres.yml index 6572d1e3..69955b30 100644 --- a/roles/matrix-server/tasks/upgrade_postgres.yml +++ b/roles/matrix-server/tasks/upgrade_postgres.yml @@ -38,21 +38,28 @@ - import_tasks: tasks/util/detect_existing_postgres_version.yml - name: Abort, if no existing Postgres version detected - fail: msg="Could not find existing Postgres installation" + fail: + msg: "Could not find existing Postgres installation" when: "not matrix_postgres_detected_existing" - name: Abort, if already at latest Postgres version - fail: msg="You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do" + fail: + msg: "You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do" when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest" - debug: msg: "Upgrading database from {{ matrix_postgres_detected_version_corresponding_docker_image }} to {{ matrix_postgres_docker_image_latest }}" - name: Ensure matrix-synapse is stopped - service: name=matrix-synapse state=stopped + service: + name: matrix-synapse + state: stopped - name: Ensure matrix-postgres is started - service: name=matrix-postgres state=started daemon_reload=yes + service: + name: matrix-postgres + state: started + daemon_reload: yes - name: Wait a bit, so that Postgres can start wait_for: @@ -69,7 +76,9 @@ {{ matrix_postgres_detected_version_corresponding_docker_image }} pg_dump -h matrix-postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }} - name: Ensure matrix-postgres is stopped - service: name=matrix-postgres state=stopped + service: + name: matrix-postgres + state: stopped - name: Rename existing Postgres data directory command: "mv {{ matrix_postgres_data_path }} {{ postgres_auto_upgrade_backup_data_path }}" @@ -80,7 +89,11 @@ - import_tasks: tasks/setup/setup_postgres.yml - name: Ensure matrix-postgres autoruns and is restarted - service: name=matrix-postgres enabled=yes state=restarted daemon_reload=yes + service: + name: matrix-postgres + enabled: yes + state: restarted + daemon_reload: yes - name: Wait a bit, so that Postgres can start wait_for: @@ -102,7 +115,10 @@ state: absent - name: Ensure matrix-synapse is started - service: name=matrix-synapse state=started daemon_reload=yes + service: + name: matrix-synapse + state: started + daemon_reload: yes - debug: msg: "NOTE: Your old Postgres data directory is preserved at `{{ postgres_auto_upgrade_backup_data_path }}`. You might want to get rid of it once you've confirmed that all is well." From f92c4d5a27d7758fcf7e3b0c5dc3e4949756facc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 8 Jan 2019 10:19:45 +0200 Subject: [PATCH 0276/2384] Use Ansible dig lookup instead of calling the dig program This means we no longer have a dependency on the `dig` program, but we do have a dependency on `dnspython`. Improves things as suggested in #65 (Github issue). --- .../tasks/self_check/self_check_dns.yml | 25 +++++++++---------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/roles/matrix-server/tasks/self_check/self_check_dns.yml b/roles/matrix-server/tasks/self_check/self_check_dns.yml index b4afce30..e3849619 100644 --- a/roles/matrix-server/tasks/self_check/self_check_dns.yml +++ b/roles/matrix-server/tasks/self_check/self_check_dns.yml @@ -1,24 +1,23 @@ --- +# This requires the dnspython library and will fail with a friendly error when unavailable. - name: Check DNS SRV record - shell: - cmd: "dig -t srv {{ ('_matrix._tcp.' + hostname_identity + '.')|quote }}" - register: result_dig_srv - changed_when: false - ignore_errors: true + set_fact: + result_dig_srv: "{{ lookup('dig', ('_matrix._tcp.' + hostname_identity + './SRV'), 'flat=0', wantlist=False) }}" -- name: Fail if dig failed +- name: Fail if DNS SRV record missing fail: - msg: "Failed checking DNS SRV record. You likely don't have the `dig` program installed locally. Full error: {{ result_dig_srv }}" - when: "result_dig_srv.stderr != ''" + msg: "It appears the DNS SRV record for {{ hostname_identity }} is not set up correctly (the record is missing). See the 'Configuring DNS' documentation for this playbook." + when: "result_dig_srv == 'NXDOMAIN'" -# We expect an answer like this: -# ;; ANSWER SECTION: -# _matrix._tcp.DOMAIN. 10800 IN SRV 10 0 8448 matrix.DOMAIN. - name: Fail if DNS SRV record incorrect fail: - msg: "It appears the DNS SRV record for {{ hostname_identity }} is not set up correctly. See the 'Configuring DNS' documentation for this playbook. Full DNS answer was: {{ result_dig_srv.stdout }}" - when: "('8448 ' + hostname_matrix) not in result_dig_srv.stdout" + msg: > + It appears the DNS SRV record for {{ hostname_identity }} is not set up correctly. + Expected it to point to `{{ (hostname_matrix + '.') }}` (port 8448). + Found it pointing to `{{ result_dig_srv.target }}` (port {{ result_dig_srv.port }}). + See the 'Configuring DNS' documentation for this playbook. + when: "result_dig_srv.target != (hostname_matrix + '.') or result_dig_srv.port != 8448" - name: Report correct DNS SRV record debug: From ef2dc3745aab2d5d7adc8295314b5125ad08fd43 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 8 Jan 2019 10:39:22 +0200 Subject: [PATCH 0277/2384] Check DNS SRV record for _matrix-identity._tcp when mxisd enabled --- .../tasks/self_check/self_check_dns.yml | 40 ++++++++++--------- .../tasks/self_check/self_check_dns_srv.yml | 26 ++++++++++++ 2 files changed, 48 insertions(+), 18 deletions(-) create mode 100644 roles/matrix-server/tasks/self_check/self_check_dns_srv.yml diff --git a/roles/matrix-server/tasks/self_check/self_check_dns.yml b/roles/matrix-server/tasks/self_check/self_check_dns.yml index e3849619..b9f1706e 100644 --- a/roles/matrix-server/tasks/self_check/self_check_dns.yml +++ b/roles/matrix-server/tasks/self_check/self_check_dns.yml @@ -1,24 +1,28 @@ --- -# This requires the dnspython library and will fail with a friendly error when unavailable. -- name: Check DNS SRV record +- name: Determine DNS SRV records to check (Matrix) set_fact: - result_dig_srv: "{{ lookup('dig', ('_matrix._tcp.' + hostname_identity + './SRV'), 'flat=0', wantlist=False) }}" + dns_srv_record_checks: + - service_and_protocol: "_matrix._tcp" + domain: "{{ (hostname_identity + '.') }}" + expected_target: "{{ (hostname_matrix + '.') }}" + expected_port: 8448 -- name: Fail if DNS SRV record missing - fail: - msg: "It appears the DNS SRV record for {{ hostname_identity }} is not set up correctly (the record is missing). See the 'Configuring DNS' documentation for this playbook." - when: "result_dig_srv == 'NXDOMAIN'" +- block: + - set_fact: + dns_srv_record_check_mxisd: + service_and_protocol: "_matrix-identity._tcp" + domain: "{{ (hostname_identity + '.') }}" + expected_target: "{{ (hostname_matrix + '.') }}" + expected_port: 443 -- name: Fail if DNS SRV record incorrect - fail: - msg: > - It appears the DNS SRV record for {{ hostname_identity }} is not set up correctly. - Expected it to point to `{{ (hostname_matrix + '.') }}` (port 8448). - Found it pointing to `{{ result_dig_srv.target }}` (port {{ result_dig_srv.port }}). - See the 'Configuring DNS' documentation for this playbook. - when: "result_dig_srv.target != (hostname_matrix + '.') or result_dig_srv.port != 8448" + - name: Determine domains that we require certificates for (mxisd) + set_fact: + dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_mxisd] }}" + when: "matrix_mxisd_enabled" -- name: Report correct DNS SRV record - debug: - msg: "The DNS SRV record for {{ hostname_identity }} points to {{ hostname_matrix }}, as expected" \ No newline at end of file +- name: Perform DNS SRV checks + include_tasks: "{{ role_path }}/tasks/self_check/self_check_dns_srv.yml" + with_items: "{{ dns_srv_record_checks }}" + loop_control: + loop_var: dns_srv_record_check \ No newline at end of file diff --git a/roles/matrix-server/tasks/self_check/self_check_dns_srv.yml b/roles/matrix-server/tasks/self_check/self_check_dns_srv.yml new file mode 100644 index 00000000..249b10ee --- /dev/null +++ b/roles/matrix-server/tasks/self_check/self_check_dns_srv.yml @@ -0,0 +1,26 @@ +--- + +# This requires the dnspython library and will fail with a friendly error when unavailable. +- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} + set_fact: + result_dig_srv: "{{ lookup('dig', (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain + '/SRV'), 'flat=0', wantlist=False) }}" + +- name: Fail if DNS SRV record missing + fail: + msg: "It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly (the record is missing). See the 'Configuring DNS' documentation for this playbook." + when: "result_dig_srv == 'NXDOMAIN'" + +- name: Fail if DNS SRV record incorrect + fail: + msg: > + It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly. + Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}). + Found it pointing to `{{ result_dig_srv.target }}` (port {{ result_dig_srv.port }}). + See the 'Configuring DNS' documentation for this playbook. + when: "result_dig_srv.target != dns_srv_record_check.expected_target or result_dig_srv.port != dns_srv_record_check.expected_port" + +- name: Report correct DNS SRV record + debug: + msg: > + The DNS SRV record for `{{ dns_srv_record_check.service_and_protocol }}` on `{{ dns_srv_record_check.domain }}` + points to `{{ result_dig_srv.target }}` (port {{ dns_srv_record_check.expected_port }}), as expected \ No newline at end of file From b222d26c86e3859b51fd56cf55e45c0b9fafa567 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 8 Jan 2019 12:24:59 +0200 Subject: [PATCH 0278/2384] Switch to managing cronjobs with the Ansible cron module As suggested in #65 (Github issue), this patch switches cronjob management from using templates to using Ansible's `cron` module. It also moves the management of the nginx-reload cronjob to `setup_ssl_lets_encrypt.yml`, which is a more fitting place for it (given that this cronjob is only required when Let's Encrypt is used). Pros: - using a module is more Ansible-ish than templating our own files in special directories - more reliable: will fail early (during playbook execution) if `/usr/bin/crontab` is not available, which is more of a guarantee that cron is working fine (idea: we should probably install some cron package using the playbook) Cons: - invocation schedule is no longer configurable, unless we define individual variables for everything or do something smart (splitting on ' ', etc.). Likely not necessary, however. - requires us to deprecate and clean-up after the old way of managing cronjobs, because it's not compatible (using the same file as before means appending additional jobs to it) --- CHANGELOG.md | 12 +++ roles/matrix-server/defaults/main.yml | 3 - .../tasks/setup/setup_nginx_proxy.yml | 13 +-- .../setup/ssl/setup_ssl_lets_encrypt.yml | 81 +++++++++++++++---- .../matrix-nginx-proxy-periodic-restarter.j2 | 8 -- .../cron.d/matrix-ssl-certificate-renewal.j2 | 11 --- ...ix-ssl-lets-encrypt-certificates-renew.j2} | 0 7 files changed, 80 insertions(+), 48 deletions(-) delete mode 100644 roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 delete mode 100644 roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 rename roles/matrix-server/templates/usr-local-bin/{matrix-ssl-certificates-renew.j2 => matrix-ssl-lets-encrypt-certificates-renew.j2} (100%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 500ec36b..58af939e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# 2019-01-08 + +## (BC Break) Cronjob schedule no longer configurable + +Due to the way we manage cronjobs now, you can no longer configure the schedule they're invoked at. + +If you were previously using `matrix_ssl_lets_encrypt_renew_cron_time_definition` or `matrix_nginx_proxy_reload_cron_time_definition` +to set a custom schedule, you should note that these variables don't affect anything anymore. + +If you miss this functionality, please [open an Issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/new) and let us know about your use case! + + # 2018-12-23 ## (BC Break) More SSL certificate retrieval methods diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 15e7dfce..a6870ea6 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -408,9 +408,6 @@ matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.29.1" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}" -# Specifies when to attempt to retrieve new SSL certificates from Let's Encrypt. -matrix_ssl_lets_encrypt_renew_cron_time_definition: "15 4 */5 * *" - matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" diff --git a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml index b0a881a2..123f9791 100644 --- a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml +++ b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml @@ -31,6 +31,7 @@ - "matrix-synapse.conf" - "matrix-riot-web.conf" + # # Tasks related to setting up matrix-nginx-proxy # @@ -57,12 +58,6 @@ mode: 0644 when: matrix_nginx_proxy_enabled -- name: Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal) - template: - src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2" - dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter" - mode: 0600 - when: "matrix_nginx_proxy_enabled and matrix_ssl_retrieval_method == 'lets-encrypt'" # # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled) @@ -86,9 +81,3 @@ path: "/etc/systemd/system/matrix-nginx-proxy.service" state: absent when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists" - -- name: Ensure periodic restarting of matrix-nginx-proxy is removed - file: - path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter" - state: absent - when: "not matrix_nginx_proxy_enabled or matrix_ssl_retrieval_method != 'lets-encrypt'" diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml index 0063242b..add067d2 100644 --- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml @@ -1,5 +1,17 @@ --- +# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name. +# This migration task can be removed some time in the future. +- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files + file: + path: "{{ item }}" + state: absent + with_items: + - /usr/local/bin/matrix-ssl-certificates-renew + - /etc/cron.d/matrix-ssl-certificate-renewal + - /etc/cron.d/matrix-nginx-proxy-periodic-restarter + + # # Tasks related to setting up Let's Encrypt's management of certificates # @@ -32,18 +44,44 @@ loop_var: domain_name when: "matrix_ssl_retrieval_method == 'lets-encrypt'" -- name: Ensure SSL renewal script installed +- name: Ensure Let's Encrypt SSL renewal script installed template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-certificates-renew.j2" - dest: "/usr/local/bin/matrix-ssl-certificates-renew" + src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2" + dest: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew mode: 0750 when: "matrix_ssl_retrieval_method == 'lets-encrypt'" -- name: Ensure periodic SSL renewal cronjob configured - template: - src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2" - dest: "/etc/cron.d/matrix-ssl-certificate-renewal" - mode: 0600 +- block: + - name: Ensure periodic SSL renewal cronjob configured (MAILTO) + cron: + user: root + cron_file: matrix-ssl-lets-encrypt + env: yes + name: MAILTO + value: "{{ matrix_ssl_lets_encrypt_support_email }}" + + - name: Ensure periodic SSL renewal cronjob configured (matrix-ssl-lets-encrypt-certificates-renew) + cron: + user: root + cron_file: matrix-ssl-lets-encrypt + name: matrix-ssl-lets-encrypt-certificates-renew + state: present + hour: 4 + minute: 15 + day: "*/5" + job: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew + + - name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload) + cron: + user: root + cron_file: matrix-ssl-lets-encrypt + name: matrix-nginx-proxy-reload + state: present + hour: 4 + minute: 20 + day: "*/5" + job: /usr/bin/systemctl reload matrix-nginx-proxy.service + when: matrix_nginx_proxy_enabled when: "matrix_ssl_retrieval_method == 'lets-encrypt'" @@ -51,11 +89,26 @@ # Tasks related to getting rid of Let's Encrypt's management of certificates # -- name: Ensure Let's Encrypt SSL certificate management files removed - file: - path: "{{ item }}" +# When nginx-proxy is disabled, make sure its reloading cronjob is gone. +# Other cronjobs can potentially remain there (see below). +- name: Ensure matrix-nginx-proxy-reload cronjob removed + cron: + user: root + cron_file: matrix-ssl-lets-encrypt + name: matrix-nginx-proxy-reload + state: absent + when: "not matrix_nginx_proxy_enabled" + +# When Let's Encrypt is not used at all, remove all cronjobs in that cron file. +- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed + cron: + user: root + cron_file: matrix-ssl-lets-encrypt state: absent - with_items: - - /usr/local/bin/matrix-ssl-certificates-renew - - /etc/cron.d/matrix-ssl-certificate-renewal when: "matrix_ssl_retrieval_method != 'lets-encrypt'" + +- name: Ensure Let's Encrypt SSL renewal script removed + file: + path: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew + state: absent + when: "matrix_ssl_retrieval_method != 'lets-encrypt'" \ No newline at end of file diff --git a/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 b/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 deleted file mode 100644 index 0cfa2a7b..00000000 --- a/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 +++ /dev/null @@ -1,8 +0,0 @@ -MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}" - -# This periodically reloads the matrix-nginx-proxy service -# to ensure it's using the latest SSL certificate -# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob -# (which happens once every ~2-3 months). - -{{ matrix_nginx_proxy_reload_cron_time_definition }} root /usr/bin/systemctl reload matrix-nginx-proxy.service diff --git a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 deleted file mode 100644 index b8eb8ce8..00000000 --- a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 +++ /dev/null @@ -1,11 +0,0 @@ -MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}" - -# The goal of this cronjob is to ask certbot to check -# the current SSL certificates and to see if some need renewal. -# If so, it would attempt to renew. -# -# Various services depend on these certificates and would need to be restarted. -# This is not our concern here. We simply make sure the certificates are up to date. -# Restarting of services happens on its own different schedule (other cronjobs). - -{{ matrix_ssl_lets_encrypt_renew_cron_time_definition }} root /bin/bash /usr/local/bin/matrix-ssl-certificates-renew diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-ssl-certificates-renew.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 similarity index 100% rename from roles/matrix-server/templates/usr-local-bin/matrix-ssl-certificates-renew.j2 rename to roles/matrix-server/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 From 00ae4350441eae52b1a91f18cbf0365fcd7e4e3f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 8 Jan 2019 13:10:12 +0200 Subject: [PATCH 0279/2384] Use |to_json filter for serializing booleans to JSON This should account for all cases where we were still doing such a thing. Improvement suggested in #65 (Github issue). --- roles/matrix-server/templates/corporal/config.json.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/templates/corporal/config.json.j2 b/roles/matrix-server/templates/corporal/config.json.j2 index f86560ba..70fb3683 100644 --- a/roles/matrix-server/templates/corporal/config.json.j2 +++ b/roles/matrix-server/templates/corporal/config.json.j2 @@ -17,7 +17,7 @@ }, "HttpApi": { - "Enabled": {{ 'true' if matrix_corporal_http_api_enabled else 'false' }}, + "Enabled": {{ matrix_corporal_http_api_enabled|to_json }}, "ListenAddress": "0.0.0.0:41081", "AuthorizationBearerToken": "{{ matrix_corporal_http_api_auth_token }}" }, @@ -25,6 +25,6 @@ "PolicyProvider": {{ matrix_corporal_policy_provider_config }}, "Misc": { - "Debug": {{ 'true' if matrix_corporal_debug else 'false' }} + "Debug": {{ matrix_corporal_debug|to_json }} } } From 46c5d11d56b7d2030785a480ba1797920807ed38 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 10 Jan 2019 19:29:56 +0200 Subject: [PATCH 0280/2384] Update components --- roles/matrix-server/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index a6870ea6..e43d97f2 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -27,7 +27,7 @@ matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_se matrix_docker_network: "matrix" -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.34.0-py3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.34.1.1-py3" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" @@ -367,7 +367,7 @@ matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp # and take care of proxying by yourself. matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_docker_image: "nginx:1.15.7-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" @@ -404,7 +404,7 @@ matrix_ssl_retrieval_method: "lets-encrypt" # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.29.1" +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}" From fca2f2e036804b336e184edcd2d8cc93b3a630a1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 11 Jan 2019 01:03:35 +0200 Subject: [PATCH 0281/2384] Catch misconfigured REST Auth password provider during installation --- .../tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml b/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml index 09a5708d..9cdb5a2d 100644 --- a/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml +++ b/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml @@ -4,6 +4,11 @@ # Tasks related to setting up matrix-synapse-rest-auth # +- name: Fail if REST Auth enabled, but endpoint not configured + fail: + msg: "You have enabled the REST Auth password provider, but have not configured its endpoint in the `matrix_synapse_ext_password_provider_rest_auth_endpoint` variable. Consult the documentation." + when: "matrix_synapse_ext_password_provider_rest_auth_enabled and matrix_synapse_ext_password_provider_rest_auth_endpoint == ''" + - name: Download matrix-synapse-rest-auth get_url: url: "{{ matrix_synapse_ext_password_provider_rest_auth_download_url }}" From 9a9b7383e9b4b50a5b1a30ad3085f0706edc62fb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 11 Jan 2019 19:33:54 +0200 Subject: [PATCH 0282/2384] Completely redo how mxisd configuration gets generated This change is provoked by a few different things: - #54 (Github Pull Request), which rightfully says that we need a way to support ALL mxisd configuration options easily - the upcoming mxisd 1.3.0 release, which drops support for property-style configuration (dot-notation), forcing us to redo the way we generate the configuration file With this, mxisd is much more easily configurable now and much more easily maintaneable by us in the future (no need to introduce additional playbook variables and logic). --- CHANGELOG.md | 40 ++++++++ docs/configuring-playbook-mxisd.md | 8 +- roles/matrix-server/defaults/main.yml | 95 ++++++++++++------- .../matrix-server/tasks/setup/setup_mxisd.yml | 47 +++++++-- .../templates/mxisd/mxisd.yaml.j2 | 69 -------------- 5 files changed, 148 insertions(+), 111 deletions(-) delete mode 100644 roles/matrix-server/templates/mxisd/mxisd.yaml.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 58af939e..3e81354c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,43 @@ +# 2019-01-11 + +## (BC Break) mxisd configuration changes + +To be more flexible and to support the upcoming [mxisd](https://github.com/kamax-io/mxisd) 1.3.0 (when it gets released), +we've had to redo how mxisd gets configured. + +The following variables are no longer supported by this playbook: + +- `matrix_mxisd_ldap_enabled` +- `matrix_mxisd_ldap_connection_host` +- `matrix_mxisd_ldap_connection_tls` +- `matrix_mxisd_ldap_connection_port` +- `matrix_mxisd_ldap_connection_baseDn` +- `matrix_mxisd_ldap_connection_baseDns` +- `matrix_mxisd_ldap_connection_bindDn` +- `matrix_mxisd_ldap_connection_bindDn` +- `matrix_mxisd_ldap_connection_bindPassword` +- `matrix_mxisd_ldap_filter` +- `matrix_mxisd_ldap_attribute_uid_type` +- `matrix_mxisd_ldap_attribute_uid_value` +- `matrix_mxisd_ldap_connection_bindPassword` +- `matrix_mxisd_ldap_attribute_name` +- `matrix_mxisd_ldap_attribute_threepid_email` +- `matrix_mxisd_ldap_attribute_threepid_msisdn` +- `matrix_mxisd_ldap_identity_filter` +- `matrix_mxisd_ldap_identity_medium` +- `matrix_mxisd_ldap_auth_filter` +- `matrix_mxisd_ldap_directory_filter` +- `matrix_mxisd_template_config` + +You are encouraged to use the `matrix_mxisd_configuration_extension_yaml` variable to define your own mxisd configuration additions and overrides. +Refer to the [default variables file](roles/matrix-server/defaults/main.yml) for more information. + +This new way of configuring mxisd is beneficial because: + +- it lets us support all mxisd configuration options, as the playbook simply forwards them to mxisd without needing to care or understand them +- it lets you upgrade to newer mxisd versions and make use of their features, without us having to add support for them explicitly + + # 2019-01-08 ## (BC Break) Cronjob schedule no longer configurable diff --git a/docs/configuring-playbook-mxisd.md b/docs/configuring-playbook-mxisd.md index ae6be2c2..5e95da45 100644 --- a/docs/configuring-playbook-mxisd.md +++ b/docs/configuring-playbook-mxisd.md @@ -22,10 +22,14 @@ matrix_mxisd_matrixorg_forwarding_enabled: true What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services. +A few variables can be toggled in this playbook to alter the mxisd configuration that gets generated. + Still, mxisd can do much more. -You can refer to the [mxisd website](https://github.com/kamax-io/mxisd) for more details. +You can refer to the [mxisd website](https://github.com/kamax-io/mxisd) for more details and configuration options. -You can override the `matrix_mxisd_template_config` variable and use your own custom configuration template. +To use a more custom configuration, you can define a `matrix_mxisd_configuration_extension_yaml` string variable +and put your configuration in it. +To learn more about how to do this, refer to the information about `matrix_mxisd_configuration_extension_yaml` in the [default variables file](../roles/matrix-server/defaults/main.yml). ## Troubleshooting diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index e43d97f2..26186d33 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -239,44 +239,73 @@ matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" matrix_mxisd_matrixorg_forwarding_enabled: false # mxisd has serveral supported identity stores. -# One of them is storing identities directly in Synapse's database. +# One of them (which we enable by default) is storing identities directly in Synapse's database. # Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md +# +# If you need to disable this in favor of some other store, you can toggle it to disabled here +# and add your own mxisd configuration for the other store in `matrix_mxisd_configuration_extension_yaml`. matrix_mxisd_synapsesql_enabled: true matrix_mxisd_synapsesql_type: postgresql matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }} -# LDAP is another identity store that's supported by mxisd. -# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/ldap.md -matrix_mxisd_ldap_enabled: false -matrix_mxisd_ldap_connection_host: ldapHostnameOrIp -matrix_mxisd_ldap_connection_tls: false -matrix_mxisd_ldap_connection_port: 389 -matrix_mxisd_ldap_connection_baseDns: ['OU=Users,DC=example,DC=org'] -matrix_mxisd_ldap_connection_bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org -matrix_mxisd_ldap_connection_bindPassword: TheUserPassword -# The following keys are optional: -# matrix_mxisd_ldap_filter: "" -# matrix_mxisd_ldap_attribute_uid_type: uid -# matrix_mxisd_ldap_attribute_uid_value: sAMAccountName -# matrix_mxisd_ldap_attribute_name: cn -# matrix_mxisd_ldap_attribute_threepid_email: -# - mail -# - otherMailAttribute -# matrix_mxisd_ldap_attribute_threepid_msisdn: -# - phone -# - otherPhoneAttribute -# matrix_mxisd_ldap_identity_filter: "" -# matrix_mxisd_ldap_identity_medium: "" -# matrix_mxisd_ldap_auth_filter: "" -# matrix_mxisd_ldap_directory_filter: "" - - -# Specifies which template files to use when configuring mxisd. -# If you'd like to have your own different configuration, feel free to copy and paste -# the original files into your inventory (e.g. in `inventory/host_vars//`) -# and then change the specific host's `vars.yaml` file like this: -# matrix_mxisd_template_config: "{{ playbook_dir }}/inventory/host_vars//mxisd.yaml.j2" -matrix_mxisd_template_config: "{{ role_path }}/templates/mxisd/mxisd.yaml.j2" +# Default mxisd configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mxisd_configuration_yaml: | + matrix: + domain: {{ hostname_identity }} + + server: + name: {{ hostname_matrix }} + + key: + path: /var/mxisd/sign.key + + storage: + provider: + sqlite: + database: /var/mxisd/mxisd.db + + {% if matrix_mxisd_matrixorg_forwarding_enabled %} + forward: + servers: ['matrix-org'] + {% endif %} + + synapseSql: + enabled: {{ matrix_mxisd_synapsesql_enabled }} + type: {{ matrix_mxisd_synapsesql_type }} + connection: {{ matrix_mxisd_synapsesql_connection }} + +matrix_mxisd_configuration_extension_yaml: | + # Your custom YAML configuration for mxisd goes here. + # This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mxisd_configuration_yaml`. + # + # Example configuration extension follows: + # + # ldap: + # enabled: true + # connection: + # host: ldapHostnameOrIp + # tls: false + # port: 389 + # baseDns: ['OU=Users,DC=example,DC=org'] + # bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org + # bindPassword: TheUserPassword + +# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). +# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later. +matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}" + +# Holds the final mxisd configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`. +matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}" # Enable this to add support for matrix-corporal. diff --git a/roles/matrix-server/tasks/setup/setup_mxisd.yml b/roles/matrix-server/tasks/setup/setup_mxisd.yml index e80ddbbf..92514f22 100644 --- a/roles/matrix-server/tasks/setup/setup_mxisd.yml +++ b/roles/matrix-server/tasks/setup/setup_mxisd.yml @@ -4,14 +4,47 @@ # Tasks related to setting up mxisd # -- name: (Deprecation) Fail if using outdated configuration +- name: (Deprecation) Warn about mxisd variables that are not used anymore fail: - msg: "You're using the `matrix_mxisd_ldap_connection_baseDn` variable (single string), which has been superseded by `matrix_mxisd_ldap_connection_baseDns` (array of strings). See https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#bc-break-mxisd-upgrade-with-multiple-base-dn-support" - when: "matrix_mxisd_ldap_connection_baseDn is defined" + msg: > + The `{{ item }}` variable defined in your configuration is not used by this playbook anymore! + You'll need to adapt to the new way of extending mxisd configuration. + See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples. + when: "matrix_mxisd_enabled and item in vars" + with_items: + - 'matrix_mxisd_ldap_enabled' + - 'matrix_mxisd_ldap_connection_host' + - 'matrix_mxisd_ldap_connection_tls' + - 'matrix_mxisd_ldap_connection_port' + - 'matrix_mxisd_ldap_connection_baseDn' + - 'matrix_mxisd_ldap_connection_baseDns' + - 'matrix_mxisd_ldap_connection_bindDn' + - 'matrix_mxisd_ldap_connection_bindPassword' + - 'matrix_mxisd_ldap_filter' + - 'matrix_mxisd_ldap_attribute_uid_type' + - 'matrix_mxisd_ldap_attribute_uid_value' + - 'matrix_mxisd_ldap_connection_bindPassword' + - 'matrix_mxisd_ldap_attribute_name' + - 'matrix_mxisd_ldap_attribute_threepid_email' + - 'matrix_mxisd_ldap_attribute_threepid_msisdn' + - 'matrix_mxisd_ldap_identity_filter' + - 'matrix_mxisd_ldap_identity_medium' + - 'matrix_mxisd_ldap_auth_filter' + - 'matrix_mxisd_ldap_directory_filter' + - 'matrix_mxisd_template_config' + +- name: Ensure mxisd configuration does not contain any dot-notation keys + fail: + msg: > + Since version 1.3.0, mxisd will not accept property-style configuration keys. + You have defined a key (`{{ item.key }}`) which contains a dot. + Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130 + when: "matrix_mxisd_enabled and '.' in item.key" + with_dict: "{{ matrix_mxisd_configuration }}" - name: Fail if mailer is not enabled fail: - msg: "You need to enable the mailer service (matrix_mailer_enabled) to install mxisd" + msg: "You need to enable the mailer service (`matrix_mailer_enabled`) to install mxisd" when: "matrix_mxisd_enabled and not matrix_mailer_enabled" - name: Ensure mxisd paths exist @@ -32,8 +65,8 @@ when: matrix_mxisd_enabled - name: Ensure mxisd config installed - template: - src: "{{ matrix_mxisd_template_config }}" + copy: + content: "{{ matrix_mxisd_configuration|to_nice_yaml }}" dest: "{{ matrix_mxisd_config_path }}/mxisd.yaml" mode: 0644 owner: "{{ matrix_user_username }}" @@ -59,7 +92,7 @@ - name: Ensure matrix-mxisd is stopped service: name: matrix-mxisd - state: stopped + state: stopped daemon_reload: yes register: stopping_result when: "not matrix_mxisd_enabled and matrix_mxisd_service_stat.stat.exists" diff --git a/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 b/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 deleted file mode 100644 index b9c6e229..00000000 --- a/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 +++ /dev/null @@ -1,69 +0,0 @@ -matrix.domain: {{ hostname_identity }} -server.name: {{ hostname_matrix }} - -key.path: /var/mxisd/sign.key - -storage.provider.sqlite.database: /var/mxisd/mxisd.db - -threepid.medium.email.identity.from: {{ matrix_mailer_sender_address }} -threepid.medium.email.connectors.smtp.host: matrix-mailer -threepid.medium.email.connectors.smtp.port: 587 -threepid.medium.email.connectors.smtp.tls: 0 - -{% if matrix_mxisd_matrixorg_forwarding_enabled %} -forward.servers: ['matrix-org'] -{% endif %} - -synapseSql.enabled: {{ matrix_mxisd_synapsesql_enabled }} -synapseSql.type: {{ matrix_mxisd_synapsesql_type }} -synapseSql.connection: {{ matrix_mxisd_synapsesql_connection }} - -ldap.enabled: {{ matrix_mxisd_ldap_enabled }} -ldap.connection.host: {{ matrix_mxisd_ldap_connection_host }} -ldap.connection.tls: {{ matrix_mxisd_ldap_connection_tls }} -ldap.connection.port: {{ matrix_mxisd_ldap_connection_port }} -ldap.connection.baseDns: -{{ matrix_mxisd_ldap_connection_baseDns|to_nice_yaml }} -ldap.connection.bindDn: {{ matrix_mxisd_ldap_connection_bindDn }} -ldap.connection.bindPassword: {{ matrix_mxisd_ldap_connection_bindPassword }} - -{% if matrix_mxisd_ldap_filter is defined %} -ldap.filter: {{ matrix_mxisd_ldap_filter }} -{% endif %} - -{% if matrix_mxisd_ldap_attribute_uid_type is defined %} -ldap.attribute.uid.type: {{ matrix_mxisd_ldap_attribute_uid_type }} -{% endif %} - -{% if matrix_mxisd_ldap_attribute_uid_value is defined %} -ldap.attribute.uid.value: {{ matrix_mxisd_ldap_attribute_uid_value }} -{% endif %} - -{% if matrix_mxisd_ldap_attribute_name is defined %} -ldap.attribute.name: {{ matrix_mxisd_ldap_attribute_name }} -{% endif %} - -{% if matrix_mxisd_ldap_attribute_threepid_email is defined %} -ldap.attribute.threepid.email: {{ matrix_mxisd_ldap_attribute_threepid_email|to_yaml }} -{% endif %} - -{% if matrix_mxisd_ldap_attribute_threepid_msisdn is defined %} -ldap.attribute.threepid.msisdn: {{ matrix_mxisd_ldap_attribute_threepid_msisdn|to_yaml }} -{% endif %} - -{% if matrix_mxisd_ldap_identity_filter is defined %} -ldap.identity.filter: {{ matrix_mxisd_ldap_identity_filter }} -{% endif %} - -{% if matrix_mxisd_ldap_identity_medium is defined %} -ldap.identity.medium: {{ matrix_mxisd_ldap_identity_medium }} -{% endif %} - -{% if matrix_mxisd_ldap_auth_filter is defined %} -ldap.auth.filter: {{ matrix_mxisd_ldap_auth_filter }} -{% endif %} - -{% if matrix_mxisd_ldap_directory_filter is defined %} -ldap.directory.filter: {{ matrix_mxisd_ldap_directory_filter }} -{% endif %} - From 14a237885a95d609f43471f66caceb2036a51880 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 11 Jan 2019 20:26:40 +0200 Subject: [PATCH 0283/2384] Fix missing SMTP configuration for mxisd Regression since 9a9b7383e9b4. --- roles/matrix-server/defaults/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 26186d33..54422bac 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -273,6 +273,17 @@ matrix_mxisd_configuration_yaml: | servers: ['matrix-org'] {% endif %} + threepid: + medium: + email: + identity: + from: {{ matrix_mailer_sender_address }} + connectors: + smtp: + host: matrix-mailer + port: 587 + tls: 0 + synapseSql: enabled: {{ matrix_mxisd_synapsesql_enabled }} type: {{ matrix_mxisd_synapsesql_type }} From 6d253ff5711301ca633b8b28f52b18d591f68d4e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 11 Jan 2019 21:20:17 +0200 Subject: [PATCH 0284/2384] Switch to a better riot-web image (avhost/docker-matrix-riot -> bubuntux/riot-web) The new container image is about 20x smaller in size, faster to start up, etc. This also fixes #26 (Github issue). --- roles/matrix-server/defaults/main.yml | 2 +- roles/matrix-server/tasks/setup/setup_riot_web.yml | 1 - .../templates/nginx-conf.d/matrix-riot-web.conf.j2 | 2 +- roles/matrix-server/templates/riot-web/riot.im.conf.j2 | 3 --- .../templates/systemd/matrix-riot-web.service.j2 | 8 +++----- 5 files changed, 5 insertions(+), 11 deletions(-) delete mode 100644 roles/matrix-server/templates/riot-web/riot.im.conf.j2 diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 54422bac..148eb97a 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -348,7 +348,7 @@ matrix_corporal_debug: false # you may wish to disable this. matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "avhost/docker-matrix-riot:v0.17.8" +matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.8" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" diff --git a/roles/matrix-server/tasks/setup/setup_riot_web.yml b/roles/matrix-server/tasks/setup/setup_riot_web.yml index 5a279074..c3a2fa31 100644 --- a/roles/matrix-server/tasks/setup/setup_riot_web.yml +++ b/roles/matrix-server/tasks/setup/setup_riot_web.yml @@ -26,7 +26,6 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - {src: "{{ role_path }}/templates/riot-web/riot.im.conf.j2", name: "riot.im.conf"} - {src: "{{ role_path }}/templates/riot-web/config.json.j2", name: "config.json"} - {src: "{{ matrix_riot_web_homepage_template }}", name: "home.html"} when: matrix_riot_web_enabled diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 index 273915a8..c3eea7b3 100644 --- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -43,7 +43,7 @@ server { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-riot-web:8765"; + set $backend "matrix-riot-web:80"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} diff --git a/roles/matrix-server/templates/riot-web/riot.im.conf.j2 b/roles/matrix-server/templates/riot-web/riot.im.conf.j2 deleted file mode 100644 index 0d0922ed..00000000 --- a/roles/matrix-server/templates/riot-web/riot.im.conf.j2 +++ /dev/null @@ -1,3 +0,0 @@ --p 8765 --A 0.0.0.0 --c 3500 \ No newline at end of file diff --git a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 index 806402d5..a4742a38 100644 --- a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 @@ -9,13 +9,11 @@ ExecStartPre=-/usr/bin/docker kill matrix-riot-web ExecStartPre=-/usr/bin/docker rm matrix-riot-web ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - -v {{ matrix_riot_web_data_path }}/config.json:/riot-web/webapp/config.json:ro \ - -v {{ matrix_riot_web_data_path }}/home.html:/riot-web/webapp/home.html:ro \ - -v {{ matrix_riot_web_data_path }}/riot.im.conf:/data/riot.im.conf:ro \ + -v {{ matrix_riot_web_data_path }}/config.json:/etc/riot-web/config.json:ro \ + -v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \ --network={{ matrix_docker_network }} \ {% if not matrix_nginx_proxy_enabled %} - -p 127.0.0.1:8765:8765 \ + -p 127.0.0.1:8765:80 \ {% endif %} {{ matrix_riot_web_docker_image }} ExecStop=-/usr/bin/docker kill matrix-riot-web From 7716c3b4ae7452a24c22fab79f1535552fe13ade Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 11 Jan 2019 15:29:45 -0600 Subject: [PATCH 0285/2384] Update README to link to bubuntux/riot-web --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c037f8f8..c1fff127 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,7 @@ This playbook sets up your server using the following Docker images: - [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server -- [avhost/docker-matrix-riot](https://hub.docker.com/r/avhost/docker-matrix-riot/) - the [Riot.im](https://about.riot.im/) web client (optional) +- [bubuntux/riot-web](https://hub.docker.com/r/bubuntux/riot-web/) - the [Riot.im](https://about.riot.im/) web client (optional) - [kamax/mxisd](https://hub.docker.com/r/kamax/mxisd/) - the [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server (optional) From 51312b8250d0c3940839d6c7ffddb195bcefa20a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 12 Jan 2019 17:53:00 +0200 Subject: [PATCH 0286/2384] Split playbook into multiple roles As suggested in #63 (Github issue), splitting the playbook's logic into multiple roles will be beneficial for maintainability. This patch realizes this split. Still, some components affect others, so the roles are not really independent of one another. For example: - disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse and riot-web to reconfigure themselves with other (public) Identity servers. - enabling matrix-corporal (`matrix_corporal_enabled: true`) affects how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to put matrix-corporal's gateway server in front of Synapse We may be able to move away from such dependencies in the future, at the expense of a more complicated manual configuration, but it's probably not worth sacrificing the convenience we have now. As part of this work, the way we do "start components" has been redone now to use a loop, as suggested in #65 (Github issue). This should make restarting faster and more reliable. --- CHANGELOG.md | 16 +- docs/configuring-playbook-mxisd.md | 2 +- docs/configuring-playbook.md | 2 +- roles/matrix-base/defaults/main.yml | 37 ++ .../files/yum.repos.d/docker-ce.repo | 0 .../matrix-base/tasks/clean_up_old_files.yml | 9 + roles/matrix-base/tasks/main.yml | 33 ++ .../tasks/sanity_check.yml} | 0 .../tasks}/self_check_dns.yml | 2 +- .../tasks}/self_check_dns_srv.yml | 0 .../tasks/setup_matrix_base.yml} | 7 - .../tasks/setup_server_base.yml} | 0 roles/matrix-base/tasks/setup_well_known.yml | 21 + .../static-files}/well-known/matrix-client.j2 | 0 .../usr-local-bin/matrix-remove-all.j2 | 0 roles/matrix-base/vars/main.yml | 3 + roles/matrix-common-after/tasks/main.yml | 4 + roles/matrix-common-after/tasks/start.yml | 18 + roles/matrix-corporal/defaults/main.yml | 28 ++ roles/matrix-corporal/tasks/init.yml | 9 + roles/matrix-corporal/tasks/main.yml | 16 + .../tasks}/self_check_corporal.yml | 0 .../tasks}/setup_corporal.yml | 9 +- .../templates}/config.json.j2 | 0 .../systemd/matrix-corporal.service.j2 | 2 +- roles/matrix-coturn/defaults/main.yml | 14 + roles/matrix-coturn/tasks/init.yml | 2 + roles/matrix-coturn/tasks/main.yml | 9 + .../tasks}/setup_coturn.yml | 2 +- .../systemd/matrix-coturn.service.j2 | 1 - .../templates}/turnserver.conf.j2 | 0 roles/matrix-mailer/defaults/main.yml | 16 + roles/matrix-mailer/tasks/init.yml | 3 + roles/matrix-mailer/tasks/main.yml | 9 + .../tasks}/setup_mailer.yml | 18 +- .../templates}/env-mailer.j2 | 0 .../systemd/matrix-mailer.service.j2 | 2 +- roles/matrix-mxisd/defaults/main.yml | 101 ++++ roles/matrix-mxisd/tasks/init.yml | 3 + roles/matrix-mxisd/tasks/main.yml | 13 + .../tasks}/self_check_mxisd.yml | 0 .../tasks}/setup_mxisd.yml | 0 .../templates/systemd/matrix-mxisd.service.j2 | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 50 ++ roles/matrix-nginx-proxy/tasks/init.yml | 3 + roles/matrix-nginx-proxy/tasks/main.yml | 23 + .../tasks}/self_check_well_known.yml | 0 .../tasks}/setup_nginx_proxy.yml | 0 .../tasks}/setup_well_known.yml | 4 +- .../tasks}/ssl/main.yml | 6 +- .../tasks}/ssl/setup_ssl_lets_encrypt.yml | 2 +- ...tup_ssl_lets_encrypt_obtain_for_domain.yml | 0 .../tasks/ssl/setup_ssl_manually_managed.yml | 8 + ...ssl_manually_managed_verify_for_domain.yml | 0 .../tasks}/ssl/setup_ssl_self_signed.yml | 2 +- ...etup_ssl_self_signed_obtain_for_domain.yml | 0 .../nginx-conf.d/matrix-riot-web.conf.j2 | 0 .../nginx-conf.d/matrix-synapse.conf.j2 | 0 .../templates/nginx-conf.d/nginx-http.conf.j2 | 0 .../systemd/matrix-nginx-proxy.service.j2 | 0 ...rix-ssl-lets-encrypt-certificates-renew.j2 | 0 roles/matrix-postgres/defaults/main.yml | 15 + .../tasks}/import_postgres.yml | 2 +- .../tasks}/import_sqlite_db.yml | 0 roles/matrix-postgres/tasks/init.yml | 3 + roles/matrix-postgres/tasks/main.yml | 24 + .../tasks/migrate_postgres_data_directory.yml | 70 +++ .../tasks}/setup_postgres.yml | 36 +- .../tasks/upgrade_postgres.yml | 6 +- .../util/detect_existing_postgres_version.yml | 0 .../templates/env-postgres-psql.j2} | 0 .../templates/env-postgres-server.j2} | 0 .../systemd/matrix-postgres.service.j2 | 2 +- .../usr-local-bin/matrix-make-user-admin.j2 | 2 +- .../usr-local-bin/matrix-postgres-cli.j2 | 2 +- roles/matrix-riot-web/defaults/main.yml | 32 ++ roles/matrix-riot-web/tasks/init.yml | 3 + roles/matrix-riot-web/tasks/main.yml | 16 + .../tasks}/self_check_riot_web.yml | 0 .../tasks}/setup_riot_web.yml | 2 +- .../templates}/config.json.j2 | 0 .../templates}/home.html.j2 | 0 .../systemd/matrix-riot-web.service.j2 | 0 roles/matrix-server/defaults/main.yml | 463 ------------------ roles/matrix-server/tasks/main.yml | 41 -- roles/matrix-server/tasks/self_check/main.yml | 18 - roles/matrix-server/tasks/setup/main.yml | 77 --- .../tasks/setup/setup_corporal_overrides.yml | 11 - .../setup/ssl/setup_ssl_manually_managed.yml | 8 - .../tasks/setup/synapse/ext/main.yml | 11 - .../tasks/setup/synapse/main.yml | 7 - roles/matrix-server/tasks/start.yml | 87 ---- roles/matrix-synapse/defaults/main.yml | 176 +++++++ roles/matrix-synapse/tasks/ext/init.yml | 5 + .../tasks/ext/ldap-auth/setup.yml} | 0 .../tasks/ext/mautrix-telegram/init.yml | 3 + .../tasks/ext/mautrix-telegram/setup.yml} | 4 +- .../tasks/ext/mautrix-whatsapp/init.yml | 3 + .../tasks/ext/mautrix-whatsapp/setup.yml} | 4 +- .../tasks/ext/rest-auth/setup.yml} | 0 roles/matrix-synapse/tasks/ext/setup.yml | 11 + .../tasks/ext/shared-secret-auth/setup.yml} | 0 .../tasks}/import_media_store.yml | 0 roles/matrix-synapse/tasks/init.yml | 8 + roles/matrix-synapse/tasks/main.yml | 33 ++ .../tasks/register_user.yml | 0 .../tasks}/self_check_client_api.yml | 0 .../tasks}/self_check_federation_api.yml | 0 .../tasks/setup_synapse_entrypoint.yml | 9 + .../tasks/setup_synapse_goofys.yml} | 8 +- .../tasks}/setup_synapse_main.yml | 11 +- .../tasks}/setup_synapse_pre.yml | 0 .../ext}/mautrix-telegram/config.yaml.j2 | 0 .../matrix-mautrix-telegram.service.j2 | 0 .../ext}/mautrix-whatsapp/config.yaml.j2 | 0 .../matrix-mautrix-whatsapp.service.j2 | 0 .../templates/goofys}/env-goofys.j2 | 0 .../goofys}/systemd/matrix-goofys.service.j2 | 2 +- .../templates/synapse}/env-synapse.j2 | 0 .../templates/synapse/homeserver.yaml.j2 | 0 .../templates/synapse/synapse.log.config.j2 | 0 .../systemd/matrix-synapse.service.j2 | 5 +- .../matrix-synapse-register-user.j2 | 0 setup.yml | 11 +- 124 files changed, 943 insertions(+), 799 deletions(-) create mode 100644 roles/matrix-base/defaults/main.yml rename roles/{matrix-server => matrix-base}/files/yum.repos.d/docker-ce.repo (100%) create mode 100644 roles/matrix-base/tasks/clean_up_old_files.yml create mode 100644 roles/matrix-base/tasks/main.yml rename roles/{matrix-server/tasks/setup/setup_sanity_check.yml => matrix-base/tasks/sanity_check.yml} (100%) rename roles/{matrix-server/tasks/self_check => matrix-base/tasks}/self_check_dns.yml (88%) rename roles/{matrix-server/tasks/self_check => matrix-base/tasks}/self_check_dns_srv.yml (100%) rename roles/{matrix-server/tasks/setup/setup_main.yml => matrix-base/tasks/setup_matrix_base.yml} (88%) rename roles/{matrix-server/tasks/setup/setup_base.yml => matrix-base/tasks/setup_server_base.yml} (100%) create mode 100644 roles/matrix-base/tasks/setup_well_known.yml rename roles/{matrix-server/templates => matrix-base/templates/static-files}/well-known/matrix-client.j2 (100%) rename roles/{matrix-server => matrix-base}/templates/usr-local-bin/matrix-remove-all.j2 (100%) create mode 100644 roles/matrix-base/vars/main.yml create mode 100644 roles/matrix-common-after/tasks/main.yml create mode 100644 roles/matrix-common-after/tasks/start.yml create mode 100644 roles/matrix-corporal/defaults/main.yml create mode 100644 roles/matrix-corporal/tasks/init.yml create mode 100644 roles/matrix-corporal/tasks/main.yml rename roles/{matrix-server/tasks/self_check => matrix-corporal/tasks}/self_check_corporal.yml (100%) rename roles/{matrix-server/tasks/setup => matrix-corporal/tasks}/setup_corporal.yml (89%) rename roles/{matrix-server/templates/corporal => matrix-corporal/templates}/config.json.j2 (100%) rename roles/{matrix-server => matrix-corporal}/templates/systemd/matrix-corporal.service.j2 (95%) create mode 100644 roles/matrix-coturn/defaults/main.yml create mode 100644 roles/matrix-coturn/tasks/init.yml create mode 100644 roles/matrix-coturn/tasks/main.yml rename roles/{matrix-server/tasks/setup => matrix-coturn/tasks}/setup_coturn.yml (94%) rename roles/{matrix-server => matrix-coturn}/templates/systemd/matrix-coturn.service.j2 (92%) rename roles/{matrix-server/templates/coturn => matrix-coturn/templates}/turnserver.conf.j2 (100%) create mode 100644 roles/matrix-mailer/defaults/main.yml create mode 100644 roles/matrix-mailer/tasks/init.yml create mode 100644 roles/matrix-mailer/tasks/main.yml rename roles/{matrix-server/tasks/setup => matrix-mailer/tasks}/setup_mailer.yml (77%) rename roles/{matrix-server/templates/env => matrix-mailer/templates}/env-mailer.j2 (100%) rename roles/{matrix-server => matrix-mailer}/templates/systemd/matrix-mailer.service.j2 (87%) create mode 100644 roles/matrix-mxisd/defaults/main.yml create mode 100644 roles/matrix-mxisd/tasks/init.yml create mode 100644 roles/matrix-mxisd/tasks/main.yml rename roles/{matrix-server/tasks/self_check => matrix-mxisd/tasks}/self_check_mxisd.yml (100%) rename roles/{matrix-server/tasks/setup => matrix-mxisd/tasks}/setup_mxisd.yml (100%) rename roles/{matrix-server => matrix-mxisd}/templates/systemd/matrix-mxisd.service.j2 (94%) create mode 100644 roles/matrix-nginx-proxy/defaults/main.yml create mode 100644 roles/matrix-nginx-proxy/tasks/init.yml create mode 100644 roles/matrix-nginx-proxy/tasks/main.yml rename roles/{matrix-server/tasks/self_check => matrix-nginx-proxy/tasks}/self_check_well_known.yml (100%) rename roles/{matrix-server/tasks/setup => matrix-nginx-proxy/tasks}/setup_nginx_proxy.yml (100%) rename roles/{matrix-server/tasks/setup => matrix-nginx-proxy/tasks}/setup_well_known.yml (81%) rename roles/{matrix-server/tasks/setup => matrix-nginx-proxy/tasks}/ssl/main.yml (84%) rename roles/{matrix-server/tasks/setup => matrix-nginx-proxy/tasks}/ssl/setup_ssl_lets_encrypt.yml (96%) rename roles/{matrix-server/tasks/setup => matrix-nginx-proxy/tasks}/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml (100%) create mode 100644 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml rename roles/{matrix-server/tasks/setup => matrix-nginx-proxy/tasks}/ssl/setup_ssl_manually_managed_verify_for_domain.yml (100%) rename roles/{matrix-server/tasks/setup => matrix-nginx-proxy/tasks}/ssl/setup_ssl_self_signed.yml (86%) rename roles/{matrix-server/tasks/setup => matrix-nginx-proxy/tasks}/ssl/setup_ssl_self_signed_obtain_for_domain.yml (100%) rename roles/{matrix-server => matrix-nginx-proxy}/templates/nginx-conf.d/matrix-riot-web.conf.j2 (100%) rename roles/{matrix-server => matrix-nginx-proxy}/templates/nginx-conf.d/matrix-synapse.conf.j2 (100%) rename roles/{matrix-server => matrix-nginx-proxy}/templates/nginx-conf.d/nginx-http.conf.j2 (100%) rename roles/{matrix-server => matrix-nginx-proxy}/templates/systemd/matrix-nginx-proxy.service.j2 (100%) rename roles/{matrix-server => matrix-nginx-proxy}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 (100%) create mode 100644 roles/matrix-postgres/defaults/main.yml rename roles/{matrix-server/tasks/import => matrix-postgres/tasks}/import_postgres.yml (95%) rename roles/{matrix-server/tasks/import => matrix-postgres/tasks}/import_sqlite_db.yml (100%) create mode 100644 roles/matrix-postgres/tasks/init.yml create mode 100644 roles/matrix-postgres/tasks/main.yml create mode 100644 roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml rename roles/{matrix-server/tasks/setup => matrix-postgres/tasks}/setup_postgres.yml (83%) rename roles/{matrix-server => matrix-postgres}/tasks/upgrade_postgres.yml (95%) rename roles/{matrix-server => matrix-postgres}/tasks/util/detect_existing_postgres_version.yml (100%) rename roles/{matrix-server/templates/env/env-postgres-pgsql-docker.j2 => matrix-postgres/templates/env-postgres-psql.j2} (100%) rename roles/{matrix-server/templates/env/env-postgres-server-docker.j2 => matrix-postgres/templates/env-postgres-server.j2} (100%) rename roles/{matrix-server => matrix-postgres}/templates/systemd/matrix-postgres.service.j2 (88%) rename roles/{matrix-server => matrix-postgres}/templates/usr-local-bin/matrix-make-user-admin.j2 (80%) rename roles/{matrix-server => matrix-postgres}/templates/usr-local-bin/matrix-postgres-cli.j2 (67%) create mode 100644 roles/matrix-riot-web/defaults/main.yml create mode 100644 roles/matrix-riot-web/tasks/init.yml create mode 100644 roles/matrix-riot-web/tasks/main.yml rename roles/{matrix-server/tasks/self_check => matrix-riot-web/tasks}/self_check_riot_web.yml (100%) rename roles/{matrix-server/tasks/setup => matrix-riot-web/tasks}/setup_riot_web.yml (95%) rename roles/{matrix-server/templates/riot-web => matrix-riot-web/templates}/config.json.j2 (100%) rename roles/{matrix-server/templates/riot-web => matrix-riot-web/templates}/home.html.j2 (100%) rename roles/{matrix-server => matrix-riot-web}/templates/systemd/matrix-riot-web.service.j2 (100%) delete mode 100644 roles/matrix-server/defaults/main.yml delete mode 100644 roles/matrix-server/tasks/main.yml delete mode 100644 roles/matrix-server/tasks/self_check/main.yml delete mode 100644 roles/matrix-server/tasks/setup/main.yml delete mode 100644 roles/matrix-server/tasks/setup/setup_corporal_overrides.yml delete mode 100644 roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml delete mode 100644 roles/matrix-server/tasks/setup/synapse/ext/main.yml delete mode 100644 roles/matrix-server/tasks/setup/synapse/main.yml delete mode 100644 roles/matrix-server/tasks/start.yml create mode 100644 roles/matrix-synapse/defaults/main.yml create mode 100644 roles/matrix-synapse/tasks/ext/init.yml rename roles/{matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_ldap_auth.yml => matrix-synapse/tasks/ext/ldap-auth/setup.yml} (100%) create mode 100644 roles/matrix-synapse/tasks/ext/mautrix-telegram/init.yml rename roles/{matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml => matrix-synapse/tasks/ext/mautrix-telegram/setup.yml} (93%) create mode 100644 roles/matrix-synapse/tasks/ext/mautrix-whatsapp/init.yml rename roles/{matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml => matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml} (93%) rename roles/{matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml => matrix-synapse/tasks/ext/rest-auth/setup.yml} (100%) create mode 100644 roles/matrix-synapse/tasks/ext/setup.yml rename roles/{matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_shared_secret_auth.yml => matrix-synapse/tasks/ext/shared-secret-auth/setup.yml} (100%) rename roles/{matrix-server/tasks/import => matrix-synapse/tasks}/import_media_store.yml (100%) create mode 100644 roles/matrix-synapse/tasks/init.yml create mode 100644 roles/matrix-synapse/tasks/main.yml rename roles/{matrix-server => matrix-synapse}/tasks/register_user.yml (100%) rename roles/{matrix-server/tasks/self_check => matrix-synapse/tasks}/self_check_client_api.yml (100%) rename roles/{matrix-server/tasks/self_check => matrix-synapse/tasks}/self_check_federation_api.yml (100%) create mode 100644 roles/matrix-synapse/tasks/setup_synapse_entrypoint.yml rename roles/{matrix-server/tasks/setup/setup_goofys.yml => matrix-synapse/tasks/setup_synapse_goofys.yml} (89%) rename roles/{matrix-server/tasks/setup/synapse => matrix-synapse/tasks}/setup_synapse_main.yml (87%) rename roles/{matrix-server/tasks/setup/synapse => matrix-synapse/tasks}/setup_synapse_pre.yml (100%) rename roles/{matrix-server/templates => matrix-synapse/templates/ext}/mautrix-telegram/config.yaml.j2 (100%) rename roles/{matrix-server/templates => matrix-synapse/templates/ext/mautrix-telegram}/systemd/matrix-mautrix-telegram.service.j2 (100%) rename roles/{matrix-server/templates => matrix-synapse/templates/ext}/mautrix-whatsapp/config.yaml.j2 (100%) rename roles/{matrix-server/templates => matrix-synapse/templates/ext/mautrix-whatsapp}/systemd/matrix-mautrix-whatsapp.service.j2 (100%) rename roles/{matrix-server/templates/env => matrix-synapse/templates/goofys}/env-goofys.j2 (100%) rename roles/{matrix-server/templates => matrix-synapse/templates/goofys}/systemd/matrix-goofys.service.j2 (94%) rename roles/{matrix-server/templates/env => matrix-synapse/templates/synapse}/env-synapse.j2 (100%) rename roles/{matrix-server => matrix-synapse}/templates/synapse/homeserver.yaml.j2 (100%) rename roles/{matrix-server => matrix-synapse}/templates/synapse/synapse.log.config.j2 (100%) rename roles/{matrix-server/templates => matrix-synapse/templates/synapse}/systemd/matrix-synapse.service.j2 (89%) rename roles/{matrix-server/templates => matrix-synapse/templates/synapse}/usr-local-bin/matrix-synapse-register-user.j2 (100%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e81354c..d87d314c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# 2019-01-xx + +## Splitting the playbook into multiple roles + +For better maintainability, the playbook logic (which all used to reside in a single `matrix-server` role) +has been split out into a number of different roles: `matrix-synapse`, `matrix-postgres`, `matrix-riot-web`, `matrix-mxisd`, etc. (see the `roles/` directory). + +To keep the filesystem more consistent with this separation, the **Postgres data had to be relocated**. + +The default value of `matrix_postgres_data_path` was changed from `/matrix/postgres` to `/matrix/postgres/data`. The `/matrix/postgres` directory is what we consider a base path now (new variable `matrix_postgres_base_path`). **Your Postgres data files will automatically be relocated by the playbook** (`/matrix/postgres/*` -> `/matrix/postgres/data/`) when you run with `--tags=setup-all` (or `--tags=setup-postgres`). While this shouldn't cause data-loss, **it's better if you do a Postgres backup just in case**. You'd need to restart all services after this migration (`--tags=start`). + + # 2019-01-11 ## (BC Break) mxisd configuration changes @@ -30,7 +42,7 @@ The following variables are no longer supported by this playbook: - `matrix_mxisd_template_config` You are encouraged to use the `matrix_mxisd_configuration_extension_yaml` variable to define your own mxisd configuration additions and overrides. -Refer to the [default variables file](roles/matrix-server/defaults/main.yml) for more information. +Refer to the [default variables file](roles/matrix-mxisd/defaults/main.yml) for more information. This new way of configuring mxisd is beneficial because: @@ -92,7 +104,7 @@ Based on feedback from others, running Synapse on Python 3 is supposed to decrea ## Riot homepage customization You can now customize some parts of the Riot homepage (or even completely replace it with your own custom page). -See the `matrix_riot_web_homepage_` variables in `roles/matrix-server/defaults/main.yml`. +See the `matrix_riot_web_homepage_` variables in `roles/matrix-riot-web/defaults/main.yml`. # 2018-12-04 diff --git a/docs/configuring-playbook-mxisd.md b/docs/configuring-playbook-mxisd.md index 5e95da45..70b6410c 100644 --- a/docs/configuring-playbook-mxisd.md +++ b/docs/configuring-playbook-mxisd.md @@ -29,7 +29,7 @@ You can refer to the [mxisd website](https://github.com/kamax-io/mxisd) for more To use a more custom configuration, you can define a `matrix_mxisd_configuration_extension_yaml` string variable and put your configuration in it. -To learn more about how to do this, refer to the information about `matrix_mxisd_configuration_extension_yaml` in the [default variables file](../roles/matrix-server/defaults/main.yml). +To learn more about how to do this, refer to the information about `matrix_mxisd_configuration_extension_yaml` in the [default variables file](../roles/matrix-mxisd/defaults/main.yml) of the mxisd component. ## Troubleshooting diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index d069f2e1..0c99a788 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -8,7 +8,7 @@ You can follow these steps: - copy the sample configuration file (`cp examples/host-vars.yml inventory/host_vars/matrix./vars.yml`) -- edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at `roles/matrix-server/defaults/main.yml` and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. +- edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at the various `roles/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. - copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml new file mode 100644 index 00000000..03f05488 --- /dev/null +++ b/roles/matrix-base/defaults/main.yml @@ -0,0 +1,37 @@ +# The bare hostname which represents your identity. +# This is something like "example.com". +# Note: this playbook does not touch the server referenced here. +hostname_identity: "{{ host_specific_hostname_identity|lower }}" + +# This is where your data lives and what we set up here. +# This and the Riot hostname (see below) are expected to be on the same server. +hostname_matrix: "matrix.{{ hostname_identity }}" + +# This is where you access the web UI from and what we set up here. +# This and the Matrix hostname (see above) are expected to be on the same server. +hostname_riot: "riot.{{ hostname_identity }}" + + +matrix_user_username: "matrix" +matrix_user_uid: 991 +matrix_user_gid: 991 + +matrix_base_data_path: "/matrix" + +matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" + +matrix_homeserver_url: "https://{{ hostname_matrix }}" +matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}" + +# The Docker network that all services would be put into +matrix_docker_network: "matrix" + +# Variables to Control which parts of our roles run. +run_setup: true +run_import_postgres: true +run_upgrade_postgres: true +run_start: true +run_register_user: true +run_import_sqlite_db: true +run_import_media_store: true +run_self_check: true \ No newline at end of file diff --git a/roles/matrix-server/files/yum.repos.d/docker-ce.repo b/roles/matrix-base/files/yum.repos.d/docker-ce.repo similarity index 100% rename from roles/matrix-server/files/yum.repos.d/docker-ce.repo rename to roles/matrix-base/files/yum.repos.d/docker-ce.repo diff --git a/roles/matrix-base/tasks/clean_up_old_files.yml b/roles/matrix-base/tasks/clean_up_old_files.yml new file mode 100644 index 00000000..01d4a83d --- /dev/null +++ b/roles/matrix-base/tasks/clean_up_old_files.yml @@ -0,0 +1,9 @@ +--- + +- name: Get rid of old files and directories + file: + path: "{{ item }}" + state: absent + with_items: + - "{{ matrix_base_data_path }}/environment-variables" + - "{{ matrix_base_data_path }}/scratchpad" \ No newline at end of file diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml new file mode 100644 index 00000000..facfc5b2 --- /dev/null +++ b/roles/matrix-base/tasks/main.yml @@ -0,0 +1,33 @@ +- import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml" + when: run_setup + tags: + - setup-all + +- import_tasks: "{{ role_path }}/tasks/setup_server_base.yml" + when: run_setup + tags: + - setup-all + +- import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" + when: run_setup + tags: + - setup-all + +- import_tasks: "{{ role_path }}/tasks/setup_well_known.yml" + when: run_setup + tags: + - setup-all + - setup-mxisd + - setup-synapse + - setup-nginx-proxy + +- import_tasks: "{{ role_path }}/tasks/sanity_check.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/self_check_dns.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check + tags: + - self-check \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/setup_sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml similarity index 100% rename from roles/matrix-server/tasks/setup/setup_sanity_check.yml rename to roles/matrix-base/tasks/sanity_check.yml diff --git a/roles/matrix-server/tasks/self_check/self_check_dns.yml b/roles/matrix-base/tasks/self_check_dns.yml similarity index 88% rename from roles/matrix-server/tasks/self_check/self_check_dns.yml rename to roles/matrix-base/tasks/self_check_dns.yml index b9f1706e..371147fd 100644 --- a/roles/matrix-server/tasks/self_check/self_check_dns.yml +++ b/roles/matrix-base/tasks/self_check_dns.yml @@ -22,7 +22,7 @@ when: "matrix_mxisd_enabled" - name: Perform DNS SRV checks - include_tasks: "{{ role_path }}/tasks/self_check/self_check_dns_srv.yml" + include_tasks: "{{ role_path }}/tasks/self_check_dns_srv.yml" with_items: "{{ dns_srv_record_checks }}" loop_control: loop_var: dns_srv_record_check \ No newline at end of file diff --git a/roles/matrix-server/tasks/self_check/self_check_dns_srv.yml b/roles/matrix-base/tasks/self_check_dns_srv.yml similarity index 100% rename from roles/matrix-server/tasks/self_check/self_check_dns_srv.yml rename to roles/matrix-base/tasks/self_check_dns_srv.yml diff --git a/roles/matrix-server/tasks/setup/setup_main.yml b/roles/matrix-base/tasks/setup_matrix_base.yml similarity index 88% rename from roles/matrix-server/tasks/setup/setup_main.yml rename to roles/matrix-base/tasks/setup_matrix_base.yml index a147c862..424cd83d 100644 --- a/roles/matrix-server/tasks/setup/setup_main.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -13,12 +13,6 @@ state: present group: "{{ matrix_user_username }}" -- name: Ensure environment variables data path exists - file: - path: "{{ matrix_environment_variables_data_path }}" - state: directory - mode: 0700 - - name: Ensure Matrix base path exists file: path: "{{ item }}" @@ -28,7 +22,6 @@ group: "{{ matrix_user_username }}" with_items: - "{{ matrix_base_data_path }}" - - "{{ matrix_synapse_base_path }}" # `docker_network` doesn't work as expected when the given network # is a substring of a network that already exists. diff --git a/roles/matrix-server/tasks/setup/setup_base.yml b/roles/matrix-base/tasks/setup_server_base.yml similarity index 100% rename from roles/matrix-server/tasks/setup/setup_base.yml rename to roles/matrix-base/tasks/setup_server_base.yml diff --git a/roles/matrix-base/tasks/setup_well_known.yml b/roles/matrix-base/tasks/setup_well_known.yml new file mode 100644 index 00000000..7620c893 --- /dev/null +++ b/roles/matrix-base/tasks/setup_well_known.yml @@ -0,0 +1,21 @@ +# We need others to be able to read these directories too, +# so that matrix-nginx-proxy's nginx user can access the files. +# +# For running with another webserver, we recommend being part of the `matrix` group. +- name: Ensure Matrix static-files path exists + file: + path: "{{ item }}" + state: directory + mode: 0755 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_static_files_base_path }}/.well-known/matrix" + +- name: Ensure Matrix /.well-known/matrix/client configured + template: + src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2" + dest: "{{ matrix_static_files_base_path }}/.well-known/matrix" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" \ No newline at end of file diff --git a/roles/matrix-server/templates/well-known/matrix-client.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 similarity index 100% rename from roles/matrix-server/templates/well-known/matrix-client.j2 rename to roles/matrix-base/templates/static-files/well-known/matrix-client.j2 diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 similarity index 100% rename from roles/matrix-server/templates/usr-local-bin/matrix-remove-all.j2 rename to roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 diff --git a/roles/matrix-base/vars/main.yml b/roles/matrix-base/vars/main.yml new file mode 100644 index 00000000..e4e9c166 --- /dev/null +++ b/roles/matrix-base/vars/main.yml @@ -0,0 +1,3 @@ +# This will contain a list of enabled services that the playbook is managing. +# Each component is expected to append its service name to this list. +matrix_systemd_services_list: [] \ No newline at end of file diff --git a/roles/matrix-common-after/tasks/main.yml b/roles/matrix-common-after/tasks/main.yml new file mode 100644 index 00000000..3b5c5428 --- /dev/null +++ b/roles/matrix-common-after/tasks/main.yml @@ -0,0 +1,4 @@ +- import_tasks: "{{ role_path }}/tasks/start.yml" + when: run_start + tags: + - start \ No newline at end of file diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml new file mode 100644 index 00000000..688b9244 --- /dev/null +++ b/roles/matrix-common-after/tasks/start.yml @@ -0,0 +1,18 @@ +--- + +- name: Ensure systemd reloaded + service: + daemon_reload: yes + +- name: Ensure Matrix services stopped + service: + name: "{{ item }}" + state: stopped + with_items: "{{ matrix_systemd_services_list }}" + +- name: Ensure Matrix services started + service: + name: "{{ item }}" + enabled: yes + state: started + with_items: "{{ matrix_systemd_services_list }}" \ No newline at end of file diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml new file mode 100644 index 00000000..264c98dd --- /dev/null +++ b/roles/matrix-corporal/defaults/main.yml @@ -0,0 +1,28 @@ +# Enable this to add support for matrix-corporal. +# See: https://github.com/devture/matrix-corporal +matrix_corporal_enabled: false + +# Controls whether the matrix-corporal web server's ports are exposed outside of the container. +# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`). +matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}" + +matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2" +matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" +matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" +matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" +matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var" + +matrix_corporal_matrix_timeout_milliseconds: 45000 + +matrix_corporal_reconciliation_retry_interval_milliseconds: 30000 +matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" + +matrix_corporal_http_api_enabled: false +matrix_corporal_http_api_auth_token: "" + +# Matrix Corporal policy provider configuration (goes directly into the configuration's `PolicyProvider` value) +matrix_corporal_policy_provider_config: "" + +matrix_corporal_debug: false \ No newline at end of file diff --git a/roles/matrix-corporal/tasks/init.yml b/roles/matrix-corporal/tasks/init.yml new file mode 100644 index 00000000..4c63a447 --- /dev/null +++ b/roles/matrix-corporal/tasks/init.yml @@ -0,0 +1,9 @@ +- name: Override configuration specifying where the Matrix Client API is + set_fact: + matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080" + matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080" + when: "matrix_corporal_enabled" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}" + when: "matrix_corporal_enabled" \ No newline at end of file diff --git a/roles/matrix-corporal/tasks/main.yml b/roles/matrix-corporal/tasks/main.yml new file mode 100644 index 00000000..ddb49ee4 --- /dev/null +++ b/roles/matrix-corporal/tasks/main.yml @@ -0,0 +1,16 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_corporal.yml" + when: run_setup + tags: + - setup-all + - setup-corporal + +- import_tasks: "{{ role_path }}/tasks/self_check_corporal.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check and matrix_corporal_enabled" + tags: + - self-check \ No newline at end of file diff --git a/roles/matrix-server/tasks/self_check/self_check_corporal.yml b/roles/matrix-corporal/tasks/self_check_corporal.yml similarity index 100% rename from roles/matrix-server/tasks/self_check/self_check_corporal.yml rename to roles/matrix-corporal/tasks/self_check_corporal.yml diff --git a/roles/matrix-server/tasks/setup/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml similarity index 89% rename from roles/matrix-server/tasks/setup/setup_corporal.yml rename to roles/matrix-corporal/tasks/setup_corporal.yml index db3edc1c..42b5ae02 100644 --- a/roles/matrix-server/tasks/setup/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -42,7 +42,7 @@ - name: Ensure Matrix Corporal config installed template: - src: "{{ role_path }}/templates/corporal/config.json.j2" + src: "{{ role_path }}/templates/config.json.j2" dest: "{{ matrix_corporal_config_dir_path }}/config.json" mode: 0644 when: "matrix_corporal_enabled" @@ -58,8 +58,11 @@ # Tasks related to getting rid of matrix-corporal (if it was previously enabled) # -- name: Ensure matrix-corporal.service doesn't exist +- name: Ensure matrix-corporal files don't exist file: - path: "/etc/systemd/system/matrix-corporal.service" + path: "{{ item }}" state: absent when: "not matrix_corporal_enabled" + with_items: + - /etc/systemd/system/matrix-corporal.service + - "{{ matrix_corporal_config_dir_path }}/config.json" diff --git a/roles/matrix-server/templates/corporal/config.json.j2 b/roles/matrix-corporal/templates/config.json.j2 similarity index 100% rename from roles/matrix-server/templates/corporal/config.json.j2 rename to roles/matrix-corporal/templates/config.json.j2 diff --git a/roles/matrix-server/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 similarity index 95% rename from roles/matrix-server/templates/systemd/matrix-corporal.service.j2 rename to roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index 25b02ad2..7ac5f13a 100644 --- a/roles/matrix-server/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -13,7 +13,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --network={{ matrix_docker_network }} \ - {% if not matrix_nginx_proxy_enabled %} + {% if matrix_corporal_container_expose_ports %} -p 127.0.0.1:41080:41080 \ -p 127.0.0.1:41081:41081 \ {% endif %} diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml new file mode 100644 index 00000000..d3e48ef1 --- /dev/null +++ b/roles/matrix-coturn/defaults/main.yml @@ -0,0 +1,14 @@ +matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8" + +matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" +matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" + +# A shared secret (between Synapse and Coturn) used for authentication. +# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). +matrix_coturn_turn_static_auth_secret: "" + +# UDP port-range to use for TURN +matrix_coturn_turn_udp_min_port: 49152 +matrix_coturn_turn_udp_max_port: 49172 + +matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" \ No newline at end of file diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml new file mode 100644 index 00000000..f25b2ed7 --- /dev/null +++ b/roles/matrix-coturn/tasks/init.yml @@ -0,0 +1,2 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn'] }}" \ No newline at end of file diff --git a/roles/matrix-coturn/tasks/main.yml b/roles/matrix-coturn/tasks/main.yml new file mode 100644 index 00000000..8d90138d --- /dev/null +++ b/roles/matrix-coturn/tasks/main.yml @@ -0,0 +1,9 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_coturn.yml" + when: run_setup + tags: + - setup-coturn + - setup-all \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml similarity index 94% rename from roles/matrix-server/tasks/setup/setup_coturn.yml rename to roles/matrix-coturn/tasks/setup_coturn.yml index 36a4c9a5..e11326fc 100644 --- a/roles/matrix-server/tasks/setup/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -19,7 +19,7 @@ - name: Ensure turnserver.conf installed template: - src: "{{ role_path }}/templates/coturn/turnserver.conf.j2" + src: "{{ role_path }}/templates/turnserver.conf.j2" dest: "{{ matrix_coturn_config_path }}" mode: 0644 diff --git a/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 similarity index 92% rename from roles/matrix-server/templates/systemd/matrix-coturn.service.j2 rename to roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 6c9f87ec..3387f772 100644 --- a/roles/matrix-server/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -13,7 +13,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ -p 3478:3478 \ -p 3478:3478/udp \ -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ - -v {{ matrix_synapse_config_dir_path }}:/matrix-config:ro \ -v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \ {{ matrix_coturn_docker_image }} \ -c /turnserver.conf diff --git a/roles/matrix-server/templates/coturn/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 similarity index 100% rename from roles/matrix-server/templates/coturn/turnserver.conf.j2 rename to roles/matrix-coturn/templates/turnserver.conf.j2 diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml new file mode 100644 index 00000000..fe303f1b --- /dev/null +++ b/roles/matrix-mailer/defaults/main.yml @@ -0,0 +1,16 @@ +# By default, this playbook sets up a postfix mailer server (running in a container). +# This is so that Matrix Synapse can send email reminders for unread messages. +# Other services (like mxisd), however, also use that mailer to send emails through it. +matrix_mailer_enabled: true + +matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer" + +matrix_mailer_docker_image: "panubo/postfix:latest" + +matrix_mailer_sender_address: "matrix@{{ hostname_identity }}" +matrix_mailer_relay_use: false +matrix_mailer_relay_host_name: "mail.example.com" +matrix_mailer_relay_host_port: 587 +matrix_mailer_relay_auth: false +matrix_mailer_relay_auth_username: "" +matrix_mailer_relay_auth_password: "" \ No newline at end of file diff --git a/roles/matrix-mailer/tasks/init.yml b/roles/matrix-mailer/tasks/init.yml new file mode 100644 index 00000000..c5f51ffe --- /dev/null +++ b/roles/matrix-mailer/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer'] }}" + when: "matrix_mailer_enabled" \ No newline at end of file diff --git a/roles/matrix-mailer/tasks/main.yml b/roles/matrix-mailer/tasks/main.yml new file mode 100644 index 00000000..8019bf3d --- /dev/null +++ b/roles/matrix-mailer/tasks/main.yml @@ -0,0 +1,9 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_mailer.yml" + when: run_setup + tags: + - setup-mailer + - setup-all \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml similarity index 77% rename from roles/matrix-server/tasks/setup/setup_mailer.yml rename to roles/matrix-mailer/tasks/setup_mailer.yml index 1879917b..7155556c 100644 --- a/roles/matrix-server/tasks/setup/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -4,13 +4,21 @@ # Tasks related to setting up the mailer # +- name: Ensure mailer base path exists + file: + path: "{{ matrix_mailer_base_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: matrix_mailer_enabled + - name: Ensure mailer environment variables file created template: - src: "{{ role_path }}/templates/env/{{ item }}.j2" - dest: "{{ matrix_environment_variables_data_path }}/{{ item }}" + src: "{{ role_path }}/templates/env-mailer.j2" + dest: "{{ matrix_mailer_base_path }}/env-mailer" mode: 0640 - with_items: - - "env-mailer" + when: matrix_mailer_enabled - name: Ensure mailer image is pulled docker_image: @@ -49,7 +57,7 @@ - name: Ensure Matrix mailer environment variables path doesn't exist file: - path: "{{ matrix_environment_variables_data_path }}/env-mailer" + path: "{{ matrix_mailer_base_path }}" state: absent when: "not matrix_mailer_enabled" diff --git a/roles/matrix-server/templates/env/env-mailer.j2 b/roles/matrix-mailer/templates/env-mailer.j2 similarity index 100% rename from roles/matrix-server/templates/env/env-mailer.j2 rename to roles/matrix-mailer/templates/env-mailer.j2 diff --git a/roles/matrix-server/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 similarity index 87% rename from roles/matrix-server/templates/systemd/matrix-mailer.service.j2 rename to roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index 8b3ccf9d..f0adaa7c 100644 --- a/roles/matrix-server/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -10,7 +10,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-mailer ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ --log-driver=none \ --network={{ matrix_docker_network }} \ - --env-file={{ matrix_environment_variables_data_path }}/env-mailer \ + --env-file={{ matrix_mailer_base_path }}/env-mailer \ {{ matrix_mailer_docker_image }} ExecStop=-/usr/bin/docker kill matrix-mailer ExecStop=-/usr/bin/docker rm matrix-mailer diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml new file mode 100644 index 00000000..6dbae4a5 --- /dev/null +++ b/roles/matrix-mxisd/defaults/main.yml @@ -0,0 +1,101 @@ +# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`). +# If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own, +# you may wish to disable this. +matrix_mxisd_enabled: true +matrix_mxisd_docker_image: "kamax/mxisd:1.2.2" +matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" +matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" +matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" + +# Controls whether the mxisd web server's port is exposed outside of the container. +# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# mxisd's web-server port to the local host (`127.0.0.1:8090`). +matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" + +# Your identity server is private by default. +# To ensure maximum discovery, you can make your identity server +# also forward lookups to the central matrix.org Identity server +# (at the cost of potentially leaking all your contacts information). +# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups +matrix_mxisd_matrixorg_forwarding_enabled: false + +# mxisd has serveral supported identity stores. +# One of them (which we enable by default) is storing identities directly in Synapse's database. +# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md +# +# If you need to disable this in favor of some other store, you can toggle it to disabled here +# and add your own mxisd configuration for the other store in `matrix_mxisd_configuration_extension_yaml`. +matrix_mxisd_synapsesql_enabled: true +matrix_mxisd_synapsesql_type: postgresql +matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }} + +# Default mxisd configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mxisd_configuration_yaml: | + matrix: + domain: {{ hostname_identity }} + + server: + name: {{ hostname_matrix }} + + key: + path: /var/mxisd/sign.key + + storage: + provider: + sqlite: + database: /var/mxisd/mxisd.db + + {% if matrix_mxisd_matrixorg_forwarding_enabled %} + forward: + servers: ['matrix-org'] + {% endif %} + + threepid: + medium: + email: + identity: + from: {{ matrix_mailer_sender_address }} + connectors: + smtp: + host: matrix-mailer + port: 587 + tls: 0 + + synapseSql: + enabled: {{ matrix_mxisd_synapsesql_enabled }} + type: {{ matrix_mxisd_synapsesql_type }} + connection: {{ matrix_mxisd_synapsesql_connection }} + +matrix_mxisd_configuration_extension_yaml: | + # Your custom YAML configuration for mxisd goes here. + # This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mxisd_configuration_yaml`. + # + # Example configuration extension follows: + # + # ldap: + # enabled: true + # connection: + # host: ldapHostnameOrIp + # tls: false + # port: 389 + # baseDns: ['OU=Users,DC=example,DC=org'] + # bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org + # bindPassword: TheUserPassword + +# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). +# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later. +matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}" + +# Holds the final mxisd configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`. +matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}" \ No newline at end of file diff --git a/roles/matrix-mxisd/tasks/init.yml b/roles/matrix-mxisd/tasks/init.yml new file mode 100644 index 00000000..b41ad7e3 --- /dev/null +++ b/roles/matrix-mxisd/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mxisd'] }}" + when: "matrix_mxisd_enabled" \ No newline at end of file diff --git a/roles/matrix-mxisd/tasks/main.yml b/roles/matrix-mxisd/tasks/main.yml new file mode 100644 index 00000000..8f22426a --- /dev/null +++ b/roles/matrix-mxisd/tasks/main.yml @@ -0,0 +1,13 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml" + tags: + - setup-all + - setup-mxisd + +- import_tasks: "{{ role_path }}/tasks/self_check_mxisd.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check and matrix_mxisd_enabled" \ No newline at end of file diff --git a/roles/matrix-server/tasks/self_check/self_check_mxisd.yml b/roles/matrix-mxisd/tasks/self_check_mxisd.yml similarity index 100% rename from roles/matrix-server/tasks/self_check/self_check_mxisd.yml rename to roles/matrix-mxisd/tasks/self_check_mxisd.yml diff --git a/roles/matrix-server/tasks/setup/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml similarity index 100% rename from roles/matrix-server/tasks/setup/setup_mxisd.yml rename to roles/matrix-mxisd/tasks/setup_mxisd.yml diff --git a/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 similarity index 94% rename from roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 rename to roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 index fd4af2e1..895cf4f4 100644 --- a/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 +++ b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 @@ -15,7 +15,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --network={{ matrix_docker_network }} \ - {% if not matrix_nginx_proxy_enabled %} + {% if matrix_mxisd_container_expose_port %} -p 127.0.0.1:8090:8090 \ {% endif %} -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml new file mode 100644 index 00000000..0562ca56 --- /dev/null +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -0,0 +1,50 @@ +# By default, this playbook sets up its own nginx proxy server on port 80/443. +# This is fine if you're dedicating the whole server to Matrix. +# But in case that's not the case, you may wish to prevent that +# and take care of proxying by yourself. +matrix_nginx_proxy_enabled: true + +matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine" + +matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" +matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" + +# The addresses where the Matrix Client API is. +# Certain extensions (like matrix-corporal) may override this in order to capture all traffic. +matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008" +matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008" + +# Specifies when to reload the matrix-nginx-proxy service so that +# a new SSL certificate could go into effect. +matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" + +# Specifies which SSL protocols to use when serving Riot and Synapse +# Note TLSv1.3 is not yet available in dockerized nginx +# See: https://github.com/nginxinc/docker-nginx/issues/190 +matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" + +# By default, this playbook automatically retrieves and auto-renews +# free SSL certificates from Let's Encrypt. +# +# The following retrieval methods are supported: +# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt +# - "self-signed" - the playbook generates and self-signs certificates +# - "manually-managed" - lets you manage certificates by yourself (manually; see below) +# +# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`), +# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path` +# obeying the following hierarchy: +# - /live//fullchain.pem +# - /live//privkey.pem +# where refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`). +matrix_ssl_retrieval_method: "lets-encrypt" + +# Controls whether to obtain production or staging certificates from Let's Encrypt. +matrix_ssl_lets_encrypt_staging: false +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0" +matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 +matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}" + +matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" +matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" +matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/tasks/init.yml b/roles/matrix-nginx-proxy/tasks/init.yml new file mode 100644 index 00000000..dc27f789 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy'] }}" + when: "matrix_nginx_proxy_enabled" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/tasks/main.yml b/roles/matrix-nginx-proxy/tasks/main.yml new file mode 100644 index 00000000..022d5272 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/main.yml @@ -0,0 +1,23 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/ssl/main.yml" + when: run_setup + tags: + - setup-all + - setup-nginx-proxy + - setup-ssl + +- import_tasks: "{{ role_path }}/tasks/setup_nginx_proxy.yml" + when: run_setup + tags: + - setup-all + - setup-nginx-proxy + +- import_tasks: "{{ role_path }}/tasks/self_check_well_known.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check + tags: + - self-check \ No newline at end of file diff --git a/roles/matrix-server/tasks/self_check/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml similarity index 100% rename from roles/matrix-server/tasks/self_check/self_check_well_known.yml rename to roles/matrix-nginx-proxy/tasks/self_check_well_known.yml diff --git a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml similarity index 100% rename from roles/matrix-server/tasks/setup/setup_nginx_proxy.yml rename to roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml diff --git a/roles/matrix-server/tasks/setup/setup_well_known.yml b/roles/matrix-nginx-proxy/tasks/setup_well_known.yml similarity index 81% rename from roles/matrix-server/tasks/setup/setup_well_known.yml rename to roles/matrix-nginx-proxy/tasks/setup_well_known.yml index d6c4eebd..5cd54cc8 100644 --- a/roles/matrix-server/tasks/setup/setup_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_well_known.yml @@ -13,12 +13,12 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - "{{ matrix_well_known_file_path|dirname }}" + - "{{ matrix_static_files_base_path }}/.well-known/matrix" - name: Ensure Matrix /.well-known/matrix/client configured template: src: "{{ role_path }}/templates/well-known/matrix-client.j2" - dest: "{{ matrix_well_known_file_path }}" + dest: "{{ matrix_static_files_base_path }}/.well-known/matrix" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/ssl/main.yml b/roles/matrix-nginx-proxy/tasks/ssl/main.yml similarity index 84% rename from roles/matrix-server/tasks/setup/ssl/main.yml rename to roles/matrix-nginx-proxy/tasks/ssl/main.yml index d81c8f34..7e269eb6 100644 --- a/roles/matrix-server/tasks/setup/ssl/main.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/main.yml @@ -31,8 +31,8 @@ # Method specific tasks follow -- import_tasks: tasks/setup/ssl/setup_ssl_lets_encrypt.yml +- import_tasks: tasks/ssl/setup_ssl_lets_encrypt.yml -- import_tasks: tasks/setup/ssl/setup_ssl_self_signed.yml +- import_tasks: tasks/ssl/setup_ssl_self_signed.yml -- import_tasks: tasks/setup/ssl/setup_ssl_manually_managed.yml +- import_tasks: tasks/ssl/setup_ssl_manually_managed.yml diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml similarity index 96% rename from roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml rename to roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index add067d2..a798881e 100644 --- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -38,7 +38,7 @@ when: "matrix_ssl_retrieval_method == 'lets-encrypt'" - name: Obtain Let's Encrypt certificates - include_tasks: "{{ role_path }}/tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" + include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" with_items: "{{ domains_requiring_certificates }}" loop_control: loop_var: domain_name diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml similarity index 100% rename from roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml rename to roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml new file mode 100644 index 00000000..27937c43 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml @@ -0,0 +1,8 @@ +--- + +- name: Verify certificates + include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml" + with_items: "{{ domains_requiring_certificates }}" + loop_control: + loop_var: domain_name + when: "matrix_ssl_retrieval_method == 'manually-managed'" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml similarity index 100% rename from roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml rename to roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml similarity index 86% rename from roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml rename to roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml index 69ca0659..e67340e6 100644 --- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml @@ -17,7 +17,7 @@ when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'" - name: Generate self-signed certificates - include_tasks: "{{ role_path }}/tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml" + include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml" with_items: "{{ domains_requiring_certificates }}" loop_control: loop_var: domain_name diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml similarity index 100% rename from roles/matrix-server/tasks/setup/ssl/setup_ssl_self_signed_obtain_for_domain.yml rename to roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 similarity index 100% rename from roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 rename to roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 similarity index 100% rename from roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 rename to roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 diff --git a/roles/matrix-server/templates/nginx-conf.d/nginx-http.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx-conf.d/nginx-http.conf.j2 similarity index 100% rename from roles/matrix-server/templates/nginx-conf.d/nginx-http.conf.j2 rename to roles/matrix-nginx-proxy/templates/nginx-conf.d/nginx-http.conf.j2 diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 similarity index 100% rename from roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 rename to roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 similarity index 100% rename from roles/matrix-server/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 rename to roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml new file mode 100644 index 00000000..7d4b8574 --- /dev/null +++ b/roles/matrix-postgres/defaults/main.yml @@ -0,0 +1,15 @@ +# The defaults below cause a postgres server to be configured (running within a container). +# Using an external server is possible by tweaking all of the parameters below. +matrix_postgres_use_external: false +matrix_postgres_connection_hostname: "matrix-postgres" +matrix_postgres_connection_username: "synapse" +matrix_postgres_connection_password: "synapse-password" +matrix_postgres_db_name: "homeserver" + +matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" +matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" + +matrix_postgres_docker_image_v9: "postgres:9.6.11-alpine" +matrix_postgres_docker_image_v10: "postgres:10.6-alpine" +matrix_postgres_docker_image_v11: "postgres:11.1-alpine" +matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}" \ No newline at end of file diff --git a/roles/matrix-server/tasks/import/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml similarity index 95% rename from roles/matrix-server/tasks/import/import_postgres.yml rename to roles/matrix-postgres/tasks/import_postgres.yml index 1c5989b1..98df10e9 100644 --- a/roles/matrix-server/tasks/import/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -51,7 +51,7 @@ command: | /usr/bin/docker run --rm --name matrix-postgres-import \ --network={{ matrix_docker_network }} \ - --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ -v {{ server_path_postgres_dump }}:{{ server_path_postgres_dump }}:ro \ --entrypoint=/bin/sh {{ matrix_postgres_docker_image_latest }} diff --git a/roles/matrix-server/tasks/import/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml similarity index 100% rename from roles/matrix-server/tasks/import/import_sqlite_db.yml rename to roles/matrix-postgres/tasks/import_sqlite_db.yml diff --git a/roles/matrix-postgres/tasks/init.yml b/roles/matrix-postgres/tasks/init.yml new file mode 100644 index 00000000..433020df --- /dev/null +++ b/roles/matrix-postgres/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres'] }}" + when: "not matrix_postgres_use_external" \ No newline at end of file diff --git a/roles/matrix-postgres/tasks/main.yml b/roles/matrix-postgres/tasks/main.yml new file mode 100644 index 00000000..123ddde4 --- /dev/null +++ b/roles/matrix-postgres/tasks/main.yml @@ -0,0 +1,24 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_postgres.yml" + when: run_setup + tags: + - setup-postgres + - setup-all + +- import_tasks: "{{ role_path }}/tasks/import_postgres.yml" + when: run_import_postgres + tags: + - import-postgres + +- import_tasks: "{{ role_path }}/tasks/import_sqlite_db.yml" + when: run_import_sqlite_db + tags: + - import-sqlite-db + +- import_tasks: "{{ role_path }}/tasks/upgrade_postgres.yml" + when: run_upgrade_postgres + tags: + - upgrade-postgres diff --git a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml new file mode 100644 index 00000000..5a4e0689 --- /dev/null +++ b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml @@ -0,0 +1,70 @@ +--- + +# We used to store Postgres data directly under `/matrix/postgres` (what is now considered `matrix_postgres_base_path`). +# +# From now on, we expect to store Postgres data one directory below now (`/matrix/postgres/data` - `matrix_postgres_data_path`). +# We wish to use the base directory for other purposes (storing environment variable files, etc.). +# Mixing those with the Postgres data is no good and it leads to Postgres's `initdb` complaining to initialize +# a database in a non-empty directory. +# +# For this reason, we store the Postgres data in `/matrix/postgres/data` and need to relocate any installations +# which still store it in the parent directory (`/matrix/postgres`). + +- name: Check if old Postgres data directory is used + stat: + path: "{{ matrix_postgres_base_path }}/PG_VERSION" + register: result_pg_old_data_dir_stat + +- name: Warn if old Postgres data directory detected + debug: + msg: > + Found that you have Postgres data in `{{ matrix_postgres_base_path }}`. + From now on, Postgres data is supposed to be stored in `{{ matrix_postgres_data_path }}` instead. + We'll stop Postgres and relocate the files there for you. + when: "result_pg_old_data_dir_stat.stat.exists" + +- name: Find files and directories in old Postgres data path + find: + paths: "{{ matrix_postgres_base_path }}" + file_type: any + excludes: ["data"] + register: "result_pg_old_data_dir_find" + when: "result_pg_old_data_dir_stat.stat.exists" + +- name: Ensure new Postgres data path exists + file: + path: "{{ matrix_postgres_data_path }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "result_pg_old_data_dir_stat.stat.exists" + +- name: Ensure matrix-postgres is stopped + service: + name: matrix-postgres + state: stopped + daemon_reload: yes + when: "result_pg_old_data_dir_stat.stat.exists" + +- block: + - name: Relocate Postgres data files from old directory to new + command: "mv {{ item.path }} {{ matrix_postgres_data_path }}/{{ item.path|basename }}" + with_items: "{{ result_pg_old_data_dir_find.files }}" + when: "result_pg_old_data_dir_stat.stat.exists" + +# Intentionally not starting matrix-postgres here. +# It likely needs to be updated to point to the new directory. +# In fact, let's even get rid of the outdated service, to ensure no one will start it +# and have it initialize a new database. + +- name: Ensure outdated matrix-postgres.service doesn't exist + file: + path: "/etc/systemd/system/matrix-postgres.service" + state: absent + when: "result_pg_old_data_dir_stat.stat.exists" + +- name: Ensure systemd reloaded after getting rid of outdated matrix-postgres.service + service: + daemon_reload: yes + when: "result_pg_old_data_dir_stat.stat.exists" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml similarity index 83% rename from roles/matrix-server/tasks/setup/setup_postgres.yml rename to roles/matrix-postgres/tasks/setup_postgres.yml index 5ffa3ebc..89e8104f 100644 --- a/roles/matrix-server/tasks/setup/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -4,7 +4,9 @@ # Generic tasks, no matter what kind of server we're using (internal/external) # -- import_tasks: tasks/util/detect_existing_postgres_version.yml +- import_tasks: "{{ role_path }}/tasks/migrate_postgres_data_directory.yml" + +- import_tasks: "{{ role_path }}/tasks/util/detect_existing_postgres_version.yml" # If we have found an existing version (installed from before), we use its corresponding Docker image. # If not, we install using the latest Postgres. @@ -23,14 +25,27 @@ docker_image: name: "{{ matrix_postgres_docker_image_to_use }}" +# We always create these directories, even if an external Postgres is used, +# because we store environment variable files there. +- name: Ensure Postgres paths exist + file: + path: "{{ item }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_postgres_base_path }}" + - "{{ matrix_postgres_data_path }}" + - name: Ensure Postgres environment variables file created template: - src: "{{ role_path }}/templates/env/{{ item }}.j2" - dest: "{{ matrix_environment_variables_data_path }}/{{ item }}" + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_postgres_base_path }}/{{ item }}" mode: 0640 with_items: - - "env-postgres-pgsql-docker" - - "env-postgres-server-docker" + - "env-postgres-psql" + - "env-postgres-server" - name: Ensure matrix-postgres-cli script created template: @@ -48,15 +63,6 @@ # Tasks related to setting up an internal postgres server # -- name: Ensure postgres data path exists - file: - path: "{{ matrix_postgres_data_path }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - when: "not matrix_postgres_use_external" - - name: Ensure matrix-postgres.service installed template: src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2" @@ -96,5 +102,5 @@ # We just want to notify the user. Deleting data is too destructive. - name: Notify if matrix-postgres local data remains debug: - msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete that." + msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete it." when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists" diff --git a/roles/matrix-server/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml similarity index 95% rename from roles/matrix-server/tasks/upgrade_postgres.yml rename to roles/matrix-postgres/tasks/upgrade_postgres.yml index 69955b30..b73bc030 100644 --- a/roles/matrix-server/tasks/upgrade_postgres.yml +++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml @@ -71,7 +71,7 @@ command: | /usr/bin/docker run --rm --name matrix-postgres-dump \ --network={{ matrix_docker_network }} \ - --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ -v {{ postgres_dump_dir }}:/out \ {{ matrix_postgres_detected_version_corresponding_docker_image }} pg_dump -h matrix-postgres {{ matrix_postgres_db_name }} -f /out/{{ postgres_dump_name }} @@ -86,7 +86,7 @@ - debug: msg: "NOTE: Your Postgres data directory has been moved from `{{ matrix_postgres_data_path }}` to `{{ postgres_auto_upgrade_backup_data_path }}`. In the event of failure, you can move it back and run the playbook with --tags=setup-postgres to restore operation." -- import_tasks: tasks/setup/setup_postgres.yml +- import_tasks: tasks/setup_postgres.yml - name: Ensure matrix-postgres autoruns and is restarted service: @@ -105,7 +105,7 @@ command: | /usr/bin/docker run --rm --name matrix-postgres-import \ --network={{ matrix_docker_network }} \ - --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ -v {{ postgres_dump_dir }}:/in:ro \ {{ matrix_postgres_docker_image_latest }} psql -v ON_ERROR_STOP=1 -h matrix-postgres -f /in/{{ postgres_dump_name }} diff --git a/roles/matrix-server/tasks/util/detect_existing_postgres_version.yml b/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml similarity index 100% rename from roles/matrix-server/tasks/util/detect_existing_postgres_version.yml rename to roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml diff --git a/roles/matrix-server/templates/env/env-postgres-pgsql-docker.j2 b/roles/matrix-postgres/templates/env-postgres-psql.j2 similarity index 100% rename from roles/matrix-server/templates/env/env-postgres-pgsql-docker.j2 rename to roles/matrix-postgres/templates/env-postgres-psql.j2 diff --git a/roles/matrix-server/templates/env/env-postgres-server-docker.j2 b/roles/matrix-postgres/templates/env-postgres-server.j2 similarity index 100% rename from roles/matrix-server/templates/env/env-postgres-server-docker.j2 rename to roles/matrix-postgres/templates/env-postgres-server.j2 diff --git a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 similarity index 88% rename from roles/matrix-server/templates/systemd/matrix-postgres.service.j2 rename to roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 0988f61d..40509e8c 100644 --- a/roles/matrix-server/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -11,7 +11,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --network={{ matrix_docker_network }} \ - --env-file={{ matrix_environment_variables_data_path }}/env-postgres-server-docker \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-server \ -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \ -v /etc/passwd:/etc/passwd:ro \ {{ matrix_postgres_docker_image_to_use }} diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-make-user-admin.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 similarity index 80% rename from roles/matrix-server/templates/usr-local-bin/matrix-make-user-admin.j2 rename to roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 index 37d72370..3e5b6ebe 100644 --- a/roles/matrix-server/templates/usr-local-bin/matrix-make-user-admin.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 @@ -8,7 +8,7 @@ fi docker run \ -it \ --rm \ - --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --network {{ matrix_docker_network }} \ {{ matrix_postgres_docker_image_to_use }} \ psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ host_specific_hostname_identity }}'" diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 similarity index 67% rename from roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 rename to roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 index 6cae5e5e..07e1f43b 100644 --- a/roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -3,7 +3,7 @@ docker run \ -it \ --rm \ - --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --network {{ matrix_docker_network }} \ {{ matrix_postgres_docker_image_to_use }} \ psql -h {{ matrix_postgres_connection_hostname }} diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml new file mode 100644 index 00000000..bd2b42d2 --- /dev/null +++ b/roles/matrix-riot-web/defaults/main.yml @@ -0,0 +1,32 @@ +# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain. +# If you wish to connect to your Matrix server by other means, +# you may wish to disable this. +matrix_riot_web_enabled: true + +matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.8" + +matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" + +# Riot config.json customizations +matrix_riot_web_disable_custom_urls: true +matrix_riot_web_disable_guests: true +matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/" +matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api" +matrix_riot_web_integrations_widgets_urls: "https://scalar.vector.im/api" +matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" +# Riot public room directory server(s) +matrix_riot_web_roomdir_servers: ['matrix.org'] +matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" + + +# Riot home.html customizations +# Default home.html template file +matrix_riot_web_homepage_template: "{{ role_path }}/templates/home.html.j2" +# Show general discussion about Matrix and Riot row +matrix_riot_web_homepage_template_general: true +# Show Matrix technical discussions row +matrix_riot_web_homepage_template_technical: true +# Show building services on Matrix row +matrix_riot_web_homepage_template_building: true +# Show contributing code to Matrix and Riot row +matrix_riot_web_homepage_template_contributing: true \ No newline at end of file diff --git a/roles/matrix-riot-web/tasks/init.yml b/roles/matrix-riot-web/tasks/init.yml new file mode 100644 index 00000000..1fd0c7eb --- /dev/null +++ b/roles/matrix-riot-web/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-riot-web'] }}" + when: matrix_riot_web_enabled \ No newline at end of file diff --git a/roles/matrix-riot-web/tasks/main.yml b/roles/matrix-riot-web/tasks/main.yml new file mode 100644 index 00000000..da57a88a --- /dev/null +++ b/roles/matrix-riot-web/tasks/main.yml @@ -0,0 +1,16 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_riot_web.yml" + when: run_setup + tags: + - setup-all + - setup-riot-web + +- import_tasks: "{{ role_path }}/tasks/self_check_riot_web.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check and matrix_riot_web_enabled" + tags: + - self-check \ No newline at end of file diff --git a/roles/matrix-server/tasks/self_check/self_check_riot_web.yml b/roles/matrix-riot-web/tasks/self_check_riot_web.yml similarity index 100% rename from roles/matrix-server/tasks/self_check/self_check_riot_web.yml rename to roles/matrix-riot-web/tasks/self_check_riot_web.yml diff --git a/roles/matrix-server/tasks/setup/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml similarity index 95% rename from roles/matrix-server/tasks/setup/setup_riot_web.yml rename to roles/matrix-riot-web/tasks/setup_riot_web.yml index c3a2fa31..1eadf933 100644 --- a/roles/matrix-server/tasks/setup/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -26,7 +26,7 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - {src: "{{ role_path }}/templates/riot-web/config.json.j2", name: "config.json"} + - {src: "{{ role_path }}/templates/config.json.j2", name: "config.json"} - {src: "{{ matrix_riot_web_homepage_template }}", name: "home.html"} when: matrix_riot_web_enabled diff --git a/roles/matrix-server/templates/riot-web/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 similarity index 100% rename from roles/matrix-server/templates/riot-web/config.json.j2 rename to roles/matrix-riot-web/templates/config.json.j2 diff --git a/roles/matrix-server/templates/riot-web/home.html.j2 b/roles/matrix-riot-web/templates/home.html.j2 similarity index 100% rename from roles/matrix-server/templates/riot-web/home.html.j2 rename to roles/matrix-riot-web/templates/home.html.j2 diff --git a/roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 similarity index 100% rename from roles/matrix-server/templates/systemd/matrix-riot-web.service.j2 rename to roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml deleted file mode 100644 index 148eb97a..00000000 --- a/roles/matrix-server/defaults/main.yml +++ /dev/null @@ -1,463 +0,0 @@ -# The bare hostname which represents your identity. -# This is something like "example.com". -# Note: this playbook does not touch the server referenced here. -hostname_identity: "{{ host_specific_hostname_identity|lower }}" - -# This is where your data lives and what we set up here. -# This and the Riot hostname (see below) are expected to be on the same server. -hostname_matrix: "matrix.{{ hostname_identity }}" - -# This is where you access the web UI from and what we set up here. -# This and the Matrix hostname (see above) are expected to be on the same server. -hostname_riot: "riot.{{ hostname_identity }}" - - -matrix_user_username: "matrix" -matrix_user_uid: 991 -matrix_user_gid: 991 - -matrix_base_data_path: "/matrix" -matrix_environment_variables_data_path: "{{ matrix_base_data_path }}/environment-variables" -matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" - -matrix_homeserver_url: "https://{{ hostname_matrix }}" -matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}" - -# The Docker network that all services would be put into -matrix_docker_network: "matrix" - - -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.34.1.1-py3" - -matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" -matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" -matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run" -matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" -matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" -matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" - -matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages" - -# Specifies which template files to use when configuring Synapse. -# If you'd like to have your own different configuration, feel free to copy and paste -# the original files into your inventory (e.g. in `inventory/host_vars//`) -# and then change the specific host's `vars.yaml` file like this: -# matrix_synapse_template_synapse_homeserver: "{{ playbook_dir }}/inventory/host_vars//homeserver.yaml.j2" -matrix_synapse_template_synapse_homeserver: "{{ role_path }}/templates/synapse/homeserver.yaml.j2" -matrix_synapse_template_synapse_log: "{{ role_path }}/templates/synapse/synapse.log.config.j2" - -matrix_synapse_macaroon_secret_key: "" -matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}" -matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" - -# These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled -matrix_synapse_id_servers_public: ['vector.im', 'matrix.org'] - -# These are the identity servers that would be trusted by Synapse if mxisd IS enabled -matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']" - -# The final list of identity servers to use for Synapse. -# The first one would also be used as riot-web's default identity server. -matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_own if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" - -matrix_synapse_max_upload_size_mb: 10 -matrix_synapse_max_log_file_size_mb: 100 -matrix_synapse_max_log_files_count: 10 - -# Log levels -# Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels -# warning: setting log level to DEBUG will make synapse log sensitive information such -# as access tokens -matrix_synapse_log_level: "INFO" -matrix_synapse_storage_sql_log_level: "INFO" -matrix_synapse_root_log_level: "INFO" - -# Rate limits -matrix_synapse_rc_messages_per_second: 0.2 -matrix_synapse_rc_message_burst_count: 10.0 - -# Enable this to allow Synapse to report utilization statistics about your server to matrix.org -# (things like number of users, number of messages sent, uptime, load, etc.) -matrix_synapse_report_stats: false - -# Controls whether the Matrix server will track presence status (online, offline, unavailable) for users. -# If users participate in large rooms with many other servers, -# disabling this will decrease server load significantly. -matrix_synapse_use_presence: true - -# Controls whether people with access to the homeserver can register by themselves. -matrix_synapse_enable_registration: false - -# Users who register on this homeserver will automatically be joined to these rooms. -# Rooms are to be specified using addresses (e.g. `#address:example.com`) -matrix_synapse_auto_join_rooms: [] - -# Controls whether auto-join rooms (`matrix_synapse_auto_join_rooms`) are to be created -# automatically if they don't already exist. -matrix_synapse_autocreate_auto_join_rooms: true - -# Controls password-peppering for Matrix Synapse. Not to be changed after initial setup. -matrix_synapse_password_config_pepper: "" - -# Controls the number of events that Matrix Synapse caches in memory. -matrix_synapse_event_cache_size: "100K" - -# Controls cache sizes for Matrix Synapse via the SYNAPSE_CACHE_FACTOR environment variable. -# Raise this to increase cache sizes or lower it to potentially lower memory use. -# To learn more, see: -# - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram -# - https://github.com/matrix-org/synapse/issues/3939 -matrix_synapse_cache_factor: 0.5 - -# Controls whether Matrix Synapse will federate at all. -# Disable this to completely isolate your server from the rest of the Matrix network. -matrix_synapse_federation_enabled: true - -# A list of domain names that are allowed to federate with the given Matrix Synapse server. -# An empty list value (`[]`) will also effectively stop federation, but if that's the desired -# result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`. -matrix_synapse_federation_domain_whitelist: ~ - -# A list of additional "volumes" to mount in the container. -# This list gets populated dynamically based on Synapse extensions that have been enabled. -# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} -matrix_synapse_container_additional_volumes: [] - -# A list of additional loggers to register in synapse.log.config. -# This list gets populated dynamically based on Synapse extensions that have been enabled. -# Contains definition objects like this: `{"name": "..", "level": "DEBUG"} -matrix_synapse_additional_loggers: [] - -# A list of service config files -# This list gets populated dynamically based on Synapse extensions that have been enabled. -# Contains fs paths -matrix_synapse_app_service_config_files: [] - -# This is set dynamically during execution depending on whether -# any password providers have been enabled or not. -matrix_synapse_password_providers_enabled: false - - -# Enable this to activate the REST auth password provider module. -# See: https://github.com/kamax-io/matrix-synapse-rest-auth -matrix_synapse_ext_password_provider_rest_auth_enabled: false -matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.1/rest_auth_provider.py" -matrix_synapse_ext_password_provider_rest_auth_endpoint: "" -matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false -matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true -matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false - -# Enable this to activate the Shared Secret Auth password provider module. -# See: https://github.com/devture/matrix-synapse-shared-secret-auth -matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false -matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.1/shared_secret_authenticator.py" -matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" - -# Enable this to activate LDAP password provider -matrix_synapse_ext_password_provider_ldap_enabled: false -matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389" -matrix_synapse_ext_password_provider_ldap_start_tls: true -matrix_synapse_ext_password_provider_ldap_base: "" -matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid" -matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail" -matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" -matrix_synapse_ext_password_provider_ldap_bind_dn: "" -matrix_synapse_ext_password_provider_ldap_bind_password: "" -matrix_synapse_ext_password_provider_ldap_filter: "" - - -# The defaults below cause a postgres server to be configured (running within a container). -# Using an external server is possible by tweaking all of the parameters below. -matrix_postgres_use_external: false -matrix_postgres_connection_hostname: "matrix-postgres" -matrix_postgres_connection_username: "synapse" -matrix_postgres_connection_password: "synapse-password" -matrix_postgres_db_name: "homeserver" - -matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres" - -matrix_postgres_docker_image_v9: "postgres:9.6.11-alpine" -matrix_postgres_docker_image_v10: "postgres:10.6-alpine" -matrix_postgres_docker_image_v11: "postgres:11.1-alpine" -matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}" - - -matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8" - -matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" -matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" - -# A shared secret (between Synapse and Coturn) used for authentication. -# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_coturn_turn_static_auth_secret: "" - -# UDP port-range to use for TURN -matrix_coturn_turn_udp_min_port: 49152 -matrix_coturn_turn_udp_max_port: 49172 - -matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" - - -matrix_s3_media_store_enabled: false -matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" -matrix_s3_media_store_bucket_name: "your-bucket-name" -matrix_s3_media_store_aws_access_key: "your-aws-access-key" -matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" -matrix_s3_media_store_region: "eu-central-1" - - -# By default, this playbook sets up a postfix mailer server (running in a container). -# This is so that Matrix Synapse can send email reminders for unread messages. -# Other services (like mxisd), however, also use that mailer to send emails through it. -matrix_mailer_enabled: true - -matrix_mailer_docker_image: "panubo/postfix:latest" - -matrix_mailer_sender_address: "matrix@{{ hostname_identity }}" -matrix_mailer_relay_use: false -matrix_mailer_relay_host_name: "mail.example.com" -matrix_mailer_relay_host_port: 587 -matrix_mailer_relay_auth: false -matrix_mailer_relay_auth_username: "" -matrix_mailer_relay_auth_password: "" - - -# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`). -# If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own, -# you may wish to disable this. -matrix_mxisd_enabled: true -matrix_mxisd_docker_image: "kamax/mxisd:1.2.2" -matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" -matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" -matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" - -# Your identity server is private by default. -# To ensure maximum discovery, you can make your identity server -# also forward lookups to the central matrix.org Identity server -# (at the cost of potentially leaking all your contacts information). -# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups -matrix_mxisd_matrixorg_forwarding_enabled: false - -# mxisd has serveral supported identity stores. -# One of them (which we enable by default) is storing identities directly in Synapse's database. -# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md -# -# If you need to disable this in favor of some other store, you can toggle it to disabled here -# and add your own mxisd configuration for the other store in `matrix_mxisd_configuration_extension_yaml`. -matrix_mxisd_synapsesql_enabled: true -matrix_mxisd_synapsesql_type: postgresql -matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }} - -# Default mxisd configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_mxisd_configuration_yaml: | - matrix: - domain: {{ hostname_identity }} - - server: - name: {{ hostname_matrix }} - - key: - path: /var/mxisd/sign.key - - storage: - provider: - sqlite: - database: /var/mxisd/mxisd.db - - {% if matrix_mxisd_matrixorg_forwarding_enabled %} - forward: - servers: ['matrix-org'] - {% endif %} - - threepid: - medium: - email: - identity: - from: {{ matrix_mailer_sender_address }} - connectors: - smtp: - host: matrix-mailer - port: 587 - tls: 0 - - synapseSql: - enabled: {{ matrix_mxisd_synapsesql_enabled }} - type: {{ matrix_mxisd_synapsesql_type }} - connection: {{ matrix_mxisd_synapsesql_connection }} - -matrix_mxisd_configuration_extension_yaml: | - # Your custom YAML configuration for mxisd goes here. - # This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_mxisd_configuration_yaml`. - # - # Example configuration extension follows: - # - # ldap: - # enabled: true - # connection: - # host: ldapHostnameOrIp - # tls: false - # port: 389 - # baseDns: ['OU=Users,DC=example,DC=org'] - # bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org - # bindPassword: TheUserPassword - -# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). -# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later. -matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}" - -# Holds the final mxisd configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`. -matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}" - - -# Enable this to add support for matrix-corporal. -# See: https://github.com/devture/matrix-corporal -matrix_corporal_enabled: false - -matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2" -matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" -matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" -matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" -matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var" - -matrix_corporal_matrix_timeout_milliseconds: 45000 - -matrix_corporal_reconciliation_retry_interval_milliseconds: 30000 -matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" - -matrix_corporal_http_api_enabled: false -matrix_corporal_http_api_auth_token: "" - -# Matrix Corporal policy provider configuration (goes directly into the configuration's `PolicyProvider` value) -matrix_corporal_policy_provider_config: "" - -matrix_corporal_debug: false - - -# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain. -# If you wish to connect to your Matrix server by other means, -# you may wish to disable this. -matrix_riot_web_enabled: true - -matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.8" - -matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" - -# Riot config.json customizations -matrix_riot_web_disable_custom_urls: true -matrix_riot_web_disable_guests: true -matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/" -matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api" -matrix_riot_web_integrations_widgets_urls: "https://scalar.vector.im/api" -matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" -# Riot public room directory server(s) -matrix_riot_web_roomdir_servers: ['matrix.org'] -matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" - - -# Riot home.html customizations -# Default home.html template file -matrix_riot_web_homepage_template: "{{ role_path }}/templates/riot-web/home.html.j2" -# Show general discussion about Matrix and Riot row -matrix_riot_web_homepage_template_general: true -# Show Matrix technical discussions row -matrix_riot_web_homepage_template_technical: true -# Show building services on Matrix row -matrix_riot_web_homepage_template_building: true -# Show contributing code to Matrix and Riot row -matrix_riot_web_homepage_template_contributing: true - -# Matrix mautrix is a Matrix <-> Telegram bridge -# Enable telegram bridge -matrix_mautrix_telegram_enabled: false - -matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.4.0" - -matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" - -# Get your own API keys at https://my.telegram.org/apps -matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID -matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH -# Mautrix telegram public endpoint to log in to telegram -# Use an uuid so it's not easily discoverable -matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}" - - -# Matrix mautrix is a Matrix <-> Whatsapp bridge -# Enable whatsapp bridge -matrix_mautrix_whatsapp_enabled: false - -matrix_mautrix_whatsapp_docker_image: "tulir/mautrix-whatsapp:latest" - -matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" - - -# By default, this playbook sets up its own nginx proxy server on port 80/443. -# This is fine if you're dedicating the whole server to Matrix. -# But in case that's not the case, you may wish to prevent that -# and take care of proxying by yourself. -matrix_nginx_proxy_enabled: true - -matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine" - -matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" -matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" - -# The addresses where the Matrix Client API is. -# Certain extensions (like matrix-corporal) may override this in order to capture all traffic. -matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008" -matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008" - -# Specifies when to reload the matrix-nginx-proxy service so that -# a new SSL certificate could go into effect. -matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" - -# Specifies which SSL protocols to use when serving Riot and Synapse -# Note TLSv1.3 is not yet available in dockerized nginx -# See: https://github.com/nginxinc/docker-nginx/issues/190 -matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" - -# By default, this playbook automatically retrieves and auto-renews -# free SSL certificates from Let's Encrypt. -# -# The following retrieval methods are supported: -# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt -# - "self-signed" - the playbook generates and self-signs certificates -# - "manually-managed" - lets you manage certificates by yourself (manually; see below) -# -# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`), -# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path` -# obeying the following hierarchy: -# - /live//fullchain.pem -# - /live//privkey.pem -# where refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`). -matrix_ssl_retrieval_method: "lets-encrypt" - -# Controls whether to obtain production or staging certificates from Let's Encrypt. -matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0" -matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 -matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}" - -matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" -matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" -matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" - -# Variables to Control which parts of the role run. -run_setup: true -run_import_postgres: true -run_upgrade_postgres: true -run_start: true -run_register_user: true -run_import_sqlite_db: true -run_import_media_store: true -run_self_check: true diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml deleted file mode 100644 index a6ba542b..00000000 --- a/roles/matrix-server/tasks/main.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- - -- import_tasks: tasks/setup/main.yml - when: run_setup - -- import_tasks: tasks/import/import_postgres.yml - tags: - - import-postgres - when: run_import_postgres - -- import_tasks: tasks/upgrade_postgres.yml - tags: - - upgrade-postgres - when: run_upgrade_postgres - -- import_tasks: tasks/start.yml - tags: - - start - when: run_start - -- import_tasks: tasks/register_user.yml - tags: - - register-user - when: run_register_user - -- import_tasks: tasks/import/import_sqlite_db.yml - tags: - - import-sqlite-db - when: run_import_sqlite_db - -- import_tasks: tasks/import/import_media_store.yml - tags: - - import-media-store - when: run_import_media_store - -- import_tasks: tasks/self_check/main.yml - delegate_to: 127.0.0.1 - become: false - tags: - - self-check - when: run_self_check diff --git a/roles/matrix-server/tasks/self_check/main.yml b/roles/matrix-server/tasks/self_check/main.yml deleted file mode 100644 index fdd73dd6..00000000 --- a/roles/matrix-server/tasks/self_check/main.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -- import_tasks: tasks/self_check/self_check_dns.yml - -- import_tasks: tasks/self_check/self_check_client_api.yml - -- import_tasks: tasks/self_check/self_check_federation_api.yml - -- import_tasks: tasks/self_check/self_check_riot_web.yml - when: "matrix_riot_web_enabled" - -- import_tasks: tasks/self_check/self_check_mxisd.yml - when: "matrix_mxisd_enabled" - -- import_tasks: tasks/self_check/self_check_well_known.yml - -- import_tasks: tasks/self_check/self_check_corporal.yml - when: "matrix_corporal_enabled" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/main.yml b/roles/matrix-server/tasks/setup/main.yml deleted file mode 100644 index 34876faa..00000000 --- a/roles/matrix-server/tasks/setup/main.yml +++ /dev/null @@ -1,77 +0,0 @@ ---- - -- import_tasks: tasks/setup/setup_sanity_check.yml - tags: - - always - -- import_tasks: tasks/setup/setup_base.yml - tags: - - setup-all - -- import_tasks: tasks/setup/setup_main.yml - tags: - - setup-all - -- import_tasks: tasks/setup/ssl/main.yml - tags: - - setup-all - - setup-ssl - -- import_tasks: tasks/setup/setup_postgres.yml - tags: - - setup-all - - setup-postgres - -- import_tasks: tasks/setup/setup_goofys.yml - tags: - - setup-all - - setup-goofys - -- import_tasks: tasks/setup/setup_coturn.yml - tags: - - setup-all - - setup-coturn - -- import_tasks: tasks/setup/setup_mailer.yml - tags: - - setup-all - - setup-mailer - -- import_tasks: tasks/setup/setup_mxisd.yml - tags: - - setup-all - - setup-mxisd - -- import_tasks: tasks/setup/setup_corporal_overrides.yml - tags: - - always - -- import_tasks: tasks/setup/setup_corporal.yml - tags: - - setup-all - - setup-corporal - -- import_tasks: tasks/setup/synapse/main.yml - tags: - - setup-all - - setup-synapse - - setup-coturn - -- import_tasks: tasks/setup/setup_riot_web.yml - tags: - - setup-all - - setup-riot-web - -- import_tasks: tasks/setup/setup_well_known.yml - tags: - - setup-all - - setup-mxisd - - setup-synapse - - setup-nginx-proxy - - setup-well-known - -- import_tasks: tasks/setup/setup_nginx_proxy.yml - tags: - - setup-all - - setup-nginx-proxy - - setup-well-known \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/setup_corporal_overrides.yml b/roles/matrix-server/tasks/setup/setup_corporal_overrides.yml deleted file mode 100644 index a410f801..00000000 --- a/roles/matrix-server/tasks/setup/setup_corporal_overrides.yml +++ /dev/null @@ -1,11 +0,0 @@ -# These overrides run with the `always` tag, -# because they're important not only for the `setup-corporal` tag, but for other tags too. -# -# We want an nginx-proxy rebuild (`--tags=setup-nginx-proxy`) to also go through here -# and be affected by these overrides. - -- name: Override configuration specifying where the Matrix Client API is - set_fact: - matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080" - matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080" - when: "matrix_corporal_enabled" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml deleted file mode 100644 index 10cd0765..00000000 --- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_manually_managed.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- name: Verify certificates - include_tasks: "{{ role_path }}/tasks/setup/ssl/setup_ssl_manually_managed_verify_for_domain.yml" - with_items: "{{ domains_requiring_certificates }}" - loop_control: - loop_var: domain_name - when: "matrix_ssl_retrieval_method == 'manually-managed'" \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/synapse/ext/main.yml b/roles/matrix-server/tasks/setup/synapse/ext/main.yml deleted file mode 100644 index a53cc9aa..00000000 --- a/roles/matrix-server/tasks/setup/synapse/ext/main.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml - -- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_shared_secret_auth.yml - -- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_ldap_auth.yml - -- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml - -- import_tasks: tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml diff --git a/roles/matrix-server/tasks/setup/synapse/main.yml b/roles/matrix-server/tasks/setup/synapse/main.yml deleted file mode 100644 index 86e7087c..00000000 --- a/roles/matrix-server/tasks/setup/synapse/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- import_tasks: tasks/setup/synapse/setup_synapse_pre.yml - -- import_tasks: tasks/setup/synapse/ext/main.yml - -- import_tasks: tasks/setup/synapse/setup_synapse_main.yml diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml deleted file mode 100644 index bbdf09f6..00000000 --- a/roles/matrix-server/tasks/start.yml +++ /dev/null @@ -1,87 +0,0 @@ ---- - -- name: Ensure matrix-postgres autoruns and is restarted - service: - name: matrix-postgres - enabled: yes - state: restarted - daemon_reload: yes - when: "not matrix_postgres_use_external" - -- name: Ensure matrix-goofys autoruns and is restarted - service: - name: matrix-goofys - enabled: yes - state: restarted - daemon_reload: yes - when: matrix_s3_media_store_enabled - -- name: Ensure matrix-coturn autoruns and is restarted - service: - name: matrix-coturn - enabled: yes - state: restarted - daemon_reload: yes - -- name: Ensure matrix-mailer autoruns and is restarted - service: - name: matrix-mailer - enabled: yes - state: restarted - daemon_reload: yes - when: matrix_mailer_enabled - -- name: Ensure matrix-mxisd autoruns and is restarted - service: - name: matrix-mxisd - enabled: yes - state: restarted - daemon_reload: yes - when: matrix_mxisd_enabled - -- name: Ensure matrix-synapse autoruns and is restarted - service: - name: matrix-synapse - enabled: yes - state: restarted - daemon_reload: yes - -- name: Ensure matrix-riot-web autoruns and is restarted - service: - name: matrix-riot-web - enabled: yes - state: restarted - daemon_reload: yes - when: matrix_riot_web_enabled - -- name: Ensure matrix-nginx-proxy autoruns and is restarted - service: - name: matrix-nginx-proxy - enabled: yes - state: restarted - daemon_reload: yes - when: matrix_nginx_proxy_enabled - -- name: Ensure matrix-corporal autoruns and is restarted - service: - name: matrix-corporal - enabled: yes - state: restarted - daemon_reload: yes - when: matrix_corporal_enabled - -- name: Ensure matrix-mautrix-telegram autoruns and is restarted - service: - name: matrix-mautrix-telegram - enabled: yes - state: restarted - daemon_reload: yes - when: matrix_mautrix_telegram_enabled - -- name: Ensure matrix-mautrix-whatsapp autoruns and is restarted - service: - name: matrix-mautrix-whatsapp - enabled: yes - state: restarted - daemon_reload: yes - when: matrix_mautrix_whatsapp_enabled diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml new file mode 100644 index 00000000..6ebb3fa9 --- /dev/null +++ b/roles/matrix-synapse/defaults/main.yml @@ -0,0 +1,176 @@ +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.34.1.1-py3" + +matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" +matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" +matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run" +matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" +matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" +matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" + +# Controls whether the Synapse container exposes the Client/Server API port (tcp/8008). +# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the Client/Server API's port to the local host (`127.0.0.1:8008`). +matrix_synapse_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" + +matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages" + +# Specifies which template files to use when configuring Synapse. +# If you'd like to have your own different configuration, feel free to copy and paste +# the original files into your inventory (e.g. in `inventory/host_vars//`) +# and then change the specific host's `vars.yaml` file like this: +# matrix_synapse_template_synapse_homeserver: "{{ playbook_dir }}/inventory/host_vars//homeserver.yaml.j2" +matrix_synapse_template_synapse_homeserver: "{{ role_path }}/templates/synapse/homeserver.yaml.j2" +matrix_synapse_template_synapse_log: "{{ role_path }}/templates/synapse/synapse.log.config.j2" + +matrix_synapse_macaroon_secret_key: "" +matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}" +matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" + +# These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled +matrix_synapse_id_servers_public: ['vector.im', 'matrix.org'] + +# These are the identity servers that would be trusted by Synapse if mxisd IS enabled +matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']" + +# The final list of identity servers to use for Synapse. +# The first one would also be used as riot-web's default identity server. +matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_own if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" + +matrix_synapse_max_upload_size_mb: 10 +matrix_synapse_max_log_file_size_mb: 100 +matrix_synapse_max_log_files_count: 10 + +# Log levels +# Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels +# warning: setting log level to DEBUG will make synapse log sensitive information such +# as access tokens +matrix_synapse_log_level: "INFO" +matrix_synapse_storage_sql_log_level: "INFO" +matrix_synapse_root_log_level: "INFO" + +# Rate limits +matrix_synapse_rc_messages_per_second: 0.2 +matrix_synapse_rc_message_burst_count: 10.0 + +# Enable this to allow Synapse to report utilization statistics about your server to matrix.org +# (things like number of users, number of messages sent, uptime, load, etc.) +matrix_synapse_report_stats: false + +# Controls whether the Matrix server will track presence status (online, offline, unavailable) for users. +# If users participate in large rooms with many other servers, +# disabling this will decrease server load significantly. +matrix_synapse_use_presence: true + +# Controls whether people with access to the homeserver can register by themselves. +matrix_synapse_enable_registration: false + +# Users who register on this homeserver will automatically be joined to these rooms. +# Rooms are to be specified using addresses (e.g. `#address:example.com`) +matrix_synapse_auto_join_rooms: [] + +# Controls whether auto-join rooms (`matrix_synapse_auto_join_rooms`) are to be created +# automatically if they don't already exist. +matrix_synapse_autocreate_auto_join_rooms: true + +# Controls password-peppering for Matrix Synapse. Not to be changed after initial setup. +matrix_synapse_password_config_pepper: "" + +# Controls the number of events that Matrix Synapse caches in memory. +matrix_synapse_event_cache_size: "100K" + +# Controls cache sizes for Matrix Synapse via the SYNAPSE_CACHE_FACTOR environment variable. +# Raise this to increase cache sizes or lower it to potentially lower memory use. +# To learn more, see: +# - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram +# - https://github.com/matrix-org/synapse/issues/3939 +matrix_synapse_cache_factor: 0.5 + +# Controls whether Matrix Synapse will federate at all. +# Disable this to completely isolate your server from the rest of the Matrix network. +matrix_synapse_federation_enabled: true + +# A list of domain names that are allowed to federate with the given Matrix Synapse server. +# An empty list value (`[]`) will also effectively stop federation, but if that's the desired +# result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`. +matrix_synapse_federation_domain_whitelist: ~ + +# A list of additional "volumes" to mount in the container. +# This list gets populated dynamically based on Synapse extensions that have been enabled. +# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} +matrix_synapse_container_additional_volumes: [] + +# A list of additional loggers to register in synapse.log.config. +# This list gets populated dynamically based on Synapse extensions that have been enabled. +# Contains definition objects like this: `{"name": "..", "level": "DEBUG"} +matrix_synapse_additional_loggers: [] + +# A list of service config files +# This list gets populated dynamically based on Synapse extensions that have been enabled. +# Contains fs paths +matrix_synapse_app_service_config_files: [] + +# This is set dynamically during execution depending on whether +# any password providers have been enabled or not. +matrix_synapse_password_providers_enabled: false + + +# Enable this to activate the REST auth password provider module. +# See: https://github.com/kamax-io/matrix-synapse-rest-auth +matrix_synapse_ext_password_provider_rest_auth_enabled: false +matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.1/rest_auth_provider.py" +matrix_synapse_ext_password_provider_rest_auth_endpoint: "" +matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false +matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true +matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false + +# Enable this to activate the Shared Secret Auth password provider module. +# See: https://github.com/devture/matrix-synapse-shared-secret-auth +matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false +matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.1/shared_secret_authenticator.py" +matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" + +# Enable this to activate LDAP password provider +matrix_synapse_ext_password_provider_ldap_enabled: false +matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389" +matrix_synapse_ext_password_provider_ldap_start_tls: true +matrix_synapse_ext_password_provider_ldap_base: "" +matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid" +matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail" +matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" +matrix_synapse_ext_password_provider_ldap_bind_dn: "" +matrix_synapse_ext_password_provider_ldap_bind_password: "" +matrix_synapse_ext_password_provider_ldap_filter: "" + + +matrix_s3_media_store_enabled: false +matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" +matrix_s3_media_store_bucket_name: "your-bucket-name" +matrix_s3_media_store_aws_access_key: "your-aws-access-key" +matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" +matrix_s3_media_store_region: "eu-central-1" + + +# Matrix mautrix is a Matrix <-> Telegram bridge +# Enable telegram bridge +matrix_mautrix_telegram_enabled: false + +matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.4.0" + +matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" + +# Get your own API keys at https://my.telegram.org/apps +matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID +matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH +# Mautrix telegram public endpoint to log in to telegram +# Use an uuid so it's not easily discoverable +matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}" + + +# Matrix mautrix is a Matrix <-> Whatsapp bridge +# Enable whatsapp bridge +matrix_mautrix_whatsapp_enabled: false + +matrix_mautrix_whatsapp_docker_image: "tulir/mautrix-whatsapp:latest" + +matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" \ No newline at end of file diff --git a/roles/matrix-synapse/tasks/ext/init.yml b/roles/matrix-synapse/tasks/ext/init.yml new file mode 100644 index 00000000..a33c2738 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/init.yml @@ -0,0 +1,5 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/ext/mautrix-telegram/init.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/mautrix-whatsapp/init.yml" diff --git a/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_ldap_auth.yml b/roles/matrix-synapse/tasks/ext/ldap-auth/setup.yml similarity index 100% rename from roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_ldap_auth.yml rename to roles/matrix-synapse/tasks/ext/ldap-auth/setup.yml diff --git a/roles/matrix-synapse/tasks/ext/mautrix-telegram/init.yml b/roles/matrix-synapse/tasks/ext/mautrix-telegram/init.yml new file mode 100644 index 00000000..566d7321 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mautrix-telegram/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram'] }}" + when: matrix_mautrix_telegram_enabled \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml similarity index 93% rename from roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml rename to roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml index 25a04d56..6e0c3249 100644 --- a/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_telegram.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml @@ -19,7 +19,7 @@ - name: Ensure Matrix Mautrix telegram config installed template: - src: "{{ role_path }}/templates/mautrix-telegram/config.yaml.j2" + src: "{{ role_path }}/templates/ext/mautrix-telegram/config.yaml.j2" dest: "{{ matrix_mautrix_telegram_base_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" @@ -28,7 +28,7 @@ - name: Ensure matrix-mautrix-telegram.service installed template: - src: "{{ role_path }}/templates/systemd/matrix-mautrix-telegram.service.j2" + src: "{{ role_path }}/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2" dest: "/etc/systemd/system/matrix-mautrix-telegram.service" mode: 0644 when: "matrix_mautrix_telegram_enabled" diff --git a/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/init.yml b/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/init.yml new file mode 100644 index 00000000..fdc0d1b9 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp'] }}" + when: matrix_mautrix_whatsapp_enabled \ No newline at end of file diff --git a/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml b/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml similarity index 93% rename from roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml rename to roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml index 6afc4947..ee9b3358 100644 --- a/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_mautrix_whatsapp.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml @@ -19,7 +19,7 @@ - name: Ensure Matrix Mautrix whatsapp config installed template: - src: "{{ role_path }}/templates/mautrix-whatsapp/config.yaml.j2" + src: "{{ role_path }}/templates/ext/mautrix-whatsapp/config.yaml.j2" dest: "{{ matrix_mautrix_whatsapp_base_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" @@ -28,7 +28,7 @@ - name: Ensure matrix-mautrix-whatsapp.service installed template: - src: "{{ role_path }}/templates/systemd/matrix-mautrix-whatsapp.service.j2" + src: "{{ role_path }}/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2" dest: "/etc/systemd/system/matrix-mautrix-whatsapp.service" mode: 0644 when: "matrix_mautrix_whatsapp_enabled" diff --git a/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml b/roles/matrix-synapse/tasks/ext/rest-auth/setup.yml similarity index 100% rename from roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_rest_auth.yml rename to roles/matrix-synapse/tasks/ext/rest-auth/setup.yml diff --git a/roles/matrix-synapse/tasks/ext/setup.yml b/roles/matrix-synapse/tasks/ext/setup.yml new file mode 100644 index 00000000..c7936c71 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/setup.yml @@ -0,0 +1,11 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/mautrix-telegram/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/mautrix-whatsapp/setup.yml" diff --git a/roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_shared_secret_auth.yml b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml similarity index 100% rename from roles/matrix-server/tasks/setup/synapse/ext/setup_synapse_ext_shared_secret_auth.yml rename to roles/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml diff --git a/roles/matrix-server/tasks/import/import_media_store.yml b/roles/matrix-synapse/tasks/import_media_store.yml similarity index 100% rename from roles/matrix-server/tasks/import/import_media_store.yml rename to roles/matrix-synapse/tasks/import_media_store.yml diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml new file mode 100644 index 00000000..ede7105d --- /dev/null +++ b/roles/matrix-synapse/tasks/init.yml @@ -0,0 +1,8 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse'] }}" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys'] }}" + when: matrix_s3_media_store_enabled + +- import_tasks: "{{ role_path }}/tasks/ext/init.yml" \ No newline at end of file diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml new file mode 100644 index 00000000..e385fe11 --- /dev/null +++ b/roles/matrix-synapse/tasks/main.yml @@ -0,0 +1,33 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_synapse_entrypoint.yml" + when: run_setup + tags: + - setup-all + - setup-synapse + +- import_tasks: "{{ role_path }}/tasks/import_media_store.yml" + when: run_import_media_store + tags: + - import-media-store + +- import_tasks: "{{ role_path }}/tasks/register_user.yml" + when: run_register_user + tags: + - register-user + +- import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check + tags: + - self-check diff --git a/roles/matrix-server/tasks/register_user.yml b/roles/matrix-synapse/tasks/register_user.yml similarity index 100% rename from roles/matrix-server/tasks/register_user.yml rename to roles/matrix-synapse/tasks/register_user.yml diff --git a/roles/matrix-server/tasks/self_check/self_check_client_api.yml b/roles/matrix-synapse/tasks/self_check_client_api.yml similarity index 100% rename from roles/matrix-server/tasks/self_check/self_check_client_api.yml rename to roles/matrix-synapse/tasks/self_check_client_api.yml diff --git a/roles/matrix-server/tasks/self_check/self_check_federation_api.yml b/roles/matrix-synapse/tasks/self_check_federation_api.yml similarity index 100% rename from roles/matrix-server/tasks/self_check/self_check_federation_api.yml rename to roles/matrix-synapse/tasks/self_check_federation_api.yml diff --git a/roles/matrix-synapse/tasks/setup_synapse_entrypoint.yml b/roles/matrix-synapse/tasks/setup_synapse_entrypoint.yml new file mode 100644 index 00000000..46639cdd --- /dev/null +++ b/roles/matrix-synapse/tasks/setup_synapse_entrypoint.yml @@ -0,0 +1,9 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/setup_synapse_pre.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/setup_synapse_main.yml" + +- import_tasks: "{{ role_path }}/tasks/setup_synapse_goofys.yml" diff --git a/roles/matrix-server/tasks/setup/setup_goofys.yml b/roles/matrix-synapse/tasks/setup_synapse_goofys.yml similarity index 89% rename from roles/matrix-server/tasks/setup/setup_goofys.yml rename to roles/matrix-synapse/tasks/setup_synapse_goofys.yml index d08940ce..f37a1eb6 100644 --- a/roles/matrix-server/tasks/setup/setup_goofys.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_goofys.yml @@ -26,15 +26,15 @@ - name: Ensure goofys environment variables file created template: - src: "{{ role_path }}/templates/env/env-goofys.j2" - dest: "{{ matrix_environment_variables_data_path }}/goofys" + src: "{{ role_path }}/templates/goofys/env-goofys.j2" + dest: "{{ matrix_synapse_config_dir_path }}/env-goofys" owner: root mode: 0600 when: matrix_s3_media_store_enabled - name: Ensure matrix-goofys.service installed template: - src: "{{ role_path }}/templates/systemd/matrix-goofys.service.j2" + src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2" dest: "/etc/systemd/system/matrix-goofys.service" mode: 0644 when: matrix_s3_media_store_enabled @@ -64,7 +64,7 @@ - name: Ensure goofys environment variables file doesn't exist file: - path: "{{ matrix_environment_variables_data_path }}/goofys" + path: "{{ matrix_synapse_config_dir_path }}/env-goofys" state: absent when: "not matrix_s3_media_store_enabled" diff --git a/roles/matrix-server/tasks/setup/synapse/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml similarity index 87% rename from roles/matrix-server/tasks/setup/synapse/setup_synapse_main.yml rename to roles/matrix-synapse/tasks/setup_synapse_main.yml index 8466770c..7d86428c 100644 --- a/roles/matrix-server/tasks/setup/synapse/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -57,22 +57,15 @@ dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" mode: 0644 -- name: Ensure Synapse environment variables file created - template: - src: "{{ role_path }}/templates/env/env-synapse.j2" - dest: "{{ matrix_environment_variables_data_path }}/synapse" - owner: root - mode: 0600 - - name: Ensure matrix-synapse.service installed template: - src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2" + src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2" dest: "/etc/systemd/system/matrix-synapse.service" mode: 0644 - name: Ensure matrix-synapse-register-user script created template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2" + src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2" dest: "/usr/local/bin/matrix-synapse-register-user" mode: 0750 diff --git a/roles/matrix-server/tasks/setup/synapse/setup_synapse_pre.yml b/roles/matrix-synapse/tasks/setup_synapse_pre.yml similarity index 100% rename from roles/matrix-server/tasks/setup/synapse/setup_synapse_pre.yml rename to roles/matrix-synapse/tasks/setup_synapse_pre.yml diff --git a/roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 b/roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2 similarity index 100% rename from roles/matrix-server/templates/mautrix-telegram/config.yaml.j2 rename to roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2 diff --git a/roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 similarity index 100% rename from roles/matrix-server/templates/systemd/matrix-mautrix-telegram.service.j2 rename to roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 diff --git a/roles/matrix-server/templates/mautrix-whatsapp/config.yaml.j2 b/roles/matrix-synapse/templates/ext/mautrix-whatsapp/config.yaml.j2 similarity index 100% rename from roles/matrix-server/templates/mautrix-whatsapp/config.yaml.j2 rename to roles/matrix-synapse/templates/ext/mautrix-whatsapp/config.yaml.j2 diff --git a/roles/matrix-server/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-synapse/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2 similarity index 100% rename from roles/matrix-server/templates/systemd/matrix-mautrix-whatsapp.service.j2 rename to roles/matrix-synapse/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2 diff --git a/roles/matrix-server/templates/env/env-goofys.j2 b/roles/matrix-synapse/templates/goofys/env-goofys.j2 similarity index 100% rename from roles/matrix-server/templates/env/env-goofys.j2 rename to roles/matrix-synapse/templates/goofys/env-goofys.j2 diff --git a/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 similarity index 94% rename from roles/matrix-server/templates/systemd/matrix-goofys.service.j2 rename to roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index ea54fb94..c123b2c4 100644 --- a/roles/matrix-server/templates/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -17,7 +17,7 @@ ExecStart=/usr/bin/docker run --rm --name %n \ --cap-add sys_admin \ --device=/dev/fuse \ -v {{ matrix_synapse_media_store_path }}:/s3:shared \ - --env-file={{ matrix_environment_variables_data_path }}/goofys \ + --env-file={{ matrix_synapse_config_dir_path }}/env-goofys \ --entrypoint /bin/sh \ {{ matrix_s3_goofys_docker_image }} \ -c 'goofys -f --storage-class=STANDARD_IA --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' diff --git a/roles/matrix-server/templates/env/env-synapse.j2 b/roles/matrix-synapse/templates/synapse/env-synapse.j2 similarity index 100% rename from roles/matrix-server/templates/env/env-synapse.j2 rename to roles/matrix-synapse/templates/synapse/env-synapse.j2 diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 similarity index 100% rename from roles/matrix-server/templates/synapse/homeserver.yaml.j2 rename to roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 diff --git a/roles/matrix-server/templates/synapse/synapse.log.config.j2 b/roles/matrix-synapse/templates/synapse/synapse.log.config.j2 similarity index 100% rename from roles/matrix-server/templates/synapse/synapse.log.config.j2 rename to roles/matrix-synapse/templates/synapse/synapse.log.config.j2 diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 similarity index 89% rename from roles/matrix-server/templates/systemd/matrix-synapse.service.j2 rename to roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 1e7c7570..7654c7a0 100644 --- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -27,12 +27,13 @@ ExecStartPre=/bin/sleep 5 {% endif %} ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ --log-driver=none \ - --env-file={{ matrix_environment_variables_data_path }}/synapse \ --network={{ matrix_docker_network }} \ + -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml \ + -e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \ {% if matrix_synapse_federation_enabled %} -p 8448:8448 \ {% endif %} - {% if not matrix_nginx_proxy_enabled %} + {% if matrix_synapse_container_expose_client_server_api_port %} -p 127.0.0.1:8008:8008 \ {% endif %} -v {{ matrix_synapse_config_dir_path }}:/data \ diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 similarity index 100% rename from roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2 rename to roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 diff --git a/setup.yml b/setup.yml index d0364f76..a15d6063 100644 --- a/setup.yml +++ b/setup.yml @@ -4,4 +4,13 @@ become: true roles: - - matrix-server + - matrix-base + - matrix-mailer + - matrix-coturn + - matrix-postgres + - matrix-corporal + - matrix-synapse + - matrix-riot-web + - matrix-mxisd + - matrix-nginx-proxy + - matrix-common-after From b80d44afaaa3e4cd79676685b0da60843e9826c3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 12 Jan 2019 18:16:08 +0200 Subject: [PATCH 0287/2384] Stop Postgres before finding files to move over --- .../tasks/migrate_postgres_data_directory.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml index 5a4e0689..22d584a9 100644 --- a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml +++ b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml @@ -23,6 +23,15 @@ We'll stop Postgres and relocate the files there for you. when: "result_pg_old_data_dir_stat.stat.exists" +# We should stop Postgres first, before building a list of files, +# as to ignore any `postmaster.pid` files, etc. +- name: Ensure matrix-postgres is stopped + service: + name: matrix-postgres + state: stopped + daemon_reload: yes + when: "result_pg_old_data_dir_stat.stat.exists" + - name: Find files and directories in old Postgres data path find: paths: "{{ matrix_postgres_base_path }}" @@ -40,13 +49,6 @@ group: "{{ matrix_user_username }}" when: "result_pg_old_data_dir_stat.stat.exists" -- name: Ensure matrix-postgres is stopped - service: - name: matrix-postgres - state: stopped - daemon_reload: yes - when: "result_pg_old_data_dir_stat.stat.exists" - - block: - name: Relocate Postgres data files from old directory to new command: "mv {{ item.path }} {{ matrix_postgres_data_path }}/{{ item.path|basename }}" From 857603d9d77761ea217a2ab5a4645f34a64174cc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Jan 2019 08:26:56 +0200 Subject: [PATCH 0288/2384] Make nginx-proxy files owned by matrix:matrix, not root:root --- roles/matrix-server/tasks/setup/setup_nginx_proxy.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml index 123f9791..1f783a0e 100644 --- a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml +++ b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml @@ -15,8 +15,9 @@ path: "{{ item }}" state: directory mode: 0750 - owner: root - group: root + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + recurse: yes with_items: - "{{ matrix_nginx_proxy_data_path }}" - "{{ matrix_nginx_proxy_confd_path }}" From f8ebd94d08ff63835f826d712c2cc1e24a546ca6 Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Mon, 14 Jan 2019 13:28:37 +0000 Subject: [PATCH 0289/2384] Make the mode of the base path configurable --- roles/matrix-base/defaults/main.yml | 3 ++- roles/matrix-base/tasks/setup_matrix_base.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 03f05488..762bcc5f 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -17,6 +17,7 @@ matrix_user_uid: 991 matrix_user_gid: 991 matrix_base_data_path: "/matrix" +matrix_base_data_path_mode: "750" matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" @@ -34,4 +35,4 @@ run_start: true run_register_user: true run_import_sqlite_db: true run_import_media_store: true -run_self_check: true \ No newline at end of file +run_self_check: true diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 424cd83d..85a05dcf 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -17,7 +17,7 @@ file: path: "{{ item }}" state: directory - mode: 0750 + mode: "{{ matrix_base_data_path_mode }}" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: From cec2aa61c1b5542d058db7c85ff1f9a4476f966f Mon Sep 17 00:00:00 2001 From: Sylvia van Os Date: Wed, 16 Jan 2019 14:03:39 +0100 Subject: [PATCH 0290/2384] Fix scalar widgets Riot-web parses integrations_widgets_urls as a list, thus causing it to incorrectly think Scalar widgets are non-Scalar and not passing the scalar token --- roles/matrix-riot-web/defaults/main.yml | 4 ++-- roles/matrix-riot-web/templates/config.json.j2 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index bd2b42d2..ea5b8095 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -12,7 +12,7 @@ matrix_riot_web_disable_custom_urls: true matrix_riot_web_disable_guests: true matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/" matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api" -matrix_riot_web_integrations_widgets_urls: "https://scalar.vector.im/api" +matrix_riot_web_integrations_widgets_urls: ["https://scalar.vector.im/api"] matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" # Riot public room directory server(s) matrix_riot_web_roomdir_servers: ['matrix.org'] @@ -29,4 +29,4 @@ matrix_riot_web_homepage_template_technical: true # Show building services on Matrix row matrix_riot_web_homepage_template_building: true # Show contributing code to Matrix and Riot row -matrix_riot_web_homepage_template_contributing: true \ No newline at end of file +matrix_riot_web_homepage_template_contributing: true diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 6a979912..6add6512 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -6,7 +6,7 @@ "brand": "Riot", "integrations_ui_url": "{{ matrix_riot_web_integrations_ui_url }}", "integrations_rest_url": "{{ matrix_riot_web_integrations_rest_url }}", - "integrations_widgets_urls": "{{ matrix_riot_web_integrations_widgets_urls }}", + "integrations_widgets_urls": {{ matrix_riot_web_integrations_widgets_urls|to_json }}, "integrations_jitsi_widget_url": "{{ matrix_riot_web_integrations_jitsi_widget_url }}", "bug_report_endpoint_url": "https://riot.im/bugreports/submit", "enableLabs": true, From 294a5c90831e7c6c18625b1bab21e51110dc95ba Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 16 Jan 2019 17:06:58 +0200 Subject: [PATCH 0291/2384] Fix YAML serialization of empty matrix_synapse_federation_domain_whitelist We've previously changed a bunch of lists in `homeserver.yaml.j2` to be serialized using `|to_nice_yaml`, as that generates a more readable list in YAML. `matrix_synapse_federation_domain_whitelist`, however, couldn't have been changed to that, as it can potentially be an empty list. We may be able to differentiate between empty and non-empty now and serialize it accordingly (favoring `|to_nice_yaml` if non-empty), but it's not important enough to be justified. Thus, always serializing with `|to_json`. Fixes #78 (Github issue) --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 8d3b9be2..2ed60cce 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -120,8 +120,8 @@ use_presence: {{ matrix_synapse_use_presence|to_json }} # - nyc.example.com # - syd.example.com {% if matrix_synapse_federation_domain_whitelist is not none %} -federation_domain_whitelist: -{{ matrix_synapse_federation_domain_whitelist|to_nice_yaml }} +{# Cannot use `|to_nice_yaml` here, as an empty list does not get serialized properly by it. #} +federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }} {% endif %} # List of ports that Synapse should listen on, their purpose and their From 515f04e93611c83abe3c5b62fb6513158be22355 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 16 Jan 2019 17:13:58 +0200 Subject: [PATCH 0292/2384] Update CHANGELOG --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d87d314c..62623acc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -# 2019-01-xx +# 2019-01-16 ## Splitting the playbook into multiple roles From c10182e5a6a3c8f307064b7f67b02b092b59669c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 16 Jan 2019 18:05:48 +0200 Subject: [PATCH 0293/2384] Make roles more independent of one another With this change, the following roles are now only dependent on the minimal `matrix-base` role: - `matrix-corporal` - `matrix-coturn` - `matrix-mailer` - `matrix-mxisd` - `matrix-postgres` - `matrix-riot-web` - `matrix-synapse` The `matrix-nginx-proxy` role still does too much and remains dependent on the others. Wiring up the various (now-independent) roles happens via a glue variables file (`group_vars/matrix-servers`). It's triggered for all hosts in the `matrix-servers` group. According to Ansible's rules of priority, we have the following chain of inclusion/overriding now: - role defaults (mostly empty or good for independent usage) - playbook glue variables (`group_vars/matrix-servers`) - inventory host variables (`inventory/host_vars/matrix.`) All roles default to enabling their main component (e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`). Reasoning: if a role is included in a playbook (especially separately, in another playbook), it should "work" by default. Our playbook disables some of those if they are not generally useful (e.g. `matrix_corporal_enabled: false`). --- CHANGELOG.md | 37 +++ README.md | 12 +- .../configuring-playbook-external-postgres.md | 18 +- examples/host-vars.yml | 6 +- group_vars/matrix-servers | 289 ++++++++++++++++++ roles/matrix-base/defaults/main.yml | 3 +- roles/matrix-base/tasks/sanity_check.yml | 10 - roles/matrix-corporal/defaults/main.yml | 29 +- roles/matrix-corporal/tasks/init.yml | 6 - roles/matrix-corporal/tasks/main.yml | 6 + .../matrix-corporal/tasks/setup_corporal.yml | 18 -- .../matrix-corporal/tasks/validate_config.yml | 17 ++ .../matrix-corporal/templates/config.json.j2 | 8 +- .../systemd/matrix-corporal.service.j2 | 8 +- roles/matrix-coturn/defaults/main.yml | 5 + roles/matrix-coturn/tasks/main.yml | 10 +- roles/matrix-coturn/tasks/setup_coturn.yml | 48 ++- roles/matrix-coturn/tasks/validate_config.yml | 9 + .../systemd/matrix-coturn.service.j2 | 6 +- roles/matrix-mailer/defaults/main.yml | 3 - roles/matrix-mailer/tasks/main.yml | 4 +- roles/matrix-mxisd/defaults/main.yml | 50 +-- roles/matrix-mxisd/tasks/main.yml | 6 + roles/matrix-mxisd/tasks/setup_mxisd.yml | 43 --- roles/matrix-mxisd/tasks/validate_config.yml | 47 +++ .../templates/systemd/matrix-mxisd.service.j2 | 15 +- roles/matrix-mxisd/vars/main.yml | 5 + roles/matrix-nginx-proxy/defaults/main.yml | 21 +- .../tasks/setup_nginx_proxy.yml | 40 ++- roles/matrix-nginx-proxy/tasks/ssl/main.yml | 9 - .../tasks/ssl/setup_ssl_lets_encrypt.yml | 2 +- .../tasks/ssl/setup_ssl_manually_managed.yml | 2 +- .../tasks/ssl/setup_ssl_self_signed.yml | 2 +- .../nginx-conf.d/matrix-riot-web.conf.j2 | 8 +- .../nginx-conf.d/matrix-synapse.conf.j2 | 8 +- .../systemd/matrix-nginx-proxy.service.j2 | 21 +- roles/matrix-postgres/defaults/main.yml | 13 +- .../matrix-postgres/tasks/import_postgres.yml | 5 + .../tasks/import_sqlite_db.yml | 5 + roles/matrix-postgres/tasks/init.yml | 2 +- roles/matrix-postgres/tasks/main.yml | 8 +- .../matrix-postgres/tasks/setup_postgres.yml | 24 +- .../tasks/upgrade_postgres.yml | 4 +- .../matrix-postgres/tasks/validate_config.yml | 22 ++ roles/matrix-riot-web/defaults/main.yml | 11 +- roles/matrix-riot-web/tasks/main.yml | 6 + .../matrix-riot-web/tasks/validate_config.yml | 9 + .../matrix-riot-web/templates/config.json.j2 | 14 +- .../systemd/matrix-riot-web.service.j2 | 10 +- roles/matrix-synapse/defaults/main.yml | 40 ++- roles/matrix-synapse/tasks/main.yml | 6 + .../tasks/self_check_client_api.yml | 13 +- .../tasks/self_check_federation_api.yml | 13 +- .../matrix-synapse/tasks/validate_config.yml | 9 + .../templates/synapse/homeserver.yaml.j2 | 24 +- .../synapse/systemd/matrix-synapse.service.j2 | 21 +- roles/matrix-synapse/vars/main.yml | 6 + 57 files changed, 807 insertions(+), 289 deletions(-) create mode 100644 group_vars/matrix-servers create mode 100644 roles/matrix-corporal/tasks/validate_config.yml create mode 100644 roles/matrix-coturn/tasks/validate_config.yml create mode 100644 roles/matrix-mxisd/tasks/validate_config.yml create mode 100644 roles/matrix-mxisd/vars/main.yml create mode 100644 roles/matrix-postgres/tasks/validate_config.yml create mode 100644 roles/matrix-riot-web/tasks/validate_config.yml create mode 100644 roles/matrix-synapse/tasks/validate_config.yml create mode 100644 roles/matrix-synapse/vars/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 62623acc..5021978d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,40 @@ +# 2019-01-xx + +## (BC Break) Making the playbook's roles more independent of one another + +The following change **affects people running a more non-standard setup** - external Postgres or using our roles in their own other playbook. +**Most users don't need to do anything**, besides becoming aware of the new glue variables file [`group_vars/matrix-servers`](group_vars/matrix-servers). + +Because people like using the playbook's components independently (outside of this playbook) and because it's much better for maintainability, we've continued working on separating them. +Still, we'd like to offer a turnkey solution for running a fully-featured Matrix server, so this playbook remains important for wiring up the various components. + +With the new changes, the following roles are now only dependent on the minimal `matrix-base` role: +- `matrix-corporal` +- `matrix-coturn` +- `matrix-mailer` +- `matrix-mxisd` +- `matrix-postgres` +- `matrix-riot-web` +- `matrix-synapse` + +The `matrix-nginx-proxy` role still does too much and remains dependent on the others. + +In addition, the following components can be completely disabled now (for those who want/need to): +- `matrix-coturn` +- `matrix-mailer` +- `matrix-postgres` + +The following changes had to be done: + +- glue variables had to be introduced to the playbook, so it can wire together the various components. Those glue vars are stored in the [`group_vars/matrix-servers`](group_vars/matrix-servers) file. When overriding variables for a given component (role), you need to be aware of both the role defaults (`role/ROLE/defaults/main.yml`) and the role's corresponding section in the [`group_vars/matrix-servers`](group_vars/matrix-servers) file. + +- `matrix_postgres_use_external` has been superceeded by the more consistently named `matrix_postgres_enabled` variable and a few other `matrix_synapse_database_` variables. See the [Using an external PostgreSQL server (optional)](docs/configuring-playbook-external-postgres.md) documentation page for an up-to-date replacement. + +- Postgres tools (`matrix-postgres-cli` and `matrix-make-user-admin`) are no longer installed if you're using an external Postgres server (`matrix_postgres_enabled: false`) + +- roles, being more independent now, are more minimal and do not do so much magic for you. People that are building their own playbook using our roles will definitely need to take a look at the [`group_vars/matrix-servers`](group_vars/matrix-servers) file and adapt their playbooks with the same (or similar) wiring logic. + + # 2019-01-16 ## Splitting the playbook into multiple roles diff --git a/README.md b/README.md index c1fff127..2b18df77 100644 --- a/README.md +++ b/README.md @@ -8,17 +8,17 @@ That is, it lets you join the Matrix network with your own `@:`. +# when retrieving the SSL certificates for domains. # # In case SSL renewal fails at some point, you'll also get # an email notification there. @@ -11,7 +11,7 @@ # Example value: someone@example.com host_specific_matrix_ssl_lets_encrypt_support_email: YOUR_EMAIL_ADDRESS_HERE -# This is your bare domain name (``). # # Note: the server specified here is not touched. # @@ -22,7 +22,7 @@ host_specific_matrix_ssl_lets_encrypt_support_email: YOUR_EMAIL_ADDRESS_HERE # Example value: example.com host_specific_hostname_identity: YOUR_BARE_DOMAIN_NAME_HERE -# A shared secret (between Synapse and Coturn) used for authentication. +# A shared secret (between Coturn and Synapse) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_coturn_turn_static_auth_secret: "" diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers new file mode 100644 index 00000000..da2ca830 --- /dev/null +++ b/group_vars/matrix-servers @@ -0,0 +1,289 @@ +--- + +# This variables file wires together the various components (roles) used by the playbook. +# +# Roles used by playbook are pretty minimal and kept independent of one another as much as possible. +# To deliver a turnkey fully-featured Matrix server, this playbook needs +# to connect them all together. It does so by overriding role variables. +# +# You can also override ANY variable (seen here or in any given role), +# by re-defining it in your own configuration file (`inventory/host_vars/matrix.`). + + +###################################################################### +# +# matrix-base +# +###################################################################### + +matrix_identity_server_url: "{{ 'https://' + matrix_synapse_trusted_third_party_id_servers[0] if matrix_synapse_trusted_third_party_id_servers|length > 0 else None }}" + + +###################################################################### +# +# /matrix-base +# +###################################################################### + + + +###################################################################### +# +# matrix-corporal +# +###################################################################### + +matrix_corporal_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`). +matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}" + +matrix_corporal_systemd_required_services_list: | + {{ + (['docker.service']) + + + (['matrix-synapse.service']) + }} + +matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008" + +matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" + +matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}" + +###################################################################### +# +# /matrix-corporal +# +###################################################################### + + + +###################################################################### +# +# matrix-coturn +# +###################################################################### + +matrix_coturn_enabled: true + +###################################################################### +# +# /matrix-coturn +# +###################################################################### + + + +###################################################################### +# +# matrix-mailer +# +###################################################################### + +# By default, this playbook sets up a postfix mailer server (running in a container). +# This is so that Synapse can send email reminders for unread messages. +# Other services (like mxisd), also use the mailer. +matrix_mailer_enabled: true + +###################################################################### +# +# /matrix-mailer +# +###################################################################### + + + +###################################################################### +# +# matrix-mxisd +# +###################################################################### + +# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`). +# If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. +matrix_mxisd_enabled: true + +# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# mxisd's web-server port to the local host (`127.0.0.1:8090`). +matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" + +# We enable Synapse integration via its Postgres database by default. +# When using another Identity store, you might wish to disable this and define +# your own configuration in `matrix_mxisd_configuration_extension_yaml`. +matrix_mxisd_synapsesql_enabled: true +matrix_mxisd_synapsesql_type: postgresql +matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password }} + +# By default, we send mail through the `matrix-mailer` service. +matrix_mxid_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" +matrix_mxid_threepid_medium_email_connectors_smtp_host: "matrix-mailer" +matrix_mxid_threepid_medium_email_connectors_smtp_port: 587 +matrix_mxid_threepid_medium_email_connectors_smtp_tls: 0 + +matrix_mxisd_systemd_wanted_services_list: | + {{ + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-mailer.service'] if matrix_mailer_enabled else []) + }} + +###################################################################### +# +# /matrix-mxisd +# +###################################################################### + + + +###################################################################### +# +# matrix-nginx-proxy +# +###################################################################### + +# By default, this playbook sets up a reverse-proxy nginx proxy server on port 80/443. +# This is fine if you're dedicating the whole server to Matrix. +# If that's not the case, you may wish to disable this and take care of proxying yourself. +matrix_nginx_proxy_enabled: true +matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" +matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "{{ 'localhost:41080' if matrix_corporal_enabled else 'localhost:8008' }}" + +matrix_nginx_proxy_proxy_matrix_enabled: true +matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}" + +matrix_nginx_proxy_systemd_wanted_services_list: | + {{ + (['matrix-synapse.service']) + + + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + + + (['matrix-mxisd.service'] if matrix_mxisd_enabled else []) + + + (['matrix-riot-web.service'] if matrix_riot_web_enabled else []) + }} + +matrix_ssl_domains_to_obtain_certificates_for: | + {{ + ([hostname_matrix]) + + + ([hostname_riot] if matrix_riot_web_enabled else []) + }} + +###################################################################### +# +# /matrix-nginx-proxy +# +###################################################################### + + + +###################################################################### +# +# matrix-postgres +# +###################################################################### + +matrix_postgres_enabled: true + +matrix_postgres_connection_hostname: "matrix-postgres" +matrix_postgres_connection_username: "synapse" +matrix_postgres_connection_password: "synapse-password" +matrix_postgres_db_name: "homeserver" + +###################################################################### +# +# /matrix-postgres +# +###################################################################### + + + +###################################################################### +# +# matrix-riot-web +# +###################################################################### + +# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain. +# If you wish to connect to your Matrix server by other means, you may wish to disable this. +matrix_riot_web_enabled: true + +# Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the riot-web HTTP port to the local host (`127.0.0.1:80`). +matrix_riot_web_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" + +matrix_riot_web_default_hs_url: "{{ matrix_homeserver_url }}" +matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}" + +###################################################################### +# +# /matrix-riot-web +# +###################################################################### + + + +###################################################################### +# +# matrix-synapse +# +###################################################################### + +# When mxisd is enabled, we can use it instead of the default public Identity servers. +matrix_synapse_trusted_third_party_id_servers: "{{ [hostname_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the Client/Server API's port to the local host (`127.0.0.1:8008`). +matrix_synapse_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" + +matrix_synapse_database_host: "{{ matrix_postgres_connection_hostname }}" +matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}" +matrix_synapse_database_password: "{{ matrix_postgres_connection_password }}" +matrix_synapse_database_database: "{{ matrix_postgres_db_name }}" + +matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" +matrix_synapse_email_smtp_host: "matrix-mailer" +matrix_synapse_email_smtp_port: 587 +matrix_synapse_email_smtp_require_transport_security: false +matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>" +matrix_synapse_email_riot_base_url: "https://{{ hostname_riot }}" + +matrix_synapse_turn_uris: | + {{ + [ + 'turn:' + hostname_matrix + ':3478?transport=udp', + 'turn:' + hostname_matrix + ':3478?transport=tcp', + ] + if matrix_coturn_enabled + else [] + }} + +matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" + +matrix_synapse_systemd_required_services_list: | + {{ + (['docker.service']) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-goofys'] if matrix_s3_media_store_enabled else []) + }} + +matrix_synapse_systemd_wanted_services_list: | + {{ + (['matrix-coturn.service'] if matrix_coturn_enabled else []) + + + (['matrix-mailer.service'] if matrix_mailer_enabled else []) + }} + +###################################################################### +# +# /matrix-synapse +# +###################################################################### \ No newline at end of file diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 762bcc5f..3f3d7f06 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -22,7 +22,8 @@ matrix_base_data_path_mode: "750" matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" matrix_homeserver_url: "https://{{ hostname_matrix }}" -matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}" + +matrix_identity_server_url: ~ # The Docker network that all services would be put into matrix_docker_network: "matrix" diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 4d967912..592afe2e 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -15,16 +15,6 @@ msg: "{{ matrix_ansible_outdated_fail_msg }}" when: "ansible_version.major == 2 and ansible_version.minor == 5 and ansible_version.revision < 2" -- name: Fail if Macaroon key is missing - fail: - msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable" - when: "matrix_synapse_macaroon_secret_key == ''" - -- name: Fail if Coturn Auth secret is missing - fail: - msg: "You need to set a secret in the matrix_coturn_turn_static_auth_secret variable" - when: "matrix_coturn_turn_static_auth_secret == ''" - # This sanity check is only used to detect uppercase when people override these specific variables. # # If people set `host_specific_hostname_identity` without overriding other variables (the general use-case), diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 264c98dd..dd77e921 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -1,12 +1,13 @@ -# Enable this to add support for matrix-corporal. +# matrix-corporal is a reconciliator and gateway for a managed Matrix server. # See: https://github.com/devture/matrix-corporal -matrix_corporal_enabled: false -# Controls whether the matrix-corporal web server's ports are exposed outside of the container. -# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`). -matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}" +matrix_corporal_enabled: true + +# Controls whether the matrix-corporal web server's ports (`41080` and `41081`) are exposed outside of the container. +matrix_corporal_container_expose_ports: false + +# List of systemd services that matrix-corporal.service depends on +matrix_corporal_systemd_required_services_list: ['docker.service'] matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" @@ -14,6 +15,20 @@ matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var" +matrix_corporal_matrix_homeserver_domain_name: "{{ hostname_identity }}" + +# Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse:8008"). +# If Synapse runs on the same machine, you may need to add its service to `matrix_corporal_systemd_required_services_list`. +matrix_corporal_matrix_homeserver_api_endpoint: "" + +# The shared secret between matrix-corporal and Synapse's shared-secret-auth password provider module. +# To use matrix-corporal, the shared-secret-auth password provider needs to be enabled and the secret needs to be identical. +matrix_corporal_matrix_auth_shared_secret: "" + +# The shared secret for registering users with Synapse. +# Needs to be identical to Synapse's `registration_shared_secret` setting. +matrix_corporal_matrix_registration_shared_secret: "" + matrix_corporal_matrix_timeout_milliseconds: 45000 matrix_corporal_reconciliation_retry_interval_milliseconds: 30000 diff --git a/roles/matrix-corporal/tasks/init.yml b/roles/matrix-corporal/tasks/init.yml index 4c63a447..e0d89edf 100644 --- a/roles/matrix-corporal/tasks/init.yml +++ b/roles/matrix-corporal/tasks/init.yml @@ -1,9 +1,3 @@ -- name: Override configuration specifying where the Matrix Client API is - set_fact: - matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080" - matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080" - when: "matrix_corporal_enabled" - - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}" when: "matrix_corporal_enabled" \ No newline at end of file diff --git a/roles/matrix-corporal/tasks/main.yml b/roles/matrix-corporal/tasks/main.yml index ddb49ee4..c4d109b8 100644 --- a/roles/matrix-corporal/tasks/main.yml +++ b/roles/matrix-corporal/tasks/main.yml @@ -2,6 +2,12 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup and matrix_corporal_enabled" + tags: + - setup-all + - setup-corporal + - import_tasks: "{{ role_path }}/tasks/setup_corporal.yml" when: run_setup tags: diff --git a/roles/matrix-corporal/tasks/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml index 42b5ae02..aba53c3f 100644 --- a/roles/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -4,24 +4,6 @@ # Tasks related to setting up matrix-corporal # -- name: Fail if Shared Secret Auth extension not enabled - fail: - msg: "To use matrix-corporal, you need to enable the Shared Secret Auth module for Synapse (see matrix_synapse_ext_password_provider_shared_secret_auth_enabled)" - when: "matrix_corporal_enabled and not matrix_synapse_ext_password_provider_shared_secret_auth_enabled" - -- name: Fail if HTTP API enabled, but no token set - fail: - msg: "The Matrix Corporal HTTP API is enabled, but no auth token has been set in matrix_corporal_http_api_auth_token" - when: "matrix_corporal_enabled and matrix_corporal_http_api_enabled and matrix_corporal_http_api_auth_token == ''" - -- name: Fail if policy provider configuration not set - fail: - msg: "The Matrix Corporal policy provider configuration has not been set in matrix_corporal_policy_provider_config" - when: "matrix_corporal_enabled and matrix_corporal_policy_provider_config == ''" - -# There are some additional initialization tasks in setup_corporal_overrides.yml, -# which need to always run, no matter what tag the playbook is running with. - - name: Ensure Matrix Corporal paths exist file: path: "{{ item }}" diff --git a/roles/matrix-corporal/tasks/validate_config.yml b/roles/matrix-corporal/tasks/validate_config.yml new file mode 100644 index 00000000..db84f9d9 --- /dev/null +++ b/roles/matrix-corporal/tasks/validate_config.yml @@ -0,0 +1,17 @@ +--- + +- name: Fail if required matrix-corporal settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) for using matrix-corporal. + when: "vars[item] == ''" + with_items: + - "matrix_corporal_matrix_homeserver_api_endpoint" + - "matrix_corporal_matrix_auth_shared_secret" + - "matrix_corporal_matrix_registration_shared_secret" + - "matrix_corporal_policy_provider_config" + +- name: Fail if HTTP API enabled, but no token set + fail: + msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`" + when: "matrix_corporal_http_api_enabled and matrix_corporal_http_api_auth_token == ''" diff --git a/roles/matrix-corporal/templates/config.json.j2 b/roles/matrix-corporal/templates/config.json.j2 index 70fb3683..5835cced 100644 --- a/roles/matrix-corporal/templates/config.json.j2 +++ b/roles/matrix-corporal/templates/config.json.j2 @@ -1,9 +1,9 @@ { "Matrix": { - "HomeserverDomainName": "{{ hostname_identity }}", - "HomeserverApiEndpoint": "http://matrix-synapse:8008", - "AuthSharedSecret": "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}", - "RegistrationSharedSecret": "{{ matrix_synapse_registration_shared_secret }}", + "HomeserverDomainName": "{{ matrix_corporal_matrix_homeserver_domain_name }}", + "HomeserverApiEndpoint": "{{ matrix_corporal_matrix_homeserver_api_endpoint }}", + "AuthSharedSecret": "{{ matrix_corporal_matrix_auth_shared_secret }}", + "RegistrationSharedSecret": "{{ matrix_corporal_matrix_registration_shared_secret }}", "TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }} }, diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index 7ac5f13a..eb11890d 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -1,9 +1,9 @@ [Unit] Description=Matrix Corporal -After=docker.service -Requires=docker.service -Requires=matrix-synapse.service -After=matrix-synapse.service +{% for service in matrix_corporal_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} [Service] Type=simple diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index d3e48ef1..32883c02 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -1,8 +1,13 @@ +matrix_coturn_enabled: true + matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8" matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" +# List of systemd services that matrix-coturn.service depends on +matrix_coturn_systemd_required_services_list: ['docker.service'] + # A shared secret (between Synapse and Coturn) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_coturn_turn_static_auth_secret: "" diff --git a/roles/matrix-coturn/tasks/main.yml b/roles/matrix-coturn/tasks/main.yml index 8d90138d..e12aeca3 100644 --- a/roles/matrix-coturn/tasks/main.yml +++ b/roles/matrix-coturn/tasks/main.yml @@ -2,8 +2,14 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup and matrix_coturn_enabled" + tags: + - setup-all + - setup-coturn + - import_tasks: "{{ role_path }}/tasks/setup_coturn.yml" when: run_setup tags: - - setup-coturn - - setup-all \ No newline at end of file + - setup-all + - setup-coturn \ No newline at end of file diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index e11326fc..fbbabaa6 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -1,13 +1,13 @@ --- -- name: Fail if Coturn secret is missing - fail: - msg: "You need to set a secret in the matrix_coturn_turn_static_auth_secret variable" - when: "matrix_coturn_turn_static_auth_secret == ''" +# +# Tasks related to setting up Coturn +# - name: Ensure Coturn image is pulled docker_image: name: "{{ matrix_coturn_docker_image }}" + when: matrix_coturn_enabled - name: Ensure Coturn configuration path exists file: @@ -16,18 +16,21 @@ mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" + when: matrix_coturn_enabled - name: Ensure turnserver.conf installed template: src: "{{ role_path }}/templates/turnserver.conf.j2" dest: "{{ matrix_coturn_config_path }}" mode: 0644 + when: matrix_coturn_enabled - name: Ensure matrix-coturn.service installed template: src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2" dest: "/etc/systemd/system/matrix-coturn.service" mode: 0644 + when: matrix_coturn_enabled - name: Allow access to Coturn ports in firewalld firewalld: @@ -39,4 +42,39 @@ - '3478/tcp' # STUN - '3478/udp' # STUN - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN - when: ansible_os_family == 'RedHat' + when: "matrix_coturn_enabled and ansible_os_family == 'RedHat'" + +# +# Tasks related to getting rid of Coturn (if it was previously enabled) +# + +- name: Check existence of matrix-coturn service + stat: + path: "/etc/systemd/system/matrix-coturn.service" + register: matrix_coturn_service_stat + +- name: Ensure matrix-coturn is stopped + service: + name: matrix-coturn + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_coturn_enabled and matrix_coturn_service_stat.stat.exists" + +- name: Ensure matrix-coturn.service doesn't exist + file: + path: "/etc/systemd/system/matrix-coturn.service" + state: absent + when: "not matrix_coturn_enabled and matrix_coturn_service_stat.stat.exists" + +- name: Ensure Matrix coturn paths don't exist + file: + path: "{{ matrix_coturn_base_path }}" + state: absent + when: "not matrix_coturn_enabled" + +- name: Ensure coturn Docker image doesn't exist + docker_image: + name: "{{ matrix_coturn_docker_image }}" + state: absent + when: "not matrix_coturn_enabled" \ No newline at end of file diff --git a/roles/matrix-coturn/tasks/validate_config.yml b/roles/matrix-coturn/tasks/validate_config.yml new file mode 100644 index 00000000..c62b56d3 --- /dev/null +++ b/roles/matrix-coturn/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required Coturn settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) for using Coturn. + when: "vars[item] == ''" + with_items: + - "matrix_coturn_turn_static_auth_secret" \ No newline at end of file diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 3387f772..69bd5eb8 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -1,7 +1,9 @@ [Unit] Description=Matrix Coturn server -After=docker.service -Requires=docker.service +{% for service in matrix_coturn_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} [Service] Type=simple diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index fe303f1b..a820f087 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -1,6 +1,3 @@ -# By default, this playbook sets up a postfix mailer server (running in a container). -# This is so that Matrix Synapse can send email reminders for unread messages. -# Other services (like mxisd), however, also use that mailer to send emails through it. matrix_mailer_enabled: true matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer" diff --git a/roles/matrix-mailer/tasks/main.yml b/roles/matrix-mailer/tasks/main.yml index 8019bf3d..d2f574ad 100644 --- a/roles/matrix-mailer/tasks/main.yml +++ b/roles/matrix-mailer/tasks/main.yml @@ -5,5 +5,5 @@ - import_tasks: "{{ role_path }}/tasks/setup_mailer.yml" when: run_setup tags: - - setup-mailer - - setup-all \ No newline at end of file + - setup-all + - setup-mailer \ No newline at end of file diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index 6dbae4a5..6fc37ba3 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -1,17 +1,18 @@ -# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`). -# If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own, -# you may wish to disable this. matrix_mxisd_enabled: true + matrix_mxisd_docker_image: "kamax/mxisd:1.2.2" matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" -# Controls whether the mxisd web server's port is exposed outside of the container. -# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# mxisd's web-server port to the local host (`127.0.0.1:8090`). -matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" +# Controls whether the mxisd web server's port (`8090`) is exposed outside of the container. +matrix_mxisd_container_expose_port: false + +# List of systemd services that matrix-mxisd.service depends on +matrix_mxisd_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mxisd.service wants +matrix_mxisd_systemd_wanted_services_list: [] # Your identity server is private by default. # To ensure maximum discovery, you can make your identity server @@ -21,14 +22,19 @@ matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" matrix_mxisd_matrixorg_forwarding_enabled: false # mxisd has serveral supported identity stores. -# One of them (which we enable by default) is storing identities directly in Synapse's database. +# One of them is storing identities directly in Synapse's database. # Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md -# -# If you need to disable this in favor of some other store, you can toggle it to disabled here -# and add your own mxisd configuration for the other store in `matrix_mxisd_configuration_extension_yaml`. -matrix_mxisd_synapsesql_enabled: true -matrix_mxisd_synapsesql_type: postgresql -matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }} +matrix_mxisd_synapsesql_enabled: false +matrix_mxisd_synapsesql_type: "" +matrix_mxisd_synapsesql_connection: "" + +# Setting up email-sending settings is required for using mxisd. +matrix_mxid_threepid_medium_email_identity_from: "matrix@{{ hostname_identity }}" +matrix_mxid_threepid_medium_email_connectors_smtp_host: "" +matrix_mxid_threepid_medium_email_connectors_smtp_port: 587 +matrix_mxid_threepid_medium_email_connectors_smtp_tls: 1 +matrix_mxid_threepid_medium_email_connectors_smtp_login: "" +matrix_mxid_threepid_medium_email_connectors_smtp_password: "" # Default mxisd configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. @@ -59,12 +65,14 @@ matrix_mxisd_configuration_yaml: | medium: email: identity: - from: {{ matrix_mailer_sender_address }} + from: {{ matrix_mxid_threepid_medium_email_identity_from }} connectors: smtp: - host: matrix-mailer - port: 587 - tls: 0 + host: {{ matrix_mxid_threepid_medium_email_connectors_smtp_host }} + port: {{ matrix_mxid_threepid_medium_email_connectors_smtp_port }} + tls: {{ matrix_mxid_threepid_medium_email_connectors_smtp_tls }} + login: {{ matrix_mxid_threepid_medium_email_connectors_smtp_login }} + password: {{ matrix_mxid_threepid_medium_email_connectors_smtp_password }} synapseSql: enabled: {{ matrix_mxisd_synapsesql_enabled }} @@ -92,10 +100,6 @@ matrix_mxisd_configuration_extension_yaml: | # bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org # bindPassword: TheUserPassword -# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). -# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later. -matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}" - # Holds the final mxisd configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`. matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}" \ No newline at end of file diff --git a/roles/matrix-mxisd/tasks/main.yml b/roles/matrix-mxisd/tasks/main.yml index 8f22426a..43dba179 100644 --- a/roles/matrix-mxisd/tasks/main.yml +++ b/roles/matrix-mxisd/tasks/main.yml @@ -2,6 +2,12 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup and matrix_mxisd_enabled" + tags: + - setup-all + - setup-mxisd + - import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml" tags: - setup-all diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml index 92514f22..8d81e47c 100644 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ b/roles/matrix-mxisd/tasks/setup_mxisd.yml @@ -4,49 +4,6 @@ # Tasks related to setting up mxisd # -- name: (Deprecation) Warn about mxisd variables that are not used anymore - fail: - msg: > - The `{{ item }}` variable defined in your configuration is not used by this playbook anymore! - You'll need to adapt to the new way of extending mxisd configuration. - See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples. - when: "matrix_mxisd_enabled and item in vars" - with_items: - - 'matrix_mxisd_ldap_enabled' - - 'matrix_mxisd_ldap_connection_host' - - 'matrix_mxisd_ldap_connection_tls' - - 'matrix_mxisd_ldap_connection_port' - - 'matrix_mxisd_ldap_connection_baseDn' - - 'matrix_mxisd_ldap_connection_baseDns' - - 'matrix_mxisd_ldap_connection_bindDn' - - 'matrix_mxisd_ldap_connection_bindPassword' - - 'matrix_mxisd_ldap_filter' - - 'matrix_mxisd_ldap_attribute_uid_type' - - 'matrix_mxisd_ldap_attribute_uid_value' - - 'matrix_mxisd_ldap_connection_bindPassword' - - 'matrix_mxisd_ldap_attribute_name' - - 'matrix_mxisd_ldap_attribute_threepid_email' - - 'matrix_mxisd_ldap_attribute_threepid_msisdn' - - 'matrix_mxisd_ldap_identity_filter' - - 'matrix_mxisd_ldap_identity_medium' - - 'matrix_mxisd_ldap_auth_filter' - - 'matrix_mxisd_ldap_directory_filter' - - 'matrix_mxisd_template_config' - -- name: Ensure mxisd configuration does not contain any dot-notation keys - fail: - msg: > - Since version 1.3.0, mxisd will not accept property-style configuration keys. - You have defined a key (`{{ item.key }}`) which contains a dot. - Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130 - when: "matrix_mxisd_enabled and '.' in item.key" - with_dict: "{{ matrix_mxisd_configuration }}" - -- name: Fail if mailer is not enabled - fail: - msg: "You need to enable the mailer service (`matrix_mailer_enabled`) to install mxisd" - when: "matrix_mxisd_enabled and not matrix_mailer_enabled" - - name: Ensure mxisd paths exist file: path: "{{ item }}" diff --git a/roles/matrix-mxisd/tasks/validate_config.yml b/roles/matrix-mxisd/tasks/validate_config.yml new file mode 100644 index 00000000..a9bc038a --- /dev/null +++ b/roles/matrix-mxisd/tasks/validate_config.yml @@ -0,0 +1,47 @@ +--- + +- name: (Deprecation) Warn about mxisd variables that are not used anymore + fail: + msg: > + The `{{ item }}` variable defined in your configuration is not used by this playbook anymore! + You'll need to adapt to the new way of extending mxisd configuration. + See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples. + when: "item in vars" + with_items: + - 'matrix_mxisd_ldap_enabled' + - 'matrix_mxisd_ldap_connection_host' + - 'matrix_mxisd_ldap_connection_tls' + - 'matrix_mxisd_ldap_connection_port' + - 'matrix_mxisd_ldap_connection_baseDn' + - 'matrix_mxisd_ldap_connection_baseDns' + - 'matrix_mxisd_ldap_connection_bindDn' + - 'matrix_mxisd_ldap_connection_bindPassword' + - 'matrix_mxisd_ldap_filter' + - 'matrix_mxisd_ldap_attribute_uid_type' + - 'matrix_mxisd_ldap_attribute_uid_value' + - 'matrix_mxisd_ldap_connection_bindPassword' + - 'matrix_mxisd_ldap_attribute_name' + - 'matrix_mxisd_ldap_attribute_threepid_email' + - 'matrix_mxisd_ldap_attribute_threepid_msisdn' + - 'matrix_mxisd_ldap_identity_filter' + - 'matrix_mxisd_ldap_identity_medium' + - 'matrix_mxisd_ldap_auth_filter' + - 'matrix_mxisd_ldap_directory_filter' + - 'matrix_mxisd_template_config' + +- name: Ensure mxisd configuration does not contain any dot-notation keys + fail: + msg: > + Since version 1.3.0, mxisd will not accept property-style configuration keys. + You have defined a key (`{{ item.key }}`) which contains a dot. + Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130 + when: "'.' in item.key" + with_dict: "{{ matrix_mxisd_configuration }}" + +- name: Fail if required mxisd settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) for using mxisd. + when: "vars[item] == ''" + with_items: + - "matrix_mxid_threepid_medium_email_connectors_smtp_host" \ No newline at end of file diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 index 895cf4f4..978a85c1 100644 --- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 +++ b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 @@ -1,11 +1,12 @@ [Unit] -Description=Matrix mxisd identity server -After=docker.service -Requires=docker.service -{% if not matrix_postgres_use_external %} -Requires=matrix-postgres.service -After=matrix-postgres.service -{% endif %} +Description=Matrix mxisd Identity server +{% for service in matrix_mxisd_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mxisd_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} [Service] Type=simple diff --git a/roles/matrix-mxisd/vars/main.yml b/roles/matrix-mxisd/vars/main.yml new file mode 100644 index 00000000..f5fbf9ad --- /dev/null +++ b/roles/matrix-mxisd/vars/main.yml @@ -0,0 +1,5 @@ +--- + +# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). +# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later. +matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 0562ca56..8003772f 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,7 +1,3 @@ -# By default, this playbook sets up its own nginx proxy server on port 80/443. -# This is fine if you're dedicating the whole server to Matrix. -# But in case that's not the case, you may wish to prevent that -# and take care of proxying by yourself. matrix_nginx_proxy_enabled: true matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine" @@ -9,6 +5,20 @@ matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" +# List of systemd services that matrix-nginx-proxy.service depends on +matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-nginx-proxy.service wants +matrix_nginx_proxy_systemd_wanted_services_list: [] + +# Controls whether proxying the riot domain should be done. +matrix_nginx_proxy_proxy_riot_enabled: false +matrix_nginx_proxy_proxy_riot_hostname: "{{ hostname_riot }}" + +# Controls whether proxying the matrix domain should be done. +matrix_nginx_proxy_proxy_matrix_enabled: false +matrix_nginx_proxy_proxy_matrix_hostname: "{{ hostname_matrix }}" + # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008" @@ -39,6 +49,9 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" # where refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`). matrix_ssl_retrieval_method: "lets-encrypt" +# The list of domains that this role will obtain certificates for. +matrix_ssl_domains_to_obtain_certificates_for: [] + # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0" diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 1f783a0e..59c3fe15 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -17,21 +17,30 @@ mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" - recurse: yes with_items: - "{{ matrix_nginx_proxy_data_path }}" - "{{ matrix_nginx_proxy_confd_path }}" -- name: Ensure Matrix nginx-proxy configured +- name: Ensure Matrix nginx-proxy configured (generic) template: - src: "{{ role_path }}/templates/nginx-conf.d/{{ item }}.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/{{ item }}" + src: "{{ role_path }}/templates/nginx-conf.d/nginx-http.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf" mode: 0644 - with_items: - - "nginx-http.conf" - - "matrix-synapse.conf" - - "matrix-riot-web.conf" + when: "matrix_nginx_proxy_enabled" +- name: Ensure Matrix nginx-proxy configuration for matrix domain exists + template: + src: "{{ role_path }}/templates/nginx-conf.d/matrix-synapse.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf" + mode: 0644 + when: "matrix_nginx_proxy_proxy_matrix_enabled" + +- name: Ensure Matrix nginx-proxy configuration for riot domain exists + template: + src: "{{ role_path }}/templates/nginx-conf.d/matrix-riot-web.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf" + mode: 0644 + when: "matrix_nginx_proxy_proxy_riot_enabled" # # Tasks related to setting up matrix-nginx-proxy @@ -50,7 +59,7 @@ with_items: - "http" - "https" - when: "ansible_os_family == 'RedHat' and matrix_nginx_proxy_enabled" + when: "matrix_nginx_proxy_enabled and ansible_os_family == 'RedHat'" - name: Ensure matrix-nginx-proxy.service installed template: @@ -82,3 +91,16 @@ path: "/etc/systemd/system/matrix-nginx-proxy.service" state: absent when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists" + +- name: Ensure Matrix nginx-proxy configuration for matrix domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_matrix_enabled" + +- name: Ensure Matrix nginx-proxy configuration for riot domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_riot_enabled" + diff --git a/roles/matrix-nginx-proxy/tasks/ssl/main.yml b/roles/matrix-nginx-proxy/tasks/ssl/main.yml index 7e269eb6..c78b4f35 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/main.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/main.yml @@ -8,15 +8,6 @@ # Common tasks, required by any method below. -- name: Determine domains that we require certificates for (Matrix) - set_fact: - domains_requiring_certificates: "['{{ hostname_matrix }}']" - -- name: Determine domains that we require certificates for (Riot) - set_fact: - domains_requiring_certificates: "{{ domains_requiring_certificates + [hostname_riot] }}" - when: "matrix_riot_web_enabled" - - name: Ensure SSL certificate paths exists file: path: "{{ item }}" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index a798881e..583ce29c 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -39,7 +39,7 @@ - name: Obtain Let's Encrypt certificates include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" - with_items: "{{ domains_requiring_certificates }}" + with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" loop_control: loop_var: domain_name when: "matrix_ssl_retrieval_method == 'lets-encrypt'" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml index 27937c43..ea39f5e9 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml @@ -2,7 +2,7 @@ - name: Verify certificates include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml" - with_items: "{{ domains_requiring_certificates }}" + with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" loop_control: loop_var: domain_name when: "matrix_ssl_retrieval_method == 'manually-managed'" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml index e67340e6..437c8f68 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml @@ -18,7 +18,7 @@ - name: Generate self-signed certificates include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml" - with_items: "{{ domains_requiring_certificates }}" + with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" loop_control: loop_var: domain_name when: "matrix_ssl_retrieval_method == 'self-signed'" diff --git a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 index c3eea7b3..87ccc532 100644 --- a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -1,6 +1,6 @@ server { listen 80; - server_name {{ hostname_riot }}; + server_name {{ matrix_nginx_proxy_proxy_riot_hostname }}; server_tokens off; @@ -25,7 +25,7 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name {{ hostname_riot }}; + server_name {{ matrix_nginx_proxy_proxy_riot_hostname }}; server_tokens off; root /dev/null; @@ -33,8 +33,8 @@ server { gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/privkey.pem; + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; diff --git a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 index 76673ef4..06a120cf 100644 --- a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -1,6 +1,6 @@ server { listen 80; - server_name {{ hostname_matrix }}; + server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; server_tokens off; @@ -25,7 +25,7 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name {{ hostname_matrix }}; + server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; server_tokens off; root /dev/null; @@ -33,8 +33,8 @@ server { gzip on; gzip_types text/plain application/json; - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/privkey.pem; + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 4e06d19d..62700157 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -1,17 +1,12 @@ [Unit] -Description=Matrix nginx proxy server -After=docker.service -Requires=docker.service -Wants=matrix-synapse.service -{% if matrix_corporal_enabled %} -Wants=matrix-corporal.service -{% endif %} -{% if matrix_riot_web_enabled %} -Wants=matrix-riot-web.service -{% endif %} -{% if matrix_mxisd_enabled %} -Wants=matrix-mxisd.service -{% endif %} +Description=Matrix nginx-proxy server +{% for service in matrix_nginx_proxy_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_nginx_proxy_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} [Service] Type=simple diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 7d4b8574..d4818a7f 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -1,10 +1,9 @@ -# The defaults below cause a postgres server to be configured (running within a container). -# Using an external server is possible by tweaking all of the parameters below. -matrix_postgres_use_external: false -matrix_postgres_connection_hostname: "matrix-postgres" -matrix_postgres_connection_username: "synapse" -matrix_postgres_connection_password: "synapse-password" -matrix_postgres_db_name: "homeserver" +matrix_postgres_enabled: true + +matrix_postgres_connection_hostname: "" +matrix_postgres_connection_username: "" +matrix_postgres_connection_password: "" +matrix_postgres_db_name: "" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml index 98df10e9..7255c74e 100644 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -2,6 +2,11 @@ # Pre-checks +- name: Fail if Postgres not enabled + fail: + msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." + when: "not matrix_postgres_enabled" + - name: Fail if playbook called incorrectly fail: msg: "The `server_path_postgres_dump` variable needs to be provided to this playbook, via --extra-vars" diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml index cbfe6d7f..b3cf75be 100644 --- a/roles/matrix-postgres/tasks/import_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml @@ -2,6 +2,11 @@ # Pre-checks +- name: Fail if Postgres not enabled + fail: + msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." + when: "not matrix_postgres_enabled" + - name: Fail if playbook called incorrectly fail: msg: "The `server_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars" diff --git a/roles/matrix-postgres/tasks/init.yml b/roles/matrix-postgres/tasks/init.yml index 433020df..a8544e0f 100644 --- a/roles/matrix-postgres/tasks/init.yml +++ b/roles/matrix-postgres/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres'] }}" - when: "not matrix_postgres_use_external" \ No newline at end of file + when: matrix_postgres_enabled \ No newline at end of file diff --git a/roles/matrix-postgres/tasks/main.yml b/roles/matrix-postgres/tasks/main.yml index 123ddde4..397924ee 100644 --- a/roles/matrix-postgres/tasks/main.yml +++ b/roles/matrix-postgres/tasks/main.yml @@ -2,11 +2,17 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup and matrix_postgres_enabled" + tags: + - setup-all + - setup-postgres + - import_tasks: "{{ role_path }}/tasks/setup_postgres.yml" when: run_setup tags: - - setup-postgres - setup-all + - setup-postgres - import_tasks: "{{ role_path }}/tasks/import_postgres.yml" when: run_import_postgres diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 89e8104f..2b83d4aa 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -5,8 +5,10 @@ # - import_tasks: "{{ role_path }}/tasks/migrate_postgres_data_directory.yml" + when: matrix_postgres_enabled - import_tasks: "{{ role_path }}/tasks/util/detect_existing_postgres_version.yml" + when: matrix_postgres_enabled # If we have found an existing version (installed from before), we use its corresponding Docker image. # If not, we install using the latest Postgres. @@ -14,16 +16,18 @@ # Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`). - set_fact: matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}" + when: matrix_postgres_enabled - name: Warn if on an old version of Postgres debug: msg: "NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres" - when: "matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest" + when: "matrix_postgres_enabled and matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest" # Even if we don't run the internal server, we still need this for running the CLI - name: Ensure postgres Docker image is pulled docker_image: name: "{{ matrix_postgres_docker_image_to_use }}" + when: matrix_postgres_enabled # We always create these directories, even if an external Postgres is used, # because we store environment variable files there. @@ -37,6 +41,7 @@ with_items: - "{{ matrix_postgres_base_path }}" - "{{ matrix_postgres_data_path }}" + when: matrix_postgres_enabled - name: Ensure Postgres environment variables file created template: @@ -46,18 +51,21 @@ with_items: - "env-postgres-psql" - "env-postgres-server" + when: matrix_postgres_enabled - name: Ensure matrix-postgres-cli script created template: src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2" dest: "/usr/local/bin/matrix-postgres-cli" mode: 0750 + when: matrix_postgres_enabled - name: Ensure matrix-make-user-admin script created template: src: "{{ role_path }}/templates/usr-local-bin/matrix-make-user-admin.j2" dest: "/usr/local/bin/matrix-make-user-admin" mode: 0750 + when: matrix_postgres_enabled # # Tasks related to setting up an internal postgres server @@ -68,7 +76,7 @@ src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2" dest: "/etc/systemd/system/matrix-postgres.service" mode: 0644 - when: "not matrix_postgres_use_external" + when: matrix_postgres_enabled # # Tasks related to getting rid of the internal postgres server (if it was previously enabled) @@ -78,29 +86,29 @@ stat: path: "/etc/systemd/system/matrix-postgres.service" register: matrix_postgres_service_stat - when: matrix_postgres_use_external + when: "not matrix_postgres_enabled" - name: Ensure matrix-postgres is stopped service: name: matrix-postgres state: stopped daemon_reload: yes - when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists" + when: "not matrix_postgres_enabled and matrix_postgres_service_stat.stat.exists" - name: Ensure matrix-postgres.service doesn't exist file: path: "/etc/systemd/system/matrix-postgres.service" state: absent - when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists" + when: "not matrix_postgres_enabled and matrix_postgres_service_stat.stat.exists" - name: Check existence of matrix-postgres local data path stat: path: "{{ matrix_postgres_data_path }}" register: matrix_postgres_data_path_stat - when: matrix_postgres_use_external + when: "not matrix_postgres_enabled" # We just want to notify the user. Deleting data is too destructive. - name: Notify if matrix-postgres local data remains debug: - msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete it." - when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists" + msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it." + when: "not matrix_postgres_enabled and matrix_postgres_data_path_stat.stat.exists" diff --git a/roles/matrix-postgres/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml index b73bc030..3e67dfc5 100644 --- a/roles/matrix-postgres/tasks/upgrade_postgres.yml +++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml @@ -22,8 +22,8 @@ - name: Fail, if trying to upgrade external Postgres database fail: - msg: "Your configuration indicates that you're using an external Postgres database. Refusing to try and upgrade that." - when: "matrix_postgres_use_external" + msg: "Your configuration indicates that you're not using Postgres from this role. There is nothing to upgrade." + when: "not matrix_postgres_enabled" - name: Check Postgres auto-upgrade backup data directory stat: diff --git a/roles/matrix-postgres/tasks/validate_config.yml b/roles/matrix-postgres/tasks/validate_config.yml new file mode 100644 index 00000000..8c3e0fbe --- /dev/null +++ b/roles/matrix-postgres/tasks/validate_config.yml @@ -0,0 +1,22 @@ +--- + +- name: (Deprecation) Warn about matrix_postgres_use_external usage + fail: + msg: > + The `matrix_postgres_use_external` variable defined in your configuration is not used by this playbook anymore! + You'll need to adapt to the new way of using an external Postgres server. + It's a combination of `matrix_postgres_enabled: false` and specifying Postgres connection + details in a few `matrix_synapse_database_` variables. + See the "Using an external PostgreSQL server (optional)" documentation page. + when: "'matrix_postgres_use_external' in vars" + +- name: Fail if required Postgres settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) for using mxisd. + when: "vars[item] == ''" + with_items: + - "matrix_postgres_connection_hostname" + - "matrix_postgres_connection_username" + - "matrix_postgres_connection_password" + - "matrix_postgres_db_name" \ No newline at end of file diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index ea5b8095..dd0e7d40 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,13 +1,17 @@ -# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain. -# If you wish to connect to your Matrix server by other means, -# you may wish to disable this. matrix_riot_web_enabled: true matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.8" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" +matrix_riot_web_container_expose_port: false + +# List of systemd services that matrix-riot-web.service depends on +matrix_riot_web_systemd_required_services_list: ['docker.service'] + # Riot config.json customizations +matrix_riot_web_default_hs_url: "" +matrix_riot_web_default_is_url: ~ matrix_riot_web_disable_custom_urls: true matrix_riot_web_disable_guests: true matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/" @@ -18,7 +22,6 @@ matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/wid matrix_riot_web_roomdir_servers: ['matrix.org'] matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" - # Riot home.html customizations # Default home.html template file matrix_riot_web_homepage_template: "{{ role_path }}/templates/home.html.j2" diff --git a/roles/matrix-riot-web/tasks/main.yml b/roles/matrix-riot-web/tasks/main.yml index da57a88a..a2fd2c8e 100644 --- a/roles/matrix-riot-web/tasks/main.yml +++ b/roles/matrix-riot-web/tasks/main.yml @@ -2,6 +2,12 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup and matrix_riot_web_enabled" + tags: + - setup-all + - setup-riot-web + - import_tasks: "{{ role_path }}/tasks/setup_riot_web.yml" when: run_setup tags: diff --git a/roles/matrix-riot-web/tasks/validate_config.yml b/roles/matrix-riot-web/tasks/validate_config.yml new file mode 100644 index 00000000..0068580d --- /dev/null +++ b/roles/matrix-riot-web/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required riot-web settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) for using riot-web. + when: "vars[item] == ''" + with_items: + - "matrix_riot_web_default_hs_url" diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 6add6512..05d9a442 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -1,13 +1,13 @@ { - "default_hs_url": "{{ matrix_homeserver_url }}", - "default_is_url": "{{ matrix_identity_server_url }}", - "disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|lower }}, - "disable_guests": {{ matrix_riot_web_disable_guests|lower }}, + "default_hs_url": {{ matrix_riot_web_default_hs_url|to_json }}, + "default_is_url": {{ matrix_riot_web_default_is_url|to_json }}, + "disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }}, + "disable_guests": {{ matrix_riot_web_disable_guests|to_json }}, "brand": "Riot", - "integrations_ui_url": "{{ matrix_riot_web_integrations_ui_url }}", - "integrations_rest_url": "{{ matrix_riot_web_integrations_rest_url }}", + "integrations_ui_url": {{ matrix_riot_web_integrations_ui_url|to_json }}, + "integrations_rest_url": {{ matrix_riot_web_integrations_rest_url|to_json }}, "integrations_widgets_urls": {{ matrix_riot_web_integrations_widgets_urls|to_json }}, - "integrations_jitsi_widget_url": "{{ matrix_riot_web_integrations_jitsi_widget_url }}", + "integrations_jitsi_widget_url": {{ matrix_riot_web_integrations_jitsi_widget_url|to_json }}, "bug_report_endpoint_url": "https://riot.im/bugreports/submit", "enableLabs": true, "roomDirectory": { diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index a4742a38..6ef2ad17 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -1,7 +1,9 @@ [Unit] -Description=Matrix Riot web server -After=docker.service -Requires=docker.service +Description=Matrix riot-web server +{% for service in matrix_riot_web_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} [Service] Type=simple @@ -12,7 +14,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ -v {{ matrix_riot_web_data_path }}/config.json:/etc/riot-web/config.json:ro \ -v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \ --network={{ matrix_docker_network }} \ - {% if not matrix_nginx_proxy_enabled %} + {% if matrix_riot_web_container_expose_port %} -p 127.0.0.1:8765:80 \ {% endif %} {{ matrix_riot_web_docker_image }} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 6ebb3fa9..a0c42b03 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -8,10 +8,13 @@ matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" # Controls whether the Synapse container exposes the Client/Server API port (tcp/8008). -# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# the Client/Server API's port to the local host (`127.0.0.1:8008`). -matrix_synapse_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" +matrix_synapse_container_expose_client_server_api_port: false + +# List of systemd services that matrix-synapse.service depends on +matrix_synapse_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-synapse.service wants +matrix_synapse_systemd_wanted_services_list: [] matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages" @@ -27,15 +30,10 @@ matrix_synapse_macaroon_secret_key: "" matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}" matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" -# These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled -matrix_synapse_id_servers_public: ['vector.im', 'matrix.org'] - -# These are the identity servers that would be trusted by Synapse if mxisd IS enabled -matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']" - -# The final list of identity servers to use for Synapse. -# The first one would also be used as riot-web's default identity server. -matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_own if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" +# The list of identity servers to use for Synapse. +# We assume this role runs standalone without a local Identity server, so we point Synapse to public ones. +# This most likely gets overwritten later, so that a local Identity server is used. +matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_public }}" matrix_synapse_max_upload_size_mb: 10 matrix_synapse_max_log_file_size_mb: 100 @@ -114,6 +112,22 @@ matrix_synapse_app_service_config_files: [] # any password providers have been enabled or not. matrix_synapse_password_providers_enabled: false +# Postgres database information +matrix_synapse_database_host: "" +matrix_synapse_database_user: "" +matrix_synapse_database_password: "" +matrix_synapse_database_database: "" + +matrix_synapse_turn_uris: [] +matrix_synapse_turn_shared_secret: "" + +matrix_synapse_email_enabled: false +matrix_synapse_email_smtp_host: "" +matrix_synapse_email_smtp_port: 587 +matrix_synapse_email_smtp_require_transport_security: false +matrix_synapse_email_notif_from: "Matrix " +matrix_synapse_email_riot_base_url: "https://{{ hostname_riot }}" + # Enable this to activate the REST auth password provider module. # See: https://github.com/kamax-io/matrix-synapse-rest-auth diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index e385fe11..1049cb5f 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -2,6 +2,12 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup + tags: + - setup-all + - setup-synapse + - import_tasks: "{{ role_path }}/tasks/setup_synapse_entrypoint.yml" when: run_setup tags: diff --git a/roles/matrix-synapse/tasks/self_check_client_api.yml b/roles/matrix-synapse/tasks/self_check_client_api.yml index 7fae6468..d8914214 100644 --- a/roles/matrix-synapse/tasks/self_check_client_api.yml +++ b/roles/matrix-synapse/tasks/self_check_client_api.yml @@ -1,20 +1,17 @@ --- -- set_fact: - matrix_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/versions" - - name: Check Matrix Client API uri: - url: "{{ matrix_client_api_url_endpoint_public }}" + url: "{{ matrix_synapse_client_api_url_endpoint_public }}" follow_redirects: false - register: result_matrix_client_api + register: result_matrix_synapse_client_api ignore_errors: true - name: Fail if Matrix Client API not working fail: - msg: "Failed checking Matrix Client API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_client_api }}" - when: "result_matrix_client_api.failed or 'json' not in result_matrix_client_api" + msg: "Failed checking Matrix Client API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_synapse_client_api }}" + when: "result_matrix_synapse_client_api.failed or 'json' not in result_matrix_synapse_client_api" - name: Report working Matrix Client API debug: - msg: "The Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_client_api_url_endpoint_public }}`) is working" \ No newline at end of file + msg: "The Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`) is working" \ No newline at end of file diff --git a/roles/matrix-synapse/tasks/self_check_federation_api.yml b/roles/matrix-synapse/tasks/self_check_federation_api.yml index 2082cf65..dc451955 100644 --- a/roles/matrix-synapse/tasks/self_check_federation_api.yml +++ b/roles/matrix-synapse/tasks/self_check_federation_api.yml @@ -1,21 +1,18 @@ --- -- set_fact: - matrix_federation_api_url_endpoint_public: "https://{{ hostname_matrix }}:8448/_matrix/federation/v1/version" - - name: Check Matrix Federation API uri: - url: "{{ matrix_federation_api_url_endpoint_public }}" + url: "{{ matrix_synapse_federation_api_url_endpoint_public }}" follow_redirects: false validate_certs: false - register: result_matrix_federation_api + register: result_matrix_synapse_federation_api ignore_errors: true - name: Fail if Matrix Federation API not working fail: - msg: "Failed checking Matrix Federation API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_federation_api }}" - when: "result_matrix_federation_api.failed or 'json' not in result_matrix_federation_api" + msg: "Failed checking Matrix Federation API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}" + when: "result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api" - name: Report working Matrix Federation API debug: - msg: "The Matrix Federation API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_federation_api_url_endpoint_public }}`) is working" \ No newline at end of file + msg: "The Matrix Federation API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working" \ No newline at end of file diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml new file mode 100644 index 00000000..e1454bfa --- /dev/null +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required Synapse settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) for using Synapse. + when: "vars[item] == ''" + with_items: + - "matrix_synapse_macaroon_secret_key" \ No newline at end of file diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 2ed60cce..a123f319 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -216,10 +216,10 @@ database: # The database engine name name: "psycopg2" args: - user: {{ matrix_postgres_connection_username|to_json }} - password: {{ matrix_postgres_connection_password|to_json }} - database: "{{ matrix_postgres_db_name }}" - host: "{{ matrix_postgres_connection_hostname }}" + user: {{ matrix_synapse_database_user|to_json }} + password: {{ matrix_synapse_database_password|to_json }} + database: "{{ matrix_synapse_database_database }}" + host: "{{ matrix_synapse_database_host }}" cp_min: 5 cp_max: 10 @@ -409,10 +409,10 @@ recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" ## Turn ## # The public URIs of the TURN server to give to clients -turn_uris: ["turn:{{ hostname_matrix }}:3478?transport=udp", "turn:{{ hostname_matrix }}:3478?transport=tcp"] +turn_uris: {{ matrix_synapse_turn_uris|to_json }} # The shared secret used to compute passwords for the TURN server -turn_shared_secret: {{ matrix_coturn_turn_static_auth_secret|to_json }} +turn_shared_secret: {{ matrix_synapse_turn_shared_secret|to_json }} # The Username and password if the TURN server needs them and # does not use a token @@ -600,18 +600,18 @@ password_config: # If your SMTP server requires authentication, the optional smtp_user & # smtp_pass variables should be used # -{% if matrix_mailer_enabled %} +{% if matrix_synapse_email_enabled %} email: enable_notifs: true - smtp_host: "matrix-mailer" - smtp_port: 587 - require_transport_security: false - notif_from: "Matrix <{{ matrix_mailer_sender_address }}>" + smtp_host: {{ matrix_synapse_email_smtp_host|to_json }} + smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} + require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} + notif_from: {{ matrix_synapse_email_notif_from|to_json }} app_name: Matrix notif_template_html: notif_mail.html notif_template_text: notif_mail.txt notif_for_new_users: True - riot_base_url: "https://{{ hostname_riot }}" + riot_base_url: {{ matrix_synapse_email_riot_base_url|to_json }} {% endif %} diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 7654c7a0..850c750f 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -1,19 +1,12 @@ [Unit] Description=Matrix Synapse server -After=docker.service -Requires=docker.service -{% if not matrix_postgres_use_external %} -Requires=matrix-postgres.service -After=matrix-postgres.service -{% endif %} -{% if matrix_s3_media_store_enabled %} -After=matrix-goofys.service -Requires=matrix-goofys.service -{% endif %} -{% if matrix_mailer_enabled %} -Wants=matrix-mailer.service -{% endif %} -Wants=matrix-coturn.service +{% for service in matrix_synapse_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_synapse_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} [Service] Type=simple diff --git a/roles/matrix-synapse/vars/main.yml b/roles/matrix-synapse/vars/main.yml new file mode 100644 index 00000000..9d0136c2 --- /dev/null +++ b/roles/matrix-synapse/vars/main.yml @@ -0,0 +1,6 @@ +--- + +matrix_synapse_id_servers_public: ['vector.im', 'matrix.org'] + +matrix_synapse_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/versions" +matrix_synapse_federation_api_url_endpoint_public: "https://{{ hostname_matrix }}:8448/_matrix/federation/v1/version" \ No newline at end of file From f4f06ae068bf0e21ebaacc7889ddb114f04e8c46 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 17 Jan 2019 13:32:46 +0200 Subject: [PATCH 0294/2384] Make matrix-nginx-proxy role independent of others The matrix-nginx-proxy role can now be used independently. This makes it consistent with all other roles, with the `matrix-base` role remaining as their only dependency. Separating matrix-nginx-proxy was relatively straightforward, with the exception of the Mautrix Telegram reverse-proxying configuration. Mautrix Telegram, being an extension/bridge, does not feel important enough to justify its own special handling in matrix-nginx-proxy. Thus, we've introduced the concept of "additional configuration blocks" (`matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks`), where any module can register its own custom nginx server blocks. For such dynamic registration to work, the order of role execution becomes important. To make it possible for each module participating in dynamic registration to verify that the order of execution is correct, we've also introduced a `matrix_nginx_proxy_role_executed` variable. It should be noted that this doesn't make the matrix-synapse role dependent on matrix-nginx-proxy. It's optional runtime detection and registration, and it only happens in the matrix-synapse role when `matrix_mautrix_telegram_enabled: true`. --- CHANGELOG.md | 23 +++------ group_vars/matrix-servers | 14 +++++- roles/matrix-nginx-proxy/defaults/main.yml | 19 +++++++- roles/matrix-nginx-proxy/tasks/main.yml | 17 ++++++- .../tasks/validate_config.yml | 12 +++++ .../nginx-conf.d/matrix-synapse.conf.j2 | 34 +++++--------- roles/matrix-nginx-proxy/vars/main.yml | 4 ++ .../tasks/ext/mautrix-telegram/setup.yml | 47 +++++++++++++++++++ 8 files changed, 127 insertions(+), 43 deletions(-) create mode 100644 roles/matrix-nginx-proxy/tasks/validate_config.yml create mode 100644 roles/matrix-nginx-proxy/vars/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 5021978d..e32c61c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,21 +8,12 @@ The following change **affects people running a more non-standard setup** - exte Because people like using the playbook's components independently (outside of this playbook) and because it's much better for maintainability, we've continued working on separating them. Still, we'd like to offer a turnkey solution for running a fully-featured Matrix server, so this playbook remains important for wiring up the various components. -With the new changes, the following roles are now only dependent on the minimal `matrix-base` role: -- `matrix-corporal` -- `matrix-coturn` -- `matrix-mailer` -- `matrix-mxisd` -- `matrix-postgres` -- `matrix-riot-web` -- `matrix-synapse` - -The `matrix-nginx-proxy` role still does too much and remains dependent on the others. - -In addition, the following components can be completely disabled now (for those who want/need to): -- `matrix-coturn` -- `matrix-mailer` -- `matrix-postgres` +With the new changes, **all roles are now only dependent on the minimal `matrix-base` role**. They are no longer dependent among themselves. + +In addition, the following components can now be completely disabled (for those who want/need to): +- `matrix-coturn` by using `matrix_coturn_enabled: false` +- `matrix-mailer` by using `matrix_mailer_enabled: false` +- `matrix-postgres` by using `matrix_postgres_enabled: false` The following changes had to be done: @@ -30,7 +21,7 @@ The following changes had to be done: - `matrix_postgres_use_external` has been superceeded by the more consistently named `matrix_postgres_enabled` variable and a few other `matrix_synapse_database_` variables. See the [Using an external PostgreSQL server (optional)](docs/configuring-playbook-external-postgres.md) documentation page for an up-to-date replacement. -- Postgres tools (`matrix-postgres-cli` and `matrix-make-user-admin`) are no longer installed if you're using an external Postgres server (`matrix_postgres_enabled: false`) +- Postgres tools (`matrix-postgres-cli` and `matrix-make-user-admin`) are no longer installed if you're not enabling the `matrix-postgres` role (`matrix_postgres_enabled: false`) - roles, being more independent now, are more minimal and do not do so much magic for you. People that are building their own playbook using our roles will definitely need to take a look at the [`group_vars/matrix-servers`](group_vars/matrix-servers) file and adapt their playbooks with the same (or similar) wiring logic. diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index da2ca830..50fe3f94 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -149,12 +149,22 @@ matrix_mxisd_systemd_wanted_services_list: | # This is fine if you're dedicating the whole server to Matrix. # If that's not the case, you may wish to disable this and take care of proxying yourself. matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" -matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "{{ 'localhost:41080' if matrix_corporal_enabled else 'localhost:8008' }}" + +matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" +matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ 'localhost:41080' if matrix_corporal_enabled else 'localhost:8008' }}" +matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size: "{{ matrix_synapse_max_upload_size_mb }}M" matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}" +matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" +matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" +matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "localhost:41081" + +matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled }}" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "localhost:8090" + matrix_nginx_proxy_systemd_wanted_services_list: | {{ (['matrix-synapse.service']) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8003772f..4acceb77 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -19,10 +19,25 @@ matrix_nginx_proxy_proxy_riot_hostname: "{{ hostname_riot }}" matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ hostname_matrix }}" +# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) +matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false +matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" +matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "localhost:41081" + +# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) +matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "localhost:8090" + # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. -matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008" -matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008" +matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008" +matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "localhost:8008" +# This needs to be equal or higher than the maximum upload size accepted by Synapse. +matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size: "25M" + +# A list of strings containing additional configuration blocks to add to the matrix domain's server configuration. +matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] # Specifies when to reload the matrix-nginx-proxy service so that # a new SSL certificate could go into effect. diff --git a/roles/matrix-nginx-proxy/tasks/main.yml b/roles/matrix-nginx-proxy/tasks/main.yml index 022d5272..08a71400 100644 --- a/roles/matrix-nginx-proxy/tasks/main.yml +++ b/roles/matrix-nginx-proxy/tasks/main.yml @@ -2,6 +2,15 @@ tags: - always +# Always validating the configuration, even if `matrix_nginx_proxy: false`. +# This role performs actions even if the role is disabled, so we need +# to ensure there's a valid configuration in any case. +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup + tags: + - setup-all + - setup-nginx-proxy + - import_tasks: "{{ role_path }}/tasks/ssl/main.yml" when: run_setup tags: @@ -20,4 +29,10 @@ become: false when: run_self_check tags: - - self-check \ No newline at end of file + - self-check + +- name: Mark matrix-nginx-proxy role as executed + set_fact: + matrix_nginx_proxy_role_executed: true + tags: + - always diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml new file mode 100644 index 00000000..9316fc4e --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -0,0 +1,12 @@ +--- + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: > + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container'} + - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container'} + diff --git a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 index 06a120cf..c1458878 100644 --- a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -46,63 +46,53 @@ server { add_header Access-Control-Allow-Origin *; } - {% if matrix_corporal_enabled and matrix_corporal_http_api_enabled %} + {% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %} location /_matrix/corporal { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-corporal:41081"; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:41081; + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }}; {% endif %} } {% endif %} - {% if matrix_mxisd_enabled %} + {% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %} location /_matrix/identity { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-mxisd:8090"; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:8090; + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}; {% endif %} } {% endif %} - {% if matrix_mautrix_telegram_enabled %} - location {{ matrix_mautrix_telegram_public_endpoint }} { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-mautrix-telegram:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:8080; - {% endif %} - } - {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} location /_matrix { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container }}"; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container }}; + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }}; {% endif %} proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; - client_max_body_size {{ matrix_synapse_max_upload_size_mb }}M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size }}; proxy_max_temp_file_size 0; } diff --git a/roles/matrix-nginx-proxy/vars/main.yml b/roles/matrix-nginx-proxy/vars/main.yml new file mode 100644 index 00000000..4d0235cb --- /dev/null +++ b/roles/matrix-nginx-proxy/vars/main.yml @@ -0,0 +1,4 @@ +--- + +# Tells whether this role had executed or not. Toggled to `true` during runtime. +matrix_nginx_proxy_role_executed: false \ No newline at end of file diff --git a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml index 6e0c3249..f85abb13 100644 --- a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml @@ -58,6 +58,53 @@ {{ ["{{ matrix_synapse_app_service_config_file_mautrix_telegram }}"] | to_nice_json }} when: "matrix_mautrix_telegram_enabled" +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: > + Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-synapse role. + when: "matrix_nginx_proxy_role_executed" + + - name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy + set_fact: + matrix_mautrix_telegram_matrix_nginx_proxy_configuration: | + location {{ matrix_mautrix_telegram_public_endpoint }} { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-telegram:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://localhost:8080; + {% endif %} + } + + - name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks + + + [matrix_mautrix_telegram_matrix_nginx_proxy_configuration] + }} + + when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled|default(False)" + tags: + - always + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: > + NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}` + URL endpoint to the matrix-mautrix-telegram container. + when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled is not defined" + # # Tasks related to getting rid of matrix-mautrix-telegram (if it was previously enabled) # From 2fdafaa85b6ec6abc470419d8eac4936b91cbe08 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 17 Jan 2019 14:37:29 +0200 Subject: [PATCH 0295/2384] Update CHANGELOG --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e32c61c0..d96635b6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -# 2019-01-xx +# 2019-01-17 ## (BC Break) Making the playbook's roles more independent of one another From df0d46548261c9c24054084d8d1c0c0eb00fcf0e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 17 Jan 2019 14:47:37 +0200 Subject: [PATCH 0296/2384] Fix typos in some variables (matrix_mxid -> matrix_mxisd) --- group_vars/matrix-servers | 10 ++++---- roles/matrix-mxisd/defaults/main.yml | 26 ++++++++++---------- roles/matrix-mxisd/tasks/validate_config.yml | 2 +- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 50fe3f94..196483fc 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -119,10 +119,10 @@ matrix_mxisd_synapsesql_type: postgresql matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password }} # By default, we send mail through the `matrix-mailer` service. -matrix_mxid_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" -matrix_mxid_threepid_medium_email_connectors_smtp_host: "matrix-mailer" -matrix_mxid_threepid_medium_email_connectors_smtp_port: 587 -matrix_mxid_threepid_medium_email_connectors_smtp_tls: 0 +matrix_mxisd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" +matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" +matrix_mxisd_threepid_medium_email_connectors_smtp_port: 587 +matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0 matrix_mxisd_systemd_wanted_services_list: | {{ @@ -296,4 +296,4 @@ matrix_synapse_systemd_wanted_services_list: | # # /matrix-synapse # -###################################################################### \ No newline at end of file +###################################################################### diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index 6fc37ba3..42440240 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -29,12 +29,12 @@ matrix_mxisd_synapsesql_type: "" matrix_mxisd_synapsesql_connection: "" # Setting up email-sending settings is required for using mxisd. -matrix_mxid_threepid_medium_email_identity_from: "matrix@{{ hostname_identity }}" -matrix_mxid_threepid_medium_email_connectors_smtp_host: "" -matrix_mxid_threepid_medium_email_connectors_smtp_port: 587 -matrix_mxid_threepid_medium_email_connectors_smtp_tls: 1 -matrix_mxid_threepid_medium_email_connectors_smtp_login: "" -matrix_mxid_threepid_medium_email_connectors_smtp_password: "" +matrix_mxisd_threepid_medium_email_identity_from: "matrix@{{ hostname_identity }}" +matrix_mxisd_threepid_medium_email_connectors_smtp_host: "" +matrix_mxisd_threepid_medium_email_connectors_smtp_port: 587 +matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 1 +matrix_mxisd_threepid_medium_email_connectors_smtp_login: "" +matrix_mxisd_threepid_medium_email_connectors_smtp_password: "" # Default mxisd configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. @@ -65,14 +65,14 @@ matrix_mxisd_configuration_yaml: | medium: email: identity: - from: {{ matrix_mxid_threepid_medium_email_identity_from }} + from: {{ matrix_mxisd_threepid_medium_email_identity_from }} connectors: smtp: - host: {{ matrix_mxid_threepid_medium_email_connectors_smtp_host }} - port: {{ matrix_mxid_threepid_medium_email_connectors_smtp_port }} - tls: {{ matrix_mxid_threepid_medium_email_connectors_smtp_tls }} - login: {{ matrix_mxid_threepid_medium_email_connectors_smtp_login }} - password: {{ matrix_mxid_threepid_medium_email_connectors_smtp_password }} + host: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_host }} + port: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_port }} + tls: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_tls }} + login: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_login }} + password: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_password }} synapseSql: enabled: {{ matrix_mxisd_synapsesql_enabled }} @@ -102,4 +102,4 @@ matrix_mxisd_configuration_extension_yaml: | # Holds the final mxisd configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`. -matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}" \ No newline at end of file +matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-mxisd/tasks/validate_config.yml b/roles/matrix-mxisd/tasks/validate_config.yml index a9bc038a..3b125b3f 100644 --- a/roles/matrix-mxisd/tasks/validate_config.yml +++ b/roles/matrix-mxisd/tasks/validate_config.yml @@ -44,4 +44,4 @@ You need to define a required configuration setting (`{{ item }}`) for using mxisd. when: "vars[item] == ''" with_items: - - "matrix_mxid_threepid_medium_email_connectors_smtp_host" \ No newline at end of file + - "matrix_mxisd_threepid_medium_email_connectors_smtp_host" From cb11548eec55da9b9129877557153a0a44a4a62c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 17 Jan 2019 15:55:23 +0200 Subject: [PATCH 0297/2384] Use mxisd for user directory searches Implements #77 (Github issue). --- group_vars/matrix-servers | 10 ++++++++++ roles/matrix-mxisd/defaults/main.yml | 16 ++++++++++++++++ roles/matrix-nginx-proxy/defaults/main.yml | 7 +++++++ .../nginx-conf.d/matrix-synapse.conf.j2 | 14 ++++++++++++++ 4 files changed, 47 insertions(+) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 196483fc..767b36eb 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -118,6 +118,10 @@ matrix_mxisd_synapsesql_enabled: true matrix_mxisd_synapsesql_type: postgresql matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password }} +matrix_mxisd_dns_overwrite_enabled: true +matrix_mxisd_dns_overwrite_homeserver_client_name: "matrix-mxisd" +matrix_mxisd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" + # By default, we send mail through the `matrix-mailer` service. matrix_mxisd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" @@ -126,6 +130,8 @@ matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0 matrix_mxisd_systemd_wanted_services_list: | {{ + (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + (['matrix-mailer.service'] if matrix_mailer_enabled else []) @@ -165,6 +171,10 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled } matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "localhost:8090" +matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_enabled }}" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" + matrix_nginx_proxy_systemd_wanted_services_list: | {{ (['matrix-synapse.service']) diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index 42440240..8970e2df 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -36,6 +36,13 @@ matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 1 matrix_mxisd_threepid_medium_email_connectors_smtp_login: "" matrix_mxisd_threepid_medium_email_connectors_smtp_password: "" +# DNS overwrites are useful for telling mxisd how it can reach the homeserver directly. +# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to mxisd, +# so that mxisd can rewrite the original URL to one that would reach the homeserver. +matrix_mxisd_dns_overwrite_enabled: false +matrix_mxisd_dns_overwrite_homeserver_client_name: "matrix-mxisd" +matrix_mxisd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" + # Default mxisd configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -56,6 +63,15 @@ matrix_mxisd_configuration_yaml: | sqlite: database: /var/mxisd/mxisd.db + {% if matrix_mxisd_dns_overwrite_enabled %} + dns: + overwrite: + homeserver: + client: + - name: {{ matrix_mxisd_dns_overwrite_homeserver_client_name }} + value: {{ matrix_mxisd_dns_overwrite_homeserver_client_value }} + {% endif %} + {% if matrix_mxisd_matrixorg_forwarding_enabled %} forward: servers: ['matrix-org'] diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 4acceb77..ccc51ac8 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -24,6 +24,13 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "localhost:41081" +# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain). +# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. +# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/directory.md +matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "localhost:8090" + # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" diff --git a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 index c1458878..34c9d0ab 100644 --- a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -74,6 +74,20 @@ server { } {% endif %} + {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} + location /_matrix/client/r0/user_directory/search { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }}; + {% endif %} + } + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} From ba75ab496d7875f9209b59d32cb8408923b2ddec Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 17 Jan 2019 16:21:04 +0200 Subject: [PATCH 0298/2384] Send Host/X-Forwarded-For to mxisd It worked without it too, but doing this is more consistent with the mxisd recommendations. --- group_vars/matrix-servers | 2 +- roles/matrix-mxisd/defaults/main.yml | 2 +- .../templates/nginx-conf.d/matrix-synapse.conf.j2 | 6 ++++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 767b36eb..3167c612 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -119,7 +119,7 @@ matrix_mxisd_synapsesql_type: postgresql matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password }} matrix_mxisd_dns_overwrite_enabled: true -matrix_mxisd_dns_overwrite_homeserver_client_name: "matrix-mxisd" +matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ hostname_matrix }}" matrix_mxisd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" # By default, we send mail through the `matrix-mailer` service. diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index 8970e2df..a0a1f781 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -40,7 +40,7 @@ matrix_mxisd_threepid_medium_email_connectors_smtp_password: "" # Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to mxisd, # so that mxisd can rewrite the original URL to one that would reach the homeserver. matrix_mxisd_dns_overwrite_enabled: false -matrix_mxisd_dns_overwrite_homeserver_client_name: "matrix-mxisd" +matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ hostname_matrix }}" matrix_mxisd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" # Default mxisd configuration template which covers the generic use case. diff --git a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 index 34c9d0ab..a88bf27e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -71,6 +71,9 @@ server { {# Generic configuration for use outside of our container setup #} proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}; {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; } {% endif %} @@ -85,6 +88,9 @@ server { {# Generic configuration for use outside of our container setup #} proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }}; {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; } {% endif %} From fef6c052c34404a15985a87ad9593596c349cd04 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 17 Jan 2019 16:25:08 +0200 Subject: [PATCH 0299/2384] Pass Host/X-Forwarded-For everywhere It hasn't mattered much to have these so far, but it's probably a good idea to have them. --- .../templates/nginx-conf.d/matrix-riot-web.conf.j2 | 3 ++- .../templates/nginx-conf.d/matrix-synapse.conf.j2 | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 index 87ccc532..967a4355 100644 --- a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -50,6 +50,7 @@ server { proxy_pass http://localhost:8765; {% endif %} - proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; } } diff --git a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 index a88bf27e..1a2d166b 100644 --- a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 @@ -57,6 +57,9 @@ server { {# Generic configuration for use outside of our container setup #} proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }}; {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; } {% endif %} @@ -109,6 +112,7 @@ server { proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }}; {% endif %} + proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; From 8d186e5194d7039ba91ff65b16cb6ed21ca1a580 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 21 Jan 2019 07:32:19 +0200 Subject: [PATCH 0300/2384] Fix Postgres import when Postgres had never started If this is a brand new server and Postgres had never started, detecting it before we even start it is not possible. This moves the logic, so that it happens later on, when Postgres would have had the chance to start and possibly initialize a new empty database. Fixes #82 (Github issue) --- roles/matrix-postgres/tasks/import_postgres.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml index 7255c74e..25e1fe1c 100644 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -22,13 +22,6 @@ msg: "File cannot be found on the server at {{ server_path_postgres_dump }}" when: not result_server_path_postgres_dump_stat.stat.exists -- import_tasks: tasks/util/detect_existing_postgres_version.yml - -- name: Abort, if no existing Postgres version detected - fail: - msg: "Could not find existing Postgres installation" - when: "not matrix_postgres_detected_existing" - # Defaults @@ -52,6 +45,13 @@ delegate_to: 127.0.0.1 become: false +- import_tasks: tasks/util/detect_existing_postgres_version.yml + +- name: Abort, if no existing Postgres version detected + fail: + msg: "Could not find existing Postgres installation" + when: "not matrix_postgres_detected_existing" + - name: Perform Postgres database import command: | /usr/bin/docker run --rm --name matrix-postgres-import \ From 0392822aa7693030ce46cdeb1a48fa35b234bb90 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 21 Jan 2019 08:33:10 +0200 Subject: [PATCH 0301/2384] Show Postgres import command and mention manual importing --- .../matrix-postgres/tasks/import_postgres.yml | 33 ++++++++++++------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml index 25e1fe1c..aed8f686 100644 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -30,7 +30,6 @@ postgres_start_wait_time: 15 when: "postgres_start_wait_time|default('') == ''" - # Actual import work - name: Ensure matrix-postgres is started @@ -52,14 +51,26 @@ msg: "Could not find existing Postgres installation" when: "not matrix_postgres_detected_existing" +- name: Generate Postgres database import command + set_fact: + matrix_postgres_import_command: >- + /usr/bin/docker run --rm --name matrix-postgres-import + --network={{ matrix_docker_network }} + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql + -v {{ server_path_postgres_dump }}:{{ server_path_postgres_dump }}:ro + --entrypoint=/bin/sh + {{ matrix_postgres_docker_image_latest }} + -c 'cat {{ server_path_postgres_dump }} | + {{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }} + psql -v ON_ERROR_STOP=1 -h matrix-postgres' + +- name: Note about Postgres importing alternative + debug: + msg: > + Importing Postgres database using the following command: `{{ matrix_postgres_import_command }}`. + If this crashes, you can stop Postgres (`systemctl stop matrix-postgres`), + delete its existing data (`rm -rf {{ matrix_postgres_data_path }}/*`), start it again (`systemctl start matrix-postgres`) + and manually run the above import command directly on the server. + - name: Perform Postgres database import - command: | - /usr/bin/docker run --rm --name matrix-postgres-import \ - --network={{ matrix_docker_network }} \ - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ - -v {{ server_path_postgres_dump }}:{{ server_path_postgres_dump }}:ro \ - --entrypoint=/bin/sh - {{ matrix_postgres_docker_image_latest }} - -c 'cat {{ server_path_postgres_dump }} | \ - {{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }} - psql -v ON_ERROR_STOP=1 -h matrix-postgres' + command: "{{ matrix_postgres_import_command }}" From a4e7ad5566dd1292d59fd3e831b6d04e32ae3a7e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 21 Jan 2019 08:34:49 +0200 Subject: [PATCH 0302/2384] Use async Ansible task for importing Postgres A long-running import task may hit the SSH timeout value and die. Using async is supposed to improve reliability in such scenarios. --- roles/matrix-postgres/tasks/import_postgres.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml index aed8f686..66b20a64 100644 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -30,6 +30,11 @@ postgres_start_wait_time: 15 when: "postgres_start_wait_time|default('') == ''" +- name: Set postgres_import_wait_time, if not provided + set_fact: + postgres_import_wait_time: "{{ 7 * 86400 }}" + when: "postgres_import_wait_time|default('') == ''" + # Actual import work - name: Ensure matrix-postgres is started @@ -74,3 +79,5 @@ - name: Perform Postgres database import command: "{{ matrix_postgres_import_command }}" + async: "{{ postgres_import_wait_time }}" + poll: 10 From fcceb3143de5469b4ce55f3ea12c2b353ba978ab Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Jan 2019 08:13:27 +0200 Subject: [PATCH 0303/2384] Update riot-web (0.17.8 -> 0.17.9) --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index dd0e7d40..a111c9d8 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,6 +1,6 @@ matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.8" +matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.9" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From a88b24ed2c2d358a6d850ce029e07f090ff5d205 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 25 Jan 2019 16:58:20 +0200 Subject: [PATCH 0304/2384] Update matrix-corporal (1.2.2 -> 1.3.0) --- roles/matrix-corporal/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index dd77e921..20f0fe62 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -9,7 +9,7 @@ matrix_corporal_container_expose_ports: false # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2" +matrix_corporal_docker_image: "devture/matrix-corporal:1.3.0" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" @@ -40,4 +40,4 @@ matrix_corporal_http_api_auth_token: "" # Matrix Corporal policy provider configuration (goes directly into the configuration's `PolicyProvider` value) matrix_corporal_policy_provider_config: "" -matrix_corporal_debug: false \ No newline at end of file +matrix_corporal_debug: false From 1a80058a2a5d679b8d4f440612d59cb7d7c70f2a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 26 Jan 2019 09:37:26 +0200 Subject: [PATCH 0305/2384] Indent (non-YAML) using tabs Fixes #83 (Github issue) --- .../usr-local-bin/matrix-remove-all.j2 | 42 +++++++++---------- .../nginx-conf.d/matrix-riot-web.conf.j2 | 10 ++--- .../usr-local-bin/matrix-make-user-admin.j2 | 17 ++++---- .../matrix-riot-web/templates/config.json.j2 | 30 ++++++------- .../matrix-synapse-register-user.j2 | 10 ++--- 5 files changed, 54 insertions(+), 55 deletions(-) diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 index 5614b0e3..9fdd7a21 100644 --- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 @@ -1,8 +1,8 @@ #!/bin/bash if [ "$(id -u)" != "0" ]; then - echo "This script must be executed as root! Aborting." - exit 1 + echo "This script must be executed as root! Aborting." + exit 1 fi echo "WARNING! You are about to remove everything the playbook installs for matrix.{{ host_specific_hostname_identity }}: matrix, docker images,..." @@ -10,25 +10,25 @@ echo -n "If you're sure you want to do this, type: 'Yes, I really want to remove read sure if [ "$sure" != "Yes, I really want to remove everything!" ]; then - echo "Good thing I asked, exiting" - exit 0 + echo "Good thing I asked, exiting" + exit 0 else - echo "Stop and remove matrix services" - for s in $(find /etc/systemd/system/ -name "matrix-*" -printf "%f\n"); do - systemctl stop $s - rm -f /etc/systemd/system/$s - done - systemctl daemon-reload - echo "Remove matrix cronjobs" - find /etc/cron.d/ -name "matrix-*" -delete - echo "Remove matrix scripts" - find /usr/local/bin/ -name "matrix-*" -delete - echo "Remove every docker images" - docker rmi $(docker images -aq) - echo "Remove docker matrix network" - docker network rm matrix - echo "Remove /matrix directory" - rm -fr /matrix - exit 0 + echo "Stop and remove matrix services" + for s in $(find /etc/systemd/system/ -name "matrix-*" -printf "%f\n"); do + systemctl stop $s + rm -f /etc/systemd/system/$s + done + systemctl daemon-reload + echo "Remove matrix cronjobs" + find /etc/cron.d/ -name "matrix-*" -delete + echo "Remove matrix scripts" + find /usr/local/bin/ -name "matrix-*" -delete + echo "Remove every docker images" + docker rmi $(docker images -aq) + echo "Remove docker matrix network" + docker network rm matrix + echo "Remove /matrix directory" + rm -fr /matrix + exit 0 fi diff --git a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 index 967a4355..99172147 100644 --- a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 @@ -22,10 +22,10 @@ server { } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl http2; + listen [::]:443 ssl http2; - server_name {{ matrix_nginx_proxy_proxy_riot_hostname }}; + server_name {{ matrix_nginx_proxy_proxy_riot_hostname }}; server_tokens off; root /dev/null; @@ -39,7 +39,7 @@ server { ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; - location / { + location / { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; @@ -52,5 +52,5 @@ server { proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; - } + } } diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 index 3e5b6ebe..7b8fba37 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 @@ -1,15 +1,14 @@ #!/bin/bash if [ $# -ne 1 ]; then - echo "Usage: "$0" " - exit 1 + echo "Usage: "$0" " + exit 1 fi docker run \ - -it \ - --rm \ - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ - --network {{ matrix_docker_network }} \ - {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ host_specific_hostname_identity }}'" - + -it \ + --rm \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ + --network {{ matrix_docker_network }} \ + {{ matrix_postgres_docker_image_to_use }} \ + psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ host_specific_hostname_identity }}'" diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 05d9a442..9eec9e22 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -1,17 +1,17 @@ { - "default_hs_url": {{ matrix_riot_web_default_hs_url|to_json }}, - "default_is_url": {{ matrix_riot_web_default_is_url|to_json }}, - "disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }}, - "disable_guests": {{ matrix_riot_web_disable_guests|to_json }}, - "brand": "Riot", - "integrations_ui_url": {{ matrix_riot_web_integrations_ui_url|to_json }}, - "integrations_rest_url": {{ matrix_riot_web_integrations_rest_url|to_json }}, - "integrations_widgets_urls": {{ matrix_riot_web_integrations_widgets_urls|to_json }}, - "integrations_jitsi_widget_url": {{ matrix_riot_web_integrations_jitsi_widget_url|to_json }}, - "bug_report_endpoint_url": "https://riot.im/bugreports/submit", - "enableLabs": true, - "roomDirectory": { - "servers": {{ matrix_riot_web_roomdir_servers|to_json }} - }, - "welcomeUserId": {{ matrix_riot_web_welcome_user_id|to_json }} + "default_hs_url": {{ matrix_riot_web_default_hs_url|to_json }}, + "default_is_url": {{ matrix_riot_web_default_is_url|to_json }}, + "disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }}, + "disable_guests": {{ matrix_riot_web_disable_guests|to_json }}, + "brand": "Riot", + "integrations_ui_url": {{ matrix_riot_web_integrations_ui_url|to_json }}, + "integrations_rest_url": {{ matrix_riot_web_integrations_rest_url|to_json }}, + "integrations_widgets_urls": {{ matrix_riot_web_integrations_widgets_urls|to_json }}, + "integrations_jitsi_widget_url": {{ matrix_riot_web_integrations_jitsi_widget_url|to_json }}, + "bug_report_endpoint_url": "https://riot.im/bugreports/submit", + "enableLabs": true, + "roomDirectory": { + "servers": {{ matrix_riot_web_roomdir_servers|to_json }} + }, + "welcomeUserId": {{ matrix_riot_web_welcome_user_id|to_json }} } diff --git a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 index d47addb6..f0846334 100644 --- a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 +++ b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 @@ -1,8 +1,8 @@ #!/bin/bash if [ $# -ne 3 ]; then - echo "Usage: "$0" " - exit 1 + echo "Usage: "$0" " + exit 1 fi user=$1 @@ -10,7 +10,7 @@ password=$2 admin=$3 if [ "$admin" -eq "1" ]; then - docker exec matrix-synapse register_new_matrix_user -u $user -p $password -c /data/homeserver.yaml --admin http://localhost:8008 + docker exec matrix-synapse register_new_matrix_user -u $user -p $password -c /data/homeserver.yaml --admin http://localhost:8008 else - docker exec matrix-synapse register_new_matrix_user -u $user -p $password -c /data/homeserver.yaml --no-admin http://localhost:8008 -fi \ No newline at end of file + docker exec matrix-synapse register_new_matrix_user -u $user -p $password -c /data/homeserver.yaml --no-admin http://localhost:8008 +fi From 56d501679d260e79cb7fa9e0991ec239e5c4d432 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 26 Jan 2019 20:21:18 +0200 Subject: [PATCH 0306/2384] Be explicit about the UID/GID we start Synapse with We do match the defaults anyway (by default that is), but people can customize `matrix_user_uid` and `matrix_user_uid` and it wouldn't be correct then. In any case, it's better to be explicit about such an important thing. --- .../templates/synapse/systemd/matrix-synapse.service.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 850c750f..dba102da 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -23,6 +23,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ --network={{ matrix_docker_network }} \ -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml \ -e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \ + -e UID={{ matrix_user_uid }} \ + -e GID={{ matrix_user_gid }} \ {% if matrix_synapse_federation_enabled %} -p 8448:8448 \ {% endif %} From 299a8c4c7c72244c8b4221927b0a740f5b9a4bb2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 27 Jan 2019 20:25:13 +0200 Subject: [PATCH 0307/2384] Make (most) containers start as non-root This makes all containers (except mautrix-telegram and mautrix-whatsapp), start as a non-root user. We do this, because we don't trust some of the images. In any case, we'd rather not trust ALL images and avoid giving `root` access at all. We can't be sure they would drop privileges or what they might do before they do it. Because Postfix doesn't support running as non-root, it had to be replaced by an Exim mail server. The matrix-nginx-proxy nginx container image is patched up (by replacing its main configuration) so that it can work as non-root. It seems like there's no other good image that we can use and that is up-to-date (https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated). Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/), we patch it up ourselves when starting (replacing the main nginx configuration). Ideally, it would be fixed upstream so we can simplify. --- CHANGELOG.md | 26 ++++ README.md | 4 +- docs/configuring-playbook-email.md | 6 +- group_vars/matrix-servers | 4 +- roles/matrix-mailer/defaults/main.yml | 9 +- roles/matrix-mailer/templates/env-mailer.j2 | 9 +- .../systemd/matrix-mailer.service.j2 | 2 + roles/matrix-nginx-proxy/defaults/main.yml | 3 + .../tasks/setup_nginx_proxy.yml | 18 ++- roles/matrix-nginx-proxy/tasks/ssl/main.yml | 1 + ...tup_ssl_lets_encrypt_obtain_for_domain.yml | 10 +- .../conf.d}/matrix-riot-web.conf.j2 | 10 +- .../conf.d}/matrix-synapse.conf.j2 | 8 +- .../conf.d}/nginx-http.conf.j2 | 0 .../templates/nginx/nginx.conf.j2 | 45 +++++++ .../systemd/matrix-nginx-proxy.service.j2 | 6 +- ...rix-ssl-lets-encrypt-certificates-renew.j2 | 7 +- .../matrix-postgres/tasks/import_postgres.yml | 5 +- .../tasks/upgrade_postgres.yml | 2 + .../matrix-riot-web/tasks/setup_riot_web.yml | 1 + roles/matrix-riot-web/templates/nginx.conf.j2 | 60 +++++++++ .../systemd/matrix-riot-web.service.j2 | 5 +- .../tasks/ext/mautrix-telegram/setup.yml | 126 +++++++++--------- .../synapse/systemd/matrix-synapse.service.j2 | 8 +- 24 files changed, 272 insertions(+), 103 deletions(-) rename roles/matrix-nginx-proxy/templates/{nginx-conf.d => nginx/conf.d}/matrix-riot-web.conf.j2 (85%) rename roles/matrix-nginx-proxy/templates/{nginx-conf.d => nginx/conf.d}/matrix-synapse.conf.j2 (94%) rename roles/matrix-nginx-proxy/templates/{nginx-conf.d => nginx/conf.d}/nginx-http.conf.j2 (100%) create mode 100644 roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 create mode 100644 roles/matrix-riot-web/templates/nginx.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index d96635b6..d3539962 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,29 @@ +# 2019-01-xx + +## Running container processes as non-root + +To improve security, this playbook no longer starts container processes as the `root` user. + +Usually, most containers were dropping privileges anyway, but by the time they do that, we were trusting them with `root` privileges. +Not anymore -- container processes now start as a non-root user (usually `matrix`) from the get-go. + +The only images that we still start as `root` and trust to drop privileges are the optional bridge extensions (disabled by default): + +- [tulir/mautrix-telegram](https://hub.docker.com/r/tulir/mautrix-telegram) +- [tulir/mautrix-whatsapp](https://hub.docker.com/r/tulir/mautrix-whatsapp) + + +## matrix-mailer is now based on Exim, not Postfix + +While we would have preferred to stay with [Postfix](http://www.postfix.org/), we found out that it cannot run as a non-root user. +We've had to replace it with [Exim](https://www.exim.org/) (via the [devture/exim-relay](https://hub.docker.com/r/devture/exim-relay) container image). + +The internal `matrix-mailer` service (running in a container) now listens on port `8025` (used to be `587` before). +The playbook will update your Synapse and mxisd email settings to match (`matrix-mailer:587` -> `matrix-mailer:8025`). + +Using the [devture/exim-relay](https://hub.docker.com/r/devture/exim-relay) container image instead of [panubo/postfix](https://hub.docker.com/r/panubo/postfix/) also gives us a nice disk usage reduction (~200MB -> 8MB). + + # 2019-01-17 ## (BC Break) Making the playbook's roles more independent of one another diff --git a/README.md b/README.md index 2b18df77..b43ba590 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) an [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server -- (optional, default) a [Postfix](http://www.postfix.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) +- (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) - (optional, default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) @@ -98,7 +98,7 @@ This playbook sets up your server using the following Docker images: - [ewoutp/goofys](https://hub.docker.com/r/ewoutp/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) -- [panubo/postfix](https://hub.docker.com/r/panubo/postfix/) - the [Postfix](http://www.postfix.org/) email server (optional) +- [devture/exim-relay](https://hub.docker.com/r/devture/exim-relay/) - the [Exim](https://www.exim.org/) email server (optional) - [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal/) - [Matrix Corporal](https://github.com/devture/matrix-corporal): reconciliator and gateway for a managed Matrix server (optional) diff --git a/docs/configuring-playbook-email.md b/docs/configuring-playbook-email.md index 7fb35eed..59e080f3 100644 --- a/docs/configuring-playbook-email.md +++ b/docs/configuring-playbook-email.md @@ -1,6 +1,6 @@ # Adjusting email-sending settings (optional) -By default, this playbook sets up a [postfix](http://www.postfix.org/) email server through which all Matrix services send emails. +By default, this playbook sets up an [Exim](https://www.exim.org/) email server through which all Matrix services send emails. The email server would attempt to deliver emails directly to their final destination. This may or may not work, depending on your domain configuration (SPF settings, etc.) @@ -28,9 +28,7 @@ matrix_mailer_relay_auth_username: "another.sender@example.com" matrix_mailer_relay_auth_password: "some-password" ``` -Keep in mind that postfix will look up the MX record of your relay host (`matrix_mailer_relay_host_name`) and, if available, will actually use that instead of what you've defined. This behavior is [documented here](http://www.postfix.org/postconf.5.html#relayhost). If you'd like to suppress this and use the relay host value as is, wrap it in square brackets (e.g. `matrix_mailer_relay_host_name: "[mail.example.com]"`). - ## Troubleshooting -If you're having trouble with email not being delivered, it may be useful to inspect the mailer logs: `journalctl -f -u matrix-mailer`. \ No newline at end of file +If you're having trouble with email not being delivered, it may be useful to inspect the mailer logs: `journalctl -f -u matrix-mailer`. diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 3167c612..70d63256 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -125,7 +125,7 @@ matrix_mxisd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal: # By default, we send mail through the `matrix-mailer` service. matrix_mxisd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" -matrix_mxisd_threepid_medium_email_connectors_smtp_port: 587 +matrix_mxisd_threepid_medium_email_connectors_smtp_port: 8025 matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0 matrix_mxisd_systemd_wanted_services_list: | @@ -269,7 +269,7 @@ matrix_synapse_database_database: "{{ matrix_postgres_db_name }}" matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" matrix_synapse_email_smtp_host: "matrix-mailer" -matrix_synapse_email_smtp_port: 587 +matrix_synapse_email_smtp_port: 8025 matrix_synapse_email_smtp_require_transport_security: false matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>" matrix_synapse_email_riot_base_url: "https://{{ hostname_riot }}" diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index a820f087..3b652799 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -2,7 +2,12 @@ matrix_mailer_enabled: true matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer" -matrix_mailer_docker_image: "panubo/postfix:latest" +matrix_mailer_docker_image: "devture/exim-relay:4.91-r1-0" + +# The user/group that the container runs with. +# These match the `exim` user/group within the container image. +matrix_mailer_container_user_uid: 100 +matrix_mailer_container_user_gid: 101 matrix_mailer_sender_address: "matrix@{{ hostname_identity }}" matrix_mailer_relay_use: false @@ -10,4 +15,4 @@ matrix_mailer_relay_host_name: "mail.example.com" matrix_mailer_relay_host_port: 587 matrix_mailer_relay_auth: false matrix_mailer_relay_auth_username: "" -matrix_mailer_relay_auth_password: "" \ No newline at end of file +matrix_mailer_relay_auth_password: "" diff --git a/roles/matrix-mailer/templates/env-mailer.j2 b/roles/matrix-mailer/templates/env-mailer.j2 index 9cacf789..7765b8f9 100644 --- a/roles/matrix-mailer/templates/env-mailer.j2 +++ b/roles/matrix-mailer/templates/env-mailer.j2 @@ -1,8 +1,7 @@ -MAILNAME={{ hostname_matrix }} {% if matrix_mailer_relay_use %} -RELAYHOST={{ matrix_mailer_relay_host_name }}:{{ matrix_mailer_relay_host_port }} +SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port }} {% endif %} {% if matrix_mailer_relay_auth %} -RELAYHOST_AUTH=yes -RELAYHOST_PASSWORDMAP={{ matrix_mailer_relay_host_name }}:{{ matrix_mailer_relay_auth_username }}:{{ matrix_mailer_relay_auth_password }} -{% endif %} \ No newline at end of file +SMTP_USERNAME={{ matrix_mailer_relay_auth_username }} +SMTP_PASSWORD={{ matrix_mailer_relay_auth_password }} +{% endif %} diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index f0adaa7c..e6d79857 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -9,8 +9,10 @@ ExecStartPre=-/usr/bin/docker kill matrix-mailer ExecStartPre=-/usr/bin/docker rm matrix-mailer ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ --log-driver=none \ + --user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_mailer_base_path }}/env-mailer \ + --hostname={{ hostname_matrix }} \ {{ matrix_mailer_docker_image }} ExecStop=-/usr/bin/docker kill matrix-mailer ExecStop=-/usr/bin/docker rm matrix-mailer diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index ccc51ac8..78b2da12 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,8 @@ matrix_nginx_proxy_enabled: true +# We use an official nginx image, which we fix-up to run unprivileged. +# An alternative would be an `nginxinc/nginx-unprivileged` image, but +# those as more frequently out of date. matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 59c3fe15..434cfad8 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -21,23 +21,30 @@ - "{{ matrix_nginx_proxy_data_path }}" - "{{ matrix_nginx_proxy_confd_path }}" +- name: Ensure Matrix nginx-proxy configured (main config override) + template: + src: "{{ role_path }}/templates/nginx/nginx.conf.j2" + dest: "{{ matrix_nginx_proxy_data_path }}/nginx.conf" + mode: 0644 + when: "matrix_nginx_proxy_enabled" + - name: Ensure Matrix nginx-proxy configured (generic) template: - src: "{{ role_path }}/templates/nginx-conf.d/nginx-http.conf.j2" + src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2" dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf" mode: 0644 when: "matrix_nginx_proxy_enabled" - name: Ensure Matrix nginx-proxy configuration for matrix domain exists template: - src: "{{ role_path }}/templates/nginx-conf.d/matrix-synapse.conf.j2" + src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse.conf.j2" dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf" mode: 0644 when: "matrix_nginx_proxy_proxy_matrix_enabled" - name: Ensure Matrix nginx-proxy configuration for riot domain exists template: - src: "{{ role_path }}/templates/nginx-conf.d/matrix-riot-web.conf.j2" + src: "{{ role_path }}/templates/nginx/conf.d/matrix-riot-web.conf.j2" dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf" mode: 0644 when: "matrix_nginx_proxy_proxy_riot_enabled" @@ -104,3 +111,8 @@ state: absent when: "not matrix_nginx_proxy_proxy_riot_enabled" +- name: Ensure Matrix nginx-proxy configuration for main config override deleted + file: + path: "{{ matrix_nginx_proxy_data_path }}/nginx.conf" + state: absent + when: "not matrix_nginx_proxy_enabled" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/main.yml b/roles/matrix-nginx-proxy/tasks/ssl/main.yml index c78b4f35..2681164d 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/main.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/main.yml @@ -15,6 +15,7 @@ mode: 0770 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" + recurse: true with_items: - "{{ matrix_ssl_log_dir_path }}" - "{{ matrix_ssl_config_dir_path }}" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index cf97444f..1882400e 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -19,12 +19,15 @@ /usr/bin/docker run --rm --name=matrix-certbot - --net=host + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + -p 80:8080 -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt {{ matrix_ssl_lets_encrypt_certbot_docker_image }} certonly --non-interactive + --work-dir=/tmp + --http-01-port 8080 {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} --standalone --preferred-challenges http @@ -42,13 +45,16 @@ /usr/bin/docker run --rm --name=matrix-certbot - -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:80 + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 --network={{ matrix_docker_network }} -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt {{ matrix_ssl_lets_encrypt_certbot_docker_image }} certonly --non-interactive + --work-dir=/tmp + --http-01-port 8080 {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} --standalone --preferred-challenges http diff --git a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 similarity index 85% rename from roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 rename to roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 99172147..578a7e0c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -1,5 +1,5 @@ server { - listen 80; + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; server_name {{ matrix_nginx_proxy_proxy_riot_hostname }}; server_tokens off; @@ -8,7 +8,7 @@ server { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-certbot:80"; + set $backend "matrix-certbot:8080"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} @@ -22,8 +22,8 @@ server { } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; server_name {{ matrix_nginx_proxy_proxy_riot_hostname }}; @@ -43,7 +43,7 @@ server { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-riot-web:80"; + set $backend "matrix-riot-web:8080"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} diff --git a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 similarity index 94% rename from roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 rename to roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 1a2d166b..3638e357 100644 --- a/roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -1,5 +1,5 @@ server { - listen 80; + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; server_tokens off; @@ -8,7 +8,7 @@ server { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-certbot:80"; + set $backend "matrix-certbot:8080"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} @@ -22,8 +22,8 @@ server { } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx-conf.d/nginx-http.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 similarity index 100% rename from roles/matrix-nginx-proxy/templates/nginx-conf.d/nginx-http.conf.j2 rename to roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 new file mode 100644 index 00000000..3382d6c6 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -0,0 +1,45 @@ +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# +# The following changes have been done compared to a default nginx configuration file: +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; +} diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 62700157..7bfade3d 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -14,9 +14,11 @@ ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --network={{ matrix_docker_network }} \ - -p 80:80 \ - -p 443:443 \ + -p 80:8080 \ + -p 443:8443 \ + -v {{ matrix_nginx_proxy_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ -v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \ -v {{ matrix_static_files_base_path }}:{{ matrix_static_files_base_path }}:ro \ diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 index 12504d1f..b723da38 100644 --- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 @@ -3,19 +3,22 @@ # For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled) # need to forward requests for `/.well-known/acme-challenge` to the certbot container. # -# This can happen inside the container network by proxying to `http://matrix-certbot:80` +# This can happen inside the container network by proxying to `http://matrix-certbot:8080` # or outside (on the host) by proxying to `http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`. docker run \ --rm \ --name=matrix-certbot \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --network="{{ matrix_docker_network }}" \ - -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:80 \ + -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \ -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \ -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt \ {{ matrix_ssl_lets_encrypt_certbot_docker_image }} \ renew \ --non-interactive \ + --work-dir=/tmp \ + --http-01-port 8080 {% if matrix_ssl_lets_encrypt_staging %} --staging \ {% endif %} diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml index 66b20a64..17590023 100644 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -60,12 +60,13 @@ set_fact: matrix_postgres_import_command: >- /usr/bin/docker run --rm --name matrix-postgres-import + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --network={{ matrix_docker_network }} --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - -v {{ server_path_postgres_dump }}:{{ server_path_postgres_dump }}:ro + -v {{ server_path_postgres_dump }}:/{{ server_path_postgres_dump|basename }}:ro --entrypoint=/bin/sh {{ matrix_postgres_docker_image_latest }} - -c 'cat {{ server_path_postgres_dump }} | + -c 'cat /{{ server_path_postgres_dump|basename }} | {{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }} psql -v ON_ERROR_STOP=1 -h matrix-postgres' diff --git a/roles/matrix-postgres/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml index 3e67dfc5..e1fcf639 100644 --- a/roles/matrix-postgres/tasks/upgrade_postgres.yml +++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml @@ -70,6 +70,7 @@ - name: Perform Postgres database dump command: | /usr/bin/docker run --rm --name matrix-postgres-dump \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ -v {{ postgres_dump_dir }}:/out \ @@ -104,6 +105,7 @@ - name: Perform Postgres database import command: | /usr/bin/docker run --rm --name matrix-postgres-import \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ -v {{ postgres_dump_dir }}:/in:ro \ diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index 1eadf933..c9a84f91 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -27,6 +27,7 @@ group: "{{ matrix_user_username }}" with_items: - {src: "{{ role_path }}/templates/config.json.j2", name: "config.json"} + - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - {src: "{{ matrix_riot_web_homepage_template }}", name: "home.html"} when: matrix_riot_web_enabled diff --git a/roles/matrix-riot-web/templates/nginx.conf.j2 b/roles/matrix-riot-web/templates/nginx.conf.j2 new file mode 100644 index 00000000..a7707cd9 --- /dev/null +++ b/roles/matrix-riot-web/templates/nginx.conf.j2 @@ -0,0 +1,60 @@ +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) +# +# The following changes have been done compared to a default nginx configuration file: +# - default server port is changed (80 -> 8080), so that a non-root user can bind it +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 8080; + server_name localhost; + + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +} diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 6ef2ad17..28228e23 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -11,11 +11,14 @@ ExecStartPre=-/usr/bin/docker kill matrix-riot-web ExecStartPre=-/usr/bin/docker rm matrix-riot-web ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + -v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ + -v /dev/null:/etc/nginx/conf.d/default.conf:ro \ -v {{ matrix_riot_web_data_path }}/config.json:/etc/riot-web/config.json:ro \ -v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \ --network={{ matrix_docker_network }} \ {% if matrix_riot_web_container_expose_port %} - -p 127.0.0.1:8765:80 \ + -p 127.0.0.1:8765:8080 \ {% endif %} {{ matrix_riot_web_docker_image }} ExecStop=-/usr/bin/docker kill matrix-riot-web diff --git a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml index f85abb13..e0ffb77e 100644 --- a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml @@ -41,69 +41,69 @@ shell: /usr/bin/docker run --rm --name matrix-mautrix-telegram-gen -v {{ matrix_mautrix_telegram_base_path }}:/data:z {{ matrix_mautrix_telegram_docker_image }} python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml when: "matrix_mautrix_telegram_enabled and mautrix_telegram_registration_file.stat.exists == False" -- set_fact: - matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml' - -- set_fact: - matrix_synapse_container_additional_volumes: > - {{ matrix_synapse_container_additional_volumes }} - + - {{ [{'src': '{{ matrix_mautrix_telegram_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_telegram }}', 'options': 'ro'}] }} - when: "matrix_mautrix_telegram_enabled" - -- set_fact: - matrix_synapse_app_service_config_files: > - {{ matrix_synapse_app_service_config_files }} - + - {{ ["{{ matrix_synapse_app_service_config_file_mautrix_telegram }}"] | to_nice_json }} - when: "matrix_mautrix_telegram_enabled" - -- block: - - name: Fail if matrix-nginx-proxy role already executed - fail: - msg: > - Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, - so that the matrix-nginx-proxy role would run after the matrix-synapse role. - when: "matrix_nginx_proxy_role_executed" - - - name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy - set_fact: - matrix_mautrix_telegram_matrix_nginx_proxy_configuration: | - location {{ matrix_mautrix_telegram_public_endpoint }} { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-mautrix-telegram:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:8080; - {% endif %} - } - - - name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy - set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks - + - [matrix_mautrix_telegram_matrix_nginx_proxy_configuration] - }} - - when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled|default(False)" - tags: - - always - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - debug: - msg: > - NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}` - URL endpoint to the matrix-mautrix-telegram container. - when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled is not defined" +# - set_fact: +# matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml' + +# - set_fact: +# matrix_synapse_container_additional_volumes: > +# {{ matrix_synapse_container_additional_volumes }} +# + +# {{ [{'src': '{{ matrix_mautrix_telegram_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_telegram }}', 'options': 'ro'}] }} +# when: "matrix_mautrix_telegram_enabled" + +# - set_fact: +# matrix_synapse_app_service_config_files: > +# {{ matrix_synapse_app_service_config_files }} +# + +# {{ ["{{ matrix_synapse_app_service_config_file_mautrix_telegram }}"] | to_nice_json }} +# when: "matrix_mautrix_telegram_enabled" + +# - block: +# - name: Fail if matrix-nginx-proxy role already executed +# fail: +# msg: > +# Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy, +# but it's pointless since the matrix-nginx-proxy role had already executed. +# To fix this, please change the order of roles in your plabook, +# so that the matrix-nginx-proxy role would run after the matrix-synapse role. +# when: "matrix_nginx_proxy_role_executed" + +# - name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy +# set_fact: +# matrix_mautrix_telegram_matrix_nginx_proxy_configuration: | +# location {{ matrix_mautrix_telegram_public_endpoint }} { +# {% if matrix_nginx_proxy_enabled %} +# {# Use the embedded DNS resolver in Docker containers to discover the service #} +# resolver 127.0.0.11 valid=5s; +# set $backend "matrix-mautrix-telegram:8080"; +# proxy_pass http://$backend; +# {% else %} +# {# Generic configuration for use outside of our container setup #} +# proxy_pass http://localhost:8080; +# {% endif %} +# } + +# - name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy +# set_fact: +# matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | +# {{ +# matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks +# + +# [matrix_mautrix_telegram_matrix_nginx_proxy_configuration] +# }} + +# when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled|default(False)" +# tags: +# - always + +# - name: Warn about reverse-proxying if matrix-nginx-proxy not used +# debug: +# msg: > +# NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy +# reverse proxy. +# Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}` +# URL endpoint to the matrix-mautrix-telegram container. +# when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled is not defined" # # Tasks related to getting rid of matrix-mautrix-telegram (if it was previously enabled) diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index dba102da..05023642 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -20,11 +20,10 @@ ExecStartPre=/bin/sleep 5 {% endif %} ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --entrypoint=python \ --network={{ matrix_docker_network }} \ - -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml \ -e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \ - -e UID={{ matrix_user_uid }} \ - -e GID={{ matrix_user_gid }} \ {% if matrix_synapse_federation_enabled %} -p 8448:8448 \ {% endif %} @@ -37,7 +36,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% for volume in matrix_synapse_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} - {{ matrix_synapse_docker_image }} + {{ matrix_synapse_docker_image }} \ + -m synapse.app.homeserver -c /data/homeserver.yaml ExecStop=-/usr/bin/docker kill matrix-synapse ExecStop=-/usr/bin/docker rm matrix-synapse Restart=always From 0ff6735546fe368698ed43d76e7b6118b199df46 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 28 Jan 2019 09:42:04 +0200 Subject: [PATCH 0308/2384] Fall back to dig for SRV lookup, if no dnspython This is a known/intentional regression since f92c4d5a27d7758fc. The new stance on this is that most people would not have dnspython, but may have the `dig` tool. There's no good reason for not increasing our chances of success by trying both methods (Ansible dig lookup and using the `dig` CLI tool). Fixes #85 (Github issue). --- .../matrix-base/tasks/self_check_dns_srv.yml | 63 +++++++++++++++---- 1 file changed, 51 insertions(+), 12 deletions(-) diff --git a/roles/matrix-base/tasks/self_check_dns_srv.yml b/roles/matrix-base/tasks/self_check_dns_srv.yml index 249b10ee..9300fb65 100644 --- a/roles/matrix-base/tasks/self_check_dns_srv.yml +++ b/roles/matrix-base/tasks/self_check_dns_srv.yml @@ -1,26 +1,65 @@ --- -# This requires the dnspython library and will fail with a friendly error when unavailable. -- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} +# This requires the dnspython library which is usually unavailable. +- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} using Ansible dig lookup set_fact: - result_dig_srv: "{{ lookup('dig', (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain + '/SRV'), 'flat=0', wantlist=False) }}" + lookup_dig_srv: "{{ lookup('dig', (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain + '/SRV'), 'flat=0', wantlist=False) }}" + register: result_lookup_dig_srv + ignore_errors: true -- name: Fail if DNS SRV record missing +- name: Fail if DNS SRV check via Ansible dig lookup failed for non-dependency reason fail: - msg: "It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly (the record is missing). See the 'Configuring DNS' documentation for this playbook." - when: "result_dig_srv == 'NXDOMAIN'" + msg: "DNS SRV record check via Ansible dig lookup plugin (which uses the dnspython package) failed. Error is: {{ result_lookup_dig_srv.msg }}" + when: "result_lookup_dig_srv.failed and 'dnspython' not in result_lookup_dig_srv.msg" -- name: Fail if DNS SRV record incorrect +# Fallback to using the dig CLI tool if dnspython was unavailable. +- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} using dig CLI tool + shell: + cmd: "dig -t srv {{ (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain)|quote }}" + register: result_cli_dig_srv + changed_when: false + ignore_errors: true + when: "lookup_dig_srv is not defined" + +- name: Fail if dig CLI used and failed + fail: + msg: >- + Failed performing DNS SRV record check. + You neither have the `dnspython` Python package, nor the `dig` program installed locally. + You need to install one of those, so we could perform a DNS SRV record check. + Full error from trying to run `dig`: {{ result_cli_dig_srv }} + when: "lookup_dig_srv is not defined and result_cli_dig_srv.stderr != ''" + +- name: Fail if DNS SRV record missing (Ansible dig lookup) + fail: + msg: >- + It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly (the record is missing). + See the 'Configuring DNS' documentation for this playbook. + when: "lookup_dig_srv is defined and lookup_dig_srv == 'NXDOMAIN'" + +- name: Fail if DNS SRV record incorrect (Ansible dig lookup) + fail: + msg: >- + It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly. + Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}). + Found it pointing to `{{ lookup_dig_srv.target }}` (port {{ lookup_dig_srv.port }}). + See the 'Configuring DNS' documentation for this playbook. + when: "lookup_dig_srv is defined and (lookup_dig_srv.target != dns_srv_record_check.expected_target or lookup_dig_srv.port != dns_srv_record_check.expected_port)" + +# We expect an answer like this: +# ;; ANSWER SECTION: +# _matrix._tcp.DOMAIN. 10800 IN SRV 10 0 8448 matrix.DOMAIN. +- name: Fail if DNS SRV record missing or incorrect (dig CLI tool) fail: - msg: > + msg: >- It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly. Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}). - Found it pointing to `{{ result_dig_srv.target }}` (port {{ result_dig_srv.port }}). See the 'Configuring DNS' documentation for this playbook. - when: "result_dig_srv.target != dns_srv_record_check.expected_target or result_dig_srv.port != dns_srv_record_check.expected_port" + Full response from the `dig` lookup was: {{ result_cli_dig_srv }} + when: "lookup_dig_srv is not defined and (dns_srv_record_check.expected_port|string + ' ' + dns_srv_record_check.expected_target) not in result_cli_dig_srv.stdout" - name: Report correct DNS SRV record debug: - msg: > + msg: >- The DNS SRV record for `{{ dns_srv_record_check.service_and_protocol }}` on `{{ dns_srv_record_check.domain }}` - points to `{{ result_dig_srv.target }}` (port {{ dns_srv_record_check.expected_port }}), as expected \ No newline at end of file + points to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}), as expected. From 316d653d3e0530d11f7f3a8a6b3f8cf97daaf0f8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 28 Jan 2019 11:22:54 +0200 Subject: [PATCH 0309/2384] Drop capabilities in containers We run containers as a non-root user (no effective capabilities). Still, if a setuid binary is available in a container image, it could potentially be used to give the user the default capabilities that the container was started with. For Docker, the default set currently is: - "CAP_CHOWN" - "CAP_DAC_OVERRIDE" - "CAP_FSETID" - "CAP_FOWNER" - "CAP_MKNOD" - "CAP_NET_RAW" - "CAP_SETGID" - "CAP_SETUID" - "CAP_SETFCAP" - "CAP_SETPCAP" - "CAP_NET_BIND_SERVICE" - "CAP_SYS_CHROOT" - "CAP_KILL" - "CAP_AUDIT_WRITE" We'd rather prevent such a potential escalation by dropping ALL capabilities. The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203 --- .../matrix-corporal/templates/systemd/matrix-corporal.service.j2 | 1 + roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 | 1 + roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 | 1 + roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 | 1 + .../templates/systemd/matrix-nginx-proxy.service.j2 | 1 + .../matrix-postgres/templates/systemd/matrix-postgres.service.j2 | 1 + .../matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 | 1 + .../templates/synapse/systemd/matrix-synapse.service.j2 | 1 + 8 files changed, 8 insertions(+) diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index eb11890d..3d8c083f 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -12,6 +12,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-corporal ExecStart=/usr/bin/docker run --rm --name matrix-corporal \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --network={{ matrix_docker_network }} \ {% if matrix_corporal_container_expose_ports %} -p 127.0.0.1:41080:41080 \ diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 69bd5eb8..cf2c096e 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -12,6 +12,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-coturn ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ -p 3478:3478 \ -p 3478:3478/udp \ -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index e6d79857..d588ac0e 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -10,6 +10,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-mailer ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ --log-driver=none \ --user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \ + --cap-drop=ALL \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_mailer_base_path }}/env-mailer \ --hostname={{ hostname_matrix }} \ diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 index 978a85c1..1835301a 100644 --- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 +++ b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 @@ -15,6 +15,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-mxisd ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --network={{ matrix_docker_network }} \ {% if matrix_mxisd_container_expose_port %} -p 127.0.0.1:8090:8090 \ diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 7bfade3d..810797d7 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -15,6 +15,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --network={{ matrix_docker_network }} \ -p 80:8080 \ -p 443:8443 \ diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 40509e8c..89b5abb8 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -10,6 +10,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-postgres ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_postgres_base_path }}/env-postgres-server \ -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \ diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 28228e23..e7929489 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -12,6 +12,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-riot-web ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ -v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ -v /dev/null:/etc/nginx/conf.d/default.conf:ro \ -v {{ matrix_riot_web_data_path }}/config.json:/etc/riot-web/config.json:ro \ diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 05023642..79b3478c 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -21,6 +21,7 @@ ExecStartPre=/bin/sleep 5 ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --entrypoint=python \ --network={{ matrix_docker_network }} \ -e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \ From 9438402f61560ac7e76e7569f341defd0bcd3159 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 28 Jan 2019 11:43:32 +0200 Subject: [PATCH 0310/2384] Drop capabilities in a few more places Continuation of 316d653d3e0530 --- .../tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml | 2 ++ .../matrix-ssl-lets-encrypt-certificates-renew.j2 | 1 + roles/matrix-postgres/tasks/import_postgres.yml | 1 + roles/matrix-postgres/tasks/import_sqlite_db.yml | 5 +++-- roles/matrix-postgres/tasks/upgrade_postgres.yml | 1 + .../templates/usr-local-bin/matrix-make-user-admin.j2 | 2 ++ .../templates/usr-local-bin/matrix-postgres-cli.j2 | 2 ++ roles/matrix-synapse/tasks/setup_synapse_main.yml | 1 + 8 files changed, 13 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index 1882400e..8adc1e60 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -20,6 +20,7 @@ --rm --name=matrix-certbot --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ -p 80:8080 -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt @@ -46,6 +47,7 @@ --rm --name=matrix-certbot --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 --network={{ matrix_docker_network }} -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 index b723da38..1b36acaf 100644 --- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 @@ -10,6 +10,7 @@ docker run \ --rm \ --name=matrix-certbot \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --network="{{ matrix_docker_network }}" \ -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \ -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \ diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml index 17590023..9f1c15c0 100644 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -61,6 +61,7 @@ matrix_postgres_import_command: >- /usr/bin/docker run --rm --name matrix-postgres-import --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL --network={{ matrix_docker_network }} --env-file={{ matrix_postgres_base_path }}/env-postgres-psql -v {{ server_path_postgres_dump }}:/{{ server_path_postgres_dump|basename }}:ro diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml index b3cf75be..c989dca9 100644 --- a/roles/matrix-postgres/tasks/import_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml @@ -79,11 +79,12 @@ detach: no cleanup: yes entrypoint: /usr/local/bin/python - command: "/usr/local/bin/synapse_port_db --sqlite-database {{ server_path_homeserver_db }} --postgres-config /data/homeserver.yaml" + command: "/usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml" user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" + cap_drop: ['all'] volumes: - "{{ matrix_synapse_config_dir_path }}:/data" - "{{ matrix_synapse_run_path }}:/matrix-run" - - "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db }}:ro" + - "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro" networks: - name: "{{ matrix_docker_network }}" diff --git a/roles/matrix-postgres/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml index e1fcf639..c32634b9 100644 --- a/roles/matrix-postgres/tasks/upgrade_postgres.yml +++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml @@ -106,6 +106,7 @@ command: | /usr/bin/docker run --rm --name matrix-postgres-import \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ -v {{ postgres_dump_dir }}:/in:ro \ diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 index 7b8fba37..5f474453 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 @@ -8,6 +8,8 @@ fi docker run \ -it \ --rm \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --network {{ matrix_docker_network }} \ {{ matrix_postgres_docker_image_to_use }} \ diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 index 07e1f43b..34836629 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -3,6 +3,8 @@ docker run \ -it \ --rm \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --network {{ matrix_docker_network }} \ {{ matrix_postgres_docker_image_to_use }} \ diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index 7d86428c..57a296bc 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -41,6 +41,7 @@ SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}" SYNAPSE_REPORT_STATS: "no" user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" + cap_drop: ['all'] volumes: - "{{ matrix_synapse_config_dir_path }}:/data" when: "not matrix_synapse_config_stat.stat.exists" From 9830a0871d11336157f3a89e6cf8fc25cbf98d7b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 28 Jan 2019 11:47:31 +0200 Subject: [PATCH 0311/2384] Fix self-check for mxisd not being enabled --- roles/matrix-mxisd/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-mxisd/tasks/main.yml b/roles/matrix-mxisd/tasks/main.yml index 43dba179..c0e863d4 100644 --- a/roles/matrix-mxisd/tasks/main.yml +++ b/roles/matrix-mxisd/tasks/main.yml @@ -16,4 +16,6 @@ - import_tasks: "{{ role_path }}/tasks/self_check_mxisd.yml" delegate_to: 127.0.0.1 become: false - when: "run_self_check and matrix_mxisd_enabled" \ No newline at end of file + when: "run_self_check and matrix_mxisd_enabled" + tags: + - self-check From 3e8a4159e6d3f6beebef6be944d2e9c4d51fa0b0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 28 Jan 2019 14:25:03 +0200 Subject: [PATCH 0312/2384] Uncomment unintentionally-commented logic --- .../tasks/ext/mautrix-telegram/setup.yml | 126 +++++++++--------- 1 file changed, 63 insertions(+), 63 deletions(-) diff --git a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml index e0ffb77e..f85abb13 100644 --- a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml @@ -41,69 +41,69 @@ shell: /usr/bin/docker run --rm --name matrix-mautrix-telegram-gen -v {{ matrix_mautrix_telegram_base_path }}:/data:z {{ matrix_mautrix_telegram_docker_image }} python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml when: "matrix_mautrix_telegram_enabled and mautrix_telegram_registration_file.stat.exists == False" -# - set_fact: -# matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml' - -# - set_fact: -# matrix_synapse_container_additional_volumes: > -# {{ matrix_synapse_container_additional_volumes }} -# + -# {{ [{'src': '{{ matrix_mautrix_telegram_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_telegram }}', 'options': 'ro'}] }} -# when: "matrix_mautrix_telegram_enabled" - -# - set_fact: -# matrix_synapse_app_service_config_files: > -# {{ matrix_synapse_app_service_config_files }} -# + -# {{ ["{{ matrix_synapse_app_service_config_file_mautrix_telegram }}"] | to_nice_json }} -# when: "matrix_mautrix_telegram_enabled" - -# - block: -# - name: Fail if matrix-nginx-proxy role already executed -# fail: -# msg: > -# Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy, -# but it's pointless since the matrix-nginx-proxy role had already executed. -# To fix this, please change the order of roles in your plabook, -# so that the matrix-nginx-proxy role would run after the matrix-synapse role. -# when: "matrix_nginx_proxy_role_executed" - -# - name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy -# set_fact: -# matrix_mautrix_telegram_matrix_nginx_proxy_configuration: | -# location {{ matrix_mautrix_telegram_public_endpoint }} { -# {% if matrix_nginx_proxy_enabled %} -# {# Use the embedded DNS resolver in Docker containers to discover the service #} -# resolver 127.0.0.11 valid=5s; -# set $backend "matrix-mautrix-telegram:8080"; -# proxy_pass http://$backend; -# {% else %} -# {# Generic configuration for use outside of our container setup #} -# proxy_pass http://localhost:8080; -# {% endif %} -# } - -# - name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy -# set_fact: -# matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | -# {{ -# matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks -# + -# [matrix_mautrix_telegram_matrix_nginx_proxy_configuration] -# }} - -# when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled|default(False)" -# tags: -# - always - -# - name: Warn about reverse-proxying if matrix-nginx-proxy not used -# debug: -# msg: > -# NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy -# reverse proxy. -# Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}` -# URL endpoint to the matrix-mautrix-telegram container. -# when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled is not defined" +- set_fact: + matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml' + +- set_fact: + matrix_synapse_container_additional_volumes: > + {{ matrix_synapse_container_additional_volumes }} + + + {{ [{'src': '{{ matrix_mautrix_telegram_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_telegram }}', 'options': 'ro'}] }} + when: "matrix_mautrix_telegram_enabled" + +- set_fact: + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files }} + + + {{ ["{{ matrix_synapse_app_service_config_file_mautrix_telegram }}"] | to_nice_json }} + when: "matrix_mautrix_telegram_enabled" + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: > + Trying to append Mautrix Telegram's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-synapse role. + when: "matrix_nginx_proxy_role_executed" + + - name: Generate Mautrix Telegram proxying configuration for matrix-nginx-proxy + set_fact: + matrix_mautrix_telegram_matrix_nginx_proxy_configuration: | + location {{ matrix_mautrix_telegram_public_endpoint }} { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-mautrix-telegram:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://localhost:8080; + {% endif %} + } + + - name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks + + + [matrix_mautrix_telegram_matrix_nginx_proxy_configuration] + }} + + when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled|default(False)" + tags: + - always + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: > + NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}` + URL endpoint to the matrix-mautrix-telegram container. + when: "matrix_mautrix_telegram_enabled and matrix_nginx_proxy_enabled is not defined" # # Tasks related to getting rid of matrix-mautrix-telegram (if it was previously enabled) From 8a3f942d93de6a23b3b1622a042f60fc30783c64 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 28 Jan 2019 15:40:16 +0200 Subject: [PATCH 0313/2384] Make mautrix-telegram run as non-root and w/o capabilities --- .../tasks/ext/mautrix-telegram/setup.yml | 37 +++++++++++++++---- .../ext/mautrix-telegram/config.yaml.j2 | 4 +- .../matrix-mautrix-telegram.service.j2 | 13 ++++++- 3 files changed, 43 insertions(+), 11 deletions(-) diff --git a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml index f85abb13..6bf97e22 100644 --- a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml @@ -14,8 +14,10 @@ group: "{{ matrix_user_username }}" when: "matrix_mautrix_telegram_enabled" -- stat: "path={{ matrix_mautrix_telegram_base_path }}/config.yaml" - register: mautrix_config_file +- name: Check if a mautrix-telegram configuration file exists + stat: + path: "{{ matrix_mautrix_telegram_base_path }}/config.yaml" + register: mautrix_config_file_stat - name: Ensure Matrix Mautrix telegram config installed template: @@ -24,7 +26,18 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" - when: "matrix_mautrix_telegram_enabled and mautrix_config_file.stat.exists == False" + when: "matrix_mautrix_telegram_enabled and not mautrix_config_file_stat.stat.exists" + +- name: (Migration) Fix up old configuration + lineinfile: + path: "{{ matrix_mautrix_telegram_base_path }}/config.yaml" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + backrefs: yes + with_items: + - {'regexp': '^(\s+)filename: \./mautrix-telegram.log', 'line': '\1filename: /data/mautrix-telegram.log'} + - {'regexp': '^(\s+)database:', 'line': '\1database: sqlite:////data/mautrix-telegram.db'} + when: "matrix_mautrix_telegram_enabled and mautrix_config_file_stat.stat.exists" - name: Ensure matrix-mautrix-telegram.service installed template: @@ -33,13 +46,23 @@ mode: 0644 when: "matrix_mautrix_telegram_enabled" -- stat: +- name: Check if a mautrix-telegram registration file exists + stat: path: "{{ matrix_mautrix_telegram_base_path }}/registration.yaml" - register: mautrix_telegram_registration_file + register: mautrix_telegram_registration_file_stat - name: Generate matrix-mautrix-telegram registration.yaml if it doesn't exist - shell: /usr/bin/docker run --rm --name matrix-mautrix-telegram-gen -v {{ matrix_mautrix_telegram_base_path }}:/data:z {{ matrix_mautrix_telegram_docker_image }} python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml - when: "matrix_mautrix_telegram_enabled and mautrix_telegram_registration_file.stat.exists == False" + shell: + cmd: >- + /usr/bin/docker run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --name matrix-mautrix-telegram-gen + -v {{ matrix_mautrix_telegram_base_path }}:/data:z + {{ matrix_mautrix_telegram_docker_image }} + python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml + when: "matrix_mautrix_telegram_enabled and not mautrix_telegram_registration_file_stat.stat.exists" - set_fact: matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml' diff --git a/roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2 b/roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2 index c1858686..7e6174a1 100644 --- a/roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2 +++ b/roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2 @@ -26,7 +26,7 @@ appservice: # Format examples: # SQLite: sqlite:///filename.db # Postgres: postgres://username:password@hostname/dbname - database: sqlite:///mautrix-telegram.db + database: sqlite:////data/mautrix-telegram.db # Public part of web server for out-of-Matrix interaction with the bridge. # Used for things like login if the user wants to make sure the 2FA password isn't stored in @@ -253,7 +253,7 @@ logging: file: class: logging.handlers.RotatingFileHandler formatter: precise - filename: ./mautrix-telegram.log + filename: /data/mautrix-telegram.log maxBytes: 10485760 backupCount: 10 console: diff --git a/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 index 61f7e7f8..7e965804 100644 --- a/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 @@ -9,12 +9,21 @@ After=matrix-synapse.service Type=simple ExecStartPre=-/usr/bin/docker kill matrix-mautrix-telegram ExecStartPre=-/usr/bin/docker rm matrix-mautrix-telegram +ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-telegram-db \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + -v {{ matrix_mautrix_telegram_base_path }}:/data:z \ + {{ matrix_mautrix_telegram_docker_image }} \ + alembic -x config=/data/config.yaml upgrade head ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \ --log-driver=none \ - -e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --network={{ matrix_docker_network }} \ -v {{ matrix_mautrix_telegram_base_path }}:/data:z \ - {{ matrix_mautrix_telegram_docker_image }} + {{ matrix_mautrix_telegram_docker_image }} \ + python3 -m mautrix_telegram -c /data/config.yaml ExecStop=-/usr/bin/docker kill matrix-mautrix-telegram ExecStop=-/usr/bin/docker rm matrix-mautrix-telegram Restart=always From bf1033145614663e490c69790e5830f059cffb3d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 28 Jan 2019 15:55:58 +0200 Subject: [PATCH 0314/2384] Make mautrix-whatsapp run as non-root and w/o capabilities --- .../tasks/ext/mautrix-telegram/setup.yml | 6 ++--- .../tasks/ext/mautrix-whatsapp/setup.yml | 26 ++++++++++++++----- .../matrix-mautrix-whatsapp.service.j2 | 7 +++-- 3 files changed, 27 insertions(+), 12 deletions(-) diff --git a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml index 6bf97e22..189c9356 100644 --- a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml @@ -17,7 +17,7 @@ - name: Check if a mautrix-telegram configuration file exists stat: path: "{{ matrix_mautrix_telegram_base_path }}/config.yaml" - register: mautrix_config_file_stat + register: mautrix_telegram_config_file_stat - name: Ensure Matrix Mautrix telegram config installed template: @@ -26,7 +26,7 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" - when: "matrix_mautrix_telegram_enabled and not mautrix_config_file_stat.stat.exists" + when: "matrix_mautrix_telegram_enabled and not mautrix_telegram_config_file_stat.stat.exists" - name: (Migration) Fix up old configuration lineinfile: @@ -37,7 +37,7 @@ with_items: - {'regexp': '^(\s+)filename: \./mautrix-telegram.log', 'line': '\1filename: /data/mautrix-telegram.log'} - {'regexp': '^(\s+)database:', 'line': '\1database: sqlite:////data/mautrix-telegram.db'} - when: "matrix_mautrix_telegram_enabled and mautrix_config_file_stat.stat.exists" + when: "matrix_mautrix_telegram_enabled and mautrix_telegram_config_file_stat.stat.exists" - name: Ensure matrix-mautrix-telegram.service installed template: diff --git a/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml index ee9b3358..3c22c62c 100644 --- a/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml @@ -14,8 +14,10 @@ group: "{{ matrix_user_username }}" when: "matrix_mautrix_whatsapp_enabled" -- stat: "path={{ matrix_mautrix_whatsapp_base_path }}/config.yaml" - register: mautrix_config_file +- name: Check if a mautrix-whatsapp configuration file exists + stat: + path: "{{ matrix_mautrix_whatsapp_base_path }}/config.yaml" + register: mautrix_whatsapp_config_file_stat - name: Ensure Matrix Mautrix whatsapp config installed template: @@ -24,7 +26,7 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" - when: "matrix_mautrix_whatsapp_enabled and mautrix_config_file.stat.exists == False" + when: "matrix_mautrix_whatsapp_enabled and not mautrix_whatsapp_config_file_stat.stat.exists" - name: Ensure matrix-mautrix-whatsapp.service installed template: @@ -33,13 +35,23 @@ mode: 0644 when: "matrix_mautrix_whatsapp_enabled" -- stat: +- name: Check if a mautrix-whatsapp registration file exists + stat: path: "{{ matrix_mautrix_whatsapp_base_path }}/registration.yaml" - register: mautrix_whatsapp_registration_file + register: mautrix_whatsapp_registration_file_stat - name: Generate matrix-mautrix-whatsapp registration.yaml if it doesn't exist - shell: /usr/bin/docker run --rm --name matrix-mautrix-whatsapp-gen -v {{ matrix_mautrix_whatsapp_base_path }}:/data:z {{ matrix_mautrix_whatsapp_docker_image }} /usr/bin/mautrix-whatsapp -g -c /data/config.yaml -r /data/registration.yaml - when: "matrix_mautrix_whatsapp_enabled and mautrix_whatsapp_registration_file.stat.exists == False" + shell: + cmd: >- + /usr/bin/docker run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --name matrix-mautrix-whatsapp-gen + -v {{ matrix_mautrix_whatsapp_base_path }}:/data:z + {{ matrix_mautrix_whatsapp_docker_image }} + /usr/bin/mautrix-whatsapp -g -c /data/config.yaml -r /data/registration.yaml + when: "matrix_mautrix_whatsapp_enabled and not mautrix_whatsapp_registration_file_stat.stat.exists" - set_fact: matrix_synapse_app_service_config_file_mautrix_whatsapp: '/app-registration/mautrix-whatsapp.yml' diff --git a/roles/matrix-synapse/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-synapse/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2 index e90b7a9e..bb4194aa 100644 --- a/roles/matrix-synapse/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2 +++ b/roles/matrix-synapse/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2 @@ -11,10 +11,13 @@ ExecStartPre=-/usr/bin/docker kill matrix-mautrix-whatsapp ExecStartPre=-/usr/bin/docker rm matrix-mautrix-whatsapp ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-whatsapp \ --log-driver=none \ - -e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --network={{ matrix_docker_network }} \ -v {{ matrix_mautrix_whatsapp_base_path }}:/data:z \ - {{ matrix_mautrix_whatsapp_docker_image }} + --workdir=/data \ + {{ matrix_mautrix_whatsapp_docker_image }} \ + /usr/bin/mautrix-whatsapp ExecStop=-/usr/bin/docker kill matrix-mautrix-whatsapp ExecStop=-/usr/bin/docker rm matrix-mautrix-whatsapp Restart=always From 9c09978ecd3673df7c3984502f0f25bfade70f26 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 28 Jan 2019 15:57:57 +0200 Subject: [PATCH 0315/2384] Update changelog --- CHANGELOG.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d3539962..be257ddd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,13 +4,10 @@ To improve security, this playbook no longer starts container processes as the `root` user. -Usually, most containers were dropping privileges anyway, but by the time they do that, we were trusting them with `root` privileges. +Most containers were dropping privileges anyway, but we were trusting them with `root` privileges until they would do that. Not anymore -- container processes now start as a non-root user (usually `matrix`) from the get-go. -The only images that we still start as `root` and trust to drop privileges are the optional bridge extensions (disabled by default): - -- [tulir/mautrix-telegram](https://hub.docker.com/r/tulir/mautrix-telegram) -- [tulir/mautrix-whatsapp](https://hub.docker.com/r/tulir/mautrix-whatsapp) +For additional security, various [capabilities are also dropped](https://github.com/projectatomic/atomic-site/issues/203) for all containers. ## matrix-mailer is now based on Exim, not Postfix From cbc1cdbbf08c4901c7905947bbc772c369d2ee63 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 29 Jan 2019 17:56:40 +0200 Subject: [PATCH 0316/2384] Do not try to load certificates Seems like we unintentionally removed the mounting of certificates (the `/matrix-config` mount) as part of splitting the playbook into roles in 51312b8250d0c394083. It appears that those certificates weren't necessary for coturn to funciton though, so we might just get rid of the configuration as well. --- roles/matrix-coturn/templates/turnserver.conf.j2 | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index 7aea813c..32329d60 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -1,14 +1,11 @@ use-auth-secret static-auth-secret={{ matrix_coturn_turn_static_auth_secret }} realm=turn.{{ hostname_matrix }} -cert=/matrix-config/{{ hostname_matrix }}.tls.crt -pkey=/matrix-config/{{ hostname_matrix }}.tls.key -dh-file=/matrix-config/{{ hostname_matrix }}.tls.dh -cipher-list="HIGH" min-port={{ matrix_coturn_turn_udp_min_port }} max-port={{ matrix_coturn_turn_udp_max_port }} external-ip={{ matrix_coturn_turn_external_ip_address }} log-file=stdout pidfile=/var/tmp/turnserver.pid userdb=/var/tmp/turnserver.db -no-cli \ No newline at end of file +no-cli +prod From 0be7b25c647eb4a16ef51c93a37b983c5afef184 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 29 Jan 2019 18:52:02 +0200 Subject: [PATCH 0317/2384] Make (most) containers run with a read-only filesystem --- CHANGELOG.md | 13 +++++++++---- group_vars/matrix-servers | 2 +- .../templates/systemd/matrix-corporal.service.j2 | 1 + .../templates/systemd/matrix-coturn.service.j2 | 2 ++ .../templates/systemd/matrix-mailer.service.j2 | 2 ++ .../templates/systemd/matrix-mxisd.service.j2 | 8 +++++++- roles/matrix-nginx-proxy/defaults/main.yml | 7 +++++-- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 2 +- .../templates/systemd/matrix-nginx-proxy.service.j2 | 4 ++++ roles/matrix-postgres/tasks/import_postgres.yml | 2 +- .../templates/systemd/matrix-postgres.service.j2 | 5 ++++- .../templates/systemd/matrix-riot-web.service.j2 | 2 ++ roles/matrix-synapse/defaults/main.yml | 5 ++++- .../synapse/systemd/matrix-synapse.service.j2 | 8 ++++++-- 14 files changed, 49 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index be257ddd..29bded25 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,13 +1,18 @@ -# 2019-01-xx +# 2019-01-29 -## Running container processes as non-root +## Running container processes as non-root, without capabilities and read-only To improve security, this playbook no longer starts container processes as the `root` user. - Most containers were dropping privileges anyway, but we were trusting them with `root` privileges until they would do that. Not anymore -- container processes now start as a non-root user (usually `matrix`) from the get-go. -For additional security, various [capabilities are also dropped](https://github.com/projectatomic/atomic-site/issues/203) for all containers. +For additional security, various capabilities are also dropped (see [why it's important](https://github.com/projectatomic/atomic-site/issues/203)) for all containers. + +Additionally, most containers now use a read-only filesystem (see [why it's important](https://www.projectatomic.io/blog/2015/12/making-docker-images-write-only-in-production/)). +Containers are given write access only to the directories they need to write to. + +A minor breaking change is the `matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size` variable having being renamed to `matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb` (note the `_mb` suffix). The new variable expects a number value (e.g. `25M` -> `25`). +If you weren't customizing this variable, this wouldn't affect you. ## matrix-mailer is now based on Exim, not Postfix diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 70d63256..7d4becce 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -158,7 +158,7 @@ matrix_nginx_proxy_enabled: true matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ 'localhost:41080' if matrix_corporal_enabled else 'localhost:8008' }}" -matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size: "{{ matrix_synapse_max_upload_size_mb }}M" +matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}" diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index 3d8c083f..4035aa65 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -13,6 +13,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --read-only \ --network={{ matrix_docker_network }} \ {% if matrix_corporal_container_expose_ports %} -p 127.0.0.1:41080:41080 \ diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index cf2c096e..980ca984 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -13,6 +13,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --read-only \ + --tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \ -p 3478:3478 \ -p 3478:3478/udp \ -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index d588ac0e..54beb215 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -11,6 +11,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ --log-driver=none \ --user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \ --cap-drop=ALL \ + --read-only \ + --tmpfs=/var/spool/exim:rw,noexec,nosuid,size=100m \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_mailer_base_path }}/env-mailer \ --hostname={{ hostname_matrix }} \ diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 index 1835301a..de0c0681 100644 --- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 +++ b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 @@ -12,17 +12,23 @@ Wants={{ service }} Type=simple ExecStartPre=-/usr/bin/docker kill matrix-mxisd ExecStartPre=-/usr/bin/docker rm matrix-mxisd + +# mxisd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, +# so /tmp needs to be mounted with an exec option. ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,exec,nosuid,size=10m \ --network={{ matrix_docker_network }} \ {% if matrix_mxisd_container_expose_port %} -p 127.0.0.1:8090:8090 \ {% endif %} -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ - -v {{ matrix_mxisd_data_path }}:/var/mxisd \ + -v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \ {{ matrix_mxisd_docker_image }} + ExecStop=-/usr/bin/docker kill matrix-mxisd ExecStop=-/usr/bin/docker rm matrix-mxisd Restart=always diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 78b2da12..94a86adc 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -44,7 +44,10 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "localhost:809 matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "localhost:8008" # This needs to be equal or higher than the maximum upload size accepted by Synapse. -matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size: "25M" +matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25 + +# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. +matrix_nginx_proxy_tmp_directory_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb * 50 }}" # A list of strings containing additional configuration blocks to add to the matrix domain's server configuration. matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] @@ -85,4 +88,4 @@ matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" -matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" \ No newline at end of file +matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 3638e357..016b9414 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -116,7 +116,7 @@ server { proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size }}; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; proxy_max_temp_file_size 0; } diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 810797d7..410d6a01 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -12,10 +12,13 @@ Wants={{ service }} Type=simple ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy + ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \ --network={{ matrix_docker_network }} \ -p 80:8080 \ -p 443:8443 \ @@ -24,6 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ -v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \ -v {{ matrix_static_files_base_path }}:{{ matrix_static_files_base_path }}:ro \ {{ matrix_nginx_proxy_docker_image }} + ExecStop=-/usr/bin/docker kill matrix-nginx-proxy ExecStop=-/usr/bin/docker rm matrix-nginx-proxy ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml index 9f1c15c0..67d7f86c 100644 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -73,7 +73,7 @@ - name: Note about Postgres importing alternative debug: - msg: > + msg: >- Importing Postgres database using the following command: `{{ matrix_postgres_import_command }}`. If this crashes, you can stop Postgres (`systemctl stop matrix-postgres`), delete its existing data (`rm -rf {{ matrix_postgres_data_path }}/*`), start it again (`systemctl start matrix-postgres`) diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 89b5abb8..0d2b9fcf 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -11,9 +11,12 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ + --tmpfs=/run/postgresql:rw,noexec,nosuid,size=100m \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_postgres_base_path }}/env-postgres-server \ - -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \ + -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data:rw \ -v /etc/passwd:/etc/passwd:ro \ {{ matrix_postgres_docker_image_to_use }} ExecStop=-/usr/bin/docker stop matrix-postgres diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index e7929489..5cd69774 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -13,6 +13,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ -v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ -v /dev/null:/etc/nginx/conf.d/default.conf:ro \ -v {{ matrix_riot_web_data_path }}/config.json:/etc/riot-web/config.json:ro \ diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a0c42b03..cc3eed17 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -39,6 +39,9 @@ matrix_synapse_max_upload_size_mb: 10 matrix_synapse_max_log_file_size_mb: 100 matrix_synapse_max_log_files_count: 10 +# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. +matrix_synapse_tmp_directory_size_mb: "{{ matrix_synapse_max_upload_size_mb * 50 }}" + # Log levels # Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels # warning: setting log level to DEBUG will make synapse log sensitive information such @@ -187,4 +190,4 @@ matrix_mautrix_whatsapp_enabled: false matrix_mautrix_whatsapp_docker_image: "tulir/mautrix-whatsapp:latest" -matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" \ No newline at end of file +matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 79b3478c..a369190d 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -18,11 +18,14 @@ ExecStartPre=-/usr/bin/docker rm matrix-synapse # we'd write files to the local filesystem and fusermount will complain. ExecStartPre=/bin/sleep 5 {% endif %} + ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --entrypoint=python \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ --network={{ matrix_docker_network }} \ -e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \ {% if matrix_synapse_federation_enabled %} @@ -31,14 +34,15 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% if matrix_synapse_container_expose_client_server_api_port %} -p 127.0.0.1:8008:8008 \ {% endif %} - -v {{ matrix_synapse_config_dir_path }}:/data \ - -v {{ matrix_synapse_run_path }}:/matrix-run \ + -v {{ matrix_synapse_config_dir_path }}:/data:ro \ + -v {{ matrix_synapse_run_path }}:/matrix-run:rw \ -v {{ matrix_synapse_base_path }}/storage:/matrix-media-store-parent:slave \ {% for volume in matrix_synapse_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} {{ matrix_synapse_docker_image }} \ -m synapse.app.homeserver -c /data/homeserver.yaml + ExecStop=-/usr/bin/docker kill matrix-synapse ExecStop=-/usr/bin/docker rm matrix-synapse Restart=always From 3a4a671dd7a5482f612227919361126ad799e307 Mon Sep 17 00:00:00 2001 From: Plailect Date: Thu, 31 Jan 2019 00:37:23 -0500 Subject: [PATCH 0318/2384] Add support for matrix-appservice-irc --- README.md | 4 + ...figuring-playbook-bridge-appservice-irc.md | 435 +++++++++++++++++ docs/configuring-playbook.md | 2 + roles/matrix-synapse/defaults/main.yml | 441 ++++++++++++++++++ .../tasks/ext/appservice-irc/init.yml | 3 + .../tasks/ext/appservice-irc/setup.yml | 73 +++ roles/matrix-synapse/tasks/ext/init.yml | 2 + roles/matrix-synapse/tasks/ext/setup.yml | 2 + .../systemd/matrix-appservice-irc.service.j2 | 26 ++ 9 files changed, 988 insertions(+) create mode 100644 docs/configuring-playbook-bridge-appservice-irc.md create mode 100644 roles/matrix-synapse/tasks/ext/appservice-irc/init.yml create mode 100644 roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml create mode 100644 roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 diff --git a/README.md b/README.md index b43ba590..dc87648e 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [Whatsapp](https://www.whatsapp.com/) +- (optional) the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) + Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. @@ -110,6 +112,8 @@ This playbook sets up your server using the following Docker images: - [tulir/mautrix-whatsapp](https://hub.docker.com/r/tulir/mautrix-whatsapp/) - the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional) +- [tedomum/matrix-appservice-irc](https://hub.docker.com/r/tedomum/matrix-appservice-irc/) - the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional) + ## Deficiencies diff --git a/docs/configuring-playbook-bridge-appservice-irc.md b/docs/configuring-playbook-bridge-appservice-irc.md new file mode 100644 index 00000000..4063ccd2 --- /dev/null +++ b/docs/configuring-playbook-bridge-appservice-irc.md @@ -0,0 +1,435 @@ +# Setting up Appservice IRC (optional) + +The playbook can install and configure [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) for you. + +See the project's [documentation](https://github.com/TeDomum/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you. + +You'll need to use the following playbook configuration: + +```yaml +matrix_matrix_appservice_irc_enabled: true +matrix_appservice_irc_configuration_extension_yaml: | + # Your custom YAML configuration for Appservice IRC servers goes here. + # This configuration extends the default starting configuration (`matrix_appservice_irc_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_appservice_irc_configuration_yaml`. + # + # Example configuration extension follows: + # + ircService: + databaseUri: "nedb://data" # does not typically need modification + passwordEncryptionKeyPath: "/data/passkey.pem" # does not typically need modification + matrixHandler: + eventCacheSize: 4096 + servers: + # The address of the server to connect to. + irc.example.com: + # A human-readable short name. This is used to label IRC status rooms + # where matrix users control their connections. + # E.g. 'ExampleNet IRC Bridge status'. + # It is also used in the Third Party Lookup API as the instance `desc` + # property, where each server is an instance. + name: "ExampleNet" + + additionalAddresses: [ "irc2.example.com" ] + # + # [DEPRECATED] Use `name`, above, instead. + # A human-readable description string + # description: "Example.com IRC network" + + # An ID for uniquely identifying this server amongst other servers being bridged. + # networkId: "example" + + # URL to an icon used as the network icon whenever this network appear in + # a network list. (Like in the riot room directory, for instance.) + # icon: https://example.com/images/hash.png + + # The port to connect to. Optional. + port: 6697 + # Whether to use SSL or not. Default: false. + ssl: true + # Whether or not IRC server is using a self-signed cert or not providing CA Chain + sslselfsign: false + # Should the connection attempt to identify via SASL (if a server or user password is given) + # If false, this will use PASS instead. If SASL fails, we do not fallback to PASS. + sasl: false + # Whether to allow expired certs when connecting to the IRC server. + # Usually this should be off. Default: false. + allowExpiredCerts: false + # A specific CA to trust instead of the default CAs. Optional. + #ca: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + # + # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional. + # password: 'pa$$w0rd' + # + # Whether or not to send connection/error notices to real Matrix users. Default: true. + sendConnectionMessages: true + + quitDebounce: + # Whether parts due to net-splits are debounced for delayMs, to allow + # time for the netsplit to resolve itself. A netsplit is detected as being + # a QUIT rate higher than quitsPerSecond. Default: false. + enabled: false + # The maximum number of quits per second acceptable above which a netsplit is + # considered ongoing. Default: 5. + quitsPerSecond: 5 + # The time window in which to wait before bridging a QUIT to Matrix that occurred during + # a netsplit. Debouncing is jittered randomly between delayMinMs and delayMaxMs so that the HS + # is not sent many requests to leave rooms all at once if a netsplit occurs and many + # people to not rejoin. + # If the user with the same IRC nick as the one who sent the quit rejoins a channel + # they are considered back online and the quit is not bridged, so long as the rejoin + # occurs before the randomly-jittered timeout is not reached. + # Default: 3600000, = 1h + delayMinMs: 3600000 # 1h + # Default: 7200000, = 2h + delayMaxMs: 7200000 # 2h + + # A map for conversion of IRC user modes to Matrix power levels. This enables bridging + # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has + # been given multiple modes, the one that maps to the highest power level will be used. + modePowerMap: + o: 50 + + botConfig: + # Enable the presence of the bot in IRC channels. The bot serves as the entity + # which maps from IRC -> Matrix. You can disable the bot entirely which + # means IRC -> Matrix chat will be shared by active "M-Nick" connections + # in the room. If there are no users in the room (or if there are users + # but their connections are not on IRC) then nothing will be bridged to + # Matrix. If you're concerned about the bot being treated as a "logger" + # entity, then you may want to disable the bot. If you want IRC->Matrix + # but don't want to have TCP connections to IRC unless a Matrix user speaks + # (because your client connection limit is low), then you may want to keep + # the bot enabled. Default: true. + # NB: If the bot is disabled, you SHOULD have matrix-to-IRC syncing turned + # on, else there will be no users and no bot in a channel (meaning no + # messages to Matrix!) until a Matrix user speaks which makes a client + # join the target IRC channel. + # NBB: The bridge bot IRC client will still join the target IRC network so + # it can service bridge-specific queries from the IRC-side e.g. so + # real IRC clients have a way to change their Matrix display name. + # See https://github.com/matrix-org/matrix-appservice-irc/issues/55 + enabled: true + # The nickname to give the AS bot. + nick: "MatrixBot" + # The password to give to NickServ or IRC Server for this nick. Optional. + # password: "helloworld" + # + # Join channels even if there are no Matrix users on the other side of + # the bridge. Set to false to prevent the bot from joining channels which have no + # real matrix users in them, even if there is a mapping for the channel. + # Default: true + joinChannelsIfNoUsers: true + + # Configuration for PMs / private 1:1 communications between users. + privateMessages: + # Enable the ability for PMs to be sent to/from IRC/Matrix. + # Default: true. + enabled: true + # Prevent Matrix users from sending PMs to the following IRC nicks. + # Optional. Default: []. + # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED + + # Should created Matrix PM rooms be federated? If false, only users on the + # HS attached to this AS will be able to interact with this room. + # Optional. Default: true. + federate: true + + # Configuration for mappings not explicitly listed in the 'mappings' + # section. + dynamicChannels: + # Enable the ability for Matrix users to join *any* channel on this IRC + # network. + # Default: false. + enabled: true + # Should the AS create a room alias for the new Matrix room? The form of + # the alias can be modified via 'aliasTemplate'. Default: true. + createAlias: true + # Should the AS publish the new Matrix room to the public room list so + # anyone can see it? Default: true. + published: true + # What should the join_rule be for the new Matrix room? If 'public', + # anyone can join the room. If 'invite', only users with an invite can + # join the room. Note that if an IRC channel has +k or +i set on it, + # join_rules will be set to 'invite' until these modes are removed. + # Default: "public". + joinRule: public + # This will set the m.room.related_groups state event in newly created rooms + # with the given groupId. This means flares will show up on IRC users in those rooms. + # This should be set to the same thing as namespaces.users.group_id in irc_registration. + # This does not alter existing rooms. + # Leaving this option empty will not set the event. + groupId: +myircnetwork:localhost + # Should created Matrix rooms be federated? If false, only users on the + # HS attached to this AS will be able to interact with this room. + # Default: true. + federate: true + # The room alias template to apply when creating new aliases. This only + # applies if createAlias is 'true'. The following variables are exposed: + # $SERVER => The IRC server address (e.g. "irc.example.com") + # $CHANNEL => The IRC channel (e.g. "#python") + # This MUST have $CHANNEL somewhere in it. + # Default: '#irc_$SERVER_$CHANNEL' + aliasTemplate: "#irc_$CHANNEL" + # A list of user IDs which the AS bot will send invites to in response + # to a !join. Only applies if joinRule is 'invite'. Default: [] + # whitelist: + # - "@foo:example.com" + # - "@bar:example.com" + # + # Prevent the given list of channels from being mapped under any + # circumstances. + # exclude: ["#foo", "#bar"] + + # Configuration for controlling how Matrix and IRC membership lists are + # synced. + membershipLists: + # Enable the syncing of membership lists between IRC and Matrix. This + # can have a significant effect on performance on startup as the lists are + # synced. This must be enabled for anything else in this section to take + # effect. Default: false. + enabled: false + + # Syncing membership lists at startup can result in hundreds of members to + # process all at once. This timer drip feeds membership entries at the + # specified rate. Default: 10000. (10s) + floodDelayMs: 10000 + + global: + ircToMatrix: + # Get a snapshot of all real IRC users on a channel (via NAMES) and + # join their virtual matrix clients to the room. + initial: false + # Make virtual matrix clients join and leave rooms as their real IRC + # counterparts join/part channels. Default: false. + incremental: false + + matrixToIrc: + # Get a snapshot of all real Matrix users in the room and join all of + # them to the mapped IRC channel on startup. Default: false. + initial: false + # Make virtual IRC clients join and leave channels as their real Matrix + # counterparts join/leave rooms. Make sure your 'maxClients' value is + # high enough! Default: false. + incremental: false + + # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect. + rooms: + - room: "!fuasirouddJoxtwfge:localhost" + matrixToIrc: + initial: false + incremental: false + + # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect. + channels: + - channel: "#foo" + ircToMatrix: + initial: false + incremental: false + + mappings: + # 1:many mappings from IRC channels to room IDs on this IRC server. + # The matrix room must already exist. Your matrix client should expose + # the room ID in a "settings" page for the room. + "#thepub": ["!kieouiJuedJoxtVdaG:localhost"] + + # Configuration for virtual matrix users. The following variables are + # exposed: + # $NICK => The IRC nick + # $SERVER => The IRC server address (e.g. "irc.example.com") + matrixClients: + # The user ID template to use when creating virtual matrix users. This + # MUST have $NICK somewhere in it. + # Optional. Default: "@$SERVER_$NICK". + # Example: "@irc.example.com_Alice:example.com" + userTemplate: "@irc_$NICK" + # The display name to use for created matrix clients. This should have + # $NICK somewhere in it if it is specified. Can also use $SERVER to + # insert the IRC domain. + # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)" + displayName: "$NICK (IRC)" + # Number of tries a client can attempt to join a room before the request + # is discarded. You can also use -1 to never retry or 0 to never give up. + # Optional. Default: -1 + joinAttempts: -1 + + # Configuration for virtual IRC users. The following variables are exposed: + # $LOCALPART => The user ID localpart ("alice" in @alice:localhost) + # $USERID => The user ID + # $DISPLAY => The display name of this user, with excluded characters + # (e.g. space) removed. If the user has no display name, this + # falls back to $LOCALPART. + ircClients: + # The template to apply to every IRC client nick. This MUST have either + # $DISPLAY or $USERID or $LOCALPART somewhere in it. + # Optional. Default: "M-$DISPLAY". Example: "M-Alice". + nickTemplate: "$DISPLAY[m]" + # True to allow virtual IRC clients to change their nick on this server + # by issuing !nick commands to the IRC AS bot. + # This is completely freeform: it will NOT follow the nickTemplate. + allowNickChanges: true + # The max number of IRC clients that will connect. If the limit is + # reached, the client that spoke the longest time ago will be + # disconnected and replaced. + # Optional. Default: 30. + maxClients: 30 + # IPv6 configuration. + ipv6: + # Optional. Set to true to force IPv6 for outgoing connections. + only: false + # Optional. The IPv6 prefix to use for generating unique addresses for each + # connected user. If not specified, all users will connect from the same + # (default) address. This may require additional OS-specific work to allow + # for the node process to bind to multiple different source addresses + # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library + # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt. + # prefix: "2001:0db8:85a3::" # modify appropriately + # + # The maximum amount of time in seconds that the client can exist + # without sending another message before being disconnected. Use 0 to + # not apply an idle timeout. This value is ignored if this IRC server is + # mirroring matrix membership lists to IRC. Default: 172800 (48 hours) + idleTimeout: 10800 + # The number of millseconds to wait between consecutive reconnections if a + # client gets disconnected. Setting to 0 will cause the scheduling to be + # disabled, i.e. it will be scheduled immediately (with jitter. + # Otherwise, the scheduling interval will be used such that one client + # reconnect for this server will be handled every reconnectIntervalMs ms using + # a FIFO queue. + # Default: 5000 (5 seconds) + reconnectIntervalMs: 5000 + # The number of concurrent reconnects if a user has been disconnected unexpectedly + # (e.g. a netsplit). You should set this to a reasonably high number so that + # bridges are not waiting an eternity to reconnect all its clients if + # we see a massive number of disconnect. This is unrelated to the reconnectIntervalMs + # setting above which is for connecting on restart of the bridge. Set to 0 to + # immediately try to reconnect all users. + # Default: 50 + concurrentReconnectLimit: 50 + # The number of lines to allow being sent by the IRC client that has received + # a large block of text to send from matrix. If the number of lines that would + # be sent is > lineLimit, the text will instead be uploaded to matrix and the + # resulting URI is treated as a file. As such, a link will be sent to the IRC + # side instead of potentially spamming IRC and getting the IRC client kicked. + # Default: 3. + lineLimit: 3 + # A list of user modes to set on every IRC client. For example, "RiG" would set + # +R, +i and +G on every IRC connection when they have successfully connected. + # User modes vary wildly depending on the IRC network you're connecting to, + # so check before setting this value. Some modes may not work as intended + # through the bridge e.g. caller ID as there is no way to /ACCEPT. + # Default: "" (no user modes) + # userModes: "R" + + # Configuration for an ident server. If you are running a public bridge it is + # advised you setup an ident server so IRC mods can ban specific matrix users + # rather than the application service itself. + ident: + # True to listen for Ident requests and respond with the + # matrix user's user_id (converted to ASCII, respecting RFC 1413). + # Default: false. + enabled: false + # The port to listen on for incoming ident requests. + # Ports below 1024 require root to listen on, and you may not want this to + # run as root. Instead, you can get something like an Apache to yank up + # incoming requests to 113 to a high numbered port. Set the port to listen + # on instead of 113 here. + # Default: 113. + port: 1113 + # The address to listen on for incoming ident requests. + # Default: 0.0.0.0 + address: "::" + + # Configuration for logging. Optional. Default: console debug level logging + # only. + logging: + # Level to log on console/logfile. One of error|warn|info|debug + level: "debug" + # The file location to log to. This is relative to the project directory. + logfile: "debug.log" + # The file location to log errors to. This is relative to the project + # directory. + errfile: "errors.log" + # Whether to log to the console or not. + toConsole: true + # The max number of files to keep. Files will be overwritten eventually due + # to rotations. + maxFiles: 5 + + # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: + # $ npm install prom-client@6.3.0 + # Metrics will then be available via GET /metrics on the bridge listening port (-p). + metrics: + # Whether to actually enable the metric endpoint. Default: false + enabled: true + # When collecting remote user active times, which "buckets" should be used. Defaults are given below. + # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). + remoteUserAgeBuckets: + - "1h" + - "1d" + - "1w" + + # The nedb database URI to connect to. This is the name of the directory to + # dump .db files to. This is relative to the project directory. + # Required. + databaseUri: "nedb://data" + + # Configuration options for the debug HTTP API. To access this API, you must + # append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests. + # + # The debug API exposes the following endpoints: + # + # GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID. + # + # POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection. + # Format: new line delimited commands as per IRC protocol. + # + debugApi: + # True to enable the HTTP API endpoint. Default: false. + enabled: false + # The port to host the HTTP API. + port: 11100 + + # Configuration for the provisioning API. + # + # GET /_matrix/provision/link + # GET /_matrix/provision/unlink + # GET /_matrix/provision/listlinks + # + provisioning: + # True to enable the provisioning HTTP endpoint. Default: false. + enabled: false + # The number of seconds to wait before giving up on getting a response from + # an IRC channel operator. If the channel operator does not respond within the + # allotted time period, the provisioning request will fail. + # Default: 300 seconds (5 mins) + requestTimeoutSeconds: 300 + + # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot + # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in + # the database. + # + # To generate a .pem file: + # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 + # + # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords + # for storage in the database. Passwords are stored by using the admin room command + # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of + # the Matrix user, this password will be sent as the server password (PASS command). + passwordEncryptionKeyPath: "passkey.pem" + + # Config for Matrix -> IRC bridging + matrixHandler: + # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies). + eventCacheSize: 4096 +``` + +You then need to start a chat with `@irc_bot:{{ hostname_identity }}` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 0c99a788..30d1b05f 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -50,3 +50,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Telegram bridging](configuring-playbook-bridge-mautrix-telegram.md) (optional) - [Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md) (optional) + +- [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index cc3eed17..7b089f6a 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -191,3 +191,444 @@ matrix_mautrix_whatsapp_enabled: false matrix_mautrix_whatsapp_docker_image: "tulir/mautrix-whatsapp:latest" matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" + +# Matrix Appservice IRC is a Matrix <-> IRC bridge +# Enable IRC bridge +matrix_appservice_irc_enabled: false + +matrix_appservice_irc_docker_image: "tedomum/matrix-appservice-irc:latest" + +matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" + +matrix_appservice_irc_configuration_yaml: | + homeserver: + url: "https://{{ hostname_matrix }}" + domain: "{{ hostname_identity }}" + enablePresence: true + +matrix_appservice_irc_configuration_extension_yaml: | + # Your custom YAML configuration for Appservice IRC servers goes here. + # This configuration extends the default starting configuration (`matrix_appservice_irc_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_appservice_irc_configuration_yaml`. + # + # Example configuration extension follows: + # + # ircService: + # databaseUri: "nedb://data" # does not typically need modification + # passwordEncryptionKeyPath: "/data/passkey.pem" # does not typically need modification + # matrixHandler: + # eventCacheSize: 4096 + # servers: + # # The address of the server to connect to. + # irc.example.com: + # # A human-readable short name. This is used to label IRC status rooms + # # where matrix users control their connections. + # # E.g. 'ExampleNet IRC Bridge status'. + # # It is also used in the Third Party Lookup API as the instance `desc` + # # property, where each server is an instance. + # name: "ExampleNet" + # + # additionalAddresses: [ "irc2.example.com" ] + # # + # # [DEPRECATED] Use `name`, above, instead. + # # A human-readable description string + # # description: "Example.com IRC network" + # + # # An ID for uniquely identifying this server amongst other servers being bridged. + # # networkId: "example" + # + # # URL to an icon used as the network icon whenever this network appear in + # # a network list. (Like in the riot room directory, for instance.) + # # icon: https://example.com/images/hash.png + # + # # The port to connect to. Optional. + # port: 6697 + # # Whether to use SSL or not. Default: false. + # ssl: true + # # Whether or not IRC server is using a self-signed cert or not providing CA Chain + # sslselfsign: false + # # Should the connection attempt to identify via SASL (if a server or user password is given) + # # If false, this will use PASS instead. If SASL fails, we do not fallback to PASS. + # sasl: false + # # Whether to allow expired certs when connecting to the IRC server. + # # Usually this should be off. Default: false. + # allowExpiredCerts: false + # # A specific CA to trust instead of the default CAs. Optional. + # #ca: | + # # -----BEGIN CERTIFICATE----- + # # ... + # # -----END CERTIFICATE----- + # + # # + # # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional. + # # password: 'pa$$w0rd' + # # + # # Whether or not to send connection/error notices to real Matrix users. Default: true. + # sendConnectionMessages: true + # + # quitDebounce: + # # Whether parts due to net-splits are debounced for delayMs, to allow + # # time for the netsplit to resolve itself. A netsplit is detected as being + # # a QUIT rate higher than quitsPerSecond. Default: false. + # enabled: false + # # The maximum number of quits per second acceptable above which a netsplit is + # # considered ongoing. Default: 5. + # quitsPerSecond: 5 + # # The time window in which to wait before bridging a QUIT to Matrix that occurred during + # # a netsplit. Debouncing is jittered randomly between delayMinMs and delayMaxMs so that the HS + # # is not sent many requests to leave rooms all at once if a netsplit occurs and many + # # people to not rejoin. + # # If the user with the same IRC nick as the one who sent the quit rejoins a channel + # # they are considered back online and the quit is not bridged, so long as the rejoin + # # occurs before the randomly-jittered timeout is not reached. + # # Default: 3600000, = 1h + # delayMinMs: 3600000 # 1h + # # Default: 7200000, = 2h + # delayMaxMs: 7200000 # 2h + # + # # A map for conversion of IRC user modes to Matrix power levels. This enables bridging + # # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has + # # been given multiple modes, the one that maps to the highest power level will be used. + # modePowerMap: + # o: 50 + # + # botConfig: + # # Enable the presence of the bot in IRC channels. The bot serves as the entity + # # which maps from IRC -> Matrix. You can disable the bot entirely which + # # means IRC -> Matrix chat will be shared by active "M-Nick" connections + # # in the room. If there are no users in the room (or if there are users + # # but their connections are not on IRC) then nothing will be bridged to + # # Matrix. If you're concerned about the bot being treated as a "logger" + # # entity, then you may want to disable the bot. If you want IRC->Matrix + # # but don't want to have TCP connections to IRC unless a Matrix user speaks + # # (because your client connection limit is low), then you may want to keep + # # the bot enabled. Default: true. + # # NB: If the bot is disabled, you SHOULD have matrix-to-IRC syncing turned + # # on, else there will be no users and no bot in a channel (meaning no + # # messages to Matrix!) until a Matrix user speaks which makes a client + # # join the target IRC channel. + # # NBB: The bridge bot IRC client will still join the target IRC network so + # # it can service bridge-specific queries from the IRC-side e.g. so + # # real IRC clients have a way to change their Matrix display name. + # # See https://github.com/matrix-org/matrix-appservice-irc/issues/55 + # enabled: true + # # The nickname to give the AS bot. + # nick: "MatrixBot" + # # The password to give to NickServ or IRC Server for this nick. Optional. + # # password: "helloworld" + # # + # # Join channels even if there are no Matrix users on the other side of + # # the bridge. Set to false to prevent the bot from joining channels which have no + # # real matrix users in them, even if there is a mapping for the channel. + # # Default: true + # joinChannelsIfNoUsers: true + # + # # Configuration for PMs / private 1:1 communications between users. + # privateMessages: + # # Enable the ability for PMs to be sent to/from IRC/Matrix. + # # Default: true. + # enabled: true + # # Prevent Matrix users from sending PMs to the following IRC nicks. + # # Optional. Default: []. + # # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED + # + # # Should created Matrix PM rooms be federated? If false, only users on the + # # HS attached to this AS will be able to interact with this room. + # # Optional. Default: true. + # federate: true + # + # # Configuration for mappings not explicitly listed in the 'mappings' + # # section. + # dynamicChannels: + # # Enable the ability for Matrix users to join *any* channel on this IRC + # # network. + # # Default: false. + # enabled: true + # # Should the AS create a room alias for the new Matrix room? The form of + # # the alias can be modified via 'aliasTemplate'. Default: true. + # createAlias: true + # # Should the AS publish the new Matrix room to the public room list so + # # anyone can see it? Default: true. + # published: true + # # What should the join_rule be for the new Matrix room? If 'public', + # # anyone can join the room. If 'invite', only users with an invite can + # # join the room. Note that if an IRC channel has +k or +i set on it, + # # join_rules will be set to 'invite' until these modes are removed. + # # Default: "public". + # joinRule: public + # # This will set the m.room.related_groups state event in newly created rooms + # # with the given groupId. This means flares will show up on IRC users in those rooms. + # # This should be set to the same thing as namespaces.users.group_id in irc_registration. + # # This does not alter existing rooms. + # # Leaving this option empty will not set the event. + # groupId: +myircnetwork:localhost + # # Should created Matrix rooms be federated? If false, only users on the + # # HS attached to this AS will be able to interact with this room. + # # Default: true. + # federate: true + # # The room alias template to apply when creating new aliases. This only + # # applies if createAlias is 'true'. The following variables are exposed: + # # $SERVER => The IRC server address (e.g. "irc.example.com") + # # $CHANNEL => The IRC channel (e.g. "#python") + # # This MUST have $CHANNEL somewhere in it. + # # Default: '#irc_$SERVER_$CHANNEL' + # aliasTemplate: "#irc_$CHANNEL" + # # A list of user IDs which the AS bot will send invites to in response + # # to a !join. Only applies if joinRule is 'invite'. Default: [] + # # whitelist: + # # - "@foo:example.com" + # # - "@bar:example.com" + # # + # # Prevent the given list of channels from being mapped under any + # # circumstances. + # # exclude: ["#foo", "#bar"] + # + # # Configuration for controlling how Matrix and IRC membership lists are + # # synced. + # membershipLists: + # # Enable the syncing of membership lists between IRC and Matrix. This + # # can have a significant effect on performance on startup as the lists are + # # synced. This must be enabled for anything else in this section to take + # # effect. Default: false. + # enabled: false + # + # # Syncing membership lists at startup can result in hundreds of members to + # # process all at once. This timer drip feeds membership entries at the + # # specified rate. Default: 10000. (10s) + # floodDelayMs: 10000 + # + # global: + # ircToMatrix: + # # Get a snapshot of all real IRC users on a channel (via NAMES) and + # # join their virtual matrix clients to the room. + # initial: false + # # Make virtual matrix clients join and leave rooms as their real IRC + # # counterparts join/part channels. Default: false. + # incremental: false + # + # matrixToIrc: + # # Get a snapshot of all real Matrix users in the room and join all of + # # them to the mapped IRC channel on startup. Default: false. + # initial: false + # # Make virtual IRC clients join and leave channels as their real Matrix + # # counterparts join/leave rooms. Make sure your 'maxClients' value is + # # high enough! Default: false. + # incremental: false + # + # # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect. + # rooms: + # - room: "!fuasirouddJoxtwfge:localhost" + # matrixToIrc: + # initial: false + # incremental: false + # + # # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect. + # channels: + # - channel: "#foo" + # ircToMatrix: + # initial: false + # incremental: false + # + # mappings: + # # 1:many mappings from IRC channels to room IDs on this IRC server. + # # The matrix room must already exist. Your matrix client should expose + # # the room ID in a "settings" page for the room. + # "#thepub": ["!kieouiJuedJoxtVdaG:localhost"] + # + # # Configuration for virtual matrix users. The following variables are + # # exposed: + # # $NICK => The IRC nick + # # $SERVER => The IRC server address (e.g. "irc.example.com") + # matrixClients: + # # The user ID template to use when creating virtual matrix users. This + # # MUST have $NICK somewhere in it. + # # Optional. Default: "@$SERVER_$NICK". + # # Example: "@irc.example.com_Alice:example.com" + # userTemplate: "@irc_$NICK" + # # The display name to use for created matrix clients. This should have + # # $NICK somewhere in it if it is specified. Can also use $SERVER to + # # insert the IRC domain. + # # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)" + # displayName: "$NICK (IRC)" + # # Number of tries a client can attempt to join a room before the request + # # is discarded. You can also use -1 to never retry or 0 to never give up. + # # Optional. Default: -1 + # joinAttempts: -1 + # + # # Configuration for virtual IRC users. The following variables are exposed: + # # $LOCALPART => The user ID localpart ("alice" in @alice:localhost) + # # $USERID => The user ID + # # $DISPLAY => The display name of this user, with excluded characters + # # (e.g. space) removed. If the user has no display name, this + # # falls back to $LOCALPART. + # ircClients: + # # The template to apply to every IRC client nick. This MUST have either + # # $DISPLAY or $USERID or $LOCALPART somewhere in it. + # # Optional. Default: "M-$DISPLAY". Example: "M-Alice". + # nickTemplate: "$DISPLAY[m]" + # # True to allow virtual IRC clients to change their nick on this server + # # by issuing !nick commands to the IRC AS bot. + # # This is completely freeform: it will NOT follow the nickTemplate. + # allowNickChanges: true + # # The max number of IRC clients that will connect. If the limit is + # # reached, the client that spoke the longest time ago will be + # # disconnected and replaced. + # # Optional. Default: 30. + # maxClients: 30 + # # IPv6 configuration. + # ipv6: + # # Optional. Set to true to force IPv6 for outgoing connections. + # only: false + # # Optional. The IPv6 prefix to use for generating unique addresses for each + # # connected user. If not specified, all users will connect from the same + # # (default) address. This may require additional OS-specific work to allow + # # for the node process to bind to multiple different source addresses + # # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library + # # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt. + # # prefix: "2001:0db8:85a3::" # modify appropriately + # # + # # The maximum amount of time in seconds that the client can exist + # # without sending another message before being disconnected. Use 0 to + # # not apply an idle timeout. This value is ignored if this IRC server is + # # mirroring matrix membership lists to IRC. Default: 172800 (48 hours) + # idleTimeout: 10800 + # # The number of millseconds to wait between consecutive reconnections if a + # # client gets disconnected. Setting to 0 will cause the scheduling to be + # # disabled, i.e. it will be scheduled immediately (with jitter. + # # Otherwise, the scheduling interval will be used such that one client + # # reconnect for this server will be handled every reconnectIntervalMs ms using + # # a FIFO queue. + # # Default: 5000 (5 seconds) + # reconnectIntervalMs: 5000 + # # The number of concurrent reconnects if a user has been disconnected unexpectedly + # # (e.g. a netsplit). You should set this to a reasonably high number so that + # # bridges are not waiting an eternity to reconnect all its clients if + # # we see a massive number of disconnect. This is unrelated to the reconnectIntervalMs + # # setting above which is for connecting on restart of the bridge. Set to 0 to + # # immediately try to reconnect all users. + # # Default: 50 + # concurrentReconnectLimit: 50 + # # The number of lines to allow being sent by the IRC client that has received + # # a large block of text to send from matrix. If the number of lines that would + # # be sent is > lineLimit, the text will instead be uploaded to matrix and the + # # resulting URI is treated as a file. As such, a link will be sent to the IRC + # # side instead of potentially spamming IRC and getting the IRC client kicked. + # # Default: 3. + # lineLimit: 3 + # # A list of user modes to set on every IRC client. For example, "RiG" would set + # # +R, +i and +G on every IRC connection when they have successfully connected. + # # User modes vary wildly depending on the IRC network you're connecting to, + # # so check before setting this value. Some modes may not work as intended + # # through the bridge e.g. caller ID as there is no way to /ACCEPT. + # # Default: "" (no user modes) + # # userModes: "R" + # + # # Configuration for an ident server. If you are running a public bridge it is + # # advised you setup an ident server so IRC mods can ban specific matrix users + # # rather than the application service itself. + # ident: + # # True to listen for Ident requests and respond with the + # # matrix user's user_id (converted to ASCII, respecting RFC 1413). + # # Default: false. + # enabled: false + # # The port to listen on for incoming ident requests. + # # Ports below 1024 require root to listen on, and you may not want this to + # # run as root. Instead, you can get something like an Apache to yank up + # # incoming requests to 113 to a high numbered port. Set the port to listen + # # on instead of 113 here. + # # Default: 113. + # port: 1113 + # # The address to listen on for incoming ident requests. + # # Default: 0.0.0.0 + # address: "::" + # + # # Configuration for logging. Optional. Default: console debug level logging + # # only. + # logging: + # # Level to log on console/logfile. One of error|warn|info|debug + # level: "debug" + # # The file location to log to. This is relative to the project directory. + # logfile: "debug.log" + # # The file location to log errors to. This is relative to the project + # # directory. + # errfile: "errors.log" + # # Whether to log to the console or not. + # toConsole: true + # # The max number of files to keep. Files will be overwritten eventually due + # # to rotations. + # maxFiles: 5 + # + # # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: + # # $ npm install prom-client@6.3.0 + # # Metrics will then be available via GET /metrics on the bridge listening port (-p). + # metrics: + # # Whether to actually enable the metric endpoint. Default: false + # enabled: true + # # When collecting remote user active times, which "buckets" should be used. Defaults are given below. + # # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). + # remoteUserAgeBuckets: + # - "1h" + # - "1d" + # - "1w" + # + # # The nedb database URI to connect to. This is the name of the directory to + # # dump .db files to. This is relative to the project directory. + # # Required. + # databaseUri: "nedb://data" + # + # # Configuration options for the debug HTTP API. To access this API, you must + # # append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests. + # # + # # The debug API exposes the following endpoints: + # # + # # GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID. + # # + # # POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection. + # # Format: new line delimited commands as per IRC protocol. + # # + # debugApi: + # # True to enable the HTTP API endpoint. Default: false. + # enabled: false + # # The port to host the HTTP API. + # port: 11100 + # + # # Configuration for the provisioning API. + # # + # # GET /_matrix/provision/link + # # GET /_matrix/provision/unlink + # # GET /_matrix/provision/listlinks + # # + # provisioning: + # # True to enable the provisioning HTTP endpoint. Default: false. + # enabled: false + # # The number of seconds to wait before giving up on getting a response from + # # an IRC channel operator. If the channel operator does not respond within the + # # allotted time period, the provisioning request will fail. + # # Default: 300 seconds (5 mins) + # requestTimeoutSeconds: 300 + # + # # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot + # # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in + # # the database. + # # + # # To generate a .pem file: + # # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 + # # + # # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords + # # for storage in the database. Passwords are stored by using the admin room command + # # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of + # # the Matrix user, this password will be sent as the server password (PASS command). + # passwordEncryptionKeyPath: "passkey.pem" + # + # # Config for Matrix -> IRC bridging + # matrixHandler: + # # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies). + # eventCacheSize: 4096 + +matrix_appservice_irc_configuration_extension: "{{ matrix_appservice_irc_configuration_extension_yaml|from_yaml if matrix_appservice_irc_configuration_extension_yaml|from_yaml else {} }}" + +matrix_appservice_irc_configuration: "{{ matrix_appservice_irc_configuration_yaml|from_yaml|combine(matrix_appservice_irc_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-synapse/tasks/ext/appservice-irc/init.yml b/roles/matrix-synapse/tasks/ext/appservice-irc/init.yml new file mode 100644 index 00000000..e4dd1d98 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/appservice-irc/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-irc'] }}" + when: matrix_appservice_irc_enabled diff --git a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml new file mode 100644 index 00000000..79d800a0 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml @@ -0,0 +1,73 @@ +--- +- name: Ensure Appservice IRC image is pulled + docker_image: + name: "{{ matrix_appservice_irc_docker_image }}" + when: "matrix_appservice_irc_enabled" + +- name: Ensure Appservice IRC configuration path exists + file: + path: "{{ matrix_appservice_irc_base_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "matrix_appservice_irc_enabled" + +- name: Ensure Matrix Appservice IRC config installed + copy: + content: "{{ matrix_appservice_irc_configuration|to_nice_yaml }}" + dest: "{{ matrix_appservice_irc_base_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "matrix_appservice_irc_enabled" + +- stat: + path: "{{ matrix_appservice_irc_base_path }}/passkey.pem" + register: irc_passkey_file + +- name: Generate matrix-appservice-irc passkey if it doesn't exist + shell: /usr/bin/openssl genpkey -out {{ matrix_appservice_irc_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 + when: "matrix_appservice_irc_enabled and irc_passkey_file.stat.exists == False" + +- name: Ensure matrix-appservice-irc.service installed + template: + src: "{{ role_path }}/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2" + dest: "/etc/systemd/system/matrix-appservice-irc.service" + mode: 0644 + when: "matrix_appservice_irc_enabled" + +- stat: + path: "{{ matrix_appservice_irc_base_path }}/registration.yaml" + register: appservice_irc_registration_file + +- name: Generate matrix-appservice-irc registration.yaml if it doesn't exist + shell: /usr/bin/docker run --rm --name matrix-appservice-irc-gen -v {{ matrix_appservice_irc_base_path }}:/data:z {{ matrix_appservice_irc_docker_image }} node app.js -r -f /data/registration.yaml -u "http://matrix-appservice-irc:9999" -c /data/config.yaml -l irc_bot + when: "matrix_appservice_irc_enabled and appservice_irc_registration_file.stat.exists == False" + +- set_fact: + matrix_synapse_app_service_config_file_appservice_irc: '/app-registration/appservice-irc.yml' + +- set_fact: + matrix_synapse_container_additional_volumes: > + {{ matrix_synapse_container_additional_volumes }} + + + {{ [{'src': '{{ matrix_appservice_irc_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_appservice_irc }}', 'options': 'ro'}] }} + when: "matrix_appservice_irc_enabled" + +- set_fact: + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files }} + + + {{ ["{{ matrix_synapse_app_service_config_file_appservice_irc }}"] | to_nice_json }} + when: "matrix_appservice_irc_enabled" + +# +# Tasks related to getting rid of matrix-appservice-irc (if it was previously enabled) +# + +- name: Ensure matrix-appservice-irc.service doesn't exist + file: + path: "/etc/systemd/system/matrix-appservice-irc.service" + state: absent + when: "not matrix_appservice_irc_enabled" diff --git a/roles/matrix-synapse/tasks/ext/init.yml b/roles/matrix-synapse/tasks/ext/init.yml index a33c2738..6023116f 100644 --- a/roles/matrix-synapse/tasks/ext/init.yml +++ b/roles/matrix-synapse/tasks/ext/init.yml @@ -3,3 +3,5 @@ - import_tasks: "{{ role_path }}/tasks/ext/mautrix-telegram/init.yml" - import_tasks: "{{ role_path }}/tasks/ext/mautrix-whatsapp/init.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/appservice-irc/init.yml" diff --git a/roles/matrix-synapse/tasks/ext/setup.yml b/roles/matrix-synapse/tasks/ext/setup.yml index c7936c71..609269e7 100644 --- a/roles/matrix-synapse/tasks/ext/setup.yml +++ b/roles/matrix-synapse/tasks/ext/setup.yml @@ -9,3 +9,5 @@ - import_tasks: "{{ role_path }}/tasks/ext/mautrix-telegram/setup.yml" - import_tasks: "{{ role_path }}/tasks/ext/mautrix-whatsapp/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/appservice-irc/setup.yml" diff --git a/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 new file mode 100644 index 00000000..194a791d --- /dev/null +++ b/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 @@ -0,0 +1,26 @@ +[Unit] +Description=Matrix Appservice IRC server +After=docker.service +Requires=docker.service +Requires=matrix-synapse.service +After=matrix-synapse.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-appservice-irc +ExecStartPre=-/usr/bin/docker rm matrix-appservice-irc +ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \ + --log-driver=none \ + -e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \ + --network={{ matrix_docker_network }} \ + -p 127.0.0.1:9999:9999 \ + -v {{ matrix_appservice_irc_base_path }}:/data:z \ + {{ matrix_appservice_irc_docker_image }} \ + -c /data/config.yaml -f /data/registration.yaml -p 9999 +ExecStop=-/usr/bin/docker kill matrix-appservice-irc +ExecStop=-/usr/bin/docker rm matrix-appservice-irc +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target From c2b1cf7f938a63c9e29b15b76477c4f7a914c103 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 31 Jan 2019 09:43:09 +0200 Subject: [PATCH 0319/2384] Fix SSL renewal script Regression since 299a8c4c7c72244 --- .../usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 index 1b36acaf..7c99ca33 100644 --- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 @@ -19,7 +19,7 @@ docker run \ renew \ --non-interactive \ --work-dir=/tmp \ - --http-01-port 8080 + --http-01-port 8080 \ {% if matrix_ssl_lets_encrypt_staging %} --staging \ {% endif %} From 1c057bf06d6ace80ec053747f9411574c253e457 Mon Sep 17 00:00:00 2001 From: Plailect Date: Thu, 31 Jan 2019 10:58:45 -0500 Subject: [PATCH 0320/2384] Correct variable name in documentation --- docs/configuring-playbook-bridge-appservice-irc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-appservice-irc.md b/docs/configuring-playbook-bridge-appservice-irc.md index 4063ccd2..8e9d6f84 100644 --- a/docs/configuring-playbook-bridge-appservice-irc.md +++ b/docs/configuring-playbook-bridge-appservice-irc.md @@ -7,7 +7,7 @@ See the project's [documentation](https://github.com/TeDomum/matrix-appservice-i You'll need to use the following playbook configuration: ```yaml -matrix_matrix_appservice_irc_enabled: true +matrix_appservice_irc_enabled: true matrix_appservice_irc_configuration_extension_yaml: | # Your custom YAML configuration for Appservice IRC servers goes here. # This configuration extends the default starting configuration (`matrix_appservice_irc_configuration_yaml`). From 0a2a8e118c5d0740534dfa27f28f3500ccb41f0e Mon Sep 17 00:00:00 2001 From: Plailect Date: Thu, 31 Jan 2019 11:05:27 -0500 Subject: [PATCH 0321/2384] Update example configuration and documentation --- ...figuring-playbook-bridge-appservice-irc.md | 365 +----------------- roles/matrix-synapse/defaults/main.yml | 18 - 2 files changed, 3 insertions(+), 380 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-irc.md b/docs/configuring-playbook-bridge-appservice-irc.md index 8e9d6f84..5f70384d 100644 --- a/docs/configuring-playbook-bridge-appservice-irc.md +++ b/docs/configuring-playbook-bridge-appservice-irc.md @@ -16,8 +16,10 @@ matrix_appservice_irc_configuration_extension_yaml: | # # If you need something more special, you can take full control by # completely redefining `matrix_appservice_irc_configuration_yaml`. + # + # For a full example configuration with comments, see `roles/matrix-synapse/defaults/main.yml` # - # Example configuration extension follows: + # A simple example configuration extension follows: # ircService: databaseUri: "nedb://data" # does not typically need modification @@ -25,411 +27,50 @@ matrix_appservice_irc_configuration_extension_yaml: | matrixHandler: eventCacheSize: 4096 servers: - # The address of the server to connect to. irc.example.com: - # A human-readable short name. This is used to label IRC status rooms - # where matrix users control their connections. - # E.g. 'ExampleNet IRC Bridge status'. - # It is also used in the Third Party Lookup API as the instance `desc` - # property, where each server is an instance. name: "ExampleNet" - - additionalAddresses: [ "irc2.example.com" ] - # - # [DEPRECATED] Use `name`, above, instead. - # A human-readable description string - # description: "Example.com IRC network" - - # An ID for uniquely identifying this server amongst other servers being bridged. - # networkId: "example" - - # URL to an icon used as the network icon whenever this network appear in - # a network list. (Like in the riot room directory, for instance.) - # icon: https://example.com/images/hash.png - - # The port to connect to. Optional. port: 6697 - # Whether to use SSL or not. Default: false. ssl: true - # Whether or not IRC server is using a self-signed cert or not providing CA Chain - sslselfsign: false - # Should the connection attempt to identify via SASL (if a server or user password is given) - # If false, this will use PASS instead. If SASL fails, we do not fallback to PASS. sasl: false - # Whether to allow expired certs when connecting to the IRC server. - # Usually this should be off. Default: false. allowExpiredCerts: false - # A specific CA to trust instead of the default CAs. Optional. - #ca: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - - # - # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional. - # password: 'pa$$w0rd' - # - # Whether or not to send connection/error notices to real Matrix users. Default: true. sendConnectionMessages: true - - quitDebounce: - # Whether parts due to net-splits are debounced for delayMs, to allow - # time for the netsplit to resolve itself. A netsplit is detected as being - # a QUIT rate higher than quitsPerSecond. Default: false. - enabled: false - # The maximum number of quits per second acceptable above which a netsplit is - # considered ongoing. Default: 5. - quitsPerSecond: 5 - # The time window in which to wait before bridging a QUIT to Matrix that occurred during - # a netsplit. Debouncing is jittered randomly between delayMinMs and delayMaxMs so that the HS - # is not sent many requests to leave rooms all at once if a netsplit occurs and many - # people to not rejoin. - # If the user with the same IRC nick as the one who sent the quit rejoins a channel - # they are considered back online and the quit is not bridged, so long as the rejoin - # occurs before the randomly-jittered timeout is not reached. - # Default: 3600000, = 1h - delayMinMs: 3600000 # 1h - # Default: 7200000, = 2h - delayMaxMs: 7200000 # 2h - - # A map for conversion of IRC user modes to Matrix power levels. This enables bridging - # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has - # been given multiple modes, the one that maps to the highest power level will be used. - modePowerMap: - o: 50 - botConfig: - # Enable the presence of the bot in IRC channels. The bot serves as the entity - # which maps from IRC -> Matrix. You can disable the bot entirely which - # means IRC -> Matrix chat will be shared by active "M-Nick" connections - # in the room. If there are no users in the room (or if there are users - # but their connections are not on IRC) then nothing will be bridged to - # Matrix. If you're concerned about the bot being treated as a "logger" - # entity, then you may want to disable the bot. If you want IRC->Matrix - # but don't want to have TCP connections to IRC unless a Matrix user speaks - # (because your client connection limit is low), then you may want to keep - # the bot enabled. Default: true. - # NB: If the bot is disabled, you SHOULD have matrix-to-IRC syncing turned - # on, else there will be no users and no bot in a channel (meaning no - # messages to Matrix!) until a Matrix user speaks which makes a client - # join the target IRC channel. - # NBB: The bridge bot IRC client will still join the target IRC network so - # it can service bridge-specific queries from the IRC-side e.g. so - # real IRC clients have a way to change their Matrix display name. - # See https://github.com/matrix-org/matrix-appservice-irc/issues/55 enabled: true - # The nickname to give the AS bot. nick: "MatrixBot" - # The password to give to NickServ or IRC Server for this nick. Optional. - # password: "helloworld" - # - # Join channels even if there are no Matrix users on the other side of - # the bridge. Set to false to prevent the bot from joining channels which have no - # real matrix users in them, even if there is a mapping for the channel. - # Default: true joinChannelsIfNoUsers: true - - # Configuration for PMs / private 1:1 communications between users. privateMessages: - # Enable the ability for PMs to be sent to/from IRC/Matrix. - # Default: true. enabled: true - # Prevent Matrix users from sending PMs to the following IRC nicks. - # Optional. Default: []. - # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED - - # Should created Matrix PM rooms be federated? If false, only users on the - # HS attached to this AS will be able to interact with this room. - # Optional. Default: true. federate: true - - # Configuration for mappings not explicitly listed in the 'mappings' - # section. dynamicChannels: - # Enable the ability for Matrix users to join *any* channel on this IRC - # network. - # Default: false. enabled: true - # Should the AS create a room alias for the new Matrix room? The form of - # the alias can be modified via 'aliasTemplate'. Default: true. createAlias: true - # Should the AS publish the new Matrix room to the public room list so - # anyone can see it? Default: true. published: true - # What should the join_rule be for the new Matrix room? If 'public', - # anyone can join the room. If 'invite', only users with an invite can - # join the room. Note that if an IRC channel has +k or +i set on it, - # join_rules will be set to 'invite' until these modes are removed. - # Default: "public". joinRule: public - # This will set the m.room.related_groups state event in newly created rooms - # with the given groupId. This means flares will show up on IRC users in those rooms. - # This should be set to the same thing as namespaces.users.group_id in irc_registration. - # This does not alter existing rooms. - # Leaving this option empty will not set the event. groupId: +myircnetwork:localhost - # Should created Matrix rooms be federated? If false, only users on the - # HS attached to this AS will be able to interact with this room. - # Default: true. federate: true - # The room alias template to apply when creating new aliases. This only - # applies if createAlias is 'true'. The following variables are exposed: - # $SERVER => The IRC server address (e.g. "irc.example.com") - # $CHANNEL => The IRC channel (e.g. "#python") - # This MUST have $CHANNEL somewhere in it. - # Default: '#irc_$SERVER_$CHANNEL' aliasTemplate: "#irc_$CHANNEL" - # A list of user IDs which the AS bot will send invites to in response - # to a !join. Only applies if joinRule is 'invite'. Default: [] - # whitelist: - # - "@foo:example.com" - # - "@bar:example.com" - # - # Prevent the given list of channels from being mapped under any - # circumstances. - # exclude: ["#foo", "#bar"] - - # Configuration for controlling how Matrix and IRC membership lists are - # synced. membershipLists: - # Enable the syncing of membership lists between IRC and Matrix. This - # can have a significant effect on performance on startup as the lists are - # synced. This must be enabled for anything else in this section to take - # effect. Default: false. enabled: false - - # Syncing membership lists at startup can result in hundreds of members to - # process all at once. This timer drip feeds membership entries at the - # specified rate. Default: 10000. (10s) floodDelayMs: 10000 - global: ircToMatrix: - # Get a snapshot of all real IRC users on a channel (via NAMES) and - # join their virtual matrix clients to the room. initial: false - # Make virtual matrix clients join and leave rooms as their real IRC - # counterparts join/part channels. Default: false. incremental: false - matrixToIrc: - # Get a snapshot of all real Matrix users in the room and join all of - # them to the mapped IRC channel on startup. Default: false. initial: false - # Make virtual IRC clients join and leave channels as their real Matrix - # counterparts join/leave rooms. Make sure your 'maxClients' value is - # high enough! Default: false. incremental: false - - # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect. - rooms: - - room: "!fuasirouddJoxtwfge:localhost" - matrixToIrc: - initial: false - incremental: false - - # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect. - channels: - - channel: "#foo" - ircToMatrix: - initial: false - incremental: false - - mappings: - # 1:many mappings from IRC channels to room IDs on this IRC server. - # The matrix room must already exist. Your matrix client should expose - # the room ID in a "settings" page for the room. - "#thepub": ["!kieouiJuedJoxtVdaG:localhost"] - - # Configuration for virtual matrix users. The following variables are - # exposed: - # $NICK => The IRC nick - # $SERVER => The IRC server address (e.g. "irc.example.com") matrixClients: - # The user ID template to use when creating virtual matrix users. This - # MUST have $NICK somewhere in it. - # Optional. Default: "@$SERVER_$NICK". - # Example: "@irc.example.com_Alice:example.com" userTemplate: "@irc_$NICK" - # The display name to use for created matrix clients. This should have - # $NICK somewhere in it if it is specified. Can also use $SERVER to - # insert the IRC domain. - # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)" displayName: "$NICK (IRC)" - # Number of tries a client can attempt to join a room before the request - # is discarded. You can also use -1 to never retry or 0 to never give up. - # Optional. Default: -1 joinAttempts: -1 - - # Configuration for virtual IRC users. The following variables are exposed: - # $LOCALPART => The user ID localpart ("alice" in @alice:localhost) - # $USERID => The user ID - # $DISPLAY => The display name of this user, with excluded characters - # (e.g. space) removed. If the user has no display name, this - # falls back to $LOCALPART. ircClients: - # The template to apply to every IRC client nick. This MUST have either - # $DISPLAY or $USERID or $LOCALPART somewhere in it. - # Optional. Default: "M-$DISPLAY". Example: "M-Alice". nickTemplate: "$DISPLAY[m]" - # True to allow virtual IRC clients to change their nick on this server - # by issuing !nick commands to the IRC AS bot. - # This is completely freeform: it will NOT follow the nickTemplate. allowNickChanges: true - # The max number of IRC clients that will connect. If the limit is - # reached, the client that spoke the longest time ago will be - # disconnected and replaced. - # Optional. Default: 30. maxClients: 30 - # IPv6 configuration. - ipv6: - # Optional. Set to true to force IPv6 for outgoing connections. - only: false - # Optional. The IPv6 prefix to use for generating unique addresses for each - # connected user. If not specified, all users will connect from the same - # (default) address. This may require additional OS-specific work to allow - # for the node process to bind to multiple different source addresses - # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library - # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt. - # prefix: "2001:0db8:85a3::" # modify appropriately - # - # The maximum amount of time in seconds that the client can exist - # without sending another message before being disconnected. Use 0 to - # not apply an idle timeout. This value is ignored if this IRC server is - # mirroring matrix membership lists to IRC. Default: 172800 (48 hours) idleTimeout: 10800 - # The number of millseconds to wait between consecutive reconnections if a - # client gets disconnected. Setting to 0 will cause the scheduling to be - # disabled, i.e. it will be scheduled immediately (with jitter. - # Otherwise, the scheduling interval will be used such that one client - # reconnect for this server will be handled every reconnectIntervalMs ms using - # a FIFO queue. - # Default: 5000 (5 seconds) reconnectIntervalMs: 5000 - # The number of concurrent reconnects if a user has been disconnected unexpectedly - # (e.g. a netsplit). You should set this to a reasonably high number so that - # bridges are not waiting an eternity to reconnect all its clients if - # we see a massive number of disconnect. This is unrelated to the reconnectIntervalMs - # setting above which is for connecting on restart of the bridge. Set to 0 to - # immediately try to reconnect all users. - # Default: 50 concurrentReconnectLimit: 50 - # The number of lines to allow being sent by the IRC client that has received - # a large block of text to send from matrix. If the number of lines that would - # be sent is > lineLimit, the text will instead be uploaded to matrix and the - # resulting URI is treated as a file. As such, a link will be sent to the IRC - # side instead of potentially spamming IRC and getting the IRC client kicked. - # Default: 3. lineLimit: 3 - # A list of user modes to set on every IRC client. For example, "RiG" would set - # +R, +i and +G on every IRC connection when they have successfully connected. - # User modes vary wildly depending on the IRC network you're connecting to, - # so check before setting this value. Some modes may not work as intended - # through the bridge e.g. caller ID as there is no way to /ACCEPT. - # Default: "" (no user modes) - # userModes: "R" - - # Configuration for an ident server. If you are running a public bridge it is - # advised you setup an ident server so IRC mods can ban specific matrix users - # rather than the application service itself. - ident: - # True to listen for Ident requests and respond with the - # matrix user's user_id (converted to ASCII, respecting RFC 1413). - # Default: false. - enabled: false - # The port to listen on for incoming ident requests. - # Ports below 1024 require root to listen on, and you may not want this to - # run as root. Instead, you can get something like an Apache to yank up - # incoming requests to 113 to a high numbered port. Set the port to listen - # on instead of 113 here. - # Default: 113. - port: 1113 - # The address to listen on for incoming ident requests. - # Default: 0.0.0.0 - address: "::" - - # Configuration for logging. Optional. Default: console debug level logging - # only. - logging: - # Level to log on console/logfile. One of error|warn|info|debug - level: "debug" - # The file location to log to. This is relative to the project directory. - logfile: "debug.log" - # The file location to log errors to. This is relative to the project - # directory. - errfile: "errors.log" - # Whether to log to the console or not. - toConsole: true - # The max number of files to keep. Files will be overwritten eventually due - # to rotations. - maxFiles: 5 - - # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: - # $ npm install prom-client@6.3.0 - # Metrics will then be available via GET /metrics on the bridge listening port (-p). - metrics: - # Whether to actually enable the metric endpoint. Default: false - enabled: true - # When collecting remote user active times, which "buckets" should be used. Defaults are given below. - # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). - remoteUserAgeBuckets: - - "1h" - - "1d" - - "1w" - - # The nedb database URI to connect to. This is the name of the directory to - # dump .db files to. This is relative to the project directory. - # Required. - databaseUri: "nedb://data" - - # Configuration options for the debug HTTP API. To access this API, you must - # append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests. - # - # The debug API exposes the following endpoints: - # - # GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID. - # - # POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection. - # Format: new line delimited commands as per IRC protocol. - # - debugApi: - # True to enable the HTTP API endpoint. Default: false. - enabled: false - # The port to host the HTTP API. - port: 11100 - - # Configuration for the provisioning API. - # - # GET /_matrix/provision/link - # GET /_matrix/provision/unlink - # GET /_matrix/provision/listlinks - # - provisioning: - # True to enable the provisioning HTTP endpoint. Default: false. - enabled: false - # The number of seconds to wait before giving up on getting a response from - # an IRC channel operator. If the channel operator does not respond within the - # allotted time period, the provisioning request will fail. - # Default: 300 seconds (5 mins) - requestTimeoutSeconds: 300 - - # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot - # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in - # the database. - # - # To generate a .pem file: - # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 - # - # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords - # for storage in the database. Passwords are stored by using the admin room command - # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of - # the Matrix user, this password will be sent as the server password (PASS command). - passwordEncryptionKeyPath: "passkey.pem" - - # Config for Matrix -> IRC bridging - matrixHandler: - # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies). - eventCacheSize: 4096 ``` You then need to start a chat with `@irc_bot:{{ hostname_identity }}` diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 7b089f6a..33e19162 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -575,11 +575,6 @@ matrix_appservice_irc_configuration_extension_yaml: | # - "1d" # - "1w" # - # # The nedb database URI to connect to. This is the name of the directory to - # # dump .db files to. This is relative to the project directory. - # # Required. - # databaseUri: "nedb://data" - # # # Configuration options for the debug HTTP API. To access this API, you must # # append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests. # # @@ -615,19 +610,6 @@ matrix_appservice_irc_configuration_extension_yaml: | # # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in # # the database. # # - # # To generate a .pem file: - # # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 - # # - # # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords - # # for storage in the database. Passwords are stored by using the admin room command - # # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of - # # the Matrix user, this password will be sent as the server password (PASS command). - # passwordEncryptionKeyPath: "passkey.pem" - # - # # Config for Matrix -> IRC bridging - # matrixHandler: - # # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies). - # eventCacheSize: 4096 matrix_appservice_irc_configuration_extension: "{{ matrix_appservice_irc_configuration_extension_yaml|from_yaml if matrix_appservice_irc_configuration_extension_yaml|from_yaml else {} }}" From 5e1d96c727c7aa92e38c05eb23d9f1c1e5ca271a Mon Sep 17 00:00:00 2001 From: Plailect Date: Thu, 31 Jan 2019 11:20:45 -0500 Subject: [PATCH 0322/2384] Add `matrix_appservice_irc_container_expose_client_server_api_port` --- group_vars/matrix-servers | 10 ++++++++++ roles/matrix-synapse/defaults/main.yml | 3 +++ .../systemd/matrix-appservice-irc.service.j2 | 2 ++ 3 files changed, 15 insertions(+) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 7d4becce..30e55131 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -9,6 +9,16 @@ # You can also override ANY variable (seen here or in any given role), # by re-defining it in your own configuration file (`inventory/host_vars/matrix.`). +###################################################################### +# +# matrix-appservice-irc +# +###################################################################### + +# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# matrix-appservice-irc's client-server port to the local host (`127.0.0.1:9999`). +matrix_appservice_irc_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" ###################################################################### # diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 33e19162..5b8b6fc8 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -10,6 +10,9 @@ matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" # Controls whether the Synapse container exposes the Client/Server API port (tcp/8008). matrix_synapse_container_expose_client_server_api_port: false +# Controls whether the Appservice IRC container exposes the Client/Server API port (tcp/9999). +matrix_appservice_irc_container_expose_client_server_api_port: false + # List of systemd services that matrix-synapse.service depends on matrix_synapse_systemd_required_services_list: ['docker.service'] diff --git a/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 index 194a791d..2353796b 100644 --- a/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 @@ -13,7 +13,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \ --log-driver=none \ -e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \ --network={{ matrix_docker_network }} \ + {% if matrix_appservice_irc_container_expose_client_server_api_port %} -p 127.0.0.1:9999:9999 \ + {% endif %} -v {{ matrix_appservice_irc_base_path }}:/data:z \ {{ matrix_appservice_irc_docker_image }} \ -c /data/config.yaml -f /data/registration.yaml -p 9999 From 0dac5ea508a0ab0f65eb95c8db64e9ecb6332ed5 Mon Sep 17 00:00:00 2001 From: Plailect Date: Thu, 31 Jan 2019 11:38:54 -0500 Subject: [PATCH 0323/2384] Use native OpenSSL module to generate `passkey.pem` --- docs/configuring-playbook-bridge-appservice-irc.md | 2 ++ .../matrix-synapse/tasks/ext/appservice-irc/setup.yml | 11 +++++------ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-irc.md b/docs/configuring-playbook-bridge-appservice-irc.md index 5f70384d..71d2f69a 100644 --- a/docs/configuring-playbook-bridge-appservice-irc.md +++ b/docs/configuring-playbook-bridge-appservice-irc.md @@ -4,6 +4,8 @@ The playbook can install and configure [matrix-appservice-irc](https://github.co See the project's [documentation](https://github.com/TeDomum/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you. +The Appservice IRC bridge configuration using Ansible will require that you have `python-pyOpenSSL` installed on your local machine. + You'll need to use the following playbook configuration: ```yaml diff --git a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml index 79d800a0..c241853a 100644 --- a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml +++ b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml @@ -22,13 +22,12 @@ group: "{{ matrix_user_username }}" when: "matrix_appservice_irc_enabled" -- stat: - path: "{{ matrix_appservice_irc_base_path }}/passkey.pem" - register: irc_passkey_file - - name: Generate matrix-appservice-irc passkey if it doesn't exist - shell: /usr/bin/openssl genpkey -out {{ matrix_appservice_irc_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 - when: "matrix_appservice_irc_enabled and irc_passkey_file.stat.exists == False" + openssl_privatekey: + path: "{{ matrix_appservice_irc_base_path }}/passkey.pem" + size: 2048 + force: false + when: "matrix_appservice_irc_enabled" - name: Ensure matrix-appservice-irc.service installed template: From a9fae8e3b1d419e8f96d69063d6bc5502d20057c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 31 Jan 2019 20:45:14 +0200 Subject: [PATCH 0324/2384] Revert "Use native OpenSSL module to generate `passkey.pem`" This reverts commit 0dac5ea508a0ab0f65eb95c8db64e9ecb6332ed5. Relying on pyOpenSSL is the Ansible way of doing things, but is impractical and annoying for users. `openssl` is easily available on most servers, even by default. We'd better use that. --- docs/configuring-playbook-bridge-appservice-irc.md | 2 -- .../matrix-synapse/tasks/ext/appservice-irc/setup.yml | 11 ++++++----- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-irc.md b/docs/configuring-playbook-bridge-appservice-irc.md index 71d2f69a..5f70384d 100644 --- a/docs/configuring-playbook-bridge-appservice-irc.md +++ b/docs/configuring-playbook-bridge-appservice-irc.md @@ -4,8 +4,6 @@ The playbook can install and configure [matrix-appservice-irc](https://github.co See the project's [documentation](https://github.com/TeDomum/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you. -The Appservice IRC bridge configuration using Ansible will require that you have `python-pyOpenSSL` installed on your local machine. - You'll need to use the following playbook configuration: ```yaml diff --git a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml index c241853a..79d800a0 100644 --- a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml +++ b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml @@ -22,12 +22,13 @@ group: "{{ matrix_user_username }}" when: "matrix_appservice_irc_enabled" -- name: Generate matrix-appservice-irc passkey if it doesn't exist - openssl_privatekey: +- stat: path: "{{ matrix_appservice_irc_base_path }}/passkey.pem" - size: 2048 - force: false - when: "matrix_appservice_irc_enabled" + register: irc_passkey_file + +- name: Generate matrix-appservice-irc passkey if it doesn't exist + shell: /usr/bin/openssl genpkey -out {{ matrix_appservice_irc_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 + when: "matrix_appservice_irc_enabled and irc_passkey_file.stat.exists == False" - name: Ensure matrix-appservice-irc.service installed template: From 345d53b69385b81822f4d4dbb070fc0cd34ca33a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 31 Jan 2019 20:52:20 +0200 Subject: [PATCH 0325/2384] Update changelog --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 29bded25..ed7d655d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +# 2019-01-31 + +## IRC bridging support + +[Devon Maloney (@Plailect)](https://github.com/Plailect) has done some great work bringing IRC bridging support via [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc). +To learn more, see the [Setting up Appservice IRC](docs/configuring-playbook-bridge-appservice-irc.md) documentation page. + + # 2019-01-29 ## Running container processes as non-root, without capabilities and read-only From d48f6ab922f39518bdf48ffa6219334171a50a42 Mon Sep 17 00:00:00 2001 From: dhose <4066579+dhose@users.noreply.github.com> Date: Thu, 31 Jan 2019 09:37:20 +0100 Subject: [PATCH 0326/2384] Adding .editorconfig. --- .editorconfig | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .editorconfig diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 00000000..9b9ea1fd --- /dev/null +++ b/.editorconfig @@ -0,0 +1,24 @@ +# This file is the top-most EditorConfig file +root = true + +# All Files +[*] +charset = utf-8 +end_of_line = lf +indent_style = tab +indent_size = 4 +insert_final_newline = true +trim_trailing_whitespace = true + +######################### +# File Extension Settings +######################### + +# YAML Files +[*.{yml,yaml,log.config.j2,yaml.j2}] +indent_style = space +indent_size = 2 + +# Markdown Files +[*.md] +trim_trailing_whitespace = false From d5a0f562bab5669feca0b33edb0c95a18a24e082 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 1 Feb 2019 11:00:25 +0200 Subject: [PATCH 0327/2384] Add comment about trailing whitespace in Markdown Related to #88 (Github Pull Request) --- .editorconfig | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.editorconfig b/.editorconfig index 9b9ea1fd..6d5dc09a 100644 --- a/.editorconfig +++ b/.editorconfig @@ -20,5 +20,8 @@ indent_style = space indent_size = 2 # Markdown Files +# +# Two spaces at the end of a line in Markdown mean "new line", +# so trimming trailing whitespace for such files can cause breakage. [*.md] trim_trailing_whitespace = false From cd332d9b4e9c2323cbc0a028eaecf1d1391a85e0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 1 Feb 2019 11:47:43 +0200 Subject: [PATCH 0328/2384] Add TLS v1.3 support to matrix-nginx-proxy This was mentioned in #27 (Github Pull Request), but it's just now that the nginx Docker image actually supports TLS v1.3 and we can enable it. --- CHANGELOG.md | 15 +++++++++++++++ docs/configuring-playbook-own-webserver.md | 6 +++++- roles/matrix-nginx-proxy/defaults/main.yml | 4 +--- 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ed7d655d..72bd2c53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,18 @@ +# 2019-02-01 + +## TLS v1.3 support + +Now that the [nginx Docker image](https://hub.docker.com/_/nginx) has [added support for TLS v1.3](https://github.com/nginxinc/docker-nginx/issues/190), we have enabled that protocol by default. + +When using: + +- the **integrated nginx server**: TLS v1.3 support might not kick in immediately, because the nginx version hasn't been bumped and you may have an older build of the nginx Docker image (currently `nginx:1.15.8-alpine`). Typically, we do not re-pull images that you already have. When the nginx version gets bumped in the future, everyone will get the update. Until then, you could manually force-pull the rebuilt Docker image by running this on the server: `docker pull nginx:1.15.8-alpine`. + +- **your own external nginx server**: if your external nginx server is too old, the new configuration we generate for you in `/matrix/nginx-proxy/conf.d/` might not work anymore, because it mentions `TLSv1.3` and your nginx version might not support that. You can adjust the SSL protocol list by overriding the `matrix_nginx_proxy_ssl_protocols` variable. Learn more in the documentation page for [Using your own webserver, instead of this playbook's nginx proxy](docs/configuring-playbook-own-webserver.md) + +- **another web server**: you don't need to do anything to accommodate this change + + # 2019-01-31 ## IRC bridging support diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index a85719ba..9e3391c3 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -14,11 +14,15 @@ All it takes is: ```yaml matrix_nginx_proxy_enabled: false + +# If you use an external nginx, we'll generate some configuration for you in `/matrix/nginx-proxy/conf.d/`. +# You might need to tweak the protocol list (removing `TLSv1.3`) to suit your nginx version. +matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" ``` **Note**: even if you do this, in order [to install](installing.md), this playbook still expects port 80 to be available. **Please manually stop your other webserver while installing**. You can start it back again afterwards. -**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` +**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`. Please note that if your nginx version is old, it might not like our default SSL protocols (particularly the fact that `TLSv1.3` is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. **If your own webserver is not nginx**, you can still take a look at the sample files in `/matrix/nginx-proxy/conf.d`, and: diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 94a86adc..9171470b 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -57,9 +57,7 @@ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # Specifies which SSL protocols to use when serving Riot and Synapse -# Note TLSv1.3 is not yet available in dockerized nginx -# See: https://github.com/nginxinc/docker-nginx/issues/190 -matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" +matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" # By default, this playbook automatically retrieves and auto-renews # free SSL certificates from Let's Encrypt. From e09b7435d1f504ebd926af4ed5d8f557398fb581 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 1 Feb 2019 12:26:43 +0200 Subject: [PATCH 0329/2384] Update documentation a bit --- docs/ansible.md | 5 ++++- examples/hosts | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/ansible.md b/docs/ansible.md index 60480a60..1d2946d5 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -2,6 +2,9 @@ This playbook is meant to be run using [Ansible](https://www.ansible.com/). +Ansible typically runs on your local computer and carries out tasks on a remote server. +If your local computer cannot run Ansible, you can also run Ansible on some server somewhere (including the server you wish to install to). + ## Supported Ansible versions @@ -57,4 +60,4 @@ If you don't use SSH keys for authentication, simply remove that whole line (`-v Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container. The `/work` directory contains the playbook's code. -You can execute `ansible-playbook` commands as per normal now. \ No newline at end of file +You can execute `ansible-playbook` commands as per normal now. diff --git a/examples/hosts b/examples/hosts index 75d68ef6..1f1a6e72 100644 --- a/examples/hosts +++ b/examples/hosts @@ -1,2 +1,2 @@ [matrix-servers] -matrix. ansible_host= ansible_ssh_user=root +matrix. ansible_host= ansible_ssh_user=root From 8681a5dc695f77b6492fd1b962f2f18088fd720f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 1 Feb 2019 16:50:02 +0200 Subject: [PATCH 0330/2384] Add 'none' SSL certificate retrieval method --- docs/configuring-playbook-ssl-certificates.md | 15 ++++++++++++++- roles/matrix-nginx-proxy/defaults/main.yml | 5 +++++ roles/matrix-nginx-proxy/tasks/ssl/main.yml | 5 +++-- 3 files changed, 22 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 8974431a..5c8161fa 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -2,6 +2,8 @@ By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/). +Those certificates are used when configuring the nginx reverse proxy installed by this playbook. + If that's alright, you can skip this. @@ -29,4 +31,15 @@ With such a configuration, the playbook would expect you to drop the SSL certifi - `/live//fullchain.pem` - `/live//privkey.pem` -where `` refers to the domains that you need (usually `matrix.` and `riot.`). \ No newline at end of file +where `` refers to the domains that you need (usually `matrix.` and `riot.`). + + +## Not bothering with SSL certificates + +If you're [using an external web server](configuring-playbook-own-webserver.md) which is not nginx, or you would otherwise want to manage its certificates without this playbook getting in the way, you can completely disable SSL certificate management with the following configuration: + +```yaml +matrix_ssl_retrieval_method: none +``` + +With such a configuration, no certificates will be retrieved at all. You're free to manage them however you want. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 9171470b..0bf7955b 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -66,6 +66,7 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" # - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt # - "self-signed" - the playbook generates and self-signs certificates # - "manually-managed" - lets you manage certificates by yourself (manually; see below) +# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects # # If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`), # you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path` @@ -73,6 +74,10 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" # - /live//fullchain.pem # - /live//privkey.pem # where refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`). +# +# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen. +# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`) +# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself. matrix_ssl_retrieval_method: "lets-encrypt" # The list of domains that this role will obtain certificates for. diff --git a/roles/matrix-nginx-proxy/tasks/ssl/main.yml b/roles/matrix-nginx-proxy/tasks/ssl/main.yml index 2681164d..5402468c 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/main.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/main.yml @@ -3,10 +3,10 @@ - name: Fail if using unsupported SSL certificate retrieval method fail: msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value" - when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed']" + when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']" -# Common tasks, required by any method below. +# Common tasks, required by almost any method below. - name: Ensure SSL certificate paths exists file: @@ -19,6 +19,7 @@ with_items: - "{{ matrix_ssl_log_dir_path }}" - "{{ matrix_ssl_config_dir_path }}" + when: "matrix_ssl_retrieval_method != 'none'" # Method specific tasks follow From 5e8a7fd05b7787877b8e05dc9b016cdc3db95ea2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 1 Feb 2019 16:51:18 +0200 Subject: [PATCH 0331/2384] Update own-webserver guide and add sample Apache configuration This supersedes #59 (Github Pull Request), which was greatly beneficial in creating our sample Apache configuration. --- docs/configuring-playbook-own-webserver.md | 46 ++++++++++---- examples/apache/README.md | 17 +++++ examples/apache/matrix-riot-web.conf | 41 ++++++++++++ examples/apache/matrix-synapse.conf | 73 ++++++++++++++++++++++ 4 files changed, 165 insertions(+), 12 deletions(-) create mode 100644 examples/apache/README.md create mode 100644 examples/apache/matrix-riot-web.conf create mode 100644 examples/apache/matrix-synapse.conf diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 9e3391c3..448f5d03 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -6,28 +6,50 @@ If that's alright, you can skip this. If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that, and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can. -All it takes is: -1) making sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx` +## Preparation -2) editing your configuration file (`inventory/matrix./vars.yml`): +No matter which external webserver you decide to go with, you'll need to: + +1) Make sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx` + +2) Edit your configuration file (`inventory/matrix./vars.yml`) to disable the integrated nginx server: ```yaml matrix_nginx_proxy_enabled: false +``` + +3) **If you'll manage SSL certificates by yourself**, edit your configuration file (`inventory/matrix./vars.yml`) to disable SSL certificate retrieval: + +```yaml +matrix_ssl_retrieval_method: none +``` + +**Note**: During [installation](installing.md), unless you've disabled SSL certificate management (`matrix_ssl_retrieval_method: none`), the playbook would need 80 to be available, in order to retrieve SSL certificates. **Please manually stop your other webserver while installing**. You can start it back up afterwards. -# If you use an external nginx, we'll generate some configuration for you in `/matrix/nginx-proxy/conf.d/`. -# You might need to tweak the protocol list (removing `TLSv1.3`) to suit your nginx version. -matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" + +## Using your own external nginx webserver + +Once you've followed the [Preparation](#preparation) guide above, it's time to set up your external nginx server. + +Even with `matrix_nginx_proxy_enabled: false`, the playbook still generates some helpful files for you in `/matrix/nginx-proxy/conf.d`. +Those configuration files are adapted for use with an external web server (one not running in the container network). + +You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` + +Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: + +```yaml +# Custom protocol list (removing `TLSv1.3`) to suit your nginx version. +matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" ``` -**Note**: even if you do this, in order [to install](installing.md), this playbook still expects port 80 to be available. **Please manually stop your other webserver while installing**. You can start it back again afterwards. -**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`. Please note that if your nginx version is old, it might not like our default SSL protocols (particularly the fact that `TLSv1.3` is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. +## Using your own external Apache webserver -**If your own webserver is not nginx**, you can still take a look at the sample files in `/matrix/nginx-proxy/conf.d`, and: +Once you've followed the [Preparation](#preparation) guide above, you can take a look at the [examples/apache](../examples/apache) directory for a sample configuration. -- ensure you set up (separate) vhosts that proxy for both Riot (`localhost:8765`) and Matrix Synapse (`localhost:8008`) -- ensure that the `/.well-known/acme-challenge` location for each "port=80 vhost" gets proxied to `http://localhost:2402` (controlled by `matrix_ssl_lets_encrypt_certbot_standalone_http_port`) for automated SSL renewal to work +## Using another external webserver -- ensure that you restart/reload your webserver once in a while, so that renewed SSL certificates would take effect (once a month should be enough) +Feel free to look at the [examples/apache](../examples/apache) directory, or the [template files in the matrix-nginx-proxy role](../roles/matrix-nginx-proxy/templates/conf.d/). diff --git a/examples/apache/README.md b/examples/apache/README.md new file mode 100644 index 00000000..33183b9c --- /dev/null +++ b/examples/apache/README.md @@ -0,0 +1,17 @@ +# Apache reverse-proxy + +This directory contains sample files that show you how to do reverse-proxying using Apache. + +This is for when you wish to have your own Apache webserver sitting in front of Matrix services installed by this playbook. +See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page. + +To use your own Apache reverse-proxy, you first need to disable the integrated nginx server. +You do that with the following custom configuration (`inventory/matrix./vars.yml`): + +```yaml +matrix_nginx_proxy_enabled: false +``` + +You can then use the configuration files from this directory as an example for how to configure your Apache server. + +**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration). diff --git a/examples/apache/matrix-riot-web.conf b/examples/apache/matrix-riot-web.conf new file mode 100644 index 00000000..263136ee --- /dev/null +++ b/examples/apache/matrix-riot-web.conf @@ -0,0 +1,41 @@ +# This is a sample file demonstrating how to set up reverse-proxy for the riot.DOMAIN. +# If you're not using Riot (`matrix_riot_web_enabled: false`), you won't need this. + + + ServerName riot.DOMAIN + + # Map /.well-known/acme-challenge to the certbot server + # If you manage SSL certificates by yourself, this will differ. + + ProxyPreserveHost On + ProxyRequests Off + ProxyVia On + ProxyPass http://localhost:2402/.well-known/acme-challenge + + + Redirect permanent / https://riot.DOMAIN/ + + + + ServerName riot.DOMAIN + + SSLEngine On + + # If you manage SSL certificates by yourself, these paths will differ. + SSLCertificateFile /matrix/ssl/config/live/riot.DOMAIN/fullchain.pem + SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem + + SSLProxyEngine on + SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 + SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH + + ProxyPreserveHost On + ProxyRequests Off + ProxyVia On + + ProxyPass / http://localhost:8765/ + ProxyPassReverse / http://localhost:8765/ + + ErrorLog ${APACHE_LOG_DIR}/riot.DOMAIN-error.log + CustomLog ${APACHE_LOG_DIR}/riot.DOMAIN-access.log combined + diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf new file mode 100644 index 00000000..b5e11d04 --- /dev/null +++ b/examples/apache/matrix-synapse.conf @@ -0,0 +1,73 @@ +# This is a sample file demonstrating how to set up reverse-proxy for the matrix.DOMAIN + + + ServerName matrix.DOMAIN + + # Map /.well-known/acme-challenge to the certbot server + # If you manage SSL certificates by yourself, this will differ. + + ProxyPreserveHost On + ProxyRequests Off + ProxyVia On + ProxyPass http://localhost:2402/.well-known/acme-challenge + + + Redirect permanent / https://matrix.DOMAIN/ + + + + ServerName matrix.DOMAIN + + SSLEngine On + + # If you manage SSL certificates by yourself, these paths will differ. + SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem + SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem + + SSLProxyEngine on + SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 + SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH + + ProxyPreserveHost On + ProxyRequests Off + ProxyVia On + + # Keep some URIs free for different proxy/location + ProxyPassMatch ^/.well-known/matrix/client ! + ProxyPassMatch ^/_matrix/identity ! + ProxyPassMatch ^/_matrix/client/r0/user_directory/search ! + + # Proxy all remaining traffic to Synapse + ProxyPass / http://localhost:8008/ + ProxyPassReverse / http://localhost:8008/ + + # Map /.well-known/matrix/client for client discovery + Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client + + Require all granted + + + Header always set Content-Type "application/json" + Header always set Access-Control-Allow-Origin "*" + + + AllowOverride All + # Apache 2.4: + Require all granted + # Or for Apache 2.2: + #order allow,deny + + + # Map /_matrix/identity to the identity server + + ProxyPass http://localhost:8090/_matrix/identity + + + # Map /_matrix/client/r0/user_directory/search to the identity server + + ProxyPass http://localhost:8090/_matrix/client/r0/user_directory/search + + + ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log + CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined + From 897cfbdcba8888bd8e318005ed0e3abe024e16be Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 1 Feb 2019 17:06:49 +0200 Subject: [PATCH 0332/2384] Fix /.well-known/matrix/client installation Regression since 51312b82 --- roles/matrix-base/tasks/setup_well_known.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-base/tasks/setup_well_known.yml b/roles/matrix-base/tasks/setup_well_known.yml index 7620c893..8a24bd2f 100644 --- a/roles/matrix-base/tasks/setup_well_known.yml +++ b/roles/matrix-base/tasks/setup_well_known.yml @@ -15,7 +15,7 @@ - name: Ensure Matrix /.well-known/matrix/client configured template: src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2" - dest: "{{ matrix_static_files_base_path }}/.well-known/matrix" + dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" \ No newline at end of file + group: "{{ matrix_user_username }}" From 29b40b428ace9353c737e5177c1dc8e5f48dd170 Mon Sep 17 00:00:00 2001 From: Plailect Date: Fri, 1 Feb 2019 11:44:06 -0500 Subject: [PATCH 0333/2384] Database files must be stored on permanent storage --- docs/configuring-playbook-bridge-appservice-irc.md | 2 +- roles/matrix-synapse/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-irc.md b/docs/configuring-playbook-bridge-appservice-irc.md index 5f70384d..7f8349a0 100644 --- a/docs/configuring-playbook-bridge-appservice-irc.md +++ b/docs/configuring-playbook-bridge-appservice-irc.md @@ -22,7 +22,7 @@ matrix_appservice_irc_configuration_extension_yaml: | # A simple example configuration extension follows: # ircService: - databaseUri: "nedb://data" # does not typically need modification + databaseUri: "nedb:///data" # does not typically need modification passwordEncryptionKeyPath: "/data/passkey.pem" # does not typically need modification matrixHandler: eventCacheSize: 4096 diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 5b8b6fc8..ba737dc6 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -221,7 +221,7 @@ matrix_appservice_irc_configuration_extension_yaml: | # Example configuration extension follows: # # ircService: - # databaseUri: "nedb://data" # does not typically need modification + # databaseUri: "nedb:///data" # does not typically need modification # passwordEncryptionKeyPath: "/data/passkey.pem" # does not typically need modification # matrixHandler: # eventCacheSize: 4096 From 87e3deebfd59143d3255d3aadd88811f8267145f Mon Sep 17 00:00:00 2001 From: dhose <4066579+dhose@users.noreply.github.com> Date: Wed, 30 Jan 2019 19:31:50 +0100 Subject: [PATCH 0334/2384] Enable exposure of Prometheus metrics. --- group_vars/matrix-servers | 6 +++++ roles/matrix-nginx-proxy/defaults/main.yml | 5 +++++ .../tasks/setup_nginx_proxy.yml | 15 +++++++++++++ .../nginx/conf.d/matrix-synapse.conf.j2 | 22 +++++++++++++++++++ .../nginx/matrix-synapse-metrics-htpasswd.j2 | 2 ++ .../systemd/matrix-nginx-proxy.service.j2 | 3 +++ roles/matrix-synapse/defaults/main.yml | 8 +++++++ .../templates/synapse/homeserver.yaml.j2 | 8 ++++++- .../synapse/systemd/matrix-synapse.service.j2 | 3 +++ 9 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 30e55131..9f1d37de 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -181,6 +181,10 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled } matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "localhost:8090" +matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" +matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" +matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "localhost:{{ matrix_synapse_metrics_port }}" + matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_enabled }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" @@ -272,6 +276,8 @@ matrix_synapse_trusted_third_party_id_servers: "{{ [hostname_matrix] if matrix_m # the Client/Server API's port to the local host (`127.0.0.1:8008`). matrix_synapse_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" +matrix_synapse_container_expose_metrics_port: "{{ not matrix_nginx_proxy_enabled }}" + matrix_synapse_database_host: "{{ matrix_postgres_connection_hostname }}" matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}" matrix_synapse_database_password: "{{ matrix_postgres_connection_password }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 0bf7955b..7ae4bd00 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -39,6 +39,11 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "localhost:8090" +# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) +matrix_nginx_proxy_proxy_synapse_metrics: false +matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false +matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" + # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008" diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 434cfad8..97530ec2 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -28,6 +28,15 @@ mode: 0644 when: "matrix_nginx_proxy_enabled" +- name: Ensure matrix-synapse-metrics-htpasswd is present (protecting /_synapse/metrics URI) + template: + src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2" + dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + mode: 0400 + when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled and matrix_nginx_proxy_proxy_synapse_metrics" + - name: Ensure Matrix nginx-proxy configured (generic) template: src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2" @@ -116,3 +125,9 @@ path: "{{ matrix_nginx_proxy_data_path }}/nginx.conf" state: absent when: "not matrix_nginx_proxy_enabled" + +- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /_synapse/metrics URI) + file: + path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" + state: absent + when: "not matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled or not matrix_nginx_proxy_proxy_synapse_metrics" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 016b9414..734ddb5b 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -120,6 +120,28 @@ server { proxy_max_temp_file_size 0; } + {% if matrix_nginx_proxy_proxy_synapse_metrics %} + location /_synapse/metrics { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + + {% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} + auth_basic "protected"; + auth_basic_user_file .matrix-synapse-metrics-htpasswd; + {% endif %} + } + {% endif %} + location / { rewrite ^/$ /_matrix/static/ last; } diff --git a/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 b/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 new file mode 100644 index 00000000..27cf298f --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 @@ -0,0 +1,2 @@ +# User and password for protecting /_synapse/metrics URI +prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }} diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 410d6a01..7f05ed26 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -26,6 +26,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ -v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \ -v {{ matrix_static_files_base_path }}:{{ matrix_static_files_base_path }}:ro \ + {% if (matrix_nginx_proxy_proxy_synapse_metrics and matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled) %} + -v {{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd:/etc/nginx/.matrix-synapse-metrics-htpasswd:ro \ + {% endif %} {{ matrix_nginx_proxy_docker_image }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index ba737dc6..13273f78 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -13,6 +13,9 @@ matrix_synapse_container_expose_client_server_api_port: false # Controls whether the Appservice IRC container exposes the Client/Server API port (tcp/9999). matrix_appservice_irc_container_expose_client_server_api_port: false +# Controls whether the matrix-synapse container exposes the metrics port (tcp/9100). +matrix_synapse_container_expose_metrics_port: false + # List of systemd services that matrix-synapse.service depends on matrix_synapse_systemd_required_services_list: ['docker.service'] @@ -118,6 +121,11 @@ matrix_synapse_app_service_config_files: [] # any password providers have been enabled or not. matrix_synapse_password_providers_enabled: false +# Enable exposure of metrics to Prometheus +# See https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.rst +matrix_synapse_metrics_enabled: false +matrix_synapse_metrics_port: 9100 + # Postgres database information matrix_synapse_database_host: "" matrix_synapse_database_user: "" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index a123f319..e6537ef0 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -127,6 +127,12 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js # List of ports that Synapse should listen on, their purpose and their # configuration. listeners: +{% if matrix_synapse_metrics_enabled %} + - type: metrics + port: {{ matrix_synapse_metrics_port }} + bind_addresses: + - '0.0.0.0' +{% endif %} {% if matrix_synapse_federation_enabled %} # Main HTTPS listener # For when matrix traffic is sent directly to synapse. @@ -496,7 +502,7 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms }} ## Metrics ### # Enable collection and rendering of performance metrics -enable_metrics: False +enable_metrics: {{ matrix_synapse_metrics_enabled }} report_stats: {{ matrix_synapse_report_stats|to_json }} diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index a369190d..9ba918d6 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -34,6 +34,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% if matrix_synapse_container_expose_client_server_api_port %} -p 127.0.0.1:8008:8008 \ {% endif %} + {% if matrix_synapse_container_expose_metrics_port %} + -p 127.0.0.1:{{ matrix_synapse_metrics_port }}:{{ matrix_synapse_metrics_port }} \ + {% endif %} -v {{ matrix_synapse_config_dir_path }}:/data:ro \ -v {{ matrix_synapse_run_path }}:/matrix-run:rw \ -v {{ matrix_synapse_base_path }}/storage:/matrix-media-store-parent:slave \ From 52d5e540c0d8d59d8b44393b0bb7a49af29b8086 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 2 Feb 2019 17:32:13 +0200 Subject: [PATCH 0335/2384] Fix ownership of generated self-signed certificates (root -> matrix) --- .../tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml index 0e690834..80838fa6 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml @@ -37,4 +37,6 @@ -keyout {{ matrix_ssl_certificate_cert_key_path }} \ -out {{ matrix_ssl_certificate_cert_path }} \ -days 3650 - when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" \ No newline at end of file + become: true + become_user: "{{ matrix_user_username }}" + when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" From 58ca2e7dfddbebbbcde32fdb49de181768033623 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Mon, 4 Feb 2019 09:03:43 -0600 Subject: [PATCH 0336/2384] Turn off IPv6 when using your own Nginx server Docker apparently doesn't like IPv6. --- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 1 + roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 ++---- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 734ddb5b..6417b77c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -110,6 +110,7 @@ server { {% else %} {# Generic configuration for use outside of our container setup #} proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }}; + resolver 127.0.0.1 ipv6=off; {% endif %} proxy_set_header Host $host; diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index e6537ef0..2cca864e 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -144,9 +144,7 @@ listeners: # On Linux and Mac OS, `::` will listen on all IPv4 and IPv6 # addresses by default. For most other OSes, this will only listen # on IPv6. - bind_addresses: - - '::' - - '0.0.0.0' + bind_addresses: ['::'] # This is a 'http' listener, allows us to specify 'resources'. type: http @@ -174,7 +172,7 @@ listeners: # For when matrix traffic passes through loadbalancer that unwraps TLS. - port: 8008 tls: false - bind_addresses: ['::', '0.0.0.0'] + bind_addresses: ['::'] type: http x_forwarded: true From 1f0cc92b330b425ce8da1e9958ea39e797bf5ace Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Mon, 4 Feb 2019 09:49:45 -0600 Subject: [PATCH 0337/2384] Use IPv4 localhost everywhere (or almost everywhere) --- group_vars/matrix-servers | 8 ++++---- roles/matrix-nginx-proxy/defaults/main.yml | 8 ++++---- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 4 ++-- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 3 +-- roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml | 2 +- 5 files changed, 12 insertions(+), 13 deletions(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 9f1d37de..7b14b4e1 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -167,7 +167,7 @@ matrix_mxisd_systemd_wanted_services_list: | matrix_nginx_proxy_enabled: true matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" -matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ 'localhost:41080' if matrix_corporal_enabled else 'localhost:8008' }}" +matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:8008' }}" matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" matrix_nginx_proxy_proxy_matrix_enabled: true @@ -175,15 +175,15 @@ matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" -matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "localhost:41081" +matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled }}" matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "localhost:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" -matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "localhost:{{ matrix_synapse_metrics_port }}" +matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_enabled }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 7ae4bd00..93e9ffee 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -25,19 +25,19 @@ matrix_nginx_proxy_proxy_matrix_hostname: "{{ hostname_matrix }}" # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" -matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "localhost:41081" +matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" # Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain). # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. # To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/directory.md matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090" -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "localhost:8090" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "localhost:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_synapse_metrics: false @@ -47,7 +47,7 @@ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008" -matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "localhost:8008" +matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008" # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25 diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 578a7e0c..661a5f31 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -12,7 +12,7 @@ server { proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; {% endif %} } @@ -47,7 +47,7 @@ server { proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:8765; + proxy_pass http://127.0.0.1:8765; {% endif %} proxy_set_header Host $host; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 6417b77c..a357e862 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -12,7 +12,7 @@ server { proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; {% endif %} } @@ -110,7 +110,6 @@ server { {% else %} {# Generic configuration for use outside of our container setup #} proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }}; - resolver 127.0.0.1 ipv6=off; {% endif %} proxy_set_header Host $host; diff --git a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml index 189c9356..51a68336 100644 --- a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml @@ -102,7 +102,7 @@ proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:8080; + proxy_pass http://127.0.0.1:8080; {% endif %} } From 9a251e4e46c753d09c723ce097c407a5b9c83d3a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Feb 2019 11:11:28 +0200 Subject: [PATCH 0338/2384] Remove some more references to localhost Continuation of 1f0cc92b330b42. As an explanation for the problem: when saying `localhost` on the host, it sometimes gets resolved to `::1` and sometimes to `127.0.0.1`. On the unfortunate occassions that it gets resolved to `::1`, the container won't be able to serve the request, because Docker containers don't have IPv6 enabled by default. To avoid this problem, we simply prevent any lookups from happening and explicitly use `127.0.0.1`. --- examples/apache/matrix-riot-web.conf | 6 +++--- examples/apache/matrix-synapse.conf | 10 +++++----- .../matrix-ssl-lets-encrypt-certificates-renew.j2 | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/examples/apache/matrix-riot-web.conf b/examples/apache/matrix-riot-web.conf index 263136ee..6fadd5a8 100644 --- a/examples/apache/matrix-riot-web.conf +++ b/examples/apache/matrix-riot-web.conf @@ -10,7 +10,7 @@ ProxyPreserveHost On ProxyRequests Off ProxyVia On - ProxyPass http://localhost:2402/.well-known/acme-challenge + ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge Redirect permanent / https://riot.DOMAIN/ @@ -33,8 +33,8 @@ ProxyRequests Off ProxyVia On - ProxyPass / http://localhost:8765/ - ProxyPassReverse / http://localhost:8765/ + ProxyPass / http://127.0.0.1:8765/ + ProxyPassReverse / http://127.0.0.1:8765/ ErrorLog ${APACHE_LOG_DIR}/riot.DOMAIN-error.log CustomLog ${APACHE_LOG_DIR}/riot.DOMAIN-access.log combined diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf index b5e11d04..eae8dde4 100644 --- a/examples/apache/matrix-synapse.conf +++ b/examples/apache/matrix-synapse.conf @@ -9,7 +9,7 @@ ProxyPreserveHost On ProxyRequests Off ProxyVia On - ProxyPass http://localhost:2402/.well-known/acme-challenge + ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge Redirect permanent / https://matrix.DOMAIN/ @@ -38,8 +38,8 @@ ProxyPassMatch ^/_matrix/client/r0/user_directory/search ! # Proxy all remaining traffic to Synapse - ProxyPass / http://localhost:8008/ - ProxyPassReverse / http://localhost:8008/ + ProxyPass / http://127.0.0.1:8008/ + ProxyPassReverse / http://127.0.0.1:8008/ # Map /.well-known/matrix/client for client discovery Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client @@ -60,12 +60,12 @@ # Map /_matrix/identity to the identity server - ProxyPass http://localhost:8090/_matrix/identity + ProxyPass http://127.0.0.1:8090/_matrix/identity # Map /_matrix/client/r0/user_directory/search to the identity server - ProxyPass http://localhost:8090/_matrix/client/r0/user_directory/search + ProxyPass http://127.0.0.1:8090/_matrix/client/r0/user_directory/search ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 index 7c99ca33..7e561017 100644 --- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 @@ -4,7 +4,7 @@ # need to forward requests for `/.well-known/acme-challenge` to the certbot container. # # This can happen inside the container network by proxying to `http://matrix-certbot:8080` -# or outside (on the host) by proxying to `http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`. +# or outside (on the host) by proxying to `http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`. docker run \ --rm \ From 96afbbb5af5c773a9f97f798a1adb403e9e0cea1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Feb 2019 11:46:16 +0200 Subject: [PATCH 0339/2384] Allow additional volumes to be mounted into matrix-nginx-proxy Certain use-cases may require that people mount additional files into the matrix-nginx-proxy container. Similarly to how we do it for Synapse, we are introducing a new variable that makes this possible (`matrix_nginx_proxy_container_additional_volumes`). This makes the htpasswd file for Synapse Metrics (introduced in #86, Github Pull Request) to also perform mounting using this new mechanism. Hopefully, for such an "extension", keeping htpasswd file-creation and volume definition in the same place (the tasks file) is better. All other major volumes' mounting mechanism remains the same (explicit mounting). --- roles/matrix-nginx-proxy/defaults/main.yml | 6 ++++++ roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 8 ++++++++ .../templates/systemd/matrix-nginx-proxy.service.j2 | 6 +++--- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 93e9ffee..af3489ca 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -14,6 +14,12 @@ matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-nginx-proxy.service wants matrix_nginx_proxy_systemd_wanted_services_list: [] +# A list of additional "volumes" to mount in the container. +# This list gets populated dynamically at runtime. You can provide a different default value, +# if you wish to mount your own files into the container. +# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} +matrix_nginx_proxy_container_additional_volumes: [] + # Controls whether proxying the riot domain should be done. matrix_nginx_proxy_proxy_riot_enabled: false matrix_nginx_proxy_proxy_riot_hostname: "{{ hostname_riot }}" diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 97530ec2..476e845c 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -37,6 +37,14 @@ mode: 0400 when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled and matrix_nginx_proxy_proxy_synapse_metrics" +- name: Ensure matrix-synapse-metrics-htpasswd is mounted into the matrix-nginx-proxy container + - set_fact: + matrix_nginx_proxy_container_additional_volumes: > + {{ matrix_nginx_proxy_container_additional_volumes }} + + + {{ [{'src': '{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd', 'dst': '/etc/nginx/.matrix-synapse-metrics-htpasswd', 'options': 'ro'}] }} + when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled and matrix_nginx_proxy_proxy_synapse_metrics" + - name: Ensure Matrix nginx-proxy configured (generic) template: src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2" diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 7f05ed26..e04b9ae8 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -26,9 +26,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ -v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \ -v {{ matrix_static_files_base_path }}:{{ matrix_static_files_base_path }}:ro \ - {% if (matrix_nginx_proxy_proxy_synapse_metrics and matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled) %} - -v {{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd:/etc/nginx/.matrix-synapse-metrics-htpasswd:ro \ - {% endif %} + {% for volume in matrix_nginx_proxy_container_additional_volumes %} + -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + {% endfor %} {{ matrix_nginx_proxy_docker_image }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy From e06e5dd208ba87c22011f7394bc53d26ff773ffb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Feb 2019 12:09:33 +0200 Subject: [PATCH 0340/2384] Fix syntax breakage Regression since 96afbbb5af5c7 --- roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 476e845c..0a67a457 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -38,7 +38,7 @@ when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled and matrix_nginx_proxy_proxy_synapse_metrics" - name: Ensure matrix-synapse-metrics-htpasswd is mounted into the matrix-nginx-proxy container - - set_fact: + set_fact: matrix_nginx_proxy_container_additional_volumes: > {{ matrix_nginx_proxy_container_additional_volumes }} + From f6ebd4ce6214d7a11bbd2d692246526140854869 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Feb 2019 11:07:08 +0200 Subject: [PATCH 0341/2384] Initial work on Synapse 0.99/1.0 preparation --- docs/configuring-dns.md | 48 +++++++--- docs/configuring-playbook.md | 2 +- docs/configuring-well-known.md | 59 ++++++++---- docs/installing.md | 6 +- docs/prerequisites.md | 8 +- group_vars/matrix-servers | 21 +++- roles/matrix-base/tasks/setup_well_known.yml | 9 +- .../static-files/well-known/matrix-server.j2 | 3 + .../matrix-corporal/tasks/setup_corporal.yml | 1 + roles/matrix-nginx-proxy/defaults/main.yml | 8 +- .../tasks/self_check_well_known.yml | 74 +++------------ .../tasks/self_check_well_known_file.yml | 65 +++++++++++++ .../nginx/conf.d/matrix-synapse.conf.j2 | 46 ++++++++- .../systemd/matrix-nginx-proxy.service.j2 | 3 + roles/matrix-synapse/defaults/main.yml | 20 +++- .../tasks/setup_synapse_main.yml | 55 +++++++++++ .../matrix-synapse/tasks/validate_config.yml | 12 ++- .../templates/synapse/homeserver.yaml.j2 | 95 ++++++++++++++++--- .../synapse/systemd/matrix-synapse.service.j2 | 9 +- 19 files changed, 415 insertions(+), 129 deletions(-) create mode 100644 roles/matrix-base/templates/static-files/well-known/matrix-server.j2 create mode 100644 roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 49b6a057..16bc4436 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -5,26 +5,50 @@ To set up Matrix on your domain, you'd need to do some DNS configuration. To use an identifier like `@:`, you don't actually need to install anything on the actual `` server. + +## General outline of DNS settings you need to do + +| Type | Host | Priority | Weight | Port | Target | +| ----- | ----------------------- | -------- | ------ | ---- | ---------------------- | +| A | `matrix` | - | - | - | `matrix-server-IP` | +| CNAME | `riot` | - | - | - | `matrix.` | +| SRV | `_matrix._tcp` | 10 | 0 | 8448 | `matrix.` | +| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | + +The `_matrix._tcp` SRV record is a temporary measure and will not be necessary in the near future. +In fact, it will have to be removed at some point. To learn more about that, read below. + + +## Subdomains setup + +As the table above illustrates, you need to create 2 subdomains (`matrix.` and `riot.`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` record is fine). + +The `riot.` subdomain is necessary, because this playbook installs the Riot web client for you. +If you'd rather instruct the playbook not to install Riot (`matrix_riot_web_enabled: false` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `riot.` DNS record. + + +## `_matrix._tcp` SRV record setup (temporary requirement) + All services created by this playbook are meant to be installed on their own server (such as `matrix.`). -To accomplish such a "redirect", you need to instruct the Matrix network of this by setting up a DNS SRV record. +To use a Matrix user identifier like `@:` while hosting services on `matrix.`, we need to instruct the Matrix network of such a delegation/redirection by means of setting up a DNS SRV record. + The SRV record should look like this: - Name: `_matrix._tcp` (use this text as-is) - Content: `10 0 8448 matrix.` (replace `` with your own) +A [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) is superseding the `_matrix._tcp` SRV record. **During the transition phase, you'll need to set up both mechanisms**. We'll instruct you how to set up the file-based mechanism after the [installation phase](installing.md) for this playbook. + +Doing delegation/redirection of Matrix services using a DNS SRV record (`_matrix._tcp`) is a **temporary measure** that is only necessary before Synapse v1.0 is released. + +As more and more people upgrade to the Synapse v0.99 transitional release and just before the final Synapse v1.0 gets released, at some point in the near future **you will need to remove the `_matrix._tcp` SRV record** and leave only the [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) in place. + + +## `_matrix-identity._tcp` SRV record setup + To make the [mxisd](https://github.com/kamax-io/mxisd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this: - Name: `_matrix-identity._tcp` (use this text as-is) - Content: `10 0 443 matrix.` (replace `` with your own) -Once you've set up these DNS SRV records, you should create 2 other domain names (`matrix.` and `riot.`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` is fine). - -This playbook can then install all the services on that new server and you'll be able to join the Matrix network as `@:`. - -| Type | Host | Priority | Weight | Port | Target | -| ----- | ----------------------- | -------- | ------ | ---- | ---------------------- | -| SRV | `_matrix._tcp` | 10 | 0 | 8448 | `matrix.` | -| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | -| A | `matrix` | - | - | - | `server-IP` | -| CNAME | `riot` | - | - | - | `matrix.` | -When ready to proceed, continue with [Configuring this Ansible playbook](configuring-playbook.md). \ No newline at end of file +When you're done with the DNS configuration and ready to proceed, continue with [Configuring this Ansible playbook](configuring-playbook.md). diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 30d1b05f..9a61c153 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -1,6 +1,6 @@ # Configuring the Ansible playbook -Once you have your server and you have [configured your DNS records](configuring-dns.md#configuring-dns), you can proceed with configuring this playbook, so that it knows what to install and where. +Once you have your server and you have [configured your DNS records](configuring-dns.md), you can proceed with configuring this playbook, so that it knows what to install and where. You can follow these steps: diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 4185a9d6..166ece1f 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -1,44 +1,66 @@ -# Configuring service discovery via .well-known +# Configuring Service Discovery via .well-known +Service discovery is a way for the Matrix network to discover where a Matrix server is. -## Introduction +There are 2 types of well-known service discovery that Matrix makes use of: -Service discovery lets various client programs which support it, to receive a full user id (e.g. `@username:example.com`) and determine where the Matrix server is automatically (e.g. `https://matrix.example.com`). +- (important) **Federation Server discovery** (`/.well-known/matrix/server`) -- assists other servers in the Matrix network with finding your server. Without a proper configuration, your server will effectively not be part of the Matrix network. Learn more in [Introduction to Federation Server Discovery](#introduction-to-federation-server-discovery) -This lets your users easily connect to your Matrix server without having to customize connection URLs. +- (not that important) **Client Server discovery** (`/.well-known/matrix/client`) -- assists programs that you use to connect to your server (e.g. Riot), so that they can make it more convenient for you by automatically configuring the "Homeserver URL" and "Identity Server URL" addresses. Learn more in [Introduction to Client Server Discovery](#introduction-to-client-server-discovery) -As [per the specification](https://matrix.org/docs/spec/client_server/r0.4.0.html#server-discovery) Matrix does service discovery using a `/.well-known/matrix/client` file hosted on the base domain (e.g. `example.com`). -However, this playbook installs your Matrix server on another domain (e.g. `matrix.example.com`) and not on the base domain (e.g. `example.com`), so it takes a little extra manual effort to set up the file. +## Introduction to Federation Server Discovery + +All services created by this playbook are meant to be installed on their own server (such as `matrix.`). + +As [per the Server-Server specification](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery), to use a Matrix user identifier like `@:` while hosting services on a subdomain like `matrix.`, we need to instruct the Matrix network of such a delegation/redirection by means of setting up a `/.well-known/matrix/server` file on the base domain (`). + +We have discussed this same thing already in the "`_matrix._tcp` SRV record setup (temporary requirement)" section of [Configuring DNS](configuring-dns.md). + +In short, you are required to set up both a `_matrix._tcp` DNS SRV record and the `/.well-known/matrix/server` file at the moment. + +As the Synapse server progresses towards v1.0, only the `/.well-known/matrix/server` file will be used. At that future moment, you would need to remove the `_matrix._tcp` SRV record because Synapse v1.0+ will do the wrong thing if a SRV record exists. During the transitional phase (before Synapse 1.0), we do need to have both a SRV record and a `/.well-known/matrix/server` file, in order to federate correctly with v0.99 and older Synapse versions. + +To learn how to set it up, read the Installing section below. -## Prerequisites +## Introduction to Client Server Discovery -To implement service discovery, your base domain's server (e.g. `example.com`) needs to support HTTPS. +Client Server Service discovery lets various client programs which support it, to receive a full user id (e.g. `@username:example.com`) and determine where the Matrix server is automatically (e.g. `https://matrix.example.com`). +This lets you (and your users) easily connect to your Matrix server without having to customize connection URLs. When using client programs that support it, you won't need to point them to `https://matrix.example.com` in Custom Server options manually anymore. The connection URL would be discovered automatically from your full username. -## Setting it up +As [per the Client-Server specification](https://matrix.org/docs/spec/client_server/r0.4.0.html#server-discovery) Matrix does Client Server service discovery using a `/.well-known/matrix/client` file hosted on the base domain (e.g. `example.com`). -To make things easy for you to set up, this playbook generates and hosts the well-known file on the Matrix domain's server (e.g. `https://matrix.example.com/.well-known/matrix/client`), even though this is the wrong place to host it. +However, this playbook installs your Matrix server on another domain (e.g. `matrix.example.com`) and not on the base domain (e.g. `example.com`), so it takes a little extra manual effort to set up the file. + +To learn how to set it up, read the Installing section below. + + +## Installing well-known files on the base domain's server -You have 2 options when it comes to installing the file on the base domain's server: +To implement the two service discovery mechanisms, your base domain's server (e.g. `example.com`) needs to support HTTPS. +To make things easy for you to set up, this playbook generates and hosts 2 well-known files on the Matrix domain's server (e.g. `https://matrix.example.com/.well-known/matrix/server` and `https://matrix.example.com/.well-known/matrix/client`), even though this is the wrong place to host them. -### (Option 1): **Copying the file manually** to your base domain's server +You have 2 options when it comes to installing the files on the base domain's server: + + +### (Option 1): **Copying the files manually** to your base domain's server **Hint**: Option 2 (below) is generally a better way to do this. Make sure to go with that one, if possible. All you need to do is: -- copy the `/.well-known/matrix/client` from the Matrix server (e.g. `matrix.example.com`) to your base domain's server (`example.com`). +- copy `/.well-known/matrix/server` and `/.well-known/matrix/client` from the Matrix server (e.g. `matrix.example.com`) to your base domain's server (`example.com`). -- set up the server at your base domain (e.g. `example.com`) so that it adds an extra HTTP header when serving the `/.well-known/matrix/client` file. [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS), the `Access-Control-Allow-Origin` header should be set with a value of `*`. If you don't do this step, web-based Matrix clients (like Riot) may fail to work. +- set up the server at your base domain (e.g. `example.com`) so that it adds an extra HTTP header when serving the `/.well-known/matrix/client` file. [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS), the `Access-Control-Allow-Origin` header should be set with a value of `*`. If you don't do this step, web-based Matrix clients (like Riot) may fail to work. Setting up headers for the `/.well-known/matrix/server` file is not necessary, as this file is only consumed by non-browsers, which don't care about CORS. This is relatively easy to do and possibly your only choice if you can only host static files from the base domain's server. -It is, however, **a little fragile**, as future updates performed by this playbook may regenerate the well-known file and you may need to notice that and copy it again. +It is, however, **a little fragile**, as future updates performed by this playbook may regenerate the well-known files and you may need to notice that and copy them over again. -### (Option 2): **Setting up reverse-proxying** of the well-known file from the base domain's server to the Matrix server +### (Option 2): **Setting up reverse-proxying** of the well-known files from the base domain's server to the Matrix server This option is less fragile and generally better. @@ -91,6 +113,9 @@ Make sure to: ## Confirming it works -No matter which method you've used to set up the well-known file, if you've done it correctly you should be able to see a JSON file at a URL like this: `https:///.well-known/matrix/client`. +No matter which method you've used to set up the well-known files, if you've done it correctly you should be able to see a JSON file at both of these URLs: + +- `https:///.well-known/matrix/server` +- `https:///.well-known/matrix/client` You can also check if everything is configured correctly, by [checking if services work](maintenance-checking-services.md). diff --git a/docs/installing.md b/docs/installing.md index 8ca36859..38536f5a 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -34,7 +34,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=start Now that the services are running, you might want to: -- [create your first user account](registering-users.md) -- or **finalize the installation process** by [Configuring service discovery via .well-known](configuring-well-known.md) -- or [Check if services work](maintenance-checking-services.md) +- **finalize the installation process** (required for federation to work!) by [Configuring Service Discovery via .well-known](configuring-well-known.md) +- or [create your first user account](registering-users.md) +- or [check if services work](maintenance-checking-services.md) - or learn how to [upgrade your services when new versions are released](maintenance-upgrading-services.md) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 13cf89a5..dc6b91f8 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -6,12 +6,10 @@ - the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for version requirements or alternative ways to run Ansible. -- properly configured DNS SRV record for `` (details in [Configuring DNS](configuring-dns.md#configuring-dns) below) +- an HTTPS-capable web server at the base domain name (``) which is capable of serving static files -- `matrix.` domain name pointing to your new server - this is where the Matrix Synapse server will live (details in [Configuring DNS](configuring-dns.md#configuring-dns) below) - -- `riot.` domain name pointing to your new server - this is where the Riot web UI will live (details in [Configuring DNS](configuring-dns.md#configuring-dns) below) +- properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)) - some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (STUN over TCP), `3478/udp` (STUN over UDP), `8448/tcp` (Matrix federation HTTPS webserver), `49152-49172/udp` (TURN over UDP). -When ready to proceed, continue with [Configuring DNS](configuring-dns.md). \ No newline at end of file +When ready to proceed, continue with [Configuring DNS](configuring-dns.md). diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 7b14b4e1..b79f5038 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -161,7 +161,7 @@ matrix_mxisd_systemd_wanted_services_list: | # ###################################################################### -# By default, this playbook sets up a reverse-proxy nginx proxy server on port 80/443. +# By default, this playbook sets up a reverse-proxy nginx proxy server on TCP ports 80, 443 and 8448. # This is fine if you're dedicating the whole server to Matrix. # If that's not the case, you may wish to disable this and take care of proxying yourself. matrix_nginx_proxy_enabled: true @@ -181,6 +181,11 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled } matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" +# By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. +matrix_nginx_proxy_proxy_matrix_federation_api_enabled: true +matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" +matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:8048" + matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" @@ -272,9 +277,13 @@ matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}" matrix_synapse_trusted_third_party_id_servers: "{{ [hostname_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# the Client/Server API's port to the local host (`127.0.0.1:8008`). -matrix_synapse_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose its ports +# to the local host. +# +# For exposing the Matrix Client API's port (plain HTTP) to the local host (`127.0.0.1:8008`). +matrix_synapse_container_expose_client_api_port: "{{ not matrix_nginx_proxy_enabled }}" +# For exposing the Matrix Federation API's port (plain HTTP) to the local host (`127.0.0.1:8048`). +matrix_synapse_container_expose_federation_api_port: "{{ not matrix_nginx_proxy_enabled }}" matrix_synapse_container_expose_metrics_port: "{{ not matrix_nginx_proxy_enabled }}" @@ -283,6 +292,10 @@ matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}" matrix_synapse_database_password: "{{ matrix_postgres_connection_password }}" matrix_synapse_database_database: "{{ matrix_postgres_db_name }}" +# We do not enable TLS in Synapse by default. +# TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. +matrix_synapse_no_tls: true + matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" matrix_synapse_email_smtp_host: "matrix-mailer" matrix_synapse_email_smtp_port: 8025 diff --git a/roles/matrix-base/tasks/setup_well_known.yml b/roles/matrix-base/tasks/setup_well_known.yml index 8a24bd2f..70b91f77 100644 --- a/roles/matrix-base/tasks/setup_well_known.yml +++ b/roles/matrix-base/tasks/setup_well_known.yml @@ -12,10 +12,13 @@ with_items: - "{{ matrix_static_files_base_path }}/.well-known/matrix" -- name: Ensure Matrix /.well-known/matrix/client configured +- name: Ensure Matrix /.well-known/matrix files configured template: - src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2" - dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" + src: "{{ role_path }}/templates/static-files/well-known/matrix-{{ item }}.j2" + dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/{{ item }}" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" + with_items: + - "client" + - "server" diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 new file mode 100644 index 00000000..53ed8787 --- /dev/null +++ b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 @@ -0,0 +1,3 @@ +{ + "m.server": "{{ hostname_matrix }}:8448" +} diff --git a/roles/matrix-corporal/tasks/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml index aba53c3f..f1fd2d9b 100644 --- a/roles/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -36,6 +36,7 @@ mode: 0644 when: "matrix_corporal_enabled" + # # Tasks related to getting rid of matrix-corporal (if it was previously enabled) # diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index af3489ca..f9b3d745 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -57,8 +57,14 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008" # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25 +# Controls whether proxying for the Matrix Federation API should be done. +matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false +matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" +matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:8048" +matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb * 3 }}" + # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. -matrix_nginx_proxy_tmp_directory_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb * 50 }}" +matrix_nginx_proxy_tmp_directory_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb * 50 }}" # A list of strings containing additional configuration blocks to add to the matrix domain's server configuration. matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml index 7e38f8b2..93ac88da 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml @@ -1,65 +1,13 @@ --- -- set_fact: - well_known_url_matrix: "https://{{ hostname_matrix }}/.well-known/matrix/client" - well_known_url_identity: "https://{{ hostname_identity }}/.well-known/matrix/client" - -# These well-known files may be served without a `Content-Type: application/json` header, -# so we can't rely on the uri module's automatic parsing of JSON. -- name: Check .well-known on the matrix hostname - uri: - url: "{{ well_known_url_matrix }}" - follow_redirects: false - return_content: true - register: result_well_known_matrix - ignore_errors: true - -- name: Fail if .well-known not working on the matrix hostname - fail: - msg: "Failed checking that well-known is configured at `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}" - when: "result_well_known_matrix.failed" - -- name: Parse JSON for well-known payload at the matrix hostname - set_fact: - well_known_matrix_payload: "{{ result_well_known_matrix.content|from_json }}" - -- name: Fail if .well-known not CORS-aware on the matrix hostname - fail: - msg: "Well-known serving for `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set." - when: "'access_control_allow_origin' not in result_well_known_matrix" - -- name: Report working .well-known on the matrix hostname - debug: - msg: "well-known is configured correctly for `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)" - -- name: Check .well-known on the identity hostname - uri: - url: "{{ well_known_url_identity }}" - follow_redirects: false - return_content: true - register: result_well_known_identity - ignore_errors: true - -- name: Fail if .well-known not working on the identity hostname - fail: - msg: "Failed checking that well-known is configured at `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}" - when: "result_well_known_identity.failed" - -- name: Parse JSON for well-known payload at the identity hostname - set_fact: - well_known_identity_payload: "{{ result_well_known_identity.content|from_json }}" - -- name: Fail if .well-known not CORS-aware on the identity hostname - fail: - msg: "Well-known serving for `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md" - when: "'access_control_allow_origin' not in result_well_known_identity" - -# For people who manually copy the well-known file, try to detect if it's outdated -- name: Fail if well-known is different on matrix hostname and identity hostname - fail: - msg: "The well-known files at `{{ hostname_matrix }}` and `{{ hostname_identity }}` are different. Perhaps you copied the file manually before and now it's outdated?" - when: "well_known_matrix_payload != well_known_identity_payload" - -- name: Report working .well-known on the identity hostname - debug: - msg: "well-known is configured correctly for `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`)" +- name: Perform well-known checks + include_tasks: "{{ role_path }}/tasks/self_check_well_known_file.yml" + with_items: + - path: /.well-known/matrix/server + purpose: Server Discovery + cors: false + - path: /.well-known/matrix/client + purpose: Client Discovery + cors: true + loop_control: + loop_var: well_known_file_check diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml new file mode 100644 index 00000000..40161807 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml @@ -0,0 +1,65 @@ +--- + +- set_fact: + well_known_url_matrix: "https://{{ hostname_matrix }}{{ well_known_file_check.path }}" + well_known_url_identity: "https://{{ hostname_identity }}{{ well_known_file_check.path }}" + +# These well-known files may be served without a `Content-Type: application/json` header, +# so we can't rely on the uri module's automatic parsing of JSON. +- name: Check .well-known on the matrix hostname + uri: + url: "{{ well_known_url_matrix }}" + follow_redirects: false + return_content: true + register: result_well_known_matrix + ignore_errors: true + +- name: Fail if .well-known not working on the matrix hostname + fail: + msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}" + when: "result_well_known_matrix.failed" + +- name: Parse JSON for well-known payload at the matrix hostname + set_fact: + well_known_matrix_payload: "{{ result_well_known_matrix.content|from_json }}" + +- name: Fail if .well-known not CORS-aware on the matrix hostname + fail: + msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set." + when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_matrix" + +- name: Report working .well-known on the matrix hostname + debug: + msg: "well-known for {{ well_known_file_check.purpose }} is configured correctly for `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)" + +- name: Check .well-known on the identity hostname + uri: + url: "{{ well_known_url_identity }}" + follow_redirects: false + return_content: true + register: result_well_known_identity + ignore_errors: true + +- name: Fail if .well-known not working on the identity hostname + fail: + msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}" + when: "result_well_known_identity.failed" + +- name: Parse JSON for well-known payload at the identity hostname + set_fact: + well_known_identity_payload: "{{ result_well_known_identity.content|from_json }}" + +- name: Fail if .well-known not CORS-aware on the identity hostname + fail: + msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md" + when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_identity" + +# For people who manually copy the well-known file, try to detect if it's outdated +- name: Fail if well-known is different on matrix hostname and identity hostname + fail: + msg: "The well-known files for {{ well_known_file_check.purpose }} at `{{ hostname_matrix }}` and `{{ hostname_identity }}` are different. Perhaps you copied the file ({{ well_known_file_check.path }}) manually before and now it's outdated?" + when: "well_known_matrix_payload != well_known_identity_payload" + +- name: Report working .well-known on the identity hostname + debug: + msg: "well-known for {{ well_known_file_check.purpose }} ({{ well_known_file_check.path }}) is configured correctly for `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`)" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index a357e862..4786911a 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -39,7 +39,7 @@ server { ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; - location /.well-known/matrix/client { + location /.well-known/matrix { root {{ matrix_static_files_base_path }}; expires 1m; default_type application/json; @@ -101,6 +101,10 @@ server { {{- configuration_block }} {% endfor %} + {# + This handles the Matrix Client API only. + The Matrix Federation API is handled by a separate vhost. + #} location /_matrix { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} @@ -146,3 +150,43 @@ server { rewrite ^/$ /_matrix/static/ last; } } + +{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} +server { + listen 8448 ssl http2; + listen [::]:8448 ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; + + server_tokens off; + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + ssl_prefer_server_ciphers on; + ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index e04b9ae8..48a6441d 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -22,6 +22,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ --network={{ matrix_docker_network }} \ -p 80:8080 \ -p 443:8443 \ + {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} + -p 8448:8448 \ + {% endif %} -v {{ matrix_nginx_proxy_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ -v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \ diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 13273f78..d72fc2ec 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -8,7 +8,12 @@ matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" # Controls whether the Synapse container exposes the Client/Server API port (tcp/8008). -matrix_synapse_container_expose_client_server_api_port: false +matrix_synapse_container_expose_client_api_port: false + +# Controls whether the Synapse container exposes the Server/Server (Federation) API port (tcp/8048). +# This is for the plain HTTP API. If you need Synapse to handle TLS encryption, +# that would be on another port (tcp/8448) controlled by `matrix_synapse_tls_federation_listener_enabled`. +matrix_synapse_container_expose_federation_api_port: false # Controls whether the Appservice IRC container exposes the Client/Server API port (tcp/9999). matrix_appservice_irc_container_expose_client_server_api_port: false @@ -60,6 +65,17 @@ matrix_synapse_root_log_level: "INFO" matrix_synapse_rc_messages_per_second: 0.2 matrix_synapse_rc_message_burst_count: 10.0 +# If you're serving Synapse behind an HTTPS-capable reverse-proxy, +# you can disable TLS completely (`matrix_synapse_no_tls: true`). +# Otherwise, you would need to provide certificate files to it. +matrix_synapse_no_tls: false +# Controls whether the TLS federation listener is enabled (tcp/8448). +# Note that federation may potentially be enabled on tcp/8008 as well. +# Only makes sense if federation is not disabled (`matrix_synapse_federation_enabled`). +matrix_synapse_tls_federation_listener_enabled: "{{ not matrix_synapse_no_tls }}" +matrix_synapse_tls_certificate_path: "/data/{{ hostname_matrix }}.tls.crt" +matrix_synapse_tls_private_key_path: "/data/{{ hostname_matrix }}.tls.key" + # Enable this to allow Synapse to report utilization statistics about your server to matrix.org # (things like number of users, number of messages sent, uptime, load, etc.) matrix_synapse_report_stats: false @@ -95,6 +111,8 @@ matrix_synapse_cache_factor: 0.5 # Controls whether Matrix Synapse will federate at all. # Disable this to completely isolate your server from the rest of the Matrix network. +# Also see: `matrix_synapse_tls_federation_listener_enabled` if you wish to keep federation enabled, +# but want to stop the TLS listener (port 8448). matrix_synapse_federation_enabled: true # A list of domain names that are allowed to federate with the given Matrix Synapse server. diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index 57a296bc..4d2598af 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -58,6 +58,61 @@ dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" mode: 0644 +# +# To make Synapse 0.99 happy, we need to generate a valid (self-signed is OK) certificate file that we provide to it. +# It won't be used for anything important, but it needs to be there. +# See https://github.com/matrix-org/synapse/issues/4554 +# +# Previously, Synapse would generate such certificate files and actually use them. +# So existing installations already have them. +# + +- name: Check if Synapse certificate exists + stat: + path: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt" + register: matrix_synapse_certificate_stat + +- name: Ensure OpenSSL installed (RedHat) + yum: + name: + - openssl + state: present + update_cache: no + when: "not matrix_synapse_certificate_stat.stat.exists and ansible_os_family == 'RedHat'" + +- name: Ensure OpenSSL installed (Debian) + apt: + name: + - openssl + state: present + update_cache: no + when: "not matrix_synapse_certificate_stat.stat.exists and ansible_os_family == 'Debian'" + +# The proper way to do this is by using a sequence of +# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`. +# +# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work, +# which is not available on CentOS 7 (at least). +# +# We'll do it in a more manual way. +- name: Generate SSL certificate + command: | + openssl req -x509 \ + -sha256 \ + -newkey rsa:4096 \ + -nodes \ + -subj "/CN={{ hostname_matrix }}" \ + -keyout {{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key \ + -out {{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt \ + -days 3650 + become: true + become_user: "{{ matrix_user_username }}" + when: "not matrix_synapse_certificate_stat.stat.exists" + +# +# End of tasks related to making Synapse 0.99 happy. +# + - name: Ensure matrix-synapse.service installed template: src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2" diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index e1454bfa..2f86e676 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -6,4 +6,14 @@ You need to define a required configuration setting (`{{ item }}`) for using Synapse. when: "vars[item] == ''" with_items: - - "matrix_synapse_macaroon_secret_key" \ No newline at end of file + - "matrix_synapse_macaroon_secret_key" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: > + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_synapse_container_expose_api_port', 'new': 'matrix_synapse_container_expose_client_api_port'} + diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 2cca864e..8570c92f 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1,19 +1,70 @@ # vim:ft=yaml -# PEM encoded X509 certificate for TLS. -# You can replace the self-signed certificate that synapse -# autogenerates on launch with your own SSL certificate + key pair -# if you like. Any required intermediary certificates can be -# appended after the primary certificate in hierarchical order. -tls_certificate_path: "/data/{{ hostname_matrix }}.tls.crt" +# PEM-encoded X509 certificate for TLS. +# This certificate, as of Synapse 1.0, will need to be a valid and verifiable +# certificate, signed by a recognised Certificate Authority. +# +# See 'ACME support' below to enable auto-provisioning this certificate via +# Let's Encrypt. +# +tls_certificate_path: "{{ matrix_synapse_tls_certificate_path }}" + +# PEM-encoded private key for TLS +tls_private_key_path: "{{ matrix_synapse_tls_private_key_path }}" + +# ACME support: This will configure Synapse to request a valid TLS certificate +# for your configured `server_name` via Let's Encrypt. +# +# Note that provisioning a certificate in this way requires port 80 to be +# routed to Synapse so that it can complete the http-01 ACME challenge. +# By default, if you enable ACME support, Synapse will attempt to listen on +# port 80 for incoming http-01 challenges - however, this will likely fail +# with 'Permission denied' or a similar error. +# +# There are a couple of potential solutions to this: +# +# * If you already have an Apache, Nginx, or similar listening on port 80, +# you can configure Synapse to use an alternate port, and have your web +# server forward the requests. For example, assuming you set 'port: 8009' +# below, on Apache, you would write: +# +# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge +# +# * Alternatively, you can use something like `authbind` to give Synapse +# permission to listen on port 80. +# +acme: + # ACME support is disabled by default. Uncomment the following line + # to enable it. + # + # enabled: true + + # Endpoint to use to request certificates. If you only want to test, + # use Let's Encrypt's staging url: + # https://acme-staging.api.letsencrypt.org/directory + # + # url: https://acme-v01.api.letsencrypt.org/directory -# PEM encoded private key for TLS -tls_private_key_path: "/data/{{ hostname_matrix }}.tls.key" + # Port number to listen on for the HTTP-01 challenge. Change this if + # you are forwarding connections through Apache/Nginx/etc. + # + # port: 80 -# PEM dh parameters for ephemeral keys -tls_dh_params_path: "/data/{{ hostname_matrix }}.tls.dh" + # Local addresses to listen on for incoming connections. + # Again, you may want to change this if you are forwarding connections + # through Apache/Nginx/etc. + # + # bind_addresses: ['::', '0.0.0.0'] -# Don't bind to the https port -no_tls: False + # How many days remaining on a certificate before it is renewed. + # + # reprovision_threshold: 30 + +# If your server runs behind a reverse-proxy which terminates TLS connections +# (for both client and federation connections), it may be useful to disable +# All TLS support for incoming connections. Setting no_tls to True will +# do so (and avoid the need to give synapse a TLS private key). +# +no_tls: {{ matrix_synapse_no_tls|to_json }} # List of allowed TLS fingerprints for this server to publish along # with the signing keys for this server. Other matrix servers that @@ -133,7 +184,8 @@ listeners: bind_addresses: - '0.0.0.0' {% endif %} -{% if matrix_synapse_federation_enabled %} + +{% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %} # Main HTTPS listener # For when matrix traffic is sent directly to synapse. - @@ -168,7 +220,7 @@ listeners: # config: {} {% endif %} - # Unsecure HTTP listener, + # Unsecure HTTP listener for the Client API, # For when matrix traffic passes through loadbalancer that unwraps TLS. - port: 8008 tls: false @@ -181,6 +233,21 @@ listeners: - names: [client] compress: false +{% if matrix_synapse_federation_enabled %} + # Unsecure HTTP listener for the Federation API, + # For when matrix traffic passes through loadbalancer that unwraps TLS. + - port: 8048 + tls: false + bind_addresses: ['::'] + type: http + + x_forwarded: true + + resources: + - names: [federation] + compress: false +{% endif %} + # Turn on the twisted ssh manhole service on localhost on the given # port. # - port: 9000 diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 9ba918d6..9d12d5f3 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -28,11 +28,14 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ --network={{ matrix_docker_network }} \ -e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \ - {% if matrix_synapse_federation_enabled %} + {% if matrix_synapse_container_expose_client_api_port %} + -p 127.0.0.1:8008:8008 \ + {% endif %} + {% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %} -p 8448:8448 \ {% endif %} - {% if matrix_synapse_container_expose_client_server_api_port %} - -p 127.0.0.1:8008:8008 \ + {% if matrix_synapse_federation_enabled and matrix_synapse_container_expose_federation_api_port %} + -p 127.0.0.1:8048:8048 \ {% endif %} {% if matrix_synapse_container_expose_metrics_port %} -p 127.0.0.1:{{ matrix_synapse_metrics_port }}:{{ matrix_synapse_metrics_port }} \ From 74710427e583b868494128f68e7516541c5f68c1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Feb 2019 11:49:59 +0200 Subject: [PATCH 0342/2384] Allow for the federation port (tcp/8448)'s certificate to be changed If someone decides to not use `/.well-known/matrix/server` and only relies on SRV records, then they would need to serve tcp/8448 using a certificate for the base domain (not for the matrix) domain. Until now, they could do that by giving the certificate to Synapse and setting it terminate TLS. That makes swapping certificates more annoying (Synapse requires a restart to re-read certificates), so it's better if we can support it via matrix-nginx-proxy. Mounting certificates (or any other file) into the matrix-nginx-proxy container can be done with `matrix_nginx_proxy_container_additional_volumes`, introduced in 96afbbb5a. --- roles/matrix-nginx-proxy/defaults/main.yml | 2 ++ .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index f9b3d745..30a41cb8 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -62,6 +62,8 @@ matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:8048" matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb * 3 }}" +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem" +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem" # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_nginx_proxy_tmp_directory_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb * 50 }}" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 4786911a..c618f789 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -164,8 +164,8 @@ server { gzip on; gzip_types text/plain application/json; - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; + ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; + ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; From 764a040a90f049a763210dd30a0c27990c77efd7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Feb 2019 12:08:00 +0200 Subject: [PATCH 0343/2384] Make /.well-known/matrix/server optional People who wish to rely on SRV records can prevent the `/.well-known/matrix/server` file from being generated (and thus, served.. which causes trouble). --- roles/matrix-base/defaults/main.yml | 8 ++++++ roles/matrix-base/tasks/setup_well_known.yml | 24 ++++++++++++----- .../tasks/self_check_well_known.yml | 27 ++++++++++++++----- 3 files changed, 46 insertions(+), 13 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 3f3d7f06..f86cf2f1 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -28,6 +28,14 @@ matrix_identity_server_url: ~ # The Docker network that all services would be put into matrix_docker_network: "matrix" +# Controls whether a `/.well-known/matrix/server` file is generated and used at all. +# +# If you wish to rely on DNS SRV records only, you can disable this. +# That implies that you'll be handling Matrix Federation API traffic (tcp/8448) +# using certificates for the base domain (`hostname_identity`) and not for the +# matrix domain (`hostname_matrix`). +matrix_well_known_matrix_server_enabled: true + # Variables to Control which parts of our roles run. run_setup: true run_import_postgres: true diff --git a/roles/matrix-base/tasks/setup_well_known.yml b/roles/matrix-base/tasks/setup_well_known.yml index 70b91f77..06e62617 100644 --- a/roles/matrix-base/tasks/setup_well_known.yml +++ b/roles/matrix-base/tasks/setup_well_known.yml @@ -12,13 +12,25 @@ with_items: - "{{ matrix_static_files_base_path }}/.well-known/matrix" -- name: Ensure Matrix /.well-known/matrix files configured +- name: Ensure Matrix /.well-known/matrix/client file configured template: - src: "{{ role_path }}/templates/static-files/well-known/matrix-{{ item }}.j2" - dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/{{ item }}" + src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2" + dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" - with_items: - - "client" - - "server" + +- name: Ensure Matrix /.well-known/matrix/server file configured + template: + src: "{{ role_path }}/templates/static-files/well-known/matrix-server.j2" + dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: matrix_well_known_matrix_server_enabled + +- name: Ensure Matrix /.well-known/matrix/server file deleted + file: + path: "{{ matrix_static_files_base_path }}/.well-known/matrix/server" + state: absent + when: "not matrix_well_known_matrix_server_enabled" diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml index 93ac88da..d12e3fd3 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml @@ -1,13 +1,26 @@ --- +- name: Determine well-known files to check (Matrix) + set_fact: + well_known_file_checks: + - path: /.well-known/matrix/client + purpose: Client Discovery + cors: true + +- block: + - set_fact: + well_known_file_check_matrix_server: + path: /.well-known/matrix/server + purpose: Server Discovery + cors: false + + - name: Determine domains that we require certificates for (mxisd) + set_fact: + well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}" + when: "matrix_well_known_matrix_server_enabled" + - name: Perform well-known checks include_tasks: "{{ role_path }}/tasks/self_check_well_known_file.yml" - with_items: - - path: /.well-known/matrix/server - purpose: Server Discovery - cors: false - - path: /.well-known/matrix/client - purpose: Client Discovery - cors: true + with_items: "{{ well_known_file_checks }}" loop_control: loop_var: well_known_file_check From b5404279742fbfcd44f2d027b58725f3a11384db Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Feb 2019 12:54:27 +0200 Subject: [PATCH 0344/2384] Mention alternative ways to do Server Delegation --- docs/howto-server-delegation.md | 131 ++++++++++++++++++++++++++++++++ docs/prerequisites.md | 2 +- 2 files changed, 132 insertions(+), 1 deletion(-) create mode 100644 docs/howto-server-delegation.md diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md new file mode 100644 index 00000000..29d57082 --- /dev/null +++ b/docs/howto-server-delegation.md @@ -0,0 +1,131 @@ +# Server Delegation + +To have a server on a subdomain (e.g. `matrix.`) handle Matrix federation traffic for the base domain (``), we need to instruct the Matrix network of such a delegation. + +By default, this playbook guides you into setting up [Server Delegation via a well-known file](#server-delegation-via-a-well-known-file). +However, that method may have some downsides that are not to your liking. Hence this guide about alternative ways to set up Server Delegation. + +It is a complicated matter, so unless you are affected by the [Downsides of well-known-based Server Delegation](#downsides-of-well-known-based-server-delegation), we suggest you stay on the simple/default path. + + +## Server Delegation via a well-known file + +Serving a `/.well-known/matrix/server` file from the base domain is the most straightforward way to set up server delegation, but it suffers from the following problems: + +As we already mention in [Configuring DNS](configuring-dns.md) and [Configuring Service Discovery via .well-known](configuring-well-known.md), +this playbook already properly guides you into setting up such delegation by means of a `/.well-known/matrix/server` file served from the base domain (``). + +If this is okay with you, feel free to not read ahead. + + +### Downsides of well-known-based Server Delegation + +Server Delegation by means of a `/.well-known/matrix/server` file is the most straightforward, but suffers from the following downsides: + +- you need to have a working HTTPS server for the base domain (``) + +- any downtime on the base domain (``) or network trouble between the matrix subdomain (`matrix.`) and the base `` may cause Matrix Federation outages. As the [Server-Server spec says](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery): + +> Errors are recommended to be cached for up to an hour, and servers are encouraged to exponentially back off for repeated failures. + +If this is not a concern for you, feel free to not read ahead. + +Otherwise, you can decide to go against the default for this playbook, and instead set up [Server Delegation via a DNS SRV record (advanced)](#server-delegation-via-a-dns-serv-record-advanced). + + +## Server Delegation via a DNS SRV record (advanced) + +**NOTE**: doing Server Delegation via a DNS SRV record is a more advanced way to do it and is not the default for this playbook. + +As per the [Server-Server spec](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery), it's possible to do Server Delegation using only a SRV record (without a `/.well-known/matrix/server` file). + +This prevents you from suffering the [Downsides of well-known-based Server Delegation](#downsides-of-well-known-based-server-delegation). + +To use DNS SRV record validation, you need to: + +- ensure that no `/.well-known/matrix/server` is served from the base domain, as that would interfere with DNS SRV record Server Delegation. To make the playbook **not** generate and serve the file, use the following configuration: `matrix_well_known_matrix_server_enabled: false`. + +- ensure that you have a `_matrix._tcp` DNS SRV record for your base domain (``) with a value of `10 0 8448 matrix.` + +- ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `` (not `matrix.`!). See below. + + +### Obtaining certificates + +How you can obtain a valid certificate for `` on the `matrix.` server is up to you. + +If `` and `matrix.` is the same machine, you can let the playbook obtain the certificate for you by redefining the `matrix_ssl_domains_to_obtain_certificates_for` variable. Example: + +```yaml +matrix_ssl_domains_to_obtain_certificates_for: + - '{{ hostname_matrix }}' + - '{{ hostname_riot }}' + - '{{ hostname_identity }}' +``` + +This way, the playbook would obtain certificates for your base domain as well (referred to by the `hostname_identity` variable). +The certificate files would be available in `/matrix/ssl/config/live//...`. + +If `` and `matrix.` are not the same machine, you can copy over the certificate files manually. +If they get renewed automatically, you may also have to transfer them periodically. How often you do that is up to you, as long as the certificate files don't expire. + + +### Serving the Federation API with your certificates + +Regardless of which method for obtaining certificates you've used, once you've managed to get certificates for your base domain onto the `matrix.` machine you can put them to use. + + +### Serving the Federation API with your certificates and matrix-nginx-proxy + +**If you are using matrix-nginx-proxy**, a reverse-proxy webserver used by default in this playbook, you only need to override the certificates used for the Matrix Federation API. You can do that using: + +```yaml +# Adjust paths below to point to your certificate. +# +# NOTE: these are in-container paths. `/matrix/ssl` on the host is mounted into the container +# at the same path (`/matrix/ssl`) by default, so if that's the path you need, it would be seamless. +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: /matrix/ssl/config/live//fullchain.pem +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/config/live//privkey.pem +``` + +If your files are not in `/matrix/ssl` but in some other location, you would need to mount them into the container: + +```yaml +matrix_nginx_proxy_container_additional_volumes: + - src: /some/path/on/the/host + dst: /some/path/inside/the/container + options: ro +``` + +You then refer to them (for `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate` and `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key`) by using `/some/path/inside/the/container`. + + +### Serving the Federation API with your certificates and another webserver + +**If you are NOT using matrix-nginx-proxy**, but rather some other webserver, you can set up reverse-proxying for the `tcp/8448` port by yourself. +Make sure to use the proper certificates for `` (not for `matrix.`) when serving the `tcp/8448` port. + +Proxying needs to happen to `127.0.0.1:8048` (unencrypted Synapse federation listener). + + +### Serving the Federation API with your certificates and Synapse handling Federation + +**Alternatively**, if you are **NOT using matrix-nginx-proxy** and **would rather not use your own webserver for Federation traffic**, you can let Synapse handle Federation by itself. + +To do that, make sure the certificate files are mounted into the Synapse container: + +```yaml +matrix_synapse_container_additional_volumes: + - src: /some/path/on/the/host + dst: /some/path/inside/the/container + options: ro +``` + +You can then tell Synapse to serve Federation traffic over TLS on `tcp/8448`: + +```yaml +matrix_synapse_no_tls: false +matrix_synapse_tls_federation_listener_enabled: true +matrix_synapse_tls_certificate_path: /some/path/inside/the/container/certificate.crt +matrix_synapse_tls_private_key_path: /some/path/inside/the/container/private.key +``` diff --git a/docs/prerequisites.md b/docs/prerequisites.md index dc6b91f8..4d8aa20c 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -6,7 +6,7 @@ - the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for version requirements or alternative ways to run Ansible. -- an HTTPS-capable web server at the base domain name (``) which is capable of serving static files +- an HTTPS-capable web server at the base domain name (``) which is capable of serving static files (unless you decide to use DNS SRV records for [Server Delegation](howto-server-delegation.md)) - properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)) From 119016e8589c2e6477c1224a146318f76d7b368f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Feb 2019 13:06:17 +0200 Subject: [PATCH 0345/2384] Cache /.well-known/matrix files for longer --- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index c618f789..17f67696 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -41,7 +41,12 @@ server { location /.well-known/matrix { root {{ matrix_static_files_base_path }}; - expires 1m; + {# + A somewhat long expires value is used to prevent outages + in case this is unreachable due to network failure or + due to the base domain's server completely dying. + #} + expires 4h; default_type application/json; add_header Access-Control-Allow-Origin *; } From 738c592c274ce662580160a45f9e793f8fd0eb0d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Feb 2019 13:33:39 +0200 Subject: [PATCH 0346/2384] Bump Synapse version (0.34.1.1 -> 0.99.0rc4) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d72fc2ec..af5fa68a 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.34.1.1-py3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.0rc4-py3" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" From 772154f3b907cd2ce0b9b660a29aa31b93ccbbf3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Feb 2019 13:38:20 +0200 Subject: [PATCH 0347/2384] Update Server Delegation docs a bit --- docs/howto-server-delegation.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index 29d57082..dae7c6cf 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -99,6 +99,9 @@ matrix_nginx_proxy_container_additional_volumes: You then refer to them (for `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate` and `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key`) by using `/some/path/inside/the/container`. +Make sure to reload matrix-nginx-proxy once in a while (`systemctl reload matrix-nginx-proxy`), so that newer certificates can kick in. +Reloading doesn't cause any downtime. + ### Serving the Federation API with your certificates and another webserver @@ -107,6 +110,8 @@ Make sure to use the proper certificates for `` (not for `matrix. Date: Tue, 5 Feb 2019 14:02:01 +0200 Subject: [PATCH 0348/2384] Remove some useless homeserver.yaml configuration --- .../templates/synapse/homeserver.yaml.j2 | 29 ------------------- 1 file changed, 29 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 8570c92f..d52ba1ab 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -66,35 +66,6 @@ acme: # no_tls: {{ matrix_synapse_no_tls|to_json }} -# List of allowed TLS fingerprints for this server to publish along -# with the signing keys for this server. Other matrix servers that -# make HTTPS requests to this server will check that the TLS -# certificates returned by this server match one of the fingerprints. -# -# Synapse automatically adds the fingerprint of its own certificate -# to the list. So if federation traffic is handled directly by synapse -# then no modification to the list is required. -# -# If synapse is run behind a load balancer that handles the TLS then it -# will be necessary to add the fingerprints of the certificates used by -# the loadbalancers to this list if they are different to the one -# synapse is using. -# -# Homeservers are permitted to cache the list of TLS fingerprints -# returned in the key responses up to the "valid_until_ts" returned in -# key. It may be necessary to publish the fingerprints of a new -# certificate and wait until the "valid_until_ts" of the previous key -# responses have passed before deploying it. -# -# You can calculate a fingerprint from a given TLS listener via: -# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | -# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' -# or by checking matrix.org/federationtester/api/report?server_name=$host -# -tls_fingerprints: [] -# tls_fingerprints: [{"sha256": ""}] - - ## Server ## # The domain name of the server, with optional explicit port. From 40f3793af702cba03e8aba10ad0672856978484f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Feb 2019 09:17:55 +0200 Subject: [PATCH 0349/2384] Upgrade Synapse to v0.99 and simplify dummy TLS cert logic --- group_vars/matrix-servers | 5 ++ roles/matrix-synapse/defaults/main.yml | 2 +- .../tasks/setup_synapse_main.yml | 55 ------------------- 3 files changed, 6 insertions(+), 56 deletions(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index b79f5038..597a6a89 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -295,6 +295,11 @@ matrix_synapse_database_database: "{{ matrix_postgres_db_name }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. matrix_synapse_no_tls: true +# Even though we don't do TLS at the Synapse side, Synapse v0.99 would still like to read +# some certificate file. The container contains a dummy certificate that could be used +# to prevent certificate file reading errors. It won't actually be used for anything else. +# See https://github.com/matrix-org/synapse/issues/4554 +matrix_synapse_tls_certificate_path: /conf/dummy.tls.crt matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" matrix_synapse_email_smtp_host: "matrix-mailer" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index af5fa68a..96825f94 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.0rc4-py3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.0-py3" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index 4d2598af..57a296bc 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -58,61 +58,6 @@ dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" mode: 0644 -# -# To make Synapse 0.99 happy, we need to generate a valid (self-signed is OK) certificate file that we provide to it. -# It won't be used for anything important, but it needs to be there. -# See https://github.com/matrix-org/synapse/issues/4554 -# -# Previously, Synapse would generate such certificate files and actually use them. -# So existing installations already have them. -# - -- name: Check if Synapse certificate exists - stat: - path: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt" - register: matrix_synapse_certificate_stat - -- name: Ensure OpenSSL installed (RedHat) - yum: - name: - - openssl - state: present - update_cache: no - when: "not matrix_synapse_certificate_stat.stat.exists and ansible_os_family == 'RedHat'" - -- name: Ensure OpenSSL installed (Debian) - apt: - name: - - openssl - state: present - update_cache: no - when: "not matrix_synapse_certificate_stat.stat.exists and ansible_os_family == 'Debian'" - -# The proper way to do this is by using a sequence of -# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`. -# -# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work, -# which is not available on CentOS 7 (at least). -# -# We'll do it in a more manual way. -- name: Generate SSL certificate - command: | - openssl req -x509 \ - -sha256 \ - -newkey rsa:4096 \ - -nodes \ - -subj "/CN={{ hostname_matrix }}" \ - -keyout {{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key \ - -out {{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt \ - -days 3650 - become: true - become_user: "{{ matrix_user_username }}" - when: "not matrix_synapse_certificate_stat.stat.exists" - -# -# End of tasks related to making Synapse 0.99 happy. -# - - name: Ensure matrix-synapse.service installed template: src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2" From 91a757c5811c11552b6a466e47556d6673fed730 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Feb 2019 09:25:13 +0200 Subject: [PATCH 0350/2384] Add support for reloading Synapse --- docs/howto-server-delegation.md | 3 ++- .../templates/synapse/systemd/matrix-synapse.service.j2 | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index dae7c6cf..fd151eb1 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -135,4 +135,5 @@ matrix_synapse_tls_certificate_path: /some/path/inside/the/container/certificate matrix_synapse_tls_private_key_path: /some/path/inside/the/container/private.key ``` -Every once in a while (before the certificates expire), you'll need to completely restart Synapse (unless [Synapse becomes capable of reloading certificates without restarting - issue #1180](https://github.com/matrix-org/synapse/issues/1180)). Restarting Synapse can be done like this: `systemctl restart matrix-synapse`. Restarting causes some downtime. +Make sure to reload Synapse once in a while (`systemctl reload matrix-synapse`), so that newer certificates can kick in. +Reloading doesn't cause any downtime. diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 9d12d5f3..f11e99d4 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -51,6 +51,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ ExecStop=-/usr/bin/docker kill matrix-synapse ExecStop=-/usr/bin/docker rm matrix-synapse +ExecReload=/usr/bin/docker exec matrix-synapse kill -HUP 1 Restart=always RestartSec=30 From 5148f8edf4c95986703d840c4b5676f2be84f49f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Feb 2019 09:36:03 +0200 Subject: [PATCH 0351/2384] Update docs --- docs/configuring-dns.md | 14 ++++++++++++++ docs/prerequisites.md | 2 +- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 16bc4436..5a49878d 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -5,6 +5,20 @@ To set up Matrix on your domain, you'd need to do some DNS configuration. To use an identifier like `@:`, you don't actually need to install anything on the actual `` server. +You do, however need to instruct the Matrix network that Matrix services for `` are delegated +over to `matrix.`. +As we discuss in [Server Delegation](howto-server-delegation.md), there are 2 different ways to set up such delegation: + +- using a `https:///.well-known/matrix/server` file (on the base domain!) +- using DNS SRV records + +This playbook mostly discusses the well-known file method, because it's easier to manage with regard to certificates. +If you decide to go with the alternative method ([Server Delegation via a DNS SRV record (advanced)](howto-server-delegation.md#server-delegation-via-a-dns-serv-record-advanced)), please be aware that the general flow that this playbook guides you through may not match what you need to do. + +To make matters worse, for backward compatibility until the Synapse server reaches v1.0, you need to set up a DNS SRV record anyway. +So don't be confused if the general flow of this playbook asks you for both DNS SRV records and for setting up a well-known file. +It's a temporary requirement during the Synapse v0.99/v1.0 transition. + ## General outline of DNS settings you need to do diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 4d8aa20c..59e6c83d 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -10,6 +10,6 @@ - properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)) -- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (STUN over TCP), `3478/udp` (STUN over UDP), `8448/tcp` (Matrix federation HTTPS webserver), `49152-49172/udp` (TURN over UDP). +- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (STUN over TCP), `3478/udp` (STUN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), `49152-49172/udp` (TURN over UDP). When ready to proceed, continue with [Configuring DNS](configuring-dns.md). From 241a4f9ef906714c9a7d52968cc701680e70a195 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Feb 2019 12:57:33 +0200 Subject: [PATCH 0352/2384] Add changelog entry for Synapse v0.99 --- CHANGELOG.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 72bd2c53..a0bb8762 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,21 @@ +# 2019-02-06 + +## Synapse v0.99 support and preparation for Synapse v1.0 + +Matrix is undergoing a lot of changes as it matures towards Synapse v1.0. +The first step is the Synapse v0.99 transitional release, which this playbook now supports. + +If you've been using this playbook successfully until now, you'd be aware that we've been doing [Server Delegation](docs/howto-server-delegation.md) using a `_matrix._tcp` DNS SRV record (as per [Configuring DNS](docs/configuring-dns.md)). + +Due to changes related to certificate file requirements that will affect us at Synapse v1.0, we'll have to stop using a **`_matrix._tcp` DNS SRV record in the future** (when Synapse goes to v1.0 - around 5th of March 2019). We **still need to keep the SRV record for now**, for backward compatibility with older Synapse versions (lower than v0.99). + +**What you need to do now** is make use of this transitional Synapse v0.99 release to **prepare your federation settings for the future**. You have 2 choices to prepare yourself for compatibility with the future Synapse v1.0: + +- (recommended) set up [Server Delegation via a well-known file](docs/howto-server-delegation.md#server-delegation-via-a-well-known-file), unless you are affected by the [Downsides of well-known-based Server Delegation](docs/howto-server-delegation.md#downsides-of-well-known-based-server-delegation). After some time, when most people have upgraded to Synapse v0.99 and older releases have disappeared, be prepared to drop your `_matrix._tcp` SRV record. + +- (more advanced) if the [Downsides of well-known-based Server Delegation](docs/howto-server-delegation.md#downsides-of-well-known-based-server-delegation) are not to your liking, **as an alternative**, you can set up [Server Delegation via a DNS SRV record](docs/howto-server-delegation.md#server-delegation-via-a-dns-serv-record-advanced). In such a case, you get to keep using your existing `_matrix._tcp` DNS SRV record forever and need to NOT set up a `/.well-known/matrix/server` file. Don't forget that you need to do certificate changes though. Follow the guide at [Server Delegation via a DNS SRV record](docs/howto-server-delegation.md#server-delegation-via-a-dns-serv-record-advanced). + + # 2019-02-01 ## TLS v1.3 support From 33726cdb0898d6dd5b8d004682a4e00382899efe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Feb 2019 13:02:17 +0200 Subject: [PATCH 0353/2384] Fix anchor --- CHANGELOG.md | 2 +- docs/configuring-dns.md | 2 +- docs/howto-server-delegation.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a0bb8762..210d18bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,7 @@ Due to changes related to certificate file requirements that will affect us at S - (recommended) set up [Server Delegation via a well-known file](docs/howto-server-delegation.md#server-delegation-via-a-well-known-file), unless you are affected by the [Downsides of well-known-based Server Delegation](docs/howto-server-delegation.md#downsides-of-well-known-based-server-delegation). After some time, when most people have upgraded to Synapse v0.99 and older releases have disappeared, be prepared to drop your `_matrix._tcp` SRV record. -- (more advanced) if the [Downsides of well-known-based Server Delegation](docs/howto-server-delegation.md#downsides-of-well-known-based-server-delegation) are not to your liking, **as an alternative**, you can set up [Server Delegation via a DNS SRV record](docs/howto-server-delegation.md#server-delegation-via-a-dns-serv-record-advanced). In such a case, you get to keep using your existing `_matrix._tcp` DNS SRV record forever and need to NOT set up a `/.well-known/matrix/server` file. Don't forget that you need to do certificate changes though. Follow the guide at [Server Delegation via a DNS SRV record](docs/howto-server-delegation.md#server-delegation-via-a-dns-serv-record-advanced). +- (more advanced) if the [Downsides of well-known-based Server Delegation](docs/howto-server-delegation.md#downsides-of-well-known-based-server-delegation) are not to your liking, **as an alternative**, you can set up [Server Delegation via a DNS SRV record](docs/howto-server-delegation.md#server-delegation-via-a-dns-srv-record-advanced). In such a case, you get to keep using your existing `_matrix._tcp` DNS SRV record forever and need to NOT set up a `/.well-known/matrix/server` file. Don't forget that you need to do certificate changes though. Follow the guide at [Server Delegation via a DNS SRV record](docs/howto-server-delegation.md#server-delegation-via-a-dns-srv-record-advanced). # 2019-02-01 diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 5a49878d..cdb54090 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -13,7 +13,7 @@ As we discuss in [Server Delegation](howto-server-delegation.md), there are 2 di - using DNS SRV records This playbook mostly discusses the well-known file method, because it's easier to manage with regard to certificates. -If you decide to go with the alternative method ([Server Delegation via a DNS SRV record (advanced)](howto-server-delegation.md#server-delegation-via-a-dns-serv-record-advanced)), please be aware that the general flow that this playbook guides you through may not match what you need to do. +If you decide to go with the alternative method ([Server Delegation via a DNS SRV record (advanced)](howto-server-delegation.md#server-delegation-via-a-dns-srv-record-advanced)), please be aware that the general flow that this playbook guides you through may not match what you need to do. To make matters worse, for backward compatibility until the Synapse server reaches v1.0, you need to set up a DNS SRV record anyway. So don't be confused if the general flow of this playbook asks you for both DNS SRV records and for setting up a well-known file. diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index fd151eb1..1a338555 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -30,7 +30,7 @@ Server Delegation by means of a `/.well-known/matrix/server` file is the most st If this is not a concern for you, feel free to not read ahead. -Otherwise, you can decide to go against the default for this playbook, and instead set up [Server Delegation via a DNS SRV record (advanced)](#server-delegation-via-a-dns-serv-record-advanced). +Otherwise, you can decide to go against the default for this playbook, and instead set up [Server Delegation via a DNS SRV record (advanced)](#server-delegation-via-a-dns-srv-record-advanced). ## Server Delegation via a DNS SRV record (advanced) From 92aa5bfa2de6b18c702bba316050bc962befe73c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Feb 2019 13:03:23 +0200 Subject: [PATCH 0354/2384] Fix YAML indentation on documentation page --- docs/howto-server-delegation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index 1a338555..912fe6fa 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -94,7 +94,7 @@ If your files are not in `/matrix/ssl` but in some other location, you would nee matrix_nginx_proxy_container_additional_volumes: - src: /some/path/on/the/host dst: /some/path/inside/the/container - options: ro + options: ro ``` You then refer to them (for `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate` and `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key`) by using `/some/path/inside/the/container`. From e9cfcb8429b323856cf0f14738ba06282e7dbb3b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Feb 2019 13:04:19 +0200 Subject: [PATCH 0355/2384] Fix another YAML indentation problem on documentation page --- docs/howto-server-delegation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index 912fe6fa..475ed0e3 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -123,7 +123,7 @@ To do that, make sure the certificate files are mounted into the Synapse contain matrix_synapse_container_additional_volumes: - src: /some/path/on/the/host dst: /some/path/inside/the/container - options: ro + options: ro ``` You can then tell Synapse to serve Federation traffic over TLS on `tcp/8448`: From ef903fe544398e04f4f247e7146457fae2a7d8ae Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Feb 2019 13:30:24 +0200 Subject: [PATCH 0356/2384] Add some quick links --- docs/howto-server-delegation.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index 475ed0e3..aa9b0f95 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -74,6 +74,14 @@ If they get renewed automatically, you may also have to transfer them periodical Regardless of which method for obtaining certificates you've used, once you've managed to get certificates for your base domain onto the `matrix.` machine you can put them to use. +Based on your setup, you have different ways to go about it: + +- [Serving the Federation API with your certificates and matrix-nginx-proxy](#serving-the-federation-api-with-your-certificates-and-matrix-nginx-proxy) + +- [Serving the Federation API with your certificates and another webserver](#serving-the-federation-api-with-your-certificates-and-another-webserver) + +- [Serving the Federation API with your certificates and Synapse handling Federation](#serving-the-federation-api-with-your-certificates-and-synapse-handling-federation) + ### Serving the Federation API with your certificates and matrix-nginx-proxy From fd4bd204e1f2ef376dc259c03634c7601e0cae1b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Feb 2019 14:02:10 +0200 Subject: [PATCH 0357/2384] Improve changelog entry --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 210d18bd..1b2083d6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,7 +11,7 @@ Due to changes related to certificate file requirements that will affect us at S **What you need to do now** is make use of this transitional Synapse v0.99 release to **prepare your federation settings for the future**. You have 2 choices to prepare yourself for compatibility with the future Synapse v1.0: -- (recommended) set up [Server Delegation via a well-known file](docs/howto-server-delegation.md#server-delegation-via-a-well-known-file), unless you are affected by the [Downsides of well-known-based Server Delegation](docs/howto-server-delegation.md#downsides-of-well-known-based-server-delegation). After some time, when most people have upgraded to Synapse v0.99 and older releases have disappeared, be prepared to drop your `_matrix._tcp` SRV record. +- (recommended) set up [Server Delegation via a well-known file](docs/howto-server-delegation.md#server-delegation-via-a-well-known-file), unless you are affected by the [Downsides of well-known-based Server Delegation](docs/howto-server-delegation.md#downsides-of-well-known-based-server-delegation). If you had previously set up the well-known `client` file, depending on how you've done it, it may be that there is nothing new required of you (besides [upgrading](docs/maintenance-upgrading-services.md)). After upgrading, you can [run a self-check](docs/maintenance-checking-services.md), which will tell you if you need to do anything extra with regard to setting up [Server Delegation via a well-known file](docs/howto-server-delegation.md#server-delegation-via-a-well-known-file). After some time, when most people have upgraded to Synapse v0.99 and older releases have disappeared, be prepared to drop your `_matrix._tcp` SRV record. - (more advanced) if the [Downsides of well-known-based Server Delegation](docs/howto-server-delegation.md#downsides-of-well-known-based-server-delegation) are not to your liking, **as an alternative**, you can set up [Server Delegation via a DNS SRV record](docs/howto-server-delegation.md#server-delegation-via-a-dns-srv-record-advanced). In such a case, you get to keep using your existing `_matrix._tcp` DNS SRV record forever and need to NOT set up a `/.well-known/matrix/server` file. Don't forget that you need to do certificate changes though. Follow the guide at [Server Delegation via a DNS SRV record](docs/howto-server-delegation.md#server-delegation-via-a-dns-srv-record-advanced). From 536c85619f0d0f4daeac120134a3e76c5cbd4703 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Feb 2019 14:24:10 +0200 Subject: [PATCH 0358/2384] Bind metrics on :: too For consistency with all our other listeners, we make this one bind on the `::` address too (both IPv4 and IPv6). Additional details are in #91 (Github Pull Request). --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index d52ba1ab..647bbfce 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -152,8 +152,7 @@ listeners: {% if matrix_synapse_metrics_enabled %} - type: metrics port: {{ matrix_synapse_metrics_port }} - bind_addresses: - - '0.0.0.0' + bind_addresses: ['::'] {% endif %} {% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %} From f5cd916de89b60839c223b462827a21dacf4e51a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 7 Feb 2019 13:15:59 +0200 Subject: [PATCH 0359/2384] Update coturn (4.5.0.8 -> 4.5.1.0) --- roles/matrix-coturn/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 32883c02..9f21281b 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -1,6 +1,6 @@ matrix_coturn_enabled: true -matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8" +matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.0" matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" @@ -16,4 +16,4 @@ matrix_coturn_turn_static_auth_secret: "" matrix_coturn_turn_udp_min_port: 49152 matrix_coturn_turn_udp_max_port: 49172 -matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" \ No newline at end of file +matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" From 08635666df680bb9571624aad0439602fd8ec34c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 7 Feb 2019 13:20:30 +0200 Subject: [PATCH 0360/2384] Do not attempt to start coturn TLS listeners We don't provide certificates, so it fails anyway, but we'd rather suppress the warnings about it too. --- roles/matrix-coturn/templates/turnserver.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index 32329d60..56c84120 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -8,4 +8,6 @@ log-file=stdout pidfile=/var/tmp/turnserver.pid userdb=/var/tmp/turnserver.db no-cli +no-tls +no-dtls prod From f4fa03d4b97869bc91b64a0adab668e7e431e320 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 7 Feb 2019 19:43:00 +0200 Subject: [PATCH 0361/2384] Re-iterate where one can find the well-known files --- docs/configuring-well-known.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 166ece1f..193d380b 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -52,7 +52,7 @@ You have 2 options when it comes to installing the files on the base domain's se All you need to do is: -- copy `/.well-known/matrix/server` and `/.well-known/matrix/client` from the Matrix server (e.g. `matrix.example.com`) to your base domain's server (`example.com`). +- copy `/.well-known/matrix/server` and `/.well-known/matrix/client` from the Matrix server (e.g. `matrix.example.com`) to your base domain's server (`example.com`). You can find these files in the `/matrix/static-files/.well-known/matrix` directory on the Matrix server. They are also accessible on URLs like this: `https://matrix.example.com/.well-known/matrix/server` (same for `client`). - set up the server at your base domain (e.g. `example.com`) so that it adds an extra HTTP header when serving the `/.well-known/matrix/client` file. [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS), the `Access-Control-Allow-Origin` header should be set with a value of `*`. If you don't do this step, web-based Matrix clients (like Riot) may fail to work. Setting up headers for the `/.well-known/matrix/server` file is not necessary, as this file is only consumed by non-browsers, which don't care about CORS. From 46accfdb3c53f0a6b9e5fd7aacf9adaf21172ebc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Feb 2019 11:59:00 +0200 Subject: [PATCH 0362/2384] Add guide about certificates for other domains We had something like that on the Server Delegation how-to page, but it's better if we have it on the SSL certificates page. Relocated there and improved linking. Fixes #94 (Github Issue) --- docs/configuring-playbook-ssl-certificates.md | 48 ++++++++++++++++++- docs/howto-server-delegation.md | 16 ++----- 2 files changed, 49 insertions(+), 15 deletions(-) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 5c8161fa..d7673738 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -1,10 +1,21 @@ # Adjusting SSL certificate retrieval (optional, advanced) -By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/). +By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (`matrix.` and possibly `riot.`) Those certificates are used when configuring the nginx reverse proxy installed by this playbook. +They can also be used for configuring [your own webserver](docs/configuring-playbook-own-webserver.md), in case you're not using the integrated nginx server provided by the playbook. -If that's alright, you can skip this. +If you need to retrieve certificates for other domains (e.g. your base domain) or more control over certificate retrieval, read below. + +Things discussed in this document: + +- [Using self-signed SSL certificates](#using-self-signed-ssl-certificates), if you can't use Let's Encrypt or just need a test setup + +- [Using your own SSL certificates](#using-your-own-ssl-certificates), if you don't want to or can't use Let's Encrypt certificates, but are still interested in using the integrated nginx reverse proxy server + +- [Not bothering with SSL certificates](#not-bothering-with-ssl-certificates), if you're using [your own webserver](docs/configuring-playbook-own-webserver.md) and would rather this playbook leaves SSL certificate management to you + +- [Obtaining SSL certificates for additional domains](#obtaining-ssl-certificates-for-additional-domains), if you'd like to host additional domains on the Matrix server (perhaps your base domain?) and would like the playbook to help you obtain and renew certificates for those domains automatically. ## Using self-signed SSL certificates @@ -43,3 +54,36 @@ matrix_ssl_retrieval_method: none ``` With such a configuration, no certificates will be retrieved at all. You're free to manage them however you want. + + +## Obtaining SSL certificates for additional domains + +The playbook tries to be smart about the certificates it will obtain for you. + +By default, it obtains certificates for `matrix.` and possibly for `riot.` (unless you have disabled the Riot component using `matrix_riot_web_enabled: false`). + +If you are hosting other domains on the Matrix machine, you can make the playbook obtain and renew certificates for those other domains too. +To do that, simply define your own custom configuration like this: + +```yaml +# Note: we need to include the matrix (`hostname_matrix`) and riot (`hostname_riot`) domains explicitly. +# Your base domain is in the `hostname_identity` variable. +# Adding any other additional domains (hosted on the same machine) is possible. +matrix_ssl_domains_to_obtain_certificates_for: + - '{{ hostname_matrix }}' + - '{{ hostname_riot }}' + - '{{ hostname_identity }}' +``` + +After redefining `matrix_ssl_domains_to_obtain_certificates_for`, to actually obtain certificates you should: + +- make sure the web server occupying port 80 is stopped. If you are using matrix-nginx-proxy server (which is the default for this playbook), you need to stop it temporarily by running `systemctl stop matrix-nginx-proxy` on the server. + +- re-run the SSL part of the playbook and restart all services: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-ssl,start` + +The certificate files would be available in `/matrix/ssl/config/live//...`. + +For automated certificate renewal to work, each port `80` vhost for each domain you are obtaining certificates for needs to forward requests for `/.well-known/acme-challenge` to the certbot container we use for renewal. + +See how this is configured for the `matrix.` subdomain in `/matrix/nginx-proxy/conf.d/matrix-synapse.conf` +Don't be alarmed if the above configuraiton file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers. diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index aa9b0f95..ef0c0faa 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -54,20 +54,10 @@ To use DNS SRV record validation, you need to: How you can obtain a valid certificate for `` on the `matrix.` server is up to you. -If `` and `matrix.` is the same machine, you can let the playbook obtain the certificate for you by redefining the `matrix_ssl_domains_to_obtain_certificates_for` variable. Example: +If `` and `matrix.` are hosted on the same machine, you can let the playbook obtain the certificate for you, by following our [Obtaining SSL certificates for additional domains](configuring-playbook-ssl-certificates.md#obtaining-ssl-certificates-for-additional-domains) guide. -```yaml -matrix_ssl_domains_to_obtain_certificates_for: - - '{{ hostname_matrix }}' - - '{{ hostname_riot }}' - - '{{ hostname_identity }}' -``` - -This way, the playbook would obtain certificates for your base domain as well (referred to by the `hostname_identity` variable). -The certificate files would be available in `/matrix/ssl/config/live//...`. - -If `` and `matrix.` are not the same machine, you can copy over the certificate files manually. -If they get renewed automatically, you may also have to transfer them periodically. How often you do that is up to you, as long as the certificate files don't expire. +If `` and `matrix.` are not hosted on the same machine, you can copy over the certificate files manually. +Don't forget that they may get renewed once in a while, so you may also have to transfer them periodically. How often you do that is up to you, as long as the certificate files don't expire. ### Serving the Federation API with your certificates From 42c4de348cfd5854d63d4a9447ff468da92c53ae Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 9 Feb 2019 13:21:18 +0200 Subject: [PATCH 0363/2384] Revert "Bind metrics on :: too" This reverts commit 536c85619f0d0f4daeac120134a3e76c5cbd4703. Looks like binding metrics on IPv6 (`::`) fails with an error: socket.gaierror: [Errno -2] Name does not resolve --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 647bbfce..d52ba1ab 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -152,7 +152,8 @@ listeners: {% if matrix_synapse_metrics_enabled %} - type: metrics port: {{ matrix_synapse_metrics_port }} - bind_addresses: ['::'] + bind_addresses: + - '0.0.0.0' {% endif %} {% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %} From 70b2f07fecca7c61a9921f9404a8efa549076c53 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 9 Feb 2019 14:36:47 +0200 Subject: [PATCH 0364/2384] Add PostgreSQL backup information --- CHANGELOG.md | 2 +- docs/README.md | 2 +- docs/maintenance-and-troubleshooting.md | 4 +- docs/maintenance-postgres.md | 61 +++++++++++++++++++++++++ docs/maintenance-upgrading-postgres.md | 22 --------- docs/maintenance-upgrading-services.md | 2 +- 6 files changed, 65 insertions(+), 28 deletions(-) create mode 100644 docs/maintenance-postgres.md delete mode 100644 docs/maintenance-upgrading-postgres.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 1b2083d6..29781be6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -294,7 +294,7 @@ Note: Currently the dockerized nginx doesn't support TLSv1.3. See https://github The playbook now installs [Postgres 11](https://www.postgresql.org/about/news/1894/) by default. -If you have have an existing setup, it's likely running on an older Postgres version (9.x or 10.x). You can easily upgrade by following the [Maintenance / upgrading PostgreSQL](docs/maintenance-upgrading-postgres.md) guide. +If you have have an existing setup, it's likely running on an older Postgres version (9.x or 10.x). You can easily upgrade by following the [upgrading PostgreSQL guide](docs/maintenance-postgres.md#upgrading-postgresql). ## (BC Break) Renaming playbook variables diff --git a/docs/README.md b/docs/README.md index 53ac5398..35ba609a 100644 --- a/docs/README.md +++ b/docs/README.md @@ -16,7 +16,7 @@ - [Maintenance / upgrading services](maintenance-upgrading-services.md) -- [Maintenance / upgrading PostgreSQL](maintenance-upgrading-postgres.md) +- [Maintenance / PostgreSQL](maintenance-postgres.md) - [Maintenance and Troubleshooting](maintenance-and-troubleshooting.md) diff --git a/docs/maintenance-and-troubleshooting.md b/docs/maintenance-and-troubleshooting.md index 9ef9d70b..ad0babc9 100644 --- a/docs/maintenance-and-troubleshooting.md +++ b/docs/maintenance-and-troubleshooting.md @@ -18,6 +18,4 @@ sudo journalctl -fu matrix-synapse ## Postgres -You can access the Postgres command line interface using the script installed on your server at `/usr/local/bin/matrix-postgres-cli`. - -This playbook attempts to preserve the Postgres version it starts with. When you are ready to upgrade to a new Postgres version, read through the [guide for upgrading PostgreSQL](maintenance-upgrading-postgres.md). +See the dedicated [PostgreSQL Maintenance](maintenances-postgres.md) documentation page. diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md new file mode 100644 index 00000000..4be26a80 --- /dev/null +++ b/docs/maintenance-postgres.md @@ -0,0 +1,61 @@ +# PostgreSQL maintenance + +This document shows you how to perform various maintenance tasks related to the Postgres database server used by Matrix. + +Table of contents: + +- [Getting a database terminal](#getting-a-database-terminal), for when you wish to execute SQL queries + +- [Backing up PostgreSQL](#backing-up-postgresql), for when you wish to make a backup + +- [Upgrading PostgreSQL](#upgrading-postgresql), for upgrading to new major versions of PostgreSQL. Such **manual upgrades are sometimes required**. + + +## Getting a database terminal + +You can use the `/usr/local/bin/matrix-postgres-cli` tool to get interactive terminal access ([psql](https://www.postgresql.org/docs/11/app-psql.html)) to the PostgreSQL server. + +If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above tool will not be available. + + +## Backing up PostgreSQL + +To make a back up of the current PostgreSQL database, make sure it's running and then execute a command like this on the server: + +```bash +docker run \ +--rm \ +--network matrix \ +--env-file=/matrix/postgres/env-postgres-psql \ +postgres:11.1-alpine \ +pg_dump -h matrix-postgres \ +| gzip -c \ +> /postgres.sql.gz +``` + +If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above command will not work, because the credentials file (`/matrix/postgres/env-postgres-psql`) is not available. + + +## Upgrading PostgreSQL + +Unless you are using an [external Postgres server](configuring-playbook-external-postgres.md), this playbook initially installs Postgres for you. + +Once installed, the playbook attempts to preserve the Postgres version it starts with. +This is because newer Postgres versions cannot start with data generated by older Postgres versions. + +Upgrades must be performed manually. + +This playbook can upgrade your existing Postgres setup with the following command: + + ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres + +**The old Postgres data directory is backed up** automatically, by renaming to `/matrix/postgres-auto-upgrade-backup`. +To rename to a different path, pass some extra flags to the command above, like this: `--extra-vars="postgres_auto_upgrade_backup_data_path=/another/disk/matrix-postgres-before-upgrade"` + +The auto-upgrade-backup directory stays around forever, until you **manually decide to delete it**. + +As part of the upgrade, the database is dumped to `/tmp`, an upgraded and empty Postgres server is started, and then the dump is restored into the new server. +To use a different directory for the dump, pass some extra flags to the command above, like this: `--extra-vars="postgres_dump_dir=/directory/to/dump/here"` + +**ONLY one database is migrated** (the one specified in `matrix_postgres_db_name`, named `homeserver` by default). +If you've created other databases in that database instance (something this playbook never does and never advises), data will be lost. diff --git a/docs/maintenance-upgrading-postgres.md b/docs/maintenance-upgrading-postgres.md deleted file mode 100644 index c41712f3..00000000 --- a/docs/maintenance-upgrading-postgres.md +++ /dev/null @@ -1,22 +0,0 @@ -# Upgrading PostgreSQL - -If you're not using an external Postgres server, this playbook initially installs Postgres for you. - -Once installed like that, this playbook attempts to preserve the Postgres version it starts with. -This is because newer Postgres versions cannot start with data generated by older Postgres versions. -An upgrade must be performed. - -This playbook can upgrade your existing Postgres setup with the following command: - - ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres - -**The old Postgres data directory is backed up** by renaming to `/matrix/postgres-auto-upgrade-backup`, by default. -To rename to a different path, pass some extra flags to the command above, like this: `--extra-vars="postgres_auto_upgrade_backup_data_path=/another/disk/matrix-postgres-before-upgrade"` - -The auto-upgrade-backup directory stays around forever, until you **manually decide to delete it**. - -As part of the upgrade, the database is dumped to `/tmp`, upgraded and then restored from that dump. -To use a different directory, pass some extra flags to the command above, like this: `--extra-vars="postgres_dump_dir=/directory/to/dump/here"` - -**ONLY one database is migrated** (the one specified in `matrix_postgres_db_name`, named `homeserver` by default). -If you've created other databases in that database instance (something this playbook never does and never advises), data will be lost. \ No newline at end of file diff --git a/docs/maintenance-upgrading-services.md b/docs/maintenance-upgrading-services.md index 2ab8799b..8530d8bc 100644 --- a/docs/maintenance-upgrading-services.md +++ b/docs/maintenance-upgrading-services.md @@ -14,4 +14,4 @@ To upgrade the services: - restart the services: `ansible-playbook -i inventory/hosts setup.yml --tags=start` -**Note**: major version upgrades are not done to the internal PostgreSQL database. To upgrade that one, refer to the [upgrading PostgreSQL document](maintenance-upgrading-postgres.md). +**Note**: major version upgrades are not done to the internal PostgreSQL database. To upgrade that one, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql). From 7a1b5a2024644657f979cfe97361c6f1a8827246 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 10 Feb 2019 23:20:05 +0200 Subject: [PATCH 0365/2384] Update mxisd (1.2.2 -> 1.3.0) --- roles/matrix-mxisd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index a0a1f781..c5d43350 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -1,6 +1,6 @@ matrix_mxisd_enabled: true -matrix_mxisd_docker_image: "kamax/mxisd:1.2.2" +matrix_mxisd_docker_image: "kamax/mxisd:1.3.0" matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" From df76ae707a47d2f640f611c9a81e68c1e3a6ea11 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Feb 2019 14:07:16 +0200 Subject: [PATCH 0366/2384] Fix inaccurate comment --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 96825f94..95ebc7a3 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -70,8 +70,8 @@ matrix_synapse_rc_message_burst_count: 10.0 # Otherwise, you would need to provide certificate files to it. matrix_synapse_no_tls: false # Controls whether the TLS federation listener is enabled (tcp/8448). -# Note that federation may potentially be enabled on tcp/8008 as well. # Only makes sense if federation is not disabled (`matrix_synapse_federation_enabled`). +# Note that federation may potentially be enabled as non-TLS on tcp/8048 as well. matrix_synapse_tls_federation_listener_enabled: "{{ not matrix_synapse_no_tls }}" matrix_synapse_tls_certificate_path: "/data/{{ hostname_matrix }}.tls.crt" matrix_synapse_tls_private_key_path: "/data/{{ hostname_matrix }}.tls.key" From eb08e20418ce173a9a485e54dec0bd710e04a340 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Feb 2019 18:40:55 +0200 Subject: [PATCH 0367/2384] Upgrade Synapse (0.99.0 -> 0.99.1) and sync config `matrix_synapse_no_tls` is now implicit, so we've gotten rid of it. The `homeserver.yaml.j2` template has been synchronized with the configuration generated by Synapse v0.99.1 (some new options are present, etc.) --- docs/howto-server-delegation.md | 1 - group_vars/matrix-servers | 9 +- roles/matrix-base/defaults/main.yml | 2 +- roles/matrix-synapse/defaults/main.yml | 12 +- .../matrix-synapse/tasks/validate_config.yml | 1 + .../templates/synapse/homeserver.yaml.j2 | 416 ++++++++++++------ 6 files changed, 281 insertions(+), 160 deletions(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index ef0c0faa..512e1196 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -127,7 +127,6 @@ matrix_synapse_container_additional_volumes: You can then tell Synapse to serve Federation traffic over TLS on `tcp/8448`: ```yaml -matrix_synapse_no_tls: false matrix_synapse_tls_federation_listener_enabled: true matrix_synapse_tls_certificate_path: /some/path/inside/the/container/certificate.crt matrix_synapse_tls_private_key_path: /some/path/inside/the/container/private.key diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 597a6a89..f46b5c6f 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -294,12 +294,9 @@ matrix_synapse_database_database: "{{ matrix_postgres_db_name }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. -matrix_synapse_no_tls: true -# Even though we don't do TLS at the Synapse side, Synapse v0.99 would still like to read -# some certificate file. The container contains a dummy certificate that could be used -# to prevent certificate file reading errors. It won't actually be used for anything else. -# See https://github.com/matrix-org/synapse/issues/4554 -matrix_synapse_tls_certificate_path: /conf/dummy.tls.crt +matrix_synapse_tls_federation_listener_enabled: false +matrix_synapse_tls_certificate_path: ~ +matrix_synapse_tls_private_key_path: ~ matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" matrix_synapse_email_smtp_host: "matrix-mailer" diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index f86cf2f1..033bda7e 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -31,7 +31,7 @@ matrix_docker_network: "matrix" # Controls whether a `/.well-known/matrix/server` file is generated and used at all. # # If you wish to rely on DNS SRV records only, you can disable this. -# That implies that you'll be handling Matrix Federation API traffic (tcp/8448) +# Using DNS SRV records implies that you'll be handling Matrix Federation API traffic (tcp/8448) # using certificates for the base domain (`hostname_identity`) and not for the # matrix domain (`hostname_matrix`). matrix_well_known_matrix_server_enabled: true diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 95ebc7a3..8ecc7339 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.0-py3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.1-py3" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" @@ -65,14 +65,12 @@ matrix_synapse_root_log_level: "INFO" matrix_synapse_rc_messages_per_second: 0.2 matrix_synapse_rc_message_burst_count: 10.0 -# If you're serving Synapse behind an HTTPS-capable reverse-proxy, -# you can disable TLS completely (`matrix_synapse_no_tls: true`). -# Otherwise, you would need to provide certificate files to it. -matrix_synapse_no_tls: false # Controls whether the TLS federation listener is enabled (tcp/8448). -# Only makes sense if federation is not disabled (`matrix_synapse_federation_enabled`). +# Only makes sense if federation is enabled (`matrix_synapse_federation_enabled`). # Note that federation may potentially be enabled as non-TLS on tcp/8048 as well. -matrix_synapse_tls_federation_listener_enabled: "{{ not matrix_synapse_no_tls }}" +# If you're serving Synapse behind an HTTPS-capable reverse-proxy, +# you can disable the TLS listener (`matrix_synapse_tls_federation_listener_enabled: false`). +matrix_synapse_tls_federation_listener_enabled: true matrix_synapse_tls_certificate_path: "/data/{{ hostname_matrix }}.tls.crt" matrix_synapse_tls_private_key_path: "/data/{{ hostname_matrix }}.tls.key" diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index 2f86e676..3cf1d1c4 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -16,4 +16,5 @@ when: "item.old in vars" with_items: - {'old': 'matrix_synapse_container_expose_api_port', 'new': 'matrix_synapse_container_expose_client_api_port'} + - {'old': 'matrix_synapse_no_tls', 'new': ''} diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index d52ba1ab..73c0003a 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1,71 +1,4 @@ # vim:ft=yaml -# PEM-encoded X509 certificate for TLS. -# This certificate, as of Synapse 1.0, will need to be a valid and verifiable -# certificate, signed by a recognised Certificate Authority. -# -# See 'ACME support' below to enable auto-provisioning this certificate via -# Let's Encrypt. -# -tls_certificate_path: "{{ matrix_synapse_tls_certificate_path }}" - -# PEM-encoded private key for TLS -tls_private_key_path: "{{ matrix_synapse_tls_private_key_path }}" - -# ACME support: This will configure Synapse to request a valid TLS certificate -# for your configured `server_name` via Let's Encrypt. -# -# Note that provisioning a certificate in this way requires port 80 to be -# routed to Synapse so that it can complete the http-01 ACME challenge. -# By default, if you enable ACME support, Synapse will attempt to listen on -# port 80 for incoming http-01 challenges - however, this will likely fail -# with 'Permission denied' or a similar error. -# -# There are a couple of potential solutions to this: -# -# * If you already have an Apache, Nginx, or similar listening on port 80, -# you can configure Synapse to use an alternate port, and have your web -# server forward the requests. For example, assuming you set 'port: 8009' -# below, on Apache, you would write: -# -# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge -# -# * Alternatively, you can use something like `authbind` to give Synapse -# permission to listen on port 80. -# -acme: - # ACME support is disabled by default. Uncomment the following line - # to enable it. - # - # enabled: true - - # Endpoint to use to request certificates. If you only want to test, - # use Let's Encrypt's staging url: - # https://acme-staging.api.letsencrypt.org/directory - # - # url: https://acme-v01.api.letsencrypt.org/directory - - # Port number to listen on for the HTTP-01 challenge. Change this if - # you are forwarding connections through Apache/Nginx/etc. - # - # port: 80 - - # Local addresses to listen on for incoming connections. - # Again, you may want to change this if you are forwarding connections - # through Apache/Nginx/etc. - # - # bind_addresses: ['::', '0.0.0.0'] - - # How many days remaining on a certificate before it is renewed. - # - # reprovision_threshold: 30 - -# If your server runs behind a reverse-proxy which terminates TLS connections -# (for both client and federation connections), it may be useful to disable -# All TLS support for incoming connections. Setting no_tls to True will -# do so (and avoid the need to give synapse a TLS private key). -# -no_tls: {{ matrix_synapse_no_tls|to_json }} - ## Server ## # The domain name of the server, with optional explicit port. @@ -100,16 +33,16 @@ pid_file: /homeserver.pid # # cpu_affinity: 0xFFFFFFFF -# Whether to serve a web client from the HTTP/HTTPS root resource. -web_client: False - -# The root directory to server for the above web client. -# If left undefined, synapse will serve the matrix-angular-sdk web client. -# Make sure matrix-angular-sdk is installed with pip if web_client is True -# and web_client_location is undefined +# The path to the web client which will be served at /_matrix/client/ +# if 'webclient' is configured under the 'listeners' configuration. +# # web_client_location: "/path/to/web/root" -# The public-facing base URL for the client API (not including _matrix/...) +# The public-facing base URL that clients use to access this HS +# (not including _matrix/...). This is the same URL a user would +# enter into the 'custom HS URL' field on their client. If you +# use synapse with a reverse proxy, this should be the URL to reach +# synapse via the proxy. public_baseurl: https://{{ hostname_matrix }}/ # Set the soft limit on the number of file descriptors synapse can use @@ -148,6 +81,64 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js # List of ports that Synapse should listen on, their purpose and their # configuration. +# +# Options for each listener include: +# +# port: the TCP port to bind to +# +# bind_addresses: a list of local addresses to listen on. The default is +# 'all local interfaces'. +# +# type: the type of listener. Normally 'http', but other valid options are: +# 'manhole' (see docs/manhole.md), +# 'metrics' (see docs/metrics-howto.rst), +# 'replication' (see docs/workers.rst). +# +# tls: set to true to enable TLS for this listener. Will use the TLS +# key/cert specified in tls_private_key_path / tls_certificate_path. +# +# x_forwarded: Only valid for an 'http' listener. Set to true to use the +# X-Forwarded-For header as the client IP. Useful when Synapse is +# behind a reverse-proxy. +# +# resources: Only valid for an 'http' listener. A list of resources to host +# on this port. Options for each resource are: +# +# names: a list of names of HTTP resources. See below for a list of +# valid resource names. +# +# compress: set to true to enable HTTP comression for this resource. +# +# additional_resources: Only valid for an 'http' listener. A map of +# additional endpoints which should be loaded via dynamic modules. +# +# Valid resource names are: +# +# client: the client-server API (/_matrix/client). Also implies 'media' and +# 'static'. +# +# consent: user consent forms (/_matrix/consent). See +# docs/consent_tracking.md. +# +# federation: the server-server API (/_matrix/federation). Also implies +# 'media', 'keys', 'openid' +# +# keys: the key discovery API (/_matrix/keys). +# +# media: the media API (/_matrix/media). +# +# metrics: the metrics interface. See docs/metrics-howto.rst. +# +# openid: OpenID authentication. +# +# replication: the HTTP replication API (/_synapse/replication). See +# docs/workers.rst. +# +# static: static resources under synapse/static (/_matrix/static). (Mostly +# useful for 'fallback authentication'.) +# +# webclient: A web client. Requires web_client_location to be set. +# listeners: {% if matrix_synapse_metrics_enabled %} - type: metrics @@ -157,47 +148,24 @@ listeners: {% endif %} {% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %} - # Main HTTPS listener - # For when matrix traffic is sent directly to synapse. - - - # The port to listen for HTTPS requests on. - port: 8448 - - # Local addresses to listen on. - # On Linux and Mac OS, `::` will listen on all IPv4 and IPv6 - # addresses by default. For most other OSes, this will only listen - # on IPv6. + # TLS-enabled listener: for when matrix traffic is sent directly to synapse. + - port: 8448 + tls: true bind_addresses: ['::'] - - # This is a 'http' listener, allows us to specify 'resources'. type: http - - tls: true - - # Use the X-Forwarded-For (XFF) header as the client IP and not the - # actual client IP. x_forwarded: false - # List of HTTP resources to serve on this listener. resources: - - names: [federation] # Federation APIs + - names: [federation] compress: false - - # optional list of additional endpoints which can be loaded via - # dynamic modules - # additional_resources: - # "/_matrix/my/custom/endpoint": - # module: my_module.CustomRequestHandler - # config: {} {% endif %} - # Unsecure HTTP listener for the Client API, - # For when matrix traffic passes through loadbalancer that unwraps TLS. + # Unsecure HTTP listener (Client API): for when matrix traffic passes through a reverse proxy + # that unwraps TLS. - port: 8008 tls: false bind_addresses: ['::'] type: http - x_forwarded: true resources: @@ -205,13 +173,12 @@ listeners: compress: false {% if matrix_synapse_federation_enabled %} - # Unsecure HTTP listener for the Federation API, - # For when matrix traffic passes through loadbalancer that unwraps TLS. + # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy + # that unwraps TLS. - port: 8048 tls: false bind_addresses: ['::'] type: http - x_forwarded: true resources: @@ -225,31 +192,132 @@ listeners: # bind_addresses: ['::1', '127.0.0.1'] # type: manhole +# Homeserver blocking +# +# How to reach the server admin, used in ResourceLimitError +# admin_contact: 'mailto:admin@server.com' +# +# Global block config +# +# hs_disabled: False +# hs_disabled_message: 'Human readable reason for why the HS is blocked' +# hs_disabled_limit_type: 'error code(str), to help clients decode reason' +# +# Monthly Active User Blocking +# +# Enables monthly active user checking +# limit_usage_by_mau: False +# max_mau_value: 50 +# mau_trial_days: 2 +# +# If enabled, the metrics for the number of monthly active users will +# be populated, however no one will be limited. If limit_usage_by_mau +# is true, this is implied to be true. +# mau_stats_only: False +# +# Sometimes the server admin will want to ensure certain accounts are +# never blocked by mau checking. These accounts are specified here. +# +# mau_limit_reserved_threepids: +# - medium: 'email' +# address: 'reserved_user@example.com' +# +# Room searching +# +# If disabled, new messages will not be indexed for searching and users +# will receive errors when searching for messages. Defaults to enabled. +# enable_search: true + + +## TLS ## + +# PEM-encoded X509 certificate for TLS. +# This certificate, as of Synapse 1.0, will need to be a valid and verifiable +# certificate, signed by a recognised Certificate Authority. +# +# See 'ACME support' below to enable auto-provisioning this certificate via +# Let's Encrypt. +# +tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} + +# PEM-encoded private key for TLS +tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} + +# ACME support: This will configure Synapse to request a valid TLS certificate +# for your configured `server_name` via Let's Encrypt. +# +# Note that provisioning a certificate in this way requires port 80 to be +# routed to Synapse so that it can complete the http-01 ACME challenge. +# By default, if you enable ACME support, Synapse will attempt to listen on +# port 80 for incoming http-01 challenges - however, this will likely fail +# with 'Permission denied' or a similar error. +# +# There are a couple of potential solutions to this: +# +# * If you already have an Apache, Nginx, or similar listening on port 80, +# you can configure Synapse to use an alternate port, and have your web +# server forward the requests. For example, assuming you set 'port: 8009' +# below, on Apache, you would write: +# +# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge +# +# * Alternatively, you can use something like `authbind` to give Synapse +# permission to listen on port 80. +# +acme: + # ACME support is disabled by default. Uncomment the following line + # (and tls_certificate_path and tls_private_key_path above) to enable it. + # + # enabled: true + + # Endpoint to use to request certificates. If you only want to test, + # use Let's Encrypt's staging url: + # https://acme-staging.api.letsencrypt.org/directory + # + # url: https://acme-v01.api.letsencrypt.org/directory + + # Port number to listen on for the HTTP-01 challenge. Change this if + # you are forwarding connections through Apache/Nginx/etc. + # + # port: 80 + + # Local addresses to listen on for incoming connections. + # Again, you may want to change this if you are forwarding connections + # through Apache/Nginx/etc. + # + # bind_addresses: ['::', '0.0.0.0'] + + # How many days remaining on a certificate before it is renewed. + # + # reprovision_threshold: 30 - # Homeserver blocking - # - # How to reach the server admin, used in ResourceLimitError - # admin_contact: 'mailto:admin@server.com' - # - # Global block config - # - # hs_disabled: False - # hs_disabled_message: 'Human readable reason for why the HS is blocked' - # hs_disabled_limit_type: 'error code(str), to help clients decode reason' - # - # Monthly Active User Blocking - # - # Enables monthly active user checking - # limit_usage_by_mau: False - # max_mau_value: 50 - # mau_trial_days: 2 - # - # Sometimes the server admin will want to ensure certain accounts are - # never blocked by mau checking. These accounts are specified here. - # - # mau_limit_reserved_threepids: - # - medium: 'email' - # address: 'reserved_user@example.com' +# List of allowed TLS fingerprints for this server to publish along +# with the signing keys for this server. Other matrix servers that +# make HTTPS requests to this server will check that the TLS +# certificates returned by this server match one of the fingerprints. +# +# Synapse automatically adds the fingerprint of its own certificate +# to the list. So if federation traffic is handled directly by synapse +# then no modification to the list is required. +# +# If synapse is run behind a load balancer that handles the TLS then it +# will be necessary to add the fingerprints of the certificates used by +# the loadbalancers to this list if they are different to the one +# synapse is using. +# +# Homeservers are permitted to cache the list of TLS fingerprints +# returned in the key responses up to the "valid_until_ts" returned in +# key. It may be necessary to publish the fingerprints of a new +# certificate and wait until the "valid_until_ts" of the previous key +# responses have passed before deploying it. +# +# You can calculate a fingerprint from a given TLS listener via: +# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | +# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' +# or by checking matrix.org/federationtester/api/report?server_name=$host +# +tls_fingerprints: [] +# tls_fingerprints: [{"sha256": ""}] @@ -483,16 +551,21 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }} # - email # - msisdn +# Explicitly disable asking for MSISDNs from the registration +# flow (overrides registrations_require_3pid if MSISDNs are set as required) +# +# disable_msisdn_registration = True + # Mandate that users are only allowed to associate certain formats of # 3PIDs with accounts on this server. # # allowed_local_3pids: # - medium: email -# pattern: ".*@matrix\.org" +# pattern: '.*@matrix\.org' # - medium: email -# pattern: ".*@vector\.im" +# pattern: '.*@vector\.im' # - medium: msisdn -# pattern: "\+44" +# pattern: '\+44' # If set, allows registration by anyone who also has the shared # secret, even if registration is otherwise disabled. @@ -510,8 +583,19 @@ bcrypt_rounds: 12 # accessible to anonymous users. allow_guest_access: False +# The identity server which we suggest that clients should use when users log +# in on this server. +# +# (By default, no suggestion is made, so it is left up to the client. +# This setting is ignored unless public_baseurl is also set.) +# +# default_identity_server: https://matrix.org + # The list of identity servers trusted to verify third party # identifiers by this server. +# +# Also defines the ID server which will be called when an account is +# deactivated (one will be picked arbitrarily). {% if matrix_synapse_trusted_third_party_id_servers|length > 0 %} trusted_third_party_id_servers: {{ matrix_synapse_trusted_third_party_id_servers|to_nice_yaml }} @@ -534,7 +618,6 @@ auto_join_rooms: autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms }} - ## Metrics ### # Enable collection and rendering of performance metrics @@ -549,20 +632,29 @@ room_invite_state_types: - "m.room.join_rules" - "m.room.canonical_alias" - "m.room.avatar" + - "m.room.encryption" - "m.room.name" # A list of application service config file to use app_service_config_files: {{ matrix_synapse_app_service_config_files }} +# Whether or not to track application service IP addresses. Implicitly +# enables MAU tracking for application service users. +track_appservice_user_ips: False + +# a secret which is used to sign access tokens. If none is specified, +# the registration_shared_secret is used, if one is given; otherwise, +# a secret key is derived from the signing key. macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|to_json }} # Used to enable access token expiration. expire_access_token: False # a secret which is used to calculate HMACs for form values, to stop -# falsification of values +# falsification of values. Must be specified for the User Consent +# forms to work. form_secret: {{ matrix_synapse_form_secret|to_json }} ## Signing Keys ## @@ -595,15 +687,48 @@ perspectives: -# Enable SAML2 for registration and login. Uses pysaml2 -# config_path: Path to the sp_conf.py configuration file -# idp_redirect_url: Identity provider URL which will redirect -# the user back to /login/saml2 with proper info. -# See pysaml2 docs for format of config. -#saml2_config: -# enabled: true -# config_path: "/data/sp_conf.py" -# idp_redirect_url: "http://{{ hostname_matrix }}/idp" +# Enable SAML2 for registration and login. Uses pysaml2. +# +# saml2_config: +# +# # The following is the configuration for the pysaml2 Service Provider. +# # See pysaml2 docs for format of config. +# # +# # Default values will be used for the 'entityid' and 'service' settings, +# # so it is not normally necessary to specify them unless you need to +# # override them. +# +# sp_config: +# # point this to the IdP's metadata. You can use either a local file or +# # (preferably) a URL. +# metadata: +# # local: ["saml2/idp.xml"] +# remote: +# - url: https://our_idp/metadata.xml +# +# # The following is just used to generate our metadata xml, and you +# # may well not need it, depending on your setup. Alternatively you +# # may need a whole lot more detail - see the pysaml2 docs! +# +# description: ["My awesome SP", "en"] +# name: ["Test SP", "en"] +# +# organization: +# name: Example com +# display_name: +# - ["Example co", "en"] +# url: "http://example.com" +# +# contact_person: +# - given_name: Bob +# sur_name: "the Sysadmin" +# email_address": ["admin@example.com"] +# contact_type": technical +# +# # Instead of putting the config inline as above, you can specify a +# # separate pysaml2 configuration file: +# # +# # config_path: "/data/sp_conf.py" @@ -710,6 +835,7 @@ password_providers: {% endif %} + # Clients requesting push notifications can either have the body of # the message sent in the notification poke along with other details # like the sender, or just the event ID and room ID (`event_id_only`). From 1dd4f85e61167c67e0646efae784d287b6989e97 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Feb 2019 19:05:14 +0200 Subject: [PATCH 0368/2384] Update changelog --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 29781be6..0d2e2046 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +# 2019-02-14 + +## Synapse v0.99.1 + +As we're moving toward Synapse v1.0, things are beginning to stabilize. +Upgrading from v0.99.0 to v0.99.1 should be painless. + +If you've been overriding the default configuration so that you can terminate TLS at the Synapse side (`matrix_synapse_no_tls: false`), you'll now have to replace this custom configuration with `matrix_synapse_tls_federation_listener_enabled: true`. The `matrix_synapse_no_tls` variable is no more. + + # 2019-02-06 ## Synapse v0.99 support and preparation for Synapse v1.0 From 0f55823c5f03c58b645053197271062cd62fd537 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Feb 2019 19:43:13 +0200 Subject: [PATCH 0369/2384] Update Synapse (0.99.1 -> 0.99.1.1) It's not important for us, as it only contains some ACME-related fix. --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 8ecc7339..3e4b6b81 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.1-py3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.1.1-py3" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" From fcdc2a6c4f67c51b2fc9b2c6fa7e29fcec86ba06 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 15 Feb 2019 10:01:10 +0200 Subject: [PATCH 0370/2384] Fix incomplete sentence --- docs/howto-server-delegation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index 512e1196..fe692d8d 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -10,7 +10,7 @@ It is a complicated matter, so unless you are affected by the [Downsides of well ## Server Delegation via a well-known file -Serving a `/.well-known/matrix/server` file from the base domain is the most straightforward way to set up server delegation, but it suffers from the following problems: +Serving a `/.well-known/matrix/server` file from the base domain is the most straightforward way to set up server delegation, but it suffers from some problems that we list in [Downsides of well-known-based Server Delegation](#downsides-of-well-known-based-server-delegation). As we already mention in [Configuring DNS](configuring-dns.md) and [Configuring Service Discovery via .well-known](configuring-well-known.md), this playbook already properly guides you into setting up such delegation by means of a `/.well-known/matrix/server` file served from the base domain (``). From b79db8922123968c8f23593a98913d021ace50a9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 15 Feb 2019 10:03:33 +0200 Subject: [PATCH 0371/2384] Improve wording a bit --- docs/howto-server-delegation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index fe692d8d..a7863d88 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -43,7 +43,7 @@ This prevents you from suffering the [Downsides of well-known-based Server Deleg To use DNS SRV record validation, you need to: -- ensure that no `/.well-known/matrix/server` is served from the base domain, as that would interfere with DNS SRV record Server Delegation. To make the playbook **not** generate and serve the file, use the following configuration: `matrix_well_known_matrix_server_enabled: false`. +- ensure that `/.well-known/matrix/server` is **not served** from the base domain, as that would interfere with DNS SRV record Server Delegation. To make the playbook **not** generate and serve the file, use the following configuration: `matrix_well_known_matrix_server_enabled: false`. - ensure that you have a `_matrix._tcp` DNS SRV record for your base domain (``) with a value of `10 0 8448 matrix.` From 350b25690d7c3368429b5b4d45cb7a39277e1dfa Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 16 Feb 2019 11:48:17 +0200 Subject: [PATCH 0372/2384] Add Riot v1.0 (v1.0.1) support --- CHANGELOG.md | 11 + roles/matrix-riot-web/defaults/main.yml | 16 +- .../matrix-riot-web/tasks/setup_riot_web.yml | 14 +- .../matrix-riot-web/tasks/validate_config.yml | 13 + .../matrix-riot-web/templates/config.json.j2 | 5 +- roles/matrix-riot-web/templates/home.html.j2 | 308 ------------------ .../systemd/matrix-riot-web.service.j2 | 8 +- roles/matrix-riot-web/vars/main.yml | 3 + .../matrix-synapse/tasks/validate_config.yml | 1 - 9 files changed, 51 insertions(+), 328 deletions(-) delete mode 100644 roles/matrix-riot-web/templates/home.html.j2 create mode 100644 roles/matrix-riot-web/vars/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 0d2e2046..58816b21 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2019-02-16 + +## Riot v1.0.1 support + +You can now use the brand new and redesigned Riot. + +The new version no longer has a homepage by default, so we've also removed the custom homepage that we've been installing. + +However, we still provide you with hooks to install your own `home.html` file (using the `matrix_riot_web_embedded_pages_home_path` variable). + + # 2019-02-14 ## Synapse v0.99.1 diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index a111c9d8..3bf9844c 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,6 +1,6 @@ matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.9" +matrix_riot_web_docker_image: "bubuntux/riot-web:v1.0.1" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" @@ -22,14 +22,6 @@ matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/wid matrix_riot_web_roomdir_servers: ['matrix.org'] matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" -# Riot home.html customizations -# Default home.html template file -matrix_riot_web_homepage_template: "{{ role_path }}/templates/home.html.j2" -# Show general discussion about Matrix and Riot row -matrix_riot_web_homepage_template_general: true -# Show Matrix technical discussions row -matrix_riot_web_homepage_template_technical: true -# Show building services on Matrix row -matrix_riot_web_homepage_template_building: true -# Show contributing code to Matrix and Riot row -matrix_riot_web_homepage_template_contributing: true +# By default, there's no Riot homepage (when logged in). If you wish to have one, +# point this to a `home.html` template file on your local filesystem. +matrix_riot_web_embedded_pages_home_path: ~ diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index c9a84f91..94863a8c 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -18,7 +18,7 @@ name: "{{ matrix_riot_web_docker_image }}" when: matrix_riot_web_enabled -- name: Ensure Matrix riot-web configured +- name: Ensure Matrix riot-web config files installed template: src: "{{ item.src }}" dest: "{{ matrix_riot_web_data_path }}/{{ item.name }}" @@ -28,8 +28,16 @@ with_items: - {src: "{{ role_path }}/templates/config.json.j2", name: "config.json"} - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - - {src: "{{ matrix_riot_web_homepage_template }}", name: "home.html"} - when: matrix_riot_web_enabled + - {src: "{{ matrix_riot_web_embedded_pages_home_path }}", name: "home.html"} + when: "matrix_riot_web_enabled and item.src is not none" + +- name: Ensure Matrix riot-web config files removed + file: + path: "{{ matrix_riot_web_data_path }}/{{ item.name }}" + state: absent + with_items: + - {src: "{{ matrix_riot_web_embedded_pages_home_path }}", name: "home.html"} + when: "matrix_riot_web_enabled and item.src is none" - name: Ensure matrix-riot-web.service installed template: diff --git a/roles/matrix-riot-web/tasks/validate_config.yml b/roles/matrix-riot-web/tasks/validate_config.yml index 0068580d..0a96afc0 100644 --- a/roles/matrix-riot-web/tasks/validate_config.yml +++ b/roles/matrix-riot-web/tasks/validate_config.yml @@ -7,3 +7,16 @@ when: "vars[item] == ''" with_items: - "matrix_riot_web_default_hs_url" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: > + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_riot_web_homepage_template', 'new': 'matrix_riot_web_embedded_pages_home_path'} + - {'old': 'matrix_riot_web_homepage_template_general', 'new': ''} + - {'old': 'matrix_riot_web_homepage_template_technical', 'new': ''} + - {'old': 'matrix_riot_web_homepage_template_building', 'new': ''} + - {'old': 'matrix_riot_web_homepage_template_contributing', 'new': ''} diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 9eec9e22..9477e53c 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -13,5 +13,8 @@ "roomDirectory": { "servers": {{ matrix_riot_web_roomdir_servers|to_json }} }, - "welcomeUserId": {{ matrix_riot_web_welcome_user_id|to_json }} + "welcomeUserId": {{ matrix_riot_web_welcome_user_id|to_json }}, + "embeddedPages": { + "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|to_json }} + } } diff --git a/roles/matrix-riot-web/templates/home.html.j2 b/roles/matrix-riot-web/templates/home.html.j2 deleted file mode 100644 index 827906ea..00000000 --- a/roles/matrix-riot-web/templates/home.html.j2 +++ /dev/null @@ -1,308 +0,0 @@ - - -
-
- -
-

_t("Welcome to {{ hostname_riot }}")

-

_t("Decentralised, encrypted chat & collaboration powered by [matrix]")

-
-
-
-
-
-

_t("Search the room directory")

- - - - - _t("Lots of rooms already exist in Matrix, linked to existing networks (Slack, IRC, Gitter etc) or independent. Check out the directory!") - -
-
-{% if matrix_riot_web_welcome_user_id %} -
-
-

_t("Chat with Riot Bot")

- - - - - _t("Get started with some tips from Riot Bot!") - -
-
-{% endif %} -
-{% if matrix_riot_web_homepage_template_general %} - -

_t("General discussion about Matrix and Riot")

- -
-
- - - Matrix HQ - - _t("Discussion of all things Matrix!") -
-
- - - Riot - - _t("Riot/Web & Desktop chat") -
-
- - - #riot-ios - - _t("Riot/iOS & matrix-ios-sdk chat") -
-
- - - #riot-android - - _t("Riot/Android & matrix-android-sdk chat") -
-
-{% endif %} -{% if matrix_riot_web_homepage_template_technical %} - -

_t("Matrix technical discussions")

-

_t("Running Matrix services")

- -
-
- - - Matrix Docker Ansible Deploy - - Support for Matrix Docker Ansible role -
-
- - - Synapse Support Community - - _t("Community-run support for Synapse") -
-
- - - #dendrite:matrix.org - - _t("Admin support for Dendrite") -
-
- - - Synapse Homeowners - - _t("Announcements about Synapse releases") -
-
- - - IRC Matrix Bridges - - _t("Support for those using and running matrix-appservice-irc") -
-
-{% endif %} -{% if matrix_riot_web_homepage_template_building %} - -

_t("Building services on Matrix")

- -
-
- - - #matrix-dev:matrix.org - - _t("Support for those using the Matrix spec") -
-
- - - End-to-end crypto in Matrix - - _t("Design and implementation of E2E in Matrix") -
-
- - - #vr:matrix.org - - _t("Implementing VR services with Matrix") -
-
- - - #webrtc:matrix.org - - _t("Implementing VoIP services with Matrix") -
-
- - - Matrix Identity - - _t("Discussion of the Identity Service API") -
-
- - - Matrix Bridging - - _t("Support for those using, running and writing other bridges") -
-
-{% endif %} -{% if matrix_riot_web_homepage_template_contributing %} -

_t("Contributing code to Matrix and Riot")

- -
-
- - - #riot-dev - - _t("Dev chat for the Riot/Web dev team") -
-
- - - #dendrite-dev - - _t("Dev chat for the Dendrite dev team") -
-
- - - Riot Translations - - _t("Co-ordination for Riot translators") -
-
-{% endif %} -
diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 5cd69774..2b57f27c 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -14,14 +14,16 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_riot_web_container_expose_port %} + -p 127.0.0.1:8765:8080 \ + {% endif %} --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ -v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ -v /dev/null:/etc/nginx/conf.d/default.conf:ro \ -v {{ matrix_riot_web_data_path }}/config.json:/etc/riot-web/config.json:ro \ + {% if matrix_riot_web_embedded_pages_home_path is not none %} -v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \ - --network={{ matrix_docker_network }} \ - {% if matrix_riot_web_container_expose_port %} - -p 127.0.0.1:8765:8080 \ {% endif %} {{ matrix_riot_web_docker_image }} ExecStop=-/usr/bin/docker kill matrix-riot-web diff --git a/roles/matrix-riot-web/vars/main.yml b/roles/matrix-riot-web/vars/main.yml new file mode 100644 index 00000000..201b5bdd --- /dev/null +++ b/roles/matrix-riot-web/vars/main.yml @@ -0,0 +1,3 @@ +--- + +matrix_riot_web_embedded_pages_home_url: "{{ (none if matrix_riot_web_embedded_pages_home_path is none else 'home.html') }}" diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index 3cf1d1c4..607dced4 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -17,4 +17,3 @@ with_items: - {'old': 'matrix_synapse_container_expose_api_port', 'new': 'matrix_synapse_container_expose_client_api_port'} - {'old': 'matrix_synapse_no_tls', 'new': ''} - From 28a5027138de349dbb3233ca780738d4f0d148a8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 16 Feb 2019 11:50:06 +0200 Subject: [PATCH 0373/2384] Update changelog a bit --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 58816b21..a69ad72d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ You can now use the brand new and redesigned Riot. The new version no longer has a homepage by default, so we've also removed the custom homepage that we've been installing. -However, we still provide you with hooks to install your own `home.html` file (using the `matrix_riot_web_embedded_pages_home_path` variable). +However, we still provide you with hooks to install your own `home.html` file by specifying the `matrix_riot_web_embedded_pages_home_path` variable (used to be called `matrix_riot_web_homepage_template` before). # 2019-02-14 From d552a742f8b66befc3c081b2e06adb3562b66c62 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 16 Feb 2019 17:59:41 +0200 Subject: [PATCH 0374/2384] Fix Riot caching troubles Some resources shouldn't be cached right now, as per https://github.com/vector-im/riot-web/pull/8702 (note all of the suggestions from that pull request were applied, because some of them do not seem relevant - no such files) Fixes #98 (Github Issue) --- roles/matrix-riot-web/templates/nginx.conf.j2 | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/templates/nginx.conf.j2 b/roles/matrix-riot-web/templates/nginx.conf.j2 index a7707cd9..84789954 100644 --- a/roles/matrix-riot-web/templates/nginx.conf.j2 +++ b/roles/matrix-riot-web/templates/nginx.conf.j2 @@ -47,11 +47,16 @@ http { listen 8080; server_name localhost; + root /usr/share/nginx/html; + location / { - root /usr/share/nginx/html; index index.html index.htm; } + location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { + expires -1; + } + error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; From 747574ab560ad47553eedadc0c5a42ac6fabf4cd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 20 Feb 2019 11:39:04 +0200 Subject: [PATCH 0375/2384] Update Prerequisites a bit --- docs/prerequisites.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 59e6c83d..f021a87d 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -4,7 +4,9 @@ - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). -- the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for version requirements or alternative ways to run Ansible. +- the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for [version requirements](ansible.md#supported-ansible-versions) or alternative ways to run Ansible. + +- either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature. - an HTTPS-capable web server at the base domain name (``) which is capable of serving static files (unless you decide to use DNS SRV records for [Server Delegation](howto-server-delegation.md)) From 550d398e6cd29025180221d7d893782977b8ce3e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 20 Feb 2019 21:21:20 +0200 Subject: [PATCH 0376/2384] Remove some unnecessary slashes --- .../ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index 8adc1e60..946b5731 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -19,8 +19,8 @@ /usr/bin/docker run --rm --name=matrix-certbot - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL -p 80:8080 -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt @@ -46,8 +46,8 @@ /usr/bin/docker run --rm --name=matrix-certbot - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 --network={{ matrix_docker_network }} -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt From 28bd6dc75b9c1e6ebf11bb78c4a8da7356aa6fec Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Feb 2019 14:50:07 +0200 Subject: [PATCH 0377/2384] Improve Telegram/Whatsapp instructions --- docs/configuring-playbook-bridge-mautrix-telegram.md | 2 +- docs/configuring-playbook-bridge-mautrix-whatsapp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-telegram.md b/docs/configuring-playbook-bridge-mautrix-telegram.md index c814cfdd..223392d6 100644 --- a/docs/configuring-playbook-bridge-mautrix-telegram.md +++ b/docs/configuring-playbook-bridge-mautrix-telegram.md @@ -12,4 +12,4 @@ matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH ``` -You then need to start a chat with `@telegrambot:{{ hostname_identity }}` +You then need to start a chat with `@telegrambot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base hostname, not the `matrix.` hostname). diff --git a/docs/configuring-playbook-bridge-mautrix-whatsapp.md b/docs/configuring-playbook-bridge-mautrix-whatsapp.md index 241d9d9c..ad7f6fec 100644 --- a/docs/configuring-playbook-bridge-mautrix-whatsapp.md +++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md @@ -10,4 +10,4 @@ Use the following playbook configuration: matrix_mautrix_whatsapp_enabled: true ``` -You then need to start a chat with `@whatsappbot:{{ hostname_identity }}` +You then need to start a chat with `@whatsappbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base hostname, not the `matrix.` hostname). From 4c512c8e64b56fd3b74ddece4dd9091e41b07d3c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Feb 2019 15:44:13 +0200 Subject: [PATCH 0378/2384] Upgrade mxisd (1.3.0 -> 1.3.1) --- roles/matrix-mxisd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index c5d43350..4cd87003 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -1,6 +1,6 @@ matrix_mxisd_enabled: true -matrix_mxisd_docker_image: "kamax/mxisd:1.3.0" +matrix_mxisd_docker_image: "kamax/mxisd:1.3.1" matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" From 639fc0bb5ce527bc55f6a04718382f0988bd5c5f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Feb 2019 18:02:10 +0200 Subject: [PATCH 0379/2384] Treat empty string dig lookup responses as "missing record" --- roles/matrix-base/tasks/self_check_dns_srv.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/matrix-base/tasks/self_check_dns_srv.yml b/roles/matrix-base/tasks/self_check_dns_srv.yml index 9300fb65..559d9dba 100644 --- a/roles/matrix-base/tasks/self_check_dns_srv.yml +++ b/roles/matrix-base/tasks/self_check_dns_srv.yml @@ -30,12 +30,15 @@ Full error from trying to run `dig`: {{ result_cli_dig_srv }} when: "lookup_dig_srv is not defined and result_cli_dig_srv.stderr != ''" +# Some DNS servers may respond with '' (stands for "No Answer"). +# Most usually, a missing record would yield a 'NXDOMAIN' response. +# In any case, we consider any non-mapping response to mean "missing record". - name: Fail if DNS SRV record missing (Ansible dig lookup) fail: msg: >- It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly (the record is missing). See the 'Configuring DNS' documentation for this playbook. - when: "lookup_dig_srv is defined and lookup_dig_srv == 'NXDOMAIN'" + when: "lookup_dig_srv is defined and lookup_dig_srv is not mapping" - name: Fail if DNS SRV record incorrect (Ansible dig lookup) fail: From 433780384ef4cfa1d4d620d0e1493c443cddf0ab Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Feb 2019 10:42:27 +0200 Subject: [PATCH 0380/2384] Do not use docker_container module Using `docker_container` with a `cap_drop` argument requires Ansible >=2.7. We want to support older versions too (2.4), so we either need to stop invoking it with `cap_drop` (insecure), or just stop using the module altogether. Since it was suffering from other bugs too (not deleting containers on failure), we've decided to remove `docker_container` usage completely. --- .../tasks/import_sqlite_db.yml | 43 ++++++++----------- .../tasks/setup_synapse_main.yml | 29 +++++++------ 2 files changed, 34 insertions(+), 38 deletions(-) diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml index c989dca9..d5fc832f 100644 --- a/roles/matrix-postgres/tasks/import_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml @@ -64,27 +64,22 @@ delegate_to: 127.0.0.1 become: false -# If the actual migration command (below) fails, it will leave a container behind. -# Starting it again later will relaunch that one, which may or may not work. -# To ensure we're starting from a clean state, ensure any such leftovers are removed. -- name: Cleanup any old leftover migration container - docker_container: - name: matrix-synapse-migrate - state: absent - -- name: Importing SQLite database into Postgres - docker_container: - name: matrix-synapse-migrate - image: "{{ matrix_synapse_docker_image }}" - detach: no - cleanup: yes - entrypoint: /usr/local/bin/python - command: "/usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml" - user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" - cap_drop: ['all'] - volumes: - - "{{ matrix_synapse_config_dir_path }}:/data" - - "{{ matrix_synapse_run_path }}:/matrix-run" - - "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro" - networks: - - name: "{{ matrix_docker_network }}" +# We don't use the `docker_container` module, because using it with `cap_drop` requires +# a very recent version, which is not available for a lot of people yet. +# +# Also, some old `docker_container` versions were buggy and would leave containers behind +# on failure, which we had to work around to allow retries (by re-running the playbook). +- name: Import SQLite database into Postgres + command: | + docker run + --rm + --name=matrix-synapse-migrate + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --entrypoint=python + -v {{ matrix_synapse_config_dir_path }}:/data + -v {{ matrix_synapse_run_path }}:/matrix-run + -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro + {{ matrix_synapse_docker_image }} + /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index 57a296bc..339f5650 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -29,21 +29,22 @@ # We do this mostly so that the keys would get generated. # We'll replace the rest of the configuration with our own templates below. +# +# We don't use the `docker_container` module, because using it with `cap_drop` requires +# a very recent version, which is not available for a lot of people yet. - name: Generate initial Matrix config - docker_container: - name: matrix-config - image: "{{ matrix_synapse_docker_image }}" - detach: no - cleanup: yes - command: generate - env: - SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" - SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}" - SYNAPSE_REPORT_STATS: "no" - user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" - cap_drop: ['all'] - volumes: - - "{{ matrix_synapse_config_dir_path }}:/data" + command: | + docker run + --rm + --name=matrix-config + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + -v {{ matrix_synapse_config_dir_path }}:/data + -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml + -e SYNAPSE_SERVER_NAME={{ hostname_matrix }} + -e SYNAPSE_REPORT_STATS=no + {{ matrix_synapse_docker_image }} + generate when: "not matrix_synapse_config_stat.stat.exists" - name: Ensure Matrix homeserver config installed From 25bdc106174e23bf95c99d906b825fa64fcadee9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Feb 2019 21:01:52 +0200 Subject: [PATCH 0381/2384] Follow redirects for some well-known files The Server spec says that redirects should be followed for `/.well-known/matrix/server`. So we follow them. The Client-Server specs doesn't mention redirects, so we don't follow redirects there. --- roles/matrix-nginx-proxy/tasks/self_check_well_known.yml | 2 ++ roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml index d12e3fd3..2ea110bf 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml @@ -6,6 +6,7 @@ - path: /.well-known/matrix/client purpose: Client Discovery cors: true + follow_redirects: false - block: - set_fact: @@ -13,6 +14,7 @@ path: /.well-known/matrix/server purpose: Server Discovery cors: false + follow_redirects: true - name: Determine domains that we require certificates for (mxisd) set_fact: diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml index 40161807..40fa95a6 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml @@ -35,7 +35,7 @@ - name: Check .well-known on the identity hostname uri: url: "{{ well_known_url_identity }}" - follow_redirects: false + follow_redirects: "{{ well_known_file_check.follow_redirects }}" return_content: true register: result_well_known_identity ignore_errors: true From 8cac29a5d50708af1669fbb10b8ab2f049529220 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 28 Feb 2019 11:15:26 +0200 Subject: [PATCH 0382/2384] Update matrix-synapse-rest-auth (0.1.1 -> 0.1.2) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 3e4b6b81..f58251bf 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -162,7 +162,7 @@ matrix_synapse_email_riot_base_url: "https://{{ hostname_riot }}" # Enable this to activate the REST auth password provider module. # See: https://github.com/kamax-io/matrix-synapse-rest-auth matrix_synapse_ext_password_provider_rest_auth_enabled: false -matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.1/rest_auth_provider.py" +matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.2/rest_auth_provider.py" matrix_synapse_ext_password_provider_rest_auth_endpoint: "" matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true From a43bcd81feabb886029f696fd22718a94ae72b43 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 28 Feb 2019 11:51:09 +0200 Subject: [PATCH 0383/2384] Rename some variables --- CHANGELOG.md | 15 +++++++++ ...figuring-playbook-bridge-appservice-irc.md | 2 +- ...guring-playbook-bridge-mautrix-telegram.md | 2 +- ...guring-playbook-bridge-mautrix-whatsapp.md | 2 +- docs/configuring-playbook-ssl-certificates.md | 10 +++--- examples/host-vars.yml | 29 +++++++--------- group_vars/matrix-servers | 18 +++++----- roles/matrix-base/defaults/main.yml | 27 ++++++++------- roles/matrix-base/tasks/main.yml | 10 +++--- roles/matrix-base/tasks/sanity_check.yml | 33 ++++++++++++++----- roles/matrix-base/tasks/self_check_dns.yml | 10 +++--- .../static-files/well-known/matrix-server.j2 | 2 +- .../usr-local-bin/matrix-remove-all.j2 | 2 +- roles/matrix-corporal/defaults/main.yml | 2 +- .../tasks/self_check_corporal.yml | 6 ++-- .../matrix-corporal/templates/config.json.j2 | 2 +- .../templates/turnserver.conf.j2 | 2 +- roles/matrix-mailer/defaults/main.yml | 2 +- .../systemd/matrix-mailer.service.j2 | 2 +- roles/matrix-mxisd/defaults/main.yml | 8 ++--- roles/matrix-mxisd/tasks/self_check_mxisd.yml | 6 ++-- roles/matrix-nginx-proxy/defaults/main.yml | 8 ++--- .../tasks/self_check_well_known_file.yml | 18 +++++----- .../tasks/ssl/setup_ssl_lets_encrypt.yml | 20 ++++++++--- .../usr-local-bin/matrix-make-user-admin.j2 | 2 +- .../tasks/self_check_riot_web.yml | 6 ++-- roles/matrix-synapse/defaults/main.yml | 12 +++---- .../tasks/self_check_client_api.yml | 4 +-- .../tasks/self_check_federation_api.yml | 4 +-- .../tasks/setup_synapse_main.yml | 4 +-- .../matrix-synapse/tasks/validate_config.yml | 2 +- .../ext/mautrix-telegram/config.yaml.j2 | 8 ++--- .../ext/mautrix-whatsapp/config.yaml.j2 | 6 ++-- .../templates/synapse/homeserver.yaml.j2 | 8 ++--- roles/matrix-synapse/vars/main.yml | 4 +-- 35 files changed, 170 insertions(+), 128 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a69ad72d..134dba8c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,18 @@ +# 2019-02-19 + +## Renaming variables + +The following playbook variables were renamed: + +- from `host_specific_hostname_identity` to `matrix_domain` +- from `hostname_identity` to `matrix_domain` +- from `hostname_matrix` to `matrix_server_fqn_matrix` +- from `hostname_riot` to `matrix_server_fqn_riot` +- from `host_specific_matrix_ssl_lets_encrypt_support_email` to `matrix_ssl_lets_encrypt_support_email` + +Doing that, we've simplified things, made names less confusing (hopefully) and moved all variable names under the `matrix_` prefix. + + # 2019-02-16 ## Riot v1.0.1 support diff --git a/docs/configuring-playbook-bridge-appservice-irc.md b/docs/configuring-playbook-bridge-appservice-irc.md index 7f8349a0..bec1791b 100644 --- a/docs/configuring-playbook-bridge-appservice-irc.md +++ b/docs/configuring-playbook-bridge-appservice-irc.md @@ -73,4 +73,4 @@ matrix_appservice_irc_configuration_extension_yaml: | lineLimit: 3 ``` -You then need to start a chat with `@irc_bot:{{ hostname_identity }}` +You then need to start a chat with `@irc_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). diff --git a/docs/configuring-playbook-bridge-mautrix-telegram.md b/docs/configuring-playbook-bridge-mautrix-telegram.md index 223392d6..f83a4dda 100644 --- a/docs/configuring-playbook-bridge-mautrix-telegram.md +++ b/docs/configuring-playbook-bridge-mautrix-telegram.md @@ -12,4 +12,4 @@ matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH ``` -You then need to start a chat with `@telegrambot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base hostname, not the `matrix.` hostname). +You then need to start a chat with `@telegrambot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). diff --git a/docs/configuring-playbook-bridge-mautrix-whatsapp.md b/docs/configuring-playbook-bridge-mautrix-whatsapp.md index ad7f6fec..4c646717 100644 --- a/docs/configuring-playbook-bridge-mautrix-whatsapp.md +++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md @@ -10,4 +10,4 @@ Use the following playbook configuration: matrix_mautrix_whatsapp_enabled: true ``` -You then need to start a chat with `@whatsappbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base hostname, not the `matrix.` hostname). +You then need to start a chat with `@whatsappbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index d7673738..6a319575 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -66,13 +66,13 @@ If you are hosting other domains on the Matrix machine, you can make the playboo To do that, simply define your own custom configuration like this: ```yaml -# Note: we need to include the matrix (`hostname_matrix`) and riot (`hostname_riot`) domains explicitly. -# Your base domain is in the `hostname_identity` variable. +# Note: we need to include the matrix (`matrix_server_fqn_matrix`) and riot (`matrix_server_fqn_riot`) domains explicitly. +# Your base domain is in the `matrix_domain` variable. # Adding any other additional domains (hosted on the same machine) is possible. matrix_ssl_domains_to_obtain_certificates_for: - - '{{ hostname_matrix }}' - - '{{ hostname_riot }}' - - '{{ hostname_identity }}' + - '{{ matrix_server_fqn_matrix }}' + - '{{ matrix_server_fqn_riot }}' + - '{{ matrix_domain }}' ``` After redefining `matrix_ssl_domains_to_obtain_certificates_for`, to actually obtain certificates you should: diff --git a/examples/host-vars.yml b/examples/host-vars.yml index 060997a7..64d12097 100644 --- a/examples/host-vars.yml +++ b/examples/host-vars.yml @@ -1,26 +1,21 @@ -# This is something which is provided to Let's Encrypt -# when retrieving the SSL certificates for domains. +# The bare domain name which represents your Matrix identity. +# Matrix user ids for your server will be of the form (`@user:`). # -# In case SSL renewal fails at some point, you'll also get -# an email notification there. +# Note: this playbook does not touch the server referenced here. +# Installation happens on another server ("matrix."). # -# If you decide to use another method for managing SSL certifites (different than the default Let's Encrypt), -# you won't be required to define this variable -# (see `docs/configuring-playbook-ssl-certificates.md`). -# -# Example value: someone@example.com -host_specific_matrix_ssl_lets_encrypt_support_email: YOUR_EMAIL_ADDRESS_HERE +# Example value: example.com +matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE -# This is your bare domain name (``). +# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains. # -# Note: the server specified here is not touched. +# In case SSL renewal fails at some point, you'll also get an email notification there. # -# This playbook only installs to `matrix.`, -# but it nevertheless requires to know the bare domain name -# (for configuration purposes). +# If you decide to use another method for managing SSL certifites (different than the default Let's Encrypt), +# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`). # -# Example value: example.com -host_specific_hostname_identity: YOUR_BARE_DOMAIN_NAME_HERE +# Example value: someone@example.com +matrix_ssl_lets_encrypt_support_email: YOUR_EMAIL_ADDRESS_HERE # A shared secret (between Coturn and Synapse) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index f46b5c6f..49183e37 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -112,7 +112,7 @@ matrix_mailer_enabled: true # ###################################################################### -# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`). +# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`). # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. matrix_mxisd_enabled: true @@ -129,7 +129,7 @@ matrix_mxisd_synapsesql_type: postgresql matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password }} matrix_mxisd_dns_overwrite_enabled: true -matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ hostname_matrix }}" +matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" matrix_mxisd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" # By default, we send mail through the `matrix-mailer` service. @@ -207,9 +207,9 @@ matrix_nginx_proxy_systemd_wanted_services_list: | matrix_ssl_domains_to_obtain_certificates_for: | {{ - ([hostname_matrix]) + ([matrix_server_fqn_matrix]) + - ([hostname_riot] if matrix_riot_web_enabled else []) + ([matrix_server_fqn_riot] if matrix_riot_web_enabled else []) }} ###################################################################### @@ -247,7 +247,7 @@ matrix_postgres_db_name: "homeserver" # ###################################################################### -# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain. +# By default, this playbook installs the Riot.IM web UI on the `matrix_server_fqn_riot` domain. # If you wish to connect to your Matrix server by other means, you may wish to disable this. matrix_riot_web_enabled: true @@ -274,7 +274,7 @@ matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}" ###################################################################### # When mxisd is enabled, we can use it instead of the default public Identity servers. -matrix_synapse_trusted_third_party_id_servers: "{{ [hostname_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" +matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose its ports @@ -303,13 +303,13 @@ matrix_synapse_email_smtp_host: "matrix-mailer" matrix_synapse_email_smtp_port: 8025 matrix_synapse_email_smtp_require_transport_security: false matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>" -matrix_synapse_email_riot_base_url: "https://{{ hostname_riot }}" +matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}" matrix_synapse_turn_uris: | {{ [ - 'turn:' + hostname_matrix + ':3478?transport=udp', - 'turn:' + hostname_matrix + ':3478?transport=tcp', + 'turn:' + matrix_server_fqn_matrix + ':3478?transport=udp', + 'turn:' + matrix_server_fqn_matrix + ':3478?transport=tcp', ] if matrix_coturn_enabled else [] diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 033bda7e..25122173 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -1,16 +1,19 @@ -# The bare hostname which represents your identity. -# This is something like "example.com". +# The bare domain name which represents your Matrix identity. +# Matrix user ids for your server will be of the form (`@user:`). +# # Note: this playbook does not touch the server referenced here. -hostname_identity: "{{ host_specific_hostname_identity|lower }}" +# Installation happens on another server ("matrix.", see `matrix_server_fqn_matrix`). +# +# Example value: example.com +matrix_domain: ~ -# This is where your data lives and what we set up here. -# This and the Riot hostname (see below) are expected to be on the same server. -hostname_matrix: "matrix.{{ hostname_identity }}" +# This is where your data lives and what we set up. +# This and the Riot FQN (see below) are expected to be on the same server. +matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" # This is where you access the web UI from and what we set up here. -# This and the Matrix hostname (see above) are expected to be on the same server. -hostname_riot: "riot.{{ hostname_identity }}" - +# This and the Matrix FQN (see above) are expected to be on the same server. +matrix_server_fqn_riot: "riot.{{ matrix_domain }}" matrix_user_username: "matrix" matrix_user_uid: 991 @@ -21,7 +24,7 @@ matrix_base_data_path_mode: "750" matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" -matrix_homeserver_url: "https://{{ hostname_matrix }}" +matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" matrix_identity_server_url: ~ @@ -32,8 +35,8 @@ matrix_docker_network: "matrix" # # If you wish to rely on DNS SRV records only, you can disable this. # Using DNS SRV records implies that you'll be handling Matrix Federation API traffic (tcp/8448) -# using certificates for the base domain (`hostname_identity`) and not for the -# matrix domain (`hostname_matrix`). +# using certificates for the base domain (`matrix_domain`) and not for the +# matrix domain (`matrix_server_fqn_matrix`). matrix_well_known_matrix_server_enabled: true # Variables to Control which parts of our roles run. diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index facfc5b2..892cd7d1 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -1,3 +1,7 @@ +- import_tasks: "{{ role_path }}/tasks/sanity_check.yml" + tags: + - always + - import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml" when: run_setup tags: @@ -21,13 +25,9 @@ - setup-synapse - setup-nginx-proxy -- import_tasks: "{{ role_path }}/tasks/sanity_check.yml" - tags: - - always - - import_tasks: "{{ role_path }}/tasks/self_check_dns.yml" delegate_to: 127.0.0.1 become: false when: run_self_check tags: - - self-check \ No newline at end of file + - self-check diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 592afe2e..0bff6a6b 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -15,15 +15,32 @@ msg: "{{ matrix_ansible_outdated_fail_msg }}" when: "ansible_version.major == 2 and ansible_version.minor == 5 and ansible_version.revision < 2" -# This sanity check is only used to detect uppercase when people override these specific variables. -# -# If people set `host_specific_hostname_identity` without overriding other variables (the general use-case), -# we take care to lower-case it automatically and it won't cause trouble anyway. +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'host_specific_hostname_identity', 'new': 'matrix_domain'} + - {'old': 'hostname_identity', 'new': 'matrix_domain'} + - {'old': 'hostname_matrix', 'new': 'matrix_server_fqn_matrix'} + - {'old': 'hostname_riot', 'new': 'matrix_server_fqn_riot'} + +- name: Fail if required variables are undefined + fail: + msg: "The `{{ item }}` variable must be defined and have a non-null value" + with_items: + - matrix_domain + - matrix_server_fqn_matrix + - matrix_server_fqn_riot + when: "item not in vars or vars[item] is none" + - name: Fail if uppercase domain used fail: msg: "Detected that you're using an uppercase domain name - `{{ item }}`. This will cause trouble. Please use all-lowercase!" - when: "item != item|lower" with_items: - - "{{ hostname_identity }}" - - "{{ hostname_matrix }}" - - "{{ hostname_riot }}" + - "{{ matrix_domain }}" + - "{{ matrix_server_fqn_matrix }}" + - "{{ matrix_server_fqn_riot }}" + when: "item != item|lower" diff --git a/roles/matrix-base/tasks/self_check_dns.yml b/roles/matrix-base/tasks/self_check_dns.yml index 371147fd..36c14631 100644 --- a/roles/matrix-base/tasks/self_check_dns.yml +++ b/roles/matrix-base/tasks/self_check_dns.yml @@ -4,16 +4,16 @@ set_fact: dns_srv_record_checks: - service_and_protocol: "_matrix._tcp" - domain: "{{ (hostname_identity + '.') }}" - expected_target: "{{ (hostname_matrix + '.') }}" + domain: "{{ (matrix_domain + '.') }}" + expected_target: "{{ (matrix_server_fqn_matrix + '.') }}" expected_port: 8448 - block: - set_fact: dns_srv_record_check_mxisd: service_and_protocol: "_matrix-identity._tcp" - domain: "{{ (hostname_identity + '.') }}" - expected_target: "{{ (hostname_matrix + '.') }}" + domain: "{{ (matrix_domain + '.') }}" + expected_target: "{{ (matrix_server_fqn_matrix + '.') }}" expected_port: 443 - name: Determine domains that we require certificates for (mxisd) @@ -25,4 +25,4 @@ include_tasks: "{{ role_path }}/tasks/self_check_dns_srv.yml" with_items: "{{ dns_srv_record_checks }}" loop_control: - loop_var: dns_srv_record_check \ No newline at end of file + loop_var: dns_srv_record_check diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 index 53ed8787..a8e19167 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 @@ -1,3 +1,3 @@ { - "m.server": "{{ hostname_matrix }}:8448" + "m.server": "{{ matrix_server_fqn_matrix }}:8448" } diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 index 9fdd7a21..fc1ab5ba 100644 --- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 @@ -5,7 +5,7 @@ if [ "$(id -u)" != "0" ]; then exit 1 fi -echo "WARNING! You are about to remove everything the playbook installs for matrix.{{ host_specific_hostname_identity }}: matrix, docker images,..." +echo "WARNING! You are about to remove everything the playbook installs for {{ matrix_server_fqn_matrix }}: matrix, docker images,..." echo -n "If you're sure you want to do this, type: 'Yes, I really want to remove everything!'" read sure diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 20f0fe62..ca89d481 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -15,7 +15,7 @@ matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var" -matrix_corporal_matrix_homeserver_domain_name: "{{ hostname_identity }}" +matrix_corporal_matrix_homeserver_domain_name: "{{ matrix_domain }}" # Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse:8008"). # If Synapse runs on the same machine, you may need to add its service to `matrix_corporal_systemd_required_services_list`. diff --git a/roles/matrix-corporal/tasks/self_check_corporal.yml b/roles/matrix-corporal/tasks/self_check_corporal.yml index 86985be1..03e91d8d 100644 --- a/roles/matrix-corporal/tasks/self_check_corporal.yml +++ b/roles/matrix-corporal/tasks/self_check_corporal.yml @@ -1,7 +1,7 @@ --- - set_fact: - corporal_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/corporal" + corporal_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/corporal" - name: Check Matrix Corporal HTTP gateway uri: @@ -13,9 +13,9 @@ - name: Fail if Matrix Corporal HTTP gateway not working fail: - msg: "Failed checking Matrix Corporal is fronting the Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ corporal_client_api_url_endpoint_public }}`). Is matrix-corporal running? Is port 443 open in your firewall? Full error: {{ result_corporal_client_api }}" + msg: "Failed checking Matrix Corporal is fronting the Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ corporal_client_api_url_endpoint_public }}`). Is matrix-corporal running? Is port 443 open in your firewall? Full error: {{ result_corporal_client_api }}" when: "result_corporal_client_api.failed or 'Matrix Client-Server API protected by Matrix Corporal' not in result_corporal_client_api.content" - name: Report working Matrix Corporal HTTP gateway debug: - msg: "Matrix Corporal is fronting the Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ corporal_client_api_url_endpoint_public }}`)" \ No newline at end of file + msg: "Matrix Corporal is fronting the Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ corporal_client_api_url_endpoint_public }}`)" diff --git a/roles/matrix-corporal/templates/config.json.j2 b/roles/matrix-corporal/templates/config.json.j2 index 5835cced..378b2c19 100644 --- a/roles/matrix-corporal/templates/config.json.j2 +++ b/roles/matrix-corporal/templates/config.json.j2 @@ -8,7 +8,7 @@ }, "Reconciliation": { - "UserId": "@{{ matrix_corporal_reconciliation_user_id_local_part }}:{{ hostname_identity }}", + "UserId": "@{{ matrix_corporal_reconciliation_user_id_local_part }}:{{ matrix_domain }}", "RetryIntervalMilliseconds": {{ matrix_corporal_reconciliation_retry_interval_milliseconds }} }, diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index 56c84120..a91aa5e0 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -1,6 +1,6 @@ use-auth-secret static-auth-secret={{ matrix_coturn_turn_static_auth_secret }} -realm=turn.{{ hostname_matrix }} +realm=turn.{{ matrix_server_fqn_matrix }} min-port={{ matrix_coturn_turn_udp_min_port }} max-port={{ matrix_coturn_turn_udp_max_port }} external-ip={{ matrix_coturn_turn_external_ip_address }} diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index 3b652799..f4b2e917 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -9,7 +9,7 @@ matrix_mailer_docker_image: "devture/exim-relay:4.91-r1-0" matrix_mailer_container_user_uid: 100 matrix_mailer_container_user_gid: 101 -matrix_mailer_sender_address: "matrix@{{ hostname_identity }}" +matrix_mailer_sender_address: "matrix@{{ matrix_domain }}" matrix_mailer_relay_use: false matrix_mailer_relay_host_name: "mail.example.com" matrix_mailer_relay_host_port: 587 diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index 54beb215..f9e1348e 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -15,7 +15,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ --tmpfs=/var/spool/exim:rw,noexec,nosuid,size=100m \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_mailer_base_path }}/env-mailer \ - --hostname={{ hostname_matrix }} \ + --hostname={{ matrix_server_fqn_matrix }} \ {{ matrix_mailer_docker_image }} ExecStop=-/usr/bin/docker kill matrix-mailer ExecStop=-/usr/bin/docker rm matrix-mailer diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index 4cd87003..13866bd1 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -29,7 +29,7 @@ matrix_mxisd_synapsesql_type: "" matrix_mxisd_synapsesql_connection: "" # Setting up email-sending settings is required for using mxisd. -matrix_mxisd_threepid_medium_email_identity_from: "matrix@{{ hostname_identity }}" +matrix_mxisd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}" matrix_mxisd_threepid_medium_email_connectors_smtp_host: "" matrix_mxisd_threepid_medium_email_connectors_smtp_port: 587 matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 1 @@ -40,7 +40,7 @@ matrix_mxisd_threepid_medium_email_connectors_smtp_password: "" # Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to mxisd, # so that mxisd can rewrite the original URL to one that would reach the homeserver. matrix_mxisd_dns_overwrite_enabled: false -matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ hostname_matrix }}" +matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" matrix_mxisd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" # Default mxisd configuration template which covers the generic use case. @@ -50,10 +50,10 @@ matrix_mxisd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" # or completely replace this variable with your own template. matrix_mxisd_configuration_yaml: | matrix: - domain: {{ hostname_identity }} + domain: {{ matrix_domain }} server: - name: {{ hostname_matrix }} + name: {{ matrix_server_fqn_matrix }} key: path: /var/mxisd/sign.key diff --git a/roles/matrix-mxisd/tasks/self_check_mxisd.yml b/roles/matrix-mxisd/tasks/self_check_mxisd.yml index 6c9f1e2d..1ca9a39b 100644 --- a/roles/matrix-mxisd/tasks/self_check_mxisd.yml +++ b/roles/matrix-mxisd/tasks/self_check_mxisd.yml @@ -1,7 +1,7 @@ --- - set_fact: - mxisd_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/identity/api/v1" + mxisd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1" - name: Check mxisd Identity Service uri: @@ -12,9 +12,9 @@ - name: Fail if mxisd Identity Service not working fail: - msg: "Failed checking mxisd is up at `{{ hostname_matrix }}` (checked endpoint: `{{ mxisd_url_endpoint_public }}`). Is mxisd running? Is port 443 open in your firewall? Full error: {{ result_mxisd }}" + msg: "Failed checking mxisd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ mxisd_url_endpoint_public }}`). Is mxisd running? Is port 443 open in your firewall? Full error: {{ result_mxisd }}" when: "result_mxisd.failed or 'json' not in result_mxisd" - name: Report working mxisd Identity Service debug: - msg: "mxisd at `{{ hostname_matrix }}` is working (checked endpoint: `{{ mxisd_url_endpoint_public }}`)" \ No newline at end of file + msg: "mxisd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ mxisd_url_endpoint_public }}`)" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 30a41cb8..48c3e18f 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -22,11 +22,11 @@ matrix_nginx_proxy_container_additional_volumes: [] # Controls whether proxying the riot domain should be done. matrix_nginx_proxy_proxy_riot_enabled: false -matrix_nginx_proxy_proxy_riot_hostname: "{{ hostname_riot }}" +matrix_nginx_proxy_proxy_riot_hostname: "{{ matrix_server_fqn_riot }}" # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false -matrix_nginx_proxy_proxy_matrix_hostname: "{{ hostname_matrix }}" +matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false @@ -92,7 +92,7 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" # obeying the following hierarchy: # - /live//fullchain.pem # - /live//privkey.pem -# where refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`). +# where refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_riot`). # # The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen. # It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`) @@ -106,7 +106,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] matrix_ssl_lets_encrypt_staging: false matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 -matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}" +matrix_ssl_lets_encrypt_support_email: ~ matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml index 40fa95a6..6467cedb 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml @@ -1,8 +1,8 @@ --- - set_fact: - well_known_url_matrix: "https://{{ hostname_matrix }}{{ well_known_file_check.path }}" - well_known_url_identity: "https://{{ hostname_identity }}{{ well_known_file_check.path }}" + well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}" + well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}" # These well-known files may be served without a `Content-Type: application/json` header, # so we can't rely on the uri module's automatic parsing of JSON. @@ -16,7 +16,7 @@ - name: Fail if .well-known not working on the matrix hostname fail: - msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}" + msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}" when: "result_well_known_matrix.failed" - name: Parse JSON for well-known payload at the matrix hostname @@ -25,12 +25,12 @@ - name: Fail if .well-known not CORS-aware on the matrix hostname fail: - msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set." + msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set." when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_matrix" - name: Report working .well-known on the matrix hostname debug: - msg: "well-known for {{ well_known_file_check.purpose }} is configured correctly for `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)" + msg: "well-known for {{ well_known_file_check.purpose }} is configured correctly for `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)" - name: Check .well-known on the identity hostname uri: @@ -42,7 +42,7 @@ - name: Fail if .well-known not working on the identity hostname fail: - msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}" + msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}" when: "result_well_known_identity.failed" - name: Parse JSON for well-known payload at the identity hostname @@ -51,15 +51,15 @@ - name: Fail if .well-known not CORS-aware on the identity hostname fail: - msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md" + msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md" when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_identity" # For people who manually copy the well-known file, try to detect if it's outdated - name: Fail if well-known is different on matrix hostname and identity hostname fail: - msg: "The well-known files for {{ well_known_file_check.purpose }} at `{{ hostname_matrix }}` and `{{ hostname_identity }}` are different. Perhaps you copied the file ({{ well_known_file_check.path }}) manually before and now it's outdated?" + msg: "The well-known files for {{ well_known_file_check.purpose }} at `{{ matrix_server_fqn_matrix }}` and `{{ matrix_domain }}` are different. Perhaps you copied the file ({{ well_known_file_check.path }}) manually before and now it's outdated?" when: "well_known_matrix_payload != well_known_identity_payload" - name: Report working .well-known on the identity hostname debug: - msg: "well-known for {{ well_known_file_check.purpose }} ({{ well_known_file_check.path }}) is configured correctly for `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`)" + msg: "well-known for {{ well_known_file_check.purpose }} ({{ well_known_file_check.path }}) is configured correctly for `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`)" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 583ce29c..78f1458b 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -16,10 +16,22 @@ # Tasks related to setting up Let's Encrypt's management of certificates # -- name: (Deprecation) Fail if using outdated configuration +- name: (Deprecation) Catch and report renamed settings fail: - msg: "You're using the `host_specific_matrix_ssl_support_email` variable, which has been superseded by `host_specific_matrix_ssl_lets_encrypt_support_email`. Please change your configuration to use the new name!" - when: "matrix_ssl_retrieval_method == 'lets-encrypt' and host_specific_matrix_ssl_support_email is defined" + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + with_items: + - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} + - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} + when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item.old in vars" + +- name: Fail if required variables are undefined + fail: + msg: "Detected an undefined required variable" + with_items: + - "{{ matrix_ssl_lets_encrypt_support_email }}" + when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item is none" - name: Allow access to HTTP/HTTPS in firewalld firewalld: @@ -111,4 +123,4 @@ file: path: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew state: absent - when: "matrix_ssl_retrieval_method != 'lets-encrypt'" \ No newline at end of file + when: "matrix_ssl_retrieval_method != 'lets-encrypt'" diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 index 5f474453..20f9fda2 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 @@ -13,4 +13,4 @@ docker run \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --network {{ matrix_docker_network }} \ {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ host_specific_hostname_identity }}'" + psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ matrix_domain }}'" diff --git a/roles/matrix-riot-web/tasks/self_check_riot_web.yml b/roles/matrix-riot-web/tasks/self_check_riot_web.yml index a32fb2cb..1e10566f 100644 --- a/roles/matrix-riot-web/tasks/self_check_riot_web.yml +++ b/roles/matrix-riot-web/tasks/self_check_riot_web.yml @@ -1,7 +1,7 @@ --- - set_fact: - riot_web_url_endpoint_public: "https://{{ hostname_riot }}/config.json" + riot_web_url_endpoint_public: "https://{{ matrix_server_fqn_riot }}/config.json" - name: Check riot-web uri: @@ -12,9 +12,9 @@ - name: Fail if riot-web not working fail: - msg: "Failed checking riot-web is up at `{{ hostname_riot }}` (checked endpoint: `{{ riot_web_url_endpoint_public }}`). Is Riot running? Is port 443 open in your firewall? Full error: {{ result_riot_web }}" + msg: "Failed checking riot-web is up at `{{ matrix_server_fqn_riot }}` (checked endpoint: `{{ riot_web_url_endpoint_public }}`). Is Riot running? Is port 443 open in your firewall? Full error: {{ result_riot_web }}" when: "result_riot_web.failed or 'json' not in result_riot_web" - name: Report working riot-web debug: - msg: "riot-web at `{{ hostname_riot }}` is working (checked endpoint: `{{ riot_web_url_endpoint_public }}`)" \ No newline at end of file + msg: "riot-web at `{{ matrix_server_fqn_riot }}` is working (checked endpoint: `{{ riot_web_url_endpoint_public }}`)" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f58251bf..fd320ab4 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -71,8 +71,8 @@ matrix_synapse_rc_message_burst_count: 10.0 # If you're serving Synapse behind an HTTPS-capable reverse-proxy, # you can disable the TLS listener (`matrix_synapse_tls_federation_listener_enabled: false`). matrix_synapse_tls_federation_listener_enabled: true -matrix_synapse_tls_certificate_path: "/data/{{ hostname_matrix }}.tls.crt" -matrix_synapse_tls_private_key_path: "/data/{{ hostname_matrix }}.tls.key" +matrix_synapse_tls_certificate_path: "/data/{{ matrix_server_fqn_matrix }}.tls.crt" +matrix_synapse_tls_private_key_path: "/data/{{ matrix_server_fqn_matrix }}.tls.key" # Enable this to allow Synapse to report utilization statistics about your server to matrix.org # (things like number of users, number of messages sent, uptime, load, etc.) @@ -155,8 +155,8 @@ matrix_synapse_email_enabled: false matrix_synapse_email_smtp_host: "" matrix_synapse_email_smtp_port: 587 matrix_synapse_email_smtp_require_transport_security: false -matrix_synapse_email_notif_from: "Matrix " -matrix_synapse_email_riot_base_url: "https://{{ hostname_riot }}" +matrix_synapse_email_notif_from: "Matrix " +matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}" # Enable this to activate the REST auth password provider module. @@ -229,8 +229,8 @@ matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" matrix_appservice_irc_configuration_yaml: | homeserver: - url: "https://{{ hostname_matrix }}" - domain: "{{ hostname_identity }}" + url: "https://{{ matrix_server_fqn_matrix }}" + domain: "{{ matrix_domain }}" enablePresence: true matrix_appservice_irc_configuration_extension_yaml: | diff --git a/roles/matrix-synapse/tasks/self_check_client_api.yml b/roles/matrix-synapse/tasks/self_check_client_api.yml index d8914214..654f6a1a 100644 --- a/roles/matrix-synapse/tasks/self_check_client_api.yml +++ b/roles/matrix-synapse/tasks/self_check_client_api.yml @@ -9,9 +9,9 @@ - name: Fail if Matrix Client API not working fail: - msg: "Failed checking Matrix Client API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_synapse_client_api }}" + msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_synapse_client_api }}" when: "result_matrix_synapse_client_api.failed or 'json' not in result_matrix_synapse_client_api" - name: Report working Matrix Client API debug: - msg: "The Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`) is working" \ No newline at end of file + msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`) is working" diff --git a/roles/matrix-synapse/tasks/self_check_federation_api.yml b/roles/matrix-synapse/tasks/self_check_federation_api.yml index dc451955..235036cf 100644 --- a/roles/matrix-synapse/tasks/self_check_federation_api.yml +++ b/roles/matrix-synapse/tasks/self_check_federation_api.yml @@ -10,9 +10,9 @@ - name: Fail if Matrix Federation API not working fail: - msg: "Failed checking Matrix Federation API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}" + msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}" when: "result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api" - name: Report working Matrix Federation API debug: - msg: "The Matrix Federation API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working" \ No newline at end of file + msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working" diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index 339f5650..f5199540 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -41,7 +41,7 @@ --cap-drop=ALL -v {{ matrix_synapse_config_dir_path }}:/data -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml - -e SYNAPSE_SERVER_NAME={{ hostname_matrix }} + -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }} -e SYNAPSE_REPORT_STATS=no {{ matrix_synapse_docker_image }} generate @@ -56,7 +56,7 @@ - name: Ensure Matrix log config installed template: src: "{{ matrix_synapse_template_synapse_log }}" - dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" + dest: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.log.config" mode: 0644 - name: Ensure matrix-synapse.service installed diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index 607dced4..65778967 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -10,7 +10,7 @@ - name: (Deprecation) Catch and report renamed settings fail: - msg: > + msg: >- Your configuration contains a variable, which now has a different name. Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). when: "item.old in vars" diff --git a/roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2 b/roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2 index 7e6174a1..638f3e0e 100644 --- a/roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2 +++ b/roles/matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2 @@ -1,9 +1,9 @@ # Homeserver details homeserver: # The address that this appservice can use to connect to the homeserver. - address: https://{{ hostname_matrix }} + address: https://{{ matrix_server_fqn_matrix }} # The domain of the homeserver (for MXIDs, etc). - domain: {{ hostname_identity }} + domain: {{ matrix_domain }} # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true @@ -38,7 +38,7 @@ appservice: prefix: {{ matrix_mautrix_telegram_public_endpoint }} # The base URL where the public-facing endpoints are available. The prefix is not added # implicitly. - external: https://{{ hostname_matrix }}{{ matrix_mautrix_telegram_public_endpoint }} + external: https://{{ matrix_server_fqn_matrix }}{{ matrix_mautrix_telegram_public_endpoint }} # Provisioning API part of the web server for automated portal creation and fetching information. # Used by things like Dimension (https://dimension.t2bot.io/). @@ -206,7 +206,7 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - '{{ hostname_identity }}': full + '{{ matrix_domain }}': full # Options related to the message relay Telegram bot. relaybot: diff --git a/roles/matrix-synapse/templates/ext/mautrix-whatsapp/config.yaml.j2 b/roles/matrix-synapse/templates/ext/mautrix-whatsapp/config.yaml.j2 index a29117cc..15d9bbe6 100644 --- a/roles/matrix-synapse/templates/ext/mautrix-whatsapp/config.yaml.j2 +++ b/roles/matrix-synapse/templates/ext/mautrix-whatsapp/config.yaml.j2 @@ -1,9 +1,9 @@ # Homeserver details. homeserver: # The address that this appservice can use to connect to the homeserver. - address: https://{{ hostname_matrix }} + address: https://{{ matrix_server_fqn_matrix }} # The domain of the homeserver (for MXIDs, etc). - domain: {{ hostname_identity }} + domain: {{ matrix_domain }} # Application service host/registration related details. # Changing these values requires regeneration of the registration. @@ -67,7 +67,7 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - '{{ hostname_identity }}': user + '{{ matrix_domain }}': user # Logging config. logging: diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 73c0003a..36333788 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -5,7 +5,7 @@ # This is used by remote servers to connect to this server, # e.g. matrix.org, localhost:8080, etc. # This is also the last part of your UserID. -server_name: "{{ hostname_identity }}" +server_name: "{{ matrix_domain }}" # When running as a daemon, the file to store the pid in pid_file: /homeserver.pid @@ -43,7 +43,7 @@ pid_file: /homeserver.pid # enter into the 'custom HS URL' field on their client. If you # use synapse with a reverse proxy, this should be the URL to reach # synapse via the proxy. -public_baseurl: https://{{ hostname_matrix }}/ +public_baseurl: https://{{ matrix_server_fqn_matrix }}/ # Set the soft limit on the number of file descriptors synapse can use # Zero is used to indicate synapse should set the soft limit to the @@ -339,7 +339,7 @@ event_cache_size: "{{ matrix_synapse_event_cache_size }}" # A yaml python logging config file -log_config: "/data/{{ hostname_matrix }}.log.config" +log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" ## Ratelimiting ## @@ -660,7 +660,7 @@ form_secret: {{ matrix_synapse_form_secret|to_json }} ## Signing Keys ## # Path to the signing key to sign messages with -signing_key_path: "/data/{{ hostname_matrix }}.signing.key" +signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key" # The keys that the server used to sign messages with but won't use # to sign new messages. E.g. it has lost its private key diff --git a/roles/matrix-synapse/vars/main.yml b/roles/matrix-synapse/vars/main.yml index 9d0136c2..f5c40021 100644 --- a/roles/matrix-synapse/vars/main.yml +++ b/roles/matrix-synapse/vars/main.yml @@ -2,5 +2,5 @@ matrix_synapse_id_servers_public: ['vector.im', 'matrix.org'] -matrix_synapse_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/versions" -matrix_synapse_federation_api_url_endpoint_public: "https://{{ hostname_matrix }}:8448/_matrix/federation/v1/version" \ No newline at end of file +matrix_synapse_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" +matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:8448/_matrix/federation/v1/version" From 0b6c28fb231b1520be874be6a46da28270cfd9f4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 28 Feb 2019 14:23:17 +0200 Subject: [PATCH 0384/2384] Mark some Docker images as optional --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index dc87648e..6e9885ce 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,7 @@ This playbook sets up your server using the following Docker images: - [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Matrix Synapse](https://github.com/matrix-org/synapse) server -- [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server +- [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) - [bubuntux/riot-web](https://hub.docker.com/r/bubuntux/riot-web/) - the [Riot.im](https://about.riot.im/) web client (optional) @@ -106,7 +106,7 @@ This playbook sets up your server using the following Docker images: - [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional) -- [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) - the [certbot](https://certbot.eff.org/) tool for obtaining SSL certificates from [Let's Encrypt](https://letsencrypt.org/) +- [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) - the [certbot](https://certbot.eff.org/) tool for obtaining SSL certificates from [Let's Encrypt](https://letsencrypt.org/) (optional) - [tulir/mautrix-telegram](https://hub.docker.com/r/tulir/mautrix-telegram/) - the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge to [Telegram](https://telegram.org/) (optional) From 6b47ebeaa7b770b31c18a89de7d6bc141bbac8a6 Mon Sep 17 00:00:00 2001 From: frlae Date: Fri, 1 Mar 2019 07:48:45 +0100 Subject: [PATCH 0385/2384] fixed a small path typo in playbook telemetry docs --- docs/configuring-playbook-telemetry.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-telemetry.md b/docs/configuring-playbook-telemetry.md index bc954f67..2027c9c8 100644 --- a/docs/configuring-playbook-telemetry.md +++ b/docs/configuring-playbook-telemetry.md @@ -10,7 +10,7 @@ growth of the Matrix community, and helps to make Matrix a success. ## Enabling Telemetry -If you'd like to **help by enabling submission of anonymized usage statistics** for your homeserver, add this to your configuration file (`inventory/matrix./vars.yml`): +If you'd like to **help by enabling submission of anonymized usage statistics** for your homeserver, add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml matrix_synapse_report_stats: true @@ -41,4 +41,4 @@ If statistics reporting is enabled, the information that gets submitted to the m - cache setting information -- CPU and memory statistics for the homeserver program \ No newline at end of file +- CPU and memory statistics for the homeserver program From f2a2cad107e5514915c90382ccc68472128e1726 Mon Sep 17 00:00:00 2001 From: paulbdavis Date: Fri, 1 Mar 2019 14:01:46 -0700 Subject: [PATCH 0386/2384] allow exposing mautrix_telegram port --- roles/matrix-synapse/defaults/main.yml | 3 ++- .../systemd/matrix-mautrix-telegram.service.j2 | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index fd320ab4..1073c2e1 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -209,7 +209,8 @@ matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH # Mautrix telegram public endpoint to log in to telegram # Use an uuid so it's not easily discoverable matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}" - +# Set this to a port number to expose on the host when not using the nginx proxy +matrix_mautrix_telegram_container_expose_port: false # Matrix mautrix is a Matrix <-> Whatsapp bridge # Enable whatsapp bridge diff --git a/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 index 7e965804..d46cbc50 100644 --- a/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 @@ -21,6 +21,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ + {% if matrix_mautrix_telegram_container_expose_port %} + -p 127.0.0.1:{{ matrix_mautrix_telegram_container_expose_port }}:8080 \ + {% endif %} -v {{ matrix_mautrix_telegram_base_path }}:/data:z \ {{ matrix_mautrix_telegram_docker_image }} \ python3 -m mautrix_telegram -c /data/config.yaml From 041a1947b30873c96061d4585d199778bc5cd667 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 2 Mar 2019 09:37:35 +0200 Subject: [PATCH 0387/2384] Update Synapse (0.99.1.1 -> 0.99.2) --- docs/configuring-playbook-telemetry.md | 2 ++ roles/matrix-synapse/defaults/main.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-telemetry.md b/docs/configuring-playbook-telemetry.md index 2027c9c8..fd7f1218 100644 --- a/docs/configuring-playbook-telemetry.md +++ b/docs/configuring-playbook-telemetry.md @@ -42,3 +42,5 @@ If statistics reporting is enabled, the information that gets submitted to the m - cache setting information - CPU and memory statistics for the homeserver program + +- database engine type and version diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index fd320ab4..cbabaa6d 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.1.1-py3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.2-py3" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" From 45618679f519408b596a3ec4e41ad8b27f8e462c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Mar 2019 11:55:15 +0200 Subject: [PATCH 0388/2384] Reload systemd services when they get updated Fixes #69 (Github Issue) --- .../matrix-corporal/tasks/setup_corporal.yml | 38 ++++++++++++++++++- roles/matrix-coturn/tasks/setup_coturn.yml | 13 ++++++- roles/matrix-mailer/tasks/setup_mailer.yml | 11 ++++++ roles/matrix-mxisd/tasks/setup_mxisd.yml | 11 ++++++ .../tasks/setup_nginx_proxy.yml | 11 ++++++ .../matrix-postgres/tasks/setup_postgres.yml | 11 ++++++ .../matrix-riot-web/tasks/setup_riot_web.yml | 11 ++++++ .../tasks/ext/appservice-irc/setup.yml | 6 +++ .../tasks/ext/mautrix-telegram/setup.yml | 6 +++ .../tasks/ext/mautrix-whatsapp/setup.yml | 6 +++ .../tasks/setup_synapse_goofys.yml | 11 ++++++ .../tasks/setup_synapse_main.yml | 6 +++ 12 files changed, 139 insertions(+), 2 deletions(-) diff --git a/roles/matrix-corporal/tasks/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml index f1fd2d9b..0bfba48a 100644 --- a/roles/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -34,18 +34,54 @@ src: "{{ role_path }}/templates/systemd/matrix-corporal.service.j2" dest: "/etc/systemd/system/matrix-corporal.service" mode: 0644 + register: matrix_corporal_systemd_service_result when: "matrix_corporal_enabled" +- name: Ensure systemd reloaded after matrix-corporal.service installation + service: + daemon_reload: yes + when: "matrix_corporal_enabled and matrix_corporal_systemd_service_result.changed" + # # Tasks related to getting rid of matrix-corporal (if it was previously enabled) # +- name: Check existence of matrix-corporal service + stat: + path: "/etc/systemd/system/matrix-corporal.service" + register: matrix_corporal_service_stat + +- name: Ensure matrix-corporal is stopped + service: + name: matrix-corporal + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_corporal_enabled and matrix_corporal_service_stat.stat.exists" + +- name: Ensure matrix-corporal.service doesn't exist + file: + path: "/etc/systemd/system/matrix-corporal.service" + state: absent + when: "not matrix_corporal_enabled and matrix_corporal_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-corporal.service removal + service: + daemon_reload: yes + when: "not matrix_corporal_enabled and matrix_corporal_service_stat.stat.exists" + - name: Ensure matrix-corporal files don't exist file: path: "{{ item }}" state: absent - when: "not matrix_corporal_enabled" with_items: - /etc/systemd/system/matrix-corporal.service - "{{ matrix_corporal_config_dir_path }}/config.json" + when: "not matrix_corporal_enabled" + +- name: Ensure Matrix Corporal Docker image doesn't exist + docker_image: + name: "{{ matrix_corporal_docker_image }}" + state: absent + when: "not matrix_corporal_enabled" diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index fbbabaa6..5dd0db41 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -30,8 +30,14 @@ src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2" dest: "/etc/systemd/system/matrix-coturn.service" mode: 0644 + register: matrix_coturn_systemd_service_result when: matrix_coturn_enabled +- name: Ensure systemd reloaded after matrix-coturn.service installation + service: + daemon_reload: yes + when: "matrix_coturn_enabled and matrix_coturn_systemd_service_result.changed" + - name: Allow access to Coturn ports in firewalld firewalld: port: "{{ item }}" @@ -67,6 +73,11 @@ state: absent when: "not matrix_coturn_enabled and matrix_coturn_service_stat.stat.exists" +- name: Ensure systemd reloaded after matrix-coturn.service removal + service: + daemon_reload: yes + when: "not matrix_coturn_enabled and matrix_coturn_service_stat.stat.exists" + - name: Ensure Matrix coturn paths don't exist file: path: "{{ matrix_coturn_base_path }}" @@ -77,4 +88,4 @@ docker_image: name: "{{ matrix_coturn_docker_image }}" state: absent - when: "not matrix_coturn_enabled" \ No newline at end of file + when: "not matrix_coturn_enabled" diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml index 7155556c..9f57f8b7 100644 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -30,8 +30,14 @@ src: "{{ role_path }}/templates/systemd/matrix-mailer.service.j2" dest: "/etc/systemd/system/matrix-mailer.service" mode: 0644 + register: matrix_mailer_systemd_service_result when: matrix_mailer_enabled +- name: Ensure systemd reloaded after matrix-mailer.service installation + service: + daemon_reload: yes + when: "matrix_mailer_enabled and matrix_mailer_systemd_service_result.changed" + # # Tasks related to getting rid of the mailer (if it was previously enabled) # @@ -55,6 +61,11 @@ state: absent when: "not matrix_mailer_enabled and matrix_mailer_service_stat.stat.exists" +- name: Ensure systemd reloaded after matrix-mailer.service removal + service: + daemon_reload: yes + when: "not matrix_mailer_enabled and matrix_mailer_service_stat.stat.exists" + - name: Ensure Matrix mailer environment variables path doesn't exist file: path: "{{ matrix_mailer_base_path }}" diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml index 8d81e47c..e10d79f6 100644 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ b/roles/matrix-mxisd/tasks/setup_mxisd.yml @@ -35,8 +35,14 @@ src: "{{ role_path }}/templates/systemd/matrix-mxisd.service.j2" dest: "/etc/systemd/system/matrix-mxisd.service" mode: 0644 + register: matrix_mxisd_systemd_service_result when: matrix_mxisd_enabled +- name: Ensure systemd reloaded after matrix-mxisd.service installation + service: + daemon_reload: yes + when: "matrix_mxisd_enabled and matrix_mxisd_systemd_service_result.changed" + # # Tasks related to getting rid of mxisd (if it was previously enabled) # @@ -60,6 +66,11 @@ state: absent when: "not matrix_mxisd_enabled and matrix_mxisd_service_stat.stat.exists" +- name: Ensure systemd reloaded after matrix-mxisd.service removal + service: + daemon_reload: yes + when: "not matrix_mxisd_enabled and matrix_mxisd_service_stat.stat.exists" + - name: Ensure Matrix mxisd paths don't exist file: path: "{{ matrix_mxisd_base_path }}" diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 0a67a457..b6aacab2 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -90,8 +90,14 @@ src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2" dest: "/etc/systemd/system/matrix-nginx-proxy.service" mode: 0644 + register: matrix_nginx_proxy_systemd_service_result when: matrix_nginx_proxy_enabled +- name: Ensure systemd reloaded after matrix-nginx-proxy.service installation + service: + daemon_reload: yes + when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed" + # # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled) @@ -116,6 +122,11 @@ state: absent when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists" +- name: Ensure systemd reloaded after matrix-nginx-proxy.service removal + service: + daemon_reload: yes + when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists" + - name: Ensure Matrix nginx-proxy configuration for matrix domain deleted file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf" diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 2b83d4aa..e22e1024 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -76,8 +76,14 @@ src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2" dest: "/etc/systemd/system/matrix-postgres.service" mode: 0644 + register: matrix_postgres_systemd_service_result when: matrix_postgres_enabled +- name: Ensure systemd reloaded after matrix-postgres.service installation + service: + daemon_reload: yes + when: "matrix_postgres_enabled and matrix_postgres_systemd_service_result.changed" + # # Tasks related to getting rid of the internal postgres server (if it was previously enabled) # @@ -101,6 +107,11 @@ state: absent when: "not matrix_postgres_enabled and matrix_postgres_service_stat.stat.exists" +- name: Ensure systemd reloaded after matrix-postgres.service removal + service: + daemon_reload: yes + when: "not matrix_postgres_enabled and matrix_postgres_service_stat.stat.exists" + - name: Check existence of matrix-postgres local data path stat: path: "{{ matrix_postgres_data_path }}" diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index 94863a8c..9828ae2a 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -44,8 +44,14 @@ src: "{{ role_path }}/templates/systemd/matrix-riot-web.service.j2" dest: "/etc/systemd/system/matrix-riot-web.service" mode: 0644 + register: matrix_riot_web_systemd_service_result when: matrix_riot_web_enabled +- name: Ensure systemd reloaded after matrix-riot-web.service installation + service: + daemon_reload: yes + when: "matrix_riot_web_enabled and matrix_riot_web_systemd_service_result.changed" + # # Tasks related to getting rid of riot-web (if it was previously enabled) # @@ -69,6 +75,11 @@ state: absent when: "not matrix_riot_web_enabled and matrix_riot_web_service_stat.stat.exists" +- name: Ensure systemd reloaded after matrix-riot-web.service removal + service: + daemon_reload: yes + when: "not matrix_riot_web_enabled and matrix_riot_web_service_stat.stat.exists" + - name: Ensure Matrix riot-web paths doesn't exist file: path: "{{ matrix_riot_web_data_path }}" diff --git a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml index 79d800a0..7a18e044 100644 --- a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml +++ b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml @@ -35,8 +35,14 @@ src: "{{ role_path }}/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2" dest: "/etc/systemd/system/matrix-appservice-irc.service" mode: 0644 + register: matrix_appservice_irc_systemd_service_result when: "matrix_appservice_irc_enabled" +- name: Ensure systemd reloaded after matrix-appservice-irc.service installation + service: + daemon_reload: yes + when: "matrix_appservice_irc_enabled and matrix_appservice_irc_systemd_service_result.changed" + - stat: path: "{{ matrix_appservice_irc_base_path }}/registration.yaml" register: appservice_irc_registration_file diff --git a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml index 51a68336..8c2c3cd5 100644 --- a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml @@ -44,8 +44,14 @@ src: "{{ role_path }}/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2" dest: "/etc/systemd/system/matrix-mautrix-telegram.service" mode: 0644 + register: matrix_mautrix_telegram_systemd_service_result when: "matrix_mautrix_telegram_enabled" +- name: Ensure systemd reloaded after matrix-mautrix-telegram.service installation + service: + daemon_reload: yes + when: "matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_systemd_service_result.changed" + - name: Check if a mautrix-telegram registration file exists stat: path: "{{ matrix_mautrix_telegram_base_path }}/registration.yaml" diff --git a/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml index 3c22c62c..5c0bc033 100644 --- a/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml @@ -33,8 +33,14 @@ src: "{{ role_path }}/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2" dest: "/etc/systemd/system/matrix-mautrix-whatsapp.service" mode: 0644 + register: matrix_mautrix_whatsapp_systemd_service_result when: "matrix_mautrix_whatsapp_enabled" +- name: Ensure systemd reloaded after matrix-mautrix-whatsapp.service installation + service: + daemon_reload: yes + when: "matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_systemd_service_result.changed" + - name: Check if a mautrix-whatsapp registration file exists stat: path: "{{ matrix_mautrix_whatsapp_base_path }}/registration.yaml" diff --git a/roles/matrix-synapse/tasks/setup_synapse_goofys.yml b/roles/matrix-synapse/tasks/setup_synapse_goofys.yml index f37a1eb6..ae4349cd 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_goofys.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_goofys.yml @@ -37,8 +37,14 @@ src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2" dest: "/etc/systemd/system/matrix-goofys.service" mode: 0644 + register: matrix_goofys_systemd_service_result when: matrix_s3_media_store_enabled +- name: Ensure systemd reloaded after matrix-goofys.service installation + service: + daemon_reload: yes + when: "matrix_s3_media_store_enabled and matrix_goofys_systemd_service_result.changed" + # # Tasks related to getting rid of goofys (if it was previously enabled) # @@ -62,6 +68,11 @@ state: absent when: "not matrix_s3_media_store_enabled and matrix_goofys_service_stat.stat.exists" +- name: Ensure systemd reloaded after matrix-goofys.service removal + service: + daemon_reload: yes + when: "not matrix_s3_media_store_enabled and matrix_goofys_service_stat.stat.exists" + - name: Ensure goofys environment variables file doesn't exist file: path: "{{ matrix_synapse_config_dir_path }}/env-goofys" diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index f5199540..e2d7baea 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -64,6 +64,12 @@ src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2" dest: "/etc/systemd/system/matrix-synapse.service" mode: 0644 + register: matrix_synapse_systemd_service_result + +- name: Ensure systemd reloaded after matrix-synapse.service installation + service: + daemon_reload: yes + when: matrix_synapse_systemd_service_result.changed - name: Ensure matrix-synapse-register-user script created template: From 6f6dff3e2b3615e17b27dcb8bf4ec11263c5707f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Mar 2019 12:27:43 +0200 Subject: [PATCH 0389/2384] Update some Docker images --- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++-- roles/matrix-postgres/defaults/main.yml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 48c3e18f..0910dbc8 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # those as more frequently out of date. -matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.15.9-alpine" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" @@ -104,7 +104,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.31.0" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index d4818a7f..4b26f42d 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -8,7 +8,7 @@ matrix_postgres_db_name: "" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" -matrix_postgres_docker_image_v9: "postgres:9.6.11-alpine" -matrix_postgres_docker_image_v10: "postgres:10.6-alpine" -matrix_postgres_docker_image_v11: "postgres:11.1-alpine" -matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}" \ No newline at end of file +matrix_postgres_docker_image_v9: "postgres:9.6.12-alpine" +matrix_postgres_docker_image_v10: "postgres:10.7-alpine" +matrix_postgres_docker_image_v11: "postgres:11.2-alpine" +matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}" From 835c34927589e40fbbf268ee0c57a35d8ad0d192 Mon Sep 17 00:00:00 2001 From: Lionstiger Date: Sun, 3 Mar 2019 18:22:52 +0100 Subject: [PATCH 0390/2384] Add matrix-appservice-discord bridge Bridge is setup to work on the matrix side with this, but the discord invite link is not automatically generated. --- README.md | 4 + ...ring-playbook-bridge-appservice-discord.md | 5 + docs/configuring-playbook.md | 2 + group_vars/matrix-servers | 12 + matrix-servers | 352 ++++++++++++++++++ roles/matrix-synapse/defaults/main.yml | 126 ++++++- .../tasks/ext/appservice-discord/init.yml | 3 + .../tasks/ext/appservice-discord/setup.yml | 65 ++++ roles/matrix-synapse/tasks/ext/init.yml | 2 + roles/matrix-synapse/tasks/ext/setup.yml | 2 + .../matrix-appservice-discord.service.j2 | 29 ++ 11 files changed, 601 insertions(+), 1 deletion(-) create mode 100644 docs/configuring-playbook-bridge-appservice-discord.md create mode 100644 matrix-servers create mode 100644 roles/matrix-synapse/tasks/ext/appservice-discord/init.yml create mode 100644 roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml create mode 100644 roles/matrix-synapse/templates/ext/appservice-discord/systemd/matrix-appservice-discord.service.j2 diff --git a/README.md b/README.md index 6e9885ce..67c1373e 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) +- (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/) + Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. @@ -114,6 +116,8 @@ This playbook sets up your server using the following Docker images: - [tedomum/matrix-appservice-irc](https://hub.docker.com/r/tedomum/matrix-appservice-irc/) - the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional) +- [tedomum/matrix-appservice-discord](https://hub.docker.com/r/halfshot/matrix-appservice-discord) - the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge to [Discord](https://discordapp.com/) + ## Deficiencies diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md new file mode 100644 index 00000000..2a7ad028 --- /dev/null +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -0,0 +1,5 @@ +# Setting up Appservice Discord (optional) + +The playbook can install and configure [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) for you. + +See the project's [documentation](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/README.md) to learn what it does and why it might be useful to you. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 9a61c153..6285d4d1 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -52,3 +52,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md) (optional) - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional) + +- [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md) (optional) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 49183e37..8c98d611 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -20,6 +20,18 @@ # matrix-appservice-irc's client-server port to the local host (`127.0.0.1:9999`). matrix_appservice_irc_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" + +###################################################################### +# +# matrix-appservice-discord +# +###################################################################### + +# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# matrix-appservice-discord's client-server port to the local host (`127.0.0.1:9005`). +matrix_appservice_discord_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" + ###################################################################### # # matrix-base diff --git a/matrix-servers b/matrix-servers new file mode 100644 index 00000000..e3337bf2 --- /dev/null +++ b/matrix-servers @@ -0,0 +1,352 @@ +--- + +# This variables file wires together the various components (roles) used by the playbook. +# +# Roles used by playbook are pretty minimal and kept independent of one another as much as possible. +# To deliver a turnkey fully-featured Matrix server, this playbook needs +# to connect them all together. It does so by overriding role variables. +# +# You can also override ANY variable (seen here or in any given role), +# by re-defining it in your own configuration file (`inventory/host_vars/matrix.`). + +###################################################################### +# +# matrix-appservice-irc +# +###################################################################### + +# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# matrix-appservice-irc's client-server port to the local host (`127.0.0.1:9999`). +matrix_appservice_irc_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" + +###################################################################### +# +# matrix-appservice-discord +# +###################################################################### + +# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# matrix-appservice-discord's client-server port to the local host (`127.0.0.1:9005`). +matrix_appservice_discord_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" + + +###################################################################### +# +# matrix-base +# +###################################################################### + +matrix_identity_server_url: "{{ 'https://' + matrix_synapse_trusted_third_party_id_servers[0] if matrix_synapse_trusted_third_party_id_servers|length > 0 else None }}" + + +###################################################################### +# +# /matrix-base +# +###################################################################### + + + +###################################################################### +# +# matrix-corporal +# +###################################################################### + +matrix_corporal_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`). +matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}" + +matrix_corporal_systemd_required_services_list: | + {{ + (['docker.service']) + + + (['matrix-synapse.service']) + }} + +matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008" + +matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" + +matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}" + +###################################################################### +# +# /matrix-corporal +# +###################################################################### + + + +###################################################################### +# +# matrix-coturn +# +###################################################################### + +matrix_coturn_enabled: true + +###################################################################### +# +# /matrix-coturn +# +###################################################################### + + + +###################################################################### +# +# matrix-mailer +# +###################################################################### + +# By default, this playbook sets up a postfix mailer server (running in a container). +# This is so that Synapse can send email reminders for unread messages. +# Other services (like mxisd), also use the mailer. +matrix_mailer_enabled: true + +###################################################################### +# +# /matrix-mailer +# +###################################################################### + + + +###################################################################### +# +# matrix-mxisd +# +###################################################################### + +# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`). +# If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. +matrix_mxisd_enabled: true + +# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# mxisd's web-server port to the local host (`127.0.0.1:8090`). +matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" + +# We enable Synapse integration via its Postgres database by default. +# When using another Identity store, you might wish to disable this and define +# your own configuration in `matrix_mxisd_configuration_extension_yaml`. +matrix_mxisd_synapsesql_enabled: true +matrix_mxisd_synapsesql_type: postgresql +matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password }} + +matrix_mxisd_dns_overwrite_enabled: true +matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" +matrix_mxisd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" + +# By default, we send mail through the `matrix-mailer` service. +matrix_mxisd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" +matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" +matrix_mxisd_threepid_medium_email_connectors_smtp_port: 8025 +matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0 + +matrix_mxisd_systemd_wanted_services_list: | + {{ + (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-mailer.service'] if matrix_mailer_enabled else []) + }} + +###################################################################### +# +# /matrix-mxisd +# +###################################################################### + + + +###################################################################### +# +# matrix-nginx-proxy +# +###################################################################### + +# By default, this playbook sets up a reverse-proxy nginx proxy server on TCP ports 80, 443 and 8448. +# This is fine if you're dedicating the whole server to Matrix. +# If that's not the case, you may wish to disable this and take care of proxying yourself. +matrix_nginx_proxy_enabled: true + +matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" +matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:8008' }}" +matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" + +matrix_nginx_proxy_proxy_matrix_enabled: true +matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}" + +matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" +matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" +matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" + +matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled }}" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" + +# By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. +matrix_nginx_proxy_proxy_matrix_federation_api_enabled: true +matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" +matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:8048" + +matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" +matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" +matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" + +matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_enabled }}" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" + +matrix_nginx_proxy_systemd_wanted_services_list: | + {{ + (['matrix-synapse.service']) + + + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + + + (['matrix-mxisd.service'] if matrix_mxisd_enabled else []) + + + (['matrix-riot-web.service'] if matrix_riot_web_enabled else []) + }} + +matrix_ssl_domains_to_obtain_certificates_for: | + {{ + ([matrix_server_fqn_matrix]) + + + ([matrix_server_fqn_riot] if matrix_riot_web_enabled else []) + }} + +###################################################################### +# +# /matrix-nginx-proxy +# +###################################################################### + + + +###################################################################### +# +# matrix-postgres +# +###################################################################### + +matrix_postgres_enabled: true + +matrix_postgres_connection_hostname: "matrix-postgres" +matrix_postgres_connection_username: "synapse" +matrix_postgres_connection_password: "synapse-password" +matrix_postgres_db_name: "homeserver" + +###################################################################### +# +# /matrix-postgres +# +###################################################################### + + + +###################################################################### +# +# matrix-riot-web +# +###################################################################### + +# By default, this playbook installs the Riot.IM web UI on the `matrix_server_fqn_riot` domain. +# If you wish to connect to your Matrix server by other means, you may wish to disable this. +matrix_riot_web_enabled: true + +# Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the riot-web HTTP port to the local host (`127.0.0.1:80`). +matrix_riot_web_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" + +matrix_riot_web_default_hs_url: "{{ matrix_homeserver_url }}" +matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}" + +###################################################################### +# +# /matrix-riot-web +# +###################################################################### + + + +###################################################################### +# +# matrix-synapse +# +###################################################################### + +# When mxisd is enabled, we can use it instead of the default public Identity servers. +matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose its ports +# to the local host. +# +# For exposing the Matrix Client API's port (plain HTTP) to the local host (`127.0.0.1:8008`). +matrix_synapse_container_expose_client_api_port: "{{ not matrix_nginx_proxy_enabled }}" +# For exposing the Matrix Federation API's port (plain HTTP) to the local host (`127.0.0.1:8048`). +matrix_synapse_container_expose_federation_api_port: "{{ not matrix_nginx_proxy_enabled }}" + +matrix_synapse_container_expose_metrics_port: "{{ not matrix_nginx_proxy_enabled }}" + +matrix_synapse_database_host: "{{ matrix_postgres_connection_hostname }}" +matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}" +matrix_synapse_database_password: "{{ matrix_postgres_connection_password }}" +matrix_synapse_database_database: "{{ matrix_postgres_db_name }}" + +# We do not enable TLS in Synapse by default. +# TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. +matrix_synapse_tls_federation_listener_enabled: false +matrix_synapse_tls_certificate_path: ~ +matrix_synapse_tls_private_key_path: ~ + +matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" +matrix_synapse_email_smtp_host: "matrix-mailer" +matrix_synapse_email_smtp_port: 8025 +matrix_synapse_email_smtp_require_transport_security: false +matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>" +matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}" + +matrix_synapse_turn_uris: | + {{ + [ + 'turn:' + matrix_server_fqn_matrix + ':3478?transport=udp', + 'turn:' + matrix_server_fqn_matrix + ':3478?transport=tcp', + ] + if matrix_coturn_enabled + else [] + }} + +matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" + +matrix_synapse_systemd_required_services_list: | + {{ + (['docker.service']) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-goofys'] if matrix_s3_media_store_enabled else []) + }} + +matrix_synapse_systemd_wanted_services_list: | + {{ + (['matrix-coturn.service'] if matrix_coturn_enabled else []) + + + (['matrix-mailer.service'] if matrix_mailer_enabled else []) + }} + +###################################################################### +# +# /matrix-synapse +# +###################################################################### diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index cbabaa6d..1ef52de3 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.2-py3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.1.1-py3" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" @@ -18,6 +18,9 @@ matrix_synapse_container_expose_federation_api_port: false # Controls whether the Appservice IRC container exposes the Client/Server API port (tcp/9999). matrix_appservice_irc_container_expose_client_server_api_port: false +# Controls whether the Appservice Discord container exposes the Client/Server API port (tcp/9005). +matrix_appservice_discord_container_expose_client_server_api_port: false + # Controls whether the matrix-synapse container exposes the metrics port (tcp/9100). matrix_synapse_container_expose_metrics_port: false @@ -641,3 +644,124 @@ matrix_appservice_irc_configuration_extension_yaml: | matrix_appservice_irc_configuration_extension: "{{ matrix_appservice_irc_configuration_extension_yaml|from_yaml if matrix_appservice_irc_configuration_extension_yaml|from_yaml else {} }}" matrix_appservice_irc_configuration: "{{ matrix_appservice_irc_configuration_yaml|from_yaml|combine(matrix_appservice_irc_configuration_extension, recursive=True) }}" + + +# Matrix Appservice Discord is a Matrix <-> Discord bridge +# Enable Discord bridge +matrix_appservice_discord_enabled: false + +matrix_appservice_discord_docker_image: "halfshot/matrix-appservice-discord:latest" + +matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord" + +matrix_appservice_discord_client_ID: "YOUR DISCORD APP CLIENT ID" +matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN" + +matrix_appservice_discord_configuration_yaml: | + bridge: + domain: "{{ matrix_domain }}" + homeserverUrl: "{{ matrix_homeserver_url }}" + auth: + clientID: "{{matrix_appservice_discord_client_ID}}" + botToken: "{{matrix_appservice_discord_bot_token}}" + database: + filename: "/data/discord.db" + userStorePath: "/data/user-store.db" + roomStorePath: "/data/room-store.db" + +matrix_appservice_discord_configuration_extension_yaml: | + # This is a sample of the config file showing all avaliable options. + # Where possible we have documented what they do, and all values are the + # default values. + # + #bridge: + # # Domain part of the bridge, e.g. matrix.org + # domain: "localhost" + # # This should be your publically facing URL because Discord may use it to + # # fetch media from the media store. + # homeserverUrl: "http://localhost:8008" + # # Interval at which to process users in the 'presence queue'. If you have + # # 5 users, one user will be processed every 500 milliseconds according to the + # # value below. This has a minimum value of 250. + # # WARNING: This has a high chance of spamming the homeserver with presence + # # updates since it will send one each time somebody changes state or is online. + # presenceInterval: 500 + # # Disable setting presence for 'ghost users' which means Discord users on Matrix + # # will not be shown as away or online. + # disablePresence: false + # # Disable sending typing notifications when somebody on Discord types. + # disableTypingNotifications: false + # # Disable deleting messages on Discord if a message is redacted on Matrix. + # disableDeletionForwarding: false + # # Enable users to bridge rooms using !discord commands. See + # # https://t2bot.io/discord for instructions. + # enableSelfServiceBridging: false + # # Disable sending of read receipts for Matrix events which have been + # # successfully bridged to Discord. + # disableReadReceipts: false + # Authentication configuration for the discord bot. + #auth: + # clientID: "12345" + # botToken: "foobar" + #logging: + # # What level should the logger output to the console at. + # console: "warn" #silly, verbose, info, http, warn, error, silent + # lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format + # files: + # - file: "debug.log" + # disable: + # - "PresenceHandler" # Will not capture presence logging + # - file: "warn.log" # Will capture warnings + # level: "warn" + # - file: "botlogs.log" # Will capture logs from DiscordBot + # level: "info" + # enable: + # - "DiscordBot" + #database: + # userStorePath: "user-store.db" + # roomStorePath: "room-store.db" + # # You may either use SQLite or Postgresql for the bridge database, which contains + # # important mappings for events and user puppeting configurations. + # # Use the filename option for SQLite, or connString for Postgresql. + # # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite + # # WARNING: You will almost certainly be fine with sqlite unless your bridge + # # is in heavy demand and you suffer from IO slowness. + # filename: "discord.db" + # # connString: "postgresql://user:password@localhost/database_name" + #room: + # # Set the default visibility of alias rooms, defaults to "public". + # # One of: "public", "private" + # defaultVisibility: "public" + #channel: + # # Pattern of the name given to bridged rooms. + # # Can use :guild for the guild name and :name for the channel name. + # namePattern: "[Discord] :guild :name" + # # Changes made to rooms when a channel is deleted. + # deleteOptions: + # # Prefix the room name with a string. + # #namePrefix: "[Deleted]" + # # Prefix the room topic with a string. + # #topicPrefix: "This room has been deleted" + # # Disable people from talking in the room by raising the event PL to 50 + # disableMessaging: false + # # Remove the discord alias from the room. + # unsetRoomAlias: true + # # Remove the room from the directory. + # unlistFromDirectory: true + # # Set the room to be unavaliable for joining without an invite. + # setInviteOnly: true + # # Make all the discord users leave the room. + # ghostsLeave: true + #limits: + # # Delay in milliseconds between discord users joining a room. + # roomGhostJoinDelay: 6000 + # # Delay in milliseconds before sending messages to discord to avoid echos. + # # (Copies of a sent message may arrive from discord before we've + # # fininished handling it, causing us to echo it back to the room) + # discordSendDelay: 750 + +matrix_appservice_discord_configuration_extension: "{{ matrix_appservice_irc_configuration_extension_yaml|from_yaml if matrix_appservice_irc_configuration_extension_yaml|from_yaml else {} }}" + +matrix_appservice_discord_configuration: "{{ matrix_appservice_discord_configuration_yaml|from_yaml|combine(matrix_appservice_discord_configuration_extension, recursive=True) }}" + + diff --git a/roles/matrix-synapse/tasks/ext/appservice-discord/init.yml b/roles/matrix-synapse/tasks/ext/appservice-discord/init.yml new file mode 100644 index 00000000..ee6fe1ff --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/appservice-discord/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord'] }}" + when: matrix_appservice_discord_enabled diff --git a/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml new file mode 100644 index 00000000..7d0ba359 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml @@ -0,0 +1,65 @@ +--- +- name: Ensure Appservice Discord image is pulled + docker_image: + name: "{{ matrix_appservice_discord_docker_image }}" + when: "matrix_appservice_discord_enabled" + +- name: Ensure Appservice Discord configuration path exists + file: + path: "{{ matrix_appservice_discord_base_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "matrix_appservice_discord_enabled" + +- name: Ensure Matrix Appservice Discord config installed + copy: + content: "{{ matrix_appservice_discord_configuration|to_nice_yaml }}" + dest: "{{ matrix_appservice_discord_base_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "matrix_appservice_discord_enabled" + +- name: Ensure matrix-appservice-discord.service installed + template: + src: "{{ role_path }}/templates/ext/appservice-discord/systemd/matrix-appservice-discord.service.j2" + dest: "/etc/systemd/system/matrix-appservice-discord.service" + mode: 0644 + when: "matrix_appservice_discord_enabled" + +- stat: + path: "{{ matrix_appservice_discord_base_path }}/discord-registration.yaml" + register: appservice_discord_registration_file + +- name: Generate matrix-appservice-discord discord-registration.yaml if it doesn't exist + shell: /usr/bin/docker run --rm --name matrix-appservice-discord-gen -v {{ matrix_appservice_discord_base_path }}:/data:z {{ matrix_appservice_discord_docker_image }} node build/src/discordas.js -r -u "http://matrix-appservice-discord:9005" -c /data/config.yaml -f /data/discord-registration.yaml -l discord_bot + when: "matrix_appservice_discord_enabled and appservice_discord_registration_file.stat.exists == False" + +- set_fact: + matrix_synapse_app_service_config_file_appservice_discord: '{{ matrix_appservice_discord_base_path }}/discord-registration.yml' + +- set_fact: + matrix_synapse_container_additional_volumes: > + {{ matrix_synapse_container_additional_volumes }} + + + {{ [{'src': '{{ matrix_appservice_discord_base_path }}/discord-registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_appservice_discord }}', 'options': 'ro'}] }} + when: "matrix_appservice_discord_enabled" + +- set_fact: + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files }} + + + {{ ["{{ matrix_synapse_app_service_config_file_appservice_discord }}"] | to_nice_json }} + when: "matrix_appservice_discord_enabled" + +# +# Tasks related to getting rid of matrix-appservice-discord (if it was previously enabled) +# + +- name: Ensure matrix-appservice-discord.service doesn't exist + file: + path: "/etc/systemd/system/matrix-appservice-discord.service" + state: absent + when: "not matrix_appservice_discord_enabled" diff --git a/roles/matrix-synapse/tasks/ext/init.yml b/roles/matrix-synapse/tasks/ext/init.yml index 6023116f..aa19ef6e 100644 --- a/roles/matrix-synapse/tasks/ext/init.yml +++ b/roles/matrix-synapse/tasks/ext/init.yml @@ -5,3 +5,5 @@ - import_tasks: "{{ role_path }}/tasks/ext/mautrix-whatsapp/init.yml" - import_tasks: "{{ role_path }}/tasks/ext/appservice-irc/init.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/appservice-discord/init.yml" diff --git a/roles/matrix-synapse/tasks/ext/setup.yml b/roles/matrix-synapse/tasks/ext/setup.yml index 609269e7..fe113281 100644 --- a/roles/matrix-synapse/tasks/ext/setup.yml +++ b/roles/matrix-synapse/tasks/ext/setup.yml @@ -11,3 +11,5 @@ - import_tasks: "{{ role_path }}/tasks/ext/mautrix-whatsapp/setup.yml" - import_tasks: "{{ role_path }}/tasks/ext/appservice-irc/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/appservice-discord/setup.yml" diff --git a/roles/matrix-synapse/templates/ext/appservice-discord/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-synapse/templates/ext/appservice-discord/systemd/matrix-appservice-discord.service.j2 new file mode 100644 index 00000000..4d4b3f39 --- /dev/null +++ b/roles/matrix-synapse/templates/ext/appservice-discord/systemd/matrix-appservice-discord.service.j2 @@ -0,0 +1,29 @@ +[Unit] +Description=Matrix Appservice Discord server +After=docker.service +Requires=docker.service +Requires=matrix-synapse.service +After=matrix-synapse.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-appservice-discord +ExecStartPre=-/usr/bin/docker rm matrix-appservice-discord +ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \ + --log-driver=none \ + -e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \ + --network={{ matrix_docker_network }} \ + {% if matrix_appservice_discord_container_expose_client_server_api_port %} + -p 127.0.0.1:9005:9005 \ + {% endif %} + -v {{ matrix_appservice_discord_base_path }}:/data \ + {{ matrix_appservice_discord_docker_image }} + + +ExecStop=-/usr/bin/docker kill matrix-appservice-discord +ExecStop=-/usr/bin/docker rm matrix-appservice-discord +Restart=always +RestartSec=30 + + [Install] +WantedBy=multi-user.target From 4aeeb5cf316145d740862286d1e4b29dff74156b Mon Sep 17 00:00:00 2001 From: Lionstiger Date: Sun, 3 Mar 2019 19:33:16 +0100 Subject: [PATCH 0391/2384] Autogenerate Discord invite link Generates the link required to add the Bridge to a Discord server. --- .../matrix-synapse/tasks/ext/appservice-discord/setup.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml index 7d0ba359..baf4845c 100644 --- a/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml +++ b/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml @@ -40,6 +40,14 @@ - set_fact: matrix_synapse_app_service_config_file_appservice_discord: '{{ matrix_appservice_discord_base_path }}/discord-registration.yml' +- stat: + path: "{{ matrix_appservice_discord_base_path }}/invite_link" + register: appservice_discord_link_generated + +- name: Generate your discord invite link invite link + shell: /usr/bin/docker run --rm --name matrix-appservice-discord-link-gen -v {{ matrix_appservice_discord_base_path }}:/data -w /data {{ matrix_appservice_discord_docker_image }} /bin/sh -c "node .././build/tools/addbot.js > invite_link" + when: "matrix_appservice_discord_enabled and appservice_discord_link_generated.stat.exists == False" + - set_fact: matrix_synapse_container_additional_volumes: > {{ matrix_synapse_container_additional_volumes }} From faa16617da4b8b693d6aa249f758af9c3bce6f6d Mon Sep 17 00:00:00 2001 From: Lionstiger Date: Sun, 3 Mar 2019 19:34:30 +0100 Subject: [PATCH 0392/2384] add documentation --- ...figuring-playbook-bridge-appservice-discord.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index 2a7ad028..72cf7e0d 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -3,3 +3,18 @@ The playbook can install and configure [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) for you. See the project's [documentation](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/README.md) to learn what it does and why it might be useful to you. + +Setup Instructions: + +loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up) + +1. Create a Discord Application [here](https://discordapp.com/developers/applications/me/create). +2. Retrieve Client ID and Bot token from this Application. +3. Enable the bridge with "matrix_appservice_discord_enabled: true" in your vars.yml and provide id and token. +4. Rerun playbook with "setup-all" tag. Restart with tag "start" afterwards. +5. Retrieve Discord invitelink from {{ matrix_appservice_discord_base_path }}/invite_link (this defaults to /matrix/appservice-discord/invite_link) +6. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended. +7. Join the rooms by following this syntax "#_discord_guildid_channelid" + - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: discordapp.com/channels/guild_id/channel_id + +Other configuration options are available via the "matrix_appservice_discord_configuration_extension_yaml" variable. \ No newline at end of file From 7aadd8bbe977fbf2bb43e0d1378fd9b8c204529a Mon Sep 17 00:00:00 2001 From: Lionstiger Date: Sun, 3 Mar 2019 19:55:56 +0100 Subject: [PATCH 0393/2384] undo changed synapse version --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 1ef52de3..41038045 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.1.1-py3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.2-py3" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" From e54f3889663a53f0721e5760d3ee853230e0ac1b Mon Sep 17 00:00:00 2001 From: Lionstiger Date: Mon, 4 Mar 2019 14:16:30 +0100 Subject: [PATCH 0394/2384] removed /group_vars/matrix-servers as it not needed --- group_vars/matrix-servers | 352 -------------------------------------- 1 file changed, 352 deletions(-) delete mode 100644 group_vars/matrix-servers diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers deleted file mode 100644 index 8c98d611..00000000 --- a/group_vars/matrix-servers +++ /dev/null @@ -1,352 +0,0 @@ ---- - -# This variables file wires together the various components (roles) used by the playbook. -# -# Roles used by playbook are pretty minimal and kept independent of one another as much as possible. -# To deliver a turnkey fully-featured Matrix server, this playbook needs -# to connect them all together. It does so by overriding role variables. -# -# You can also override ANY variable (seen here or in any given role), -# by re-defining it in your own configuration file (`inventory/host_vars/matrix.`). - -###################################################################### -# -# matrix-appservice-irc -# -###################################################################### - -# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# matrix-appservice-irc's client-server port to the local host (`127.0.0.1:9999`). -matrix_appservice_irc_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" - - -###################################################################### -# -# matrix-appservice-discord -# -###################################################################### - -# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# matrix-appservice-discord's client-server port to the local host (`127.0.0.1:9005`). -matrix_appservice_discord_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" - -###################################################################### -# -# matrix-base -# -###################################################################### - -matrix_identity_server_url: "{{ 'https://' + matrix_synapse_trusted_third_party_id_servers[0] if matrix_synapse_trusted_third_party_id_servers|length > 0 else None }}" - - -###################################################################### -# -# /matrix-base -# -###################################################################### - - - -###################################################################### -# -# matrix-corporal -# -###################################################################### - -matrix_corporal_enabled: false - -# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`). -matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}" - -matrix_corporal_systemd_required_services_list: | - {{ - (['docker.service']) - + - (['matrix-synapse.service']) - }} - -matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008" - -matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" - -matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}" - -###################################################################### -# -# /matrix-corporal -# -###################################################################### - - - -###################################################################### -# -# matrix-coturn -# -###################################################################### - -matrix_coturn_enabled: true - -###################################################################### -# -# /matrix-coturn -# -###################################################################### - - - -###################################################################### -# -# matrix-mailer -# -###################################################################### - -# By default, this playbook sets up a postfix mailer server (running in a container). -# This is so that Synapse can send email reminders for unread messages. -# Other services (like mxisd), also use the mailer. -matrix_mailer_enabled: true - -###################################################################### -# -# /matrix-mailer -# -###################################################################### - - - -###################################################################### -# -# matrix-mxisd -# -###################################################################### - -# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`). -# If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. -matrix_mxisd_enabled: true - -# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# mxisd's web-server port to the local host (`127.0.0.1:8090`). -matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" - -# We enable Synapse integration via its Postgres database by default. -# When using another Identity store, you might wish to disable this and define -# your own configuration in `matrix_mxisd_configuration_extension_yaml`. -matrix_mxisd_synapsesql_enabled: true -matrix_mxisd_synapsesql_type: postgresql -matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password }} - -matrix_mxisd_dns_overwrite_enabled: true -matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_mxisd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" - -# By default, we send mail through the `matrix-mailer` service. -matrix_mxisd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" -matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" -matrix_mxisd_threepid_medium_email_connectors_smtp_port: 8025 -matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0 - -matrix_mxisd_systemd_wanted_services_list: | - {{ - (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) - + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) - + - (['matrix-mailer.service'] if matrix_mailer_enabled else []) - }} - -###################################################################### -# -# /matrix-mxisd -# -###################################################################### - - - -###################################################################### -# -# matrix-nginx-proxy -# -###################################################################### - -# By default, this playbook sets up a reverse-proxy nginx proxy server on TCP ports 80, 443 and 8448. -# This is fine if you're dedicating the whole server to Matrix. -# If that's not the case, you may wish to disable this and take care of proxying yourself. -matrix_nginx_proxy_enabled: true - -matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" -matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:8008' }}" -matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" - -matrix_nginx_proxy_proxy_matrix_enabled: true -matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}" - -matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" -matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" -matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" - -matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled }}" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" - -# By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. -matrix_nginx_proxy_proxy_matrix_federation_api_enabled: true -matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" -matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:8048" - -matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" -matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" -matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" - -matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_enabled }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" - -matrix_nginx_proxy_systemd_wanted_services_list: | - {{ - (['matrix-synapse.service']) - + - (['matrix-corporal.service'] if matrix_corporal_enabled else []) - + - (['matrix-mxisd.service'] if matrix_mxisd_enabled else []) - + - (['matrix-riot-web.service'] if matrix_riot_web_enabled else []) - }} - -matrix_ssl_domains_to_obtain_certificates_for: | - {{ - ([matrix_server_fqn_matrix]) - + - ([matrix_server_fqn_riot] if matrix_riot_web_enabled else []) - }} - -###################################################################### -# -# /matrix-nginx-proxy -# -###################################################################### - - - -###################################################################### -# -# matrix-postgres -# -###################################################################### - -matrix_postgres_enabled: true - -matrix_postgres_connection_hostname: "matrix-postgres" -matrix_postgres_connection_username: "synapse" -matrix_postgres_connection_password: "synapse-password" -matrix_postgres_db_name: "homeserver" - -###################################################################### -# -# /matrix-postgres -# -###################################################################### - - - -###################################################################### -# -# matrix-riot-web -# -###################################################################### - -# By default, this playbook installs the Riot.IM web UI on the `matrix_server_fqn_riot` domain. -# If you wish to connect to your Matrix server by other means, you may wish to disable this. -matrix_riot_web_enabled: true - -# Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# the riot-web HTTP port to the local host (`127.0.0.1:80`). -matrix_riot_web_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" - -matrix_riot_web_default_hs_url: "{{ matrix_homeserver_url }}" -matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}" - -###################################################################### -# -# /matrix-riot-web -# -###################################################################### - - - -###################################################################### -# -# matrix-synapse -# -###################################################################### - -# When mxisd is enabled, we can use it instead of the default public Identity servers. -matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" - -# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose its ports -# to the local host. -# -# For exposing the Matrix Client API's port (plain HTTP) to the local host (`127.0.0.1:8008`). -matrix_synapse_container_expose_client_api_port: "{{ not matrix_nginx_proxy_enabled }}" -# For exposing the Matrix Federation API's port (plain HTTP) to the local host (`127.0.0.1:8048`). -matrix_synapse_container_expose_federation_api_port: "{{ not matrix_nginx_proxy_enabled }}" - -matrix_synapse_container_expose_metrics_port: "{{ not matrix_nginx_proxy_enabled }}" - -matrix_synapse_database_host: "{{ matrix_postgres_connection_hostname }}" -matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}" -matrix_synapse_database_password: "{{ matrix_postgres_connection_password }}" -matrix_synapse_database_database: "{{ matrix_postgres_db_name }}" - -# We do not enable TLS in Synapse by default. -# TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. -matrix_synapse_tls_federation_listener_enabled: false -matrix_synapse_tls_certificate_path: ~ -matrix_synapse_tls_private_key_path: ~ - -matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" -matrix_synapse_email_smtp_host: "matrix-mailer" -matrix_synapse_email_smtp_port: 8025 -matrix_synapse_email_smtp_require_transport_security: false -matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>" -matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}" - -matrix_synapse_turn_uris: | - {{ - [ - 'turn:' + matrix_server_fqn_matrix + ':3478?transport=udp', - 'turn:' + matrix_server_fqn_matrix + ':3478?transport=tcp', - ] - if matrix_coturn_enabled - else [] - }} - -matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" - -matrix_synapse_systemd_required_services_list: | - {{ - (['docker.service']) - + - (['matrix-postgres.service'] if matrix_postgres_enabled else []) - + - (['matrix-goofys'] if matrix_s3_media_store_enabled else []) - }} - -matrix_synapse_systemd_wanted_services_list: | - {{ - (['matrix-coturn.service'] if matrix_coturn_enabled else []) - + - (['matrix-mailer.service'] if matrix_mailer_enabled else []) - }} - -###################################################################### -# -# /matrix-synapse -# -###################################################################### From b5ae0254fd4c8b24106ba9cb61a3fc2846923392 Mon Sep 17 00:00:00 2001 From: Lionstiger Date: Mon, 4 Mar 2019 14:41:58 +0100 Subject: [PATCH 0395/2384] used ` backticks instead of double quotes --- docs/configuring-playbook-bridge-appservice-discord.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index 72cf7e0d..ab47187e 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -10,11 +10,11 @@ loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#s 1. Create a Discord Application [here](https://discordapp.com/developers/applications/me/create). 2. Retrieve Client ID and Bot token from this Application. -3. Enable the bridge with "matrix_appservice_discord_enabled: true" in your vars.yml and provide id and token. +3. Enable the bridge with `matrix_appservice_discord_enabled: true` in your vars.yml and provide id and token. 4. Rerun playbook with "setup-all" tag. Restart with tag "start" afterwards. -5. Retrieve Discord invitelink from {{ matrix_appservice_discord_base_path }}/invite_link (this defaults to /matrix/appservice-discord/invite_link) +5. Retrieve Discord invitelink from `{{ matrix_appservice_discord_base_path }}/invite_link` (this defaults to `/matrix/appservice-discord/invite_link`) 6. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended. -7. Join the rooms by following this syntax "#_discord_guildid_channelid" +7. Join the rooms by following this syntax `#_discord_guildid_channelid` - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: discordapp.com/channels/guild_id/channel_id -Other configuration options are available via the "matrix_appservice_discord_configuration_extension_yaml" variable. \ No newline at end of file +Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable. \ No newline at end of file From 2d78c5f89d1e20f11e42ed4e6df44a1323b26ceb Mon Sep 17 00:00:00 2001 From: Lionstiger Date: Mon, 4 Mar 2019 14:42:20 +0100 Subject: [PATCH 0396/2384] made matrix_appservice_discord_client_id lowercase --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 41038045..919f3d6c 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -654,7 +654,7 @@ matrix_appservice_discord_docker_image: "halfshot/matrix-appservice-discord:late matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord" -matrix_appservice_discord_client_ID: "YOUR DISCORD APP CLIENT ID" +matrix_appservice_discord_client_id: "YOUR DISCORD APP CLIENT ID" matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN" matrix_appservice_discord_configuration_yaml: | @@ -662,7 +662,7 @@ matrix_appservice_discord_configuration_yaml: | domain: "{{ matrix_domain }}" homeserverUrl: "{{ matrix_homeserver_url }}" auth: - clientID: "{{matrix_appservice_discord_client_ID}}" + clientID: "{{matrix_appservice_discord_client_id}}" botToken: "{{matrix_appservice_discord_bot_token}}" database: filename: "/data/discord.db" From 278484656b75b70e3cac70fc432ffc6b3672ce7f Mon Sep 17 00:00:00 2001 From: Lionstiger Date: Mon, 4 Mar 2019 15:12:37 +0100 Subject: [PATCH 0397/2384] ensure systemd reloaded after bridge installation --- roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml index baf4845c..9efdd457 100644 --- a/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml +++ b/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml @@ -27,7 +27,13 @@ src: "{{ role_path }}/templates/ext/appservice-discord/systemd/matrix-appservice-discord.service.j2" dest: "/etc/systemd/system/matrix-appservice-discord.service" mode: 0644 + register: matrix_appservice_discord_systemd_service_result when: "matrix_appservice_discord_enabled" + +- name: Ensure systemd reloaded after matrix-appservice-discord.service installation + service: + daemon_reload: yes + when: "matrix_appservice_discord_enabled and matrix_appservice_discord_systemd_service_result.changed" - stat: path: "{{ matrix_appservice_discord_base_path }}/discord-registration.yaml" From c2834d222611db86ef9b3c1e4725ac07da0f35a3 Mon Sep 17 00:00:00 2001 From: Lionstiger Date: Mon, 4 Mar 2019 15:42:22 +0100 Subject: [PATCH 0398/2384] running as matrix user from the start --- .../systemd/matrix-appservice-discord.service.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-synapse/templates/ext/appservice-discord/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-synapse/templates/ext/appservice-discord/systemd/matrix-appservice-discord.service.j2 index 4d4b3f39..af91b185 100644 --- a/roles/matrix-synapse/templates/ext/appservice-discord/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-synapse/templates/ext/appservice-discord/systemd/matrix-appservice-discord.service.j2 @@ -11,7 +11,8 @@ ExecStartPre=-/usr/bin/docker kill matrix-appservice-discord ExecStartPre=-/usr/bin/docker rm matrix-appservice-discord ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \ --log-driver=none \ - -e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --network={{ matrix_docker_network }} \ {% if matrix_appservice_discord_container_expose_client_server_api_port %} -p 127.0.0.1:9005:9005 \ From 401d7560e95828c9925e3efd5f695909b251dd6b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Mar 2019 09:08:22 +0200 Subject: [PATCH 0399/2384] Make Discord bridging instructions more detailed It didn't mention `matrix_appservice_discord_client_id` and `matrix_appservice_discord_bot_token`, which makes it hard for beginners. Related to #105 (Github Pull Request). --- ...ring-playbook-bridge-appservice-discord.md | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index ab47187e..967a75cf 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -4,17 +4,23 @@ The playbook can install and configure [matrix-appservice-discord](https://githu See the project's [documentation](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/README.md) to learn what it does and why it might be useful to you. -Setup Instructions: +Setup Instructions: loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up) 1. Create a Discord Application [here](https://discordapp.com/developers/applications/me/create). 2. Retrieve Client ID and Bot token from this Application. -3. Enable the bridge with `matrix_appservice_discord_enabled: true` in your vars.yml and provide id and token. -4. Rerun playbook with "setup-all" tag. Restart with tag "start" afterwards. -5. Retrieve Discord invitelink from `{{ matrix_appservice_discord_base_path }}/invite_link` (this defaults to `/matrix/appservice-discord/invite_link`) +3. Enable the bridge with the following configuration in your `vars.yml` file: + +```yaml +matrix_appservice_discord_enabled: true +matrix_appservice_discord_client_id: "YOUR DISCORD APP CLIENT ID" +matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN" +``` + +4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. +5. Retrieve Discord invitelink from the `{{ matrix_appservice_discord_base_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/invite_link`) 6. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended. -7. Join the rooms by following this syntax `#_discord_guildid_channelid` - - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: discordapp.com/channels/guild_id/channel_id +7. Join the rooms by following this syntax `#_discord_guildid_channelid` - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: discordapp.com/channels/guild_id/channel_id -Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable. \ No newline at end of file +Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable. From a310a018183601930535991336a78ee780e54f7c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Mar 2019 09:10:15 +0200 Subject: [PATCH 0400/2384] Use non-root and no-capability containers during Discord setup Related to #105 (Github Pull Request). --- .../tasks/ext/appservice-discord/setup.yml | 36 ++++++++++++++----- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml index 9efdd457..13413948 100644 --- a/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml +++ b/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml @@ -29,30 +29,50 @@ mode: 0644 register: matrix_appservice_discord_systemd_service_result when: "matrix_appservice_discord_enabled" - + - name: Ensure systemd reloaded after matrix-appservice-discord.service installation service: daemon_reload: yes when: "matrix_appservice_discord_enabled and matrix_appservice_discord_systemd_service_result.changed" -- stat: +- name: Check if a matrix-appservice-discord registration file exists + stat: path: "{{ matrix_appservice_discord_base_path }}/discord-registration.yaml" register: appservice_discord_registration_file - name: Generate matrix-appservice-discord discord-registration.yaml if it doesn't exist - shell: /usr/bin/docker run --rm --name matrix-appservice-discord-gen -v {{ matrix_appservice_discord_base_path }}:/data:z {{ matrix_appservice_discord_docker_image }} node build/src/discordas.js -r -u "http://matrix-appservice-discord:9005" -c /data/config.yaml -f /data/discord-registration.yaml -l discord_bot - when: "matrix_appservice_discord_enabled and appservice_discord_registration_file.stat.exists == False" + shell: >- + /usr/bin/docker run --rm --name matrix-appservice-discord-gen + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + -v {{ matrix_appservice_discord_base_path }}:/data:z + {{ matrix_appservice_discord_docker_image }} + node build/src/discordas.js + -r + -u "http://matrix-appservice-discord:9005" + -c /data/config.yaml + -f /data/discord-registration.yaml + -l discord_bot + when: "matrix_appservice_discord_enabled and not appservice_discord_registration_file.stat.exists" - set_fact: matrix_synapse_app_service_config_file_appservice_discord: '{{ matrix_appservice_discord_base_path }}/discord-registration.yml' -- stat: +- name: Check if a matrix-appservice-discord invite_link file exists + stat: path: "{{ matrix_appservice_discord_base_path }}/invite_link" register: appservice_discord_link_generated -- name: Generate your discord invite link invite link - shell: /usr/bin/docker run --rm --name matrix-appservice-discord-link-gen -v {{ matrix_appservice_discord_base_path }}:/data -w /data {{ matrix_appservice_discord_docker_image }} /bin/sh -c "node .././build/tools/addbot.js > invite_link" - when: "matrix_appservice_discord_enabled and appservice_discord_link_generated.stat.exists == False" +- name: Generate your discord invite link + shell: >- + /usr/bin/docker run --rm --name matrix-appservice-discord-link-gen + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + -v {{ matrix_appservice_discord_base_path }}:/data + -w /data + {{ matrix_appservice_discord_docker_image }} + /bin/sh -c "node .././build/tools/addbot.js > invite_link" + when: "matrix_appservice_discord_enabled and not appservice_discord_link_generated.stat.exists" - set_fact: matrix_synapse_container_additional_volumes: > From 85c5adfd693550f6d73caddd359aea65281a53b8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Mar 2019 09:20:36 +0200 Subject: [PATCH 0401/2384] Minor consistency improvements --- .../tasks/ext/appservice-discord/setup.yml | 2 +- .../tasks/ext/appservice-irc/setup.yml | 21 ++++++++++++++----- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml index 13413948..8c4a84cb 100644 --- a/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml +++ b/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml @@ -1,7 +1,7 @@ --- - name: Ensure Appservice Discord image is pulled docker_image: - name: "{{ matrix_appservice_discord_docker_image }}" + name: "{{ matrix_appservice_discord_docker_image }}" when: "matrix_appservice_discord_enabled" - name: Ensure Appservice Discord configuration path exists diff --git a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml index 7a18e044..773efea6 100644 --- a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml +++ b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml @@ -22,13 +22,14 @@ group: "{{ matrix_user_username }}" when: "matrix_appservice_irc_enabled" -- stat: +- name: Check if matrix-appservice-irc passkey exists + stat: path: "{{ matrix_appservice_irc_base_path }}/passkey.pem" register: irc_passkey_file - name: Generate matrix-appservice-irc passkey if it doesn't exist shell: /usr/bin/openssl genpkey -out {{ matrix_appservice_irc_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 - when: "matrix_appservice_irc_enabled and irc_passkey_file.stat.exists == False" + when: "matrix_appservice_irc_enabled and not irc_passkey_file.stat.exists" - name: Ensure matrix-appservice-irc.service installed template: @@ -43,13 +44,23 @@ daemon_reload: yes when: "matrix_appservice_irc_enabled and matrix_appservice_irc_systemd_service_result.changed" -- stat: +- name: Check if a matrix-appservice-irc registration file exists + stat: path: "{{ matrix_appservice_irc_base_path }}/registration.yaml" register: appservice_irc_registration_file - name: Generate matrix-appservice-irc registration.yaml if it doesn't exist - shell: /usr/bin/docker run --rm --name matrix-appservice-irc-gen -v {{ matrix_appservice_irc_base_path }}:/data:z {{ matrix_appservice_irc_docker_image }} node app.js -r -f /data/registration.yaml -u "http://matrix-appservice-irc:9999" -c /data/config.yaml -l irc_bot - when: "matrix_appservice_irc_enabled and appservice_irc_registration_file.stat.exists == False" + shell: >- + /usr/bin/docker run --rm --name matrix-appservice-irc-gen + -v {{ matrix_appservice_irc_base_path }}:/data:z + {{ matrix_appservice_irc_docker_image }} + node app.js + -r + -f /data/registration.yaml + -u "http://matrix-appservice-irc:9999" + -c /data/config.yaml + -l irc_bot + when: "matrix_appservice_irc_enabled and not appservice_irc_registration_file.stat.exists" - set_fact: matrix_synapse_app_service_config_file_appservice_irc: '/app-registration/appservice-irc.yml' From 08aa6763389ddc28e26ee3010c91b3c8cee9571a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Mar 2019 09:23:01 +0200 Subject: [PATCH 0402/2384] Update changelog Related to #105 (Github Pull Request). --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 134dba8c..2612f960 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +# 2019-03-05 + +## Discord bridging support + +[@Lionstiger](https://github.com/Lionstiger) has done some great work adding Discord bridging support via [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord). +To learn more, see the [Setting up Appservice Discord bridging](docs/configuring-playbook-bridge-appservice-discord.md) documentation page. + + # 2019-02-19 ## Renaming variables From 22d72f5e6f19af021b4e99ff62935654c6e3dfa6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Mar 2019 11:31:20 +0200 Subject: [PATCH 0403/2384] Fix incorrectly located file Related to #105 (Github Pull Request). --- matrix-servers => group_vars/matrix-servers | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename matrix-servers => group_vars/matrix-servers (100%) diff --git a/matrix-servers b/group_vars/matrix-servers similarity index 100% rename from matrix-servers rename to group_vars/matrix-servers From aae87570272d1582037aced7f467782add1b37f9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 Mar 2019 19:59:40 +0200 Subject: [PATCH 0404/2384] Update coturn (4.5.1.0 -> 4.5.1.1) --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 9f21281b..df1cc20b 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -1,6 +1,6 @@ matrix_coturn_enabled: true -matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.0" +matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1" matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" From 9735a2f600b4c942343e5521c0bc1c3499a7ee3d Mon Sep 17 00:00:00 2001 From: Edgars Voroboks Date: Thu, 7 Mar 2019 07:22:08 +0200 Subject: [PATCH 0405/2384] Implement self-hosted Dimension server --- group_vars/matrix-servers | 3 + roles/matrix-base/defaults/main.yml | 3 + roles/matrix-dimension/defaults/main.yml | 16 ++++ roles/matrix-dimension/tasks/init.yml | 3 + roles/matrix-dimension/tasks/main.yml | 9 +++ .../tasks/setup_dimension.yml | 79 ++++++++++++++++++ .../matrix-dimension/templates/config.yaml.j2 | 80 +++++++++++++++++++ .../systemd/matrix-dimension.service.j2 | 23 ++++++ roles/matrix-nginx-proxy/defaults/main.yml | 4 + .../tasks/setup_nginx_proxy.yml | 13 +++ .../nginx/conf.d/matrix-dimension.conf.j2 | 56 +++++++++++++ setup.yml | 1 + 12 files changed, 290 insertions(+) mode change 100644 => 100755 group_vars/matrix-servers mode change 100644 => 100755 roles/matrix-base/defaults/main.yml create mode 100755 roles/matrix-dimension/defaults/main.yml create mode 100755 roles/matrix-dimension/tasks/init.yml create mode 100755 roles/matrix-dimension/tasks/main.yml create mode 100755 roles/matrix-dimension/tasks/setup_dimension.yml create mode 100755 roles/matrix-dimension/templates/config.yaml.j2 create mode 100755 roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 mode change 100644 => 100755 roles/matrix-nginx-proxy/defaults/main.yml mode change 100644 => 100755 roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml create mode 100755 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 mode change 100644 => 100755 setup.yml diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers old mode 100644 new mode 100755 index e3337bf2..9e685b98 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -184,6 +184,7 @@ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}" +matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" @@ -222,6 +223,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | ([matrix_server_fqn_matrix]) + ([matrix_server_fqn_riot] if matrix_riot_web_enabled else []) + + + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) }} ###################################################################### diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml old mode 100644 new mode 100755 index 25122173..86369408 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -15,6 +15,9 @@ matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" # This and the Matrix FQN (see above) are expected to be on the same server. matrix_server_fqn_riot: "riot.{{ matrix_domain }}" +# This is where you access the Dimension. +matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" + matrix_user_username: "matrix" matrix_user_uid: 991 matrix_user_gid: 991 diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml new file mode 100755 index 00000000..5c1459d3 --- /dev/null +++ b/roles/matrix-dimension/defaults/main.yml @@ -0,0 +1,16 @@ +matrix_dimension_enabled: false + +# For information on how to acquire an access token, visit https://t2bot.io/docs/access_tokens +matrix_dimension_access_token: CHANGEME + +# Users in form: ['@user1:domain.com', '@user2:domain.com'] +matrix_dimension_admin: [] + +matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" + +matrix_dimension_docker_image: "turt2live/matrix-dimension:latest" + +matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/riot" +matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar" +matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] +matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi" diff --git a/roles/matrix-dimension/tasks/init.yml b/roles/matrix-dimension/tasks/init.yml new file mode 100755 index 00000000..3e98de9d --- /dev/null +++ b/roles/matrix-dimension/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dimension'] }}" + when: "matrix_dimension_enabled" \ No newline at end of file diff --git a/roles/matrix-dimension/tasks/main.yml b/roles/matrix-dimension/tasks/main.yml new file mode 100755 index 00000000..4aa0d081 --- /dev/null +++ b/roles/matrix-dimension/tasks/main.yml @@ -0,0 +1,9 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_dimension.yml" + when: run_setup + tags: + - setup-all + - setup-dimension \ No newline at end of file diff --git a/roles/matrix-dimension/tasks/setup_dimension.yml b/roles/matrix-dimension/tasks/setup_dimension.yml new file mode 100755 index 00000000..83d01dda --- /dev/null +++ b/roles/matrix-dimension/tasks/setup_dimension.yml @@ -0,0 +1,79 @@ +--- + +# +# Tasks related to setting up the dimension +# + +- name: Ensure dimension base path exists + file: + path: "{{ matrix_dimension_base_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: matrix_dimension_enabled + +- name: Ensure dimension environment variables file created + template: + src: "{{ role_path }}/templates/config.yaml.j2" + dest: "{{ matrix_dimension_base_path }}/config.yaml" + mode: 0644 + when: matrix_dimension_enabled + +- name: Ensure dimension image is pulled + docker_image: + name: "{{ matrix_dimension_docker_image }}" + when: matrix_dimension_enabled + +- name: Ensure matrix-dimension.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-dimension.service.j2" + dest: "/etc/systemd/system/matrix-dimension.service" + mode: 0644 + register: matrix_dimension_systemd_service_result + when: matrix_dimension_enabled + +- name: Ensure systemd reloaded after matrix-dimension.service installation + service: + daemon_reload: yes + when: "matrix_dimension_enabled and matrix_dimension_systemd_service_result.changed" + +# +# Tasks related to getting rid of the dimension (if it was previously enabled) +# + +- name: Check existence of matrix-dimension service + stat: + path: "/etc/systemd/system/matrix-dimension.service" + register: matrix_dimension_service_stat + +- name: Ensure matrix-dimension is stopped + service: + name: matrix-dimension + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_dimension_enabled and matrix_dimension_service_stat.stat.exists" + +- name: Ensure matrix-dimension.service doesn't exist + file: + path: "/etc/systemd/system/matrix-dimension.service" + state: absent + when: "not matrix_dimension_enabled and matrix_dimension_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-dimension.service removal + service: + daemon_reload: yes + when: "not matrix_dimension_enabled and matrix_dimension_service_stat.stat.exists" + +- name: Ensure Matrix dimension environment variables path doesn't exist + file: + path: "{{ matrix_dimension_base_path }}" + state: absent + when: "not matrix_dimension_enabled" + +- name: Ensure dimension Docker image doesn't exist + docker_image: + name: "{{ matrix_dimension_docker_image }}" + state: absent + when: "not matrix_dimension_enabled" diff --git a/roles/matrix-dimension/templates/config.yaml.j2 b/roles/matrix-dimension/templates/config.yaml.j2 new file mode 100755 index 00000000..887ecf68 --- /dev/null +++ b/roles/matrix-dimension/templates/config.yaml.j2 @@ -0,0 +1,80 @@ +# The web settings for the service (API and UI). +# It is best to have this run on localhost and use a reverse proxy to access Dimension. +web: + port: 8184 + address: '0.0.0.0' + +# Homeserver configuration +homeserver: + # The domain name of the homeserver. This is used in many places, such as with go-neb + # setups, to identify the homeserver. + name: "{{ matrix_domain }}" + + # The URL that Dimension, go-neb, and other services provisioned by Dimension should + # use to access the homeserver with. + clientServerUrl: "https://{{ matrix_domain }}" + + # The URL that Dimension should use when trying to communicate with federated APIs on + # the homeserver. If not supplied or left empty Dimension will try to resolve the address + # through the normal federation process. + #federationUrl: "https://t2bot.io:8448" + + # The URL that Dimension will redirect media requests to for downloading media such as + # stickers. If not supplied or left empty Dimension will use the clientServerUrl. + #mediaUrl: "https://t2bot.io" + + # The access token Dimension should use for miscellaneous access to the homeserver. This + # should be for a user on the configured homeserver: any user will do, however it is + # recommended to use a dedicated user (such as @dimension:t2bot.io). For information on + # how to acquire an access token, visit https://t2bot.io/docs/access_tokens + accessToken: "{{ matrix_dimension_access_token }}" + +# These users can modify the integrations this Dimension supports. +# To access the admin interface, open Dimension in Riot and click the settings icon. +admins: {{ matrix_dimension_admin }} + +# IPs and CIDR ranges listed here will be blocked from being widgets. +# Note: Widgets may still be embedded with restricted content, although not through Dimension directly. +widgetBlacklist: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 127.0.0.0/8 + +# Where the database for Dimension is +database: + file: "dimension.db" + +# Display settings that apply to self-hosted go-neb instances +goneb: + # The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver + # is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot, + # make the bot's avatar an empty string. + avatars: + giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27" + imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513" + github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1" + wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1" + travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8" + rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3" + google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142" + guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526" + echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13" + circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee" + jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329" + +# Settings for interacting with Telegram. Currently only applies for importing +# sticker packs from Telegram. +telegram: + # Talk to @BotFather on Telegram to get a token + botToken: "YourTokenHere" + +# Settings for controlling how logging works +logging: + file: logs/dimension.log + console: true + consoleLevel: info + fileLevel: verbose + rotate: + size: 52428800 # bytes, default is 50mb + count: 5 diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 new file mode 100755 index 00000000..04c70d7d --- /dev/null +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -0,0 +1,23 @@ +[Unit] +Description=Matrix Dimension +After=docker.service +Requires=docker.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-dimension +ExecStartPre=-/usr/bin/docker rm matrix-dimension +ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ + --log-driver=none \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -p 127.0.0.1:8184:8184 \ + -v {{ matrix_dimension_base_path }}:/data:rw \ + {{ matrix_dimension_docker_image }} +ExecStop=-/usr/bin/docker kill matrix-dimension +ExecStop=-/usr/bin/docker rm matrix-dimension +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml old mode 100644 new mode 100755 index 0910dbc8..4ecd92cf --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -28,6 +28,10 @@ matrix_nginx_proxy_proxy_riot_hostname: "{{ matrix_server_fqn_riot }}" matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" +# Controls whether proxying the dimension domain should be done. +matrix_nginx_proxy_proxy_dimension_enabled: false +matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" + # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml old mode 100644 new mode 100755 index b6aacab2..267d2133 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -66,6 +66,13 @@ mode: 0644 when: "matrix_nginx_proxy_proxy_riot_enabled" +- name: Ensure Matrix nginx-proxy configuration for dimension domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" + mode: 0644 + when: "matrix_nginx_proxy_proxy_dimension_enabled" + # # Tasks related to setting up matrix-nginx-proxy # @@ -139,6 +146,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_riot_enabled" +- name: Ensure Matrix nginx-proxy configuration for dimension domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_dimension_enabled" + - name: Ensure Matrix nginx-proxy configuration for main config override deleted file: path: "{{ matrix_nginx_proxy_data_path }}/nginx.conf" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 new file mode 100755 index 00000000..1886496b --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -0,0 +1,56 @@ +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; + + server_tokens off; + + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } +} + +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; + + server_tokens off; + root /dev/null; + + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + ssl_prefer_server_ciphers on; + ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-dimension:8184"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8184; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +} diff --git a/setup.yml b/setup.yml old mode 100644 new mode 100755 index a15d6063..3db1e5ca --- a/setup.yml +++ b/setup.yml @@ -12,5 +12,6 @@ - matrix-synapse - matrix-riot-web - matrix-mxisd + - matrix-dimension - matrix-nginx-proxy - matrix-common-after From 0cd8b99b003885fae21b8c4208ef48076fe69d12 Mon Sep 17 00:00:00 2001 From: Sylvia van Os Date: Thu, 7 Mar 2019 13:16:48 +0100 Subject: [PATCH 0406/2384] Add support for custom MXISD templates --- roles/matrix-mxisd/defaults/main.yml | 31 ++++++++++++++++++++++++ roles/matrix-mxisd/tasks/setup_mxisd.yml | 14 +++++++++++ 2 files changed, 45 insertions(+) diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index 13866bd1..d0146ff3 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -43,6 +43,16 @@ matrix_mxisd_dns_overwrite_enabled: false matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" matrix_mxisd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" +# Override the default email templates +# More info: +# https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/notification/template-generator.md +# https://github.com/kamax-matrix/mxisd/tree/master/src/main/resources/threepids/email +matrix_mxisd_threepid_medium_email_custom_templates_enabled: false +matrix_mxisd_threepid_medium_email_custom_invite_template: "" +matrix_mxisd_threepid_medium_email_custom_session_validation_template: "" +matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template: "" +matrix_mxisd_threepid_medium_email_custom_matrixid_template: "" + # Default mxisd configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -89,6 +99,27 @@ matrix_mxisd_configuration_yaml: | tls: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_tls }} login: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_login }} password: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_password }} + {% if matrix_mxisd_threepid_medium_email_custom_templates_enabled %} + generators: + template: + {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} + invite: '/var/mxisd/invite-template.eml' + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} + session: + {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} + validation: '/var/mxisd/validate-template.eml' + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} + unbind: + frandulent: '/var/mxisd/unbind-fraudulent.eml' + {% endif %} + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} + generic: + matrixId: '/var/mxisd/mxid-template.eml' + {% endif %} + {% endif %} synapseSql: enabled: {{ matrix_mxisd_synapsesql_enabled }} diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml index e10d79f6..e5b950de 100644 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ b/roles/matrix-mxisd/tasks/setup_mxisd.yml @@ -30,6 +30,20 @@ group: "{{ matrix_user_username }}" when: matrix_mxisd_enabled +- name: Ensure custom templates are installed if any + copy: + content: "{{ item.value }}" + dest: "{{ matrix_mxisd_data_path }}/{{ item.location }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - {value: "{{ matrix_mxisd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} + - {value: "{{ matrix_mxisd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} + - {value: "{{ matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'} + - {value: "{{ matrix_mxisd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} + when: matrix_mxisd_enabled and matrix_mxisd_threepid_medium_email_custom_templates_enabled and item.value + - name: Ensure matrix-mxisd.service installed template: src: "{{ role_path }}/templates/systemd/matrix-mxisd.service.j2" From f297ff506b101686e08aac0f1cc5be57887a33da Mon Sep 17 00:00:00 2001 From: Sylvia van Os Date: Thu, 7 Mar 2019 13:34:07 +0100 Subject: [PATCH 0407/2384] Explain how to set the template variables --- roles/matrix-mxisd/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index d0146ff3..b4712830 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -44,6 +44,8 @@ matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix matrix_mxisd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" # Override the default email templates +# To use this, fill in the template variables with the full desired template as a multi-line YAML variable +# # More info: # https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/notification/template-generator.md # https://github.com/kamax-matrix/mxisd/tree/master/src/main/resources/threepids/email From 8cc420da15b734eff0c6260b6b2d244eb5c3841a Mon Sep 17 00:00:00 2001 From: Sylvia van Os Date: Thu, 7 Mar 2019 13:53:33 +0100 Subject: [PATCH 0408/2384] Upgrade riot-web to v1.0.3 --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 3bf9844c..bec25468 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,6 +1,6 @@ matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "bubuntux/riot-web:v1.0.1" +matrix_riot_web_docker_image: "bubuntux/riot-web:v1.0.3" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 17e86ba8178eccbd9cf88b0ae67b7ad944e15c37 Mon Sep 17 00:00:00 2001 From: paulbdavis Date: Thu, 7 Mar 2019 12:45:58 -0700 Subject: [PATCH 0409/2384] implement requested changes --- roles/matrix-synapse/defaults/main.yml | 2 +- .../systemd/matrix-mautrix-telegram.service.j2 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 1073c2e1..f3acef66 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -210,7 +210,7 @@ matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH # Use an uuid so it's not easily discoverable matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}" # Set this to a port number to expose on the host when not using the nginx proxy -matrix_mautrix_telegram_container_expose_port: false +matrix_mautrix_telegram_container_exposed_port_number: ~ # Matrix mautrix is a Matrix <-> Whatsapp bridge # Enable whatsapp bridge diff --git a/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 index d46cbc50..54d0d84f 100644 --- a/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-synapse/templates/ext/mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 @@ -21,8 +21,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ - {% if matrix_mautrix_telegram_container_expose_port %} - -p 127.0.0.1:{{ matrix_mautrix_telegram_container_expose_port }}:8080 \ + {% if matrix_mautrix_telegram_container_exposed_port_number is not none %} + -p 127.0.0.1:{{ matrix_mautrix_telegram_container_exposed_port_number }}:8080 \ {% endif %} -v {{ matrix_mautrix_telegram_base_path }}:/data:z \ {{ matrix_mautrix_telegram_docker_image }} \ From 93992f7756f1b186e35fe18bdfc932eb0764ec8c Mon Sep 17 00:00:00 2001 From: Sylvia van Os Date: Fri, 8 Mar 2019 10:50:51 +0100 Subject: [PATCH 0410/2384] Fix indenting of generators value --- roles/matrix-mxisd/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index b4712830..b28c20f6 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -101,7 +101,7 @@ matrix_mxisd_configuration_yaml: | tls: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_tls }} login: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_login }} password: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_password }} - {% if matrix_mxisd_threepid_medium_email_custom_templates_enabled %} + {% if matrix_mxisd_threepid_medium_email_custom_templates_enabled %} generators: template: {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} @@ -121,7 +121,7 @@ matrix_mxisd_configuration_yaml: | generic: matrixId: '/var/mxisd/mxid-template.eml' {% endif %} - {% endif %} + {% endif %} synapseSql: enabled: {{ matrix_mxisd_synapsesql_enabled }} From ae7e17e64ada3c1a33be5858e76d3dd746cd0e05 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Mar 2019 12:06:50 +0200 Subject: [PATCH 0411/2384] Add information about mxisd email template customization Related to #108 (Github Pull Request). --- CHANGELOG.md | 8 ++++++++ docs/configuring-playbook-mxisd.md | 8 +++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2612f960..cb732599 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +# 2019-03-07 + +## Ability to customize mxisd's email templates + +Thanks to [Sylvia van Os](https://github.com/TheLastProject), mxisd's email templates can now be customized easily. +To learn more, see the [Customizing email templates](docs/configuring-playbook-mxisd.md#customizing-email-templates) documentation page. + + # 2019-03-05 ## Discord bridging support diff --git a/docs/configuring-playbook-mxisd.md b/docs/configuring-playbook-mxisd.md index 70b6410c..06ce4437 100644 --- a/docs/configuring-playbook-mxisd.md +++ b/docs/configuring-playbook-mxisd.md @@ -18,6 +18,12 @@ matrix_mxisd_matrixorg_forwarding_enabled: true ``` +## Customizing email templates + +If you'd like to change the default email templates used by mxisd, take a look at the `matrix_mxisd_threepid_medium_email_custom_` variables +(in the `roles/matrix-mxisd/defaults/main.yml` file. + + ## Additional features What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services. @@ -34,4 +40,4 @@ To learn more about how to do this, refer to the information about `matrix_mxisd ## Troubleshooting -If email address validation emails sent by mxisd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md). \ No newline at end of file +If email address validation emails sent by mxisd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md). From 390ec8a59917933724f70c0ffe88c2c1bcf4e01f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Mar 2019 12:14:54 +0200 Subject: [PATCH 0412/2384] Skip some tasks when not necessary to run them --- roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml | 3 +++ roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml | 3 +++ roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml | 3 +++ roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml | 3 +++ 4 files changed, 12 insertions(+) diff --git a/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml index 8c4a84cb..9589477a 100644 --- a/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml +++ b/roles/matrix-synapse/tasks/ext/appservice-discord/setup.yml @@ -39,6 +39,7 @@ stat: path: "{{ matrix_appservice_discord_base_path }}/discord-registration.yaml" register: appservice_discord_registration_file + when: "matrix_appservice_discord_enabled" - name: Generate matrix-appservice-discord discord-registration.yaml if it doesn't exist shell: >- @@ -57,11 +58,13 @@ - set_fact: matrix_synapse_app_service_config_file_appservice_discord: '{{ matrix_appservice_discord_base_path }}/discord-registration.yml' + when: "matrix_appservice_discord_enabled" - name: Check if a matrix-appservice-discord invite_link file exists stat: path: "{{ matrix_appservice_discord_base_path }}/invite_link" register: appservice_discord_link_generated + when: "matrix_appservice_discord_enabled" - name: Generate your discord invite link shell: >- diff --git a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml index 773efea6..9f79c383 100644 --- a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml +++ b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml @@ -26,6 +26,7 @@ stat: path: "{{ matrix_appservice_irc_base_path }}/passkey.pem" register: irc_passkey_file + when: "matrix_appservice_irc_enabled" - name: Generate matrix-appservice-irc passkey if it doesn't exist shell: /usr/bin/openssl genpkey -out {{ matrix_appservice_irc_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 @@ -48,6 +49,7 @@ stat: path: "{{ matrix_appservice_irc_base_path }}/registration.yaml" register: appservice_irc_registration_file + when: "matrix_appservice_irc_enabled" - name: Generate matrix-appservice-irc registration.yaml if it doesn't exist shell: >- @@ -64,6 +66,7 @@ - set_fact: matrix_synapse_app_service_config_file_appservice_irc: '/app-registration/appservice-irc.yml' + when: "matrix_appservice_irc_enabled" - set_fact: matrix_synapse_container_additional_volumes: > diff --git a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml index 8c2c3cd5..02487ddb 100644 --- a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml @@ -18,6 +18,7 @@ stat: path: "{{ matrix_mautrix_telegram_base_path }}/config.yaml" register: mautrix_telegram_config_file_stat + when: "matrix_mautrix_telegram_enabled" - name: Ensure Matrix Mautrix telegram config installed template: @@ -56,6 +57,7 @@ stat: path: "{{ matrix_mautrix_telegram_base_path }}/registration.yaml" register: mautrix_telegram_registration_file_stat + when: "matrix_mautrix_telegram_enabled" - name: Generate matrix-mautrix-telegram registration.yaml if it doesn't exist shell: @@ -72,6 +74,7 @@ - set_fact: matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml' + when: "matrix_mautrix_telegram_enabled" - set_fact: matrix_synapse_container_additional_volumes: > diff --git a/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml index 5c0bc033..065ca673 100644 --- a/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml @@ -18,6 +18,7 @@ stat: path: "{{ matrix_mautrix_whatsapp_base_path }}/config.yaml" register: mautrix_whatsapp_config_file_stat + when: "matrix_mautrix_whatsapp_enabled" - name: Ensure Matrix Mautrix whatsapp config installed template: @@ -45,6 +46,7 @@ stat: path: "{{ matrix_mautrix_whatsapp_base_path }}/registration.yaml" register: mautrix_whatsapp_registration_file_stat + when: "matrix_mautrix_whatsapp_enabled" - name: Generate matrix-mautrix-whatsapp registration.yaml if it doesn't exist shell: @@ -61,6 +63,7 @@ - set_fact: matrix_synapse_app_service_config_file_mautrix_whatsapp: '/app-registration/mautrix-whatsapp.yml' + when: "matrix_mautrix_whatsapp_enabled" - set_fact: matrix_synapse_container_additional_volumes: > From 1eb78ca93e328ab1f242796bb9d77106a8d6d8d0 Mon Sep 17 00:00:00 2001 From: Edgars Voroboks Date: Fri, 8 Mar 2019 15:00:53 +0200 Subject: [PATCH 0413/2384] Add additional changes for Dimension to work --- group_vars/matrix-servers | 21 +++++++++++++++++++ roles/matrix-dimension/defaults/main.yml | 11 ++++++++-- roles/matrix-dimension/tasks/main.yml | 6 ++++++ .../tasks/setup_dimension.yml | 9 +++++--- .../tasks/validate_config.yml | 7 +++++++ .../matrix-dimension/templates/config.yaml.j2 | 2 +- .../systemd/matrix-dimension.service.j2 | 3 +++ 7 files changed, 53 insertions(+), 6 deletions(-) create mode 100644 roles/matrix-dimension/tasks/validate_config.yml diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 9e685b98..773150ce 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -99,6 +99,27 @@ matrix_coturn_enabled: true +###################################################################### +# +# matrix-dimension +# +###################################################################### + +matrix_dimension_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the Dimension HTTP port to the local host (`127.0.0.1:8184`). +matrix_dimension_container_expose_port: {{ not matrix_nginx_proxy_enabled }} + +###################################################################### +# +# /matrix-dimension +# +###################################################################### + + + ###################################################################### # # matrix-mailer diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 5c1459d3..6b0bf87f 100755 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -1,15 +1,22 @@ matrix_dimension_enabled: false +# You are required to specify an access token for Dimension to work. # For information on how to acquire an access token, visit https://t2bot.io/docs/access_tokens -matrix_dimension_access_token: CHANGEME +matrix_dimension_access_token: "" # Users in form: ['@user1:domain.com', '@user2:domain.com'] -matrix_dimension_admin: [] +matrix_dimension_admins: [] matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" matrix_dimension_docker_image: "turt2live/matrix-dimension:latest" +# The user and group id correspond to the node user in the `turt2live/matrix-dimension` image. +matrix_dimension_user_uid: 1000 +matrix_dimension_user_gid: 1000 + +matrix_dimension_container_expose_port: false + matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/riot" matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar" matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] diff --git a/roles/matrix-dimension/tasks/main.yml b/roles/matrix-dimension/tasks/main.yml index 4aa0d081..dd3bfc51 100755 --- a/roles/matrix-dimension/tasks/main.yml +++ b/roles/matrix-dimension/tasks/main.yml @@ -2,6 +2,12 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup + tags: + - setup-all + - setup-dimension + - import_tasks: "{{ role_path }}/tasks/setup_dimension.yml" when: run_setup tags: diff --git a/roles/matrix-dimension/tasks/setup_dimension.yml b/roles/matrix-dimension/tasks/setup_dimension.yml index 83d01dda..30ed5a83 100755 --- a/roles/matrix-dimension/tasks/setup_dimension.yml +++ b/roles/matrix-dimension/tasks/setup_dimension.yml @@ -8,16 +8,18 @@ file: path: "{{ matrix_dimension_base_path }}" state: directory - mode: 0750 + mode: 0770 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_dimension_user_gid }}" when: matrix_dimension_enabled - name: Ensure dimension environment variables file created template: src: "{{ role_path }}/templates/config.yaml.j2" dest: "{{ matrix_dimension_base_path }}/config.yaml" - mode: 0644 + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_dimension_user_gid }}" when: matrix_dimension_enabled - name: Ensure dimension image is pulled @@ -46,6 +48,7 @@ stat: path: "/etc/systemd/system/matrix-dimension.service" register: matrix_dimension_service_stat + when: not matrix_dimension_enabled - name: Ensure matrix-dimension is stopped service: diff --git a/roles/matrix-dimension/tasks/validate_config.yml b/roles/matrix-dimension/tasks/validate_config.yml new file mode 100644 index 00000000..f5960142 --- /dev/null +++ b/roles/matrix-dimension/tasks/validate_config.yml @@ -0,0 +1,7 @@ +- name: Fail if required Dimension settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using Dimension. + with_items: + - "matrix_dimension_access_token" + when: "matrix_dimension_enabled and vars[item] == ''" diff --git a/roles/matrix-dimension/templates/config.yaml.j2 b/roles/matrix-dimension/templates/config.yaml.j2 index 887ecf68..4eb2ae93 100755 --- a/roles/matrix-dimension/templates/config.yaml.j2 +++ b/roles/matrix-dimension/templates/config.yaml.j2 @@ -12,7 +12,7 @@ homeserver: # The URL that Dimension, go-neb, and other services provisioned by Dimension should # use to access the homeserver with. - clientServerUrl: "https://{{ matrix_domain }}" + clientServerUrl: "https://{{ matrix_server_fqn_matrix }}" # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 04c70d7d..554713d8 100755 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -9,9 +9,12 @@ ExecStartPre=-/usr/bin/docker kill matrix-dimension ExecStartPre=-/usr/bin/docker rm matrix-dimension ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ --log-driver=none \ + --user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ + {% if matrix_dimension_container_expose_port %} -p 127.0.0.1:8184:8184 \ + {% endif %} -v {{ matrix_dimension_base_path }}:/data:rw \ {{ matrix_dimension_docker_image }} ExecStop=-/usr/bin/docker kill matrix-dimension From 3d7dc15a547282b321c313a622f264483ad3db27 Mon Sep 17 00:00:00 2001 From: Edgars Voroboks Date: Fri, 8 Mar 2019 15:24:59 +0200 Subject: [PATCH 0414/2384] Use Dimension if enabled, otherwise fall back to Scalar --- group_vars/matrix-servers | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 773150ce..df631969 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -295,6 +295,12 @@ matrix_riot_web_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" matrix_riot_web_default_hs_url: "{{ matrix_homeserver_url }}" matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}" +# Use Dimension if enabled, otherwise fall back to Scalar +matrix_riot_web_integrations_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else 'https://scalar.vector.im/' }}" +matrix_riot_web_integrations_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else 'https://scalar.vector.im/api' }}" +matrix_riot_web_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}" +matrix_riot_web_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}" + ###################################################################### # # /matrix-riot-web From 30738d064e740e2a99da8de618c3ba3a539756f8 Mon Sep 17 00:00:00 2001 From: Edgars Voroboks Date: Fri, 8 Mar 2019 19:14:15 +0200 Subject: [PATCH 0415/2384] Fix errors --- group_vars/matrix-servers | 2 +- roles/matrix-dimension/templates/config.yaml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index df631969..9f06d8fe 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -110,7 +110,7 @@ matrix_dimension_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Dimension HTTP port to the local host (`127.0.0.1:8184`). -matrix_dimension_container_expose_port: {{ not matrix_nginx_proxy_enabled }} +matrix_dimension_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" ###################################################################### # diff --git a/roles/matrix-dimension/templates/config.yaml.j2 b/roles/matrix-dimension/templates/config.yaml.j2 index 4eb2ae93..c624c4a9 100755 --- a/roles/matrix-dimension/templates/config.yaml.j2 +++ b/roles/matrix-dimension/templates/config.yaml.j2 @@ -31,7 +31,7 @@ homeserver: # These users can modify the integrations this Dimension supports. # To access the admin interface, open Dimension in Riot and click the settings icon. -admins: {{ matrix_dimension_admin }} +admins: {{ matrix_dimension_admins }} # IPs and CIDR ranges listed here will be blocked from being widgets. # Note: Widgets may still be embedded with restricted content, although not through Dimension directly. From b2263f811a83af62abe4c062599f0a1ed29fd44c Mon Sep 17 00:00:00 2001 From: Edgars Voroboks Date: Fri, 8 Mar 2019 22:00:05 +0200 Subject: [PATCH 0416/2384] Disable logging to file. Set console logging to verbose. --- roles/matrix-dimension/templates/config.yaml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-dimension/templates/config.yaml.j2 b/roles/matrix-dimension/templates/config.yaml.j2 index c624c4a9..3abd3c78 100755 --- a/roles/matrix-dimension/templates/config.yaml.j2 +++ b/roles/matrix-dimension/templates/config.yaml.j2 @@ -71,10 +71,10 @@ telegram: # Settings for controlling how logging works logging: - file: logs/dimension.log + file: /dev/null console: true - consoleLevel: info - fileLevel: verbose + consoleLevel: verbose + fileLevel: info rotate: size: 52428800 # bytes, default is 50mb count: 5 From 27772a6420bee52e19c2a4e344d77bb2591e05f5 Mon Sep 17 00:00:00 2001 From: Edgars Voroboks Date: Fri, 8 Mar 2019 22:01:11 +0200 Subject: [PATCH 0417/2384] Point federationUrl to matrix-synapse container --- roles/matrix-dimension/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dimension/templates/config.yaml.j2 b/roles/matrix-dimension/templates/config.yaml.j2 index 3abd3c78..84403d3a 100755 --- a/roles/matrix-dimension/templates/config.yaml.j2 +++ b/roles/matrix-dimension/templates/config.yaml.j2 @@ -17,7 +17,7 @@ homeserver: # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address # through the normal federation process. - #federationUrl: "https://t2bot.io:8448" + federationUrl: "https://matrix-synapse:8448" # The URL that Dimension will redirect media requests to for downloading media such as # stickers. If not supplied or left empty Dimension will use the clientServerUrl. From bcbfc1e8385570a3aee2804539feb1938d0b386b Mon Sep 17 00:00:00 2001 From: Edgars Voroboks Date: Sat, 9 Mar 2019 10:30:31 +0200 Subject: [PATCH 0418/2384] Make Matrix Federation required and fix internal federationUrl --- roles/matrix-dimension/tasks/validate_config.yml | 8 ++++++++ roles/matrix-dimension/templates/config.yaml.j2 | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/matrix-dimension/tasks/validate_config.yml b/roles/matrix-dimension/tasks/validate_config.yml index f5960142..69971a9b 100644 --- a/roles/matrix-dimension/tasks/validate_config.yml +++ b/roles/matrix-dimension/tasks/validate_config.yml @@ -5,3 +5,11 @@ with_items: - "matrix_dimension_access_token" when: "matrix_dimension_enabled and vars[item] == ''" + +- name: Fail if Matrix Federation is disabled + fail: + msg: >- + You need to enable Matrix Federation to use Dimension. Set `{{ item }}` to 'true'. + with_items: + - "matrix_synapse_federation_enabled" + when: "matrix_dimension_enabled and matrix_synapse_federation_enabled == false" diff --git a/roles/matrix-dimension/templates/config.yaml.j2 b/roles/matrix-dimension/templates/config.yaml.j2 index 84403d3a..f5f29f4f 100755 --- a/roles/matrix-dimension/templates/config.yaml.j2 +++ b/roles/matrix-dimension/templates/config.yaml.j2 @@ -17,7 +17,7 @@ homeserver: # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address # through the normal federation process. - federationUrl: "https://matrix-synapse:8448" + federationUrl: "http://matrix-synapse:8048" # The URL that Dimension will redirect media requests to for downloading media such as # stickers. If not supplied or left empty Dimension will use the clientServerUrl. From 5f13a1e50b6adb5199881c2b66346435ed2dfc9d Mon Sep 17 00:00:00 2001 From: Edgars Voroboks Date: Sat, 9 Mar 2019 19:08:00 +0200 Subject: [PATCH 0419/2384] Generate Dimension config from variable --- roles/matrix-dimension/defaults/main.yml | 103 ++++++++++++++++++ .../tasks/setup_dimension.yml | 14 +-- .../matrix-dimension/templates/config.yaml.j2 | 80 -------------- roles/matrix-dimension/vars/main.yml | 5 + 4 files changed, 115 insertions(+), 87 deletions(-) delete mode 100755 roles/matrix-dimension/templates/config.yaml.j2 create mode 100755 roles/matrix-dimension/vars/main.yml diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 6b0bf87f..20c2f4e8 100755 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -21,3 +21,106 @@ matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }} matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar" matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi" + +# Default Dimension configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_dimension_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_dimension_configuration_yaml: | + # The web settings for the service (API and UI). + # It is best to have this run on localhost and use a reverse proxy to access Dimension. + web: + port: 8184 + address: '0.0.0.0' + + # Homeserver configuration + homeserver: + # The domain name of the homeserver. This is used in many places, such as with go-neb + # setups, to identify the homeserver. + name: "{{ matrix_server_fqn_matrix }}" + + # The URL that Dimension, go-neb, and other services provisioned by Dimension should + # use to access the homeserver with. + clientServerUrl: "https://{{ matrix_server_fqn_matrix }}" + + # The URL that Dimension should use when trying to communicate with federated APIs on + # the homeserver. If not supplied or left empty Dimension will try to resolve the address + # through the normal federation process. + federationUrl: "http://matrix-synapse:8048" + + # The URL that Dimension will redirect media requests to for downloading media such as + # stickers. If not supplied or left empty Dimension will use the clientServerUrl. + #mediaUrl: "https://t2bot.io" + + # The access token Dimension should use for miscellaneous access to the homeserver. This + # should be for a user on the configured homeserver: any user will do, however it is + # recommended to use a dedicated user (such as @dimension:t2bot.io). For information on + # how to acquire an access token, visit https://t2bot.io/docs/access_tokens + accessToken: "{{ matrix_dimension_access_token }}" + + # These users can modify the integrations this Dimension supports. + # To access the admin interface, open Dimension in Riot and click the settings icon. + admins: {{ matrix_dimension_admins }} + + # IPs and CIDR ranges listed here will be blocked from being widgets. + # Note: Widgets may still be embedded with restricted content, although not through Dimension directly. + widgetBlacklist: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 127.0.0.0/8 + + # Where the database for Dimension is + database: + file: "dimension.db" + + # Display settings that apply to self-hosted go-neb instances + goneb: + # The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver + # is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot, + # make the bot's avatar an empty string. + avatars: + giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27" + imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513" + github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1" + wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1" + travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8" + rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3" + google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142" + guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526" + echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13" + circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee" + jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329" + + # Settings for controlling how logging works + logging: + file: /dev/null + console: true + consoleLevel: verbose + fileLevel: info + rotate: + size: 52428800 # bytes, default is 50mb + count: 5 + + +matrix_dimension_configuration_extension_yaml: | + # Your custom YAML configuration for Dimension goes here. + # This configuration extends the default starting configuration (`matrix_dimension_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_dimension_configuration_yaml`. + # + # Example configuration extension follows: + # telegram: + # botToken: "YourTokenHere" + # + + +# Holds the final Dimension configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_dimension_configuration_yaml`. +matrix_dimension_configuration: "{{ matrix_dimension_configuration_yaml|from_yaml|combine(matrix_dimension_configuration_extension, recursive=True) }}" + + diff --git a/roles/matrix-dimension/tasks/setup_dimension.yml b/roles/matrix-dimension/tasks/setup_dimension.yml index 30ed5a83..e8dea9ea 100755 --- a/roles/matrix-dimension/tasks/setup_dimension.yml +++ b/roles/matrix-dimension/tasks/setup_dimension.yml @@ -4,7 +4,7 @@ # Tasks related to setting up the dimension # -- name: Ensure dimension base path exists +- name: Ensure Dimension base path exists file: path: "{{ matrix_dimension_base_path }}" state: directory @@ -13,16 +13,16 @@ group: "{{ matrix_dimension_user_gid }}" when: matrix_dimension_enabled -- name: Ensure dimension environment variables file created - template: - src: "{{ role_path }}/templates/config.yaml.j2" +- name: Ensure Dimension config installed + copy: + content: "{{ matrix_dimension_configuration|to_nice_yaml }}" dest: "{{ matrix_dimension_base_path }}/config.yaml" mode: 0640 owner: "{{ matrix_user_username }}" group: "{{ matrix_dimension_user_gid }}" when: matrix_dimension_enabled -- name: Ensure dimension image is pulled +- name: Ensure Dimension image is pulled docker_image: name: "{{ matrix_dimension_docker_image }}" when: matrix_dimension_enabled @@ -69,13 +69,13 @@ daemon_reload: yes when: "not matrix_dimension_enabled and matrix_dimension_service_stat.stat.exists" -- name: Ensure Matrix dimension environment variables path doesn't exist +- name: Ensure Dimension environment variables path doesn't exist file: path: "{{ matrix_dimension_base_path }}" state: absent when: "not matrix_dimension_enabled" -- name: Ensure dimension Docker image doesn't exist +- name: Ensure Dimension Docker image doesn't exist docker_image: name: "{{ matrix_dimension_docker_image }}" state: absent diff --git a/roles/matrix-dimension/templates/config.yaml.j2 b/roles/matrix-dimension/templates/config.yaml.j2 deleted file mode 100755 index f5f29f4f..00000000 --- a/roles/matrix-dimension/templates/config.yaml.j2 +++ /dev/null @@ -1,80 +0,0 @@ -# The web settings for the service (API and UI). -# It is best to have this run on localhost and use a reverse proxy to access Dimension. -web: - port: 8184 - address: '0.0.0.0' - -# Homeserver configuration -homeserver: - # The domain name of the homeserver. This is used in many places, such as with go-neb - # setups, to identify the homeserver. - name: "{{ matrix_domain }}" - - # The URL that Dimension, go-neb, and other services provisioned by Dimension should - # use to access the homeserver with. - clientServerUrl: "https://{{ matrix_server_fqn_matrix }}" - - # The URL that Dimension should use when trying to communicate with federated APIs on - # the homeserver. If not supplied or left empty Dimension will try to resolve the address - # through the normal federation process. - federationUrl: "http://matrix-synapse:8048" - - # The URL that Dimension will redirect media requests to for downloading media such as - # stickers. If not supplied or left empty Dimension will use the clientServerUrl. - #mediaUrl: "https://t2bot.io" - - # The access token Dimension should use for miscellaneous access to the homeserver. This - # should be for a user on the configured homeserver: any user will do, however it is - # recommended to use a dedicated user (such as @dimension:t2bot.io). For information on - # how to acquire an access token, visit https://t2bot.io/docs/access_tokens - accessToken: "{{ matrix_dimension_access_token }}" - -# These users can modify the integrations this Dimension supports. -# To access the admin interface, open Dimension in Riot and click the settings icon. -admins: {{ matrix_dimension_admins }} - -# IPs and CIDR ranges listed here will be blocked from being widgets. -# Note: Widgets may still be embedded with restricted content, although not through Dimension directly. -widgetBlacklist: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - - 127.0.0.0/8 - -# Where the database for Dimension is -database: - file: "dimension.db" - -# Display settings that apply to self-hosted go-neb instances -goneb: - # The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver - # is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot, - # make the bot's avatar an empty string. - avatars: - giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27" - imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513" - github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1" - wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1" - travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8" - rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3" - google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142" - guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526" - echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13" - circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee" - jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329" - -# Settings for interacting with Telegram. Currently only applies for importing -# sticker packs from Telegram. -telegram: - # Talk to @BotFather on Telegram to get a token - botToken: "YourTokenHere" - -# Settings for controlling how logging works -logging: - file: /dev/null - console: true - consoleLevel: verbose - fileLevel: info - rotate: - size: 52428800 # bytes, default is 50mb - count: 5 diff --git a/roles/matrix-dimension/vars/main.yml b/roles/matrix-dimension/vars/main.yml new file mode 100755 index 00000000..107bb4fa --- /dev/null +++ b/roles/matrix-dimension/vars/main.yml @@ -0,0 +1,5 @@ +--- + +# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). +# We need to ensure it's a dictionary or `|combine` (when building `matrix_dimension_configuration`) will fail later. +matrix_dimension_configuration_extension: "{{ matrix_dimension_configuration_extension_yaml|from_yaml if matrix_dimension_configuration_extension_yaml|from_yaml else {} }}" \ No newline at end of file From 6c5cc173b0f423a09b811595ca14964fa7322bff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 9 Mar 2019 21:15:16 +0200 Subject: [PATCH 0420/2384] Fix permission mode for some files --- roles/matrix-base/defaults/main.yml | 0 roles/matrix-dimension/defaults/main.yml | 0 roles/matrix-dimension/tasks/init.yml | 0 roles/matrix-dimension/tasks/main.yml | 0 roles/matrix-dimension/tasks/setup_dimension.yml | 0 .../templates/systemd/matrix-dimension.service.j2 | 0 roles/matrix-dimension/vars/main.yml | 0 roles/matrix-nginx-proxy/defaults/main.yml | 0 roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 0 .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 0 10 files changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 roles/matrix-base/defaults/main.yml mode change 100755 => 100644 roles/matrix-dimension/defaults/main.yml mode change 100755 => 100644 roles/matrix-dimension/tasks/init.yml mode change 100755 => 100644 roles/matrix-dimension/tasks/main.yml mode change 100755 => 100644 roles/matrix-dimension/tasks/setup_dimension.yml mode change 100755 => 100644 roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 mode change 100755 => 100644 roles/matrix-dimension/vars/main.yml mode change 100755 => 100644 roles/matrix-nginx-proxy/defaults/main.yml mode change 100755 => 100644 roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml mode change 100755 => 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml old mode 100755 new mode 100644 diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml old mode 100755 new mode 100644 diff --git a/roles/matrix-dimension/tasks/init.yml b/roles/matrix-dimension/tasks/init.yml old mode 100755 new mode 100644 diff --git a/roles/matrix-dimension/tasks/main.yml b/roles/matrix-dimension/tasks/main.yml old mode 100755 new mode 100644 diff --git a/roles/matrix-dimension/tasks/setup_dimension.yml b/roles/matrix-dimension/tasks/setup_dimension.yml old mode 100755 new mode 100644 diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 old mode 100755 new mode 100644 diff --git a/roles/matrix-dimension/vars/main.yml b/roles/matrix-dimension/vars/main.yml old mode 100755 new mode 100644 diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml old mode 100755 new mode 100644 diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml old mode 100755 new mode 100644 diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 old mode 100755 new mode 100644 From 1bff4893d97c1cdbc24dd7783f33b0d873729fcb Mon Sep 17 00:00:00 2001 From: Edgars Voroboks Date: Sun, 10 Mar 2019 10:12:31 +0200 Subject: [PATCH 0421/2384] Provide Dimension documentation --- README.md | 4 +++ docs/configuring-dns.md | 3 ++ docs/configuring-playbook-dimension.md | 48 ++++++++++++++++++++++++++ docs/configuring-playbook.md | 2 ++ 4 files changed, 57 insertions(+) create mode 100644 docs/configuring-playbook-dimension.md diff --git a/README.md b/README.md index 67c1373e..35b18ec2 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/) +- (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients + Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. @@ -118,6 +120,8 @@ This playbook sets up your server using the following Docker images: - [tedomum/matrix-appservice-discord](https://hub.docker.com/r/halfshot/matrix-appservice-discord) - the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge to [Discord](https://discordapp.com/) +- [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) + ## Deficiencies diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index cdb54090..de7f8487 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -26,6 +26,7 @@ It's a temporary requirement during the Synapse v0.99/v1.0 transition. | ----- | ----------------------- | -------- | ------ | ---- | ---------------------- | | A | `matrix` | - | - | - | `matrix-server-IP` | | CNAME | `riot` | - | - | - | `matrix.` | +| CNAME | `dimension` | - | - | - | `matrix.` | | SRV | `_matrix._tcp` | 10 | 0 | 8448 | `matrix.` | | SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | @@ -40,6 +41,8 @@ As the table above illustrates, you need to create 2 subdomains (`matrix.` subdomain is necessary, because this playbook installs the Riot web client for you. If you'd rather instruct the playbook not to install Riot (`matrix_riot_web_enabled: false` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `riot.` DNS record. +The `dimension.` subdomain is necessary, because this playbook installs the Dimension integrations manager for you. Dimension installation is disabled by default and if you explicitly do not enable it's installation (`matrix_dimension_enabled: true` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `dimension.` DNS record. + ## `_matrix._tcp` SRV record setup (temporary requirement) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md new file mode 100644 index 00000000..78e41fbf --- /dev/null +++ b/docs/configuring-playbook-dimension.md @@ -0,0 +1,48 @@ +# Setting up Dimension (optional) + +Dimension integrations manager installation is disabled by default. You can enable it in your configuration file (`inventory/matrix./vars.yml`): + +```yaml +matrix_dimension_enabled: true +``` +Your Matrix also needs federation enabled for Dimension to work, so if you have disabled it by setting `matrix_synapse_federation_enabled` to `false`, please remove or comment this variable in your configuration file. Or set it to: + +```yaml +matrix_synapse_federation_enabled: true +``` + +## Define admin users +These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon. +Add this to your configuration file (`inventory/matrix./vars.yml`): + +```yaml +matrix_dimension_admins: ['@user1:domain.com', '@user2:domain.com'] +``` + +## Access token +You are required to specify an access token for Dimension to work. +To get an access token, follow these steps: + +1. In a private browsing session (incognito window), open Riot. +2. It's better to you use dedicated user for getting access token, so log in with this user's username and password. +3. Set the display name and avatar, if required. +4. In the settings page, scroll down to the bottom and click `Access Token: `. +5. Copy the highlighted text to your configuration. +6. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work. + +**Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.** + +Add access token to your configuration file (`inventory/matrix./vars.yml`): + +```yaml +matrix_dimension_access_token: "YOUR ACCESS TOKEN HERE" +``` + +For more information on how to acquire an access token, visit [https://t2bot.io/docs/access_tokens](https://t2bot.io/docs/access_tokens). + +## Additional features + +To use a more custom configuration, you can define a `matrix_dimension_configuration_extension_yaml` string variable and put your configuration in it. +To learn more about how to do this, refer to the information about `matrix_dimension_configuration_extension_yaml` in the [default variables file](../roles/matrix-dimension/defaults/main.yml) of the Dimension component. + +You can find all configuration options on [GitHub page of Dimension project](https://github.com/turt2live/matrix-dimension/blob/master/config/default.yaml). diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 6285d4d1..5cc609c3 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -54,3 +54,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional) - [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md) (optional) + +- [Setting up Dimension (optional)](configuring-playbook-dimension.md) (optional) From 9f5215c95a018452ed1d5b20609a43c723c2acba Mon Sep 17 00:00:00 2001 From: Edgars Voroboks Date: Sun, 10 Mar 2019 13:17:56 +0200 Subject: [PATCH 0422/2384] Make some additions to Dimension documentation --- docs/configuring-dns.md | 2 +- docs/configuring-playbook-dimension.md | 15 ++++++++++----- docs/configuring-playbook.md | 2 +- docs/installing.md | 1 + 4 files changed, 13 insertions(+), 7 deletions(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index de7f8487..c96a9206 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -41,7 +41,7 @@ As the table above illustrates, you need to create 2 subdomains (`matrix.` subdomain is necessary, because this playbook installs the Riot web client for you. If you'd rather instruct the playbook not to install Riot (`matrix_riot_web_enabled: false` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `riot.` DNS record. -The `dimension.` subdomain is necessary, because this playbook installs the Dimension integrations manager for you. Dimension installation is disabled by default and if you explicitly do not enable it's installation (`matrix_dimension_enabled: true` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `dimension.` DNS record. +The `dimension.` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](docs/configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.` DNS record. ## `_matrix._tcp` SRV record setup (temporary requirement) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 78e41fbf..e6ed4a76 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -1,15 +1,20 @@ # Setting up Dimension (optional) -Dimension integrations manager installation is disabled by default. You can enable it in your configuration file (`inventory/matrix./vars.yml`): +**Dimension can only be installed after Matrix services are installed and running.** +If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later. + +## Prerequisites +For an Integration Manager like Dimension to work, your server needs to have federation enabled (`matrix_synapse_federation_enabled: true`). This is the default for this playbook, so unless you've explicitly disabled federation, you're okay. + +Other important prerequisite is the `dimension.` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. + +## Enable +[Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/matrix./vars.yml`): ```yaml matrix_dimension_enabled: true ``` -Your Matrix also needs federation enabled for Dimension to work, so if you have disabled it by setting `matrix_synapse_federation_enabled` to `false`, please remove or comment this variable in your configuration file. Or set it to: -```yaml -matrix_synapse_federation_enabled: true -``` ## Define admin users These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 5cc609c3..3da733b2 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -55,4 +55,4 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md) (optional) -- [Setting up Dimension (optional)](configuring-playbook-dimension.md) (optional) +- [Setting up Dimension](configuring-playbook-dimension.md) (optional) diff --git a/docs/installing.md b/docs/installing.md index 38536f5a..90209e57 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -36,5 +36,6 @@ Now that the services are running, you might want to: - **finalize the installation process** (required for federation to work!) by [Configuring Service Discovery via .well-known](configuring-well-known.md) - or [create your first user account](registering-users.md) +- or [set up the Dimension Integrations Manager](configuring-playbook-dimension.md) - or [check if services work](maintenance-checking-services.md) - or learn how to [upgrade your services when new versions are released](maintenance-upgrading-services.md) From a1f9869eb2ae7f9d82a6e2fb50fed4340b6c040a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 10 Mar 2019 17:02:17 +0200 Subject: [PATCH 0423/2384] Improve documentation about getting the playbook --- docs/README.md | 4 +++- docs/configuring-playbook.md | 8 +++++-- docs/getting-the-playbook.md | 41 ++++++++++++++++++++++++++++++++++++ docs/prerequisites.md | 2 +- 4 files changed, 51 insertions(+), 4 deletions(-) create mode 100644 docs/getting-the-playbook.md diff --git a/docs/README.md b/docs/README.md index 35ba609a..1718c6ac 100644 --- a/docs/README.md +++ b/docs/README.md @@ -4,7 +4,9 @@ - [Configuring your DNS server](configuring-dns.md) -- [Configuring this Ansible playbook](configuring-playbook.md) +- [Getting this playbook's source code](getting-the-playbook.md) + +- [Configuring the playbook](configuring-playbook.md) - [Installing](installing.md) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 3da733b2..4951d8d4 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -1,8 +1,12 @@ # Configuring the Ansible playbook -Once you have your server and you have [configured your DNS records](configuring-dns.md), you can proceed with configuring this playbook, so that it knows what to install and where. +To configure the playbook, you need to have done the following things: -You can follow these steps: +- have a server where Matrix services will run +- [configured your DNS records](configuring-dns.md) +- [retrieved the playbook's source code](getting-the-playbook.md) to your computer + +You can then follow these steps inside the playbook directory: - create a directory to hold your configuration (`mkdir inventory/host_vars/matrix.`) diff --git a/docs/getting-the-playbook.md b/docs/getting-the-playbook.md new file mode 100644 index 00000000..2541da0d --- /dev/null +++ b/docs/getting-the-playbook.md @@ -0,0 +1,41 @@ +# Getting the playbook + +This Ansible playbook is meant to be executed on your own computer (not the Matrix server). + +In special cases (if your computer cannot run Ansible, etc.) you may put the playbook on the server as well. + +You can retrieve the playbook's source code by: + +- [Using git to get the playbook](#using-git-to-get-the-playbook) (recommended) + +- [Downloading the playbook as a ZIP archive](#downloading-the-playbook-as-a-zip-archive) (not recommended) + + +## Using git to get the playbook + +We recommend using the [git](https://git-scm.com/) tool to get the playbook's source code, because it lets you easily keep up to date in the future when [Maintaining services](maintenance-upgrading-services.md). + +Once you've installed git on your computer, you can go to any directory of your choosing and run the following command to retrieve the playbook's source code: + +```bash +git clone https://github.com/spantaleev/matrix-docker-ansible-deploy.git +``` + +This will create a new `matrix-docker-ansible-deploy` directory. +You're supposed to execute all other installation commands inside that directory. + + +## Downloading the playbook as a ZIP archive + +Alternatively, you can download the playbook as a ZIP archive. +This is not recommended, as it's not easy to keep up to date with future updates. We suggest you [use git](#using-git-to-get-the-playbook) instead. + +The latest version is always at the following URL: https://github.com/spantaleev/matrix-docker-ansible-deploy/archive/master.zip + +You can extract this archive anywhere. You'll get a directory called `matrix-docker-ansible-deploy-master`. +You're supposed to execute all other installation commands inside that directory. + + +--------------------------------------------- + +No matter which method you've used to download the playbook, you can proceed by [Configuring the playbook](configuring-playbook.md). diff --git a/docs/prerequisites.md b/docs/prerequisites.md index f021a87d..cf270e5d 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -4,7 +4,7 @@ - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). -- the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for [version requirements](ansible.md#supported-ansible-versions) or alternative ways to run Ansible. +- the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible. - either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature. From 6745ee4ab61f89eec5c9be6422b0292e080bf6ae Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 10 Mar 2019 19:03:04 +0200 Subject: [PATCH 0424/2384] Add changelog entry for Dimension support Related to #107 and #111 (Github Pull Requests) --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cb732599..43d8f355 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +# 2019-03-10 + +## Dimension Integration Manager support + +Thanks to [NullIsNot0](https://github.com/NullIsNot0), the playbook can now (optionally) install the [Dimension](https://dimension.t2bot.io/) Integration Manager. +To learn more, see the [Setting up Dimension](docs/configuring-playbook-dimension.md) documentation page. + + # 2019-03-07 ## Ability to customize mxisd's email templates From c49ba1c4ab4d454b4d26401c845e0aea39ae8a87 Mon Sep 17 00:00:00 2001 From: Edgars Voroboks Date: Sun, 10 Mar 2019 21:41:31 +0200 Subject: [PATCH 0425/2384] Fix Dimension documentation --- docs/configuring-dns.md | 2 +- docs/configuring-playbook-dimension.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index c96a9206..f6f7906c 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -41,7 +41,7 @@ As the table above illustrates, you need to create 2 subdomains (`matrix.` subdomain is necessary, because this playbook installs the Riot web client for you. If you'd rather instruct the playbook not to install Riot (`matrix_riot_web_enabled: false` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `riot.` DNS record. -The `dimension.` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](docs/configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.` DNS record. +The `dimension.` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.` DNS record. ## `_matrix._tcp` SRV record setup (temporary requirement) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index e6ed4a76..91d36dbf 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -31,7 +31,7 @@ To get an access token, follow these steps: 1. In a private browsing session (incognito window), open Riot. 2. It's better to you use dedicated user for getting access token, so log in with this user's username and password. 3. Set the display name and avatar, if required. -4. In the settings page, scroll down to the bottom and click `Access Token: `. +4. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: `. 5. Copy the highlighted text to your configuration. 6. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work. From 52486356e5370fd3ca29d0d76ecc766ec8ae69ba Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 10 Mar 2019 21:43:03 +0200 Subject: [PATCH 0426/2384] Add some more links to Dimension's homepage --- docs/configuring-playbook-dimension.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index e6ed4a76..a548d404 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -1,10 +1,10 @@ # Setting up Dimension (optional) -**Dimension can only be installed after Matrix services are installed and running.** +**[Dimension](https://dimension.t2bot.io) can only be installed after Matrix services are installed and running.** If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later. ## Prerequisites -For an Integration Manager like Dimension to work, your server needs to have federation enabled (`matrix_synapse_federation_enabled: true`). This is the default for this playbook, so unless you've explicitly disabled federation, you're okay. +For an Integration Manager like [Dimension](https://dimension.t2bot.io) to work, your server needs to have federation enabled (`matrix_synapse_federation_enabled: true`). This is the default for this playbook, so unless you've explicitly disabled federation, you're okay. Other important prerequisite is the `dimension.` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. @@ -17,7 +17,7 @@ matrix_dimension_enabled: true ## Define admin users -These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon. +These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon. Add this to your configuration file (`inventory/matrix./vars.yml`): ```yaml @@ -25,7 +25,7 @@ matrix_dimension_admins: ['@user1:domain.com', '@user2:domain.com'] ``` ## Access token -You are required to specify an access token for Dimension to work. +You are required to specify an access token for Dimension to work. To get an access token, follow these steps: 1. In a private browsing session (incognito window), open Riot. From 4067e09409f0064c243daa46ddf9739d4a49dd7b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 10 Mar 2019 22:23:06 +0200 Subject: [PATCH 0427/2384] Fix rare YAML parsing problems in Dimension config It's been reported that YAML parsing errors would occur on certain Ansible/Python combinations for some reason. It appears that a bare `{{ matrix_dimension_admins }}` would sometimes yield things like `[u'@user:domain.com', ..]` (note the `u` string prefix). To prevent such problems, we now explicitly serialize with `|to_json`. --- roles/matrix-dimension/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 20c2f4e8..d66aecd0 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -61,7 +61,7 @@ matrix_dimension_configuration_yaml: | # These users can modify the integrations this Dimension supports. # To access the admin interface, open Dimension in Riot and click the settings icon. - admins: {{ matrix_dimension_admins }} + admins: {{ matrix_dimension_admins|to_json }} # IPs and CIDR ranges listed here will be blocked from being widgets. # Note: Widgets may still be embedded with restricted content, although not through Dimension directly. @@ -101,7 +101,7 @@ matrix_dimension_configuration_yaml: | fileLevel: info rotate: size: 52428800 # bytes, default is 50mb - count: 5 + count: 5 matrix_dimension_configuration_extension_yaml: | @@ -117,7 +117,7 @@ matrix_dimension_configuration_extension_yaml: | # telegram: # botToken: "YourTokenHere" # - + # Holds the final Dimension configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_dimension_configuration_yaml`. From 09d2c76fcbd604d50ddacd7dfcb59d43746dddba Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 11 Mar 2019 18:25:12 +0200 Subject: [PATCH 0428/2384] Fix incorrect Docker image name in README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 35b18ec2..cc3c8fe4 100644 --- a/README.md +++ b/README.md @@ -118,7 +118,7 @@ This playbook sets up your server using the following Docker images: - [tedomum/matrix-appservice-irc](https://hub.docker.com/r/tedomum/matrix-appservice-irc/) - the [matrix-appservice-irc](https://github.com/TeDomum/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional) -- [tedomum/matrix-appservice-discord](https://hub.docker.com/r/halfshot/matrix-appservice-discord) - the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge to [Discord](https://discordapp.com/) +- [halfshot/matrix-appservice-discord](https://hub.docker.com/r/halfshot/matrix-appservice-discord) - the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge to [Discord](https://discordapp.com/) (optional) - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) From 1d8fd9792fb4903b5f0a9594dceb5e0642534060 Mon Sep 17 00:00:00 2001 From: Edgars Voroboks Date: Mon, 11 Mar 2019 20:05:52 +0200 Subject: [PATCH 0429/2384] Fix Matrix homeserver name in Dimension configuration --- roles/matrix-dimension/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index d66aecd0..31d899f2 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -38,7 +38,7 @@ matrix_dimension_configuration_yaml: | homeserver: # The domain name of the homeserver. This is used in many places, such as with go-neb # setups, to identify the homeserver. - name: "{{ matrix_server_fqn_matrix }}" + name: "{{ matrix_domain }}" # The URL that Dimension, go-neb, and other services provisioned by Dimension should # use to access the homeserver with. From 1974935bc6ea6208fc419a68cbfc8b34752d6fd8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 12 Mar 2019 11:38:59 +0200 Subject: [PATCH 0430/2384] Update docs a bit --- docs/configuring-playbook-ssl-certificates.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 6a319575..bcaef80a 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -60,18 +60,22 @@ With such a configuration, no certificates will be retrieved at all. You're free The playbook tries to be smart about the certificates it will obtain for you. -By default, it obtains certificates for `matrix.` and possibly for `riot.` (unless you have disabled the Riot component using `matrix_riot_web_enabled: false`). +By default, it obtains certificates for: +- `matrix.` (`matrix_server_fqn_matrix`) +- possibly for `riot.`, unless you have disabled the Riot component using `matrix_riot_web_enabled: false` +- possibly for `dimension.`, if you have explicitly [set up Dimension](configuring-playbook-dimension.md). If you are hosting other domains on the Matrix machine, you can make the playbook obtain and renew certificates for those other domains too. To do that, simply define your own custom configuration like this: ```yaml -# Note: we need to include the matrix (`matrix_server_fqn_matrix`) and riot (`matrix_server_fqn_riot`) domains explicitly. -# Your base domain is in the `matrix_domain` variable. +# Note: we need to explicitly list the aforementioned Matrix domains that you use (Matrix, Riot, Dimension). +# In this example, we retrieve an extra certificate - one for the base domain (in the `matrix_domain` variable). # Adding any other additional domains (hosted on the same machine) is possible. matrix_ssl_domains_to_obtain_certificates_for: - '{{ matrix_server_fqn_matrix }}' - '{{ matrix_server_fqn_riot }}' + - '{{ matrix_server_fqn_dimension }}' - '{{ matrix_domain }}' ``` From 610eef82b59abaed38f25a4fb30f0fd8e67c6a53 Mon Sep 17 00:00:00 2001 From: Edgars Voroboks Date: Tue, 12 Mar 2019 12:17:12 +0200 Subject: [PATCH 0431/2384] Add option to enable Dimension widgets serve sites with self signed certs --- roles/matrix-dimension/defaults/main.yml | 3 +++ .../templates/systemd/matrix-dimension.service.j2 | 3 +++ 2 files changed, 6 insertions(+) diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 31d899f2..ee1b18a0 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -7,6 +7,9 @@ matrix_dimension_access_token: "" # Users in form: ['@user1:domain.com', '@user2:domain.com'] matrix_dimension_admins: [] +# Whether to allow Dimension widgets serve websites with invalid or self signed SSL certificates +matrix_dimension_widgets_allow_self_signed_ssl_certificates: false + matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" matrix_dimension_docker_image: "turt2live/matrix-dimension:latest" diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 554713d8..12f111f3 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -12,6 +12,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ --user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ + {% if matrix_dimension_widgets_allow_self_signed_ssl_certificates %} + -e NODE_TLS_REJECT_UNAUTHORIZED=0 \ + {% endif %} {% if matrix_dimension_container_expose_port %} -p 127.0.0.1:8184:8184 \ {% endif %} From f6de3fd6689165303b791722414f2f3360204136 Mon Sep 17 00:00:00 2001 From: Plailect Date: Tue, 12 Mar 2019 13:17:51 -0400 Subject: [PATCH 0432/2384] Start appservice-irc as non-root --- .../matrix-synapse/tasks/ext/appservice-irc/setup.yml | 11 +++++++++++ .../systemd/matrix-appservice-irc.service.j2 | 3 ++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml index 9f79c383..5c75554d 100644 --- a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml +++ b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml @@ -54,6 +54,8 @@ - name: Generate matrix-appservice-irc registration.yaml if it doesn't exist shell: >- /usr/bin/docker run --rm --name matrix-appservice-irc-gen + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ -v {{ matrix_appservice_irc_base_path }}:/data:z {{ matrix_appservice_irc_docker_image }} node app.js @@ -82,6 +84,15 @@ {{ ["{{ matrix_synapse_app_service_config_file_appservice_irc }}"] | to_nice_json }} when: "matrix_appservice_irc_enabled" +- name: Ensure IRC configuration directory permissions are correct + file: + path: "{{ matrix_appservice_irc_base_path }}" + state: directory + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + recurse: true + when: "matrix_appservice_irc_enabled" + # # Tasks related to getting rid of matrix-appservice-irc (if it was previously enabled) # diff --git a/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 index 2353796b..1b5b4fc0 100644 --- a/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 @@ -11,7 +11,8 @@ ExecStartPre=-/usr/bin/docker kill matrix-appservice-irc ExecStartPre=-/usr/bin/docker rm matrix-appservice-irc ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \ --log-driver=none \ - -e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --network={{ matrix_docker_network }} \ {% if matrix_appservice_irc_container_expose_client_server_api_port %} -p 127.0.0.1:9999:9999 \ From e645b0e3721ace973f68a5175a64c17a13f2c3a9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 12 Mar 2019 22:15:22 +0200 Subject: [PATCH 0433/2384] Rename matrix_nginx_proxy_data_path to matrix_nginx_proxy_base_path `matrix_nginx_proxy_data_path` has always served as a base path, so we're renaming it to reflect that. Along with this, we're also introducing a new "data path" variable (`matrix_nginx_proxy_data_path`), which is really a data path this time. It's used for storing additional, non-configuration, files related to matrix-nginx-proxy. --- CHANGELOG.md | 9 +++++++++ roles/matrix-nginx-proxy/defaults/main.yml | 5 +++-- .../matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 13 +++---------- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 2 +- .../templates/systemd/matrix-nginx-proxy.service.j2 | 3 ++- 5 files changed, 18 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 43d8f355..8c4acb22 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2019-03-12 + +## (BC break) matrix-nginx-proxy data variable renamed + +`matrix_nginx_proxy_data_path` was renamed to `matrix_nginx_proxy_base_path`. + +There's a new `matrix_nginx_proxy_data_path` variable, which has a different use-purpose now (it's a subdirectory of `matrix_nginx_proxy_base_path` and is meant for storing various data files). + + # 2019-03-10 ## Dimension Integration Manager support diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 4ecd92cf..19b09f30 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -5,8 +5,9 @@ matrix_nginx_proxy_enabled: true # those as more frequently out of date. matrix_nginx_proxy_docker_image: "nginx:1.15.9-alpine" -matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" -matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" +matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" +matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data" +matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d" # List of systemd services that matrix-nginx-proxy.service depends on matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 267d2133..ef628e24 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -18,13 +18,14 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: + - "{{ matrix_nginx_proxy_base_path }}" - "{{ matrix_nginx_proxy_data_path }}" - "{{ matrix_nginx_proxy_confd_path }}" - name: Ensure Matrix nginx-proxy configured (main config override) template: src: "{{ role_path }}/templates/nginx/nginx.conf.j2" - dest: "{{ matrix_nginx_proxy_data_path }}/nginx.conf" + dest: "{{ matrix_nginx_proxy_base_path }}/nginx.conf" mode: 0644 when: "matrix_nginx_proxy_enabled" @@ -37,14 +38,6 @@ mode: 0400 when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled and matrix_nginx_proxy_proxy_synapse_metrics" -- name: Ensure matrix-synapse-metrics-htpasswd is mounted into the matrix-nginx-proxy container - set_fact: - matrix_nginx_proxy_container_additional_volumes: > - {{ matrix_nginx_proxy_container_additional_volumes }} - + - {{ [{'src': '{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd', 'dst': '/etc/nginx/.matrix-synapse-metrics-htpasswd', 'options': 'ro'}] }} - when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled and matrix_nginx_proxy_proxy_synapse_metrics" - - name: Ensure Matrix nginx-proxy configured (generic) template: src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2" @@ -154,7 +147,7 @@ - name: Ensure Matrix nginx-proxy configuration for main config override deleted file: - path: "{{ matrix_nginx_proxy_data_path }}/nginx.conf" + path: "{{ matrix_nginx_proxy_base_path }}/nginx.conf" state: absent when: "not matrix_nginx_proxy_enabled" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 17f67696..00e7a1be 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -146,7 +146,7 @@ server { {% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} auth_basic "protected"; - auth_basic_user_file .matrix-synapse-metrics-htpasswd; + auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd; {% endif %} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 48a6441d..cb2c4da2 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -25,7 +25,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} -p 8448:8448 \ {% endif %} - -v {{ matrix_nginx_proxy_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ + -v {{ matrix_nginx_proxy_base_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ + -v {{ matrix_nginx_proxy_data_path }}:/nginx-data:ro \ -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ -v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \ -v {{ matrix_static_files_base_path }}:{{ matrix_static_files_base_path }}:ro \ From c545d3eb8571d10eed4e202b1bfdbb3c63f75112 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 12 Mar 2019 22:27:18 +0200 Subject: [PATCH 0434/2384] Add support for serving base domain via matrix-nginx-proxy --- CHANGELOG.md | 8 +++ ...onfiguring-playbook-base-domain-serving.md | 29 +++++++++++ docs/configuring-playbook-ssl-certificates.md | 5 +- docs/configuring-playbook.md | 2 + docs/configuring-well-known.md | 8 ++- docs/prerequisites.md | 2 +- group_vars/matrix-servers | 2 + roles/matrix-nginx-proxy/defaults/main.yml | 21 ++++++++ .../tasks/setup_nginx_proxy.yml | 37 +++++++++++++ .../nginx/conf.d/matrix-domain.conf.j2 | 52 +++++++++++++++++++ 10 files changed, 162 insertions(+), 4 deletions(-) create mode 100644 docs/configuring-playbook-base-domain-serving.md create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c4acb22..31d25995 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # 2019-03-12 +## matrix-nginx-proxy support for serving the base domain + +If you don't have a dedicated server for your base domain and want to set up [Server Delegation via a well-known file](docs/howto-server-delegation.md#server-delegation-via-a-well-known-file), the playbook has got you covered now. + +It's now possible for the playbook to obtain an SSL certificate and serve the necessary files for Matrix Server Delegation on your base domain. +Take a look at the new [Serving the base domain](docs/configuring-playbook-base-domain-serving.md) documentation page. + + ## (BC break) matrix-nginx-proxy data variable renamed `matrix_nginx_proxy_data_path` was renamed to `matrix_nginx_proxy_base_path`. diff --git a/docs/configuring-playbook-base-domain-serving.md b/docs/configuring-playbook-base-domain-serving.md new file mode 100644 index 00000000..b937a4ba --- /dev/null +++ b/docs/configuring-playbook-base-domain-serving.md @@ -0,0 +1,29 @@ +# Serving the base domain + +This playbook sets up services on your Matrix server (`matrix.DOMAIN`). +To have this server officially be responsible for Matrix services for the base domain (`DOMAIN`), you need to set up [Server Delegation](howto-server-delegation.md). +This is normally done by [configuring well-known](configuring-well-known.md) files on the base domain. + +People who don't have a separate server to dedicate to the base domain have trouble arranging this. + +Usually, there are 2 options: + +- either get a separate server for the base domain, just for serving the files necessary for [Server Delegation via a well-known file](howto-server-delegation.md#server-delegation-via-a-well-known-file) + +- or, arrange for the Matrix server to serve the base domain. This involves [using your own webserver](configuring-playbook-own-webserver.md) or making the integrated webserver somehow serve your base domain (possible, but complicated). + +To solve this problem, we've created an easy way to let you serve the base domain from the Matrix server via the integrated webserver (`matrix-nginx-proxy`). + +Just **adjust your DNS records**, so that your base domain is pointed to the Matrix server's IP address **and use the following configuration**: + +```yaml +matrix_nginx_proxy_base_domain_serving_enabled: true +``` + +Doing this, the playbook will: + +- obtain an SSL certificate for the base domain, just like it does for all other domains (see [how we handle SSL certificates](configuring-playbook-ssl-certificates.md)) + +- serve the `/.well-known/matrix/*` files which are necessary for [Federation Server Discovery](configuring-well-known.md#introduction-to-client-server-discovery) (also see [Server Delegation](howto-server-delegation.md)) and [Client-Server discovery](configuring-well-known.md#introduction-to-client-server-discovery) + +- serve a simple homepage at `https://DOMAIN` with content `Hello from DOMAIN` (configurable via the `matrix_nginx_proxy_base_domain_homepage_template` variable) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index bcaef80a..28d50542 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -15,7 +15,7 @@ Things discussed in this document: - [Not bothering with SSL certificates](#not-bothering-with-ssl-certificates), if you're using [your own webserver](docs/configuring-playbook-own-webserver.md) and would rather this playbook leaves SSL certificate management to you -- [Obtaining SSL certificates for additional domains](#obtaining-ssl-certificates-for-additional-domains), if you'd like to host additional domains on the Matrix server (perhaps your base domain?) and would like the playbook to help you obtain and renew certificates for those domains automatically. +- [Obtaining SSL certificates for additional domains](#obtaining-ssl-certificates-for-additional-domains), if you'd like to host additional domains on the Matrix server and would like the playbook to help you obtain and renew certificates for those domains automatically ## Using self-signed SSL certificates @@ -64,6 +64,7 @@ By default, it obtains certificates for: - `matrix.` (`matrix_server_fqn_matrix`) - possibly for `riot.`, unless you have disabled the Riot component using `matrix_riot_web_enabled: false` - possibly for `dimension.`, if you have explicitly [set up Dimension](configuring-playbook-dimension.md). +- possibly for your base domain (``), if you have explicitly configured [Serving the base domain](configuring-playbook-base-domain-serving.md) If you are hosting other domains on the Matrix machine, you can make the playbook obtain and renew certificates for those other domains too. To do that, simply define your own custom configuration like this: @@ -85,7 +86,7 @@ After redefining `matrix_ssl_domains_to_obtain_certificates_for`, to actually ob - re-run the SSL part of the playbook and restart all services: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-ssl,start` -The certificate files would be available in `/matrix/ssl/config/live//...`. +The certificate files would be available in `/matrix/ssl/config/live//...`. For automated certificate renewal to work, each port `80` vhost for each domain you are obtaining certificates for needs to forward requests for `/.well-known/acme-challenge` to the certbot container we use for renewal. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 4951d8d4..c56cf11d 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -41,6 +41,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (optional, advanced) +- [Serving your base domain using this playbook's nginx server](configuring-playbook-base-domain-serving.md) (optional) + - [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional, advanced) - [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional, advanced) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 193d380b..59807f28 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -39,7 +39,13 @@ To learn how to set it up, read the Installing section below. ## Installing well-known files on the base domain's server -To implement the two service discovery mechanisms, your base domain's server (e.g. `example.com`) needs to support HTTPS. +To implement the two service discovery mechanisms, your base domain's server (e.g. `example.com`) needs to run an HTTPS-capable webserver. + +If you don't have a server for your base domain at all, you can use the Matrix server for this. +See [Serving the base domain](configuring-playbook-base-domain-serving.md) to learn how the playbook can help you set it up. +If you decide to go this route, you don't need to read ahead in this document. When **Serving the base domain**, the playbook takes care to serve the appropriate well-known files automatically. + +If you're managing the base domain by yourself somehow, you'll need to set up serving of some `/.well-known/matrix/*` files from it via HTTPS. To make things easy for you to set up, this playbook generates and hosts 2 well-known files on the Matrix domain's server (e.g. `https://matrix.example.com/.well-known/matrix/server` and `https://matrix.example.com/.well-known/matrix/client`), even though this is the wrong place to host them. diff --git a/docs/prerequisites.md b/docs/prerequisites.md index cf270e5d..0fc5f5c9 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -8,7 +8,7 @@ - either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature. -- an HTTPS-capable web server at the base domain name (``) which is capable of serving static files (unless you decide to use DNS SRV records for [Server Delegation](howto-server-delegation.md)) +- an HTTPS-capable web server at the base domain name (``) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md). - properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 9f06d8fe..a93467ca 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -246,6 +246,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | ([matrix_server_fqn_riot] if matrix_riot_web_enabled else []) + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + + + ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) }} ###################################################################### diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 19b09f30..8117cb89 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -21,6 +21,27 @@ matrix_nginx_proxy_systemd_wanted_services_list: [] # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} matrix_nginx_proxy_container_additional_volumes: [] +# Controls whether matrix-nginx-proxy should serve the base domain. +# +# This is useful for when you only have your Matrix server, but you need to serve +# to serve `/.well-known/matrix/*` files from the base domain for the needs of +# Server-Discovery (Federation) and for Client-Discovery. +# +# Besides serving these Matrix files, a homepage would be served with content +# as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable. +# You can also put additional files to use for this webpage +# in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory. +matrix_nginx_proxy_base_domain_serving_enabled: false +matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}" +matrix_nginx_proxy_base_domain_homepage_template: |- + + + + + Hello from {{ matrix_domain }}! + + + # Controls whether proxying the riot domain should be done. matrix_nginx_proxy_proxy_riot_enabled: false matrix_nginx_proxy_proxy_riot_hostname: "{{ matrix_server_fqn_riot }}" diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index ef628e24..d0075702 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -66,6 +66,31 @@ mode: 0644 when: "matrix_nginx_proxy_proxy_dimension_enabled" +- name: Ensure Matrix nginx-proxy data directory for base domain exists + file: + path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "matrix_nginx_proxy_base_domain_serving_enabled" + +- name: Ensure Matrix nginx-proxy homepage for base domain exists + copy: + content: "{{ matrix_nginx_proxy_base_domain_homepage_template }}" + dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "matrix_nginx_proxy_base_domain_serving_enabled" + +- name: Ensure Matrix nginx-proxy configuration for base domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" + mode: 0644 + when: "matrix_nginx_proxy_base_domain_serving_enabled" + # # Tasks related to setting up matrix-nginx-proxy # @@ -145,6 +170,18 @@ state: absent when: "not matrix_nginx_proxy_proxy_dimension_enabled" +- name: Ensure Matrix nginx-proxy homepage for base domain deleted + file: + path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" + state: absent + when: "not matrix_nginx_proxy_base_domain_serving_enabled" + +- name: Ensure Matrix nginx-proxy configuration for base domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" + state: absent + when: "not matrix_nginx_proxy_base_domain_serving_enabled" + - name: Ensure Matrix nginx-proxy configuration for main config override deleted file: path: "{{ matrix_nginx_proxy_base_path }}/nginx.conf" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 new file mode 100644 index 00000000..679f3efa --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -0,0 +1,52 @@ +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_base_domain_hostname }}; + + server_tokens off; + + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } +} + +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_base_domain_hostname }}; + + server_tokens off; + root /nginx-data/matrix-domain; + + gzip on; + gzip_types text/plain application/json; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + ssl_prefer_server_ciphers on; + ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + + location /.well-known/matrix { + root {{ matrix_static_files_base_path }}; + {# + A somewhat long expires value is used to prevent outages + in case this is unreachable due to network failure. + #} + expires 4h; + default_type application/json; + add_header Access-Control-Allow-Origin *; + } +} From b066f8a0d8c25b3fd9039102fb20299c3e6b0f85 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Mar 2019 07:36:28 +0200 Subject: [PATCH 0435/2384] Do not try to start matrix-coturn.service if not enabled --- roles/matrix-coturn/tasks/init.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index f25b2ed7..7d19d48d 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -1,2 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn'] }}" \ No newline at end of file + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn'] }}" + when: "matrix_coturn_enabled" From 2d56ff0afa20db03c339a8358ac181229e6f510a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Mar 2019 07:40:51 +0200 Subject: [PATCH 0436/2384] Skip some uninstall tasks if not necessary to run --- roles/matrix-corporal/tasks/setup_corporal.yml | 1 + roles/matrix-coturn/tasks/setup_coturn.yml | 1 + roles/matrix-mailer/tasks/setup_mailer.yml | 1 + roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 1 + roles/matrix-riot-web/tasks/setup_riot_web.yml | 1 + roles/matrix-synapse/tasks/setup_synapse_goofys.yml | 1 + 6 files changed, 6 insertions(+) diff --git a/roles/matrix-corporal/tasks/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml index 0bfba48a..816f05c1 100644 --- a/roles/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -51,6 +51,7 @@ stat: path: "/etc/systemd/system/matrix-corporal.service" register: matrix_corporal_service_stat + when: "not matrix_corporal_enabled" - name: Ensure matrix-corporal is stopped service: diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 5dd0db41..6fd3ea72 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -58,6 +58,7 @@ stat: path: "/etc/systemd/system/matrix-coturn.service" register: matrix_coturn_service_stat + when: "not matrix_coturn_enabled" - name: Ensure matrix-coturn is stopped service: diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml index 9f57f8b7..46445092 100644 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -46,6 +46,7 @@ stat: path: "/etc/systemd/system/matrix-mailer.service" register: matrix_mailer_service_stat + when: "not matrix_mailer_enabled" - name: Ensure matrix-mailer is stopped service: diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index d0075702..c0188a4e 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -132,6 +132,7 @@ stat: path: "/etc/systemd/system/matrix-nginx-proxy.service" register: matrix_nginx_proxy_service_stat + when: "not matrix_nginx_proxy_enabled" - name: Ensure matrix-nginx-proxy is stopped service: diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index 9828ae2a..a8a314b0 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -60,6 +60,7 @@ stat: path: "/etc/systemd/system/matrix-riot-web.service" register: matrix_riot_web_service_stat + when: "not matrix_riot_web_enabled" - name: Ensure matrix-riot-web is stopped service: diff --git a/roles/matrix-synapse/tasks/setup_synapse_goofys.yml b/roles/matrix-synapse/tasks/setup_synapse_goofys.yml index ae4349cd..7cb1d513 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_goofys.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_goofys.yml @@ -53,6 +53,7 @@ stat: path: "/etc/systemd/system/matrix-goofys.service" register: matrix_goofys_service_stat + when: "not matrix_s3_media_store_enabled" - name: Ensure matrix-goofys is stopped service: From 10d92931219ffd71626f070cfc2457bca8716fcc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Mar 2019 08:23:10 +0200 Subject: [PATCH 0437/2384] Indicate that TURN ports are a range --- docs/prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 0fc5f5c9..23cb19b3 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -12,6 +12,6 @@ - properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)) -- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (STUN over TCP), `3478/udp` (STUN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), `49152-49172/udp` (TURN over UDP). +- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (STUN over TCP), `3478/udp` (STUN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP). When ready to proceed, continue with [Configuring DNS](configuring-dns.md). From ceba99eed37421d3371d712aaa22394f61a817fb Mon Sep 17 00:00:00 2001 From: Lorrin Nelson Date: Wed, 13 Mar 2019 22:23:35 -0700 Subject: [PATCH 0438/2384] Make federation self-check conditional on matrix_synapse_federation_enabled --- roles/matrix-synapse/tasks/self_check_federation_api.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/matrix-synapse/tasks/self_check_federation_api.yml b/roles/matrix-synapse/tasks/self_check_federation_api.yml index 235036cf..e13387e0 100644 --- a/roles/matrix-synapse/tasks/self_check_federation_api.yml +++ b/roles/matrix-synapse/tasks/self_check_federation_api.yml @@ -11,8 +11,14 @@ - name: Fail if Matrix Federation API not working fail: msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}" - when: "result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api" + when: "matrix_synapse_federation_enabled and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)" + +- name: Fail if Matrix Federation API unexpectedly enabled + fail: + msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) despite being disabled." + when: "matrix_synapse_federation_enabled == false and not result_matrix_synapse_federation_api.failed" - name: Report working Matrix Federation API debug: msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working" + when: "matrix_synapse_federation_enabled" From 71c7c74b7bbeda00a8cfda289dcdac603da84f33 Mon Sep 17 00:00:00 2001 From: Lee Verberne Date: Sat, 16 Mar 2019 07:16:20 +0100 Subject: [PATCH 0439/2384] Allow configuring push content for matrix-synapse This allows overriding the default value for `include_content`. Setting this to false allows homeserver admins to ensure that message content isn't sent in the clear through third party servers. --- roles/matrix-synapse/defaults/main.yml | 5 +++++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 5 ++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a2b9b24d..7cbdc669 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -140,6 +140,11 @@ matrix_synapse_app_service_config_files: [] # any password providers have been enabled or not. matrix_synapse_password_providers_enabled: false +# Whether clients can request to include message content in push notifications +# sent through third party servers. Setting this to false requires mobile clients +# to load message content directly from the homeserver. +matrix_synapse_push_include_content: true + # Enable exposure of metrics to Prometheus # See https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.rst matrix_synapse_metrics_enabled: false diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 36333788..57e093df 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -847,9 +847,8 @@ password_providers: # For modern android devices the notification content will still appear # because it is loaded by the app. iPhone, however will send a # notification saying only that a message arrived and who it came from. -# -#push: -# include_content: true +push: + include_content: {{ matrix_synapse_push_include_content }} # spam_checker: From d90bc20690b415ac3b5cb5bb73fe8379fb57fac8 Mon Sep 17 00:00:00 2001 From: Lee Verberne Date: Sat, 16 Mar 2019 20:35:11 +0100 Subject: [PATCH 0440/2384] Use common path for systemctl in lets encrypt cron Currently the nginx reload cron fails on Debian 9 because the path to systemctl is /bin/systemctl rather than /usr/bin/systemctl. CentOS 7 places systemctl in both /bin and /usr/bin, so we can just use /bin/systemctl as the full path. --- roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 78f1458b..16f7c2fe 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -92,7 +92,7 @@ hour: 4 minute: 20 day: "*/5" - job: /usr/bin/systemctl reload matrix-nginx-proxy.service + job: /bin/systemctl reload matrix-nginx-proxy.service when: matrix_nginx_proxy_enabled when: "matrix_ssl_retrieval_method == 'lets-encrypt'" From ae912c4529cab0790e951fb55c3d205760edb377 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 16 Mar 2019 15:51:41 -0500 Subject: [PATCH 0441/2384] Update homeserver.yaml with some new options we could enable --- .../templates/synapse/homeserver.yaml.j2 | 150 ++++++++++++------ 1 file changed, 103 insertions(+), 47 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 36333788..9d663118 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -33,11 +33,6 @@ pid_file: /homeserver.pid # # cpu_affinity: 0xFFFFFFFF -# The path to the web client which will be served at /_matrix/client/ -# if 'webclient' is configured under the 'listeners' configuration. -# -# web_client_location: "/path/to/web/root" - # The public-facing base URL that clients use to access this HS # (not including _matrix/...). This is the same URL a user would # enter into the 'custom HS URL' field on their client. If you @@ -64,6 +59,13 @@ use_presence: {{ matrix_synapse_use_presence|to_json }} # (except those sent by local server admins). The default is False. # block_non_admin_invites: True +# Room searching +# +# If disabled, new messages will not be indexed for searching and users +# will receive errors when searching for messages. Defaults to enabled. +# +# enable_search: false + # Restrict federation to the following whitelist of domains. # N.B. we recommend also firewalling your federation listener to limit # inbound federation traffic as early as possible, rather than relying @@ -137,8 +139,6 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js # static: static resources under synapse/static (/_matrix/static). (Mostly # useful for 'fallback authentication'.) # -# webclient: A web client. Requires web_client_location to be set. -# listeners: {% if matrix_synapse_metrics_enabled %} - type: metrics @@ -192,41 +192,33 @@ listeners: # bind_addresses: ['::1', '127.0.0.1'] # type: manhole -# Homeserver blocking -# + +## Homeserver blocking ## + # How to reach the server admin, used in ResourceLimitError # admin_contact: 'mailto:admin@server.com' -# -# Global block config -# + +# Global blocking # hs_disabled: False # hs_disabled_message: 'Human readable reason for why the HS is blocked' # hs_disabled_limit_type: 'error code(str), to help clients decode reason' -# + # Monthly Active User Blocking -# -# Enables monthly active user checking # limit_usage_by_mau: False # max_mau_value: 50 # mau_trial_days: 2 -# + # If enabled, the metrics for the number of monthly active users will # be populated, however no one will be limited. If limit_usage_by_mau # is true, this is implied to be true. # mau_stats_only: False -# + # Sometimes the server admin will want to ensure certain accounts are # never blocked by mau checking. These accounts are specified here. # # mau_limit_reserved_threepids: # - medium: 'email' # address: 'reserved_user@example.com' -# -# Room searching -# -# If disabled, new messages will not be indexed for searching and users -# will receive errors when searching for messages. Defaults to enabled. -# enable_search: true ## TLS ## @@ -321,7 +313,8 @@ tls_fingerprints: [] -# Database configuration +## Database ## + database: # The database engine name name: "psycopg2" @@ -337,6 +330,7 @@ database: event_cache_size: "{{ matrix_synapse_event_cache_size }}" +## Logging ## # A yaml python logging config file log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" @@ -369,6 +363,15 @@ federation_rc_reject_limit: 50 # single server federation_rc_concurrent: 3 +# Number of registration requests a client can send per second. +# Defaults to 1/minute (0.17). +# rc_registration_requests_per_second: 0.17 + +# Number of registration requests a client can send before being +# throttled. +# Defaults to 3. +# rc_registration_request_burst_count: 3.0 + # Directory where uploaded images and attachments are stored. @@ -404,7 +407,7 @@ max_image_pixels: "32M" # from a precalculated list. dynamic_thumbnails: false -# List of thumbnail to precalculate when an image is uploaded. +# List of thumbnails to precalculate when an image is uploaded. thumbnail_sizes: - width: 32 height: 32 @@ -494,7 +497,6 @@ max_spider_size: "10M" - ## Captcha ## # See docs/CAPTCHA_SETUP for full details of configuring this. @@ -510,13 +512,13 @@ recaptcha_private_key: "YOUR_PRIVATE_KEY" enable_registration_captcha: False # A secret key used to bypass the captcha test entirely. -#captcha_bypass_secret: "YOUR_SECRET_HERE" +# captcha_bypass_secret: "YOUR_SECRET_HERE" # The API endpoint to use for verifying m.login.recaptcha responses. -recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" +recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" -## Turn ## +## TURN ## # The public URIs of the TURN server to give to clients turn_uris: {{ matrix_synapse_turn_uris|to_json }} @@ -526,8 +528,8 @@ turn_shared_secret: {{ matrix_synapse_turn_shared_secret|to_json }} # The Username and password if the TURN server needs them and # does not use a token -#turn_username: "TURNSERVER_USERNAME" -#turn_password: "TURNSERVER_PASSWORD" +# turn_username: "TURNSERVER_USERNAME" +# turn_password: "TURNSERVER_PASSWORD" # How long generated TURN credentials last turn_user_lifetime: "1h" @@ -541,6 +543,8 @@ turn_allow_guests: False ## Registration ## +# Registration can be rate-limited using the parameters in the "Ratelimiting" +# section of this file. # Enable registration for new users. enable_registration: {{ matrix_synapse_enable_registration|to_json }} @@ -603,8 +607,6 @@ trusted_third_party_id_servers: # Users who register on this homeserver will automatically be joined # to these rooms -#auto_join_rooms: -# - "#example:example.com" {% if matrix_synapse_auto_join_rooms|length > 0 %} auto_join_rooms: {{ matrix_synapse_auto_join_rooms|to_nice_yaml }} @@ -624,6 +626,16 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms }} enable_metrics: {{ matrix_synapse_metrics_enabled }} report_stats: {{ matrix_synapse_report_stats|to_json }} +# Enable sentry integration +# NOTE: While attempts are made to ensure that the logs don't contain +# any sensitive information, this cannot be guaranteed. By enabling +# this option the sentry server may therefore receive sensitive +# information, and it in turn may then diseminate sensitive information +# through insecure notification channels if so configured. +# +# sentry: +# dsn: "..." + ## API Configuration ## @@ -689,7 +701,8 @@ perspectives: # Enable SAML2 for registration and login. Uses pysaml2. # -# saml2_config: +# `sp_config` is the configuration for the pysaml2 Service Provider. +# See pysaml2 docs for format of config. # # # The following is the configuration for the pysaml2 Service Provider. # # See pysaml2 docs for format of config. @@ -848,8 +861,8 @@ password_providers: # because it is loaded by the app. iPhone, however will send a # notification saying only that a message arrived and who it came from. # -#push: -# include_content: true +# push: +# include_content: true # spam_checker: @@ -875,8 +888,8 @@ enable_group_creation: false # UPDATE user_directory_stream_pos SET stream_id = NULL; # on your database to tell it to rebuild the user_directory search indexes. # -#user_directory: -# search_all_users: false +# user_directory: +# search_all_users: false # User Consent configuration @@ -955,12 +968,55 @@ enable_group_creation: false # on this server. # # The format of this option is a list of rules that contain globs that -# match against user_id and the new alias (fully qualified with server -# name). The action in the first rule that matches is taken, which can -# currently either be "allow" or "deny". -# -# If no rules match the request is denied. -alias_creation_rules: - - user_id: "*" - alias: "*" - action: allow +# match against user_id, room_id and the new alias (fully qualified with +# server name). The action in the first rule that matches is taken, +# which can currently either be "allow" or "deny". +# +# Missing user_id/room_id/alias fields default to "*". +# +# If no rules match the request is denied. An empty list means no one +# can create aliases. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# alias: Matches against the alias being created +# room_id: Matches against the room ID the alias is being pointed at +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +# alias_creation_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + +# The `room_list_publication_rules` option controls who can publish and +# which rooms can be published in the public room list. +# +# The format of this option is the same as that for +# `alias_creation_rules`. +# +# If the room has one or more aliases associated with it, only one of +# the aliases needs to match the alias rule. If there are no aliases +# then only rules with `alias: *` match. +# +# If no rules match the request is denied. An empty list means no one +# can publish rooms. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# room_id: Matches against the room ID being published +# alias: Matches against any current local or canonical aliases +# associated with the room +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +# room_list_publication_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow From 2f1662626e9a86f8451179c3a4a8c18c87b5ab7f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 17 Mar 2019 20:51:12 +0200 Subject: [PATCH 0442/2384] Use |to_json for matrix_synapse_push_include_content Doing this for consistency. Related to #117 (Github Pull Request). --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 57e093df..55dfe316 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -848,7 +848,7 @@ password_providers: # because it is loaded by the app. iPhone, however will send a # notification saying only that a message arrived and who it came from. push: - include_content: {{ matrix_synapse_push_include_content }} + include_content: {{ matrix_synapse_push_include_content|to_json }} # spam_checker: From c0dc56324a47fa7aeacb4858796bb2499eaa7dfa Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Mon, 18 Mar 2019 11:18:30 +0000 Subject: [PATCH 0443/2384] Add config options to turnserver.conf --- .../matrix-coturn/templates/turnserver.conf.j2 | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index a91aa5e0..2e8701fc 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -11,3 +11,20 @@ no-cli no-tls no-dtls prod +no-tcp-relay +{% if matrix_coturn_user_quota is defined %} +user-quota={{ matrix_coturn_user_quota }} +{% endif %} +{% if matrix_coturn_total_quota is defined %} +total-quota={{ matrix_coturn_total_quota }} +{% endif %} +{% if matrix_coturn_denied_peer_ips is defined %} +{% for ip_range in matrix_coturn_denied_peer_ips %} +denied-peer-ip={{ ip_range }} +{% endfor %} +{% endif %} +{% if matrix_coturn_allowed_peer_ips is defined %} +{% for ip_range in matrix_coturn_allowed_peer_ips %} +allowed-peer-ip={{ ip_range }} +{% endfor %} +{% endif %} From 9d236c5466f8ad33243e2fbde92ff4bff9cc322b Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Mon, 18 Mar 2019 11:44:40 +0000 Subject: [PATCH 0444/2384] Add defaults for ips --- roles/matrix-coturn/defaults/main.yml | 2 ++ roles/matrix-coturn/templates/turnserver.conf.j2 | 4 ---- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index df1cc20b..a97f04a6 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -17,3 +17,5 @@ matrix_coturn_turn_udp_min_port: 49152 matrix_coturn_turn_udp_max_port: 49172 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" +matrix_coturn_allowed_peer_ips: [] +matrix_coturn_denied_peer_ips: [] diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index 2e8701fc..9c4880fd 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -18,13 +18,9 @@ user-quota={{ matrix_coturn_user_quota }} {% if matrix_coturn_total_quota is defined %} total-quota={{ matrix_coturn_total_quota }} {% endif %} -{% if matrix_coturn_denied_peer_ips is defined %} {% for ip_range in matrix_coturn_denied_peer_ips %} denied-peer-ip={{ ip_range }} {% endfor %} -{% endif %} -{% if matrix_coturn_allowed_peer_ips is defined %} {% for ip_range in matrix_coturn_allowed_peer_ips %} allowed-peer-ip={{ ip_range }} {% endfor %} -{% endif %} From e367a2d0de39e6602cae4b91dff9a39695ec66c0 Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Mon, 18 Mar 2019 11:58:52 +0000 Subject: [PATCH 0445/2384] Add nulls for quotas as well --- roles/matrix-coturn/defaults/main.yml | 2 ++ roles/matrix-coturn/templates/turnserver.conf.j2 | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index a97f04a6..5b7dbbe9 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -19,3 +19,5 @@ matrix_coturn_turn_udp_max_port: 49172 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" matrix_coturn_allowed_peer_ips: [] matrix_coturn_denied_peer_ips: [] +matrix_coturn_user_quota: null +matrix_coturn_total_quota: null diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index 9c4880fd..a2689bc2 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -12,10 +12,10 @@ no-tls no-dtls prod no-tcp-relay -{% if matrix_coturn_user_quota is defined %} +{% if matrix_coturn_user_quota != None %} user-quota={{ matrix_coturn_user_quota }} {% endif %} -{% if matrix_coturn_total_quota is defined %} +{% if matrix_coturn_total_quota != None %} total-quota={{ matrix_coturn_total_quota }} {% endif %} {% for ip_range in matrix_coturn_denied_peer_ips %} From c6858d2a084e8c56e31eef58434f1768643b5f68 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 18 Mar 2019 17:04:40 +0200 Subject: [PATCH 0446/2384] Define matrix_coturn_turn_external_ip_address in the playbook group vars This is more explicit than hiding it in the role defaults. People who reuse the roles in their own playbook (and not only) may incorrectly define `ansible_host` to be a hostname or some local address. Making it more explicit is more likely to prevent such mistakes. --- group_vars/matrix-servers | 1 + roles/matrix-coturn/defaults/main.yml | 4 +++- roles/matrix-coturn/tasks/validate_config.yml | 3 ++- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index a93467ca..404fc6e3 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -90,6 +90,7 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati ###################################################################### matrix_coturn_enabled: true +matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" ###################################################################### # diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 5b7dbbe9..d43d4d1c 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -16,7 +16,9 @@ matrix_coturn_turn_static_auth_secret: "" matrix_coturn_turn_udp_min_port: 49152 matrix_coturn_turn_udp_max_port: 49172 -matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" +# The external IP address of the machine where Coturn is. +matrix_coturn_turn_external_ip_address: '' + matrix_coturn_allowed_peer_ips: [] matrix_coturn_denied_peer_ips: [] matrix_coturn_user_quota: null diff --git a/roles/matrix-coturn/tasks/validate_config.yml b/roles/matrix-coturn/tasks/validate_config.yml index c62b56d3..39019982 100644 --- a/roles/matrix-coturn/tasks/validate_config.yml +++ b/roles/matrix-coturn/tasks/validate_config.yml @@ -6,4 +6,5 @@ You need to define a required configuration setting (`{{ item }}`) for using Coturn. when: "vars[item] == ''" with_items: - - "matrix_coturn_turn_static_auth_secret" \ No newline at end of file + - "matrix_coturn_turn_external_ip_address" + - "matrix_coturn_turn_static_auth_secret" From 24cf27c60c2d8c12f1f9c340f587a53cb76784de Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 18 Mar 2019 17:36:00 +0200 Subject: [PATCH 0447/2384] Isolate Coturn from services in the default Docker network Most (all?) of our Matrix services are running in the `matrix` network, so they were safe -- not accessible from Coturn to begin with. Isolating Coturn into its own network is a security improvement for people who were starting other services in the default Docker network. Those services were potentially reachable over the private Docker network from Coturn. Discussed in #120 (Github Pull Request) --- group_vars/matrix-servers | 1 + roles/matrix-coturn/defaults/main.yml | 9 +++++++++ roles/matrix-coturn/tasks/setup_coturn.yml | 16 ++++++++++++++++ .../templates/systemd/matrix-coturn.service.j2 | 1 + 4 files changed, 27 insertions(+) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 404fc6e3..949dc246 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -90,6 +90,7 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati ###################################################################### matrix_coturn_enabled: true + matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" ###################################################################### diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index d43d4d1c..4ae29a34 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -2,6 +2,15 @@ matrix_coturn_enabled: true matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1" +# The Docker network that Coturn would be put into. +# +# Because Coturn relays traffic to unvalidated IP addresses, +# using a dedicated network, isolated from other Docker (and local) services is preferrable. +# +# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also +# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking. +matrix_coturn_docker_network: "matrix-coturn" + matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 6fd3ea72..88a35618 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -25,6 +25,22 @@ mode: 0644 when: matrix_coturn_enabled +# `docker_network` doesn't work as expected when the given network +# is a substring of a network that already exists. +# +# See our other comments in `roles/matrix-base/tasks/setup_matrix_base.yml` +- name: Check existence of Coturn network in Docker + shell: + cmd: "docker network ls -q --filter='name=^{{ matrix_coturn_docker_network }}$'" + register: matrix_coturn_result_docker_network + changed_when: false + when: matrix_coturn_enabled + +- name: Create Coturn network in Docker + shell: + cmd: "docker network create --driver=bridge {{ matrix_coturn_docker_network }}" + when: "matrix_coturn_enabled and matrix_coturn_result_docker_network.stdout == ''" + - name: Ensure matrix-coturn.service installed template: src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2" diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 980ca984..59f18e53 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -15,6 +15,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ --cap-drop=ALL \ --read-only \ --tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \ + --network={{ matrix_coturn_docker_network }} \ -p 3478:3478 \ -p 3478:3478/udp \ -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ From d18fe3610f94a61513c0c51e628167d4107541f8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 18 Mar 2019 20:45:17 +0200 Subject: [PATCH 0448/2384] Fix syntax problems in example Apache configuration Related to #121 (Github Issue) --- examples/apache/matrix-riot-web.conf | 4 ++-- examples/apache/matrix-synapse.conf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/apache/matrix-riot-web.conf b/examples/apache/matrix-riot-web.conf index 6fadd5a8..1774fc4a 100644 --- a/examples/apache/matrix-riot-web.conf +++ b/examples/apache/matrix-riot-web.conf @@ -4,12 +4,12 @@ ServerName riot.DOMAIN + ProxyVia On + # Map /.well-known/acme-challenge to the certbot server # If you manage SSL certificates by yourself, this will differ. ProxyPreserveHost On - ProxyRequests Off - ProxyVia On ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf index eae8dde4..fb6cb5bb 100644 --- a/examples/apache/matrix-synapse.conf +++ b/examples/apache/matrix-synapse.conf @@ -3,12 +3,12 @@ ServerName matrix.DOMAIN + ProxyVia On + # Map /.well-known/acme-challenge to the certbot server # If you manage SSL certificates by yourself, this will differ. ProxyPreserveHost On - ProxyRequests Off - ProxyVia On ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge From 8660cd421e80b268632f02db2faa19a02d0c9749 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 18 Mar 2019 21:17:37 +0200 Subject: [PATCH 0449/2384] Add example Apache configuration for Dimension Discussed in #121 (Github Issue). --- examples/apache/matrix-dimension.conf | 41 +++++++++++++++++++++++++++ examples/apache/matrix-riot-web.conf | 2 +- examples/apache/matrix-synapse.conf | 2 +- 3 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 examples/apache/matrix-dimension.conf diff --git a/examples/apache/matrix-dimension.conf b/examples/apache/matrix-dimension.conf new file mode 100644 index 00000000..9078cd87 --- /dev/null +++ b/examples/apache/matrix-dimension.conf @@ -0,0 +1,41 @@ +# This is a sample file demonstrating how to set up reverse-proxy for dimension.DOMAIN. +# If you're not using Dimension (`matrix_dimension_enabled: false`, which is also the default), you won't need this. + + + ServerName dimension.DOMAIN + + ProxyVia On + + # Map /.well-known/acme-challenge to the certbot server + # If you manage SSL certificates by yourself, this will differ. + + ProxyPreserveHost On + ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge + + + Redirect permanent / https://dimension.DOMAIN/ + + + + ServerName dimension.DOMAIN + + SSLEngine On + + # If you manage SSL certificates by yourself, these paths will differ. + SSLCertificateFile /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem + SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem + + SSLProxyEngine on + SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 + SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH + + ProxyPreserveHost On + ProxyRequests Off + ProxyVia On + + ProxyPass / http://127.0.0.1:8184/ + ProxyPassReverse / http://127.0.0.1:8184/ + + ErrorLog ${APACHE_LOG_DIR}/dimension.DOMAIN-error.log + CustomLog ${APACHE_LOG_DIR}/dimension.DOMAIN-access.log combined + diff --git a/examples/apache/matrix-riot-web.conf b/examples/apache/matrix-riot-web.conf index 1774fc4a..85769785 100644 --- a/examples/apache/matrix-riot-web.conf +++ b/examples/apache/matrix-riot-web.conf @@ -1,4 +1,4 @@ -# This is a sample file demonstrating how to set up reverse-proxy for the riot.DOMAIN. +# This is a sample file demonstrating how to set up reverse-proxy for riot.DOMAIN. # If you're not using Riot (`matrix_riot_web_enabled: false`), you won't need this. diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf index fb6cb5bb..4f32c2ed 100644 --- a/examples/apache/matrix-synapse.conf +++ b/examples/apache/matrix-synapse.conf @@ -1,4 +1,4 @@ -# This is a sample file demonstrating how to set up reverse-proxy for the matrix.DOMAIN +# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN ServerName matrix.DOMAIN From a50ea0f0a91dad2f2c03393794732e1ee77dfbb2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 Mar 2019 08:00:48 +0200 Subject: [PATCH 0450/2384] Update riot-web (1.0.3 -> 1.0.4) --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index bec25468..1d080333 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,6 +1,6 @@ matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "bubuntux/riot-web:v1.0.3" +matrix_riot_web_docker_image: "bubuntux/riot-web:v1.0.4" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 018aeed5e9777deee33aa1bd5394572235b46bdd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 Mar 2019 09:16:30 +0200 Subject: [PATCH 0451/2384] Add support for mounting additional volumes to matrix-coturn --- roles/matrix-coturn/defaults/main.yml | 6 ++++++ .../templates/systemd/matrix-coturn.service.j2 | 3 +++ 2 files changed, 9 insertions(+) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 4ae29a34..7edd559b 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -17,6 +17,12 @@ matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" # List of systemd services that matrix-coturn.service depends on matrix_coturn_systemd_required_services_list: ['docker.service'] +# A list of additional "volumes" to mount in the container. +# This list gets populated dynamically at runtime. You can provide a different default value, +# if you wish to mount your own files into the container. +# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} +matrix_coturn_container_additional_volumes: [] + # A shared secret (between Synapse and Coturn) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_coturn_turn_static_auth_secret: "" diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 59f18e53..5cf569c2 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -20,6 +20,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ -p 3478:3478/udp \ -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ -v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \ + {% for volume in matrix_coturn_container_additional_volumes %} + -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + {% endfor %} {{ matrix_coturn_docker_image }} \ -c /turnserver.conf ExecStop=-/usr/bin/docker kill matrix-coturn From 59e37105e8a79df6c35f543c3d0922297d129d38 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 Mar 2019 10:24:39 +0200 Subject: [PATCH 0452/2384] Add TLS support to Coturn --- CHANGELOG.md | 23 +++++++++++++++ docs/prerequisites.md | 2 +- group_vars/matrix-servers | 16 ++++++++-- roles/matrix-coturn/defaults/main.yml | 7 +++++ roles/matrix-coturn/tasks/setup_coturn.yml | 29 +++++++++++++++++-- .../systemd/matrix-coturn.service.j2 | 10 +++++++ .../templates/turnserver.conf.j2 | 12 ++++++++ setup.yml | 2 +- 8 files changed, 95 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 31d25995..3112657b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,26 @@ +# 2019-03-19 + +## TLS support for Coturn + +We've added TLS support to the Coturn TURN server installed by the playbook by default. +The certificates from the Matrix domain will be used for the Coturn server. + +This feature is enabled by default for new installations. +To make use of TLS support for your existing Matrix server's Coturn, make sure to rebuild both Coturn and Synapse: + +```bash +ansible-playbook -i inventory/hosts setup.yml --tags=setup-coturn,setup-synapse,start +``` + +People who have an extra firewall (besides the iptables firewall, which Docker manages automatically), will need to open these additional firewall ports: `5349/tcp` (TURN over TCP) and `5349/udp` (TURN over UDP). + +People who build their own custom playbook from our roles should be aware that: + +- the `matrix-coturn` role and actually starting Coturn (e.g. `--tags=start`), requires that certificates are already put in place. For this reason, it's usually a good idea to have the `matrix-coturn` role execute after `matrix-nginx-proxy` (which retrieves the certificates). + +- there are a few variables that can help you enable TLS support for Coturn. See the `matrix-coturn` section in [group_vars/matrix-servers](./group_vars/matrix-servers). + + # 2019-03-12 ## matrix-nginx-proxy support for serving the base domain diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 23cb19b3..66c7c2b2 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -12,6 +12,6 @@ - properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)) -- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (STUN over TCP), `3478/udp` (STUN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP). +- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP). When ready to proceed, continue with [Configuring DNS](configuring-dns.md). diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 949dc246..45d25178 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -93,6 +93,14 @@ matrix_coturn_enabled: true matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" +matrix_coturn_tls_enabled: true +matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem" +matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem" +matrix_coturn_container_additional_volumes: + - src: "{{ matrix_ssl_config_dir_path }}" + dst: "{{ matrix_ssl_config_dir_path }}" + options: ro + ###################################################################### # # /matrix-coturn @@ -351,11 +359,15 @@ matrix_synapse_email_smtp_require_transport_security: false matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>" matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}" +# Even if TURN doesn't support TLS (it does by default), +# it doesn't hurt to try a secure connection anyway. matrix_synapse_turn_uris: | {{ [ - 'turn:' + matrix_server_fqn_matrix + ':3478?transport=udp', - 'turn:' + matrix_server_fqn_matrix + ':3478?transport=tcp', + 'turns:' + matrix_server_fqn_matrix + '?transport=udp', + 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', + 'turn:' + matrix_server_fqn_matrix + '?transport=udp', + 'turn:' + matrix_server_fqn_matrix + '?transport=tcp', ] if matrix_coturn_enabled else [] diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 7edd559b..b70c4058 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -38,3 +38,10 @@ matrix_coturn_allowed_peer_ips: [] matrix_coturn_denied_peer_ips: [] matrix_coturn_user_quota: null matrix_coturn_total_quota: null + +# To enable TLS, you need to provide paths to certificates. +# Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths. +# Files on the host can be mounted into the container using `matrix_coturn_container_additional_volumes`. +matrix_coturn_tls_enabled: false +matrix_coturn_tls_cert_path: ~ +matrix_coturn_tls_key_path: ~ diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 88a35618..619ed378 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -61,15 +61,40 @@ immediate: yes permanent: yes with_items: - - '3478/tcp' # STUN - - '3478/udp' # STUN + - '3478/tcp' + - '3478/udp' + - '5349/tcp' + - '5349/udp' - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN when: "matrix_coturn_enabled and ansible_os_family == 'RedHat'" +# This may be unnecessary when more long-lived certificates are used. +# We optimize for the common use-case though (short-lived Let's Encrypt certificates). +# Reloading doesn't hurt anyway, so there's no need to make this more flexible. +- name: Ensure periodic reloading of matrix-coturn is configured for SSL renewal (matrix-coturn-reload) + cron: + user: root + cron_file: matrix-coturn-ssl-reload + name: matrix-coturn-ssl-reload + state: present + hour: 4 + minute: 20 + day: "*/5" + job: /bin/systemctl reload matrix-coturn.service + when: matrix_coturn_enabled and matrix_coturn_tls_enabled + + # # Tasks related to getting rid of Coturn (if it was previously enabled) # +- name: Ensure matrix-coturn-ssl-reload cronjob removed + cron: + user: root + cron_file: matrix-coturn-ssl-reload + state: absent + when: "not matrix_coturn_enabled or not matrix_coturn_tls_enabled" + - name: Check existence of matrix-coturn service stat: path: "/etc/systemd/system/matrix-coturn.service" diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 5cf569c2..b2d909f2 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -9,15 +9,19 @@ After={{ service }} Type=simple ExecStartPre=-/usr/bin/docker kill matrix-coturn ExecStartPre=-/usr/bin/docker rm matrix-coturn + ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --entrypoint=turnserver \ --read-only \ --tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \ --network={{ matrix_coturn_docker_network }} \ -p 3478:3478 \ -p 3478:3478/udp \ + -p 5349:5349 \ + -p 5349:5349/udp \ -p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ -v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \ {% for volume in matrix_coturn_container_additional_volumes %} @@ -25,8 +29,14 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ {% endfor %} {{ matrix_coturn_docker_image }} \ -c /turnserver.conf + ExecStop=-/usr/bin/docker kill matrix-coturn ExecStop=-/usr/bin/docker rm matrix-coturn + +# This only reloads certificates (not other configuration). +# See: https://github.com/coturn/coturn/pull/236 +ExecReload=/usr/bin/docker exec matrix-coturn kill -USR2 1 + Restart=always RestartSec=30 diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index a2689bc2..2bf7649c 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -1,23 +1,35 @@ use-auth-secret static-auth-secret={{ matrix_coturn_turn_static_auth_secret }} realm=turn.{{ matrix_server_fqn_matrix }} + min-port={{ matrix_coturn_turn_udp_min_port }} max-port={{ matrix_coturn_turn_udp_max_port }} external-ip={{ matrix_coturn_turn_external_ip_address }} + log-file=stdout pidfile=/var/tmp/turnserver.pid userdb=/var/tmp/turnserver.db + no-cli + +{% if matrix_coturn_tls_enabled %} +cert={{ matrix_coturn_tls_cert_path }} +pkey={{ matrix_coturn_tls_key_path }} +{% else %} no-tls no-dtls +{% endif %} + prod no-tcp-relay + {% if matrix_coturn_user_quota != None %} user-quota={{ matrix_coturn_user_quota }} {% endif %} {% if matrix_coturn_total_quota != None %} total-quota={{ matrix_coturn_total_quota }} {% endif %} + {% for ip_range in matrix_coturn_denied_peer_ips %} denied-peer-ip={{ ip_range }} {% endfor %} diff --git a/setup.yml b/setup.yml index 3db1e5ca..e2978f59 100755 --- a/setup.yml +++ b/setup.yml @@ -6,7 +6,6 @@ roles: - matrix-base - matrix-mailer - - matrix-coturn - matrix-postgres - matrix-corporal - matrix-synapse @@ -14,4 +13,5 @@ - matrix-mxisd - matrix-dimension - matrix-nginx-proxy + - matrix-coturn - matrix-common-after From 1939fc9113cee4cdb189614d315e619be10ece17 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 Mar 2019 18:23:54 +0200 Subject: [PATCH 0453/2384] Improve documentation a bit --- docs/configuring-playbook-base-domain-serving.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-base-domain-serving.md b/docs/configuring-playbook-base-domain-serving.md index b937a4ba..5105731d 100644 --- a/docs/configuring-playbook-base-domain-serving.md +++ b/docs/configuring-playbook-base-domain-serving.md @@ -10,9 +10,9 @@ Usually, there are 2 options: - either get a separate server for the base domain, just for serving the files necessary for [Server Delegation via a well-known file](howto-server-delegation.md#server-delegation-via-a-well-known-file) -- or, arrange for the Matrix server to serve the base domain. This involves [using your own webserver](configuring-playbook-own-webserver.md) or making the integrated webserver somehow serve your base domain (possible, but complicated). +- or, arrange for the Matrix server to serve the base domain. This either involves you [using your own webserver](configuring-playbook-own-webserver.md) or making the integrated webserver (`matrix-nginx-proxy`) serve the base domain for you. -To solve this problem, we've created an easy way to let you serve the base domain from the Matrix server via the integrated webserver (`matrix-nginx-proxy`). +We let you do the latter. With some easy changes, we make it possible to serve the base domain from the Matrix server via the integrated webserver (`matrix-nginx-proxy`). Just **adjust your DNS records**, so that your base domain is pointed to the Matrix server's IP address **and use the following configuration**: From 73af8f7bbb5c22a29be59baf8bedf06b76f70fce Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Mar 2019 09:39:17 +0200 Subject: [PATCH 0454/2384] Make self-check not validate self-signed certificates By default, `--tags=self-check` no longer validates certificates when `matrix_ssl_retrieval_method` is set to `self-signed`. Besides this default, people can also enable/disable validation using the individual role variables manually. Fixes #124 (Github Issue) --- group_vars/matrix-servers | 8 ++++++++ roles/matrix-mxisd/defaults/main.yml | 3 +++ roles/matrix-mxisd/tasks/self_check_mxisd.yml | 1 + roles/matrix-nginx-proxy/defaults/main.yml | 3 +++ roles/matrix-nginx-proxy/tasks/self_check_well_known.yml | 2 ++ .../tasks/self_check_well_known_file.yml | 2 ++ roles/matrix-riot-web/defaults/main.yml | 3 +++ roles/matrix-riot-web/tasks/self_check_riot_web.yml | 1 + roles/matrix-synapse/defaults/main.yml | 6 ++++-- roles/matrix-synapse/tasks/self_check_client_api.yml | 1 + roles/matrix-synapse/tasks/self_check_federation_api.yml | 2 +- 11 files changed, 29 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 45d25178..7ded5ff4 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -181,6 +181,8 @@ matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" matrix_mxisd_threepid_medium_email_connectors_smtp_port: 8025 matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0 +matrix_mxisd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" + matrix_mxisd_systemd_wanted_services_list: | {{ (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) @@ -238,6 +240,8 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" +matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" + matrix_nginx_proxy_systemd_wanted_services_list: | {{ (['matrix-synapse.service']) @@ -313,6 +317,8 @@ matrix_riot_web_integrations_rest_url: "{{ matrix_dimension_integrations_rest_ur matrix_riot_web_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}" matrix_riot_web_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}" +matrix_riot_web_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" + ###################################################################### # # /matrix-riot-web @@ -375,6 +381,8 @@ matrix_synapse_turn_uris: | matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" +matrix_synapse_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" + matrix_synapse_systemd_required_services_list: | {{ (['docker.service']) diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index b28c20f6..cb83674c 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -55,6 +55,9 @@ matrix_mxisd_threepid_medium_email_custom_session_validation_template: "" matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template: "" matrix_mxisd_threepid_medium_email_custom_matrixid_template: "" +# Controls whether the self-check feature should validate SSL certificates. +matrix_mxisd_self_check_validate_certificates: true + # Default mxisd configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-mxisd/tasks/self_check_mxisd.yml b/roles/matrix-mxisd/tasks/self_check_mxisd.yml index 1ca9a39b..26dccb76 100644 --- a/roles/matrix-mxisd/tasks/self_check_mxisd.yml +++ b/roles/matrix-mxisd/tasks/self_check_mxisd.yml @@ -7,6 +7,7 @@ uri: url: "{{ mxisd_url_endpoint_public }}" follow_redirects: false + validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}" register: result_mxisd ignore_errors: true diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8117cb89..a7ed92d4 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -104,6 +104,9 @@ matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # Specifies which SSL protocols to use when serving Riot and Synapse matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" +# Controls whether the self-check feature should validate SSL certificates. +matrix_nginx_proxy_self_check_validate_certificates: true + # By default, this playbook automatically retrieves and auto-renews # free SSL certificates from Let's Encrypt. # diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml index 2ea110bf..5f2138a4 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml @@ -7,6 +7,7 @@ purpose: Client Discovery cors: true follow_redirects: false + validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - block: - set_fact: @@ -15,6 +16,7 @@ purpose: Server Discovery cors: false follow_redirects: true + validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - name: Determine domains that we require certificates for (mxisd) set_fact: diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml index 6467cedb..91dbcdc8 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml @@ -11,6 +11,7 @@ url: "{{ well_known_url_matrix }}" follow_redirects: false return_content: true + validate_certs: "{{ well_known_file_check.validate_certs }}" register: result_well_known_matrix ignore_errors: true @@ -37,6 +38,7 @@ url: "{{ well_known_url_identity }}" follow_redirects: "{{ well_known_file_check.follow_redirects }}" return_content: true + validate_certs: "{{ well_known_file_check.validate_certs }}" register: result_well_known_identity ignore_errors: true diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 1d080333..77534983 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -25,3 +25,6 @@ matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" # By default, there's no Riot homepage (when logged in). If you wish to have one, # point this to a `home.html` template file on your local filesystem. matrix_riot_web_embedded_pages_home_path: ~ + +# Controls whether the self-check feature should validate SSL certificates. +matrix_riot_web_self_check_validate_certificates: true diff --git a/roles/matrix-riot-web/tasks/self_check_riot_web.yml b/roles/matrix-riot-web/tasks/self_check_riot_web.yml index 1e10566f..f16e210b 100644 --- a/roles/matrix-riot-web/tasks/self_check_riot_web.yml +++ b/roles/matrix-riot-web/tasks/self_check_riot_web.yml @@ -7,6 +7,7 @@ uri: url: "{{ riot_web_url_endpoint_public }}" follow_redirects: false + validate_certs: "{{ matrix_riot_web_self_check_validate_certificates }}" register: result_riot_web ignore_errors: true diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 7cbdc669..5e74d760 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -202,6 +202,8 @@ matrix_s3_media_store_aws_access_key: "your-aws-access-key" matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" matrix_s3_media_store_region: "eu-central-1" +# Controls whether the self-check feature should validate SSL certificates. +matrix_synapse_self_check_validate_certificates: true # Matrix mautrix is a Matrix <-> Telegram bridge # Enable telegram bridge @@ -673,7 +675,7 @@ matrix_appservice_discord_configuration_yaml: | database: filename: "/data/discord.db" userStorePath: "/data/user-store.db" - roomStorePath: "/data/room-store.db" + roomStorePath: "/data/room-store.db" matrix_appservice_discord_configuration_extension_yaml: | # This is a sample of the config file showing all avaliable options. @@ -765,7 +767,7 @@ matrix_appservice_discord_configuration_extension_yaml: | # # (Copies of a sent message may arrive from discord before we've # # fininished handling it, causing us to echo it back to the room) # discordSendDelay: 750 - + matrix_appservice_discord_configuration_extension: "{{ matrix_appservice_irc_configuration_extension_yaml|from_yaml if matrix_appservice_irc_configuration_extension_yaml|from_yaml else {} }}" matrix_appservice_discord_configuration: "{{ matrix_appservice_discord_configuration_yaml|from_yaml|combine(matrix_appservice_discord_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-synapse/tasks/self_check_client_api.yml b/roles/matrix-synapse/tasks/self_check_client_api.yml index 654f6a1a..888ff210 100644 --- a/roles/matrix-synapse/tasks/self_check_client_api.yml +++ b/roles/matrix-synapse/tasks/self_check_client_api.yml @@ -4,6 +4,7 @@ uri: url: "{{ matrix_synapse_client_api_url_endpoint_public }}" follow_redirects: false + validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" register: result_matrix_synapse_client_api ignore_errors: true diff --git a/roles/matrix-synapse/tasks/self_check_federation_api.yml b/roles/matrix-synapse/tasks/self_check_federation_api.yml index e13387e0..db3070f7 100644 --- a/roles/matrix-synapse/tasks/self_check_federation_api.yml +++ b/roles/matrix-synapse/tasks/self_check_federation_api.yml @@ -4,7 +4,7 @@ uri: url: "{{ matrix_synapse_federation_api_url_endpoint_public }}" follow_redirects: false - validate_certs: false + validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" register: result_matrix_synapse_federation_api ignore_errors: true From cbd629e7eafb0d475ecd16a261a8380addf3affa Mon Sep 17 00:00:00 2001 From: Borjan Tchakaloff Date: Fri, 22 Mar 2019 17:44:24 +0100 Subject: [PATCH 0455/2384] Specify that cron is likely required on the server When using Let's Encrypt SSL certificates, a cronjob is set up to automatically renew them. Though it does require a `cron`-compatible program on the server. This fixes the error that is caused by the `/etc/cron.d` directory not existing and the `ansible-cron` module trying to write out a file there -- without checking if the directory exists first. --- docs/prerequisites.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 66c7c2b2..ad82470c 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -4,6 +4,8 @@ - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). +- a `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates. *This can be ignored if you use your own SSL certificates.* + - the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible. - either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature. From d9c6884b6a36064ab1189442812d5379b0cfe428 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Mar 2019 18:50:41 +0200 Subject: [PATCH 0456/2384] Update mautrix-telegram (0.4.0 -> 0.5.1) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 5e74d760..94f6867a 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -209,7 +209,7 @@ matrix_synapse_self_check_validate_certificates: true # Enable telegram bridge matrix_mautrix_telegram_enabled: false -matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.4.0" +matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.5.1" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" From 60b0ba379b26753e9c5480d104112a8223f05618 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Mar 2019 20:36:23 +0200 Subject: [PATCH 0457/2384] Update riot-web (1.0.4 -> 1.0.5) --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 77534983..754c9e53 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,6 +1,6 @@ matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "bubuntux/riot-web:v1.0.4" +matrix_riot_web_docker_image: "bubuntux/riot-web:v1.0.5" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From c6f1f7aa23de474fbea7209b327e0584581176d8 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Mon, 1 Apr 2019 11:26:46 -0500 Subject: [PATCH 0458/2384] Update Synapse (0.99.2 -> 0.99.3) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 94f6867a..0748027b 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.2-py3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.3-py3" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" From 95e4234dca1ea7834f03c263f4a635758994c368 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 1 Apr 2019 19:54:45 +0300 Subject: [PATCH 0459/2384] Update nginx (1.15.9 -> 1.15.10) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a7ed92d4..687be900 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # those as more frequently out of date. -matrix_nginx_proxy_docker_image: "nginx:1.15.9-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.15.10-alpine" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data" From 77359ae867e1ebb6078c9f6e82fdc7c8851a71cd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 1 Apr 2019 21:22:05 +0300 Subject: [PATCH 0460/2384] Synchronize Synapse config with the sample from 0.99.3 --- .../templates/synapse/homeserver.yaml.j2 | 608 +++++++++++------- 1 file changed, 372 insertions(+), 236 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 4bb2f647..a9c398bd 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1,13 +1,16 @@ # vim:ft=yaml + ## Server ## # The domain name of the server, with optional explicit port. # This is used by remote servers to connect to this server, # e.g. matrix.org, localhost:8080, etc. # This is also the last part of your UserID. +# server_name: "{{ matrix_domain }}" # When running as a daemon, the file to store the pid in +# pid_file: /homeserver.pid # CPU affinity mask. Setting this restricts the CPUs on which the @@ -31,40 +34,51 @@ pid_file: /homeserver.pid # # This setting requires the affinity package to be installed! # -# cpu_affinity: 0xFFFFFFFF +#cpu_affinity: 0xFFFFFFFF + +# The path to the web client which will be served at /_matrix/client/ +# if 'webclient' is configured under the 'listeners' configuration. +# +#web_client_location: "/path/to/web/root" # The public-facing base URL that clients use to access this HS # (not including _matrix/...). This is the same URL a user would # enter into the 'custom HS URL' field on their client. If you # use synapse with a reverse proxy, this should be the URL to reach # synapse via the proxy. +# public_baseurl: https://{{ matrix_server_fqn_matrix }}/ # Set the soft limit on the number of file descriptors synapse can use # Zero is used to indicate synapse should set the soft limit to the # hard limit. -soft_file_limit: 0 +# +#soft_file_limit: 0 # Set to false to disable presence tracking on this homeserver. +# use_presence: {{ matrix_synapse_use_presence|to_json }} # The GC threshold parameters to pass to `gc.set_threshold`, if defined -# gc_thresholds: [700, 10, 10] +# +#gc_thresholds: [700, 10, 10] # Set the limit on the returned events in the timeline in the get # and sync operations. The default value is -1, means no upper limit. -# filter_timeline_limit: 5000 +# +#filter_timeline_limit: 5000 # Whether room invites to users on this server should be blocked # (except those sent by local server admins). The default is False. -# block_non_admin_invites: True +# +#block_non_admin_invites: True # Room searching # # If disabled, new messages will not be indexed for searching and users # will receive errors when searching for messages. Defaults to enabled. # -# enable_search: false +#enable_search: false # Restrict federation to the following whitelist of domains. # N.B. we recommend also firewalling your federation listener to limit @@ -72,7 +86,7 @@ use_presence: {{ matrix_synapse_use_presence|to_json }} # purely on this application-layer restriction. If not specified, the # default is to whitelist everything. # -# federation_domain_whitelist: +#federation_domain_whitelist: # - lon.example.com # - nyc.example.com # - syd.example.com @@ -139,6 +153,8 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js # static: static resources under synapse/static (/_matrix/static). (Mostly # useful for 'fallback authentication'.) # +# webclient: A web client. Requires web_client_location to be set. +# listeners: {% if matrix_synapse_metrics_enabled %} - type: metrics @@ -196,29 +212,33 @@ listeners: ## Homeserver blocking ## # How to reach the server admin, used in ResourceLimitError -# admin_contact: 'mailto:admin@server.com' +# +#admin_contact: 'mailto:admin@server.com' # Global blocking -# hs_disabled: False -# hs_disabled_message: 'Human readable reason for why the HS is blocked' -# hs_disabled_limit_type: 'error code(str), to help clients decode reason' +# +#hs_disabled: False +#hs_disabled_message: 'Human readable reason for why the HS is blocked' +#hs_disabled_limit_type: 'error code(str), to help clients decode reason' # Monthly Active User Blocking -# limit_usage_by_mau: False -# max_mau_value: 50 -# mau_trial_days: 2 +# +#limit_usage_by_mau: False +#max_mau_value: 50 +#mau_trial_days: 2 # If enabled, the metrics for the number of monthly active users will # be populated, however no one will be limited. If limit_usage_by_mau # is true, this is implied to be true. -# mau_stats_only: False +# +#mau_stats_only: False # Sometimes the server admin will want to ensure certain accounts are # never blocked by mau checking. These accounts are specified here. # -# mau_limit_reserved_threepids: -# - medium: 'email' -# address: 'reserved_user@example.com' +#mau_limit_reserved_threepids: +# - medium: 'email' +# address: 'reserved_user@example.com' ## TLS ## @@ -230,9 +250,15 @@ listeners: # See 'ACME support' below to enable auto-provisioning this certificate via # Let's Encrypt. # +# If supplying your own, be sure to use a `.pem` file that includes the +# full certificate chain including any intermediate certificates (for +# instance, if using certbot, use `fullchain.pem` as your certificate, +# not `cert.pem`). +# tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} # PEM-encoded private key for TLS +# tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} # ACME support: This will configure Synapse to request a valid TLS certificate @@ -260,28 +286,42 @@ acme: # ACME support is disabled by default. Uncomment the following line # (and tls_certificate_path and tls_private_key_path above) to enable it. # - # enabled: true + #enabled: true # Endpoint to use to request certificates. If you only want to test, # use Let's Encrypt's staging url: # https://acme-staging.api.letsencrypt.org/directory # - # url: https://acme-v01.api.letsencrypt.org/directory + #url: https://acme-v01.api.letsencrypt.org/directory # Port number to listen on for the HTTP-01 challenge. Change this if # you are forwarding connections through Apache/Nginx/etc. # - # port: 80 + #port: 80 # Local addresses to listen on for incoming connections. # Again, you may want to change this if you are forwarding connections # through Apache/Nginx/etc. # - # bind_addresses: ['::', '0.0.0.0'] + #bind_addresses: ['::', '0.0.0.0'] # How many days remaining on a certificate before it is renewed. # - # reprovision_threshold: 30 + #reprovision_threshold: 30 + + # The domain that the certificate should be for. Normally this + # should be the same as your Matrix domain (i.e., 'server_name'), but, + # by putting a file at 'https:///.well-known/matrix/server', + # you can delegate incoming traffic to another server. If you do that, + # you should give the target of the delegation here. + # + # For example: if your 'server_name' is 'example.com', but + # 'https://example.com/.well-known/matrix/server' delegates to + # 'matrix.example.com', you should put 'matrix.example.com' here. + # + # If not set, defaults to your 'server_name'. + # + #domain: matrix.example.com # List of allowed TLS fingerprints for this server to publish along # with the signing keys for this server. Other matrix servers that @@ -308,8 +348,7 @@ acme: # openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' # or by checking matrix.org/federationtester/api/report?server_name=$host # -tls_fingerprints: [] -# tls_fingerprints: [{"sha256": ""}] +#tls_fingerprints: [{"sha256": ""}] @@ -327,108 +366,158 @@ database: cp_max: 10 # Number of events to cache in memory. +# event_cache_size: "{{ matrix_synapse_event_cache_size }}" ## Logging ## # A yaml python logging config file +# log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" ## Ratelimiting ## # Number of messages a client can send per second +# rc_messages_per_second: {{ matrix_synapse_rc_messages_per_second }} # Number of message a client can send before being throttled +# rc_message_burst_count: {{ matrix_synapse_rc_message_burst_count }} +# Ratelimiting settings for registration and login. +# +# Each ratelimiting configuration is made of two parameters: +# - per_second: number of requests a client can send per second. +# - burst_count: number of requests a client can send before being throttled. +# +# Synapse currently uses the following configurations: +# - one for registration that ratelimits registration requests based on the +# client's IP address. +# - one for login that ratelimits login requests based on the client's IP +# address. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into, based on the amount of failed login +# attempts for this account. +# +# The defaults are as shown below. +# +#rc_registration: +# per_second: 0.17 +# burst_count: 3 +# +#rc_login: +# address: +# per_second: 0.17 +# burst_count: 3 +# account: +# per_second: 0.17 +# burst_count: 3 +# failed_attempts: +# per_second: 0.17 +# burst_count: 3 + # The federation window size in milliseconds -federation_rc_window_size: 1000 +# +#federation_rc_window_size: 1000 # The number of federation requests from a single server in a window # before the server will delay processing the request. -federation_rc_sleep_limit: 10 +# +#federation_rc_sleep_limit: 10 # The duration in milliseconds to delay processing events from # remote servers by if they go over the sleep limit. -federation_rc_sleep_delay: 500 +# +#federation_rc_sleep_delay: 500 # The maximum number of concurrent federation requests allowed # from a single server -federation_rc_reject_limit: 50 +# +#federation_rc_reject_limit: 50 # The number of federation requests to concurrently process from a # single server -federation_rc_concurrent: 3 - -# Number of registration requests a client can send per second. -# Defaults to 1/minute (0.17). -# rc_registration_requests_per_second: 0.17 +# +#federation_rc_concurrent: 3 -# Number of registration requests a client can send before being -# throttled. -# Defaults to 3. -# rc_registration_request_burst_count: 3.0 +# Target outgoing federation transaction frequency for sending read-receipts, +# per-room. +# +# If we end up trying to send out more read-receipts, they will get buffered up +# into fewer transactions. +# +#federation_rr_transactions_per_room_per_second: 50 # Directory where uploaded images and attachments are stored. +# media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }}" # Media storage providers allow media to be stored in different # locations. -# media_storage_providers: -# - module: file_system -# # Whether to write new local files. -# store_local: false -# # Whether to write new remote media -# store_remote: false -# # Whether to block upload requests waiting for write to this -# # provider to complete -# store_synchronous: false -# config: -# directory: /mnt/some/other/directory +# +#media_storage_providers: +# - module: file_system +# # Whether to write new local files. +# store_local: false +# # Whether to write new remote media +# store_remote: false +# # Whether to block upload requests waiting for write to this +# # provider to complete +# store_synchronous: false +# config: +# directory: /mnt/some/other/directory # Directory where in-progress uploads are stored. +# uploads_path: "/matrix-run/uploads" # The largest allowed upload size in bytes +# max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" # Maximum number of pixels that will be thumbnailed -max_image_pixels: "32M" +# +#max_image_pixels: 32M # Whether to generate new thumbnails on the fly to precisely match # the resolution requested by the client. If true then whenever # a new resolution is requested by the client the server will # generate a new thumbnail. If false the server will pick a thumbnail # from a precalculated list. -dynamic_thumbnails: false +# +#dynamic_thumbnails: false # List of thumbnails to precalculate when an image is uploaded. -thumbnail_sizes: -- width: 32 - height: 32 - method: crop -- width: 96 - height: 96 - method: crop -- width: 320 - height: 240 - method: scale -- width: 640 - height: 480 - method: scale -- width: 800 - height: 600 - method: scale +# +#thumbnail_sizes: +# - width: 32 +# height: 32 +# method: crop +# - width: 96 +# height: 96 +# method: crop +# - width: 320 +# height: 240 +# method: scale +# - width: 640 +# height: 480 +# method: scale +# - width: 800 +# height: 600 +# method: scale # Is the preview URL API enabled? If enabled, you *must* specify # an explicit url_preview_ip_range_blacklist of IPs that the spider is # denied from accessing. -url_preview_enabled: True +# +#url_preview_enabled: false # List of IP address CIDR ranges that the URL preview spider is denied # from accessing. There are no defaults: you must explicitly @@ -438,16 +527,16 @@ url_preview_enabled: True # synapse to issue arbitrary GET requests to your internal services, # causing serious security issues. # -url_preview_ip_range_blacklist: -- '127.0.0.0/8' -- '10.0.0.0/8' -- '172.16.0.0/12' -- '192.168.0.0/16' -- '100.64.0.0/10' -- '169.254.0.0/16' -- '::1/128' -- 'fe80::/64' -- 'fc00::/7' +#url_preview_ip_range_blacklist: +# - '127.0.0.0/8' +# - '10.0.0.0/8' +# - '172.16.0.0/12' +# - '192.168.0.0/16' +# - '100.64.0.0/10' +# - '169.254.0.0/16' +# - '::1/128' +# - 'fe80::/64' +# - 'fc00::/7' # # List of IP address CIDR ranges that the URL preview spider is allowed # to access even if they are specified in url_preview_ip_range_blacklist. @@ -455,8 +544,8 @@ url_preview_ip_range_blacklist: # target IP ranges - e.g. for enabling URL previews for a specific private # website only visible in your network. # -# url_preview_ip_range_whitelist: -# - '192.168.1.1' +#url_preview_ip_range_whitelist: +# - '192.168.1.1' # Optional list of URL matches that the URL preview spider is # denied from accessing. You should use url_preview_ip_range_blacklist @@ -474,105 +563,118 @@ url_preview_ip_range_blacklist: # specified component matches for a given list item succeed, the URL is # blacklisted. # -# url_preview_url_blacklist: -# # blacklist any URL with a username in its URI -# - username: '*' +#url_preview_url_blacklist: +# # blacklist any URL with a username in its URI +# - username: '*' # -# # blacklist all *.google.com URLs -# - netloc: 'google.com' -# - netloc: '*.google.com' +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' # -# # blacklist all plain HTTP URLs -# - scheme: 'http' +# # blacklist all plain HTTP URLs +# - scheme: 'http' # -# # blacklist http(s)://www.acme.com/foo -# - netloc: 'www.acme.com' -# path: '/foo' +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' # -# # blacklist any URL with a literal IPv4 address -# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' # The largest allowed URL preview spidering size in bytes -max_spider_size: "10M" - +# +#max_spider_size: 10M ## Captcha ## # See docs/CAPTCHA_SETUP for full details of configuring this. # This Home Server's ReCAPTCHA public key. -recaptcha_public_key: "YOUR_PUBLIC_KEY" +# +#recaptcha_public_key: "YOUR_PUBLIC_KEY" # This Home Server's ReCAPTCHA private key. -recaptcha_private_key: "YOUR_PRIVATE_KEY" +# +#recaptcha_private_key: "YOUR_PRIVATE_KEY" # Enables ReCaptcha checks when registering, preventing signup # unless a captcha is answered. Requires a valid ReCaptcha # public/private key. -enable_registration_captcha: False +# +#enable_registration_captcha: false # A secret key used to bypass the captcha test entirely. -# captcha_bypass_secret: "YOUR_SECRET_HERE" +# +#captcha_bypass_secret: "YOUR_SECRET_HERE" # The API endpoint to use for verifying m.login.recaptcha responses. -recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" +# +#recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" ## TURN ## # The public URIs of the TURN server to give to clients +# turn_uris: {{ matrix_synapse_turn_uris|to_json }} # The shared secret used to compute passwords for the TURN server +# turn_shared_secret: {{ matrix_synapse_turn_shared_secret|to_json }} # The Username and password if the TURN server needs them and # does not use a token -# turn_username: "TURNSERVER_USERNAME" -# turn_password: "TURNSERVER_PASSWORD" +# +#turn_username: "TURNSERVER_USERNAME" +#turn_password: "TURNSERVER_PASSWORD" # How long generated TURN credentials last -turn_user_lifetime: "1h" +# +#turn_user_lifetime: 1h # Whether guests should be allowed to use the TURN server. # This defaults to True, otherwise VoIP will be unreliable for guests. # However, it does introduce a slight security risk as it allows users to # connect to arbitrary endpoints without having first signed up for a # valid account (e.g. by passing a CAPTCHA). +# turn_allow_guests: False ## Registration ## +# # Registration can be rate-limited using the parameters in the "Ratelimiting" # section of this file. # Enable registration for new users. +# enable_registration: {{ matrix_synapse_enable_registration|to_json }} # The user must provide all of the below types of 3PID when registering. # -# registrations_require_3pid: -# - email -# - msisdn +#registrations_require_3pid: +# - email +# - msisdn # Explicitly disable asking for MSISDNs from the registration # flow (overrides registrations_require_3pid if MSISDNs are set as required) # -# disable_msisdn_registration = True +#disable_msisdn_registration: true # Mandate that users are only allowed to associate certain formats of # 3PIDs with accounts on this server. # -# allowed_local_3pids: -# - medium: email -# pattern: '.*@matrix\.org' -# - medium: email -# pattern: '.*@vector\.im' -# - medium: msisdn -# pattern: '\+44' +#allowed_local_3pids: +# - medium: email +# pattern: '.*@matrix\.org' +# - medium: email +# pattern: '.*@vector\.im' +# - medium: msisdn +# pattern: '\+44' -# If set, allows registration by anyone who also has the shared -# secret, even if registration is otherwise disabled. +# If set, allows registration of standard or admin accounts by anyone who +# has the shared secret, even if registration is otherwise disabled. +# registration_shared_secret: {{ matrix_synapse_registration_shared_secret|to_json }} # Set the number of bcrypt rounds used to generate password hash. @@ -580,12 +682,14 @@ registration_shared_secret: {{ matrix_synapse_registration_shared_secret|to_json # The default number is 12 (which equates to 2^12 rounds). # N.B. that increasing this will exponentially increase the time required # to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. -bcrypt_rounds: 12 +# +#bcrypt_rounds: 12 # Allows users to register as guests without a password/email/etc, and # participate in rooms hosted on this server which have been made # accessible to anonymous users. -allow_guest_access: False +# +#allow_guest_access: false # The identity server which we suggest that clients should use when users log # in on this server. @@ -593,13 +697,14 @@ allow_guest_access: False # (By default, no suggestion is made, so it is left up to the client. # This setting is ignored unless public_baseurl is also set.) # -# default_identity_server: https://matrix.org +#default_identity_server: https://matrix.org # The list of identity servers trusted to verify third party # identifiers by this server. # # Also defines the ID server which will be called when an account is # deactivated (one will be picked arbitrarily). +# {% if matrix_synapse_trusted_third_party_id_servers|length > 0 %} trusted_third_party_id_servers: {{ matrix_synapse_trusted_third_party_id_servers|to_nice_yaml }} @@ -607,6 +712,9 @@ trusted_third_party_id_servers: # Users who register on this homeserver will automatically be joined # to these rooms +# +#auto_join_rooms: +# - "#example:example.com" {% if matrix_synapse_auto_join_rooms|length > 0 %} auto_join_rooms: {{ matrix_synapse_auto_join_rooms|to_nice_yaml }} @@ -617,14 +725,16 @@ auto_join_rooms: # homeserver registers. # Setting to false means that if the rooms are not manually created, # users cannot be auto-joined since they do not exist. -autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms }} +# +autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json }} ## Metrics ### # Enable collection and rendering of performance metrics -enable_metrics: {{ matrix_synapse_metrics_enabled }} -report_stats: {{ matrix_synapse_report_stats|to_json }} +# +enable_metrics: {{ matrix_synapse_metrics_enabled|to_json }} + # Enable sentry integration # NOTE: While attempts are made to ensure that the logs don't contain @@ -633,50 +743,61 @@ report_stats: {{ matrix_synapse_report_stats|to_json }} # information, and it in turn may then diseminate sensitive information # through insecure notification channels if so configured. # -# sentry: +#sentry: # dsn: "..." +# Whether or not to report anonymized homeserver usage statistics. +report_stats: {{ matrix_synapse_report_stats|to_json }} + ## API Configuration ## # A list of event types that will be included in the room_invite_state -room_invite_state_types: - - "m.room.join_rules" - - "m.room.canonical_alias" - - "m.room.avatar" - - "m.room.encryption" - - "m.room.name" +# +#room_invite_state_types: +# - "m.room.join_rules" +# - "m.room.canonical_alias" +# - "m.room.avatar" +# - "m.room.encryption" +# - "m.room.name" -# A list of application service config file to use +# A list of application service config files to use +# app_service_config_files: {{ matrix_synapse_app_service_config_files }} -# Whether or not to track application service IP addresses. Implicitly +# Uncomment to enable tracking of application service IP addresses. Implicitly # enables MAU tracking for application service users. -track_appservice_user_ips: False +# +#track_appservice_user_ips: True # a secret which is used to sign access tokens. If none is specified, # the registration_shared_secret is used, if one is given; otherwise, # a secret key is derived from the signing key. +# macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|to_json }} # Used to enable access token expiration. -expire_access_token: False +# +#expire_access_token: False # a secret which is used to calculate HMACs for form values, to stop # falsification of values. Must be specified for the User Consent # forms to work. +# form_secret: {{ matrix_synapse_form_secret|to_json }} ## Signing Keys ## # Path to the signing key to sign messages with +# signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key" # The keys that the server used to sign messages with but won't use # to sign new messages. E.g. it has lost its private key -old_signing_keys: {} +# +#old_signing_keys: # "ed25519:auto": # # Base64 encoded public key # key: "The public part of your old signing key." @@ -687,16 +808,17 @@ old_signing_keys: {} # Used to set the valid_until_ts in /key/v2 APIs. # Determines how quickly servers will query to check which keys # are still valid. -key_refresh_interval: "1d" # 1 Day. +# +#key_refresh_interval: 1d # The trusted servers to download signing keys from. -perspectives: - servers: - "matrix.org": - verify_keys: - "ed25519:auto": - key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" - +# +#perspectives: +# servers: +# "matrix.org": +# verify_keys: +# "ed25519:auto": +# key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" # Enable SAML2 for registration and login. Uses pysaml2. @@ -704,48 +826,47 @@ perspectives: # `sp_config` is the configuration for the pysaml2 Service Provider. # See pysaml2 docs for format of config. # -# # The following is the configuration for the pysaml2 Service Provider. -# # See pysaml2 docs for format of config. -# # -# # Default values will be used for the 'entityid' and 'service' settings, -# # so it is not normally necessary to specify them unless you need to -# # override them. +# Default values will be used for the 'entityid' and 'service' settings, +# so it is not normally necessary to specify them unless you need to +# override them. # -# sp_config: -# # point this to the IdP's metadata. You can use either a local file or -# # (preferably) a URL. -# metadata: -# # local: ["saml2/idp.xml"] -# remote: -# - url: https://our_idp/metadata.xml +#saml2_config: +# sp_config: +# # point this to the IdP's metadata. You can use either a local file or +# # (preferably) a URL. +# metadata: +# #local: ["saml2/idp.xml"] +# remote: +# - url: https://our_idp/metadata.xml # -# # The following is just used to generate our metadata xml, and you -# # may well not need it, depending on your setup. Alternatively you -# # may need a whole lot more detail - see the pysaml2 docs! +# # The rest of sp_config is just used to generate our metadata xml, and you +# # may well not need it, depending on your setup. Alternatively you +# # may need a whole lot more detail - see the pysaml2 docs! # -# description: ["My awesome SP", "en"] -# name: ["Test SP", "en"] +# description: ["My awesome SP", "en"] +# name: ["Test SP", "en"] # -# organization: -# name: Example com -# display_name: -# - ["Example co", "en"] -# url: "http://example.com" +# organization: +# name: Example com +# display_name: +# - ["Example co", "en"] +# url: "http://example.com" # -# contact_person: -# - given_name: Bob -# sur_name: "the Sysadmin" -# email_address": ["admin@example.com"] -# contact_type": technical +# contact_person: +# - given_name: Bob +# sur_name: "the Sysadmin" +# email_address": ["admin@example.com"] +# contact_type": technical # -# # Instead of putting the config inline as above, you can specify a -# # separate pysaml2 configuration file: -# # -# # config_path: "/data/sp_conf.py" +# # Instead of putting the config inline as above, you can specify a +# # separate pysaml2 configuration file: +# # +# config_path: "/data/sp_conf.py" # Enable CAS for registration and login. +# #cas_config: # enabled: true # server_url: "https://cas-server.com" @@ -756,18 +877,20 @@ perspectives: # The JWT needs to contain a globally unique "sub" (subject) claim. # -# jwt_config: -# enabled: true -# secret: "a secret" -# algorithm: "HS256" - +#jwt_config: +# enabled: true +# secret: "a secret" +# algorithm: "HS256" -# Enable password for login. password_config: - enabled: true + # Uncomment to disable password login + # + #enabled: false + # Uncomment and change to a secret random string for extra security. # DO NOT CHANGE THIS AFTER INITIAL SETUP! + # pepper: {{ matrix_synapse_password_config_pepper|to_json }} @@ -795,20 +918,20 @@ email: {% endif %} -# password_providers: -# - module: "ldap_auth_provider.LdapAuthProvider" -# config: -# enabled: true -# uri: "ldap://ldap.example.com:389" -# start_tls: true -# base: "ou=users,dc=example,dc=com" -# attributes: -# uid: "cn" -# mail: "email" -# name: "givenName" -# #bind_dn: -# #bind_password: -# #filter: "(objectClass=posixAccount)" +#password_providers: +# - module: "ldap_auth_provider.LdapAuthProvider" +# config: +# enabled: true +# uri: "ldap://ldap.example.com:389" +# start_tls: true +# base: "ou=users,dc=example,dc=com" +# attributes: +# uid: "cn" +# mail: "email" +# name: "givenName" +# #bind_dn: +# #bind_password: +# #filter: "(objectClass=posixAccount)" {% if matrix_synapse_password_providers_enabled %} password_providers: {% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} @@ -856,40 +979,47 @@ password_providers: # notification request includes the content of the event (other details # like the sender are still included). For `event_id_only` push, it # has no effect. - +# # For modern android devices the notification content will still appear # because it is loaded by the app. iPhone, however will send a # notification saying only that a message arrived and who it came from. - +# push: include_content: {{ matrix_synapse_push_include_content|to_json }} -# spam_checker: -# module: "my_custom_project.SuperSpamChecker" -# config: -# example_option: 'things' +#spam_checker: +# module: "my_custom_project.SuperSpamChecker" +# config: +# example_option: 'things' -# Whether to allow non server admins to create groups on this server -enable_group_creation: false +# Uncomment to allow non-server-admin users to create groups on this server +# +#enable_group_creation: true # If enabled, non server admins can only create groups with local parts # starting with this prefix -# group_creation_prefix: "unofficial/" +# +#group_creation_prefix: "unofficial/" # User Directory configuration # +# 'enabled' defines whether users can search the user directory. If +# false then empty responses are returned to all queries. Defaults to +# true. +# # 'search_all_users' defines whether to search all users visible to your HS # when searching the user directory, rather than limiting to users visible # in public rooms. Defaults to false. If you set it True, you'll have to run # UPDATE user_directory_stream_pos SET stream_id = NULL; # on your database to tell it to rebuild the user_directory search indexes. # -# user_directory: -# search_all_users: false +#user_directory: +# enabled: true +# search_all_users: false # User Consent configuration @@ -926,20 +1056,20 @@ enable_group_creation: false # for an account. Has no effect unless `require_at_registration` is enabled. # Defaults to "Privacy Policy". # -# user_consent: -# template_dir: res/templates/privacy -# version: 1.0 -# server_notice_content: -# msgtype: m.text -# body: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# send_server_notice_to_guests: True -# block_events_error: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# require_at_registration: False -# policy_name: Privacy Policy +#user_consent: +# template_dir: res/templates/privacy +# version: 1.0 +# server_notice_content: +# msgtype: m.text +# body: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# send_server_notice_to_guests: True +# block_events_error: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# require_at_registration: False +# policy_name: Privacy Policy # @@ -956,14 +1086,20 @@ enable_group_creation: false # It's also possible to override the room name, the display name of the # "notices" user, and the avatar for the user. # -# server_notices: -# system_mxid_localpart: notices -# system_mxid_display_name: "Server Notices" -# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" -# room_name: "Server Notices" +#server_notices: +# system_mxid_localpart: notices +# system_mxid_display_name: "Server Notices" +# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" +# room_name: "Server Notices" +# Uncomment to disable searching the public room list. When disabled +# blocks searching local and remote room lists for local and remote +# users by always returning an empty list for all queries. +# +#enable_room_list_search: false + # The `alias_creation` option controls who's allowed to create aliases # on this server. # @@ -986,11 +1122,11 @@ enable_group_creation: false # # The default is: # -# alias_creation_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow +#alias_creation_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow # The `room_list_publication_rules` option controls who can publish and # which rooms can be published in the public room list. @@ -1007,7 +1143,7 @@ enable_group_creation: false # # Options for the rules include: # -# user_id: Matches against the creator of the alias +# user_id: Matches agaisnt the creator of the alias # room_id: Matches against the room ID being published # alias: Matches against any current local or canonical aliases # associated with the room @@ -1015,8 +1151,8 @@ enable_group_creation: false # # The default is: # -# room_list_publication_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow +#room_list_publication_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow From 631b7cc6a673f74c7edcdb286ff5e0a843e82adb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 1 Apr 2019 21:40:14 +0300 Subject: [PATCH 0461/2384] Add support for adjusting Synapse rate-limiting configuration --- docs/configuring-playbook-matrix-corporal.md | 16 +++++++++++++- roles/matrix-synapse/defaults/main.yml | 22 +++++++++++++++++++ .../templates/synapse/homeserver.yaml.j2 | 8 +++++++ 3 files changed, 45 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index 4afb0065..cba68f74 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -36,6 +36,20 @@ matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE" # If you need to change the reconciliator user's id from the default (matrix-corporal).. # In any case, you need to make sure this Matrix user is created on your server. matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" + +# Because Corporal peridoically performs lots of user logins from the same IP, +# you may need raise Synapse's ratelimits. +# The values below are just an example. Tweak to your use-case (number of users, etc.) +matrix_synapse_rc_login: + address: + per_second: 50 + burst_count: 300 + account: + per_second: 0.17 + burst_count: 3 + failed_attempts: + per_second: 0.17 + burst_count: 3 ``` Matrix Corporal operates with a specific Matrix user on your server. @@ -57,4 +71,4 @@ The following local filesystem paths are mounted in the `matrix-corporal` contai - `/matrix/corporal/cache` is mounted at `/var/cache/matrix-corporal` (read and write) -As an example: you can create your own configuration files in `/matrix/corporal/config` and they will appear in `/etc/matrix-corporal` in the Docker container. Your configuration (stuff in `matrix_corporal_policy_provider_config`) needs to refer to these files via the local container path `/etc/matrix-corporal` \ No newline at end of file +As an example: you can create your own configuration files in `/matrix/corporal/config` and they will appear in `/etc/matrix-corporal` in the Docker container. Your configuration (stuff in `matrix_corporal_policy_provider_config`) needs to refer to these files via the local container path `/etc/matrix-corporal` diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 0748027b..49525a75 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -68,6 +68,28 @@ matrix_synapse_root_log_level: "INFO" matrix_synapse_rc_messages_per_second: 0.2 matrix_synapse_rc_message_burst_count: 10.0 +matrix_synapse_rc_registration: + per_second: 0.17 + burst_count: 3 + +matrix_synapse_rc_login: + address: + per_second: 0.17 + burst_count: 3 + account: + per_second: 0.17 + burst_count: 3 + failed_attempts: + per_second: 0.17 + burst_count: 3 + +matrix_synapse_federation_rc_window_size: 1000 +matrix_synapse_federation_rc_sleep_limit: 10 +matrix_synapse_federation_rc_sleep_delay: 500 +matrix_synapse_federation_rc_reject_limit: 50 +matrix_synapse_federation_rc_concurrent: 3 +matrix_synapse_federation_rr_transactions_per_room_per_second: 50 + # Controls whether the TLS federation listener is enabled (tcp/8448). # Only makes sense if federation is enabled (`matrix_synapse_federation_enabled`). # Note that federation may potentially be enabled as non-TLS on tcp/8048 as well. diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index a9c398bd..6b24ae8b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -409,6 +409,7 @@ rc_message_burst_count: {{ matrix_synapse_rc_message_burst_count }} #rc_registration: # per_second: 0.17 # burst_count: 3 +rc_registration: {{ matrix_synapse_rc_registration|to_json }} # #rc_login: # address: @@ -420,30 +421,36 @@ rc_message_burst_count: {{ matrix_synapse_rc_message_burst_count }} # failed_attempts: # per_second: 0.17 # burst_count: 3 +rc_login: {{ matrix_synapse_rc_login|to_json }} # The federation window size in milliseconds # #federation_rc_window_size: 1000 +federation_rc_window_size: {{ matrix_synapse_federation_rc_window_size }} # The number of federation requests from a single server in a window # before the server will delay processing the request. # #federation_rc_sleep_limit: 10 +federation_rc_sleep_limit: {{ matrix_synapse_federation_rc_sleep_limit }} # The duration in milliseconds to delay processing events from # remote servers by if they go over the sleep limit. # #federation_rc_sleep_delay: 500 +federation_rc_sleep_delay: {{ matrix_synapse_federation_rc_sleep_delay }} # The maximum number of concurrent federation requests allowed # from a single server # #federation_rc_reject_limit: 50 +federation_rc_reject_limit: {{ matrix_synapse_federation_rc_reject_limit }} # The number of federation requests to concurrently process from a # single server # #federation_rc_concurrent: 3 +federation_rc_concurrent: {{ matrix_synapse_federation_rc_concurrent }} # Target outgoing federation transaction frequency for sending read-receipts, # per-room. @@ -452,6 +459,7 @@ rc_message_burst_count: {{ matrix_synapse_rc_message_burst_count }} # into fewer transactions. # #federation_rr_transactions_per_room_per_second: 50 +federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_transactions_per_room_per_second }} From 64556569da78e2c9626c053d8e65cc4f0e8c05bf Mon Sep 17 00:00:00 2001 From: NullIsNot0 Date: Tue, 2 Apr 2019 07:20:25 +0300 Subject: [PATCH 0462/2384] Update Riot Web from 1.0.5 to 1.0.6 --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 754c9e53..4e2c74cc 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,6 +1,6 @@ matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "bubuntux/riot-web:v1.0.5" +matrix_riot_web_docker_image: "bubuntux/riot-web:v1.0.6" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 82b46400729dbfbe59ee22ff51845811e2a0de5b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 3 Apr 2019 10:28:23 +0300 Subject: [PATCH 0463/2384] Use a more suitable Docker image for running Ansible Inspired by #128 (Github Issue), we've created a new Docker image to replace https://hub.docker.com/r/qmxme/ansible Adding dnspython or dig to `qmxme/ansible` doesn't seem like a good idea (that might be accepted by them), given that it's specific to our use case. That's why we'll be maintaining our own image from now on. --- docs/ansible.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/ansible.md b/docs/ansible.md index 1d2946d5..13d297de 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -40,7 +40,7 @@ If you find yourself needing to resort to such hacks, please consider reporting ## Using Ansible via Docker -Alternatively, you can run Ansible itself from a Docker container on your computer. +Alternatively, you can run Ansible on your computer from inside a Docker container (powered by the [devture/ansible](https://hub.docker.com/r/devture/ansible/) Docker image). Here's a sample command to get you started (run this from the playbook's directory): @@ -50,7 +50,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -qmxme/ansible +devture/ansible:2.7.0-r1 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). From 9202b2b8d9ab6fb5a989341047277189f39acc95 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 3 Apr 2019 11:19:06 +0300 Subject: [PATCH 0464/2384] Ensure systemd services are running when doing --tags=start Fixes #129 (Github Issue). Unfortunately, we rely on `service_facts`, which is only available in Ansible >= 2.5. There's little reason to stick to an old version such as Ansible 2.4: - some time has passed since we've raised version requirements - it's time to move into the future (a little bit) - we've recently (in 82b46400729d) improved the way one can run Ansible in a Docker container From now on, Ansible >= 2.5 is required. --- docs/ansible.md | 6 +++--- roles/matrix-base/tasks/sanity_check.yml | 4 ++-- roles/matrix-common-after/tasks/start.yml | 25 ++++++++++++++++++++++- 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/docs/ansible.md b/docs/ansible.md index 13d297de..0987ca7f 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -8,9 +8,9 @@ If your local computer cannot run Ansible, you can also run Ansible on some serv ## Supported Ansible versions -Generally, Ansible 2.4 or later is required. +Ansible 2.5 or newer is required. -If you're on Ansible 2.5.x, then at least Ansible 2.5.2 is required. +If you're on Ansible 2.5.x, due to bugs in Ansible 2.5.0 and 2.5.1, at least Ansible 2.5.2 is required. ## Checking your Ansible version @@ -20,7 +20,7 @@ The playbook will try to detect it and tell you if you're on an unsupported vers To manually check which verison of Ansible you're on, run: `ansible --version`. -If you're on an old version of Ansible, you should upgrade to a newer version. +If you're on an old version of Ansible, you should [upgrade Ansible to a newer version](#upgrading-ansible) or [use Ansible via Docker](#using-ansible-via-docker). ## Upgrading Ansible diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 0bff6a6b..b2d8c249 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -3,10 +3,10 @@ - set_fact: matrix_ansible_outdated_fail_msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" -- name: Fail if running on Ansible < 2.4 +- name: Fail if running on Ansible < 2.5 fail: msg: "{{ matrix_ansible_outdated_fail_msg }}" - when: "ansible_version.major <= 2 and ansible_version.minor < 4" + when: "ansible_version.major <= 2 and ansible_version.minor < 5" # Ansible 2.5.0 and 2.5.1 are known to have a bug with `include_tasks` + `with_items`. # The bug has been fixed in Ansible 2.5.2. diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index 688b9244..f0015428 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -15,4 +15,27 @@ name: "{{ item }}" enabled: yes state: started - with_items: "{{ matrix_systemd_services_list }}" \ No newline at end of file + with_items: "{{ matrix_systemd_services_list }}" + +# If we check service state immediately, we may succeed, +# because it takes some time for the service to attempt to start and actually fail. +# +# Waiting too long (30s) may not work for a similar reason, +# as we may run into systemd's automatic restart logic retrying the service. +- name: Wait a bit, so that services can start (or fail) + wait_for: + timeout: 5 + delegate_to: 127.0.0.1 + become: false + +- name: Populate service facts + service_facts: + +- name: Fail if service isn't detected to be running + fail: + msg: >- + {{ item }} was not detected to be running. + It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). + Try running `systemctl status {{ item }}` and `systemctl -fu {{ item }}` on the server to investigate. + with_items: "{{ matrix_systemd_services_list }}" + when: "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'" From 0b034ac34b0215352f3a4de241cbb643901aa68b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 3 Apr 2019 11:28:51 +0300 Subject: [PATCH 0465/2384] Update changelog --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3112657b..4703013c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2019-04-03 + +## Ansible >= 2.5 is required + +Due to recent playbook improvements and the fact that the world keeps turning, we're bumping the [version requirement for Ansible](docs/ansible.md#supported-ansible-versions) (2.4 -> 2.5). + +We've also started building our own Docker image of Ansible ([devture/ansible](https://hub.docker.com/r/devture/ansible/)), which is useful for people who can't upgrade their local Ansible installation (see [Using Ansible via Docker](docs/ansible.md#using-ansible-via-docker)). + + # 2019-03-19 ## TLS support for Coturn From af1c9ae59d5ebbe8a46d98466d99aa353a4b4a93 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 3 Apr 2019 11:34:49 +0300 Subject: [PATCH 0466/2384] Do not force firewalld on people In most cases, there's not really a need to touch the system firewall, as Docker manages iptables by itself (see https://docs.docker.com/network/iptables/). All ports exposed by Docker containers are automatically whitelisted in iptables and wired to the correct container. This made installing firewalld and whitelisting ports pointless, as far as this playbook's services are concerned. People that wish to install firewalld (for other reasons), can do so manually from now on. This is inspired by and fixes #97 (Github Issue). --- roles/matrix-base/tasks/setup_server_base.yml | 8 -------- roles/matrix-coturn/tasks/setup_coturn.yml | 14 -------------- .../matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 11 ----------- .../tasks/ssl/setup_ssl_lets_encrypt.yml | 11 ----------- roles/matrix-synapse/tasks/setup_synapse_main.yml | 9 --------- 5 files changed, 53 deletions(-) diff --git a/roles/matrix-base/tasks/setup_server_base.yml b/roles/matrix-base/tasks/setup_server_base.yml index 5a41bd73..f4a8352f 100644 --- a/roles/matrix-base/tasks/setup_server_base.yml +++ b/roles/matrix-base/tasks/setup_server_base.yml @@ -23,7 +23,6 @@ - bash-completion - docker-ce - docker-python - - firewalld - ntp - fuse state: latest @@ -67,13 +66,6 @@ update_cache: yes when: ansible_os_family == 'Debian' -- name: Ensure firewalld is started and autoruns - service: - name: firewalld - state: started - enabled: yes - when: ansible_os_family == 'RedHat' - - name: Ensure Docker is started and autoruns service: name: docker diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 619ed378..9f79f4c8 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -54,20 +54,6 @@ daemon_reload: yes when: "matrix_coturn_enabled and matrix_coturn_systemd_service_result.changed" -- name: Allow access to Coturn ports in firewalld - firewalld: - port: "{{ item }}" - state: enabled - immediate: yes - permanent: yes - with_items: - - '3478/tcp' - - '3478/udp' - - '5349/tcp' - - '5349/udp' - - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN - when: "matrix_coturn_enabled and ansible_os_family == 'RedHat'" - # This may be unnecessary when more long-lived certificates are used. # We optimize for the common use-case though (short-lived Let's Encrypt certificates). # Reloading doesn't hurt anyway, so there's no need to make this more flexible. diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index c0188a4e..9f834560 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -99,17 +99,6 @@ name: "{{ matrix_nginx_proxy_docker_image }}" when: matrix_nginx_proxy_enabled -- name: Allow access to nginx proxy ports in firewalld - firewalld: - service: "{{ item }}" - state: enabled - immediate: yes - permanent: yes - with_items: - - "http" - - "https" - when: "matrix_nginx_proxy_enabled and ansible_os_family == 'RedHat'" - - name: Ensure matrix-nginx-proxy.service installed template: src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 16f7c2fe..e4613ed7 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -33,17 +33,6 @@ - "{{ matrix_ssl_lets_encrypt_support_email }}" when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item is none" -- name: Allow access to HTTP/HTTPS in firewalld - firewalld: - service: "{{ item }}" - state: enabled - immediate: yes - permanent: yes - with_items: - - http - - https - when: "matrix_ssl_retrieval_method == 'lets-encrypt' and ansible_os_family == 'RedHat'" - - name: Ensure certbot Docker image is pulled docker_image: name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}" diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index e2d7baea..388e28ce 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -77,12 +77,3 @@ dest: "/usr/local/bin/matrix-synapse-register-user" mode: 0750 -- name: Allow access to Matrix ports in firewalld - firewalld: - port: "{{ item }}" - state: enabled - immediate: yes - permanent: yes - with_items: - - '8448/tcp' # Matrix federation - when: ansible_os_family == 'RedHat' From 841b525e7fe9eff0ecc12472ac3a6367ff1c43d9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 5 Apr 2019 11:06:49 +0300 Subject: [PATCH 0467/2384] Suggest ansible_ssh_pipelining=yes for hosts --- examples/hosts | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/examples/hosts b/examples/hosts index 1f1a6e72..bcb4f740 100644 --- a/examples/hosts +++ b/examples/hosts @@ -1,2 +1,9 @@ [matrix-servers] -matrix. ansible_host= ansible_ssh_user=root +# We explicitly ask for your server's external IP address, because the same value is used for configuring Coturn. +# +# To connect using a non-root user (and elevate to root with sudo later), +# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root` +# +# For improved Ansible performance, SSH pipelining is enabled by default (`ansible_ssh_pipelining=yes`). +# If this causes SSH connection troubles, feel free to disable it. +matrix. ansible_host= ansible_ssh_user=root ansible_ssh_pipelining=yes From b5fbec8d836b13288b01b8a126bf33a4b3686a68 Mon Sep 17 00:00:00 2001 From: Alexander Acevedo Date: Fri, 5 Apr 2019 05:33:38 -0400 Subject: [PATCH 0468/2384] add goofys custom Creates the configuration variable to toggle custom endpoint and the default custom endpoint. --- roles/matrix-synapse/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 49525a75..7438f032 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -218,7 +218,9 @@ matrix_synapse_ext_password_provider_ldap_filter: "" matrix_s3_media_store_enabled: false +matrix_s3_media_store_custom_endpoint_enabled: false matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" +matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "your-aws-access-key" matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" From c55e49d7332d8eae10290ea79e1fb2b756d47213 Mon Sep 17 00:00:00 2001 From: Alexander Acevedo Date: Fri, 5 Apr 2019 05:48:31 -0400 Subject: [PATCH 0469/2384] add custom endpoint to matrix-goofys.service.j2 This (should) check if custom endpoint is enabled. --- .../templates/goofys/systemd/matrix-goofys.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index c123b2c4..0c7d1acf 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -20,7 +20,7 @@ ExecStart=/usr/bin/docker run --rm --name %n \ --env-file={{ matrix_synapse_config_dir_path }}/env-goofys \ --entrypoint /bin/sh \ {{ matrix_s3_goofys_docker_image }} \ - -c 'goofys -f --storage-class=STANDARD_IA --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' + -c 'goofys -f{% if matrix_s3_media_store_custom_endpoint_enabled is false %} --storage-class=STANDARD_IA{% endif %}{% matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{matrix_s3_media_store_custom_endpoint}}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' TimeoutStartSec=5min ExecStop=-/usr/bin/docker stop %n ExecStop=-/usr/bin/docker kill %n From 3ffb03f20e3469667b87370b4328d09a3ee55a17 Mon Sep 17 00:00:00 2001 From: Alexander Acevedo Date: Fri, 5 Apr 2019 05:54:58 -0400 Subject: [PATCH 0470/2384] missing whitespace --- .../templates/goofys/systemd/matrix-goofys.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index 0c7d1acf..20b0b430 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -20,7 +20,7 @@ ExecStart=/usr/bin/docker run --rm --name %n \ --env-file={{ matrix_synapse_config_dir_path }}/env-goofys \ --entrypoint /bin/sh \ {{ matrix_s3_goofys_docker_image }} \ - -c 'goofys -f{% if matrix_s3_media_store_custom_endpoint_enabled is false %} --storage-class=STANDARD_IA{% endif %}{% matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{matrix_s3_media_store_custom_endpoint}}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' + -c 'goofys -f{% if matrix_s3_media_store_custom_endpoint_enabled is false %} --storage-class=STANDARD_IA{% endif %}{% matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' TimeoutStartSec=5min ExecStop=-/usr/bin/docker stop %n ExecStop=-/usr/bin/docker kill %n From 3953705682e380465be5c1b6e7c856b0e94bbcaa Mon Sep 17 00:00:00 2001 From: Alexander Acevedo Date: Fri, 5 Apr 2019 05:56:36 -0400 Subject: [PATCH 0471/2384] add custom endpoint environment variable --- roles/matrix-synapse/templates/goofys/env-goofys.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-synapse/templates/goofys/env-goofys.j2 b/roles/matrix-synapse/templates/goofys/env-goofys.j2 index a9e4b692..bb5812fc 100644 --- a/roles/matrix-synapse/templates/goofys/env-goofys.j2 +++ b/roles/matrix-synapse/templates/goofys/env-goofys.j2 @@ -1,2 +1,3 @@ AWS_ACCESS_KEY={{ matrix_s3_media_store_aws_access_key }} -AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }} \ No newline at end of file +AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }} +{% matrix_s3_media_store_custom_endpoint_enabled %}ENDPOINT={{ matrix_s3_media_store_custom_endpoint }}{% endif %} From 6cc6638098e36bb458ad2f7bc7f20fad5eb3b66a Mon Sep 17 00:00:00 2001 From: Alexander Acevedo Date: Fri, 5 Apr 2019 06:01:58 -0400 Subject: [PATCH 0472/2384] revert 3953705682e380465be5c1b6e7c856b0e94bbcaa that's not how it works --- roles/matrix-synapse/templates/goofys/env-goofys.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-synapse/templates/goofys/env-goofys.j2 b/roles/matrix-synapse/templates/goofys/env-goofys.j2 index bb5812fc..dd47a548 100644 --- a/roles/matrix-synapse/templates/goofys/env-goofys.j2 +++ b/roles/matrix-synapse/templates/goofys/env-goofys.j2 @@ -1,3 +1,2 @@ AWS_ACCESS_KEY={{ matrix_s3_media_store_aws_access_key }} AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }} -{% matrix_s3_media_store_custom_endpoint_enabled %}ENDPOINT={{ matrix_s3_media_store_custom_endpoint }}{% endif %} From 901516d806b5dc798a316581e124bcb1f0b62cf9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 6 Apr 2019 12:32:55 +0300 Subject: [PATCH 0473/2384] Update matrix-corporal (1.3.0 -> 1.4.0) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index ca89d481..a1406f03 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -9,7 +9,7 @@ matrix_corporal_container_expose_ports: false # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_docker_image: "devture/matrix-corporal:1.3.0" +matrix_corporal_docker_image: "devture/matrix-corporal:1.4.0" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" From bec59c06bb3b726fbbffe15d6f19bf319463a7a9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 9 Apr 2019 09:33:24 +0300 Subject: [PATCH 0474/2384] Update images --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- roles/matrix-riot-web/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 687be900..3576f4c4 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -133,7 +133,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.31.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.33.1" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 4e2c74cc..5f2ad164 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,6 +1,6 @@ matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "bubuntux/riot-web:v1.0.6" +matrix_riot_web_docker_image: "bubuntux/riot-web:v1.0.7" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 9a05b030cb84d56e3d3f750dddd32125b0f3aacc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 10 Apr 2019 08:45:02 +0300 Subject: [PATCH 0475/2384] Fix unknown tag error when generating Goofys service `{% matrix_s3_media_store_custom_endpoint_enabled %}` should have been `{% if matrix_s3_media_store_custom_endpoint_enabled %}` instead. Related to #132 (Github Pull Request). --- .../templates/goofys/systemd/matrix-goofys.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index 20b0b430..e5fd8738 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -20,7 +20,7 @@ ExecStart=/usr/bin/docker run --rm --name %n \ --env-file={{ matrix_synapse_config_dir_path }}/env-goofys \ --entrypoint /bin/sh \ {{ matrix_s3_goofys_docker_image }} \ - -c 'goofys -f{% if matrix_s3_media_store_custom_endpoint_enabled is false %} --storage-class=STANDARD_IA{% endif %}{% matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' + -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' TimeoutStartSec=5min ExecStop=-/usr/bin/docker stop %n ExecStop=-/usr/bin/docker kill %n From 382e53bdeea6a818511ecd13bcb7f1857960547b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 11 Apr 2019 09:54:42 +0300 Subject: [PATCH 0476/2384] Make examples/hosts look cleaner Putting a lot of comments inbetween `[matrix-servers]` and the example host line may make someone decide to clean up the comment and accidentally skip-over the `[matrix-servers]` part. --- examples/hosts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/hosts b/examples/hosts index bcb4f740..c623aa43 100644 --- a/examples/hosts +++ b/examples/hosts @@ -1,4 +1,3 @@ -[matrix-servers] # We explicitly ask for your server's external IP address, because the same value is used for configuring Coturn. # # To connect using a non-root user (and elevate to root with sudo later), @@ -6,4 +5,6 @@ # # For improved Ansible performance, SSH pipelining is enabled by default (`ansible_ssh_pipelining=yes`). # If this causes SSH connection troubles, feel free to disable it. + +[matrix-servers] matrix. ansible_host= ansible_ssh_user=root ansible_ssh_pipelining=yes From 596f2ec1e24e1bee4e4be76ee637640107d1b064 Mon Sep 17 00:00:00 2001 From: NullIsNot0 Date: Sun, 14 Apr 2019 16:09:29 +0300 Subject: [PATCH 0477/2384] Make Dimension communicat to Synapse through Docker network Media is pulled from client side, so we specify external Matrix DNS name as mediaUrl --- roles/matrix-dimension/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index ee1b18a0..43841fee 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -45,7 +45,7 @@ matrix_dimension_configuration_yaml: | # The URL that Dimension, go-neb, and other services provisioned by Dimension should # use to access the homeserver with. - clientServerUrl: "https://{{ matrix_server_fqn_matrix }}" + clientServerUrl: "http://matrix-synapse:8008" # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address @@ -54,7 +54,7 @@ matrix_dimension_configuration_yaml: | # The URL that Dimension will redirect media requests to for downloading media such as # stickers. If not supplied or left empty Dimension will use the clientServerUrl. - #mediaUrl: "https://t2bot.io" + mediaUrl: "https://{{ matrix_server_fqn_matrix }}" # The access token Dimension should use for miscellaneous access to the homeserver. This # should be for a user on the configured homeserver: any user will do, however it is From eab8f31eedac8722639b925955bdeee724cd6018 Mon Sep 17 00:00:00 2001 From: Lyubomir Popov Date: Tue, 16 Apr 2019 12:40:38 +0300 Subject: [PATCH 0478/2384] Add additional room config options: - matrix_enable_room_list_search - Controls whether searching the public room list is enabled. - matrix_alias_creation_rules - Controls who's allowed to create aliases on this server. - matrix_room_list_publication_rules - Controls who can publish and which rooms can be published in the public room list. --- roles/matrix-synapse/defaults/main.yml | 16 ++++++++++++++++ .../templates/synapse/homeserver.yaml.j2 | 6 ++++++ 2 files changed, 22 insertions(+) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 7438f032..d6a4f047 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -797,3 +797,19 @@ matrix_appservice_discord_configuration_extension: "{{ matrix_appservice_irc_con matrix_appservice_discord_configuration: "{{ matrix_appservice_discord_configuration_yaml|from_yaml|combine(matrix_appservice_discord_configuration_extension, recursive=True) }}" +# Controls whether searching the public room list is enabled. +matrix_enable_room_list_search: true + +# Controls who's allowed to create aliases on this server. +matrix_alias_creation_rules: + - user_id: "*" + alias: "*" + room_id: "*" + action: allow + +# Controls who can publish and which rooms can be published in the public room list. +matrix_room_list_publication_rules: + - user_id: "*" + alias: "*" + room_id: "*" + action: allow diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 6b24ae8b..41649e5c 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1108,6 +1108,8 @@ push: # #enable_room_list_search: false +enable_room_list_search: {{ matrix_enable_room_list_search|to_json }} + # The `alias_creation` option controls who's allowed to create aliases # on this server. # @@ -1136,6 +1138,8 @@ push: # room_id: "*" # action: allow +alias_creation_rules: {{ matrix_alias_creation_rules|to_json }} + # The `room_list_publication_rules` option controls who can publish and # which rooms can be published in the public room list. # @@ -1164,3 +1168,5 @@ push: # alias: "*" # room_id: "*" # action: allow + +room_list_publication_rules: {{ matrix_room_list_publication_rules|to_json }} \ No newline at end of file From c1a9549d54538cf35076f2a6a19e13004a483a06 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 Apr 2019 13:08:15 +0300 Subject: [PATCH 0479/2384] Mention matrix_coturn_turn_external_ip_address in examples/hosts --- examples/hosts | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/hosts b/examples/hosts index c623aa43..67dc3519 100644 --- a/examples/hosts +++ b/examples/hosts @@ -1,4 +1,5 @@ # We explicitly ask for your server's external IP address, because the same value is used for configuring Coturn. +# If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`. # # To connect using a non-root user (and elevate to root with sudo later), # replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root` From 9c401efb2daa3015d1f039e719e6abb9616fca25 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 Apr 2019 13:08:36 +0300 Subject: [PATCH 0480/2384] Add a note about beta/pre-release distros --- docs/prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index ad82470c..b3d4cf04 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -1,6 +1,6 @@ # Prerequisites -- **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (16.04+) server. This playbook can take over your whole server or co-exist with other services that you have there. +- **CentOS** (7.0+), **Debian** (9/Stretch+) or **Ubuntu** (16.04+) server. We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). From 265dc2949d411a868b65955dd3702ea1c2861ab3 Mon Sep 17 00:00:00 2001 From: jreichmann Date: Tue, 16 Apr 2019 19:36:03 +0200 Subject: [PATCH 0481/2384] Added example Caddyfiles for the containers --- examples/caddy/Caddyfile | 46 +++++++++++++++++++++++++++++++++ examples/caddy/matrix-dimension | 7 +++++ examples/caddy/matrix-riot-web | 7 +++++ examples/caddy/matrix-synapse | 26 +++++++++++++++++++ examples/caddy/matrix-util | 7 +++++ 5 files changed, 93 insertions(+) create mode 100755 examples/caddy/Caddyfile create mode 100644 examples/caddy/matrix-dimension create mode 100644 examples/caddy/matrix-riot-web create mode 100644 examples/caddy/matrix-synapse create mode 100644 examples/caddy/matrix-util diff --git a/examples/caddy/Caddyfile b/examples/caddy/Caddyfile new file mode 100755 index 00000000..3a2e247b --- /dev/null +++ b/examples/caddy/Caddyfile @@ -0,0 +1,46 @@ +https://matrix.finallycoffee.eu { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + root /matrix_static + header / { + Access-Control-Allow-Origin * + Strict-Transport-Security "max-age=31536000;" + X-Frame-Options "DENY" + X-XSS-Protection "1; mode=block" + } + proxy /_matrix/identity matrix-mxisd:8090 { + transparent + } + proxy /_matrix matrix-synapse:8008 { + transparent + } +} + +https://dimension.matrix.finallycoffee.eu { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + header / { + Access-Control-Allow-Origin * + } + proxy / http://matrix-dimension:8184 { + transparent + header_upstream X-Forwarded-For {remote} + header_upstream Host {host} + websocket + } +} + +https://chat.finallycoffee.eu { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + proxy / matrix-riot-web:8080 { + transparent + } +} + +# Federation listens on all IPs because older Synapse versions do not support SNI +https://:8448 { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + proxy /_matrix matrix-synapse:8048 { + transparent + } +} + + diff --git a/examples/caddy/matrix-dimension b/examples/caddy/matrix-dimension new file mode 100644 index 00000000..6defb0d2 --- /dev/null +++ b/examples/caddy/matrix-dimension @@ -0,0 +1,7 @@ +https://dimension.DOMAIN { + tls /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem + + proxy / http://127.0.0.1:8134/ { + transparent + } +} diff --git a/examples/caddy/matrix-riot-web b/examples/caddy/matrix-riot-web new file mode 100644 index 00000000..28df6cd2 --- /dev/null +++ b/examples/caddy/matrix-riot-web @@ -0,0 +1,7 @@ +https://riot.DOMAIN { + tls /matrix/ssl/config/live/riot.DOMAIN/fullchain.pem /matrix/ssl/config/live/riot.DOMAIN/privkey.pem + + proxy / http://127.0.0.1:8765 { + transparent + } +} diff --git a/examples/caddy/matrix-synapse b/examples/caddy/matrix-synapse new file mode 100644 index 00000000..800d7f7b --- /dev/null +++ b/examples/caddy/matrix-synapse @@ -0,0 +1,26 @@ +https://matrix.DOMAIN { + tls /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem + + root /matrix/static-files + + header { + Access-Control-Allow-Origin * + Strict-Transport-Security "mag=age=31536000;" + X-Frame-Options "DENY" + X-XSS-Protection "1; mode=block" + } + + proxy /_matrix/identity matrix-msisd:8090 { + transparent + } + + proxy /_matrix/client/r0/user_directory/search matrix-msisd:8090 { + transparent + } + + proxy / matrix-synapse:8008 { + transparent + without /.well-known/ /_matrix/identity/ /_matrix/client/r0/user_directory/search + } + +} diff --git a/examples/caddy/matrix-util b/examples/caddy/matrix-util new file mode 100644 index 00000000..191f7758 --- /dev/null +++ b/examples/caddy/matrix-util @@ -0,0 +1,7 @@ +:80 { + # Redirect ACME-Challenge traffic to port 2402 + proxy /.well-known/acme-challenge http://127.0.0.1:2402 + + # Redirect all other traffic to HTTPS + redir / https://{host}{uri} 301 +} From 6d49fdea215d319c44282edfa155e8e8af1e8812 Mon Sep 17 00:00:00 2001 From: jreichmann Date: Tue, 16 Apr 2019 19:38:43 +0200 Subject: [PATCH 0482/2384] Remove single all-host config file (used as source for examples) --- examples/caddy/Caddyfile | 46 ---------------------------------------- 1 file changed, 46 deletions(-) delete mode 100755 examples/caddy/Caddyfile diff --git a/examples/caddy/Caddyfile b/examples/caddy/Caddyfile deleted file mode 100755 index 3a2e247b..00000000 --- a/examples/caddy/Caddyfile +++ /dev/null @@ -1,46 +0,0 @@ -https://matrix.finallycoffee.eu { - tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem - root /matrix_static - header / { - Access-Control-Allow-Origin * - Strict-Transport-Security "max-age=31536000;" - X-Frame-Options "DENY" - X-XSS-Protection "1; mode=block" - } - proxy /_matrix/identity matrix-mxisd:8090 { - transparent - } - proxy /_matrix matrix-synapse:8008 { - transparent - } -} - -https://dimension.matrix.finallycoffee.eu { - tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem - header / { - Access-Control-Allow-Origin * - } - proxy / http://matrix-dimension:8184 { - transparent - header_upstream X-Forwarded-For {remote} - header_upstream Host {host} - websocket - } -} - -https://chat.finallycoffee.eu { - tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem - proxy / matrix-riot-web:8080 { - transparent - } -} - -# Federation listens on all IPs because older Synapse versions do not support SNI -https://:8448 { - tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem - proxy /_matrix matrix-synapse:8048 { - transparent - } -} - - From 084be8a1948efc17954502bfc14000c1cb466c4c Mon Sep 17 00:00:00 2001 From: jreichmann Date: Tue, 16 Apr 2019 19:41:38 +0200 Subject: [PATCH 0483/2384] Added comments noting that the TLS Certs might differ when using own certs --- examples/caddy/matrix-riot-web | 1 + examples/caddy/matrix-synapse | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/examples/caddy/matrix-riot-web b/examples/caddy/matrix-riot-web index 28df6cd2..8c195725 100644 --- a/examples/caddy/matrix-riot-web +++ b/examples/caddy/matrix-riot-web @@ -1,4 +1,5 @@ https://riot.DOMAIN { + # These might differ if you are supplying your own certificates tls /matrix/ssl/config/live/riot.DOMAIN/fullchain.pem /matrix/ssl/config/live/riot.DOMAIN/privkey.pem proxy / http://127.0.0.1:8765 { diff --git a/examples/caddy/matrix-synapse b/examples/caddy/matrix-synapse index 800d7f7b..8cb9805a 100644 --- a/examples/caddy/matrix-synapse +++ b/examples/caddy/matrix-synapse @@ -1,4 +1,5 @@ https://matrix.DOMAIN { + # If you use your own certificates, your path may differ tls /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem root /matrix/static-files @@ -10,14 +11,15 @@ https://matrix.DOMAIN { X-XSS-Protection "1; mode=block" } + # Identity server traffic proxy /_matrix/identity matrix-msisd:8090 { transparent } - proxy /_matrix/client/r0/user_directory/search matrix-msisd:8090 { transparent } + # Synapse Client<>Server API proxy / matrix-synapse:8008 { transparent without /.well-known/ /_matrix/identity/ /_matrix/client/r0/user_directory/search From aba8327991c7ff3e284d90d9318d7590c31ce68d Mon Sep 17 00:00:00 2001 From: jreichmann Date: Tue, 16 Apr 2019 19:46:17 +0200 Subject: [PATCH 0484/2384] Give a hint to look into the examples if using caddy --- docs/configuring-playbook-own-webserver.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 448f5d03..1f4ff863 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -49,6 +49,9 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" Once you've followed the [Preparation](#preparation) guide above, you can take a look at the [examples/apache](../examples/apache) directory for a sample configuration. +## Using your own external caddy webserver + +After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory for a sample configuration. ## Using another external webserver From deeefac84cad6a0f0fb150be029553b4fe7069ac Mon Sep 17 00:00:00 2001 From: p5t2vspoqqw Date: Wed, 17 Apr 2019 13:42:09 +0200 Subject: [PATCH 0485/2384] add ngnix-status to config add doc --- docs/configuring-playbook-ngnix.md | 13 +++++++++++++ docs/configuring-playbook.md | 2 ++ roles/matrix-nginx-proxy/defaults/main.yml | 2 ++ .../templates/nginx/conf.d/matrix-domain.conf.j2 | 9 +++++++++ 4 files changed, 26 insertions(+) create mode 100644 docs/configuring-playbook-ngnix.md diff --git a/docs/configuring-playbook-ngnix.md b/docs/configuring-playbook-ngnix.md new file mode 100644 index 00000000..81081e8b --- /dev/null +++ b/docs/configuring-playbook-ngnix.md @@ -0,0 +1,13 @@ +# Configure Ngnix (optional, advanced) + +By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443. +If that's alright, you can skip this. + + +## Using Ngnix status + +This will serve a statuspage to the hosting machine only. Useful for monitoring software like [longview](https://www.linode.com/docs/platform/longview/longview-app-for-nginx/) + +```yaml +matrix_nginx_proxy_nginx_status_enabled: true +``` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index c56cf11d..309fff09 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -43,6 +43,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Serving your base domain using this playbook's nginx server](configuring-playbook-base-domain-serving.md) (optional) +- [Configure Ngnix (optional, advanced)](configuring-playbook-ngnix.md) (optional, advanced) + - [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional, advanced) - [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional, advanced) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3576f4c4..54e25194 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,7 @@ matrix_nginx_proxy_enabled: true +matrix_nginx_proxy_nginx_status_enabled: false + # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # those as more frequently out of date. diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 679f3efa..b63f9fbc 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -4,6 +4,15 @@ server { server_tokens off; + {% if matrix_nginx_proxy_nginx_status_enabled %} + location /nginx_status { + stub_status on; + access_log off; + allow {{ ansible_default_ipv4.address }}; + deny all; + } + {% endif %} + location /.well-known/acme-challenge { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} From a4da1535dd267f4eb4bb6a3f4cf40bbb8003682a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Apr 2019 09:54:18 +0300 Subject: [PATCH 0486/2384] Split additional configuration options in groups It's too many configuration options to keep them in a single list. Trying to put some order. --- docs/configuring-playbook.md | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index c56cf11d..fad46203 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -27,11 +27,12 @@ When you're done with all the configuration you'd like to do, continue with [Ins ## Other configuration options -- [Enabling Telemetry for your Matrix server](configuring-playbook-telemetry.md) (optional) +### Additional useful services -- [Controlling Matrix federation](configuring-playbook-federation.md) (optional) +- [Setting up the Dimension Integration Manager](configuring-playbook-dimension.md) (optional, but recommended; after [installing](installing.md)) -- [Adjusting email-sending settings](configuring-playbook-email.md) (optional) + +### Core service adjustments - [Storing Matrix media files on Amazon S3](configuring-playbook-s3.md) (optional) @@ -45,6 +46,18 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional, advanced) + +### Server connectivity + +- [Enabling Telemetry for your Matrix server](configuring-playbook-telemetry.md) (optional) + +- [Controlling Matrix federation](configuring-playbook-federation.md) (optional) + +- [Adjusting email-sending settings](configuring-playbook-email.md) (optional) + + +### Authentication and user-related + - [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional, advanced) - [Setting up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) (optional, advanced) @@ -53,6 +66,9 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced) + +### Bridging other networks + - [Setting up Mautrix Telegram bridging](configuring-playbook-bridge-mautrix-telegram.md) (optional) - [Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md) (optional) @@ -60,5 +76,3 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional) - [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md) (optional) - -- [Setting up Dimension](configuring-playbook-dimension.md) (optional) From 9ea5088761e2e97770f20e598b790e9e155bebdf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Apr 2019 09:57:41 +0300 Subject: [PATCH 0487/2384] Add TURN server configuration documentation --- docs/configuring-playbook-turn.md | 33 +++++++++++++++++++++++++++++++ docs/configuring-playbook.md | 2 ++ 2 files changed, 35 insertions(+) create mode 100644 docs/configuring-playbook-turn.md diff --git a/docs/configuring-playbook-turn.md b/docs/configuring-playbook-turn.md new file mode 100644 index 00000000..547f2bef --- /dev/null +++ b/docs/configuring-playbook-turn.md @@ -0,0 +1,33 @@ +# TURN server + +The playbook installs a [Coturn](https://github.com/coturn/coturn) TURN server by default, so that clients can make audio/video calls even from [NAT](https://en.wikipedia.org/wiki/Network_address_translation)-ed networks. + +By default, the Synapse chat server is configured, so that it points to the Coturn TURN server installed by the playbook. + + +## Disabling Coturn + +If, for some reason, you'd like to prevent the playbook from installing Coturn, you can use the following configuration: + +```yaml +matrix_coturn_enabled: false +``` + +In that case, Synapse would not point to any Coturn servers and audio/video call functionality may fail. + + +## Using your own external Coturn server + +If you'd like to use another TURN server (be it Coturn or some other one), you can configure the playbook like this: + +```yaml +# Disable integrated Coturn server +matrix_coturn_enabled: false + +# Point Synapse to your other Coturn server +matrix_synapse_turn_uris: +- turns:HOSTNAME_OR_IP?transport=udp +- turns:HOSTNAME_OR_IP?transport=tcp +- turn:HOSTNAME_OR_IP?transport=udp +- turn:HOSTNAME_OR_IP?transport=tcp +``` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index fad46203..37de226a 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -46,6 +46,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional, advanced) +- [Adjusting TURN server configuration](configuring-playbook-turn.md) (optional, advanced) + ### Server connectivity From 18a562c000e818674a44d212418894285de0a480 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 21 Apr 2019 08:57:49 +0300 Subject: [PATCH 0488/2384] Upgrade services --- roles/matrix-mailer/defaults/main.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- roles/matrix-riot-web/defaults/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index f4b2e917..ffd00e36 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -2,7 +2,7 @@ matrix_mailer_enabled: true matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer" -matrix_mailer_docker_image: "devture/exim-relay:4.91-r1-0" +matrix_mailer_docker_image: "devture/exim-relay:4.91-r3-0" # The user/group that the container runs with. # These match the `exim` user/group within the container image. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3576f4c4..674757f9 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # those as more frequently out of date. -matrix_nginx_proxy_docker_image: "nginx:1.15.10-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.15.12-alpine" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data" diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 5f2ad164..4c6424dc 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,6 +1,6 @@ matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "bubuntux/riot-web:v1.0.7" +matrix_riot_web_docker_image: "bubuntux/riot-web:v1.0.8" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 39566aa7fe17cd80dfb78f430bd27946a51a693b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Apr 2019 10:06:42 +0300 Subject: [PATCH 0489/2384] Generate a Synapse signing key file, if missing The code used to check for a `homeserver.yaml` file and generate a configuration (+ key) only if such a configuration file didn't exist. Certain rare cases (setting up with one server name and then changing to another) lead to `homeserver.yaml` being there, but a `matrix.DOMAIN.signing.key` file missing (because the domain changed). A new signing key file would never get generated, because `homeserver.yaml`'s existence used to be (incorrectly) satisfactory for us. From now on, we don't mix things up like that. We don't care about `homeserver.yaml` anymore, but rather about the actual signing key. The rest of the configuration (`homeserver.yaml` and `matrix.DOMAIN.log.config`) is rebuilt by us in any case, so whether it exists or not is irrelevant and doesn't need checking. --- .../matrix-synapse/tasks/setup_synapse_main.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index 388e28ce..f1bb1430 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -22,17 +22,19 @@ docker_image: name: "{{ matrix_synapse_docker_image }}" -- name: Check if a Matrix Synapse configuration exists +- name: Check if a Synapse signing key exists stat: - path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" - register: matrix_synapse_config_stat + path: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key" + register: matrix_synapse_signing_key_stat -# We do this mostly so that the keys would get generated. -# We'll replace the rest of the configuration with our own templates below. +# We do this so that the signing key would get generated. +# +# This will also generate a default homeserver.yaml configuration file and a log configuration file. +# We don't care about those configuraiton files, as we replace them with our own anyway (see below). # # We don't use the `docker_container` module, because using it with `cap_drop` requires # a very recent version, which is not available for a lot of people yet. -- name: Generate initial Matrix config +- name: Generate initial Matrix config and signing key command: | docker run --rm @@ -45,7 +47,7 @@ -e SYNAPSE_REPORT_STATS=no {{ matrix_synapse_docker_image }} generate - when: "not matrix_synapse_config_stat.stat.exists" + when: "not matrix_synapse_signing_key_stat.stat.exists" - name: Ensure Matrix homeserver config installed template: From 892abdc7004ce53638027f8bc392bd2260334780 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Apr 2019 10:20:56 +0300 Subject: [PATCH 0490/2384] Do not refer to Synapse as "Matrix Synapse" --- README.md | 2 +- docs/configuring-playbook-s3.md | 6 +++--- docs/importing-media-store.md | 4 ++-- docs/importing-postgres.md | 2 +- docs/importing-sqlite.md | 8 ++++---- roles/matrix-synapse/defaults/main.yml | 10 +++++----- roles/matrix-synapse/tasks/import_media_store.yml | 2 +- roles/matrix-synapse/tasks/register_user.yml | 2 +- roles/matrix-synapse/tasks/setup_synapse_main.yml | 12 ++++++------ roles/matrix-synapse/tasks/setup_synapse_pre.yml | 4 ++-- .../synapse/systemd/matrix-synapse.service.j2 | 2 +- 11 files changed, 27 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index cc3c8fe4..388b1c29 100644 --- a/README.md +++ b/README.md @@ -92,7 +92,7 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w This playbook sets up your server using the following Docker images: -- [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Matrix Synapse](https://github.com/matrix-org/synapse) server +- [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Synapse](https://github.com/matrix-org/synapse) Matrix homeserver - [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) diff --git a/docs/configuring-playbook-s3.md b/docs/configuring-playbook-s3.md index e0687d8d..dda75cf2 100644 --- a/docs/configuring-playbook-s3.md +++ b/docs/configuring-playbook-s3.md @@ -1,9 +1,9 @@ # Storing Matrix media files on Amazon S3 (optional) -By default, this playbook configures your server to store Matrix Synapse's content repository (`media_store`) files on the local filesystem. +By default, this playbook configures your server to store Synapse's content repository (`media_store`) files on the local filesystem. If that's alright, you can skip this. -If you'd like to store Matrix Synapse's content repository (`media_store`) files on Amazon S3, +If you'd like to store Synapse's content repository (`media_store`) files on Amazon S3, you can let this playbook configure [Goofys](https://github.com/kahing/goofys) for you. You'll need an Amazon S3 bucket and some IAM user credentials (access key + secret key) with full write access to the bucket. Example security policy: @@ -36,4 +36,4 @@ matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "access-key-goes-here" matrix_s3_media_store_aws_secret_key: "secret-key-goes-here" matrix_s3_media_store_region: "eu-central-1" -``` \ No newline at end of file +``` diff --git a/docs/importing-media-store.md b/docs/importing-media-store.md index 7aa6c5b5..0d86370b 100644 --- a/docs/importing-media-store.md +++ b/docs/importing-media-store.md @@ -1,6 +1,6 @@ # Importing `media_store` data files from an existing installation (optional) -Run this if you'd like to import your `media_store` files from a previous installation of Matrix Synapse. +Run this if you'd like to import your `media_store` files from a previous installation of Synapse. ## Prerequisites @@ -19,4 +19,4 @@ Run this command (make sure to replace `` with a pat ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_media_store=' --tags=import-media-store -**Note**: `` must be a file path to a `media_store` directory on the server (not on your local machine!). \ No newline at end of file +**Note**: `` must be a file path to a `media_store` directory on the server (not on your local machine!). diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 7fd1ba97..878888f0 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -1,6 +1,6 @@ # Importing an existing Postgres database from another installation (optional) -Run this if you'd like to import your database from a previous installation of Matrix Synapse. +Run this if you'd like to import your database from a previous installation of Synapse. (don't forget to import your `media_store` files as well - see [the importing-media-store guide](importing-media-store.md)). diff --git a/docs/importing-sqlite.md b/docs/importing-sqlite.md index af705a79..cb30d098 100644 --- a/docs/importing-sqlite.md +++ b/docs/importing-sqlite.md @@ -1,12 +1,12 @@ # Importing an existing SQLite database from another installation (optional) -Run this if you'd like to import your database from a previous default installation of Matrix Synapse. +Run this if you'd like to import your database from a previous default installation of Synapse. (don't forget to import your `media_store` files as well - see [the importing-media-store guide](importing-media-store.md)). -While this playbook always sets up PostgreSQL, by default a Matrix Synapse installation would run +While this playbook always sets up PostgreSQL, by default a Synapse installation would run using an SQLite database. -If you have such a Matrix Synapse setup and wish to migrate it here (and over to PostgreSQL), this command is for you. +If you have such a Synapse setup and wish to migrate it here (and over to PostgreSQL), this command is for you. ## Prerequisites @@ -20,4 +20,4 @@ Run this command (make sure to replace `` with a f ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_homeserver_db=' --tags=import-sqlite-db -**Note**: `` must be a file path to a `homeserver.db` file on the server (not on your local machine!). \ No newline at end of file +**Note**: `` must be a file path to a `homeserver.db` file on the server (not on your local machine!). diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d6a4f047..8edc6b62 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -119,26 +119,26 @@ matrix_synapse_auto_join_rooms: [] # automatically if they don't already exist. matrix_synapse_autocreate_auto_join_rooms: true -# Controls password-peppering for Matrix Synapse. Not to be changed after initial setup. +# Controls password-peppering for Synapse. Not to be changed after initial setup. matrix_synapse_password_config_pepper: "" -# Controls the number of events that Matrix Synapse caches in memory. +# Controls the number of events that Synapse caches in memory. matrix_synapse_event_cache_size: "100K" -# Controls cache sizes for Matrix Synapse via the SYNAPSE_CACHE_FACTOR environment variable. +# Controls cache sizes for Synapse via the SYNAPSE_CACHE_FACTOR environment variable. # Raise this to increase cache sizes or lower it to potentially lower memory use. # To learn more, see: # - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram # - https://github.com/matrix-org/synapse/issues/3939 matrix_synapse_cache_factor: 0.5 -# Controls whether Matrix Synapse will federate at all. +# Controls whether Synapse will federate at all. # Disable this to completely isolate your server from the rest of the Matrix network. # Also see: `matrix_synapse_tls_federation_listener_enabled` if you wish to keep federation enabled, # but want to stop the TLS listener (port 8448). matrix_synapse_federation_enabled: true -# A list of domain names that are allowed to federate with the given Matrix Synapse server. +# A list of domain names that are allowed to federate with the given Synapse server. # An empty list value (`[]`) will also effectively stop federation, but if that's the desired # result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`. matrix_synapse_federation_domain_whitelist: ~ diff --git a/roles/matrix-synapse/tasks/import_media_store.yml b/roles/matrix-synapse/tasks/import_media_store.yml index f3f606fd..8d964715 100644 --- a/roles/matrix-synapse/tasks/import_media_store.yml +++ b/roles/matrix-synapse/tasks/import_media_store.yml @@ -73,7 +73,7 @@ # We don't chown for Goofys, because due to the way it's mounted, # all files become owned by whoever needs to own them. -- name: Ensure Matrix Synapse is started (if it previously was) +- name: Ensure Synapse is started (if it previously was) service: name: "{{ item }}" state: started diff --git a/roles/matrix-synapse/tasks/register_user.yml b/roles/matrix-synapse/tasks/register_user.yml index 1a4bd446..c476adfe 100644 --- a/roles/matrix-synapse/tasks/register_user.yml +++ b/roles/matrix-synapse/tasks/register_user.yml @@ -22,7 +22,7 @@ daemon_reload: yes register: start_result -- name: Wait a while, so that Matrix Synapse can manage to start +- name: Wait a while, so that Synapse can manage to start pause: seconds: 7 when: start_result.changed diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index f1bb1430..6e56b659 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -1,7 +1,7 @@ --- # This will throw a Permission Denied error if already mounted using fuse -- name: Check Matrix Synapse media store path +- name: Check Synapse media store path stat: path: "{{ matrix_synapse_media_store_path }}" register: local_path_media_store_stat @@ -9,7 +9,7 @@ # This is separate and conditional, to ensure we don't execute it # if the path already exists or we failed to check, because it's mounted using fuse. -- name: Ensure Matrix media store path exists +- name: Ensure Synapse media store path exists file: path: "{{ matrix_synapse_media_store_path }}" state: directory @@ -18,7 +18,7 @@ group: "{{ matrix_user_username }}" when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" -- name: Ensure Matrix Docker image is pulled +- name: Ensure Synapse Docker image is pulled docker_image: name: "{{ matrix_synapse_docker_image }}" @@ -34,7 +34,7 @@ # # We don't use the `docker_container` module, because using it with `cap_drop` requires # a very recent version, which is not available for a lot of people yet. -- name: Generate initial Matrix config and signing key +- name: Generate initial Synapse config and signing key command: | docker run --rm @@ -49,13 +49,13 @@ generate when: "not matrix_synapse_signing_key_stat.stat.exists" -- name: Ensure Matrix homeserver config installed +- name: Ensure Synapse homeserver config installed template: src: "{{ matrix_synapse_template_synapse_homeserver }}" dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" mode: 0644 -- name: Ensure Matrix log config installed +- name: Ensure Synapse log config installed template: src: "{{ matrix_synapse_template_synapse_log }}" dest: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.log.config" diff --git a/roles/matrix-synapse/tasks/setup_synapse_pre.yml b/roles/matrix-synapse/tasks/setup_synapse_pre.yml index 2871ef26..f95c3eb2 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_pre.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_pre.yml @@ -4,7 +4,7 @@ matrix_synapse_media_store_parent_path: "{{ matrix_synapse_media_store_path|dirname }}" matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}" -- name: Ensure Matrix Synapse paths exist +- name: Ensure Synapse paths exist file: path: "{{ item }}" state: directory @@ -17,4 +17,4 @@ - "{{ matrix_synapse_ext_path }}" # We handle matrix_synapse_media_store_path elsewhere (in setup_synapse_main.yml), # because if it's using Goofys and it's already mounted (from before), - # trying to chown/chmod it here will cause trouble. \ No newline at end of file + # trying to chown/chmod it here will cause trouble. diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index f11e99d4..fe8d0c8a 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -1,5 +1,5 @@ [Unit] -Description=Matrix Synapse server +Description=Synapse server {% for service in matrix_synapse_systemd_required_services_list %} Requires={{ service }} After={{ service }} From 7ee6927ca92e6acae0ddb313877cd9b2e7dc7ee1 Mon Sep 17 00:00:00 2001 From: p5t2vspoqqw Date: Tue, 23 Apr 2019 09:44:02 +0200 Subject: [PATCH 0491/2384] add suggested change; correct indent --- docs/configuring-playbook-ngnix.md | 8 +++++++ roles/matrix-nginx-proxy/defaults/main.yml | 7 ++++-- .../nginx/conf.d/matrix-domain.conf.j2 | 24 ++++++++++--------- 3 files changed, 26 insertions(+), 13 deletions(-) diff --git a/docs/configuring-playbook-ngnix.md b/docs/configuring-playbook-ngnix.md index 81081e8b..e2a46a72 100644 --- a/docs/configuring-playbook-ngnix.md +++ b/docs/configuring-playbook-ngnix.md @@ -11,3 +11,11 @@ This will serve a statuspage to the hosting machine only. Useful for monitoring ```yaml matrix_nginx_proxy_nginx_status_enabled: true ``` + +In default ```matrix_nginx_proxy_nginx_status_enabled``` will add the local ip adress. If you wish to listen to other ip-adresses provide a list: + +```yaml +matrix_nginx_proxy_nginx_status_allowed_addresses: +- 8.8.8.8 +- 1.1.1.1 +``` diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 54e25194..7c9739c3 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,7 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_nginx_status_enabled: false - # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # those as more frequently out of date. @@ -142,3 +140,8 @@ matrix_ssl_lets_encrypt_support_email: ~ matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" + + +# ngnix status page configurations. +matrix_nginx_proxy_nginx_status_enabled: false +matrix_nginx_proxy_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}'] diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index b63f9fbc..f33d6959 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -4,25 +4,27 @@ server { server_tokens off; - {% if matrix_nginx_proxy_nginx_status_enabled %} - location /nginx_status { - stub_status on; - access_log off; - allow {{ ansible_default_ipv4.address }}; - deny all; - } - {% endif %} +{% if matrix_nginx_proxy_nginx_status_enabled %} + location /nginx_status { + stub_status on; + access_log off; +{% for address in matrix_nginx_proxy_nginx_status_allowed_addresses %} + allow {{ address }}; +{% endfor %} + deny all; + } +{% endif %} location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} +{% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; set $backend "matrix-certbot:8080"; proxy_pass http://$backend; - {% else %} +{% else %} {# Generic configuration for use outside of our container setup #} proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} +{% endif %} } location / { From ec0f93622746c579ea6dc0540e1673ba153f84f3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Apr 2019 17:49:03 +0300 Subject: [PATCH 0492/2384] Try SSL renewal more frequently and reload later It doesn't hurt to attempt renewal more frequently, as it only does real work if it's actually necessary. Reloading, we postpone some more, because certbot adds some random delay (between 1 and 8 * 60 seconds) when renewing. We want to ensure we reload at least 8 minutes later, which wasn't the case. To make it even safer (in case future certbot versions use a longer delay), we reload a whole hour later. We're in no rush to start using the new certificates anyway, especially given that we attempt renewal often. Somewhat fixes #146 (Github Issue) --- .../matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index e4613ed7..771081b1 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -69,7 +69,7 @@ state: present hour: 4 minute: 15 - day: "*/5" + day: "*" job: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew - name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload) @@ -78,9 +78,9 @@ cron_file: matrix-ssl-lets-encrypt name: matrix-nginx-proxy-reload state: present - hour: 4 + hour: 5 minute: 20 - day: "*/5" + day: "*" job: /bin/systemctl reload matrix-nginx-proxy.service when: matrix_nginx_proxy_enabled when: "matrix_ssl_retrieval_method == 'lets-encrypt'" From ca15d219b9a63f08667fc45d1a5f2518ce1d5244 Mon Sep 17 00:00:00 2001 From: Daniel Hoffend Date: Thu, 25 Apr 2019 01:05:28 +0200 Subject: [PATCH 0493/2384] make welcome.html customizable --- group_vars/matrix-servers | 2 + roles/matrix-riot-web/defaults/main.yml | 3 + .../matrix-riot-web/tasks/setup_riot_web.yml | 1 + .../systemd/matrix-riot-web.service.j2 | 1 + .../matrix-riot-web/templates/welcome.html.j2 | 194 ++++++++++++++++++ 5 files changed, 201 insertions(+) create mode 100644 roles/matrix-riot-web/templates/welcome.html.j2 diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 7ded5ff4..facf1b84 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -319,6 +319,8 @@ matrix_riot_web_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations matrix_riot_web_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" +matrix_riot_web_registration_enabled: "{{ matrix_synapse_enable_registration }}" + ###################################################################### # # /matrix-riot-web diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 4c6424dc..b1112eee 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -28,3 +28,6 @@ matrix_riot_web_embedded_pages_home_path: ~ # Controls whether the self-check feature should validate SSL certificates. matrix_riot_web_self_check_validate_certificates: true + +# don't show the registration button on welcome page +matrix_riot_web_registration_enabled: false diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index a8a314b0..62eb750b 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -28,6 +28,7 @@ with_items: - {src: "{{ role_path }}/templates/config.json.j2", name: "config.json"} - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + - {src: "{{ role_path }}/templates/welcome.html.j2", name: "welcome.html"} - {src: "{{ matrix_riot_web_embedded_pages_home_path }}", name: "home.html"} when: "matrix_riot_web_enabled and item.src is not none" diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 2b57f27c..06f60cc5 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -25,6 +25,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ {% if matrix_riot_web_embedded_pages_home_path is not none %} -v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \ {% endif %} + -v {{ matrix_riot_web_data_path }}/welcome.html:/etc/riot-web/welcome.html:ro \ {{ matrix_riot_web_docker_image }} ExecStop=-/usr/bin/docker kill matrix-riot-web ExecStop=-/usr/bin/docker rm matrix-riot-web diff --git a/roles/matrix-riot-web/templates/welcome.html.j2 b/roles/matrix-riot-web/templates/welcome.html.j2 new file mode 100644 index 00000000..6456e947 --- /dev/null +++ b/roles/matrix-riot-web/templates/welcome.html.j2 @@ -0,0 +1,194 @@ + + +
+ + + +

_t("Welcome to Riot.im")

+

_t("Decentralised, encrypted chat & collaboration powered by [matrix]")

+
+
+ +
_t("Sign In")
+
+{% if matrix_riot_web_registration_enabled %} + +
_t("Create Account")
+
+{% endif %} +
+{% if matrix_riot_web_disable_guests != true %} + + +
+
+
_t("Need help?")
+ +
_t("Chat with Riot Bot")
+
+
+
+
_t("Explore rooms")
+ +
_t("Room Directory")
+
+
+
+ +{% endif %} +
+
From 8624cf4a57be11acd0d9803844dd57ea65c2257f Mon Sep 17 00:00:00 2001 From: Ciaran Ainsworth Date: Fri, 26 Apr 2019 14:11:40 +0100 Subject: [PATCH 0494/2384] Fixed default url preview settings --- .../templates/synapse/homeserver.yaml.j2 | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 41649e5c..4c8b9654 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -525,7 +525,7 @@ max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" # an explicit url_preview_ip_range_blacklist of IPs that the spider is # denied from accessing. # -#url_preview_enabled: false +url_preview_enabled: true # List of IP address CIDR ranges that the URL preview spider is denied # from accessing. There are no defaults: you must explicitly @@ -534,18 +534,18 @@ max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" # to connect to, otherwise anyone in any Matrix room could cause your # synapse to issue arbitrary GET requests to your internal services, # causing serious security issues. -# -#url_preview_ip_range_blacklist: -# - '127.0.0.0/8' -# - '10.0.0.0/8' -# - '172.16.0.0/12' -# - '192.168.0.0/16' -# - '100.64.0.0/10' -# - '169.254.0.0/16' -# - '::1/128' -# - 'fe80::/64' -# - 'fc00::/7' -# + +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + # List of IP address CIDR ranges that the URL preview spider is allowed # to access even if they are specified in url_preview_ip_range_blacklist. # This is useful for specifying exceptions to wide-ranging blacklisted @@ -590,8 +590,8 @@ max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' # The largest allowed URL preview spidering size in bytes -# -#max_spider_size: 10M + +max_spider_size: 10M ## Captcha ## From 6aa6633ee7052010d7f087488584bf9ea50115a2 Mon Sep 17 00:00:00 2001 From: Hugues De Keyzer Date: Sat, 27 Apr 2019 21:54:21 +0200 Subject: [PATCH 0495/2384] Fix value of nginx-proxy tmpfs size Use an int conversion in the computation of the value of matrix_nginx_proxy_tmp_directory_size_mb, to have the integer value multiplied by 50 instead of having the string repeated 50 times. --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 674757f9..beb0850e 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -92,7 +92,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_c matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem" # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. -matrix_nginx_proxy_tmp_directory_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb * 50 }}" +matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" # A list of strings containing additional configuration blocks to add to the matrix domain's server configuration. matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] From 1e344d5a7ab382b9cfbe67ce78523deb1f5c9495 Mon Sep 17 00:00:00 2001 From: Hugues De Keyzer Date: Sat, 27 Apr 2019 22:12:05 +0200 Subject: [PATCH 0496/2384] Remove hardcoded values in matrix-remove-all Use matrix_docker_network and matrix_base_data_path in matrix-remove-all instead of hardcoded default values. --- .../templates/usr-local-bin/matrix-remove-all.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 index fc1ab5ba..9fad37d9 100644 --- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 @@ -26,9 +26,9 @@ else echo "Remove every docker images" docker rmi $(docker images -aq) echo "Remove docker matrix network" - docker network rm matrix - echo "Remove /matrix directory" - rm -fr /matrix + docker network rm {{ matrix_docker_network }} + echo "Remove {{ matrix_base_data_path }} directory" + rm -fr "{{ matrix_base_data_path }}" exit 0 fi From ed442af96f354713696e10804cb20998a555ee1d Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 27 Apr 2019 16:28:40 -0500 Subject: [PATCH 0497/2384] Update mxisd (1.3.1 -> 1.4.1) --- roles/matrix-mxisd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index cb83674c..441a49cc 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -1,6 +1,6 @@ matrix_mxisd_enabled: true -matrix_mxisd_docker_image: "kamax/mxisd:1.3.1" +matrix_mxisd_docker_image: "kamax/mxisd:1.4.1" matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" From 5586eaddefca72cf73425d6d8867e2f8686ef322 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Thu, 25 Apr 2019 16:27:45 -0500 Subject: [PATCH 0498/2384] Set Riot's enable_presence_by_hs_url to false if presence is disabled --- roles/matrix-riot-web/templates/config.json.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 9477e53c..207b58fd 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -14,6 +14,11 @@ "servers": {{ matrix_riot_web_roomdir_servers|to_json }} }, "welcomeUserId": {{ matrix_riot_web_welcome_user_id|to_json }}, + {% if matrix_synapse_use_presence|to_json %} + "enable_presence_by_hs_url": { + {{ matrix_riot_web_default_hs_url|to_json }}: false + }, + {% endif %} "embeddedPages": { "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|to_json }} } From e42fe4b18c81f891c56eb5257f60dc95c36e9166 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 27 Apr 2019 17:09:21 -0500 Subject: [PATCH 0499/2384] Include Slavi's improvements to keep roles independent --- group_vars/matrix-servers | 7 +++++++ roles/matrix-riot-web/defaults/main.yml | 3 +++ roles/matrix-riot-web/templates/config.json.j2 | 6 ++---- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index facf1b84..6f104892 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -321,6 +321,13 @@ matrix_riot_web_self_check_validate_certificates: "{{ false if matrix_ssl_retrie matrix_riot_web_registration_enabled: "{{ matrix_synapse_enable_registration }}" +matrix_riot_web_enable_presence_by_hs_url: | + {{ + none + if matrix_synapse_use_presence + else {matrix_riot_web_default_hs_url: false} + }} + ###################################################################### # # /matrix-riot-web diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index b1112eee..e17663b0 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -31,3 +31,6 @@ matrix_riot_web_self_check_validate_certificates: true # don't show the registration button on welcome page matrix_riot_web_registration_enabled: false + +# Controls whether Riot shows the presence features +matrix_riot_web_enable_presence_by_hs_url: ~ diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 207b58fd..477fe4da 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -14,10 +14,8 @@ "servers": {{ matrix_riot_web_roomdir_servers|to_json }} }, "welcomeUserId": {{ matrix_riot_web_welcome_user_id|to_json }}, - {% if matrix_synapse_use_presence|to_json %} - "enable_presence_by_hs_url": { - {{ matrix_riot_web_default_hs_url|to_json }}: false - }, + {% if matrix_riot_web_enable_presence_by_hs_url is not none %} + "enable_presence_by_hs_url": {{ matrix_riot_web_enable_presence_by_hs_url|to_json }}, {% endif %} "embeddedPages": { "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|to_json }} From 00ec22688aee5840bfdfa96348a9de402433c3b7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 28 Apr 2019 10:15:46 +0300 Subject: [PATCH 0500/2384] Upgrade mxisd (1.4.1 -> 1.4.2) Looks like we may not have to do this, since 1.4.2 fixes edge cases for people who used the broken 1.4.0 release. We jumped straight to 1.4.1, so maybe we're okay. Still, upgrading anyway, just in case. --- roles/matrix-mxisd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index 441a49cc..caaccfd0 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -1,6 +1,6 @@ matrix_mxisd_enabled: true -matrix_mxisd_docker_image: "kamax/mxisd:1.4.1" +matrix_mxisd_docker_image: "kamax/mxisd:1.4.2" matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" From 7c246b4a99c4c9e748476ce478149a88e3e70eef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 28 Apr 2019 11:02:13 +0300 Subject: [PATCH 0501/2384] Make error about unset matrix_ssl_lets_encrypt_support_email more descriptive Previously, we'd show an error like this: {"changed": false, "item": null, "msg": "Detected an undefined required variable"} .. which didn't mention the variable name (`matrix_ssl_lets_encrypt_support_email`). --- roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 771081b1..629f24c7 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -30,8 +30,8 @@ fail: msg: "Detected an undefined required variable" with_items: - - "{{ matrix_ssl_lets_encrypt_support_email }}" - when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item is none" + - "matrix_ssl_lets_encrypt_support_email" + when: "matrix_ssl_retrieval_method == 'lets-encrypt' and vars[item] is none" - name: Ensure certbot Docker image is pulled docker_image: From 3387035400ab7cc2f588fb096cfac446f2b25d10 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 29 Apr 2019 08:51:03 +0300 Subject: [PATCH 0502/2384] Enable Native Python Types for Jinja2 Helps with #151 (Github Pull Request), but only for Ansible >= 2.7 and when Jinja >= 2.10 is in use. For other version combinations we still need the workaround proposed in the pull rqeuest. --- ansible.cfg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible.cfg b/ansible.cfg index 48bc18c4..4f7b0e99 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,2 +1,4 @@ [defaults] retry_files_enabled = False +# jinja2_native helps with problems like https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/151 +jinja2_native = True From 5be1d50b3ad1f51ed523a1224c8c9ab128aae034 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 29 Apr 2019 09:07:05 +0300 Subject: [PATCH 0503/2384] Revert "Enable Native Python Types for Jinja2" This reverts commit 3387035400ab7cc2f588fb096cfac446f2b25d10. Enabling `jinja2_native` does help with the issue it is trying to address - #151 (Github Pull Request), but it introduces a regression when generating templates. An example is `roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2`, which yields a strange resulting value of: ``` location /.well-known/acme-challenge { resolver 127.0.0.11 valid=5s; set $backend "matrix-certbot:8080"; proxy_pass http://$backend; resolver 127.0.0.11 valid=5s; set $backend "matrix-certbot:8080"; proxy_pass http://$backend; } ``` For whatever reason (still to be investigated), the `if` block's contents seem to have been outputted twice. Reverting until this is resolved. Until then, #151 would rely on the workaround and not on `jinja2_native`. --- ansible.cfg | 2 -- 1 file changed, 2 deletions(-) diff --git a/ansible.cfg b/ansible.cfg index 4f7b0e99..48bc18c4 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,4 +1,2 @@ [defaults] retry_files_enabled = False -# jinja2_native helps with problems like https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/151 -jinja2_native = True From bf77f776a2f9578eeac6b81b159ba5959718c9ac Mon Sep 17 00:00:00 2001 From: Sylvia van Os Date: Tue, 30 Apr 2019 11:55:31 +0200 Subject: [PATCH 0504/2384] Add variable to disable homeserver url preview --- roles/matrix-synapse/defaults/main.yml | 4 ++++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 8edc6b62..ee454b5a 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -167,6 +167,10 @@ matrix_synapse_password_providers_enabled: false # to load message content directly from the homeserver. matrix_synapse_push_include_content: true +# If url previews should be generated. This will cause a request from Synapse to +# URLs shared by users. +matrix_synapse_url_preview_enabled: true + # Enable exposure of metrics to Prometheus # See https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.rst matrix_synapse_metrics_enabled: false diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 4c8b9654..c5edf9b1 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -525,7 +525,7 @@ max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" # an explicit url_preview_ip_range_blacklist of IPs that the spider is # denied from accessing. # -url_preview_enabled: true +url_preview_enabled: {{ matrix_synapse_url_preview_enabled|to_json }} # List of IP address CIDR ranges that the URL preview spider is denied # from accessing. There are no defaults: you must explicitly @@ -1169,4 +1169,4 @@ alias_creation_rules: {{ matrix_alias_creation_rules|to_json }} # room_id: "*" # action: allow -room_list_publication_rules: {{ matrix_room_list_publication_rules|to_json }} \ No newline at end of file +room_list_publication_rules: {{ matrix_room_list_publication_rules|to_json }} From 134faa3139c16ccae648fed34638ddd108d7c97e Mon Sep 17 00:00:00 2001 From: Lyubomir Popov Date: Tue, 30 Apr 2019 16:30:26 +0300 Subject: [PATCH 0505/2384] Add the ability to update user passwords with ansible (when using the matrix-postgres container). --- docs/README.md | 2 + docs/updating-users-passwords.md | 19 ++++++++ roles/matrix-base/defaults/main.yml | 1 + roles/matrix-base/tasks/setup_server_base.yml | 4 +- .../matrix-postgres/tasks/setup_postgres.yml | 7 +++ ...trix-postgres-update-user-password-hash.j2 | 15 ++++++ roles/matrix-synapse/tasks/main.yml | 5 ++ .../tasks/setup_synapse_main.yml | 6 +++ .../tasks/update_user_password.yml | 48 +++++++++++++++++++ .../matrix-synapse-generate-password-hash.j2 | 31 ++++++++++++ 10 files changed, 137 insertions(+), 1 deletion(-) create mode 100644 docs/updating-users-passwords.md create mode 100644 roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 create mode 100644 roles/matrix-synapse/tasks/update_user_password.yml create mode 100644 roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 diff --git a/docs/README.md b/docs/README.md index 1718c6ac..f623085b 100644 --- a/docs/README.md +++ b/docs/README.md @@ -12,6 +12,8 @@ - [Registering users](registering-users.md) +- [Updating users passwords](updating-users-passwords.md) + - [Configuring service discovery via .well-known](configuring-well-known.md) - [Maintenance / checking if services work](maintenance-checking-services.md) diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md new file mode 100644 index 00000000..72b1f278 --- /dev/null +++ b/docs/updating-users-passwords.md @@ -0,0 +1,19 @@ +# Updating users passwords + +If you are using the matrix-postgres container(default), you can do it via this Ansible playbook (make sure to edit the `` and `` part below): + + ansible-playbook -i inventory/hosts setup.yml --extra-vars='username= password=' --tags=update-user-password + +**Note**: `` is just a plain username (like `john`), not your full `@:` identifier. + +**You can then log in with that user** via the riot-web service that this playbook has created for you at a URL like this: `https://riot./`. + +If you are NOT using the matrix-postgres container, you can generate the password hash by using the command-line after **SSH**-ing to your server (requires that [all services have been started](#starting-the-services)): + + docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml + +and then connecting to the postgres server and executing: + + UPDATE users SET password_hash = '' WHERE name = '@someone:server.com' + +where `` is the hash returned by the docker command above. diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 86369408..ab38084b 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -48,6 +48,7 @@ run_import_postgres: true run_upgrade_postgres: true run_start: true run_register_user: true +run_update_user_password: true run_import_sqlite_db: true run_import_media_store: true run_self_check: true diff --git a/roles/matrix-base/tasks/setup_server_base.yml b/roles/matrix-base/tasks/setup_server_base.yml index f4a8352f..2ccdbd83 100644 --- a/roles/matrix-base/tasks/setup_server_base.yml +++ b/roles/matrix-base/tasks/setup_server_base.yml @@ -25,6 +25,7 @@ - docker-python - ntp - fuse + - expect state: latest update_cache: yes when: ansible_distribution == 'CentOS' @@ -62,13 +63,14 @@ - python-docker - ntp - fuse + - expect state: latest update_cache: yes when: ansible_os_family == 'Debian' - name: Ensure Docker is started and autoruns service: - name: docker + name: docker state: started enabled: yes diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index e22e1024..659650db 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -123,3 +123,10 @@ debug: msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it." when: "not matrix_postgres_enabled and matrix_postgres_data_path_stat.stat.exists" + +- name: Ensure matrix-postgres-update-user-password-hash script created + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" + dest: "/usr/local/bin/matrix-postgres-update-user-password-hash" + mode: 0750 + when: matrix_postgres_enabled \ No newline at end of file diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 new file mode 100644 index 00000000..bd99211c --- /dev/null +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 @@ -0,0 +1,15 @@ +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" " + exit 1 +fi + +docker run \ + --rm \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ + --network {{ matrix_docker_network }} \ + {{ matrix_postgres_docker_image_to_use }} \ + psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'" diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index 1049cb5f..058cf05f 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -37,3 +37,8 @@ when: run_self_check tags: - self-check + +- import_tasks: "{{ role_path }}/tasks/update_user_password.yml" + when: run_update_user_password + tags: + - update-user-password \ No newline at end of file diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index 6e56b659..7be5f045 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -79,3 +79,9 @@ dest: "/usr/local/bin/matrix-synapse-register-user" mode: 0750 +- name: Ensure matrix-synapse-generate-password-hash script created + template: + src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2" + dest: "/usr/local/bin/matrix-synapse-generate-password-hash" + mode: 0750 + diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml new file mode 100644 index 00000000..c464e0d7 --- /dev/null +++ b/roles/matrix-synapse/tasks/update_user_password.yml @@ -0,0 +1,48 @@ +--- + +- name: Fail if playbook called incorrectly + fail: + msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" + when: "username is not defined or username == ''" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" + when: "password is not defined or password == ''" + +- name: Fail if not using matrix-postgres container + fail: + msg: "This command is working only when matrix-postgres container is being used" + when: "not matrix_postgres_enabled" + +- name: Ensure matrix-synapse is started + service: + name: matrix-synapse + state: started + daemon_reload: yes + register: start_result + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: postgres_start_result + + +- name: Wait a while, so that Matrix Synapse can manage to start + pause: + seconds: 7 + when: start_result.changed + +- name: Wait a while, so that Matrix Postgres can manage to start + pause: + seconds: 7 + when: postgres_start_result.changed + +- name: Generate password hash + shell: "/usr/local/bin/matrix-synapse-generate-password-hash {{ password }}" + register: password_hash + +- name: Update user password hash + shell: "/usr/local/bin/matrix-postgres-update-user-password-hash {{ username }} '{{ password_hash.stdout }}'" diff --git a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 new file mode 100644 index 00000000..c6858aa8 --- /dev/null +++ b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 @@ -0,0 +1,31 @@ +#!/usr/bin/env expect + +# Read the password string +set pass [lindex $argv 0] + +# Check if password was provided +if { $pass == "" } { + puts "Usage: $argv0 " + exit 1 +} + +# Disable output +log_user 0 + +# Execute password hashing script +spawn docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml +expect "Password: " +send "$pass\r" +expect "Confirm password: " +send "$pass\r" +expect "%" + +# Save the hash output to a variable +set output $expect_out(buffer) + +# Trim the whitespace +regexp {\S+} $output passwordHash + +# Output the password hash +puts -nonewline stdout $passwordHash +close stdout From 75b1528d139117f5cfc19151b6af3838b6a3aad0 Mon Sep 17 00:00:00 2001 From: Sylvia van Os Date: Tue, 30 Apr 2019 16:35:18 +0200 Subject: [PATCH 0506/2384] Add the possibility to pass extra flags to the docker container --- roles/matrix-corporal/defaults/main.yml | 3 +++ .../templates/systemd/matrix-corporal.service.j2 | 3 +++ roles/matrix-coturn/defaults/main.yml | 3 +++ roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 | 3 +++ roles/matrix-dimension/defaults/main.yml | 3 +++ .../templates/systemd/matrix-dimension.service.j2 | 3 +++ roles/matrix-mailer/defaults/main.yml | 3 +++ roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 | 3 +++ roles/matrix-mxisd/defaults/main.yml | 3 +++ roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 | 3 +++ roles/matrix-nginx-proxy/defaults/main.yml | 3 +++ .../templates/systemd/matrix-nginx-proxy.service.j2 | 3 +++ roles/matrix-postgres/defaults/main.yml | 3 +++ .../templates/systemd/matrix-postgres.service.j2 | 3 +++ roles/matrix-riot-web/defaults/main.yml | 3 +++ .../templates/systemd/matrix-riot-web.service.j2 | 3 +++ roles/matrix-synapse/defaults/main.yml | 3 +++ .../templates/synapse/systemd/matrix-synapse.service.j2 | 3 +++ 18 files changed, 54 insertions(+) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index a1406f03..09bdbb56 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -6,6 +6,9 @@ matrix_corporal_enabled: true # Controls whether the matrix-corporal web server's ports (`41080` and `41081`) are exposed outside of the container. matrix_corporal_container_expose_ports: false +# A list of extra arguments to pass to the container +matrix_corporal_container_extra_arguments: [] + # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index 4035aa65..d0adbf9d 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -22,6 +22,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \ -v {{ matrix_corporal_config_dir_path }}:/etc/matrix-corporal:ro \ -v {{ matrix_corporal_cache_dir_path }}:/var/cache/matrix-corporal:rw \ -v {{ matrix_corporal_var_dir_path }}:/var/matrix-corporal:rw \ + {% for arg in matrix_corporal_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_corporal_docker_image }} \ /matrix-corporal -config=/etc/matrix-corporal/config.json ExecStop=-/usr/bin/docker kill matrix-corporal diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index b70c4058..b12cabe7 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -23,6 +23,9 @@ matrix_coturn_systemd_required_services_list: ['docker.service'] # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} matrix_coturn_container_additional_volumes: [] +# A list of extra arguments to pass to the container +matrix_coturn_container_extra_arguments: [] + # A shared secret (between Synapse and Coturn) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_coturn_turn_static_auth_secret: "" diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index b2d909f2..c1f00789 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -27,6 +27,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ {% for volume in matrix_coturn_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} + {% for arg in matrix_coturn_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_coturn_docker_image }} \ -c /turnserver.conf diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 43841fee..b8acb9d7 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -20,6 +20,9 @@ matrix_dimension_user_gid: 1000 matrix_dimension_container_expose_port: false +# A list of extra arguments to pass to the container +matrix_dimension_container_extra_arguments: [] + matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/riot" matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar" matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 12f111f3..c176b3e7 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -19,6 +19,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ -p 127.0.0.1:8184:8184 \ {% endif %} -v {{ matrix_dimension_base_path }}:/data:rw \ + {% for arg in matrix_dimension_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_dimension_docker_image }} ExecStop=-/usr/bin/docker kill matrix-dimension ExecStop=-/usr/bin/docker rm matrix-dimension diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index ffd00e36..184fd3cc 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -9,6 +9,9 @@ matrix_mailer_docker_image: "devture/exim-relay:4.91-r3-0" matrix_mailer_container_user_uid: 100 matrix_mailer_container_user_gid: 101 +# A list of extra arguments to pass to the container +matrix_mailer_container_extra_arguments: [] + matrix_mailer_sender_address: "matrix@{{ matrix_domain }}" matrix_mailer_relay_use: false matrix_mailer_relay_host_name: "mail.example.com" diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index f9e1348e..de07a687 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -16,6 +16,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_mailer_base_path }}/env-mailer \ --hostname={{ matrix_server_fqn_matrix }} \ + {% for arg in matrix_mailer_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_mailer_docker_image }} ExecStop=-/usr/bin/docker kill matrix-mailer ExecStop=-/usr/bin/docker rm matrix-mailer diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index caaccfd0..9ddeb72e 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -8,6 +8,9 @@ matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" # Controls whether the mxisd web server's port (`8090`) is exposed outside of the container. matrix_mxisd_container_expose_port: false +# A list of extra arguments to pass to the container +matrix_mxisd_container_extra_arguments: [] + # List of systemd services that matrix-mxisd.service depends on matrix_mxisd_systemd_required_services_list: ['docker.service'] diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 index de0c0681..6d951643 100644 --- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 +++ b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 @@ -27,6 +27,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ {% endif %} -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ -v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \ + {% for arg in matrix_mxisd_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_mxisd_docker_image }} ExecStop=-/usr/bin/docker kill matrix-mxisd diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index beb0850e..96ceccd9 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -21,6 +21,9 @@ matrix_nginx_proxy_systemd_wanted_services_list: [] # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} matrix_nginx_proxy_container_additional_volumes: [] +# A list of extra arguments to pass to the container +matrix_nginx_proxy_container_extra_arguments: [] + # Controls whether matrix-nginx-proxy should serve the base domain. # # This is useful for when you only have your Matrix server, but you need to serve diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index cb2c4da2..d3cf4044 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -33,6 +33,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ {% for volume in matrix_nginx_proxy_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} + {% for arg in matrix_nginx_proxy_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_nginx_proxy_docker_image }} ExecStop=-/usr/bin/docker kill matrix-nginx-proxy diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 4b26f42d..1729a275 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -12,3 +12,6 @@ matrix_postgres_docker_image_v9: "postgres:9.6.12-alpine" matrix_postgres_docker_image_v10: "postgres:10.7-alpine" matrix_postgres_docker_image_v11: "postgres:11.2-alpine" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}" + +# A list of extra arguments to pass to the container +matrix_postgres_container_extra_arguments: [] diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 0d2b9fcf..14321efd 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -18,6 +18,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ --env-file={{ matrix_postgres_base_path }}/env-postgres-server \ -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data:rw \ -v /etc/passwd:/etc/passwd:ro \ + {% for arg in matrix_postgres_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_postgres_docker_image_to_use }} ExecStop=-/usr/bin/docker stop matrix-postgres ExecStop=-/usr/bin/docker rm matrix-postgres diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index e17663b0..10c5773a 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -6,6 +6,9 @@ matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" matrix_riot_web_container_expose_port: false +# A list of extra arguments to pass to the container +matrix_riot_web_container_extra_arguments: [] + # List of systemd services that matrix-riot-web.service depends on matrix_riot_web_systemd_required_services_list: ['docker.service'] diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 06f60cc5..a270e0e3 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -26,6 +26,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ -v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \ {% endif %} -v {{ matrix_riot_web_data_path }}/welcome.html:/etc/riot-web/welcome.html:ro \ + {% for arg in matrix_riot_web_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_riot_web_docker_image }} ExecStop=-/usr/bin/docker kill matrix-riot-web ExecStop=-/usr/bin/docker rm matrix-riot-web diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index ee454b5a..56e81d02 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -24,6 +24,9 @@ matrix_appservice_discord_container_expose_client_server_api_port: false # Controls whether the matrix-synapse container exposes the metrics port (tcp/9100). matrix_synapse_container_expose_metrics_port: false +# A list of extra arguments to pass to the container +matrix_synapse_container_extra_arguments: [] + # List of systemd services that matrix-synapse.service depends on matrix_synapse_systemd_required_services_list: ['docker.service'] diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index fe8d0c8a..2470256c 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -46,6 +46,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% for volume in matrix_synapse_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} + {% for arg in matrix_synapse_container_extra_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_synapse_docker_image }} \ -m synapse.app.homeserver -c /data/homeserver.yaml From 0e391b5870e4f6d4b88b7076ab2577f3e0f4e9b6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 Apr 2019 18:25:57 +0300 Subject: [PATCH 0507/2384] Add explicit |int casting for more variables As discussed in #151 (Github Pull Request), it's a good idea to not selectively apply casting, but to do it in all cases involving arithmetic operations. --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index beb0850e..2c99c84f 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -87,7 +87,7 @@ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25 matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:8048" -matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb * 3 }}" +matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem" From a206b65ed7e1d5f2e1e8af48a7537c8dbe0913be Mon Sep 17 00:00:00 2001 From: Lyubomir Popov Date: Fri, 3 May 2019 11:02:17 +0300 Subject: [PATCH 0508/2384] Use the '-p' non-interactive option to generate password hash instead of 'expect' --- roles/matrix-base/tasks/setup_server_base.yml | 2 -- .../tasks/setup_synapse_main.yml | 6 ---- .../tasks/update_user_password.yml | 2 +- .../matrix-synapse-generate-password-hash.j2 | 31 ------------------- 4 files changed, 1 insertion(+), 40 deletions(-) delete mode 100644 roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 diff --git a/roles/matrix-base/tasks/setup_server_base.yml b/roles/matrix-base/tasks/setup_server_base.yml index 2ccdbd83..1aadfb12 100644 --- a/roles/matrix-base/tasks/setup_server_base.yml +++ b/roles/matrix-base/tasks/setup_server_base.yml @@ -25,7 +25,6 @@ - docker-python - ntp - fuse - - expect state: latest update_cache: yes when: ansible_distribution == 'CentOS' @@ -63,7 +62,6 @@ - python-docker - ntp - fuse - - expect state: latest update_cache: yes when: ansible_os_family == 'Debian' diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml index 7be5f045..6e56b659 100644 --- a/roles/matrix-synapse/tasks/setup_synapse_main.yml +++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml @@ -79,9 +79,3 @@ dest: "/usr/local/bin/matrix-synapse-register-user" mode: 0750 -- name: Ensure matrix-synapse-generate-password-hash script created - template: - src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2" - dest: "/usr/local/bin/matrix-synapse-generate-password-hash" - mode: 0750 - diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml index c464e0d7..d28adfb4 100644 --- a/roles/matrix-synapse/tasks/update_user_password.yml +++ b/roles/matrix-synapse/tasks/update_user_password.yml @@ -41,7 +41,7 @@ when: postgres_start_result.changed - name: Generate password hash - shell: "/usr/local/bin/matrix-synapse-generate-password-hash {{ password }}" + shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password }}" register: password_hash - name: Update user password hash diff --git a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 deleted file mode 100644 index c6858aa8..00000000 --- a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2 +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/env expect - -# Read the password string -set pass [lindex $argv 0] - -# Check if password was provided -if { $pass == "" } { - puts "Usage: $argv0 " - exit 1 -} - -# Disable output -log_user 0 - -# Execute password hashing script -spawn docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -expect "Password: " -send "$pass\r" -expect "Confirm password: " -send "$pass\r" -expect "%" - -# Save the hash output to a variable -set output $expect_out(buffer) - -# Trim the whitespace -regexp {\S+} $output passwordHash - -# Output the password hash -puts -nonewline stdout $passwordHash -close stdout From 172d59ba05486640c4e67a500ef9edb021a743ca Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Fri, 3 May 2019 10:37:14 -0500 Subject: [PATCH 0509/2384] Fix template indentation --- roles/matrix-mxisd/defaults/main.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index caaccfd0..e2864062 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -107,23 +107,23 @@ matrix_mxisd_configuration_yaml: | {% if matrix_mxisd_threepid_medium_email_custom_templates_enabled %} generators: template: - {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} + {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} invite: '/var/mxisd/invite-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} session: - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} + {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} validation: '/var/mxisd/validate-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} unbind: frandulent: '/var/mxisd/unbind-fraudulent.eml' - {% endif %} - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} + {% endif %} + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} generic: matrixId: '/var/mxisd/mxid-template.eml' - {% endif %} + {% endif %} {% endif %} synapseSql: From 4e998f52c52ef0ef6fc188150db0c2b62cd9a233 Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Fri, 3 May 2019 17:39:43 +0100 Subject: [PATCH 0510/2384] urlencode mxisd password --- group_vars/matrix-servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 6f104892..b85b2f5a 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -169,7 +169,7 @@ matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" # your own configuration in `matrix_mxisd_configuration_extension_yaml`. matrix_mxisd_synapsesql_enabled: true matrix_mxisd_synapsesql_type: postgresql -matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password }} +matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password|urlencode() }} matrix_mxisd_dns_overwrite_enabled: true matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" From d1646bb49772e13bea551ce4903fd311b38554b2 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 3 May 2019 12:07:58 -0500 Subject: [PATCH 0511/2384] Update Synapse (0.99.3 -> 0.99.3.1) --- roles/matrix-synapse/defaults/main.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 15 +++++++++++---- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 8edc6b62..be449a46 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.3-py3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.3.1" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 4c8b9654..386c392b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -521,9 +521,10 @@ max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" # height: 600 # method: scale -# Is the preview URL API enabled? If enabled, you *must* specify -# an explicit url_preview_ip_range_blacklist of IPs that the spider is -# denied from accessing. +# Is the preview URL API enabled? +# +# 'false' by default: uncomment the following to enable it (and specify a +# url_preview_ip_range_blacklist blacklist). # url_preview_enabled: true @@ -534,7 +535,13 @@ url_preview_enabled: true # to connect to, otherwise anyone in any Matrix room could cause your # synapse to issue arbitrary GET requests to your internal services, # causing serious security issues. - +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This must be specified if url_preview_enabled is set. It is recommended that +# you uncomment the following list as a starting point. +# url_preview_ip_range_blacklist: - '127.0.0.0/8' - '10.0.0.0/8' From 8051ea9ef9230fc0183d0c56978b00b28c866fec Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 3 May 2019 13:34:45 -0500 Subject: [PATCH 0512/2384] Update Synapse (0.99.3.1 -> 0.99.3.2) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index be449a46..abf85ad1 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.3.1" +matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.3.2" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" From e1d0667ead744d38b85e3b5947060c908ba9d05a Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Fri, 3 May 2019 22:23:03 +0100 Subject: [PATCH 0513/2384] url encode username as well --- group_vars/matrix-servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index b85b2f5a..44318970 100755 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -169,7 +169,7 @@ matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" # your own configuration in `matrix_mxisd_configuration_extension_yaml`. matrix_mxisd_synapsesql_enabled: true matrix_mxisd_synapsesql_type: postgresql -matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user }}&password={{ matrix_synapse_database_password|urlencode() }} +matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }} matrix_mxisd_dns_overwrite_enabled: true matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" From e6fecd51d50e82cac25d00cff1c94eb89875a56b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 5 May 2019 11:04:52 +0300 Subject: [PATCH 0514/2384] Explain DNS SRV vs /.well-known/matrix/server better Hopefully, we no longer lead people to believe that DNS SRV records are going away forever and for all use-cases. Fixes #156 (Github Issue) --- docs/configuring-dns.md | 4 ++-- docs/configuring-well-known.md | 14 +++++++++----- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index f6f7906c..7638033b 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -54,9 +54,9 @@ The SRV record should look like this: - Name: `_matrix._tcp` (use this text as-is) - Content: `10 0 8448 matrix.` (replace `` with your own) -A [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) is superseding the `_matrix._tcp` SRV record. **During the transition phase, you'll need to set up both mechanisms**. We'll instruct you how to set up the file-based mechanism after the [installation phase](installing.md) for this playbook. +A [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) is superseding the `_matrix._tcp` SRV record for our use case. **During the transition phase, you'll need to set up both mechanisms**. We'll instruct you how to set up the file-based mechanism after the [installation phase](installing.md) for this playbook. -Doing delegation/redirection of Matrix services using a DNS SRV record (`_matrix._tcp`) is a **temporary measure** that is only necessary before Synapse v1.0 is released. +Doing delegation/redirection of Matrix services using a DNS SRV record (`_matrix._tcp`) is a **temporary measure** for our use-case, that will only be necessary before Synapse v1.0 is released. As more and more people upgrade to the Synapse v0.99 transitional release and just before the final Synapse v1.0 gets released, at some point in the near future **you will need to remove the `_matrix._tcp` SRV record** and leave only the [new file-based mechanism for Federation Server Discovery](configuring-well-known.md#introduction-to-federation-server-discovery) in place. diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 59807f28..50344c05 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -13,15 +13,19 @@ There are 2 types of well-known service discovery that Matrix makes use of: All services created by this playbook are meant to be installed on their own server (such as `matrix.`). -As [per the Server-Server specification](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery), to use a Matrix user identifier like `@:` while hosting services on a subdomain like `matrix.`, we need to instruct the Matrix network of such a delegation/redirection by means of setting up a `/.well-known/matrix/server` file on the base domain (`). +As [per the Server-Server specification](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery), to use a Matrix user identifier like `@:` while hosting services on a subdomain like `matrix.`, the Matrix network needs to be instructed of such delegation/redirection. -We have discussed this same thing already in the "`_matrix._tcp` SRV record setup (temporary requirement)" section of [Configuring DNS](configuring-dns.md). +Server delegation can be configured using DNS SRV records or by setting up a `/.well-known/matrix/server` file on the base domain (``). -In short, you are required to set up both a `_matrix._tcp` DNS SRV record and the `/.well-known/matrix/server` file at the moment. +We have discussed the DNS SRV record method already in the "`_matrix._tcp` SRV record setup (temporary requirement)" section of [Configuring DNS](configuring-dns.md). -As the Synapse server progresses towards v1.0, only the `/.well-known/matrix/server` file will be used. At that future moment, you would need to remove the `_matrix._tcp` SRV record because Synapse v1.0+ will do the wrong thing if a SRV record exists. During the transitional phase (before Synapse 1.0), we do need to have both a SRV record and a `/.well-known/matrix/server` file, in order to federate correctly with v0.99 and older Synapse versions. +Both methods have their place and will continue to do so. Usually, you would need to use just one of these delegation methods. +For simplicity reasons, our setup advocates for the `/.well-known/matrix/server` method and guides you into using that. +For backward compatibility with older Synapse servers (< v0.99), however, for now you are also required to set up a `_matrix._tcp` DNS SRV record (in addition to the `/.well-known/matrix/server` file on the base domain). -To learn how to set it up, read the Installing section below. +As the Synapse server progresses towards v1.0, only the `/.well-known/matrix/server` file will be used by us, unless you have a more special setup necessitating a DNS SRV record. At that future moment, you would need to remove the `_matrix._tcp` SRV record because Synapse v1.0+ will do the wrong thing if a SRV record exists. + +To learn how to set up `/.well-known/matrix/server`, read the Installing section below. ## Introduction to Client Server Discovery From ed0ecf5bea979864cb0e1cbab6da75f318484989 Mon Sep 17 00:00:00 2001 From: Sylvia van Os Date: Mon, 6 May 2019 10:10:27 +0200 Subject: [PATCH 0515/2384] string before to_json when string value is expected This prevents Ansible from sometimes failing to decrypt vault variables --- .../matrix-riot-web/templates/config.json.j2 | 16 +++---- .../templates/synapse/homeserver.yaml.j2 | 48 +++++++++---------- 2 files changed, 32 insertions(+), 32 deletions(-) diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 477fe4da..5ae601a4 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -1,23 +1,23 @@ { - "default_hs_url": {{ matrix_riot_web_default_hs_url|to_json }}, - "default_is_url": {{ matrix_riot_web_default_is_url|to_json }}, + "default_hs_url": {{ matrix_riot_web_default_hs_url|string|to_json }}, + "default_is_url": {{ matrix_riot_web_default_is_url|string|to_json }}, "disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }}, "disable_guests": {{ matrix_riot_web_disable_guests|to_json }}, "brand": "Riot", - "integrations_ui_url": {{ matrix_riot_web_integrations_ui_url|to_json }}, - "integrations_rest_url": {{ matrix_riot_web_integrations_rest_url|to_json }}, + "integrations_ui_url": {{ matrix_riot_web_integrations_ui_url|string|to_json }}, + "integrations_rest_url": {{ matrix_riot_web_integrations_rest_url|string|to_json }}, "integrations_widgets_urls": {{ matrix_riot_web_integrations_widgets_urls|to_json }}, - "integrations_jitsi_widget_url": {{ matrix_riot_web_integrations_jitsi_widget_url|to_json }}, + "integrations_jitsi_widget_url": {{ matrix_riot_web_integrations_jitsi_widget_url|string|to_json }}, "bug_report_endpoint_url": "https://riot.im/bugreports/submit", "enableLabs": true, "roomDirectory": { "servers": {{ matrix_riot_web_roomdir_servers|to_json }} }, - "welcomeUserId": {{ matrix_riot_web_welcome_user_id|to_json }}, + "welcomeUserId": {{ matrix_riot_web_welcome_user_id|string|to_json }}, {% if matrix_riot_web_enable_presence_by_hs_url is not none %} - "enable_presence_by_hs_url": {{ matrix_riot_web_enable_presence_by_hs_url|to_json }}, + "enable_presence_by_hs_url": {{ matrix_riot_web_enable_presence_by_hs_url|string|to_json }}, {% endif %} "embeddedPages": { - "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|to_json }} + "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string}to_json }} } } diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index c5edf9b1..5b9b7f77 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -255,11 +255,11 @@ listeners: # instance, if using certbot, use `fullchain.pem` as your certificate, # not `cert.pem`). # -tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} +tls_certificate_path: {{ matrix_synapse_tls_certificate_path|string|to_json }} # PEM-encoded private key for TLS # -tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} +tls_private_key_path: {{ matrix_synapse_tls_private_key_path|string|to_json }} # ACME support: This will configure Synapse to request a valid TLS certificate # for your configured `server_name` via Let's Encrypt. @@ -358,8 +358,8 @@ database: # The database engine name name: "psycopg2" args: - user: {{ matrix_synapse_database_user|to_json }} - password: {{ matrix_synapse_database_password|to_json }} + user: {{ matrix_synapse_database_user|string|to_json }} + password: {{ matrix_synapse_database_password|string|to_json }} database: "{{ matrix_synapse_database_database }}" host: "{{ matrix_synapse_database_host }}" cp_min: 5 @@ -628,7 +628,7 @@ turn_uris: {{ matrix_synapse_turn_uris|to_json }} # The shared secret used to compute passwords for the TURN server # -turn_shared_secret: {{ matrix_synapse_turn_shared_secret|to_json }} +turn_shared_secret: {{ matrix_synapse_turn_shared_secret|string|to_json }} # The Username and password if the TURN server needs them and # does not use a token @@ -683,7 +683,7 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }} # If set, allows registration of standard or admin accounts by anyone who # has the shared secret, even if registration is otherwise disabled. # -registration_shared_secret: {{ matrix_synapse_registration_shared_secret|to_json }} +registration_shared_secret: {{ matrix_synapse_registration_shared_secret|string|to_json }} # Set the number of bcrypt rounds used to generate password hash. # Larger numbers increase the work factor needed to generate the hash. @@ -784,7 +784,7 @@ app_service_config_files: {{ matrix_synapse_app_service_config_files }} # the registration_shared_secret is used, if one is given; otherwise, # a secret key is derived from the signing key. # -macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|to_json }} +macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|string|to_json }} # Used to enable access token expiration. # @@ -794,7 +794,7 @@ macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|to_json }} # falsification of values. Must be specified for the User Consent # forms to work. # -form_secret: {{ matrix_synapse_form_secret|to_json }} +form_secret: {{ matrix_synapse_form_secret|string|to_json }} ## Signing Keys ## @@ -899,7 +899,7 @@ password_config: # Uncomment and change to a secret random string for extra security. # DO NOT CHANGE THIS AFTER INITIAL SETUP! # - pepper: {{ matrix_synapse_password_config_pepper|to_json }} + pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} @@ -914,15 +914,15 @@ password_config: {% if matrix_synapse_email_enabled %} email: enable_notifs: true - smtp_host: {{ matrix_synapse_email_smtp_host|to_json }} - smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} + smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} + smtp_port: {{ matrix_synapse_email_smtp_port|string|to_json }} require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} - notif_from: {{ matrix_synapse_email_notif_from|to_json }} + notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} app_name: Matrix notif_template_html: notif_mail.html notif_template_text: notif_mail.txt notif_for_new_users: True - riot_base_url: {{ matrix_synapse_email_riot_base_url|to_json }} + riot_base_url: {{ matrix_synapse_email_riot_base_url|string|to_json }} {% endif %} @@ -945,12 +945,12 @@ password_providers: {% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} - module: "shared_secret_authenticator.SharedSecretAuthenticator" config: - sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|to_json }} + sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }} {% endif %} {% if matrix_synapse_ext_password_provider_rest_auth_enabled %} - module: "rest_auth_provider.RestAuthProvider" config: - endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|to_json }} + endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|string|to_json }} policy: registration: username: @@ -965,16 +965,16 @@ password_providers: - module: "ldap_auth_provider.LdapAuthProvider" config: enabled: true - uri: {{ matrix_synapse_ext_password_provider_ldap_uri|to_json }} - start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} - base: {{ matrix_synapse_ext_password_provider_ldap_base|to_json }} + uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} + start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|string|to_json }} + base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} attributes: - uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|to_json }} - mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|to_json }} - name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|to_json }} - bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|to_json }} - bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|to_json }} - filter: {{ matrix_synapse_ext_password_provider_ldap_filter|to_json }} + uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} + mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} + name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|string|to_json }} + bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|string|to_json }} + bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|string|to_json }} + filter: {{ matrix_synapse_ext_password_provider_ldap_filter|string|to_json }} {% endif %} {% endif %} From 9ea593df3763130620274e0d265a32bd654e9c1b Mon Sep 17 00:00:00 2001 From: Sylvia van Os Date: Tue, 7 May 2019 09:35:51 +0200 Subject: [PATCH 0516/2384] Fix incorrect casts --- roles/matrix-riot-web/templates/config.json.j2 | 4 ++-- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 5ae601a4..0179cc35 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -15,9 +15,9 @@ }, "welcomeUserId": {{ matrix_riot_web_welcome_user_id|string|to_json }}, {% if matrix_riot_web_enable_presence_by_hs_url is not none %} - "enable_presence_by_hs_url": {{ matrix_riot_web_enable_presence_by_hs_url|string|to_json }}, + "enable_presence_by_hs_url": {{ matrix_riot_web_enable_presence_by_hs_url|to_json }}, {% endif %} "embeddedPages": { - "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string}to_json }} + "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }} } } diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 5b9b7f77..e0ff67d3 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -255,11 +255,11 @@ listeners: # instance, if using certbot, use `fullchain.pem` as your certificate, # not `cert.pem`). # -tls_certificate_path: {{ matrix_synapse_tls_certificate_path|string|to_json }} +tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} # PEM-encoded private key for TLS # -tls_private_key_path: {{ matrix_synapse_tls_private_key_path|string|to_json }} +tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} # ACME support: This will configure Synapse to request a valid TLS certificate # for your configured `server_name` via Let's Encrypt. @@ -915,7 +915,7 @@ password_config: email: enable_notifs: true smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} - smtp_port: {{ matrix_synapse_email_smtp_port|string|to_json }} + smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} app_name: Matrix From 07e7d518d53961e57d2d2a9506aaf3aa98c07d6f Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Tue, 7 May 2019 05:57:20 -0500 Subject: [PATCH 0517/2384] Revert "Fix template indentation" This reverts commit 172d59ba05486640c4e67a500ef9edb021a743ca. --- roles/matrix-mxisd/defaults/main.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index e2864062..caaccfd0 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -107,23 +107,23 @@ matrix_mxisd_configuration_yaml: | {% if matrix_mxisd_threepid_medium_email_custom_templates_enabled %} generators: template: - {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} + {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} invite: '/var/mxisd/invite-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} session: - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} + {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} validation: '/var/mxisd/validate-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} unbind: frandulent: '/var/mxisd/unbind-fraudulent.eml' - {% endif %} - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} + {% endif %} + {% endif %} + {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} generic: matrixId: '/var/mxisd/mxid-template.eml' - {% endif %} + {% endif %} {% endif %} synapseSql: From 3abed49764900f23ae0b8de5d0fa8b7a6ae1b66f Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Tue, 7 May 2019 06:02:38 -0500 Subject: [PATCH 0518/2384] Fix jinja config for indented code blocks --- roles/matrix-dimension/defaults/main.yml | 3 +-- roles/matrix-mxisd/defaults/main.yml | 1 + roles/matrix-synapse/defaults/main.yml | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 43841fee..211e8988 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -31,6 +31,7 @@ matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_di # For a more advanced customization, you can extend the default (see `matrix_dimension_configuration_extension_yaml`) # or completely replace this variable with your own template. matrix_dimension_configuration_yaml: | + #jinja2: lstrip_blocks: True # The web settings for the service (API and UI). # It is best to have this run on localhost and use a reverse proxy to access Dimension. web: @@ -125,5 +126,3 @@ matrix_dimension_configuration_extension_yaml: | # Holds the final Dimension configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_dimension_configuration_yaml`. matrix_dimension_configuration: "{{ matrix_dimension_configuration_yaml|from_yaml|combine(matrix_dimension_configuration_extension, recursive=True) }}" - - diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index caaccfd0..4b2b22ff 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -64,6 +64,7 @@ matrix_mxisd_self_check_validate_certificates: true # For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`) # or completely replace this variable with your own template. matrix_mxisd_configuration_yaml: | + #jinja2: lstrip_blocks: True matrix: domain: {{ matrix_domain }} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index ee454b5a..813d5a0f 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -267,6 +267,7 @@ matrix_appservice_irc_docker_image: "tedomum/matrix-appservice-irc:latest" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" matrix_appservice_irc_configuration_yaml: | + #jinja2: lstrip_blocks: True homeserver: url: "https://{{ matrix_server_fqn_matrix }}" domain: "{{ matrix_domain }}" From c451025134c63b429a5853a7d77e7b2f3736fd14 Mon Sep 17 00:00:00 2001 From: Hugues De Keyzer Date: Tue, 7 May 2019 21:23:35 +0200 Subject: [PATCH 0519/2384] Fix indentation in templates Use Jinja2 lstrip_blocks option in templates to ensure consistent indentation in generated files. --- .../templates/static-files/well-known/matrix-client.j2 | 1 + .../templates/static-files/well-known/matrix-server.j2 | 1 + roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 | 1 + roles/matrix-corporal/templates/config.json.j2 | 1 + .../matrix-corporal/templates/systemd/matrix-corporal.service.j2 | 1 + roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 | 1 + roles/matrix-coturn/templates/turnserver.conf.j2 | 1 + .../templates/systemd/matrix-dimension.service.j2 | 1 + roles/matrix-mailer/templates/env-mailer.j2 | 1 + roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 | 1 + roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 | 1 + .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 1 + .../templates/nginx/conf.d/matrix-domain.conf.j2 | 1 + .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 1 + .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 1 + .../matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 | 1 + .../templates/nginx/matrix-synapse-metrics-htpasswd.j2 | 1 + roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 | 1 + .../templates/systemd/matrix-nginx-proxy.service.j2 | 1 + .../usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 | 1 + roles/matrix-postgres/templates/env-postgres-psql.j2 | 1 + roles/matrix-postgres/templates/env-postgres-server.j2 | 1 + .../matrix-postgres/templates/systemd/matrix-postgres.service.j2 | 1 + .../templates/usr-local-bin/matrix-make-user-admin.j2 | 1 + .../templates/usr-local-bin/matrix-postgres-cli.j2 | 1 + .../usr-local-bin/matrix-postgres-update-user-password-hash.j2 | 1 + roles/matrix-riot-web/templates/config.json.j2 | 1 + roles/matrix-riot-web/templates/nginx.conf.j2 | 1 + .../matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 | 1 + roles/matrix-riot-web/templates/welcome.html.j2 | 1 + .../systemd/matrix-appservice-discord.service.j2 | 1 + .../ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 | 1 + .../matrix-synapse/templates/ext/mautrix-telegram/config.yaml.j2 | 1 + .../mautrix-telegram/systemd/matrix-mautrix-telegram.service.j2 | 1 + .../matrix-synapse/templates/ext/mautrix-whatsapp/config.yaml.j2 | 1 + .../mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2 | 1 + roles/matrix-synapse/templates/goofys/env-goofys.j2 | 1 + .../templates/goofys/systemd/matrix-goofys.service.j2 | 1 + roles/matrix-synapse/templates/synapse/env-synapse.j2 | 1 + roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 1 + roles/matrix-synapse/templates/synapse/synapse.log.config.j2 | 1 + .../templates/synapse/systemd/matrix-synapse.service.j2 | 1 + .../synapse/usr-local-bin/matrix-synapse-register-user.j2 | 1 + 43 files changed, 43 insertions(+) diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 index e3b0d767..120f9c97 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" { "m.homeserver": { "base_url": "{{ matrix_homeserver_url }}" diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 index a8e19167..de0f5722 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" { "m.server": "{{ matrix_server_fqn_matrix }}:8448" } diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 index 9fad37d9..ac810595 100644 --- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" #!/bin/bash if [ "$(id -u)" != "0" ]; then diff --git a/roles/matrix-corporal/templates/config.json.j2 b/roles/matrix-corporal/templates/config.json.j2 index 378b2c19..e2333bcc 100644 --- a/roles/matrix-corporal/templates/config.json.j2 +++ b/roles/matrix-corporal/templates/config.json.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" { "Matrix": { "HomeserverDomainName": "{{ matrix_corporal_matrix_homeserver_domain_name }}", diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index d0adbf9d..74de9680 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Corporal {% for service in matrix_corporal_systemd_required_services_list %} diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index c1f00789..e288c0e5 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Coturn server {% for service in matrix_coturn_systemd_required_services_list %} diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index 2bf7649c..3fcf0b67 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" use-auth-secret static-auth-secret={{ matrix_coturn_turn_static_auth_secret }} realm=turn.{{ matrix_server_fqn_matrix }} diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index c176b3e7..bd04be18 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Dimension After=docker.service diff --git a/roles/matrix-mailer/templates/env-mailer.j2 b/roles/matrix-mailer/templates/env-mailer.j2 index 7765b8f9..180bc500 100644 --- a/roles/matrix-mailer/templates/env-mailer.j2 +++ b/roles/matrix-mailer/templates/env-mailer.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" {% if matrix_mailer_relay_use %} SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port }} {% endif %} diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index de07a687..9b07f6c7 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix mailer After=docker.service diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 index 6d951643..d30ba718 100644 --- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 +++ b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix mxisd Identity server {% for service in matrix_mxisd_systemd_required_services_list %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 1886496b..dbfe96ce 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 679f3efa..0d234827 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; server_name {{ matrix_nginx_proxy_base_domain_hostname }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 661a5f31..4a97ebfa 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; server_name {{ matrix_nginx_proxy_proxy_riot_hostname }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 00e7a1be..8298a4d5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 index ed171cfa..290e1a98 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" # The default is aligned to the CPU's cache size, # which can sometimes be too low to handle our 2 vhosts (Synapse and Riot). # diff --git a/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 b/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 index 27cf298f..1a7247ac 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 @@ -1,2 +1,3 @@ +#jinja2: lstrip_blocks: "True" # User and password for protecting /_synapse/metrics URI prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index 3382d6c6..51aa8a00 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" # This is a custom nginx configuration file that we use in the container (instead of the default one), # because it allows us to run nginx with a non-root user. # diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index d3cf4044..1a154c0d 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix nginx-proxy server {% for service in matrix_nginx_proxy_systemd_required_services_list %} diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 index 7e561017..93306d78 100644 --- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" #!/bin/bash # For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled) diff --git a/roles/matrix-postgres/templates/env-postgres-psql.j2 b/roles/matrix-postgres/templates/env-postgres-psql.j2 index c503450a..c61927a3 100644 --- a/roles/matrix-postgres/templates/env-postgres-psql.j2 +++ b/roles/matrix-postgres/templates/env-postgres-psql.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" PGUSER={{ matrix_postgres_connection_username }} PGPASSWORD={{ matrix_postgres_connection_password }} PGDATABASE={{ matrix_postgres_db_name }} \ No newline at end of file diff --git a/roles/matrix-postgres/templates/env-postgres-server.j2 b/roles/matrix-postgres/templates/env-postgres-server.j2 index f9ff4dc3..34f75aee 100644 --- a/roles/matrix-postgres/templates/env-postgres-server.j2 +++ b/roles/matrix-postgres/templates/env-postgres-server.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" POSTGRES_USER={{ matrix_postgres_connection_username }} POSTGRES_PASSWORD={{ matrix_postgres_connection_password }} POSTGRES_DB={{ matrix_postgres_db_name }} \ No newline at end of file diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 14321efd..2d1c9118 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Postgres server After=docker.service diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 index 20f9fda2..f8daa6a7 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" #!/bin/bash if [ $# -ne 1 ]; then diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 index 34836629..8f0c4c5b 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" #!/bin/bash docker run \ diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 index bd99211c..d950ce97 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" #!/bin/bash if [ $# -ne 2 ]; then diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 0179cc35..92753a15 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" { "default_hs_url": {{ matrix_riot_web_default_hs_url|string|to_json }}, "default_is_url": {{ matrix_riot_web_default_is_url|string|to_json }}, diff --git a/roles/matrix-riot-web/templates/nginx.conf.j2 b/roles/matrix-riot-web/templates/nginx.conf.j2 index 84789954..fba16bbd 100644 --- a/roles/matrix-riot-web/templates/nginx.conf.j2 +++ b/roles/matrix-riot-web/templates/nginx.conf.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" # This is a custom nginx configuration file that we use in the container (instead of the default one), # because it allows us to run nginx with a non-root user. # diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index a270e0e3..63a6c7a6 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True" [Unit] Description=Matrix riot-web server {% for service in matrix_riot_web_systemd_required_services_list %} diff --git a/roles/matrix-riot-web/templates/welcome.html.j2 b/roles/matrix-riot-web/templates/welcome.html.j2 index 6456e947..319f9795 100644 --- a/roles/matrix-riot-web/templates/welcome.html.j2 +++ b/roles/matrix-riot-web/templates/welcome.html.j2 @@ -1,3 +1,4 @@ +#jinja2: lstrip_blocks: "True"
- - + + -

_t("Welcome to Riot.im")

-

_t("Decentralised, encrypted chat & collaboration powered by [matrix]")

+

{{ matrix_riot_web_welcome_headline }}

+

{{ matrix_riot_web_welcome_text }}

From 0322a5443a6b05ef0e4c6ec5b76d4a46792198a8 Mon Sep 17 00:00:00 2001 From: Stefan Warnat Date: Tue, 3 Mar 2020 22:16:52 +0100 Subject: [PATCH 0947/2384] additional customizations of welcome page --- roles/matrix-riot-web/defaults/main.yml | 13 +++++++++++++ roles/matrix-riot-web/templates/config.json.j2 | 5 +++++ 2 files changed, 18 insertions(+) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 8b19f297..4fe8703a 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -32,7 +32,20 @@ matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" # Branding of riot web matrix_riot_web_brand: "Riot" +# Links, shown in footer of welcome page: +# [{"text": "Link text", "url": "https://link.target"}, {"text": "Other link"}] +matrix_riot_web_welcome_footerlinks: false + +# URL to image, shown during Login +matrix_riot_web_welcome_authlogo: false + +# URL to Wallpaper, shown in background of welcome page +matrix_riot_web_welcome_background: false + +# URL to Logo on welcome page matrix_riot_web_welcome_logo: "welcome/images/logo.svg" + +# URL of link on welcome image matrix_riot_web_welcome_logo_link: "https://riot.im" matrix_riot_web_welcome_headline: "_t('Welcome to Riot.im')" diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 635c06f5..a950f70e 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -29,5 +29,10 @@ {% endif %} "embeddedPages": { "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }} + }, + "branding": { + "authFooterLinks": {{ matrix_riot_web_welcome_footerlinks|to_json }}, + "authHeaderLogoUrl": {{ matrix_riot_web_welcome_authlogo|to_json }}, + "welcomeBackgroundUrl": {{ matrix_riot_web_welcome_background|to_json }} } } From 054e6fed0cef8e883d99351539cd3ade1c5a3f50 Mon Sep 17 00:00:00 2001 From: Stefan Warnat Date: Tue, 3 Mar 2020 22:27:39 +0100 Subject: [PATCH 0948/2384] rearrange main.yml of riot-web and use same logo URL for both logos --- roles/matrix-riot-web/defaults/main.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 4fe8703a..828532f5 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -32,16 +32,6 @@ matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" # Branding of riot web matrix_riot_web_brand: "Riot" -# Links, shown in footer of welcome page: -# [{"text": "Link text", "url": "https://link.target"}, {"text": "Other link"}] -matrix_riot_web_welcome_footerlinks: false - -# URL to image, shown during Login -matrix_riot_web_welcome_authlogo: false - -# URL to Wallpaper, shown in background of welcome page -matrix_riot_web_welcome_background: false - # URL to Logo on welcome page matrix_riot_web_welcome_logo: "welcome/images/logo.svg" @@ -51,6 +41,16 @@ matrix_riot_web_welcome_logo_link: "https://riot.im" matrix_riot_web_welcome_headline: "_t('Welcome to Riot.im')" matrix_riot_web_welcome_text: "_t('Decentralised, encrypted chat & collaboration powered by [matrix]')" +# Links, shown in footer of welcome page: +# [{"text": "Link text", "url": "https://link.target"}, {"text": "Other link"}] +matrix_riot_web_welcome_footerlinks: false + +# URL to image, shown during Login +matrix_riot_web_welcome_authlogo: "{{ matrix_riot_web_welcome_logo }}" + +# URL to Wallpaper, shown in background of welcome page +matrix_riot_web_welcome_background: false + # By default, there's no Riot homepage (when logged in). If you wish to have one, # point this to a `home.html` template file on your local filesystem. matrix_riot_web_embedded_pages_home_path: ~ From 00596452c2e2ff3c33b7ada41a06da4383c8ffdb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 5 Mar 2020 10:53:31 +0200 Subject: [PATCH 0949/2384] Update riot-web (1.5.11 -> 1.5.12) --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index be19fef9..c192e42d 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,6 +1,6 @@ matrix_riot_web_enabled: true -matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.11" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.12" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 46664c4758a5e51545850f8f298525caf654fafc Mon Sep 17 00:00:00 2001 From: Stefan Warnat Date: Fri, 6 Mar 2020 14:31:15 +0100 Subject: [PATCH 0950/2384] Adjust variable names --- roles/matrix-riot-web/defaults/main.yml | 6 +++--- roles/matrix-riot-web/templates/config.json.j2 | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 828532f5..981978d2 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -43,13 +43,13 @@ matrix_riot_web_welcome_text: "_t('Decentralised, encrypted chat & collabora # Links, shown in footer of welcome page: # [{"text": "Link text", "url": "https://link.target"}, {"text": "Other link"}] -matrix_riot_web_welcome_footerlinks: false +matrix_riot_web_branding_authFooterLinks: ~ # URL to image, shown during Login -matrix_riot_web_welcome_authlogo: "{{ matrix_riot_web_welcome_logo }}" +matrix_riot_web_branding_authHeaderLogoUrl: "{{ matrix_riot_web_welcome_logo }}" # URL to Wallpaper, shown in background of welcome page -matrix_riot_web_welcome_background: false +matrix_riot_web_branding_welcomeBackgroundUrl: ~ # By default, there's no Riot homepage (when logged in). If you wish to have one, # point this to a `home.html` template file on your local filesystem. diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index a950f70e..b82d53e0 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -31,8 +31,8 @@ "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }} }, "branding": { - "authFooterLinks": {{ matrix_riot_web_welcome_footerlinks|to_json }}, - "authHeaderLogoUrl": {{ matrix_riot_web_welcome_authlogo|to_json }}, - "welcomeBackgroundUrl": {{ matrix_riot_web_welcome_background|to_json }} + "authFooterLinks": {{ matrix_riot_web_branding_authFooterLinks|to_json }}, + "authHeaderLogoUrl": {{ matrix_riot_web_branding_authHeaderLogoUrl|to_json }}, + "welcomeBackgroundUrl": {{ matrix_riot_web_branding_welcomeBackgroundUrl|to_json }} } } From c55682d0992ddfb7449d0cb27fe03781c8571b05 Mon Sep 17 00:00:00 2001 From: David Gnedt Date: Fri, 6 Mar 2020 17:48:16 +0100 Subject: [PATCH 0951/2384] Update synapse-janitor to support current synapse database schema --- roles/matrix-postgres/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 961aa081..91656ff6 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -30,4 +30,4 @@ matrix_postgres_container_extra_arguments: [] # Takes an ":" or "" value (e.g. "127.0.0.1:5432"), or empty string to not expose. matrix_postgres_container_postgres_bind_port: "" -matrix_postgres_tool_synapse_janitor: "https://raw.githubusercontent.com/xwiki-labs/synapse_scripts/0b3f035951932ceb396631de3fc701043b9723bc/synapse_janitor.sql" +matrix_postgres_tool_synapse_janitor: "https://raw.githubusercontent.com/xwiki-labs/synapse_scripts/a9188ff175ae581610f92d58ea6eac9a114d854b/synapse_janitor.sql" From 310aa685f94e0c65b960be4f11964f8981c8a77d Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sun, 8 Mar 2020 00:24:00 +0100 Subject: [PATCH 0952/2384] refactor based on Slavi's requests --- group_vars/matrix_servers | 16 -------- roles/matrix-base/defaults/main.yml | 10 ++--- roles/matrix-base/tasks/server_base/setup.yml | 2 +- roles/matrix-base/tasks/setup_matrix_base.yml | 7 ---- .../defaults/main.yml | 2 + .../tasks/setup_install.yml | 35 +++++++++--------- .../defaults/main.yml | 2 + .../tasks/setup_install.yml | 37 ++++++++++--------- roles/matrix-coturn/defaults/main.yml | 2 + roles/matrix-coturn/tasks/setup_coturn.yml | 21 ++++++++--- roles/matrix-mxisd/defaults/main.yml | 2 + roles/matrix-mxisd/tasks/setup_mxisd.yml | 27 +++++--------- roles/matrix-riot-web/defaults/main.yml | 2 + .../matrix-riot-web/tasks/setup_riot_web.yml | 15 +++++--- roles/matrix-synapse/defaults/main.yml | 2 + roles/matrix-synapse/tasks/setup_synapse.yml | 1 + .../tasks/synapse/setup_install.yml | 10 ++--- 17 files changed, 94 insertions(+), 99 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 51365d74..5efde0c9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -678,19 +678,3 @@ matrix_synapse_systemd_wanted_services_list: | # /matrix-synapse # ###################################################################### - - - -###################################################################### -# -# raspberry pi -# -###################################################################### - -matrix_raspberry_pi: "false" - -###################################################################### -# -# /raspberry pi -# -###################################################################### diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index a9fd6224..a58e3bc4 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -26,13 +26,6 @@ matrix_base_data_path: "/matrix" matrix_base_data_path_mode: "750" matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" -matrix_docker_src_files_path: "{{ matrix_base_data_path }}/docker-src" -matrix_docker_synapse_src_files_path: "{{ matrix_docker_src_files_path }}/synapse" -matrix_docker_riot_web_src_files_path: "{{ matrix_docker_src_files_path }}/riot-web" -matrix_docker_coturn_src_files_path: "{{ matrix_docker_src_files_path }}/coturn" -matrix_docker_mxisd_src_files_path: "{{ matrix_docker_src_files_path }}/mxisd" -matrix_docker_mautrix_facebook_src_files_path: "{{ matrix_docker_src_files_path }}/mautrix-facebook" -matrix_docker_mautrix_hangouts_src_files_path: "{{ matrix_docker_src_files_path }}/mautrix-hangouts" matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" @@ -73,3 +66,6 @@ run_setup: true run_self_check: true run_start: true run_stop: true + +# Raspberry pi depoly TODO: it should be identified based on the operating system +matrix_raspberry_pi_deploy: false \ No newline at end of file diff --git a/roles/matrix-base/tasks/server_base/setup.yml b/roles/matrix-base/tasks/server_base/setup.yml index bd52a0e7..1ce62158 100644 --- a/roles/matrix-base/tasks/server_base/setup.yml +++ b/roles/matrix-base/tasks/server_base/setup.yml @@ -7,7 +7,7 @@ when: (ansible_os_family == 'Debian') and (ansible_lsb.id != 'Raspbian') - include_tasks: "{{ role_path }}/tasks/server_base/setup_raspbian.yml" - when: "matrix_raspberry_pi" + when: "matrix_raspberry_pi_deploy" - name: Ensure Docker is started and autoruns service: diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 77665f6b..b4aa92b9 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -22,13 +22,6 @@ group: "{{ matrix_user_username }}" with_items: - "{{ matrix_base_data_path }}" - - { src: "{{ matrix_docker_src_files_path }}", when: "{{ matrix_raspberry_pi }}" } - - { src: "{{ matrix_docker_synapse_src_files_path }}", when: "{{ matrix_raspberry_pi }}" } - - { src: "{{ matrix_docker_riot_web_src_files_path }}", when: "{{ matrix_raspberry_pi }}" } - - { src: "{{ matrix_docker_coturn_src_files_path }}", when: "{{ matrix_coturn_enabled }}"} - - { src: "{{ matrix_docker_mxisd_src_files_path }}", when: "{{ matrix_mxisd_enabled }}"} - - { src: "{{ matrix_docker_mautrix_facebook_src_files_path }}", when: "{{ matrix_mautrix_facebook_enabled }}"} - - { src: "{{ matrix_docker_mautrix_hangouts_src_files_path }}", when: "{{ matrix_mautrix_hangouts_enabled }}"} # `docker_network` doesn't work as expected when the given network # is a substring of a network that already exists. diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index bf57e926..6503a275 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -2,6 +2,7 @@ # See: https://github.com/tulir/mautrix-facebook matrix_mautrix_facebook_enabled: true +matrix_mautrix_facebook_self_build: false # See: https://mau.dev/tulir/mautrix-facebook/container_registry matrix_mautrix_facebook_docker_image: "dock.mau.dev/tulir/mautrix-facebook:latest" @@ -10,6 +11,7 @@ matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_doc matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook" matrix_mautrix_facebook_config_path: "{{ matrix_mautrix_facebook_base_path }}/config" matrix_mautrix_facebook_data_path: "{{ matrix_mautrix_facebook_base_path }}/data" +matrix_docker_mautrix_facebook_src_files_path: "{{ matrix_mautrix_facebook_base_path }}/docker-src" matrix_mautrix_facebook_homeserver_address: 'http://matrix-synapse:8008' matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}' diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index a8c7cdf1..7b83ae4e 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -14,17 +14,30 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_facebook_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_docker_image_force_pull }}" - when: matrix_mautrix_facebook_enabled|bool and not matrix_raspberry_pi + when: matrix_mautrix_facebook_enabled|bool and not matrix_mautrix_facebook_self_build -- name: Ensure Mautrix Facebook repository is present on Raspberry pi +- name: Ensure Mautrix Facebook paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_mautrix_facebook_base_path }}" + - "{{ matrix_mautrix_facebook_config_path }}" + - "{{ matrix_mautrix_facebook_data_path }}" + - { src: "{{ matrix_docker_mautrix_facebook_src_files_path }}", when: "{{ matrix_mautrix_facebook_self_build }}" } + +- name: Ensure Mautrix Facebook repository is present on self-build git: repo: https://github.com/tulir/mautrix-facebook.git dest: "{{ matrix_docker_mautrix_facebook_src_files_path }}" # version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" - when: "matrix_mautrix_facebook_enabled|bool and matrix_raspberry_pi" + when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_self_build" -- name: Ensure Mautrix Facebook Docker image is build (Raspberry pi) +- name: Ensure Mautrix Facebook Docker image is build docker_image: name: "{{ matrix_mautrix_facebook_docker_image }}" source: build @@ -32,19 +45,7 @@ dockerfile: Dockerfile path: "{{ matrix_docker_mautrix_facebook_src_files_path }}" pull: yes - when: "matrix_mautrix_facebook_enabled|bool and matrix_raspberry_pi" - -- name: Ensure Mautrix Facebook paths exist - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - "{{ matrix_mautrix_facebook_base_path }}" - - "{{ matrix_mautrix_facebook_config_path }}" - - "{{ matrix_mautrix_facebook_data_path }}" + when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_self_build" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index fdb2c639..e136dd1e 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -2,6 +2,7 @@ # See: https://github.com/tulir/mautrix-hangouts matrix_mautrix_hangouts_enabled: true +matrix_mautrix_hangouts_self_build: true # See: https://mau.dev/tulir/mautrix-hangouts/container_registry matrix_mautrix_hangouts_docker_image: "dock.mau.dev/tulir/mautrix-hangouts:latest" @@ -10,6 +11,7 @@ matrix_mautrix_hangouts_docker_image_force_pull: "{{ matrix_mautrix_hangouts_doc matrix_mautrix_hangouts_base_path: "{{ matrix_base_data_path }}/mautrix-hangouts" matrix_mautrix_hangouts_config_path: "{{ matrix_mautrix_hangouts_base_path }}/config" matrix_mautrix_hangouts_data_path: "{{ matrix_mautrix_hangouts_base_path }}/data" +matrix_docker_mautrix_hangouts_src_files_path: "{{ matrix_mautrix_hangouts_base_path }}/docker-src" matrix_mautrix_hangouts_public_endpoint: '/mautrix-hangouts' diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index 90206fd6..4a5c9103 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -14,16 +14,31 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_hangouts_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_hangouts_docker_image_force_pull }}" - when: matrix_mautrix_hangouts_enabled|bool and not matrix_raspberry_pi + when: matrix_mautrix_hangouts_enabled|bool and not matrix_mautrix_hangouts_self_build -- name: Ensure Mautrix Hangots repository is present on Raspberry pi +- name: Ensure Mautrix Hangouts paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_mautrix_hangouts_base_path }}" + - "{{ matrix_mautrix_hangouts_config_path }}" + - "{{ matrix_mautrix_hangouts_data_path }}" + - { src: "{{ matrix_docker_mautrix_hangouts_src_files_path }}", when: "{{ matrix_mautrix_hangouts_self_build }}" } + + when: matrix_mautrix_hangouts_enabled|bool and not matrix_mautrix_hangouts_self_build + +- name: Ensure Mautrix Hangots repository is present on self build git: repo: https://github.com/tulir/mautrix-hangouts.git dest: "{{ matrix_docker_mautrix_hangouts_src_files_path }}" force: "yes" - when: "matrix_mautrix_hangouts_enabled|bool and matrix_raspberry_pi" + when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_self_build" -- name: Ensure Mautrix Hangouts Docker image is build (Raspberry pi) +- name: Ensure Mautrix Hangouts Docker image is build docker_image: name: "{{ matrix_mautrix_hangouts_docker_image }}" source: build @@ -31,19 +46,7 @@ dockerfile: Dockerfile path: "{{ matrix_docker_mautrix_hangouts_src_files_path }}" pull: yes - when: "matrix_mautrix_hangouts_enabled|bool and matrix_raspberry_pi" - -- name: Ensure Mautrix Hangouts paths exist - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - "{{ matrix_mautrix_hangouts_base_path }}" - - "{{ matrix_mautrix_hangouts_config_path }}" - - "{{ matrix_mautrix_hangouts_data_path }}" + when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_self_build" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 4bcbb223..c6a02184 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -1,4 +1,5 @@ matrix_coturn_enabled: true +matrix_coturn_self_build: false matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" @@ -13,6 +14,7 @@ matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(' matrix_coturn_docker_network: "matrix-coturn" matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" +matrix_docker_coturn_src_files_path: "{{ matrix_coturn_base_path }}/docker-src" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" # List of systemd services that matrix-coturn.service depends on diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index bdd7d774..9a50859a 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -4,23 +4,34 @@ # Tasks related to setting up Coturn # +- name: Ensure Matrix Coturn path exists + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - { src: "{{ matrix_docker_coturn_src_files_path }}", when: "{{ matrix_coturn_self_build }}"} + when: matrix_riot_web_enabled|bool + - name: Ensure Coturn image is pulled docker_image: name: "{{ matrix_coturn_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}" - when: matrix_coturn_enabled|bool and not matrix_raspberry_pi + when: matrix_coturn_enabled|bool and not matrix_coturn_self_build -- name: Ensure Coturn repository is present on Raspberry pi +- name: Ensure Coturn repository is present on self-build git: repo: https://github.com/instrumentisto/coturn-docker-image.git dest: "{{ matrix_docker_coturn_src_files_path }}" version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" - when: "matrix_coturn_enabled|bool and matrix_raspberry_pi" + when: "matrix_coturn_enabled|bool and matrix_coturn_self_build" -- name: Ensure Coturn Docker image is build (Raspberry pi) +- name: Ensure Coturn Docker image is build docker_image: name: "{{ matrix_coturn_docker_image }}" source: build @@ -28,7 +39,7 @@ dockerfile: Dockerfile path: "{{ matrix_docker_coturn_src_files_path }}" pull: yes - when: "matrix_coturn_enabled|bool and matrix_raspberry_pi" + when: "matrix_coturn_enabled|bool and matrix_coturn_self_build" - name: Ensure Coturn configuration path exists file: diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index 286839da..b9bebb0b 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -2,11 +2,13 @@ # See: https://github.com/kamax-matrix/mxisd matrix_mxisd_enabled: true +matrix_mxisd_self_build: false matrix_mxisd_docker_image: "kamax/mxisd:1.4.6" matrix_mxisd_docker_image_force_pull: "{{ matrix_mxisd_docker_image.endswith(':latest') }}" matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" +matrix_docker_mxisd_src_files_path: "{{ matrix_mxisd_base_path }}/docker-src" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml index b0132722..b01abef3 100644 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ b/roles/matrix-mxisd/tasks/setup_mxisd.yml @@ -14,6 +14,7 @@ with_items: - "{{ matrix_mxisd_config_path }}" - "{{ matrix_mxisd_data_path }}" + - { src: "{{ matrix_docker_mxisd_src_files_path }}", when: "{{ matrix_mxisd_self_build }}"} when: matrix_mxisd_enabled|bool - name: Ensure mxisd image is pulled @@ -22,39 +23,29 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mxisd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mxisd_docker_image_force_pull }}" - when: matrix_mxisd_enabled|bool and not matrix_raspberry_pi + when: matrix_mxisd_enabled|bool and not matrix_mxisd_self_build -- name: Ensure gradel is installed on Raspberry pi for building +- name: Ensure gradel is installed for self-building apt: name: - gradle state: present update_cache: yes - when: "matrix_mxisd_enabled|bool and matrix_raspberry_pi" + when: "matrix_mxisd_enabled|bool and matrix_mxisd_self_build" -- name: Ensure mxisd repository is present on Raspberry pi +- name: Ensure mxisd repository is present on self-build git: repo: https://github.com/kamax-matrix/mxisd.git dest: "{{ matrix_docker_mxisd_src_files_path }}" version: "v{{ matrix_mxisd_docker_image.split(':')[1] }}" force: "yes" - when: "matrix_mxisd_enabled|bool and matrix_raspberry_pi" - -# - name: Ensure mxisd Docker image is build (Raspberry pi) -# docker_image: -# name: "{{ matrix_mxisd_docker_image }}" -# source: build -# build: -# dockerfile: Dockerfile -# path: "{{ matrix_docker_mxisd_src_files_path }}" -# pull: yes -# when: "matrix_mxisd_enabled|bool and matrix_raspberry_pi" - -- name: Ensure mxisd Docker image is build (Raspberry pi) + when: "matrix_mxisd_enabled|bool and matrix_mxisd_self_build" + +- name: Ensure mxisd Docker image is build shell: "./gradlew dockerBuild" args: chdir: "{{ matrix_docker_mxisd_src_files_path }}" - when: "matrix_mxisd_enabled|bool and matrix_raspberry_pi" + when: "matrix_mxisd_enabled|bool and matrix_mxisd_self_build" - name: Ensure mxisd config installed copy: diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index e707a61a..0a37c965 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,9 +1,11 @@ matrix_riot_web_enabled: true +matrix_riot_web_self_build: false matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.12" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" +matrix_docker_riot_web_src_files_path: "{{ matrix_riot_web_data_path }}/docker-src" # Controls whether the matrix-riot-web container exposes its HTTP port (tcp/8080 in the container). # diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index fcaaeeec..ef0ec91d 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -6,11 +6,14 @@ - name: Ensure Matrix riot-web path exists file: - path: "{{ matrix_riot_web_data_path }}" + path: "{{ item }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_riot_web_data_path }}" + - { src: "{{ matrix_docker_riot_web_src_files_path }}", when: "{{ matrix_riot_web_self_build }}" } when: matrix_riot_web_enabled|bool - name: Ensure riot-web Docker image is pulled @@ -19,17 +22,17 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_riot_web_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_riot_web_docker_image_force_pull }}" - when: matrix_riot_web_enabled|bool and not matrix_raspberry_pi + when: matrix_riot_web_enabled|bool and not matrix_riot_web_self_build -- name: Ensure Riot Web repository is present on Raspberry pi +- name: Ensure Riot Web repository is present on self-build git: repo: https://github.com/vector-im/riot-web.git dest: "{{ matrix_docker_riot_web_src_files_path }}" version: "v{{ matrix_riot_web_docker_image.split(':')[1] }}" force: "yes" - when: "matrix_riot_web_enabled|bool and matrix_raspberry_pi" + when: "matrix_riot_web_enabled|bool and matrix_riot_web_self_build" -- name: Ensure Riot Web Docker image is build (Raspberry pi) +- name: Ensure Riot Web Docker image is build docker_image: name: "{{ matrix_riot_web_docker_image }}" source: build @@ -37,7 +40,7 @@ dockerfile: Dockerfile path: "{{ matrix_docker_riot_web_src_files_path }}" pull: yes - when: "matrix_riot_web_enabled|bool and matrix_raspberry_pi" + when: "matrix_riot_web_enabled|bool and matrix_self_build" - name: Ensure Matrix riot-web configuration installed copy: diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 05ad9126..309d4396 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -2,11 +2,13 @@ # See: https://github.com/matrix-org/synapse matrix_synapse_enabled: true +matrix_synapse_self_build: false matrix_synapse_docker_image: "matrixdotorg/synapse:v1.11.1" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" +matrix_docker_synapse_src_files_path: "{{ matrix_synapse_base_path }}/docker-src" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run" matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml index b565a4d2..c5d6beef 100644 --- a/roles/matrix-synapse/tasks/setup_synapse.yml +++ b/roles/matrix-synapse/tasks/setup_synapse.yml @@ -11,6 +11,7 @@ - "{{ matrix_synapse_config_dir_path }}" - "{{ matrix_synapse_run_path }}" - "{{ matrix_synapse_ext_path }}" + - { src: "{{ matrix_docker_synapse_src_files_path }}", when: "{{ matrix_synapse_self_build }}" } # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), # because if it's using Goofys and it's already mounted (from before), # trying to chown/chmod it here will cause trouble. diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index 33f04a28..2188b1bd 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -18,15 +18,15 @@ group: "{{ matrix_user_username }}" when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" -- name: Ensure Synapse repository is present on Raspberry pi +- name: Ensure Synapse repository is present on self-build git: repo: https://github.com/matrix-org/synapse.git dest: "{{ matrix_docker_synapse_src_files_path }}" version: "{{ matrix_synapse_docker_image.split(':')[1] }}" force: "yes" - when: "matrix_raspberry_pi" + when: "matrix_synapse_self_build" -- name: Ensure Synapse Docker image is build (Raspberry pi) +- name: Ensure Synapse Docker image is build docker_image: name: "{{ matrix_synapse_docker_image }}" source: build @@ -34,7 +34,7 @@ dockerfile: docker/Dockerfile path: "{{ matrix_docker_synapse_src_files_path }}" pull: yes - when: "matrix_raspberry_pi" + when: "matrix_synapse_self_build" - name: Ensure Synapse Docker image is pulled docker_image: @@ -42,7 +42,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_synapse_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_docker_image_force_pull }}" - when: "not matrix_raspberry_pi" + when: "not matrix_synapse_self_build" - name: Check if a Synapse signing key exists stat: From a5d94eec0b62f02cf31c1537ed1e9bfb0024903c Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sun, 8 Mar 2020 00:28:14 +0100 Subject: [PATCH 0953/2384] refactor variable names --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- .../matrix-bridge-mautrix-facebook/tasks/setup_install.yml | 6 +++--- roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 2 +- .../matrix-bridge-mautrix-hangouts/tasks/setup_install.yml | 6 +++--- roles/matrix-coturn/defaults/main.yml | 2 +- roles/matrix-coturn/tasks/setup_coturn.yml | 6 +++--- roles/matrix-mxisd/defaults/main.yml | 2 +- roles/matrix-mxisd/tasks/setup_mxisd.yml | 6 +++--- roles/matrix-riot-web/defaults/main.yml | 2 +- roles/matrix-riot-web/tasks/setup_riot_web.yml | 6 +++--- roles/matrix-synapse/defaults/main.yml | 2 +- roles/matrix-synapse/tasks/setup_synapse.yml | 2 +- roles/matrix-synapse/tasks/synapse/setup_install.yml | 4 ++-- 13 files changed, 24 insertions(+), 24 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 6503a275..93a3134b 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -11,7 +11,7 @@ matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_doc matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook" matrix_mautrix_facebook_config_path: "{{ matrix_mautrix_facebook_base_path }}/config" matrix_mautrix_facebook_data_path: "{{ matrix_mautrix_facebook_base_path }}/data" -matrix_docker_mautrix_facebook_src_files_path: "{{ matrix_mautrix_facebook_base_path }}/docker-src" +matrix_mautrix_facebook_docker_src_files_path: "{{ matrix_mautrix_facebook_base_path }}/docker-src" matrix_mautrix_facebook_homeserver_address: 'http://matrix-synapse:8008' matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}' diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 7b83ae4e..1088f0b4 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -27,12 +27,12 @@ - "{{ matrix_mautrix_facebook_base_path }}" - "{{ matrix_mautrix_facebook_config_path }}" - "{{ matrix_mautrix_facebook_data_path }}" - - { src: "{{ matrix_docker_mautrix_facebook_src_files_path }}", when: "{{ matrix_mautrix_facebook_self_build }}" } + - { src: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_facebook_self_build }}" } - name: Ensure Mautrix Facebook repository is present on self-build git: repo: https://github.com/tulir/mautrix-facebook.git - dest: "{{ matrix_docker_mautrix_facebook_src_files_path }}" + dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}" # version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_self_build" @@ -43,7 +43,7 @@ source: build build: dockerfile: Dockerfile - path: "{{ matrix_docker_mautrix_facebook_src_files_path }}" + path: "{{ matrix_mautrix_facebook_docker_src_files_path }}" pull: yes when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_self_build" diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index e136dd1e..0f3b14c5 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -11,7 +11,7 @@ matrix_mautrix_hangouts_docker_image_force_pull: "{{ matrix_mautrix_hangouts_doc matrix_mautrix_hangouts_base_path: "{{ matrix_base_data_path }}/mautrix-hangouts" matrix_mautrix_hangouts_config_path: "{{ matrix_mautrix_hangouts_base_path }}/config" matrix_mautrix_hangouts_data_path: "{{ matrix_mautrix_hangouts_base_path }}/data" -matrix_docker_mautrix_hangouts_src_files_path: "{{ matrix_mautrix_hangouts_base_path }}/docker-src" +matrix_mautrix_hangouts_docker_src_files_path: "{{ matrix_mautrix_hangouts_base_path }}/docker-src" matrix_mautrix_hangouts_public_endpoint: '/mautrix-hangouts' diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index 4a5c9103..e18778b2 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -27,14 +27,14 @@ - "{{ matrix_mautrix_hangouts_base_path }}" - "{{ matrix_mautrix_hangouts_config_path }}" - "{{ matrix_mautrix_hangouts_data_path }}" - - { src: "{{ matrix_docker_mautrix_hangouts_src_files_path }}", when: "{{ matrix_mautrix_hangouts_self_build }}" } + - { src: "{{ matrix_mautrix_hangouts_docker_src_files_path }}", when: "{{ matrix_mautrix_hangouts_self_build }}" } when: matrix_mautrix_hangouts_enabled|bool and not matrix_mautrix_hangouts_self_build - name: Ensure Mautrix Hangots repository is present on self build git: repo: https://github.com/tulir/mautrix-hangouts.git - dest: "{{ matrix_docker_mautrix_hangouts_src_files_path }}" + dest: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" force: "yes" when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_self_build" @@ -44,7 +44,7 @@ source: build build: dockerfile: Dockerfile - path: "{{ matrix_docker_mautrix_hangouts_src_files_path }}" + path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" pull: yes when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_self_build" diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index c6a02184..a8b71bcb 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -14,7 +14,7 @@ matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(' matrix_coturn_docker_network: "matrix-coturn" matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" -matrix_docker_coturn_src_files_path: "{{ matrix_coturn_base_path }}/docker-src" +matrix_coturn_docker_src_files_path: "{{ matrix_coturn_base_path }}/docker-src" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" # List of systemd services that matrix-coturn.service depends on diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 9a50859a..ec7a452e 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -12,7 +12,7 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - { src: "{{ matrix_docker_coturn_src_files_path }}", when: "{{ matrix_coturn_self_build }}"} + - { src: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_self_build }}"} when: matrix_riot_web_enabled|bool - name: Ensure Coturn image is pulled @@ -26,7 +26,7 @@ - name: Ensure Coturn repository is present on self-build git: repo: https://github.com/instrumentisto/coturn-docker-image.git - dest: "{{ matrix_docker_coturn_src_files_path }}" + dest: "{{ matrix_coturn_docker_src_files_path }}" version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" when: "matrix_coturn_enabled|bool and matrix_coturn_self_build" @@ -37,7 +37,7 @@ source: build build: dockerfile: Dockerfile - path: "{{ matrix_docker_coturn_src_files_path }}" + path: "{{ matrix_coturn_docker_src_files_path }}" pull: yes when: "matrix_coturn_enabled|bool and matrix_coturn_self_build" diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index b9bebb0b..b3a921bb 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mxisd_docker_image: "kamax/mxisd:1.4.6" matrix_mxisd_docker_image_force_pull: "{{ matrix_mxisd_docker_image.endswith(':latest') }}" matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" -matrix_docker_mxisd_src_files_path: "{{ matrix_mxisd_base_path }}/docker-src" +matrix_mxisd_docker_src_files_path: "{{ matrix_mxisd_base_path }}/docker-src" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml index b01abef3..92b7163b 100644 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ b/roles/matrix-mxisd/tasks/setup_mxisd.yml @@ -14,7 +14,7 @@ with_items: - "{{ matrix_mxisd_config_path }}" - "{{ matrix_mxisd_data_path }}" - - { src: "{{ matrix_docker_mxisd_src_files_path }}", when: "{{ matrix_mxisd_self_build }}"} + - { src: "{{ matrix_mxisd_docker_src_files_path }}", when: "{{ matrix_mxisd_self_build }}"} when: matrix_mxisd_enabled|bool - name: Ensure mxisd image is pulled @@ -36,7 +36,7 @@ - name: Ensure mxisd repository is present on self-build git: repo: https://github.com/kamax-matrix/mxisd.git - dest: "{{ matrix_docker_mxisd_src_files_path }}" + dest: "{{ matrix_mxisd_docker_src_files_path }}" version: "v{{ matrix_mxisd_docker_image.split(':')[1] }}" force: "yes" when: "matrix_mxisd_enabled|bool and matrix_mxisd_self_build" @@ -44,7 +44,7 @@ - name: Ensure mxisd Docker image is build shell: "./gradlew dockerBuild" args: - chdir: "{{ matrix_docker_mxisd_src_files_path }}" + chdir: "{{ matrix_mxisd_docker_src_files_path }}" when: "matrix_mxisd_enabled|bool and matrix_mxisd_self_build" - name: Ensure mxisd config installed diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 0a37c965..bdbce0f3 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -5,7 +5,7 @@ matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.12" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" -matrix_docker_riot_web_src_files_path: "{{ matrix_riot_web_data_path }}/docker-src" +matrix_riot_web_docker_src_files_path: "{{ matrix_riot_web_data_path }}/docker-src" # Controls whether the matrix-riot-web container exposes its HTTP port (tcp/8080 in the container). # diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index ef0ec91d..9161c817 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -13,7 +13,7 @@ group: "{{ matrix_user_username }}" with_items: - "{{ matrix_riot_web_data_path }}" - - { src: "{{ matrix_docker_riot_web_src_files_path }}", when: "{{ matrix_riot_web_self_build }}" } + - { src: "{{ matrix_riot_web_docker_src_files_path }}", when: "{{ matrix_riot_web_self_build }}" } when: matrix_riot_web_enabled|bool - name: Ensure riot-web Docker image is pulled @@ -27,7 +27,7 @@ - name: Ensure Riot Web repository is present on self-build git: repo: https://github.com/vector-im/riot-web.git - dest: "{{ matrix_docker_riot_web_src_files_path }}" + dest: "{{ matrix_riot_web_docker_src_files_path }}" version: "v{{ matrix_riot_web_docker_image.split(':')[1] }}" force: "yes" when: "matrix_riot_web_enabled|bool and matrix_riot_web_self_build" @@ -38,7 +38,7 @@ source: build build: dockerfile: Dockerfile - path: "{{ matrix_docker_riot_web_src_files_path }}" + path: "{{ matrix_riot_web_docker_src_files_path }}" pull: yes when: "matrix_riot_web_enabled|bool and matrix_self_build" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 309d4396..1f0d49d8 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_docker_image: "matrixdotorg/synapse:v1.11.1" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" -matrix_docker_synapse_src_files_path: "{{ matrix_synapse_base_path }}/docker-src" +matrix_synapse_docker_src_files_path: "{{ matrix_synapse_base_path }}/docker-src" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run" matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml index c5d6beef..0ce851c7 100644 --- a/roles/matrix-synapse/tasks/setup_synapse.yml +++ b/roles/matrix-synapse/tasks/setup_synapse.yml @@ -11,7 +11,7 @@ - "{{ matrix_synapse_config_dir_path }}" - "{{ matrix_synapse_run_path }}" - "{{ matrix_synapse_ext_path }}" - - { src: "{{ matrix_docker_synapse_src_files_path }}", when: "{{ matrix_synapse_self_build }}" } + - { src: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_self_build }}" } # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), # because if it's using Goofys and it's already mounted (from before), # trying to chown/chmod it here will cause trouble. diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index 2188b1bd..481429a4 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -21,7 +21,7 @@ - name: Ensure Synapse repository is present on self-build git: repo: https://github.com/matrix-org/synapse.git - dest: "{{ matrix_docker_synapse_src_files_path }}" + dest: "{{ matrix_synapse_docker_src_files_path }}" version: "{{ matrix_synapse_docker_image.split(':')[1] }}" force: "yes" when: "matrix_synapse_self_build" @@ -32,7 +32,7 @@ source: build build: dockerfile: docker/Dockerfile - path: "{{ matrix_docker_synapse_src_files_path }}" + path: "{{ matrix_synapse_docker_src_files_path }}" pull: yes when: "matrix_synapse_self_build" From 6232a81caf2d9c72394306ea6f2c6d638770b6f2 Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sun, 8 Mar 2020 19:04:41 +0100 Subject: [PATCH 0954/2384] check if target distro is Raspbian and install docker accordingly --- roles/matrix-base/defaults/main.yml | 3 --- roles/matrix-base/tasks/server_base/setup.yml | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index a58e3bc4..b4fef1dd 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -66,6 +66,3 @@ run_setup: true run_self_check: true run_start: true run_stop: true - -# Raspberry pi depoly TODO: it should be identified based on the operating system -matrix_raspberry_pi_deploy: false \ No newline at end of file diff --git a/roles/matrix-base/tasks/server_base/setup.yml b/roles/matrix-base/tasks/server_base/setup.yml index 1ce62158..70b2e4fc 100644 --- a/roles/matrix-base/tasks/server_base/setup.yml +++ b/roles/matrix-base/tasks/server_base/setup.yml @@ -7,7 +7,7 @@ when: (ansible_os_family == 'Debian') and (ansible_lsb.id != 'Raspbian') - include_tasks: "{{ role_path }}/tasks/server_base/setup_raspbian.yml" - when: "matrix_raspberry_pi_deploy" + when: (ansible_os_family == 'Debian') and (ansible_lsb.id == 'Raspbian') - name: Ensure Docker is started and autoruns service: From 3c8535c3bce0a99badd0c6efa858686445448a2a Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sun, 8 Mar 2020 19:17:10 +0100 Subject: [PATCH 0955/2384] check ansible version for self-building in every role --- roles/matrix-base/tasks/sanity_check.yml | 7 ------- roles/matrix-bridge-mautrix-facebook/tasks/init.yml | 7 +++++++ roles/matrix-bridge-mautrix-hangouts/tasks/init.yml | 7 +++++++ roles/matrix-coturn/tasks/init.yml | 7 +++++++ roles/matrix-mxisd/tasks/init.yml | 7 +++++++ roles/matrix-riot-web/tasks/init.yml | 7 +++++++ roles/matrix-synapse/tasks/init.yml | 7 +++++++ 7 files changed, 42 insertions(+), 7 deletions(-) diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index a0a92a22..b2d8c249 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -44,10 +44,3 @@ - "{{ matrix_server_fqn_matrix }}" - "{{ matrix_server_fqn_riot }}" when: "item != item|lower" - -# ansible lower than 2.8, does not support docker_image build parameters -# for Raspberry pi it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and targeting Raspberry pi - fail: - msg: "To target Raspberry pi, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_raspberry_pi" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml index 92f97867..85bb3838 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml @@ -14,3 +14,10 @@ + {{ ["/matrix-mautrix-facebook-registration.yaml"] }} when: matrix_mautrix_facebook_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_self_build" \ No newline at end of file diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index e4f48afc..b276a1f6 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -60,3 +60,10 @@ URL endpoint to the matrix-mautrix-hangouts container. You can expose the container's port using the `matrix_mautrix_hangouts_container_http_host_bind_port` variable. when: "matrix_mautrix_hangouts_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)" + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Mautrix Hangouts image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_self_build" diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index 603b536a..9b97ce6a 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -1,3 +1,10 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn'] }}" when: matrix_coturn_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Coturn image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_self_build" diff --git a/roles/matrix-mxisd/tasks/init.yml b/roles/matrix-mxisd/tasks/init.yml index 94543b35..dcae446e 100644 --- a/roles/matrix-mxisd/tasks/init.yml +++ b/roles/matrix-mxisd/tasks/init.yml @@ -1,3 +1,10 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mxisd'] }}" when: matrix_mxisd_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Mxisd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mxisd_self_build" diff --git a/roles/matrix-riot-web/tasks/init.yml b/roles/matrix-riot-web/tasks/init.yml index 52c096ee..4fc4e658 100644 --- a/roles/matrix-riot-web/tasks/init.yml +++ b/roles/matrix-riot-web/tasks/init.yml @@ -1,3 +1,10 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-riot-web'] }}" when: matrix_riot_web_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Riot Web image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_riot_web_self_build" diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index d5f64862..b91c42cb 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -5,3 +5,10 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys'] }}" when: matrix_s3_media_store_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Synapse image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_self_build" From a164fe485e03a36065cdf7809f67631ba6c20f8e Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sat, 14 Mar 2020 19:14:39 +0100 Subject: [PATCH 0956/2384] fix wrong variable name --- roles/matrix-riot-web/tasks/setup_riot_web.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index 9161c817..2216a0ff 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -40,7 +40,7 @@ dockerfile: Dockerfile path: "{{ matrix_riot_web_docker_src_files_path }}" pull: yes - when: "matrix_riot_web_enabled|bool and matrix_self_build" + when: "matrix_riot_web_enabled|bool and matrix_riot_web_self_build" - name: Ensure Matrix riot-web configuration installed copy: From 2d537484d5c40d6ec93dbe2a12d1edc806f79b89 Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sat, 14 Mar 2020 19:16:29 +0100 Subject: [PATCH 0957/2384] introduce variable --- roles/matrix-base/defaults/main.yml | 4 ++++ roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 2 +- roles/matrix-coturn/defaults/main.yml | 2 +- roles/matrix-mxisd/defaults/main.yml | 2 +- roles/matrix-riot-web/defaults/main.yml | 2 +- roles/matrix-synapse/defaults/main.yml | 2 +- 6 files changed, 9 insertions(+), 5 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index b4fef1dd..c2a81c29 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -66,3 +66,7 @@ run_setup: true run_self_check: true run_start: true run_stop: true + +# Building every docker image from source on the target host +# Controlling docker image build is possible on a per unit base +matrix_container_images_self_build: false \ No newline at end of file diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 0f3b14c5..89eea352 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -2,7 +2,7 @@ # See: https://github.com/tulir/mautrix-hangouts matrix_mautrix_hangouts_enabled: true -matrix_mautrix_hangouts_self_build: true +matrix_mautrix_hangouts_self_build: "{{ matrix_container_images_self_build }}" # See: https://mau.dev/tulir/mautrix-hangouts/container_registry matrix_mautrix_hangouts_docker_image: "dock.mau.dev/tulir/mautrix-hangouts:latest" diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index a8b71bcb..214401b8 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -1,5 +1,5 @@ matrix_coturn_enabled: true -matrix_coturn_self_build: false +matrix_coturn_self_build: "{{ matrix_container_images_self_build }}" matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index b3a921bb..e882bc13 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -2,7 +2,7 @@ # See: https://github.com/kamax-matrix/mxisd matrix_mxisd_enabled: true -matrix_mxisd_self_build: false +matrix_mxisd_self_build: "{{ matrix_container_images_self_build }}" matrix_mxisd_docker_image: "kamax/mxisd:1.4.6" matrix_mxisd_docker_image_force_pull: "{{ matrix_mxisd_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index bdbce0f3..efccdf21 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,5 +1,5 @@ matrix_riot_web_enabled: true -matrix_riot_web_self_build: false +matrix_riot_web_self_build: "{{ matrix_container_images_self_build }}" matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.12" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 1f0d49d8..1a992a97 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -2,7 +2,7 @@ # See: https://github.com/matrix-org/synapse matrix_synapse_enabled: true -matrix_synapse_self_build: false +matrix_synapse_self_build: "{{ matrix_container_images_self_build }}" matrix_synapse_docker_image: "matrixdotorg/synapse:v1.11.1" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 976f1a4582069abcf99d2f535a5379551d6048c2 Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sat, 14 Mar 2020 19:54:13 +0100 Subject: [PATCH 0958/2384] fix riot-web version strip --- roles/matrix-riot-web/tasks/setup_riot_web.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index 2216a0ff..2dac85cf 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -28,7 +28,7 @@ git: repo: https://github.com/vector-im/riot-web.git dest: "{{ matrix_riot_web_docker_src_files_path }}" - version: "v{{ matrix_riot_web_docker_image.split(':')[1] }}" + version: "{{ matrix_riot_web_docker_image.split(':')[1] }}" force: "yes" when: "matrix_riot_web_enabled|bool and matrix_riot_web_self_build" From 30fd1ab2d658ccfd6f02df917727fdda47b755f1 Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sat, 14 Mar 2020 20:40:31 +0100 Subject: [PATCH 0959/2384] add forgotten support for variable for matrix-bridge-mautrix-facebook role --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 93a3134b..9acf2228 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -2,7 +2,7 @@ # See: https://github.com/tulir/mautrix-facebook matrix_mautrix_facebook_enabled: true -matrix_mautrix_facebook_self_build: false +matrix_mautrix_facebook_self_build: "{{ matrix_container_images_self_build }}" # See: https://mau.dev/tulir/mautrix-facebook/container_registry matrix_mautrix_facebook_docker_image: "dock.mau.dev/tulir/mautrix-facebook:latest" From 447dd94ff97d89549179b6d14ce09d20e69eb20f Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sat, 14 Mar 2020 20:41:01 +0100 Subject: [PATCH 0960/2384] update documentation --- docs/prerequisites.md | 2 +- docs/raspberry-pi.md | 17 ----------------- docs/self-build.md | 17 +++++++++++++++++ 3 files changed, 18 insertions(+), 18 deletions(-) delete mode 100644 docs/raspberry-pi.md create mode 100644 docs/self-build.md diff --git a/docs/prerequisites.md b/docs/prerequisites.md index a8b1e6ad..4e72e2ea 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -1,6 +1,6 @@ # Prerequisites -- An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+) or **Ubuntu** (16.04+). This playbook doesn't support running on ARM ([see](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however some workarounnd exist for the [Raspberry Pi](raspberry-pi.md). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. +- An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+) or **Ubuntu** (16.04+). This playbook doesn't support running on ARM ([see](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Self-Building](self-building.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). diff --git a/docs/raspberry-pi.md b/docs/raspberry-pi.md deleted file mode 100644 index d5cd0f07..00000000 --- a/docs/raspberry-pi.md +++ /dev/null @@ -1,17 +0,0 @@ -# Raspberry Pi - -The playbook support for Raspberry Pi is now in beta(ish). The problem is that, docker containers are not architecture independent, and most of them are not build for arm. Some roles have been updated, so they built the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for mxisd). - -To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your vars.yaml file: -``` -matrix_raspberry_pi = true -``` - -List of roles that builtds the image: -- synapse -- coturn -- mxisd -- matrix-bridge-mautrix-facebook -- matrix-bridge-mautrix-hangouts - -nginx hopefully works as it has an arm image already. diff --git a/docs/self-build.md b/docs/self-build.md new file mode 100644 index 00000000..b95f60a9 --- /dev/null +++ b/docs/self-build.md @@ -0,0 +1,17 @@ +# Self building + +The playbook supports the self building of a couple of components. This may be useful for architectures beside x86_64 that have no docker images right now (e g. the armv7 for the Raspberry Pi). Some roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for mxisd). + +To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your vars.yaml file: +``` +matrix_container_images_self_build = true +``` +Setting that variable will self-build every role where applicable. Self-building can be set on a per-role basis as well. + +List of roles where self-building the docker image is currently possible: +- synapse +- riot-web +- coturn +- mxisd +- matrix-bridge-mautrix-facebook +- matrix-bridge-mautrix-hangouts From 8fe97abe7db32d06b72a7edc0b62de991e3e3331 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 15 Mar 2020 10:10:41 +0200 Subject: [PATCH 0961/2384] Wire matrix_container_images_self_build to self_build variables via group_vars/matrix_servers This keeps the roles cleaner and more independent of matrix-base, which may be important for people building their own playbook out of the individual roles and not using the matrix-base role. --- group_vars/matrix_servers | 12 ++++++++++++ .../matrix-bridge-mautrix-facebook/defaults/main.yml | 3 ++- .../matrix-bridge-mautrix-hangouts/defaults/main.yml | 3 ++- roles/matrix-coturn/defaults/main.yml | 3 ++- roles/matrix-mxisd/defaults/main.yml | 3 ++- roles/matrix-riot-web/defaults/main.yml | 3 ++- roles/matrix-synapse/defaults/main.yml | 3 ++- 7 files changed, 24 insertions(+), 6 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5efde0c9..601b05ff 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -172,6 +172,8 @@ matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | # We don't enable bridges by default. matrix_mautrix_facebook_enabled: false +matrix_mautrix_facebook_self_build: "{{ matrix_container_images_self_build }}" + matrix_mautrix_facebook_systemd_required_services_list: | {{ ['docker.service'] @@ -201,6 +203,8 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro # We don't enable bridges by default. matrix_mautrix_hangouts_enabled: false +matrix_mautrix_hangouts_self_build: "{{ matrix_container_images_self_build }}" + matrix_mautrix_hangouts_systemd_required_services_list: | {{ ['docker.service'] @@ -329,6 +333,8 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati matrix_coturn_enabled: true +matrix_coturn_self_build: "{{ matrix_container_images_self_build }}" + matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" matrix_coturn_tls_enabled: true @@ -415,6 +421,8 @@ matrix_mailer_enabled: true # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. matrix_mxisd_enabled: true +matrix_mxisd_self_build: "{{ matrix_container_images_self_build }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # mxisd's web-server port. @@ -559,6 +567,8 @@ matrix_postgres_db_name: "homeserver" # If you wish to connect to your Matrix server by other means, you may wish to disable this. matrix_riot_web_enabled: true +matrix_riot_web_self_build: "{{ matrix_container_images_self_build }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the riot-web HTTP port to the local host. @@ -600,6 +610,8 @@ matrix_riot_web_welcome_user_id: ~ # ###################################################################### +matrix_synapse_self_build: "{{ matrix_container_images_self_build }}" + # When mxisd is enabled, we can use it instead of the default public Identity servers. matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 9acf2228..cd1770d4 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -2,7 +2,8 @@ # See: https://github.com/tulir/mautrix-facebook matrix_mautrix_facebook_enabled: true -matrix_mautrix_facebook_self_build: "{{ matrix_container_images_self_build }}" + +matrix_mautrix_facebook_self_build: false # See: https://mau.dev/tulir/mautrix-facebook/container_registry matrix_mautrix_facebook_docker_image: "dock.mau.dev/tulir/mautrix-facebook:latest" diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 89eea352..de31d83e 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -2,7 +2,8 @@ # See: https://github.com/tulir/mautrix-hangouts matrix_mautrix_hangouts_enabled: true -matrix_mautrix_hangouts_self_build: "{{ matrix_container_images_self_build }}" + +matrix_mautrix_hangouts_self_build: false # See: https://mau.dev/tulir/mautrix-hangouts/container_registry matrix_mautrix_hangouts_docker_image: "dock.mau.dev/tulir/mautrix-hangouts:latest" diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 214401b8..cbcc135e 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -1,5 +1,6 @@ matrix_coturn_enabled: true -matrix_coturn_self_build: "{{ matrix_container_images_self_build }}" + +matrix_coturn_self_build: false matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index e882bc13..b291c5ce 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -2,7 +2,8 @@ # See: https://github.com/kamax-matrix/mxisd matrix_mxisd_enabled: true -matrix_mxisd_self_build: "{{ matrix_container_images_self_build }}" + +matrix_mxisd_self_build: false matrix_mxisd_docker_image: "kamax/mxisd:1.4.6" matrix_mxisd_docker_image_force_pull: "{{ matrix_mxisd_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index efccdf21..cafe4ceb 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,5 +1,6 @@ matrix_riot_web_enabled: true -matrix_riot_web_self_build: "{{ matrix_container_images_self_build }}" + +matrix_riot_web_self_build: false matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.12" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 1a992a97..f3e6d4fe 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -2,7 +2,8 @@ # See: https://github.com/matrix-org/synapse matrix_synapse_enabled: true -matrix_synapse_self_build: "{{ matrix_container_images_self_build }}" + +matrix_synapse_self_build: false matrix_synapse_docker_image: "matrixdotorg/synapse:v1.11.1" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 2b85fde103f0a80223fdf6708225979e5818431d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 15 Mar 2020 10:15:27 +0200 Subject: [PATCH 0962/2384] Rename some variables for consistency --- group_vars/matrix_servers | 12 ++++++------ .../matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-facebook/tasks/init.yml | 2 +- .../tasks/setup_install.yml | 8 ++++---- .../matrix-bridge-mautrix-hangouts/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/tasks/init.yml | 2 +- .../tasks/setup_install.yml | 10 +++++----- roles/matrix-coturn/defaults/main.yml | 2 +- roles/matrix-coturn/tasks/init.yml | 2 +- roles/matrix-coturn/tasks/setup_coturn.yml | 8 ++++---- roles/matrix-mxisd/defaults/main.yml | 2 +- roles/matrix-mxisd/tasks/init.yml | 2 +- roles/matrix-mxisd/tasks/setup_mxisd.yml | 10 +++++----- roles/matrix-riot-web/defaults/main.yml | 2 +- roles/matrix-riot-web/tasks/init.yml | 2 +- roles/matrix-riot-web/tasks/setup_riot_web.yml | 8 ++++---- roles/matrix-synapse/defaults/main.yml | 2 +- roles/matrix-synapse/tasks/init.yml | 2 +- roles/matrix-synapse/tasks/setup_synapse.yml | 2 +- roles/matrix-synapse/tasks/synapse/setup_install.yml | 6 +++--- 20 files changed, 44 insertions(+), 44 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 601b05ff..f722e265 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -172,7 +172,7 @@ matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | # We don't enable bridges by default. matrix_mautrix_facebook_enabled: false -matrix_mautrix_facebook_self_build: "{{ matrix_container_images_self_build }}" +matrix_mautrix_facebook_container_image_self_build: "{{ matrix_container_images_self_build }}" matrix_mautrix_facebook_systemd_required_services_list: | {{ @@ -203,7 +203,7 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro # We don't enable bridges by default. matrix_mautrix_hangouts_enabled: false -matrix_mautrix_hangouts_self_build: "{{ matrix_container_images_self_build }}" +matrix_mautrix_hangouts_container_image_self_build: "{{ matrix_container_images_self_build }}" matrix_mautrix_hangouts_systemd_required_services_list: | {{ @@ -333,7 +333,7 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati matrix_coturn_enabled: true -matrix_coturn_self_build: "{{ matrix_container_images_self_build }}" +matrix_coturn_container_image_self_build: "{{ matrix_container_images_self_build }}" matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" @@ -421,7 +421,7 @@ matrix_mailer_enabled: true # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. matrix_mxisd_enabled: true -matrix_mxisd_self_build: "{{ matrix_container_images_self_build }}" +matrix_mxisd_container_image_self_build: "{{ matrix_container_images_self_build }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose @@ -567,7 +567,7 @@ matrix_postgres_db_name: "homeserver" # If you wish to connect to your Matrix server by other means, you may wish to disable this. matrix_riot_web_enabled: true -matrix_riot_web_self_build: "{{ matrix_container_images_self_build }}" +matrix_riot_web_container_image_self_build: "{{ matrix_container_images_self_build }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose @@ -610,7 +610,7 @@ matrix_riot_web_welcome_user_id: ~ # ###################################################################### -matrix_synapse_self_build: "{{ matrix_container_images_self_build }}" +matrix_synapse_container_image_self_build: "{{ matrix_container_images_self_build }}" # When mxisd is enabled, we can use it instead of the default public Identity servers. matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index cd1770d4..30693bd5 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -3,7 +3,7 @@ matrix_mautrix_facebook_enabled: true -matrix_mautrix_facebook_self_build: false +matrix_mautrix_facebook_container_image_self_build: false # See: https://mau.dev/tulir/mautrix-facebook/container_registry matrix_mautrix_facebook_docker_image: "dock.mau.dev/tulir/mautrix-facebook:latest" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml index 85bb3838..c9688cf0 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml @@ -20,4 +20,4 @@ - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_self_build" \ No newline at end of file + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 1088f0b4..c21ba216 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -14,7 +14,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_facebook_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_docker_image_force_pull }}" - when: matrix_mautrix_facebook_enabled|bool and not matrix_mautrix_facebook_self_build + when: matrix_mautrix_facebook_enabled|bool and not matrix_mautrix_facebook_container_image_self_build - name: Ensure Mautrix Facebook paths exist file: @@ -27,7 +27,7 @@ - "{{ matrix_mautrix_facebook_base_path }}" - "{{ matrix_mautrix_facebook_config_path }}" - "{{ matrix_mautrix_facebook_data_path }}" - - { src: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_facebook_self_build }}" } + - { src: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_facebook_container_image_self_build }}" } - name: Ensure Mautrix Facebook repository is present on self-build git: @@ -35,7 +35,7 @@ dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}" # version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" - when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_self_build" + when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build" - name: Ensure Mautrix Facebook Docker image is build docker_image: @@ -45,7 +45,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_facebook_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_self_build" + when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index de31d83e..5284bc82 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -3,7 +3,7 @@ matrix_mautrix_hangouts_enabled: true -matrix_mautrix_hangouts_self_build: false +matrix_mautrix_hangouts_container_image_self_build: false # See: https://mau.dev/tulir/mautrix-hangouts/container_registry matrix_mautrix_hangouts_docker_image: "dock.mau.dev/tulir/mautrix-hangouts:latest" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index b276a1f6..9dd09d81 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -66,4 +66,4 @@ - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix Hangouts image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index e18778b2..beed38a7 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -14,7 +14,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_hangouts_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_hangouts_docker_image_force_pull }}" - when: matrix_mautrix_hangouts_enabled|bool and not matrix_mautrix_hangouts_self_build + when: matrix_mautrix_hangouts_enabled|bool and not matrix_mautrix_hangouts_container_image_self_build - name: Ensure Mautrix Hangouts paths exist file: @@ -27,16 +27,16 @@ - "{{ matrix_mautrix_hangouts_base_path }}" - "{{ matrix_mautrix_hangouts_config_path }}" - "{{ matrix_mautrix_hangouts_data_path }}" - - { src: "{{ matrix_mautrix_hangouts_docker_src_files_path }}", when: "{{ matrix_mautrix_hangouts_self_build }}" } + - { src: "{{ matrix_mautrix_hangouts_docker_src_files_path }}", when: "{{ matrix_mautrix_hangouts_container_image_self_build }}" } - when: matrix_mautrix_hangouts_enabled|bool and not matrix_mautrix_hangouts_self_build + when: matrix_mautrix_hangouts_enabled|bool and not matrix_mautrix_hangouts_container_image_self_build - name: Ensure Mautrix Hangots repository is present on self build git: repo: https://github.com/tulir/mautrix-hangouts.git dest: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" force: "yes" - when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_self_build" + when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build" - name: Ensure Mautrix Hangouts Docker image is build docker_image: @@ -46,7 +46,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_self_build" + when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index cbcc135e..06063e3b 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -1,6 +1,6 @@ matrix_coturn_enabled: true -matrix_coturn_self_build: false +matrix_coturn_container_image_self_build: false matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index 9b97ce6a..b59feebd 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -7,4 +7,4 @@ - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Coturn image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build" diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index ec7a452e..bd6ef0c9 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -12,7 +12,7 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - { src: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_self_build }}"} + - { src: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"} when: matrix_riot_web_enabled|bool - name: Ensure Coturn image is pulled @@ -21,7 +21,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}" - when: matrix_coturn_enabled|bool and not matrix_coturn_self_build + when: matrix_coturn_enabled|bool and not matrix_coturn_container_image_self_build - name: Ensure Coturn repository is present on self-build git: @@ -29,7 +29,7 @@ dest: "{{ matrix_coturn_docker_src_files_path }}" version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" - when: "matrix_coturn_enabled|bool and matrix_coturn_self_build" + when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build" - name: Ensure Coturn Docker image is build docker_image: @@ -39,7 +39,7 @@ dockerfile: Dockerfile path: "{{ matrix_coturn_docker_src_files_path }}" pull: yes - when: "matrix_coturn_enabled|bool and matrix_coturn_self_build" + when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build" - name: Ensure Coturn configuration path exists file: diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index b291c5ce..605f4028 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -3,7 +3,7 @@ matrix_mxisd_enabled: true -matrix_mxisd_self_build: false +matrix_mxisd_container_image_self_build: false matrix_mxisd_docker_image: "kamax/mxisd:1.4.6" matrix_mxisd_docker_image_force_pull: "{{ matrix_mxisd_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-mxisd/tasks/init.yml b/roles/matrix-mxisd/tasks/init.yml index dcae446e..dcf1d053 100644 --- a/roles/matrix-mxisd/tasks/init.yml +++ b/roles/matrix-mxisd/tasks/init.yml @@ -7,4 +7,4 @@ - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mxisd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mxisd_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mxisd_container_image_self_build" diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml index 92b7163b..6bcdfb4f 100644 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ b/roles/matrix-mxisd/tasks/setup_mxisd.yml @@ -14,7 +14,7 @@ with_items: - "{{ matrix_mxisd_config_path }}" - "{{ matrix_mxisd_data_path }}" - - { src: "{{ matrix_mxisd_docker_src_files_path }}", when: "{{ matrix_mxisd_self_build }}"} + - { src: "{{ matrix_mxisd_docker_src_files_path }}", when: "{{ matrix_mxisd_container_image_self_build }}"} when: matrix_mxisd_enabled|bool - name: Ensure mxisd image is pulled @@ -23,7 +23,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mxisd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mxisd_docker_image_force_pull }}" - when: matrix_mxisd_enabled|bool and not matrix_mxisd_self_build + when: matrix_mxisd_enabled|bool and not matrix_mxisd_container_image_self_build - name: Ensure gradel is installed for self-building apt: @@ -31,7 +31,7 @@ - gradle state: present update_cache: yes - when: "matrix_mxisd_enabled|bool and matrix_mxisd_self_build" + when: "matrix_mxisd_enabled|bool and matrix_mxisd_container_image_self_build" - name: Ensure mxisd repository is present on self-build git: @@ -39,13 +39,13 @@ dest: "{{ matrix_mxisd_docker_src_files_path }}" version: "v{{ matrix_mxisd_docker_image.split(':')[1] }}" force: "yes" - when: "matrix_mxisd_enabled|bool and matrix_mxisd_self_build" + when: "matrix_mxisd_enabled|bool and matrix_mxisd_container_image_self_build" - name: Ensure mxisd Docker image is build shell: "./gradlew dockerBuild" args: chdir: "{{ matrix_mxisd_docker_src_files_path }}" - when: "matrix_mxisd_enabled|bool and matrix_mxisd_self_build" + when: "matrix_mxisd_enabled|bool and matrix_mxisd_container_image_self_build" - name: Ensure mxisd config installed copy: diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index cafe4ceb..08b141a1 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -1,6 +1,6 @@ matrix_riot_web_enabled: true -matrix_riot_web_self_build: false +matrix_riot_web_container_image_self_build: false matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.12" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-riot-web/tasks/init.yml b/roles/matrix-riot-web/tasks/init.yml index 4fc4e658..7c8a1550 100644 --- a/roles/matrix-riot-web/tasks/init.yml +++ b/roles/matrix-riot-web/tasks/init.yml @@ -7,4 +7,4 @@ - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Riot Web image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_riot_web_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_riot_web_container_image_self_build" diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index 2dac85cf..2509dbc9 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -13,7 +13,7 @@ group: "{{ matrix_user_username }}" with_items: - "{{ matrix_riot_web_data_path }}" - - { src: "{{ matrix_riot_web_docker_src_files_path }}", when: "{{ matrix_riot_web_self_build }}" } + - { src: "{{ matrix_riot_web_docker_src_files_path }}", when: "{{ matrix_riot_web_container_image_self_build }}" } when: matrix_riot_web_enabled|bool - name: Ensure riot-web Docker image is pulled @@ -22,7 +22,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_riot_web_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_riot_web_docker_image_force_pull }}" - when: matrix_riot_web_enabled|bool and not matrix_riot_web_self_build + when: matrix_riot_web_enabled|bool and not matrix_riot_web_container_image_self_build - name: Ensure Riot Web repository is present on self-build git: @@ -30,7 +30,7 @@ dest: "{{ matrix_riot_web_docker_src_files_path }}" version: "{{ matrix_riot_web_docker_image.split(':')[1] }}" force: "yes" - when: "matrix_riot_web_enabled|bool and matrix_riot_web_self_build" + when: "matrix_riot_web_enabled|bool and matrix_riot_web_container_image_self_build" - name: Ensure Riot Web Docker image is build docker_image: @@ -40,7 +40,7 @@ dockerfile: Dockerfile path: "{{ matrix_riot_web_docker_src_files_path }}" pull: yes - when: "matrix_riot_web_enabled|bool and matrix_riot_web_self_build" + when: "matrix_riot_web_enabled|bool and matrix_riot_web_container_image_self_build" - name: Ensure Matrix riot-web configuration installed copy: diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f3e6d4fe..fe9f5545 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -3,7 +3,7 @@ matrix_synapse_enabled: true -matrix_synapse_self_build: false +matrix_synapse_container_image_self_build: false matrix_synapse_docker_image: "matrixdotorg/synapse:v1.11.1" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index b91c42cb..004a2a92 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -11,4 +11,4 @@ - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Synapse image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build" diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml index 0ce851c7..8d5f72d2 100644 --- a/roles/matrix-synapse/tasks/setup_synapse.yml +++ b/roles/matrix-synapse/tasks/setup_synapse.yml @@ -11,7 +11,7 @@ - "{{ matrix_synapse_config_dir_path }}" - "{{ matrix_synapse_run_path }}" - "{{ matrix_synapse_ext_path }}" - - { src: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_self_build }}" } + - { src: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}" } # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), # because if it's using Goofys and it's already mounted (from before), # trying to chown/chmod it here will cause trouble. diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index 481429a4..41534d2b 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -24,7 +24,7 @@ dest: "{{ matrix_synapse_docker_src_files_path }}" version: "{{ matrix_synapse_docker_image.split(':')[1] }}" force: "yes" - when: "matrix_synapse_self_build" + when: "matrix_synapse_container_image_self_build" - name: Ensure Synapse Docker image is build docker_image: @@ -34,7 +34,7 @@ dockerfile: docker/Dockerfile path: "{{ matrix_synapse_docker_src_files_path }}" pull: yes - when: "matrix_synapse_self_build" + when: "matrix_synapse_container_image_self_build" - name: Ensure Synapse Docker image is pulled docker_image: @@ -42,7 +42,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_synapse_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_docker_image_force_pull }}" - when: "not matrix_synapse_self_build" + when: "not matrix_synapse_container_image_self_build" - name: Check if a Synapse signing key exists stat: From 063e988db2962945b82e28360232db0a0e3797d6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 15 Mar 2020 11:26:24 +0200 Subject: [PATCH 0963/2384] Make gradle installation fail in a friendlier way on CentOS --- roles/matrix-mxisd/tasks/setup_mxisd.yml | 45 +++++++++++++----------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml index 6bcdfb4f..27c00c70 100644 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ b/roles/matrix-mxisd/tasks/setup_mxisd.yml @@ -25,26 +25,31 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mxisd_docker_image_force_pull }}" when: matrix_mxisd_enabled|bool and not matrix_mxisd_container_image_self_build -- name: Ensure gradel is installed for self-building - apt: - name: - - gradle - state: present - update_cache: yes - when: "matrix_mxisd_enabled|bool and matrix_mxisd_container_image_self_build" - -- name: Ensure mxisd repository is present on self-build - git: - repo: https://github.com/kamax-matrix/mxisd.git - dest: "{{ matrix_mxisd_docker_src_files_path }}" - version: "v{{ matrix_mxisd_docker_image.split(':')[1] }}" - force: "yes" - when: "matrix_mxisd_enabled|bool and matrix_mxisd_container_image_self_build" - -- name: Ensure mxisd Docker image is build - shell: "./gradlew dockerBuild" - args: - chdir: "{{ matrix_mxisd_docker_src_files_path }}" +- block: + - name: Ensure gradle is installed for self-building + apt: + name: + - gradle + state: present + update_cache: yes + when: (ansible_os_family == 'Debian') + + - name: Ensure gradle is installed for self-building + fail: + msg: "Installing gradle on CentOS is currently not supported, so self-building mxisd cannot happen at this time" + when: ansible_distribution == 'CentOS' + + - name: Ensure mxisd repository is present on self-build + git: + repo: https://github.com/kamax-matrix/mxisd.git + dest: "{{ matrix_mxisd_docker_src_files_path }}" + version: "v{{ matrix_mxisd_docker_image.split(':')[1] }}" + force: "yes" + + - name: Ensure mxisd Docker image is built + shell: "./gradlew dockerBuild" + args: + chdir: "{{ matrix_mxisd_docker_src_files_path }}" when: "matrix_mxisd_enabled|bool and matrix_mxisd_container_image_self_build" - name: Ensure mxisd config installed From 3cee815baf8110e14baa0c7ea29733cf87cd260e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 15 Mar 2020 11:34:35 +0200 Subject: [PATCH 0964/2384] Fix some typos --- docs/self-build.md | 6 +++--- .../matrix-bridge-mautrix-facebook/tasks/setup_install.yml | 2 +- .../matrix-bridge-mautrix-hangouts/tasks/setup_install.yml | 2 +- roles/matrix-coturn/tasks/setup_coturn.yml | 2 +- roles/matrix-riot-web/tasks/setup_riot_web.yml | 2 +- roles/matrix-synapse/tasks/synapse/setup_install.yml | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/self-build.md b/docs/self-build.md index b95f60a9..44b66076 100644 --- a/docs/self-build.md +++ b/docs/self-build.md @@ -2,11 +2,11 @@ The playbook supports the self building of a couple of components. This may be useful for architectures beside x86_64 that have no docker images right now (e g. the armv7 for the Raspberry Pi). Some roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for mxisd). -To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your vars.yaml file: -``` +To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file: +```yaml matrix_container_images_self_build = true ``` -Setting that variable will self-build every role where applicable. Self-building can be set on a per-role basis as well. +Setting that variable will self-build every role which supports self-building. Self-building can be set on a per-role basis as well. List of roles where self-building the docker image is currently possible: - synapse diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index c21ba216..5a70c2e4 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -37,7 +37,7 @@ force: "yes" when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build" -- name: Ensure Mautrix Facebook Docker image is build +- name: Ensure Mautrix Facebook Docker image is built docker_image: name: "{{ matrix_mautrix_facebook_docker_image }}" source: build diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index beed38a7..db1fe736 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -38,7 +38,7 @@ force: "yes" when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build" -- name: Ensure Mautrix Hangouts Docker image is build +- name: Ensure Mautrix Hangouts Docker image is built docker_image: name: "{{ matrix_mautrix_hangouts_docker_image }}" source: build diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index bd6ef0c9..d86e4b22 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -31,7 +31,7 @@ force: "yes" when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build" -- name: Ensure Coturn Docker image is build +- name: Ensure Coturn Docker image is built docker_image: name: "{{ matrix_coturn_docker_image }}" source: build diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index 2509dbc9..feccbe81 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -32,7 +32,7 @@ force: "yes" when: "matrix_riot_web_enabled|bool and matrix_riot_web_container_image_self_build" -- name: Ensure Riot Web Docker image is build +- name: Ensure Riot Web Docker image is built docker_image: name: "{{ matrix_riot_web_docker_image }}" source: build diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index 41534d2b..cf24cefb 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -26,7 +26,7 @@ force: "yes" when: "matrix_synapse_container_image_self_build" -- name: Ensure Synapse Docker image is build +- name: Ensure Synapse Docker image is built docker_image: name: "{{ matrix_synapse_docker_image }}" source: build From 8dd187ac55c3ed19b39412e2858a826ebeb91a0d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 15 Mar 2020 12:54:41 +0200 Subject: [PATCH 0965/2384] Update changelog and documentation --- CHANGELOG.md | 10 ++++++++++ docs/{self-build.md => self-building.md} | 6 ++++-- 2 files changed, 14 insertions(+), 2 deletions(-) rename docs/{self-build.md => self-building.md} (52%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 32153869..5ab03e7e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +# 2020-03-15 + +## Raspberry Pi support + +The playbook supports installing to a Raspberry Pi server, for at least some of the services. + +Since most ready-made container images do not support that architecture, we achieve this by building images locally on the device itself. +See our [Self-building documentation page](docs/self-building.md) for how to get started. + + # 2020-02-26 ## Riot-web themes are here diff --git a/docs/self-build.md b/docs/self-building.md similarity index 52% rename from docs/self-build.md rename to docs/self-building.md index 44b66076..a4d6fad9 100644 --- a/docs/self-build.md +++ b/docs/self-building.md @@ -1,6 +1,6 @@ -# Self building +# Self-building -The playbook supports the self building of a couple of components. This may be useful for architectures beside x86_64 that have no docker images right now (e g. the armv7 for the Raspberry Pi). Some roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for mxisd). +The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for mxisd). To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file: ```yaml @@ -15,3 +15,5 @@ List of roles where self-building the docker image is currently possible: - mxisd - matrix-bridge-mautrix-facebook - matrix-bridge-mautrix-hangouts + +Adding self-building support to other roles is welcome. Feel free to contribute! From bca8afc3c52c3cbd930c0fe8935ca32b483ac5fa Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 15 Mar 2020 12:58:28 +0200 Subject: [PATCH 0966/2384] =?UTF-8?q?Update=20changelog=20to=20credit=20Ge?= =?UTF-8?q?rgely=20Horv=C3=A1th?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Related to #386 (Github Pull Request) --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5ab03e7e..31771186 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## Raspberry Pi support -The playbook supports installing to a Raspberry Pi server, for at least some of the services. +Thanks to [Gergely Horváth](https://github.com/hooger)'s effort, the playbook supports installing to a Raspberry Pi server, for at least some of the services. Since most ready-made container images do not support that architecture, we achieve this by building images locally on the device itself. See our [Self-building documentation page](docs/self-building.md) for how to get started. From 22ce50875a9a5635b0b1771b6c66a35ed8fa88fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 15 Mar 2020 13:04:55 +0200 Subject: [PATCH 0967/2384] Mention that root access is a requirement Fixes #396 (Github Issue). --- docs/prerequisites.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 4e72e2ea..e72b3496 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -2,6 +2,8 @@ - An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+) or **Ubuntu** (16.04+). This playbook doesn't support running on ARM ([see](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Self-Building](self-building.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. +- `root` access to your server (or a user capable of elevating to `root` via `sudo`). + - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). - a `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates's renewal. *This can be ignored if you use your own SSL certificates.* From bfd87000cc0947efd2fe169f467b582b4201925a Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Wed, 18 Mar 2020 06:40:01 -0500 Subject: [PATCH 0968/2384] Update riot-web (1.5.12 -> 1.5.13) --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 08b141a1..e0002326 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.12" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.13" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From e36de7e627fdc3338b6f3d66f920d9d6d3b037e1 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Wed, 18 Mar 2020 06:50:51 -0500 Subject: [PATCH 0969/2384] Update postgres (12.1 -> 12.2, etc) --- roles/matrix-postgres/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 91656ff6..4089793a 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -8,10 +8,10 @@ matrix_postgres_db_name: "" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" -matrix_postgres_docker_image_v9: "postgres:9.6.16-alpine" -matrix_postgres_docker_image_v10: "postgres:10.11-alpine" -matrix_postgres_docker_image_v11: "postgres:11.6-alpine" -matrix_postgres_docker_image_v12: "postgres:12.1-alpine" +matrix_postgres_docker_image_v9: "postgres:9.6.17-alpine" +matrix_postgres_docker_image_v10: "postgres:10.12-alpine" +matrix_postgres_docker_image_v11: "postgres:11.7-alpine" +matrix_postgres_docker_image_v12: "postgres:12.2-alpine" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v12 }}" # This variable is assigned at runtime. Overriding its value has no effect. From 4065d74a5fc5ec97d4dfc6f4e5543615212a9576 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Wed, 18 Mar 2020 06:53:59 -0500 Subject: [PATCH 0970/2384] Update nginx (1.17.8 -> 1.17.9) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index f9ebe419..a14c1333 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "nginx:1.17.8-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.17.9-alpine" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" From c7440b723a0d1af1e0fbf16d6a9f9ec67e038004 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Wed, 18 Mar 2020 06:54:10 -0500 Subject: [PATCH 0971/2384] Update certbot (1.2.0 -> 1.3.0) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a14c1333..aeede0e2 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -205,7 +205,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v1.2.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v1.3.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ From 027056e0273be8d260648e2472c28a0d4752b802 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 18 Mar 2020 18:24:03 +0200 Subject: [PATCH 0972/2384] Fix weird path creation Fixes #403 (Github Issue). --- .../tasks/setup_install.yml | 11 ++++++----- .../tasks/setup_install.yml | 13 ++++++------- roles/matrix-coturn/tasks/setup_coturn.yml | 6 +++--- roles/matrix-mxisd/tasks/setup_mxisd.yml | 10 +++++----- roles/matrix-riot-web/tasks/setup_riot_web.yml | 8 ++++---- roles/matrix-synapse/tasks/setup_synapse.yml | 12 ++++++------ 6 files changed, 30 insertions(+), 30 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 5a70c2e4..2656c5ae 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -18,16 +18,17 @@ - name: Ensure Mautrix Facebook paths exist file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - "{{ matrix_mautrix_facebook_base_path }}" - - "{{ matrix_mautrix_facebook_config_path }}" - - "{{ matrix_mautrix_facebook_data_path }}" - - { src: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_facebook_container_image_self_build }}" } + - { path: "{{ matrix_mautrix_facebook_base_path }}", when: true } + - { path: "{{ matrix_mautrix_facebook_config_path }}", when: true } + - { path: "{{ matrix_mautrix_facebook_data_path }}", when: true } + - { path: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_facebook_container_image_self_build }}" } + when: item.when|bool - name: Ensure Mautrix Facebook repository is present on self-build git: diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index db1fe736..a30367f3 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -18,18 +18,17 @@ - name: Ensure Mautrix Hangouts paths exist file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - "{{ matrix_mautrix_hangouts_base_path }}" - - "{{ matrix_mautrix_hangouts_config_path }}" - - "{{ matrix_mautrix_hangouts_data_path }}" - - { src: "{{ matrix_mautrix_hangouts_docker_src_files_path }}", when: "{{ matrix_mautrix_hangouts_container_image_self_build }}" } - - when: matrix_mautrix_hangouts_enabled|bool and not matrix_mautrix_hangouts_container_image_self_build + - { path: "{{ matrix_mautrix_hangouts_base_path }}", when: true } + - { path: "{{ matrix_mautrix_hangouts_config_path }}", when: true } + - { path: "{{ matrix_mautrix_hangouts_data_path }}", when: true } + - { path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}", when: "{{ matrix_mautrix_hangouts_container_image_self_build }}" } + when: matrix_mautrix_hangouts_enabled|bool and item.when|bool - name: Ensure Mautrix Hangots repository is present on self build git: diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index d86e4b22..479e6044 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -6,14 +6,14 @@ - name: Ensure Matrix Coturn path exists file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - { src: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"} - when: matrix_riot_web_enabled|bool + - { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"} + when: matrix_riot_web_enabled|bool and item.when - name: Ensure Coturn image is pulled docker_image: diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml index 27c00c70..aa780119 100644 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ b/roles/matrix-mxisd/tasks/setup_mxisd.yml @@ -6,16 +6,16 @@ - name: Ensure mxisd paths exist file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - "{{ matrix_mxisd_config_path }}" - - "{{ matrix_mxisd_data_path }}" - - { src: "{{ matrix_mxisd_docker_src_files_path }}", when: "{{ matrix_mxisd_container_image_self_build }}"} - when: matrix_mxisd_enabled|bool + - { path: "{{ matrix_mxisd_config_path }}", when: true } + - { path: "{{ matrix_mxisd_data_path }}", when: true } + - { path: "{{ matrix_mxisd_docker_src_files_path }}", when: "{{ matrix_mxisd_container_image_self_build }}"} + when: matrix_mxisd_enabled|bool and item.when - name: Ensure mxisd image is pulled docker_image: diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index feccbe81..e78da350 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -6,15 +6,15 @@ - name: Ensure Matrix riot-web path exists file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - "{{ matrix_riot_web_data_path }}" - - { src: "{{ matrix_riot_web_docker_src_files_path }}", when: "{{ matrix_riot_web_container_image_self_build }}" } - when: matrix_riot_web_enabled|bool + - { path: "{{ matrix_riot_web_data_path }}", when: true } + - { path: "{{ matrix_riot_web_docker_src_files_path }}", when: "{{ matrix_riot_web_container_image_self_build }}" } + when: matrix_riot_web_enabled|bool and item.when - name: Ensure riot-web Docker image is pulled docker_image: diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml index 8d5f72d2..c40ae170 100644 --- a/roles/matrix-synapse/tasks/setup_synapse.yml +++ b/roles/matrix-synapse/tasks/setup_synapse.yml @@ -2,20 +2,20 @@ - name: Ensure Synapse paths exist file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - "{{ matrix_synapse_config_dir_path }}" - - "{{ matrix_synapse_run_path }}" - - "{{ matrix_synapse_ext_path }}" - - { src: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}" } + - { path: "{{ matrix_synapse_config_dir_path }}", when: true } + - { path: "{{ matrix_synapse_run_path }}", when: true } + - { path: "{{ matrix_synapse_ext_path }}", when: true } + - { path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}" } # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), # because if it's using Goofys and it's already mounted (from before), # trying to chown/chmod it here will cause trouble. - when: "matrix_synapse_enabled|bool or matrix_s3_media_store_enabled|bool" + when: "(matrix_synapse_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when" - import_tasks: "{{ role_path }}/tasks/ext/setup.yml" From 364742aa356a13304200e1ce6c0ff1c2d5950a9d Mon Sep 17 00:00:00 2001 From: ayounggun Date: Fri, 20 Mar 2020 20:45:53 +0000 Subject: [PATCH 0973/2384] how to activate dimensions I am new to synapse. Thanks so much for these playbooks! I wasn't sure how you actual activate dimensions after setting these variables. Should you re run ansible-playbook -i inventory/hosts setup.yml --tags=setup-all ansible-playbook -i inventory/hosts setup.yml --tags=start ? If so perhaps you could tell the readers to do this somewhere in the help file Thanks =] --- docs/configuring-playbook-dimension.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 70aeabb2..97ced6bd 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -43,6 +43,13 @@ Add access token to your configuration file (`inventory/host_vars/matrix. Date: Sat, 21 Mar 2020 00:12:26 +0200 Subject: [PATCH 0974/2384] Move things around a bit --- docs/configuring-playbook-dimension.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 97ced6bd..bfd3648a 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -41,17 +41,16 @@ Add access token to your configuration file (`inventory/host_vars/matrix. Date: Sat, 21 Mar 2020 00:13:31 +0200 Subject: [PATCH 0975/2384] Minor fixup --- docs/configuring-playbook-dimension.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index bfd3648a..99de20d6 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -41,9 +41,9 @@ Add access token to your configuration file (`inventory/host_vars/matrix. Date: Mon, 23 Mar 2020 15:03:40 +0100 Subject: [PATCH 0976/2384] Release synapse v.1.12.0 --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index fe9f5545..f896f232 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.11.1" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.0" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 9032151486042230262469b403e73c7edaf2758d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 23 Mar 2020 16:15:03 +0200 Subject: [PATCH 0977/2384] Update Synapse configuration for v1.12.0 Some options are no longer required and have sensible default values. --- .../templates/synapse/homeserver.yaml.j2 | 23 +++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 49a9a906..b3adcac9 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1358,6 +1358,25 @@ saml2_config: # #grandfathered_mxid_source_attribute: upn + # Directory in which Synapse will try to find the template files below. + # If not set, default templates from within the Synapse package will be used. + # + # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. + # If you *do* uncomment it, you will need to make sure that all the templates + # below are in the directory. + # + # Synapse will look for the following templates in this directory: + # + # * HTML page to display to users if something goes wrong during the + # authentication process: 'saml_error.html'. + # + # This template doesn't currently need any variable to render. + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + # Enable CAS for registration and login. @@ -1508,10 +1527,6 @@ email: # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates # #template_dir: "res/templates" - notif_template_html: notif_mail.html - notif_template_text: notif_mail.txt - expiry_template_html: notice_expiry.html - expiry_template_text: notice_expiry.txt {% endif %} From 2c2b55a669cba657ac0537c6f0914f9229776326 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 23 Mar 2020 17:13:58 +0200 Subject: [PATCH 0978/2384] Mark dimension DNS record as optional --- docs/configuring-dns.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 678c1679..aefaabf9 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -18,12 +18,15 @@ If you decide to go with the alternative method ([Server Delegation via a DNS SR ## General outline of DNS settings you need to do -| Type | Host | Priority | Weight | Port | Target | -| ----- | ----------------------- | -------- | ------ | ---- | ---------------------- | -| A | `matrix` | - | - | - | `matrix-server-IP` | -| CNAME | `riot` | - | - | - | `matrix.` | -| CNAME | `dimension` | - | - | - | `matrix.` | -| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | +| Type | Host | Priority | Weight | Port | Target | +| ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- | +| A | `matrix` | - | - | - | `matrix-server-IP` | +| CNAME | `riot` | - | - | - | `matrix.` | +| CNAME | `dimension` (*) | - | - | - | `matrix.` | +| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | + + +DNS records marked with `(*)` above are optional. They refer to services that will not be installed by default (see the section below). If you won't be installing these services, feel free to skip creating these DNS records. ## Subdomains setup From cdd9ee1962a88ce57dbf958fec655647fb163d1f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 23 Mar 2020 17:19:15 +0200 Subject: [PATCH 0979/2384] Add Jitsi support --- docs/configuring-dns.md | 3 + docs/configuring-playbook-jitsi.md | 39 +++++++ group_vars/matrix_servers | 45 ++++++++ roles/matrix-base/defaults/main.yml | 5 +- roles/matrix-jitsi/defaults/main.yml | 109 ++++++++++++++++++ roles/matrix-jitsi/tasks/init.yml | 3 + roles/matrix-jitsi/tasks/main.yml | 33 ++++++ roles/matrix-jitsi/tasks/setup_jitsi_base.yml | 20 ++++ .../matrix-jitsi/tasks/setup_jitsi_jicofo.yml | 86 ++++++++++++++ roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 86 ++++++++++++++ .../tasks/setup_jitsi_prosody.yml | 86 ++++++++++++++ roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 87 ++++++++++++++ roles/matrix-jitsi/templates/jicofo/env.j2 | 17 +++ .../jicofo/matrix-jitsi-jicofo.service.j2 | 31 +++++ roles/matrix-jitsi/templates/jvb/env.j2 | 14 +++ .../templates/jvb/matrix-jitsi-jvb.service.j2 | 37 ++++++ roles/matrix-jitsi/templates/prosody/env.j2 | 31 +++++ .../prosody/matrix-jitsi-prosody.service.j2 | 31 +++++ roles/matrix-jitsi/templates/web/env.j2 | 28 +++++ .../templates/web/matrix-jitsi-web.service.j2 | 35 ++++++ roles/matrix-nginx-proxy/defaults/main.yml | 7 ++ .../tasks/setup_nginx_proxy.yml | 13 +++ .../nginx/conf.d/matrix-jitsi.conf.j2 | 72 ++++++++++++ roles/matrix-riot-web/defaults/main.yml | 2 + .../matrix-riot-web/templates/config.json.j2 | 6 + setup.yml | 1 + 26 files changed, 926 insertions(+), 1 deletion(-) create mode 100644 docs/configuring-playbook-jitsi.md create mode 100644 roles/matrix-jitsi/defaults/main.yml create mode 100644 roles/matrix-jitsi/tasks/init.yml create mode 100644 roles/matrix-jitsi/tasks/main.yml create mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_base.yml create mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml create mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml create mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml create mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_web.yml create mode 100644 roles/matrix-jitsi/templates/jicofo/env.j2 create mode 100644 roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 create mode 100644 roles/matrix-jitsi/templates/jvb/env.j2 create mode 100644 roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 create mode 100644 roles/matrix-jitsi/templates/prosody/env.j2 create mode 100644 roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 create mode 100644 roles/matrix-jitsi/templates/web/env.j2 create mode 100644 roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index aefaabf9..735b348f 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -23,6 +23,7 @@ If you decide to go with the alternative method ([Server Delegation via a DNS SR | A | `matrix` | - | - | - | `matrix-server-IP` | | CNAME | `riot` | - | - | - | `matrix.` | | CNAME | `dimension` (*) | - | - | - | `matrix.` | +| CNAME | `jitsi` (*) | - | - | - | `matrix.` | | SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | @@ -38,6 +39,8 @@ If you'd rather instruct the playbook not to install Riot (`matrix_riot_web_enab The `dimension.` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.` DNS record. +The `jitsi.` subdomain may be necessary, because this playbook could install the [Jitsi video-conferencing platform](https://jitsi.org/) for you. Jitsi installation is disabled by default, because it may be heavy and is not a core required component. To learn how to install it, see our [Jitsi](configuring-playbook-jitsi.md) guide. If you do not wish to set up Jitsi, feel free to skip the `jitsi.` DNS record. + ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md new file mode 100644 index 00000000..b2afac46 --- /dev/null +++ b/docs/configuring-playbook-jitsi.md @@ -0,0 +1,39 @@ +# Jitsi + +The playbook can install the [Jitsi](https://jitsi.org/) video-conferencing platform and integrate it with [Riot](configuring-playbook-riot-web.md). + +Jitsi installation is **not enabled by default**, because it's not a core component of Matrix services. + +The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet). + + +## Prerequisites + +Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record. See [Configuring DNS](configuring-dns.md). + +You may also need to open the following ports to your server: + +- `udp/10000` - RTP media over UDP +- `tcp/4443` - RTP media fallback over TCP + + +## Installation + +Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: + +```yaml +matrix_jitsi_enabled: true + +# We only need this temporarily - until Jitsi integration in riot-web is finalized. +# Remove this line in the future, to switch back to a stable riot-web version. +matrix_riot_web_docker_image: "vectorim/riot-web:develop" +``` + +Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` + +.. and fully reload your riot-web page (at `riot.DOMAIN`). + +Starting a video-conference in a room with more than 2 members should then create a Jitsi widget which utilizes your self-hosted Jitsi server. + + +**NOTE**: the playbook currently configures the Jitsi JVB component to use Google's STUN servers even in cases where our own [Coturn TURN server](configuring-playbook-turn.md) is enabled (it is by default). This is because JVB fails to discover its own external IP correctly when pointed to our own Coturn server. The failure happens because JVB reaches Coturn via the localnetwork and discovers a local Docker IP address instead of the public one, leading to a non-working service. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f722e265..8e3c7ed6 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -392,6 +392,46 @@ matrix_email2matrix_enabled: false +###################################################################### +# +# matrix-jitsi +# +###################################################################### + +matrix_jitsi_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the Jitsi HTTP port to the local host. +matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:12080' }}" + +matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}" +matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}" +matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}" + +# TODO. Using our own STUN server fails, so we're using Google's STUN servers (the default for the matrix-jitsi role). +# +# When using our STUN server, JVB tries to discover its own IP by contacting it and gets a local Docker IP address instead of the external one. +# > matrix-jitsi-jvb[30965]: JVB 2020-03-23 14:52:59.253 INFO: [21] org.ice4j.ice.harvest.StunMappingCandidateHarvester.discover() Discovered public address 172.19.0.1:60385/udp from STUN server x.x.x.x:5349/udp using local address 172.18.0.10:0/udp +# +# matrix_jitsi_jvb_stun_servers: | +# {{ +# [ +# matrix_server_fqn_matrix + ':5349', +# matrix_server_fqn_matrix + ':3478', +# ] +# if matrix_coturn_enabled +# else [ 'stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302'] +# }} + +###################################################################### +# +# /matrix-jitsi +# +###################################################################### + + + ###################################################################### # # matrix-mailer @@ -482,6 +522,7 @@ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" +matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" @@ -525,6 +566,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + + ([matrix_server_fqn_jitsi]) + + ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) }} @@ -596,6 +639,8 @@ matrix_riot_web_enable_presence_by_hs_url: | matrix_riot_web_welcome_user_id: ~ +matrix_riot_web_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}" + ###################################################################### # # /matrix-riot-web diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index c2a81c29..0be463d1 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -18,6 +18,9 @@ matrix_server_fqn_riot: "riot.{{ matrix_domain }}" # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" +# This is where you access Jitsi. +matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" + matrix_user_username: "matrix" matrix_user_uid: 991 matrix_user_gid: 991 @@ -69,4 +72,4 @@ run_stop: true # Building every docker image from source on the target host # Controlling docker image build is possible on a per unit base -matrix_container_images_self_build: false \ No newline at end of file +matrix_container_images_self_build: false diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml new file mode 100644 index 00000000..284e6f61 --- /dev/null +++ b/roles/matrix-jitsi/defaults/main.yml @@ -0,0 +1,109 @@ +matrix_jitsi_enabled: true + +matrix_jitsi_base_path: "{{ matrix_base_data_path }}/jitsi" + +matrix_jitsi_enable_auth: false +matrix_jitsi_enable_guests: false +matrix_jitsi_enable_recording: true +matrix_jitsi_enable_transcriptions: true + +matrix_jitsi_timezone: UTC + +matrix_jitsi_xmpp_domain: matrix-jitsi-web +matrix_jitsi_xmpp_server: matrix-jitsi-prosody +matrix_jitsi_xmpp_auth_domain: auth.meet.jitsi +matrix_jitsi_xmpp_bosh_url_base: http://{{ matrix_jitsi_xmpp_server }}:5280 +matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi +matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi +matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi + +matrix_jitsi_recorder_domain: recorder.meet.jitsi + + +matrix_jitsi_jibri_brewery_muc: jibribrewery +matrix_jitsi_jibri_pending_timeout: 90 +matrix_jitsi_jibri_xmpp_user: jibri +matrix_jitsi_jibri_xmpp_password: jibri-password +matrix_jitsi_jibri_recorder_user: recorder +matrix_jitsi_jibri_recorder_password: recorder-password + + +matrix_jitsi_web_docker_image: "jitsi/web:4101" +matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" + +matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" +matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config" +matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts" + +matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" + +# Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:12080"), or empty string to not expose. +matrix_jitsi_web_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_jitsi_web_container_extra_arguments: [] + +# List of systemd services that matrix-jitsi-web.service depends on +matrix_jitsi_web_systemd_required_services_list: ['docker.service'] + + +matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101" +matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" + +matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" +matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config" + +# A list of extra arguments to pass to the container +matrix_jitsi_prosody_container_extra_arguments: [] + +# List of systemd services that matrix-jitsi-prosody.service depends on +matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] + + +matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4101" +matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" + +matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" +matrix_jitsi_jicofo_config_path: "{{ matrix_jitsi_jicofo_base_path }}/config" + +# A list of extra arguments to pass to the container +matrix_jitsi_jicofo_container_extra_arguments: [] + +# List of systemd services that matrix-jitsi-jicofo.service depends on +matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] + +matrix_jitsi_jicofo_component_secret: s3cr37 +matrix_jitsi_jicofo_auth_user: focus +matrix_jitsi_jicofo_auth_password: passw0rd + + +matrix_jitsi_jvb_docker_image: "jitsi/jvb:4101" +matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" + +matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" +matrix_jitsi_jvb_config_path: "{{ matrix_jitsi_jvb_base_path }}/config" + +# A list of extra arguments to pass to the container +matrix_jitsi_jvb_container_extra_arguments: [] + +# List of systemd services that matrix-jitsi-jvb.service depends on +matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] + +matrix_jitsi_jvb_auth_user: jvb +matrix_jitsi_jvb_auth_password: passw0rd +matrix_jitsi_jvb_stun_servers: ['stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302'] +matrix_jitsi_jvb_brewery_muc: jvbbrewery +matrix_jitsi_jvb_rtp_udp_port: 10000 +matrix_jitsi_jvb_rtp_tcp_port: 4443 + +# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/10000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:10000"), or empty string to not expose. +matrix_jitsi_jvb_container_rtp_udp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_udp_port }}" + +# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/4443 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:4443"), or empty string to not expose. +matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_port }}" diff --git a/roles/matrix-jitsi/tasks/init.yml b/roles/matrix-jitsi/tasks/init.yml new file mode 100644 index 00000000..328a3a25 --- /dev/null +++ b/roles/matrix-jitsi/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web', 'matrix-jitsi-prosody', 'matrix-jitsi-jicofo', 'matrix-jitsi-jvb'] }}" + when: matrix_jitsi_enabled|bool diff --git a/roles/matrix-jitsi/tasks/main.yml b/roles/matrix-jitsi/tasks/main.yml new file mode 100644 index 00000000..2bc4a57f --- /dev/null +++ b/roles/matrix-jitsi/tasks/main.yml @@ -0,0 +1,33 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" + when: run_setup|bool + tags: + - setup-all + - setup-jitsi + +- import_tasks: "{{ role_path }}/tasks/setup_jitsi_web.yml" + when: run_setup|bool + tags: + - setup-all + - setup-jitsi + +- import_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody.yml" + when: run_setup|bool + tags: + - setup-all + - setup-jitsi + +- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo.yml" + when: run_setup|bool + tags: + - setup-all + - setup-jitsi + +- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb.yml" + when: run_setup|bool + tags: + - setup-all + - setup-jitsi diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml new file mode 100644 index 00000000..fcfbb8f6 --- /dev/null +++ b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml @@ -0,0 +1,20 @@ +--- + +# +# Tasks related to setting up jitsi +# + +- name: Ensure Matrix jitsi base path exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - { path: "{{ matrix_jitsi_base_path }}", when: true } + when: matrix_jitsi_enabled|bool and item.when + +# +# Tasks related to getting rid of jitsi (if it was previously enabled) +# diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml new file mode 100644 index 00000000..7d1bc815 --- /dev/null +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml @@ -0,0 +1,86 @@ +--- + +# +# Tasks related to setting up jitsi-jicofo +# + +- name: Ensure Matrix jitsi-jicofo path exists + file: + path: "{{ item.path }}" + state: directory + mode: 0777 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - { path: "{{ matrix_jitsi_jicofo_base_path }}", when: true } + - { path: "{{ matrix_jitsi_jicofo_config_path }}", when: true } + when: matrix_jitsi_enabled|bool and item.when + +- name: Ensure jitsi-jicofo Docker image is pulled + docker_image: + name: "{{ matrix_jitsi_jicofo_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_jitsi_jicofo_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jicofo_docker_image_force_pull }}" + when: matrix_jitsi_enabled|bool + +- name: Ensure jitsi-jicofo environment variables file created + template: + src: "{{ role_path }}/templates/jicofo/env.j2" + dest: "{{ matrix_jitsi_jicofo_base_path }}/env" + mode: 0640 + when: matrix_jitsi_enabled|bool + +- name: Ensure matrix-jitsi-jicofo.service installed + template: + src: "{{ role_path }}/templates/jicofo/matrix-jitsi-jicofo.service.j2" + dest: "/etc/systemd/system/matrix-jitsi-jicofo.service" + mode: 0644 + register: matrix_jitsi_jicofo_systemd_service_result + when: matrix_jitsi_enabled|bool + +- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service installation + service: + daemon_reload: yes + when: "matrix_jitsi_enabled and matrix_jitsi_jicofo_systemd_service_result.changed" + +# +# Tasks related to getting rid of jitsi-jicofo (if it was previously enabled) +# + +- name: Check existence of matrix-jitsi-jicofo service + stat: + path: "/etc/systemd/system/matrix-jitsi-jicofo.service" + register: matrix_jitsi_jicofo_service_stat + when: "not matrix_jitsi_enabled|bool" + +- name: Ensure matrix-jitsi-jicofo is stopped + service: + name: matrix-jitsi-jicofo + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists" + +- name: Ensure matrix-jitsi-jicofo.service doesn't exist + file: + path: "/etc/systemd/system/matrix-jitsi-jicofo.service" + state: absent + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service removal + service: + daemon_reload: yes + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists" + +- name: Ensure Matrix jitsi-jicofo paths doesn't exist + file: + path: "{{ matrix_jitsi_jicofo_base_path }}" + state: absent + when: "not matrix_jitsi_enabled|bool" + +- name: Ensure jitsi-jicofo Docker image doesn't exist + docker_image: + name: "{{ matrix_jitsi_jicofo_docker_image }}" + state: absent + when: "not matrix_jitsi_enabled|bool" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml new file mode 100644 index 00000000..bd6e97d8 --- /dev/null +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml @@ -0,0 +1,86 @@ +--- + +# +# Tasks related to setting up jitsi-jvb +# + +- name: Ensure Matrix jitsi-jvb path exists + file: + path: "{{ item.path }}" + state: directory + mode: 0777 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - { path: "{{ matrix_jitsi_jvb_base_path }}", when: true } + - { path: "{{ matrix_jitsi_jvb_config_path }}", when: true } + when: matrix_jitsi_enabled|bool and item.when + +- name: Ensure jitsi-jvb Docker image is pulled + docker_image: + name: "{{ matrix_jitsi_jvb_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_jitsi_jvb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jvb_docker_image_force_pull }}" + when: matrix_jitsi_enabled|bool + +- name: Ensure jitsi-jvb environment variables file created + template: + src: "{{ role_path }}/templates/jvb/env.j2" + dest: "{{ matrix_jitsi_jvb_base_path }}/env" + mode: 0640 + when: matrix_jitsi_enabled|bool + +- name: Ensure matrix-jitsi-jvb.service installed + template: + src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2" + dest: "/etc/systemd/system/matrix-jitsi-jvb.service" + mode: 0644 + register: matrix_jitsi_jvb_systemd_service_result + when: matrix_jitsi_enabled|bool + +- name: Ensure systemd reloaded after matrix-jitsi-jvb.service installation + service: + daemon_reload: yes + when: "matrix_jitsi_enabled and matrix_jitsi_jvb_systemd_service_result.changed" + +# +# Tasks related to getting rid of jitsi-jvb (if it was previously enabled) +# + +- name: Check existence of matrix-jitsi-jvb service + stat: + path: "/etc/systemd/system/matrix-jitsi-jvb.service" + register: matrix_jitsi_jvb_service_stat + when: "not matrix_jitsi_enabled|bool" + +- name: Ensure matrix-jitsi-jvb is stopped + service: + name: matrix-jitsi-jvb + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists" + +- name: Ensure matrix-jitsi-jvb.service doesn't exist + file: + path: "/etc/systemd/system/matrix-jitsi-jvb.service" + state: absent + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-jitsi-jvb.service removal + service: + daemon_reload: yes + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists" + +- name: Ensure Matrix jitsi-jvb paths doesn't exist + file: + path: "{{ matrix_jitsi_jvb_base_path }}" + state: absent + when: "not matrix_jitsi_enabled|bool" + +- name: Ensure jitsi-jvb Docker image doesn't exist + docker_image: + name: "{{ matrix_jitsi_jvb_docker_image }}" + state: absent + when: "not matrix_jitsi_enabled|bool" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml new file mode 100644 index 00000000..6ea70248 --- /dev/null +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -0,0 +1,86 @@ +--- + +# +# Tasks related to setting up jitsi-prosody +# + +- name: Ensure Matrix jitsi-prosody path exists + file: + path: "{{ item.path }}" + state: directory + mode: 0777 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - { path: "{{ matrix_jitsi_prosody_base_path }}", when: true } + - { path: "{{ matrix_jitsi_prosody_config_path }}", when: true } + when: matrix_jitsi_enabled|bool and item.when + +- name: Ensure jitsi-prosody Docker image is pulled + docker_image: + name: "{{ matrix_jitsi_prosody_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_jitsi_prosody_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}" + when: matrix_jitsi_enabled|bool + +- name: Ensure jitsi-prosody environment variables file created + template: + src: "{{ role_path }}/templates/prosody/env.j2" + dest: "{{ matrix_jitsi_prosody_base_path }}/env" + mode: 0640 + when: matrix_jitsi_enabled|bool + +- name: Ensure matrix-jitsi-prosody.service installed + template: + src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" + dest: "/etc/systemd/system/matrix-jitsi-prosody.service" + mode: 0644 + register: matrix_jitsi_prosody_systemd_service_result + when: matrix_jitsi_enabled|bool + +- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation + service: + daemon_reload: yes + when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" + +# +# Tasks related to getting rid of jitsi-prosody (if it was previously enabled) +# + +- name: Check existence of matrix-jitsi-prosody service + stat: + path: "/etc/systemd/system/matrix-jitsi-prosody.service" + register: matrix_jitsi_prosody_service_stat + when: "not matrix_jitsi_enabled|bool" + +- name: Ensure matrix-jitsi-prosody is stopped + service: + name: matrix-jitsi-prosody + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" + +- name: Ensure matrix-jitsi-prosody.service doesn't exist + file: + path: "/etc/systemd/system/matrix-jitsi-prosody.service" + state: absent + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal + service: + daemon_reload: yes + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" + +- name: Ensure Matrix jitsi-prosody paths doesn't exist + file: + path: "{{ matrix_jitsi_prosody_base_path }}" + state: absent + when: "not matrix_jitsi_enabled|bool" + +- name: Ensure jitsi-prosody Docker image doesn't exist + docker_image: + name: "{{ matrix_jitsi_prosody_docker_image }}" + state: absent + when: "not matrix_jitsi_enabled|bool" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml new file mode 100644 index 00000000..7d363543 --- /dev/null +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -0,0 +1,87 @@ +--- + +# +# Tasks related to setting up jitsi-web +# + +- name: Ensure Matrix jitsi-web path exists + file: + path: "{{ item.path }}" + state: directory + mode: 0777 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - { path: "{{ matrix_jitsi_web_base_path }}", when: true } + - { path: "{{ matrix_jitsi_web_config_path }}", when: true } + - { path: "{{ matrix_jitsi_web_transcripts_path }}", when: true } + when: matrix_jitsi_enabled|bool and item.when + +- name: Ensure jitsi-web Docker image is pulled + docker_image: + name: "{{ matrix_jitsi_web_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_jitsi_web_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_web_docker_image_force_pull }}" + when: matrix_jitsi_enabled|bool + +- name: Ensure jitsi-web environment variables file created + template: + src: "{{ role_path }}/templates/web/env.j2" + dest: "{{ matrix_jitsi_web_base_path }}/env" + mode: 0640 + when: matrix_jitsi_enabled|bool + +- name: Ensure matrix-jitsi-web.service installed + template: + src: "{{ role_path }}/templates/web/matrix-jitsi-web.service.j2" + dest: "/etc/systemd/system/matrix-jitsi-web.service" + mode: 0644 + register: matrix_jitsi_web_systemd_service_result + when: matrix_jitsi_enabled|bool + +- name: Ensure systemd reloaded after matrix-jitsi-web.service installation + service: + daemon_reload: yes + when: "matrix_jitsi_enabled and matrix_jitsi_web_systemd_service_result.changed" + +# +# Tasks related to getting rid of jitsi-web (if it was previously enabled) +# + +- name: Check existence of matrix-jitsi-web service + stat: + path: "/etc/systemd/system/matrix-jitsi-web.service" + register: matrix_jitsi_web_service_stat + when: "not matrix_jitsi_enabled|bool" + +- name: Ensure matrix-jitsi-web is stopped + service: + name: matrix-jitsi-web + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists" + +- name: Ensure matrix-jitsi-web.service doesn't exist + file: + path: "/etc/systemd/system/matrix-jitsi-web.service" + state: absent + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-jitsi-web.service removal + service: + daemon_reload: yes + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists" + +- name: Ensure Matrix jitsi-web paths doesn't exist + file: + path: "{{ matrix_jitsi_web_base_path }}" + state: absent + when: "not matrix_jitsi_enabled|bool" + +- name: Ensure jitsi-web Docker image doesn't exist + docker_image: + name: "{{ matrix_jitsi_web_docker_image }}" + state: absent + when: "not matrix_jitsi_enabled|bool" diff --git a/roles/matrix-jitsi/templates/jicofo/env.j2 b/roles/matrix-jitsi/templates/jicofo/env.j2 new file mode 100644 index 00000000..a402d2d7 --- /dev/null +++ b/roles/matrix-jitsi/templates/jicofo/env.j2 @@ -0,0 +1,17 @@ +ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} + +XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} + +JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }} +JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} +JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} + +JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} + +JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} +JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }} + +TZ={{ matrix_jitsi_timezone }} diff --git a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 new file mode 100644 index 00000000..53f08688 --- /dev/null +++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 @@ -0,0 +1,31 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix jitsi-jicofo server +{% for service in matrix_jitsi_jicofo_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-jitsi-jicofo +ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jicofo + +ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jicofo \ + --log-driver=none \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_jitsi_jicofo_base_path }}/env \ + -v {{ matrix_jitsi_jicofo_config_path }}:/config \ + {% for arg in matrix_jitsi_jicofo_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_jitsi_jicofo_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-jitsi-jicofo +ExecStop=-/usr/bin/docker rm matrix-jitsi-jicofo +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-jitsi-jicofo + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 new file mode 100644 index 00000000..0b88f8cc --- /dev/null +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -0,0 +1,14 @@ +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} + +JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} +JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} +JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }} +JVB_TCP_HARVESTER_DISABLED=false +JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} + +JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }} + +TZ={{ matrix_jitsi_timezone }} diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 new file mode 100644 index 00000000..5df5807a --- /dev/null +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -0,0 +1,37 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix jitsi-jvb server +{% for service in matrix_jitsi_jvb_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-jitsi-jvb +ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb + +ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \ + --log-driver=none \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_jitsi_jvb_base_path }}/env \ + {% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} + -p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ + {% endif %} + {% if matrix_jitsi_jvb_container_rtp_tcp_host_bind_port %} + -p {{ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_tcp_port }} \ + {% endif %} + -v {{ matrix_jitsi_jvb_config_path }}:/config \ + {% for arg in matrix_jitsi_jvb_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_jitsi_jvb_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-jitsi-jvb +ExecStop=-/usr/bin/docker rm matrix-jitsi-jvb +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-jitsi-jvb + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 new file mode 100644 index 00000000..caa79213 --- /dev/null +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -0,0 +1,31 @@ +AUTH_TYPE=internal + +ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} +ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} + +XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} +XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} + +XMPP_MODULES= +XMPP_MUC_MODULES= +XMPP_INTERNAL_MUC_MODULES= + +XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} + +JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }} +JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} +JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} + +JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} + +JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} +JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} + +JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} +JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} + +TZ={{ matrix_jitsi_timezone }} diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 new file mode 100644 index 00000000..bf43021d --- /dev/null +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -0,0 +1,31 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix jitsi-prosody server +{% for service in matrix_jitsi_prosody_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-jitsi-prosody +ExecStartPre=-/usr/bin/docker rm matrix-jitsi-prosody + +ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-prosody \ + --log-driver=none \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_jitsi_prosody_base_path }}/env \ + -v {{ matrix_jitsi_prosody_config_path }}:/config \ + {% for arg in matrix_jitsi_prosody_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_jitsi_prosody_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-jitsi-prosody +ExecStop=-/usr/bin/docker rm matrix-jitsi-prosody +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-jitsi-prosody + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-jitsi/templates/web/env.j2 b/roles/matrix-jitsi/templates/web/env.j2 new file mode 100644 index 00000000..b85e9af5 --- /dev/null +++ b/roles/matrix-jitsi/templates/web/env.j2 @@ -0,0 +1,28 @@ +ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} +ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} + +ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }} + +DISABLE_HTTPS=1 + +JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} + +PUBLIC_URL={{ matrix_jitsi_web_public_url }} + +XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }} +XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} +XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} +XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} + +TZ={{ matrix_jitsi_timezone }} + +JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} +JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }} +JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} +JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} +JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} +JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} + +ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }} diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 new file mode 100644 index 00000000..deed5025 --- /dev/null +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -0,0 +1,35 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix jitsi-web server +{% for service in matrix_jitsi_web_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-jitsi-web +ExecStartPre=-/usr/bin/docker rm matrix-jitsi-web + +ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-web \ + --log-driver=none \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_jitsi_web_base_path }}/env \ + {% if matrix_jitsi_web_container_http_host_bind_port %} + -p {{ matrix_jitsi_web_container_http_host_bind_port }}:80 \ + {% endif %} + -v {{ matrix_jitsi_web_config_path }}:/config \ + -v {{ matrix_jitsi_web_transcripts_path }}:/usr/share/jitsi-meet/transcripts \ + {% for arg in matrix_jitsi_web_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_jitsi_web_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-jitsi-web +ExecStop=-/usr/bin/docker rm matrix-jitsi-web +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-jitsi-web + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index aeede0e2..5bf0fc0c 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -105,6 +105,10 @@ matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" matrix_nginx_proxy_proxy_dimension_enabled: false matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" +# Controls whether proxying the jitsi domain should be done. +matrix_nginx_proxy_proxy_jitsi_enabled: false +matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" + # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" @@ -164,6 +168,9 @@ matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the matrix dimension's server configuration. matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to the jitsi's server configuration. +matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to the matrix domain server configuration. matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index a4e3a538..b5d7ad6b 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -66,6 +66,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_dimension_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for jitsi domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-jitsi.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_jitsi_enabled|bool + - name: Ensure Matrix nginx-proxy data directory for base domain exists file: path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain" @@ -163,6 +170,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_dimension_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for jitsi domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_jitsi_enabled|bool" + - name: Ensure Matrix nginx-proxy homepage for base domain deleted file: path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 new file mode 100644 index 00000000..7488d611 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -0,0 +1,72 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; +{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-jitsi-web:80"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:12080; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + ssl_prefer_server_ciphers on; + ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index e0002326..808d4ffd 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -58,6 +58,8 @@ matrix_riot_web_branding_welcomeBackgroundUrl: ~ # point this to a `home.html` template file on your local filesystem. matrix_riot_web_embedded_pages_home_path: ~ +matrix_riot_web_jitsi_preferredDomain: '' + # Controls whether the self-check feature should validate SSL certificates. matrix_riot_web_self_check_validate_certificates: true diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index b82d53e0..41cbee7c 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -30,6 +30,12 @@ "embeddedPages": { "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }} }, + {% if matrix_riot_web_jitsi_preferredDomain is not none %} + "jitsi": { + "preferredDomain": {{ matrix_riot_web_jitsi_preferredDomain|to_json }}, + "externalApiUrl": "https://{{ matrix_riot_web_jitsi_preferredDomain }}/libs/external_api.min.js" + }, + {% endif %} "branding": { "authFooterLinks": {{ matrix_riot_web_branding_authFooterLinks|to_json }}, "authHeaderLogoUrl": {{ matrix_riot_web_branding_authHeaderLogoUrl|to_json }}, diff --git a/setup.yml b/setup.yml index 429a6c4f..61d448f3 100755 --- a/setup.yml +++ b/setup.yml @@ -18,6 +18,7 @@ - matrix-bridge-mautrix-whatsapp - matrix-synapse - matrix-riot-web + - matrix-jitsi - matrix-mxisd - matrix-dimension - matrix-email2matrix From ecd35a8ddb7b81ede4d5ce844f5b536c6ca4067f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 23 Mar 2020 21:03:04 +0200 Subject: [PATCH 0980/2384] Clarify webserver group membership requirement Discussed in #412 (Github Issue). --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index d686c947..4adcd934 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -22,7 +22,7 @@ For an alternative, make sure to check Method #2 as well. No matter which external webserver you decide to go with, you'll need to: -1) Make sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx` +1) Make sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group. When using an external nginx webserver, this allows it to read configuration files from `/matrix/nginx-proxy/conf.d`. When using another server, it would make other files, such as `/matrix/static-files/.well-known`, accessible to it. 2) Edit your configuration file (`inventory/host_vars/matrix./vars.yml`) to disable the integrated nginx server: From d605b219a24435923103bf37b0fd58b26c4280fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 24 Mar 2020 09:35:21 +0200 Subject: [PATCH 0981/2384] Manage Jitsi configuration by ourselves for most components We do this for 2 reasons: - so we can control things which are not controllable using environment variables (for example `stunServers` in jitsi/web, since we don't wish to use the hardcoded Google STUN servers if our own Coturn is enabled) - so playbook variable changes will properly rebuild the configuration. When using Jitsi environment variables, the configuration is only built once (the first time) and never rebuilt again. This is not the consistent with the rest of the playbook and with how Ansible operates. We're not perfect at it (yet), because we still let the Jitsi containers generate some files on their own, but we are closer and it should be good enough for most things. Related to #415 (Github Pull Request). --- docs/configuring-playbook-jitsi.md | 3 - group_vars/matrix_servers | 23 +- roles/matrix-jitsi/defaults/main.yml | 7 + .../matrix-jitsi/tasks/setup_jitsi_jicofo.yml | 10 + roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 11 +- roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 10 + .../templates/jicofo/logging.properties.j2 | 20 + .../jicofo/sip-communicator.properties.j2 | 5 + roles/matrix-jitsi/templates/jvb/env.j2 | 14 - .../templates/jvb/logging.properties.j2 | 13 + .../templates/jvb/matrix-jitsi-jvb.service.j2 | 1 - .../jvb/sip-communicator.properties.j2 | 19 + roles/matrix-jitsi/templates/web/config.js.j2 | 486 ++++++++++++++++++ .../templates/web/interface_config.js.j2 | 230 +++++++++ 14 files changed, 816 insertions(+), 36 deletions(-) create mode 100644 roles/matrix-jitsi/templates/jicofo/logging.properties.j2 create mode 100644 roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 delete mode 100644 roles/matrix-jitsi/templates/jvb/env.j2 create mode 100644 roles/matrix-jitsi/templates/jvb/logging.properties.j2 create mode 100644 roles/matrix-jitsi/templates/jvb/sip-communicator.properties.j2 create mode 100644 roles/matrix-jitsi/templates/web/config.js.j2 create mode 100644 roles/matrix-jitsi/templates/web/interface_config.js.j2 diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index b2afac46..7239758b 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -34,6 +34,3 @@ Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags= .. and fully reload your riot-web page (at `riot.DOMAIN`). Starting a video-conference in a room with more than 2 members should then create a Jitsi widget which utilizes your self-hosted Jitsi server. - - -**NOTE**: the playbook currently configures the Jitsi JVB component to use Google's STUN servers even in cases where our own [Coturn TURN server](configuring-playbook-turn.md) is enabled (it is by default). This is because JVB fails to discover its own external IP correctly when pointed to our own Coturn server. The failure happens because JVB reaches Coturn via the localnetwork and discovers a local Docker IP address instead of the public one, leading to a non-working service. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8e3c7ed6..84d24aa9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -409,20 +409,15 @@ matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | passw matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}" matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}" -# TODO. Using our own STUN server fails, so we're using Google's STUN servers (the default for the matrix-jitsi role). -# -# When using our STUN server, JVB tries to discover its own IP by contacting it and gets a local Docker IP address instead of the external one. -# > matrix-jitsi-jvb[30965]: JVB 2020-03-23 14:52:59.253 INFO: [21] org.ice4j.ice.harvest.StunMappingCandidateHarvester.discover() Discovered public address 172.19.0.1:60385/udp from STUN server x.x.x.x:5349/udp using local address 172.18.0.10:0/udp -# -# matrix_jitsi_jvb_stun_servers: | -# {{ -# [ -# matrix_server_fqn_matrix + ':5349', -# matrix_server_fqn_matrix + ':3478', -# ] -# if matrix_coturn_enabled -# else [ 'stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302'] -# }} +matrix_jitsi_web_stun_servers: | + {{ + [ + matrix_server_fqn_matrix + ':5349', + matrix_server_fqn_matrix + ':3478', + ] + if matrix_coturn_enabled + else [ 'stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302'] + }} ###################################################################### # diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 284e6f61..ae5dcb8f 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -37,6 +37,9 @@ matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" +# STUN servers used in the web UI. Feel free to point them to your own STUN server. +matrix_jitsi_web_stun_servers: ['stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302'] + # Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:12080"), or empty string to not expose. @@ -93,7 +96,11 @@ matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jits matrix_jitsi_jvb_auth_user: jvb matrix_jitsi_jvb_auth_password: passw0rd + +# STUN servers used by JVB on the server-side, so it can discover its own external IP address. +# Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. matrix_jitsi_jvb_stun_servers: ['stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302'] + matrix_jitsi_jvb_brewery_muc: jvbbrewery matrix_jitsi_jvb_rtp_udp_port: 10000 matrix_jitsi_jvb_rtp_tcp_port: 4443 diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml index 7d1bc815..98ebfb25 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml @@ -31,6 +31,16 @@ mode: 0640 when: matrix_jitsi_enabled|bool +- name: Ensure jitsi-jicofo configuration files created + template: + src: "{{ role_path }}/templates/jicofo/{{ item }}.j2" + dest: "{{ matrix_jitsi_jicofo_config_path }}/{{ item }}" + mode: 0644 + with_items: + - sip-communicator.properties + - logging.properties + when: matrix_jitsi_enabled|bool + - name: Ensure matrix-jitsi-jicofo.service installed template: src: "{{ role_path }}/templates/jicofo/matrix-jitsi-jicofo.service.j2" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml index bd6e97d8..86067c23 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml @@ -24,11 +24,14 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jvb_docker_image_force_pull }}" when: matrix_jitsi_enabled|bool -- name: Ensure jitsi-jvb environment variables file created +- name: Ensure jitsi-jvb configuration files created template: - src: "{{ role_path }}/templates/jvb/env.j2" - dest: "{{ matrix_jitsi_jvb_base_path }}/env" - mode: 0640 + src: "{{ role_path }}/templates/jvb/{{ item }}.j2" + dest: "{{ matrix_jitsi_jvb_config_path }}/{{ item }}" + mode: 0644 + with_items: + - sip-communicator.properties + - logging.properties when: matrix_jitsi_enabled|bool - name: Ensure matrix-jitsi-jvb.service installed diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index 7d363543..93d69023 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -32,6 +32,16 @@ mode: 0640 when: matrix_jitsi_enabled|bool +- name: Ensure jitsi-web configuration files created + template: + src: "{{ role_path }}/templates/web/{{ item }}.j2" + dest: "{{ matrix_jitsi_web_config_path }}/{{ item }}" + mode: 0644 + with_items: + - config.js + - interface_config.js + when: matrix_jitsi_enabled|bool + - name: Ensure matrix-jitsi-web.service installed template: src: "{{ role_path }}/templates/web/matrix-jitsi-web.service.j2" diff --git a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 new file mode 100644 index 00000000..7eba95af --- /dev/null +++ b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 @@ -0,0 +1,20 @@ +handlers= java.util.logging.ConsoleHandler + +java.util.logging.ConsoleHandler.level = ALL +java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter + +net.java.sip.communicator.util.ScLogFormatter.programname=Jicofo + +.level=INFO +net.sf.level=SEVERE +net.java.sip.communicator.plugin.reconnectplugin.level=FINE +org.ice4j.level=SEVERE +org.jitsi.impl.neomedia.level=SEVERE + +# Do not worry about missing strings +net.java.sip.communicator.service.resources.AbstractResourcesService.level=SEVERE + +#net.java.sip.communicator.service.protocol.level=ALL + +# Enable debug packets logging +#org.jitsi.impl.protocol.xmpp.level=FINE diff --git a/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 b/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 new file mode 100644 index 00000000..6736becc --- /dev/null +++ b/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 @@ -0,0 +1,5 @@ +org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true +org.jitsi.jicofo.BRIDGE_MUC={{ matrix_jitsi_jvb_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} + +org.jitsi.jicofo.jibri.BREWERY={{ matrix_jitsi_jibri_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} +org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90 diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 deleted file mode 100644 index 0b88f8cc..00000000 --- a/roles/matrix-jitsi/templates/jvb/env.j2 +++ /dev/null @@ -1,14 +0,0 @@ -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} - -JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} -JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} -JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }} -JVB_TCP_HARVESTER_DISABLED=false -JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} - -JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }} - -TZ={{ matrix_jitsi_timezone }} diff --git a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 new file mode 100644 index 00000000..48c1e9fa --- /dev/null +++ b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 @@ -0,0 +1,13 @@ +handlers= java.util.logging.ConsoleHandler + +java.util.logging.ConsoleHandler.level = ALL +java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter + +net.java.sip.communicator.util.ScLogFormatter.programname=JVB + +.level=INFO + +org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE + +# All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge. +org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 5df5807a..03aef079 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -14,7 +14,6 @@ ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \ --log-driver=none \ --network={{ matrix_docker_network }} \ - --env-file={{ matrix_jitsi_jvb_base_path }}/env \ {% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} -p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ {% endif %} diff --git a/roles/matrix-jitsi/templates/jvb/sip-communicator.properties.j2 b/roles/matrix-jitsi/templates/jvb/sip-communicator.properties.j2 new file mode 100644 index 00000000..173af0b6 --- /dev/null +++ b/roles/matrix-jitsi/templates/jvb/sip-communicator.properties.j2 @@ -0,0 +1,19 @@ +org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT={{ matrix_jitsi_jvb_rtp_udp_port }} +org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false +org.jitsi.videobridge.TCP_HARVESTER_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} + +{% if matrix_jitsi_jvb_stun_servers|length > 0 %} +org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES={{ matrix_jitsi_jvb_stun_servers|join(',') }} +{% endif %} + +org.jitsi.videobridge.xmpp.user.shard.HOSTNAME={{ matrix_jitsi_xmpp_server }} +org.jitsi.videobridge.xmpp.user.shard.DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +org.jitsi.videobridge.xmpp.user.shard.USERNAME={{ matrix_jitsi_jvb_auth_user }} +org.jitsi.videobridge.xmpp.user.shard.PASSWORD={{ matrix_jitsi_jvb_auth_password }} +org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS={{ matrix_jitsi_jvb_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} +org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=matrix-jitsi-jvb +org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true + +org.jitsi.videobridge.ENABLE_STATISTICS=true +org.jitsi.videobridge.STATISTICS_TRANSPORT=muc +org.jitsi.videobridge.STATISTICS_INTERVAL=5000 diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 new file mode 100644 index 00000000..f18471e1 --- /dev/null +++ b/roles/matrix-jitsi/templates/web/config.js.j2 @@ -0,0 +1,486 @@ +/* eslint-disable no-unused-vars, no-var */ + +var config = { + // Configuration + // + + // Alternative location for the configuration. + // configLocation: './config.json', + + // Custom function which given the URL path should return a room name. + // getroomnode: function (path) { return 'someprefixpossiblybasedonpath'; }, + + + // Connection + // + + hosts: { + // XMPP domain. + domain: '{{ matrix_jitsi_xmpp_domain }}', + + {% if matrix_jitsi_enable_guests %} + // When using authentication, domain for guest users. + anonymousdomain: 'guest.example.com', + + // Domain for authenticated users. Defaults to . + authdomain: '{{ matrix_jitsi_xmpp_domain }}', + {% endif %} + + // Jirecon recording component domain. + // jirecon: 'jirecon.{{ matrix_jitsi_xmpp_domain }}', + + // Call control component (Jigasi). + // call_control: 'callcontrol.{{ matrix_jitsi_xmpp_domain }}', + + // Focus component domain. Defaults to focus.. + // focus: 'focus.{{ matrix_jitsi_xmpp_domain }}', + + // XMPP MUC domain. FIXME: use XEP-0030 to discover it. + muc: {{ matrix_jitsi_xmpp_muc_domain|to_json }}, + }, + + // BOSH URL. FIXME: use XEP-0156 to discover it. + bosh: '/http-bind', + + // The name of client node advertised in XEP-0115 'c' stanza + clientNode: 'http://jitsi.org/jitsimeet', + + // The real JID of focus participant - can be overridden here + focusUserJid: {{ matrix_jitsi_jicofo_auth_user|to_json }} + '@' + {{ matrix_jitsi_xmpp_auth_domain|to_json }}, + + + // Testing / experimental features. + // + + testing: { + // Enables experimental simulcast support on Firefox. + enableFirefoxSimulcast: false, + + // P2P test mode disables automatic switching to P2P when there are 2 + // participants in the conference. + p2pTestMode: false + + // Enables the test specific features consumed by jitsi-meet-torture + // testMode: false + }, + + // Disables ICE/UDP by filtering out local and remote UDP candidates in + // signalling. + // webrtcIceUdpDisable: false, + + // Disables ICE/TCP by filtering out local and remote TCP candidates in + // signalling. + // webrtcIceTcpDisable: false, + + + // Media + // + + // Audio + + // Disable measuring of audio levels. + // disableAudioLevels: false, + + // Start the conference in audio only mode (no video is being received nor + // sent). + // startAudioOnly: false, + + // Every participant after the Nth will start audio muted. + // startAudioMuted: 10, + + // Start calls with audio muted. Unlike the option above, this one is only + // applied locally. FIXME: having these 2 options is confusing. + // startWithAudioMuted: false, + + // Enabling it (with #params) will disable local audio output of remote + // participants and to enable it back a reload is needed. + // startSilent: false + + // Video + + // Sets the preferred resolution (height) for local video. Defaults to 720. + // resolution: 720, + + // w3c spec-compliant video constraints to use for video capture. Currently + // used by browsers that return true from lib-jitsi-meet's + // util#browser#usesNewGumFlow. The constraints are independency from + // this config's resolution value. Defaults to requesting an ideal aspect + // ratio of 16:9 with an ideal resolution of 720. + // constraints: { + // video: { + // aspectRatio: 16 / 9, + // height: { + // ideal: 720, + // max: 720, + // min: 240 + // } + // } + // }, + + // Enable / disable simulcast support. + // disableSimulcast: false, + + // Enable / disable layer suspension. If enabled, endpoints whose HD + // layers are not in use will be suspended (no longer sent) until they + // are requested again. + // enableLayerSuspension: false, + + // Suspend sending video if bandwidth estimation is too low. This may cause + // problems with audio playback. Disabled until these are fixed. + disableSuspendVideo: true, + + // Every participant after the Nth will start video muted. + // startVideoMuted: 10, + + // Start calls with video muted. Unlike the option above, this one is only + // applied locally. FIXME: having these 2 options is confusing. + // startWithVideoMuted: false, + + // If set to true, prefer to use the H.264 video codec (if supported). + // Note that it's not recommended to do this because simulcast is not + // supported when using H.264. For 1-to-1 calls this setting is enabled by + // default and can be toggled in the p2p section. + // preferH264: true, + + // If set to true, disable H.264 video codec by stripping it out of the + // SDP. + // disableH264: false, + + // Desktop sharing + + // The ID of the jidesha extension for Chrome. + desktopSharingChromeExtId: null, + + // Whether desktop sharing should be disabled on Chrome. + // desktopSharingChromeDisabled: false, + + // The media sources to use when using screen sharing with the Chrome + // extension. + desktopSharingChromeSources: [ 'screen', 'window', 'tab' ], + + // Required version of Chrome extension + desktopSharingChromeMinExtVersion: '0.1', + + // Whether desktop sharing should be disabled on Firefox. + // desktopSharingFirefoxDisabled: false, + + // Optional desktop sharing frame rate options. Default value: min:5, max:5. + // desktopSharingFrameRate: { + // min: 5, + // max: 5 + // }, + + // Try to start calls with screen-sharing instead of camera video. + // startScreenSharing: false, + + // Recording +hiddenDomain: {{ matrix_jitsi_recorder_domain|to_json }}, + + // Whether to enable file recording or not. + fileRecordingsEnabled: {{ matrix_jitsi_enable_recording|to_json }}, + // Enable the dropbox integration. + // dropbox: { + // appKey: '' // Specify your app key here. + // // A URL to redirect the user to, after authenticating + // // by default uses: + // // 'https://{{ matrix_jitsi_xmpp_domain }}/static/oauth.html' + // redirectURI: + // 'https://{{ matrix_jitsi_xmpp_domain }}/subfolder/static/oauth.html' + // }, + // When integrations like dropbox are enabled only that will be shown, + // by enabling fileRecordingsServiceEnabled, we show both the integrations + // and the generic recording service (its configuration and storage type + // depends on jibri configuration) + // fileRecordingsServiceEnabled: false, + // Whether to show the possibility to share file recording with other people + // (e.g. meeting participants), based on the actual implementation + // on the backend. + // fileRecordingsServiceSharingEnabled: false, + + // Whether to enable live streaming or not. + liveStreamingEnabled: {{ matrix_jitsi_enable_recording|to_json }}, + + // Transcription (in interface_config, + // subtitles and buttons can be configured) + transcribingEnabled: {{ matrix_jitsi_enable_transcriptions|to_json }}, + + // Misc + + // Default value for the channel "last N" attribute. -1 for unlimited. + channelLastN: -1, + + // Disables or enables RTX (RFC 4588) (defaults to false). + // disableRtx: false, + + // Disables or enables TCC (the default is in Jicofo and set to true) + // (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting + // affects congestion control, it practically enables send-side bandwidth + // estimations. + // enableTcc: true, + + // Disables or enables REMB (the default is in Jicofo and set to false) + // (draft-alvestrand-rmcat-remb-03). This setting affects congestion + // control, it practically enables recv-side bandwidth estimations. When + // both TCC and REMB are enabled, TCC takes precedence. When both are + // disabled, then bandwidth estimations are disabled. + // enableRemb: false, + + // Defines the minimum number of participants to start a call (the default + // is set in Jicofo and set to 2). + // minParticipants: 2, + + // Use XEP-0215 to fetch STUN and TURN servers. + // useStunTurn: true, + + // Enable IPv6 support. + // useIPv6: true, + + // Enables / disables a data communication channel with the Videobridge. + // Values can be 'datachannel', 'websocket', true (treat it as + // 'datachannel'), undefined (treat it as 'datachannel') and false (don't + // open any channel). + // openBridgeChannel: true, + + + // UI + // + + // Use display name as XMPP nickname. + // useNicks: false, + + // Require users to always specify a display name. + // requireDisplayName: true, + + // Whether to use a welcome page or not. In case it's false a random room + // will be joined when no room is specified. + enableWelcomePage: true, + + // Enabling the close page will ignore the welcome page redirection when + // a call is hangup. + // enableClosePage: false, + + // Disable hiding of remote thumbnails when in a 1-on-1 conference call. + // disable1On1Mode: false, + + // Default language for the user interface. + // defaultLanguage: 'en', + + // If true all users without a token will be considered guests and all users + // with token will be considered non-guests. Only guests will be allowed to + // edit their profile. + enableUserRolesBasedOnToken: false, + + // Whether or not some features are checked based on token. + // enableFeaturesBasedOnToken: false, + + // Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests. + // lockRoomGuestEnabled: false, + + // When enabled the password used for locking a room is restricted to up to the number of digits specified + // roomPasswordNumberOfDigits: 10, + // default: roomPasswordNumberOfDigits: false, + + // Message to show the users. Example: 'The service will be down for + // maintenance at 01:00 AM GMT, + // noticeMessage: '', + + // Enables calendar integration, depends on googleApiApplicationClientID + // and microsoftApiApplicationClientID + // enableCalendarIntegration: false, + + // Stats + // + + // Whether to enable stats collection or not in the TraceablePeerConnection. + // This can be useful for debugging purposes (post-processing/analysis of + // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth + // estimation tests. + // gatherStats: false, + + // To enable sending statistics to callstats.io you must provide the + // Application ID and Secret. + // callStatsID: '', + // callStatsSecret: '', + + // enables callstatsUsername to be reported as statsId and used + // by callstats as repoted remote id + // enableStatsID: false + + // enables sending participants display name to callstats + // enableDisplayNameInStats: false + + + // Privacy + // + + // If third party requests are disabled, no other server will be contacted. + // This means avatars will be locally generated and callstats integration + // will not function. + // disableThirdPartyRequests: false, + + + // Peer-To-Peer mode: used (if enabled) when there are just 2 participants. + // + + p2p: { + // Enables peer to peer mode. When enabled the system will try to + // establish a direct connection when there are exactly 2 participants + // in the room. If that succeeds the conference will stop sending data + // through the JVB and use the peer to peer connection instead. When a + // 3rd participant joins the conference will be moved back to the JVB + // connection. + enabled: true, + + // Use XEP-0215 to fetch STUN and TURN servers. + // useStunTurn: true, + + // The STUN servers that will be used in the peer to peer connections + {% if matrix_jitsi_web_stun_servers|length > 0 %} + stunServers: [ + {% for url in matrix_jitsi_web_stun_servers %} + { urls: {{ url|to_json }} }{% if not loop.last %},{% endif %} + {% endfor %} + ], + {% endif %} + + // Sets the ICE transport policy for the p2p connection. At the time + // of this writing the list of possible values are 'all' and 'relay', + // but that is subject to change in the future. The enum is defined in + // the WebRTC standard: + // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum. + // If not set, the effective value is 'all'. + // iceTransportPolicy: 'all', + + // If set to true, it will prefer to use H.264 for P2P calls (if H.264 + // is supported). + preferH264: true + + // If set to true, disable H.264 video codec by stripping it out of the + // SDP. + // disableH264: false, + + // How long we're going to wait, before going back to P2P after the 3rd + // participant has left the conference (to filter out page reload). + // backToP2PDelay: 5 + }, + + analytics: { + // The Google Analytics Tracking ID: + // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1' + + // The Amplitude APP Key: + // amplitudeAPPKey: '' + + // Array of script URLs to load as lib-jitsi-meet "analytics handlers". + // scriptURLs: [ + // "libs/analytics-ga.min.js", // google-analytics + // "https://example.com/my-custom-analytics.js" + // ], + }, + + // Information about the jitsi-meet instance we are connecting to, including + // the user region as seen by the server. + deploymentInfo: { + // shard: "shard1", + // region: "europe", + // userRegion: "asia" + } + + // Local Recording + // + + // localRecording: { + // Enables local recording. + // Additionally, 'localrecording' (all lowercase) needs to be added to + // TOOLBAR_BUTTONS in interface_config.js for the Local Recording + // button to show up on the toolbar. + // + // enabled: true, + // + + // The recording format, can be one of 'ogg', 'flac' or 'wav'. + // format: 'flac' + // + + // } + + // Options related to end-to-end (participant to participant) ping. + // e2eping: { + // // The interval in milliseconds at which pings will be sent. + // // Defaults to 10000, set to <= 0 to disable. + // pingInterval: 10000, + // + // // The interval in milliseconds at which analytics events + // // with the measured RTT will be sent. Defaults to 60000, set + // // to <= 0 to disable. + // analyticsInterval: 60000, + // } + + // If set, will attempt to use the provided video input device label when + // triggering a screenshare, instead of proceeding through the normal flow + // for obtaining a desktop stream. + // NOTE: This option is experimental and is currently intended for internal + // use only. + // _desktopSharingSourceDevice: 'sample-id-or-label' + + // If true, any checks to handoff to another application will be prevented + // and instead the app will continue to display in the current browser. + // disableDeepLinking: false + + // A property to disable the right click context menu for localVideo + // the menu has option to flip the locally seen video for local presentations + // disableLocalVideoFlip: false + + // List of undocumented settings used in jitsi-meet + /** + _immediateReloadThreshold + autoRecord + autoRecordToken + debug + debugAudioLevels + deploymentInfo + dialInConfCodeUrl + dialInNumbersUrl + dialOutAuthUrl + dialOutCodesUrl + disableRemoteControl + displayJids + etherpad_base + externalConnectUrl + firefox_fake_device + googleApiApplicationClientID + iAmRecorder + iAmSipGateway + microsoftApiApplicationClientID + peopleSearchQueryTypes + peopleSearchUrl + requireDisplayName + tokenAuthUrl + */ + + // List of undocumented settings used in lib-jitsi-meet + /** + _peerConnStatusOutOfLastNTimeout + _peerConnStatusRtcMuteTimeout + abTesting + avgRtpStatsN + callStatsConfIDNamespace + callStatsCustomScriptUrl + desktopSharingSources + disableAEC + disableAGC + disableAP + disableHPF + disableNS + enableLipSync + enableTalkWhileMuted + forceJVB121Ratio + hiddenDomain + ignoreStartMuted + nick + startBitrate + */ + +}; + +/* eslint-enable no-unused-vars, no-var */ diff --git a/roles/matrix-jitsi/templates/web/interface_config.js.j2 b/roles/matrix-jitsi/templates/web/interface_config.js.j2 new file mode 100644 index 00000000..dd5abc59 --- /dev/null +++ b/roles/matrix-jitsi/templates/web/interface_config.js.j2 @@ -0,0 +1,230 @@ +/* eslint-disable no-unused-vars, no-var, max-len */ + +var interfaceConfig = { + // TO FIX: this needs to be handled from SASS variables. There are some + // methods allowing to use variables both in css and js. + DEFAULT_BACKGROUND: '#474747', + + /** + * Whether or not the blurred video background for large video should be + * displayed on browsers that can support it. + */ + DISABLE_VIDEO_BACKGROUND: false, + + INITIAL_TOOLBAR_TIMEOUT: 20000, + TOOLBAR_TIMEOUT: 4000, + TOOLBAR_ALWAYS_VISIBLE: false, + DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', + DEFAULT_LOCAL_DISPLAY_NAME: 'me', + SHOW_JITSI_WATERMARK: true, + JITSI_WATERMARK_LINK: 'https://jitsi.org', + + // if watermark is disabled by default, it can be shown only for guests + SHOW_WATERMARK_FOR_GUESTS: true, + SHOW_BRAND_WATERMARK: false, + BRAND_WATERMARK_LINK: '', + SHOW_POWERED_BY: false, + SHOW_DEEP_LINKING_IMAGE: false, + GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true, + DISPLAY_WELCOME_PAGE_CONTENT: true, + APP_NAME: 'Jitsi Meet', + NATIVE_APP_NAME: 'Jitsi Meet', + PROVIDER_NAME: 'Jitsi', + LANG_DETECTION: false, // Allow i18n to detect the system language + INVITATION_POWERED_BY: true, + + /** + * If we should show authentication block in profile + */ + AUTHENTICATION_ENABLE: true, + + /** + * The name of the toolbar buttons to display in the toolbar. If present, + * the button will display. Exceptions are "livestreaming" and "recording" + * which also require being a moderator and some values in config.js to be + * enabled. Also, the "profile" button will not display for user's with a + * jwt. + */ + TOOLBAR_BUTTONS: [ + {% if matrix_jitsi_enable_transcriptions %} + 'closedcaptions', + {% endif %} + + 'microphone', 'camera', 'desktop', 'fullscreen', + 'fodeviceselection', 'hangup', 'profile', 'info', 'chat', 'recording', + 'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand', + 'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts', + 'tileview', 'videobackgroundblur' + ], + + SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar' ], + + // Determines how the video would fit the screen. 'both' would fit the whole + // screen, 'height' would fit the original video height to the height of the + // screen, 'width' would fit the original video width to the width of the + // screen respecting ratio. + VIDEO_LAYOUT_FIT: 'both', + + /** + * Whether to only show the filmstrip (and hide the toolbar). + */ + filmStripOnly: false, + + /** + * Whether to show thumbnails in filmstrip as a column instead of as a row. + */ + VERTICAL_FILMSTRIP: true, + + // A html text to be shown to guests on the close page, false disables it + CLOSE_PAGE_GUEST_HINT: false, + RANDOM_AVATAR_URL_PREFIX: false, + RANDOM_AVATAR_URL_SUFFIX: false, + FILM_STRIP_MAX_HEIGHT: 120, + + // Enables feedback star animation. + ENABLE_FEEDBACK_ANIMATION: false, + DISABLE_FOCUS_INDICATOR: false, + DISABLE_DOMINANT_SPEAKER_INDICATOR: false, + + /** + * Whether the speech to text transcription subtitles panel is disabled. + * If {@code undefined}, defaults to {@code false}. + * + * @type {boolean} + */ + DISABLE_TRANSCRIPTION_SUBTITLES: false, + + /** + * Whether the ringing sound in the call/ring overlay is disabled. If + * {@code undefined}, defaults to {@code false}. + * + * @type {boolean} + */ + DISABLE_RINGING: false, + AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)', + AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)', + POLICY_LOGO: null, + LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9 + REMOTE_THUMBNAIL_RATIO: 1, // 1:1 + // Documentation reference for the live streaming feature. + LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', + + /** + * Whether the mobile app Jitsi Meet is to be promoted to participants + * attempting to join a conference in a mobile Web browser. If + * {@code undefined}, defaults to {@code true}. + * + * @type {boolean} + */ + MOBILE_APP_PROMO: true, + + /** + * Maximum coeficient of the ratio of the large video to the visible area + * after the large video is scaled to fit the window. + * + * @type {number} + */ + MAXIMUM_ZOOMING_COEFFICIENT: 1.3, + + /* + * If indicated some of the error dialogs may point to the support URL for + * help. + */ + SUPPORT_URL: 'https://github.com/jitsi/jitsi-meet/issues/new', + + /** + * Whether the connection indicator icon should hide itself based on + * connection strength. If true, the connection indicator will remain + * displayed while the participant has a weak connection and will hide + * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is + * strong. + * + * @type {boolean} + */ + CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true, + + /** + * How long the connection indicator should remain displayed before hiding. + * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED. + * + * @type {number} + */ + CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000, + + /** + * If true, hides the connection indicators completely. + * + * @type {boolean} + */ + CONNECTION_INDICATOR_DISABLED: false, + + /** + * If true, hides the video quality label indicating the resolution status + * of the current large video. + * + * @type {boolean} + */ + VIDEO_QUALITY_LABEL_DISABLED: false, + + /** + * If true, will display recent list + * + * @type {boolean} + */ + RECENT_LIST_ENABLED: true, + + // Names of browsers which should show a warning stating the current browser + // has a suboptimal experience. Browsers which are not listed as optimal or + // unsupported are considered suboptimal. Valid values are: + // chrome, chromium, edge, electron, firefox, nwjs, opera, safari + OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron' ], + + // Browsers, in addition to those which do not fully support WebRTC, that + // are not supported and should show the unsupported browser page. + UNSUPPORTED_BROWSERS: [], + + /** + * A UX mode where the last screen share participant is automatically + * pinned. Valid values are the string "remote-only" so remote participants + * get pinned but not local, otherwise any truthy value for all participants, + * and any falsy value to disable the feature. + * + * Note: this mode is experimental and subject to breakage. + */ + AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only' + + /** + * How many columns the tile view can expand to. The respected range is + * between 1 and 5. + */ + // TILE_VIEW_MAX_COLUMNS: 5, + + /** + * Specify custom URL for downloading android mobile app. + */ + // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet', + + /** + * Specify URL for downloading ios mobile app. + */ + // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905', + + /** + * Specify mobile app scheme for opening the app from the mobile browser. + */ + // APP_SCHEME: 'org.jitsi.meet', + + /** + * Specify the Android app package name. + */ + // ANDROID_APP_PACKAGE: 'org.jitsi.meet', + + /** + * Override the behavior of some notifications to remain displayed until + * explicitly dismissed through a user action. The value is how long, in + * milliseconds, those notifications should remain displayed. + */ + // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000, +}; + +/* eslint-enable no-unused-vars, no-var, max-len */ From 8ff55bcd14160a2dafa06caeb5cefe71e6d0bc8a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 24 Mar 2020 15:30:14 +0200 Subject: [PATCH 0982/2384] Update documentation and changelog --- CHANGELOG.md | 9 +++++++++ README.md | 10 ++++++++++ docs/configuring-playbook-jitsi.md | 7 +++++-- 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 31771186..24a6af08 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2020-03-24 + +## Jitsi support + +The playbook can now (optionally) install the [Jitsi](https://jitsi.org/) video-conferencing platform and integrate it with [Riot](docs/configuring-playbook-riot-web.md). + +See our [Jitsi documentation page](docs/configuring-playbook-jitsi.md) to get started. + + # 2020-03-15 ## Raspberry Pi support diff --git a/README.md b/README.md index bf6398cd..a991e533 100644 --- a/README.md +++ b/README.md @@ -56,6 +56,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients +- (optional) [Jitsi](https://jitsi.org/), an open source video-conferencing platform + Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. @@ -144,6 +146,14 @@ This playbook sets up your server using the following Docker images: - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) +- [jitsi/web](https://hub.docker.com/r/jitsi/web) - the [Jitsi](https://jitsi.org/) web UI (optional) + +- [jitsi/jicofo](https://hub.docker.com/r/jitsi/jicofo) - the [Jitsi](https://jitsi.org/) Focus component (optional) + +- [jitsi/prosody](https://hub.docker.com/r/jitsi/prosody) - the [Jitsi](https://jitsi.org/) Prosody XMPP server component (optional) + +- [jitsi/jvb](https://hub.docker.com/r/jitsi/jvb) - the [Jitsi](https://jitsi.org/) Video Bridge component (optional) + ## Deficiencies diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 7239758b..0d030d4e 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -31,6 +31,9 @@ matrix_riot_web_docker_image: "vectorim/riot-web:develop" Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` -.. and fully reload your riot-web page (at `riot.DOMAIN`). -Starting a video-conference in a room with more than 2 members should then create a Jitsi widget which utilizes your self-hosted Jitsi server. +## Usage + +You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`. + +To use it via riot-web, make sure you've installed the `develop` version and fully reloaded your riot-web page (at `riot.DOMAIN`). Starting a video-conference in a room containing more than 2 members should then create a Jitsi widget which utilizes your self-hosted Jitsi server. From fcb4f2579d9f21336595091aead80468cc3c2764 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 24 Mar 2020 16:15:52 +0200 Subject: [PATCH 0983/2384] Upgrade matrix-corporal (1.7.1 -> 1.7.2) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 81d2c16c..9b0c9188 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -19,7 +19,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_docker_image: "devture/matrix-corporal:1.7.1" +matrix_corporal_docker_image: "devture/matrix-corporal:1.7.2" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" From e06ac41db1653583419c6818d8ffc999bb52a2a3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 24 Mar 2020 16:21:26 +0200 Subject: [PATCH 0984/2384] Do not try to obtain jitsi.DOMAIN certificate if Jitsi is disabled --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 84d24aa9..c2dd5786 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -561,7 +561,7 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + - ([matrix_server_fqn_jitsi]) + ([matrix_server_fqn_jitsi] if matrix_jitsi_enabled else []) + ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) }} From 0e69a5103606a564e154b2ccad8d650840de8edf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 24 Mar 2020 16:41:24 +0200 Subject: [PATCH 0985/2384] Upgrade matrix-corporal (1.7.2 -> 1.8.0) --- roles/matrix-corporal/defaults/main.yml | 5 ++++- roles/matrix-corporal/templates/config.json.j2 | 6 ++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 9b0c9188..9430f053 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -19,7 +19,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_docker_image: "devture/matrix-corporal:1.7.2" +matrix_corporal_docker_image: "devture/matrix-corporal:1.8.0" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" @@ -46,8 +46,11 @@ matrix_corporal_matrix_timeout_milliseconds: 45000 matrix_corporal_reconciliation_retry_interval_milliseconds: 30000 matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" +matrix_corporal_http_gateway_timeout_milliseconds: 60000 + matrix_corporal_http_api_enabled: false matrix_corporal_http_api_auth_token: "" +matrix_corporal_http_api_timeout_milliseconds: 15000 # Matrix Corporal policy provider configuration (goes directly into the configuration's `PolicyProvider` value) matrix_corporal_policy_provider_config: "" diff --git a/roles/matrix-corporal/templates/config.json.j2 b/roles/matrix-corporal/templates/config.json.j2 index 378b2c19..dff73830 100644 --- a/roles/matrix-corporal/templates/config.json.j2 +++ b/roles/matrix-corporal/templates/config.json.j2 @@ -13,13 +13,15 @@ }, "HttpGateway": { - "ListenAddress": "0.0.0.0:41080" + "ListenAddress": "0.0.0.0:41080", + "TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }} }, "HttpApi": { "Enabled": {{ matrix_corporal_http_api_enabled|to_json }}, "ListenAddress": "0.0.0.0:41081", - "AuthorizationBearerToken": "{{ matrix_corporal_http_api_auth_token }}" + "AuthorizationBearerToken": "{{ matrix_corporal_http_api_auth_token }}", + "TimeoutMilliseconds": {{ matrix_corporal_http_api_timeout_milliseconds }} }, "PolicyProvider": {{ matrix_corporal_policy_provider_config }}, From 0f39cb99877a335a97a37677a067c59f9d5dd372 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 24 Mar 2020 17:57:33 +0200 Subject: [PATCH 0986/2384] Fix incorrect server_name for Jitsi Fixes #417 (Github Issue) --- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 7488d611..c6689172 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -56,7 +56,7 @@ server { listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; + server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }}; server_tokens off; root /dev/null; From e5849801c624a2e1787a397fcf15556ed5f03593 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 24 Mar 2020 18:26:52 +0200 Subject: [PATCH 0987/2384] Add Jitsi reference to Configuring Playbook docs page --- docs/configuring-playbook.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 4d84fac3..051abf16 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -31,6 +31,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the Dimension Integration Manager](configuring-playbook-dimension.md) (optional, but recommended; after [installing](installing.md)) +- [Setting up the Jitsi video-conferencing platform](configuring-playbook-jitsi.md) (optional) + ### Core service adjustments From eebc6e13f804fc757ab6d5b3d5512dc3a7866f11 Mon Sep 17 00:00:00 2001 From: mooomooo Date: Tue, 24 Mar 2020 11:27:58 -0700 Subject: [PATCH 0988/2384] Made directory variables for /etc/systemd/system , /etc/cron.d , /usr/local/bin --- roles/matrix-base/defaults/main.yml | 3 +++ roles/matrix-base/tasks/setup_matrix_base.yml | 2 +- .../templates/usr-local-bin/matrix-remove-all.j2 | 6 +++--- .../tasks/setup_install.yml | 2 +- .../tasks/setup_uninstall.yml | 4 ++-- .../tasks/setup_install.yml | 2 +- .../tasks/setup_uninstall.yml | 4 ++-- .../tasks/setup_install.yml | 2 +- .../tasks/setup_uninstall.yml | 4 ++-- .../tasks/setup_install.yml | 2 +- .../tasks/setup_uninstall.yml | 4 ++-- .../tasks/setup_install.yml | 2 +- .../tasks/setup_uninstall.yml | 4 ++-- .../tasks/setup_install.yml | 2 +- .../tasks/setup_uninstall.yml | 4 ++-- .../tasks/setup_install.yml | 2 +- .../tasks/setup_uninstall.yml | 4 ++-- .../tasks/setup_install.yml | 2 +- .../tasks/setup_uninstall.yml | 4 ++-- roles/matrix-corporal/tasks/setup_corporal.yml | 8 ++++---- roles/matrix-coturn/tasks/setup_coturn.yml | 6 +++--- roles/matrix-dimension/tasks/setup_dimension.yml | 6 +++--- .../tasks/setup_email2matrix.yml | 6 +++--- roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml | 6 +++--- roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 6 +++--- roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml | 6 +++--- roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 6 +++--- roles/matrix-mailer/tasks/setup_mailer.yml | 6 +++--- roles/matrix-mxisd/tasks/setup_mxisd.yml | 6 +++--- .../tasks/setup_nginx_proxy.yml | 6 +++--- .../tasks/ssl/setup_ssl_lets_encrypt.yml | 12 ++++++------ .../tasks/migrate_postgres_data_directory.yml | 2 +- roles/matrix-postgres/tasks/setup_postgres.yml | 16 ++++++++-------- roles/matrix-riot-web/tasks/setup_riot_web.yml | 6 +++--- .../tasks/goofys/setup_install.yml | 2 +- .../tasks/goofys/setup_uninstall.yml | 4 ++-- roles/matrix-synapse/tasks/register_user.yml | 2 +- .../tasks/synapse/setup_install.yml | 4 ++-- .../tasks/synapse/setup_uninstall.yml | 4 ++-- .../tasks/update_user_password.yml | 2 +- 40 files changed, 92 insertions(+), 89 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 0be463d1..6800df86 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -29,6 +29,9 @@ matrix_base_data_path: "/matrix" matrix_base_data_path_mode: "750" matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" +matrix_systemd_path: "/etc/systemd/system" +matrix_cron_path: "/etc/cron.d" +matrix_local_bin_path: "/usr/local/bin" matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index b4aa92b9..24217883 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -52,6 +52,6 @@ - name: Ensure matrix-remove-all script created template: src: "{{ role_path }}/templates/usr-local-bin/matrix-remove-all.j2" - dest: "/usr/local/bin/matrix-remove-all" + dest: "{{ matrix_local_bin_path }}/matrix-remove-all" mode: 0750 diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 index ac810595..972919e3 100644 --- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 @@ -15,15 +15,15 @@ if [ "$sure" != "Yes, I really want to remove everything!" ]; then exit 0 else echo "Stop and remove matrix services" - for s in $(find /etc/systemd/system/ -name "matrix-*" -printf "%f\n"); do + for s in $(find {{ matrix_systemd_path }}/ -name "matrix-*" -printf "%f\n"); do systemctl stop $s - rm -f /etc/systemd/system/$s + rm -f {{ matrix_systemd_path }}/$s done systemctl daemon-reload echo "Remove matrix cronjobs" find /etc/cron.d/ -name "matrix-*" -delete echo "Remove matrix scripts" - find /usr/local/bin/ -name "matrix-*" -delete + find {{ matrix_local_bin_path }}/ -name "matrix-*" -delete echo "Remove every docker images" docker rmi $(docker images -aq) echo "Remove docker matrix network" diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index 6f4f5979..e2144f6a 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -72,7 +72,7 @@ - name: Ensure matrix-appservice-discord.service installed template: src: "{{ role_path }}/templates/systemd/matrix-appservice-discord.service.j2" - dest: "/etc/systemd/system/matrix-appservice-discord.service" + dest: "{{ matrix_systemd_path }}/matrix-appservice-discord.service" mode: 0644 register: matrix_appservice_discord_systemd_service_result diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml index 6790f203..4e8c1fdc 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_uninstall.yml @@ -2,7 +2,7 @@ - name: Check existence of matrix-appservice-discord service stat: - path: "/etc/systemd/system/matrix-appservice-discord.service" + path: "{{ matrix_systemd_path }}/matrix-appservice-discord.service" register: matrix_appservice_discord_service_stat - name: Ensure matrix-appservice-discord is stopped @@ -14,7 +14,7 @@ - name: Ensure matrix-appservice-discord.service doesn't exist file: - path: "/etc/systemd/system/matrix-appservice-discord.service" + path: "{{ matrix_systemd_path }}/matrix-appservice-discord.service" state: absent when: "matrix_appservice_discord_service_stat.stat.exists" diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index e2c2c2b6..1c69b2a8 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -139,7 +139,7 @@ - name: Ensure matrix-appservice-irc.service installed template: src: "{{ role_path }}/templates/systemd/matrix-appservice-irc.service.j2" - dest: "/etc/systemd/system/matrix-appservice-irc.service" + dest: "{{ matrix_systemd_path }}/matrix-appservice-irc.service" mode: 0644 register: matrix_appservice_irc_systemd_service_result diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml index ce65d0e6..2b5e5dfd 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_uninstall.yml @@ -2,7 +2,7 @@ - name: Check existence of matrix-appservice-irc service stat: - path: "/etc/systemd/system/matrix-appservice-irc.service" + path: "{{ matrix_systemd_path }}/matrix-appservice-irc.service" register: matrix_appservice_irc_service_stat - name: Ensure matrix-appservice-irc is stopped @@ -14,7 +14,7 @@ - name: Ensure matrix-appservice-irc.service doesn't exist file: - path: "/etc/systemd/system/matrix-appservice-irc.service" + path: "{{ matrix_systemd_path }}/matrix-appservice-irc.service" state: absent when: "matrix_appservice_irc_service_stat.stat.exists" diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index 1e8bc9cd..b4132e96 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -38,7 +38,7 @@ - name: Ensure matrix-appservice-slack.service installed template: src: "{{ role_path }}/templates/systemd/matrix-appservice-slack.service.j2" - dest: "/etc/systemd/system/matrix-appservice-slack.service" + dest: "{{ matrix_systemd_path }}/matrix-appservice-slack.service" mode: 0644 register: matrix_appservice_slack_systemd_service_result diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml index 92bee3e6..0b83d02e 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_uninstall.yml @@ -2,7 +2,7 @@ - name: Check existence of matrix-appservice-slack service stat: - path: "/etc/systemd/system/matrix-appservice-slack.service" + path: "{{ matrix_systemd_path }}/matrix-appservice-slack.service" register: matrix_appservice_slack_service_stat - name: Ensure matrix-appservice-slack is stopped @@ -14,7 +14,7 @@ - name: Ensure matrix-appservice-slack.service doesn't exist file: - path: "/etc/systemd/system/matrix-appservice-slack.service" + path: "{{ matrix_systemd_path }}/matrix-appservice-slack.service" state: absent when: "matrix_appservice_slack_service_stat.stat.exists" diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml index 94b4ef0c..5d167dc0 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml @@ -54,7 +54,7 @@ - name: Ensure matrix-appservice-webhooks.service installed template: src: "{{ role_path }}/templates/systemd/matrix-appservice-webhooks.service.j2" - dest: "/etc/systemd/system/matrix-appservice-webhooks.service" + dest: "{{ matrix_systemd_path }}/matrix-appservice-webhooks.service" mode: 0644 register: matrix_appservice_webhooks_systemd_service_result diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml b/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml index 605b2525..d8e973ce 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml @@ -2,7 +2,7 @@ - name: Check existence of matrix-appservice-webhooks service stat: - path: "/etc/systemd/system/matrix-appservice-webhooks.service" + path: "{{ matrix_systemd_path }}/matrix-appservice-webhooks.service" register: matrix_appservice_webhooks_service_stat - name: Ensure matrix-appservice-webhooks is stopped @@ -14,7 +14,7 @@ - name: Ensure matrix-appservice-webhooks.service doesn't exist file: - path: "/etc/systemd/system/matrix-appservice-webhooks.service" + path: "{{ matrix_systemd_path }}/matrix-appservice-webhooks.service" state: absent when: "matrix_appservice_webhooks_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 2656c5ae..77f3346f 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -84,7 +84,7 @@ - name: Ensure matrix-mautrix-facebook.service installed template: src: "{{ role_path }}/templates/systemd/matrix-mautrix-facebook.service.j2" - dest: "/etc/systemd/system/matrix-mautrix-facebook.service" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" mode: 0644 register: matrix_mautrix_facebook_systemd_service_result diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml index 06c9b499..efc8aa74 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml @@ -2,7 +2,7 @@ - name: Check existence of matrix-mautrix-facebook service stat: - path: "/etc/systemd/system/matrix-mautrix-facebook.service" + path: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" register: matrix_mautrix_facebook_service_stat - name: Ensure matrix-mautrix-facebook is stopped @@ -14,7 +14,7 @@ - name: Ensure matrix-mautrix-facebook.service doesn't exist file: - path: "/etc/systemd/system/matrix-mautrix-facebook.service" + path: "{{ matrix_systemd_path }}/matrix-mautrix-facebook.service" state: absent when: "matrix_mautrix_facebook_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index a30367f3..db1dc884 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -83,7 +83,7 @@ - name: Ensure matrix-mautrix-hangouts.service installed template: src: "{{ role_path }}/templates/systemd/matrix-mautrix-hangouts.service.j2" - dest: "/etc/systemd/system/matrix-mautrix-hangouts.service" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-hangouts.service" mode: 0644 register: matrix_mautrix_hangouts_systemd_service_result diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml index ef33e238..14413e94 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml @@ -2,7 +2,7 @@ - name: Check existence of matrix-mautrix-hangouts service stat: - path: "/etc/systemd/system/matrix-mautrix-hangouts.service" + path: "{{ matrix_systemd_path }}/matrix-mautrix-hangouts.service" register: matrix_mautrix_hangouts_service_stat - name: Ensure matrix-mautrix-hangouts is stopped @@ -14,7 +14,7 @@ - name: Ensure matrix-mautrix-hangouts.service doesn't exist file: - path: "/etc/systemd/system/matrix-mautrix-hangouts.service" + path: "{{ matrix_systemd_path }}/matrix-mautrix-hangouts.service" state: absent when: "matrix_mautrix_hangouts_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index a5f6983a..1c8b063d 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -63,7 +63,7 @@ - name: Ensure matrix-mautrix-telegram.service installed template: src: "{{ role_path }}/templates/systemd/matrix-mautrix-telegram.service.j2" - dest: "/etc/systemd/system/matrix-mautrix-telegram.service" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-telegram.service" mode: 0644 register: matrix_mautrix_telegram_systemd_service_result diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml index 190c1840..b14bd737 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_uninstall.yml @@ -2,7 +2,7 @@ - name: Check existence of matrix-mautrix-telegram service stat: - path: "/etc/systemd/system/matrix-mautrix-telegram.service" + path: "{{ matrix_systemd_path }}/matrix-mautrix-telegram.service" register: matrix_mautrix_telegram_service_stat - name: Ensure matrix-mautrix-telegram is stopped @@ -14,7 +14,7 @@ - name: Ensure matrix-mautrix-telegram.service doesn't exist file: - path: "/etc/systemd/system/matrix-mautrix-telegram.service" + path: "{{ matrix_systemd_path }}/matrix-mautrix-telegram.service" state: absent when: "matrix_mautrix_telegram_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 0806e559..a818afb1 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -72,7 +72,7 @@ - name: Ensure matrix-mautrix-whatsapp.service installed template: src: "{{ role_path }}/templates/systemd/matrix-mautrix-whatsapp.service.j2" - dest: "/etc/systemd/system/matrix-mautrix-whatsapp.service" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-whatsapp.service" mode: 0644 register: matrix_mautrix_whatsapp_systemd_service_result diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml index 7f5e6559..93f5c4c8 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_uninstall.yml @@ -2,7 +2,7 @@ - name: Check existence of matrix-mautrix-whatsapp service stat: - path: "/etc/systemd/system/matrix-mautrix-whatsapp.service" + path: "{{ matrix_systemd_path }}/matrix-mautrix-whatsapp.service" register: matrix_mautrix_whatsapp_service_stat - name: Ensure matrix-mautrix-whatsapp is stopped @@ -14,7 +14,7 @@ - name: Ensure matrix-mautrix-whatsapp.service doesn't exist file: - path: "/etc/systemd/system/matrix-mautrix-whatsapp.service" + path: "{{ matrix_systemd_path }}/matrix-mautrix-whatsapp.service" state: absent when: "matrix_mautrix_whatsapp_service_stat.stat.exists" diff --git a/roles/matrix-corporal/tasks/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml index d3e4f907..2e09f013 100644 --- a/roles/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -37,7 +37,7 @@ - name: Ensure matrix-corporal.service installed template: src: "{{ role_path }}/templates/systemd/matrix-corporal.service.j2" - dest: "/etc/systemd/system/matrix-corporal.service" + dest: "{{ matrix_systemd_path }}/matrix-corporal.service" mode: 0644 register: matrix_corporal_systemd_service_result when: matrix_corporal_enabled|bool @@ -54,7 +54,7 @@ - name: Check existence of matrix-corporal service stat: - path: "/etc/systemd/system/matrix-corporal.service" + path: "{{ matrix_systemd_path }}/matrix-corporal.service" register: matrix_corporal_service_stat when: "not matrix_corporal_enabled|bool" @@ -68,7 +68,7 @@ - name: Ensure matrix-corporal.service doesn't exist file: - path: "/etc/systemd/system/matrix-corporal.service" + path: "{{ matrix_systemd_path }}/matrix-corporal.service" state: absent when: "not matrix_corporal_enabled|bool and matrix_corporal_service_stat.stat.exists" @@ -82,7 +82,7 @@ path: "{{ item }}" state: absent with_items: - - /etc/systemd/system/matrix-corporal.service + - "{{ matrix_systemd_path }}/matrix-corporal.service" - "{{ matrix_corporal_config_dir_path }}/config.json" when: "not matrix_corporal_enabled|bool" diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 479e6044..8a2ad3bd 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -77,7 +77,7 @@ - name: Ensure matrix-coturn.service installed template: src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2" - dest: "/etc/systemd/system/matrix-coturn.service" + dest: "{{ matrix_systemd_path }}/matrix-coturn.service" mode: 0644 register: matrix_coturn_systemd_service_result when: matrix_coturn_enabled|bool @@ -116,7 +116,7 @@ - name: Check existence of matrix-coturn service stat: - path: "/etc/systemd/system/matrix-coturn.service" + path: "{{ matrix_systemd_path }}/matrix-coturn.service" register: matrix_coturn_service_stat when: "not matrix_coturn_enabled|bool" @@ -130,7 +130,7 @@ - name: Ensure matrix-coturn.service doesn't exist file: - path: "/etc/systemd/system/matrix-coturn.service" + path: "{{ matrix_systemd_path }}/matrix-coturn.service" state: absent when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" diff --git a/roles/matrix-dimension/tasks/setup_dimension.yml b/roles/matrix-dimension/tasks/setup_dimension.yml index 0b52c5a2..2437a547 100644 --- a/roles/matrix-dimension/tasks/setup_dimension.yml +++ b/roles/matrix-dimension/tasks/setup_dimension.yml @@ -33,7 +33,7 @@ - name: Ensure matrix-dimension.service installed template: src: "{{ role_path }}/templates/systemd/matrix-dimension.service.j2" - dest: "/etc/systemd/system/matrix-dimension.service" + dest: "{{ matrix_systemd_path }}/matrix-dimension.service" mode: 0644 register: matrix_dimension_systemd_service_result when: matrix_dimension_enabled|bool @@ -49,7 +49,7 @@ - name: Check existence of matrix-dimension service stat: - path: "/etc/systemd/system/matrix-dimension.service" + path: "{{ matrix_systemd_path }}/matrix-dimension.service" register: matrix_dimension_service_stat when: "not matrix_dimension_enabled|bool" @@ -63,7 +63,7 @@ - name: Ensure matrix-dimension.service doesn't exist file: - path: "/etc/systemd/system/matrix-dimension.service" + path: "{{ matrix_systemd_path }}/matrix-dimension.service" state: absent when: "not matrix_dimension_enabled|bool and matrix_dimension_service_stat.stat.exists" diff --git a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml b/roles/matrix-email2matrix/tasks/setup_email2matrix.yml index 9d9109e3..1e64627a 100644 --- a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml +++ b/roles/matrix-email2matrix/tasks/setup_email2matrix.yml @@ -36,7 +36,7 @@ - name: Ensure matrix-email2matrix.service installed template: src: "{{ role_path }}/templates/systemd/matrix-email2matrix.service.j2" - dest: "/etc/systemd/system/matrix-email2matrix.service" + dest: "{{ matrix_systemd_path }}/matrix-email2matrix.service" mode: 0644 register: matrix_email2matrix_systemd_service_result when: matrix_email2matrix_enabled|bool @@ -52,7 +52,7 @@ - name: Check existence of matrix-email2matrix service stat: - path: "/etc/systemd/system/matrix-email2matrix.service" + path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" register: matrix_email2matrix_service_stat when: "not matrix_email2matrix_enabled|bool" @@ -66,7 +66,7 @@ - name: Ensure matrix-email2matrix.service doesn't exist file: - path: "/etc/systemd/system/matrix-email2matrix.service" + path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" state: absent when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml index 98ebfb25..b7ff409a 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml @@ -44,7 +44,7 @@ - name: Ensure matrix-jitsi-jicofo.service installed template: src: "{{ role_path }}/templates/jicofo/matrix-jitsi-jicofo.service.j2" - dest: "/etc/systemd/system/matrix-jitsi-jicofo.service" + dest: "{{ matrix_systemd_path }}/matrix-jitsi-jicofo.service" mode: 0644 register: matrix_jitsi_jicofo_systemd_service_result when: matrix_jitsi_enabled|bool @@ -60,7 +60,7 @@ - name: Check existence of matrix-jitsi-jicofo service stat: - path: "/etc/systemd/system/matrix-jitsi-jicofo.service" + path: "{{ matrix_systemd_path }}/matrix-jitsi-jicofo.service" register: matrix_jitsi_jicofo_service_stat when: "not matrix_jitsi_enabled|bool" @@ -74,7 +74,7 @@ - name: Ensure matrix-jitsi-jicofo.service doesn't exist file: - path: "/etc/systemd/system/matrix-jitsi-jicofo.service" + path: "{{ matrix_systemd_path }}/matrix-jitsi-jicofo.service" state: absent when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml index 86067c23..e4d652ed 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml @@ -37,7 +37,7 @@ - name: Ensure matrix-jitsi-jvb.service installed template: src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2" - dest: "/etc/systemd/system/matrix-jitsi-jvb.service" + dest: "{{ matrix_systemd_path }}/matrix-jitsi-jvb.service" mode: 0644 register: matrix_jitsi_jvb_systemd_service_result when: matrix_jitsi_enabled|bool @@ -53,7 +53,7 @@ - name: Check existence of matrix-jitsi-jvb service stat: - path: "/etc/systemd/system/matrix-jitsi-jvb.service" + path: "{{ matrix_systemd_path }}/matrix-jitsi-jvb.service" register: matrix_jitsi_jvb_service_stat when: "not matrix_jitsi_enabled|bool" @@ -67,7 +67,7 @@ - name: Ensure matrix-jitsi-jvb.service doesn't exist file: - path: "/etc/systemd/system/matrix-jitsi-jvb.service" + path: "{{ matrix_systemd_path }}/matrix-jitsi-jvb.service" state: absent when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 6ea70248..e783aad9 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -34,7 +34,7 @@ - name: Ensure matrix-jitsi-prosody.service installed template: src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" - dest: "/etc/systemd/system/matrix-jitsi-prosody.service" + dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" mode: 0644 register: matrix_jitsi_prosody_systemd_service_result when: matrix_jitsi_enabled|bool @@ -50,7 +50,7 @@ - name: Check existence of matrix-jitsi-prosody service stat: - path: "/etc/systemd/system/matrix-jitsi-prosody.service" + path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" register: matrix_jitsi_prosody_service_stat when: "not matrix_jitsi_enabled|bool" @@ -64,7 +64,7 @@ - name: Ensure matrix-jitsi-prosody.service doesn't exist file: - path: "/etc/systemd/system/matrix-jitsi-prosody.service" + path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" state: absent when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index 93d69023..3610a084 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -45,7 +45,7 @@ - name: Ensure matrix-jitsi-web.service installed template: src: "{{ role_path }}/templates/web/matrix-jitsi-web.service.j2" - dest: "/etc/systemd/system/matrix-jitsi-web.service" + dest: "{{ matrix_systemd_path }}/matrix-jitsi-web.service" mode: 0644 register: matrix_jitsi_web_systemd_service_result when: matrix_jitsi_enabled|bool @@ -61,7 +61,7 @@ - name: Check existence of matrix-jitsi-web service stat: - path: "/etc/systemd/system/matrix-jitsi-web.service" + path: "{{ matrix_systemd_path }}/matrix-jitsi-web.service" register: matrix_jitsi_web_service_stat when: "not matrix_jitsi_enabled|bool" @@ -75,7 +75,7 @@ - name: Ensure matrix-jitsi-web.service doesn't exist file: - path: "/etc/systemd/system/matrix-jitsi-web.service" + path: "{{ matrix_systemd_path }}/matrix-jitsi-web.service" state: absent when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists" diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml index c357ead3..e216915f 100644 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -31,7 +31,7 @@ - name: Ensure matrix-mailer.service installed template: src: "{{ role_path }}/templates/systemd/matrix-mailer.service.j2" - dest: "/etc/systemd/system/matrix-mailer.service" + dest: "{{ matrix_systemd_path }}/matrix-mailer.service" mode: 0644 register: matrix_mailer_systemd_service_result when: matrix_mailer_enabled|bool @@ -47,7 +47,7 @@ - name: Check existence of matrix-mailer service stat: - path: "/etc/systemd/system/matrix-mailer.service" + path: "{{ matrix_systemd_path }}/matrix-mailer.service" register: matrix_mailer_service_stat when: "not matrix_mailer_enabled|bool" @@ -61,7 +61,7 @@ - name: Ensure matrix-mailer.service doesn't exist file: - path: "/etc/systemd/system/matrix-mailer.service" + path: "{{ matrix_systemd_path }}/matrix-mailer.service" state: absent when: "not matrix_mailer_enabled|bool and matrix_mailer_service_stat.stat.exists" diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml index aa780119..cc7712bb 100644 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ b/roles/matrix-mxisd/tasks/setup_mxisd.yml @@ -78,7 +78,7 @@ - name: Ensure matrix-mxisd.service installed template: src: "{{ role_path }}/templates/systemd/matrix-mxisd.service.j2" - dest: "/etc/systemd/system/matrix-mxisd.service" + dest: "{{ matrix_systemd_path }}/matrix-mxisd.service" mode: 0644 register: matrix_mxisd_systemd_service_result when: matrix_mxisd_enabled|bool @@ -94,7 +94,7 @@ - name: Check existence of matrix-mxisd service stat: - path: "/etc/systemd/system/matrix-mxisd.service" + path: "{{ matrix_systemd_path }}/matrix-mxisd.service" register: matrix_mxisd_service_stat - name: Ensure matrix-mxisd is stopped @@ -107,7 +107,7 @@ - name: Ensure matrix-mxisd.service doesn't exist file: - path: "/etc/systemd/system/matrix-mxisd.service" + path: "{{ matrix_systemd_path }}/matrix-mxisd.service" state: absent when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists" diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index b5d7ad6b..6db5d978 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -112,7 +112,7 @@ - name: Ensure matrix-nginx-proxy.service installed template: src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2" - dest: "/etc/systemd/system/matrix-nginx-proxy.service" + dest: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service" mode: 0644 register: matrix_nginx_proxy_systemd_service_result when: matrix_nginx_proxy_enabled|bool @@ -129,7 +129,7 @@ - name: Check existence of matrix-nginx-proxy service stat: - path: "/etc/systemd/system/matrix-nginx-proxy.service" + path: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service" register: matrix_nginx_proxy_service_stat when: "not matrix_nginx_proxy_enabled|bool" @@ -143,7 +143,7 @@ - name: Ensure matrix-nginx-proxy.service doesn't exist file: - path: "/etc/systemd/system/matrix-nginx-proxy.service" + path: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service" state: absent when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 88bdb977..e6542545 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -7,9 +7,9 @@ path: "{{ item }}" state: absent with_items: - - /usr/local/bin/matrix-ssl-certificates-renew - - /etc/cron.d/matrix-ssl-certificate-renewal - - /etc/cron.d/matrix-nginx-proxy-periodic-restarter + - "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew" + - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal" + - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter" # @@ -51,7 +51,7 @@ - name: Ensure Let's Encrypt SSL renewal script installed template: src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2" - dest: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew + dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" mode: 0750 when: "matrix_ssl_retrieval_method == 'lets-encrypt'" @@ -73,7 +73,7 @@ hour: "4" minute: "15" day: "*" - job: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew + job: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" - name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload) cron: @@ -113,6 +113,6 @@ - name: Ensure Let's Encrypt SSL renewal script removed file: - path: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew + path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" state: absent when: "matrix_ssl_retrieval_method != 'lets-encrypt'" diff --git a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml index 22d584a9..599d45b5 100644 --- a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml +++ b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml @@ -62,7 +62,7 @@ - name: Ensure outdated matrix-postgres.service doesn't exist file: - path: "/etc/systemd/system/matrix-postgres.service" + path: "{{ matrix_systemd_path }}/matrix-postgres.service" state: absent when: "result_pg_old_data_dir_stat.stat.exists" diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 16c27677..355898b6 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -69,34 +69,34 @@ - name: Ensure matrix-postgres-cli script created template: src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2" - dest: "/usr/local/bin/matrix-postgres-cli" + dest: "{{ matrix_local_bin_path }}/matrix-postgres-cli" mode: 0750 when: matrix_postgres_enabled|bool - name: Ensure matrix-change-user-admin-status script created template: src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2" - dest: "/usr/local/bin/matrix-change-user-admin-status" + dest: "{{ matrix_local_bin_path }}/matrix-change-user-admin-status" mode: 0750 when: matrix_postgres_enabled|bool - name: (Migration) Ensure old matrix-make-user-admin script deleted file: - path: "/usr/local/bin/matrix-make-user-admin" + path: "{{ matrix_local_bin_path }}/matrix-make-user-admin" state: absent when: matrix_postgres_enabled|bool - name: Ensure matrix-postgres-update-user-password-hash script created template: src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" - dest: "/usr/local/bin/matrix-postgres-update-user-password-hash" + dest: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash" mode: 0750 when: matrix_postgres_enabled|bool - name: Ensure matrix-postgres.service installed template: src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2" - dest: "/etc/systemd/system/matrix-postgres.service" + dest: "{{ matrix_systemd_path }}/matrix-postgres.service" mode: 0644 register: matrix_postgres_systemd_service_result when: matrix_postgres_enabled|bool @@ -112,7 +112,7 @@ - name: Check existence of matrix-postgres service stat: - path: "/etc/systemd/system/matrix-postgres.service" + path: "{{ matrix_systemd_path }}/matrix-postgres.service" register: matrix_postgres_service_stat when: "not matrix_postgres_enabled|bool" @@ -125,7 +125,7 @@ - name: Ensure matrix-postgres.service doesn't exist file: - path: "/etc/systemd/system/matrix-postgres.service" + path: "{{ matrix_systemd_path }}/matrix-postgres.service" state: absent when: "not matrix_postgres_enabled|bool and matrix_postgres_service_stat.stat.exists" @@ -148,7 +148,7 @@ - name: Remove Postgres scripts file: - path: "/usr/local/bin/{{ item }}" + path: "{{ matrix_local_bin_path }}/{{ item }}" state: absent with_items: - matrix-postgres-cli diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index e78da350..a1d25fc6 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -75,7 +75,7 @@ - name: Ensure matrix-riot-web.service installed template: src: "{{ role_path }}/templates/systemd/matrix-riot-web.service.j2" - dest: "/etc/systemd/system/matrix-riot-web.service" + dest: "{{ matrix_systemd_path }}/matrix-riot-web.service" mode: 0644 register: matrix_riot_web_systemd_service_result when: matrix_riot_web_enabled|bool @@ -91,7 +91,7 @@ - name: Check existence of matrix-riot-web service stat: - path: "/etc/systemd/system/matrix-riot-web.service" + path: "{{ matrix_systemd_path }}/matrix-riot-web.service" register: matrix_riot_web_service_stat when: "not matrix_riot_web_enabled|bool" @@ -105,7 +105,7 @@ - name: Ensure matrix-riot-web.service doesn't exist file: - path: "/etc/systemd/system/matrix-riot-web.service" + path: "{{ matrix_systemd_path }}/matrix-riot-web.service" state: absent when: "not matrix_riot_web_enabled|bool and matrix_riot_web_service_stat.stat.exists" diff --git a/roles/matrix-synapse/tasks/goofys/setup_install.yml b/roles/matrix-synapse/tasks/goofys/setup_install.yml index 9a4b9a7e..efd9d46c 100644 --- a/roles/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/matrix-synapse/tasks/goofys/setup_install.yml @@ -31,7 +31,7 @@ - name: Ensure matrix-goofys.service installed template: src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2" - dest: "/etc/systemd/system/matrix-goofys.service" + dest: "{{ matrix_systemd_path }}/matrix-goofys.service" mode: 0644 register: matrix_goofys_systemd_service_result diff --git a/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml b/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml index 076f9a37..91d43456 100644 --- a/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml @@ -1,6 +1,6 @@ - name: Check existence of matrix-goofys service stat: - path: "/etc/systemd/system/matrix-goofys.service" + path: "{{ matrix_systemd_path }}/matrix-goofys.service" register: matrix_goofys_service_stat - name: Ensure matrix-goofys is stopped @@ -13,7 +13,7 @@ - name: Ensure matrix-goofys.service doesn't exist file: - path: "/etc/systemd/system/matrix-goofys.service" + path: "{{ matrix_systemd_path }}/matrix-goofys.service" state: absent when: "matrix_goofys_service_stat.stat.exists" diff --git a/roles/matrix-synapse/tasks/register_user.yml b/roles/matrix-synapse/tasks/register_user.yml index 5f0cd9ff..da0e28c3 100644 --- a/roles/matrix-synapse/tasks/register_user.yml +++ b/roles/matrix-synapse/tasks/register_user.yml @@ -28,4 +28,4 @@ when: "start_result.changed" - name: Register user - shell: "/usr/local/bin/matrix-synapse-register-user {{ username }} {{ password }} {{ '1' if admin == 'yes' else '0' }}" + shell: "{{ matrix_local_bin_path }}/matrix-synapse-register-user {{ username }} {{ password }} {{ '1' if admin == 'yes' else '0' }}" diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index cf24cefb..f10614e7 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -90,7 +90,7 @@ - name: Ensure matrix-synapse.service installed template: src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2" - dest: "/etc/systemd/system/matrix-synapse.service" + dest: "{{ matrix_systemd_path }}/matrix-synapse.service" mode: 0644 register: matrix_synapse_systemd_service_result @@ -102,5 +102,5 @@ - name: Ensure matrix-synapse-register-user script created template: src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2" - dest: "/usr/local/bin/matrix-synapse-register-user" + dest: "{{ matrix_local_bin_path }}/matrix-synapse-register-user" mode: 0750 diff --git a/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml b/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml index 241c6937..f1cdf167 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml @@ -1,6 +1,6 @@ - name: Check existence of matrix-synapse service stat: - path: "/etc/systemd/system/matrix-synapse.service" + path: "{{ matrix_systemd_path }}/matrix-synapse.service" register: matrix_synapse_service_stat - name: Ensure matrix-synapse is stopped @@ -13,7 +13,7 @@ - name: Ensure matrix-synapse.service doesn't exist file: - path: "/etc/systemd/system/matrix-synapse.service" + path: "{{ matrix_systemd_path }}/matrix-synapse.service" state: absent when: "matrix_synapse_service_stat.stat.exists" diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml index e3bc97b7..5d63f8cb 100644 --- a/roles/matrix-synapse/tasks/update_user_password.yml +++ b/roles/matrix-synapse/tasks/update_user_password.yml @@ -45,4 +45,4 @@ register: password_hash - name: Update user password hash - shell: "/usr/local/bin/matrix-postgres-update-user-password-hash {{ username }} '{{ password_hash.stdout }}'" + shell: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username }} '{{ password_hash.stdout }}'" From 3860709e19d6943d620dfa1c9a8dd5442a51b3a1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 25 Mar 2020 18:03:45 +0200 Subject: [PATCH 0989/2384] Ensure matrix-mautrix-hangouts-db container is killed/removed --- .../templates/systemd/matrix-mautrix-hangouts.service.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index e241db3d..c110ed79 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -11,8 +11,8 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mautrix-hangouts -ExecStartPre=-/usr/bin/docker rm matrix-mautrix-hangouts +ExecStartPre=-/usr/bin/docker kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db +ExecStartPre=-/usr/bin/docker rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-hangouts-db \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ From 9b6289b08cfc8ac94caef81ae1c55301e952d048 Mon Sep 17 00:00:00 2001 From: PlanetSmasher Date: Fri, 27 Mar 2020 07:37:37 +0100 Subject: [PATCH 0990/2384] clarify the config path (#420) * clarify the config path added path to the correct vars.yaml in matrix-synapse * Fix configuration path Co-authored-by: Slavi Pantaleev --- docs/configuring-playbook-shared-secret-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-shared-secret-auth.md b/docs/configuring-playbook-shared-secret-auth.md index 0ec60d2e..87b151a4 100644 --- a/docs/configuring-playbook-shared-secret-auth.md +++ b/docs/configuring-playbook-shared-secret-auth.md @@ -4,7 +4,7 @@ The playbook can install and configure [matrix-synapse-shared-secret-auth](https See that project's documentation to learn what it does and why it might be useful to you. -If you decide that you'd like to let this playbook install it for you, you need some configuration like this: +If you decide that you'd like to let this playbook install it for you, you need some configuration (`inventory/host_vars/matrix./vars.yml`) like this: ```yaml matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true From 695d2c3ea53fcf9570942a1da0e99b1fb0fa081e Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 27 Mar 2020 23:33:38 -0500 Subject: [PATCH 0991/2384] Flip around Jitsi port format to match other ports This matches the way the ports are written in prerequisites.md and is the format that UFW likes. --- docs/configuring-playbook-jitsi.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 0d030d4e..67d2830c 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -13,8 +13,8 @@ Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record. You may also need to open the following ports to your server: -- `udp/10000` - RTP media over UDP -- `tcp/4443` - RTP media fallback over TCP +- `10000/udp` - RTP media over UDP +- `4443/tcp` - RTP media fallback over TCP ## Installation From d84b2868b72ca4faa4e840263bb87900d661e65a Mon Sep 17 00:00:00 2001 From: Christian Wolf Date: Sat, 28 Mar 2020 11:39:15 +0100 Subject: [PATCH 0992/2384] Added basic changes to make it compatible with Archlinux --- roles/matrix-base/tasks/sanity_check.yml | 7 +++++++ roles/matrix-base/tasks/server_base/setup.yml | 5 ++++- .../tasks/server_base/setup_archlinux.yml | 21 +++++++++++++++++++ roles/matrix-mxisd/tasks/setup_mxisd.yml | 8 +++++++ .../tasks/ssl/setup_ssl_self_signed.yml | 8 +++++++ .../synapse-simple-antispam/setup_install.yml | 8 +++++++ 6 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-base/tasks/server_base/setup_archlinux.yml diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index b2d8c249..b0e1c8b6 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -44,3 +44,10 @@ - "{{ matrix_server_fqn_matrix }}" - "{{ matrix_server_fqn_riot }}" when: "item != item|lower" + +- name: Fail if using python2 on Archlinux + fail: + msg: "Detected that you're using python2 when installing onto Archlinux. Archlinux by default only supports python3." + when: + - ansible_distribution == 'Archlinux' + - ansible_python.version.major != 3 diff --git a/roles/matrix-base/tasks/server_base/setup.yml b/roles/matrix-base/tasks/server_base/setup.yml index 70b2e4fc..73abbec2 100644 --- a/roles/matrix-base/tasks/server_base/setup.yml +++ b/roles/matrix-base/tasks/server_base/setup.yml @@ -9,6 +9,9 @@ - include_tasks: "{{ role_path }}/tasks/server_base/setup_raspbian.yml" when: (ansible_os_family == 'Debian') and (ansible_lsb.id == 'Raspbian') +- include_tasks: "{{ role_path }}/tasks/server_base/setup_archlinux.yml" + when: ansible_distribution == 'Archlinux' + - name: Ensure Docker is started and autoruns service: name: docker @@ -17,6 +20,6 @@ - name: Ensure ntpd is started and autoruns service: - name: "{{ 'ntpd' if ansible_os_family == 'RedHat' else 'ntp' }}" + name: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}" state: started enabled: yes diff --git a/roles/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/matrix-base/tasks/server_base/setup_archlinux.yml new file mode 100644 index 00000000..2edd2e71 --- /dev/null +++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml @@ -0,0 +1,21 @@ +--- + +- name: Install host dependencies + pacman: + name: + - bash-completion + - python-docker + - ntp + # TODO This needs to be verified. Which version do we need? + - fuse3 + - cronie + - python-dnspython + state: latest + update_cache: yes + +- name: Ensure Docker is installed + apt: + name: + - docker + state: latest + when: matrix_docker_installation_enabled|bool diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml index cc7712bb..456bbf95 100644 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ b/roles/matrix-mxisd/tasks/setup_mxisd.yml @@ -39,6 +39,14 @@ msg: "Installing gradle on CentOS is currently not supported, so self-building mxisd cannot happen at this time" when: ansible_distribution == 'CentOS' + - name: Ensure gradle is installed for self-building (Archlinux) + pacman: + name: + - gradle + state: latest + update_cache: yes + when: ansible_distribution == 'Archlinux' + - name: Ensure mxisd repository is present on self-build git: repo: https://github.com/kamax-matrix/mxisd.git diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml index 437c8f68..9d459969 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml @@ -16,6 +16,14 @@ update_cache: no when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'" +- name: Ensure OpenSSL installed (Archlinux) + pacman: + name: + - openssl + state: latest + update_cache: no + when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_distribution == 'Archlinux' + - name: Generate self-signed certificates include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml" with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" diff --git a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml index 5c20d869..067aeb3c 100644 --- a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml +++ b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml @@ -21,6 +21,14 @@ update_cache: no when: "ansible_os_family == 'Debian'" +- name: Ensure git installed (Archlinux) + pacman + name: + - git + state: present + update_cache: no + when: "ansible_distribution == 'Archlinux'" + - name: Clone synapse-simple-antispam git repository git: repo: "{{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url }}" From 2849f0b1b851e83283226698e8ba1b6d13173d75 Mon Sep 17 00:00:00 2001 From: Christian Wolf Date: Sat, 28 Mar 2020 11:39:35 +0100 Subject: [PATCH 0993/2384] Changed task titles to be consistent --- roles/matrix-mxisd/tasks/setup_mxisd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml index 456bbf95..0ad36301 100644 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ b/roles/matrix-mxisd/tasks/setup_mxisd.yml @@ -26,7 +26,7 @@ when: matrix_mxisd_enabled|bool and not matrix_mxisd_container_image_self_build - block: - - name: Ensure gradle is installed for self-building + - name: Ensure gradle is installed for self-building (Debian) apt: name: - gradle @@ -34,7 +34,7 @@ update_cache: yes when: (ansible_os_family == 'Debian') - - name: Ensure gradle is installed for self-building + - name: Ensure gradle is installed for self-building (CentOS) fail: msg: "Installing gradle on CentOS is currently not supported, so self-building mxisd cannot happen at this time" when: ansible_distribution == 'CentOS' From 26bc66117daad960edf112fdf6b3e6b1ccee25ea Mon Sep 17 00:00:00 2001 From: Christian Wolf Date: Sat, 28 Mar 2020 11:42:41 +0100 Subject: [PATCH 0994/2384] Removed redunadant waiting --- roles/matrix-synapse/tasks/update_user_password.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml index 5d63f8cb..b0187004 100644 --- a/roles/matrix-synapse/tasks/update_user_password.yml +++ b/roles/matrix-synapse/tasks/update_user_password.yml @@ -33,12 +33,7 @@ - name: Wait a while, so that Matrix Synapse can manage to start pause: seconds: 7 - when: "start_result.changed" - -- name: Wait a while, so that Matrix Postgres can manage to start - pause: - seconds: 7 - when: "postgres_start_result.changed" + when: "start_result.changed" or "postgres_start_result.changed" - name: Generate password hash shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password }}" From 4bc73ff4bb0f69c87030e61b050be33b191444c8 Mon Sep 17 00:00:00 2001 From: Christian Wolf Date: Sat, 28 Mar 2020 11:57:32 +0100 Subject: [PATCH 0995/2384] Removed autoinstallation of cron due to documentation --- roles/matrix-base/tasks/server_base/setup_archlinux.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/matrix-base/tasks/server_base/setup_archlinux.yml index 2edd2e71..1d3cbd53 100644 --- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml +++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml @@ -8,7 +8,6 @@ - ntp # TODO This needs to be verified. Which version do we need? - fuse3 - - cronie - python-dnspython state: latest update_cache: yes From 8c9b5ea6dd3191e349336230ed9c57f3a82e5a17 Mon Sep 17 00:00:00 2001 From: Christian Wolf Date: Sat, 28 Mar 2020 13:00:01 +0100 Subject: [PATCH 0996/2384] Removed a few syntax bugs in Archlinux configuration --- roles/matrix-base/tasks/server_base/setup_archlinux.yml | 2 +- roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml | 2 +- .../tasks/ext/synapse-simple-antispam/setup_install.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/matrix-base/tasks/server_base/setup_archlinux.yml index 1d3cbd53..e68e4e99 100644 --- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml +++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml @@ -13,7 +13,7 @@ update_cache: yes - name: Ensure Docker is installed - apt: + pacman: name: - docker state: latest diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml index 9d459969..8fa316da 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml @@ -22,7 +22,7 @@ - openssl state: latest update_cache: no - when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_distribution == 'Archlinux' + when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_distribution == 'Archlinux'" - name: Generate self-signed certificates include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml" diff --git a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml index 067aeb3c..611325c0 100644 --- a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml +++ b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml @@ -22,7 +22,7 @@ when: "ansible_os_family == 'Debian'" - name: Ensure git installed (Archlinux) - pacman + pacman: name: - git state: present From 51c271905dee12673f46043df91340f2fd6cc6a4 Mon Sep 17 00:00:00 2001 From: Christian Wolf Date: Sat, 28 Mar 2020 13:00:56 +0100 Subject: [PATCH 0997/2384] Removed bug in enhanced waiting --- roles/matrix-synapse/tasks/update_user_password.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml index b0187004..0d77f5dd 100644 --- a/roles/matrix-synapse/tasks/update_user_password.yml +++ b/roles/matrix-synapse/tasks/update_user_password.yml @@ -33,7 +33,7 @@ - name: Wait a while, so that Matrix Synapse can manage to start pause: seconds: 7 - when: "start_result.changed" or "postgres_start_result.changed" + when: "start_result.changed or postgres_start_result.changed" - name: Generate password hash shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password }}" From 3f62ff11204f26a2087a7721a2c847c65b2dc559 Mon Sep 17 00:00:00 2001 From: Christian Wolf Date: Sat, 28 Mar 2020 17:33:35 +0100 Subject: [PATCH 0998/2384] Overcame bug in current systemd --- roles/matrix-common-after/tasks/start.yml | 30 ++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index 6a531814..18d3a2c3 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -30,6 +30,7 @@ - name: Populate service facts service_facts: + when: ansible_distribution != 'Archlinux' - name: Fail if service isn't detected to be running fail: @@ -38,4 +39,31 @@ It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. with_items: "{{ matrix_systemd_services_list }}" - when: "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'" + when: + - "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'" + - ansible_distribution != 'Archlinux' + +# Currently there is a bug in ansible that renders is incompatible with systemd. +# service_facts is not collecting the data successfully. +# Therefore iterating here manually +- name: Fetch systemd information + systemd: + name: "{{ item }}" + register: systemdstatus + with_items: "{{ matrix_systemd_services_list }}" + when: + - ansible_distribution == 'Archlinux' + +- name: Fail if service isn't detected to be running + fail: + msg: >- + {{ item.item }} was not detected to be running. + It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). + Try running `systemctl status {{ item.item }}` and `journalctl -fu {{ item.item }}` on the server to investigate. + with_items: "{{ systemdstatus.results }}" + loop_control: + label: "{{ item.name }}" + when: + #- "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'" + - "item.status['ActiveState'] != 'active'" + - "ansible_distribution == 'Archlinux'" From 1b87dbf54b8a2f304c9a2342209b7306df2221dc Mon Sep 17 00:00:00 2001 From: Christian Wolf Date: Sat, 28 Mar 2020 17:33:51 +0100 Subject: [PATCH 0999/2384] Added documentation to README file --- docs/prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index e72b3496..3427c8a3 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -1,6 +1,6 @@ # Prerequisites -- An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+) or **Ubuntu** (16.04+). This playbook doesn't support running on ARM ([see](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Self-Building](self-building.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. +- An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+), **Ubuntu** (16.04+), or **Archlinux**. This playbook doesn't support running on ARM ([see](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Self-Building](self-building.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. - `root` access to your server (or a user capable of elevating to `root` via `sudo`). From ac6011519056d738f8d7f16f4644de91b36647cf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 29 Mar 2020 10:11:04 +0300 Subject: [PATCH 1000/2384] Fix git installation bug during synapse-simple-antispam installation Fixes #424 (Github Issue). --- .../tasks/ext/synapse-simple-antispam/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml index 611325c0..69e55a39 100644 --- a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml +++ b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml @@ -16,7 +16,7 @@ - name: Ensure git installed (Debian) apt: name: - - openssl + - git state: present update_cache: no when: "ansible_os_family == 'Debian'" From a8f4b2a7553257e13030c372b954a3bcc841a39a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 29 Mar 2020 10:16:25 +0300 Subject: [PATCH 1001/2384] Update docs Related to #425 (Github Pull Request). --- CHANGELOG.md | 7 +++++++ README.md | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 24a6af08..f8898755 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +# 2020-03-29 + +## Archlinux support + +Thanks to [Christian](https://github.com/christianlupus)'s efforts, the playbook now supports installing to an [Archlinux](https://www.archlinux.org/) server. + + # 2020-03-24 ## Jitsi support diff --git a/README.md b/README.md index a991e533..7e64d893 100644 --- a/README.md +++ b/README.md @@ -75,7 +75,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one **can be re-ran many times** without causing trouble -- works on both **CentOS** (7.0+) and Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+) +- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+), **Archlinux** - this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place From c655a6467aaf9434fd9673a2ad020758dab329fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 29 Mar 2020 15:48:46 +0300 Subject: [PATCH 1002/2384] Fix --tags=start regression Related to #425 (Github Pull Request) --- roles/matrix-common-after/tasks/start.yml | 67 +++++++++++------------ 1 file changed, 31 insertions(+), 36 deletions(-) diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index 18d3a2c3..069fb346 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -28,42 +28,37 @@ delegate_to: 127.0.0.1 become: false -- name: Populate service facts - service_facts: - when: ansible_distribution != 'Archlinux' +- block: + - name: Populate service facts + service_facts: -- name: Fail if service isn't detected to be running - fail: - msg: >- - {{ item }} was not detected to be running. - It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). - Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. - with_items: "{{ matrix_systemd_services_list }}" - when: - - "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'" - - ansible_distribution != 'Archlinux' + - name: Fail if service isn't detected to be running + fail: + msg: >- + {{ item }} was not detected to be running. + It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). + Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. + with_items: "{{ matrix_systemd_services_list }}" + when: + - "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'" + when: " ansible_distribution != 'Archlinux'" -# Currently there is a bug in ansible that renders is incompatible with systemd. -# service_facts is not collecting the data successfully. -# Therefore iterating here manually -- name: Fetch systemd information - systemd: - name: "{{ item }}" - register: systemdstatus - with_items: "{{ matrix_systemd_services_list }}" - when: - - ansible_distribution == 'Archlinux' +- block: + # Currently there is a bug in ansible that renders is incompatible with systemd. + # service_facts is not collecting the data successfully. + # Therefore iterating here manually + - name: Fetch systemd information + systemd: + name: "{{ item }}" + register: systemdstatus + with_items: "{{ matrix_systemd_services_list }}" -- name: Fail if service isn't detected to be running - fail: - msg: >- - {{ item.item }} was not detected to be running. - It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). - Try running `systemctl status {{ item.item }}` and `journalctl -fu {{ item.item }}` on the server to investigate. - with_items: "{{ systemdstatus.results }}" - loop_control: - label: "{{ item.name }}" - when: - #- "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'" - - "item.status['ActiveState'] != 'active'" - - "ansible_distribution == 'Archlinux'" + - name: Fail if service isn't detected to be running + fail: + msg: >- + {{ item.item }} was not detected to be running. + It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). + Try running `systemctl status {{ item.item }}` and `journalctl -fu {{ item.item }}` on the server to investigate. + with_items: "{{ systemdstatus.results }}" + when: "item.status['ActiveState'] != 'active'" + when: "ansible_distribution == 'Archlinux'" From 82989b662aa02eb8b804d9977b2633c658bfb3c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micka=C3=ABl=20Corni=C3=A8re?= Date: Sun, 29 Mar 2020 23:49:09 +0200 Subject: [PATCH 1003/2384] Fix bad network and bad path to postgre env --- .../usr-local-bin/matrix-change-user-admin-status.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 index 5f66ca6c..861a0d0d 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 @@ -13,7 +13,7 @@ docker run \ --rm \ --user=991:991 \ --cap-drop=ALL \ - --env-file=/matrix/postgres/env-postgres-psql \ - --network matrix \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ + --network {{ matrix_docker_network }} \ postgres:12.1-alpine \ - psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" \ No newline at end of file + psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" From 067588b26293b3a627dc12fb4009c3238f8707de Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 30 Mar 2020 16:54:18 +0300 Subject: [PATCH 1004/2384] Upgrade riot-web --- docs/configuring-playbook-jitsi.md | 6 +----- roles/matrix-riot-web/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 67d2830c..f163976d 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -23,10 +23,6 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enabled: true - -# We only need this temporarily - until Jitsi integration in riot-web is finalized. -# Remove this line in the future, to switch back to a stable riot-web version. -matrix_riot_web_docker_image: "vectorim/riot-web:develop" ``` Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` @@ -36,4 +32,4 @@ Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags= You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`. -To use it via riot-web, make sure you've installed the `develop` version and fully reloaded your riot-web page (at `riot.DOMAIN`). Starting a video-conference in a room containing more than 2 members should then create a Jitsi widget which utilizes your self-hosted Jitsi server. +To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 808d4ffd..9db8b9b8 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.13" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.14" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 26b73e3a4bb977f42fc6a5592b83d38e8ee4741e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 30 Mar 2020 17:00:10 +0300 Subject: [PATCH 1005/2384] Do not install unnecessary bash-completion --- roles/matrix-base/tasks/server_base/setup_archlinux.yml | 1 - roles/matrix-base/tasks/server_base/setup_centos.yml | 1 - roles/matrix-base/tasks/server_base/setup_debian.yml | 1 - roles/matrix-base/tasks/server_base/setup_raspbian.yml | 1 - 4 files changed, 4 deletions(-) diff --git a/roles/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/matrix-base/tasks/server_base/setup_archlinux.yml index e68e4e99..144e8b75 100644 --- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml +++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml @@ -3,7 +3,6 @@ - name: Install host dependencies pacman: name: - - bash-completion - python-docker - ntp # TODO This needs to be verified. Which version do we need? diff --git a/roles/matrix-base/tasks/server_base/setup_centos.yml b/roles/matrix-base/tasks/server_base/setup_centos.yml index 2554e26e..945c86ef 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos.yml @@ -20,7 +20,6 @@ - name: Ensure yum packages are installed yum: name: - - bash-completion - docker-python - ntp - fuse diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index c8325324..9438a5f4 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -27,7 +27,6 @@ - name: Ensure APT packages are installed apt: name: - - bash-completion - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker" - ntp - fuse diff --git a/roles/matrix-base/tasks/server_base/setup_raspbian.yml b/roles/matrix-base/tasks/server_base/setup_raspbian.yml index e9284284..3a62a5db 100644 --- a/roles/matrix-base/tasks/server_base/setup_raspbian.yml +++ b/roles/matrix-base/tasks/server_base/setup_raspbian.yml @@ -27,7 +27,6 @@ - name: Ensure APT packages are installed apt: name: - - bash-completion - python-docker - ntp - fuse From ca04ca9ffef0384e435b259d6e0131cfcdd21171 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 30 Mar 2020 17:04:56 +0300 Subject: [PATCH 1006/2384] Make it possible to change Jitsi web UI language Fixes #427 (Github Issue). --- roles/matrix-jitsi/defaults/main.yml | 3 +++ roles/matrix-jitsi/templates/web/config.js.j2 | 2 +- roles/matrix-jitsi/templates/web/interface_config.js.j2 | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index ae5dcb8f..6eb36577 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -51,6 +51,9 @@ matrix_jitsi_web_container_extra_arguments: [] # List of systemd services that matrix-jitsi-web.service depends on matrix_jitsi_web_systemd_required_services_list: ['docker.service'] +matrix_jitsi_web_config_defaultLanguage: 'en' +matrix_jitsi_web_interface_config_lang_detection: false + matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 index f18471e1..72bffbd5 100644 --- a/roles/matrix-jitsi/templates/web/config.js.j2 +++ b/roles/matrix-jitsi/templates/web/config.js.j2 @@ -263,7 +263,7 @@ hiddenDomain: {{ matrix_jitsi_recorder_domain|to_json }}, // disable1On1Mode: false, // Default language for the user interface. - // defaultLanguage: 'en', + defaultLanguage: {{ matrix_jitsi_web_config_defaultLanguage|to_json }}, // If true all users without a token will be considered guests and all users // with token will be considered non-guests. Only guests will be allowed to diff --git a/roles/matrix-jitsi/templates/web/interface_config.js.j2 b/roles/matrix-jitsi/templates/web/interface_config.js.j2 index dd5abc59..737b924e 100644 --- a/roles/matrix-jitsi/templates/web/interface_config.js.j2 +++ b/roles/matrix-jitsi/templates/web/interface_config.js.j2 @@ -30,7 +30,7 @@ var interfaceConfig = { APP_NAME: 'Jitsi Meet', NATIVE_APP_NAME: 'Jitsi Meet', PROVIDER_NAME: 'Jitsi', - LANG_DETECTION: false, // Allow i18n to detect the system language + LANG_DETECTION: {{ matrix_jitsi_web_interface_config_lang_detection|to_json }}, // Allow i18n to detect the system language INVITATION_POWERED_BY: true, /** From 584418ae0f07590f60162debcdac68f400b82deb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 31 Mar 2020 10:30:07 +0300 Subject: [PATCH 1007/2384] Fix broken link --- docs/configuring-playbook-bridge-appservice-discord.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index 1db2aed6..0db6b048 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -6,9 +6,9 @@ See the project's [documentation](https://github.com/Half-Shot/matrix-appservice Setup Instructions: -loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up) +loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up). -1. Create a Discord Application [here](https://discordapp.com/developers/applications/me/create). +1. Create a Discord Application [here](https://discordapp.com/developers/applications). 2. Retrieve Client ID and Bot token from this Application. 3. Enable the bridge with the following configuration in your `vars.yml` file: From bb2b2b4f1c00e2a599880ca47874ad9642b0167c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 31 Mar 2020 11:13:45 +0300 Subject: [PATCH 1008/2384] Clarify Discord bridging docs --- docs/configuring-playbook-bridge-appservice-discord.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index 0db6b048..8e9803f6 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -9,8 +9,9 @@ Setup Instructions: loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up). 1. Create a Discord Application [here](https://discordapp.com/developers/applications). -2. Retrieve Client ID and Bot token from this Application. -3. Enable the bridge with the following configuration in your `vars.yml` file: +2. Retrieve Client ID. +3. Create a bot from the Bot tab and retrieve the Bot token. +4. Enable the bridge with the following configuration in your `vars.yml` file: ```yaml matrix_appservice_discord_enabled: true From 8bcc9712d06b8f39a461842dd37663ccd41f41b7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 31 Mar 2020 11:45:32 +0300 Subject: [PATCH 1009/2384] Make follow_redirects configurable when checking /.well-known/matrix/client Discussed in #101 (Github Issue). --- roles/matrix-nginx-proxy/defaults/main.yml | 6 ++++++ roles/matrix-nginx-proxy/tasks/self_check_well_known.yml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 5bf0fc0c..8f3f0481 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -184,6 +184,12 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3" # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true +# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource. +# +# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be, +# so we default to not following redirects as well. +matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none + # By default, this playbook automatically retrieves and auto-renews # free SSL certificates from Let's Encrypt. # diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml index 1e274ee3..6aaf9cb3 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml @@ -6,7 +6,7 @@ - path: /.well-known/matrix/client purpose: Client Discovery cors: true - follow_redirects: none + follow_redirects: "{{ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects }}" validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - block: From b450afc12e73ca353a1979a07a9c4f2957e17558 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Apr 2020 11:34:53 +0300 Subject: [PATCH 1010/2384] Make Discord bridge docs better --- ...ring-playbook-bridge-appservice-discord.md | 27 +++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index 8e9803f6..dbd11226 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -4,9 +4,10 @@ The playbook can install and configure [matrix-appservice-discord](https://githu See the project's [documentation](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/README.md) to learn what it does and why it might be useful to you. -Setup Instructions: -loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up). +## Setup Instructions + +Instructions loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up). 1. Create a Discord Application [here](https://discordapp.com/developers/applications). 2. Retrieve Client ID. @@ -25,3 +26,25 @@ matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN" 7. Join the rooms by following this syntax `#_discord_guildid_channelid` - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: `discordapp.com/channels/guild_id/channel_id` Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable. + + +## Getting Administrator access in a room + +By default, you won't have Administrator access in rooms created by the bridge. + +To [adjust room access privileges](#adjusting-room-access-privileges) or do various other things (change the room name subsequently, etc.), you'd wish to become an Administrator. + +There's the Discord bridge's guide for [setting privileges on bridge managed rooms](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#set-privileges-on-bridge-managed-rooms). To do the same with our container setup, run the following command on the server: + +``` +docker exec -it matrix-appservice-discord /bin/sh -c 'cp /build/tools/adminme.js /tmp/adminme.js && cp /cfg/registration.yaml /tmp/discord-registration.yaml && cd /tmp && node /tmp/adminme.js -c /cfg/config.yaml -r "!ROOM_ID:SERVER" -u "@USER:SERVER" -p 100' +``` + + +## Adjusting room access privileges + +All rooms created by the bridge are **listed publicly** in your server's directory and **joinable by everyone** by default. + +To get more control of them, [make yourself a room Administrator](#getting-administrator-access-in-a-room) first. + +You can then unlist the room from the directory and change the join rules. From e1774c648a0de8778cbdee8f2b81ab887becff72 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Apr 2020 18:11:12 +0300 Subject: [PATCH 1011/2384] Upgrade riot-web (v1.5.14 -> v1.5.15) --- roles/matrix-riot-web/defaults/main.yml | 2 +- roles/matrix-riot-web/templates/config.json.j2 | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 9db8b9b8..e55de534 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.14" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.15" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 41cbee7c..43d50ab5 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -32,8 +32,7 @@ }, {% if matrix_riot_web_jitsi_preferredDomain is not none %} "jitsi": { - "preferredDomain": {{ matrix_riot_web_jitsi_preferredDomain|to_json }}, - "externalApiUrl": "https://{{ matrix_riot_web_jitsi_preferredDomain }}/libs/external_api.min.js" + "preferredDomain": {{ matrix_riot_web_jitsi_preferredDomain|to_json }} }, {% endif %} "branding": { From 187dedf9204334043c330b4062f0dc69e15993d9 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 31 Dec 2019 21:35:37 +0100 Subject: [PATCH 1012/2384] Duplicate matrix-mxisd role for matrix-ma1sd fork (adapting strings and URLs) --- ...mxisd.md => configuring-playbook-ma1sd.md} | 0 roles/matrix-ma1sd/defaults/main.yml | 175 +++++++++++++++++ .../tasks/init.yml | 8 +- roles/matrix-ma1sd/tasks/main.yml | 21 +++ roles/matrix-ma1sd/tasks/self_check_ma1sd.yml | 21 +++ roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 137 ++++++++++++++ roles/matrix-ma1sd/tasks/validate_config.yml | 57 ++++++ .../templates/systemd/matrix-ma1sd.service.j2 | 46 +++++ roles/matrix-ma1sd/vars/main.yml | 5 + roles/matrix-mxisd/defaults/main.yml | 178 ------------------ roles/matrix-mxisd/tasks/main.yml | 21 --- roles/matrix-mxisd/tasks/self_check_mxisd.yml | 21 --- roles/matrix-mxisd/tasks/setup_mxisd.yml | 137 -------------- roles/matrix-mxisd/tasks/validate_config.yml | 57 ------ .../templates/systemd/matrix-mxisd.service.j2 | 46 ----- roles/matrix-mxisd/vars/main.yml | 5 - 16 files changed, 466 insertions(+), 469 deletions(-) rename docs/{configuring-playbook-mxisd.md => configuring-playbook-ma1sd.md} (100%) create mode 100644 roles/matrix-ma1sd/defaults/main.yml rename roles/{matrix-mxisd => matrix-ma1sd}/tasks/init.yml (70%) create mode 100644 roles/matrix-ma1sd/tasks/main.yml create mode 100644 roles/matrix-ma1sd/tasks/self_check_ma1sd.yml create mode 100644 roles/matrix-ma1sd/tasks/setup_ma1sd.yml create mode 100644 roles/matrix-ma1sd/tasks/validate_config.yml create mode 100644 roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 create mode 100644 roles/matrix-ma1sd/vars/main.yml delete mode 100644 roles/matrix-mxisd/defaults/main.yml delete mode 100644 roles/matrix-mxisd/tasks/main.yml delete mode 100644 roles/matrix-mxisd/tasks/self_check_mxisd.yml delete mode 100644 roles/matrix-mxisd/tasks/setup_mxisd.yml delete mode 100644 roles/matrix-mxisd/tasks/validate_config.yml delete mode 100644 roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 delete mode 100644 roles/matrix-mxisd/vars/main.yml diff --git a/docs/configuring-playbook-mxisd.md b/docs/configuring-playbook-ma1sd.md similarity index 100% rename from docs/configuring-playbook-mxisd.md rename to docs/configuring-playbook-ma1sd.md diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml new file mode 100644 index 00000000..f3f604d3 --- /dev/null +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -0,0 +1,175 @@ +# ma1sd is a Federated Matrix Identity Server +# See: https://github.com/ma1uta/ma1sd + +matrix_ma1sd_enabled: true + +matrix_ma1sd_docker_image: "ma1uta/ma1sd:1.4.6" +matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" + +matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" +matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config" +matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data" + +# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/8090 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. +matrix_ma1sd_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_ma1sd_container_extra_arguments: [] + +# List of systemd services that matrix-ma1sd.service depends on +matrix_ma1sd_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-ma1sd.service wants +matrix_ma1sd_systemd_wanted_services_list: [] + +# Your identity server is private by default. +# To ensure maximum discovery, you can make your identity server +# also forward lookups to the central matrix.org Identity server +# (at the cost of potentially leaking all your contacts information). +# Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups +matrix_ma1sd_matrixorg_forwarding_enabled: false + +# ma1sd has serveral supported identity stores. +# One of them is storing identities directly in Synapse's database. +# Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md +matrix_ma1sd_synapsesql_enabled: false +matrix_ma1sd_synapsesql_type: "" +matrix_ma1sd_synapsesql_connection: "" + +# Setting up email-sending settings is required for using ma1sd. +matrix_ma1sd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}" +matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "" +matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 587 +matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 1 +matrix_ma1sd_threepid_medium_email_connectors_smtp_login: "" +matrix_ma1sd_threepid_medium_email_connectors_smtp_password: "" + +# DNS overwrites are useful for telling ma1sd how it can reach the homeserver directly. +# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to ma1sd, +# so that ma1sd can rewrite the original URL to one that would reach the homeserver. +matrix_ma1sd_dns_overwrite_enabled: false +matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" + +# Override the default email templates +# To use this, fill in the template variables with the full desired template as a multi-line YAML variable +# +# More info: +# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md +# https://github.com/ma1uta/ma1sd/tree/master/src/main/resources/threepids/email +matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false +matrix_ma1sd_threepid_medium_email_custom_invite_template: "" +matrix_ma1sd_threepid_medium_email_custom_session_validation_template: "" +matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template: "" +matrix_ma1sd_threepid_medium_email_custom_matrixid_template: "" + +# Controls whether the self-check feature should validate SSL certificates. +matrix_ma1sd_self_check_validate_certificates: true + +# Controls ma1sd logging verbosity for troubleshooting. +# +# According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity +matrix_ma1sd_verbose_logging: false + +# Default ma1sd configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_ma1sd_configuration_yaml: | + #jinja2: lstrip_blocks: True + matrix: + domain: {{ matrix_domain }} + + server: + name: {{ matrix_server_fqn_matrix }} + + key: + path: /var/ma1sd/sign.key + + storage: + provider: + sqlite: + database: /var/ma1sd/ma1sd.db + + {% if matrix_ma1sd_dns_overwrite_enabled %} + dns: + overwrite: + homeserver: + client: + - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }} + value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }} + {% endif %} + + {% if matrix_ma1sd_matrixorg_forwarding_enabled %} + forward: + servers: ['matrix-org'] + {% endif %} + + threepid: + medium: + email: + identity: + from: {{ matrix_ma1sd_threepid_medium_email_identity_from }} + connectors: + smtp: + host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }} + port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }} + tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }} + login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }} + password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }} + {% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %} + generators: + template: + {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %} + invite: '/var/ma1sd/invite-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + session: + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %} + validation: '/var/ma1sd/validate-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + unbind: + frandulent: '/var/ma1sd/unbind-fraudulent.eml' + {% endif %} + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %} + generic: + matrixId: '/var/ma1sd/mxid-template.eml' + {% endif %} + {% endif %} + + synapseSql: + enabled: {{ matrix_ma1sd_synapsesql_enabled }} + type: {{ matrix_ma1sd_synapsesql_type }} + connection: {{ matrix_ma1sd_synapsesql_connection }} + +matrix_ma1sd_configuration_extension_yaml: | + # Your custom YAML configuration for ma1sd goes here. + # This configuration extends the default starting configuration (`matrix_ma1sd_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_ma1sd_configuration_yaml`. + # + # Example configuration extension follows: + # + # ldap: + # enabled: true + # connection: + # host: ldapHostnameOrIp + # tls: false + # port: 389 + # baseDNs: ['OU=Users,DC=example,DC=org'] + # bindDn: CN=My Ma1sd User,OU=Users,DC=example,DC=org + # bindPassword: TheUserPassword + +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final ma1sd configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_ma1sd_configuration_yaml`. +matrix_ma1sd_configuration: "{{ matrix_ma1sd_configuration_yaml|from_yaml|combine(matrix_ma1sd_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-mxisd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml similarity index 70% rename from roles/matrix-mxisd/tasks/init.yml rename to roles/matrix-ma1sd/tasks/init.yml index dcf1d053..31a2e28f 100644 --- a/roles/matrix-mxisd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -1,10 +1,10 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mxisd'] }}" - when: matrix_mxisd_enabled|bool + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd'] }}" + when: matrix_ma1sd_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters # for self buildig it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: - msg: "To self build Mxisd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mxisd_container_image_self_build" + msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" diff --git a/roles/matrix-ma1sd/tasks/main.yml b/roles/matrix-ma1sd/tasks/main.yml new file mode 100644 index 00000000..f5ac34d6 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_ma1sd_enabled|bool" + tags: + - setup-all + - setup-ma1sd + +- import_tasks: "{{ role_path }}/tasks/setup_ma1sd.yml" + tags: + - setup-all + - setup-ma1sd + +- import_tasks: "{{ role_path }}/tasks/self_check_ma1sd.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check|bool and matrix_ma1sd_enabled|bool" + tags: + - self-check diff --git a/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml new file mode 100644 index 00000000..2e081263 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml @@ -0,0 +1,21 @@ +--- + +- set_fact: + ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1" + +- name: Check ma1sd Identity Service + uri: + url: "{{ ma1sd_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}" + register: result_ma1sd + ignore_errors: true + +- name: Fail if ma1sd Identity Service not working + fail: + msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}" + when: "result_ma1sd.failed or 'json' not in result_ma1sd" + +- name: Report working ma1sd Identity Service + debug: + msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)" diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml new file mode 100644 index 00000000..483d7f9c --- /dev/null +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -0,0 +1,137 @@ +--- + +# +# Tasks related to setting up ma1sd +# + +- name: Ensure ma1sd paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - { path: "{{ matrix_ma1sd_config_path }}", when: true } + - { path: "{{ matrix_ma1sd_data_path }}", when: true } + - { path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"} + when: matrix_ma1sd_enabled|bool and item.when + +- name: Ensure ma1sd image is pulled + docker_image: + name: "{{ matrix_ma1sd_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_ma1sd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ma1sd_docker_image_force_pull }}" + when: matrix_ma1sd_enabled|bool and not matrix_ma1sd_container_image_self_build + +- block: + - name: Ensure gradle is installed for self-building (Debian) + apt: + name: + - gradle + state: present + update_cache: yes + when: (ansible_os_family == 'Debian') + + - name: Ensure gradle is installed for self-building (CentOS) + fail: + msg: "Installing gradle on CentOS is currently not supported, so self-building ma1sd cannot happen at this time" + when: ansible_distribution == 'CentOS' + + - name: Ensure gradle is installed for self-building (Archlinux) + pacman: + name: + - gradle + state: latest + update_cache: yes + when: ansible_distribution == 'Archlinux' + + - name: Ensure ma1sd repository is present on self-build + git: + repo: https://github.com/ma1uta/ma1sd.git + dest: "{{ matrix_ma1sd_docker_src_files_path }}" + version: "v{{ matrix_ma1sd_docker_image.split(':')[1] }}" + force: "yes" + + - name: Ensure ma1sd Docker image is built + shell: "./gradlew dockerBuild" + args: + chdir: "{{ matrix_ma1sd_docker_src_files_path }}" + when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_container_image_self_build" + +- name: Ensure ma1sd config installed + copy: + content: "{{ matrix_ma1sd_configuration|to_nice_yaml }}" + dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: matrix_ma1sd_enabled|bool + +- name: Ensure custom templates are installed if any + copy: + content: "{{ item.value }}" + dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} + when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value" + +- name: Ensure matrix-ma1sd.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + mode: 0644 + register: matrix_ma1sd_systemd_service_result + when: matrix_ma1sd_enabled|bool + +- name: Ensure systemd reloaded after matrix-ma1sd.service installation + service: + daemon_reload: yes + when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_systemd_service_result.changed" + +# +# Tasks related to getting rid of ma1sd (if it was previously enabled) +# + +- name: Check existence of matrix-ma1sd service + stat: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + register: matrix_ma1sd_service_stat + +- name: Ensure matrix-ma1sd is stopped + service: + name: matrix-ma1sd + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists" + +- name: Ensure matrix-ma1sd.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + state: absent + when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-ma1sd.service removal + service: + daemon_reload: yes + when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists" + +- name: Ensure Matrix ma1sd paths don't exist + file: + path: "{{ matrix_ma1sd_base_path }}" + state: absent + when: "not matrix_ma1sd_enabled|bool" + +- name: Ensure ma1sd Docker image doesn't exist + docker_image: + name: "{{ matrix_ma1sd_docker_image }}" + state: absent + when: "not matrix_ma1sd_enabled|bool" diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml new file mode 100644 index 00000000..07a17006 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -0,0 +1,57 @@ +--- + +- name: (Deprecation) Warn about ma1sd variables that are not used anymore + fail: + msg: > + The `{{ item }}` variable defined in your configuration is not used by this playbook anymore! + You'll need to adapt to the new way of extending ma1sd configuration. + See the CHANGELOG and the `matrix_ma1sd_configuration_extension_yaml` variable for more information and examples. + when: "item in vars" + with_items: + - 'matrix_ma1sd_ldap_enabled' + - 'matrix_ma1sd_ldap_connection_host' + - 'matrix_ma1sd_ldap_connection_tls' + - 'matrix_ma1sd_ldap_connection_port' + - 'matrix_ma1sd_ldap_connection_baseDn' + - 'matrix_ma1sd_ldap_connection_baseDns' + - 'matrix_ma1sd_ldap_connection_bindDn' + - 'matrix_ma1sd_ldap_connection_bindPassword' + - 'matrix_ma1sd_ldap_filter' + - 'matrix_ma1sd_ldap_attribute_uid_type' + - 'matrix_ma1sd_ldap_attribute_uid_value' + - 'matrix_ma1sd_ldap_connection_bindPassword' + - 'matrix_ma1sd_ldap_attribute_name' + - 'matrix_ma1sd_ldap_attribute_threepid_email' + - 'matrix_ma1sd_ldap_attribute_threepid_msisdn' + - 'matrix_ma1sd_ldap_identity_filter' + - 'matrix_ma1sd_ldap_identity_medium' + - 'matrix_ma1sd_ldap_auth_filter' + - 'matrix_ma1sd_ldap_directory_filter' + - 'matrix_ma1sd_template_config' + +- name: Ensure ma1sd configuration does not contain any dot-notation keys + fail: + msg: > + Since version 1.3.0, ma1sd will not accept property-style configuration keys. + You have defined a key (`{{ item.key }}`) which contains a dot. + Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade-Notes#v130 + when: "'.' in item.key" + with_dict: "{{ matrix_ma1sd_configuration }}" + +- name: Fail if required ma1sd settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) for using ma1sd. + when: "vars[item] == ''" + with_items: + - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host" + + +- name: (Deprecation) Catch and report renamed ma1sd variables + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 new file mode 100644 index 00000000..b316fc2b --- /dev/null +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -0,0 +1,46 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix ma1sd Identity server +{% for service in matrix_ma1sd_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_ma1sd_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-ma1sd +ExecStartPre=-/usr/bin/docker rm matrix-ma1sd + +# ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, +# so /tmp needs to be mounted with an exec option. +ExecStart=/usr/bin/docker run --rm --name matrix-ma1sd \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,exec,nosuid,size=10m \ + --network={{ matrix_docker_network }} \ + {% if matrix_ma1sd_container_http_host_bind_port %} + -p {{ matrix_ma1sd_container_http_host_bind_port }}:8090 \ + {% endif %} + {% if matrix_ma1sd_verbose_logging %} + -e MA1SD_LOG_LEVEL=debug \ + {% endif %} + -v {{ matrix_ma1sd_config_path }}:/etc/ma1sd:ro \ + -v {{ matrix_ma1sd_data_path }}:/var/ma1sd:rw \ + {% for arg in matrix_ma1sd_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_ma1sd_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-ma1sd +ExecStop=-/usr/bin/docker rm matrix-ma1sd +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-ma1sd + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-ma1sd/vars/main.yml b/roles/matrix-ma1sd/vars/main.yml new file mode 100644 index 00000000..dfaf58bd --- /dev/null +++ b/roles/matrix-ma1sd/vars/main.yml @@ -0,0 +1,5 @@ +--- + +# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). +# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later. +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}" \ No newline at end of file diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml deleted file mode 100644 index 605f4028..00000000 --- a/roles/matrix-mxisd/defaults/main.yml +++ /dev/null @@ -1,178 +0,0 @@ -# mxisd is a Federated Matrix Identity Server -# See: https://github.com/kamax-matrix/mxisd - -matrix_mxisd_enabled: true - -matrix_mxisd_container_image_self_build: false - -matrix_mxisd_docker_image: "kamax/mxisd:1.4.6" -matrix_mxisd_docker_image_force_pull: "{{ matrix_mxisd_docker_image.endswith(':latest') }}" - -matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" -matrix_mxisd_docker_src_files_path: "{{ matrix_mxisd_base_path }}/docker-src" -matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" -matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" - -# Controls whether the matrix-mxisd container exposes its HTTP port (tcp/8090 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. -matrix_mxisd_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_mxisd_container_extra_arguments: [] - -# List of systemd services that matrix-mxisd.service depends on -matrix_mxisd_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-mxisd.service wants -matrix_mxisd_systemd_wanted_services_list: [] - -# Your identity server is private by default. -# To ensure maximum discovery, you can make your identity server -# also forward lookups to the central matrix.org Identity server -# (at the cost of potentially leaking all your contacts information). -# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups -matrix_mxisd_matrixorg_forwarding_enabled: false - -# mxisd has serveral supported identity stores. -# One of them is storing identities directly in Synapse's database. -# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md -matrix_mxisd_synapsesql_enabled: false -matrix_mxisd_synapsesql_type: "" -matrix_mxisd_synapsesql_connection: "" - -# Setting up email-sending settings is required for using mxisd. -matrix_mxisd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}" -matrix_mxisd_threepid_medium_email_connectors_smtp_host: "" -matrix_mxisd_threepid_medium_email_connectors_smtp_port: 587 -matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 1 -matrix_mxisd_threepid_medium_email_connectors_smtp_login: "" -matrix_mxisd_threepid_medium_email_connectors_smtp_password: "" - -# DNS overwrites are useful for telling mxisd how it can reach the homeserver directly. -# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to mxisd, -# so that mxisd can rewrite the original URL to one that would reach the homeserver. -matrix_mxisd_dns_overwrite_enabled: false -matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_mxisd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" - -# Override the default email templates -# To use this, fill in the template variables with the full desired template as a multi-line YAML variable -# -# More info: -# https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/notification/template-generator.md -# https://github.com/kamax-matrix/mxisd/tree/master/src/main/resources/threepids/email -matrix_mxisd_threepid_medium_email_custom_templates_enabled: false -matrix_mxisd_threepid_medium_email_custom_invite_template: "" -matrix_mxisd_threepid_medium_email_custom_session_validation_template: "" -matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template: "" -matrix_mxisd_threepid_medium_email_custom_matrixid_template: "" - -# Controls whether the self-check feature should validate SSL certificates. -matrix_mxisd_self_check_validate_certificates: true - -# Controls mxisd logging verbosity for troubleshooting. -# -# According to: https://github.com/kamax-matrix/mxisd/blob/master/docs/troubleshooting.md#increase-verbosity -matrix_mxisd_verbose_logging: false - -# Default mxisd configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_mxisd_configuration_yaml: | - #jinja2: lstrip_blocks: True - matrix: - domain: {{ matrix_domain }} - - server: - name: {{ matrix_server_fqn_matrix }} - - key: - path: /var/mxisd/sign.key - - storage: - provider: - sqlite: - database: /var/mxisd/mxisd.db - - {% if matrix_mxisd_dns_overwrite_enabled %} - dns: - overwrite: - homeserver: - client: - - name: {{ matrix_mxisd_dns_overwrite_homeserver_client_name }} - value: {{ matrix_mxisd_dns_overwrite_homeserver_client_value }} - {% endif %} - - {% if matrix_mxisd_matrixorg_forwarding_enabled %} - forward: - servers: ['matrix-org'] - {% endif %} - - threepid: - medium: - email: - identity: - from: {{ matrix_mxisd_threepid_medium_email_identity_from }} - connectors: - smtp: - host: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_host }} - port: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_port }} - tls: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_tls }} - login: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_login }} - password: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_password }} - {% if matrix_mxisd_threepid_medium_email_custom_templates_enabled %} - generators: - template: - {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} - invite: '/var/mxisd/invite-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} - session: - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} - validation: '/var/mxisd/validate-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} - unbind: - frandulent: '/var/mxisd/unbind-fraudulent.eml' - {% endif %} - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} - generic: - matrixId: '/var/mxisd/mxid-template.eml' - {% endif %} - {% endif %} - - synapseSql: - enabled: {{ matrix_mxisd_synapsesql_enabled }} - type: {{ matrix_mxisd_synapsesql_type }} - connection: {{ matrix_mxisd_synapsesql_connection }} - -matrix_mxisd_configuration_extension_yaml: | - # Your custom YAML configuration for mxisd goes here. - # This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_mxisd_configuration_yaml`. - # - # Example configuration extension follows: - # - # ldap: - # enabled: true - # connection: - # host: ldapHostnameOrIp - # tls: false - # port: 389 - # baseDNs: ['OU=Users,DC=example,DC=org'] - # bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org - # bindPassword: TheUserPassword - -matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml is mapping else {} }}" - -# Holds the final mxisd configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`. -matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-mxisd/tasks/main.yml b/roles/matrix-mxisd/tasks/main.yml deleted file mode 100644 index 31970db4..00000000 --- a/roles/matrix-mxisd/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_mxisd_enabled|bool" - tags: - - setup-all - - setup-mxisd - -- import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml" - tags: - - setup-all - - setup-mxisd - -- import_tasks: "{{ role_path }}/tasks/self_check_mxisd.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check|bool and matrix_mxisd_enabled|bool" - tags: - - self-check diff --git a/roles/matrix-mxisd/tasks/self_check_mxisd.yml b/roles/matrix-mxisd/tasks/self_check_mxisd.yml deleted file mode 100644 index 137907bb..00000000 --- a/roles/matrix-mxisd/tasks/self_check_mxisd.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- set_fact: - mxisd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1" - -- name: Check mxisd Identity Service - uri: - url: "{{ mxisd_url_endpoint_public }}" - follow_redirects: none - validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}" - register: result_mxisd - ignore_errors: true - -- name: Fail if mxisd Identity Service not working - fail: - msg: "Failed checking mxisd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ mxisd_url_endpoint_public }}`). Is mxisd running? Is port 443 open in your firewall? Full error: {{ result_mxisd }}" - when: "result_mxisd.failed or 'json' not in result_mxisd" - -- name: Report working mxisd Identity Service - debug: - msg: "mxisd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ mxisd_url_endpoint_public }}`)" diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml deleted file mode 100644 index 0ad36301..00000000 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ /dev/null @@ -1,137 +0,0 @@ ---- - -# -# Tasks related to setting up mxisd -# - -- name: Ensure mxisd paths exist - file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - { path: "{{ matrix_mxisd_config_path }}", when: true } - - { path: "{{ matrix_mxisd_data_path }}", when: true } - - { path: "{{ matrix_mxisd_docker_src_files_path }}", when: "{{ matrix_mxisd_container_image_self_build }}"} - when: matrix_mxisd_enabled|bool and item.when - -- name: Ensure mxisd image is pulled - docker_image: - name: "{{ matrix_mxisd_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mxisd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mxisd_docker_image_force_pull }}" - when: matrix_mxisd_enabled|bool and not matrix_mxisd_container_image_self_build - -- block: - - name: Ensure gradle is installed for self-building (Debian) - apt: - name: - - gradle - state: present - update_cache: yes - when: (ansible_os_family == 'Debian') - - - name: Ensure gradle is installed for self-building (CentOS) - fail: - msg: "Installing gradle on CentOS is currently not supported, so self-building mxisd cannot happen at this time" - when: ansible_distribution == 'CentOS' - - - name: Ensure gradle is installed for self-building (Archlinux) - pacman: - name: - - gradle - state: latest - update_cache: yes - when: ansible_distribution == 'Archlinux' - - - name: Ensure mxisd repository is present on self-build - git: - repo: https://github.com/kamax-matrix/mxisd.git - dest: "{{ matrix_mxisd_docker_src_files_path }}" - version: "v{{ matrix_mxisd_docker_image.split(':')[1] }}" - force: "yes" - - - name: Ensure mxisd Docker image is built - shell: "./gradlew dockerBuild" - args: - chdir: "{{ matrix_mxisd_docker_src_files_path }}" - when: "matrix_mxisd_enabled|bool and matrix_mxisd_container_image_self_build" - -- name: Ensure mxisd config installed - copy: - content: "{{ matrix_mxisd_configuration|to_nice_yaml }}" - dest: "{{ matrix_mxisd_config_path }}/mxisd.yaml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - when: matrix_mxisd_enabled|bool - -- name: Ensure custom templates are installed if any - copy: - content: "{{ item.value }}" - dest: "{{ matrix_mxisd_data_path }}/{{ item.location }}" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'} - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} - when: "matrix_mxisd_enabled|bool and matrix_mxisd_threepid_medium_email_custom_templates_enabled|bool and item.value" - -- name: Ensure matrix-mxisd.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-mxisd.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-mxisd.service" - mode: 0644 - register: matrix_mxisd_systemd_service_result - when: matrix_mxisd_enabled|bool - -- name: Ensure systemd reloaded after matrix-mxisd.service installation - service: - daemon_reload: yes - when: "matrix_mxisd_enabled|bool and matrix_mxisd_systemd_service_result.changed" - -# -# Tasks related to getting rid of mxisd (if it was previously enabled) -# - -- name: Check existence of matrix-mxisd service - stat: - path: "{{ matrix_systemd_path }}/matrix-mxisd.service" - register: matrix_mxisd_service_stat - -- name: Ensure matrix-mxisd is stopped - service: - name: matrix-mxisd - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists" - -- name: Ensure matrix-mxisd.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-mxisd.service" - state: absent - when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mxisd.service removal - service: - daemon_reload: yes - when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists" - -- name: Ensure Matrix mxisd paths don't exist - file: - path: "{{ matrix_mxisd_base_path }}" - state: absent - when: "not matrix_mxisd_enabled|bool" - -- name: Ensure mxisd Docker image doesn't exist - docker_image: - name: "{{ matrix_mxisd_docker_image }}" - state: absent - when: "not matrix_mxisd_enabled|bool" diff --git a/roles/matrix-mxisd/tasks/validate_config.yml b/roles/matrix-mxisd/tasks/validate_config.yml deleted file mode 100644 index 200a43a3..00000000 --- a/roles/matrix-mxisd/tasks/validate_config.yml +++ /dev/null @@ -1,57 +0,0 @@ ---- - -- name: (Deprecation) Warn about mxisd variables that are not used anymore - fail: - msg: > - The `{{ item }}` variable defined in your configuration is not used by this playbook anymore! - You'll need to adapt to the new way of extending mxisd configuration. - See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples. - when: "item in vars" - with_items: - - 'matrix_mxisd_ldap_enabled' - - 'matrix_mxisd_ldap_connection_host' - - 'matrix_mxisd_ldap_connection_tls' - - 'matrix_mxisd_ldap_connection_port' - - 'matrix_mxisd_ldap_connection_baseDn' - - 'matrix_mxisd_ldap_connection_baseDns' - - 'matrix_mxisd_ldap_connection_bindDn' - - 'matrix_mxisd_ldap_connection_bindPassword' - - 'matrix_mxisd_ldap_filter' - - 'matrix_mxisd_ldap_attribute_uid_type' - - 'matrix_mxisd_ldap_attribute_uid_value' - - 'matrix_mxisd_ldap_connection_bindPassword' - - 'matrix_mxisd_ldap_attribute_name' - - 'matrix_mxisd_ldap_attribute_threepid_email' - - 'matrix_mxisd_ldap_attribute_threepid_msisdn' - - 'matrix_mxisd_ldap_identity_filter' - - 'matrix_mxisd_ldap_identity_medium' - - 'matrix_mxisd_ldap_auth_filter' - - 'matrix_mxisd_ldap_directory_filter' - - 'matrix_mxisd_template_config' - -- name: Ensure mxisd configuration does not contain any dot-notation keys - fail: - msg: > - Since version 1.3.0, mxisd will not accept property-style configuration keys. - You have defined a key (`{{ item.key }}`) which contains a dot. - Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130 - when: "'.' in item.key" - with_dict: "{{ matrix_mxisd_configuration }}" - -- name: Fail if required mxisd settings not defined - fail: - msg: > - You need to define a required configuration setting (`{{ item }}`) for using mxisd. - when: "vars[item] == ''" - with_items: - - "matrix_mxisd_threepid_medium_email_connectors_smtp_host" - - -- name: (Deprecation) Catch and report renamed mxisd variables - fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_mxisd_container_expose_port', 'new': ''} diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 deleted file mode 100644 index d60740f5..00000000 --- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 +++ /dev/null @@ -1,46 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix mxisd Identity server -{% for service in matrix_mxisd_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_mxisd_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} - -[Service] -Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mxisd -ExecStartPre=-/usr/bin/docker rm matrix-mxisd - -# mxisd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, -# so /tmp needs to be mounted with an exec option. -ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,exec,nosuid,size=10m \ - --network={{ matrix_docker_network }} \ - {% if matrix_mxisd_container_http_host_bind_port %} - -p {{ matrix_mxisd_container_http_host_bind_port }}:8090 \ - {% endif %} - {% if matrix_mxisd_verbose_logging %} - -e MXISD_LOG_LEVEL=debug \ - {% endif %} - -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ - -v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \ - {% for arg in matrix_mxisd_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_mxisd_docker_image }} - -ExecStop=-/usr/bin/docker kill matrix-mxisd -ExecStop=-/usr/bin/docker rm matrix-mxisd -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-mxisd - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-mxisd/vars/main.yml b/roles/matrix-mxisd/vars/main.yml deleted file mode 100644 index f5fbf9ad..00000000 --- a/roles/matrix-mxisd/vars/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). -# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later. -matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}" \ No newline at end of file From 5fedd6cbf03be1b049d3f9b57dc090fa9195abec Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 7 Jan 2020 19:04:26 +0100 Subject: [PATCH 1013/2384] Replace mxisd with ma1sd in docs, fixing URLs --- README.md | 6 +-- docs/configuring-dns.md | 2 +- docs/configuring-playbook-ldap-auth.md | 4 +- docs/configuring-playbook-ma1sd.md | 49 +++++++++++++------------ docs/configuring-playbook-rest-auth.md | 4 +- docs/configuring-playbook.md | 2 +- docs/maintenance-and-troubleshooting.md | 4 +- 7 files changed, 36 insertions(+), 35 deletions(-) diff --git a/README.md b/README.md index 7e64d893..b16a8dfe 100644 --- a/README.md +++ b/README.md @@ -20,13 +20,13 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Synapse server by default -- (optional, default) an [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server +- (optional, default) an [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server - (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) - (optional, default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) -- (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) REST authentication password provider module +- (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) REST authentication password provider module - (optional, advanced) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module @@ -112,7 +112,7 @@ This playbook sets up your server using the following Docker images: - [vectorim/riot-web](https://hub.docker.com/r/vectorim/riot-web/) - the [Riot.im](https://about.riot.im/) web client (optional) -- [kamax/mxisd](https://hub.docker.com/r/kamax/mxisd/) - the [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server (optional) +- [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional) - [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 735b348f..29ddc61e 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -44,7 +44,7 @@ The `jitsi.` subdomain may be necessary, because this playbook coul ## `_matrix-identity._tcp` SRV record setup -To make the [mxisd](https://github.com/kamax-io/mxisd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this: +To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this: - Name: `_matrix-identity._tcp` (use this text as-is) - Content: `10 0 443 matrix.` (replace `` with your own) diff --git a/docs/configuring-playbook-ldap-auth.md b/docs/configuring-playbook-ldap-auth.md index c9f15c31..5144323a 100644 --- a/docs/configuring-playbook-ldap-auth.md +++ b/docs/configuring-playbook-ldap-auth.md @@ -28,5 +28,5 @@ If you wish for users to **authenticate only against configured password provide matrix_synapse_password_config_localdb_enabled: false ``` -## Using mxisd Identity Server for authentication -If you wish to use the mxisd Identity Server for LDAP authentication instead of [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) consult [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md#authentication). \ No newline at end of file +## Using ma1sd Identity Server for authentication +If you wish to use the ma1sd Identity Server for LDAP authentication instead of [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) consult [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md#authentication). diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md index 29cec488..da9ff21e 100644 --- a/docs/configuring-playbook-ma1sd.md +++ b/docs/configuring-playbook-ma1sd.md @@ -1,52 +1,53 @@ -# Adjusting mxisd Identity Server configuration (optional) +# Adjusting ma1sd Identity Server configuration (optional) -By default, this playbook configures an [mxisd](https://github.com/kamax-io/mxisd) Identity Server for you. +By default, this playbook configures an [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you. This server is private by default, potentially at the expense of user discoverability. +ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21. ## Matrix.org lookup forwarding To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information). -Enabling this is discouraged and you'd better [learn more](https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups) before proceeding. +Enabling this is discouraged and you'd better [learn more](https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups) before proceeding. Enabling matrix.org forwarding can happen with the following configuration: ```yaml -matrix_mxisd_matrixorg_forwarding_enabled: true +matrix_ma1sd_matrixorg_forwarding_enabled: true ``` ## Customizing email templates -If you'd like to change the default email templates used by mxisd, take a look at the `matrix_mxisd_threepid_medium_email_custom_` variables -(in the `roles/matrix-mxisd/defaults/main.yml` file. +If you'd like to change the default email templates used by ma1sd, take a look at the `matrix_ma1sd_threepid_medium_email_custom_` variables +(in the `roles/matrix-ma1sd/defaults/main.yml` file. -## mxisd-controlled Registration +## ma1sd-controlled Registration -To use the [Registration](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) feature of mxisd, you can make use of the following variables: +To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) feature of ma1sd, you can make use of the following variables: - `matrix_synapse_enable_registration` - to enable user-initiated registration in Synapse - `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering -- variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to mxisd (instead of Synapse), so it can apply its additional functionality +- variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality -- `matrix_mxisd_configuration_extension_yaml` - to configure mxisd as required. See the [Registration feature's docs](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_mxisd_configuration_extension_yaml`. +- `matrix_ma1sd_configuration_extension_yaml` - to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`. ## Authentication -[Authentication](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server: +[Authentication](https://github.com/ma1uta/ma1sd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server: ```yaml matrix_synapse_ext_password_provider_rest_auth_enabled: true -# matrix-mxisd is the hostname of the mxisd Docker container -matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-mxisd:8090" +# matrix-ma1sd is the hostname of the ma1sd Docker container +matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090" -matrix_mxisd_configuration_extension_yaml: | +matrix_ma1sd_configuration_extension_yaml: | ldap: enabled: true connection: @@ -54,7 +55,7 @@ matrix_mxisd_configuration_extension_yaml: | tls: false port: 389 baseDNs: ['OU=Users,DC=example,DC=org'] - bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org + bindDn: CN=My ma1sd User,OU=Users,DC=example,DC=org bindPassword: TheUserPassword ``` @@ -62,24 +63,24 @@ matrix_mxisd_configuration_extension_yaml: | What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services. -A few variables can be toggled in this playbook to alter the mxisd configuration that gets generated. +A few variables can be toggled in this playbook to alter the ma1sd configuration that gets generated. -Still, mxisd can do much more. -You can refer to the [mxisd website](https://github.com/kamax-io/mxisd) for more details and configuration options. +Still, ma1sd can do much more. +You can refer to the [ma1sd website](https://github.com/ma1uta/ma1sd) for more details and configuration options. -To use a more custom configuration, you can define a `matrix_mxisd_configuration_extension_yaml` string variable +To use a more custom configuration, you can define a `matrix_ma1sd_configuration_extension_yaml` string variable and put your configuration in it. -To learn more about how to do this, refer to the information about `matrix_mxisd_configuration_extension_yaml` in the [default variables file](../roles/matrix-mxisd/defaults/main.yml) of the mxisd component. +To learn more about how to do this, refer to the information about `matrix_ma1sd_configuration_extension_yaml` in the [default variables file](../roles/matrix-ma1sd/defaults/main.yml) of the ma1sd component. ## Troubleshooting -If email address validation emails sent by mxisd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md). +If email address validation emails sent by ma1sd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md). -If you'd like additional logging information, temporarily enable verbose logging for mxisd. +If you'd like additional logging information, temporarily enable verbose logging for ma1sd. Example configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`): ```yaml -matrix_mxisd_verbose_logging: true -``` \ No newline at end of file +matrix_ma1sd_verbose_logging: true +``` diff --git a/docs/configuring-playbook-rest-auth.md b/docs/configuring-playbook-rest-auth.md index f35c0f49..23644c9e 100644 --- a/docs/configuring-playbook-rest-auth.md +++ b/docs/configuring-playbook-rest-auth.md @@ -1,6 +1,6 @@ # Setting up the REST authentication password provider module (optional, advanced) -The playbook can install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you. +The playbook can install and configure [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) for you. See that project's documentation to learn what it does and why it might be useful to you. @@ -8,7 +8,7 @@ If you decide that you'd like to let this playbook install it for you, you need ```yaml matrix_synapse_ext_password_provider_rest_auth_enabled: true -matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-mxisd:8090" +matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090" matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 051abf16..4d0d2093 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -44,7 +44,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional) -- [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) (optional) +- [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md) (optional) - [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (optional, advanced) diff --git a/docs/maintenance-and-troubleshooting.md b/docs/maintenance-and-troubleshooting.md index 5dd1ee3f..bccf3e2e 100644 --- a/docs/maintenance-and-troubleshooting.md +++ b/docs/maintenance-and-troubleshooting.md @@ -38,6 +38,6 @@ Re-run the playbook after making these configuration changes. See the dedicated [PostgreSQL Maintenance](maintenance-postgres.md) documentation page. -## Mxisd +## Ma1sd -See the dedicated [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) documentation page. \ No newline at end of file +See the dedicated [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md) documentation page. From 9d0803cdf934775c7c5338643a3b79957eb451af Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 8 Jan 2020 22:26:24 +0100 Subject: [PATCH 1014/2384] Specify up-to-date version 2.2.2 of ma1sd docker image --- roles/matrix-ma1sd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index f3f604d3..4ae87e3d 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -3,7 +3,7 @@ matrix_ma1sd_enabled: true -matrix_ma1sd_docker_image: "ma1uta/ma1sd:1.4.6" +matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.2.2" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" From 874e2e1fc0b775ff20f500e7b7f49aa23112a892 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 8 Jan 2020 22:31:44 +0100 Subject: [PATCH 1015/2384] Rename variables (s/mxisd/ma1sd/) and adapt roles --- group_vars/matrix_servers | 56 +++++++++---------- roles/matrix-base/tasks/main.yml | 2 +- roles/matrix-base/tasks/self_check_dns.yml | 8 +-- roles/matrix-nginx-proxy/defaults/main.yml | 10 ++-- .../tasks/self_check_well_known.yml | 2 +- setup.yml | 2 +- 6 files changed, 40 insertions(+), 40 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c2dd5786..9efd1539 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -435,7 +435,7 @@ matrix_jitsi_web_stun_servers: | # By default, this playbook sets up a postfix mailer server (running in a container). # This is so that Synapse can send email reminders for unread messages. -# Other services (like mxisd), also use the mailer. +# Other services (like ma1sd), also use the mailer. matrix_mailer_enabled: true ###################################################################### @@ -448,41 +448,41 @@ matrix_mailer_enabled: true ###################################################################### # -# matrix-mxisd +# matrix-ma1sd # ###################################################################### -# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`). +# By default, this playbook installs the ma1sd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`). # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. -matrix_mxisd_enabled: true +matrix_ma1sd_enabled: true -matrix_mxisd_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_ma1sd_container_image_self_build: "{{ matrix_container_images_self_build }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network. +# Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# mxisd's web-server port. -matrix_mxisd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}" +# ma1sd's web-server port. +matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}" # We enable Synapse integration via its Postgres database by default. # When using another Identity store, you might wish to disable this and define -# your own configuration in `matrix_mxisd_configuration_extension_yaml`. -matrix_mxisd_synapsesql_enabled: true -matrix_mxisd_synapsesql_type: postgresql -matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }} +# your own configuration in `matrix_ma1sd_configuration_extension_yaml`. +matrix_ma1sd_synapsesql_enabled: true +matrix_ma1sd_synapsesql_type: postgresql +matrix_ma1sd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }} -matrix_mxisd_dns_overwrite_enabled: true -matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_mxisd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" +matrix_ma1sd_dns_overwrite_enabled: true +matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" # By default, we send mail through the `matrix-mailer` service. -matrix_mxisd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" -matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" -matrix_mxisd_threepid_medium_email_connectors_smtp_port: 8025 -matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0 +matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" +matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" +matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025 +matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0 -matrix_mxisd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" +matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" -matrix_mxisd_systemd_wanted_services_list: | +matrix_ma1sd_systemd_wanted_services_list: | {{ (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) + @@ -493,7 +493,7 @@ matrix_mxisd_systemd_wanted_services_list: | ###################################################################### # -# /matrix-mxisd +# /matrix-ma1sd # ###################################################################### @@ -523,8 +523,8 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enable matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" -matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled }}" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. @@ -536,7 +536,7 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_enabled }}" +matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" @@ -548,7 +548,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + - (['matrix-mxisd.service'] if matrix_mxisd_enabled else []) + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + (['matrix-riot-web.service'] if matrix_riot_web_enabled else []) }} @@ -652,8 +652,8 @@ matrix_riot_web_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jit matrix_synapse_container_image_self_build: "{{ matrix_container_images_self_build }}" -# When mxisd is enabled, we can use it instead of the default public Identity servers. -matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" +# When ma1sd is enabled, we can use it instead of the default public Identity servers. +matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else matrix_synapse_id_servers_public }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index 909cad20..827a4101 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -21,7 +21,7 @@ when: run_setup|bool tags: - setup-all - - setup-mxisd + - setup-ma1sd - setup-synapse - setup-nginx-proxy diff --git a/roles/matrix-base/tasks/self_check_dns.yml b/roles/matrix-base/tasks/self_check_dns.yml index d17b2149..57c07b2b 100644 --- a/roles/matrix-base/tasks/self_check_dns.yml +++ b/roles/matrix-base/tasks/self_check_dns.yml @@ -5,16 +5,16 @@ - block: - set_fact: - dns_srv_record_check_mxisd: + dns_srv_record_check_ma1sd: service_and_protocol: "_matrix-identity._tcp" domain: "{{ (matrix_domain + '.') }}" expected_target: "{{ (matrix_server_fqn_matrix + '.') }}" expected_port: 443 - - name: Determine domains that we require certificates for (mxisd) + - name: Determine domains that we require certificates for (ma1sd) set_fact: - dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_mxisd] }}" - when: matrix_mxisd_enabled|bool + dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_ma1sd] }}" + when: matrix_ma1sd_enabled|bool - name: Perform DNS SRV checks include_tasks: "{{ role_path }}/tasks/self_check_dns_srv.yml" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8f3f0481..12d314f5 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -116,21 +116,21 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:410 # Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain). # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. -# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/directory.md +# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). # This allows another service to control registrations involving 3PIDs. -# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md +# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false -matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml index 6aaf9cb3..be1b6555 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml @@ -18,7 +18,7 @@ follow_redirects: safe validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - - name: Determine domains that we require certificates for (mxisd) + - name: Determine domains that we require certificates for (ma1sd) set_fact: well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}" when: matrix_well_known_matrix_server_enabled|bool diff --git a/setup.yml b/setup.yml index 61d448f3..5baee8f3 100755 --- a/setup.yml +++ b/setup.yml @@ -19,7 +19,7 @@ - matrix-synapse - matrix-riot-web - matrix-jitsi - - matrix-mxisd + - matrix-ma1sd - matrix-dimension - matrix-email2matrix - matrix-nginx-proxy From 8c5c2e5eec2dfe54d8b2540b122996b07a0ce174 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Fri, 27 Mar 2020 19:31:15 +0100 Subject: [PATCH 1016/2384] Bump ma1sd version to 2.3.0 --- roles/matrix-ma1sd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 4ae87e3d..68635811 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -3,7 +3,7 @@ matrix_ma1sd_enabled: true -matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.2.2" +matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.3.0" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" From c2d384d2ef0070097baf39df8858638dc8829286 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 2 Apr 2020 10:43:40 +0200 Subject: [PATCH 1017/2384] some more mxisd to ma1sd string/URL replacements --- docs/self-building.md | 4 ++-- roles/matrix-ma1sd/tasks/validate_config.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/self-building.md b/docs/self-building.md index a4d6fad9..6b9a46d4 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -1,6 +1,6 @@ # Self-building -The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for mxisd). +The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for ma1sd). To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file: ```yaml @@ -12,7 +12,7 @@ List of roles where self-building the docker image is currently possible: - synapse - riot-web - coturn -- mxisd +- ma1sd - matrix-bridge-mautrix-facebook - matrix-bridge-mautrix-hangouts diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index 07a17006..3adb4756 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -34,7 +34,7 @@ msg: > Since version 1.3.0, ma1sd will not accept property-style configuration keys. You have defined a key (`{{ item.key }}`) which contains a dot. - Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade-Notes#v130 + Instead, use nesting. See: https://github.com/ma1uta/ma1sd/wiki/Upgrade-Notes#v130 when: "'.' in item.key" with_dict: "{{ matrix_ma1sd_configuration }}" From ed34d0ac396658a265e5fbeed131439a669d5898 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 2 Apr 2020 10:50:07 +0200 Subject: [PATCH 1018/2384] fix "noeol" ("No newline at end of file" == missing 0A byte at file end) --- roles/matrix-ma1sd/vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/vars/main.yml b/roles/matrix-ma1sd/vars/main.yml index dfaf58bd..b6c97a59 100644 --- a/roles/matrix-ma1sd/vars/main.yml +++ b/roles/matrix-ma1sd/vars/main.yml @@ -2,4 +2,4 @@ # Doing `|from_yaml` when the extension contains nothing yields an empty string (""). # We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later. -matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}" \ No newline at end of file +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}" From 92672f89490003ef0c4c35ca039ae74a608ebe91 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 2 Apr 2020 10:55:35 +0200 Subject: [PATCH 1019/2384] matrix-ma1sd/tasks/validate_config.yml: can ansible process regex in when statements? --- roles/matrix-ma1sd/tasks/validate_config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index 3adb4756..edbd5419 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -55,3 +55,4 @@ when: "item.old in vars" with_items: - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} + - {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'} From e4ceeccd1464b9840d8d88245f7f786f63103026 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 2 Apr 2020 17:19:40 +0200 Subject: [PATCH 1020/2384] Add mxisd => ma1sd migration task --- roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 79 ++++++++++++++++++++++ roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 3 + 2 files changed, 82 insertions(+) create mode 100644 roles/matrix-ma1sd/tasks/migrate_mxisd.yml diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml new file mode 100644 index 00000000..2d92de62 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml @@ -0,0 +1,79 @@ +--- + +# This task is for migrating existing mxisd data when transitioning to the ma1sd fork. + +- name: Check for existent mxisd data + stat: + path: "{{ matrix_base_data_path }}/mxisd" + register: ma1sd_migrate_mxisd_data_dir_stat + +- name: Warn if mxisd data detected + debug: + msg: > + You seem to have an existing mxisd data folder in `{{ matrix_base_data_path }}`. + We are going to migrate it to ma1sd and rename the folder to mxisd.migrated. + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Check existence of old matrix-mxisd service + stat: + path: "{{ matrix_systemd_path }}/matrix-mxisd.service" + register: matrix_mxisd_service_stat + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure matrix-mxisd is stopped + service: + name: matrix-mxisd + state: stopped + daemon_reload: yes + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_mxisd_service_stat.stat.exists" + +- name: Check existence of matrix-ma1sd service + stat: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + register: matrix_ma1sd_service_stat + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure matrix-ma1sd is stopped + service: + name: matrix-ma1sd + state: stopped + daemon_reload: yes + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_ma1sd_service_stat.stat.exists" + +- name: Ensure ma1sd data path exist + file: + path: "{{ matrix_ma1sd_data_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Copy mxisd data files to ma1sd folder + copy: + src: "{{ item }}" + dest: "{{ matrix_ma1sd_data_path }}/" + mode: "preserve" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_base_data_path }}/mxisd/data/mxisd.db" + - "{{ matrix_base_data_path }}/mxisd/data/sign.key" + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Rename mxisd folder + command: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated" + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure outdated matrix-mxisd.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mxisd.service" + state: absent + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure systemd reloaded after removing outdated matrix-mxisd.service + service: + daemon_reload: yes + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + + diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml index 483d7f9c..c197b64f 100644 --- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -4,6 +4,9 @@ # Tasks related to setting up ma1sd # +- import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml" + when: matrix_ma1sd_enabled|bool + - name: Ensure ma1sd paths exist file: path: "{{ item.path }}" From 4172345d34ae75f039db49bd81ceca33ee483da8 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 2 Apr 2020 17:20:06 +0200 Subject: [PATCH 1021/2384] Fix regex matching against old variable names in ma1sd validation task --- roles/matrix-ma1sd/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index edbd5419..da2bdc1b 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -52,7 +52,7 @@ msg: >- Your configuration contains a variable, which now has a different name. Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" + when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" with_items: - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} - {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'} From 59ccff9babcbf79fe6dac31600d01b057a9b1412 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 09:27:22 +0300 Subject: [PATCH 1022/2384] Fix mxisd -> ma1sd file copying When the playbook executes on a remote host (as it usually does), we need to explicitly say `src` is a remote file and not relative to the playbook. --- roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml index 2d92de62..256e83fe 100644 --- a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml @@ -52,6 +52,7 @@ - name: Copy mxisd data files to ma1sd folder copy: src: "{{ item }}" + remote_src: true dest: "{{ matrix_ma1sd_data_path }}/" mode: "preserve" owner: "{{ matrix_user_username }}" From be1951133889018bf780a9caa99c2a9e7bbdecdc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 09:28:44 +0300 Subject: [PATCH 1023/2384] Add missing container self-build variables for ma1sd --- roles/matrix-ma1sd/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 68635811..144f4932 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -3,10 +3,13 @@ matrix_ma1sd_enabled: true +matrix_ma1sd_container_image_self_build: false + matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.3.0" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" +matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src" matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config" matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data" From a4ea2f850b7e71cbc470f9bc6a9270a45c8f4cbc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 09:42:14 +0300 Subject: [PATCH 1024/2384] Provide a friendlier migration message from people using matrix_mxisd_ variables --- roles/matrix-ma1sd/tasks/validate_config.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index da2bdc1b..691fe0ac 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -46,7 +46,6 @@ with_items: - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host" - - name: (Deprecation) Catch and report renamed ma1sd variables fail: msg: >- @@ -55,4 +54,13 @@ when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" with_items: - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} + +- name: (Deprecation) Catch and report mxisd variables + fail: + msg: >- + mxisd is deprecated and has been replaced with ma1sd (https://github.com/ma1uta/ma1sd), a compatible fork. + The playbook will migrate your existing mxisd configuration and data automatically, but you need to adjust variable names. + Please change your configuration (vars.yml) to rename all mxisd variables (`{{ item.old }}` -> `{{ item.new }}`). + when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" + with_items: - {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'} From a0b82d223419431153601144441553a755ee97a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 09:53:31 +0300 Subject: [PATCH 1025/2384] Fix mxisd -> ma1sd data migration (mxisd.db -> ma1sd.db) --- roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml index 256e83fe..424880e2 100644 --- a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml @@ -51,15 +51,15 @@ - name: Copy mxisd data files to ma1sd folder copy: - src: "{{ item }}" + src: "{{ item.src }}" remote_src: true - dest: "{{ matrix_ma1sd_data_path }}/" + dest: "{{ matrix_ma1sd_data_path }}/{{ item.dst_name }}" mode: "preserve" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - "{{ matrix_base_data_path }}/mxisd/data/mxisd.db" - - "{{ matrix_base_data_path }}/mxisd/data/sign.key" + - {"src": "{{ matrix_base_data_path }}/mxisd/data/mxisd.db", "dst_name": "ma1sd.db"} + - {"src": "{{ matrix_base_data_path }}/mxisd/data/sign.key", "dst_name": "sign.key"} when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - name: Rename mxisd folder From 845f5f007b3ab8d3479e1ecd1d9ff9e07f5474fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 10:08:37 +0300 Subject: [PATCH 1026/2384] Make Synapse use ma1sd (if enabled) for threepid registration --- group_vars/matrix_servers | 5 +++++ roles/matrix-synapse/defaults/main.yml | 8 ++++++++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9efd1539..e9dbffb5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -655,6 +655,11 @@ matrix_synapse_container_image_self_build: "{{ matrix_container_images_self_buil # When ma1sd is enabled, we can use it instead of the default public Identity servers. matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else matrix_synapse_id_servers_public }}" +# When ma1sd is enabled, we can use it to validate email addresses and phone numbers. +# Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server. +matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}" +matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, # you can expose Synapse's ports to the host. diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f896f232..38cd2321 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -164,6 +164,14 @@ matrix_synapse_enable_group_creation: false # A list of 3PID types which users must supply when registering (possible values: email, msisdn). matrix_synapse_registrations_require_3pid: [] +# The server to use for email threepid validation. When empty, Synapse does it by itself. +# Otherwise, this should be pointed to an identity server. +matrix_synapse_account_threepid_delegates_email: '' + +# The server to use for phone number threepid validation. When empty, validation cannot happen, as Synapse doesn't support it. +# To make it work, this should be pointed to an identity server. +matrix_synapse_account_threepid_delegates_msisdn: '' + # Users who register on this homeserver will automatically be joined to these rooms. # Rooms are to be specified using addresses (e.g. `#address:example.com`) matrix_synapse_auto_join_rooms: [] diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index b3adcac9..310421e9 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1060,8 +1060,8 @@ trusted_third_party_id_servers: # If a delegate is specified, the config option public_baseurl must also be filled out. # account_threepid_delegates: - #email: https://example.com # Delegate email sending to example.com - #msisdn: http://localhost:8090 # Delegate SMS sending to this local process + email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} + msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} # Users who register on this homeserver will automatically be joined # to these rooms From 7266542356691a0a3f109c4f4d43898a24721dff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 10:41:36 +0300 Subject: [PATCH 1027/2384] Announce ma1sd -> mxisd migration --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f8898755..72ead398 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# 2020-04-03 + +## (Potential Backward Compatibility Break) ma1sd replaces mxisd + +The [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has been replaced by [ma1sd](https://github.com/kamax-io/mxisd), a compatible fork. + +**If you're using the default playbook configuration**, you don't need to do anything -- your mxisd installation will be replaced with ma1sd and all existing data will be migrated automatically the next time you run the playbook. + +**If you're doing something more special** (defining custom `matrix_mxisd_*` variables), the playbook will ask you to rename them to `matrix_ma1sd_*`. +You're also encouraged to test that ma1sd works well for such a more custom setup. + + # 2020-03-29 ## Archlinux support From 2fad4ee7d8482d48c099e66e327cb95bc28c2d74 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 10:43:47 +0300 Subject: [PATCH 1028/2384] Adjust changelog to give credit where credit is due --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 72ead398..d4c4e74f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## (Potential Backward Compatibility Break) ma1sd replaces mxisd -The [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has been replaced by [ma1sd](https://github.com/kamax-io/mxisd), a compatible fork. +Thanks to [Marcel Partap](https://github.com/eMPee584)'s efforts, the [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has finally been replaced by [ma1sd](https://github.com/kamax-io/mxisd), a compatible fork. **If you're using the default playbook configuration**, you don't need to do anything -- your mxisd installation will be replaced with ma1sd and all existing data will be migrated automatically the next time you run the playbook. From 229c8e1c38599a8f75c77d1afd811607b3959426 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 11:14:34 +0300 Subject: [PATCH 1029/2384] Adjust name in changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d4c4e74f..ab19c5b6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,7 @@ You're also encouraged to test that ma1sd works well for such a more custom setu ## Archlinux support -Thanks to [Christian](https://github.com/christianlupus)'s efforts, the playbook now supports installing to an [Archlinux](https://www.archlinux.org/) server. +Thanks to [Christian Lupus](https://github.com/christianlupus)'s efforts, the playbook now supports installing to an [Archlinux](https://www.archlinux.org/) server. # 2020-03-24 From c2d0304eb18a849f7383db3aed4c1d079c94955a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 11:17:05 +0300 Subject: [PATCH 1030/2384] Fix incorrect URL --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ab19c5b6..ce8f9f3b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## (Potential Backward Compatibility Break) ma1sd replaces mxisd -Thanks to [Marcel Partap](https://github.com/eMPee584)'s efforts, the [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has finally been replaced by [ma1sd](https://github.com/kamax-io/mxisd), a compatible fork. +Thanks to [Marcel Partap](https://github.com/eMPee584)'s efforts, the [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has finally been replaced by [ma1sd](https://github.com/ma1uta/ma1sd), a compatible fork. **If you're using the default playbook configuration**, you don't need to do anything -- your mxisd installation will be replaced with ma1sd and all existing data will be migrated automatically the next time you run the playbook. From c3efd2966ffe9d8396e133ad4d9f32c77c8b3aba Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 13:12:03 +0300 Subject: [PATCH 1031/2384] Fix mxisd -> ma1sd migration for older versions of Ansible --- roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 45 +++++++++------------- roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 6 +-- 2 files changed, 22 insertions(+), 29 deletions(-) diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml index 424880e2..0331f7b9 100644 --- a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml @@ -4,13 +4,13 @@ - name: Check for existent mxisd data stat: - path: "{{ matrix_base_data_path }}/mxisd" + path: "{{ matrix_base_data_path }}/mxisd/data" register: ma1sd_migrate_mxisd_data_dir_stat - name: Warn if mxisd data detected debug: msg: > - You seem to have an existing mxisd data folder in `{{ matrix_base_data_path }}`. + You seem to have an existing mxisd folder in `{{ matrix_base_data_path }}/mxisd`. We are going to migrate it to ma1sd and rename the folder to mxisd.migrated. when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" @@ -40,41 +40,34 @@ daemon_reload: yes when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_ma1sd_service_stat.stat.exists" -- name: Ensure ma1sd data path exist - file: - path: "{{ matrix_ma1sd_data_path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" +# We use shell commands for the migration, because the Ansible copy module cannot +# recursively copy remote directories (like `/matrix/mxisd/data/sign.key`) in older versions of Ansible. +- block: + - name: Copy mxisd data files to ma1sd folder + command: "cp -ar {{ matrix_base_data_path }}/mxisd/data {{ matrix_ma1sd_base_path }}" -- name: Copy mxisd data files to ma1sd folder - copy: - src: "{{ item.src }}" - remote_src: true - dest: "{{ matrix_ma1sd_data_path }}/{{ item.dst_name }}" - mode: "preserve" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - {"src": "{{ matrix_base_data_path }}/mxisd/data/mxisd.db", "dst_name": "ma1sd.db"} - - {"src": "{{ matrix_base_data_path }}/mxisd/data/sign.key", "dst_name": "sign.key"} - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + - name: Check existence of mxisd.db file + stat: + path: "{{ matrix_ma1sd_data_path }}/mxisd.db" + register: matrix_ma1sd_mxisd_db_stat -- name: Rename mxisd folder - command: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated" + - name: Rename database (mxisd.db -> ma1sd.db) + command: "mv {{ matrix_ma1sd_data_path }}/mxisd.db {{ matrix_ma1sd_data_path }}/ma1sd.db" + when: "matrix_ma1sd_mxisd_db_stat.stat.exists" + + - name: Rename mxisd folder + command: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated" when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - name: Ensure outdated matrix-mxisd.service doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-mxisd.service" state: absent - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + when: "matrix_ma1sd_service_stat.stat.exists" - name: Ensure systemd reloaded after removing outdated matrix-mxisd.service service: daemon_reload: yes - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + when: "matrix_ma1sd_service_stat.stat.exists" diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml index c197b64f..57fc019a 100644 --- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -4,9 +4,6 @@ # Tasks related to setting up ma1sd # -- import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml" - when: matrix_ma1sd_enabled|bool - - name: Ensure ma1sd paths exist file: path: "{{ item.path }}" @@ -20,6 +17,9 @@ - { path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"} when: matrix_ma1sd_enabled|bool and item.when +- import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml" + when: matrix_ma1sd_enabled|bool + - name: Ensure ma1sd image is pulled docker_image: name: "{{ matrix_ma1sd_docker_image }}" From 5927ed56b0d4ef12d36bbce42ebbac76c96755e1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 13:55:23 +0300 Subject: [PATCH 1032/2384] Fix matrix_ma1sd_service_stat.stat.exists sometimes being undefined --- roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml index 0331f7b9..1d966204 100644 --- a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml @@ -18,14 +18,13 @@ stat: path: "{{ matrix_systemd_path }}/matrix-mxisd.service" register: matrix_mxisd_service_stat - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - name: Ensure matrix-mxisd is stopped service: name: matrix-mxisd state: stopped daemon_reload: yes - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_mxisd_service_stat.stat.exists" + when: "matrix_mxisd_service_stat.stat.exists" - name: Check existence of matrix-ma1sd service stat: @@ -63,11 +62,11 @@ file: path: "{{ matrix_systemd_path }}/matrix-mxisd.service" state: absent - when: "matrix_ma1sd_service_stat.stat.exists" + when: "matrix_mxisd_service_stat.stat.exists" - name: Ensure systemd reloaded after removing outdated matrix-mxisd.service service: daemon_reload: yes - when: "matrix_ma1sd_service_stat.stat.exists" + when: "matrix_mxisd_service_stat.stat.exists" From f78fa3f32879836f5dfc7d9e5b80369814b50f76 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 14:26:30 +0300 Subject: [PATCH 1033/2384] Upgrade Synapse (1.12.0 -> 1.12.3) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 38cd2321..e2ab5fb8 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.0" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.3" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 4ed0632327248515d91f480fb8441f57a1ca94c5 Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Fri, 3 Apr 2020 18:36:23 +0200 Subject: [PATCH 1034/2384] fix jitsi guests mode according to docker-jitsi-meet repo --- roles/matrix-jitsi/templates/web/config.js.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 index 72bffbd5..8a167c8a 100644 --- a/roles/matrix-jitsi/templates/web/config.js.j2 +++ b/roles/matrix-jitsi/templates/web/config.js.j2 @@ -18,9 +18,11 @@ var config = { // XMPP domain. domain: '{{ matrix_jitsi_xmpp_domain }}', + {% if matrix_jitsi_enable_auth %} {% if matrix_jitsi_enable_guests %} // When using authentication, domain for guest users. - anonymousdomain: 'guest.example.com', + anonymousdomain: '{{ matrix_jitsi_xmpp_guest_domain }}', + {% endif %} // Domain for authenticated users. Defaults to . authdomain: '{{ matrix_jitsi_xmpp_domain }}', From ea072eb38d598098f7d57df2a0e5befb10feabaf Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sat, 4 Apr 2020 02:16:20 +0200 Subject: [PATCH 1035/2384] add missing jitsi auth URL conditional --- .../templates/jicofo/sip-communicator.properties.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 b/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 index 6736becc..c62e04ff 100644 --- a/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 +++ b/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 @@ -3,3 +3,7 @@ org.jitsi.jicofo.BRIDGE_MUC={{ matrix_jitsi_jvb_brewery_muc }}@{{ matrix_jitsi_x org.jitsi.jicofo.jibri.BREWERY={{ matrix_jitsi_jibri_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90 + +{% if matrix_jitsi_enable_auth %} +org.jitsi.jicofo.auth.URL=XMPP:{{ matrix_jitsi_xmpp_domain }} +{% endif %} From 9adddb19e2311165bb60b3d0a53394fd8d9be86e Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sat, 4 Apr 2020 03:34:49 +0200 Subject: [PATCH 1036/2384] fix whitespace --- roles/matrix-jitsi/templates/web/config.js.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 index 8a167c8a..3d7e5de7 100644 --- a/roles/matrix-jitsi/templates/web/config.js.j2 +++ b/roles/matrix-jitsi/templates/web/config.js.j2 @@ -21,7 +21,7 @@ var config = { {% if matrix_jitsi_enable_auth %} {% if matrix_jitsi_enable_guests %} // When using authentication, domain for guest users. - anonymousdomain: '{{ matrix_jitsi_xmpp_guest_domain }}', + anonymousdomain: '{{ matrix_jitsi_xmpp_guest_domain }}', {% endif %} // Domain for authenticated users. Defaults to . From 697e91aa059cd436a36c9ece7dc7c3e343144c8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alin=20Tr=C4=83istaru?= Date: Sun, 29 Mar 2020 09:48:46 +0300 Subject: [PATCH 1037/2384] jitsi-web: add more defaults --- roles/matrix-jitsi/defaults/main.yml | 17 ++++++++++- roles/matrix-jitsi/templates/web/config.js.j2 | 2 ++ .../templates/web/interface_config.js.j2 | 28 +++++++++---------- 3 files changed, 32 insertions(+), 15 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 6eb36577..6fa4c340 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -53,7 +53,22 @@ matrix_jitsi_web_systemd_required_services_list: ['docker.service'] matrix_jitsi_web_config_defaultLanguage: 'en' matrix_jitsi_web_interface_config_lang_detection: false - +matrix_jitsi_web_config_start_with_audio_muted: false +matrix_jitsi_web_config_start_with_video_muted: false +matrix_jitsi_web_interface_config_show_jitsi_watermark: true +matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org" +matrix_jitsi_web_interface_config_show_brand_watermark: false +matrix_jitsi_web_interface_config_brand_watermark_link: "" +matrix_jitsi_web_interface_config_show_watermark_for_guests: true +matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page: true +matrix_jitsi_web_interface_config_display_welcome_page_content: true +matrix_jitsi_web_interface_config_app_name: "Jitsi Meet" +matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet" +matrix_jitsi_web_interface_config_provider_name: "Jitsi" +matrix_jitsi_web_interface_config_invitation_powered_by: true +matrix_jitsi_web_interface_config_show_powered_by: false +matrix_jitsi_web_interface_config_disable_transcription_subtitles: false +matrix_jisti_web_interface_config_show_deep_linking_image: false matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 index 8a167c8a..58bcaf10 100644 --- a/roles/matrix-jitsi/templates/web/config.js.j2 +++ b/roles/matrix-jitsi/templates/web/config.js.j2 @@ -93,6 +93,7 @@ var config = { // Start calls with audio muted. Unlike the option above, this one is only // applied locally. FIXME: having these 2 options is confusing. // startWithAudioMuted: false, + startWithAudioMuted: {{ matrix_jitsi_web_config_start_with_audio_muted|to_json }}, // Enabling it (with #params) will disable local audio output of remote // participants and to enable it back a reload is needed. @@ -137,6 +138,7 @@ var config = { // Start calls with video muted. Unlike the option above, this one is only // applied locally. FIXME: having these 2 options is confusing. // startWithVideoMuted: false, + startWithVideoMuted: {{ matrix_jitsi_web_config_start_with_video_muted|to_json }}, // If set to true, prefer to use the H.264 video codec (if supported). // Note that it's not recommended to do this because simulcast is not diff --git a/roles/matrix-jitsi/templates/web/interface_config.js.j2 b/roles/matrix-jitsi/templates/web/interface_config.js.j2 index 737b924e..c56f8c8c 100644 --- a/roles/matrix-jitsi/templates/web/interface_config.js.j2 +++ b/roles/matrix-jitsi/templates/web/interface_config.js.j2 @@ -16,22 +16,22 @@ var interfaceConfig = { TOOLBAR_ALWAYS_VISIBLE: false, DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', DEFAULT_LOCAL_DISPLAY_NAME: 'me', - SHOW_JITSI_WATERMARK: true, - JITSI_WATERMARK_LINK: 'https://jitsi.org', + SHOW_JITSI_WATERMARK: {{ matrix_jitsi_web_interface_config_show_jitsi_watermark|to_json }}, + JITSI_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_jitsi_watermark_link|to_json }}, // if watermark is disabled by default, it can be shown only for guests - SHOW_WATERMARK_FOR_GUESTS: true, - SHOW_BRAND_WATERMARK: false, - BRAND_WATERMARK_LINK: '', - SHOW_POWERED_BY: false, - SHOW_DEEP_LINKING_IMAGE: false, - GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true, - DISPLAY_WELCOME_PAGE_CONTENT: true, - APP_NAME: 'Jitsi Meet', - NATIVE_APP_NAME: 'Jitsi Meet', - PROVIDER_NAME: 'Jitsi', + SHOW_WATERMARK_FOR_GUESTS: {{ matrix_jitsi_web_interface_config_show_watermark_for_guests|to_json }}, + SHOW_BRAND_WATERMARK: {{ matrix_jitsi_web_interface_config_show_brand_watermark|to_json }}, + BRAND_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_brand_watermark_link|to_json }}, + SHOW_POWERED_BY: {{ matrix_jitsi_web_interface_config_show_powered_by|to_json }}, + SHOW_DEEP_LINKING_IMAGE: {{ matrix_jisti_web_interface_config_show_deep_linking_image|to_json }}, + GENERATE_ROOMNAMES_ON_WELCOME_PAGE: {{ matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page|to_json }}, + DISPLAY_WELCOME_PAGE_CONTENT: {{ matrix_jitsi_web_interface_config_display_welcome_page_content|to_json }}, + APP_NAME: {{ matrix_jitsi_web_interface_config_app_name|to_json }}, + NATIVE_APP_NAME: {{ matrix_jitsi_web_interface_config_native_app_name|to_json }}, + PROVIDER_NAME: {{ matrix_jitsi_web_interface_config_provider_name|to_json }}, LANG_DETECTION: {{ matrix_jitsi_web_interface_config_lang_detection|to_json }}, // Allow i18n to detect the system language - INVITATION_POWERED_BY: true, + INVITATION_POWERED_BY: {{ matrix_jitsi_web_interface_config_invitation_powered_by|to_json }}, /** * If we should show authentication block in profile @@ -92,7 +92,7 @@ var interfaceConfig = { * * @type {boolean} */ - DISABLE_TRANSCRIPTION_SUBTITLES: false, + DISABLE_TRANSCRIPTION_SUBTITLES: {{ matrix_jitsi_web_interface_config_disable_transcription_subtitles|to_json }}, /** * Whether the ringing sound in the call/ring overlay is disabled. If From d781c8fdf9bb111cddd45eed8cc63aa841eb7eb7 Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sun, 5 Apr 2020 03:30:14 +0200 Subject: [PATCH 1038/2384] add optional Jitsi internal auth+guests docs improve readability --- docs/configuring-playbook-jitsi.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f163976d..a0c1c441 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -25,8 +25,34 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: matrix_jitsi_enabled: true ``` +## (Optional) configure internal Jitsi authentication and guests mode + +By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration. +If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's `internal` authentication and guests mode. With this optional configuration, all meeting rooms have to be opened by at least one registered user, after that guests are free to join. If a registered host is not present yet, guests are put on hold into a waiting room. +If you prefer an open Jitsi instance, please skip to [Apply changes](#apply-changes). + +Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: + +```yaml +matrix_jitsi_enable_auth: true +matrix_jitsi_enable_guests: true +``` + +## Apply changes + Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` +## Required if configuring Jitsi with its internal authentication: register new users + +Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually. +Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container: + +```bash +docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register matrix-jitsi-web +``` + +Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. + ## Usage From 604e581a970c3565f18af5a072c402fe9d374f86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alin=20Tr=C4=83istaru?= Date: Sun, 5 Apr 2020 09:42:52 +0300 Subject: [PATCH 1039/2384] add ntpd defaults --- roles/matrix-base/defaults/main.yml | 3 +++ roles/matrix-base/tasks/server_base/setup.yml | 4 ++-- roles/matrix-base/tasks/server_base/setup_archlinux.yml | 2 +- roles/matrix-base/tasks/server_base/setup_centos.yml | 2 +- roles/matrix-base/tasks/server_base/setup_debian.yml | 2 +- roles/matrix-base/tasks/server_base/setup_raspbian.yml | 2 +- 6 files changed, 9 insertions(+), 6 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 6800df86..c6ed430b 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -33,6 +33,9 @@ matrix_systemd_path: "/etc/systemd/system" matrix_cron_path: "/etc/cron.d" matrix_local_bin_path: "/usr/local/bin" +matrix_ntpd_package: "ntp" +matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}" + matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" matrix_identity_server_url: ~ diff --git a/roles/matrix-base/tasks/server_base/setup.yml b/roles/matrix-base/tasks/server_base/setup.yml index 73abbec2..2425c82b 100644 --- a/roles/matrix-base/tasks/server_base/setup.yml +++ b/roles/matrix-base/tasks/server_base/setup.yml @@ -18,8 +18,8 @@ state: started enabled: yes -- name: Ensure ntpd is started and autoruns +- name: "Ensure {{ matrix_ntpd_service }} is started and autoruns" service: - name: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}" + name: "{{ matrix_ntpd_service }}" state: started enabled: yes diff --git a/roles/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/matrix-base/tasks/server_base/setup_archlinux.yml index 144e8b75..3814305d 100644 --- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml +++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml @@ -4,7 +4,7 @@ pacman: name: - python-docker - - ntp + - "{{ matrix_ntpd_package }}" # TODO This needs to be verified. Which version do we need? - fuse3 - python-dnspython diff --git a/roles/matrix-base/tasks/server_base/setup_centos.yml b/roles/matrix-base/tasks/server_base/setup_centos.yml index 945c86ef..77b2866a 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos.yml @@ -21,7 +21,7 @@ yum: name: - docker-python - - ntp + - "{{ matrix_ntpd_package }}" - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index 9438a5f4..c54b3cb6 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -28,7 +28,7 @@ apt: name: - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker" - - ntp + - "{{ matrix_ntpd_package }}" - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_raspbian.yml b/roles/matrix-base/tasks/server_base/setup_raspbian.yml index 3a62a5db..a9a5d20a 100644 --- a/roles/matrix-base/tasks/server_base/setup_raspbian.yml +++ b/roles/matrix-base/tasks/server_base/setup_raspbian.yml @@ -28,7 +28,7 @@ apt: name: - python-docker - - ntp + - "{{ matrix_ntpd_package }}" - fuse state: latest update_cache: yes From a04c67dbc4e00a76c6a4fe1b818f4f5727d8040e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 5 Apr 2020 10:01:55 +0300 Subject: [PATCH 1040/2384] Add information about rebuilding Jitsi Prosody configuration --- docs/configuring-playbook-jitsi.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index a0c1c441..9156f92b 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -51,7 +51,13 @@ Please SSH into your matrix host machine and execute the following command targe docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register matrix-jitsi-web ``` -Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. +Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. + +**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. The playbook can't yet rebuild all configuration files for some Jitsi services (like `matrix-jitsi-prosody`), which may cause such an error. **If you encounter this error**, we encourage you to: +- stop all Jitsi services (`systemctl stop matrix-jitsi-*`) +- remove the Jitsi Prosody configuration & data (`rm -rf /matrix/jitsi/prosody`) +- rebuild Jitsi configuration and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) +- try the previously-failing command once again ## Usage From 0ee2060c3131c2ab9e1894df61fe0154dda386b0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 5 Apr 2020 10:03:51 +0300 Subject: [PATCH 1041/2384] Reorganize paragraphs a bit --- docs/configuring-playbook-jitsi.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 9156f92b..c2834244 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -28,8 +28,10 @@ matrix_jitsi_enabled: true ## (Optional) configure internal Jitsi authentication and guests mode By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration. + +If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes). + If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's `internal` authentication and guests mode. With this optional configuration, all meeting rooms have to be opened by at least one registered user, after that guests are free to join. If a registered host is not present yet, guests are put on hold into a waiting room. -If you prefer an open Jitsi instance, please skip to [Apply changes](#apply-changes). Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: From 70010c26abf542539ca3b3b5c66dca43ced602a4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 5 Apr 2020 10:27:52 +0300 Subject: [PATCH 1042/2384] Update changelog with information on private Jitsi Related to #436 (Github Pull Request). --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ce8f9f3b..af2c8910 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2020-04-05 + +## Private Jitsi support + +The [Jitsi support](#jitsi-support) we had landed a few weeks ago was working well, but it was always open to the whole world. + +Running such an open instance is not desirable to most people, so [teutat3s](https://github.com/teutat3s) has contributed support for making Jitsi use authentication. + +To make your Jitsi server more private, see the [configure internal Jitsi authentication and guests mode](docs/configuring-playbook-jitsi.md#optional-configure-internal-jitsi-authentication-and-guests-mode) section in our Jitsi documentation. + + # 2020-04-03 ## (Potential Backward Compatibility Break) ma1sd replaces mxisd From eb8e162ac2a9def47e5b0c3c30924104b2ae1de7 Mon Sep 17 00:00:00 2001 From: Sean O'Neil Date: Sun, 5 Apr 2020 11:36:08 -0700 Subject: [PATCH 1043/2384] Update Caddy example in configuring-well-known to Caddy version 2 --- docs/configuring-well-known.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 621dec0e..8bf84ed1 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -107,7 +107,9 @@ server { **For Caddy**, it would be something like this: ```caddy -proxy /.well-known/matrix https://matrix.DOMAIN +reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN { + header_up Host {http.reverse_proxy.upstream.hostport} +} ``` **For HAProxy**, it would be something like this: From 3d096a2b13866f2d60fdd4d0d91211aa8cad53cf Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Mon, 6 Apr 2020 18:36:17 +0200 Subject: [PATCH 1044/2384] make selfbuild be forced on (and only) git master change --- roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 77f3346f..82b55cea 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -36,17 +36,19 @@ dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}" # version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" + register: matrix_mautrix_facebook_git_pull_results when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build" - name: Ensure Mautrix Facebook Docker image is built docker_image: name: "{{ matrix_mautrix_facebook_docker_image }}" source: build + force_source: yes build: dockerfile: Dockerfile path: "{{ matrix_mautrix_facebook_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build" + when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build and matrix_mautrix_facebook_git_pull_results.changed" - name: Check if an old database file already exists stat: From 17e7bae2cc502b5b0f7de88f1e73aff3baefc453 Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Mon, 6 Apr 2020 18:42:15 +0200 Subject: [PATCH 1045/2384] make selfbuild be forced on (and only) git master change --- roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index db1dc884..ae962d34 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -35,17 +35,19 @@ repo: https://github.com/tulir/mautrix-hangouts.git dest: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" force: "yes" + register: matrix_mautrix_hangouts_git_pull_results when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build" - name: Ensure Mautrix Hangouts Docker image is built docker_image: name: "{{ matrix_mautrix_hangouts_docker_image }}" source: build + force_source: yes build: dockerfile: Dockerfile path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build" + when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build and matrix_mautrix_hangouts_git_pull_results.changed" - name: Check if an old database file already exists stat: From fab1e23609f05a15a1f2b327df394986a06d5dd4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Apr 2020 21:35:49 +0300 Subject: [PATCH 1046/2384] Make a few more Jitsi Meet options configurable --- roles/matrix-jitsi/defaults/main.yml | 5 ++++- roles/matrix-jitsi/templates/web/config.js.j2 | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 6fa4c340..1fed1744 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -52,9 +52,12 @@ matrix_jitsi_web_container_extra_arguments: [] matrix_jitsi_web_systemd_required_services_list: ['docker.service'] matrix_jitsi_web_config_defaultLanguage: 'en' -matrix_jitsi_web_interface_config_lang_detection: false matrix_jitsi_web_config_start_with_audio_muted: false matrix_jitsi_web_config_start_with_video_muted: false +matrix_jitsi_web_config_testing_enableFirefoxSimulcast: false +matrix_jitsi_web_config_testing_p2pTestMode: false + +matrix_jitsi_web_interface_config_lang_detection: false matrix_jitsi_web_interface_config_show_jitsi_watermark: true matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org" matrix_jitsi_web_interface_config_show_brand_watermark: false diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 index df57ca5c..7e24d30b 100644 --- a/roles/matrix-jitsi/templates/web/config.js.j2 +++ b/roles/matrix-jitsi/templates/web/config.js.j2 @@ -56,11 +56,11 @@ var config = { testing: { // Enables experimental simulcast support on Firefox. - enableFirefoxSimulcast: false, + enableFirefoxSimulcast: {{ matrix_jitsi_web_config_testing_enableFirefoxSimulcast|to_json }}, // P2P test mode disables automatic switching to P2P when there are 2 // participants in the conference. - p2pTestMode: false + p2pTestMode: {{ matrix_jitsi_web_config_testing_p2pTestMode|to_json }} // Enables the test specific features consumed by jitsi-meet-torture // testMode: false From f9d39f1c0cdb1f73000a254a43792d9c00f61f2b Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Wed, 8 Apr 2020 01:59:30 +0200 Subject: [PATCH 1047/2384] update Jitsi, add generate-jitsi-passwords script --- .gitignore | 1 + docs/configuring-playbook-jitsi.md | 11 ++++ inventory/scripts/generate-jitsi-passwords.sh | 50 +++++++++++++++++++ roles/matrix-jitsi/defaults/main.yml | 8 +-- 4 files changed, 66 insertions(+), 4 deletions(-) create mode 100755 inventory/scripts/generate-jitsi-passwords.sh diff --git a/.gitignore b/.gitignore index e3f61b55..32ab139f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ /inventory/* !/inventory/.gitkeep !/inventory/host_vars/.gitkeep +!/inventory/scripts /roles/*/files/scratchpad diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index c2834244..017cb4eb 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -25,6 +25,17 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: matrix_jitsi_enabled: true ``` +## Securing your Jitsi instance with strong passwords + +Please use the bash script provided in this repo to generate strong passwords for your Jitsi instance. +Execute the following commands in your terminal from the root of this repo: +```bash +cd inventory/scripts +bash generate-jitsi-passwords.sh +``` + +The script will add the corresponding ansible variables and passwords generated with `openssl rand -hex 16` to the bottom of your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration. + ## (Optional) configure internal Jitsi authentication and guests mode By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration. diff --git a/inventory/scripts/generate-jitsi-passwords.sh b/inventory/scripts/generate-jitsi-passwords.sh new file mode 100755 index 00000000..2f0cb00c --- /dev/null +++ b/inventory/scripts/generate-jitsi-passwords.sh @@ -0,0 +1,50 @@ +#!/usr/bin/env bash +# This is a bash script for generating strong passwords for the Jitsi role in this ansible project: +# https://github.com/spantaleev/matrix-docker-ansible-deploy + +# This script assumes that you followed the documentation at https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook.md and created a folder in the source code's directory like this: 'mkdir inventory/host_vars/matrix.' +# it will put the generated passwords for Jitsi at the end of the vars.yml file in that directory + +function generatePassword() { + openssl rand -hex 16 +} + +# helper function to get the matrix domain in the host_vars directory +function get_domain_dir() { + counter=0 + + for f in *; do + counter=$(( counter + 1 )) + if [ ! -d "$f" ]; then + echo "Error: could not find directory 'matrix.your.domain'" + echo "Did you create it already? Please first setup your matrix homeserver before running this script." + echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md" + exit 1 + elif [[ "$counter" -gt 1 ]]; then + echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected." + echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook." + echo "Cannot continue script, exiting." + exit 1 + fi + + # Will not set domain if zero or multiple directories are detected + domain=$f + done +} + +cd ../host_vars +get_domain_dir + +JICOFO_COMPONENT_SECRET=`generatePassword` +JICOFO_AUTH_PASSWORD=`generatePassword` +JVB_AUTH_PASSWORD=`generatePassword` +JIBRI_RECORDER_PASSWORD=`generatePassword` +JIBRI_XMPP_PASSWORD=`generatePassword` + +echo "" >> ../host_vars/${domain}/vars.yml +echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml +echo "matrix_jitsi_jicofo_component_secret: $JICOFO_COMPONENT_SECRET" >> ../host_vars/${domain}/vars.yml +echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml +echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml +echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD" >> ../host_vars/${domain}/vars.yml +echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD" >> ../host_vars/${domain}/vars.yml diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 1fed1744..55f82677 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -28,7 +28,7 @@ matrix_jitsi_jibri_recorder_user: recorder matrix_jitsi_jibri_recorder_password: recorder-password -matrix_jitsi_web_docker_image: "jitsi/web:4101" +matrix_jitsi_web_docker_image: "jitsi/web:4384" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" @@ -73,7 +73,7 @@ matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false matrix_jisti_web_interface_config_show_deep_linking_image: false -matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101" +matrix_jitsi_prosody_docker_image: "jitsi/prosody:4384" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -86,7 +86,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4101" +matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4384" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -103,7 +103,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: passw0rd -matrix_jitsi_jvb_docker_image: "jitsi/jvb:4101" +matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" From 6a9eb89ea6ac5ce59bcdd023884fd8bdb782006f Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Wed, 8 Apr 2020 02:04:59 +0200 Subject: [PATCH 1048/2384] fix whitespace --- inventory/scripts/generate-jitsi-passwords.sh | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/inventory/scripts/generate-jitsi-passwords.sh b/inventory/scripts/generate-jitsi-passwords.sh index 2f0cb00c..244d977f 100755 --- a/inventory/scripts/generate-jitsi-passwords.sh +++ b/inventory/scripts/generate-jitsi-passwords.sh @@ -12,21 +12,21 @@ function generatePassword() { # helper function to get the matrix domain in the host_vars directory function get_domain_dir() { counter=0 - + for f in *; do counter=$(( counter + 1 )) if [ ! -d "$f" ]; then - echo "Error: could not find directory 'matrix.your.domain'" - echo "Did you create it already? Please first setup your matrix homeserver before running this script." - echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md" - exit 1 - elif [[ "$counter" -gt 1 ]]; then - echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected." - echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook." - echo "Cannot continue script, exiting." - exit 1 - fi - + echo "Error: could not find directory 'matrix.your.domain'" + echo "Did you create it already? Please first setup your matrix homeserver before running this script." + echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md" + exit 1 + elif [[ "$counter" -gt 1 ]]; then + echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected." + echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook." + echo "Cannot continue script, exiting." + exit 1 + fi + # Will not set domain if zero or multiple directories are detected domain=$f done From f798605836e46cc73daa8da937a7ea46d7778087 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 09:37:54 +0300 Subject: [PATCH 1049/2384] Undefine Jitsi secrets and require their (re-)definition --- docs/configuring-playbook-jitsi.md | 24 ++++++++++++++++---- roles/matrix-jitsi/defaults/main.yml | 10 ++++---- roles/matrix-jitsi/tasks/main.yml | 6 +++++ roles/matrix-jitsi/tasks/validate_config.yml | 21 +++++++++++++++++ 4 files changed, 51 insertions(+), 10 deletions(-) create mode 100644 roles/matrix-jitsi/tasks/validate_config.yml diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 017cb4eb..028d2b15 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -66,11 +66,7 @@ docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua reg Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. -**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. The playbook can't yet rebuild all configuration files for some Jitsi services (like `matrix-jitsi-prosody`), which may cause such an error. **If you encounter this error**, we encourage you to: -- stop all Jitsi services (`systemctl stop matrix-jitsi-*`) -- remove the Jitsi Prosody configuration & data (`rm -rf /matrix/jitsi/prosody`) -- rebuild Jitsi configuration and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) -- try the previously-failing command once again +**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). ## Usage @@ -78,3 +74,21 @@ Run this command for each user you would like to create, replacing `` You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`. To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. + + +## Troubleshooting + +### Rebuilding your Jitsi installation + +**If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup. + +We normally don't require such manual intervention for other services, for Jitsi services generate a lot of configuration files on their own. + +These files are not all managed by Ansible (at least not yet), so you may sometimes need to delete them all and start fresh. + +To rebuild your Jitsi configuration: + +- SSH into the server and do this: + - stop all Jitsi services (`systemctl stop matrix-jitsi-*`). + - remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`) +- ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 55f82677..83511c4c 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -23,9 +23,9 @@ matrix_jitsi_recorder_domain: recorder.meet.jitsi matrix_jitsi_jibri_brewery_muc: jibribrewery matrix_jitsi_jibri_pending_timeout: 90 matrix_jitsi_jibri_xmpp_user: jibri -matrix_jitsi_jibri_xmpp_password: jibri-password +matrix_jitsi_jibri_xmpp_password: '' matrix_jitsi_jibri_recorder_user: recorder -matrix_jitsi_jibri_recorder_password: recorder-password +matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_web_docker_image: "jitsi/web:4384" @@ -98,9 +98,9 @@ matrix_jitsi_jicofo_container_extra_arguments: [] # List of systemd services that matrix-jitsi-jicofo.service depends on matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] -matrix_jitsi_jicofo_component_secret: s3cr37 +matrix_jitsi_jicofo_component_secret: '' matrix_jitsi_jicofo_auth_user: focus -matrix_jitsi_jicofo_auth_password: passw0rd +matrix_jitsi_jicofo_auth_password: '' matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384" @@ -116,7 +116,7 @@ matrix_jitsi_jvb_container_extra_arguments: [] matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] matrix_jitsi_jvb_auth_user: jvb -matrix_jitsi_jvb_auth_password: passw0rd +matrix_jitsi_jvb_auth_password: '' # STUN servers used by JVB on the server-side, so it can discover its own external IP address. # Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. diff --git a/roles/matrix-jitsi/tasks/main.yml b/roles/matrix-jitsi/tasks/main.yml index 2bc4a57f..e4f3508f 100644 --- a/roles/matrix-jitsi/tasks/main.yml +++ b/roles/matrix-jitsi/tasks/main.yml @@ -2,6 +2,12 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_jitsi_enabled|bool" + tags: + - setup-all + - setup-jitsi + - import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" when: run_setup|bool tags: diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml new file mode 100644 index 00000000..ea92c914 --- /dev/null +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -0,0 +1,21 @@ +--- + +- name: Fail if required Jitsi settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using Jitsi. + + If you're setting up Jitsi for the first time, you may have missed a step. + Refer to our setup instructions (docs/configuring-playbook-jitsi.md). + + If you had setup Jitsi successfully before and it's just now that you're observing this failure, + it means that your installation may be using some default passwords that the playbook used to define until now. + This is not secure and we urge you to rebuild your Jitsi setup. + Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). + when: "vars[item] == ''" + with_items: + - "matrix_jitsi_jibri_xmpp_password" + - "matrix_jitsi_jibri_recorder_password" + - "matrix_jitsi_jicofo_component_secret" + - "matrix_jitsi_jicofo_auth_password" + - "matrix_jitsi_jvb_auth_password" From 976ccf3880561346853c7cd9292f8b19b9a64a14 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 09:39:38 +0300 Subject: [PATCH 1050/2384] Fix typo --- docs/configuring-playbook-jitsi.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 028d2b15..c7245e92 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -82,7 +82,7 @@ To use it via riot-web (the one configured by the playbook at `https://riot.DOMA **If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup. -We normally don't require such manual intervention for other services, for Jitsi services generate a lot of configuration files on their own. +We normally don't require such manual intervention for other services, but Jitsi services generate a lot of configuration files on their own. These files are not all managed by Ansible (at least not yet), so you may sometimes need to delete them all and start fresh. From b181f0268072a80b541e1e519c32c2def730dc5c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 09:55:44 +0300 Subject: [PATCH 1051/2384] Use dollar sign instead of backtick Co-Authored-By: Sandro --- inventory/scripts/generate-jitsi-passwords.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/inventory/scripts/generate-jitsi-passwords.sh b/inventory/scripts/generate-jitsi-passwords.sh index 244d977f..ae6d471a 100755 --- a/inventory/scripts/generate-jitsi-passwords.sh +++ b/inventory/scripts/generate-jitsi-passwords.sh @@ -35,11 +35,11 @@ function get_domain_dir() { cd ../host_vars get_domain_dir -JICOFO_COMPONENT_SECRET=`generatePassword` -JICOFO_AUTH_PASSWORD=`generatePassword` -JVB_AUTH_PASSWORD=`generatePassword` -JIBRI_RECORDER_PASSWORD=`generatePassword` -JIBRI_XMPP_PASSWORD=`generatePassword` +JICOFO_COMPONENT_SECRET=$(generatePassword) +JICOFO_AUTH_PASSWORD=$(generatePassword) +JVB_AUTH_PASSWORD=$(generatePassword) +JIBRI_RECORDER_PASSWORD=$(generatePassword) +JIBRI_XMPP_PASSWORD=$(generatePassword) echo "" >> ../host_vars/${domain}/vars.yml echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml From 1b27e0f812c652eb91504c3d8af24264b10039ce Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 10:05:10 +0300 Subject: [PATCH 1052/2384] Make generate-jitsi-passwords.sh less magical --- docs/configuring-playbook-jitsi.md | 16 +++---- inventory/scripts/generate-jitsi-passwords.sh | 44 +++++-------------- 2 files changed, 17 insertions(+), 43 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index c7245e92..1a3f10c7 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -23,18 +23,16 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enabled: true -``` - -## Securing your Jitsi instance with strong passwords -Please use the bash script provided in this repo to generate strong passwords for your Jitsi instance. -Execute the following commands in your terminal from the root of this repo: -```bash -cd inventory/scripts -bash generate-jitsi-passwords.sh +# Run `bash inventory/scripts/generate-jitsi-passwords.sh` to generate these passwords, +# or define your own strong passwords manually. +matrix_jitsi_jicofo_component_secret: "" +matrix_jitsi_jicofo_auth_password: "" +matrix_jitsi_jvb_auth_password: "" +matrix_jitsi_jibri_recorder_password: "" +matrix_jitsi_jibri_xmpp_password: "" ``` -The script will add the corresponding ansible variables and passwords generated with `openssl rand -hex 16` to the bottom of your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration. ## (Optional) configure internal Jitsi authentication and guests mode diff --git a/inventory/scripts/generate-jitsi-passwords.sh b/inventory/scripts/generate-jitsi-passwords.sh index ae6d471a..eacfa7d8 100755 --- a/inventory/scripts/generate-jitsi-passwords.sh +++ b/inventory/scripts/generate-jitsi-passwords.sh @@ -2,38 +2,14 @@ # This is a bash script for generating strong passwords for the Jitsi role in this ansible project: # https://github.com/spantaleev/matrix-docker-ansible-deploy -# This script assumes that you followed the documentation at https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook.md and created a folder in the source code's directory like this: 'mkdir inventory/host_vars/matrix.' -# it will put the generated passwords for Jitsi at the end of the vars.yml file in that directory - function generatePassword() { openssl rand -hex 16 } -# helper function to get the matrix domain in the host_vars directory -function get_domain_dir() { - counter=0 - - for f in *; do - counter=$(( counter + 1 )) - if [ ! -d "$f" ]; then - echo "Error: could not find directory 'matrix.your.domain'" - echo "Did you create it already? Please first setup your matrix homeserver before running this script." - echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md" - exit 1 - elif [[ "$counter" -gt 1 ]]; then - echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected." - echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook." - echo "Cannot continue script, exiting." - exit 1 - fi - - # Will not set domain if zero or multiple directories are detected - domain=$f - done -} +echo "# If this script fails, it's likely because you don't have the openssl tool installed." +echo "# Install it before using this script, or simply create your own passwords manually." -cd ../host_vars -get_domain_dir +echo "" JICOFO_COMPONENT_SECRET=$(generatePassword) JICOFO_AUTH_PASSWORD=$(generatePassword) @@ -41,10 +17,10 @@ JVB_AUTH_PASSWORD=$(generatePassword) JIBRI_RECORDER_PASSWORD=$(generatePassword) JIBRI_XMPP_PASSWORD=$(generatePassword) -echo "" >> ../host_vars/${domain}/vars.yml -echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jicofo_component_secret: $JICOFO_COMPONENT_SECRET" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD" >> ../host_vars/${domain}/vars.yml +echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:" +echo "" +echo "matrix_jitsi_jicofo_component_secret: "$JICOFO_COMPONENT_SECRET +echo "matrix_jitsi_jicofo_auth_password: "$JICOFO_AUTH_PASSWORD +echo "matrix_jitsi_jvb_auth_password: "$JVB_AUTH_PASSWORD +echo "matrix_jitsi_jibri_recorder_password: "$JIBRI_RECORDER_PASSWORD +echo "matrix_jitsi_jibri_xmpp_password: "$JIBRI_XMPP_PASSWORD From dcce276b8696fda1460bffbb6040a365eaf19bc6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 10:05:43 +0300 Subject: [PATCH 1053/2384] Rename script file --- docs/configuring-playbook-jitsi.md | 2 +- ...{generate-jitsi-passwords.sh => jitsi-generate-passwords.sh} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename inventory/scripts/{generate-jitsi-passwords.sh => jitsi-generate-passwords.sh} (100%) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 1a3f10c7..d6ff1c8a 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -24,7 +24,7 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enabled: true -# Run `bash inventory/scripts/generate-jitsi-passwords.sh` to generate these passwords, +# Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords, # or define your own strong passwords manually. matrix_jitsi_jicofo_component_secret: "" matrix_jitsi_jicofo_auth_password: "" diff --git a/inventory/scripts/generate-jitsi-passwords.sh b/inventory/scripts/jitsi-generate-passwords.sh similarity index 100% rename from inventory/scripts/generate-jitsi-passwords.sh rename to inventory/scripts/jitsi-generate-passwords.sh From 14786071afaf55ac56aecb2c2a33071af70da62c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 10:23:51 +0300 Subject: [PATCH 1054/2384] Pass JVB_AUTH_PASSWORD environment variable to make JVB startup happy We define this password in the `sip-communicator.properties` configuration file, so this is not needed for actually running JVB. However, it does a (useless) safety check during container startup, and we need to make that check happy. --- roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 7 +++++++ roles/matrix-jitsi/templates/jvb/env.j2 | 1 + .../matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 | 1 + 3 files changed, 9 insertions(+) create mode 100644 roles/matrix-jitsi/templates/jvb/env.j2 diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml index e4d652ed..f442fc6e 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml @@ -34,6 +34,13 @@ - logging.properties when: matrix_jitsi_enabled|bool +- name: Ensure jitsi-jvb environment variables file created + template: + src: "{{ role_path }}/templates/jvb/env.j2" + dest: "{{ matrix_jitsi_jvb_base_path }}/env" + mode: 0640 + when: matrix_jitsi_enabled|bool + - name: Ensure matrix-jitsi-jvb.service installed template: src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2" diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 new file mode 100644 index 00000000..423070db --- /dev/null +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -0,0 +1 @@ +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 03aef079..5df5807a 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -14,6 +14,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \ --log-driver=none \ --network={{ matrix_docker_network }} \ + --env-file={{ matrix_jitsi_jvb_base_path }}/env \ {% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} -p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ {% endif %} From 25d51d3de3eacebd8ce61ffedc7fd967f1a11cf1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 16:46:41 +0300 Subject: [PATCH 1055/2384] Fix typo --- docs/self-building.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/self-building.md b/docs/self-building.md index 6b9a46d4..bef35852 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -4,7 +4,7 @@ The playbook supports the self-building of some of its components. This may be u To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file: ```yaml -matrix_container_images_self_build = true +matrix_container_images_self_build: true ``` Setting that variable will self-build every role which supports self-building. Self-building can be set on a per-role basis as well. From 61fffa169c63e042549b7ac99dda533945ca0d69 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 19:08:15 +0300 Subject: [PATCH 1056/2384] Use Jitsi STUN servers instead of Google ones These are some new defaults that we switch to, to follow upstream changes: - https://github.com/jitsi/docker-jitsi-meet/commit/264df04 - https://github.com/jitsi/jitsi-meet/commit/3121494d4b149108bd94185e2a4b22b8eafdc794 --- group_vars/matrix_servers | 2 +- roles/matrix-jitsi/defaults/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e9dbffb5..ef753e17 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -416,7 +416,7 @@ matrix_jitsi_web_stun_servers: | matrix_server_fqn_matrix + ':3478', ] if matrix_coturn_enabled - else [ 'stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302'] + else [ 'meet-jit-si-turnrelay.jitsi.net:443'] }} ###################################################################### diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 83511c4c..44a279c7 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -38,7 +38,7 @@ matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" # STUN servers used in the web UI. Feel free to point them to your own STUN server. -matrix_jitsi_web_stun_servers: ['stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302'] +matrix_jitsi_web_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443'] # Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container). # @@ -120,7 +120,7 @@ matrix_jitsi_jvb_auth_password: '' # STUN servers used by JVB on the server-side, so it can discover its own external IP address. # Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. -matrix_jitsi_jvb_stun_servers: ['stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302'] +matrix_jitsi_jvb_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443'] matrix_jitsi_jvb_brewery_muc: jvbbrewery matrix_jitsi_jvb_rtp_udp_port: 10000 From 110720714756d39b6e72859eb4371fd81be2c8b9 Mon Sep 17 00:00:00 2001 From: Rodrigo Belem Date: Mon, 16 Mar 2020 20:33:11 -0400 Subject: [PATCH 1057/2384] Initial mx-puppet-skype bridge role --- group_vars/matrix_servers | 29 +++ .../defaults/main.yml | 209 ++++++++++++++++++ .../tasks/init.yml | 23 ++ .../tasks/main.yml | 21 ++ .../tasks/setup_install.yml | 93 ++++++++ .../tasks/setup_uninstall.yml | 24 ++ .../tasks/validate_config.yml | 10 + .../systemd/matrix-mx-puppet-skype.service.j2 | 38 ++++ setup.yml | 1 + 9 files changed, 448 insertions(+) create mode 100644 roles/matrix-bridge-mx-puppet-skype/defaults/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-skype/tasks/init.yml create mode 100644 roles/matrix-bridge-mx-puppet-skype/tasks/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ef753e17..a1fb3740 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -290,6 +290,35 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro ###################################################################### +###################################################################### +# +# matrix-bridge-mx-puppet-skype +# +###################################################################### + +# We don't enable bridges by default. +matrix_mx_puppet_skype_enabled: false + +matrix_mx_puppet_skype_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}" + +matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.hs.token') | to_uuid }}" + +matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +###################################################################### +# +# /matrix-bridge-mx-puppet-skype +# +###################################################################### + + ###################################################################### # # matrix-corporal diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml new file mode 100644 index 00000000..9eb2c964 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -0,0 +1,209 @@ +# Mx Puppet Skype is a Matrix <-> Skype bridge +# See: https://github.com/Sorunome/mx-puppet-skype + +matrix_mx_puppet_skype_enabled: true + +matrix_mx_puppet_skype_container_image_self_build: false + +matrix_mx_puppet_skype_docker_image: "sorunome/mx-puppet-skype:latest" +matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}" + +matrix_mx_puppet_skype_base_path: "{{ matrix_base_data_path }}/mx-puppet-skype" +matrix_mx_puppet_skype_config_path: "{{ matrix_mx_puppet_skype_base_path }}/data" +matrix_mx_puppet_skype_data_path: "{{ matrix_mx_puppet_skype_base_path }}/data" +matrix_mx_puppet_skype_docker_src_files_path: "{{ matrix_mx_puppet_skype_base_path }}/docker-src" + +matrix_mx_puppet_skype_appservice_port: "6000" + +matrix_mx_puppet_skype_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_skype_homeserver_domain: '{{ matrix_domain }}' +matrix_mx_puppet_skype_appservice_address: 'http://matrix-mx-puppet-skype:{{ matrix_mx_puppet_skype_appservice_port }}' + +# A list of extra arguments to pass to the container +matrix_mx_puppet_skype_container_extra_arguments: [] + +# List of systemd services that matrix-puppet-skype.service depends on. +matrix_mx_puppet_skype_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-puppet-skype.service wants +matrix_mx_puppet_skype_systemd_wanted_services_list: [] + +matrix_mx_puppet_skype_appservice_token: '' +matrix_mx_puppet_skype_homeserver_token: '' + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mx_puppet_skype_login_shared_secret: '' + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mx_puppet_skype_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mx_puppet_skype_configuration_yaml: | + #jinja2: lstrip_blocks: "True" + bridge: + # Address for the bridge to bind to; if running as a Docker container, you + # probably want 0.0.0.0 here + bindAddress: 0.0.0.0 + # Port to host the bridge on which your homeserver will connect to + port: {{ matrix_mx_puppet_skype_appservice_port }} + # Name of your homeserver + domain: {{ matrix_mx_puppet_skype_homeserver_domain }} + # URL where the bridge can connect to your homeserver + homeserverUrl: {{ matrix_mx_puppet_skype_homeserver_address }} + # Optionally specify a different media URL used for the media store + mediaURL: https://{{ matrix_server_fqn_matrix }} + # This enabled automatic double-puppeting: + # A map for shared secrets of the homeserver URL to the shared secret + # See https://github.com/devture/matrix-synapse-shared-secret-auth + #loginSharedSecretMap: + # yourserver.com: supersecretsharedsecret + {% if matrix_mx_puppet_skype_login_shared_secret != '' %} + loginSharedSecretMap: + {{ matrix_mx_puppet_skype_homeserver_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }} + {% endif %} + # optionally override the display name of the bridge bot + #displayname: Protocol Bot + # optionally set the avatar of the bridge bot + #avatarUrl: mxc://yourserver.com/somefile + + logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Optionally, you can apply filters to the console logging + #console: + # level: info + # enabled: + # - Store + # disabled: + # - PresenceHandler + + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: + # Log file path + - file: "/data/bridge.log" + # Log level for this file + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + level: info + # Date and time formatting + datePattern: YYYY-MM-DD + # Maximum number of logs to keep. + # This can be a number of files or number of days. + # If using days, add 'd' as a suffix + maxFiles: 14d + # Maximum size of the file after which it will rotate. This can be a + # number of bytes, or units of kb, mb, and gb. If using the units, add + # 'k', 'm', or 'g' as the suffix + maxSize: 50m + # Optionally enable/disable logging for certain modules + #disabled: + # - PresenceHandler + # - module: bot-sdk-MatrixLiteClient + # regex: /_matrix/client/r0/presence/ # this regex needs to match to disable the log + #enabled: + # - Store + + database: + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". + # Modify each value as necessary + #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db + + provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + - '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}' + # Allow anyone + #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + + presence: + # Bridge online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 500 + # if the im.vector.user_status state setting should be diabled + #disableStatusState: false + # A blacklist of remote user IDs for the im.vector.user_status state setting + #statusStateBlacklist: + # - baduser + + relay: + # Regex of Matrix IDs to allow to use the relay mode + # Same format as in provisioning + whitelist: + - '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}' + #blacklist: + #- "@user:yourserver\\.com" + + # Map certain homeserver URLs to the C-S API endpoint + # Useful for double-puppeting if .well-known is unavailable for some reason + #homeserverUrlMap: + # yourserver.com: http://localhost:1234 + + namePatterns: + # Override the protocols set default name patterns + # Which variables are available depends on protocol implementation + user: :name + room: :name + + limits: + # Up to how many users should be auto-joined on room creation? -1 to disable + # Defaults to 200 + maxAutojoinUsers: 200 + # How long the delay between two autojoin users should be, in millisectonds. + # Defaults to 5000 + roomUserAutojoinDelay: 5000 + +matrix_mx_puppet_skype_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mx_puppet_skype_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mx_puppet_skype_configuration_yaml`. + +matrix_mx_puppet_skype_configuration_extension: "{{ matrix_mx_puppet_skype_configuration_extension_yaml|from_yaml if matrix_mx_puppet_skype_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mx_puppet_skype_configuration_yaml`. +matrix_mx_puppet_skype_configuration: "{{ matrix_mx_puppet_skype_configuration_yaml|from_yaml|combine(matrix_mx_puppet_skype_configuration_extension, recursive=True) }}" + +matrix_mx_puppet_skype_registration_yaml: | + as_token: "{{ matrix_mx_puppet_skype_appservice_token }}" + hs_token: "{{ matrix_mx_puppet_skype_homeserver_token }}" + id: skype-puppet + namespaces: + users: + - exclusive: true + regex: '@_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}' + rooms: [] + aliases: + - exclusive: true + regex: '#_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}' + protocols: [] + rate_limited: false + sender_localpart: _skypepuppet_bot + url: {{ matrix_mx_puppet_skype_appservice_address }} + +matrix_mx_puppet_skype_registration: "{{ matrix_mx_puppet_skype_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml new file mode 100644 index 00000000..099baa07 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -0,0 +1,23 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype'] }}" + when: matrix_mx_puppet_skype_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mx_puppet_skype_config_path }}/skype-registration.yaml,dst=/matrix-mx-puppet-skype-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mx-puppet-skype-registration.yaml"] }} + when: matrix_mx_puppet_skype_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Puppet Skype image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/main.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/main.yml new file mode 100644 index 00000000..01ddd7d8 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mx_puppet_skype_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-skype + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mx_puppet_skype_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-skype + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mx_puppet_skype_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-skype diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml new file mode 100644 index 00000000..46e37112 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -0,0 +1,93 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mx-puppet-skype role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- name: Ensure MX Puppet Skype image is pulled + docker_image: + name: "{{ matrix_mx_puppet_skype_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_skype_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_skype_docker_image_force_pull }}" + when: matrix_mx_puppet_skype_enabled|bool and not matrix_mx_puppet_skype_container_image_self_build + +- name: Ensure MX Puppet Skype paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - { path: "{{ matrix_mx_puppet_skype_base_path }}", when: true } + - { path: "{{ matrix_mx_puppet_skype_config_path }}", when: true } + - { path: "{{ matrix_mx_puppet_skype_data_path }}", when: true } + - { path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}", when: "{{ matrix_mx_puppet_skype_container_image_self_build }}" } + when: matrix_mx_puppet_skype_enabled|bool and item.when|bool + +- name: Ensure MX Puppet Skype repository is present on self build + git: + repo: https://github.com/Sorunome/mx-puppet-skype.git + dest: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" + force: "yes" + when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build" + +- name: Ensure MX Puppet Skype Docker image is built + docker_image: + name: "{{ matrix_mx_puppet_skype_docker_image }}" + source: build + build: + dockerfile: Dockerfile + path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" + pull: yes + when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build" + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_skype_base_path }}/database.db" + register: matrix_mx_puppet_skype_stat_database + +- name: (Data relocation) Ensure matrix-mx-puppet-skype.service is stopped + service: + name: matrix-mx-puppet-skype + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mx_puppet_skype_stat_database.stat.exists" + +- name: (Data relocation) Move mx-puppet-skype database file to ./data directory + command: "mv {{ matrix_mx_puppet_skype_base_path }}/database.db {{ matrix_mx_puppet_skype_data_path }}/database.db" + when: "matrix_mx_puppet_skype_stat_database.stat.exists" + +- name: Ensure mx-puppet-skype config.yaml installed + copy: + content: "{{ matrix_mx_puppet_skype_configuration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_skype_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure mx-puppet-skype skype-registration.yaml installed + copy: + content: "{{ matrix_mx_puppet_skype_registration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_skype_config_path }}/skype-registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure matrix-mx-puppet-skype.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-skype.service.j2" + dest: "/etc/systemd/system/matrix-mx-puppet-skype.service" + mode: 0644 + register: matrix_mx_puppet_skype_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mx-puppet-skype.service installation + service: + daemon_reload: yes + when: "matrix_mx_puppet_skype_systemd_service_result.changed" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml new file mode 100644 index 00000000..72b3a945 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mx-puppet-skype service + stat: + path: "/etc/systemd/system/matrix-mx-puppet-skype.service" + register: matrix_mx_puppet_skype_service_stat + +- name: Ensure matrix-mx-puppet-skype is stopped + service: + name: matrix-mx-puppet-skype + state: stopped + daemon_reload: yes + when: "matrix_mx_puppet_skype_service_stat.stat.exists" + +- name: Ensure matrix-mx-puppet-skype.service doesn't exist + file: + path: "/etc/systemd/system/matrix-mx-puppet-skype.service" + state: absent + when: "matrix_mx_puppet_skype_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mx-puppet-skype.service removal + service: + daemon_reload: yes + when: "matrix_mx_puppet_skype_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml new file mode 100644 index 00000000..7ed433b1 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mx_puppet_skype_appservice_token" + - "matrix_mx_puppet_skype_homeserver_token" diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 new file mode 100644 index 00000000..de0c9d20 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 @@ -0,0 +1,38 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mx Puppet Skype server +{% for service in matrix_mx_puppet_skype_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mx_puppet_skype_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-mx-puppet-skype +ExecStartPre=-/usr/bin/docker rm matrix-mx-puppet-skype + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre=/bin/sleep 5 + +ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-skype \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -v {{ matrix_mx_puppet_skype_data_path }}:/data:z \ + {% for arg in matrix_mx_puppet_skype_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mx_puppet_skype_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-mx-puppet-skype +ExecStop=-/usr/bin/docker rm matrix-mx-puppet-skype +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mx-puppet-skype + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 5baee8f3..bca4b240 100755 --- a/setup.yml +++ b/setup.yml @@ -16,6 +16,7 @@ - matrix-bridge-mautrix-hangouts - matrix-bridge-mautrix-telegram - matrix-bridge-mautrix-whatsapp + - matrix-bridge-mx-puppet-skype - matrix-synapse - matrix-riot-web - matrix-jitsi From 53f893b77e7ab5d31413a85ff76d52a8575b6184 Mon Sep 17 00:00:00 2001 From: Rodrigo Belem Date: Wed, 8 Apr 2020 13:18:02 -0400 Subject: [PATCH 1058/2384] Add documentations for the mx-puppet-skype bridge --- ...iguring-playbook-bridge-mx-bridge-skype.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mx-bridge-skype.md diff --git a/docs/configuring-playbook-bridge-mx-bridge-skype.md b/docs/configuring-playbook-bridge-mx-bridge-skype.md new file mode 100644 index 00000000..f39ce51e --- /dev/null +++ b/docs/configuring-playbook-bridge-mx-bridge-skype.md @@ -0,0 +1,32 @@ +# Setting up MX Puppet Skype (optional) + +The playbook can install and configure +[mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) for you. + +See the project's +[documentation](https://github.com/tulir/mautrix-hangouts/wiki#usage) to learn +what it does and why it might be useful to you. + +To enable the [Skype](https://www.skype.com/) bridge just use the following +playbook configuration: + + +```yaml +matrix_mx_puppet_skype_enabled: true +``` + + +## Usage + +Once the bot is enabled you need to start a chat with `Skype Puppet Bridge` with +the handle `@_skypepuppet_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base +domain, not the `matrix.` domain). + +Send `link ` to the bridge bot to link your skype account. + +Once logged in, send `list` to the bot user to list the available rooms. + +Clicking rooms in the list will result in you receiving an invitation to the +bridged room. + +Also send `help` to the bot to see the commands available. From 67a5ef97ba34d8cc4a865783f657832d0148f4d6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Apr 2020 09:16:10 +0300 Subject: [PATCH 1059/2384] Fix missing "stun:" prefix for jitsi/web STUN server URLs Hopefully fixes an error like this (which I haven't been able to reproduce, but..): > [modules/xmpp/strophe.util.js] : Strophe: Error: Failed to construct 'RTCPeerConnection': 'matrix.DOMAIN' is not one of the supported URL schemes 'stun', 'turn' or 'turns'. --- group_vars/matrix_servers | 6 +++--- roles/matrix-jitsi/defaults/main.yml | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ef753e17..5841b20c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -412,11 +412,11 @@ matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | passwor matrix_jitsi_web_stun_servers: | {{ [ - matrix_server_fqn_matrix + ':5349', - matrix_server_fqn_matrix + ':3478', + 'stun:' + matrix_server_fqn_matrix + ':5349', + 'stun:' + matrix_server_fqn_matrix + ':3478', ] if matrix_coturn_enabled - else [ 'meet-jit-si-turnrelay.jitsi.net:443'] + else [ 'stun:meet-jit-si-turnrelay.jitsi.net:443'] }} ###################################################################### diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 44a279c7..fb9242ed 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -38,7 +38,8 @@ matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" # STUN servers used in the web UI. Feel free to point them to your own STUN server. -matrix_jitsi_web_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443'] +# Addresses need to be prefixed with one of `stun:`, `turn:` or `turns:`. +matrix_jitsi_web_stun_servers: ['stun:meet-jit-si-turnrelay.jitsi.net:443'] # Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container). # From 4e9976d559418ae9747ec7b255c2bab126dc309b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Apr 2020 09:26:03 +0300 Subject: [PATCH 1060/2384] Rename documentation file --- ...kype.md => configuring-playbook-bridge-mx-puppet-skype.md} | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) rename docs/{configuring-playbook-bridge-mx-bridge-skype.md => configuring-playbook-bridge-mx-puppet-skype.md} (84%) diff --git a/docs/configuring-playbook-bridge-mx-bridge-skype.md b/docs/configuring-playbook-bridge-mx-puppet-skype.md similarity index 84% rename from docs/configuring-playbook-bridge-mx-bridge-skype.md rename to docs/configuring-playbook-bridge-mx-puppet-skype.md index f39ce51e..cca5e305 100644 --- a/docs/configuring-playbook-bridge-mx-bridge-skype.md +++ b/docs/configuring-playbook-bridge-mx-puppet-skype.md @@ -3,9 +3,7 @@ The playbook can install and configure [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) for you. -See the project's -[documentation](https://github.com/tulir/mautrix-hangouts/wiki#usage) to learn -what it does and why it might be useful to you. +See the project page to learn what it does and why it might be useful to you. To enable the [Skype](https://www.skype.com/) bridge just use the following playbook configuration: From 5b8f8bc9420e23a91c15bfe7408546b6d6a46902 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Apr 2020 09:33:30 +0300 Subject: [PATCH 1061/2384] Announce Skype bridging --- CHANGELOG.md | 9 +++++++++ README.md | 2 ++ docs/configuring-playbook.md | 2 ++ 3 files changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index af2c8910..b849ef35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2020-04-09 + +## Skype bridging support + +Thanks to [Rodrigo Belem](https://github.com/rbelem)'s efforts, the playbook now supports bridging to [Skype](https://www.skype.com) via the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge. + +See our [Setting up MX Puppet Skype bridging](docs/configuring-playbook-bridge-mx-puppet-skype.md) documentation page for getting started. + + # 2020-04-05 ## Private Jitsi support diff --git a/README.md b/README.md index b16a8dfe..43125026 100644 --- a/README.md +++ b/README.md @@ -144,6 +144,8 @@ This playbook sets up your server using the following Docker images: - [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) - the [Appservice Webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge (optional) +- [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https:/www.skype.com) (optional) + - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) - [jitsi/web](https://hub.docker.com/r/jitsi/web) - the [Jitsi](https://jitsi.org/) web UI (optional) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 4d0d2093..af00f7c0 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -97,4 +97,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Appservice Webhooks bridging](configuring-playbook-bridge-appservice-webhooks.md) (optional) +- [Setting up MX Puppet Skype bridging](configuring-playbook-bridge-mx-puppet-skype.md) (optional) + - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional) From c1a66d3422c3b0a1676ba6358fc182668de8f4c3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Apr 2020 09:44:10 +0300 Subject: [PATCH 1062/2384] Put mx-puppet-skype configs in ./config directory, not ./data --- roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 2 +- roles/matrix-bridge-mx-puppet-skype/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml | 2 +- .../templates/systemd/matrix-mx-puppet-skype.service.j2 | 3 +++ 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 9eb2c964..d4df2f0d 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -9,7 +9,7 @@ matrix_mx_puppet_skype_docker_image: "sorunome/mx-puppet-skype:latest" matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}" matrix_mx_puppet_skype_base_path: "{{ matrix_base_data_path }}/mx-puppet-skype" -matrix_mx_puppet_skype_config_path: "{{ matrix_mx_puppet_skype_base_path }}/data" +matrix_mx_puppet_skype_config_path: "{{ matrix_mx_puppet_skype_base_path }}/config" matrix_mx_puppet_skype_data_path: "{{ matrix_mx_puppet_skype_base_path }}/data" matrix_mx_puppet_skype_docker_src_files_path: "{{ matrix_mx_puppet_skype_base_path }}/docker-src" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml index 099baa07..801c71c2 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -7,7 +7,7 @@ matrix_synapse_container_extra_arguments: > {{ matrix_synapse_container_extra_arguments|default([]) }} + - ["--mount type=bind,src={{ matrix_mx_puppet_skype_config_path }}/skype-registration.yaml,dst=/matrix-mx-puppet-skype-registration.yaml,ro"] + ["--mount type=bind,src={{ matrix_mx_puppet_skype_config_path }}/registration.yaml,dst=/matrix-mx-puppet-skype-registration.yaml,ro"] matrix_synapse_app_service_config_files: > {{ matrix_synapse_app_service_config_files|default([]) }} diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 46e37112..894b0a9b 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -75,7 +75,7 @@ - name: Ensure mx-puppet-skype skype-registration.yaml installed copy: content: "{{ matrix_mx_puppet_skype_registration|to_nice_yaml }}" - dest: "{{ matrix_mx_puppet_skype_config_path }}/skype-registration.yaml" + dest: "{{ matrix_mx_puppet_skype_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 index de0c9d20..cc55f324 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 @@ -22,6 +22,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-skype \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ + -e CONFIG_PATH=/config/config.yaml \ + -e REGISTRATION_PATH=/config/registration.yaml \ + -v {{ matrix_mx_puppet_skype_config_path }}:/config:z \ -v {{ matrix_mx_puppet_skype_data_path }}:/data:z \ {% for arg in matrix_mx_puppet_skype_container_extra_arguments %} {{ arg }} \ From 7035af87d8d96c9381b47ed65a39e05ead1dc3b5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Apr 2020 09:58:35 +0300 Subject: [PATCH 1063/2384] Add support for Jitsi discovery for Riot via /.well-known/matrix/client This will not work yet, as no version of Riot currently supports it. It's expected to land in riot-web v1.5.16 via matrix-org/matrix-react-sdk#4348. --- group_vars/matrix_servers | 2 ++ roles/matrix-base/defaults/main.yml | 5 +++++ .../templates/static-files/well-known/matrix-client.j2 | 5 +++++ 3 files changed, 12 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 474ef960..864cd7d4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -18,6 +18,8 @@ matrix_identity_server_url: "{{ 'https://' + matrix_synapse_trusted_third_party_id_servers[0] if matrix_synapse_trusted_third_party_id_servers|length > 0 else None }}" +matrix_riot_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}" + ###################################################################### # # /matrix-base diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index c6ed430b..7f4c6ace 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -43,6 +43,11 @@ matrix_identity_server_url: ~ matrix_integration_manager_rest_url: ~ matrix_integration_manager_ui_url: ~ +# The domain name where a Jitsi server is self-hosted. +# If set, `/.well-known/matrix/client` will suggest Riot clients to use that Jitsi server. +# See: https://github.com/vector-im/riot-web/blob/develop/docs/jitsi.md#configuring-riot-to-use-your-self-hosted-jitsi-server +matrix_riot_jitsi_preferredDomain: '' + # The Docker network that all services would be put into matrix_docker_network: "matrix" diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 index 719656a4..edbaa62e 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -18,4 +18,9 @@ ] } {% endif %} + {% if matrix_riot_jitsi_preferredDomain %}, + "im.vector.riot.jitsi": { + "preferredDomain": {{ matrix_riot_jitsi_preferredDomain|to_json }} + } + {% endif %} } From ab58b3fc9ed0f0e76a781ec977ebbd7bd9f3ff2c Mon Sep 17 00:00:00 2001 From: skoal Date: Thu, 9 Apr 2020 14:31:42 +0200 Subject: [PATCH 1064/2384] Update prerequisites.md Added Jitsi firewall ports --- docs/prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 3427c8a3..6b66c3d3 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -16,6 +16,6 @@ - properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)) -- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP). +- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP) When ready to proceed, continue with [Configuring DNS](configuring-dns.md). From 0713570e2feebf21a598891d58a20552f6027ad1 Mon Sep 17 00:00:00 2001 From: skoal Date: Thu, 9 Apr 2020 14:40:32 +0200 Subject: [PATCH 1065/2384] Update matrix_servers turn tls port update --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 864cd7d4..419cf002 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -443,7 +443,7 @@ matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | passwor matrix_jitsi_web_stun_servers: | {{ [ - 'stun:' + matrix_server_fqn_matrix + ':5349', + 'turns:' + matrix_server_fqn_matrix + ':5349', 'stun:' + matrix_server_fqn_matrix + ':3478', ] if matrix_coturn_enabled From e6ebfbf8cc94b8a728f61faa2a4759114d590e95 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Apr 2020 16:07:36 +0300 Subject: [PATCH 1066/2384] Prevent conflict between Whatsapp and Skype bridge tokens Fixes an error like this: > synapse.config._base.ConfigError: Cannot reuse as_token across application services --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 864cd7d4..6135ded6 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -308,9 +308,9 @@ matrix_mx_puppet_skype_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) }} -matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}" +matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}" -matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.hs.token') | to_uuid }}" +matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.hs.tok') | to_uuid }}" matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" From 64de103dff0c165cb709219f4e72366ba3c7b351 Mon Sep 17 00:00:00 2001 From: Rodrigo Belem Date: Thu, 9 Apr 2020 11:03:06 -0400 Subject: [PATCH 1067/2384] Add global var to control skype image self build --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 65ebc451..ceb5ff9f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -301,6 +301,8 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro # We don't enable bridges by default. matrix_mx_puppet_skype_enabled: false +matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_container_images_self_build }}" + matrix_mx_puppet_skype_systemd_required_services_list: | {{ ['docker.service'] From 181434d9c6d5634ef367f059432a066c31c3f827 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Apr 2020 18:48:56 +0300 Subject: [PATCH 1068/2384] Add matrix-mx-puppet-skype to the list of roles that can self-build --- docs/self-building.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/self-building.md b/docs/self-building.md index bef35852..aae31c7b 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -8,12 +8,13 @@ matrix_container_images_self_build: true ``` Setting that variable will self-build every role which supports self-building. Self-building can be set on a per-role basis as well. -List of roles where self-building the docker image is currently possible: -- synapse -- riot-web -- coturn -- ma1sd -- matrix-bridge-mautrix-facebook -- matrix-bridge-mautrix-hangouts +List of roles where self-building the Docker image is currently possible: +- `matrix-synapse` +- `matrix-riot-web` +- `matrix-coturn` +- `matrix-ma1sd` +- `matrix-mautrix-facebook` +- `matrix-mautrix-hangouts` +- `matrix-mx-puppet-skype` Adding self-building support to other roles is welcome. Feel free to contribute! From 515160f0d71fff0a6d33f07f1eea5ff49df5db30 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Apr 2020 19:09:04 +0300 Subject: [PATCH 1069/2384] Fix STUN server URL for jitsi/web (turns -> stun) Discussed in #446 (Github Pull Request). --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ceb5ff9f..e80d55c3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -445,7 +445,7 @@ matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | passwor matrix_jitsi_web_stun_servers: | {{ [ - 'turns:' + matrix_server_fqn_matrix + ':5349', + 'stun:' + matrix_server_fqn_matrix + ':5349', 'stun:' + matrix_server_fqn_matrix + ':3478', ] if matrix_coturn_enabled From ddc44996e3337d00814824fdec1aec524f538c1d Mon Sep 17 00:00:00 2001 From: John Goerzen Date: Sat, 11 Apr 2020 17:07:30 -0500 Subject: [PATCH 1070/2384] Fix to avoid putting an incorrect empty jitsi.preferredDomain when no local jitsi --- roles/matrix-riot-web/templates/config.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 43d50ab5..0a388e81 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -30,7 +30,7 @@ "embeddedPages": { "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }} }, - {% if matrix_riot_web_jitsi_preferredDomain is not none %} + {% if matrix_riot_web_jitsi_preferredDomain is not none and matrix_riot_web_jitsi_preferredDomain != '' %} "jitsi": { "preferredDomain": {{ matrix_riot_web_jitsi_preferredDomain|to_json }} }, From 69338d045a9ff7c6917216586ba1a78645afac6e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Apr 2020 01:09:22 +0300 Subject: [PATCH 1071/2384] Simplify if conditions --- roles/matrix-riot-web/templates/config.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 0a388e81..adbbf8dc 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -30,7 +30,7 @@ "embeddedPages": { "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }} }, - {% if matrix_riot_web_jitsi_preferredDomain is not none and matrix_riot_web_jitsi_preferredDomain != '' %} + {% if matrix_riot_web_jitsi_preferredDomain %} "jitsi": { "preferredDomain": {{ matrix_riot_web_jitsi_preferredDomain|to_json }} }, From cf36dbe4f6627e64e35e9831fe4f67b5185050fb Mon Sep 17 00:00:00 2001 From: Udo Rader Date: Mon, 13 Apr 2020 11:22:13 +0200 Subject: [PATCH 1072/2384] correctly quoted and added another way to retrieve it --- docs/configuring-playbook-bridge-appservice-slack.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-appservice-slack.md b/docs/configuring-playbook-bridge-appservice-slack.md index afeeb658..cf087414 100644 --- a/docs/configuring-playbook-bridge-appservice-slack.md +++ b/docs/configuring-playbook-bridge-appservice-slack.md @@ -63,7 +63,7 @@ Note that the bot's domain is your server's domain **without the `matrix.` prefi * Invite the bot user to both the Slack and Matrix channels you would like to bridge using `/invite @slackbot` for slack and `/invite @slackbot:MY.DOMAIN` for matrix. - * Determine the "channel ID" that Slack uses to identify the channel, which can be found in the url https://XXX.slack.com/messages//. + * Determine the "channel ID" that Slack uses to identify the channel, which can be found in the url `https://XXX.slack.com/messages//`. Or, even simpler, if you open a channel in a browser, the URL reads like this: `https://app.slack.com/client/XXX//details/`. * Issue a link command in the administration control room with these collected values as arguments: From b6aa246f7c5cfa66078efffccb02d8d621224988 Mon Sep 17 00:00:00 2001 From: Udo Rader Date: Mon, 13 Apr 2020 17:17:19 +0200 Subject: [PATCH 1073/2384] better described how to get channel id, added a section how to unlink a channel and a troubleshooting section --- ...guring-playbook-bridge-appservice-slack.md | 35 ++++++++++++++++--- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-slack.md b/docs/configuring-playbook-bridge-appservice-slack.md index cf087414..371195b6 100644 --- a/docs/configuring-playbook-bridge-appservice-slack.md +++ b/docs/configuring-playbook-bridge-appservice-slack.md @@ -4,7 +4,7 @@ The playbook can install and configure [matrix-appservice-slack](https://github. See the project's [documentation](https://github.com/matrix-org/matrix-appservice-slack/blob/master/README.md) to learn what it does and why it might be useful to you. -Setup Instructions: +## Setup Instructions: loosely based on [this](https://github.com/matrix-org/matrix-appservice-slack#Setup) @@ -29,7 +29,9 @@ Note that the bot's domain is your server's domain **without the `matrix.` prefi 5. Create a new Slack App [here](https://api.slack.com/apps). - Name the app & select the team/workspace this app will belong to. + Name the app "matrixbot" (or anything else you'll remember). + + Select the team/workspace this app will belong to. Click on bot users and add a new bot user. We will use this account to bridge the the rooms. @@ -61,9 +63,9 @@ Note that the bot's domain is your server's domain **without the `matrix.` prefi * Create a Matrix room in the usual manner for your client. Take a note of its Matrix room ID - it will look something like !aBcDeF:example.com. - * Invite the bot user to both the Slack and Matrix channels you would like to bridge using `/invite @slackbot` for slack and `/invite @slackbot:MY.DOMAIN` for matrix. + * Invite the bot user to both the Slack and Matrix channels you would like to bridge using `/invite @matrixbot` for slack and `/invite @slackbot:MY.DOMAIN` for matrix. - * Determine the "channel ID" that Slack uses to identify the channel, which can be found in the url `https://XXX.slack.com/messages//`. Or, even simpler, if you open a channel in a browser, the URL reads like this: `https://app.slack.com/client/XXX//details/`. + * Determine the "channel ID" that Slack uses to identify the channel. You can see it when you open a given Slack channel in a browser. The URL reads like this: `https://app.slack.com/client/XXX//details/`. * Issue a link command in the administration control room with these collected values as arguments: @@ -81,3 +83,28 @@ Note that the bot's domain is your server's domain **without the `matrix.` prefi ``` Other configuration options are available via the `matrix_appservice_slack_configuration_extension_yaml` variable. + +10. Unlinking + + Channels can be unlinked again like this: + ``` + unlink --room !the-matrix:room.id + ``` + + Unlinking doesn't only disconnect the bridge, but also makes the slackbot leave the bridged matrix room. So in case you want to re-link later, don't forget to re-invite the slackbot into this room again. + +## Troubleshooting + +* as always, check the logs: +`journalctl -fu matrix-appservice-slack` + +* linking: "Room is now pending-name" +This typically means that you haven't used the correct slack channel id. Unlink the room and recheck 'Determine the "channel ID"' from above. + +* Messages work from M to S, but not the other way around +Check you logs, if they say something like + +`WARN SlackEventHandler Ignoring message from unrecognised slack channel id : %s (%s) ` + +then unlink your room, reinvite the bot and re-link it again. This may particularly hit you, if you tried to unsuccessfully link +your room multiple times without unlinking it after each failed attempt. From cc8fc55ac6fdac94fadb01de91584b34e62ab0d6 Mon Sep 17 00:00:00 2001 From: Rodrigo Belem Date: Wed, 15 Apr 2020 15:13:56 -0400 Subject: [PATCH 1074/2384] Upstream set mx-puppet-skype default port to 8438 --- roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index d4df2f0d..c3276807 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_skype_config_path: "{{ matrix_mx_puppet_skype_base_path }}/conf matrix_mx_puppet_skype_data_path: "{{ matrix_mx_puppet_skype_base_path }}/data" matrix_mx_puppet_skype_docker_src_files_path: "{{ matrix_mx_puppet_skype_base_path }}/docker-src" -matrix_mx_puppet_skype_appservice_port: "6000" +matrix_mx_puppet_skype_appservice_port: "8438" matrix_mx_puppet_skype_homeserver_address: 'http://matrix-synapse:8008' matrix_mx_puppet_skype_homeserver_domain: '{{ matrix_domain }}' From d83236ea0e87af29fb1f81647fe92c04fb360bc5 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Fri, 17 Apr 2020 00:52:09 +0200 Subject: [PATCH 1075/2384] Fix inconsistent whitespace --- .../usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 | 2 +- .../templates/usr-local-bin/matrix-postgres-cli.j2 | 2 +- .../usr-local-bin/matrix-postgres-update-user-password-hash.j2 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 index 93306d78..f7c930c0 100644 --- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 @@ -11,7 +11,7 @@ docker run \ --rm \ --name=matrix-certbot \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ + --cap-drop=ALL \ --network="{{ matrix_docker_network }}" \ -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \ -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \ diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 index 8f0c4c5b..61f4cf80 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -5,7 +5,7 @@ docker run \ -it \ --rm \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ + --cap-drop=ALL \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --network {{ matrix_docker_network }} \ {{ matrix_postgres_docker_image_to_use }} \ diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 index d950ce97..e546b2c5 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 @@ -9,7 +9,7 @@ fi docker run \ --rm \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ + --cap-drop=ALL \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --network {{ matrix_docker_network }} \ {{ matrix_postgres_docker_image_to_use }} \ From 88c1fbf6aa9505db0e4cc43f3a3ed322f14e4494 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Fri, 17 Apr 2020 00:54:38 +0200 Subject: [PATCH 1076/2384] Fix hardcoded values in postgres script matrix-change-user-admin-status --- .../usr-local-bin/matrix-change-user-admin-status.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 index 861a0d0d..e9c76674 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 @@ -11,9 +11,9 @@ fi docker run \ -it \ --rm \ - --user=991:991 \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --network {{ matrix_docker_network }} \ - postgres:12.1-alpine \ - psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" + {{ matrix_postgres_docker_image_to_use }} \ + psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" From 4d260c0dd533a0cf6a87d113887759660472f898 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Apr 2020 09:44:48 +0300 Subject: [PATCH 1077/2384] Add encryption configuration defaults to Mautrix bridges Related to #451 (Github Issue). --- .../matrix-bridge-mautrix-facebook/defaults/main.yml | 11 +++++++++++ .../matrix-bridge-mautrix-hangouts/defaults/main.yml | 11 +++++++++++ .../matrix-bridge-mautrix-telegram/defaults/main.yml | 12 ++++++++++++ 3 files changed, 34 insertions(+) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 30693bd5..3c09dafd 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -141,6 +141,17 @@ matrix_mautrix_facebook_configuration_yaml: | presence: true # Whether or not to update avatars when syncing all contacts at startup. update_avatar_initial_sync: true + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false # Permissions for using the bridge. # Permitted values: diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 5284bc82..8de4576f 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -124,6 +124,17 @@ matrix_mautrix_hangouts_configuration_yaml: | login_shared_secret: {{ matrix_mautrix_hangouts_login_shared_secret|to_json }} # Whether or not to update avatars when syncing all contacts at startup. update_avatar_initial_sync: true + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false # Public website and API configs web: diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 6cfa3abb..b491dce8 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -227,6 +227,18 @@ matrix_mautrix_telegram_configuration_yaml: | height: 256 background: "020202" # only for gif fps: 30 # only for webm + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Overrides for base power levels. initial_power_level_overrides: user: {} From 9a43cc02e0a5b46670d13c7a2c5f8388e7ba3046 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Apr 2020 09:45:35 +0300 Subject: [PATCH 1078/2384] Only install docker-python if matrix_docker_installation_enabled Should help with #300 (Github Issue). --- roles/matrix-base/tasks/server_base/setup_centos.yml | 2 +- roles/matrix-base/tasks/server_base/setup_debian.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-base/tasks/server_base/setup_centos.yml b/roles/matrix-base/tasks/server_base/setup_centos.yml index 77b2866a..07776d7f 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos.yml @@ -20,7 +20,6 @@ - name: Ensure yum packages are installed yum: name: - - docker-python - "{{ matrix_ntpd_package }}" - fuse state: latest @@ -30,5 +29,6 @@ yum: name: - "{{ matrix_docker_package_name }}" + - docker-python state: latest when: matrix_docker_installation_enabled|bool diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index c54b3cb6..88ea1c1d 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -27,7 +27,6 @@ - name: Ensure APT packages are installed apt: name: - - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker" - "{{ matrix_ntpd_package }}" - fuse state: latest @@ -37,5 +36,6 @@ apt: name: - "{{ matrix_docker_package_name }}" + - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker" state: latest when: matrix_docker_installation_enabled|bool From 43201c9e223d42ddf5fca65ca42da5bc684d2c89 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Apr 2020 22:26:55 +0300 Subject: [PATCH 1079/2384] Upgrade matrix-corporal (1.8.0 -> 1.9.0) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 9430f053..f077b465 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -19,7 +19,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_docker_image: "devture/matrix-corporal:1.8.0" +matrix_corporal_docker_image: "devture/matrix-corporal:1.9.0" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" From e54428b160de6720bd603610d1ebbcc5ee9d8953 Mon Sep 17 00:00:00 2001 From: Tom Date: Sat, 18 Apr 2020 00:11:30 +0100 Subject: [PATCH 1080/2384] Expose allowed local 3pids as a configurable option --- roles/matrix-synapse/defaults/main.yml | 7 +++++++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 3 +++ 2 files changed, 10 insertions(+) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index e2ab5fb8..f117fe93 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -164,6 +164,13 @@ matrix_synapse_enable_group_creation: false # A list of 3PID types which users must supply when registering (possible values: email, msisdn). matrix_synapse_registrations_require_3pid: [] +# A list of patterns 3pids must match in order to permit registration, e.g.: +# - medium: email +# pattern: '.*@example\.com' +# - medium: msisdn +# pattern: '\+44' +matrix_synapse_allowed_local_3pids: [] + # The server to use for email threepid validation. When empty, Synapse does it by itself. # Otherwise, this should be pointed to an identity server. matrix_synapse_account_threepid_delegates_email: '' diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 310421e9..59c35c1f 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -986,6 +986,9 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json # pattern: '.*@vector\.im' # - medium: msisdn # pattern: '\+44' +{% if matrix_synapse_allowed_local_3pids %} +allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} +{% endif %} # Enable 3PIDs lookup requests to identity servers from this server. # From 8cd9cdead0ca6e38711fed4b953db848934b180c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Apr 2020 11:05:47 +0300 Subject: [PATCH 1081/2384] Improve consistency --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 59c35c1f..08476c25 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -967,8 +967,8 @@ account_validity: #registrations_require_3pid: # - email # - msisdn -{% if matrix_synapse_registrations_require_3pid %} -registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }} +{% if matrix_synapse_registrations_require_3pid|length > 0 %} +registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_nice_yaml }} {% endif %} # Explicitly disable asking for MSISDNs from the registration @@ -986,8 +986,8 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json # pattern: '.*@vector\.im' # - medium: msisdn # pattern: '\+44' -{% if matrix_synapse_allowed_local_3pids %} -allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} +{% if matrix_synapse_allowed_local_3pids|length > 0 %} +allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_nice_yaml }} {% endif %} # Enable 3PIDs lookup requests to identity servers from this server. From c13c29f48eae238ac1a7359cede5785635b77328 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Apr 2020 11:06:53 +0300 Subject: [PATCH 1082/2384] Fix |to_nice_yaml breaking formatting Well, actually 8cd9cde won't work, unless we put the `|to_nice_yaml` thing on a new line. We can, but that takes more lines and makes things look uglier. Using `|to_json` seems good enough. The whole file is parsed as YAML later on and merged with the `_extension` variable before being dumped as YAML again in the end. --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 08476c25..d41313e3 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -968,7 +968,7 @@ account_validity: # - email # - msisdn {% if matrix_synapse_registrations_require_3pid|length > 0 %} -registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_nice_yaml }} +registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }} {% endif %} # Explicitly disable asking for MSISDNs from the registration @@ -987,7 +987,7 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_nice # - medium: msisdn # pattern: '\+44' {% if matrix_synapse_allowed_local_3pids|length > 0 %} -allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_nice_yaml }} +allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} {% endif %} # Enable 3PIDs lookup requests to identity servers from this server. From 203a319881ed7fb4bdbcbdb652f384d2b9327530 Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sat, 18 Apr 2020 12:56:36 +0200 Subject: [PATCH 1083/2384] force build docker image if git master changes --- roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 894b0a9b..6857c6c9 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -35,6 +35,7 @@ repo: https://github.com/Sorunome/mx-puppet-skype.git dest: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" force: "yes" + register: matrix_mx_puppet_skype_git_pull_results when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build" - name: Ensure MX Puppet Skype Docker image is built @@ -45,7 +46,7 @@ dockerfile: Dockerfile path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" pull: yes - when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build" + when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build and matrix_mx_puppet_skype_git_pull_results.changed" - name: Check if an old database file already exists stat: From 3ddb8cd148435ff663bd5b71db8da83d92de9e3a Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Sat, 18 Apr 2020 19:00:20 +0200 Subject: [PATCH 1084/2384] Add support for running dimension in an unfederated environment This config change follows: https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md --- roles/matrix-dimension/defaults/main.yml | 2 +- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 5ee01b61..e9faffa3 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -58,7 +58,7 @@ matrix_dimension_configuration_yaml: | # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address # through the normal federation process. - federationUrl: "http://matrix-synapse:8048" + federationUrl: "http://matrix-synapse:{{ 8048 if matrix_synapse_federation_enabled|bool else 8008 }}" # The URL that Dimension will redirect media requests to for downloading media such as # stickers. If not supplied or left empty Dimension will use the clientServerUrl. diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index d41313e3..7f9eb04f 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -226,7 +226,11 @@ listeners: x_forwarded: true resources: - - names: [client] + - names: + - client +{% if matrix_dimension_enabled and not matrix_synapse_federation_enabled %} + - openid +{% endif %} compress: false {% if matrix_synapse_federation_enabled %} From da2e90dcc1a68ce161d693cbe520ed5fafeb62de Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Sat, 18 Apr 2020 19:01:45 +0200 Subject: [PATCH 1085/2384] Remove check for "Fail if Matrix Federation is disabled" This playbook now suports running dimension in both a federated and an unfederated environment. --- roles/matrix-dimension/tasks/validate_config.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/roles/matrix-dimension/tasks/validate_config.yml b/roles/matrix-dimension/tasks/validate_config.yml index 62f23e33..ead8352b 100644 --- a/roles/matrix-dimension/tasks/validate_config.yml +++ b/roles/matrix-dimension/tasks/validate_config.yml @@ -6,14 +6,6 @@ - "matrix_dimension_access_token" when: "matrix_dimension_enabled and vars[item] == ''" -- name: Fail if Matrix Federation is disabled - fail: - msg: >- - You need to enable Matrix Federation to use Dimension. Set `{{ item }}` to 'true'. - with_items: - - "matrix_synapse_federation_enabled" - when: "matrix_dimension_enabled|bool and not matrix_synapse_federation_enabled|bool" - - name: (Deprecation) Catch and report renamed Dimension variables fail: msg: >- From 18beb3046612fb2b4f2d665087fa2e1f425d8edb Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Sat, 18 Apr 2020 19:12:20 +0200 Subject: [PATCH 1086/2384] Update docs to reflect support for unfederated dimension --- docs/configuring-playbook-dimension.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 99de20d6..40bec06b 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -4,7 +4,7 @@ If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later. ## Prerequisites -For an Integration Manager like [Dimension](https://dimension.t2bot.io) to work, your server needs to have federation enabled (`matrix_synapse_federation_enabled: true`). This is the default for this playbook, so unless you've explicitly disabled federation, you're okay. +This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and an [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environment. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Other important prerequisite is the `dimension.` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. From bd61598faf37246022d073fdb91f3f546f48f3b9 Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sat, 18 Apr 2020 22:55:19 +0200 Subject: [PATCH 1087/2384] add experimental(?) architecture support for arm32 and arm64 the changes are necessary because certbot images are tagged, so docker does not recognize the necessary architecture --- docs/alternative-architectures.md | 16 ++++++++++++ group_vars/matrix_servers | 30 +++++++++++++++++----- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++- 3 files changed, 42 insertions(+), 8 deletions(-) create mode 100644 docs/alternative-architectures.md diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md new file mode 100644 index 00000000..a469e422 --- /dev/null +++ b/docs/alternative-architectures.md @@ -0,0 +1,16 @@ +# Alternative architectures +As stated in the [Prerequisites](prerequisites.md), currently only x86_64 is supported. However, it is possible to set the target architecture, and some tools can be built on the host or other measures can be used. + +To that end add the following variable to your `vars.yaml` file: +``` +matrix_architecture = +``` +Currently supported architectures are the following: +- `amd64` (the default) +- `arm64` +- `arm32` + +On most roles self-building is used if the architecture is not `amd64`. Special cases: +- matrix-bridge-mautrix-facebook: there is built docker image for arm64 as well, +- matrix-bridge-mautrix-hangouts: there is built docker image for arm64 as well, +- matrix-nginx-proxy: Certbot has docker image for both arm32 and arm64, however tagging is used, which requires special handling. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e80d55c3..524c11cd 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -26,6 +26,20 @@ matrix_riot_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_e # ###################################################################### +###################################################################### +# +# matrix-architecture +# +###################################################################### + +matrix_architecture: "amd64" + +###################################################################### +# +# /matrix-architecture +# +###################################################################### + ###################################################################### # @@ -174,7 +188,7 @@ matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | # We don't enable bridges by default. matrix_mautrix_facebook_enabled: false -matrix_mautrix_facebook_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_mautrix_facebook_container_image_self_build: "{{ (matrix_architecture != 'amd64') and (matrix_architecture != 'arm64') }}" matrix_mautrix_facebook_systemd_required_services_list: | {{ @@ -205,7 +219,7 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro # We don't enable bridges by default. matrix_mautrix_hangouts_enabled: false -matrix_mautrix_hangouts_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_mautrix_hangouts_container_image_self_build: "{{ (matrix_architecture != 'amd64') and (matrix_architecture != 'arm64') }}" matrix_mautrix_hangouts_systemd_required_services_list: | {{ @@ -301,7 +315,7 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro # We don't enable bridges by default. matrix_mx_puppet_skype_enabled: false -matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" matrix_mx_puppet_skype_systemd_required_services_list: | {{ @@ -366,7 +380,7 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati matrix_coturn_enabled: true -matrix_coturn_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_coturn_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" @@ -489,7 +503,7 @@ matrix_mailer_enabled: true # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. matrix_ma1sd_enabled: true -matrix_ma1sd_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose @@ -599,6 +613,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) }} +matrix_ssl_architecture: "{{ matrix_architecture }}" + ###################################################################### # # /matrix-nginx-proxy @@ -638,7 +654,7 @@ matrix_postgres_db_name: "homeserver" # If you wish to connect to your Matrix server by other means, you may wish to disable this. matrix_riot_web_enabled: true -matrix_riot_web_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_riot_web_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" # Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose @@ -683,7 +699,7 @@ matrix_riot_web_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jit # ###################################################################### -matrix_synapse_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_synapse_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" # When ma1sd is enabled, we can use it instead of the default public Identity servers. matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else matrix_synapse_id_servers_public }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 12d314f5..35c6adfc 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -213,12 +213,14 @@ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none # plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy. matrix_ssl_retrieval_method: "lets-encrypt" +matrix_ssl_architecture: "amd64" + # The list of domains that this role will obtain certificates for. matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v1.3.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.3.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ From b5844d2395f9d55afe83bd963f768055f06dbd96 Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sun, 19 Apr 2020 13:31:36 +0200 Subject: [PATCH 1088/2384] shortening line based on @spantaleev 's comment --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 524c11cd..517c299f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -188,7 +188,7 @@ matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | # We don't enable bridges by default. matrix_mautrix_facebook_enabled: false -matrix_mautrix_facebook_container_image_self_build: "{{ (matrix_architecture != 'amd64') and (matrix_architecture != 'arm64') }}" +matrix_mautrix_facebook_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_mautrix_facebook_systemd_required_services_list: | {{ @@ -219,7 +219,7 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro # We don't enable bridges by default. matrix_mautrix_hangouts_enabled: false -matrix_mautrix_hangouts_container_image_self_build: "{{ (matrix_architecture != 'amd64') and (matrix_architecture != 'arm64') }}" +matrix_mautrix_hangouts_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_mautrix_hangouts_systemd_required_services_list: | {{ From 7dba695713fd1855d0b3d13a7f905259996398eb Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sun, 19 Apr 2020 13:32:27 +0200 Subject: [PATCH 1089/2384] clarification for the list of implementation details --- docs/alternative-architectures.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index a469e422..5fb0c8ea 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md @@ -10,7 +10,10 @@ Currently supported architectures are the following: - `arm64` - `arm32` -On most roles self-building is used if the architecture is not `amd64`. Special cases: +## Implementation details +This subsection is used for a reminder, how the different roles implement architecture differenes. This is **not** aimed at the users, so one does not have to do anything based on this subsection. + +On most roles self-building is used if the architecture is not `amd64`, however there are some special cases: - matrix-bridge-mautrix-facebook: there is built docker image for arm64 as well, - matrix-bridge-mautrix-hangouts: there is built docker image for arm64 as well, - matrix-nginx-proxy: Certbot has docker image for both arm32 and arm64, however tagging is used, which requires special handling. From 441278412b4839a70f500a053c0137bc0de08c8e Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sun, 19 Apr 2020 13:51:26 +0200 Subject: [PATCH 1090/2384] add explicit information for the Rapsberry pi --- docs/alternative-architectures.md | 5 +++++ docs/prerequisites.md | 2 +- docs/self-building.md | 2 ++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index 5fb0c8ea..b38f1cdc 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md @@ -10,6 +10,11 @@ Currently supported architectures are the following: - `arm64` - `arm32` +so for the Raspberry Pi the following should be in your `vars.yaml` file: +``` +matrix_architecture = "arm32" +``` + ## Implementation details This subsection is used for a reminder, how the different roles implement architecture differenes. This is **not** aimed at the users, so one does not have to do anything based on this subsection. diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 6b66c3d3..9a26d769 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -1,6 +1,6 @@ # Prerequisites -- An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+), **Ubuntu** (16.04+), or **Archlinux**. This playbook doesn't support running on ARM ([see](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Self-Building](self-building.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. +- An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+), **Ubuntu** (16.04+), or **Archlinux**. This playbook doesn't support running on ARM ([see](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Alternative Architectures](alternative-architectures.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. - `root` access to your server (or a user capable of elevating to `root` via `sudo`). diff --git a/docs/self-building.md b/docs/self-building.md index aae31c7b..85d09812 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -1,5 +1,7 @@ # Self-building +**Caution: self-building does not have to be used on its own. See the [Alternative Architectures](alternative-architectures.md) page.** + The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for ma1sd). To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file: From 588e97a97c30bb26e9761ca81e5dae640ea56dae Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sun, 19 Apr 2020 14:02:32 +0200 Subject: [PATCH 1091/2384] link to self-building from implementation subsection --- docs/alternative-architectures.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index b38f1cdc..01f6946f 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md @@ -18,7 +18,7 @@ matrix_architecture = "arm32" ## Implementation details This subsection is used for a reminder, how the different roles implement architecture differenes. This is **not** aimed at the users, so one does not have to do anything based on this subsection. -On most roles self-building is used if the architecture is not `amd64`, however there are some special cases: +On most roles [self-building](self-building.md) is used if the architecture is not `amd64`, however there are some special cases: - matrix-bridge-mautrix-facebook: there is built docker image for arm64 as well, - matrix-bridge-mautrix-hangouts: there is built docker image for arm64 as well, - matrix-nginx-proxy: Certbot has docker image for both arm32 and arm64, however tagging is used, which requires special handling. From e2de6a156978c642b8ddf81462e2a1a0a97b7737 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Sun, 19 Apr 2020 08:38:53 -0500 Subject: [PATCH 1092/2384] Update nginx (1.17.9 -> 1.17.10) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 12d314f5..3bbd2c9b 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "nginx:1.17.9-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.17.10-alpine" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" From 353bc7c3624f6b7186d65757e7b66bc8e6e56e2c Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Fri, 10 Apr 2020 23:44:53 +0200 Subject: [PATCH 1093/2384] Add initial support for synapse workers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit · needs documentation; no checks yet for port clashes or typos in worker name · according to https://github.com/matrix-org/synapse/wiki/Workers-setup-with-nginx#results about 90% of requests go to the synchrotron endpoint · thus, the synchrotron worker is especially suited to be load-balanced · most of the other workers are documented to support only a single instance · https://github.com/matrix-org/synapse/blob/master/docs/workers.md --- roles/matrix-synapse/defaults/main.yml | 37 +++++++++++++++++ roles/matrix-synapse/tasks/setup_synapse.yml | 2 + roles/matrix-synapse/tasks/workers/setup.yml | 7 ++++ .../tasks/workers/setup_install.yml | 41 +++++++++++++++++++ .../tasks/workers/setup_uninstall.yml | 34 +++++++++++++++ .../templates/synapse/homeserver.yaml.j2 | 38 +++++++++++++++++ .../systemd/matrix-synapse-worker@.service.j2 | 29 +++++++++++++ .../templates/synapse/worker.yaml.j2 | 29 +++++++++++++ 8 files changed, 217 insertions(+) create mode 100644 roles/matrix-synapse/tasks/workers/setup.yml create mode 100644 roles/matrix-synapse/tasks/workers/setup_install.yml create mode 100644 roles/matrix-synapse/tasks/workers/setup_uninstall.yml create mode 100644 roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 create mode 100644 roles/matrix-synapse/templates/synapse/worker.yaml.j2 diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f117fe93..dcd42ab8 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -258,6 +258,43 @@ matrix_synapse_metrics_port: 9100 # See https://github.com/matrix-org/synapse/blob/master/docs/manhole.md matrix_synapse_manhole_enabled: false +# Enable support for Synapse workers +matrix_synapse_workers_enabled: false + +# List of workers to spawn +matrix_synapse_workers_enabled_list: [] + +# Default list of workers to spawn +matrix_synapse_workers_enabled_list: + - { worker: synchrotron, port: 8082 } + - { worker: synchrotron, port: 8083 } + - { worker: synchrotron, port: 8084 } + - { worker: appservice, port: 8085 } + - { worker: client_reader, port: 8086 } + - { worker: event_creator, port: 8087 } + - { worker: federation_reader, port: 8088 } + - { worker: federation_sender, port: 8089 } + - { worker: frontend_proxy, port: 8090 } + - { worker: media_repository, port: 8091 } + - { worker: pusher, port: 8092 } + - { worker: user_dir, port: 8093 } + +# The list of available workers (2020-04-14) +matrix_synapse_workers_avail_list: + - appservice + - client_reader + - event_creator + - federation_reader + - federation_sender + - frontend_proxy + - media_repository + - pusher + - synchrotron + - user_dir + +# Ports used for communication between main synapse process and workers +matrix_synapse_replication_tcp_port: 9092 +matrix_synapse_replication_http_port: 9093 # Send ERROR logs to sentry.io for easier tracking # To set this up: go to sentry.io, create a python project, and set diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml index c40ae170..ad1b24e6 100644 --- a/roles/matrix-synapse/tasks/setup_synapse.yml +++ b/roles/matrix-synapse/tasks/setup_synapse.yml @@ -19,6 +19,8 @@ - import_tasks: "{{ role_path }}/tasks/ext/setup.yml" +- import_tasks: "{{ role_path }}/tasks/workers/setup.yml" + - import_tasks: "{{ role_path }}/tasks/synapse/setup.yml" - import_tasks: "{{ role_path }}/tasks/goofys/setup.yml" diff --git a/roles/matrix-synapse/tasks/workers/setup.yml b/roles/matrix-synapse/tasks/workers/setup.yml new file mode 100644 index 00000000..faf2899e --- /dev/null +++ b/roles/matrix-synapse/tasks/workers/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/workers/setup_install.yml" + when: "matrix_synapse_enabled|bool and matrix_synapse_workers_enabled|bool" + +- import_tasks: "{{ role_path }}/tasks/workers/setup_uninstall.yml" + when: "not matrix_synapse_workers_enabled|bool" diff --git a/roles/matrix-synapse/tasks/workers/setup_install.yml b/roles/matrix-synapse/tasks/workers/setup_install.yml new file mode 100644 index 00000000..1f23d0c5 --- /dev/null +++ b/roles/matrix-synapse/tasks/workers/setup_install.yml @@ -0,0 +1,41 @@ +--- + +- name: Ensure synapse worker base service file installed + template: + src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse-worker@.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-synapse-worker@.service" + mode: 0644 + register: matrix_synapse_worker_systemd_service_result + +- name: Ensure previous worker service symlinks are cleaned (FIXME) + file: + path: "{{ item.root + '/' + item.path }}" + state: absent + when: + - item.state == 'link' + - item.path is match('matrix-synapse-worker@*.service') + with_filetree: + - "{{ matrix_systemd_path }}/matrix-synapse.service.wants" + +- name: Ensure systemd reloaded the worker service unit + service: + daemon_reload: yes + +- name: Ensure individual worker service symlinks exist + service: + name: "matrix-synapse-worker@{{ item.worker }}:{{ item.port }}.service" + enabled: true + with_items: "{{ matrix_synapse_workers_enabled_list }}" + +- name: Ensure creation of specific worker configs + template: + src: "{{ role_path }}/templates/synapse/worker.yaml.j2" + dest: "{{ matrix_synapse_config_dir_path }}/worker.{{ item.worker }}:{{ item.port }}.yaml" + with_list: "{{ matrix_synapse_workers_enabled_list }}" + +- name: Add workers to synapse.wants list + set_fact: + matrix_synapse_systemd_wanted_services_list: > + {{ matrix_synapse_systemd_wanted_services_list + + ['matrix-synapse-worker@' + item.worker + ':' + item.port|string + '.service'] }} + with_items: "{{ matrix_synapse_workers_enabled_list }}" diff --git a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml new file mode 100644 index 00000000..86430879 --- /dev/null +++ b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml @@ -0,0 +1,34 @@ +--- + +- name: Ensure individual worker services are stopped + service: + name: "matrix-synapse-worker@{{ item.worker }}:{{ item.port }}.service" + state: stopped + with_items: "{{ matrix_synapse_workers_enabled_list }}" + +# As we cannot know the ports of workers removed from the enabled_list.. +# => .. just kill them all (FIXME?) +- name: Ensure previous worker service symlinks are cleaned + file: + path: "{{ item.root + '/' + item.path }}" + state: absent + when: + - item.state == 'link' + - item.path is match('matrix-synapse-worker@*.service') + with_filetree: + - "{{ matrix_systemd_path }}/matrix-synapse.service.wants" + +- name: Ensure synapse worker base service file gets removed + file: + path: "{{ matrix_systemd_path }}/matrix-synapse-worker@.service" + state: absent + register: matrix_synapse_worker_systemd_service_result + +- name: Remove workers from synapse.wants list + set_fact: + matrix_synapse_systemd_wanted_services_list: "{{ matrix_synapse_systemd_wanted_services_list | reject('search', item) | list }}" + with_items: "{{ matrix_synapse_workers_avail_list }}" + +- name: Ensure systemd noticed removal of worker service units + service: + daemon_reload: yes diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index d41313e3..fde097f0 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -251,6 +251,44 @@ listeners: type: manhole {% endif %} +{% if matrix_synapse_workers_enabled %} + # c.f. https://github.com/matrix-org/synapse/tree/master/docs/workers.md + # TCP replication: streaming data from the master to the workers + - port: {{ matrix_synapse_replication_tcp_port }} + bind_addresses: ['0.0.0.0'] + type: replication + + # HTTP replication: for the workers to send data to the main synapse process + - port: {{ matrix_synapse_replication_http_port }} + bind_addresses: ['0.0.0.0'] + type: http + resources: + - names: [replication] + +# c.f. https://github.com/matrix-org/synapse/tree/master/contrib/systemd-with-workers/README.md +worker_app: synapse.app.homeserver + +# thx https://oznetnerd.com/2017/04/18/jinja2-selectattr-filter/ +# reduce the main worker's offerings to core homeserver business +{% if matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'appservice')|list %} +notify_appservices: false +{% endif %} +{% if matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'federation_sender')|list %} +send_federation: false +{% endif %} +{% if matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'media_repository')|list %} +enable_media_repo: false +{% endif %} +{% if matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'pusher')|list %} +start_pushers: false +{% endif %} +{% if matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'user_dir')|list %} +update_user_directory: false +{% endif %} + +# rather let systemd handle the forking +daemonize: false +{% endif %} ## Homeserver blocking ## diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 new file mode 100644 index 00000000..a46517c4 --- /dev/null +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 @@ -0,0 +1,29 @@ +#jinja2: lstrip_blocks: "True" +# c.f. https://github.com/matrix-org/synapse/pull/4662 +[Unit] +Description=Synapse Matrix Worker +After=matrix-synapse.service +BindsTo=matrix-synapse.service + +[Service] +Type=simple + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre=/bin/sleep 5 + +# systemd ftw 🤦‍♂️ +# https://github.com/systemd/systemd/issues/14895#issuecomment-594123923 +ExecStart=/bin/sh -c "WORKER=%i; WORKER=$${WORKER%%:*}; \ + exec /usr/bin/docker exec \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + matrix-synapse \ + python -m synapse.app.$${WORKER} -c /data/homeserver.yaml -c /data/worker.%i.yaml" + +ExecStop=/usr/bin/docker exec matrix-synapse pkill -f %i +KillMode=process +Restart=always +RestartSec=10 +SyslogIdentifier=matrix-synapse-%i + +[Install] +WantedBy=matrix-synapse.service diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 new file mode 100644 index 00000000..37a5f87b --- /dev/null +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -0,0 +1,29 @@ +#jinja2: lstrip_blocks: "True" +worker_app: synapse.app.{{ item.worker }} + +worker_replication_host: 127.0.0.1 +worker_replication_port: {{ matrix_synapse_replication_tcp_port }} +worker_replication_http_port: {{ matrix_synapse_replication_http_port }} + +{% if item.worker not in [ 'appservice', 'federation_sender', 'pusher' ] %} +worker_listeners: + - type: http + port: {{ item.port }} + resources: + - names: +{% if item.worker in [ 'synchrotron', 'client_reader', 'event_creator', 'frontend_proxy', 'user_dir' ] %} + - client +{% elif item.worker in [ 'federation_reader' ] %} + - federation +{% elif item.worker in [ 'media_repository' ] %} + - media +{% endif %} +{% endif %} + +{% if item.worker == 'frontend_proxy' %} +worker_main_http_uri: http://127.0.0.1:8008 +{% endif %} + +worker_daemonize: false +worker_pid_file: /matrix-run/{{ item.worker }}.port{{ item.port }}.pid +worker_log_config: /data/{{ matrix_server_fqn_matrix }}.log.config From a14b9c09adee37282b2deb7d0ff63594b5174107 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sat, 11 Apr 2020 03:08:59 +0200 Subject: [PATCH 1094/2384] Add to synapse nginx template conditional URL rewrites for workers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit · 😅 How to keep this in sync with the matrix-synapse documentation? · regex location matching is expensive · nginx syntax limit: one location only per block / statement · thus, lots of duplicate statements in this file --- .../nginx/conf.d/matrix-synapse.conf.j2 | 110 ++++++++++++++++++ 1 file changed, 110 insertions(+) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 99662515..0f4982cc 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -101,6 +101,93 @@ } {% endif %} + {% if synchrotron_workers %} + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L134 #} + location /_matrix/client/r0/sync { + proxy_pass http://synchrotron$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + location /_matrix/client/r0/events { + proxy_pass http://synchrotron$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + location /_matrix/client/r0/initialSync { + proxy_pass http://synchrotron$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + location ~ ^/_matrix/client/r0/rooms/[^/]+/initialSync$ { + proxy_pass http://synchrotron$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + + {% set client_reader_worker = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'client_reader')|first %} + {% if client_reader_worker %} + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L252 #} + location ^/_matrix/client/(versions$|(api/v1|r0|unstable)/(publicRooms$|rooms/.*/joined_me|rooms/.*/context/.|rooms/.*/members$|rooms/.*/messages$|rooms/.*/state$|login$|account/3pid$|keys/query$|keys/changes$|voip/turnServer$|joined_groups$|publicised_groups$|publicised_groups/|pushrules/.*$|groups/.*$|register$|auth/.*/fallback/web$)) { + proxy_pass http://127.0.0.1:{{ client_reader_worker.port }}$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + + {% set media_repository_worker = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'media_repository')|first %} + {% if media_repository_worker %} + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L219 #} + location /_matrix/media/ { + proxy_pass http://127.0.0.1:{{ media_repository_worker.port }}$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L223 #} + location ~ ^/_synapse/admin/v1/(purge_media_cache|room/.*/media.*|user/.*/media.*|media/.*|quarantine_media/.*)$ { + proxy_pass http://127.0.0.1:{{ media_repository_worker.port }}$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + + {% set event_creator_worker = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'event_creator')|first %} + {% if event_creator_worker %} + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L323 #} + location ~ ^/_matrix/client/(api/v1|r0|unstable)/(rooms/.*/send|rooms/.*/state/|rooms/.*/(join|invite|leave|ban|unban|kick)$|join/|profile/) { + proxy_pass http://127.0.0.1:{{ event_creator_worker.port }}$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + + {% set frontend_proxy_worker = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'frontend_proxy')|first %} + {% if frontend_proxy_worker %} + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L302 #} + location ~ ^/_matrix/client/(api/v1|r0|unstable)/keys/upload { + proxy_pass http://127.0.0.1:{{ frontend_proxy_worker.port }}$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% if not matrix_synapse_use_presence %} + location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status { + proxy_pass http://127.0.0.1:{{ frontend_proxy_worker.port }}$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + {% endif %} + + {% set user_dir_worker = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'user_dir')|first %} + {% if user_dir_worker %} + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L290 #} + location ~ ^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$ { + proxy_pass http://127.0.0.1:{{ user_dir_worker.port }}$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} @@ -174,6 +261,19 @@ } {% endmacro %} +{% set synchrotron_workers = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'synchrotron')|list %} +{% if synchrotron_workers %} +upstream synchrotron { + # ensures that requests from the same client will always be passed + # to the same server (except when this server is unavailable) + ip_hash; + + {% for worker in synchrotron_workers %} + server 127.0.0.1:{{ worker.port }}; + {% endfor %} +} +{% endif %} + server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; @@ -255,6 +355,16 @@ server { ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; {% endif %} + {% set federation_worker = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'federation_reader')|first %} + {% if federation_worker %} + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L160 #} + location ~ ^(/_matrix/federation/v1/event/|/_matrix/federation/v1/state/|/_matrix/federation/v1/state_ids/|/_matrix/federation/v1/backfill/|/_matrix/federation/v1/get_missing_events/|/_matrix/federation/v1/publicRooms|/_matrix/federation/v1/query/|/_matrix/federation/v1/make_join/|/_matrix/federation/v1/make_leave/|/_matrix/federation/v1/send_join/|/_matrix/federation/v2/send_join/|/_matrix/federation/v1/send_leave/|/_matrix/federation/v2/send_leave/|/_matrix/federation/v1/invite/|/_matrix/federation/v2/invite/|/_matrix/federation/v1/query_auth/|/_matrix/federation/v1/event_auth/|/_matrix/federation/v1/exchange_third_party_invite/|/_matrix/federation/v1/user/devices/|/_matrix/federation/v1/send/|/_matrix/federation/v1/get_groups_publicised$|/_matrix/key/v2/query|/_matrix/federation/v1/groups/) { + proxy_pass http://127.0.0.1:{{ federation_worker.port }}$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + location / { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} From cf452fdf0a1ece84ae4c54e6a73a8618114c5132 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sun, 19 Apr 2020 10:16:01 +0200 Subject: [PATCH 1095/2384] Fix corner-cases found through testing (aka ansible is nuts) --- roles/matrix-synapse/tasks/workers/setup.yml | 1 + roles/matrix-synapse/tasks/workers/setup_install.yml | 3 ++- .../matrix-synapse/tasks/workers/setup_uninstall.yml | 12 ++++++++---- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/roles/matrix-synapse/tasks/workers/setup.yml b/roles/matrix-synapse/tasks/workers/setup.yml index faf2899e..4951ac2d 100644 --- a/roles/matrix-synapse/tasks/workers/setup.yml +++ b/roles/matrix-synapse/tasks/workers/setup.yml @@ -1,4 +1,5 @@ --- +# a negative when condition will not actually prevent ansible from executing loops in imported tasks! - import_tasks: "{{ role_path }}/tasks/workers/setup_install.yml" when: "matrix_synapse_enabled|bool and matrix_synapse_workers_enabled|bool" diff --git a/roles/matrix-synapse/tasks/workers/setup_install.yml b/roles/matrix-synapse/tasks/workers/setup_install.yml index 1f23d0c5..0031c236 100644 --- a/roles/matrix-synapse/tasks/workers/setup_install.yml +++ b/roles/matrix-synapse/tasks/workers/setup_install.yml @@ -12,8 +12,9 @@ path: "{{ item.root + '/' + item.path }}" state: absent when: + - matrix_synapse_workers_enabled|bool - item.state == 'link' - - item.path is match('matrix-synapse-worker@*.service') + - item.path is match('matrix-synapse-worker@.*\\.service') with_filetree: - "{{ matrix_systemd_path }}/matrix-synapse.service.wants" diff --git a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml index 86430879..d1e7e3b5 100644 --- a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml @@ -1,10 +1,13 @@ --- -- name: Ensure individual worker services are stopped +- name: Populate service facts + service_facts: + +- name: Ensure any worker services are stopped service: - name: "matrix-synapse-worker@{{ item.worker }}:{{ item.port }}.service" + name: "{{ item.key }}" state: stopped - with_items: "{{ matrix_synapse_workers_enabled_list }}" + with_dict: "{{ ansible_facts.services|default({})|dict2items|selectattr('key', 'match', 'matrix-synapse-worker@.+\\.service')|list|items2dict }}" # As we cannot know the ports of workers removed from the enabled_list.. # => .. just kill them all (FIXME?) @@ -13,8 +16,9 @@ path: "{{ item.root + '/' + item.path }}" state: absent when: + - not matrix_synapse_workers_enabled|bool - item.state == 'link' - - item.path is match('matrix-synapse-worker@*.service') + - item.path is match('matrix-synapse-worker@.*\\.service') with_filetree: - "{{ matrix_systemd_path }}/matrix-synapse.service.wants" From 66a40735126c361e396dde47e9f96c9fe9664ee4 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sun, 19 Apr 2020 17:42:51 +0200 Subject: [PATCH 1096/2384] Publish synapse worker ports, need to be accessible to nginx --- .../templates/synapse/systemd/matrix-synapse.service.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 0bd2c25d..700e4134 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -44,6 +44,11 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {% if matrix_synapse_manhole_enabled and matrix_synapse_container_manhole_api_host_bind_port %} -p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \ {% endif %} + {% if matrix_synapse_workers_enabled %} + {% for worker in matrix_synapse_workers_enabled_list %} + -p {{ worker.port }}:{{ worker.port }} \ + {% endfor %} + {% endif %} -v {{ matrix_synapse_config_dir_path }}:/data:ro \ -v {{ matrix_synapse_run_path }}:/matrix-run:rw \ -v {{ matrix_synapse_storage_path }}:/matrix-media-store-parent:slave \ From e4763c21bc4a2e3a053629618d7ba7c78e120f92 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sun, 19 Apr 2020 18:41:27 +0200 Subject: [PATCH 1097/2384] nginx config: route traffic to workers on matrix-synapse FIXME: horrid duplication in template file --- .../nginx/conf.d/matrix-synapse.conf.j2 | 133 +++++++++++------- 1 file changed, 80 insertions(+), 53 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 0f4982cc..d7a1e6b3 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -127,65 +127,86 @@ {% set client_reader_worker = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'client_reader')|first %} {% if client_reader_worker %} - {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L252 #} - location ^/_matrix/client/(versions$|(api/v1|r0|unstable)/(publicRooms$|rooms/.*/joined_me|rooms/.*/context/.|rooms/.*/members$|rooms/.*/messages$|rooms/.*/state$|login$|account/3pid$|keys/query$|keys/changes$|voip/turnServer$|joined_groups$|publicised_groups$|publicised_groups/|pushrules/.*$|groups/.*$|register$|auth/.*/fallback/web$)) { - proxy_pass http://127.0.0.1:{{ client_reader_worker.port }}$request_uri; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L252 #} + location ^/_matrix/client/(versions$|(api/v1|r0|unstable)/(publicRooms$|rooms/.*/joined_me|rooms/.*/context/.|rooms/.*/members$|rooms/.*/messages$|rooms/.*/state$|login$|account/3pid$|keys/query$|keys/changes$|voip/turnServer$|joined_groups$|publicised_groups$|publicised_groups/|pushrules/.*$|groups/.*$|register$|auth/.*/fallback/web$)) { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse:{{ client_reader_worker.port }}" + proxy_pass http://$backend$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } {% endif %} {% set media_repository_worker = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'media_repository')|first %} {% if media_repository_worker %} - {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L219 #} - location /_matrix/media/ { - proxy_pass http://127.0.0.1:{{ media_repository_worker.port }}$request_uri; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } - {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L223 #} - location ~ ^/_synapse/admin/v1/(purge_media_cache|room/.*/media.*|user/.*/media.*|media/.*|quarantine_media/.*)$ { - proxy_pass http://127.0.0.1:{{ media_repository_worker.port }}$request_uri; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L219 #} + location /_matrix/media/ { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse:{{ media_repository_worker.port }}" + proxy_pass http://$backend$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L223 #} + location ~ ^/_synapse/admin/v1/(purge_media_cache|room/.*/media.*|user/.*/media.*|media/.*|quarantine_media/.*)$ { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse:{{ media_repository_worker.port }}" + proxy_pass http://$backend$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } {% endif %} {% set event_creator_worker = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'event_creator')|first %} {% if event_creator_worker %} - {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L323 #} - location ~ ^/_matrix/client/(api/v1|r0|unstable)/(rooms/.*/send|rooms/.*/state/|rooms/.*/(join|invite|leave|ban|unban|kick)$|join/|profile/) { - proxy_pass http://127.0.0.1:{{ event_creator_worker.port }}$request_uri; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L323 #} + location ~ ^/_matrix/client/(api/v1|r0|unstable)/(rooms/.*/send|rooms/.*/state/|rooms/.*/(join|invite|leave|ban|unban|kick)$|join/|profile/) { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse:{{ event_creator_worker.port }}" + proxy_pass http://$backend$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } {% endif %} {% set frontend_proxy_worker = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'frontend_proxy')|first %} {% if frontend_proxy_worker %} - {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L302 #} - location ~ ^/_matrix/client/(api/v1|r0|unstable)/keys/upload { - proxy_pass http://127.0.0.1:{{ frontend_proxy_worker.port }}$request_uri; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } - {% if not matrix_synapse_use_presence %} - location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status { - proxy_pass http://127.0.0.1:{{ frontend_proxy_worker.port }}$request_uri; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } - {% endif %} + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L302 #} + location ~ ^/_matrix/client/(api/v1|r0|unstable)/keys/upload { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse:{{ frontend_proxy_worker.port }}" + proxy_pass http://$backend$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% if not matrix_synapse_use_presence %} + location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse:{{ frontend_proxy_worker.port }}" + proxy_pass http://$backend$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} {% endif %} {% set user_dir_worker = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'user_dir')|first %} {% if user_dir_worker %} - {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L290 #} - location ~ ^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$ { - proxy_pass http://127.0.0.1:{{ user_dir_worker.port }}$request_uri; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L290 #} + location ~ ^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$ { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse:{{ user_dir_worker.port }}" + proxy_pass http://$backend$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } {% endif %} {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} @@ -268,8 +289,11 @@ upstream synchrotron { # to the same server (except when this server is unavailable) ip_hash; - {% for worker in synchrotron_workers %} - server 127.0.0.1:{{ worker.port }}; + {% for synchrotron_worker in synchrotron_workers %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse:{{ synchrotron_worker.port }}" + server $backend:{{ synchrotron_worker.port }}; {% endfor %} } {% endif %} @@ -355,14 +379,17 @@ server { ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; {% endif %} - {% set federation_worker = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'federation_reader')|first %} - {% if federation_worker %} - {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L160 #} - location ~ ^(/_matrix/federation/v1/event/|/_matrix/federation/v1/state/|/_matrix/federation/v1/state_ids/|/_matrix/federation/v1/backfill/|/_matrix/federation/v1/get_missing_events/|/_matrix/federation/v1/publicRooms|/_matrix/federation/v1/query/|/_matrix/federation/v1/make_join/|/_matrix/federation/v1/make_leave/|/_matrix/federation/v1/send_join/|/_matrix/federation/v2/send_join/|/_matrix/federation/v1/send_leave/|/_matrix/federation/v2/send_leave/|/_matrix/federation/v1/invite/|/_matrix/federation/v2/invite/|/_matrix/federation/v1/query_auth/|/_matrix/federation/v1/event_auth/|/_matrix/federation/v1/exchange_third_party_invite/|/_matrix/federation/v1/user/devices/|/_matrix/federation/v1/send/|/_matrix/federation/v1/get_groups_publicised$|/_matrix/key/v2/query|/_matrix/federation/v1/groups/) { - proxy_pass http://127.0.0.1:{{ federation_worker.port }}$request_uri; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } + {% set federation_reader_worker = matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'federation_reader')|first %} + {% if federation_reader_worker %} + {# c.f. https://github.com/matrix-org/synapse/blame/master/docs/workers.md#L160 #} + location ~ ^(/_matrix/federation/v1/event/|/_matrix/federation/v1/state/|/_matrix/federation/v1/state_ids/|/_matrix/federation/v1/backfill/|/_matrix/federation/v1/get_missing_events/|/_matrix/federation/v1/publicRooms|/_matrix/federation/v1/query/|/_matrix/federation/v1/make_join/|/_matrix/federation/v1/make_leave/|/_matrix/federation/v1/send_join/|/_matrix/federation/v2/send_join/|/_matrix/federation/v1/send_leave/|/_matrix/federation/v2/send_leave/|/_matrix/federation/v1/invite/|/_matrix/federation/v2/invite/|/_matrix/federation/v1/query_auth/|/_matrix/federation/v1/event_auth/|/_matrix/federation/v1/exchange_third_party_invite/|/_matrix/federation/v1/user/devices/|/_matrix/federation/v1/send/|/_matrix/federation/v1/get_groups_publicised$|/_matrix/key/v2/query|/_matrix/federation/v1/groups/) { + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse:{{ federation_reader_worker.port }}" + proxy_pass http://$backend$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } {% endif %} location / { From 5f63d287b7dba70830c0218f18a873e02b9bd79c Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sun, 19 Apr 2020 18:57:00 +0200 Subject: [PATCH 1098/2384] Move synapse worker ports up 10k --- roles/matrix-synapse/defaults/main.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index dcd42ab8..9e65d421 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -266,18 +266,18 @@ matrix_synapse_workers_enabled_list: [] # Default list of workers to spawn matrix_synapse_workers_enabled_list: - - { worker: synchrotron, port: 8082 } - - { worker: synchrotron, port: 8083 } - - { worker: synchrotron, port: 8084 } - - { worker: appservice, port: 8085 } - - { worker: client_reader, port: 8086 } - - { worker: event_creator, port: 8087 } - - { worker: federation_reader, port: 8088 } - - { worker: federation_sender, port: 8089 } - - { worker: frontend_proxy, port: 8090 } - - { worker: media_repository, port: 8091 } - - { worker: pusher, port: 8092 } - - { worker: user_dir, port: 8093 } + - { worker: synchrotron, port: 18082 } + - { worker: synchrotron, port: 18083 } + - { worker: synchrotron, port: 18084 } + - { worker: appservice, port: 18085 } + - { worker: client_reader, port: 18086 } + - { worker: event_creator, port: 18087 } + - { worker: federation_reader, port: 18088 } + - { worker: federation_sender, port: 18089 } + - { worker: frontend_proxy, port: 18090 } + - { worker: media_repository, port: 18091 } + - { worker: pusher, port: 18092 } + - { worker: user_dir, port: 18093 } # The list of available workers (2020-04-14) matrix_synapse_workers_avail_list: From 765c046bebcd071cde1e24d5852f8235cfe17642 Mon Sep 17 00:00:00 2001 From: Christoph Johannes Kleine Date: Sun, 19 Apr 2020 19:50:42 +0200 Subject: [PATCH 1099/2384] add missing ; to matrix-synapse.conf.j2 --- .../nginx/conf.d/matrix-synapse.conf.j2 | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index d7a1e6b3..71605105 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -131,7 +131,7 @@ location ^/_matrix/client/(versions$|(api/v1|r0|unstable)/(publicRooms$|rooms/.*/joined_me|rooms/.*/context/.|rooms/.*/members$|rooms/.*/messages$|rooms/.*/state$|login$|account/3pid$|keys/query$|keys/changes$|voip/turnServer$|joined_groups$|publicised_groups$|publicised_groups/|pushrules/.*$|groups/.*$|register$|auth/.*/fallback/web$)) { {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse:{{ client_reader_worker.port }}" + set $backend "matrix-synapse:{{ client_reader_worker.port }}"; proxy_pass http://$backend$request_uri; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; @@ -144,7 +144,7 @@ location /_matrix/media/ { {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse:{{ media_repository_worker.port }}" + set $backend "matrix-synapse:{{ media_repository_worker.port }}"; proxy_pass http://$backend$request_uri; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; @@ -153,7 +153,7 @@ location ~ ^/_synapse/admin/v1/(purge_media_cache|room/.*/media.*|user/.*/media.*|media/.*|quarantine_media/.*)$ { {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse:{{ media_repository_worker.port }}" + set $backend "matrix-synapse:{{ media_repository_worker.port }}"; proxy_pass http://$backend$request_uri; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; @@ -166,7 +166,7 @@ location ~ ^/_matrix/client/(api/v1|r0|unstable)/(rooms/.*/send|rooms/.*/state/|rooms/.*/(join|invite|leave|ban|unban|kick)$|join/|profile/) { {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse:{{ event_creator_worker.port }}" + set $backend "matrix-synapse:{{ event_creator_worker.port }}"; proxy_pass http://$backend$request_uri; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; @@ -179,7 +179,7 @@ location ~ ^/_matrix/client/(api/v1|r0|unstable)/keys/upload { {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse:{{ frontend_proxy_worker.port }}" + set $backend "matrix-synapse:{{ frontend_proxy_worker.port }}"; proxy_pass http://$backend$request_uri; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; @@ -188,7 +188,7 @@ location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status { {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse:{{ frontend_proxy_worker.port }}" + set $backend "matrix-synapse:{{ frontend_proxy_worker.port }}"; proxy_pass http://$backend$request_uri; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; @@ -202,7 +202,7 @@ location ~ ^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$ { {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse:{{ user_dir_worker.port }}" + set $backend "matrix-synapse:{{ user_dir_worker.port }}"; proxy_pass http://$backend$request_uri; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; @@ -292,7 +292,7 @@ upstream synchrotron { {% for synchrotron_worker in synchrotron_workers %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse:{{ synchrotron_worker.port }}" + set $backend "matrix-synapse:{{ synchrotron_worker.port }}"; server $backend:{{ synchrotron_worker.port }}; {% endfor %} } @@ -385,7 +385,7 @@ server { location ~ ^(/_matrix/federation/v1/event/|/_matrix/federation/v1/state/|/_matrix/federation/v1/state_ids/|/_matrix/federation/v1/backfill/|/_matrix/federation/v1/get_missing_events/|/_matrix/federation/v1/publicRooms|/_matrix/federation/v1/query/|/_matrix/federation/v1/make_join/|/_matrix/federation/v1/make_leave/|/_matrix/federation/v1/send_join/|/_matrix/federation/v2/send_join/|/_matrix/federation/v1/send_leave/|/_matrix/federation/v2/send_leave/|/_matrix/federation/v1/invite/|/_matrix/federation/v2/invite/|/_matrix/federation/v1/query_auth/|/_matrix/federation/v1/event_auth/|/_matrix/federation/v1/exchange_third_party_invite/|/_matrix/federation/v1/user/devices/|/_matrix/federation/v1/send/|/_matrix/federation/v1/get_groups_publicised$|/_matrix/key/v2/query|/_matrix/federation/v1/groups/) { {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse:{{ federation_reader_worker.port }}" + set $backend "matrix-synapse:{{ federation_reader_worker.port }}"; proxy_pass http://$backend$request_uri; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; From 46984a4f99f1b3aece5fbce171feb43bf8e4a726 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sun, 19 Apr 2020 19:55:43 +0200 Subject: [PATCH 1100/2384] Nginx conf: more testing less b0rk --- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 71605105..68edab1d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -290,10 +290,7 @@ upstream synchrotron { ip_hash; {% for synchrotron_worker in synchrotron_workers %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse:{{ synchrotron_worker.port }}"; - server $backend:{{ synchrotron_worker.port }}; + server "matrix-synapse:{{ synchrotron_worker.port }}"; {% endfor %} } {% endif %} From 9991d545ddbec3b3686bffd3ee02aa58fcf8ca0b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 21 Apr 2020 21:48:06 +0300 Subject: [PATCH 1101/2384] Add note about synapse-janitor and require explicit confirmation for usage Fixes #465 (Github Issue). Related to https://github.com/xwiki-labs/synapse_scripts/pull/12. --- docs/maintenance-synapse.md | 8 +++++++- roles/matrix-postgres/tasks/run_synapse_janitor.yml | 7 +++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index d64b3b9f..ab33b9de 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -8,11 +8,17 @@ Table of contents: - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api), for when you wish to delete in-use (but old) data from the Synapse database -- [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state), for when you wish to compress some Synapse state tables using the [rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) tool +- [Synapse maintenance](#synapse-maintenance) + - [Purging unused data with synapse-janitor](#purging-unused-data-with-synapse-janitor) + - [Vacuuming Postgres](#vacuuming-postgres) + - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api) + - [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state) ## Purging unused data with synapse-janitor +**NOTE**: There are [reports](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/465) that **synapse-janitor is dangerous to use and causes database corruption**. You may wish to refrain from using it. + When you **leave** and **forget** a room, Synapse can clean up its data, but currently doesn't. This **unused and unreachable data** remains in your database forever. diff --git a/roles/matrix-postgres/tasks/run_synapse_janitor.yml b/roles/matrix-postgres/tasks/run_synapse_janitor.yml index 5591b75a..4562b8ba 100644 --- a/roles/matrix-postgres/tasks/run_synapse_janitor.yml +++ b/roles/matrix-postgres/tasks/run_synapse_janitor.yml @@ -7,6 +7,13 @@ msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot run synapse-janitor." when: "not matrix_postgres_enabled|bool" +- name: Fail if not aware of the risks + fail: + msg: >- + Using Synapse Janitor is considered dangerous and may break your database. + See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/465. + If you'd like to run it anyway, add `--extra-vars='i_know_synapse_janitor_is_dangerous=1'` to your command. + when: "i_know_synapse_janitor_is_dangerous|default('') == ''" # Defaults From 3f4bc9b8818f175982e07cc5ca3cb01abfd7fd44 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 22 Apr 2020 19:01:56 +0200 Subject: [PATCH 1102/2384] Move config supprt for unfederated dimension into group_vars --- group_vars/matrix_servers | 9 +++++++++ roles/matrix-dimension/defaults/main.yml | 4 +++- roles/matrix-synapse/defaults/main.yml | 5 +++++ .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 +----- 4 files changed, 18 insertions(+), 6 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e80d55c3..4c41c3b8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -402,6 +402,8 @@ matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" +matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{ 8048 if matrix_synapse_federation_enabled|bool else 8008 }}" + ###################################################################### # # /matrix-dimension @@ -723,6 +725,13 @@ matrix_synapse_tls_federation_listener_enabled: false matrix_synapse_tls_certificate_path: ~ matrix_synapse_tls_private_key_path: ~ +matrix_synapse_http_listener_resource_names: | + {{ + ["client"] + + + ( ["openid"] if matrix_dimension_enabled and not matrix_synapse_federation_enabled else [] ) + }} + matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" matrix_synapse_email_smtp_host: "matrix-mailer" matrix_synapse_email_smtp_port: 8025 diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index e9faffa3..fafe289d 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -32,6 +32,8 @@ matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi" +matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:8048" + # Default Dimension configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -58,7 +60,7 @@ matrix_dimension_configuration_yaml: | # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address # through the normal federation process. - federationUrl: "http://matrix-synapse:{{ 8048 if matrix_synapse_federation_enabled|bool else 8008 }}" + federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}" # The URL that Dimension will redirect media requests to for downloading media such as # stickers. If not supplied or left empty Dimension will use the clientServerUrl. diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f117fe93..a2fa1bea 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -137,6 +137,11 @@ matrix_synapse_tls_federation_listener_enabled: true matrix_synapse_tls_certificate_path: "/data/{{ matrix_server_fqn_matrix }}.tls.crt" matrix_synapse_tls_private_key_path: "/data/{{ matrix_server_fqn_matrix }}.tls.key" +# Resource names used by the unsecure HTTP listener. Here only the Client API +# is defined, see the homeserver config for a full list of valid resource +# names. +matrix_synapse_http_listener_resource_names: ["client"] + # Enable this to allow Synapse to report utilization statistics about your server to matrix.org # (things like number of users, number of messages sent, uptime, load, etc.) matrix_synapse_report_stats: false diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 7f9eb04f..4479d8fc 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -226,11 +226,7 @@ listeners: x_forwarded: true resources: - - names: - - client -{% if matrix_dimension_enabled and not matrix_synapse_federation_enabled %} - - openid -{% endif %} + - names: {{ matrix_synapse_http_listener_resource_names|to_json }} compress: false {% if matrix_synapse_federation_enabled %} From b08a49d94dc67f930d925b06e428accab6c3ccad Mon Sep 17 00:00:00 2001 From: Rodrigo Belem Date: Wed, 22 Apr 2020 15:26:23 -0400 Subject: [PATCH 1103/2384] Allow skype more configurations for relay and provisioning --- .../defaults/main.yml | 43 +++++++++++++++---- 1 file changed, 35 insertions(+), 8 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index c3276807..8119199d 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -16,9 +16,26 @@ matrix_mx_puppet_skype_docker_src_files_path: "{{ matrix_mx_puppet_skype_base_pa matrix_mx_puppet_skype_appservice_port: "8438" matrix_mx_puppet_skype_homeserver_address: 'http://matrix-synapse:8008' -matrix_mx_puppet_skype_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_skype_appservice_address: 'http://matrix-mx-puppet-skype:{{ matrix_mx_puppet_skype_appservice_port }}' +# "@user:server.com" to allow specific user +# "@.*:yourserver.com" to allow users on a specific homeserver +# "@.*" to allow anyone +matrix_mx_puppet_skype_provisioning_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Leave empty to disable blacklist +# "@user:server.com" disallow a specific user +# "@.*:yourserver.com" disallow users on a specific homeserver +matrix_mx_puppet_skype_provisioning_blacklist: + +# Same as provisioning +matrix_mx_puppet_skype_relay_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Same as provisioning +matrix_mx_puppet_skype_relay_blacklist: + # A list of extra arguments to pass to the container matrix_mx_puppet_skype_container_extra_arguments: [] @@ -48,7 +65,7 @@ matrix_mx_puppet_skype_configuration_yaml: | # Port to host the bridge on which your homeserver will connect to port: {{ matrix_mx_puppet_skype_appservice_port }} # Name of your homeserver - domain: {{ matrix_mx_puppet_skype_homeserver_domain }} + domain: {{ matrix_domain }} # URL where the bridge can connect to your homeserver homeserverUrl: {{ matrix_mx_puppet_skype_homeserver_address }} # Optionally specify a different media URL used for the media store @@ -60,7 +77,7 @@ matrix_mx_puppet_skype_configuration_yaml: | # yourserver.com: supersecretsharedsecret {% if matrix_mx_puppet_skype_login_shared_secret != '' %} loginSharedSecretMap: - {{ matrix_mx_puppet_skype_homeserver_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }} + {{ matrix_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }} {% endif %} # optionally override the display name of the bridge bot #displayname: Protocol Bot @@ -123,18 +140,23 @@ matrix_mx_puppet_skype_configuration_yaml: | provisioning: # Regex of Matrix IDs allowed to use the puppet bridge whitelist: + whitelist: {{ matrix_mx_puppet_skype_provisioning_whitelist|to_json }} # Allow a specific user #- "@user:server\\.com" # Allow users on a specific homeserver - - '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}' + #- "@.*:yourserver\\.com" # Allow anyone #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge #blacklist: # Disallow a specific user #- "@user:server\\.com" # Disallow users on a specific homeserver #- "@.*:yourserver\\.com" + {% if matrix_mx_puppet_skype_provisioning_blacklist %} + blacklist: {{ matrix_mx_puppet_skype_provisioning_blacklist|to_json }} + {% endif %} presence: # Bridge online/offline status @@ -150,10 +172,15 @@ matrix_mx_puppet_skype_configuration_yaml: | relay: # Regex of Matrix IDs to allow to use the relay mode # Same format as in provisioning - whitelist: - - '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}' + #whitelist: + #- "@.*:yourserver\\.com" + whitelist: {{ matrix_mx_puppet_skype_relay_whitelist|to_json }} + #blacklist: #- "@user:yourserver\\.com" + {% if matrix_mx_puppet_skype_relay_blacklist %} + blacklist: {{ matrix_mx_puppet_skype_relay_blacklist|to_json }} + {% endif %} # Map certain homeserver URLs to the C-S API endpoint # Useful for double-puppeting if .well-known is unavailable for some reason @@ -196,11 +223,11 @@ matrix_mx_puppet_skype_registration_yaml: | namespaces: users: - exclusive: true - regex: '@_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}' + regex: '@_skypepuppet_.*:{{ matrix_domain|regex_escape }}' rooms: [] aliases: - exclusive: true - regex: '#_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}' + regex: '#_skypepuppet_.*:{{ matrix_domain|regex_escape }}' protocols: [] rate_limited: false sender_localpart: _skypepuppet_bot From 0af5a8c4cce8e3b279158e6caa3a6e6d99c12018 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 22 Apr 2020 22:42:16 +0300 Subject: [PATCH 1104/2384] Simplify mx-puppet-skype blacklists a bit Related to #466 (Github Pull Request). --- roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 8119199d..1d21835c 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -27,14 +27,14 @@ matrix_mx_puppet_skype_provisioning_whitelist: # Leave empty to disable blacklist # "@user:server.com" disallow a specific user # "@.*:yourserver.com" disallow users on a specific homeserver -matrix_mx_puppet_skype_provisioning_blacklist: +matrix_mx_puppet_skype_provisioning_blacklist: [] # Same as provisioning matrix_mx_puppet_skype_relay_whitelist: - "@.*:{{ matrix_domain|regex_escape }}" # Same as provisioning -matrix_mx_puppet_skype_relay_blacklist: +matrix_mx_puppet_skype_relay_blacklist: [] # A list of extra arguments to pass to the container matrix_mx_puppet_skype_container_extra_arguments: [] @@ -154,9 +154,7 @@ matrix_mx_puppet_skype_configuration_yaml: | #- "@user:server\\.com" # Disallow users on a specific homeserver #- "@.*:yourserver\\.com" - {% if matrix_mx_puppet_skype_provisioning_blacklist %} blacklist: {{ matrix_mx_puppet_skype_provisioning_blacklist|to_json }} - {% endif %} presence: # Bridge online/offline status @@ -178,9 +176,7 @@ matrix_mx_puppet_skype_configuration_yaml: | #blacklist: #- "@user:yourserver\\.com" - {% if matrix_mx_puppet_skype_relay_blacklist %} blacklist: {{ matrix_mx_puppet_skype_relay_blacklist|to_json }} - {% endif %} # Map certain homeserver URLs to the C-S API endpoint # Useful for double-puppeting if .well-known is unavailable for some reason From 4149e03b694286ee887af5ae5cea38a65db89759 Mon Sep 17 00:00:00 2001 From: Rodrigo Belem Date: Sun, 12 Apr 2020 10:17:30 -0400 Subject: [PATCH 1105/2384] Initial mx-puppet-slack bridge role --- ...iguring-playbook-bridge-mx-puppet-slack.md | 34 ++++ group_vars/matrix_servers | 31 +++ .../defaults/main.yml | 181 ++++++++++++++++++ .../tasks/init.yml | 70 +++++++ .../tasks/main.yml | 21 ++ .../tasks/setup_install.yml | 93 +++++++++ .../tasks/setup_uninstall.yml | 24 +++ .../tasks/validate_config.yml | 10 + .../systemd/matrix-mx-puppet-slack.service.j2 | 41 ++++ setup.yml | 1 + 10 files changed, 506 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mx-puppet-slack.md create mode 100644 roles/matrix-bridge-mx-puppet-slack/defaults/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-slack/tasks/init.yml create mode 100644 roles/matrix-bridge-mx-puppet-slack/tasks/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 diff --git a/docs/configuring-playbook-bridge-mx-puppet-slack.md b/docs/configuring-playbook-bridge-mx-puppet-slack.md new file mode 100644 index 00000000..afc1999b --- /dev/null +++ b/docs/configuring-playbook-bridge-mx-puppet-slack.md @@ -0,0 +1,34 @@ +# Setting up MX Puppet Slack (optional) + +The playbook can install and configure +[mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) for you. + +See the project page to learn what it does and why it might be useful to you. + +To enable the [Slack](https://www.slack.com/) bridge just use the following +playbook configuration: + + +```yaml +matrix_mx_puppet_slack_enabled: true +matrix_mx_puppet_slack_client_id: "" +matrix_mx_puppet_slack_client_secret: "" +``` + + +## Usage + +Once the bot is enabled you need to start a chat with `Slack Puppet Bridge` with +the handle `@_slackpuppet_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base +domain, not the `matrix.` domain). + +Three authentication methods are available, Legacy Token, OAuth and xoxc token. +See mx-puppet-slack [documentation](https://github.com/Sorunome/mx-puppet-slack) +for more information about how to configure the bridge. + +Once logged in, send `list` to the bot user to list the available rooms. + +Clicking rooms in the list will result in you receiving an invitation to the +bridged room. + +Also send `help` to the bot to see the commands available. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f24c20fd..1403543f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -337,6 +337,37 @@ matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_prov ###################################################################### +###################################################################### +# +# matrix-bridge-mx-puppet-slack +# +###################################################################### + +# We don't enable bridges by default. +matrix_mx_puppet_slack_enabled: false + +matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" + +matrix_mx_puppet_slack_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" + +matrix_mx_puppet_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" + +matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +###################################################################### +# +# /matrix-bridge-mx-puppet-slack +# +###################################################################### + + ###################################################################### # # matrix-corporal diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml new file mode 100644 index 00000000..7648fafe --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -0,0 +1,181 @@ +# Mx Puppet Slack is a Matrix <-> Slack bridge +# See: https://github.com/Sorunome/mx-puppet-slack + +matrix_mx_puppet_slack_enabled: true + +matrix_mx_puppet_slack_container_image_self_build: false + +matrix_mx_puppet_slack_docker_image: "sorunome/mx-puppet-slack:latest" +matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}" + +matrix_mx_puppet_slack_base_path: "{{ matrix_base_data_path }}/mx-puppet-slack" +matrix_mx_puppet_slack_config_path: "{{ matrix_mx_puppet_slack_base_path }}/config" +matrix_mx_puppet_slack_data_path: "{{ matrix_mx_puppet_slack_base_path }}/data" +matrix_mx_puppet_slack_docker_src_files_path: "{{ matrix_mx_puppet_slack_base_path }}/docker-src" + +matrix_mx_puppet_slack_appservice_port: "8432" + +matrix_mx_puppet_slack_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_slack_homeserver_domain: '{{ matrix_domain }}' +matrix_mx_puppet_slack_appservice_address: 'http://matrix-mx-puppet-slack:{{ matrix_mx_puppet_slack_appservice_port }}' + +matrix_mx_puppet_slack_client_id: '' +matrix_mx_puppet_slack_client_secret: '' +matrix_mx_puppet_slack_redirect_path: '/slack/oauth' +matrix_mx_puppet_slack_redirect_uri: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mx_puppet_slack_redirect_path }}' + +# "@user:server.com" to allow specific user +# "@.*:yourserver.com" to allow users on a specific homeserver +# "@.*" to allow anyone +matrix_mx_puppet_slack_provisioning_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Leave empty to disable blacklist +# "@user:server.com" disallow a specific user +# "@.*:yourserver.com" disallow users on a specific homeserver +matrix_mx_puppet_slack_provisioning_blacklist: [] + +# A list of extra arguments to pass to the container +matrix_mx_puppet_slack_container_extra_arguments: [] + +# List of systemd services that matrix-puppet-slack.service depends on. +matrix_mx_puppet_slack_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-puppet-slack.service wants +matrix_mx_puppet_slack_systemd_wanted_services_list: [] + +matrix_mx_puppet_slack_appservice_token: '' +matrix_mx_puppet_slack_homeserver_token: '' + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mx_puppet_slack_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mx_puppet_slack_configuration_yaml: | + #jinja2: lstrip_blocks: "True" + bridge: + # Port to host the bridge on + # Used for communication between the homeserver and the bridge + port: {{ matrix_mx_puppet_slack_appservice_port }} + # The host connections to the bridge's webserver are allowed from + bindAddress: 0.0.0.0 + # Public domain of the homeserver + domain: {{ matrix_mx_puppet_slack_homeserver_domain }} + # Reachable URL of the Matrix homeserver + homeserverUrl: {{ matrix_mx_puppet_slack_homeserver_address }} + + + # Slack OAuth settings. Create a slack app at https://api.slack.com/apps + oauth: + enabled: false + # Slack app credentials. + # N.B. This must be quoted so YAML wouldn't parse it as a float. + clientId: "{{ matrix_mx_puppet_slack_client_id }}" + clientSecret: {{ matrix_mx_puppet_slack_client_secret }} + # Path where to listen for OAuth redirect callbacks. + redirectPath: {{ matrix_mx_puppet_slack_redirect_path }} + # Set up proxying from https://your.domain/redirect_path to http://bindAddress:port/redirect_path, + # then set this field and the Slack app redirect URI field to the former. + redirectUri: {{ matrix_mx_puppet_slack_redirect_uri }} + + presence: + # Bridge Discord online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 500 + + provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: {{ matrix_mx_puppet_slack_provisioning_whitelist|to_json }} + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + #- "@.*:yourserver\\.com" + # Allow anyone + #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_slack_provisioning_blacklist|to_json }} + + # Shared secret for the provisioning API for use by integration managers. + # If this is not set, the provisioning API will not be enabled. + #sharedSecret: random string + # Path prefix for the provisioning API. /v1 will be appended to the prefix automatically. + apiPrefix: /_matrix/provision + + database: + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". + # Modify each value as necessary + #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db + + logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: + # Log file path + - file: "/data/bridge.log" + # Log level for this file + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + level: info + # Date and time formatting + datePattern: YYYY-MM-DD + # Maximum number of logs to keep. + # This can be a number of files or number of days. + # If using days, add 'd' as a suffix + maxFiles: 14d + # Maximum size of the file after which it will rotate. This can be a + # number of bytes, or units of kb, mb, and gb. If using the units, add + # 'k', 'm', or 'g' as the suffix + maxSize: 50m + +matrix_mx_puppet_slack_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mx_puppet_slack_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mx_puppet_slack_configuration_yaml`. + +matrix_mx_puppet_slack_configuration_extension: "{{ matrix_mx_puppet_slack_configuration_extension_yaml|from_yaml if matrix_mx_puppet_slack_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mx_puppet_slack_configuration_yaml`. +matrix_mx_puppet_slack_configuration: "{{ matrix_mx_puppet_slack_configuration_yaml|from_yaml|combine(matrix_mx_puppet_slack_configuration_extension, recursive=True) }}" + +matrix_mx_puppet_slack_registration_yaml: | + as_token: "{{ matrix_mx_puppet_slack_appservice_token }}" + hs_token: "{{ matrix_mx_puppet_slack_homeserver_token }}" + id: slack-puppet + namespaces: + users: + - exclusive: true + regex: '@_slackpuppet_.*:{{ matrix_mx_puppet_slack_homeserver_domain|regex_escape }}' + rooms: [] + aliases: + - exclusive: true + regex: '#_slackpuppet_.*:{{ matrix_mx_puppet_slack_homeserver_domain|regex_escape }}' + protocols: [] + rate_limited: false + sender_localpart: _slackpuppet_bot + url: {{ matrix_mx_puppet_slack_appservice_address }} + +matrix_mx_puppet_slack_registration: "{{ matrix_mx_puppet_slack_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml new file mode 100644 index 00000000..0b823b2c --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -0,0 +1,70 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack'] }}" + when: matrix_mx_puppet_slack_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mx_puppet_slack_config_path }}/registration.yaml,dst=/matrix-mx-puppet-slack-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mx-puppet-slack-registration.yaml"] }} + when: matrix_mx_puppet_slack_enabled|bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: >- + Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-slack role. + when: matrix_nginx_proxy_role_executed|default(False)|bool + + - name: Generate Matrix MX Puppet Slack proxying configuration for matrix-nginx-proxy + set_fact: + matrix_mx_puppet_slack_matrix_nginx_proxy_configuration: | + location {{ matrix_mx_puppet_slack_redirect_path }} { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_mx_puppet_slack_appservice_address }}"; + proxy_pass $backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_mx_puppet_slack_appservice_port }}; + {% endif %} + } + + - name: Register Slack Appservice proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) + + + [matrix_mx_puppet_slack_matrix_nginx_proxy_configuration] + }} + tags: + - always + when: matrix_appservice_slack_enabled|bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: >- + NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ something }}` + URL endpoint to the matrix-appservice-slack container. + You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. + when: "matrix_appservice_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/main.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/main.yml new file mode 100644 index 00000000..6aa0fd0f --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mx_puppet_slack_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-slack + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mx_puppet_slack_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-slack + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mx_puppet_slack_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-slack diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml new file mode 100644 index 00000000..f4c9fc8e --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -0,0 +1,93 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mx-puppet-slack role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- name: Ensure MX Puppet Slack image is pulled + docker_image: + name: "{{ matrix_mx_puppet_slack_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_slack_docker_image_force_pull }}" + when: matrix_mx_puppet_slack_enabled|bool and not matrix_mx_puppet_slack_container_image_self_build + +- name: Ensure MX Puppet Slack paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - { path: "{{ matrix_mx_puppet_slack_base_path }}", when: true } + - { path: "{{ matrix_mx_puppet_slack_config_path }}", when: true } + - { path: "{{ matrix_mx_puppet_slack_data_path }}", when: true } + - { path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}", when: "{{ matrix_mx_puppet_slack_container_image_self_build }}" } + when: matrix_mx_puppet_slack_enabled|bool and item.when|bool + +- name: Ensure MX Puppet Slack repository is present on self build + git: + repo: https://github.com/Sorunome/mx-puppet-slack.git + dest: "{{ matrix_mx_puppet_slack_docker_src_files_path }}" + force: "yes" + when: "matrix_mx_puppet_slack_enabled|bool and matrix_mx_puppet_slack_container_image_self_build" + +- name: Ensure MX Puppet Slack Docker image is built + docker_image: + name: "{{ matrix_mx_puppet_slack_docker_image }}" + source: build + build: + dockerfile: Dockerfile + path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}" + pull: yes + when: "matrix_mx_puppet_slack_enabled|bool and matrix_mx_puppet_slack_container_image_self_build" + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_slack_base_path }}/database.db" + register: matrix_mx_puppet_slack_stat_database + +- name: (Data relocation) Ensure matrix-mx-puppet-slack.service is stopped + service: + name: matrix-mx-puppet-slack + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mx_puppet_slack_stat_database.stat.exists" + +- name: (Data relocation) Move mx-puppet-slack database file to ./data directory + command: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db" + when: "matrix_mx_puppet_slack_stat_database.stat.exists" + +- name: Ensure mx-puppet-slack config.yaml installed + copy: + content: "{{ matrix_mx_puppet_slack_configuration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_slack_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure mx-puppet-slack slack-registration.yaml installed + copy: + content: "{{ matrix_mx_puppet_slack_registration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_slack_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure matrix-mx-puppet-slack.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-slack.service.j2" + dest: "/etc/systemd/system/matrix-mx-puppet-slack.service" + mode: 0644 + register: matrix_mx_puppet_slack_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mx-puppet-slack.service installation + service: + daemon_reload: yes + when: "matrix_mx_puppet_slack_systemd_service_result.changed" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml new file mode 100644 index 00000000..73314a66 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mx-puppet-slack service + stat: + path: "/etc/systemd/system/matrix-mx-puppet-slack.service" + register: matrix_mx_puppet_slack_service_stat + +- name: Ensure matrix-mx-puppet-slack is stopped + service: + name: matrix-mx-puppet-slack + state: stopped + daemon_reload: yes + when: "matrix_mx_puppet_slack_service_stat.stat.exists" + +- name: Ensure matrix-mx-puppet-slack.service doesn't exist + file: + path: "/etc/systemd/system/matrix-mx-puppet-slack.service" + state: absent + when: "matrix_mx_puppet_slack_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mx-puppet-slack.service removal + service: + daemon_reload: yes + when: "matrix_mx_puppet_slack_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml new file mode 100644 index 00000000..3a0bca11 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mx_puppet_slack_appservice_token" + - "matrix_mx_puppet_slack_homeserver_token" diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 new file mode 100644 index 00000000..a86c6765 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 @@ -0,0 +1,41 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mx Puppet Slack server +{% for service in matrix_mx_puppet_slack_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mx_puppet_slack_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-mx-puppet-slack +ExecStartPre=-/usr/bin/docker rm matrix-mx-puppet-slack + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre=/bin/sleep 5 + +ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-slack \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -e CONFIG_PATH=/config/config.yaml \ + -e REGISTRATION_PATH=/config/registration.yaml \ + -v {{ matrix_mx_puppet_slack_config_path }}:/config:z \ + -v {{ matrix_mx_puppet_slack_data_path }}:/data:z \ + {% for arg in matrix_mx_puppet_slack_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mx_puppet_slack_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-mx-puppet-slack +ExecStop=-/usr/bin/docker rm matrix-mx-puppet-slack +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mx-puppet-slack + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index bca4b240..ff80320a 100755 --- a/setup.yml +++ b/setup.yml @@ -17,6 +17,7 @@ - matrix-bridge-mautrix-telegram - matrix-bridge-mautrix-whatsapp - matrix-bridge-mx-puppet-skype + - matrix-bridge-mx-puppet-slack - matrix-synapse - matrix-riot-web - matrix-jitsi From 033dfcb26fedad7550e3d8a267c4790263f13d7f Mon Sep 17 00:00:00 2001 From: Rodrigo Belem Date: Wed, 22 Apr 2020 17:28:00 -0400 Subject: [PATCH 1106/2384] Remove duplicated whitelist entry in skype main.yml --- roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 1d21835c..9d80ab04 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -139,7 +139,6 @@ matrix_mx_puppet_skype_configuration_yaml: | provisioning: # Regex of Matrix IDs allowed to use the puppet bridge - whitelist: whitelist: {{ matrix_mx_puppet_skype_provisioning_whitelist|to_json }} # Allow a specific user #- "@user:server\\.com" From 4afc46fffe5b005b1fd3e438a58313cf40a54217 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Apr 2020 18:03:36 +0300 Subject: [PATCH 1107/2384] Announce mx-puppet-slack support Related to #454 (Github Pull Request). --- CHANGELOG.md | 9 +++++++++ README.md | 2 ++ docs/configuring-playbook-bridge-mx-puppet-slack.md | 2 +- docs/configuring-playbook.md | 2 ++ 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b849ef35..7cd0b4c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2020-04-23 + +## Slack bridging support + +Thanks to [Rodrigo Belem](https://github.com/rbelem)'s efforts, the playbook now supports bridging to [Slack](https://slack.com) via the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge. + +See our [Setting up MX Puppet Slack bridging](docs/configuring-playbook-bridge-mx-puppet-slack.md) documentation page for getting started. + + # 2020-04-09 ## Skype bridging support diff --git a/README.md b/README.md index 43125026..6f7d25e0 100644 --- a/README.md +++ b/README.md @@ -146,6 +146,8 @@ This playbook sets up your server using the following Docker images: - [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https:/www.skype.com) (optional) +- [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https:/slack.com) (optional) + - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) - [jitsi/web](https://hub.docker.com/r/jitsi/web) - the [Jitsi](https://jitsi.org/) web UI (optional) diff --git a/docs/configuring-playbook-bridge-mx-puppet-slack.md b/docs/configuring-playbook-bridge-mx-puppet-slack.md index afc1999b..1f20219f 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-slack.md +++ b/docs/configuring-playbook-bridge-mx-puppet-slack.md @@ -5,7 +5,7 @@ The playbook can install and configure See the project page to learn what it does and why it might be useful to you. -To enable the [Slack](https://www.slack.com/) bridge just use the following +To enable the [Slack](https://slack.com/) bridge just use the following playbook configuration: diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index af00f7c0..7e911095 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -99,4 +99,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up MX Puppet Skype bridging](configuring-playbook-bridge-mx-puppet-skype.md) (optional) +- [Setting up MX Puppet Slack bridging](configuring-playbook-bridge-mx-puppet-slack.md) (optional) + - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional) From 23bfaa72ecf5451480d8a9286ffc9f6187394a42 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Thu, 23 Apr 2020 13:30:50 -0500 Subject: [PATCH 1108/2384] Upgrade Synapse (1.12.3 -> 1.12.4) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a2fa1bea..8597c751 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.3" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.4" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 8cdf3a24f9650f91c58c4ff6b77734448200bb7c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 23 Apr 2020 22:13:47 +0300 Subject: [PATCH 1109/2384] Fix variable name typo --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1403543f..382897fd 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -346,7 +346,7 @@ matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_prov # We don't enable bridges by default. matrix_mx_puppet_slack_enabled: false -matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" +matrix_mx_puppet_slack_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" matrix_mx_puppet_slack_systemd_required_services_list: | {{ From 9cc0c5955ddb6e1498cf382b31ce9532a4866351 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 24 Apr 2020 09:59:30 +0300 Subject: [PATCH 1110/2384] Use |quote in some command calls --- roles/matrix-synapse/tasks/register_user.yml | 2 +- roles/matrix-synapse/tasks/update_user_password.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-synapse/tasks/register_user.yml b/roles/matrix-synapse/tasks/register_user.yml index da0e28c3..9c2a3ea0 100644 --- a/roles/matrix-synapse/tasks/register_user.yml +++ b/roles/matrix-synapse/tasks/register_user.yml @@ -28,4 +28,4 @@ when: "start_result.changed" - name: Register user - shell: "{{ matrix_local_bin_path }}/matrix-synapse-register-user {{ username }} {{ password }} {{ '1' if admin == 'yes' else '0' }}" + command: "{{ matrix_local_bin_path }}/matrix-synapse-register-user {{ username|quote }} {{ password|quote }} {{ '1' if admin == 'yes' else '0' }}" diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml index 0d77f5dd..1e86bd49 100644 --- a/roles/matrix-synapse/tasks/update_user_password.yml +++ b/roles/matrix-synapse/tasks/update_user_password.yml @@ -36,8 +36,8 @@ when: "start_result.changed or postgres_start_result.changed" - name: Generate password hash - shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password }}" + shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" register: password_hash - name: Update user password hash - shell: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username }} '{{ password_hash.stdout }}'" + command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username|quote }} {{ password_hash.stdout|quote }}" From 438652c732377f92d7af003e82778cffa193f4fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 27 Apr 2020 10:49:06 +0300 Subject: [PATCH 1111/2384] Switch Slack image to a working tag We've had reports of the `:latest` tag not working anymore, leading to an error as described here: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/341 --- roles/matrix-bridge-appservice-slack/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 58babbc3..d68c1178 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_slack_enabled: true -matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:latest" +matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:cadair" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack" From e4f1f2c754e4c2a83584b4414af4ab41076477f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micka=C3=ABl=20Corni=C3=A8re?= Date: Mon, 27 Apr 2020 23:40:46 +0200 Subject: [PATCH 1112/2384] Add information to make jitsi work with a client in LAN --- docs/configuring-playbook-jitsi.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index d6ff1c8a..8e28d48b 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -49,6 +49,21 @@ matrix_jitsi_enable_auth: true matrix_jitsi_enable_guests: true ``` +## (Optional) Making your Jitsi server work on a LAN + +By default the Jitsi Meet instance does not work with a client in LAN (Local Area Network), even if others are connected from WAN. There are no video and audio. In the case of WAN to WAN everything is ok. + +The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://github.com/jitsi/docker-jitsi-meet#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add DOCKER_HOST_ADDRESS in enviornment variable to make it work. + +Here is how to do it in the playbook. + +Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: + +```yaml +matrix_jitsi_jvb_container_extra_arguments: + - '--env "DOCKER_HOST_ADDRESS="' +``` + ## Apply changes Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` From 37d427c05c884c0db8daf668479a492202afbe9b Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Tue, 28 Apr 2020 03:52:43 +0200 Subject: [PATCH 1113/2384] Update Jitsi docker images to stable 4416 --- roles/matrix-jitsi/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index fb9242ed..1e5596b3 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -28,7 +28,7 @@ matrix_jitsi_jibri_recorder_user: recorder matrix_jitsi_jibri_recorder_password: '' -matrix_jitsi_web_docker_image: "jitsi/web:4384" +matrix_jitsi_web_docker_image: "jitsi/web:4416" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" @@ -74,7 +74,7 @@ matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false matrix_jisti_web_interface_config_show_deep_linking_image: false -matrix_jitsi_prosody_docker_image: "jitsi/prosody:4384" +matrix_jitsi_prosody_docker_image: "jitsi/prosody:4416" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -87,7 +87,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4384" +matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4416" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -104,7 +104,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384" +matrix_jitsi_jvb_docker_image: "jitsi/jvb:4416" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" From 29f606bac7b1c5ab26e9c98acb14e3c990c53cec Mon Sep 17 00:00:00 2001 From: GuillauG Date: Tue, 28 Apr 2020 12:10:33 +0200 Subject: [PATCH 1114/2384] Add 'permalinkPrefix' and 'default_theme' for configuring riot web (#472) * add permalinkPrefix to riot-web config * add feature to change default theme of riot-web via its config file * remove matrix_riot_web_change_default_theme and provide sane default --- roles/matrix-riot-web/defaults/main.yml | 4 ++++ roles/matrix-riot-web/templates/config.json.j2 | 2 ++ 2 files changed, 6 insertions(+) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index e55de534..31c2c969 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -29,6 +29,7 @@ matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/" matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api" matrix_riot_web_integrations_widgets_urls: ["https://scalar.vector.im/api"] matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" +matrix_riot_web_permalinkPrefix: "https://matrix.to" # Riot public room directory server(s) matrix_riot_web_roomdir_servers: ['matrix.org'] matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org" @@ -75,6 +76,9 @@ matrix_riot_web_enable_presence_by_hs_url: ~ matrix_riot_web_themes_enabled: false matrix_riot_web_themes_repository_url: https://github.com/aaronraimist/riot-web-themes +# Controls the default riot-web theme +matrix_riot_web_default_theme: 'light' + # Controls the `settingsDefault.custom_themes` setting of the riot-web configuration. # You can use this setting to define custom themes. # diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index adbbf8dc..8738e7da 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -11,6 +11,8 @@ "settingDefaults": { "custom_themes": {{ matrix_riot_web_settingDefaults_custom_themes|to_json }} }, + "default_theme": {{ matrix_riot_web_default_theme|string|to_json }}, + "permalinkPrefix": {{ matrix_riot_web_permalinkPrefix|string|to_json }}, "disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }}, "disable_guests": {{ matrix_riot_web_disable_guests|to_json }}, "brand": {{ matrix_riot_web_brand|to_json }}, From a2df0016eb9a30bcb0024581605034dcba29a3b2 Mon Sep 17 00:00:00 2001 From: John Goerzen Date: Tue, 28 Apr 2020 11:43:52 -0500 Subject: [PATCH 1115/2384] Update matrix-appservice-irc to 0.16.0 Note the potential breaking change Resolves #474 --- CHANGELOG.md | 13 +++++++++++++ .../matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7cd0b4c3..4e018879 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,16 @@ +# 2020-04-28 + +## Newer IRC bridge (with potential breaking change) + +This upgrades matrix-appservice-irc from 0.14.1 to 0.16.0. Upstream +made a change to how you define manual mappings. If you added a +`mapping` to your configuration, you will need to update it accoring +to the [upstream +instructions](https://github.com/matrix-org/matrix-appservice-irc/blob/master/CHANGELOG.md#0150-2020-02-05). +If you did not include `mappings` in your configuration for IRC, no +change is necessary. `mappings` is not part of the default +configuration. + # 2020-04-23 ## Slack bridging support diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index a9b04872..acbb572b 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_irc_enabled: true -matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.14.1" +matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.16.0" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" From 669780976fbaeb93b1b80d92607cb50ce2e76d8c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 29 Apr 2020 09:29:03 +0300 Subject: [PATCH 1116/2384] Update mappings configuration example --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index acbb572b..5f6d0503 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -235,7 +235,11 @@ matrix_appservice_irc_ircService_servers: [] # # 1:many mappings from IRC channels to room IDs on this IRC server. # # The matrix room must already exist. Your matrix client should expose # # the room ID in a "settings" page for the room. -# "#thepub": ["!kieouiJuedJoxtVdaG:localhost"] +# "#thepub": +# roomIds: ["!kieouiJuedJoxtVdaG:localhost"] +# # Channel key/password to use. Optional. If provided, matrix users do +# # not need to know the channel key in order to join the channel. +# # key: "secret" # # Configuration for virtual matrix users. The following variables are # # exposed: From 37b80d0c75d7ec4f074f96636f1cdefe61013fa7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 29 Apr 2020 17:22:18 +0300 Subject: [PATCH 1117/2384] Fix example policy provider configuration for matrix-corporal Fixes the example, to add the missing required configuration key for the HTTP policy provider. Related to #477 (Github Issue). --- docs/configuring-playbook-matrix-corporal.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index cba68f74..e983f472 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -26,7 +26,8 @@ matrix_corporal_policy_provider_config: | "Uri": "https://intranet.example.com/matrix/policy", "AuthorizationBearerToken": "SOME_SECRET", "CachePath": "/var/cache/matrix-corporal/last-policy.json", - "ReloadIntervalSeconds": 1800 + "ReloadIntervalSeconds": 1800, + "TimeoutMilliseconds": 300 } # If you also want to enable Matrix Corporal's HTTP API.. From 9d6614e80f38eb4307df48f4ebe4e59dc65c4c91 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 29 Apr 2020 17:57:38 +0200 Subject: [PATCH 1118/2384] Add support for Jitsi LDAP authentication --- roles/matrix-jitsi/defaults/main.yml | 22 +++++++++++++++++++++ roles/matrix-jitsi/templates/prosody/env.j2 | 16 ++++++++++++++- 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 1e5596b3..fc428b96 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -7,6 +7,28 @@ matrix_jitsi_enable_guests: false matrix_jitsi_enable_recording: true matrix_jitsi_enable_transcriptions: true +# Authentication type, must be one of internal, jwt or ldap. Currently only +# internal and ldap are supported by this playbook. +matrix_jitsi_auth_type: internal + +# Configuration options for LDAP authentication. For details see upstream: +# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. +# Defaults are taken from: +# https://github.com/jitsi/docker-jitsi-meet/blob/master/prosody/rootfs/defaults/saslauthd.conf +matrix_jitsi_ldap_url: "" +matrix_jitsi_ldap_base: "" +matrix_jitsi_ldap_binddn: "" +matrix_jitsi_ldap_bindpw: "" +matrix_jitsi_ldap_filter: "uid=%u" +matrix_jitsi_ldap_auth_method: "bind" +matrix_jitsi_ldap_version: "3" +matrix_jitsi_ldap_use_tls: false +matrix_jitsi_ldap_tls_ciphers: "" +matrix_jitsi_ldap_tls_check_peer: false +matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt" +matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs" +matrix_jitsi_ldap_start_tls: false + matrix_jitsi_timezone: UTC matrix_jitsi_xmpp_domain: matrix-jitsi-web diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index caa79213..e4479b73 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -1,8 +1,22 @@ -AUTH_TYPE=internal +AUTH_TYPE={{ matrix_jitsi_auth_type }} ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} +LDAP_URL={{ matrix_jitsi_ldap_url }} +LDAP_BASE={{ matrix_jitsi_ldap_base }} +LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} +LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }} +LDAP_FILTER={{ matrix_jitsi_ldap_filter }} +LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} +LDAP_VERSION={{ matrix_jitsi_ldap_version }} +LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} +LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }} +LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} +LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} +LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} +LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} + XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} From 32ce9866e9342a38a52c3fd0467a2f200f121d2d Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 29 Apr 2020 17:58:56 +0200 Subject: [PATCH 1119/2384] Update documentation for Jitsi LDAP authentication support --- docs/configuring-playbook-jitsi.md | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 8e28d48b..ca6fc18f 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -4,7 +4,7 @@ The playbook can install the [Jitsi](https://jitsi.org/) video-conferencing plat Jitsi installation is **not enabled by default**, because it's not a core component of Matrix services. -The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet). +The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet). You can refer to the documentation there for many of the options here. ## Prerequisites @@ -34,13 +34,13 @@ matrix_jitsi_jibri_xmpp_password: "" ``` -## (Optional) configure internal Jitsi authentication and guests mode +## (Optional) Configure Jitsi authentication and guests mode By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration. If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes). -If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's `internal` authentication and guests mode. With this optional configuration, all meeting rooms have to be opened by at least one registered user, after that guests are free to join. If a registered host is not present yet, guests are put on hold into a waiting room. +If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms. Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: @@ -49,11 +49,28 @@ matrix_jitsi_enable_auth: true matrix_jitsi_enable_guests: true ``` +### (Optional) LDAP authentication + +The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be: + +```yaml +matrix_jitsi_enable_auth: true +matrix_jitsi_auth_type: ldap +matrix_jitsi_ldap_url: ldap://ldap.DOMAIN # or ldaps:// if using tls +matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN" +matrix_jitsi_ldap_filter: "(&(uid=%u)(employeeType=active))" +matrix_jitsi_ldap_use_tls: false +matrix_jitsi_ldap_start_tls: true +``` + +For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap) and the [saslauthd `LDAP_SASLAUTHD`](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD) documentation. + + ## (Optional) Making your Jitsi server work on a LAN By default the Jitsi Meet instance does not work with a client in LAN (Local Area Network), even if others are connected from WAN. There are no video and audio. In the case of WAN to WAN everything is ok. -The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://github.com/jitsi/docker-jitsi-meet#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add DOCKER_HOST_ADDRESS in enviornment variable to make it work. +The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://github.com/jitsi/docker-jitsi-meet#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add `DOCKER_HOST_ADDRESS` in enviornment variable to make it work. Here is how to do it in the playbook. @@ -68,7 +85,7 @@ matrix_jitsi_jvb_container_extra_arguments: Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` -## Required if configuring Jitsi with its internal authentication: register new users +## Required if configuring Jitsi with internal authentication: register new users Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually. Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container: From a0ce5eec6457b80f0b812a5c1ccefbc6d4c7c679 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 29 Apr 2020 19:00:24 +0200 Subject: [PATCH 1120/2384] Document how to point dimension jitsi widgets at your own jitsi instance This can be removed once turt2live/matrix-dimension#345 is resolved. --- docs/configuring-playbook-dimension.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 40bec06b..8dd34dcd 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -51,6 +51,12 @@ After these variables have been set, please run the following command to re-run ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ``` +## Jitsi domain + +By default dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of Jitsi widgets. For users running a self-hosted jitsi instance, you will likely want the widget to use your Jitsi instance. Currently there is no way to configure this via the playbook, see [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details. + +In the interim until the above limitation is resolved, an admin user needs to configure the domain via the admin ui once dimension is running. In riot-web, go to *Manage Integrations* → *Settings* → *Widgets* → *Jitsi Conference Settings* and set *Jitsi Domain* and *Jitsi Script URL* appropriately. + ## Additional features To use a more custom configuration, you can define a `matrix_dimension_configuration_extension_yaml` string variable and put your configuration in it. From 77c760ac7d2471db8d87752fdd880ff8a64ab188 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 30 Apr 2020 10:14:46 +0300 Subject: [PATCH 1121/2384] Add some links --- docs/configuring-playbook-dimension.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 8dd34dcd..ddd1d1bc 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -53,7 +53,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Jitsi domain -By default dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of Jitsi widgets. For users running a self-hosted jitsi instance, you will likely want the widget to use your Jitsi instance. Currently there is no way to configure this via the playbook, see [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details. +By default Dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of [Jitsi](https://jitsi.org/) audio/video conference widgets. For users running [a self-hosted Jitsi instance](./configuring-playbook-jitsi.md), you will likely want the widget to use your own Jitsi instance. Currently there is no way to configure this via the playbook, see [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details. In the interim until the above limitation is resolved, an admin user needs to configure the domain via the admin ui once dimension is running. In riot-web, go to *Manage Integrations* → *Settings* → *Widgets* → *Jitsi Conference Settings* and set *Jitsi Domain* and *Jitsi Script URL* appropriately. From 0029b37b9690cf26e7c904025e934217aa0062a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 30 Apr 2020 10:24:17 +0300 Subject: [PATCH 1122/2384] Improve Usage section of Jitsi docs page --- docs/configuring-playbook-jitsi.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index ca6fc18f..21a440f6 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -101,9 +101,15 @@ Run this command for each user you would like to create, replacing `` ## Usage -You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`. +You can use the self-hosted Jitsi server in multiple ways: -To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. +- **by adding a widget to a room via riot-web** (the one configured by the playbook at `https://riot.DOMAIN`). Just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. + +- **by adding a widget to a room via the Dimension Integration Manager**. You'll have to point the widget to your own Jitsi server manually. See our [Dimension](./configuring-playbook-dimension.md) documentation page for more details. Naturally, Dimension would need to be installed first (the playbook doesn't install it by default). + +- **directly (without any Matrix integration)**. Just go to `https://jitsi.DOMAIN` + +**Note**: Riot apps on mobile devices currently [don't support joining meetings on a self-hosted Jitsi server](https://github.com/vector-im/riot-web/blob/601816862f7d84ac47547891bd53effa73d32957/docs/jitsi.md#mobile-app-support). ## Troubleshooting From 966b74e74f75285608fff3d7b9c968856cd5316f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Sterba?= Date: Fri, 1 May 2020 14:21:07 +0200 Subject: [PATCH 1123/2384] Add caddy 1 well-known example Adjust params --- docs/configuring-well-known.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 8bf84ed1..826a7494 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -104,7 +104,7 @@ server { ``` -**For Caddy**, it would be something like this: +**For Caddy 2**, it would be something like this: ```caddy reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN { @@ -112,6 +112,14 @@ reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN { } ``` +**For Caddy 1**, it would be something like this: + +```caddy +proxy /.well-known/matrix/ https://matrix.DOMAIN { + header_upstream Host {http.reverse_proxy.upstream.hostport} +} +``` + **For HAProxy**, it would be something like this: ```haproxy From 741064a178b8bd675673235d7021132458f0956d Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Fri, 1 May 2020 19:11:55 +0200 Subject: [PATCH 1124/2384] Fix group ownership of Dimension base path and config Ansible will migrate the ownership of the base path and config path, but manual intervention will be required in order to migrate the ownership of files in those directories (i.e. dimension.db). Stop the services: (local)$ ansible-playbook -i inventory/hosts setup.yml --tags=stop Fix the permissions on the server: (server)# chown -Rv "{{ matrix_user_username }}:{{ matrix_user_username }}" "{{ matrix_dimension_base_path }}" which would typically look like: (server)# chown -Rv matrix:matrix /matrix/dimension/ Reconfigure Dimension and start the services: (local)$ ansible-playbook -i inventory/hosts setup.yml --tags=setup-dimension,start --- roles/matrix-dimension/tasks/setup_dimension.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dimension/tasks/setup_dimension.yml b/roles/matrix-dimension/tasks/setup_dimension.yml index 2437a547..92952146 100644 --- a/roles/matrix-dimension/tasks/setup_dimension.yml +++ b/roles/matrix-dimension/tasks/setup_dimension.yml @@ -10,7 +10,7 @@ state: directory mode: 0770 owner: "{{ matrix_user_username }}" - group: "{{ matrix_dimension_user_gid }}" + group: "{{ matrix_user_username }}" when: matrix_dimension_enabled|bool - name: Ensure Dimension config installed @@ -19,7 +19,7 @@ dest: "{{ matrix_dimension_base_path }}/config.yaml" mode: 0640 owner: "{{ matrix_user_username }}" - group: "{{ matrix_dimension_user_gid }}" + group: "{{ matrix_user_username }}" when: matrix_dimension_enabled|bool - name: Ensure Dimension image is pulled From cf0e56e92b697d793da6d71258c4e9daa8ab57cc Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Fri, 1 May 2020 19:39:17 +0200 Subject: [PATCH 1125/2384] Consistent usage of matrix username and groupname, not uid and gid This should be a no-op, no migration necessary. --- roles/matrix-synapse/tasks/goofys/setup_install.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/tasks/goofys/setup_install.yml b/roles/matrix-synapse/tasks/goofys/setup_install.yml index efd9d46c..f8c4b013 100644 --- a/roles/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/matrix-synapse/tasks/goofys/setup_install.yml @@ -17,8 +17,8 @@ path: "{{ matrix_synapse_media_store_path }}" state: directory mode: 0750 - owner: "{{ matrix_user_uid }}" - group: "{{ matrix_user_gid }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" when: "not local_path_matrix_synapse_media_store_path_stat.failed and not local_path_matrix_synapse_media_store_path_stat.stat.exists" - name: Ensure goofys environment variables file created From 7585bcc4ac50d08392cf304599a6f80033d0d339 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Fri, 1 May 2020 19:59:32 +0200 Subject: [PATCH 1126/2384] Allow the matrix user username and groupname to be configured separately No migration steps should be required. --- roles/matrix-base/defaults/main.yml | 1 + roles/matrix-base/tasks/setup_matrix_base.yml | 6 +++--- roles/matrix-base/tasks/setup_well_known.yml | 6 +++--- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 8 ++++---- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 10 +++++----- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 6 +++--- roles/matrix-corporal/tasks/setup_corporal.yml | 4 ++-- roles/matrix-coturn/tasks/setup_coturn.yml | 4 ++-- roles/matrix-dimension/tasks/setup_dimension.yml | 4 ++-- roles/matrix-email2matrix/tasks/setup_email2matrix.yml | 4 ++-- roles/matrix-jitsi/tasks/setup_jitsi_base.yml | 2 +- roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml | 2 +- roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 2 +- roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml | 2 +- roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 2 +- roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 6 +++--- roles/matrix-mailer/tasks/setup_mailer.yml | 2 +- roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 8 ++++---- roles/matrix-nginx-proxy/tasks/setup_well_known.yml | 4 ++-- roles/matrix-nginx-proxy/tasks/ssl/main.yml | 2 +- .../ssl/setup_ssl_self_signed_obtain_for_domain.yml | 2 +- roles/matrix-postgres/tasks/import_sqlite_db.yml | 2 +- .../tasks/migrate_postgres_data_directory.yml | 2 +- roles/matrix-postgres/tasks/run_synapse_janitor.yml | 2 +- roles/matrix-postgres/tasks/setup_postgres.yml | 4 ++-- roles/matrix-riot-web/tasks/setup_riot_web.yml | 6 +++--- .../tasks/ext/rest-auth/setup_install.yml | 2 +- .../tasks/ext/shared-secret-auth/setup_install.yml | 2 +- roles/matrix-synapse/tasks/goofys/setup_install.yml | 2 +- roles/matrix-synapse/tasks/import_media_store.yml | 2 +- roles/matrix-synapse/tasks/setup_synapse.yml | 2 +- roles/matrix-synapse/tasks/synapse/setup_install.yml | 4 ++-- 39 files changed, 80 insertions(+), 79 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 7f4c6ace..0885f3d8 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -22,6 +22,7 @@ matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" matrix_user_username: "matrix" +matrix_user_groupname: "matrix" matrix_user_uid: 991 matrix_user_gid: 991 diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 24217883..9afda508 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -2,7 +2,7 @@ - name: Ensure Matrix group is created group: - name: "{{ matrix_user_username }}" + name: "{{ matrix_user_groupname }}" gid: "{{ matrix_user_gid }}" state: present @@ -11,7 +11,7 @@ name: "{{ matrix_user_username }}" uid: "{{ matrix_user_uid }}" state: present - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Matrix base path exists file: @@ -19,7 +19,7 @@ state: directory mode: "{{ matrix_base_data_path_mode }}" owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_base_data_path }}" diff --git a/roles/matrix-base/tasks/setup_well_known.yml b/roles/matrix-base/tasks/setup_well_known.yml index 36706df4..3b81ce1e 100644 --- a/roles/matrix-base/tasks/setup_well_known.yml +++ b/roles/matrix-base/tasks/setup_well_known.yml @@ -8,7 +8,7 @@ state: directory mode: 0755 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_static_files_base_path }}/.well-known/matrix" @@ -18,7 +18,7 @@ dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Matrix /.well-known/matrix/server file configured template: @@ -26,7 +26,7 @@ dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_well_known_matrix_server_enabled|bool - name: Ensure Matrix /.well-known/matrix/server file deleted diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index e2144f6a..d736fa7c 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -13,7 +13,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_appservice_discord_base_path }}" - "{{ matrix_appservice_discord_config_path }}" @@ -46,7 +46,7 @@ dest: "{{ matrix_appservice_discord_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure AppService Discord registration.yaml installed copy: @@ -54,7 +54,7 @@ dest: "{{ matrix_appservice_discord_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" # If `matrix_appservice_discord_client_id` hasn't changed, the same invite link would be generated. # We intentionally suppress Ansible changes. diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 1c69b2a8..7206d25e 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -13,7 +13,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_appservice_irc_base_path }}" - "{{ matrix_appservice_irc_config_path }}" @@ -50,7 +50,7 @@ dest: "{{ matrix_appservice_irc_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Check if Appservice IRC passkey exists stat: @@ -70,7 +70,7 @@ path: "{{ matrix_appservice_irc_data_path }}/passkey.pem" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" # Ideally, we'd like to generate the final registration.yaml file by ourselves. # @@ -134,7 +134,7 @@ dest: "{{ matrix_appservice_irc_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-appservice-irc.service installed template: diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index b4132e96..94e0fedf 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -13,7 +13,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_appservice_slack_base_path }}" - "{{ matrix_appservice_slack_config_path }}" @@ -25,7 +25,7 @@ dest: "{{ matrix_appservice_slack_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure appservice-slack registration.yaml installed copy: @@ -33,7 +33,7 @@ dest: "{{ matrix_appservice_slack_config_path }}/slack-registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-appservice-slack.service installed template: diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml index 5d167dc0..9ddc121a 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml @@ -13,7 +13,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_appservice_webhooks_base_path }}" - "{{ matrix_appservice_webhooks_config_path }}" @@ -25,7 +25,7 @@ dest: "{{ matrix_appservice_webhooks_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Matrix Appservice webhooks schema.yml template exists template: @@ -33,7 +33,7 @@ dest: "{{ matrix_appservice_webhooks_config_path }}/schema.yml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Matrix Appservice webhooks database.json template exists template: @@ -41,7 +41,7 @@ dest: "{{ matrix_appservice_webhooks_data_path }}/database.json" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure appservice-webhooks registration.yaml installed copy: @@ -49,7 +49,7 @@ dest: "{{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-appservice-webhooks.service installed template: diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 82b55cea..a1131d8e 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -22,7 +22,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_mautrix_facebook_base_path }}", when: true } - { path: "{{ matrix_mautrix_facebook_config_path }}", when: true } @@ -73,7 +73,7 @@ dest: "{{ matrix_mautrix_facebook_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mautrix-facebook registration.yaml installed copy: @@ -81,7 +81,7 @@ dest: "{{ matrix_mautrix_facebook_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mautrix-facebook.service installed template: diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index ae962d34..97893be7 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -22,7 +22,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_mautrix_hangouts_base_path }}", when: true } - { path: "{{ matrix_mautrix_hangouts_config_path }}", when: true } @@ -72,7 +72,7 @@ dest: "{{ matrix_mautrix_hangouts_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mautrix-hangouts registration.yaml installed copy: @@ -80,7 +80,7 @@ dest: "{{ matrix_mautrix_hangouts_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mautrix-hangouts.service installed template: diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 1c8b063d..9dc38ec2 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -21,7 +21,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_mautrix_telegram_base_path }}" - "{{ matrix_mautrix_telegram_config_path }}" @@ -50,7 +50,7 @@ dest: "{{ matrix_mautrix_telegram_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mautrix-telegram registration.yaml installed copy: @@ -58,7 +58,7 @@ dest: "{{ matrix_mautrix_telegram_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mautrix-telegram.service installed template: diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index a818afb1..6bd87bbe 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -21,7 +21,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_mautrix_whatsapp_base_path }}" - "{{ matrix_mautrix_whatsapp_config_path }}" @@ -59,7 +59,7 @@ dest: "{{ matrix_mautrix_whatsapp_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mautrix-whatsapp registration.yaml installed copy: @@ -67,7 +67,7 @@ dest: "{{ matrix_mautrix_whatsapp_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mautrix-whatsapp.service installed template: diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 6857c6c9..e88fd778 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -22,7 +22,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_mx_puppet_skype_base_path }}", when: true } - { path: "{{ matrix_mx_puppet_skype_config_path }}", when: true } @@ -71,7 +71,7 @@ dest: "{{ matrix_mx_puppet_skype_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mx-puppet-skype skype-registration.yaml installed copy: @@ -79,7 +79,7 @@ dest: "{{ matrix_mx_puppet_skype_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mx-puppet-skype.service installed template: diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index f4c9fc8e..ddaede72 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -22,7 +22,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_mx_puppet_slack_base_path }}", when: true } - { path: "{{ matrix_mx_puppet_slack_config_path }}", when: true } @@ -70,7 +70,7 @@ dest: "{{ matrix_mx_puppet_slack_config_path }}/config.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure mx-puppet-slack slack-registration.yaml installed copy: @@ -78,7 +78,7 @@ dest: "{{ matrix_mx_puppet_slack_config_path }}/registration.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-mx-puppet-slack.service installed template: diff --git a/roles/matrix-corporal/tasks/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml index 2e09f013..72b6a5b2 100644 --- a/roles/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_corporal_config_dir_path }}" - "{{ matrix_corporal_cache_dir_path }}" @@ -31,7 +31,7 @@ dest: "{{ matrix_corporal_config_dir_path }}/config.json" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_corporal_enabled|bool - name: Ensure matrix-corporal.service installed diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 8a2ad3bd..52db0e3e 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"} when: matrix_riot_web_enabled|bool and item.when @@ -47,7 +47,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_coturn_enabled|bool - name: Ensure turnserver.conf installed diff --git a/roles/matrix-dimension/tasks/setup_dimension.yml b/roles/matrix-dimension/tasks/setup_dimension.yml index 92952146..1681a548 100644 --- a/roles/matrix-dimension/tasks/setup_dimension.yml +++ b/roles/matrix-dimension/tasks/setup_dimension.yml @@ -10,7 +10,7 @@ state: directory mode: 0770 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_dimension_enabled|bool - name: Ensure Dimension config installed @@ -19,7 +19,7 @@ dest: "{{ matrix_dimension_base_path }}/config.yaml" mode: 0640 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_dimension_enabled|bool - name: Ensure Dimension image is pulled diff --git a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml b/roles/matrix-email2matrix/tasks/setup_email2matrix.yml index 1e64627a..d5fa73a5 100644 --- a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml +++ b/roles/matrix-email2matrix/tasks/setup_email2matrix.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_email2matrix_base_path }}" - "{{ matrix_email2matrix_config_dir_path }}" @@ -21,7 +21,7 @@ src: "{{ role_path }}/templates/config.json.j2" dest: "{{ matrix_email2matrix_config_dir_path }}/config.json" owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" mode: 0640 when: matrix_email2matrix_enabled|bool diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml index fcfbb8f6..408027ee 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_base_path }}", when: true } when: matrix_jitsi_enabled|bool and item.when diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml index b7ff409a..63da7fcf 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml @@ -10,7 +10,7 @@ state: directory mode: 0777 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_jicofo_base_path }}", when: true } - { path: "{{ matrix_jitsi_jicofo_config_path }}", when: true } diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml index f442fc6e..09055b59 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml @@ -10,7 +10,7 @@ state: directory mode: 0777 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_jvb_base_path }}", when: true } - { path: "{{ matrix_jitsi_jvb_config_path }}", when: true } diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index e783aad9..4159362d 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -10,7 +10,7 @@ state: directory mode: 0777 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_prosody_base_path }}", when: true } - { path: "{{ matrix_jitsi_prosody_config_path }}", when: true } diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index 3610a084..6e5d20b0 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -10,7 +10,7 @@ state: directory mode: 0777 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_jitsi_web_base_path }}", when: true } - { path: "{{ matrix_jitsi_web_config_path }}", when: true } diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml index 57fc019a..ee055afd 100644 --- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_ma1sd_config_path }}", when: true } - { path: "{{ matrix_ma1sd_data_path }}", when: true } @@ -69,7 +69,7 @@ dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_ma1sd_enabled|bool - name: Ensure custom templates are installed if any @@ -78,7 +78,7 @@ dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml index e216915f..6104edfe 100644 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_mailer_enabled|bool - name: Ensure mailer environment variables file created diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 6db5d978..69ac36f2 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -16,7 +16,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_nginx_proxy_base_path }}" - "{{ matrix_nginx_proxy_data_path }}" @@ -34,7 +34,7 @@ src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2" dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" mode: 0400 when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool" @@ -79,7 +79,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_nginx_proxy_base_domain_serving_enabled|bool - name: Ensure Matrix nginx-proxy homepage for base domain exists @@ -88,7 +88,7 @@ dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool - name: Ensure Matrix nginx-proxy configuration for base domain exists diff --git a/roles/matrix-nginx-proxy/tasks/setup_well_known.yml b/roles/matrix-nginx-proxy/tasks/setup_well_known.yml index 5cd54cc8..3e43a8c6 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_well_known.yml @@ -11,7 +11,7 @@ state: directory mode: 0755 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_static_files_base_path }}/.well-known/matrix" @@ -21,4 +21,4 @@ dest: "{{ matrix_static_files_base_path }}/.well-known/matrix" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" \ No newline at end of file + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/tasks/ssl/main.yml b/roles/matrix-nginx-proxy/tasks/ssl/main.yml index 5402468c..6c060818 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/main.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/main.yml @@ -14,7 +14,7 @@ state: directory mode: 0770 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" recurse: true with_items: - "{{ matrix_ssl_log_dir_path }}" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml index 80838fa6..aea17cc0 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml @@ -17,7 +17,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" # The proper way to do this is by using a sequence of diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml index 5953557b..eab4e892 100644 --- a/roles/matrix-postgres/tasks/import_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml @@ -50,7 +50,7 @@ state: directory mode: 0700 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-postgres is started service: diff --git a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml index 599d45b5..ef5fbf47 100644 --- a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml +++ b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml @@ -46,7 +46,7 @@ state: directory mode: 0700 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: "result_pg_old_data_dir_stat.stat.exists" - block: diff --git a/roles/matrix-postgres/tasks/run_synapse_janitor.yml b/roles/matrix-postgres/tasks/run_synapse_janitor.yml index 4562b8ba..41484d79 100644 --- a/roles/matrix-postgres/tasks/run_synapse_janitor.yml +++ b/roles/matrix-postgres/tasks/run_synapse_janitor.yml @@ -42,7 +42,7 @@ force: true mode: 0550 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-postgres is started service: diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 355898b6..e4d44392 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -38,7 +38,7 @@ state: directory mode: 0700 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - "{{ matrix_postgres_base_path }}" - "{{ matrix_postgres_data_path }}" @@ -52,7 +52,7 @@ path: "{{ matrix_postgres_data_path }}" state: directory owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" recurse: yes when: matrix_postgres_enabled|bool diff --git a/roles/matrix-riot-web/tasks/setup_riot_web.yml b/roles/matrix-riot-web/tasks/setup_riot_web.yml index a1d25fc6..f21834a8 100644 --- a/roles/matrix-riot-web/tasks/setup_riot_web.yml +++ b/roles/matrix-riot-web/tasks/setup_riot_web.yml @@ -10,7 +10,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_riot_web_data_path }}", when: true } - { path: "{{ matrix_riot_web_docker_src_files_path }}", when: "{{ matrix_riot_web_container_image_self_build }}" } @@ -48,7 +48,7 @@ dest: "{{ matrix_riot_web_data_path }}/config.json" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: matrix_riot_web_enabled|bool - name: Ensure Matrix riot-web config files installed @@ -57,7 +57,7 @@ dest: "{{ matrix_riot_web_data_path }}/{{ item.name }}" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - {src: "{{ role_path }}/templates/welcome.html.j2", name: "welcome.html"} diff --git a/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml b/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml index 9569d71e..634b1ca5 100644 --- a/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml +++ b/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml @@ -12,7 +12,7 @@ force: true mode: 0440 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - set_fact: matrix_synapse_password_providers_enabled: true diff --git a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml index 60e5ee0c..af92041d 100644 --- a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml +++ b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml @@ -12,7 +12,7 @@ force: true mode: 0440 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - set_fact: matrix_synapse_password_providers_enabled: true diff --git a/roles/matrix-synapse/tasks/goofys/setup_install.yml b/roles/matrix-synapse/tasks/goofys/setup_install.yml index f8c4b013..93237986 100644 --- a/roles/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/matrix-synapse/tasks/goofys/setup_install.yml @@ -18,7 +18,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: "not local_path_matrix_synapse_media_store_path_stat.failed and not local_path_matrix_synapse_media_store_path_stat.stat.exists" - name: Ensure goofys environment variables file created diff --git a/roles/matrix-synapse/tasks/import_media_store.yml b/roles/matrix-synapse/tasks/import_media_store.yml index db68f22d..487bcb35 100644 --- a/roles/matrix-synapse/tasks/import_media_store.yml +++ b/roles/matrix-synapse/tasks/import_media_store.yml @@ -66,7 +66,7 @@ file: path: "{{ matrix_synapse_media_store_path }}" owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" recurse: yes when: "not matrix_s3_media_store_enabled|bool" diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml index c40ae170..4fb41b1a 100644 --- a/roles/matrix-synapse/tasks/setup_synapse.yml +++ b/roles/matrix-synapse/tasks/setup_synapse.yml @@ -6,7 +6,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_synapse_config_dir_path }}", when: true } - { path: "{{ matrix_synapse_run_path }}", when: true } diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index f10614e7..58f4d31d 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -15,7 +15,7 @@ state: directory mode: 0750 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" - name: Ensure Synapse repository is present on self-build @@ -79,7 +79,7 @@ dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" mode: 0644 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Synapse log config installed template: From d6266a8c4741fb78b97250f16c5dc9f328648b71 Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Fri, 1 May 2020 21:34:42 +0200 Subject: [PATCH 1127/2384] fix skype bridge being rebuilt when upstream changed --- roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 6857c6c9..8fb94d73 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -42,6 +42,7 @@ docker_image: name: "{{ matrix_mx_puppet_skype_docker_image }}" source: build + force_source: yes build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" From e750c6c6ff6e58ea90e588499b92418a652a5ece Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Mon, 4 May 2020 09:46:45 -0500 Subject: [PATCH 1128/2384] Update coturn (4.5.1.1 -> 4.5.1.2) --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 06063e3b..ef314d89 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -2,7 +2,7 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false -matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1" +matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.2" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" # The Docker network that Coturn would be put into. From f7fcf3590a7eb60a3aaebf19a678f3c4bef3baf2 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Mon, 4 May 2020 17:34:23 +0200 Subject: [PATCH 1129/2384] Clarify domain of Dimension admin users in docs by using matrix_domain variable --- docs/configuring-playbook-dimension.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index ddd1d1bc..24fd16e1 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -21,7 +21,9 @@ These users can modify the integrations this Dimension supports. Admin interface Add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml -matrix_dimension_admins: ['@user1:domain.com', '@user2:domain.com'] +matrix_dimension_admins: + - "@user1:{{ matrix_domain }}" + - "@user2:{{ matrix_domain }}" ``` ## Access token From a1c5a197a93d410d714215b90627bcfb007864b4 Mon Sep 17 00:00:00 2001 From: Fanch Date: Mon, 4 May 2020 21:43:54 +0200 Subject: [PATCH 1130/2384] remove default UID/GID --- roles/matrix-base/defaults/main.yml | 2 -- roles/matrix-base/tasks/setup_matrix_base.yml | 13 ++++++++++--- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 7f4c6ace..90061a06 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -22,8 +22,6 @@ matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" matrix_user_username: "matrix" -matrix_user_uid: 991 -matrix_user_gid: 991 matrix_base_data_path: "/matrix" matrix_base_data_path_mode: "750" diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 24217883..9720cb91 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -3,15 +3,23 @@ - name: Ensure Matrix group is created group: name: "{{ matrix_user_username }}" - gid: "{{ matrix_user_gid }}" state: present + register: matrix_group + +- name: Set Matrix Group GID Variable + set_fact: + matrix_user_gid: "{{ matrix_group.gid }}" - name: Ensure Matrix user is created user: name: "{{ matrix_user_username }}" - uid: "{{ matrix_user_uid }}" state: present group: "{{ matrix_user_username }}" + register: matrix_user + +- name: Set Matrix Group UID Variable + set_fact: + matrix_user_uid: "{{ matrix_user.uid }}" - name: Ensure Matrix base path exists file: @@ -54,4 +62,3 @@ src: "{{ role_path }}/templates/usr-local-bin/matrix-remove-all.j2" dest: "{{ matrix_local_bin_path }}/matrix-remove-all" mode: 0750 - From 658e3361f6ba55414ae84f7a1e68e2428fad7c34 Mon Sep 17 00:00:00 2001 From: Christian Wolf Date: Tue, 5 May 2020 08:42:14 +0200 Subject: [PATCH 1131/2384] Added a documentation enhancement regarding external TURN server --- docs/configuring-playbook-turn.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/configuring-playbook-turn.md b/docs/configuring-playbook-turn.md index 547f2bef..c1d777a8 100644 --- a/docs/configuring-playbook-turn.md +++ b/docs/configuring-playbook-turn.md @@ -31,3 +31,12 @@ matrix_synapse_turn_uris: - turn:HOSTNAME_OR_IP?transport=udp - turn:HOSTNAME_OR_IP?transport=tcp ``` + +If you have or want to enable [Jitsi](configuring-playbook-jitsi.md), you might want to enable the TURN server there too. +If you do not do it, Jitsi will fall back to an upstream service. + +```yaml +matrix_jitsi_web_stun_servers: +- stun:HOSTNAME_OR_IP:PORT +``` +You can put multiple host/port combinations if you like. From 4359571d38e0f4b1d9e5bd3477b583bd0eca16ad Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 May 2020 14:02:14 +0300 Subject: [PATCH 1132/2384] Upgrade riot-web to v1.6.0 --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 31c2c969..71255e24 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.15" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.0" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 8fea6f5130e658cd0edbf030ce61a82cf9c874b2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 May 2020 09:43:30 +0300 Subject: [PATCH 1133/2384] Make sure matrix_user_uid and matrix_user_gid are always set If one runs the playbook with `--tags=setup-all`, it would have been fine. But running with a specific tag (e.g. `--tags=setup-riot-web`) would have made that initialization be skipped, and the `matrix-riot-web` role would fail, due to missing variables. --- roles/matrix-base/tasks/main.yml | 7 ++++++ roles/matrix-base/tasks/setup_matrix_base.yml | 21 ------------------ roles/matrix-base/tasks/setup_matrix_user.yml | 22 +++++++++++++++++++ 3 files changed, 29 insertions(+), 21 deletions(-) create mode 100644 roles/matrix-base/tasks/setup_matrix_user.yml diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index 827a4101..c51d6811 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -12,6 +12,13 @@ tags: - setup-all +# This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`, +# which are required by many other roles. +- import_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml" + when: run_setup|bool + tags: + - always + - import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" when: run_setup|bool tags: diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 9720cb91..fa26b5f5 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -1,26 +1,5 @@ --- -- name: Ensure Matrix group is created - group: - name: "{{ matrix_user_username }}" - state: present - register: matrix_group - -- name: Set Matrix Group GID Variable - set_fact: - matrix_user_gid: "{{ matrix_group.gid }}" - -- name: Ensure Matrix user is created - user: - name: "{{ matrix_user_username }}" - state: present - group: "{{ matrix_user_username }}" - register: matrix_user - -- name: Set Matrix Group UID Variable - set_fact: - matrix_user_uid: "{{ matrix_user.uid }}" - - name: Ensure Matrix base path exists file: path: "{{ item }}" diff --git a/roles/matrix-base/tasks/setup_matrix_user.yml b/roles/matrix-base/tasks/setup_matrix_user.yml new file mode 100644 index 00000000..277a41d9 --- /dev/null +++ b/roles/matrix-base/tasks/setup_matrix_user.yml @@ -0,0 +1,22 @@ +--- + +- name: Ensure Matrix group is created + group: + name: "{{ matrix_user_username }}" + state: present + register: matrix_group + +- name: Set Matrix Group GID Variable + set_fact: + matrix_user_gid: "{{ matrix_group.gid }}" + +- name: Ensure Matrix user is created + user: + name: "{{ matrix_user_username }}" + state: present + group: "{{ matrix_user_username }}" + register: matrix_user + +- name: Set Matrix Group UID Variable + set_fact: + matrix_user_uid: "{{ matrix_user.uid }}" From ccc7aaf0ce47262bebef9cfe565c8df5f4fd7ff3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 May 2020 09:55:40 +0300 Subject: [PATCH 1134/2384] Fix "Migrating to a new server" flow due to dynamic user/group creation --- docs/maintenance-migrating.md | 6 ++++-- roles/matrix-base/tasks/main.yml | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index fcfe4e16..71a38e58 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md @@ -1,8 +1,10 @@ # Migrating to new server 1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading ot less downtime -2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*` +2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*` 3. Copy directory `/matrix` from the old server to the new server. Make sure to preserve ownership and permissions (use `cp -p` or `rsync -ar`)! 4. Make sure your DNS records are adjusted to point to the new server's IP address 5. Remove old server from the `inventory/hosts` file and add new server. -6. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`. This will create the matrix user and group and start all services on the new server +6. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-system-user`. This will create the `matrix` user and group on the new server +7. Because the `matrix` user and group are created dynamically on each server, the user/group id may differ between the old and new server. We suggest that you adjust ownership of `/matrix` files manually by running this on the new server: `chown -R matrix:matrix /matrix`. +8. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` to finish the installation and start all services diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index c51d6811..a1bb6754 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -18,6 +18,7 @@ when: run_setup|bool tags: - always + - setup-system-user - import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" when: run_setup|bool From c1c8b8e62cbcdaf5a378bae7ad6f7b2e0a92db56 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 May 2020 10:17:19 +0300 Subject: [PATCH 1135/2384] Warn about matrix_user_uid/matrix_user_gid We don't really need to fail in such a spectactular way, but it's probably good to do. It will only happen for people who are defining their own user/group id, which is rare. It seems like a good idea to tell them that this doesn't work as they expect anymore and to ask them to remove these variables, which otherwise give them a fake sense of hope. Related to #486 (Github Pull Request). --- roles/matrix-base/tasks/main.yml | 5 +++++ roles/matrix-base/tasks/validate_config.yml | 11 +++++++++++ 2 files changed, 16 insertions(+) create mode 100644 roles/matrix-base/tasks/validate_config.yml diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index a1bb6754..26e01996 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -2,6 +2,11 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool" + tags: + - setup-all + - import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml" when: run_setup|bool tags: diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml new file mode 100644 index 00000000..3ea1f5a1 --- /dev/null +++ b/roles/matrix-base/tasks/validate_config.yml @@ -0,0 +1,11 @@ +--- + +- name: (Deprecation) Warn about unused user/group variables + fail: + msg: > + The `{{ item }}` variable defined in your configuration is not used by this playbook anymore. + User/group creation is now dynamic. You can remove these variables from your configuration, as they have no effect on anything. + when: "item in vars" + with_items: + - 'matrix_user_uid' + - 'matrix_user_uid' From 884df93be196ba3559bc269035bb3046b3b4a141 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 May 2020 10:29:43 +0300 Subject: [PATCH 1136/2384] Make it clearer that Dimension requires a dedicated user --- docs/configuring-playbook-dimension.md | 28 +++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 24fd16e1..d4de8e2b 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -4,11 +4,14 @@ If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later. ## Prerequisites + This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and an [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environment. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Other important prerequisite is the `dimension.` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly. + ## Enable + [Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml @@ -17,6 +20,7 @@ matrix_dimension_enabled: true ## Define admin users + These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon. Add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): @@ -26,16 +30,21 @@ matrix_dimension_admins: - "@user2:{{ matrix_domain }}" ``` + ## Access token -You are required to specify an access token for Dimension to work. -To get an access token, follow these steps: + +We recommend that you create a dedicated Matrix user for Dimension (`dimension` is a good username). +Follow our [Registering users](registering-users.md) guide to learn how to register **a regular (non-admin) user**. + +You are required to specify an access token (belonging to this new user) for Dimension to work. +To get an access token for the Dimension user, follow these steps: 1. In a private browsing session (incognito window), open Riot. -2. It's preferable to use a dedicated user for the access token, so create and log in with that user's username and password. -3. Set the display name and avatar, if required. -4. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: `. -5. Copy the highlighted text to your configuration. -6. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work. +2. Log in with the `dimension` user and its password. +1. Set the display name and avatar, if required. +2. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: `. +3. Copy the highlighted text to your configuration. +4. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work. **Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.** @@ -47,18 +56,23 @@ matrix_dimension_access_token: "YOUR ACCESS TOKEN HERE" For more information on how to acquire an access token, visit [https://t2bot.io/docs/access_tokens](https://t2bot.io/docs/access_tokens). + +## Installation + After these variables have been set, please run the following command to re-run setup and to restart Dimension: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ``` + ## Jitsi domain By default Dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of [Jitsi](https://jitsi.org/) audio/video conference widgets. For users running [a self-hosted Jitsi instance](./configuring-playbook-jitsi.md), you will likely want the widget to use your own Jitsi instance. Currently there is no way to configure this via the playbook, see [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details. In the interim until the above limitation is resolved, an admin user needs to configure the domain via the admin ui once dimension is running. In riot-web, go to *Manage Integrations* → *Settings* → *Widgets* → *Jitsi Conference Settings* and set *Jitsi Domain* and *Jitsi Script URL* appropriately. + ## Additional features To use a more custom configuration, you can define a `matrix_dimension_configuration_extension_yaml` string variable and put your configuration in it. From ae1b1be3f4b6a6836e00e1371dac2662c7274048 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 May 2020 11:20:14 +0300 Subject: [PATCH 1137/2384] Do not use matrix:matrix for Dimension configuration Dimension runs as the `node` user in the container (`1000:1000`). It doesn't seem like we have a way around it. Thus, its configuration must also be readable by that user (or group, in this case). --- roles/matrix-dimension/tasks/setup_dimension.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dimension/tasks/setup_dimension.yml b/roles/matrix-dimension/tasks/setup_dimension.yml index 1681a548..2437a547 100644 --- a/roles/matrix-dimension/tasks/setup_dimension.yml +++ b/roles/matrix-dimension/tasks/setup_dimension.yml @@ -10,7 +10,7 @@ state: directory mode: 0770 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + group: "{{ matrix_dimension_user_gid }}" when: matrix_dimension_enabled|bool - name: Ensure Dimension config installed @@ -19,7 +19,7 @@ dest: "{{ matrix_dimension_base_path }}/config.yaml" mode: 0640 owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" + group: "{{ matrix_dimension_user_gid }}" when: matrix_dimension_enabled|bool - name: Ensure Dimension image is pulled From dd527d596850574b83f7d9f4903e3191a35ed7af Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 6 May 2020 11:28:09 +0300 Subject: [PATCH 1138/2384] Ensure correct dimension.db file ownership This is mostly here to guard against problems happening due to server migration and doing `chown -R matrix:matrix /matrix`. Normally, the file is owned by `1000:1000`, as expected. If ownership changes, Dimension could still start, but it will fail the first time it tries to write to the database. Explicitly chowning before startup guards against this. Related to #485 and #486 (Github Pull Requests). Also related to ccc7aaf0ce47262beb. --- .../templates/systemd/matrix-dimension.service.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index c32027b1..0a8d0c83 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -9,6 +9,9 @@ Type=simple ExecStartPre=-/usr/bin/docker kill matrix-dimension ExecStartPre=-/usr/bin/docker rm matrix-dimension +# Fixup database ownership if it got changed somehow (during a server migration, etc.) +ExecStartPre=-/usr/bin/chown {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db + ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ --log-driver=none \ --user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \ From 787f12e70d9e5828dfbcbda6af76de5a4131ab1a Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Fri, 8 May 2020 13:56:31 -0500 Subject: [PATCH 1139/2384] Fix typo in validation --- roles/matrix-base/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml index 3ea1f5a1..52686619 100644 --- a/roles/matrix-base/tasks/validate_config.yml +++ b/roles/matrix-base/tasks/validate_config.yml @@ -8,4 +8,4 @@ when: "item in vars" with_items: - 'matrix_user_uid' - - 'matrix_user_uid' + - 'matrix_user_gid' From 89deb1b195e14136e0a3e2fe587b3d5efce712c3 Mon Sep 17 00:00:00 2001 From: Kevin Lanni Date: Sat, 9 May 2020 11:04:49 -0700 Subject: [PATCH 1140/2384] Add note about ask-become-pass This flag is necessary for Ansible to ask for the sudo password when using the non-root option as documented in the `hosts` file. Otherwise, Ansible errors out with `missing sudo password`. --- docs/installing.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/installing.md b/docs/installing.md index 1e3ebf54..43758ffb 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -10,6 +10,8 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all **Note**: if you don't use SSH keys for authentication, but rather a regular password, you may need to add `--ask-pass` to the above (and all other) Ansible commands. +**Note**: if you **do** use SSH keys for authentication, **and** use a non-root user to *become* root (sudo), you may need to add `-K` (`--ask-become-pass`) to the above (and all other) Ansible commands. + The above command **doesn't start any services just yet** (another step does this later - below). Feel free to **re-run this setup command any time** you think something is off with the server configuration. From 308fc9c60a15b91354306bb525537b2c83e43476 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 10 May 2020 09:52:52 +0300 Subject: [PATCH 1141/2384] Fix webhooks service address when matrix-nginx-proxy disabled Fixes #494 (Github Issue). --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 382897fd..970a5703 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -88,7 +88,7 @@ matrix_appservice_webhooks_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-webhooks' client-server port to the local host. -matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}' }}" +matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}" From 058e3bbd7fc7eac3feb63d4114e1bcc571188850 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sun, 10 May 2020 18:44:52 +0200 Subject: [PATCH 1142/2384] Document how to administer synapse database via tunneled web-frontend --- docs/maintenance-synapse.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index ab33b9de..b7c1ede2 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -14,6 +14,7 @@ Table of contents: - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api) - [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state) +- [Browse and manipulate the database](#browse-and-manipulate-the-database), for when you really need to take matters into your own hands ## Purging unused data with synapse-janitor @@ -76,3 +77,23 @@ Don't forget that disk space only ever gets released after a [`FULL` Postgres `V Unfortunately, at this time the playbook can't help you run this **experimental tool**. Since it's also experimental, you may wish to stay away from it, or at least [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first. + +## Browse and manipulate the database + +When the [matrix admin API](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) and the other tools do not provide a more convenient way, having a look at synapse's postgresql database can satisfy a lot of admins' needs. +First, set up an SSH tunnel to your matrix server (skip if it is your local machine): + +``` +# you may replace 1799 with an arbitrary port unbound on both machines +ssh -L 1799:localhost:1799 matrix.DOMAIN +``` + +Then start up an ephemeral [adminer](https://www.adminer.org/) container, connecting it to the matrix-net and linking the postgresql container: + +``` +docker run --rm --publish 1799:8080 --link matrix-postgres --net matrix adminer +``` + +You should then be able to browse the adminer database administration GUI at http://localhost:1799/ after entering your DB credentials (found in the `host_vars` or on the server in `{{matrix_synapse_config_dir_path}}/homeserver.yaml` under `database.args`) + +⚠️ Be **very careful** with this, there is **no undo** for impromptu DB operations. From 4ff7e753b2b7471bd6a152cca76818a00aedac65 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 11 May 2020 11:09:22 +0300 Subject: [PATCH 1143/2384] Make it clearer where to spawn adminer --- docs/maintenance-synapse.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index b7c1ede2..9c70934d 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -88,7 +88,7 @@ First, set up an SSH tunnel to your matrix server (skip if it is your local mach ssh -L 1799:localhost:1799 matrix.DOMAIN ``` -Then start up an ephemeral [adminer](https://www.adminer.org/) container, connecting it to the matrix-net and linking the postgresql container: +Then start up an ephemeral [adminer](https://www.adminer.org/) container on the Matrix server, connecting it to the `matrix` network and linking the postgresql container: ``` docker run --rm --publish 1799:8080 --link matrix-postgres --net matrix adminer From 93f4111654a202158f85fa15d5ff898274ab893d Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 13 May 2020 16:15:37 +0200 Subject: [PATCH 1144/2384] Prevent 404s when Riot tries to retrieve domain-specific config.json Riot unconditionally asks for a config.${document.domain}.json, c.f. https://github.com/vector-im/riot-web/blame/develop/src/vector/getconfig.ts#L24 --- .../matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 51c61f47..364e0fa1 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -24,6 +24,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ -v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ -v /dev/null:/etc/nginx/conf.d/default.conf:ro \ -v {{ matrix_riot_web_data_path }}/config.json:/app/config.json:ro \ + -v {{ matrix_riot_web_data_path }}/config.json:/app/config.{{ matrix_server_fqn_riot }}.json:ro \ {% if matrix_riot_web_embedded_pages_home_path is not none %} -v {{ matrix_riot_web_data_path }}/home.html:/app/home.html:ro \ {% endif %} From d430e42c99e94e763525402579d8cfd2de9d50ea Mon Sep 17 00:00:00 2001 From: chagai95 <31655082+chagai95@users.noreply.github.com> Date: Sat, 16 May 2020 14:49:12 +0200 Subject: [PATCH 1145/2384] Typo STMP -> SMTP --- docs/configuring-playbook-email.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-email.md b/docs/configuring-playbook-email.md index 0933fb54..d9721a4e 100644 --- a/docs/configuring-playbook-email.md +++ b/docs/configuring-playbook-email.md @@ -34,7 +34,7 @@ matrix_mailer_relay_auth_password: "some-password" ### Configuations for sending emails using Sendgrid -An easy and free STMP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `matrix_mailer_sender_address`. +An easy and free SMTP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `matrix_mailer_sender_address`. The only other thing you need to change is the `matrix_mailer_relay_auth_password`, which you can generate at https://app.sendgrid.com/settings/api_keys. The API key password looks something like `SG.955oW1mLSfwds7i9Yd6IA5Q.q8GTaB8q9kGDzasegdG6u95fQ-6zkdwrPP8bOeuI`. From c2df3d7bbfc4bd9397d5512ae80f175d4daf6004 Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sat, 16 May 2020 15:00:44 +0200 Subject: [PATCH 1146/2384] Update jitsi containers to 4548-1 --- roles/matrix-jitsi/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index fc428b96..9d79a5cd 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -50,7 +50,7 @@ matrix_jitsi_jibri_recorder_user: recorder matrix_jitsi_jibri_recorder_password: '' -matrix_jitsi_web_docker_image: "jitsi/web:4416" +matrix_jitsi_web_docker_image: "jitsi/web:4548-1" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" @@ -96,7 +96,7 @@ matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false matrix_jisti_web_interface_config_show_deep_linking_image: false -matrix_jitsi_prosody_docker_image: "jitsi/prosody:4416" +matrix_jitsi_prosody_docker_image: "jitsi/prosody:4548-1" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -109,7 +109,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4416" +matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4548-1" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -126,7 +126,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "jitsi/jvb:4416" +matrix_jitsi_jvb_docker_image: "jitsi/jvb:4548-1" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" From fbd8f3ec9bcebcef9c09e7a345a6713a4a3c2c51 Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sat, 16 May 2020 15:12:51 +0200 Subject: [PATCH 1147/2384] Jitsi prosody: add volume /prosody-plugins-custom --- roles/matrix-jitsi/defaults/main.yml | 1 + .../templates/prosody/matrix-jitsi-prosody.service.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 9d79a5cd..bc61829e 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -101,6 +101,7 @@ matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_im matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config" +matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom" # A list of extra arguments to pass to the container matrix_jitsi_prosody_container_extra_arguments: [] diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index bf43021d..459a24d3 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -16,6 +16,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-prosody \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_jitsi_prosody_base_path }}/env \ -v {{ matrix_jitsi_prosody_config_path }}:/config \ + -v {{ matrix_jitsi_prosody_plugins_path }}:/prosody-plugins-custom \ {% for arg in matrix_jitsi_prosody_container_extra_arguments %} {{ arg }} \ {% endfor %} From 47001258b5935e86e239b7a4acc328a76b1fa41c Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sun, 17 May 2020 14:19:58 +0200 Subject: [PATCH 1148/2384] Ensure prosody plugin path created / permissions --- roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 4159362d..66299f64 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -14,6 +14,7 @@ with_items: - { path: "{{ matrix_jitsi_prosody_base_path }}", when: true } - { path: "{{ matrix_jitsi_prosody_config_path }}", when: true } + - { path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true } when: matrix_jitsi_enabled|bool and item.when - name: Ensure jitsi-prosody Docker image is pulled From ba23779b05a89714d7cecb3ce9db96652cb1b56f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 17 May 2020 21:23:18 +0300 Subject: [PATCH 1149/2384] Fix incorrect Jitsi container image tags Related to #508 (Github Pull Request). --- roles/matrix-jitsi/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index bc61829e..21dae448 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -50,7 +50,7 @@ matrix_jitsi_jibri_recorder_user: recorder matrix_jitsi_jibri_recorder_password: '' -matrix_jitsi_web_docker_image: "jitsi/web:4548-1" +matrix_jitsi_web_docker_image: "jitsi/web:stable-4548-1" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" @@ -96,7 +96,7 @@ matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false matrix_jisti_web_interface_config_show_deep_linking_image: false -matrix_jitsi_prosody_docker_image: "jitsi/prosody:4548-1" +matrix_jitsi_prosody_docker_image: "jitsi/prosody:stable-4548-1" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -110,7 +110,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4548-1" +matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:stable-4548-1" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -127,7 +127,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "jitsi/jvb:4548-1" +matrix_jitsi_jvb_docker_image: "jitsi/jvb:stable-4548-1" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" From 07ff1162661b52a0a161ec769f4ad55aa3393d4c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 May 2020 12:57:19 +0300 Subject: [PATCH 1150/2384] Do not send User Directory search requests to ma1sd for now We can undo this once https://github.com/ma1uta/ma1sd/issues/44 gets resolved. --- CHANGELOG.md | 14 ++++++++++++++ group_vars/matrix_servers | 5 ++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e018879..de86333d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,16 @@ +# 2020-05-19 + +## (Compatibility Break / Security Issue) Disabling User Directory search powered by the ma1sd Identity Server + +User Directory search requests used to go to the ma1sd identity server by default, which queried its own stores and the Synapse database. + +ma1sd current has [a security issue](https://github.com/ma1uta/ma1sd/issues/44), which made it leak information about all users - including users created by bridges, etc. + +Until the issue gets fixed, we're making User Directory search not go to ma1sd by default. You **need to re-run the playbook and restart services to apply this workaround**. + +*If you insist on restoring the old behavior* (**which has a security issue!**), you *might* use this configuration: `matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"` + + # 2020-04-28 ## Newer IRC bridge (with potential breaking change) @@ -11,6 +24,7 @@ If you did not include `mappings` in your configuration for IRC, no change is necessary. `mappings` is not part of the default configuration. + # 2020-04-23 ## Slack bridging support diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 970a5703..6d9876ac 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -616,7 +616,10 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" +# Not proxying the user directory search to the identity server by default anymore, +# because it currently leaks data. +# See: https://github.com/ma1uta/ma1sd/issues/44 +matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" From 7a2dbdc2d7c5595a6bab71295f62660d152d7eee Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 May 2020 15:06:35 +0300 Subject: [PATCH 1151/2384] Update components --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- roles/matrix-riot-web/defaults/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 5f6d0503..819691f6 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_irc_enabled: true -matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.16.0" +matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.17.1" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8f329f1a..07dd2038 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -220,7 +220,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.3.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.4.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 71255e24..d8233699 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.0" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.1" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From a03e95b7eb4d20ba3765e959af332feb2ad66057 Mon Sep 17 00:00:00 2001 From: louis Date: Tue, 19 May 2020 17:06:11 +0200 Subject: [PATCH 1152/2384] enable by default v2 api prefix for ma1sd --- roles/matrix-ma1sd/defaults/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 144f4932..a02845f9 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -76,6 +76,10 @@ matrix_ma1sd_self_check_validate_certificates: true # According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity matrix_ma1sd_verbose_logging: false +# Setting up support for API prefixes +matrix_ma1sd_v1_enabled: true +matrix_ma1sd_v2_enabled: true + # Default ma1sd configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -85,6 +89,8 @@ matrix_ma1sd_configuration_yaml: | #jinja2: lstrip_blocks: True matrix: domain: {{ matrix_domain }} + v1: {{ matrix_ma1sd_v1_enabled }} + v2: {{ matrix_ma1sd_v2_enabled }} server: name: {{ matrix_server_fqn_matrix }} From a3259bbd777da37f7446d16e049f2fb9ea8326a0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 May 2020 21:15:23 +0300 Subject: [PATCH 1153/2384] Add |to_json to some variables --- roles/matrix-ma1sd/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index a02845f9..ff2f72d4 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -89,8 +89,8 @@ matrix_ma1sd_configuration_yaml: | #jinja2: lstrip_blocks: True matrix: domain: {{ matrix_domain }} - v1: {{ matrix_ma1sd_v1_enabled }} - v2: {{ matrix_ma1sd_v2_enabled }} + v1: {{ matrix_ma1sd_v1_enabled|to_json }} + v2: {{ matrix_ma1sd_v2_enabled|to_json }} server: name: {{ matrix_server_fqn_matrix }} From 8fb3ce6f6d4c312f264d613b21308d3d07cd4414 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 May 2020 21:35:32 +0300 Subject: [PATCH 1154/2384] Upgrade Synapse (v1.12.4 -> v1.13.0) --- .../tasks/import_sqlite_db.yml | 1 - roles/matrix-synapse/defaults/main.yml | 3 +- roles/matrix-synapse/tasks/setup_synapse.yml | 1 - .../templates/synapse/homeserver.yaml.j2 | 166 +++++++++++++----- .../synapse/systemd/matrix-synapse.service.j2 | 1 - 5 files changed, 123 insertions(+), 49 deletions(-) diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml index eab4e892..42c39a2d 100644 --- a/roles/matrix-postgres/tasks/import_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml @@ -79,7 +79,6 @@ --network={{ matrix_docker_network }} --entrypoint=python -v {{ matrix_synapse_config_dir_path }}:/data - -v {{ matrix_synapse_run_path }}:/matrix-run -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro {{ matrix_synapse_docker_image }} /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 8597c751..50d7d824 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,13 +5,12 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.4" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.13.0" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_docker_src_files_path: "{{ matrix_synapse_base_path }}/docker-src" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" -matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run" matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml index 4fb41b1a..1ae7ade6 100644 --- a/roles/matrix-synapse/tasks/setup_synapse.yml +++ b/roles/matrix-synapse/tasks/setup_synapse.yml @@ -9,7 +9,6 @@ group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_synapse_config_dir_path }}", when: true } - - { path: "{{ matrix_synapse_run_path }}", when: true } - { path: "{{ matrix_synapse_ext_path }}", when: true } - { path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}" } # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 4479d8fc..e729c733 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -20,10 +20,15 @@ server_name: "{{ matrix_domain }}" # pid_file: /homeserver.pid -# The path to the web client which will be served at /_matrix/client/ -# if 'webclient' is configured under the 'listeners' configuration. +# The absolute URL to the web client which /_matrix/client will redirect +# to if 'webclient' is configured under the 'listeners' configuration. # -#web_client_location: "/path/to/web/root" +# This option can be also set to the filesystem path to the web client +# which will be served at /_matrix/client/ if 'webclient' is configured +# under the 'listeners' configuration, however this is a security risk: +# https://github.com/matrix-org/synapse#security-note +# +#web_client_location: https://riot.example.com/ # The public-facing base URL that clients use to access this HS # (not including _matrix/...). This is the same URL a user would @@ -252,6 +257,19 @@ listeners: {% endif %} +# Forward extremities can build up in a room due to networking delays between +# homeservers. Once this happens in a large room, calculation of the state of +# that room can become quite expensive. To mitigate this, once the number of +# forward extremities reaches a given threshold, Synapse will send an +# org.matrix.dummy_event event, which will reduce the forward extremities +# in the room. +# +# This setting defines the threshold (i.e. number of forward extremities in the +# room) at which dummy events are sent. The default value is 10. +# +#dummy_events_threshold: 5 + + ## Homeserver blocking ## # How to reach the server admin, used in ResourceLimitError @@ -410,6 +428,16 @@ retention: # longest_max_lifetime: 1y # interval: 1d +# Inhibits the /requestToken endpoints from returning an error that might leak +# information about whether an e-mail address is in use or not on this +# homeserver. +# Note that for some endpoints the error situation is the e-mail already being +# used, and for others the error is entering the e-mail being unused. +# If this option is enabled, instead of returning an error, these endpoints will +# act as if no error happened and return a fake session ID ('sid') to clients. +# +#request_token_inhibit_3pid_errors: true + ## TLS ## @@ -706,20 +734,15 @@ media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_dire # #media_storage_providers: # - module: file_system -# # Whether to write new local files. +# # Whether to store newly uploaded local files # store_local: false -# # Whether to write new remote media +# # Whether to store newly downloaded remote files # store_remote: false -# # Whether to block upload requests waiting for write to this -# # provider to complete +# # Whether to wait for successful storage for local uploads # store_synchronous: false # config: # directory: /mnt/some/other/directory -# Directory where in-progress uploads are stored. -# -uploads_path: "/matrix-run/uploads" - # The largest allowed upload size in bytes # max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" @@ -834,6 +857,31 @@ url_preview_ip_range_blacklist: # max_spider_size: 10M +# A list of values for the Accept-Language HTTP header used when +# downloading webpages during URL preview generation. This allows +# Synapse to specify the preferred languages that URL previews should +# be in when communicating with remote servers. +# +# Each value is a IETF language tag; a 2-3 letter identifier for a +# language, optionally followed by subtags separated by '-', specifying +# a country or region variant. +# +# Multiple values can be provided, and a weight can be added to each by +# using quality value syntax (;q=). '*' translates to any language. +# +# Defaults to "en". +# +# Example: +# +# url_preview_accept_language: +# - en-UK +# - en-US;q=0.9 +# - fr;q=0.8 +# - *;q=0.7 +# +url_preview_accept_language: +# - en + ## Captcha ## # See docs/CAPTCHA_SETUP for full details of configuring this. @@ -852,10 +900,6 @@ max_spider_size: 10M # #enable_registration_captcha: false -# A secret key used to bypass the captcha test entirely. -# -#captcha_bypass_secret: "YOUR_SECRET_HERE" - # The API endpoint to use for verifying m.login.recaptcha responses. # #recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" @@ -1066,6 +1110,29 @@ account_threepid_delegates: email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} +# Whether users are allowed to change their displayname after it has +# been initially set. Useful when provisioning users based on the +# contents of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_displayname: false + +# Whether users are allowed to change their avatar after it has been +# initially set. Useful when provisioning users based on the contents +# of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_avatar_url: false + +# Whether users can change the 3PIDs associated with their accounts +# (email address and msisdn). +# +# Defaults to 'true' +# +#enable_3pid_changes: false + # Users who register on this homeserver will automatically be joined # to these rooms # @@ -1108,7 +1175,7 @@ sentry: # enabled by default, either for performance reasons or limited use. # metrics_flags: - # Publish synapse_federation_known_servers, a g auge of the number of + # Publish synapse_federation_known_servers, a gauge of the number of # servers this homeserver knows about, including itself. May cause # performance problems on large homeservers. # @@ -1272,32 +1339,32 @@ saml2_config: # remote: # - url: https://our_idp/metadata.xml # - # # By default, the user has to go to our login page first. If you'd like - # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a - # # 'service.sp' section: - # # - # #service: - # # sp: - # # allow_unsolicited: true - # - # # The examples below are just used to generate our metadata xml, and you - # # may well not need them, depending on your setup. Alternatively you - # # may need a whole lot more detail - see the pysaml2 docs! - # - # description: ["My awesome SP", "en"] - # name: ["Test SP", "en"] - # - # organization: - # name: Example com - # display_name: - # - ["Example co", "en"] - # url: "http://example.com" - # - # contact_person: - # - given_name: Bob - # sur_name: "the Sysadmin" - # email_address": ["admin@example.com"] - # contact_type": technical + # # By default, the user has to go to our login page first. If you'd like + # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # # 'service.sp' section: + # # + # #service: + # # sp: + # # allow_unsolicited: true + # + # # The examples below are just used to generate our metadata xml, and you + # # may well not need them, depending on your setup. Alternatively you + # # may need a whole lot more detail - see the pysaml2 docs! + # + # description: ["My awesome SP", "en"] + # name: ["Test SP", "en"] + # + # organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + # + # contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical # Instead of putting the config inline as above, you can specify a # separate pysaml2 configuration file: @@ -1532,8 +1599,19 @@ email: #template_dir: "res/templates" {% endif %} - -#password_providers: +# Password providers allow homeserver administrators to integrate +# their Synapse installation with existing authentication methods +# ex. LDAP, external tokens, etc. +# +# For more information and known implementations, please see +# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md +# +# Note: instances wishing to use SAML or CAS authentication should +# instead use the `saml2_config` or `cas_config` options, +# respectively. +# +# password_providers: +# # Example config for an LDAP auth provider # - module: "ldap_auth_provider.LdapAuthProvider" # config: # enabled: true diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 0bd2c25d..e7b7f1c6 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -45,7 +45,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ -p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \ {% endif %} -v {{ matrix_synapse_config_dir_path }}:/data:ro \ - -v {{ matrix_synapse_run_path }}:/matrix-run:rw \ -v {{ matrix_synapse_storage_path }}:/matrix-media-store-parent:slave \ {% for volume in matrix_synapse_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ From ee3944bcdb1befeaf4daa278a846084bc9087913 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Thu, 21 May 2020 11:40:40 -0500 Subject: [PATCH 1155/2384] Update postgres (12.2 -> 12.3, etc) --- roles/matrix-postgres/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 4089793a..e26c43e7 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -8,10 +8,10 @@ matrix_postgres_db_name: "" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" -matrix_postgres_docker_image_v9: "postgres:9.6.17-alpine" -matrix_postgres_docker_image_v10: "postgres:10.12-alpine" -matrix_postgres_docker_image_v11: "postgres:11.7-alpine" -matrix_postgres_docker_image_v12: "postgres:12.2-alpine" +matrix_postgres_docker_image_v9: "postgres:9.6.18-alpine" +matrix_postgres_docker_image_v10: "postgres:10.13-alpine" +matrix_postgres_docker_image_v11: "postgres:11.8-alpine" +matrix_postgres_docker_image_v12: "postgres:12.3-alpine" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v12 }}" # This variable is assigned at runtime. Overriding its value has no effect. From c1bb4f680ef96a5df8c681fcb75671e4b595dafa Mon Sep 17 00:00:00 2001 From: joao-p-marques Date: Thu, 21 May 2020 23:40:38 +0100 Subject: [PATCH 1156/2384] enable oauth --- roles/matrix-bridge-mx-puppet-slack/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 7648fafe..8a993bb7 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -68,7 +68,7 @@ matrix_mx_puppet_slack_configuration_yaml: | # Slack OAuth settings. Create a slack app at https://api.slack.com/apps oauth: - enabled: false + enabled: true # Slack app credentials. # N.B. This must be quoted so YAML wouldn't parse it as a float. clientId: "{{ matrix_mx_puppet_slack_client_id }}" From afd6d7e45ab5baa316dbd677ea4f5c6321452f2e Mon Sep 17 00:00:00 2001 From: joao-p-marques Date: Thu, 21 May 2020 23:40:54 +0100 Subject: [PATCH 1157/2384] change var name to correct one --- roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index 0b823b2c..5781adf5 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -50,7 +50,7 @@ }} tags: - always - when: matrix_appservice_slack_enabled|bool + when: matrix_mx_puppet_slack_enabled|bool - name: Warn about reverse-proxying if matrix-nginx-proxy not used debug: @@ -60,7 +60,7 @@ Please make sure that you're proxying the `{{ something }}` URL endpoint to the matrix-appservice-slack container. You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. - when: "matrix_appservice_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" + when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" # ansible lower than 2.8, does not support docker_image build parameters # for self buildig it is explicitly needed, so we rather fail here From 3198ed0dc962ef2abd9875387e61a59b307ad541 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 May 2020 11:12:06 +0300 Subject: [PATCH 1158/2384] Add missing matrix_mx_puppet_slack_container_http_host_bind_port variable --- roles/matrix-bridge-mx-puppet-slack/defaults/main.yml | 5 +++++ roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 4 ++-- .../templates/systemd/matrix-mx-puppet-slack.service.j2 | 3 +++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 8a993bb7..083910b1 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -5,6 +5,11 @@ matrix_mx_puppet_slack_enabled: true matrix_mx_puppet_slack_container_image_self_build: false +# Controls whether the mx-puppet-slack container exposes its HTTP port (tcp/8432 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. +matrix_mx_puppet_slack_container_http_host_bind_port: '' + matrix_mx_puppet_slack_docker_image: "sorunome/mx-puppet-slack:latest" matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index 5781adf5..dac04b9b 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -57,8 +57,8 @@ msg: >- NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy reverse proxy. - Please make sure that you're proxying the `{{ something }}` - URL endpoint to the matrix-appservice-slack container. + Please make sure that you're proxying the `{{ matrix_mx_puppet_slack_redirect_path }}` + URL endpoint to the matrix-mx-puppet-slack container. You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 index a86c6765..6db53733 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 @@ -22,6 +22,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-slack \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ + {% if matrix_mx_puppet_slack_container_http_host_bind_port %} + -p {{ matrix_mx_puppet_slack_container_http_host_bind_port }}:{{ matrix_mx_puppet_slack_appservice_port }} \ + {% endif %} -e CONFIG_PATH=/config/config.yaml \ -e REGISTRATION_PATH=/config/registration.yaml \ -v {{ matrix_mx_puppet_slack_config_path }}:/config:z \ From 2d75fca257db5ff754954bf2be7d6d5ad73ad6a4 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Fri, 22 May 2020 13:50:59 +0200 Subject: [PATCH 1159/2384] added matrix-sms-bridge --- group_vars/matrix_servers | 28 +++- roles/matrix-sms-bridge/defaults/main.yml | 151 ++++++++++++++++++ roles/matrix-sms-bridge/tasks/init.yml | 24 +++ roles/matrix-sms-bridge/tasks/main.yml | 21 +++ .../matrix-sms-bridge/tasks/setup_install.yml | 71 ++++++++ .../tasks/setup_uninstall.yml | 24 +++ .../tasks/validate_config.yml | 12 ++ .../systemd/matrix-sms-bridge.service.j2 | 59 +++++++ 8 files changed, 389 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-sms-bridge/defaults/main.yml create mode 100644 roles/matrix-sms-bridge/tasks/init.yml create mode 100644 roles/matrix-sms-bridge/tasks/main.yml create mode 100644 roles/matrix-sms-bridge/tasks/setup_install.yml create mode 100644 roles/matrix-sms-bridge/tasks/setup_uninstall.yml create mode 100644 roles/matrix-sms-bridge/tasks/validate_config.yml create mode 100644 roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6d9876ac..1fb1ea0f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -276,7 +276,6 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # ###################################################################### - ###################################################################### # # matrix-bridge-mautrix-whatsapp @@ -305,6 +304,33 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro # ###################################################################### +###################################################################### +# +# matrix-sms-bridge +# +###################################################################### + +# We don't enable bridges by default. +matrix_sms_bridge_enabled: false + +matrix_sms_bridge_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +matrix_sms_bridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.as.token') | to_uuid }}" + +matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.hs.token') | to_uuid }}" + +matrix_sms_bridge_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.db.password') | to_uuid }}" + +###################################################################### +# +# /matrix-sms-bridge +# +###################################################################### ###################################################################### # diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml new file mode 100644 index 00000000..089b78ef --- /dev/null +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -0,0 +1,151 @@ +# matrix-sms-bridge is a Matrix <-> SMS bridge +# See: https://github.com/benkuly/matrix-sms-bridge + +matrix_sms_bridge_enabled: true + +matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:latest" +matrix_sms_bridge_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" +matrix_sms_bridge_database_docker_image: "neo4j:latest" +matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" + +matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" +matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" +matrix_sms_bridge_data_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data" +matrix_sms_bridge_data_spool_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool" +matrix_sms_bridge_data_spool_inbox_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/inbox" +matrix_sms_bridge_data_spool_inbox_processed_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/inbox_processed" +matrix_sms_bridge_data_spool_outbox_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/outbox" +matrix_sms_bridge_data_spool_sent_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/sent" +matrix_sms_bridge_data_spool_error_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/error" +matrix_sms_bridge_database_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/database" + +matrix_sms_bridge_appservice_token: '' +matrix_sms_bridge_homeserver_token: '' + +matrix_sms_bridge_database_username: 'matrix-sms-bridge' +matrix_sms_bridge_database_password: '' + +matrix_sms_bridge_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_sms_bridge_container_extra_arguments: [] + +# List of systemd services that matrix-appservice-discord.service depends on. +matrix_sms_bridge_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-appservice-discord.service wants +matrix_sms_bridge_systemd_wanted_services_list: [] + +matrix_sms_bridge_appservice_url: 'http://matrix-sms-bridge:8080' +matrix_sms_bridge_database_url: 'bolt://matrix-sms-bridge-database:7687' +matrix_sms_bridge_homeserver_hostname: 'matrix-synapse' +matrix_sms_bridge_homeserver_port: '8008' + +matrix_sms_bridge_homserver_domain: "{{ matrix_domain }}" +matrix_sms_bridge_default_room: '' + +matrix_sms_bridge_gammu_modem: '' + + +matrix_sms_bridge_configuration_yaml: | + #jinja2: lstrip_blocks: "True" + + # Database connection + org: + neo4j: + driver: + uri: {{ matrix_sms_bridge_database_url }} + authentication: + username: {{ matrix_sms_bridge_database_username }} + password: {{ matrix_sms_bridge_database_password }} + + matrix: + bridge: + sms: + # (optional) SMS messages without a valid token a routed to this room. + # Note that you must invite @smsbot:yourHomeServer to this room. + defaultRoomId: "{{ matrix_sms_bridge_default_room }}" + templates: + # (optional) The message, that will be sent as SMS. Valid placeholders are {sender}, {body} and {token}. + outgoingMessage: "{sender} wrote:\n\n{body}\n\nTo answer to this message add this token to your message: {token}" + # (optional) The message, that will be sent as SMS, when an incoming SMS didn't contain a valid token + # and was routed to a default room. By default no answer will be sent. + answerInvalidTokenWithDefaultRoom: "Your token was invalid. The message will be sent to a default matrix room." + # (optional) The message, that will be sent as SMS, when an incoming SMS didn't contain a valid token + # and no default room is configured. + answerInvalidTokenWithoutDefaultRoom: "Your message did not contain any valid token. Nobody will read your message.", + # (optional) The message, that will be sent to a matrix room, when sending a bridged message via SMS failed. + sendSmsError: "Could not send SMS to this user. Please try it again later." + # (optional) The content of bridged SMS message into the default room. Valid placeholders are {sender} and {body}. + defaultRoomIncomingMessage: "{sender} wrote:\n{body}" + provider: + gammu: + # (optional) default is disabled + enabled: true + # (optional) Path to the Gammu-Inbox directory. Default is "/var/spool/gammu/inbox". + inboxPath: "{{ matrix_sms_bridge_data_path }}/spool/inbox" + # (optional) Path to the directory, where to put processed messages. Default is "/var/spool/gammu/inbox_processed". + inboxProcessedPath: "{{ matrix_sms_bridge_data_path }}/spool/inbox_processed" + bot: + # The domain-part of matrix-ids. E. g. example.org when your userIds look like @unicorn:example.org + serverName: {{ matrix_sms_bridge_homserver_domain }} + client: + homeServer: + # The hostname of your Homeserver. + hostname: {{ matrix_sms_bridge_homeserver_hostname }} + # (optional) The port of your Homeserver. Default is 443. + port: {{ matrix_sms_bridge_homeserver_port }} + # (optional) Use http or https. Default is true (so uses https). + secure: false + # The token to authenticate against the Homeserver. + token: {{ matrix_sms_bridge_appservice_token }} + appservice: + # A unique token for Homeservers to use to authenticate requests to this application service. + hsToken: {{ matrix_sms_bridge_homeserver_token }} + +matrix_sms_bridge_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_sms_bridge_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_sms_bridge_configuration_yaml`. + +matrix_sms_bridge_configuration_extension: "{{ matrix_sms_bridge_configuration_extension_yaml|from_yaml if matrix_sms_bridge_configuration_extension_yaml|from_yaml is mapping else {} }}" + +matrix_sms_bridge_gammu_configuration: | + [gammu] + Device = /dev/ttyModem + LogFile = {{ matrix_sms_bridge_data_path }}/log/gammu.log + debugLevel = 1 + + [smsd] + Service = files + LoopSleep = 2 + InboxPath = {{ matrix_sms_bridge_data_path }}/spool/inbox/ + OutboxPath = {{ matrix_sms_bridge_data_path }}/spool/outbox/ + SentSMSPath = {{ matrix_sms_bridge_data_path }}/spool/sent/ + ErrorSMSPath = {{ matrix_sms_bridge_data_path }}/spool/error/ + InboxFormat = detail + OutboxFormat = detail + TransmitFormat = auto + debugLevel = 1 + LogFile = {{ matrix_sms_bridge_data_path }}/log/smsd.log + DeliveryReport = log + DeliveryReportDelay = 7200 + HangupCalls = 1 + CheckBattery = 0 + + +matrix_sms_bridge_registration_yaml: | + id: sms + as_token: "{{ matrix_sms_bridge_appservice_token }}" + hs_token: "{{ matrix_sms_bridge_homeserver_token }}" + namespaces: + users: + - exclusive: true + regex: '^@sms_.+:{{ matrix_sms_bridge_homserver_domain|regex_escape }}$' + url: {{ matrix_sms_bridge_appservice_url }} + sender_localpart: smsbot + rate_limited: false diff --git a/roles/matrix-sms-bridge/tasks/init.yml b/roles/matrix-sms-bridge/tasks/init.yml new file mode 100644 index 00000000..7a49e4b2 --- /dev/null +++ b/roles/matrix-sms-bridge/tasks/init.yml @@ -0,0 +1,24 @@ +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-sms-bridge role needs to execute before the matrix-synapse role. + when: "matrix_sms_bridge_enabled and matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge','matrix-sms-bridge-database'] }}" + when: matrix_sms_bridge_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_sms_bridge_config_path }}/registration.yaml,dst=/matrix-sms-bridge-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-sms-bridge-registration.yaml"] }} + when: matrix_sms_bridge_enabled|bool diff --git a/roles/matrix-sms-bridge/tasks/main.yml b/roles/matrix-sms-bridge/tasks/main.yml new file mode 100644 index 00000000..c1c499de --- /dev/null +++ b/roles/matrix-sms-bridge/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_sms_bridge_enabled|bool" + tags: + - setup-all + - setup-matrix-sms-bridge + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_sms_bridge_enabled|bool" + tags: + - setup-all + - setup-matrix-sms-bridge + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_sms_bridge_enabled|bool" + tags: + - setup-all + - setup-matrix-sms-bridge diff --git a/roles/matrix-sms-bridge/tasks/setup_install.yml b/roles/matrix-sms-bridge/tasks/setup_install.yml new file mode 100644 index 00000000..1ceb371e --- /dev/null +++ b/roles/matrix-sms-bridge/tasks/setup_install.yml @@ -0,0 +1,71 @@ +--- + +- name: Ensure matrix-sms-bridge image is pulled + docker_image: + name: "{{ matrix_sms_bridge_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_sms_bridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sms_bridge_docker_image_force_pull }}" + +- name: Ensure matrix-sms-bridge databse image is pulled + docker_image: + name: "{{ matrix_sms_bridge_database_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_sms_bridge_database_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sms_bridge_database_docker_image_force_pull }}" + + +- name: Ensure matrix-sms-bridge paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_sms_bridge_base_path }}" + - "{{ matrix_sms_bridge_config_path }}" + - "{{ matrix_sms_bridge_data_path }}" + - "{{ matrix_sms_bridge_data_spool_path }}" + - "{{ matrix_sms_bridge_data_spool_inbox_path }}" + - "{{ matrix_sms_bridge_data_spool_inbox_processed_path }}" + - "{{ matrix_sms_bridge_data_spool_outbox_path }}" + - "{{ matrix_sms_bridge_data_spool_sent_path }}" + - "{{ matrix_sms_bridge_data_spool_error_path }}" + - "{{ matrix_sms_bridge_database_path }}" + +- name: Ensure matrix-sms-bridge application.yml installed + copy: + content: "{{ matrix_sms_bridge_configuration|to_nice_yaml }}" + dest: "{{ matrix_sms_bridge_config_path }}/application.yml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-sms-bridge registration.yaml installed + copy: + content: "{{ matrix_sms_bridge_registration|to_nice_yaml }}" + dest: "{{ matrix_sms_bridge_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-sms-bridge gammu-smsdrc installed + copy: + content: "{{ matrix_sms_bridge_registration }}" + dest: "{{ matrix_sms_bridge_config_path }}/gammu-smsdrc" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-sms-bridge.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-sms-bridge.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-sms-bridge.service" + mode: 0644 + register: matrix_sms_bridge_systemd_service_result + +- name: Ensure systemd reloaded after matrix-sms-bridge.service installation + service: + daemon_reload: yes + when: "matrix_sms_bridge_systemd_service_result.changed" diff --git a/roles/matrix-sms-bridge/tasks/setup_uninstall.yml b/roles/matrix-sms-bridge/tasks/setup_uninstall.yml new file mode 100644 index 00000000..10912700 --- /dev/null +++ b/roles/matrix-sms-bridge/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-sms-bridge service + stat: + path: "{{ matrix_systemd_path }}/matrix-sms-bridge.service" + register: matrix_sms_bridge_service_stat + +- name: Ensure matrix-sms-bridge is stopped + service: + name: matrix-sms-bridge + state: stopped + daemon_reload: yes + when: "matrix_sms_bridge_service_stat.stat.exists" + +- name: Ensure matrix-sms-bridge.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-sms-bridge.service" + state: absent + when: "matrix_sms_bridge_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-sms-bridge.service removal + service: + daemon_reload: yes + when: "matrix_sms_bridge_service_stat.stat.exists" diff --git a/roles/matrix-sms-bridge/tasks/validate_config.yml b/roles/matrix-sms-bridge/tasks/validate_config.yml new file mode 100644 index 00000000..8eb7b63c --- /dev/null +++ b/roles/matrix-sms-bridge/tasks/validate_config.yml @@ -0,0 +1,12 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_sms_bridge_appservice_token" + - "matrix_sms_bridge_homeserver_token" + - "matrix_sms_bridge_database_password" + - "matrix_sms_bridge_gammu_modem" diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 new file mode 100644 index 00000000..a97db783 --- /dev/null +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -0,0 +1,59 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-sms-bridge server +{% for service in matrix_sms_bridge_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_sms_bridge_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-sms-bridge +ExecStartPre=-/usr/bin/docker rm matrix-sms-bridge +ExecStartPre=-/usr/bin/docker kill matrix-sms-bridge-database +ExecStartPre=-/usr/bin/docker rm matrix-sms-bridge-database + +ExecStartPre=/usr/bin/docker run --rm --name matrix-sms-bridge-database \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_sms_bridge_container_http_host_bind_port %} + -p {{ matrix_sms_bridge_container_http_host_bind_port }}:7687 \ + {% endif %} + -v {{ matrix_sms_bridge_database_path }}:/data:z \ + -e NEO4J_AUTH={{ matrix_sms_bridge_database_username }}/{{ matrix_sms_bridge_database_password }} + {{ matrix_sms_bridge_database_docker_image }} + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre=/bin/sleep 5 + +ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_sms_bridge_container_http_host_bind_port %} + -p {{ matrix_sms_bridge_container_http_host_bind_port }}:8080 \ + {% endif %} + -v {{ matrix_sms_bridge_config_path }}:/config:z \ + -v {{ matrix_sms_bridge_data_path }}:/data:z \ + --device {{ matrix_sms_bridge_gammu_modem }}:/dev/ttyModem + {% for arg in matrix_sms_bridge_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_sms_bridge_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-sms-bridge +ExecStop=-/usr/bin/docker rm matrix-sms-bridge +ExecStop=-/usr/bin/docker kill matrix-sms-database +ExecStop=-/usr/bin/docker rm matrix-sms-database +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-sms-bridge + + [Install] +WantedBy=multi-user.target From 4913ca4bb266521815169b3f01e4972ad22c2c35 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Fri, 22 May 2020 13:59:38 +0200 Subject: [PATCH 1160/2384] matri-sms-bridge: better path handling, fixed some mistakes --- roles/matrix-sms-bridge/defaults/main.yml | 21 ++++++++++--------- roles/matrix-sms-bridge/tasks/init.yml | 2 +- .../matrix-sms-bridge/tasks/setup_install.yml | 1 + 3 files changed, 13 insertions(+), 11 deletions(-) diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index 089b78ef..d69724bd 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -11,6 +11,7 @@ matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" matrix_sms_bridge_data_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data" +matrix_sms_bridge_data_log_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/log" matrix_sms_bridge_data_spool_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool" matrix_sms_bridge_data_spool_inbox_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/inbox" matrix_sms_bridge_data_spool_inbox_processed_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/inbox_processed" @@ -82,10 +83,10 @@ matrix_sms_bridge_configuration_yaml: | gammu: # (optional) default is disabled enabled: true - # (optional) Path to the Gammu-Inbox directory. Default is "/var/spool/gammu/inbox". - inboxPath: "{{ matrix_sms_bridge_data_path }}/spool/inbox" - # (optional) Path to the directory, where to put processed messages. Default is "/var/spool/gammu/inbox_processed". - inboxProcessedPath: "{{ matrix_sms_bridge_data_path }}/spool/inbox_processed" + # (optional) Path to the Gammu-Inbox directory. + inboxPath: "{{ matrix_sms_bridge_data_spool_inbox_path }}" + # (optional) Path to the directory, where to put processed messages. + inboxProcessedPath: "{{ matrix_sms_bridge_data_spool_inbox_path_processed }}" bot: # The domain-part of matrix-ids. E. g. example.org when your userIds look like @unicorn:example.org serverName: {{ matrix_sms_bridge_homserver_domain }} @@ -117,21 +118,21 @@ matrix_sms_bridge_configuration_extension: "{{ matrix_sms_bridge_configuration_e matrix_sms_bridge_gammu_configuration: | [gammu] Device = /dev/ttyModem - LogFile = {{ matrix_sms_bridge_data_path }}/log/gammu.log + LogFile = {{ matrix_sms_bridge_data_log_path }}/gammu.log debugLevel = 1 [smsd] Service = files LoopSleep = 2 - InboxPath = {{ matrix_sms_bridge_data_path }}/spool/inbox/ - OutboxPath = {{ matrix_sms_bridge_data_path }}/spool/outbox/ - SentSMSPath = {{ matrix_sms_bridge_data_path }}/spool/sent/ - ErrorSMSPath = {{ matrix_sms_bridge_data_path }}/spool/error/ + InboxPath = {{ matrix_sms_bridge_data_spool_inbox_path }} + OutboxPath = {{ matrix_sms_bridge_data_spool_outbox_path }} + SentSMSPath = {{ matrix_sms_bridge_data_spool_sent_path }} + ErrorSMSPath = {{ matrix_sms_bridge_data_spool_error_path }} InboxFormat = detail OutboxFormat = detail TransmitFormat = auto debugLevel = 1 - LogFile = {{ matrix_sms_bridge_data_path }}/log/smsd.log + LogFile = {{ matrix_sms_bridge_data_log_path }}/smsd.log DeliveryReport = log DeliveryReportDelay = 7200 HangupCalls = 1 diff --git a/roles/matrix-sms-bridge/tasks/init.yml b/roles/matrix-sms-bridge/tasks/init.yml index 7a49e4b2..cca4d4c5 100644 --- a/roles/matrix-sms-bridge/tasks/init.yml +++ b/roles/matrix-sms-bridge/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_sms_bridge_enabled and matrix_synapse_role_executed|default(False)" - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge','matrix-sms-bridge-database'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge'] }}" when: matrix_sms_bridge_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-sms-bridge/tasks/setup_install.yml b/roles/matrix-sms-bridge/tasks/setup_install.yml index 1ceb371e..6a800892 100644 --- a/roles/matrix-sms-bridge/tasks/setup_install.yml +++ b/roles/matrix-sms-bridge/tasks/setup_install.yml @@ -26,6 +26,7 @@ - "{{ matrix_sms_bridge_base_path }}" - "{{ matrix_sms_bridge_config_path }}" - "{{ matrix_sms_bridge_data_path }}" + - "{{ matrix_sms_bridge_data_log_path }}" - "{{ matrix_sms_bridge_data_spool_path }}" - "{{ matrix_sms_bridge_data_spool_inbox_path }}" - "{{ matrix_sms_bridge_data_spool_inbox_processed_path }}" From 5c7e5c57bda1af540322b6c64568705fe109c285 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 May 2020 18:08:17 +0300 Subject: [PATCH 1161/2384] Upgrade riot-web (1.6.1 -> 1.6.2) --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index d8233699..1dc1be04 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.1" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.2" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 4c4f208613230d652043a334b8645f8e80bfef81 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 May 2020 19:54:30 +0300 Subject: [PATCH 1162/2384] Upgrade mautrix-telegram (0.7.0 -> 0.7.2) --- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index b491dce8..1e77eb02 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -4,7 +4,7 @@ matrix_mautrix_telegram_enabled: true # See: https://mau.dev/tulir/mautrix-telegram/container_registry -matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.0" +matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.2" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" From 1ffa4a326ca44b1d0f8eb4ebaddeab265ca8cda8 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sat, 23 May 2020 13:14:24 +0200 Subject: [PATCH 1163/2384] matrix-sms-bridge: added docs, added seperate service for database, pr comments --- README.md | 4 +++ .../configuring-playbook-matrix-sms-bridge.md | 24 +++++++++++++ docs/configuring-playbook.md | 2 ++ group_vars/matrix_servers | 2 -- roles/matrix-sms-bridge/defaults/main.yml | 8 +++-- .../matrix-sms-bridge/tasks/setup_install.yml | 11 ++++-- .../tasks/setup_uninstall.yml | 22 ++++++++++-- .../matrix-sms-bridge-database.service.j2 | 36 +++++++++++++++++++ .../systemd/matrix-sms-bridge.service.j2 | 18 +--------- 9 files changed, 101 insertions(+), 26 deletions(-) create mode 100644 docs/configuring-playbook-matrix-sms-bridge.md create mode 100644 roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge-database.service.j2 diff --git a/README.md b/README.md index 6f7d25e0..a5ec78d3 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) +- (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS + - (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms - (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients @@ -144,6 +146,8 @@ This playbook sets up your server using the following Docker images: - [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) - the [Appservice Webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge (optional) +- [folivonet/matrix-sms-bridge](https://hub.docker.com/repository/docker/folivonet/matrix-sms-bridge) - the [matrix-sms-brdige](https://github.com/benkuly/matrix-sms-bridge) (optional) + - [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https:/www.skype.com) (optional) - [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https:/slack.com) (optional) diff --git a/docs/configuring-playbook-matrix-sms-bridge.md b/docs/configuring-playbook-matrix-sms-bridge.md new file mode 100644 index 00000000..ef2aeb08 --- /dev/null +++ b/docs/configuring-playbook-matrix-sms-bridge.md @@ -0,0 +1,24 @@ +# Setting up matrix-sms-bridge (optional) + +The playbook can install and configure +[matrix-sms-brdige](https://github.com/benkuly/matrix-sms-bridge) for you. + +See the project page to learn what it does and why it might be useful to you. + +To enable the bridge just use the following +playbook configuration: + + +```yaml +matrix_sms_bridge_enabled: true +matrix_sms_bridge_gammu_modem: "/path/to/modem" +# generate a secret passwort e.g. with pwgen -s 64 1 +matrix_sms_bridge_database_password: "" +# (optional) a room id to a default room +matrix_sms_bridge_default_room: "" +``` + + +## Usage + +Read the [user guide](https://github.com/benkuly/matrix-sms-bridge/blob/master/README.md#user-guide) to see how this bridge works. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 7e911095..90771cf3 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -102,3 +102,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up MX Puppet Slack bridging](configuring-playbook-bridge-mx-puppet-slack.md) (optional) - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional) + +- [Setting up Matrix SMS bridging](configuring-playbook-matrix-sms-bridge.md) (optional) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1fb1ea0f..8ff5ce96 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -324,8 +324,6 @@ matrix_sms_bridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | pas matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.hs.token') | to_uuid }}" -matrix_sms_bridge_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.db.password') | to_uuid }}" - ###################################################################### # # /matrix-sms-bridge diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index d69724bd..57a7a373 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -31,11 +31,13 @@ matrix_sms_bridge_container_http_host_bind_port: '' # A list of extra arguments to pass to the container matrix_sms_bridge_container_extra_arguments: [] -# List of systemd services that matrix-appservice-discord.service depends on. -matrix_sms_bridge_systemd_required_services_list: ['docker.service'] +# List of systemd services that service depends on. +matrix_sms_bridge_systemd_required_services_list: ['docker.service','matrix-sms-bridge-database.service'] +matrix_sms_bridge_database_systemd_required_services_list: ['docker.service'] -# List of systemd services that matrix-appservice-discord.service wants +# List of systemd services that service wants matrix_sms_bridge_systemd_wanted_services_list: [] +matrix_sms_bridge_database_systemd_wanted_services_list: [] matrix_sms_bridge_appservice_url: 'http://matrix-sms-bridge:8080' matrix_sms_bridge_database_url: 'bolt://matrix-sms-bridge-database:7687' diff --git a/roles/matrix-sms-bridge/tasks/setup_install.yml b/roles/matrix-sms-bridge/tasks/setup_install.yml index 6a800892..1e86f2e6 100644 --- a/roles/matrix-sms-bridge/tasks/setup_install.yml +++ b/roles/matrix-sms-bridge/tasks/setup_install.yml @@ -66,7 +66,14 @@ mode: 0644 register: matrix_sms_bridge_systemd_service_result -- name: Ensure systemd reloaded after matrix-sms-bridge.service installation +- name: Ensure matrix-sms-bridge-database.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-sms-bridge-database.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-sms-bridge-database.service" + mode: 0644 + register: matrix_sms_bridge_database_systemd_service_result + +- name: Ensure systemd reloaded after matrix-sms-bridge.service or matrix-sms-bridge-database.service installation service: daemon_reload: yes - when: "matrix_sms_bridge_systemd_service_result.changed" + when: matrix_sms_bridge_systemd_service_result.changed or matrix_sms_bridge_database_systemd_service_result.changed diff --git a/roles/matrix-sms-bridge/tasks/setup_uninstall.yml b/roles/matrix-sms-bridge/tasks/setup_uninstall.yml index 10912700..87436687 100644 --- a/roles/matrix-sms-bridge/tasks/setup_uninstall.yml +++ b/roles/matrix-sms-bridge/tasks/setup_uninstall.yml @@ -5,6 +5,11 @@ path: "{{ matrix_systemd_path }}/matrix-sms-bridge.service" register: matrix_sms_bridge_service_stat +- name: Check existence of matrix-sms-bridge-database service + stat: + path: "{{ matrix_systemd_path }}/matrix-sms-bridge-database.service" + register: matrix_sms_bridge_database_service_stat + - name: Ensure matrix-sms-bridge is stopped service: name: matrix-sms-bridge @@ -12,13 +17,26 @@ daemon_reload: yes when: "matrix_sms_bridge_service_stat.stat.exists" +- name: Ensure matrix-sms-bridge-database is stopped + service: + name: matrix-sms-bridge-database + state: stopped + daemon_reload: yes + when: "matrix_sms_bridge_database_service_stat.stat.exists" + - name: Ensure matrix-sms-bridge.service doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-sms-bridge.service" state: absent when: "matrix_sms_bridge_service_stat.stat.exists" -- name: Ensure systemd reloaded after matrix-sms-bridge.service removal +- name: Ensure matrix-sms-bridge-database.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-sms-bridge-database.service" + state: absent + when: "matrix_sms_bridge_database_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-sms-bridge.service or matrix-sms-bridge-database.service removal service: daemon_reload: yes - when: "matrix_sms_bridge_service_stat.stat.exists" + when: matrix_sms_bridge_service_stat.stat.exists or matrix_sms_bridge_database_service_stat.stat.exists diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge-database.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge-database.service.j2 new file mode 100644 index 00000000..e2cad164 --- /dev/null +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge-database.service.j2 @@ -0,0 +1,36 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-sms-bridge-database server +{% for service in matrix_sms_bridge_database_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_sms_bridge_database_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-sms-bridge-database +ExecStartPre=-/usr/bin/docker rm matrix-sms-bridge-database + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre=/bin/sleep 5 + +ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge-database \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -v {{ matrix_sms_bridge_database_path }}:/data:z \ + -e NEO4J_AUTH={{ matrix_sms_bridge_database_username }}/{{ matrix_sms_bridge_database_password }} \ + {{ matrix_sms_bridge_database_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-sms-bridge-database +ExecStop=-/usr/bin/docker rm matrix-sms-bridge-database +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-sms-bridge + + [Install] +WantedBy=multi-user.target diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 index a97db783..86ac264d 100644 --- a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -13,20 +13,6 @@ Wants={{ service }} Type=simple ExecStartPre=-/usr/bin/docker kill matrix-sms-bridge ExecStartPre=-/usr/bin/docker rm matrix-sms-bridge -ExecStartPre=-/usr/bin/docker kill matrix-sms-bridge-database -ExecStartPre=-/usr/bin/docker rm matrix-sms-bridge-database - -ExecStartPre=/usr/bin/docker run --rm --name matrix-sms-bridge-database \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - {% if matrix_sms_bridge_container_http_host_bind_port %} - -p {{ matrix_sms_bridge_container_http_host_bind_port }}:7687 \ - {% endif %} - -v {{ matrix_sms_bridge_database_path }}:/data:z \ - -e NEO4J_AUTH={{ matrix_sms_bridge_database_username }}/{{ matrix_sms_bridge_database_password }} - {{ matrix_sms_bridge_database_docker_image }} # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre=/bin/sleep 5 @@ -41,7 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ {% endif %} -v {{ matrix_sms_bridge_config_path }}:/config:z \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ - --device {{ matrix_sms_bridge_gammu_modem }}:/dev/ttyModem + --device {{ matrix_sms_bridge_gammu_modem }}:/dev/ttyModem \ {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ {% endfor %} @@ -49,8 +35,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ ExecStop=-/usr/bin/docker kill matrix-sms-bridge ExecStop=-/usr/bin/docker rm matrix-sms-bridge -ExecStop=-/usr/bin/docker kill matrix-sms-database -ExecStop=-/usr/bin/docker rm matrix-sms-database Restart=always RestartSec=30 SyslogIdentifier=matrix-sms-bridge From ca9d0909c7db61d6a947bdab4a9acebfa58d9086 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sat, 23 May 2020 13:48:33 +0200 Subject: [PATCH 1164/2384] added missing role --- setup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/setup.yml b/setup.yml index ff80320a..fc0ddc2c 100755 --- a/setup.yml +++ b/setup.yml @@ -18,6 +18,7 @@ - matrix-bridge-mautrix-whatsapp - matrix-bridge-mx-puppet-skype - matrix-bridge-mx-puppet-slack + - matrix-sms-bridge - matrix-synapse - matrix-riot-web - matrix-jitsi From 9ed80e754b285fb6ed97bda31fa89199062f9fb5 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sat, 23 May 2020 13:54:07 +0200 Subject: [PATCH 1165/2384] added missing variable --- roles/matrix-sms-bridge/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index 57a7a373..13263396 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -117,6 +117,8 @@ matrix_sms_bridge_configuration_extension_yaml: | matrix_sms_bridge_configuration_extension: "{{ matrix_sms_bridge_configuration_extension_yaml|from_yaml if matrix_sms_bridge_configuration_extension_yaml|from_yaml is mapping else {} }}" +matrix_sms_bridge_configuration: "{{ matrix_sms_bridge_configuration_yaml|from_yaml|combine(matrix_sms_bridge_configuration_extension, recursive=True) }}" + matrix_sms_bridge_gammu_configuration: | [gammu] Device = /dev/ttyModem From be101a3114e4e4876cd09facaec0c0843d41f2e7 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sat, 23 May 2020 14:16:44 +0200 Subject: [PATCH 1166/2384] added missing service to service list --- roles/matrix-sms-bridge/tasks/init.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-sms-bridge/tasks/init.yml b/roles/matrix-sms-bridge/tasks/init.yml index cca4d4c5..7a49e4b2 100644 --- a/roles/matrix-sms-bridge/tasks/init.yml +++ b/roles/matrix-sms-bridge/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_sms_bridge_enabled and matrix_synapse_role_executed|default(False)" - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge','matrix-sms-bridge-database'] }}" when: matrix_sms_bridge_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. From c802009b5c3570eb51690ea58b4079f9d72c6016 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sat, 23 May 2020 15:12:56 +0200 Subject: [PATCH 1167/2384] fixed wrong var name --- roles/matrix-sms-bridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index 13263396..8c0aa026 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -88,7 +88,7 @@ matrix_sms_bridge_configuration_yaml: | # (optional) Path to the Gammu-Inbox directory. inboxPath: "{{ matrix_sms_bridge_data_spool_inbox_path }}" # (optional) Path to the directory, where to put processed messages. - inboxProcessedPath: "{{ matrix_sms_bridge_data_spool_inbox_path_processed }}" + inboxProcessedPath: "{{ matrix_sms_bridge_data_spool_inbox_processed_path }}" bot: # The domain-part of matrix-ids. E. g. example.org when your userIds look like @unicorn:example.org serverName: {{ matrix_sms_bridge_homserver_domain }} From 63705f94f11006636214cbb90311be118ce33edd Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sat, 23 May 2020 15:30:31 +0200 Subject: [PATCH 1168/2384] removed templates --- roles/matrix-sms-bridge/defaults/main.yml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index 8c0aa026..aa2dba7e 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -68,19 +68,6 @@ matrix_sms_bridge_configuration_yaml: | # (optional) SMS messages without a valid token a routed to this room. # Note that you must invite @smsbot:yourHomeServer to this room. defaultRoomId: "{{ matrix_sms_bridge_default_room }}" - templates: - # (optional) The message, that will be sent as SMS. Valid placeholders are {sender}, {body} and {token}. - outgoingMessage: "{sender} wrote:\n\n{body}\n\nTo answer to this message add this token to your message: {token}" - # (optional) The message, that will be sent as SMS, when an incoming SMS didn't contain a valid token - # and was routed to a default room. By default no answer will be sent. - answerInvalidTokenWithDefaultRoom: "Your token was invalid. The message will be sent to a default matrix room." - # (optional) The message, that will be sent as SMS, when an incoming SMS didn't contain a valid token - # and no default room is configured. - answerInvalidTokenWithoutDefaultRoom: "Your message did not contain any valid token. Nobody will read your message.", - # (optional) The message, that will be sent to a matrix room, when sending a bridged message via SMS failed. - sendSmsError: "Could not send SMS to this user. Please try it again later." - # (optional) The content of bridged SMS message into the default room. Valid placeholders are {sender} and {body}. - defaultRoomIncomingMessage: "{sender} wrote:\n{body}" provider: gammu: # (optional) default is disabled From fe54690ea1f266cc4825564facbe6c078b940388 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sat, 23 May 2020 15:32:16 +0200 Subject: [PATCH 1169/2384] fixed missing registration var --- roles/matrix-sms-bridge/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index aa2dba7e..8ffad09b 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -141,3 +141,5 @@ matrix_sms_bridge_registration_yaml: | url: {{ matrix_sms_bridge_appservice_url }} sender_localpart: smsbot rate_limited: false + +matrix_sms_bridge_registration: "{{ matrix_sms_bridge_registration_yaml|from_yaml }}" \ No newline at end of file From f0ff8112c74d2800354900181750cb9134fbe556 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sat, 23 May 2020 20:51:07 +0200 Subject: [PATCH 1170/2384] database admin username must be neo4j --- roles/matrix-sms-bridge/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index 8ffad09b..db337313 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -23,7 +23,7 @@ matrix_sms_bridge_database_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/ matrix_sms_bridge_appservice_token: '' matrix_sms_bridge_homeserver_token: '' -matrix_sms_bridge_database_username: 'matrix-sms-bridge' +matrix_sms_bridge_database_username: 'neo4j' matrix_sms_bridge_database_password: '' matrix_sms_bridge_container_http_host_bind_port: '' From 1234cc48c5e1633e44c19ae0f86dfb54eeb0bbe6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 24 May 2020 10:55:33 +0300 Subject: [PATCH 1171/2384] Point to newer Ansible container image Using the older one likely leads to issues like #517. --- docs/ansible.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/ansible.md b/docs/ansible.md index e098c8a4..5f27a7c7 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -49,7 +49,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -devture/ansible:2.8.1-r0 +devture/ansible:2.9.7-r0 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). @@ -60,7 +60,7 @@ The `/work` directory contains the playbook's code. You can execute `ansible-playbook` commands as per normal now. -### If you don't use SSH keys for authentication +### If you don't use SSH keys for authentication If you don't use SSH keys for authentication, simply remove that whole line (`-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro`). To authenticate at your server using a password, you need to add a package. So, when you are in the shell of the ansible docker container (the previously used `docker run -it ...` command), run: From eb8e3572fda55490aee53b31489218f3e2d454b1 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 25 May 2020 15:37:46 +0200 Subject: [PATCH 1172/2384] fixed wrong behaviour of gammu --- .../templates/systemd/matrix-sms-bridge.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 index 86ac264d..e963f8cf 100644 --- a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -27,6 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ {% endif %} -v {{ matrix_sms_bridge_config_path }}:/config:z \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ + -v {{ matrix_sms_bridge_data_path }}/gammu-smsdrc:/etc/gammu-smsdrc:z \ --device {{ matrix_sms_bridge_gammu_modem }}:/dev/ttyModem \ {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ From 469554b8363edfa910f639c4cdcf3f200242fa56 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 25 May 2020 19:04:56 +0200 Subject: [PATCH 1173/2384] try to use other mount option to prevent docker from using dir instead of file --- .../templates/systemd/matrix-sms-bridge.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 index e963f8cf..1c82dc31 100644 --- a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -27,7 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ {% endif %} -v {{ matrix_sms_bridge_config_path }}:/config:z \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ - -v {{ matrix_sms_bridge_data_path }}/gammu-smsdrc:/etc/gammu-smsdrc:z \ + --mount type=bind,source={{ matrix_sms_bridge_data_path }}/gammu-smsdrc,target=/etc/gammu-smsdrc \ --device {{ matrix_sms_bridge_gammu_modem }}:/dev/ttyModem \ {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ From 1f570b3251eba6d28df14d92d398ec1ab4868c04 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 25 May 2020 19:09:08 +0200 Subject: [PATCH 1174/2384] revert last change --- .../templates/systemd/matrix-sms-bridge.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 index 1c82dc31..e963f8cf 100644 --- a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -27,7 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ {% endif %} -v {{ matrix_sms_bridge_config_path }}:/config:z \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ - --mount type=bind,source={{ matrix_sms_bridge_data_path }}/gammu-smsdrc,target=/etc/gammu-smsdrc \ + -v {{ matrix_sms_bridge_data_path }}/gammu-smsdrc:/etc/gammu-smsdrc:z \ --device {{ matrix_sms_bridge_gammu_modem }}:/dev/ttyModem \ {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ From 73b71a34c86e0e8f53f60f01e03325af32dea402 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 25 May 2020 19:19:30 +0200 Subject: [PATCH 1175/2384] try to fix gammu-smsdrc is not a file --- roles/matrix-sms-bridge/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index db337313..7f048ff3 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -107,6 +107,8 @@ matrix_sms_bridge_configuration_extension: "{{ matrix_sms_bridge_configuration_e matrix_sms_bridge_configuration: "{{ matrix_sms_bridge_configuration_yaml|from_yaml|combine(matrix_sms_bridge_configuration_extension, recursive=True) }}" matrix_sms_bridge_gammu_configuration: | + #jinja2: lstrip_blocks: "True" + [gammu] Device = /dev/ttyModem LogFile = {{ matrix_sms_bridge_data_log_path }}/gammu.log From 805708e0894c88dd65a334822725577ba319da58 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 25 May 2020 19:21:07 +0200 Subject: [PATCH 1176/2384] fix wrong used paath for gammu config file --- .../templates/systemd/matrix-sms-bridge.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 index e963f8cf..5475a389 100644 --- a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -27,7 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ {% endif %} -v {{ matrix_sms_bridge_config_path }}:/config:z \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ - -v {{ matrix_sms_bridge_data_path }}/gammu-smsdrc:/etc/gammu-smsdrc:z \ + -v {{ matrix_sms_bridge_config_path }}/gammu-smsdrc:/etc/gammu-smsdrc:z \ --device {{ matrix_sms_bridge_gammu_modem }}:/dev/ttyModem \ {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ From f8663512de2b0997e0b4e0ac4dde956dfe6aaedd Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 25 May 2020 19:31:03 +0200 Subject: [PATCH 1177/2384] fixed wrong paths --- roles/matrix-sms-bridge/defaults/main.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index 7f048ff3..1dccb4e8 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -73,9 +73,9 @@ matrix_sms_bridge_configuration_yaml: | # (optional) default is disabled enabled: true # (optional) Path to the Gammu-Inbox directory. - inboxPath: "{{ matrix_sms_bridge_data_spool_inbox_path }}" + inboxPath: /data/spool/inbox # (optional) Path to the directory, where to put processed messages. - inboxProcessedPath: "{{ matrix_sms_bridge_data_spool_inbox_processed_path }}" + inboxProcessedPath: /data/spool/inbox_processed bot: # The domain-part of matrix-ids. E. g. example.org when your userIds look like @unicorn:example.org serverName: {{ matrix_sms_bridge_homserver_domain }} @@ -111,21 +111,21 @@ matrix_sms_bridge_gammu_configuration: | [gammu] Device = /dev/ttyModem - LogFile = {{ matrix_sms_bridge_data_log_path }}/gammu.log + LogFile = /data/log/gammu.log debugLevel = 1 [smsd] Service = files LoopSleep = 2 - InboxPath = {{ matrix_sms_bridge_data_spool_inbox_path }} - OutboxPath = {{ matrix_sms_bridge_data_spool_outbox_path }} - SentSMSPath = {{ matrix_sms_bridge_data_spool_sent_path }} - ErrorSMSPath = {{ matrix_sms_bridge_data_spool_error_path }} + InboxPath = /data/spool/inbox + OutboxPath = /data/spool/outbox + SentSMSPath = /data/spool/sent + ErrorSMSPath = /data/spool/error InboxFormat = detail OutboxFormat = detail TransmitFormat = auto debugLevel = 1 - LogFile = {{ matrix_sms_bridge_data_log_path }}/smsd.log + LogFile = /data/log/smsd.log DeliveryReport = log DeliveryReportDelay = 7200 HangupCalls = 1 From ecf3116c4ab450e2ca54208d25044517a8b4e5c9 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 25 May 2020 19:34:40 +0200 Subject: [PATCH 1178/2384] fixed wrong gammu config dest --- roles/matrix-sms-bridge/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-sms-bridge/tasks/setup_install.yml b/roles/matrix-sms-bridge/tasks/setup_install.yml index 1e86f2e6..47454b27 100644 --- a/roles/matrix-sms-bridge/tasks/setup_install.yml +++ b/roles/matrix-sms-bridge/tasks/setup_install.yml @@ -53,7 +53,7 @@ - name: Ensure matrix-sms-bridge gammu-smsdrc installed copy: - content: "{{ matrix_sms_bridge_registration }}" + content: "{{ matrix_sms_bridge_gammu_configuration }}" dest: "{{ matrix_sms_bridge_config_path }}/gammu-smsdrc" mode: 0644 owner: "{{ matrix_user_username }}" From a7fd27c43c0d8bd56f92163a896c72001d99a5c2 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 25 May 2020 19:36:19 +0200 Subject: [PATCH 1179/2384] removed jinja command --- roles/matrix-sms-bridge/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index 1dccb4e8..428560f5 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -107,8 +107,6 @@ matrix_sms_bridge_configuration_extension: "{{ matrix_sms_bridge_configuration_e matrix_sms_bridge_configuration: "{{ matrix_sms_bridge_configuration_yaml|from_yaml|combine(matrix_sms_bridge_configuration_extension, recursive=True) }}" matrix_sms_bridge_gammu_configuration: | - #jinja2: lstrip_blocks: "True" - [gammu] Device = /dev/ttyModem LogFile = /data/log/gammu.log From a353217cf3723c6ade1e6f3075977c69fcc5089d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 26 May 2020 09:49:12 +0300 Subject: [PATCH 1180/2384] Add delivery_receipts option for matrix-bridge-mautrix-facebook --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 3c09dafd..2f737afd 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -153,6 +153,10 @@ matrix_mautrix_facebook_configuration_yaml: | # This will cause the bridge bot to be in private chats for the encryption to work properly. default: false + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Facebook. + delivery_receipts: false + # Permissions for using the bridge. # Permitted values: # user - Use the bridge with puppeting. From 3d63ee6d13bbf087e8538b3927ffd4f8f345efe5 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Tue, 26 May 2020 18:12:26 +0200 Subject: [PATCH 1181/2384] add group dialout to container --- .../templates/systemd/matrix-sms-bridge.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 index 5475a389..5c3b9544 100644 --- a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -20,6 +20,7 @@ ExecStartPre=/bin/sleep 5 ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --group-add dialout \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ {% if matrix_sms_bridge_container_http_host_bind_port %} From e4f128a1ba02bf45709e0d7111abe352135630fd Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Tue, 26 May 2020 18:19:22 +0200 Subject: [PATCH 1182/2384] fixed wrong gammu path --- roles/matrix-sms-bridge/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index 428560f5..faf2b6fc 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -115,10 +115,10 @@ matrix_sms_bridge_gammu_configuration: | [smsd] Service = files LoopSleep = 2 - InboxPath = /data/spool/inbox - OutboxPath = /data/spool/outbox - SentSMSPath = /data/spool/sent - ErrorSMSPath = /data/spool/error + InboxPath = /data/spool/inbox/ + OutboxPath = /data/spool/outbox/ + SentSMSPath = /data/spool/sent/ + ErrorSMSPath = /data/spool/error/ InboxFormat = detail OutboxFormat = detail TransmitFormat = auto From 256de59a7535f629074b1bedae8cf0991c4af67d Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 27 May 2020 14:33:17 +0200 Subject: [PATCH 1183/2384] Add note on port forwarding to docs when running Jitsi behind NAT --- docs/prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 9a26d769..61975654 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -16,6 +16,6 @@ - properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)) -- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP) +- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP). Depending on your firewall/NAT setup, incoming RTP packets on port 10000 may have the external IP of your firewall as destination address, due to the usage of [STUN](../roles/matrix-jitsi/defaults/main.yml#L147) in JVB. When ready to proceed, continue with [Configuring DNS](configuring-dns.md). From 1b47197c91a245cbb97d54b87d25e79ace3427db Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 27 May 2020 15:55:11 +0200 Subject: [PATCH 1184/2384] Minor docs formatting cleanup --- docs/prerequisites.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 61975654..c6dc7e6c 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -6,16 +6,16 @@ - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). -- a `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates's renewal. *This can be ignored if you use your own SSL certificates.* +- A `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates's renewal. *This can be ignored if you use your own SSL certificates.* -- the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible. +- The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible. -- either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature. +- Either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature. -- an HTTPS-capable web server at the base domain name (``) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md). +- An HTTPS-capable web server at the base domain name (``) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md). -- properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)) +- Properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)). -- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP). Depending on your firewall/NAT setup, incoming RTP packets on port 10000 may have the external IP of your firewall as destination address, due to the usage of [STUN](../roles/matrix-jitsi/defaults/main.yml#L147) in JVB. +- Some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP). Depending on your firewall/NAT setup, incoming RTP packets on port 10000 may have the external IP of your firewall as destination address, due to the usage of [STUN](../roles/matrix-jitsi/defaults/main.yml#L147) in JVB. When ready to proceed, continue with [Configuring DNS](configuring-dns.md). From 84e2e31d07b0f1d02cb78d8c59e5125f0b64339b Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 27 May 2020 16:40:05 +0200 Subject: [PATCH 1185/2384] Linking to a file is more robust than linking to a line number --- docs/prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index c6dc7e6c..a465a93a 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -16,6 +16,6 @@ - Properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)). -- Some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP). Depending on your firewall/NAT setup, incoming RTP packets on port 10000 may have the external IP of your firewall as destination address, due to the usage of [STUN](../roles/matrix-jitsi/defaults/main.yml#L147) in JVB. +- Some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP). Depending on your firewall/NAT setup, incoming RTP packets on port 10000 may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml). When ready to proceed, continue with [Configuring DNS](configuring-dns.md). From cb94167ccbce28dc79ab704b9f034c18e984f990 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 27 May 2020 17:00:44 +0200 Subject: [PATCH 1186/2384] Add missing parenthesis in docs --- docs/prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index a465a93a..5f551eb4 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -16,6 +16,6 @@ - Properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)). -- Some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP). Depending on your firewall/NAT setup, incoming RTP packets on port 10000 may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml). +- Some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP). Depending on your firewall/NAT setup, incoming RTP packets on port 10000 may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)). When ready to proceed, continue with [Configuring DNS](configuring-dns.md). From 5ace3f4a1cb8b03573011f18c17b276eca67e077 Mon Sep 17 00:00:00 2001 From: Ugurtan Date: Wed, 27 May 2020 18:13:36 +0200 Subject: [PATCH 1187/2384] fix for importing sqllite database the current version fails the import, because the volume for the media is missing. It still fails if you have the optional shared secret password provider is enabled, so that might need another mount. Commenting out the password provider in the hoimeserver.yaml during the run works as well. --- roles/matrix-postgres/tasks/import_sqlite_db.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml index 42c39a2d..850ee370 100644 --- a/roles/matrix-postgres/tasks/import_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml @@ -79,6 +79,7 @@ --network={{ matrix_docker_network }} --entrypoint=python -v {{ matrix_synapse_config_dir_path }}:/data + -v {{ matrix_synapse_config_dir_path }}:/matrix-media-store-parent/media-store -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro {{ matrix_synapse_docker_image }} /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml From 6334f6c1ea14e4e57e2fa88e3513ee776189be21 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 27 May 2020 18:53:52 +0200 Subject: [PATCH 1188/2384] Remove hardcoded command paths in systemd unit files Depending on the distro, common commands like sleep and chown may either be located in /bin or /usr/bin. Systemd added path lookup to ExecStart in v239, allowing only the command name to be put in unit files and not the full path as historically required. At least Ubuntu 18.04 LTS is however still on v237 so we should maintain portability for a while longer. --- roles/matrix-base/defaults/main.yml | 5 +++++ .../systemd/matrix-appservice-discord.service.j2 | 12 ++++++------ .../systemd/matrix-appservice-irc.service.j2 | 12 ++++++------ .../systemd/matrix-appservice-slack.service.j2 | 12 ++++++------ .../systemd/matrix-appservice-webhooks.service.j2 | 12 ++++++------ .../systemd/matrix-mautrix-facebook.service.j2 | 14 +++++++------- .../systemd/matrix-mautrix-hangouts.service.j2 | 14 +++++++------- .../systemd/matrix-mautrix-telegram.service.j2 | 14 +++++++------- .../systemd/matrix-mautrix-whatsapp.service.j2 | 12 ++++++------ .../systemd/matrix-mx-puppet-skype.service.j2 | 12 ++++++------ .../systemd/matrix-mx-puppet-slack.service.j2 | 12 ++++++------ .../templates/systemd/matrix-corporal.service.j2 | 10 +++++----- .../templates/systemd/matrix-coturn.service.j2 | 12 ++++++------ .../templates/systemd/matrix-dimension.service.j2 | 12 ++++++------ .../systemd/matrix-email2matrix.service.j2 | 10 +++++----- .../jicofo/matrix-jitsi-jicofo.service.j2 | 10 +++++----- .../templates/jvb/matrix-jitsi-jvb.service.j2 | 10 +++++----- .../prosody/matrix-jitsi-prosody.service.j2 | 10 +++++----- .../templates/web/matrix-jitsi-web.service.j2 | 10 +++++----- .../templates/systemd/matrix-ma1sd.service.j2 | 10 +++++----- .../templates/systemd/matrix-mailer.service.j2 | 10 +++++----- .../systemd/matrix-nginx-proxy.service.j2 | 12 ++++++------ .../templates/systemd/matrix-postgres.service.j2 | 10 +++++----- .../templates/systemd/matrix-riot-web.service.j2 | 10 +++++----- .../goofys/systemd/matrix-goofys.service.j2 | 14 +++++++------- .../synapse/systemd/matrix-synapse.service.j2 | 14 +++++++------- 26 files changed, 150 insertions(+), 145 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 1844f299..b596b85f 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -32,6 +32,11 @@ matrix_systemd_path: "/etc/systemd/system" matrix_cron_path: "/etc/cron.d" matrix_local_bin_path: "/usr/local/bin" +matrix_host_command_docker: "/usr/bin/env docker" +matrix_host_command_sleep: "/usr/bin/env sleep" +matrix_host_command_chown: "/usr/bin/env chown" +matrix_host_command_fusermount: "/usr/bin/env fusermount" + matrix_ntpd_package: "ntp" matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}" diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index 9b0ac514..d512cd88 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -11,13 +11,13 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-appservice-discord -ExecStartPre=-/usr/bin/docker rm matrix-appservice-discord +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-discord +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-discord # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-discord \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -33,8 +33,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \ {{ matrix_appservice_discord_docker_image }} \ node /build/src/discordas.js -p 9005 -c /cfg/config.yaml -f /cfg/registration.yaml -ExecStop=-/usr/bin/docker kill matrix-appservice-discord -ExecStop=-/usr/bin/docker rm matrix-appservice-discord +ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-discord +ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-discord Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-discord diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index 53e5b8e3..aa6141d6 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -11,13 +11,13 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-appservice-irc -ExecStartPre=-/usr/bin/docker rm matrix-appservice-irc +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-irc +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-irc # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-irc \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -34,8 +34,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \ {{ matrix_appservice_irc_docker_image }} \ -c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999' -ExecStop=-/usr/bin/docker kill matrix-appservice-irc -ExecStop=-/usr/bin/docker rm matrix-appservice-irc +ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-irc +ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-irc Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-irc diff --git a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 index 8b3d1f9d..de773ff9 100644 --- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 @@ -11,13 +11,13 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-appservice-slack -ExecStartPre=-/usr/bin/docker rm matrix-appservice-slack +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-slack +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-slack # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-appservice-slack \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-slack \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -33,8 +33,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-slack \ {{ matrix_appservice_slack_docker_image }} \ node app.js -p {{matrix_appservice_slack_matrix_port}} -c /config/config.yaml -f /config/slack-registration.yaml -ExecStop=-/usr/bin/docker kill matrix-appservice-slack -ExecStop=-/usr/bin/docker rm matrix-appservice-slack +ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-slack +ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-slack Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-slack diff --git a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 index cde798df..b05f8a27 100644 --- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 +++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 @@ -11,13 +11,13 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-appservice-webhooks -ExecStartPre=-/usr/bin/docker rm matrix-appservice-webhooks +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-webhooks +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-webhooks # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-appservice-webhooks \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-webhooks \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -33,8 +33,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-webhooks \ {{ matrix_appservice_webhooks_docker_image }} \ node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml -ExecStop=-/usr/bin/docker kill matrix-appservice-webhooks -ExecStop=-/usr/bin/docker rm matrix-appservice-webhooks +ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-webhooks +ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-webhooks Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-webhooks diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index e0ac9084..444423c1 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -11,9 +11,9 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mautrix-facebook -ExecStartPre=-/usr/bin/docker rm matrix-mautrix-facebook -ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-facebook-db \ +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook +ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook-db \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -23,9 +23,9 @@ ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-facebook-db \ alembic -x config=/config/config.yaml upgrade head # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-facebook \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -38,8 +38,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-facebook \ {{ matrix_mautrix_facebook_docker_image }} \ python3 -m mautrix_facebook -c /config/config.yaml -ExecStop=-/usr/bin/docker kill matrix-mautrix-facebook -ExecStop=-/usr/bin/docker rm matrix-mautrix-facebook +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-facebook diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index c110ed79..f33aff63 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -11,9 +11,9 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db -ExecStartPre=-/usr/bin/docker rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db -ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-hangouts-db \ +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db +ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangouts-db \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -23,9 +23,9 @@ ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-hangouts-db \ alembic -x config=/config/config.yaml upgrade head # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-hangouts \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangouts \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -38,8 +38,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-hangouts \ {{ matrix_mautrix_hangouts_docker_image }} \ python3 -m mautrix_hangouts -c /config/config.yaml -ExecStop=-/usr/bin/docker kill matrix-mautrix-hangouts -ExecStop=-/usr/bin/docker rm matrix-mautrix-hangouts +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-hangouts diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index 02264236..2c9986b4 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -11,9 +11,9 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mautrix-telegram -ExecStartPre=-/usr/bin/docker rm matrix-mautrix-telegram -ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-telegram-db \ +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-telegram +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-telegram +ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram-db \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -23,9 +23,9 @@ ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-telegram-db \ alembic -x config=/config/config.yaml upgrade head # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -41,8 +41,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \ {{ matrix_mautrix_telegram_docker_image }} \ python3 -m mautrix_telegram -c /config/config.yaml -ExecStop=-/usr/bin/docker kill matrix-mautrix-telegram -ExecStop=-/usr/bin/docker rm matrix-mautrix-telegram +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-telegram +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-telegram Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-telegram diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 index d864c041..7dd25140 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 @@ -11,13 +11,13 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mautrix-whatsapp -ExecStartPre=-/usr/bin/docker rm matrix-mautrix-whatsapp +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-whatsapp \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-whatsapp \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -31,8 +31,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-whatsapp \ {{ matrix_mautrix_whatsapp_docker_image }} \ /usr/bin/mautrix-whatsapp -c /config/config.yaml -r /config/registration.yaml -ExecStop=-/usr/bin/docker kill matrix-mautrix-whatsapp -ExecStop=-/usr/bin/docker rm matrix-mautrix-whatsapp +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-whatsapp diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 index cc55f324..a6860b69 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 @@ -11,13 +11,13 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mx-puppet-skype -ExecStartPre=-/usr/bin/docker rm matrix-mx-puppet-skype +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-skype \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-skype \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -31,8 +31,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-skype \ {% endfor %} {{ matrix_mx_puppet_skype_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-mx-puppet-skype -ExecStop=-/usr/bin/docker rm matrix-mx-puppet-skype +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-skype diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 index 6db53733..3ce0e18b 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 @@ -11,13 +11,13 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mx-puppet-slack -ExecStartPre=-/usr/bin/docker rm matrix-mx-puppet-slack +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack # Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +ExecStartPre={{ matrix_host_command_sleep }} 5 -ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-slack \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-slack \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -34,8 +34,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-slack \ {% endfor %} {{ matrix_mx_puppet_slack_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-mx-puppet-slack -ExecStop=-/usr/bin/docker rm matrix-mx-puppet-slack +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-slack diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index ae4830ff..533ece0a 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -8,10 +8,10 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-corporal -ExecStartPre=-/usr/bin/docker rm matrix-corporal +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-corporal +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-corporal -ExecStart=/usr/bin/docker run --rm --name matrix-corporal \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-corporal \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -32,8 +32,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \ {{ matrix_corporal_docker_image }} \ /matrix-corporal -config=/etc/matrix-corporal/config.json -ExecStop=-/usr/bin/docker kill matrix-corporal -ExecStop=-/usr/bin/docker rm matrix-corporal +ExecStop=-{{ matrix_host_command_docker }} kill matrix-corporal +ExecStop=-{{ matrix_host_command_docker }} rm matrix-corporal Restart=always RestartSec=30 SyslogIdentifier=matrix-corporal diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 35198616..a6d19705 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -8,10 +8,10 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-coturn -ExecStartPre=-/usr/bin/docker rm matrix-coturn +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-coturn +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-coturn -ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -40,12 +40,12 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \ {{ matrix_coturn_docker_image }} \ -c /turnserver.conf -ExecStop=-/usr/bin/docker kill matrix-coturn -ExecStop=-/usr/bin/docker rm matrix-coturn +ExecStop=-{{ matrix_host_command_docker }} kill matrix-coturn +ExecStop=-{{ matrix_host_command_docker }} rm matrix-coturn # This only reloads certificates (not other configuration). # See: https://github.com/coturn/coturn/pull/236 -ExecReload=/usr/bin/docker exec matrix-coturn kill -USR2 1 +ExecReload={{ matrix_host_command_docker }} exec matrix-coturn kill -USR2 1 Restart=always RestartSec=30 diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 0a8d0c83..db9d58a8 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -6,13 +6,13 @@ Requires=docker.service [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-dimension -ExecStartPre=-/usr/bin/docker rm matrix-dimension +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dimension +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dimension # Fixup database ownership if it got changed somehow (during a server migration, etc.) -ExecStartPre=-/usr/bin/chown {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db +ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db -ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dimension \ --log-driver=none \ --user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \ --cap-drop=ALL \ @@ -29,8 +29,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ {% endfor %} {{ matrix_dimension_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-dimension -ExecStop=-/usr/bin/docker rm matrix-dimension +ExecStop=-{{ matrix_host_command_docker }} kill matrix-dimension +ExecStop=-{{ matrix_host_command_docker }} rm matrix-dimension Restart=always RestartSec=30 SyslogIdentifier=matrix-dimension diff --git a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 index eb7e125b..52806f35 100644 --- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 +++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 @@ -6,10 +6,10 @@ Requires=docker.service [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-email2matrix -ExecStartPre=-/usr/bin/docker rm matrix-email2matrix +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-email2matrix +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-email2matrix -ExecStart=/usr/bin/docker run --rm --name matrix-email2matrix \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-email2matrix \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -22,8 +22,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-email2matrix \ {% endfor %} {{ matrix_email2matrix_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-email2matrix -ExecStop=-/usr/bin/docker rm matrix-email2matrix +ExecStop=-{{ matrix_host_command_docker }} kill matrix-email2matrix +ExecStop=-{{ matrix_host_command_docker }} rm matrix-email2matrix Restart=always RestartSec=30 SyslogIdentifier=matrix-email2matrix diff --git a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 index 53f08688..3512b3af 100644 --- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 +++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 @@ -8,10 +8,10 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-jitsi-jicofo -ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jicofo +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo -ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jicofo \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ --log-driver=none \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_jitsi_jicofo_base_path }}/env \ @@ -21,8 +21,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jicofo \ {% endfor %} {{ matrix_jitsi_jicofo_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-jitsi-jicofo -ExecStop=-/usr/bin/docker rm matrix-jitsi-jicofo +ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo +ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jicofo diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 5df5807a..a189df9c 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -8,10 +8,10 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-jitsi-jvb -ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jvb +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jvb -ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ --log-driver=none \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_jitsi_jvb_base_path }}/env \ @@ -27,8 +27,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \ {% endfor %} {{ matrix_jitsi_jvb_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-jitsi-jvb -ExecStop=-/usr/bin/docker rm matrix-jitsi-jvb +ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-jvb +ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-jvb Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jvb diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 459a24d3..30801d77 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -8,10 +8,10 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-jitsi-prosody -ExecStartPre=-/usr/bin/docker rm matrix-jitsi-prosody +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-prosody +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-prosody -ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-prosody \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ --log-driver=none \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_jitsi_prosody_base_path }}/env \ @@ -22,8 +22,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-prosody \ {% endfor %} {{ matrix_jitsi_prosody_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-jitsi-prosody -ExecStop=-/usr/bin/docker rm matrix-jitsi-prosody +ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-prosody +ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-prosody Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-prosody diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index deed5025..1f8a890b 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -8,10 +8,10 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-jitsi-web -ExecStartPre=-/usr/bin/docker rm matrix-jitsi-web +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-web +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-web -ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-web \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ --log-driver=none \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_jitsi_web_base_path }}/env \ @@ -25,8 +25,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-web \ {% endfor %} {{ matrix_jitsi_web_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-jitsi-web -ExecStop=-/usr/bin/docker rm matrix-jitsi-web +ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-web +ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-web Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-web diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index b316fc2b..80370088 100644 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -11,12 +11,12 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-ma1sd -ExecStartPre=-/usr/bin/docker rm matrix-ma1sd +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-ma1sd +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-ma1sd # ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, # so /tmp needs to be mounted with an exec option. -ExecStart=/usr/bin/docker run --rm --name matrix-ma1sd \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -36,8 +36,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-ma1sd \ {% endfor %} {{ matrix_ma1sd_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-ma1sd -ExecStop=-/usr/bin/docker rm matrix-ma1sd +ExecStop=-{{ matrix_host_command_docker }} kill matrix-ma1sd +ExecStop=-{{ matrix_host_command_docker }} rm matrix-ma1sd Restart=always RestartSec=30 SyslogIdentifier=matrix-ma1sd diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index cf54a8e9..1371a861 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -6,10 +6,10 @@ Requires=docker.service [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mailer -ExecStartPre=-/usr/bin/docker rm matrix-mailer +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mailer +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mailer -ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ --log-driver=none \ --user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \ --cap-drop=ALL \ @@ -24,8 +24,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mailer \ {% endfor %} {{ matrix_mailer_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-mailer -ExecStop=-/usr/bin/docker rm matrix-mailer +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mailer +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mailer Restart=always RestartSec=30 SyslogIdentifier=matrix-mailer diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 5b4dfb2a..7a385a64 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -11,10 +11,10 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy -ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-nginx-proxy +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-nginx-proxy -ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -43,9 +43,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ {% endfor %} {{ matrix_nginx_proxy_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-nginx-proxy -ExecStop=-/usr/bin/docker rm matrix-nginx-proxy -ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload +ExecStop=-{{ matrix_host_command_docker }} kill matrix-nginx-proxy +ExecStop=-{{ matrix_host_command_docker }} rm matrix-nginx-proxy +ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload Restart=always RestartSec=30 SyslogIdentifier=matrix-nginx-proxy diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 4a197003..8e6392c1 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -6,10 +6,10 @@ Requires=docker.service [Service] Type=simple -ExecStartPre=-/usr/bin/docker stop matrix-postgres -ExecStartPre=-/usr/bin/docker rm matrix-postgres +ExecStartPre=-{{ matrix_host_command_docker }} stop matrix-postgres +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-postgres -ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -28,8 +28,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \ {% endfor %} {{ matrix_postgres_docker_image_to_use }} -ExecStop=-/usr/bin/docker stop matrix-postgres -ExecStop=-/usr/bin/docker rm matrix-postgres +ExecStop=-{{ matrix_host_command_docker }} stop matrix-postgres +ExecStop=-{{ matrix_host_command_docker }} rm matrix-postgres Restart=always RestartSec=30 SyslogIdentifier=matrix-postgres diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 364e0fa1..37aff5cd 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -8,10 +8,10 @@ After={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-riot-web -ExecStartPre=-/usr/bin/docker rm matrix-riot-web +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-riot-web +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-riot-web -ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-riot-web \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -34,8 +34,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ {% endfor %} {{ matrix_riot_web_docker_image }} -ExecStop=-/usr/bin/docker kill matrix-riot-web -ExecStop=-/usr/bin/docker rm matrix-riot-web +ExecStop=-{{ matrix_host_command_docker }} kill matrix-riot-web +ExecStop=-{{ matrix_host_command_docker }} rm matrix-riot-web Restart=always RestartSec=30 SyslogIdentifier=matrix-riot-web diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index d2cc0b87..d9d752c2 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -6,10 +6,10 @@ Requires=docker.service [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill %n -ExecStartPre=-/usr/bin/docker rm %n +ExecStartPre=-{{ matrix_host_command_docker }} kill %n +ExecStartPre=-{{ matrix_host_command_docker }} rm %n -ExecStart=/usr/bin/docker run --rm --name %n \ +ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ -v /etc/passwd:/etc/passwd:ro \ @@ -25,10 +25,10 @@ ExecStart=/usr/bin/docker run --rm --name %n \ -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' TimeoutStartSec=5min -ExecStop=-/usr/bin/docker stop %n -ExecStop=-/usr/bin/docker kill %n -ExecStop=-/usr/bin/docker rm %n -ExecStop=-/bin/fusermount -u {{ matrix_synapse_media_store_path }} +ExecStop=-{{ matrix_host_command_docker }} stop %n +ExecStop=-{{ matrix_host_command_docker }} kill %n +ExecStop=-{{ matrix_host_command_docker }} rm %n +ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_synapse_media_store_path }} Restart=always RestartSec=5 SyslogIdentifier=matrix-goofys diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index e7b7f1c6..c782aa66 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -11,16 +11,16 @@ Wants={{ service }} [Service] Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-synapse -ExecStartPre=-/usr/bin/docker rm matrix-synapse +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-synapse +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-synapse {% if matrix_s3_media_store_enabled %} # Allow for some time before starting, so that media store can mount. # Mounting can happen later too, but if we start writing, # we'd write files to the local filesystem and fusermount will complain. -ExecStartPre=/bin/sleep 3 +ExecStartPre={{ matrix_host_command_sleep }} 3 {% endif %} -ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ @@ -55,9 +55,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ {{ matrix_synapse_docker_image }} \ -m synapse.app.homeserver -c /data/homeserver.yaml -ExecStop=-/usr/bin/docker kill matrix-synapse -ExecStop=-/usr/bin/docker rm matrix-synapse -ExecReload=/usr/bin/docker exec matrix-synapse kill -HUP 1 +ExecStop=-{{ matrix_host_command_docker }} kill matrix-synapse +ExecStop=-{{ matrix_host_command_docker }} rm matrix-synapse +ExecReload={{ matrix_host_command_docker }} exec matrix-synapse kill -HUP 1 Restart=always RestartSec=30 SyslogIdentifier=matrix-synapse From 6e3b877dc2a2d715beeee891321fa469f9714719 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 27 May 2020 22:18:24 +0200 Subject: [PATCH 1189/2384] Remove hardcoded command paths in playbook shell usage --- roles/matrix-base/defaults/main.yml | 1 + .../matrix-bridge-appservice-discord/tasks/setup_install.yml | 2 +- roles/matrix-bridge-appservice-irc/tasks/setup_install.yml | 4 ++-- .../tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml | 4 ++-- roles/matrix-postgres/tasks/import_postgres.yml | 2 +- roles/matrix-postgres/tasks/run_synapse_janitor.yml | 2 +- roles/matrix-postgres/tasks/run_vacuum.yml | 2 +- roles/matrix-postgres/tasks/upgrade_postgres.yml | 4 ++-- roles/matrix-synapse/tasks/update_user_password.yml | 2 +- 9 files changed, 12 insertions(+), 11 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index b596b85f..c8ea52c7 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -36,6 +36,7 @@ matrix_host_command_docker: "/usr/bin/env docker" matrix_host_command_sleep: "/usr/bin/env sleep" matrix_host_command_chown: "/usr/bin/env chown" matrix_host_command_fusermount: "/usr/bin/env fusermount" +matrix_host_command_openssl: "/usr/bin/env openssl" matrix_ntpd_package: "ntp" matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}" diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index d736fa7c..3678b35b 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -60,7 +60,7 @@ # We intentionally suppress Ansible changes. - name: Generate AppService Discord invite link shell: >- - /usr/bin/docker run --rm --name matrix-appservice-discord-link-gen + {{ matrix_host_command_docker }} run --rm --name matrix-appservice-discord-link-gen --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL -v {{ matrix_appservice_discord_config_path }}:/cfg diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 7206d25e..5e313347 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -58,7 +58,7 @@ register: irc_passkey_file - name: Generate Appservice IRC passkey if it doesn't exist - shell: /usr/bin/openssl genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 + shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048" become: true become_user: "{{ matrix_user_username }}" when: "not irc_passkey_file.stat.exists" @@ -93,7 +93,7 @@ # to produce a final registration.yaml file, as we desire. - name: Generate Appservice IRC registration-template.yaml shell: >- - /usr/bin/docker run --rm --name matrix-appservice-irc-gen + {{ matrix_host_command_docker }} run --rm --name matrix-appservice-irc-gen --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL -v {{ matrix_appservice_irc_config_path }}:/config:z diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index 19500b15..e80b655d 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -16,7 +16,7 @@ # We suppress the error, as we'll try another method below. - name: Attempt initial SSL certificate retrieval with standalone authenticator (directly) shell: >- - /usr/bin/docker run + {{ matrix_host_command_docker }} run --rm --name=matrix-certbot --user={{ matrix_user_uid }}:{{ matrix_user_gid }} @@ -43,7 +43,7 @@ # and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`. - name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy) shell: >- - /usr/bin/docker run + {{ matrix_host_command_docker }} run --rm --name=matrix-certbot --user={{ matrix_user_uid }}:{{ matrix_user_gid }} diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml index ba237d6a..e58711f1 100644 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -63,7 +63,7 @@ - name: Generate Postgres database import command set_fact: matrix_postgres_import_command: >- - /usr/bin/docker run --rm --name matrix-postgres-import + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-import --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL --network={{ matrix_docker_network }} diff --git a/roles/matrix-postgres/tasks/run_synapse_janitor.yml b/roles/matrix-postgres/tasks/run_synapse_janitor.yml index 41484d79..d7f283be 100644 --- a/roles/matrix-postgres/tasks/run_synapse_janitor.yml +++ b/roles/matrix-postgres/tasks/run_synapse_janitor.yml @@ -66,7 +66,7 @@ - name: Generate Postgres database synapse-janitor command set_fact: matrix_postgres_synapse_janitor_command: >- - /usr/bin/docker run --rm --name matrix-postgres-synapse-janitor + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-synapse-janitor --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL --network={{ matrix_docker_network }} diff --git a/roles/matrix-postgres/tasks/run_vacuum.yml b/roles/matrix-postgres/tasks/run_vacuum.yml index 3c3292ff..19a27562 100644 --- a/roles/matrix-postgres/tasks/run_vacuum.yml +++ b/roles/matrix-postgres/tasks/run_vacuum.yml @@ -45,7 +45,7 @@ - name: Generate Postgres database vacuum command set_fact: matrix_postgres_vacuum_command: >- - /usr/bin/docker run --rm --name matrix-postgres-synapse-vacuum + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-synapse-vacuum --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL --network={{ matrix_docker_network }} diff --git a/roles/matrix-postgres/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml index 8a3886b3..73263695 100644 --- a/roles/matrix-postgres/tasks/upgrade_postgres.yml +++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml @@ -79,7 +79,7 @@ # we need to remove these from the dump, or we'll get errors saying these already exist. - name: Perform Postgres database dump command: >- - /usr/bin/docker run --rm --name matrix-postgres-dump + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-dump --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --network={{ matrix_docker_network }} --env-file={{ matrix_postgres_base_path }}/env-postgres-psql @@ -123,7 +123,7 @@ - name: Generate Postgres database import command set_fact: matrix_postgres_import_command: >- - /usr/bin/docker run --rm --name matrix-postgres-import + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-import --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL --network={{ matrix_docker_network }} diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml index 1e86bd49..78136785 100644 --- a/roles/matrix-synapse/tasks/update_user_password.yml +++ b/roles/matrix-synapse/tasks/update_user_password.yml @@ -36,7 +36,7 @@ when: "start_result.changed or postgres_start_result.changed" - name: Generate password hash - shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" + shell: "{{ matrix_host_command_docker }} exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" register: password_hash - name: Update user password hash From 74df10633a295fa4f4402e523e8f4bfea4a95dd8 Mon Sep 17 00:00:00 2001 From: Chris van Dijk Date: Wed, 27 May 2020 22:52:51 +0200 Subject: [PATCH 1190/2384] Remove hardcoded command paths in playbook cron usage --- roles/matrix-base/defaults/main.yml | 1 + roles/matrix-coturn/tasks/setup_coturn.yml | 2 +- roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index c8ea52c7..1aa09800 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -37,6 +37,7 @@ matrix_host_command_sleep: "/usr/bin/env sleep" matrix_host_command_chown: "/usr/bin/env chown" matrix_host_command_fusermount: "/usr/bin/env fusermount" matrix_host_command_openssl: "/usr/bin/env openssl" +matrix_host_command_systemctl: "/usr/bin/env systemctl" matrix_ntpd_package: "ntp" matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}" diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 52db0e3e..272a36f2 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -99,7 +99,7 @@ hour: "4" minute: "20" day: "*/5" - job: /bin/systemctl reload matrix-coturn.service + job: "{{ matrix_host_command_systemctl }} reload matrix-coturn.service" when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index e6542545..08dc6e58 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -84,7 +84,7 @@ hour: "5" minute: "20" day: "*" - job: /bin/systemctl reload matrix-nginx-proxy.service + job: "{{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service" when: matrix_nginx_proxy_enabled|bool when: "matrix_ssl_retrieval_method == 'lets-encrypt'" From 45ba01510dd3a88d8ac1ffb586d0ef5e5a275305 Mon Sep 17 00:00:00 2001 From: tctovsli Date: Thu, 28 May 2020 14:04:37 +0200 Subject: [PATCH 1191/2384] Synapse v.1.14.0 --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 50d7d824..77397850 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.13.0" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.14.0" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 8bae39050e8637769d3373f46e231599da070ed6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 28 May 2020 15:23:05 +0300 Subject: [PATCH 1192/2384] Update settings for Synapse v1.14.0 --- roles/matrix-synapse/defaults/main.yml | 6 +- .../synapse-simple-antispam/setup_install.yml | 13 +- .../matrix-synapse/tasks/validate_config.yml | 1 + .../templates/synapse/homeserver.yaml.j2 | 290 ++++++++++++++++-- .../synapse/systemd/matrix-synapse.service.j2 | 1 - 5 files changed, 273 insertions(+), 38 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 77397850..ef8cca83 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -202,12 +202,12 @@ matrix_synapse_password_config_localdb_enabled: true # Controls the number of events that Synapse caches in memory. matrix_synapse_event_cache_size: "100K" -# Controls cache sizes for Synapse via the SYNAPSE_CACHE_FACTOR environment variable. +# Controls cache sizes for Synapse. # Raise this to increase cache sizes or lower it to potentially lower memory use. # To learn more, see: # - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram # - https://github.com/matrix-org/synapse/issues/3939 -matrix_synapse_cache_factor: 0.5 +matrix_synapse_caches_global_factor: 0.5 # Controls whether Synapse will federate at all. # Disable this to completely isolate your server from the rest of the Matrix network. @@ -357,7 +357,7 @@ matrix_synapse_default_room_version: "5" # # If a spam-checker extension is enabled, this variable's value is set automatically by the playbook during runtime. # If not, you can also control its value manually. -matrix_synapse_spam_checker: ~ +matrix_synapse_spam_checker: [] matrix_synapse_trusted_key_servers: - server_name: "matrix.org" diff --git a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml index 69e55a39..2599e7f1 100644 --- a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml +++ b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml @@ -38,10 +38,15 @@ become_user: "{{ matrix_user_username }}" - set_fact: - matrix_synapse_spam_checker: - module: "synapse_simple_antispam.AntiSpamInvites" - config: - blocked_homeservers: "{{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers }}" + matrix_synapse_spam_checker: > + {{ matrix_synapse_spam_checker }} + + + [{ + "module": "synapse_simple_antispam.AntiSpamInvites", + "config": { + "blocked_homeservers": {{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers }} + } + }] matrix_synapse_container_extra_arguments: > {{ matrix_synapse_container_extra_arguments|default([]) }} diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index f3a4a869..01368cc8 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -31,3 +31,4 @@ - {'old': 'matrix_synapse_container_expose_client_api_port', 'new': ''} - {'old': 'matrix_synapse_container_expose_federation_api_port', 'new': ''} - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': ''} + - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'} diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index e729c733..15b06c87 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -320,22 +320,27 @@ listeners: # Used by phonehome stats to group together related servers. #server_context: context -# Resource-constrained homeserver Settings +# Resource-constrained homeserver settings # -# If limit_remote_rooms.enabled is True, the room complexity will be -# checked before a user joins a new remote room. If it is above -# limit_remote_rooms.complexity, it will disallow joining or -# instantly leave. +# When this is enabled, the room "complexity" will be checked before a user +# joins a new remote room. If it is above the complexity limit, the server will +# disallow joining, or will instantly leave. # -# limit_remote_rooms.complexity_error can be set to customise the text -# displayed to the user when a room above the complexity threshold has -# its join cancelled. +# Room complexity is an arbitrary measure based on factors such as the number of +# users in the room. # -# Uncomment the below lines to enable: -#limit_remote_rooms: -# enabled: True -# complexity: 1.0 -# complexity_error: "This room is too complex." +limit_remote_rooms: + # Uncomment to enable room complexity checking. + # + #enabled: true + + # the limit above which rooms cannot be joined. The default is 1.0. + # + #complexity: 0.5 + + # override the error which is returned when the room is too complex. + # + #complexity_error: "This room is too complex." # Whether to require a user to be in the room to add an alias to it. # Defaults to 'true'. @@ -605,6 +610,50 @@ acme: +## Caching ## + +# Caching can be configured through the following options. +# +# A cache 'factor' is a multiplier that can be applied to each of +# Synapse's caches in order to increase or decrease the maximum +# number of entries that can be stored. + +# The number of events to cache in memory. Not affected by +# caches.global_factor. +# +event_cache_size: "{{ matrix_synapse_event_cache_size }}" + +caches: + # Controls the global cache factor, which is the default cache factor + # for all caches if a specific factor for that cache is not otherwise + # set. + # + # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment + # variable. Setting by environment variable takes priority over + # setting through the config file. + # + # Defaults to 0.5, which will half the size of all caches. + # + global_factor: {{ matrix_synapse_caches_global_factor }} + + # A dictionary of cache name to cache factor for that individual + # cache. Overrides the global cache factor for a given cache. + # + # These can also be set through environment variables comprised + # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital + # letters and underscores. Setting by environment variable + # takes priority over setting through the config file. + # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0 + # + # Some caches have '*' and other characters that are not + # alphanumeric or underscores. These caches can be named with or + # without the special characters stripped. For example, to specify + # the cache factor for `*stateGroupCache*` via an environment + # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`. + # + per_cache_factors: + #get_users_who_share_room_with_user: 2.0 + ## Database ## database: @@ -618,10 +667,6 @@ database: cp_min: 5 cp_max: 10 -# Number of events to cache in memory. -# -event_cache_size: "{{ matrix_synapse_event_cache_size }}" - ## Logging ## @@ -884,25 +929,28 @@ url_preview_accept_language: ## Captcha ## -# See docs/CAPTCHA_SETUP for full details of configuring this. +# See docs/CAPTCHA_SETUP.md for full details of configuring this. -# This homeserver's ReCAPTCHA public key. +# This homeserver's ReCAPTCHA public key. Must be specified if +# enable_registration_captcha is enabled. # #recaptcha_public_key: "YOUR_PUBLIC_KEY" -# This homeserver's ReCAPTCHA private key. +# This homeserver's ReCAPTCHA private key. Must be specified if +# enable_registration_captcha is enabled. # #recaptcha_private_key: "YOUR_PRIVATE_KEY" -# Enables ReCaptcha checks when registering, preventing signup +# Uncomment to enable ReCaptcha checks when registering, preventing signup # unless a captcha is answered. Requires a valid ReCaptcha -# public/private key. +# public/private key. Defaults to 'false'. # -#enable_registration_captcha: false +#enable_registration_captcha: true # The API endpoint to use for verifying m.login.recaptcha responses. +# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". # -#recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" +#recaptcha_siteverify_api: "https://my.recaptcha.site" ## TURN ## @@ -1182,6 +1230,7 @@ metrics_flags: #known_servers: true # Whether or not to report anonymized homeserver usage statistics. +# report_stats: {{ matrix_synapse_report_stats|to_json }} # The endpoint to report the anonymized homeserver usage statistics to. @@ -1448,6 +1497,94 @@ saml2_config: #template_dir: "res/templates" +# Enable OpenID Connect for registration and login. Uses authlib. +# +oidc_config: + # enable OpenID Connect. Defaults to false. + # + #enabled: true + + # use the OIDC discovery mechanism to discover endpoints. Defaults to true. + # + #discover: true + + # the OIDC issuer. Used to validate tokens and discover the providers endpoints. Required. + # + #issuer: "https://accounts.example.com/" + + # oauth2 client id to use. Required. + # + #client_id: "provided-by-your-issuer" + + # oauth2 client secret to use. Required. + # + #client_secret: "provided-by-your-issuer" + + # auth method to use when exchanging the token. + # Valid values are "client_secret_basic" (default), "client_secret_post" and "none". + # + #client_auth_method: "client_secret_basic" + + # list of scopes to ask. This should include the "openid" scope. Defaults to ["openid"]. + # + #scopes: ["openid"] + + # the oauth2 authorization endpoint. Required if provider discovery is disabled. + # + #authorization_endpoint: "https://accounts.example.com/oauth2/auth" + + # the oauth2 token endpoint. Required if provider discovery is disabled. + # + #token_endpoint: "https://accounts.example.com/oauth2/token" + + # the OIDC userinfo endpoint. Required if discovery is disabled and the "openid" scope is not asked. + # + #userinfo_endpoint: "https://accounts.example.com/userinfo" + + # URI where to fetch the JWKS. Required if discovery is disabled and the "openid" scope is used. + # + #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" + + # skip metadata verification. Defaults to false. + # Use this if you are connecting to a provider that is not OpenID Connect compliant. + # Avoid this in production. + # + #skip_verification: false + + + # An external module can be provided here as a custom solution to mapping + # attributes returned from a OIDC provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. + # + #module: mapping_provider.OidcMappingProvider + + # Custom configuration values for the module. Below options are intended + # for the built-in provider, they should be changed if using a custom + # module. This section will be passed as a Python dictionary to the + # module's `parse_config` method. + # + # Below is the config of the default mapping provider, based on Jinja2 + # templates. Those templates are used to render user attributes, where the + # userinfo object is available through the `user` variable. + # + config: + # name of the claim containing a unique identifier for the user. + # Defaults to `sub`, which OpenID Connect compliant providers should provide. + # + #subject_claim: "sub" + + # Jinja2 template for the localpart of the MXID + # + localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" + + # Jinja2 template for the display name to set on first login. Optional. + # + #display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}" + + # Enable CAS for registration and login. # @@ -1455,10 +1592,96 @@ saml2_config: # enabled: true # server_url: "https://cas-server.com" # service_url: "https://homeserver.domain.com:8448" +# #displayname_attribute: name # #required_attributes: # # name: value +# Additional settings to use with single-sign on systems such as SAML2 and CAS. +# +sso: + # A list of client URLs which are whitelisted so that the user does not + # have to confirm giving access to their account to the URL. Any client + # whose URL starts with an entry in the following list will not be subject + # to an additional confirmation step after the SSO login is completed. + # + # WARNING: An entry such as "https://my.client" is insecure, because it + # will also match "https://my.client.evil.site", exposing your users to + # phishing attacks from evil.site. To avoid this, include a slash after the + # hostname: "https://my.client/". + # + # If public_baseurl is set, then the login fallback page (used by clients + # that don't natively support the required login flows) is whitelisted in + # addition to any URLs in this list. + # + # By default, this list is empty. + # + #client_whitelist: + # - https://riot.im/develop + # - https://my.custom.client/ + + # Directory in which Synapse will try to find the template files below. + # If not set, default templates from within the Synapse package will be used. + # + # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. + # If you *do* uncomment it, you will need to make sure that all the templates + # below are in the directory. + # + # Synapse will look for the following templates in this directory: + # + # * HTML page for a confirmation step before redirecting back to the client + # with the login token: 'sso_redirect_confirm.html'. + # + # When rendering, this template is given three variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * display_url: the same as `redirect_url`, but with the query + # parameters stripped. The intention is to have a + # human-readable URL to show to users, not to use it as + # the final address to redirect to. Needs manual escaping + # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * server_name: the homeserver's name. + # + # * HTML page which notifies the user that they are authenticating to confirm + # an operation on their account during the user interactive authentication + # process: 'sso_auth_confirm.html'. + # + # When rendering, this template is given the following variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * description: the operation which the user is being asked to confirm + # + # * HTML page shown after a successful user interactive authentication session: + # 'sso_auth_success.html'. + # + # Note that this page must include the JavaScript which notifies of a successful authentication + # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). + # + # This template has no additional variables. + # + # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) + # attempts to login: 'sso_account_deactivated.html'. + # + # This template has no additional variables. + # + # * HTML page to display to users if something goes wrong during the + # OpenID Connect authentication process: 'sso_error.html'. + # + # When rendering, this template is given two variables: + # * error: the technical name of the error + # * error_description: a human-readable message for the error + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + # The JWT needs to contain a globally unique "sub" (subject) claim. # #jwt_config: @@ -1501,8 +1724,8 @@ email: # Username/password for authentication to the SMTP server. By default, no # authentication is attempted. # - # smtp_user: "exampleusername" - # smtp_pass: "examplepassword" + #smtp_user: "exampleusername" + #smtp_pass: "examplepassword" # Uncomment the following to require TLS transport security for SMTP. # By default, Synapse will connect over plain text, and will then switch to @@ -1681,10 +1904,17 @@ push: include_content: {{ matrix_synapse_push_include_content|to_json }} -#spam_checker: -# module: "my_custom_project.SuperSpamChecker" -# config: -# example_option: 'things' +# Spam checkers are third-party modules that can block specific actions +# of local users, such as creating rooms and registering undesirable +# usernames, as well as remote users by redacting incoming events. +# +# spam_checker: + #- module: "my_custom_project.SuperSpamChecker" + # config: + # example_option: 'things' + #- module: "some_other_project.BadEventStopper" + # config: + # example_stop_events_from: ['@bad:example.com'] spam_checker: {{ matrix_synapse_spam_checker|to_json }} # Uncomment to allow non-server-admin users to create groups on this server diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index e7b7f1c6..874450cf 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -28,7 +28,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ --network={{ matrix_docker_network }} \ - -e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \ {% if matrix_synapse_container_client_api_host_bind_port %} -p {{ matrix_synapse_container_client_api_host_bind_port }}:8008 \ {% endif %} From 2952b2e7f34abc6414d417768da50643c8cb2c99 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 29 May 2020 10:38:12 +0300 Subject: [PATCH 1193/2384] Mention pwgen for generating a strong shared secret --- docs/configuring-playbook-shared-secret-auth.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-shared-secret-auth.md b/docs/configuring-playbook-shared-secret-auth.md index 87b151a4..21d1c332 100644 --- a/docs/configuring-playbook-shared-secret-auth.md +++ b/docs/configuring-playbook-shared-secret-auth.md @@ -11,6 +11,8 @@ matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE ``` +You can generate a strong shared secret with a command like this: `pwgen -s 64 1` + ## Authenticating only using a password provider From de1164d0a2d09c272196c27e81e70a20e266082e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 1 Jun 2020 22:32:19 +0300 Subject: [PATCH 1194/2384] Fix typos and improve wording --- docs/maintenance-upgrading-services.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/maintenance-upgrading-services.md b/docs/maintenance-upgrading-services.md index 8530d8bc..fe289a86 100644 --- a/docs/maintenance-upgrading-services.md +++ b/docs/maintenance-upgrading-services.md @@ -4,14 +4,14 @@ This playbook not only installs the various Matrix services for you, but can als If you want to be notified when new versions of Synapse are released, you should join the Synapse Homeowners room: [#homeowners:matrix.org](https://matrix.to/#/#homeowners:matrix.org). -To upgrade the services: +To upgrade services: - update your playbook directory (`git pull`), so you'd obtain everything new we've done -- take a look at [the changelog](../CHANGELOG.md) to see if there have been any backward-incomptabile changes that you need to take care of +- take a look at [the changelog](../CHANGELOG.md) to see if there have been any backward-incompatible changes that you need to take care of - re-run the [playbook setup](installing.md): `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all` - restart the services: `ansible-playbook -i inventory/hosts setup.yml --tags=start` -**Note**: major version upgrades are not done to the internal PostgreSQL database. To upgrade that one, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql). +**Note**: major version upgrades to the internal PostgreSQL database are not done automatically. To upgrade it, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql). From 4d8ca303d6bb07ac1d32226cdb642f0333d66761 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 2 Jun 2020 00:22:15 +0300 Subject: [PATCH 1195/2384] Fix typos --- docs/alternative-architectures.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index 01f6946f..07510d8a 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md @@ -3,7 +3,7 @@ As stated in the [Prerequisites](prerequisites.md), currently only x86_64 is sup To that end add the following variable to your `vars.yaml` file: ``` -matrix_architecture = +matrix_architecture: ``` Currently supported architectures are the following: - `amd64` (the default) @@ -12,7 +12,7 @@ Currently supported architectures are the following: so for the Raspberry Pi the following should be in your `vars.yaml` file: ``` -matrix_architecture = "arm32" +matrix_architecture: "arm32" ``` ## Implementation details From 0b7d6744bfd64b1c6be1131d3d68bd93fba2f9b2 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Tue, 2 Jun 2020 08:39:30 +0200 Subject: [PATCH 1196/2384] added more docs and timeout value --- docs/configuring-playbook-matrix-sms-bridge.md | 6 ++++++ roles/matrix-sms-bridge/defaults/main.yml | 3 +++ .../templates/systemd/matrix-sms-bridge.service.j2 | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-matrix-sms-bridge.md b/docs/configuring-playbook-matrix-sms-bridge.md index ef2aeb08..00aaecec 100644 --- a/docs/configuring-playbook-matrix-sms-bridge.md +++ b/docs/configuring-playbook-matrix-sms-bridge.md @@ -5,6 +5,8 @@ The playbook can install and configure See the project page to learn what it does and why it might be useful to you. +First you need to ensure, that the bridge has unix read and write rights to your modem. On debian based distributions there is nothing to do. On others distributions you either add a group `dialout` to your host and assign it to your modem or you give the matrix user or group access to your modem. + To enable the bridge just use the following playbook configuration: @@ -16,6 +18,10 @@ matrix_sms_bridge_gammu_modem: "/path/to/modem" matrix_sms_bridge_database_password: "" # (optional) a room id to a default room matrix_sms_bridge_default_room: "" +# (optional) gammu reset frequency (see https://wammu.eu/docs/manual/smsd/config.html#option-ResetFrequency) +matrix_sms_bridge_gammu_reset_frequency: 3600 +# (optional) group with unix read and write rights to modem +matrix_sms_bridge_modem_group: 'dialout' ``` diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index faf2b6fc..610b8f46 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -48,6 +48,8 @@ matrix_sms_bridge_homserver_domain: "{{ matrix_domain }}" matrix_sms_bridge_default_room: '' matrix_sms_bridge_gammu_modem: '' +matrix_sms_bridge_modem_group: 'dialout' +matrix_sms_bridge_gammu_reset_frequency: 0 matrix_sms_bridge_configuration_yaml: | @@ -122,6 +124,7 @@ matrix_sms_bridge_gammu_configuration: | InboxFormat = detail OutboxFormat = detail TransmitFormat = auto + ResetFrequency = {{ matrix_sms_bridge_gammu_reset_frequency }} debugLevel = 1 LogFile = /data/log/smsd.log DeliveryReport = log diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 index 5c3b9544..cf8ab9fe 100644 --- a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -20,7 +20,7 @@ ExecStartPre=/bin/sleep 5 ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --group-add dialout \ + --group-add {{ matrix_sms_bridge_modem_group }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ {% if matrix_sms_bridge_container_http_host_bind_port %} From f383b152da8f0c5fcc68fcbf237fc8054465c41b Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Tue, 2 Jun 2020 14:49:55 +0200 Subject: [PATCH 1197/2384] removed gammu reset frequency because the tty port will change --- docs/configuring-playbook-matrix-sms-bridge.md | 4 +--- roles/matrix-sms-bridge/defaults/main.yml | 3 --- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/docs/configuring-playbook-matrix-sms-bridge.md b/docs/configuring-playbook-matrix-sms-bridge.md index 00aaecec..b3629ce5 100644 --- a/docs/configuring-playbook-matrix-sms-bridge.md +++ b/docs/configuring-playbook-matrix-sms-bridge.md @@ -17,9 +17,7 @@ matrix_sms_bridge_gammu_modem: "/path/to/modem" # generate a secret passwort e.g. with pwgen -s 64 1 matrix_sms_bridge_database_password: "" # (optional) a room id to a default room -matrix_sms_bridge_default_room: "" -# (optional) gammu reset frequency (see https://wammu.eu/docs/manual/smsd/config.html#option-ResetFrequency) -matrix_sms_bridge_gammu_reset_frequency: 3600 +matrix_sms_bridge_default_room: "" # (optional) group with unix read and write rights to modem matrix_sms_bridge_modem_group: 'dialout' ``` diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index 610b8f46..1e0bfaa3 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -49,8 +49,6 @@ matrix_sms_bridge_default_room: '' matrix_sms_bridge_gammu_modem: '' matrix_sms_bridge_modem_group: 'dialout' -matrix_sms_bridge_gammu_reset_frequency: 0 - matrix_sms_bridge_configuration_yaml: | #jinja2: lstrip_blocks: "True" @@ -124,7 +122,6 @@ matrix_sms_bridge_gammu_configuration: | InboxFormat = detail OutboxFormat = detail TransmitFormat = auto - ResetFrequency = {{ matrix_sms_bridge_gammu_reset_frequency }} debugLevel = 1 LogFile = /data/log/smsd.log DeliveryReport = log From cd179288053b628e7e2962744e1d56094e4902e8 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Tue, 2 Jun 2020 14:56:22 +0200 Subject: [PATCH 1198/2384] revert remove of frequency --- docs/configuring-playbook-matrix-sms-bridge.md | 4 +++- roles/matrix-sms-bridge/defaults/main.yml | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-matrix-sms-bridge.md b/docs/configuring-playbook-matrix-sms-bridge.md index b3629ce5..00aaecec 100644 --- a/docs/configuring-playbook-matrix-sms-bridge.md +++ b/docs/configuring-playbook-matrix-sms-bridge.md @@ -17,7 +17,9 @@ matrix_sms_bridge_gammu_modem: "/path/to/modem" # generate a secret passwort e.g. with pwgen -s 64 1 matrix_sms_bridge_database_password: "" # (optional) a room id to a default room -matrix_sms_bridge_default_room: "" +matrix_sms_bridge_default_room: "" +# (optional) gammu reset frequency (see https://wammu.eu/docs/manual/smsd/config.html#option-ResetFrequency) +matrix_sms_bridge_gammu_reset_frequency: 3600 # (optional) group with unix read and write rights to modem matrix_sms_bridge_modem_group: 'dialout' ``` diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index 1e0bfaa3..610b8f46 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -49,6 +49,8 @@ matrix_sms_bridge_default_room: '' matrix_sms_bridge_gammu_modem: '' matrix_sms_bridge_modem_group: 'dialout' +matrix_sms_bridge_gammu_reset_frequency: 0 + matrix_sms_bridge_configuration_yaml: | #jinja2: lstrip_blocks: "True" @@ -122,6 +124,7 @@ matrix_sms_bridge_gammu_configuration: | InboxFormat = detail OutboxFormat = detail TransmitFormat = auto + ResetFrequency = {{ matrix_sms_bridge_gammu_reset_frequency }} debugLevel = 1 LogFile = /data/log/smsd.log DeliveryReport = log From 2fd8216fbc4d0525da3d65b7abb44e266baca5f9 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Tue, 2 Jun 2020 18:27:33 +0200 Subject: [PATCH 1199/2384] try to fix device reconnect issues --- docs/configuring-playbook-matrix-sms-bridge.md | 4 +++- roles/matrix-sms-bridge/defaults/main.yml | 3 ++- .../templates/systemd/matrix-sms-bridge.service.j2 | 3 ++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-matrix-sms-bridge.md b/docs/configuring-playbook-matrix-sms-bridge.md index 00aaecec..4a486774 100644 --- a/docs/configuring-playbook-matrix-sms-bridge.md +++ b/docs/configuring-playbook-matrix-sms-bridge.md @@ -13,7 +13,7 @@ playbook configuration: ```yaml matrix_sms_bridge_enabled: true -matrix_sms_bridge_gammu_modem: "/path/to/modem" +matrix_sms_bridge_gammu_modem: "/dev/serial/by-id/myDeviceId" # generate a secret passwort e.g. with pwgen -s 64 1 matrix_sms_bridge_database_password: "" # (optional) a room id to a default room @@ -22,6 +22,8 @@ matrix_sms_bridge_default_room: "" matrix_sms_bridge_gammu_reset_frequency: 3600 # (optional) group with unix read and write rights to modem matrix_sms_bridge_modem_group: 'dialout' +# (optional) cgroup major number to allow access to devices, that gets reconnected (e.g. due to reset) +matrix_sms_bridge_cgroup_major_number: '188' ``` diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index 610b8f46..0bbdc5a0 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -48,6 +48,7 @@ matrix_sms_bridge_homserver_domain: "{{ matrix_domain }}" matrix_sms_bridge_default_room: '' matrix_sms_bridge_gammu_modem: '' +matrix_sms_bridge_cgroup_major_number: '188' matrix_sms_bridge_modem_group: 'dialout' matrix_sms_bridge_gammu_reset_frequency: 0 @@ -110,7 +111,7 @@ matrix_sms_bridge_configuration: "{{ matrix_sms_bridge_configuration_yaml|from_y matrix_sms_bridge_gammu_configuration: | [gammu] - Device = /dev/ttyModem + Device = {{ matrix_sms_bridge_gammu_modem }} LogFile = /data/log/gammu.log debugLevel = 1 diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 index cf8ab9fe..bb43a4b8 100644 --- a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -29,7 +29,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ -v {{ matrix_sms_bridge_config_path }}:/config:z \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ -v {{ matrix_sms_bridge_config_path }}/gammu-smsdrc:/etc/gammu-smsdrc:z \ - --device {{ matrix_sms_bridge_gammu_modem }}:/dev/ttyModem \ + --device-cgroup-rule='c {{ matrix_sms_bridge_cgroup_major_number }}:* rmw' \ + --device {{ matrix_sms_bridge_gammu_modem }}:{{ matrix_sms_bridge_gammu_modem }} \ {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ {% endfor %} From 26846a5f6c4e9293dede8001f20828e2be227125 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Tue, 2 Jun 2020 22:04:52 +0200 Subject: [PATCH 1200/2384] try privileged way --- docs/configuring-playbook-matrix-sms-bridge.md | 2 -- roles/matrix-sms-bridge/defaults/main.yml | 1 - .../templates/systemd/matrix-sms-bridge.service.j2 | 4 ++-- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook-matrix-sms-bridge.md b/docs/configuring-playbook-matrix-sms-bridge.md index 4a486774..31a85228 100644 --- a/docs/configuring-playbook-matrix-sms-bridge.md +++ b/docs/configuring-playbook-matrix-sms-bridge.md @@ -22,8 +22,6 @@ matrix_sms_bridge_default_room: "" matrix_sms_bridge_gammu_reset_frequency: 3600 # (optional) group with unix read and write rights to modem matrix_sms_bridge_modem_group: 'dialout' -# (optional) cgroup major number to allow access to devices, that gets reconnected (e.g. due to reset) -matrix_sms_bridge_cgroup_major_number: '188' ``` diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index 0bbdc5a0..6465a9d4 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -48,7 +48,6 @@ matrix_sms_bridge_homserver_domain: "{{ matrix_domain }}" matrix_sms_bridge_default_room: '' matrix_sms_bridge_gammu_modem: '' -matrix_sms_bridge_cgroup_major_number: '188' matrix_sms_bridge_modem_group: 'dialout' matrix_sms_bridge_gammu_reset_frequency: 0 diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 index bb43a4b8..f0634dbe 100644 --- a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -29,8 +29,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ -v {{ matrix_sms_bridge_config_path }}:/config:z \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ -v {{ matrix_sms_bridge_config_path }}/gammu-smsdrc:/etc/gammu-smsdrc:z \ - --device-cgroup-rule='c {{ matrix_sms_bridge_cgroup_major_number }}:* rmw' \ - --device {{ matrix_sms_bridge_gammu_modem }}:{{ matrix_sms_bridge_gammu_modem }} \ + --privileged \ + -v /dev:/dev \ {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ {% endfor %} From 5da31ba57989e5cc97a3fa1c57849daa55ec80d2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 3 Jun 2020 09:33:28 +0300 Subject: [PATCH 1201/2384] Move configuration templates outside of defaults/main.yml files --- .../defaults/main.yml | 95 +---- .../templates/config.yaml.j2 | 93 ++++ .../defaults/main.yml | 136 +----- .../templates/config.yaml.j2 | 134 ++++++ .../defaults/main.yml | 16 +- .../templates/config.yaml.j2 | 14 + .../defaults/main.yml | 30 +- .../templates/config.yaml.j2 | 28 ++ .../defaults/main.yml | 159 +------ .../templates/config.yaml.j2 | 157 +++++++ .../defaults/main.yml | 147 +------ .../templates/config.yaml.j2 | 145 +++++++ .../defaults/main.yml | 400 +----------------- .../templates/config.yaml.j2 | 397 +++++++++++++++++ .../defaults/main.yml | 170 +------- .../templates/config.yaml.j2 | 169 ++++++++ .../defaults/main.yml | 140 +----- .../templates/config.yaml.j2 | 138 ++++++ .../defaults/main.yml | 94 +--- .../templates/config.yaml.j2 | 92 ++++ roles/matrix-dimension/defaults/main.yml | 84 +--- .../matrix-dimension/templates/config.yaml.j2 | 81 ++++ roles/matrix-ma1sd/defaults/main.yml | 71 +--- roles/matrix-ma1sd/templates/ma1sd.yaml.j2 | 69 +++ 24 files changed, 1529 insertions(+), 1530 deletions(-) create mode 100644 roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-appservice-webhooks/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 create mode 100644 roles/matrix-dimension/templates/config.yaml.j2 create mode 100644 roles/matrix-ma1sd/templates/ma1sd.yaml.j2 diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 0192f97d..97ad8e89 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -39,100 +39,7 @@ matrix_appservice_discord_bridge_homeserverUrl: "{{ matrix_homeserver_url }}" matrix_appservice_discord_bridge_disablePresence: false matrix_appservice_discord_bridge_enableSelfServiceBridging: false -matrix_appservice_discord_configuration_yaml: | - #jinja2: lstrip_blocks: "True" - bridge: - # Domain part of the bridge, e.g. matrix.org - domain: {{ matrix_appservice_discord_bridge_domain }} - # This should be your publically facing URL because Discord may use it to - # fetch media from the media store. - homeserverUrl: {{ matrix_appservice_discord_bridge_homeserverUrl }} - # Interval at which to process users in the 'presence queue'. If you have - # 5 users, one user will be processed every 500 milliseconds according to the - # value below. This has a minimum value of 250. - # WARNING: This has a high chance of spamming the homeserver with presence - # updates since it will send one each time somebody changes state or is online. - presenceInterval: 500 - # Disable setting presence for 'ghost users' which means Discord users on Matrix - # will not be shown as away or online. - disablePresence: {{ matrix_appservice_discord_bridge_disablePresence|to_json }} - # Disable sending typing notifications when somebody on Discord types. - disableTypingNotifications: false - # Disable deleting messages on Discord if a message is redacted on Matrix. - disableDeletionForwarding: false - # Enable users to bridge rooms using !discord commands. See - # https://t2bot.io/discord for instructions. - enableSelfServiceBridging: {{ matrix_appservice_discord_bridge_enableSelfServiceBridging|to_json }} - # Disable sending of read receipts for Matrix events which have been - # successfully bridged to Discord. - disableReadReceipts: false - # Disable Join Leave echos from matrix - disableJoinLeaveNotifications: false - # Authentication configuration for the discord bot. - auth: - clientID: {{ matrix_appservice_discord_client_id|string|to_json }} - botToken: {{ matrix_appservice_discord_bot_token }} - logging: - # What level should the logger output to the console at. - console: "warn" #silly, verbose, info, http, warn, error, silent - lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format - # files: - # - file: "debug.log" - # disable: - # - "PresenceHandler" # Will not capture presence logging - # - file: "warn.log" # Will capture warnings - # level: "warn" - # - file: "botlogs.log" # Will capture logs from DiscordBot - # level: "info" - # enable: - # - "DiscordBot" - database: - userStorePath: "/data/user-store.db" - roomStorePath: "/data/room-store.db" - # You may either use SQLite or Postgresql for the bridge database, which contains - # important mappings for events and user puppeting configurations. - # Use the filename option for SQLite, or connString for Postgresql. - # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite - # WARNING: You will almost certainly be fine with sqlite unless your bridge - # is in heavy demand and you suffer from IO slowness. - filename: "/data/discord.db" - # connString: "postgresql://user:password@localhost/database_name" - room: - # Set the default visibility of alias rooms, defaults to "public". - # One of: "public", "private" - defaultVisibility: "public" - channel: - # Pattern of the name given to bridged rooms. - # Can use :guild for the guild name and :name for the channel name. - namePattern: "[Discord] :guild :name" - # Changes made to rooms when a channel is deleted. - deleteOptions: - # Prefix the room name with a string. - #namePrefix: "[Deleted]" - # Prefix the room topic with a string. - #topicPrefix: "This room has been deleted" - # Disable people from talking in the room by raising the event PL to 50 - disableMessaging: false - # Remove the discord alias from the room. - unsetRoomAlias: true - # Remove the room from the directory. - unlistFromDirectory: true - # Set the room to be unavaliable for joining without an invite. - setInviteOnly: true - # Make all the discord users leave the room. - ghostsLeave: true - limits: - # Delay in milliseconds between discord users joining a room. - roomGhostJoinDelay: 6000 - # Delay in milliseconds before sending messages to discord to avoid echos. - # (Copies of a sent message may arrive from discord before we've - # fininished handling it, causing us to echo it back to the room) - discordSendDelay: 750 - ghosts: - # Pattern for the ghosts nick, available is :nick, :username, :tag and :id - nickPattern: ":nick" - # Pattern for the ghosts username, available is :username, :tag and :id - usernamePattern: ":username#:tag" +matrix_appservice_discord_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_appservice_discord_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 new file mode 100644 index 00000000..e91c60de --- /dev/null +++ b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 @@ -0,0 +1,93 @@ +#jinja2: lstrip_blocks: "True" +bridge: + # Domain part of the bridge, e.g. matrix.org + domain: {{ matrix_appservice_discord_bridge_domain }} + # This should be your publically facing URL because Discord may use it to + # fetch media from the media store. + homeserverUrl: {{ matrix_appservice_discord_bridge_homeserverUrl }} + # Interval at which to process users in the 'presence queue'. If you have + # 5 users, one user will be processed every 500 milliseconds according to the + # value below. This has a minimum value of 250. + # WARNING: This has a high chance of spamming the homeserver with presence + # updates since it will send one each time somebody changes state or is online. + presenceInterval: 500 + # Disable setting presence for 'ghost users' which means Discord users on Matrix + # will not be shown as away or online. + disablePresence: {{ matrix_appservice_discord_bridge_disablePresence|to_json }} + # Disable sending typing notifications when somebody on Discord types. + disableTypingNotifications: false + # Disable deleting messages on Discord if a message is redacted on Matrix. + disableDeletionForwarding: false + # Enable users to bridge rooms using !discord commands. See + # https://t2bot.io/discord for instructions. + enableSelfServiceBridging: {{ matrix_appservice_discord_bridge_enableSelfServiceBridging|to_json }} + # Disable sending of read receipts for Matrix events which have been + # successfully bridged to Discord. + disableReadReceipts: false + # Disable Join Leave echos from matrix + disableJoinLeaveNotifications: false +# Authentication configuration for the discord bot. +auth: + clientID: {{ matrix_appservice_discord_client_id|string|to_json }} + botToken: {{ matrix_appservice_discord_bot_token }} +logging: + # What level should the logger output to the console at. + console: "warn" #silly, verbose, info, http, warn, error, silent + lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format + # files: + # - file: "debug.log" + # disable: + # - "PresenceHandler" # Will not capture presence logging + # - file: "warn.log" # Will capture warnings + # level: "warn" + # - file: "botlogs.log" # Will capture logs from DiscordBot + # level: "info" + # enable: + # - "DiscordBot" +database: + userStorePath: "/data/user-store.db" + roomStorePath: "/data/room-store.db" + # You may either use SQLite or Postgresql for the bridge database, which contains + # important mappings for events and user puppeting configurations. + # Use the filename option for SQLite, or connString for Postgresql. + # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite + # WARNING: You will almost certainly be fine with sqlite unless your bridge + # is in heavy demand and you suffer from IO slowness. + filename: "/data/discord.db" + # connString: "postgresql://user:password@localhost/database_name" +room: + # Set the default visibility of alias rooms, defaults to "public". + # One of: "public", "private" + defaultVisibility: "public" +channel: + # Pattern of the name given to bridged rooms. + # Can use :guild for the guild name and :name for the channel name. + namePattern: "[Discord] :guild :name" + # Changes made to rooms when a channel is deleted. + deleteOptions: + # Prefix the room name with a string. + #namePrefix: "[Deleted]" + # Prefix the room topic with a string. + #topicPrefix: "This room has been deleted" + # Disable people from talking in the room by raising the event PL to 50 + disableMessaging: false + # Remove the discord alias from the room. + unsetRoomAlias: true + # Remove the room from the directory. + unlistFromDirectory: true + # Set the room to be unavaliable for joining without an invite. + setInviteOnly: true + # Make all the discord users leave the room. + ghostsLeave: true +limits: + # Delay in milliseconds between discord users joining a room. + roomGhostJoinDelay: 6000 + # Delay in milliseconds before sending messages to discord to avoid echos. + # (Copies of a sent message may arrive from discord before we've + # fininished handling it, causing us to echo it back to the room) + discordSendDelay: 750 +ghosts: + # Pattern for the ghosts nick, available is :nick, :username, :tag and :id + nickPattern: ":nick" + # Pattern for the ghosts username, available is :username, :tag and :id + usernamePattern: ":username#:tag" diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 819691f6..2cbb3e5f 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -346,141 +346,7 @@ matrix_appservice_irc_systemd_wanted_services_list: [] matrix_appservice_irc_appservice_token: '' matrix_appservice_irc_homeserver_token: '' -matrix_appservice_irc_configuration_yaml: | - #jinja2: lstrip_blocks: True - homeserver: - # The URL to the home server for client-server API calls, also used to form the - # media URLs as displayed in bridged IRC channels: - url: {{ matrix_appservice_irc_homeserver_url }} - # - # The URL of the homeserver hosting media files. This is only used to transform - # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By - # default, this is the homeserver URL, specified above. - # - media_url: {{ matrix_appservice_irc_homeserver_media_url }} - - # Drop Matrix messages which are older than this number of seconds, according to - # the event's origin_server_ts. - # If the bridge is down for a while, the homeserver will attempt to send all missed - # events on reconnection. These events may be hours old, which can be confusing to - # IRC users if they are then bridged. This option allows these old messages to be - # dropped. - # CAUTION: This is a very coarse heuristic. Federated homeservers may have different - # clock times and hence produce different origin_server_ts values, which may be old - # enough to cause *all* events from the homeserver to be dropped. - # Default: 0 (don't ever drop) - # dropMatrixMessagesAfterSecs: 300 # 5 minutes - - # The 'domain' part for user IDs on this home server. Usually (but not always) - # is the "domain name" part of the HS URL. - domain: {{ matrix_appservice_irc_homeserver_domain }} - - # Should presence be enabled for matrix clients on this bridge. If disabled on the - # homeserver then it should also be disabled here to avoid excess traffic. - # Default: true - enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }} - - ircService: - # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot - # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in - # the database. - # - # To generate a .pem file: - # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 - # - # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords - # for storage in the database. Passwords are stored by using the admin room command - # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of - # the Matrix user, this password will be sent as the server password (PASS command). - passwordEncryptionKeyPath: "/data/passkey.pem" # does not typically need modification - - # Config for Matrix -> IRC bridging - matrixHandler: - # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies). - eventCacheSize: 4096 - - servers: {{ matrix_appservice_irc_ircService_servers|to_json }} - - # Configuration for an ident server. If you are running a public bridge it is - # advised you setup an ident server so IRC mods can ban specific matrix users - # rather than the application service itself. - ident: - # True to listen for Ident requests and respond with the - # matrix user's user_id (converted to ASCII, respecting RFC 1413). - # Default: false. - enabled: false - # The port to listen on for incoming ident requests. - # Ports below 1024 require root to listen on, and you may not want this to - # run as root. Instead, you can get something like an Apache to yank up - # incoming requests to 113 to a high numbered port. Set the port to listen - # on instead of 113 here. - # Default: 113. - port: 1113 - # The address to listen on for incoming ident requests. - # Default: 0.0.0.0 - address: "::" - - # Configuration for logging. Optional. Default: console debug level logging - # only. - logging: - # Level to log on console/logfile. One of error|warn|info|debug - level: "debug" - # The file location to log to. This is relative to the project directory. - #logfile: "debug.log" - # The file location to log errors to. This is relative to the project - # directory. - #errfile: "errors.log" - # Whether to log to the console or not. - toConsole: true - # The max number of files to keep. Files will be overwritten eventually due - # to rotations. - maxFiles: 5 - - # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: - # $ npm install prom-client@6.3.0 - # Metrics will then be available via GET /metrics on the bridge listening port (-p). - metrics: - # Whether to actually enable the metric endpoint. Default: false - enabled: true - # When collecting remote user active times, which "buckets" should be used. Defaults are given below. - # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). - remoteUserAgeBuckets: - - "1h" - - "1d" - - "1w" - - # Configuration for the provisioning API. - # - # GET /_matrix/provision/link - # GET /_matrix/provision/unlink - # GET /_matrix/provision/listlinks - # - provisioning: - # True to enable the provisioning HTTP endpoint. Default: false. - enabled: false - # The number of seconds to wait before giving up on getting a response from - # an IRC channel operator. If the channel operator does not respond within the - # allotted time period, the provisioning request will fail. - # Default: 300 seconds (5 mins) - requestTimeoutSeconds: 300 - - # Options here are generally only applicable to large-scale bridges and may have - # consequences greater than other options in this configuration file. - advanced: - # The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited - # however for large bridges it is important to rate limit the bridge to avoid - # accidentally overloading the homeserver. Defaults to 1000, which should be - # enough for the vast majority of use cases. - maxHttpSockets: 1000 - - # Use an external database to store bridge state. - database: - # database engine (must be 'postgres' or 'nedb'). Default: nedb - engine: "nedb" - # Either a PostgreSQL connection string, or a path to the NeDB storage directory. - # For postgres, it must start with postgres:// - # For NeDB, it must start with nedb://. The path is relative to the project directory. - connectionString: "nedb:///data" +matrix_appservice_irc_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_appservice_irc_configuration_extension_yaml: | # Your custom YAML configuration for Appservice IRC servers goes here. diff --git a/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 new file mode 100644 index 00000000..3daa1898 --- /dev/null +++ b/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 @@ -0,0 +1,134 @@ +#jinja2: lstrip_blocks: True +homeserver: + # The URL to the home server for client-server API calls, also used to form the + # media URLs as displayed in bridged IRC channels: + url: {{ matrix_appservice_irc_homeserver_url }} + # + # The URL of the homeserver hosting media files. This is only used to transform + # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By + # default, this is the homeserver URL, specified above. + # + media_url: {{ matrix_appservice_irc_homeserver_media_url }} + + # Drop Matrix messages which are older than this number of seconds, according to + # the event's origin_server_ts. + # If the bridge is down for a while, the homeserver will attempt to send all missed + # events on reconnection. These events may be hours old, which can be confusing to + # IRC users if they are then bridged. This option allows these old messages to be + # dropped. + # CAUTION: This is a very coarse heuristic. Federated homeservers may have different + # clock times and hence produce different origin_server_ts values, which may be old + # enough to cause *all* events from the homeserver to be dropped. + # Default: 0 (don't ever drop) + # dropMatrixMessagesAfterSecs: 300 # 5 minutes + + # The 'domain' part for user IDs on this home server. Usually (but not always) + # is the "domain name" part of the HS URL. + domain: {{ matrix_appservice_irc_homeserver_domain }} + + # Should presence be enabled for matrix clients on this bridge. If disabled on the + # homeserver then it should also be disabled here to avoid excess traffic. + # Default: true + enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }} + +ircService: + # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot + # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in + # the database. + # + # To generate a .pem file: + # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 + # + # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords + # for storage in the database. Passwords are stored by using the admin room command + # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of + # the Matrix user, this password will be sent as the server password (PASS command). + passwordEncryptionKeyPath: "/data/passkey.pem" # does not typically need modification + + # Config for Matrix -> IRC bridging + matrixHandler: + # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies). + eventCacheSize: 4096 + + servers: {{ matrix_appservice_irc_ircService_servers|to_json }} + + # Configuration for an ident server. If you are running a public bridge it is + # advised you setup an ident server so IRC mods can ban specific matrix users + # rather than the application service itself. + ident: + # True to listen for Ident requests and respond with the + # matrix user's user_id (converted to ASCII, respecting RFC 1413). + # Default: false. + enabled: false + # The port to listen on for incoming ident requests. + # Ports below 1024 require root to listen on, and you may not want this to + # run as root. Instead, you can get something like an Apache to yank up + # incoming requests to 113 to a high numbered port. Set the port to listen + # on instead of 113 here. + # Default: 113. + port: 1113 + # The address to listen on for incoming ident requests. + # Default: 0.0.0.0 + address: "::" + + # Configuration for logging. Optional. Default: console debug level logging + # only. + logging: + # Level to log on console/logfile. One of error|warn|info|debug + level: "debug" + # The file location to log to. This is relative to the project directory. + #logfile: "debug.log" + # The file location to log errors to. This is relative to the project + # directory. + #errfile: "errors.log" + # Whether to log to the console or not. + toConsole: true + # The max number of files to keep. Files will be overwritten eventually due + # to rotations. + maxFiles: 5 + + # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: + # $ npm install prom-client@6.3.0 + # Metrics will then be available via GET /metrics on the bridge listening port (-p). + metrics: + # Whether to actually enable the metric endpoint. Default: false + enabled: true + # When collecting remote user active times, which "buckets" should be used. Defaults are given below. + # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). + remoteUserAgeBuckets: + - "1h" + - "1d" + - "1w" + + # Configuration for the provisioning API. + # + # GET /_matrix/provision/link + # GET /_matrix/provision/unlink + # GET /_matrix/provision/listlinks + # + provisioning: + # True to enable the provisioning HTTP endpoint. Default: false. + enabled: false + # The number of seconds to wait before giving up on getting a response from + # an IRC channel operator. If the channel operator does not respond within the + # allotted time period, the provisioning request will fail. + # Default: 300 seconds (5 mins) + requestTimeoutSeconds: 300 + +# Options here are generally only applicable to large-scale bridges and may have +# consequences greater than other options in this configuration file. +advanced: + # The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited + # however for large bridges it is important to rate limit the bridge to avoid + # accidentally overloading the homeserver. Defaults to 1000, which should be + # enough for the vast majority of use cases. + maxHttpSockets: 1000 + +# Use an external database to store bridge state. +database: + # database engine (must be 'postgres' or 'nedb'). Default: nedb + engine: "nedb" + # Either a PostgreSQL connection string, or a path to the NeDB storage directory. + # For postgres, it must start with postgres:// + # For NeDB, it must start with nedb://. The path is relative to the project directory. + connectionString: "nedb:///data" diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index d68c1178..58dde6a0 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -45,21 +45,7 @@ matrix_appservice_slack_appservice_token: '' matrix_appservice_slack_homeserver_token: '' matrix_appservice_slack_id_token: '' -matrix_appservice_slack_configuration_yaml: | - slack_hook_port: {{ matrix_appservice_slack_slack_port }} - inbound_uri_prefix: "{{ matrix_appservice_slack_inbound_uri_prefix }}" - bot_username: "{{ matrix_appservice_slack_bot_name }}" - username_prefix: {{ matrix_appservice_slack_user_prefix }} - - homeserver: - media_url: "{{ matrix_appservice_slack_homeserver_media_url }}" - url: "{{ matrix_appservice_slack_homeserver_url }}" - server_name: "{{ matrix_domain }}" - - dbdir: "/data" - - matrix_admin_room: "{{ matrix_appservice_slack_control_room_id }}" - +matrix_appservice_slack_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_appservice_slack_configuration_extension_yaml: | #slack_hook_port: 9898 diff --git a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 new file mode 100644 index 00000000..8f48d317 --- /dev/null +++ b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 @@ -0,0 +1,14 @@ +#jinja2: lstrip_blocks: True +slack_hook_port: {{ matrix_appservice_slack_slack_port }} +inbound_uri_prefix: "{{ matrix_appservice_slack_inbound_uri_prefix }}" +bot_username: "{{ matrix_appservice_slack_bot_name }}" +username_prefix: {{ matrix_appservice_slack_user_prefix }} + +homeserver: + media_url: "{{ matrix_appservice_slack_homeserver_media_url }}" + url: "{{ matrix_appservice_slack_homeserver_url }}" + server_name: "{{ matrix_domain }}" + +dbdir: "/data" + +matrix_admin_room: "{{ matrix_appservice_slack_control_room_id }}" diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 1b2c9940..0fb5abbc 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -49,35 +49,7 @@ matrix_appservice_webhooks_api_secret: '' # Logging information (info and verbose is available) default is: info matrix_appservice_webhooks_log_level: 'info' -matrix_appservice_webhooks_configuration_yaml: | - - # Configuration specific to the application service. All fields (unless otherwise marked) are required. - homeserver: - # The domain for the client-server API calls. - url: "{{ matrix_appservice_webhooks_homeserver_url }}" - - # The domain part for user IDs on this home server. Usually, but not always, this is the same as the - # home server's URL. - domain: "{{ matrix_domain }}" - - # Configuration specific to the bridge. All fields (unless otherwise marked) are required. - webhookBot: - # The localpart to use for the bot. May require re-registering the application service. - localpart: "_webhook" - - # Provisioning API options - provisioning: - # Your secret for the API. Required for all provisioning API requests. - secret: '{{ matrix_appservice_webhooks_api_secret }}' - - # Configuration related to the web portion of the bridge. Handles the inbound webhooks - web: - hookUrlBase: "{{ matrix_appservice_webhooks_inbound_uri_prefix }}" - - logging: - console: true - consoleLevel: {{ matrix_appservice_webhooks_log_level }} - writeFiles: false +matrix_appservice_webhooks_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_appservice_webhooks_configuration_extension_yaml: | # diff --git a/roles/matrix-bridge-appservice-webhooks/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-webhooks/templates/config.yaml.j2 new file mode 100644 index 00000000..49751624 --- /dev/null +++ b/roles/matrix-bridge-appservice-webhooks/templates/config.yaml.j2 @@ -0,0 +1,28 @@ +#jinja2: lstrip_blocks: True +# Configuration specific to the application service. All fields (unless otherwise marked) are required. +homeserver: + # The domain for the client-server API calls. + url: "{{ matrix_appservice_webhooks_homeserver_url }}" + + # The domain part for user IDs on this home server. Usually, but not always, this is the same as the + # home server's URL. + domain: "{{ matrix_domain }}" + +# Configuration specific to the bridge. All fields (unless otherwise marked) are required. +webhookBot: + # The localpart to use for the bot. May require re-registering the application service. + localpart: "_webhook" + +# Provisioning API options +provisioning: + # Your secret for the API. Required for all provisioning API requests. + secret: '{{ matrix_appservice_webhooks_api_secret }}' + +# Configuration related to the web portion of the bridge. Handles the inbound webhooks +web: + hookUrlBase: "{{ matrix_appservice_webhooks_inbound_uri_prefix }}" + +logging: + console: true + consoleLevel: {{ matrix_appservice_webhooks_log_level }} + writeFiles: false diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 2f737afd..610bcc11 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -38,164 +38,7 @@ matrix_mautrix_facebook_login_shared_secret: '' # # For a more advanced customization, you can extend the default (see `matrix_mautrix_facebook_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mautrix_facebook_configuration_yaml: | - #jinja2: lstrip_blocks: "True" - # Homeserver details - homeserver: - # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_facebook_homeserver_address }} - # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_facebook_homeserver_domain }} - # Whether or not to verify the SSL certificate of the homeserver. - # Only applies if address starts with https:// - verify_ssl: true - - # Application service host/registration related details - # Changing these values requires regeneration of the registration. - appservice: - # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_facebook_appservice_address }} - - # The hostname and port where this appservice should listen. - hostname: 0.0.0.0 - port: 29319 - # The maximum body size of appservice API requests (from the homeserver) in mebibytes - # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s - max_body_size: 1 - - # The full URI to the database. SQLite and Postgres are fully supported. - # Other DBMSes supported by SQLAlchemy may or may not work. - # Format examples: - # SQLite: sqlite:///filename.db - # Postgres: postgres://username:password@hostname/dbname - database: sqlite:////data/mautrix-facebook.db - - # Public part of web server for out-of-Matrix interaction with the bridge. - public: - # Whether or not the public-facing endpoints should be enabled. - enabled: false - # The prefix to use in the public-facing endpoints. - prefix: /public - # The base URL where the public-facing endpoints are available. The prefix is not added - # implicitly. - external: https://example.com/public - - # The unique ID of this appservice. - id: facebook - # Username of the appservice bot. - bot_username: facebookbot - # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty - # to leave display name/avatar as-is. - bot_displayname: Facebook bridge bot - bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv - - # Authentication tokens for AS <-> HS communication. - as_token: "{{ matrix_mautrix_facebook_appservice_token }}" - hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" - - # Bridge config - bridge: - # Localpart template of MXIDs for Facebook users. - # {userid} is replaced with the user ID of the Facebook user. - username_template: "facebook_{userid}" - # Localpart template for per-user room grouping community IDs. - # The bridge will create these communities and add all of the specific user's portals to the community. - # {localpart} is the MXID localpart and {server} is the MXID server part of the user. - # - # `facebook_{localpart}={server}` is a good value. - community_template: null - # Displayname template for Facebook users. - # {displayname} is replaced with the display name of the Facebook user - # as defined below in displayname_preference. - # Keys available for displayname_preference are also available here. - displayname_template: '{displayname} (FB)' - # Available keys: - # "name" (full name) - # "first_name" - # "last_name" - # "nickname" - # "own_nickname" (user-specific!) - displayname_preference: - - name - - # The prefix for commands. Only required in non-management rooms. - command_prefix: "!fb" - - # Number of chats to sync (and create portals for) on startup/login. - # Maximum 20, set 0 to disable automatic syncing. - initial_chat_sync: 10 - # Whether or not the Facebook users of logged in Matrix users should be - # invited to private chats when the user sends a message from another client. - invite_own_puppet_to_pm: false - # Whether or not to use /sync to get presence, read receipts and typing notifications when using - # your own Matrix account as the Matrix puppet for your Facebook account. - sync_with_custom_puppets: true - # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth - # - # If set, custom puppets will be enabled automatically for local users - # instead of users having to find an access token and run `login-matrix` - # manually. - login_shared_secret: {{ matrix_mautrix_facebook_login_shared_secret|to_json }} - # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast - # presence, but then it won't send other users' presence to the client. - presence: true - # Whether or not to update avatars when syncing all contacts at startup. - update_avatar_initial_sync: true - # End-to-bridge encryption support options. These require matrix-nio to be installed with pip - # and login_shared_secret to be configured in order to get a device for the bridge bot. - # - # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal - # application service. - encryption: - # Allow encryption, work in group chat rooms with e2ee enabled - allow: false - # Default to encryption, force-enable encryption in all portals the bridge creates - # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false - - # Whether or not the bridge should send a read receipt from the bridge bot when a message has - # been sent to Facebook. - delivery_receipts: false - - # Permissions for using the bridge. - # Permitted values: - # user - Use the bridge with puppeting. - # admin - Use and administrate the bridge. - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - permissions: - '{{ matrix_mautrix_facebook_homeserver_domain }}': user - - # Python logging configuration. - # - # See section 16.7.2 of the Python documentation for more info: - # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema - logging: - version: 1 - formatters: - colored: - (): mautrix_facebook.util.ColorFormatter - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - normal: - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - handlers: - console: - class: logging.StreamHandler - formatter: colored - loggers: - mau: - level: DEBUG - fbchat: - level: DEBUG - hbmqtt: - level: INFO - aiohttp: - level: INFO - root: - level: DEBUG - handlers: [console] +matrix_mautrix_facebook_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_mautrix_facebook_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 new file mode 100644 index 00000000..887f3df8 --- /dev/null +++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -0,0 +1,157 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_facebook_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_facebook_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_facebook_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 29319 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are fully supported. + # Other DBMSes supported by SQLAlchemy may or may not work. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:////data/mautrix-facebook.db + + # Public part of web server for out-of-Matrix interaction with the bridge. + public: + # Whether or not the public-facing endpoints should be enabled. + enabled: false + # The prefix to use in the public-facing endpoints. + prefix: /public + # The base URL where the public-facing endpoints are available. The prefix is not added + # implicitly. + external: https://example.com/public + + # The unique ID of this appservice. + id: facebook + # Username of the appservice bot. + bot_username: facebookbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Facebook bridge bot + bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv + + # Authentication tokens for AS <-> HS communication. + as_token: "{{ matrix_mautrix_facebook_appservice_token }}" + hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" + +# Bridge config +bridge: + # Localpart template of MXIDs for Facebook users. + # {userid} is replaced with the user ID of the Facebook user. + username_template: "facebook_{userid}" + # Localpart template for per-user room grouping community IDs. + # The bridge will create these communities and add all of the specific user's portals to the community. + # {localpart} is the MXID localpart and {server} is the MXID server part of the user. + # + # `facebook_{localpart}={server}` is a good value. + community_template: null + # Displayname template for Facebook users. + # {displayname} is replaced with the display name of the Facebook user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: '{displayname} (FB)' + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + # "nickname" + # "own_nickname" (user-specific!) + displayname_preference: + - name + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!fb" + + # Number of chats to sync (and create portals for) on startup/login. + # Maximum 20, set 0 to disable automatic syncing. + initial_chat_sync: 10 + # Whether or not the Facebook users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. + invite_own_puppet_to_pm: false + # Whether or not to use /sync to get presence, read receipts and typing notifications when using + # your own Matrix account as the Matrix puppet for your Facebook account. + sync_with_custom_puppets: true + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret: {{ matrix_mautrix_facebook_login_shared_secret|to_json }} + # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast + # presence, but then it won't send other users' presence to the client. + presence: true + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Facebook. + delivery_receipts: false + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '{{ matrix_mautrix_facebook_homeserver_domain }}': user + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_facebook.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + fbchat: + level: DEBUG + hbmqtt: + level: INFO + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 8de4576f..31f4fe98 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -40,152 +40,7 @@ matrix_mautrix_hangouts_login_shared_secret: '' # # For a more advanced customization, you can extend the default (see `matrix_mautrix_hangouts_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mautrix_hangouts_configuration_yaml: | - #jinja2: lstrip_blocks: "True" - # Homeserver details - homeserver: - # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_hangouts_homeserver_address }} - # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_hangouts_homeserver_domain }} - # Whether or not to verify the SSL certificate of the homeserver. - # Only applies if address starts with https:// - verify_ssl: true - - # Application service host/registration related details - # Changing these values requires regeneration of the registration. - appservice: - # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_hangouts_appservice_address }} - - # The hostname and port where this appservice should listen. - hostname: 0.0.0.0 - port: 8080 - # The maximum body size of appservice API requests (from the homeserver) in mebibytes - # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s - max_body_size: 1 - - # The full URI to the database. SQLite and Postgres are fully supported. - # Other DBMSes supported by SQLAlchemy may or may not work. - # Format examples: - # SQLite: sqlite:///filename.db - # Postgres: postgres://username:password@hostname/dbname - database: sqlite:////data/mautrix-hangouts.db - - # The unique ID of this appservice. - id: hangouts - # Username of the appservice bot. - bot_username: hangoutsbot - # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty - # to leave display name/avatar as-is. - bot_displayname: Hangouts bridge bot - bot_avatar: mxc://maunium.net/FBXZnpfORkBEruORbikmleAy - - # Authentication tokens for AS <-> HS communication. - as_token: "{{ matrix_mautrix_hangouts_appservice_token }}" - hs_token: "{{ matrix_mautrix_hangouts_homeserver_token }}" - - # Bridge config - bridge: - # Localpart template of MXIDs for Hangouts users. - # {userid} is replaced with the user ID of the Hangouts user. - username_template: "hangouts_{userid}" - # Displayname template for Hangouts users. - # {displayname} is replaced with the display name of the Hangouts user - # as defined below in displayname_preference. - # Keys available for displayname_preference are also available here. - displayname_template: '{full_name} (Hangouts)' - # Available keys: - # "name" (full name) - # "first_name" - # "last_name" - # "nickname" - # "own_nickname" (user-specific!) - displayname_preference: - - name - - # The prefix for commands. Only required in non-management rooms. - command_prefix: "!HO" - - # Number of chats to sync (and create portals for) on startup/login. - # Maximum 20, set 0 to disable automatic syncing. - initial_chat_sync: 20 - # Whether or not the Hangouts users of logged in Matrix users should be - # invited to private chats when the user sends a message from another client. - invite_own_puppet_to_pm: false - # Whether or not to use /sync to get presence, read receipts and typing notifications when using - # your own Matrix account as the Matrix puppet for your Hangouts account. - sync_with_custom_puppets: true - # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth - # - # If set, custom puppets will be enabled automatically for local users - # instead of users having to find an access token and run `login-matrix` - # manually. - login_shared_secret: {{ matrix_mautrix_hangouts_login_shared_secret|to_json }} - # Whether or not to update avatars when syncing all contacts at startup. - update_avatar_initial_sync: true - # End-to-bridge encryption support options. These require matrix-nio to be installed with pip - # and login_shared_secret to be configured in order to get a device for the bridge bot. - # - # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal - # application service. - encryption: - # Allow encryption, work in group chat rooms with e2ee enabled - allow: false - # Default to encryption, force-enable encryption in all portals the bridge creates - # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false - - # Public website and API configs - web: - # Auth server config - auth: - # Publicly accessible base URL for the login endpoints. - # The prefix below is not implicitly added. This URL and all subpaths should be proxied - # or otherwise pointed to the appservice's webserver to the path specified below (prefix). - # This path should usually include a trailing slash. - # Internal prefix in the appservice web server for the login endpoints. - public: "{{ matrix_homeserver_url }}{{ matrix_mautrix_hangouts_public_endpoint }}/login" - prefix: "{{ matrix_mautrix_hangouts_public_endpoint }}/login" - - - # Permissions for using the bridge. - # Permitted values: - # user - Use the bridge with puppeting. - # admin - Use and administrate the bridge. - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - permissions: - '{{ matrix_mautrix_hangouts_homeserver_domain }}': user - - # Python logging configuration. - # - # See section 16.7.2 of the Python documentation for more info: - # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema - logging: - version: 1 - formatters: - colored: - (): mautrix_hangouts.util.ColorFormatter - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - normal: - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - handlers: - console: - class: logging.StreamHandler - formatter: colored - loggers: - mau: - level: DEBUG - hangups: - level: DEBUG - aiohttp: - level: INFO - root: - level: DEBUG - handlers: [console] +matrix_mautrix_hangouts_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_mautrix_hangouts_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 new file mode 100644 index 00000000..f274b203 --- /dev/null +++ b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 @@ -0,0 +1,145 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_hangouts_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_hangouts_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_hangouts_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are fully supported. + # Other DBMSes supported by SQLAlchemy may or may not work. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:////data/mautrix-hangouts.db + + # The unique ID of this appservice. + id: hangouts + # Username of the appservice bot. + bot_username: hangoutsbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Hangouts bridge bot + bot_avatar: mxc://maunium.net/FBXZnpfORkBEruORbikmleAy + + # Authentication tokens for AS <-> HS communication. + as_token: "{{ matrix_mautrix_hangouts_appservice_token }}" + hs_token: "{{ matrix_mautrix_hangouts_homeserver_token }}" + +# Bridge config +bridge: + # Localpart template of MXIDs for Hangouts users. + # {userid} is replaced with the user ID of the Hangouts user. + username_template: "hangouts_{userid}" + # Displayname template for Hangouts users. + # {displayname} is replaced with the display name of the Hangouts user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: '{full_name} (Hangouts)' + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + # "nickname" + # "own_nickname" (user-specific!) + displayname_preference: + - name + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!HO" + + # Number of chats to sync (and create portals for) on startup/login. + # Maximum 20, set 0 to disable automatic syncing. + initial_chat_sync: 20 + # Whether or not the Hangouts users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. + invite_own_puppet_to_pm: false + # Whether or not to use /sync to get presence, read receipts and typing notifications when using + # your own Matrix account as the Matrix puppet for your Hangouts account. + sync_with_custom_puppets: true + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret: {{ matrix_mautrix_hangouts_login_shared_secret|to_json }} + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + + # Public website and API configs + web: + # Auth server config + auth: + # Publicly accessible base URL for the login endpoints. + # The prefix below is not implicitly added. This URL and all subpaths should be proxied + # or otherwise pointed to the appservice's webserver to the path specified below (prefix). + # This path should usually include a trailing slash. + # Internal prefix in the appservice web server for the login endpoints. + public: "{{ matrix_homeserver_url }}{{ matrix_mautrix_hangouts_public_endpoint }}/login" + prefix: "{{ matrix_mautrix_hangouts_public_endpoint }}/login" + + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '{{ matrix_mautrix_hangouts_homeserver_domain }}': user + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_hangouts.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + hangups: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 1e77eb02..d3990b68 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -51,405 +51,7 @@ matrix_mautrix_telegram_login_shared_secret: '' # # For a more advanced customization, you can extend the default (see `matrix_mautrix_telegram_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mautrix_telegram_configuration_yaml: | - #jinja2: lstrip_blocks: "True" - # Homeserver details - homeserver: - # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_telegram_homeserver_address }} - # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_telegram_homeserver_domain }} - # Whether or not to verify the SSL certificate of the homeserver. - # Only applies if address starts with https:// - verify_ssl: true - - # Application service host/registration related details - # Changing these values requires regeneration of the registration. - appservice: - # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_telegram_appservice_address }} - - # The hostname and port where this appservice should listen. - hostname: 0.0.0.0 - port: 8080 - # The maximum body size of appservice API requests (from the homeserver) in mebibytes - # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s - max_body_size: 1 - - # The full URI to the database. SQLite and Postgres are fully supported. - # Other DBMSes supported by SQLAlchemy may or may not work. - # Format examples: - # SQLite: sqlite:///filename.db - # Postgres: postgres://username:password@hostname/dbname - database: sqlite:////data/mautrix-telegram.db - - # Public part of web server for out-of-Matrix interaction with the bridge. - # Used for things like login if the user wants to make sure the 2FA password isn't stored in - # the HS database. - public: - # Whether or not the public-facing endpoints should be enabled. - enabled: true - # The prefix to use in the public-facing endpoints. - prefix: {{ matrix_mautrix_telegram_public_endpoint }} - # The base URL where the public-facing endpoints are available. The prefix is not added - # implicitly. - external: {{ matrix_mautrix_telegram_appservice_public_external }} - - # Provisioning API part of the web server for automated portal creation and fetching information. - # Used by things like Dimension (https://dimension.t2bot.io/). - provisioning: - # Whether or not the provisioning API should be enabled. - enabled: false - # The prefix to use in the provisioning API endpoints. - prefix: /_matrix/provision/v1 - # The shared secret to authorize users of the API. - # Set to "generate" to generate and save a new token. - shared_secret: generate - - # The unique ID of this appservice. - id: telegram - # Username of the appservice bot. - bot_username: telegrambot - # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty - # to leave display name/avatar as-is. - bot_displayname: Telegram bridge bot - bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX - - # Authentication tokens for AS <-> HS communication. - as_token: "{{ matrix_mautrix_telegram_appservice_token }}" - hs_token: "{{ matrix_mautrix_telegram_homeserver_token }}" - - # Bridge config - bridge: - # Localpart template of MXIDs for Telegram users. - # {userid} is replaced with the user ID of the Telegram user. - username_template: "telegram_{userid}" - # Localpart template of room aliases for Telegram portal rooms. - # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} ) - alias_template: "telegram_{groupname}" - # Displayname template for Telegram users. - # {displayname} is replaced with the display name of the Telegram user. - displayname_template: "{displayname} (Telegram)" - - # Set the preferred order of user identifiers which to use in the Matrix puppet display name. - # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user - # ID is used. - # - # If the bridge is working properly, a phone number or an username should always be known, but - # the other one can very well be empty. - # - # Valid keys: - # "full name" (First and/or last name) - # "full name reversed" (Last and/or first name) - # "first name" - # "last name" - # "username" - # "phone number" - displayname_preference: - - full name - - username - - phone number - # Maximum length of displayname - displayname_max_length: 100 - - # Maximum number of members to sync per portal when starting up. Other members will be - # synced when they send messages. The maximum is 10000, after which the Telegram server - # will not send any more members. - # Defaults to no local limit (-> limited to 10000 by server) - max_initial_member_sync: -1 - # Whether or not to sync the member list in channels. - # If no channel admins have logged into the bridge, the bridge won't be able to sync the member - # list regardless of this setting. - sync_channel_members: true - # Whether or not to skip deleted members when syncing members. - skip_deleted_members: true - # Whether or not to automatically synchronize contacts and chats of Matrix users logged into - # their Telegram account at startup. - startup_sync: true - # Number of most recently active dialogs to check when syncing chats. - # Dialogs include groups and private chats, but only groups are synced. - # Set to 0 to remove limit. - sync_dialog_limit: 30 - # Whether or not to sync and create portals for direct chats at startup. - sync_direct_chats: false - # The maximum number of simultaneous Telegram deletions to handle. - # A large number of simultaneous redactions could put strain on your homeserver. - max_telegram_delete: 10 - # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames) - # at startup and when creating a bridge. - sync_matrix_state: true - # Allow logging in within Matrix. If false, the only way to log in is using the out-of-Matrix - # login website (see appservice.public config section) - allow_matrix_login: true - # Whether or not to bridge plaintext highlights. - # Only enable this if your displayname_template has some static part that the bridge can use to - # reliably identify what is a plaintext highlight. - plaintext_highlights: false - # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix. - public_portals: true - # Whether or not to use /sync to get presence, read receipts and typing notifications when using - # your own Matrix account as the Matrix puppet for your Telegram account. - sync_with_custom_puppets: true - # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth - # - # If set, custom puppets will be enabled automatically for local users - # instead of users having to find an access token and run `login-matrix` - # manually. - login_shared_secret: {{ matrix_mautrix_telegram_login_shared_secret|to_json }} - # Set to false to disable link previews in messages sent to Telegram. - telegram_link_preview: true - # Use inline images instead of a separate message for the caption. - # N.B. Inline images are not supported on all clients (e.g. Riot iOS). - inline_images: false - # Maximum size of image in megabytes before sending to Telegram as a document. - image_as_file_size: 10 - # Maximum size of Telegram documents in megabytes to bridge. - max_document_size: 100 - # Enable experimental parallel file transfer, which makes uploads/downloads much faster by - # streaming from/to Matrix and using many connections for Telegram. - # Note that generating HQ thumbnails for videos is not possible with streamed transfers. - parallel_file_transfer: false - # Whether or not created rooms should have federation enabled. - # If false, created portal rooms will never be federated. - federate_rooms: true - # Settings for converting animated stickers. - animated_sticker: - # Format to which animated stickers should be converted. - # disable - No conversion, send as-is (gzipped lottie) - # png - converts to non-animated png (fastest), - # gif - converts to animated gif, but loses transparency - # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support - target: gif - # Arguments for converter. All converters take width and height. - # GIF converter takes background as a hex color. - args: - width: 256 - height: 256 - background: "020202" # only for gif - fps: 30 # only for webm - # End-to-bridge encryption support options. These require matrix-nio to be installed with pip - # and login_shared_secret to be configured in order to get a device for the bridge bot. - # - # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal - # application service. - encryption: - # Allow encryption, work in group chat rooms with e2ee enabled - allow: false - # Default to encryption, force-enable encryption in all portals the bridge creates - # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: false - - # Overrides for base power levels. - initial_power_level_overrides: - user: {} - group: {} - - # Whether to bridge Telegram bot messages as m.notices or m.texts. - bot_messages_as_notices: true - bridge_notices: - # Whether or not Matrix bot messages (type m.notice) should be bridged. - default: false - # List of user IDs for whom the previous flag is flipped. - # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but - # notices from users listed here will be bridged. - exceptions: [] - - # Some config options related to Telegram message deduplication. - # The default values are usually fine, but some debug messages/warnings might recommend you - # change these. - deduplication: - # Whether or not to check the database if the message about to be sent is a duplicate. - pre_db_check: false - # The number of latest events to keep when checking for duplicates. - # You might need to increase this on high-traffic bridge instances. - cache_queue_length: 20 - - - # The formats to use when sending messages to Telegram via the relay bot. - # - # Telegram doesn't have built-in emotes, so the m.emote format is also used for non-relaybot users. - # - # Available variables: - # $sender_displayname - The display name of the sender (e.g. Example User) - # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) - # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com) - # $message - The message content as HTML - message_formats: - m.text: "$sender_displayname: $message" - m.notice: "$sender_displayname: $message" - m.emote: "* $sender_displayname $message" - m.file: "$sender_displayname sent a file: $message" - m.image: "$sender_displayname sent an image: $message" - m.audio: "$sender_displayname sent an audio file: $message" - m.video: "$sender_displayname sent a video: $message" - m.location: "$sender_displayname sent a location: $message" - # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated - # users are sent to telegram. All fields in message_formats are supported. Additionally, the - # Telegram user info is available in the following variables: - # $displayname - Telegram displayname - # $username - Telegram username (may not exist) - # $mention - Telegram @username or displayname mention (depending on which exists) - emote_format: "* $mention $formatted_body" - - # The formats to use when sending state events to Telegram via the relay bot. - # - # Variables from `message_formats` that have the `sender_` prefix are available without the prefix. - # In name_change events, `$prev_displayname` is the previous displayname. - # - # Set format to an empty string to disable the messages for that event. - state_event_formats: - join: "$displayname joined the room." - leave: "$displayname left the room." - name_change: "$prev_displayname changed their name to $displayname" - - # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and - # `filter-mode` management commands. - # - # Filters do not affect direct chats. - # An empty blacklist will essentially disable the filter. - filter: - # Filter mode to use. Either "blacklist" or "whitelist". - # If the mode is "blacklist", the listed chats will never be bridged. - # If the mode is "whitelist", only the listed chats can be bridged. - mode: blacklist - # The list of group/channel IDs to filter. - list: [] - - # The prefix for commands. Only required in non-management rooms. - command_prefix: "!tg" - - # Permissions for using the bridge. - # Permitted values: - # relaybot - Only use the bridge via the relaybot, no access to commands. - # user - Relaybot level + access to commands to create bridges. - # puppeting - User level + logging in with a Telegram account. - # full - Full access to use the bridge, i.e. previous levels + Matrix login. - # admin - Full access to use the bridge and some extra administration commands. - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - permissions: - '{{ matrix_mautrix_telegram_homeserver_domain }}': full - - # Options related to the message relay Telegram bot. - relaybot: - private_chat: - # List of users to invite to the portal when someone starts a private chat with the bot. - # If empty, private chats with the bot won't create a portal. - invite: [] - # Whether or not to bridge state change messages in relaybot private chats. - state_changes: true - # When private_chat_invite is empty, this message is sent to users /starting the - # relaybot. Telegram's "markdown" is supported. - message: This is a Matrix bridge relaybot and does not support direct chats - # List of users to invite to all group chat portals created by the bridge. - group_chat_invite: [] - # Whether or not the relaybot should not bridge events in unbridged group chats. - # If false, portals will be created when the relaybot receives messages, just like normal - # users. This behavior is usually not desirable, as it interferes with manually bridging - # the chat to another room. - ignore_unbridged_group_chat: true - # Whether or not to allow creating portals from Telegram. - authless_portals: true - # Whether or not to allow Telegram group admins to use the bot commands. - whitelist_group_admins: true - # Whether or not to ignore incoming events sent by the relay bot. - ignore_own_incoming_events: true - # List of usernames/user IDs who are also allowed to use the bot commands. - whitelist: [] - - # Telegram config - telegram: - # Get your own API keys at https://my.telegram.org/apps - api_id: {{ matrix_mautrix_telegram_api_id }} - api_hash: {{ matrix_mautrix_telegram_api_hash }} - # (Optional) Create your own bot at https://t.me/BotFather - bot_token: {{ matrix_mautrix_telegram_bot_token }} - - # Telethon connection options. - connection: - # The timeout in seconds to be used when connecting. - timeout: 120 - # How many times the reconnection should retry, either on the initial connection or when - # Telegram disconnects us. May be set to a negative or null value for infinite retries, but - # this is not recommended, since the program can get stuck in an infinite loop. - retries: 5 - # The delay in seconds to sleep between automatic reconnections. - retry_delay: 1 - # The threshold below which the library should automatically sleep on flood wait errors - # (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold - # is 20s, the library will sleep automatically. If the error was for 21s, it would raise - # the error instead. Values larger than a day (86400) will be changed to a day. - flood_sleep_threshold: 60 - # How many times a request should be retried. Request are retried when Telegram is having - # internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when - # there's a migrate error. May take a negative or null value for infinite retries, but this - # is not recommended, since some requests can always trigger a call fail (such as searching - # for messages). - request_retries: 5 - - # Device info sent to Telegram. - device_info: - # "auto" = OS name+version. - device_model: auto - # "auto" = Telethon version. - system_version: auto - # "auto" = mautrix-telegram version. - app_version: auto - lang_code: en - system_lang_code: en - - # Custom server to connect to. - server: - # Set to true to use these server settings. If false, will automatically - # use production server assigned by Telegram. Set to false in production. - enabled: false - # The DC ID to connect to. - dc: 2 - # The IP to connect to. - ip: 149.154.167.40 - # The port to connect to. 443 may not work, 80 is better and both are equally secure. - port: 80 - - # Telethon proxy configuration. - # You must install PySocks from pip for proxies to work. - proxy: - # Allowed types: disabled, socks4, socks5, http - type: disabled - # Proxy IP address and port. - address: 127.0.0.1 - port: 1080 - # Whether or not to perform DNS resolving remotely. - rdns: true - # Proxy authentication (optional). - username: "" - password: "" - - # Python logging configuration. - # - # See section 16.7.2 of the Python documentation for more info: - # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema - logging: - version: 1 - formatters: - precise: - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - handlers: - console: - class: logging.StreamHandler - formatter: precise - loggers: - mau: - level: DEBUG - telethon: - level: DEBUG - aiohttp: - level: INFO - root: - level: DEBUG - handlers: [console] - +matrix_mautrix_telegram_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_mautrix_telegram_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 new file mode 100644 index 00000000..2a5b5785 --- /dev/null +++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 @@ -0,0 +1,397 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_telegram_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_telegram_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_telegram_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are fully supported. + # Other DBMSes supported by SQLAlchemy may or may not work. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname + database: sqlite:////data/mautrix-telegram.db + + # Public part of web server for out-of-Matrix interaction with the bridge. + # Used for things like login if the user wants to make sure the 2FA password isn't stored in + # the HS database. + public: + # Whether or not the public-facing endpoints should be enabled. + enabled: true + # The prefix to use in the public-facing endpoints. + prefix: {{ matrix_mautrix_telegram_public_endpoint }} + # The base URL where the public-facing endpoints are available. The prefix is not added + # implicitly. + external: {{ matrix_mautrix_telegram_appservice_public_external }} + + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like Dimension (https://dimension.t2bot.io/). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: false + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + + # The unique ID of this appservice. + id: telegram + # Username of the appservice bot. + bot_username: telegrambot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Telegram bridge bot + bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX + + # Authentication tokens for AS <-> HS communication. + as_token: "{{ matrix_mautrix_telegram_appservice_token }}" + hs_token: "{{ matrix_mautrix_telegram_homeserver_token }}" + +# Bridge config +bridge: + # Localpart template of MXIDs for Telegram users. + # {userid} is replaced with the user ID of the Telegram user. + username_template: "telegram_{userid}" + # Localpart template of room aliases for Telegram portal rooms. + # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} ) + alias_template: "telegram_{groupname}" + # Displayname template for Telegram users. + # {displayname} is replaced with the display name of the Telegram user. + displayname_template: "{displayname} (Telegram)" + + # Set the preferred order of user identifiers which to use in the Matrix puppet display name. + # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user + # ID is used. + # + # If the bridge is working properly, a phone number or an username should always be known, but + # the other one can very well be empty. + # + # Valid keys: + # "full name" (First and/or last name) + # "full name reversed" (Last and/or first name) + # "first name" + # "last name" + # "username" + # "phone number" + displayname_preference: + - full name + - username + - phone number + # Maximum length of displayname + displayname_max_length: 100 + + # Maximum number of members to sync per portal when starting up. Other members will be + # synced when they send messages. The maximum is 10000, after which the Telegram server + # will not send any more members. + # Defaults to no local limit (-> limited to 10000 by server) + max_initial_member_sync: -1 + # Whether or not to sync the member list in channels. + # If no channel admins have logged into the bridge, the bridge won't be able to sync the member + # list regardless of this setting. + sync_channel_members: true + # Whether or not to skip deleted members when syncing members. + skip_deleted_members: true + # Whether or not to automatically synchronize contacts and chats of Matrix users logged into + # their Telegram account at startup. + startup_sync: true + # Number of most recently active dialogs to check when syncing chats. + # Dialogs include groups and private chats, but only groups are synced. + # Set to 0 to remove limit. + sync_dialog_limit: 30 + # Whether or not to sync and create portals for direct chats at startup. + sync_direct_chats: false + # The maximum number of simultaneous Telegram deletions to handle. + # A large number of simultaneous redactions could put strain on your homeserver. + max_telegram_delete: 10 + # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames) + # at startup and when creating a bridge. + sync_matrix_state: true + # Allow logging in within Matrix. If false, the only way to log in is using the out-of-Matrix + # login website (see appservice.public config section) + allow_matrix_login: true + # Whether or not to bridge plaintext highlights. + # Only enable this if your displayname_template has some static part that the bridge can use to + # reliably identify what is a plaintext highlight. + plaintext_highlights: false + # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix. + public_portals: true + # Whether or not to use /sync to get presence, read receipts and typing notifications when using + # your own Matrix account as the Matrix puppet for your Telegram account. + sync_with_custom_puppets: true + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret: {{ matrix_mautrix_telegram_login_shared_secret|to_json }} + # Set to false to disable link previews in messages sent to Telegram. + telegram_link_preview: true + # Use inline images instead of a separate message for the caption. + # N.B. Inline images are not supported on all clients (e.g. Riot iOS). + inline_images: false + # Maximum size of image in megabytes before sending to Telegram as a document. + image_as_file_size: 10 + # Maximum size of Telegram documents in megabytes to bridge. + max_document_size: 100 + # Enable experimental parallel file transfer, which makes uploads/downloads much faster by + # streaming from/to Matrix and using many connections for Telegram. + # Note that generating HQ thumbnails for videos is not possible with streamed transfers. + parallel_file_transfer: false + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Settings for converting animated stickers. + animated_sticker: + # Format to which animated stickers should be converted. + # disable - No conversion, send as-is (gzipped lottie) + # png - converts to non-animated png (fastest), + # gif - converts to animated gif, but loses transparency + # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support + target: gif + # Arguments for converter. All converters take width and height. + # GIF converter takes background as a hex color. + args: + width: 256 + height: 256 + background: "020202" # only for gif + fps: 30 # only for webm + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + + # Overrides for base power levels. + initial_power_level_overrides: + user: {} + group: {} + + # Whether to bridge Telegram bot messages as m.notices or m.texts. + bot_messages_as_notices: true + bridge_notices: + # Whether or not Matrix bot messages (type m.notice) should be bridged. + default: false + # List of user IDs for whom the previous flag is flipped. + # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but + # notices from users listed here will be bridged. + exceptions: [] + + # Some config options related to Telegram message deduplication. + # The default values are usually fine, but some debug messages/warnings might recommend you + # change these. + deduplication: + # Whether or not to check the database if the message about to be sent is a duplicate. + pre_db_check: false + # The number of latest events to keep when checking for duplicates. + # You might need to increase this on high-traffic bridge instances. + cache_queue_length: 20 + + + # The formats to use when sending messages to Telegram via the relay bot. + # + # Telegram doesn't have built-in emotes, so the m.emote format is also used for non-relaybot users. + # + # Available variables: + # $sender_displayname - The display name of the sender (e.g. Example User) + # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) + # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com) + # $message - The message content as HTML + message_formats: + m.text: "$sender_displayname: $message" + m.notice: "$sender_displayname: $message" + m.emote: "* $sender_displayname $message" + m.file: "$sender_displayname sent a file: $message" + m.image: "$sender_displayname sent an image: $message" + m.audio: "$sender_displayname sent an audio file: $message" + m.video: "$sender_displayname sent a video: $message" + m.location: "$sender_displayname sent a location: $message" + # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated + # users are sent to telegram. All fields in message_formats are supported. Additionally, the + # Telegram user info is available in the following variables: + # $displayname - Telegram displayname + # $username - Telegram username (may not exist) + # $mention - Telegram @username or displayname mention (depending on which exists) + emote_format: "* $mention $formatted_body" + + # The formats to use when sending state events to Telegram via the relay bot. + # + # Variables from `message_formats` that have the `sender_` prefix are available without the prefix. + # In name_change events, `$prev_displayname` is the previous displayname. + # + # Set format to an empty string to disable the messages for that event. + state_event_formats: + join: "$displayname joined the room." + leave: "$displayname left the room." + name_change: "$prev_displayname changed their name to $displayname" + + # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and + # `filter-mode` management commands. + # + # Filters do not affect direct chats. + # An empty blacklist will essentially disable the filter. + filter: + # Filter mode to use. Either "blacklist" or "whitelist". + # If the mode is "blacklist", the listed chats will never be bridged. + # If the mode is "whitelist", only the listed chats can be bridged. + mode: blacklist + # The list of group/channel IDs to filter. + list: [] + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!tg" + + # Permissions for using the bridge. + # Permitted values: + # relaybot - Only use the bridge via the relaybot, no access to commands. + # user - Relaybot level + access to commands to create bridges. + # puppeting - User level + logging in with a Telegram account. + # full - Full access to use the bridge, i.e. previous levels + Matrix login. + # admin - Full access to use the bridge and some extra administration commands. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + '{{ matrix_mautrix_telegram_homeserver_domain }}': full + + # Options related to the message relay Telegram bot. + relaybot: + private_chat: + # List of users to invite to the portal when someone starts a private chat with the bot. + # If empty, private chats with the bot won't create a portal. + invite: [] + # Whether or not to bridge state change messages in relaybot private chats. + state_changes: true + # When private_chat_invite is empty, this message is sent to users /starting the + # relaybot. Telegram's "markdown" is supported. + message: This is a Matrix bridge relaybot and does not support direct chats + # List of users to invite to all group chat portals created by the bridge. + group_chat_invite: [] + # Whether or not the relaybot should not bridge events in unbridged group chats. + # If false, portals will be created when the relaybot receives messages, just like normal + # users. This behavior is usually not desirable, as it interferes with manually bridging + # the chat to another room. + ignore_unbridged_group_chat: true + # Whether or not to allow creating portals from Telegram. + authless_portals: true + # Whether or not to allow Telegram group admins to use the bot commands. + whitelist_group_admins: true + # Whether or not to ignore incoming events sent by the relay bot. + ignore_own_incoming_events: true + # List of usernames/user IDs who are also allowed to use the bot commands. + whitelist: [] + +# Telegram config +telegram: + # Get your own API keys at https://my.telegram.org/apps + api_id: {{ matrix_mautrix_telegram_api_id }} + api_hash: {{ matrix_mautrix_telegram_api_hash }} + # (Optional) Create your own bot at https://t.me/BotFather + bot_token: {{ matrix_mautrix_telegram_bot_token }} + + # Telethon connection options. + connection: + # The timeout in seconds to be used when connecting. + timeout: 120 + # How many times the reconnection should retry, either on the initial connection or when + # Telegram disconnects us. May be set to a negative or null value for infinite retries, but + # this is not recommended, since the program can get stuck in an infinite loop. + retries: 5 + # The delay in seconds to sleep between automatic reconnections. + retry_delay: 1 + # The threshold below which the library should automatically sleep on flood wait errors + # (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold + # is 20s, the library will sleep automatically. If the error was for 21s, it would raise + # the error instead. Values larger than a day (86400) will be changed to a day. + flood_sleep_threshold: 60 + # How many times a request should be retried. Request are retried when Telegram is having + # internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when + # there's a migrate error. May take a negative or null value for infinite retries, but this + # is not recommended, since some requests can always trigger a call fail (such as searching + # for messages). + request_retries: 5 + + # Device info sent to Telegram. + device_info: + # "auto" = OS name+version. + device_model: auto + # "auto" = Telethon version. + system_version: auto + # "auto" = mautrix-telegram version. + app_version: auto + lang_code: en + system_lang_code: en + + # Custom server to connect to. + server: + # Set to true to use these server settings. If false, will automatically + # use production server assigned by Telegram. Set to false in production. + enabled: false + # The DC ID to connect to. + dc: 2 + # The IP to connect to. + ip: 149.154.167.40 + # The port to connect to. 443 may not work, 80 is better and both are equally secure. + port: 80 + + # Telethon proxy configuration. + # You must install PySocks from pip for proxies to work. + proxy: + # Allowed types: disabled, socks4, socks5, http + type: disabled + # Proxy IP address and port. + address: 127.0.0.1 + port: 1080 + # Whether or not to perform DNS resolving remotely. + rdns: true + # Proxy authentication (optional). + username: "" + password: "" + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + precise: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: precise + loggers: + mau: + level: DEBUG + telethon: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index f83c78f0..e9929f96 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -35,175 +35,7 @@ matrix_mautrix_whatsapp_login_shared_secret: '' # # For a more advanced customization, you can extend the default (see `matrix_mautrix_whatsapp_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mautrix_whatsapp_configuration_yaml: | - # Homeserver details. - homeserver: - # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_whatsapp_homeserver_address }} - # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_whatsapp_homeserver_domain }} - # Application service host/registration related details. - # Changing these values requires regeneration of the registration. - - appservice: - # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_whatsapp_appservice_address }} - - # The hostname and port where this appservice should listen. - hostname: 0.0.0.0 - port: 8080 - - # Database config. - database: - # The database type. "sqlite3" and "postgres" are supported. - type: sqlite3 - # The database URI. - # SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string - # Postgres: Connection string. For example, postgres://user:password@host/database - uri: mautrix-whatsapp.db - # Maximum number of connections. Mostly relevant for Postgres. - max_open_conns: 20 - max_idle_conns: 2 - - # Path to the Matrix room state store. - state_store_path: ./mx-state.json - - # The unique ID of this appservice. - id: whatsapp - # Appservice bot details. - bot: - # Username of the appservice bot. - username: whatsappbot - # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty - # to leave display name/avatar as-is. - displayname: WhatsApp bridge bot - avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr - - # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. - as_token: "{{ matrix_mautrix_whatsapp_appservice_token }}" - hs_token: "{{ matrix_mautrix_whatsapp_homeserver_token }}" - - # Bridge config - bridge: - # Localpart template of MXIDs for WhatsApp users. - # {{ '{{.}}' }} is replaced with the phone number of the WhatsApp user. - username_template: "{{ 'whatsapp_{{.}}' }}" - # Displayname template for WhatsApp users. - # {{ '{{.Notify'}}' }} - nickname set by the WhatsApp user - # {{ '{{.Jid}}' }} - phone number (international format) - # The following variables are also available, but will cause problems on multi-user instances: - # {{ '{{.Name}}' }} - display name from contact list - # {{ '{{.Short}}' }} - short display name from contact list - displayname_template: "{{ '{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)' }}" - # WhatsApp connection timeout in seconds. - connection_timeout: 20 - # Maximum number of times to retry connecting on connection error. - max_connection_attempts: 3 - # Number of seconds to wait between connection attempts. - # Negative numbers are exponential backoff: -connection_retry_delay + 1 + 2^attempts - connection_retry_delay: -1 - # Whether or not the bridge should send a notice to the user's management room when it retries connecting. - # If false, it will only report when it stops retrying. - report_connection_retry: true - # Maximum number of seconds to wait for chats to be sent at startup. - # If this is too low and you have lots of chats, it could cause backfilling to fail. - chat_list_wait: 30 - # Maximum number of seconds to wait to sync portals before force unlocking message processing. - # If this is too low and you have lots of chats, it could cause backfilling to fail. - portal_sync_wait: 600 - - # Whether or not to send call start/end notices to Matrix. - call_notices: - start: true - end: true - - # Number of chats to sync for new users. - initial_chat_sync_count: 10 - # Number of old messages to fill when creating new portal rooms. - initial_history_fill_count: 20 - # Maximum number of chats to sync when recovering from downtime. - # Set to -1 to sync all new chats during downtime. - recovery_chat_sync_limit: -1 - # Whether or not to sync history when recovering from downtime. - recovery_history_backfill: true - # Maximum number of seconds since last message in chat to skip - # syncing the chat in any case. This setting will take priority - # over both recovery_chat_sync_limit and initial_chat_sync_count. - # Default is 3 days = 259200 seconds - sync_max_chat_age: 259200 - - # Whether or not to sync with custom puppets to receive EDUs that - # are not normally sent to appservices. - sync_with_custom_puppets: true - # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth - # - # If set, custom puppets will be enabled automatically for local users - # instead of users having to find an access token and run `login-matrix` - # manually. - login_shared_secret: {{ matrix_mautrix_whatsapp_login_shared_secret|to_json }} - - # Whether or not to invite own WhatsApp user's Matrix puppet into private - # chat portals when backfilling if needed. - # This always uses the default puppet instead of custom puppets due to - # rate limits and timestamp massaging. - invite_own_puppet_for_backfilling: true - # Whether or not to explicitly set the avatar and room name for private - # chat portal rooms. This can be useful if the previous field works fine, - # but causes room avatar/name bugs. - private_chat_portal_meta: false - - # Allow invite permission for user. User can invite any bots to room with whatsapp - # users (private chat and groups) - allow_user_invite: false - - # The prefix for commands. Only required in non-management rooms. - command_prefix: "!wa" - - # Permissions for using the bridge. - # Permitted values: - # user - Access to use the bridge to chat with a WhatsApp account. - # admin - User level and some additional administration tools - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - permissions: - "{{ matrix_mautrix_whatsapp_homeserver_domain }}": user - - relaybot: - # Whether or not relaybot support is enabled. - enabled: false - # The management room for the bot. This is where all status notifications are posted and - # in this room, you can use `!wa ` instead of `!wa relaybot `. Omitting - # the command prefix completely like in user management rooms is not possible. - management: '!foo:example.com' - # List of users to invite to all created rooms that include the relaybot. - invites: [] - # The formats to use when sending messages to WhatsApp via the relaybot. - message_formats: - m.text: "{{ '{{ .Sender.Displayname }}' }}: {{ '{{ .Message }}' }}" - m.notice: "{{ '{{ .Sender.Displayname }}' }}:: {{ '{{ .Message }}' }}" - m.emote: "* {{ '{{ .Sender.Displayname }}' }}: {{ '{{ .Message }}' }}" - m.file: "{{ '{{ .Sender.Displayname }}' }}: sent a file" - m.image: "{{ '{{ .Sender.Displayname }}' }}: sent an image" - m.audio: "{{ '{{ .Sender.Displayname }}' }}: sent an audio file" - m.video: "{{ '{{ .Sender.Displayname }}' }}: sent a video" - m.location: "{{ '{{ .Sender.Displayname }}' }}: sent a location" - # Logging config. - logging: - # The directory for log files. Will be created if not found. - directory: ./logs - # Available variables: .Date for the file date and .Index for different log files on the same day. - file_name_format: "{{ '{{.Date}}-{{.Index}}.log' }}" - # Date format for file names in the Go time format: https://golang.org/pkg/time/#pkg-constants - file_date_format: "2006-01-02" - # Log file permissions. - file_mode: 0600 - # Timestamp format for log entries in the Go time format. - timestamp_format: "Jan _2, 2006 15:04:05" - # Minimum severity for log messages. - # Options: debug, info, warn, error, fatal - print_level: debug +matrix_mautrix_whatsapp_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_mautrix_whatsapp_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 new file mode 100644 index 00000000..a527a188 --- /dev/null +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -0,0 +1,169 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details. +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_whatsapp_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_whatsapp_homeserver_domain }} +# Application service host/registration related details. +# Changing these values requires regeneration of the registration. + +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_whatsapp_appservice_address }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 8080 + + # Database config. + database: + # The database type. "sqlite3" and "postgres" are supported. + type: sqlite3 + # The database URI. + # SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string + # Postgres: Connection string. For example, postgres://user:password@host/database + uri: mautrix-whatsapp.db + # Maximum number of connections. Mostly relevant for Postgres. + max_open_conns: 20 + max_idle_conns: 2 + + # Path to the Matrix room state store. + state_store_path: ./mx-state.json + + # The unique ID of this appservice. + id: whatsapp + # Appservice bot details. + bot: + # Username of the appservice bot. + username: whatsappbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + displayname: WhatsApp bridge bot + avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "{{ matrix_mautrix_whatsapp_appservice_token }}" + hs_token: "{{ matrix_mautrix_whatsapp_homeserver_token }}" + +# Bridge config +bridge: + # Localpart template of MXIDs for WhatsApp users. + # {{ '{{.}}' }} is replaced with the phone number of the WhatsApp user. + username_template: "{{ 'whatsapp_{{.}}' }}" + # Displayname template for WhatsApp users. + # {{ '{{.Notify'}}' }} - nickname set by the WhatsApp user + # {{ '{{.Jid}}' }} - phone number (international format) + # The following variables are also available, but will cause problems on multi-user instances: + # {{ '{{.Name}}' }} - display name from contact list + # {{ '{{.Short}}' }} - short display name from contact list + displayname_template: "{{ '{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)' }}" + # WhatsApp connection timeout in seconds. + connection_timeout: 20 + # Maximum number of times to retry connecting on connection error. + max_connection_attempts: 3 + # Number of seconds to wait between connection attempts. + # Negative numbers are exponential backoff: -connection_retry_delay + 1 + 2^attempts + connection_retry_delay: -1 + # Whether or not the bridge should send a notice to the user's management room when it retries connecting. + # If false, it will only report when it stops retrying. + report_connection_retry: true + # Maximum number of seconds to wait for chats to be sent at startup. + # If this is too low and you have lots of chats, it could cause backfilling to fail. + chat_list_wait: 30 + # Maximum number of seconds to wait to sync portals before force unlocking message processing. + # If this is too low and you have lots of chats, it could cause backfilling to fail. + portal_sync_wait: 600 + + # Whether or not to send call start/end notices to Matrix. + call_notices: + start: true + end: true + + # Number of chats to sync for new users. + initial_chat_sync_count: 10 + # Number of old messages to fill when creating new portal rooms. + initial_history_fill_count: 20 + # Maximum number of chats to sync when recovering from downtime. + # Set to -1 to sync all new chats during downtime. + recovery_chat_sync_limit: -1 + # Whether or not to sync history when recovering from downtime. + recovery_history_backfill: true + # Maximum number of seconds since last message in chat to skip + # syncing the chat in any case. This setting will take priority + # over both recovery_chat_sync_limit and initial_chat_sync_count. + # Default is 3 days = 259200 seconds + sync_max_chat_age: 259200 + + # Whether or not to sync with custom puppets to receive EDUs that + # are not normally sent to appservices. + sync_with_custom_puppets: true + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret: {{ matrix_mautrix_whatsapp_login_shared_secret|to_json }} + + # Whether or not to invite own WhatsApp user's Matrix puppet into private + # chat portals when backfilling if needed. + # This always uses the default puppet instead of custom puppets due to + # rate limits and timestamp massaging. + invite_own_puppet_for_backfilling: true + # Whether or not to explicitly set the avatar and room name for private + # chat portal rooms. This can be useful if the previous field works fine, + # but causes room avatar/name bugs. + private_chat_portal_meta: false + + # Allow invite permission for user. User can invite any bots to room with whatsapp + # users (private chat and groups) + allow_user_invite: false + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!wa" + + # Permissions for using the bridge. + # Permitted values: + # user - Access to use the bridge to chat with a WhatsApp account. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "{{ matrix_mautrix_whatsapp_homeserver_domain }}": user + + relaybot: + # Whether or not relaybot support is enabled. + enabled: false + # The management room for the bot. This is where all status notifications are posted and + # in this room, you can use `!wa ` instead of `!wa relaybot `. Omitting + # the command prefix completely like in user management rooms is not possible. + management: '!foo:example.com' + # List of users to invite to all created rooms that include the relaybot. + invites: [] + # The formats to use when sending messages to WhatsApp via the relaybot. + message_formats: + m.text: "{{ '{{ .Sender.Displayname }}' }}: {{ '{{ .Message }}' }}" + m.notice: "{{ '{{ .Sender.Displayname }}' }}:: {{ '{{ .Message }}' }}" + m.emote: "* {{ '{{ .Sender.Displayname }}' }}: {{ '{{ .Message }}' }}" + m.file: "{{ '{{ .Sender.Displayname }}' }}: sent a file" + m.image: "{{ '{{ .Sender.Displayname }}' }}: sent an image" + m.audio: "{{ '{{ .Sender.Displayname }}' }}: sent an audio file" + m.video: "{{ '{{ .Sender.Displayname }}' }}: sent a video" + m.location: "{{ '{{ .Sender.Displayname }}' }}: sent a location" +# Logging config. +logging: + # The directory for log files. Will be created if not found. + directory: ./logs + # Available variables: .Date for the file date and .Index for different log files on the same day. + file_name_format: "{{ '{{.Date}}-{{.Index}}.log' }}" + # Date format for file names in the Go time format: https://golang.org/pkg/time/#pkg-constants + file_date_format: "2006-01-02" + # Log file permissions. + file_mode: 0600 + # Timestamp format for log entries in the Go time format. + timestamp_format: "Jan _2, 2006 15:04:05" + # Minimum severity for log messages. + # Options: debug, info, warn, error, fatal + print_level: debug diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 9d80ab04..8b977acf 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -56,145 +56,7 @@ matrix_mx_puppet_skype_login_shared_secret: '' # # For a more advanced customization, you can extend the default (see `matrix_mx_puppet_skype_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mx_puppet_skype_configuration_yaml: | - #jinja2: lstrip_blocks: "True" - bridge: - # Address for the bridge to bind to; if running as a Docker container, you - # probably want 0.0.0.0 here - bindAddress: 0.0.0.0 - # Port to host the bridge on which your homeserver will connect to - port: {{ matrix_mx_puppet_skype_appservice_port }} - # Name of your homeserver - domain: {{ matrix_domain }} - # URL where the bridge can connect to your homeserver - homeserverUrl: {{ matrix_mx_puppet_skype_homeserver_address }} - # Optionally specify a different media URL used for the media store - mediaURL: https://{{ matrix_server_fqn_matrix }} - # This enabled automatic double-puppeting: - # A map for shared secrets of the homeserver URL to the shared secret - # See https://github.com/devture/matrix-synapse-shared-secret-auth - #loginSharedSecretMap: - # yourserver.com: supersecretsharedsecret - {% if matrix_mx_puppet_skype_login_shared_secret != '' %} - loginSharedSecretMap: - {{ matrix_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }} - {% endif %} - # optionally override the display name of the bridge bot - #displayname: Protocol Bot - # optionally set the avatar of the bridge bot - #avatarUrl: mxc://yourserver.com/somefile - - logging: - # Log level of console output - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - console: info - # Optionally, you can apply filters to the console logging - #console: - # level: info - # enabled: - # - Store - # disabled: - # - PresenceHandler - - # Date and time formatting - lineDateFormat: MMM-D HH:mm:ss.SSS - # Logging files - # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m - # Optionally enable/disable logging for certain modules - #disabled: - # - PresenceHandler - # - module: bot-sdk-MatrixLiteClient - # regex: /_matrix/client/r0/presence/ # this regex needs to match to disable the log - #enabled: - # - Store - - database: - # Use Postgres as a database backend - # If set, will be used instead of SQLite3 - # Connection string to connect to the Postgres instance - # with username "user", password "pass", host "localhost" and database name "dbname". - # Modify each value as necessary - #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" - # Use SQLite3 as a database backend - # The name of the database file - filename: /data/database.db - - provisioning: - # Regex of Matrix IDs allowed to use the puppet bridge - whitelist: {{ matrix_mx_puppet_skype_provisioning_whitelist|to_json }} - # Allow a specific user - #- "@user:server\\.com" - # Allow users on a specific homeserver - #- "@.*:yourserver\\.com" - # Allow anyone - #- ".*" - - # Regex of Matrix IDs forbidden from using the puppet bridge - #blacklist: - # Disallow a specific user - #- "@user:server\\.com" - # Disallow users on a specific homeserver - #- "@.*:yourserver\\.com" - blacklist: {{ matrix_mx_puppet_skype_provisioning_blacklist|to_json }} - - presence: - # Bridge online/offline status - enabled: true - # How often to send status to the homeserver in milliseconds - interval: 500 - # if the im.vector.user_status state setting should be diabled - #disableStatusState: false - # A blacklist of remote user IDs for the im.vector.user_status state setting - #statusStateBlacklist: - # - baduser - - relay: - # Regex of Matrix IDs to allow to use the relay mode - # Same format as in provisioning - #whitelist: - #- "@.*:yourserver\\.com" - whitelist: {{ matrix_mx_puppet_skype_relay_whitelist|to_json }} - - #blacklist: - #- "@user:yourserver\\.com" - blacklist: {{ matrix_mx_puppet_skype_relay_blacklist|to_json }} - - # Map certain homeserver URLs to the C-S API endpoint - # Useful for double-puppeting if .well-known is unavailable for some reason - #homeserverUrlMap: - # yourserver.com: http://localhost:1234 - - namePatterns: - # Override the protocols set default name patterns - # Which variables are available depends on protocol implementation - user: :name - room: :name - - limits: - # Up to how many users should be auto-joined on room creation? -1 to disable - # Defaults to 200 - maxAutojoinUsers: 200 - # How long the delay between two autojoin users should be, in millisectonds. - # Defaults to 5000 - roomUserAutojoinDelay: 5000 +matrix_mx_puppet_skype_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_mx_puppet_skype_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 new file mode 100644 index 00000000..c7b5c870 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 @@ -0,0 +1,138 @@ +#jinja2: lstrip_blocks: "True" +bridge: + # Address for the bridge to bind to; if running as a Docker container, you + # probably want 0.0.0.0 here + bindAddress: 0.0.0.0 + # Port to host the bridge on which your homeserver will connect to + port: {{ matrix_mx_puppet_skype_appservice_port }} + # Name of your homeserver + domain: {{ matrix_domain }} + # URL where the bridge can connect to your homeserver + homeserverUrl: {{ matrix_mx_puppet_skype_homeserver_address }} + # Optionally specify a different media URL used for the media store + mediaURL: https://{{ matrix_server_fqn_matrix }} + # This enabled automatic double-puppeting: + # A map for shared secrets of the homeserver URL to the shared secret + # See https://github.com/devture/matrix-synapse-shared-secret-auth + #loginSharedSecretMap: + # yourserver.com: supersecretsharedsecret + {% if matrix_mx_puppet_skype_login_shared_secret != '' %} + loginSharedSecretMap: + {{ matrix_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }} + {% endif %} + # optionally override the display name of the bridge bot + #displayname: Protocol Bot + # optionally set the avatar of the bridge bot + #avatarUrl: mxc://yourserver.com/somefile + +logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Optionally, you can apply filters to the console logging + #console: + # level: info + # enabled: + # - Store + # disabled: + # - PresenceHandler + + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: + # Log file path + - file: "/data/bridge.log" + # Log level for this file + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + level: info + # Date and time formatting + datePattern: YYYY-MM-DD + # Maximum number of logs to keep. + # This can be a number of files or number of days. + # If using days, add 'd' as a suffix + maxFiles: 14d + # Maximum size of the file after which it will rotate. This can be a + # number of bytes, or units of kb, mb, and gb. If using the units, add + # 'k', 'm', or 'g' as the suffix + maxSize: 50m + # Optionally enable/disable logging for certain modules + #disabled: + # - PresenceHandler + # - module: bot-sdk-MatrixLiteClient + # regex: /_matrix/client/r0/presence/ # this regex needs to match to disable the log + #enabled: + # - Store + +database: + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". + # Modify each value as necessary + #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db + +provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: {{ matrix_mx_puppet_skype_provisioning_whitelist|to_json }} + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + #- "@.*:yourserver\\.com" + # Allow anyone + #- ".*" + + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_skype_provisioning_blacklist|to_json }} + +presence: + # Bridge online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 500 + # if the im.vector.user_status state setting should be diabled + #disableStatusState: false + # A blacklist of remote user IDs for the im.vector.user_status state setting + #statusStateBlacklist: + # - baduser + +relay: + # Regex of Matrix IDs to allow to use the relay mode + # Same format as in provisioning + #whitelist: + #- "@.*:yourserver\\.com" + whitelist: {{ matrix_mx_puppet_skype_relay_whitelist|to_json }} + + #blacklist: + #- "@user:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_skype_relay_blacklist|to_json }} + +# Map certain homeserver URLs to the C-S API endpoint +# Useful for double-puppeting if .well-known is unavailable for some reason +#homeserverUrlMap: +# yourserver.com: http://localhost:1234 + +namePatterns: + # Override the protocols set default name patterns + # Which variables are available depends on protocol implementation + user: :name + room: :name + +limits: + # Up to how many users should be auto-joined on room creation? -1 to disable + # Defaults to 200 + maxAutojoinUsers: 200 + # How long the delay between two autojoin users should be, in millisectonds. + # Defaults to 5000 + roomUserAutojoinDelay: 5000 diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 083910b1..13aa5b7a 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -57,99 +57,7 @@ matrix_mx_puppet_slack_homeserver_token: '' # # For a more advanced customization, you can extend the default (see `matrix_mx_puppet_slack_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_mx_puppet_slack_configuration_yaml: | - #jinja2: lstrip_blocks: "True" - bridge: - # Port to host the bridge on - # Used for communication between the homeserver and the bridge - port: {{ matrix_mx_puppet_slack_appservice_port }} - # The host connections to the bridge's webserver are allowed from - bindAddress: 0.0.0.0 - # Public domain of the homeserver - domain: {{ matrix_mx_puppet_slack_homeserver_domain }} - # Reachable URL of the Matrix homeserver - homeserverUrl: {{ matrix_mx_puppet_slack_homeserver_address }} - - - # Slack OAuth settings. Create a slack app at https://api.slack.com/apps - oauth: - enabled: true - # Slack app credentials. - # N.B. This must be quoted so YAML wouldn't parse it as a float. - clientId: "{{ matrix_mx_puppet_slack_client_id }}" - clientSecret: {{ matrix_mx_puppet_slack_client_secret }} - # Path where to listen for OAuth redirect callbacks. - redirectPath: {{ matrix_mx_puppet_slack_redirect_path }} - # Set up proxying from https://your.domain/redirect_path to http://bindAddress:port/redirect_path, - # then set this field and the Slack app redirect URI field to the former. - redirectUri: {{ matrix_mx_puppet_slack_redirect_uri }} - - presence: - # Bridge Discord online/offline status - enabled: true - # How often to send status to the homeserver in milliseconds - interval: 500 - - provisioning: - # Regex of Matrix IDs allowed to use the puppet bridge - whitelist: {{ matrix_mx_puppet_slack_provisioning_whitelist|to_json }} - # Allow a specific user - #- "@user:server\\.com" - # Allow users on a specific homeserver - #- "@.*:yourserver\\.com" - # Allow anyone - #- ".*" - # Regex of Matrix IDs forbidden from using the puppet bridge - #blacklist: - # Disallow a specific user - #- "@user:server\\.com" - # Disallow users on a specific homeserver - #- "@.*:yourserver\\.com" - blacklist: {{ matrix_mx_puppet_slack_provisioning_blacklist|to_json }} - - # Shared secret for the provisioning API for use by integration managers. - # If this is not set, the provisioning API will not be enabled. - #sharedSecret: random string - # Path prefix for the provisioning API. /v1 will be appended to the prefix automatically. - apiPrefix: /_matrix/provision - - database: - # Use Postgres as a database backend - # If set, will be used instead of SQLite3 - # Connection string to connect to the Postgres instance - # with username "user", password "pass", host "localhost" and database name "dbname". - # Modify each value as necessary - #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" - # Use SQLite3 as a database backend - # The name of the database file - filename: /data/database.db - - logging: - # Log level of console output - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - console: info - # Date and time formatting - lineDateFormat: MMM-D HH:mm:ss.SSS - # Logging files - # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m +matrix_mx_puppet_slack_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_mx_puppet_slack_configuration_extension_yaml: | # Your custom YAML configuration goes here. diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 new file mode 100644 index 00000000..bcf4e2d1 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 @@ -0,0 +1,92 @@ +#jinja2: lstrip_blocks: "True" +bridge: + # Port to host the bridge on + # Used for communication between the homeserver and the bridge + port: {{ matrix_mx_puppet_slack_appservice_port }} + # The host connections to the bridge's webserver are allowed from + bindAddress: 0.0.0.0 + # Public domain of the homeserver + domain: {{ matrix_mx_puppet_slack_homeserver_domain }} + # Reachable URL of the Matrix homeserver + homeserverUrl: {{ matrix_mx_puppet_slack_homeserver_address }} + + +# Slack OAuth settings. Create a slack app at https://api.slack.com/apps +oauth: + enabled: true + # Slack app credentials. + # N.B. This must be quoted so YAML wouldn't parse it as a float. + clientId: "{{ matrix_mx_puppet_slack_client_id }}" + clientSecret: {{ matrix_mx_puppet_slack_client_secret }} + # Path where to listen for OAuth redirect callbacks. + redirectPath: {{ matrix_mx_puppet_slack_redirect_path }} + # Set up proxying from https://your.domain/redirect_path to http://bindAddress:port/redirect_path, + # then set this field and the Slack app redirect URI field to the former. + redirectUri: {{ matrix_mx_puppet_slack_redirect_uri }} + +presence: + # Bridge Discord online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 500 + +provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: {{ matrix_mx_puppet_slack_provisioning_whitelist|to_json }} + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + #- "@.*:yourserver\\.com" + # Allow anyone + #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_slack_provisioning_blacklist|to_json }} + + # Shared secret for the provisioning API for use by integration managers. + # If this is not set, the provisioning API will not be enabled. + #sharedSecret: random string + # Path prefix for the provisioning API. /v1 will be appended to the prefix automatically. + apiPrefix: /_matrix/provision + +database: + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". + # Modify each value as necessary + #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db + +logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: + # Log file path + - file: "/data/bridge.log" + # Log level for this file + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + level: info + # Date and time formatting + datePattern: YYYY-MM-DD + # Maximum number of logs to keep. + # This can be a number of files or number of days. + # If using days, add 'd' as a suffix + maxFiles: 14d + # Maximum size of the file after which it will rotate. This can be a + # number of bytes, or units of kb, mb, and gb. If using the units, add + # 'k', 'm', or 'g' as the suffix + maxSize: 50m diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index fafe289d..770f5bcb 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -39,89 +39,7 @@ matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:8048" # # For a more advanced customization, you can extend the default (see `matrix_dimension_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_dimension_configuration_yaml: | - #jinja2: lstrip_blocks: True - # The web settings for the service (API and UI). - # It is best to have this run on localhost and use a reverse proxy to access Dimension. - web: - port: 8184 - address: '0.0.0.0' - - # Homeserver configuration - homeserver: - # The domain name of the homeserver. This is used in many places, such as with go-neb - # setups, to identify the homeserver. - name: "{{ matrix_domain }}" - - # The URL that Dimension, go-neb, and other services provisioned by Dimension should - # use to access the homeserver with. - clientServerUrl: "http://matrix-synapse:8008" - - # The URL that Dimension should use when trying to communicate with federated APIs on - # the homeserver. If not supplied or left empty Dimension will try to resolve the address - # through the normal federation process. - federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}" - - # The URL that Dimension will redirect media requests to for downloading media such as - # stickers. If not supplied or left empty Dimension will use the clientServerUrl. - mediaUrl: "https://{{ matrix_server_fqn_matrix }}" - - # The access token Dimension should use for miscellaneous access to the homeserver. This - # should be for a user on the configured homeserver: any user will do, however it is - # recommended to use a dedicated user (such as @dimension:t2bot.io). For information on - # how to acquire an access token, visit https://t2bot.io/docs/access_tokens - accessToken: "{{ matrix_dimension_access_token }}" - - # These users can modify the integrations this Dimension supports. - # To access the admin interface, open Dimension in Riot and click the settings icon. - admins: {{ matrix_dimension_admins|to_json }} - - # IPs and CIDR ranges listed here will be blocked from being widgets. - # Note: Widgets may still be embedded with restricted content, although not through Dimension directly. - widgetBlacklist: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - - 127.0.0.0/8 - - # Where the database for Dimension is - database: - file: "dimension.db" - - # Display settings that apply to self-hosted go-neb instances - goneb: - # The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver - # is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot, - # make the bot's avatar an empty string. - avatars: - giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27" - imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513" - github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1" - wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1" - travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8" - rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3" - google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142" - guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526" - echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13" - circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee" - jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329" - - # Settings for how Dimension is represented to the public - dimension: - # This is where Dimension is accessible from clients. Be sure to set this - # to your own Dimension instance. - publicUrl: "https://{{ matrix_server_fqn_dimension }}" - - # Settings for controlling how logging works - logging: - file: /dev/null - console: true - consoleLevel: verbose - fileLevel: info - rotate: - size: 52428800 # bytes, default is 50mb - count: 5 - +matrix_dimension_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_dimension_configuration_extension_yaml: | # Your custom YAML configuration for Dimension goes here. diff --git a/roles/matrix-dimension/templates/config.yaml.j2 b/roles/matrix-dimension/templates/config.yaml.j2 new file mode 100644 index 00000000..576c4e8a --- /dev/null +++ b/roles/matrix-dimension/templates/config.yaml.j2 @@ -0,0 +1,81 @@ +#jinja2: lstrip_blocks: True +# The web settings for the service (API and UI). +# It is best to have this run on localhost and use a reverse proxy to access Dimension. +web: + port: 8184 + address: '0.0.0.0' + +# Homeserver configuration +homeserver: + # The domain name of the homeserver. This is used in many places, such as with go-neb + # setups, to identify the homeserver. + name: "{{ matrix_domain }}" + + # The URL that Dimension, go-neb, and other services provisioned by Dimension should + # use to access the homeserver with. + clientServerUrl: "http://matrix-synapse:8008" + + # The URL that Dimension should use when trying to communicate with federated APIs on + # the homeserver. If not supplied or left empty Dimension will try to resolve the address + # through the normal federation process. + federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}" + + # The URL that Dimension will redirect media requests to for downloading media such as + # stickers. If not supplied or left empty Dimension will use the clientServerUrl. + mediaUrl: "https://{{ matrix_server_fqn_matrix }}" + + # The access token Dimension should use for miscellaneous access to the homeserver. This + # should be for a user on the configured homeserver: any user will do, however it is + # recommended to use a dedicated user (such as @dimension:t2bot.io). For information on + # how to acquire an access token, visit https://t2bot.io/docs/access_tokens + accessToken: "{{ matrix_dimension_access_token }}" + +# These users can modify the integrations this Dimension supports. +# To access the admin interface, open Dimension in Riot and click the settings icon. +admins: {{ matrix_dimension_admins|to_json }} + +# IPs and CIDR ranges listed here will be blocked from being widgets. +# Note: Widgets may still be embedded with restricted content, although not through Dimension directly. +widgetBlacklist: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 127.0.0.0/8 + +# Where the database for Dimension is +database: + file: "dimension.db" + +# Display settings that apply to self-hosted go-neb instances +goneb: + # The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver + # is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot, + # make the bot's avatar an empty string. + avatars: + giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27" + imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513" + github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1" + wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1" + travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8" + rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3" + google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142" + guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526" + echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13" + circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee" + jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329" + +# Settings for how Dimension is represented to the public +dimension: + # This is where Dimension is accessible from clients. Be sure to set this + # to your own Dimension instance. + publicUrl: "https://{{ matrix_server_fqn_dimension }}" + +# Settings for controlling how logging works +logging: + file: /dev/null + console: true + consoleLevel: verbose + fileLevel: info + rotate: + size: 52428800 # bytes, default is 50mb + count: 5 diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index ff2f72d4..64cf7c9a 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -85,76 +85,7 @@ matrix_ma1sd_v2_enabled: true # # For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`) # or completely replace this variable with your own template. -matrix_ma1sd_configuration_yaml: | - #jinja2: lstrip_blocks: True - matrix: - domain: {{ matrix_domain }} - v1: {{ matrix_ma1sd_v1_enabled|to_json }} - v2: {{ matrix_ma1sd_v2_enabled|to_json }} - - server: - name: {{ matrix_server_fqn_matrix }} - - key: - path: /var/ma1sd/sign.key - - storage: - provider: - sqlite: - database: /var/ma1sd/ma1sd.db - - {% if matrix_ma1sd_dns_overwrite_enabled %} - dns: - overwrite: - homeserver: - client: - - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }} - value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }} - {% endif %} - - {% if matrix_ma1sd_matrixorg_forwarding_enabled %} - forward: - servers: ['matrix-org'] - {% endif %} - - threepid: - medium: - email: - identity: - from: {{ matrix_ma1sd_threepid_medium_email_identity_from }} - connectors: - smtp: - host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }} - port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }} - tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }} - login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }} - password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }} - {% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %} - generators: - template: - {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %} - invite: '/var/ma1sd/invite-template.eml' - {% endif %} - {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} - session: - {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %} - validation: '/var/ma1sd/validate-template.eml' - {% endif %} - {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} - unbind: - frandulent: '/var/ma1sd/unbind-fraudulent.eml' - {% endif %} - {% endif %} - {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %} - generic: - matrixId: '/var/ma1sd/mxid-template.eml' - {% endif %} - {% endif %} - - synapseSql: - enabled: {{ matrix_ma1sd_synapsesql_enabled }} - type: {{ matrix_ma1sd_synapsesql_type }} - connection: {{ matrix_ma1sd_synapsesql_connection }} +matrix_ma1sd_configuration_yaml: "{{ lookup('template', 'templates/ma1sd.yaml.j2') }}" matrix_ma1sd_configuration_extension_yaml: | # Your custom YAML configuration for ma1sd goes here. diff --git a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 new file mode 100644 index 00000000..0deef3d8 --- /dev/null +++ b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 @@ -0,0 +1,69 @@ +#jinja2: lstrip_blocks: True +matrix: + domain: {{ matrix_domain }} + v1: {{ matrix_ma1sd_v1_enabled|to_json }} + v2: {{ matrix_ma1sd_v2_enabled|to_json }} + +server: + name: {{ matrix_server_fqn_matrix }} + +key: + path: /var/ma1sd/sign.key + +storage: + provider: + sqlite: + database: /var/ma1sd/ma1sd.db + +{% if matrix_ma1sd_dns_overwrite_enabled %} +dns: + overwrite: + homeserver: + client: + - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }} + value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }} +{% endif %} + +{% if matrix_ma1sd_matrixorg_forwarding_enabled %} +forward: + servers: ['matrix-org'] +{% endif %} + +threepid: + medium: + email: + identity: + from: {{ matrix_ma1sd_threepid_medium_email_identity_from }} + connectors: + smtp: + host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }} + port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }} + tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }} + login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }} + password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }} +{% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %} + generators: + template: + {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %} + invite: '/var/ma1sd/invite-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + session: + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %} + validation: '/var/ma1sd/validate-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + unbind: + frandulent: '/var/ma1sd/unbind-fraudulent.eml' + {% endif %} + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %} + generic: + matrixId: '/var/ma1sd/mxid-template.eml' + {% endif %} +{% endif %} + +synapseSql: + enabled: {{ matrix_ma1sd_synapsesql_enabled }} + type: {{ matrix_ma1sd_synapsesql_type }} + connection: {{ matrix_ma1sd_synapsesql_connection }} From c00a7c2fe91f75340102f94de6ebb6e951d4aef9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 3 Jun 2020 09:35:31 +0300 Subject: [PATCH 1202/2384] Update mautrix-facebook configuration (invitation, backfilling support) --- .../templates/config.yaml.j2 | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index 887f3df8..d484823d 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -111,10 +111,24 @@ bridge: # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. default: false - # Whether or not the bridge should send a read receipt from the bridge bot when a message has # been sent to Facebook. delivery_receipts: false + # Whether to allow inviting arbitrary mxids to portal rooms + allow_invites: false + # Settings for backfilling messages from Facebook. + backfill: + # Whether or not the Facebook users of logged in Matrix users should be + # invited to private chats when backfilling history from Facebook. This is + # usually needed to prevent rate limits and to allow timestamp massaging. + invite_own_puppet: true + # Maximum number of messages to backfill initially. + # Set to 0 to disable backfilling when creating portal. + initial_limit: 0 + # Maximum number of messages to backfill if messages were missed while + # the bridge was disconnected. + # Set to 0 to disable backfilling missed messages. + missed_limit: 1000 # Permissions for using the bridge. # Permitted values: From 0967bc3cd9500bc75363996e0c16f09e7099201b Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Wed, 3 Jun 2020 12:03:44 +0200 Subject: [PATCH 1203/2384] added missing z flag --- .../templates/systemd/matrix-sms-bridge.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 index f0634dbe..087e678a 100644 --- a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -30,7 +30,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ -v {{ matrix_sms_bridge_config_path }}/gammu-smsdrc:/etc/gammu-smsdrc:z \ --privileged \ - -v /dev:/dev \ + -v /dev:/dev:z \ {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ {% endfor %} From 41b1925b2a20c302ff2c6b7e13858030d22fb629 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Wed, 3 Jun 2020 13:07:36 +0200 Subject: [PATCH 1204/2384] remove dev mount --- .../templates/systemd/matrix-sms-bridge.service.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 index 087e678a..6bb6449e 100644 --- a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -30,7 +30,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ -v {{ matrix_sms_bridge_config_path }}/gammu-smsdrc:/etc/gammu-smsdrc:z \ --privileged \ - -v /dev:/dev:z \ {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ {% endfor %} From 3a3b95abfc6c67457e349170c81e90f203b3cdfe Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Wed, 3 Jun 2020 13:13:25 +0200 Subject: [PATCH 1205/2384] added dev volume to find serial by id --- .../templates/systemd/matrix-sms-bridge.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 index 6bb6449e..087e678a 100644 --- a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -30,6 +30,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ -v {{ matrix_sms_bridge_config_path }}/gammu-smsdrc:/etc/gammu-smsdrc:z \ --privileged \ + -v /dev:/dev:z \ {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ {% endfor %} From b60a4ac6433cbb7467c450135511f9368e72a565 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Wed, 3 Jun 2020 14:25:23 +0200 Subject: [PATCH 1206/2384] mount as slave --- .../templates/systemd/matrix-sms-bridge.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 index 087e678a..7bf91700 100644 --- a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 @@ -30,7 +30,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ -v {{ matrix_sms_bridge_config_path }}/gammu-smsdrc:/etc/gammu-smsdrc:z \ --privileged \ - -v /dev:/dev:z \ + -v /dev:/dev:slave \ {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ {% endfor %} From 85c6befc041b7365ff1c9200a837358f706b413d Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Wed, 3 Jun 2020 20:02:37 +0200 Subject: [PATCH 1207/2384] removed unused delivery report --- roles/matrix-sms-bridge/defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-sms-bridge/defaults/main.yml index 6465a9d4..4019f7be 100644 --- a/roles/matrix-sms-bridge/defaults/main.yml +++ b/roles/matrix-sms-bridge/defaults/main.yml @@ -127,8 +127,7 @@ matrix_sms_bridge_gammu_configuration: | ResetFrequency = {{ matrix_sms_bridge_gammu_reset_frequency }} debugLevel = 1 LogFile = /data/log/smsd.log - DeliveryReport = log - DeliveryReportDelay = 7200 + DeliveryReport = no HangupCalls = 1 CheckBattery = 0 From 0fce642179c5ae876d069dac3c61c94ab6d533a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 4 Jun 2020 19:52:55 +0300 Subject: [PATCH 1208/2384] Upgrade riot-web (1.6.2 -> 1.6.3) --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 1dc1be04..04440c60 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.2" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.3" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From f68e47d3c4175b3b1ba2727ecf33326774c92ca6 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Fri, 5 Jun 2020 12:25:41 +0200 Subject: [PATCH 1209/2384] renamed role matrix-sms-bridge to matrix-bridge-sms --- ...-sms-bridge.md => configuring-playbook-matrix-bridge-sms.md} | 2 +- docs/configuring-playbook.md | 2 +- .../{matrix-sms-bridge => matrix-bridge-sms}/defaults/main.yml | 0 roles/{matrix-sms-bridge => matrix-bridge-sms}/tasks/init.yml | 0 roles/{matrix-sms-bridge => matrix-bridge-sms}/tasks/main.yml | 0 .../tasks/setup_install.yml | 0 .../tasks/setup_uninstall.yml | 0 .../tasks/validate_config.yml | 0 .../templates/systemd/matrix-sms-bridge-database.service.j2 | 0 .../templates/systemd/matrix-sms-bridge.service.j2 | 0 setup.yml | 2 +- 11 files changed, 3 insertions(+), 3 deletions(-) rename docs/{configuring-playbook-matrix-sms-bridge.md => configuring-playbook-matrix-bridge-sms.md} (96%) rename roles/{matrix-sms-bridge => matrix-bridge-sms}/defaults/main.yml (100%) rename roles/{matrix-sms-bridge => matrix-bridge-sms}/tasks/init.yml (100%) rename roles/{matrix-sms-bridge => matrix-bridge-sms}/tasks/main.yml (100%) rename roles/{matrix-sms-bridge => matrix-bridge-sms}/tasks/setup_install.yml (100%) rename roles/{matrix-sms-bridge => matrix-bridge-sms}/tasks/setup_uninstall.yml (100%) rename roles/{matrix-sms-bridge => matrix-bridge-sms}/tasks/validate_config.yml (100%) rename roles/{matrix-sms-bridge => matrix-bridge-sms}/templates/systemd/matrix-sms-bridge-database.service.j2 (100%) rename roles/{matrix-sms-bridge => matrix-bridge-sms}/templates/systemd/matrix-sms-bridge.service.j2 (100%) diff --git a/docs/configuring-playbook-matrix-sms-bridge.md b/docs/configuring-playbook-matrix-bridge-sms.md similarity index 96% rename from docs/configuring-playbook-matrix-sms-bridge.md rename to docs/configuring-playbook-matrix-bridge-sms.md index 31a85228..2809fb03 100644 --- a/docs/configuring-playbook-matrix-sms-bridge.md +++ b/docs/configuring-playbook-matrix-bridge-sms.md @@ -1,4 +1,4 @@ -# Setting up matrix-sms-bridge (optional) +# Setting up matrix-bridge-sms (optional) The playbook can install and configure [matrix-sms-brdige](https://github.com/benkuly/matrix-sms-bridge) for you. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 90771cf3..208db5bb 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -103,4 +103,4 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional) -- [Setting up Matrix SMS bridging](configuring-playbook-matrix-sms-bridge.md) (optional) +- [Setting up Matrix SMS bridging](configuring-playbook-matrix-bridge-sms.md) (optional) diff --git a/roles/matrix-sms-bridge/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml similarity index 100% rename from roles/matrix-sms-bridge/defaults/main.yml rename to roles/matrix-bridge-sms/defaults/main.yml diff --git a/roles/matrix-sms-bridge/tasks/init.yml b/roles/matrix-bridge-sms/tasks/init.yml similarity index 100% rename from roles/matrix-sms-bridge/tasks/init.yml rename to roles/matrix-bridge-sms/tasks/init.yml diff --git a/roles/matrix-sms-bridge/tasks/main.yml b/roles/matrix-bridge-sms/tasks/main.yml similarity index 100% rename from roles/matrix-sms-bridge/tasks/main.yml rename to roles/matrix-bridge-sms/tasks/main.yml diff --git a/roles/matrix-sms-bridge/tasks/setup_install.yml b/roles/matrix-bridge-sms/tasks/setup_install.yml similarity index 100% rename from roles/matrix-sms-bridge/tasks/setup_install.yml rename to roles/matrix-bridge-sms/tasks/setup_install.yml diff --git a/roles/matrix-sms-bridge/tasks/setup_uninstall.yml b/roles/matrix-bridge-sms/tasks/setup_uninstall.yml similarity index 100% rename from roles/matrix-sms-bridge/tasks/setup_uninstall.yml rename to roles/matrix-bridge-sms/tasks/setup_uninstall.yml diff --git a/roles/matrix-sms-bridge/tasks/validate_config.yml b/roles/matrix-bridge-sms/tasks/validate_config.yml similarity index 100% rename from roles/matrix-sms-bridge/tasks/validate_config.yml rename to roles/matrix-bridge-sms/tasks/validate_config.yml diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge-database.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge-database.service.j2 similarity index 100% rename from roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge-database.service.j2 rename to roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge-database.service.j2 diff --git a/roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 similarity index 100% rename from roles/matrix-sms-bridge/templates/systemd/matrix-sms-bridge.service.j2 rename to roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 diff --git a/setup.yml b/setup.yml index fc0ddc2c..4831873e 100755 --- a/setup.yml +++ b/setup.yml @@ -18,7 +18,7 @@ - matrix-bridge-mautrix-whatsapp - matrix-bridge-mx-puppet-skype - matrix-bridge-mx-puppet-slack - - matrix-sms-bridge + - matrix-bridge-sms - matrix-synapse - matrix-riot-web - matrix-jitsi From d6c44879984dc9a69e1780a35cfff4508e36e7fb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 5 Jun 2020 14:52:24 +0300 Subject: [PATCH 1210/2384] Fix some typos --- docs/configuring-playbook-matrix-bridge-sms.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-matrix-bridge-sms.md b/docs/configuring-playbook-matrix-bridge-sms.md index 2809fb03..c208bb81 100644 --- a/docs/configuring-playbook-matrix-bridge-sms.md +++ b/docs/configuring-playbook-matrix-bridge-sms.md @@ -1,7 +1,7 @@ -# Setting up matrix-bridge-sms (optional) +# Setting up matrix-sms-bridge (optional) The playbook can install and configure -[matrix-sms-brdige](https://github.com/benkuly/matrix-sms-bridge) for you. +[matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for you. See the project page to learn what it does and why it might be useful to you. From 8d786713a6b8efb998a1313ca3fd1d9401e984cc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 5 Jun 2020 15:05:48 +0300 Subject: [PATCH 1211/2384] Update changelog --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index de86333d..a3899f35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2020-06-05 + +## SMS bridging support + +Thanks to [benkuly](https://github.com/benkuly)'s efforts, the playbook now supports bridging to SMS (with one telephone number only) via [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge). + +See our [Setting up Matrix SMS bridging](docs/configuring-playbook-matrix-bridge-sms.md) documentation page for getting started. + + # 2020-05-19 ## (Compatibility Break / Security Issue) Disabling User Directory search powered by the ma1sd Identity Server From b0b744dede94da789339051615c6106a0215d583 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 5 Jun 2020 15:21:41 +0300 Subject: [PATCH 1212/2384] Add periodic reconnection configuration to mautrix-facebook bridge --- .../templates/config.yaml.j2 | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index d484823d..3c7b7e62 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -129,6 +129,16 @@ bridge: # the bridge was disconnected. # Set to 0 to disable backfilling missed messages. missed_limit: 1000 + # Interval in seconds in which to automatically reconnect all users. + # This can be used to automatically mitigate the bug where Facebook stops sending messages. + # Set to -1 to disable periodic reconnections entirely. + periodic_reconnect_interval: -1 + # What to do in periodic reconnects. Either "refresh" or "reconnect" + periodic_reconnect_mode: refresh + # The number of seconds that a disconnection can last without triggering an automatic re-sync + # and missed message backfilling when reconnecting. + # Set to 0 to always re-sync, or -1 to never re-sync automatically. + resync_max_disconnected_time: 5 # Permissions for using the bridge. # Permitted values: From 88a4a3ab55a6fbf844741daa8d36d4922f31e081 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 6 Jun 2020 08:25:27 +0300 Subject: [PATCH 1213/2384] Update components --- docs/ansible.md | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++-- roles/matrix-riot-web/defaults/main.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/ansible.md b/docs/ansible.md index 5f27a7c7..1ba430f4 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -49,7 +49,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -devture/ansible:2.9.7-r0 +devture/ansible:2.9.9-r0 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 07dd2038..ae54ea4e 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "nginx:1.17.10-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.19.0-alpine" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" @@ -220,7 +220,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.4.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.5.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 04440c60..700e0ec3 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.3" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.4" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From e4edfd5b1254ebc76ce826c726cb8ae35922b773 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 6 Jun 2020 08:47:56 +0300 Subject: [PATCH 1214/2384] Remove now-unnecessary /dev/null hacks from riot-web `/etc/nginx/conf.d/default.conf` was previously causing some issues when used with our `--user`. It's not the case anymore, so we can remove it. Fixes #369 (Github Issue). --- .../matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 37aff5cd..a15cb55e 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -22,7 +22,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-riot-web \ {% endif %} --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ -v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ - -v /dev/null:/etc/nginx/conf.d/default.conf:ro \ -v {{ matrix_riot_web_data_path }}/config.json:/app/config.json:ro \ -v {{ matrix_riot_web_data_path }}/config.json:/app/config.{{ matrix_server_fqn_riot }}.json:ro \ {% if matrix_riot_web_embedded_pages_home_path is not none %} From 77fd23149bb6e4cc24cfa71eebc7a3e1b8a90bc3 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sat, 6 Jun 2020 08:28:08 +0200 Subject: [PATCH 1215/2384] added gammu hard reset for sms modem --- docs/configuring-playbook-matrix-bridge-sms.md | 3 ++- roles/matrix-bridge-sms/defaults/main.yml | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-matrix-bridge-sms.md b/docs/configuring-playbook-matrix-bridge-sms.md index 2809fb03..8a91ab93 100644 --- a/docs/configuring-playbook-matrix-bridge-sms.md +++ b/docs/configuring-playbook-matrix-bridge-sms.md @@ -18,8 +18,9 @@ matrix_sms_bridge_gammu_modem: "/dev/serial/by-id/myDeviceId" matrix_sms_bridge_database_password: "" # (optional) a room id to a default room matrix_sms_bridge_default_room: "" -# (optional) gammu reset frequency (see https://wammu.eu/docs/manual/smsd/config.html#option-ResetFrequency) +# (optional) gammu reset frequencies (see https://wammu.eu/docs/manual/smsd/config.html#option-ResetFrequency) matrix_sms_bridge_gammu_reset_frequency: 3600 +matrix_sms_bridge_gammu_hard_reset_frequency: 0 # (optional) group with unix read and write rights to modem matrix_sms_bridge_modem_group: 'dialout' ``` diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 4019f7be..77435be8 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -50,6 +50,7 @@ matrix_sms_bridge_default_room: '' matrix_sms_bridge_gammu_modem: '' matrix_sms_bridge_modem_group: 'dialout' matrix_sms_bridge_gammu_reset_frequency: 0 +matrix_sms_bridge_gammu_hard_reset_frequency: 0 matrix_sms_bridge_configuration_yaml: | @@ -125,6 +126,7 @@ matrix_sms_bridge_gammu_configuration: | OutboxFormat = detail TransmitFormat = auto ResetFrequency = {{ matrix_sms_bridge_gammu_reset_frequency }} + HardResetFrequency = {{ matrix_sms_bridge_gammu_hard_reset_frequency }} debugLevel = 1 LogFile = /data/log/smsd.log DeliveryReport = no From 331c77a6510b8b15f9d8e603c7f43e5f74ce74cd Mon Sep 17 00:00:00 2001 From: dasTholo Date: Sat, 6 Jun 2020 12:42:25 +0200 Subject: [PATCH 1216/2384] Add Docker Network for matrix-mautrix-telegram-db for Telegram Bridge with Postgress Postgres setup like matrix_mautrix_telegram_configuration_extension_yaml: | appservice: database: "postgres://XXX:XXX@matrix-postgres:5432/mxtg" will fail without the right Dockernetwork --- .../templates/systemd/matrix-mautrix-telegram.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index 2c9986b4..b0b4f643 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -17,6 +17,7 @@ ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-tel --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ -v {{ matrix_mautrix_telegram_config_path }}:/config:z \ -v {{ matrix_mautrix_telegram_data_path }}:/data:z \ {{ matrix_mautrix_telegram_docker_image }} \ From 201292cdc527eb33f4caa81c5e5ea9113a9caff4 Mon Sep 17 00:00:00 2001 From: kristbaum Date: Sun, 7 Jun 2020 19:56:12 +0200 Subject: [PATCH 1217/2384] typo --- docs/configuring-well-known.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 826a7494..21a4343e 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -136,7 +136,7 @@ backend matrix-backend reqirep ^(GET|POST|HEAD)\ /.well-known/matrix/(.*) \1\ /\2 # Rewrite redirects as ProxyPassReverse does acl response-is-redirect res.hdr(Location) -m found - rsprep ^Location:\ (http|https)://matrix.example.com\/(.*) Location:\ \1://matrix.exapmle.com/.well-known/matrix/\2 if response-is-redirect + rsprep ^Location:\ (http|https)://matrix.example.com\/(.*) Location:\ \1://matrix.example.com/.well-known/matrix/\2 if response-is-redirect ``` Make sure to: From 01138525045df9c2cafe28b281d51ed0d741f3e4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 8 Jun 2020 09:27:31 +0300 Subject: [PATCH 1218/2384] Upgrade matrix-synapse-shared-secret-auth (1.0.1 -> 1.0.2) There's no change in the source code. Just a release bump for packaing reasons. It doesn't matter much for us here, but let's be on the latest tag anyway. --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index ef8cca83..6d09add5 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -299,7 +299,7 @@ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: fals # Enable this to activate the Shared Secret Auth password provider module. # See: https://github.com/devture/matrix-synapse-shared-secret-auth matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false -matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.1/shared_secret_authenticator.py" +matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.2/shared_secret_authenticator.py" matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" # Enable this to activate LDAP password provider From 1f414a44ff65c30ab1cbb317cb0615bc7ff8d367 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 8 Jun 2020 09:37:28 +0300 Subject: [PATCH 1219/2384] Upgrade matrix-mailer --- roles/matrix-mailer/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index 8364ee2c..c1ffb0cf 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -2,7 +2,7 @@ matrix_mailer_enabled: true matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer" -matrix_mailer_docker_image: "devture/exim-relay:4.92.2-r0-0" +matrix_mailer_docker_image: "devture/exim-relay:4.93.1-r0" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" # The user/group that the container runs with. From ab32f6adf6a7473cb0fc835bce720e23bc139a4d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 8 Jun 2020 09:52:34 +0300 Subject: [PATCH 1220/2384] Add self-building support to matrix-mailer (exim-relay) --- docs/alternative-architectures.md | 6 ++--- docs/self-building.md | 1 + group_vars/matrix_servers | 4 ++- roles/matrix-mailer/defaults/main.yml | 5 ++++ roles/matrix-mailer/tasks/setup_mailer.yml | 29 +++++++++++++++++++--- 5 files changed, 37 insertions(+), 8 deletions(-) diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index 07510d8a..43c14b67 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md @@ -19,6 +19,6 @@ matrix_architecture: "arm32" This subsection is used for a reminder, how the different roles implement architecture differenes. This is **not** aimed at the users, so one does not have to do anything based on this subsection. On most roles [self-building](self-building.md) is used if the architecture is not `amd64`, however there are some special cases: -- matrix-bridge-mautrix-facebook: there is built docker image for arm64 as well, -- matrix-bridge-mautrix-hangouts: there is built docker image for arm64 as well, -- matrix-nginx-proxy: Certbot has docker image for both arm32 and arm64, however tagging is used, which requires special handling. +- `matrix-bridge-mautrix-facebook`: there is a pre-built Docker image for `arm64` as well +- `matrix-bridge-mautrix-hangouts`: there is a pre-built Docker image for `arm64` as well +- `matrix-nginx-proxy`: Certbot has a pre-built Docker image for both `arm32` and `arm64`, however tagging is used, which requires special handling. diff --git a/docs/self-building.md b/docs/self-building.md index 85d09812..e4912090 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -15,6 +15,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-riot-web` - `matrix-coturn` - `matrix-ma1sd` +- `matrix-mailer` - `matrix-mautrix-facebook` - `matrix-mautrix-hangouts` - `matrix-mx-puppet-skype` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8ff5ce96..6835c93a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -537,11 +537,13 @@ matrix_jitsi_web_stun_servers: | # ###################################################################### -# By default, this playbook sets up a postfix mailer server (running in a container). +# By default, this playbook sets up an exim mailer server (running in a container). # This is so that Synapse can send email reminders for unread messages. # Other services (like ma1sd), also use the mailer. matrix_mailer_enabled: true +matrix_mailer_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" + ###################################################################### # # /matrix-mailer diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index c1ffb0cf..0a8fd13c 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -2,6 +2,11 @@ matrix_mailer_enabled: true matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer" +matrix_mailer_container_image_self_build: false +matrix_mailer_container_image_self_build_repository_url: "https://github.com/devture/exim-relay" +matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" +matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" + matrix_mailer_docker_image: "devture/exim-relay:4.93.1-r0" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml index 6104edfe..99370638 100644 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -6,12 +6,15 @@ - name: Ensure mailer base path exists file: - path: "{{ matrix_mailer_base_path }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_mailer_enabled|bool + with_items: + - { path: "{{ matrix_mailer_base_path }}", when: true } + - { path: "{{ matrix_mailer_container_image_self_build_src_files_path }}", when: "{{ matrix_mailer_container_image_self_build }}" } + when: "matrix_mailer_enabled|bool and item.when" - name: Ensure mailer environment variables file created template: @@ -20,13 +23,31 @@ mode: 0640 when: matrix_mailer_enabled|bool -- name: Ensure mailer image is pulled +- name: Ensure exim-relay repository is present on self-build + git: + repo: "{{ matrix_mailer_container_image_self_build_repository_url }}" + dest: "{{ matrix_mailer_container_image_self_build_src_files_path }}" + version: "{{ matrix_mailer_container_image_self_build_version }}" + force: "yes" + when: "matrix_mailer_container_image_self_build|bool" + +- name: Ensure exim-relay Docker image is built + docker_image: + name: "{{ matrix_mailer_docker_image }}" + source: build + build: + dockerfile: Dockerfile + path: "{{ matrix_mailer_container_image_self_build_src_files_path }}" + pull: yes + when: "matrix_mailer_enabled|bool and matrix_mailer_container_image_self_build|bool" + +- name: Ensure exim-relay image is pulled docker_image: name: "{{ matrix_mailer_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mailer_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_docker_image_force_pull }}" - when: matrix_mailer_enabled|bool + when: "matrix_mailer_enabled|bool and not matrix_mailer_container_image_self_build|bool" - name: Ensure matrix-mailer.service installed template: From 831c3f4e6400c8d9e776a5139a21bd45de1e33d8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 9 Jun 2020 07:54:42 +0300 Subject: [PATCH 1221/2384] Fix certbot/cerbot image pulling for ARM32 and ARM64 Related to #529 (Github Issue). --- docs/alternative-architectures.md | 13 +++++++++---- group_vars/matrix_servers | 8 +++++++- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index 43c14b67..4ca9646e 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md @@ -1,22 +1,27 @@ # Alternative architectures + As stated in the [Prerequisites](prerequisites.md), currently only x86_64 is supported. However, it is possible to set the target architecture, and some tools can be built on the host or other measures can be used. To that end add the following variable to your `vars.yaml` file: -``` + +```yaml matrix_architecture: ``` + Currently supported architectures are the following: - `amd64` (the default) - `arm64` - `arm32` -so for the Raspberry Pi the following should be in your `vars.yaml` file: -``` +so for the Raspberry Pi, the following should be in your `vars.yaml` file: + +```yaml matrix_architecture: "arm32" ``` ## Implementation details -This subsection is used for a reminder, how the different roles implement architecture differenes. This is **not** aimed at the users, so one does not have to do anything based on this subsection. + +This subsection is used for a reminder, how the different roles implement architecture differences. This is **not** aimed at the users, so one does not have to do anything based on this subsection. On most roles [self-building](self-building.md) is used if the architecture is not `amd64`, however there are some special cases: - `matrix-bridge-mautrix-facebook`: there is a pre-built Docker image for `arm64` as well diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6835c93a..90c249a6 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -675,7 +675,13 @@ matrix_ssl_domains_to_obtain_certificates_for: | ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) }} -matrix_ssl_architecture: "{{ matrix_architecture }}" +matrix_ssl_architecture: "{{ + { + 'amd64': 'amd64', + 'arm32': 'arm32v6', + 'arm64': 'arm64v8', + }[matrix_architecture] +}}" ###################################################################### # From e48cfa4bccaeafb72d94315f1213ae36215f54c2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 9 Jun 2020 08:02:13 +0300 Subject: [PATCH 1222/2384] Improve documentation on joining Discord rooms --- docs/configuring-playbook-bridge-appservice-discord.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index dbd11226..96f8377e 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -23,7 +23,7 @@ matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN" 4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. 5. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`) 6. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended. -7. Join the rooms by following this syntax `#_discord_guildid_channelid` - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: `discordapp.com/channels/guild_id/channel_id` +7. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client. Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable. From 65e50205969eaf4170b37115d6845b43a806797a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 9 Jun 2020 08:12:58 +0300 Subject: [PATCH 1223/2384] Proxy other /_synapse endpoints to the client API Besides /_synapse/admin, there are other things like /_synapse/oidc, etc. We should just proxy everything. Fixes #534 (Github Issue). --- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 99662515..8fd87958 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -150,7 +150,7 @@ } {% endif %} - location /_synapse/admin { + location /_synapse { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; From 10b3ceff7229abebdd3d41fed38fefc7a64421a0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 9 Jun 2020 08:29:03 +0300 Subject: [PATCH 1224/2384] Make Matrix federation port configurable Fixes #523 (Github Issue). --- group_vars/matrix_servers | 4 +++- roles/matrix-base/defaults/main.yml | 2 ++ .../templates/static-files/well-known/matrix-server.j2 | 2 +- roles/matrix-synapse/tasks/self_check_federation_api.yml | 2 +- roles/matrix-synapse/vars/main.yml | 2 +- 5 files changed, 8 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 90c249a6..ff69cd8f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -638,6 +638,8 @@ matrix_nginx_proxy_proxy_matrix_federation_api_enabled: true matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:8048" +matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}" + matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" @@ -788,7 +790,7 @@ matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8048' }}" # # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. -matrix_synapse_container_federation_api_tls_host_bind_port: "{{ '8448' if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" +matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" # # For exposing the Synapse Metrics API's port (plain HTTP) to the local host. matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (matrix_synapse_metrics_enabled and not matrix_nginx_proxy_enabled) else '' }}" diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 1aa09800..76c363e4 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -21,6 +21,8 @@ matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" # This is where you access Jitsi. matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" +matrix_federation_public_port: 8448 + matrix_user_username: "matrix" matrix_user_groupname: "matrix" diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 index de0f5722..8349a15c 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 @@ -1,4 +1,4 @@ #jinja2: lstrip_blocks: "True" { - "m.server": "{{ matrix_server_fqn_matrix }}:8448" + "m.server": "{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}" } diff --git a/roles/matrix-synapse/tasks/self_check_federation_api.yml b/roles/matrix-synapse/tasks/self_check_federation_api.yml index fd4b338c..2a716d6b 100644 --- a/roles/matrix-synapse/tasks/self_check_federation_api.yml +++ b/roles/matrix-synapse/tasks/self_check_federation_api.yml @@ -11,7 +11,7 @@ - name: Fail if Matrix Federation API not working fail: - msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}" + msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}" when: "matrix_synapse_enabled|bool and matrix_synapse_federation_enabled|bool and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)" - name: Fail if Matrix Federation API unexpectedly enabled diff --git a/roles/matrix-synapse/vars/main.yml b/roles/matrix-synapse/vars/main.yml index bb0a06f2..b53dceb8 100644 --- a/roles/matrix-synapse/vars/main.yml +++ b/roles/matrix-synapse/vars/main.yml @@ -3,7 +3,7 @@ matrix_synapse_id_servers_public: ['vector.im', 'matrix.org'] matrix_synapse_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" -matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:8448/_matrix/federation/v1/version" +matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" # Tells whether this role had executed or not. Toggled to `true` during runtime. matrix_synapse_role_executed: false From 440569c47b6f6f2704a23fba215882d13e470eb3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 10 Jun 2020 09:20:06 +0300 Subject: [PATCH 1225/2384] Update mautrix-facebook configuration --- .../templates/config.yaml.j2 | 25 ++++++++++++++----- 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index 3c7b7e62..7da7b588 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -129,16 +129,29 @@ bridge: # the bridge was disconnected. # Set to 0 to disable backfilling missed messages. missed_limit: 1000 - # Interval in seconds in which to automatically reconnect all users. - # This can be used to automatically mitigate the bug where Facebook stops sending messages. - # Set to -1 to disable periodic reconnections entirely. - periodic_reconnect_interval: -1 - # What to do in periodic reconnects. Either "refresh" or "reconnect" - periodic_reconnect_mode: refresh + # If using double puppeting, should notifications be disabled + # while the initial backfill is in progress? + disable_notifications: false + periodic_reconnect: + # Interval in seconds in which to automatically reconnect all users. + # This can be used to automatically mitigate the bug where Facebook stops sending messages. + # Set to -1 to disable periodic reconnections entirely. + interval: -1 + # What to do in periodic reconnects. Either "refresh" or "reconnect" + mode: refresh + # Should even disconnected users be reconnected? + always: false # The number of seconds that a disconnection can last without triggering an automatic re-sync # and missed message backfilling when reconnecting. # Set to 0 to always re-sync, or -1 to never re-sync automatically. resync_max_disconnected_time: 5 + # Whether or not temporary disconnections should send notices to the notice room. + # If this is false, disconnections will never send messages and connections will only send + # messages if it was disconnected for more than resync_max_disconnected_time seconds. + temporary_disconnect_notices: true + # Whether or not the bridge should try to "refresh" the connection if a normal reconnection + # attempt fails. + refresh_on_reconnection_fail: false # Permissions for using the bridge. # Permitted values: From d4938333e6140d19fdc577adb73b453ee043888c Mon Sep 17 00:00:00 2001 From: Hugues Morisset Date: Thu, 11 Jun 2020 11:10:13 +0200 Subject: [PATCH 1226/2384] Fix missing conf for double puppeting in mx-puppet-slack --- roles/matrix-bridge-mx-puppet-slack/defaults/main.yml | 3 +++ roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 13aa5b7a..6acfb714 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -52,6 +52,9 @@ matrix_mx_puppet_slack_systemd_wanted_services_list: [] matrix_mx_puppet_slack_appservice_token: '' matrix_mx_puppet_slack_homeserver_token: '' +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mx_puppet_slack_login_shared_secret: '' + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 index bcf4e2d1..b6e88784 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 @@ -9,6 +9,10 @@ bridge: domain: {{ matrix_mx_puppet_slack_homeserver_domain }} # Reachable URL of the Matrix homeserver homeserverUrl: {{ matrix_mx_puppet_slack_homeserver_address }} + {% if matrix_mx_puppet_slack_login_shared_secret != '' %} + loginSharedSecretMap: + {{ matrix_domain }}: {{ matrix_mx_puppet_slack_login_shared_secret }} + {% endif %} # Slack OAuth settings. Create a slack app at https://api.slack.com/apps From 6538ae34f50d056636884a6e6ea7447198702e13 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 11 Jun 2020 15:51:56 +0300 Subject: [PATCH 1227/2384] Upgrade Synapse (v1.14 -> v1.15) Fixes #539 (Github Issue). --- roles/matrix-synapse/defaults/main.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 177 +++++++++++------- 2 files changed, 111 insertions(+), 68 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 6d09add5..75357edd 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.14.0" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.15.0" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 15b06c87..93cf4396 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1199,6 +1199,13 @@ auto_join_rooms: # autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json }} +# When auto_join_rooms is specified, setting this flag to false prevents +# guest accounts from being automatically joined to the rooms. +# +# Defaults to true. +# +#auto_join_rooms_for_guests: false + ## Metrics ### @@ -1356,6 +1363,8 @@ trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }} #key_server_signing_keys_path: "key_server_signing_keys.key" +## Single sign-on integration ## + # Enable SAML2 for registration and login. Uses pysaml2. # # At least one of `sp_config` or `config_path` must be set in this section to @@ -1489,7 +1498,13 @@ saml2_config: # * HTML page to display to users if something goes wrong during the # authentication process: 'saml_error.html'. # - # This template doesn't currently need any variable to render. + # When rendering, this template is given the following variables: + # * code: an HTML error code corresponding to the error that is being + # returned (typically 400 or 500) + # + # * msg: a textual message describing the error. + # + # The variables will automatically be HTML-escaped. # # You can see the default templates at: # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates @@ -1497,92 +1512,119 @@ saml2_config: #template_dir: "res/templates" -# Enable OpenID Connect for registration and login. Uses authlib. +# OpenID Connect integration. The following settings can be used to make Synapse +# use an OpenID Connect Provider for authentication, instead of its internal +# password database. +# +# See https://github.com/matrix-org/synapse/blob/master/openid.md. # oidc_config: - # enable OpenID Connect. Defaults to false. - # - #enabled: true + # Uncomment the following to enable authorization against an OpenID Connect + # server. Defaults to false. + # + #enabled: true - # use the OIDC discovery mechanism to discover endpoints. Defaults to true. - # - #discover: true + # Uncomment the following to disable use of the OIDC discovery mechanism to + # discover endpoints. Defaults to true. + # + #discover: false - # the OIDC issuer. Used to validate tokens and discover the providers endpoints. Required. - # - #issuer: "https://accounts.example.com/" + # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to + # discover the provider's endpoints. + # + # Required if 'enabled' is true. + # + #issuer: "https://accounts.example.com/" - # oauth2 client id to use. Required. - # - #client_id: "provided-by-your-issuer" + # oauth2 client id to use. + # + # Required if 'enabled' is true. + # + #client_id: "provided-by-your-issuer" - # oauth2 client secret to use. Required. - # - #client_secret: "provided-by-your-issuer" + # oauth2 client secret to use. + # + # Required if 'enabled' is true. + # + #client_secret: "provided-by-your-issuer" - # auth method to use when exchanging the token. - # Valid values are "client_secret_basic" (default), "client_secret_post" and "none". - # - #client_auth_method: "client_secret_basic" + # auth method to use when exchanging the token. + # Valid values are 'client_secret_basic' (default), 'client_secret_post' and + # 'none'. + # + #client_auth_method: client_secret_post - # list of scopes to ask. This should include the "openid" scope. Defaults to ["openid"]. - # - #scopes: ["openid"] + # list of scopes to request. This should normally include the "openid" scope. + # Defaults to ["openid"]. + # + #scopes: ["openid", "profile"] - # the oauth2 authorization endpoint. Required if provider discovery is disabled. - # - #authorization_endpoint: "https://accounts.example.com/oauth2/auth" + # the oauth2 authorization endpoint. Required if provider discovery is disabled. + # + #authorization_endpoint: "https://accounts.example.com/oauth2/auth" - # the oauth2 token endpoint. Required if provider discovery is disabled. - # - #token_endpoint: "https://accounts.example.com/oauth2/token" + # the oauth2 token endpoint. Required if provider discovery is disabled. + # + #token_endpoint: "https://accounts.example.com/oauth2/token" - # the OIDC userinfo endpoint. Required if discovery is disabled and the "openid" scope is not asked. - # - #userinfo_endpoint: "https://accounts.example.com/userinfo" + # the OIDC userinfo endpoint. Required if discovery is disabled and the + # "openid" scope is not requested. + # + #userinfo_endpoint: "https://accounts.example.com/userinfo" - # URI where to fetch the JWKS. Required if discovery is disabled and the "openid" scope is used. - # - #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" + # URI where to fetch the JWKS. Required if discovery is disabled and the + # "openid" scope is used. + # + #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" - # skip metadata verification. Defaults to false. - # Use this if you are connecting to a provider that is not OpenID Connect compliant. - # Avoid this in production. - # - #skip_verification: false + # Uncomment to skip metadata verification. Defaults to false. + # + # Use this if you are connecting to a provider that is not OpenID Connect + # compliant. + # Avoid this in production. + # + #skip_verification: true + # An external module can be provided here as a custom solution to mapping + # attributes returned from a OIDC provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. + # + # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers + # for information on implementing a custom mapping provider. + # + #module: mapping_provider.OidcMappingProvider - # An external module can be provided here as a custom solution to mapping - # attributes returned from a OIDC provider onto a matrix user. + # Custom configuration values for the module. This section will be passed as + # a Python dictionary to the user mapping provider module's `parse_config` + # method. # - user_mapping_provider: - # The custom module's class. Uncomment to use a custom module. - # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. + # The examples below are intended for the default provider: they should be + # changed if using a custom provider. + # + config: + # name of the claim containing a unique identifier for the user. + # Defaults to `sub`, which OpenID Connect compliant providers should provide. # - #module: mapping_provider.OidcMappingProvider + #subject_claim: "sub" - # Custom configuration values for the module. Below options are intended - # for the built-in provider, they should be changed if using a custom - # module. This section will be passed as a Python dictionary to the - # module's `parse_config` method. + # Jinja2 template for the localpart of the MXID. # - # Below is the config of the default mapping provider, based on Jinja2 - # templates. Those templates are used to render user attributes, where the - # userinfo object is available through the `user` variable. + # When rendering, this template is given the following variables: + # * user: The claims returned by the UserInfo Endpoint and/or in the ID + # Token # - config: - # name of the claim containing a unique identifier for the user. - # Defaults to `sub`, which OpenID Connect compliant providers should provide. - # - #subject_claim: "sub" - - # Jinja2 template for the localpart of the MXID - # - localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" + # This must be configured if using the default mapping provider. + # + localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" - # Jinja2 template for the display name to set on first login. Optional. - # - #display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}" + # Jinja2 template for the display name to set on first login. + # + # If unset, no displayname will be set. + # + #display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}" @@ -1597,7 +1639,8 @@ oidc_config: # # name: value -# Additional settings to use with single-sign on systems such as SAML2 and CAS. +# Additional settings to use with single-sign on systems such as OpenID Connect, +# SAML2 and CAS. # sso: # A list of client URLs which are whitelisted so that the user does not From 11e53c4fbc2d93d7b7d254b58bb0b56431201a67 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Thu, 11 Jun 2020 15:37:46 +0200 Subject: [PATCH 1228/2384] add default region --- roles/matrix-bridge-sms/defaults/main.yml | 6 ++++-- roles/matrix-bridge-sms/tasks/validate_config.yml | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 77435be8..d940a2f4 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,8 +3,8 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:latest" -matrix_sms_bridge_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" +matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.2.0.RELEASE" +matrix_sms_bridge_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':0.2.0.RELEASE') }}" matrix_sms_bridge_database_docker_image: "neo4j:latest" matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" @@ -46,6 +46,7 @@ matrix_sms_bridge_homeserver_port: '8008' matrix_sms_bridge_homserver_domain: "{{ matrix_domain }}" matrix_sms_bridge_default_room: '' +matrix_sms_bridge_default_region: '' matrix_sms_bridge_gammu_modem: '' matrix_sms_bridge_modem_group: 'dialout' @@ -71,6 +72,7 @@ matrix_sms_bridge_configuration_yaml: | # (optional) SMS messages without a valid token a routed to this room. # Note that you must invite @smsbot:yourHomeServer to this room. defaultRoomId: "{{ matrix_sms_bridge_default_room }}" + defaultRegion: "{{ matrix_sms_bridge_default_region }}" provider: gammu: # (optional) default is disabled diff --git a/roles/matrix-bridge-sms/tasks/validate_config.yml b/roles/matrix-bridge-sms/tasks/validate_config.yml index 8eb7b63c..23fc8a23 100644 --- a/roles/matrix-bridge-sms/tasks/validate_config.yml +++ b/roles/matrix-bridge-sms/tasks/validate_config.yml @@ -10,3 +10,4 @@ - "matrix_sms_bridge_homeserver_token" - "matrix_sms_bridge_database_password" - "matrix_sms_bridge_gammu_modem" + - "matrix_sms_bridge_default_region" From e44cc9e2a17f8767028f0f379174577468433753 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Thu, 11 Jun 2020 16:11:24 +0200 Subject: [PATCH 1229/2384] added changelog of sms bridge --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3899f35..799ac45e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +# 2020-06-11 + +## SMS bridging requires db reset + +The current version of [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) needs you to delete the database to work as expected. Just remove `/matrix/matrix-sms-bridge/database/*`. It also adds a new requried var `matrix_sms_bridge_default_region`. + +To reuse your existing rooms, invite `@smsbot:yourServer` to the room or write a message. You are also able to use automated room creation with telephonenumers by writing `sms send -t 01749292923 "Hello World"` in a room with `@smsbot:yourServer`. See [the docs](https://github.com/benkuly/matrix-sms-bridge) for more information. + # 2020-06-05 ## SMS bridging support From a0661a60120538ba124b75742100f2e8551ec9ba Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Fri, 12 Jun 2020 08:37:08 +0200 Subject: [PATCH 1230/2384] updated sms bridge docker image --- roles/matrix-bridge-sms/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index d940a2f4..00f3255b 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,8 +3,8 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.2.0.RELEASE" -matrix_sms_bridge_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':0.2.0.RELEASE') }}" +matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.2.1.RELEASE" +matrix_sms_bridge_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':0.2.1.RELEASE') }}" matrix_sms_bridge_database_docker_image: "neo4j:latest" matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" From d49ee510350834f5f4da32234b28432b3f0194c1 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Fri, 12 Jun 2020 10:23:51 +0200 Subject: [PATCH 1231/2384] remove force pull matrix-sms-bridge docker image --- roles/matrix-bridge-sms/defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 00f3255b..a53056b7 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -4,7 +4,6 @@ matrix_sms_bridge_enabled: true matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.2.1.RELEASE" -matrix_sms_bridge_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':0.2.1.RELEASE') }}" matrix_sms_bridge_database_docker_image: "neo4j:latest" matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" From 67ab7e7a1bc4cf799822ec3065b769e77c114ef8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 13 Jun 2020 07:50:56 +0300 Subject: [PATCH 1232/2384] Preserve vars.yml on the server for easily restoring Fixes #542 (Github Issues). --- roles/matrix-base/tasks/setup_matrix_base.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 74d40d1a..64831f2a 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -10,6 +10,14 @@ with_items: - "{{ matrix_base_data_path }}" +- name: Preserve vars.yml on the server for easily restoring if it gets lost later on + copy: + src: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}/vars.yml" + dest: "{{ matrix_base_data_path }}/vars.yml" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: '0660' + # `docker_network` doesn't work as expected when the given network # is a substring of a network that already exists. # From 7729511a84d5a9538d24ed46e9a7beeef24d5c78 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 14 Jun 2020 10:00:22 +0300 Subject: [PATCH 1233/2384] Make vars.yml snapshotting optional and more configurable Certain people organize their inventory in a different way and we'd like to accommodate them. Related to #542 (Github Issue). --- roles/matrix-base/defaults/main.yml | 6 ++++++ roles/matrix-base/tasks/setup_matrix_base.yml | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 76c363e4..8a860b1e 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -59,6 +59,12 @@ matrix_riot_jitsi_preferredDomain: '' # The Docker network that all services would be put into matrix_docker_network: "matrix" +# Controls whether we'll preserve the vars.yml file on the Matrix server. +# If you have a differently organized inventory, you may wish to disable this feature, +# or to repoint `matrix_vars_yml_snapshotting_src` to the file you'd like to preserve. +matrix_vars_yml_snapshotting_enabled: true +matrix_vars_yml_snapshotting_src: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}/vars.yml" + # Controls whether a `/.well-known/matrix/server` file is generated and used at all. # # If you wish to rely on DNS SRV records only, you can disable this. diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 64831f2a..22d330f2 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -12,11 +12,12 @@ - name: Preserve vars.yml on the server for easily restoring if it gets lost later on copy: - src: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}/vars.yml" + src: "{{ matrix_vars_yml_snapshotting_src }}" dest: "{{ matrix_base_data_path }}/vars.yml" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" mode: '0660' + when: "matrix_vars_yml_snapshotting_enabled|bool" # `docker_network` doesn't work as expected when the given network # is a substring of a network that already exists. From 10bc85962e4296d706ecadc429f0cafc9793f88f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 Jun 2020 13:55:27 +0300 Subject: [PATCH 1234/2384] Upgrade Synapse (1.15.0 -> 1.15.1) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 75357edd..a03740bb 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.15.0" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.15.1" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 105b3524bb68d4f0cc88674e8b6a910df82b9827 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 Jun 2020 19:22:45 +0300 Subject: [PATCH 1235/2384] Upgrade riot-web (1.6.4 -> 1.6.5) --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 700e0ec3..3e91de12 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.4" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.5" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From d2a0ec6aa925290de3dd3da19b07d050ae9ecf6d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Jun 2020 18:03:58 +0300 Subject: [PATCH 1236/2384] Upgrade riot-web (1.6.5 -> 1.6.6) --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 3e91de12..f4f4b018 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.5" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.6" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From c341608480058c5475629f6b8c16add02000fbcc Mon Sep 17 00:00:00 2001 From: Pablo Date: Tue, 23 Jun 2020 19:22:52 -0300 Subject: [PATCH 1237/2384] Add variables to fine tune jitsi --- roles/matrix-jitsi/defaults/main.yml | 12 ++++++++ roles/matrix-jitsi/templates/web/config.js.j2 | 30 ++++++++++--------- 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 21dae448..71c90bdc 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -96,6 +96,18 @@ matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false matrix_jisti_web_interface_config_show_deep_linking_image: false +# Jitsi Fine Tune +matrix_jitsi_web_config_disable_AudioLevels: False +matrix_jitsi_web_config_enable_LayerSuspension: False +matrix_jitsi_web_config_channelLastN: -1 +matrix_jitsi_web_config_enable_Video_Constraints: False + +# This settings work if matrix_jitsi_web_config_enable_Video_Constraints: true +matrix_jitsi_web_config_aspectRatio: 16 / 9 +matrix_jitsi_web_config_height_ideal: 720 +matrix_jitsi_web_config_height_max: 720 +matrix_jitsi_web_config_height_min: 240 + matrix_jitsi_prosody_docker_image: "jitsi/prosody:stable-4548-1" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 index 7e24d30b..6417acd5 100644 --- a/roles/matrix-jitsi/templates/web/config.js.j2 +++ b/roles/matrix-jitsi/templates/web/config.js.j2 @@ -81,7 +81,7 @@ var config = { // Audio // Disable measuring of audio levels. - // disableAudioLevels: false, + disableAudioLevels: {{ matrix_jitsi_web_config_disable_AudioLevels|to_json }}, // Start the conference in audio only mode (no video is being received nor // sent). @@ -109,24 +109,25 @@ var config = { // util#browser#usesNewGumFlow. The constraints are independency from // this config's resolution value. Defaults to requesting an ideal aspect // ratio of 16:9 with an ideal resolution of 720. - // constraints: { - // video: { - // aspectRatio: 16 / 9, - // height: { - // ideal: 720, - // max: 720, - // min: 240 - // } - // } - // }, - + {% if matrix_jitsi_web_config_enable_Video_Constraints %} + constraints: { + video: { + aspectRatio: {{ matrix_jitsi_web_config_aspectRatio }}, + height: { + ideal: {{ matrix_jitsi_web_config_height_ideal|to_json }}, + max: {{ matrix_jitsi_web_config_height_max|to_json }}, + min: {{ matrix_jitsi_web_config_height_min|to_json }} + } + } + }, + {% endif %} // Enable / disable simulcast support. // disableSimulcast: false, // Enable / disable layer suspension. If enabled, endpoints whose HD // layers are not in use will be suspended (no longer sent) until they // are requested again. - // enableLayerSuspension: false, + enableLayerSuspension: {{ matrix_jitsi_web_config_enable_LayerSuspension|to_json }}, // Suspend sending video if bandwidth estimation is too low. This may cause // problems with audio playback. Disabled until these are fixed. @@ -211,7 +212,7 @@ hiddenDomain: {{ matrix_jitsi_recorder_domain|to_json }}, // Misc // Default value for the channel "last N" attribute. -1 for unlimited. - channelLastN: -1, + channelLastN: {{ matrix_jitsi_web_config_channelLastN|to_json }}, // Disables or enables RTX (RFC 4588) (defaults to false). // disableRtx: false, @@ -488,3 +489,4 @@ hiddenDomain: {{ matrix_jitsi_recorder_domain|to_json }}, }; /* eslint-enable no-unused-vars, no-var */ + From 34523476487c96ad4b2a51c4ed1e62b2b2489977 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Jun 2020 09:42:41 +0300 Subject: [PATCH 1238/2384] Suggest base domain serving in configuring-well-known.md Fixes #545 (Github Issue). --- docs/configuring-well-known.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 21a4343e..959d3506 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -48,12 +48,12 @@ If you're managing the base domain by yourself somehow, you'll need to set up se To make things easy for you to set up, this playbook generates and hosts 2 well-known files on the Matrix domain's server (e.g. `https://matrix.example.com/.well-known/matrix/server` and `https://matrix.example.com/.well-known/matrix/client`), even though this is the wrong place to host them. -You have 2 options when it comes to installing the files on the base domain's server: +You have 3 options when it comes to installing the files on the base domain's server: ### (Option 1): **Copying the files manually** to your base domain's server -**Hint**: Option 2 (below) is generally a better way to do this. Make sure to go with that one, if possible. +**Hint**: Option 2 and 3 (below) are generally a better way to do this. Make sure to go with them, if possible. All you need to do is: @@ -65,7 +65,16 @@ This is relatively easy to do and possibly your only choice if you can only host It is, however, **a little fragile**, as future updates performed by this playbook may regenerate the well-known files and you may need to notice that and copy them over again. -### (Option 2): **Setting up reverse-proxying** of the well-known files from the base domain's server to the Matrix server +### (Option 2): **Serving the base domain** from the Matrix server via the playbook + +If you don't need the base domain (e.g. `example.com`) for anything else (hosting a website, etc.), you can point it to the Matrix server's IP address and tell the playbook to configure it. + +This is the easiest way to set up well-known serving -- letting the playbook handle the whole base domain for you (including SSL certificates, etc.). However, if you need to use the base domain for other things (such as hosting some website, etc.), going with Option 1 or Option 2 might be more suitable. + +See [Serving the base domain](configuring-playbook-base-domain-serving.md) to learn how the playbook can help you set it up. + + +### (Option 3): **Setting up reverse-proxying** of the well-known files from the base domain's server to the Matrix server This option is less fragile and generally better. From d44541ff6e97b5a61f8cc316b8e385fa184277cc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Jun 2020 10:22:19 +0300 Subject: [PATCH 1239/2384] Mention matrix_synapse_allow_public_rooms_over_federation in the docs Fixes #502 (Github Issue) --- docs/configuring-playbook-federation.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/configuring-playbook-federation.md b/docs/configuring-playbook-federation.md index ad818ab2..1e4ad61e 100644 --- a/docs/configuring-playbook-federation.md +++ b/docs/configuring-playbook-federation.md @@ -17,6 +17,17 @@ matrix_synapse_federation_domain_whitelist: If you wish to disable federation, you can do that with an empty list (`[]`), or better yet by completely disabling federation (see below). +## Exposing the room directory over federation + +By default, your server's public rooms directory is not exposed to other servers via federation. + +If you wish to expose it, add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_synapse_allow_public_rooms_over_federation: true +``` + + ## Disabling federation To completely disable federation, isolating your server from the rest of the Matrix network, add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): From 5c5f1c6ab96c4af559a272e69c561b34f25f9b15 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Jun 2020 11:38:51 +0300 Subject: [PATCH 1240/2384] Add support for telling Riot to not default to E2EE Related to https://github.com/vector-im/riot-web/pull/13914 --- roles/matrix-base/defaults/main.yml | 5 +++++ .../templates/static-files/well-known/matrix-client.j2 | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 8a860b1e..3a147124 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -56,6 +56,11 @@ matrix_integration_manager_ui_url: ~ # See: https://github.com/vector-im/riot-web/blob/develop/docs/jitsi.md#configuring-riot-to-use-your-self-hosted-jitsi-server matrix_riot_jitsi_preferredDomain: '' +# Controls whether Riot should use End-to-End Encryption by default. +# Setting this to false will update `/.well-known/matrix/client` and tell Riot clients to avoid E2EE. +# See: https://github.com/vector-im/riot-web/blob/develop/docs/e2ee.md +matrix_riot_e2ee_default: true + # The Docker network that all services would be put into matrix_docker_network: "matrix" diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 index edbaa62e..a4c1c439 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -23,4 +23,9 @@ "preferredDomain": {{ matrix_riot_jitsi_preferredDomain|to_json }} } {% endif %} + {% if not matrix_riot_e2ee_default %}, + "im.vector.riot.e2ee": { + "default": false + } + {% endif %} } From 3527200ac4feaa0986d0ffec80f41afc38a60cee Mon Sep 17 00:00:00 2001 From: Justin Croonenberghs Date: Wed, 24 Jun 2020 16:34:28 -0500 Subject: [PATCH 1241/2384] Added config hint for SMS verification --- docs/configuring-playbook-ma1sd.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md index da9ff21e..8b392965 100644 --- a/docs/configuring-playbook-ma1sd.md +++ b/docs/configuring-playbook-ma1sd.md @@ -72,6 +72,20 @@ To use a more custom configuration, you can define a `matrix_ma1sd_configuration and put your configuration in it. To learn more about how to do this, refer to the information about `matrix_ma1sd_configuration_extension_yaml` in the [default variables file](../roles/matrix-ma1sd/defaults/main.yml) of the ma1sd component. +## Example: SMS verification + +If your use case requires mobile verification, it is quite simple to integrate ma1sd with Twilio, an online telephony services gateway. Their prices are reasonable for low-volume projects and integration can be done with the following configuration: + +```matrix_ma1sd_configuration_extension_yaml: | + threepid: + medium: + msisdn: + connectors: + twilio: + account_sid: '' + auth_token: '' + number: '+' +``` ## Troubleshooting From 25290f780cecc693554ff4cbb96023b4862dc041 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Jun 2020 08:22:12 +0300 Subject: [PATCH 1242/2384] Link to Twilio --- docs/configuring-playbook-ma1sd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md index 8b392965..cd61fec1 100644 --- a/docs/configuring-playbook-ma1sd.md +++ b/docs/configuring-playbook-ma1sd.md @@ -74,7 +74,7 @@ To learn more about how to do this, refer to the information about `matrix_ma1sd ## Example: SMS verification -If your use case requires mobile verification, it is quite simple to integrate ma1sd with Twilio, an online telephony services gateway. Their prices are reasonable for low-volume projects and integration can be done with the following configuration: +If your use case requires mobile verification, it is quite simple to integrate ma1sd with [Twilio](https://www.twilio.com/), an online telephony services gateway. Their prices are reasonable for low-volume projects and integration can be done with the following configuration: ```matrix_ma1sd_configuration_extension_yaml: | threepid: From 224c21878efdb24b0a9f6ff09d594673b2c044b9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Jun 2020 08:26:09 +0300 Subject: [PATCH 1243/2384] Fix code block a bit Related to #549 (Github Pull Request) --- docs/configuring-playbook-ma1sd.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md index cd61fec1..03d1ecde 100644 --- a/docs/configuring-playbook-ma1sd.md +++ b/docs/configuring-playbook-ma1sd.md @@ -76,7 +76,8 @@ To learn more about how to do this, refer to the information about `matrix_ma1sd If your use case requires mobile verification, it is quite simple to integrate ma1sd with [Twilio](https://www.twilio.com/), an online telephony services gateway. Their prices are reasonable for low-volume projects and integration can be done with the following configuration: -```matrix_ma1sd_configuration_extension_yaml: | +```yaml +matrix_ma1sd_configuration_extension_yaml: | threepid: medium: msisdn: From 69570de8a9e3e9273a147412a759d07d8b0e9e51 Mon Sep 17 00:00:00 2001 From: Pablo Date: Thu, 25 Jun 2020 11:20:40 -0300 Subject: [PATCH 1244/2384] Rename variables --- roles/matrix-jitsi/defaults/main.yml | 23 +++++++++++-------- roles/matrix-jitsi/templates/web/config.js.j2 | 15 ++++++------ 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 71c90bdc..d3ce0ac8 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -96,17 +96,20 @@ matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false matrix_jisti_web_interface_config_show_deep_linking_image: false -# Jitsi Fine Tune -matrix_jitsi_web_config_disable_AudioLevels: False -matrix_jitsi_web_config_enable_LayerSuspension: False +# Jitsi_web Fine Tune default values. +# Useful to manage bandwidth and CPU consumption in server and client side +matrix_jitsi_web_config_disableAudioLevels: false +matrix_jitsi_web_config_enableLayerSuspension: false matrix_jitsi_web_config_channelLastN: -1 -matrix_jitsi_web_config_enable_Video_Constraints: False - -# This settings work if matrix_jitsi_web_config_enable_Video_Constraints: true -matrix_jitsi_web_config_aspectRatio: 16 / 9 -matrix_jitsi_web_config_height_ideal: 720 -matrix_jitsi_web_config_height_max: 720 -matrix_jitsi_web_config_height_min: 240 +# If 'matrix_jitsi_web_config_constraints_enabled: false' +# the video constraints will be disabled and will take the default values of jitsi +matrix_jitsi_web_config_constraints_enabled: false +# This settings work if matrix_jitsi_web_config_constraints_enabled: true +# See their definitions in config.js.j2 (templates / web) +matrix_jitsi_web_config_constraints_video_aspectRatio: 16 / 9 +matrix_jitsi_web_config_constraints_video_height_ideal: 720 +matrix_jitsi_web_config_constraints_video_height_max: 720 +matrix_jitsi_web_config_constraints_video_height_min: 240 matrix_jitsi_prosody_docker_image: "jitsi/prosody:stable-4548-1" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 index 6417acd5..ad0e5410 100644 --- a/roles/matrix-jitsi/templates/web/config.js.j2 +++ b/roles/matrix-jitsi/templates/web/config.js.j2 @@ -81,7 +81,7 @@ var config = { // Audio // Disable measuring of audio levels. - disableAudioLevels: {{ matrix_jitsi_web_config_disable_AudioLevels|to_json }}, + disableAudioLevels: {{ matrix_jitsi_web_config_disableAudioLevels|to_json }}, // Start the conference in audio only mode (no video is being received nor // sent). @@ -109,14 +109,14 @@ var config = { // util#browser#usesNewGumFlow. The constraints are independency from // this config's resolution value. Defaults to requesting an ideal aspect // ratio of 16:9 with an ideal resolution of 720. - {% if matrix_jitsi_web_config_enable_Video_Constraints %} + {% if matrix_jitsi_web_config_constraints_enabled %} constraints: { video: { - aspectRatio: {{ matrix_jitsi_web_config_aspectRatio }}, + aspectRatio: {{ matrix_jitsi_web_config_constraints_video_aspectRatio }}, height: { - ideal: {{ matrix_jitsi_web_config_height_ideal|to_json }}, - max: {{ matrix_jitsi_web_config_height_max|to_json }}, - min: {{ matrix_jitsi_web_config_height_min|to_json }} + ideal: {{ matrix_jitsi_web_config_constraints_video_height_ideal|to_json }}, + max: {{ matrix_jitsi_web_config_constraints_video_height_max|to_json }}, + min: {{ matrix_jitsi_web_config_constraints_video_height_min|to_json }} } } }, @@ -127,7 +127,7 @@ var config = { // Enable / disable layer suspension. If enabled, endpoints whose HD // layers are not in use will be suspended (no longer sent) until they // are requested again. - enableLayerSuspension: {{ matrix_jitsi_web_config_enable_LayerSuspension|to_json }}, + enableLayerSuspension: {{ matrix_jitsi_web_config_enableLayerSuspension|to_json }}, // Suspend sending video if bandwidth estimation is too low. This may cause // problems with audio playback. Disabled until these are fixed. @@ -489,4 +489,3 @@ hiddenDomain: {{ matrix_jitsi_recorder_domain|to_json }}, }; /* eslint-enable no-unused-vars, no-var */ - From 671cd517973e9cb25590a195997ec39ef657d0de Mon Sep 17 00:00:00 2001 From: Julian Foad Date: Fri, 26 Jun 2020 15:13:58 +0100 Subject: [PATCH 1245/2384] Improve the example Traefik config. Use playbook variables instead of textual place-holders for the domain names. --- docs/configuring-playbook-own-webserver.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 4adcd934..f97f622f 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -144,8 +144,7 @@ matrix_nginx_proxy_container_extra_arguments: - '--label "traefik.enable=true"' # The Nginx proxy container will receive traffic from these subdomains - # (Replace DOMAIN with your domain, e.g. example.com) - - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`matrix.DOMAIN`,`riot.DOMAIN`,`dimension.DOMAIN`)"' + - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_riot }}`,`{{ matrix_server_fqn_dimension }}`)"' # (The 'web-secure' entrypoint must bind to port 443 in Traefik config) - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"' @@ -161,8 +160,7 @@ matrix_synapse_container_extra_arguments: - '--label "traefik.enable=true"' # The Synapse container will receive traffic from this subdomain - # (Replace DOMAIN with your domain, e.g. example.com) - - '--label "traefik.http.routers.matrix-synapse.rule=Host(`matrix.DOMAIN`)"' + - '--label "traefik.http.routers.matrix-synapse.rule=Host(`{{ matrix_server_fqn_matrix }}`)"' # (The 'synapse' entrypoint must bind to port 8448 in Traefik config) - '--label "traefik.http.routers.matrix-synapse.entrypoints=synapse"' From 0fea35cdd2195f9634c9148dec9783031de73408 Mon Sep 17 00:00:00 2001 From: jdreichmann Date: Sat, 27 Jun 2020 12:40:27 +0200 Subject: [PATCH 1246/2384] mx-puppet-instagram: add role --- group_vars/matrix_servers | 31 +++++++ .../defaults/main.yml | 86 +++++++++++++++++++ .../tasks/init.yml | 17 ++++ .../tasks/main.yml | 21 +++++ .../tasks/setup_install.yml | 78 +++++++++++++++++ .../tasks/setup_uninstall.yml | 24 ++++++ .../tasks/validate_config.yml | 10 +++ .../templates/config.yaml.j2 | 82 ++++++++++++++++++ .../matrix-mx-puppet-instagram.service.j2 | 41 +++++++++ setup.yml | 1 + 10 files changed, 391 insertions(+) create mode 100644 roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml create mode 100644 roles/matrix-bridge-mx-puppet-instagram/tasks/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ff69cd8f..7581d7f4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -392,6 +392,37 @@ matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_prov ###################################################################### +###################################################################### +# +# matrix-bridge-mx-puppet-instagram +# +###################################################################### + +# We don't enable bridges by default. +matrix_mx_puppet_instagram_enabled: false + +matrix_mx_puppet_instagram_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" + +matrix_mx_puppet_instagram_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +matrix_mx_puppet_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" + +matrix_mx_puppet_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" + +matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +###################################################################### +# +# /matrix-bridge-mx-puppet-instagram +# +###################################################################### + + ###################################################################### # # matrix-corporal diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml new file mode 100644 index 00000000..c7488cbb --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -0,0 +1,86 @@ +# mx-puppet-instagram bridges instagram DMs +# See: https://github.com/Sorunome/mx-puppet-instagram + +matrix_mx_puppet_instagram_enabled: true + +matrix_mx_puppet_instagram_container_image_self_build: false + +matrix_mx_puppet_instagram_docker_image: "docker.io/sorunome/mx-puppet-instagram:latest" +matrix_mx_puppet_instagram_docker_image_force_pull: "{{ matrix_mx_puppet_instagram_docker_image.endswith(':latest') }}" + +matrix_mx_puppet_instagram_base_path: "{{ matrix_base_data_path }}/mx-puppet-instagram" +matrix_mx_puppet_instagram_config_path: "{{ matrix_mx_puppet_instagram_base_path }}/config" +matrix_mx_puppet_instagram_data_path: "{{ matrix_mx_puppet_instagram_base_path }}/data" +matrix_mx_puppet_instagram_docker_src_files_path: "{{ matrix_mx_puppet_instagram_base_path }}/docker-src" + +matrix_mx_puppet_instagram_appservice_port: "8440" +matrix_mx_puppet_instagram_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_instagram_homeserver_domain: '{{ matrix_domain }}' +matrix_mx_puppet_instagram_appservice_address: 'http://matrix-mx-puppet-instagram:{{ matrix_mx_puppet_instagram_appservice_port }}' + +# "@user:server.com" to allow specific user +# "@.*:yourserver.com" to allow users on a specific homeserver +# "@.*" to allow anyone +matrix_mx_puppet_instagram_provisioning_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Leave empty to disable blacklist +# "@user:server.com" disallow a specific user +# "@.*:yourserver.com" disallow users on a specific homeserver +matrix_mx_puppet_instagram_provisioning_blacklist: [] + +# A list of extra arguments to pass to the container +matrix_mx_puppet_instagram_container_extra_arguments: [] + +# List of systemd services that matrix-puppet-instagram.service depends on. +matrix_mx_puppet_instagram_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-puppet-instagram.service wants +matrix_mx_puppet_instagram_systemd_wanted_services_list: [] + +matrix_mx_puppet_instagram_appservice_token: '' +matrix_mx_puppet_instagram_homeserver_token: '' + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mx_puppet_instagram_login_shared_secret: '' + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mx_puppet_instagram_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mx_puppet_instagram_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mx_puppet_instagram_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mx_puppet_instagram_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mx_puppet_instagram_configuration_yaml`. + +matrix_mx_puppet_instagram_configuration_extension: "{{ matrix_mx_puppet_instagram_configuration_extension_yaml|from_yaml if matrix_mx_puppet_instagram_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mx_puppet_instagram_configuration_yaml`. +matrix_mx_puppet_instagram_configuration: "{{ matrix_mx_puppet_instagram_configuration_yaml|from_yaml|combine(matrix_mx_puppet_instagram_configuration_extension, recursive=True) }}" + +matrix_mx_puppet_instagram_registration_yaml: | + as_token: "{{ matrix_mx_puppet_instagram_appservice_token }}" + hs_token: "{{ matrix_mx_puppet_instagram_homeserver_token }}" + id: instagram-puppet + namespaces: + users: + - exclusive: true + regex: '@_instagrampuppet_.*:{{ matrix_mx_puppet_instagram_homeserver_domain|regex_escape }}' + rooms: [] + aliases: + - exclusive: true + regex: '#_instagrampuppet_.*:{{ matrix_mx_puppet_instagram_homeserver_domain|regex_escape }}' + protocols: [] + rate_limited: false + sender_localpart: _instagrampuppet_bot + url: {{ matrix_mx_puppet_instagram_appservice_address }} + +matrix_mx_puppet_instagram_registration: "{{ matrix_mx_puppet_instagram_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml new file mode 100644 index 00000000..dafa59c0 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml @@ -0,0 +1,17 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram'] }}" + when: matrix_mx_puppet_instagram_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mx_puppet_instagram_config_path }}/registration.yaml,dst=/matrix-mx-puppet-instagram-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mx-puppet-instagram-registration.yaml"] }} + when: matrix_mx_puppet_instagram_enabled|bool + diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/main.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/main.yml new file mode 100644 index 00000000..d0fe90e4 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mx_puppet_instagram_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-instagram + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mx_puppet_instagram_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-instagram + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mx_puppet_instagram_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-instagram diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml new file mode 100644 index 00000000..d60fbaf2 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml @@ -0,0 +1,78 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mx-puppet-instagram role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- name: Ensure mx-puppet-instagram image is pulled + docker_image: + name: "{{ matrix_mx_puppet_instagram_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_instagram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_instagram_docker_image_force_pull }}" + when: matrix_mx_puppet_instagram_enabled|bool and not matrix_mx_puppet_instagram_container_image_self_build + +- name: Ensure mx-puppet-instagram paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mx_puppet_instagram_base_path }}", when: true } + - { path: "{{ matrix_mx_puppet_instagram_config_path }}", when: true } + - { path: "{{ matrix_mx_puppet_instagram_data_path }}", when: true } + - { path: "{{ matrix_mx_puppet_instagram_docker_src_files_path }}", when: "{{ matrix_mx_puppet_instagram_container_image_self_build }}" } + when: matrix_mx_puppet_instagram_enabled|bool and item.when|bool + +- name: Ensure mx-puppet-instagram repository is present on self build + git: + repo: https://github.com/Sorunome/mx-puppet-instagram.git + dest: "{{ matrix_mx_puppet_instagram_docker_src_files_path }}" + force: "yes" + when: "matrix_mx_puppet_instagram_enabled|bool and matrix_mx_puppet_instagram_container_image_self_build" + +- name: Ensure mx-puppet-instagram Docker image is built + docker_image: + name: "{{ matrix_mx_puppet_instagram_docker_image }}" + source: build + build: + dockerfile: Dockerfile + path: "{{ matrix_mx_puppet_instagram_docker_src_files_path }}" + pull: yes + when: "matrix_mx_puppet_instagram_enabled|bool and matrix_mx_puppet_instagram_container_image_self_build" + +- name: Ensure mx-puppet-instagram config.yaml installed + copy: + content: "{{ matrix_mx_puppet_instagram_configuration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_instagram_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mx-puppet-instagram-registration.yaml installed + copy: + content: "{{ matrix_mx_puppet_instagram_registration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_instagram_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mx-puppet-instagram.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-instagram.service.j2" + dest: "/etc/systemd/system/matrix-mx-puppet-instagram.service" + mode: 0644 + register: matrix_mx_puppet_instagram_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mx-puppet-instagram.service installation + service: + daemon_reload: yes + when: "matrix_mx_puppet_instagram_systemd_service_result.changed" + + diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml new file mode 100644 index 00000000..4b5e67ac --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mx-puppet-instagram service + stat: + path: "/etc/systemd/system/matrix-mx-puppet-instagram.service" + register: matrix_mx_puppet_instagram_service_stat + +- name: Ensure matrix-mx-puppet-instagram is stopped + service: + name: matrix-mx-puppet-instagram + state: stopped + daemon_reload: yes + when: "matrix_mx_puppet_instagram_service_stat.stat.exists" + +- name: Ensure matrix-mx-puppet-instagram.service doesn't exist + file: + path: "/etc/systemd/system/matrix-mx-puppet-instagram.service" + state: absent + when: "matrix_mx_puppet_instagram_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mx-puppet-instagram.service removal + service: + daemon_reload: yes + when: "matrix_mx_puppet_instagram_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml new file mode 100644 index 00000000..b6d9d994 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mx_puppet_instagram_appservice_token" + - "matrix_mx_puppet_instagram_homeserver_token" diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 new file mode 100644 index 00000000..634fbaec --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 @@ -0,0 +1,82 @@ +#jinja2: lstrip_blocks: "True" +bridge: + # Port to host the bridge on + # Used for communication between the homeserver and the bridge + port: {{ matrix_mx_puppet_instagram_appservice_port }} + # The host connections to the bridge's webserver are allowed from + bindAddress: 0.0.0.0 + # Public domain of the homeserver + domain: {{ matrix_mx_puppet_instagram_homeserver_domain }} + # Reachable URL of the Matrix homeserver + homeserverUrl: {{ matrix_mx_puppet_instagram_homeserver_address }} + {% if matrix_mx_puppet_instagram_login_shared_secret != '' %} + loginSharedSecretMap: + {{ matrix_domain }}: {{ matrix_mx_puppet_instagram_login_shared_secret }} + {% endif %} + +presence: + # Bridge Instagram online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 500 + +provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: {{ matrix_mx_puppet_instagram_provisioning_whitelist|to_json }} + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + #- "@.*:yourserver\\.com" + # Allow anyone + #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_instagram_provisioning_blacklist|to_json }} + + # Shared secret for the provisioning API for use by integration managers. + # If this is not set, the provisioning API will not be enabled. + #sharedSecret: random string + # Path prefix for the provisioning API. /v1 will be appended to the prefix automatically. + apiPrefix: /_matrix/provision + +database: + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". + # Modify each value as necessary + #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db + +logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: + # Log file path + - file: "/data/bridge.log" + # Log level for this file + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + level: info + # Date and time formatting + datePattern: YYYY-MM-DD + # Maximum number of logs to keep. + # This can be a number of files or number of days. + # If using days, add 'd' as a suffix + maxFiles: 14d + # Maximum size of the file after which it will rotate. This can be a + # number of bytes, or units of kb, mb, and gb. If using the units, add + # 'k', 'm', or 'g' as the suffix + maxSize: 50m diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 new file mode 100644 index 00000000..4c4b74a5 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 @@ -0,0 +1,41 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix mx-puppet-instagram bridge +{% for service in matrix_mx_puppet_instagram_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mx_puppet_instagram_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-instagram \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -e CONFIG_PATH=/config/config.yaml \ + -e REGISTRATION_PATH=/config/registration.yaml \ + -v {{ matrix_mx_puppet_instagram_config_path }}:/config:z \ + -v {{ matrix_mx_puppet_instagram_data_path }}:/data:z \ + {% for arg in matrix_mx_puppet_instagram_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mx_puppet_instagram_docker_image }} + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mx-puppet-instagram + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 4831873e..247950d4 100755 --- a/setup.yml +++ b/setup.yml @@ -18,6 +18,7 @@ - matrix-bridge-mautrix-whatsapp - matrix-bridge-mx-puppet-skype - matrix-bridge-mx-puppet-slack + - matrix-bridge-mx-puppet-instagram - matrix-bridge-sms - matrix-synapse - matrix-riot-web From f7ea5705f1fd5a29001a2a1f5963955d792e8950 Mon Sep 17 00:00:00 2001 From: Pablo Date: Sat, 27 Jun 2020 16:54:30 -0300 Subject: [PATCH 1247/2384] =?UTF-8?q?Agrego=20documentaci=C3=B3n=20de=20la?= =?UTF-8?q?s=20variables=20de=20ajuste=20fino=20(Fine=20tune)=20de=20Jitsi?= =?UTF-8?q?.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/configuring-playbook-jitsi.md | 41 ++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 21a440f6..2a25fb02 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -81,6 +81,47 @@ matrix_jitsi_jvb_container_extra_arguments: - '--env "DOCKER_HOST_ADDRESS="' ``` +## (Optional) Fine tune Jitsi + +You may want to suspend unused video layers until they are requested again, to save up resources on both server and clients. +Read more on this feature [here](https://jitsi.org/blog/new-off-stage-layer-suppression-feature/) +For this add this line to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: + +```yaml +matrix_jitsi_web_config_enableLayerSuspension: true +``` + +You may wish to disable audio levels to avoid excessive refresh of the client-side page and decrease the CPU consumption involved. +For this add this line to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: + +```yaml +matrix_jitsi_web_config_disableAudioLevels: true +``` + +You may want to limit the number of video feeds forwarded to each client, to save up resources on both server and clients. As clients’ bandwidth and CPU may not bear the load, use this setting to avoid lag and crashes. +This feature is found by default in other webconference applications such as Office 365 Teams (limit is set to 4). +Read how it works [here](https://github.com/jitsi/jitsi-videobridge/blob/master/doc/last-n.md) and performance evaluation on this [study](https://jitsi.org/wp-content/uploads/2016/12/nossdav2015lastn.pdf) +For this add this line to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: + +```yaml +matrix_jitsi_web_config_channelLastN: 4 +``` + +To enable the variables that allow you to manage the video configuration you must add the following line to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: + +```yaml +matrix_jitsi_web_config_constraints_enabled: true +``` + +You may want to limit the maximum video resolution, to save up resources on both server and clients. +For example, to set resolution to 480. +For this add this two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: + +```yaml +matrix_jitsi_web_config_constraints_video_height_ideal: 480 +matrix_jitsi_web_config_constraints_video_height_max: 480 +``` + ## Apply changes Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` From 19b9a1b16c9af0e1409794a1eb4f5d0f604351f2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 28 Jun 2020 09:01:48 +0300 Subject: [PATCH 1248/2384] Expose mautrix-hangouts port if matrix-nginx-proxy is disabled --- group_vars/matrix_servers | 2 ++ roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 5 +++++ .../templates/systemd/matrix-mautrix-hangouts.service.j2 | 3 +++ roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 4 files changed, 11 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ff69cd8f..914d53c8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -232,6 +232,8 @@ matrix_mautrix_hangouts_appservice_token: "{{ matrix_synapse_macaroon_secret_key matrix_mautrix_hangouts_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.hs.token') | to_uuid }}" +matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" + matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" ###################################################################### diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 31f4fe98..8430527a 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -20,6 +20,11 @@ matrix_mautrix_hangouts_homeserver_address: 'http://matrix-synapse:8008' matrix_mautrix_hangouts_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_hangouts_appservice_address: 'http://matrix-mautrix-hangouts:8080' +# Controls whether the matrix-mautrix-hangouts container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9007"), or empty string to not expose. +matrix_mautrix_hangouts_container_http_host_bind_port: '' + # A list of extra arguments to pass to the container matrix_mautrix_hangouts_container_extra_arguments: [] diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index f33aff63..dc6ffda0 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -30,6 +30,9 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangou --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ + {% if matrix_mautrix_hangouts_container_http_host_bind_port %} + -p {{ matrix_mautrix_hangouts_container_http_host_bind_port }}:8080 \ + {% endif %} -v {{ matrix_mautrix_hangouts_config_path }}:/config:z \ -v {{ matrix_mautrix_hangouts_data_path }}:/data:z \ {% for arg in matrix_mautrix_hangouts_container_extra_arguments %} diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index d3990b68..36b14608 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -26,7 +26,7 @@ matrix_mautrix_telegram_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_telegram_appservice_address: 'http://matrix-mautrix-telegram:8080' matrix_mautrix_telegram_appservice_public_external: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mautrix_telegram_public_endpoint }}' -# Controls whether the matrix-telegram container exposes its HTTP port (tcp/8080 in the container). +# Controls whether the matrix-mautrix-telegram container exposes its HTTP port (tcp/8080 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:9006"), or empty string to not expose. matrix_mautrix_telegram_container_http_host_bind_port: '' From 2073cd6caecdc8258d6f383f2a0e33da6b0e329e Mon Sep 17 00:00:00 2001 From: jdreichmann Date: Sun, 28 Jun 2020 10:40:14 +0200 Subject: [PATCH 1249/2384] mx-puppet-instagram: change tokens appservice<>homeserver in order to not collide with mx-puppet-slack --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 7581d7f4..eb9f415a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -410,9 +410,9 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) }} -matrix_mx_puppet_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" +matrix_mx_puppet_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" -matrix_mx_puppet_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}" +matrix_mx_puppet_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}" matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" From ad05c7f758b4eefea9337dca5951539e55b7352e Mon Sep 17 00:00:00 2001 From: jdreichmann Date: Sun, 28 Jun 2020 10:46:39 +0200 Subject: [PATCH 1250/2384] mx-puppet-instagram: add documentation on how to setup & use the bridge --- README.md | 2 ++ ...ing-playbook-bridge-mx-puppet-instagram.md | 36 +++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mx-puppet-instagram.md diff --git a/README.md b/README.md index a5ec78d3..154d3bfc 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) +- (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation + - (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms diff --git a/docs/configuring-playbook-bridge-mx-puppet-instagram.md b/docs/configuring-playbook-bridge-mx-puppet-instagram.md new file mode 100644 index 00000000..3dad9844 --- /dev/null +++ b/docs/configuring-playbook-bridge-mx-puppet-instagram.md @@ -0,0 +1,36 @@ +# Setting up mx-puppet-instagram (optional) + +The playbook can install and configure +[mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) for you. + +This allows you to bridge Instagram DirectMessages into Matrix. + +To enable the [Instagram](https://www.instagram.com/) bridge just use the following +playbook configuration: + + +```yaml +matrix_mx_puppet_instagram_enabled: true +``` + + +## Usage + +Once the bot is enabled, you need to start a chat with `Instagram Puppet Bridge` with +the handle `@_instagrampuppet_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base +domain, not the `matrix.` domain). + +Send `link ` to the bridge bot to link your instagram account. + +The `list` commands shows which accounts are linked and which `puppetId` is associated. + +For double-puppeting, you probably want to issue these commands: + +- `settype $puppetId puppet` to enable puppeting for the link (instead of relaying) +- `setautoinvite $puppetId 1` to automatically invite you to chats +- `setmatrixtoken $accessToken` to set the access token to enable puppeting from the other side (the "double" in double puppeting) + +If you are linking only one Instagram account, your `$puppetId` is probably 1, but use the `list` command find out. + +The `help` command shows which commands are available, though at the time of writing, not every command is fully implemented. + From 4cf59098adafe1227eb4249d4d12efda0102f9b5 Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sun, 28 Jun 2020 21:47:19 +0200 Subject: [PATCH 1251/2384] Update ma1sd to v2.4.0 --- roles/matrix-ma1sd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 64cf7c9a..9e21d862 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -5,7 +5,7 @@ matrix_ma1sd_enabled: true matrix_ma1sd_container_image_self_build: false -matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.3.0" +matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.4.0" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" From 0162fe31d151ca5a82555ffb5e5465df3d88a19e Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sun, 28 Jun 2020 21:47:39 +0200 Subject: [PATCH 1252/2384] Re-enable ma1sd user directory search --- CHANGELOG.md | 12 ++++++++++++ group_vars/matrix_servers | 5 +---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 799ac45e..41a781dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# 2020-06-28 + +## (Post Mortem / fixed Security Issue) Re-enabling User Directory search powered by the ma1sd Identity Server + +User Directory search requests used to go to the ma1sd identity server by default, which queried its own stores and the Synapse database. + +ma1sd's [security issue](https://github.com/ma1uta/ma1sd/issues/44) has been fixed in version `2.4.0`, with [this commit](ma1uta/ma1sd@2bb5a734d11662b06471113cf3d6b4cee5e33a85). `ma1sd 2.4.0` is now the default version for this playbook. For more information on what happened, please check the mentioned issue. + +We are re-enabling user directory search with this update. Those who would like to keep it disabled can use this configuration: `matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false` + +As always, re-running the playbook is enough to get the updated bits. + # 2020-06-11 ## SMS bridging requires db reset diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 914d53c8..85dab4dd 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -646,10 +646,7 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" -# Not proxying the user directory search to the identity server by default anymore, -# because it currently leaks data. -# See: https://github.com/ma1uta/ma1sd/issues/44 -matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false +matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" From 784cb3e325b1a96a2717b719b360aa709c0f43dd Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sun, 28 Jun 2020 22:00:08 +0200 Subject: [PATCH 1253/2384] Update Jitsi to stable-4627-1 --- roles/matrix-jitsi/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index d3ce0ac8..531a9d37 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -50,7 +50,7 @@ matrix_jitsi_jibri_recorder_user: recorder matrix_jitsi_jibri_recorder_password: '' -matrix_jitsi_web_docker_image: "jitsi/web:stable-4548-1" +matrix_jitsi_web_docker_image: "jitsi/web:stable-4627-1" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" @@ -111,7 +111,7 @@ matrix_jitsi_web_config_constraints_video_height_ideal: 720 matrix_jitsi_web_config_constraints_video_height_max: 720 matrix_jitsi_web_config_constraints_video_height_min: 240 -matrix_jitsi_prosody_docker_image: "jitsi/prosody:stable-4548-1" +matrix_jitsi_prosody_docker_image: "jitsi/prosody:stable-4627-1" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -125,7 +125,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:stable-4548-1" +matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:stable-4627-1" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -142,7 +142,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "jitsi/jvb:stable-4548-1" +matrix_jitsi_jvb_docker_image: "jitsi/jvb:stable-4627-1" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" From 635f385971779c3b927edc731c89ce0a543da1af Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 29 Jun 2020 14:53:23 +0300 Subject: [PATCH 1254/2384] Use pre-built arm64 image for ma1sd ma1sd 2.4.0 announced experimental support for arm64. We're making use of those arm64 images instead of self-building. --- group_vars/matrix_servers | 12 +++++++++++- roles/matrix-ma1sd/defaults/main.yml | 4 +++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 85dab4dd..155dd8bc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -564,7 +564,17 @@ matrix_mailer_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. matrix_ma1sd_enabled: true -matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" +# There's no prebuilt ma1sd image for the `arm32` architecture. +# We're relying on self-building there. +matrix_ma1sd_architecture: "{{ + { + 'amd64': 'amd64', + 'arm32': 'arm32', + 'arm64': 'arm64', + }[matrix_architecture] +}}" + +matrix_ma1sd_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 9e21d862..822cc942 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -5,7 +5,9 @@ matrix_ma1sd_enabled: true matrix_ma1sd_container_image_self_build: false -matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.4.0" +matrix_ma1sd_architecture: "amd64" + +matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.4.0-{{ matrix_ma1sd_architecture }}" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" From de545f9c5f2e081e64df2048721170f482f5018c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 29 Jun 2020 14:58:03 +0300 Subject: [PATCH 1255/2384] Update docs on self-building and remove useless variable `matrix_container_images_self_build` was not really doing anything anymore. It previously was influencing `matrix_*_self_build` variables, but it's no longer the case since some time ago. Individual `matrix_*_self_build` variables are still available. People that would like to toggle self-building for a specific component ought to use those. These variables are also controlled automatically (via `group_vars/matrix_servers`) depending on `matrix_architecture`. In other words, self-building is being done automatically for all components when they don't have a prebuilt image for the specified architecture. Some components only support `amd64`, while others also have images for other architectures. --- docs/alternative-architectures.md | 9 +++------ docs/self-building.md | 19 ++++++++++--------- roles/matrix-base/defaults/main.yml | 4 ---- 3 files changed, 13 insertions(+), 19 deletions(-) diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index 4ca9646e..7a3e35eb 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md @@ -1,6 +1,6 @@ # Alternative architectures -As stated in the [Prerequisites](prerequisites.md), currently only x86_64 is supported. However, it is possible to set the target architecture, and some tools can be built on the host or other measures can be used. +As stated in the [Prerequisites](prerequisites.md), currently only `x86_64` is fully supported. However, it is possible to set the target architecture, and some tools can be built on the host or other measures can be used. To that end add the following variable to your `vars.yaml` file: @@ -21,9 +21,6 @@ matrix_architecture: "arm32" ## Implementation details -This subsection is used for a reminder, how the different roles implement architecture differences. This is **not** aimed at the users, so one does not have to do anything based on this subsection. +For `amd64`, prebuilt images are used everywhere (because all images are available for this architecture). -On most roles [self-building](self-building.md) is used if the architecture is not `amd64`, however there are some special cases: -- `matrix-bridge-mautrix-facebook`: there is a pre-built Docker image for `arm64` as well -- `matrix-bridge-mautrix-hangouts`: there is a pre-built Docker image for `arm64` as well -- `matrix-nginx-proxy`: Certbot has a pre-built Docker image for both `arm32` and `arm64`, however tagging is used, which requires special handling. +For other architectures, components which have a prebuilt image make use of it. If the component is not available for the specific architecture, [self-building](self-building.md) will be used. Not all components support self-building though, so your mileage may vary. diff --git a/docs/self-building.md b/docs/self-building.md index e4912090..8413fb5e 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -2,22 +2,23 @@ **Caution: self-building does not have to be used on its own. See the [Alternative Architectures](alternative-architectures.md) page.** -The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for ma1sd). +The playbook supports the self-building of various components, which don't have a container image for your architecture. For `amd64`, self-building is not required. -To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file: -```yaml -matrix_container_images_self_build: true -``` -Setting that variable will self-build every role which supports self-building. Self-building can be set on a per-role basis as well. +For other architectures (e.g. `arm32`, `arm64`), ready-made container images are used when available. If there's no ready-made image for a specific component and said component supports self-building, an image will be built on the host. Building images like this takes more time and resources (some build tools need to get installed by the playbook to assist building). +To make use of self-building, you don't need to do anything besides change your architecture variable (e.g. `matrix_architecture: arm64`). If a component has an image for the specified architecture, the playbook will use it. If not, it will build the image. + +Note that **not all components support self-building yet**. List of roles where self-building the Docker image is currently possible: - `matrix-synapse` - `matrix-riot-web` - `matrix-coturn` - `matrix-ma1sd` - `matrix-mailer` -- `matrix-mautrix-facebook` -- `matrix-mautrix-hangouts` -- `matrix-mx-puppet-skype` +- `matrix-bridge-mautrix-facebook` +- `matrix-bridge-mautrix-hangouts` +- `matrix-bridge-mx-puppet-skype` Adding self-building support to other roles is welcome. Feel free to contribute! + +If you'd like **to force self-building** even if an image is available for your architecture, look into the `matrix_*_self_build` variables provided by individual roles. diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 3a147124..804da22c 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -99,7 +99,3 @@ run_setup: true run_self_check: true run_start: true run_stop: true - -# Building every docker image from source on the target host -# Controlling docker image build is possible on a per unit base -matrix_container_images_self_build: false From 13186a1ddcdee7db05d01ef8d780f105e9aa6a06 Mon Sep 17 00:00:00 2001 From: Tulir Asokan Date: Mon, 29 Jun 2020 15:28:43 +0300 Subject: [PATCH 1256/2384] Add mx-puppet-twitter Signed-off-by: Tulir Asokan --- README.md | 2 + ...uring-playbook-bridge-mx-puppet-twitter.md | 34 ++++++ group_vars/matrix_servers | 30 +++++ .../defaults/main.yml | 103 ++++++++++++++++++ .../tasks/init.yml | 70 ++++++++++++ .../tasks/main.yml | 21 ++++ .../tasks/setup_install.yml | 93 ++++++++++++++++ .../tasks/setup_uninstall.yml | 24 ++++ .../tasks/validate_config.yml | 10 ++ .../templates/config.yaml.j2 | 92 ++++++++++++++++ .../matrix-mx-puppet-twitter.service.j2 | 44 ++++++++ setup.yml | 1 + 12 files changed, 524 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mx-puppet-twitter.md create mode 100644 roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml create mode 100644 roles/matrix-bridge-mx-puppet-twitter/tasks/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 diff --git a/README.md b/README.md index a5ec78d3..fcee4d2d 100644 --- a/README.md +++ b/README.md @@ -152,6 +152,8 @@ This playbook sets up your server using the following Docker images: - [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https:/slack.com) (optional) +- [sorunome/mx-puppet-twitter](https://hub.docker.com/r/sorunome/mx-puppet-twitter) - the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge to [Twitter](https://twitter.com) (optional) + - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) - [jitsi/web](https://hub.docker.com/r/jitsi/web) - the [Jitsi](https://jitsi.org/) web UI (optional) diff --git a/docs/configuring-playbook-bridge-mx-puppet-twitter.md b/docs/configuring-playbook-bridge-mx-puppet-twitter.md new file mode 100644 index 00000000..dd2c9c12 --- /dev/null +++ b/docs/configuring-playbook-bridge-mx-puppet-twitter.md @@ -0,0 +1,34 @@ +# Setting up MX Puppet Twitter (optional) + +The playbook can install and configure +[mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) for you. + +See the project page to learn what it does and why it might be useful to you. + +To enable the [Twitter](https://twitter.com) bridge, make an app on [developer.twitter.com](https://developer.twitter.com/en/apps) +and fill out the following playbook configuration. + +```yaml +matrix_mx_puppet_twitter_enabled: true +matrix_mx_puppet_twitter_consumer_key: '' +matrix_mx_puppet_twitter_consumer_secret: '' +matrix_mx_puppet_twitter_access_token: '' +matrix_mx_puppet_twitter_access_token_secret: '' +matrix_mx_puppet_twitter_environment: '' +``` + + +## Usage + +Once the bot is enabled you need to start a chat with `Twitter Puppet Bridge` with +the handle `@_twitterpuppet_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base +domain, not the `matrix.` domain). + +To log in, use `link` and click the link. + +Once logged in, send `list` to the bot user to list the available rooms. + +Clicking rooms in the list will result in you receiving an invitation to the +bridged room. + +Also send `help` to the bot to see the commands available. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 85dab4dd..275601da 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -393,6 +393,36 @@ matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_prov # ###################################################################### +###################################################################### +# +# matrix-bridge-mx-puppet-twitter +# +###################################################################### + +# We don't enable bridges by default. +matrix_mx_puppet_twitter_enabled: false + +matrix_mx_puppet_twitter_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" + +matrix_mx_puppet_twitter_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +matrix_mx_puppet_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" + +matrix_mx_puppet_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}" + +matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +###################################################################### +# +# /matrix-bridge-mx-puppet-twitter +# +###################################################################### + ###################################################################### # diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml new file mode 100644 index 00000000..edf15a6d --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -0,0 +1,103 @@ +# Mx Puppet Twitter is a Matrix <-> Twitter bridge +# See: https://github.com/Sorunome/mx-puppet-twitter + +matrix_mx_puppet_twitter_enabled: true + +matrix_mx_puppet_twitter_container_image_self_build: false + +# Controls whether the mx-puppet-twitter container exposes its HTTP port (tcp/8432 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. +matrix_mx_puppet_twitter_container_http_host_bind_port: '' + +matrix_mx_puppet_twitter_docker_image: "sorunome/mx-puppet-twitter:latest" +matrix_mx_puppet_twitter_docker_image_force_pull: "{{ matrix_mx_puppet_twitter_docker_image.endswith(':latest') }}" + +matrix_mx_puppet_twitter_base_path: "{{ matrix_base_data_path }}/mx-puppet-twitter" +matrix_mx_puppet_twitter_config_path: "{{ matrix_mx_puppet_twitter_base_path }}/config" +matrix_mx_puppet_twitter_data_path: "{{ matrix_mx_puppet_twitter_base_path }}/data" +matrix_mx_puppet_twitter_docker_src_files_path: "{{ matrix_mx_puppet_twitter_base_path }}/docker-src" + +matrix_mx_puppet_twitter_appservice_port: "8432" + +matrix_mx_puppet_twitter_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_twitter_homeserver_domain: '{{ matrix_domain }}' +matrix_mx_puppet_twitter_appservice_address: 'http://matrix-mx-puppet-twitter:{{ matrix_mx_puppet_twitter_appservice_port }}' + +matrix_mx_puppet_twitter_consumer_key: '' +matrix_mx_puppet_twitter_consumer_secret: '' +matrix_mx_puppet_twitter_access_token: '' +matrix_mx_puppet_twitter_access_token_secret: '' +matrix_mx_puppet_twitter_environment: '' +matrix_mx_puppet_twitter_webhook_path: '/twitter/webhook' +matrix_mx_puppet_twitter_webhook_url: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mx_puppet_twitter_webhook_path }}' + +# "@user:server.com" to allow specific user +# "@.*:yourserver.com" to allow users on a specific homeserver +# "@.*" to allow anyone +matrix_mx_puppet_twitter_provisioning_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Leave empty to disable blacklist +# "@user:server.com" disallow a specific user +# "@.*:yourserver.com" disallow users on a specific homeserver +matrix_mx_puppet_twitter_provisioning_blacklist: [] + +# A list of extra arguments to pass to the container +matrix_mx_puppet_twitter_container_extra_arguments: [] + +# List of systemd services that mx-puppet-twitter.service depends on. +matrix_mx_puppet_twitter_systemd_required_services_list: ['docker.service'] + +# List of systemd services that mx-puppet-twitter.service wants +matrix_mx_puppet_twitter_systemd_wanted_services_list: [] + +matrix_mx_puppet_twitter_appservice_token: '' +matrix_mx_puppet_twitter_homeserver_token: '' + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mx_puppet_twitter_login_shared_secret: '' + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mx_puppet_twitter_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mx_puppet_twitter_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mx_puppet_twitter_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mx_puppet_twitter_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mx_puppet_twitter_configuration_yaml`. + +matrix_mx_puppet_twitter_configuration_extension: "{{ matrix_mx_puppet_twitter_configuration_extension_yaml|from_yaml if matrix_mx_puppet_twitter_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mx_puppet_twitter_configuration_yaml`. +matrix_mx_puppet_twitter_configuration: "{{ matrix_mx_puppet_twitter_configuration_yaml|from_yaml|combine(matrix_mx_puppet_twitter_configuration_extension, recursive=True) }}" + +# The prefix for user IDs and aliases +matrix_mx_puppet_twitter_namespace_prefix: _twitterpuppet_ + +matrix_mx_puppet_twitter_registration_yaml: | + as_token: "{{ matrix_mx_puppet_twitter_appservice_token }}" + hs_token: "{{ matrix_mx_puppet_twitter_homeserver_token }}" + id: twitter-puppet + namespaces: + users: + - exclusive: true + regex: '@{{ matrix_mx_puppet_twitter_namespace_prefix|regex_escape }}.*:{{ matrix_mx_puppet_twitter_homeserver_domain|regex_escape }}' + rooms: [] + aliases: + - exclusive: true + regex: '#{{ matrix_mx_puppet_twitter_namespace_prefix|regex_escape }}.*:{{ matrix_mx_puppet_twitter_homeserver_domain|regex_escape }}' + protocols: [] + rate_limited: false + sender_localpart: _twitterpuppet_bot + url: {{ matrix_mx_puppet_twitter_appservice_address }} + +matrix_mx_puppet_twitter_registration: "{{ matrix_mx_puppet_twitter_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml new file mode 100644 index 00000000..8f4aca6c --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -0,0 +1,70 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter'] }}" + when: matrix_mx_puppet_twitter_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mx_puppet_twitter_config_path }}/registration.yaml,dst=/matrix-mx-puppet-twitter-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mx-puppet-twitter-registration.yaml"] }} + when: matrix_mx_puppet_twitter_enabled|bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: >- + Trying to append Twitter Appservice's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-twitter role. + when: matrix_nginx_proxy_role_executed|default(False)|bool + + - name: Generate Matrix MX Puppet Twitter proxying configuration for matrix-nginx-proxy + set_fact: + matrix_mx_puppet_twitter_matrix_nginx_proxy_configuration: | + location {{ matrix_mx_puppet_twitter_webhook_path }} { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_mx_puppet_twitter_appservice_address }}"; + proxy_pass $backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_mx_puppet_twitter_appservice_port }}; + {% endif %} + } + + - name: Register Twitter Appservice proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) + + + [matrix_mx_puppet_twitter_matrix_nginx_proxy_configuration] + }} + tags: + - always + when: matrix_mx_puppet_twitter_enabled|bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: >- + NOTE: You've enabled the Matrix Twitter bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_mx_puppet_twitter_redirect_path }}` + URL endpoint to the matrix-mx-puppet-twitter container. + You can expose the container's port using the `matrix_mx_puppet_twitter_container_http_host_bind_port` variable. + when: "matrix_mx_puppet_twitter_enabled|bool and matrix_nginx_proxy_enabled is not defined" + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Puppet Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/main.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/main.yml new file mode 100644 index 00000000..af355df3 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mx_puppet_twitter_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-twitter + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mx_puppet_twitter_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-twitter + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mx_puppet_twitter_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-twitter diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml new file mode 100644 index 00000000..4773055d --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml @@ -0,0 +1,93 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mx-puppet-twitter role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- name: Ensure MX Puppet Twitter image is pulled + docker_image: + name: "{{ matrix_mx_puppet_twitter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_twitter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_twitter_docker_image_force_pull }}" + when: matrix_mx_puppet_twitter_enabled|bool and not matrix_mx_puppet_twitter_container_image_self_build + +- name: Ensure MX Puppet Twitter paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mx_puppet_twitter_base_path }}", when: true } + - { path: "{{ matrix_mx_puppet_twitter_config_path }}", when: true } + - { path: "{{ matrix_mx_puppet_twitter_data_path }}", when: true } + - { path: "{{ matrix_mx_puppet_twitter_docker_src_files_path }}", when: "{{ matrix_mx_puppet_twitter_container_image_self_build }}" } + when: matrix_mx_puppet_twitter_enabled|bool and item.when|bool + +- name: Ensure MX Puppet Twitter repository is present on self build + git: + repo: https://github.com/Sorunome/mx-puppet-twitter.git + dest: "{{ matrix_mx_puppet_twitter_docker_src_files_path }}" + force: "yes" + when: "matrix_mx_puppet_twitter_enabled|bool and matrix_mx_puppet_twitter_container_image_self_build" + +- name: Ensure MX Puppet Twitter Docker image is built + docker_image: + name: "{{ matrix_mx_puppet_twitter_docker_image }}" + source: build + build: + dockerfile: Dockerfile + path: "{{ matrix_mx_puppet_twitter_docker_src_files_path }}" + pull: yes + when: "matrix_mx_puppet_twitter_enabled|bool and matrix_mx_puppet_twitter_container_image_self_build" + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_twitter_base_path }}/database.db" + register: matrix_mx_puppet_twitter_stat_database + +- name: (Data relocation) Ensure matrix-mx-puppet-twitter.service is stopped + service: + name: matrix-mx-puppet-twitter + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mx_puppet_twitter_stat_database.stat.exists" + +- name: (Data relocation) Move mx-puppet-twitter database file to ./data directory + command: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db" + when: "matrix_mx_puppet_twitter_stat_database.stat.exists" + +- name: Ensure mx-puppet-twitter config.yaml installed + copy: + content: "{{ matrix_mx_puppet_twitter_configuration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_twitter_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mx-puppet-twitter twitter-registration.yaml installed + copy: + content: "{{ matrix_mx_puppet_twitter_registration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_twitter_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mx-puppet-twitter.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-twitter.service.j2" + dest: "/etc/systemd/system/matrix-mx-puppet-twitter.service" + mode: 0644 + register: matrix_mx_puppet_twitter_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mx-puppet-twitter.service installation + service: + daemon_reload: yes + when: "matrix_mx_puppet_twitter_systemd_service_result.changed" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml new file mode 100644 index 00000000..1d663531 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mx-puppet-twitter service + stat: + path: "/etc/systemd/system/matrix-mx-puppet-twitter.service" + register: matrix_mx_puppet_twitter_service_stat + +- name: Ensure matrix-mx-puppet-twitter is stopped + service: + name: matrix-mx-puppet-twitter + state: stopped + daemon_reload: yes + when: "matrix_mx_puppet_twitter_service_stat.stat.exists" + +- name: Ensure matrix-mx-puppet-twitter.service doesn't exist + file: + path: "/etc/systemd/system/matrix-mx-puppet-twitter.service" + state: absent + when: "matrix_mx_puppet_twitter_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mx-puppet-twitter.service removal + service: + daemon_reload: yes + when: "matrix_mx_puppet_twitter_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml new file mode 100644 index 00000000..d13a39e1 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mx_puppet_twitter_appservice_token" + - "matrix_mx_puppet_twitter_homeserver_token" diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 new file mode 100644 index 00000000..7d3033b3 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 @@ -0,0 +1,92 @@ +#jinja2: lstrip_blocks: "True" +bridge: + # Port to host the bridge on + # Used for communication between the homeserver and the bridge + port: {{ matrix_mx_puppet_twitter_appservice_port }} + # The host connections to the bridge's webserver are allowed from + bindAddress: 0.0.0.0 + # Public domain of the homeserver + domain: {{ matrix_mx_puppet_twitter_homeserver_domain }} + # Reachable URL of the Matrix homeserver + homeserverUrl: {{ matrix_mx_puppet_twitter_homeserver_address }} + {% if matrix_mx_puppet_twitter_login_shared_secret != '' %} + loginSharedSecretMap: + {{ matrix_domain }}: {{ matrix_mx_puppet_twitter_login_shared_secret }} + {% endif %} + +twitter: + consumerKey: "{{ matrix_mx_puppet_twitter_consumer_key }}" + consumerSecret: "{{ matrix_mx_puppet_twitter_consumer_secret }}" + accessToken: "{{ matrix_mx_puppet_twitter_access_token }}" + accessTokenSecret: "{{ matrix_mx_puppet_twitter_access_token_secret }}" + environment: "{{ matrix_mx_puppet_twitter_environment }}" + server: + url: "{{ matrix_mx_puppet_twitter_webhook_url }}" + path: "{{ matrix_mx_puppet_twitter_webhook_path }}" + +presence: + # Bridge Twitter online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 500 + +provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: {{ matrix_mx_puppet_twitter_provisioning_whitelist|to_json }} + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + #- "@.*:yourserver\\.com" + # Allow anyone + #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_twitter_provisioning_blacklist|to_json }} + + # Shared secret for the provisioning API for use by integration managers. + # If this is not set, the provisioning API will not be enabled. + #sharedSecret: random string + # Path prefix for the provisioning API. /v1 will be appended to the prefix automatically. + apiPrefix: /_matrix/provision + +database: + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". + # Modify each value as necessary + #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db + +logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: + # Log file path + - file: "/data/bridge.log" + # Log level for this file + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + level: info + # Date and time formatting + datePattern: YYYY-MM-DD + # Maximum number of logs to keep. + # This can be a number of files or number of days. + # If using days, add 'd' as a suffix + maxFiles: 14d + # Maximum size of the file after which it will rotate. This can be a + # number of bytes, or units of kb, mb, and gb. If using the units, add + # 'k', 'm', or 'g' as the suffix + maxSize: 50m diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 new file mode 100644 index 00000000..9245f02b --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 @@ -0,0 +1,44 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mx Puppet Twitter server +{% for service in matrix_mx_puppet_twitter_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mx_puppet_twitter_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-twitter \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_mx_puppet_twitter_container_http_host_bind_port %} + -p {{ matrix_mx_puppet_twitter_container_http_host_bind_port }}:{{ matrix_mx_puppet_twitter_appservice_port }} \ + {% endif %} + -e CONFIG_PATH=/config/config.yaml \ + -e REGISTRATION_PATH=/config/registration.yaml \ + -v {{ matrix_mx_puppet_twitter_config_path }}:/config:z \ + -v {{ matrix_mx_puppet_twitter_data_path }}:/data:z \ + {% for arg in matrix_mx_puppet_twitter_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mx_puppet_twitter_docker_image }} + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mx-puppet-twitter + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 4831873e..056e76de 100755 --- a/setup.yml +++ b/setup.yml @@ -18,6 +18,7 @@ - matrix-bridge-mautrix-whatsapp - matrix-bridge-mx-puppet-skype - matrix-bridge-mx-puppet-slack + - matrix-bridge-mx-puppet-twitter - matrix-bridge-sms - matrix-synapse - matrix-riot-web From 5b960bcfb53d4a83d01ea774b45736885f1d4f18 Mon Sep 17 00:00:00 2001 From: Tulir Asokan Date: Mon, 29 Jun 2020 18:04:40 +0300 Subject: [PATCH 1257/2384] Make sender_localpart configurable for mx-puppet-twitter --- roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index edf15a6d..8299fd81 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -82,6 +82,7 @@ matrix_mx_puppet_twitter_configuration: "{{ matrix_mx_puppet_twitter_configurati # The prefix for user IDs and aliases matrix_mx_puppet_twitter_namespace_prefix: _twitterpuppet_ +matrix_mx_puppet_twitter_bot_localpart: _twitterpuppet_bot matrix_mx_puppet_twitter_registration_yaml: | as_token: "{{ matrix_mx_puppet_twitter_appservice_token }}" @@ -97,7 +98,7 @@ matrix_mx_puppet_twitter_registration_yaml: | regex: '#{{ matrix_mx_puppet_twitter_namespace_prefix|regex_escape }}.*:{{ matrix_mx_puppet_twitter_homeserver_domain|regex_escape }}' protocols: [] rate_limited: false - sender_localpart: _twitterpuppet_bot + sender_localpart: "{{ matrix_mx_puppet_twitter_bot_localpart }}" url: {{ matrix_mx_puppet_twitter_appservice_address }} matrix_mx_puppet_twitter_registration: "{{ matrix_mx_puppet_twitter_registration_yaml|from_yaml }}" From f41c5e89e592e6423c92625f814afb3824a94306 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 29 Jun 2020 18:41:06 +0300 Subject: [PATCH 1258/2384] Upgrade riot-web (1.6.6 -> 1.6.7) --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index f4f4b018..bbf7c0f1 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.6" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.7" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 8b59402f7918228a1bd583cad96ae77a38f0523c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 Jun 2020 14:28:41 +0300 Subject: [PATCH 1259/2384] Upgrade Coturn (4.5.1.2 -> 4.5.1.3) 4.5.1.3 fixes a security vulnerability: https://github.com/coturn/coturn/security/advisories/GHSA-c8r8-8vp5-6gcm --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index ef314d89..104019a4 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -2,7 +2,7 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false -matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.2" +matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.3" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" # The Docker network that Coturn would be put into. From 9686a0fc5b4271a7a992354ff301481e1a6c8440 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 Jun 2020 17:39:19 +0300 Subject: [PATCH 1260/2384] Expose mx-puppet-twitter port when matrix-nginx-proxy disabled --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index becbdf67..68e5487b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -417,6 +417,8 @@ matrix_mx_puppet_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_ke matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_mx_puppet_twitter_appservice_port) }}" + ###################################################################### # # /matrix-bridge-mx-puppet-twitter From b5bed60e6b0fd459d2010d4b9073e20e42680e92 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 Jun 2020 17:51:56 +0300 Subject: [PATCH 1261/2384] Announce mx-puppet-instagram and mx-puppet-twitter support Related to #551 and #555 (Github Pull Requests). --- CHANGELOG.md | 9 +++++++++ README.md | 4 ++++ docs/configuring-playbook.md | 4 ++++ 3 files changed, 17 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 41a781dc..55466e91 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2020-06-30 + +## Instagram and Twitter bridging support + +Thanks to [Johanna Dorothea Reichmann](https://github.com/jdreichmann)'s efforts, the playbook now supports bridging to [Instagram](https://www.instagram.com/) via the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge. See our [Setting up MX Puppet Instagram bridging](docs/configuring-playbook-bridge-mx-puppet-instagram.md) documentation page for getting started. + +Thanks to [Tulir Asokan](https://github.com/tulir)'s efforts, the playbook now supports bridging to [Twitter](https://twitter.com/) via the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge. See our [Setting up MX Puppet Twitter bridging](docs/configuring-playbook-bridge-mx-puppet-twitter.md) documentation page for getting started. + + # 2020-06-28 ## (Post Mortem / fixed Security Issue) Re-enabling User Directory search powered by the ma1sd Identity Server diff --git a/README.md b/README.md index a0353c52..cea399f5 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation +- (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation + - (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms @@ -154,6 +156,8 @@ This playbook sets up your server using the following Docker images: - [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https:/slack.com) (optional) +- [sorunome/mx-puppet-instagram](https://hub.docker.com/r/sorunome/mx-puppet-instagram) - the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge to [Instagram](https://www.instagram.com) (optional) + - [sorunome/mx-puppet-twitter](https://hub.docker.com/r/sorunome/mx-puppet-twitter) - the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge to [Twitter](https://twitter.com) (optional) - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 208db5bb..ed15cd9f 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -101,6 +101,10 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up MX Puppet Slack bridging](configuring-playbook-bridge-mx-puppet-slack.md) (optional) +- [Setting up MX Puppet Instagram bridging](configuring-playbook-bridge-mx-puppet-instagram.md) (optional) + +- [Setting up MX Puppet Twitter bridging](configuring-playbook-bridge-mx-puppet-twitter.md) (optional) + - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional) - [Setting up Matrix SMS bridging](configuring-playbook-matrix-bridge-sms.md) (optional) From 42e7f5e9bcb9810bf57afb226998cc9af76e6b46 Mon Sep 17 00:00:00 2001 From: Hugues Morisset Date: Thu, 11 Jun 2020 17:54:36 +0200 Subject: [PATCH 1262/2384] Add mx-puppet-discord --- README.md | 2 + ...uring-playbook-bridge-mx-puppet-discord.md | 34 +++++ group_vars/matrix_servers | 30 ++++ .../defaults/main.yml | 95 ++++++++++++ .../tasks/init.yml | 23 +++ .../tasks/main.yml | 21 +++ .../tasks/setup_install.yml | 93 ++++++++++++ .../tasks/setup_uninstall.yml | 24 +++ .../tasks/validate_config.yml | 10 ++ .../templates/config.yaml.j2 | 138 ++++++++++++++++++ .../matrix-mx-puppet-discord.service.j2 | 41 ++++++ setup.yml | 1 + 12 files changed, 512 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mx-puppet-discord.md create mode 100644 roles/matrix-bridge-mx-puppet-discord/defaults/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-discord/tasks/init.yml create mode 100644 roles/matrix-bridge-mx-puppet-discord/tasks/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 diff --git a/README.md b/README.md index cea399f5..9bbfb964 100644 --- a/README.md +++ b/README.md @@ -160,6 +160,8 @@ This playbook sets up your server using the following Docker images: - [sorunome/mx-puppet-twitter](https://hub.docker.com/r/sorunome/mx-puppet-twitter) - the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge to [Twitter](https://twitter.com) (optional) +- [pneumaticat/mx-puppet-discord](https://hub.docker.com/r/pneumaticat/mx-puppet-discord) - the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge to [Disocrd](https:/discordapp.com) (optional) + - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) - [jitsi/web](https://hub.docker.com/r/jitsi/web) - the [Jitsi](https://jitsi.org/) web UI (optional) diff --git a/docs/configuring-playbook-bridge-mx-puppet-discord.md b/docs/configuring-playbook-bridge-mx-puppet-discord.md new file mode 100644 index 00000000..11ca8be6 --- /dev/null +++ b/docs/configuring-playbook-bridge-mx-puppet-discord.md @@ -0,0 +1,34 @@ +# Setting up MX Puppet Discord (optional) + +The playbook can install and configure +[mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) for you. + +See the project page to learn what it does and why it might be useful to you. + +To enable the [Discord](https://discordapp.com/) bridge just use the following +playbook configuration: + + +```yaml +matrix_mx_puppet_discord_enabled: true +matrix_mx_puppet_discord_client_id: "" +matrix_mx_puppet_discord_client_secret: "" +``` + + +## Usage + +Once the bot is enabled you need to start a chat with `Discord Puppet Bridge` with +the handle `@_discordpuppet_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base +domain, not the `matrix.` domain). + +Three authentication methods are available, Legacy Token, OAuth and xoxc token. +See mx-puppet-discord [documentation](https://github.com/matrix-discord/mx-puppet-discord) +for more information about how to configure the bridge. + +Once logged in, send `list` to the bot user to list the available rooms. + +Clicking rooms in the list will result in you receiving an invitation to the +bridged room. + +Also send `help` to the bot to see the commands available. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 68e5487b..1b9d9dfc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -456,6 +456,36 @@ matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_ # ###################################################################### +###################################################################### +# +# matrix-bridge-mx-puppet-discord +# +###################################################################### + +# We don't enable bridges by default. +matrix_mx_puppet_discord_enabled: false + +matrix_mx_puppet_discord_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" + +matrix_mx_puppet_discord_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +matrix_mx_puppet_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" + +matrix_mx_puppet_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}" + +matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +###################################################################### +# +# /matrix-bridge-mx-puppet-discord +# +###################################################################### + ###################################################################### # diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml new file mode 100644 index 00000000..cf7b13be --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -0,0 +1,95 @@ +# Mx Puppet Discord is a Matrix <-> Discord bridge +# See: https://github.com/matrix-discord/mx-puppet-discord + +matrix_mx_puppet_discord_enabled: true + +matrix_mx_puppet_discord_container_image_self_build: false + +# Controls whether the mx-puppet-discord container exposes its HTTP port (tcp/8432 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. +matrix_mx_puppet_discord_container_http_host_bind_port: '' + +matrix_mx_puppet_discord_docker_image: "pneumaticat/mx-puppet-discord:latest" +matrix_mx_puppet_discord_docker_image_force_pull: "{{ matrix_mx_puppet_discord_docker_image.endswith(':latest') }}" + +matrix_mx_puppet_discord_base_path: "{{ matrix_base_data_path }}/mx-puppet-discord" +matrix_mx_puppet_discord_config_path: "{{ matrix_mx_puppet_discord_base_path }}/config" +matrix_mx_puppet_discord_data_path: "{{ matrix_mx_puppet_discord_base_path }}/data" +matrix_mx_puppet_discord_docker_src_files_path: "{{ matrix_mx_puppet_discord_base_path }}/docker-src" + +matrix_mx_puppet_discord_appservice_port: "8432" + +matrix_mx_puppet_discord_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}' +matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}' + +matrix_mx_puppet_discord_client_id: '' +matrix_mx_puppet_discord_client_secret: '' + +# "@user:server.com" to allow specific user +# "@.*:yourserver.com" to allow users on a specific homeserver +# "@.*" to allow anyone +matrix_mx_puppet_discord_provisioning_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Leave empty to disable blacklist +# "@user:server.com" disallow a specific user +# "@.*:yourserver.com" disallow users on a specific homeserver +matrix_mx_puppet_discord_provisioning_blacklist: [] + +# A list of extra arguments to pass to the container +matrix_mx_puppet_discord_container_extra_arguments: [] + +# List of systemd services that matrix-puppet-discord.service depends on. +matrix_mx_puppet_discord_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-puppet-discord.service wants +matrix_mx_puppet_discord_systemd_wanted_services_list: [] + +matrix_mx_puppet_discord_appservice_token: '' +matrix_mx_puppet_discord_homeserver_token: '' + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mx_puppet_discord_login_shared_secret: '' + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mx_puppet_discord_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mx_puppet_discord_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mx_puppet_discord_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mx_puppet_discord_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mx_puppet_discord_configuration_yaml`. + +matrix_mx_puppet_discord_configuration_extension: "{{ matrix_mx_puppet_discord_configuration_extension_yaml|from_yaml if matrix_mx_puppet_discord_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mx_puppet_discord_configuration_yaml`. +matrix_mx_puppet_discord_configuration: "{{ matrix_mx_puppet_discord_configuration_yaml|from_yaml|combine(matrix_mx_puppet_discord_configuration_extension, recursive=True) }}" + +matrix_mx_puppet_discord_registration_yaml: | + as_token: "{{ matrix_mx_puppet_discord_appservice_token }}" + hs_token: "{{ matrix_mx_puppet_discord_homeserver_token }}" + id: discord-puppet + namespaces: + users: + - exclusive: true + regex: '@_discordpuppet_.*:{{ matrix_mx_puppet_discord_homeserver_domain|regex_escape }}' + rooms: [] + aliases: + - exclusive: true + regex: '#_discordpuppet_.*:{{ matrix_mx_puppet_discord_homeserver_domain|regex_escape }}' + protocols: [] + rate_limited: false + sender_localpart: _discordpuppet_bot + url: {{ matrix_mx_puppet_discord_appservice_address }} + +matrix_mx_puppet_discord_registration: "{{ matrix_mx_puppet_discord_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml new file mode 100644 index 00000000..5d461931 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml @@ -0,0 +1,23 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord'] }}" + when: matrix_mx_puppet_discord_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mx_puppet_discord_config_path }}/registration.yaml,dst=/matrix-mx-puppet-discord-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mx-puppet-discord-registration.yaml"] }} + when: matrix_mx_puppet_discord_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/main.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/main.yml new file mode 100644 index 00000000..3ca32335 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mx_puppet_discord_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-discord + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mx_puppet_discord_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-discord + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mx_puppet_discord_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-discord diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml new file mode 100644 index 00000000..e1aef147 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml @@ -0,0 +1,93 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mx-puppet-discord role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- name: Ensure MX Puppet Discord image is pulled + docker_image: + name: "{{ matrix_mx_puppet_discord_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_discord_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_discord_docker_image_force_pull }}" + when: matrix_mx_puppet_discord_enabled|bool and not matrix_mx_puppet_discord_container_image_self_build + +- name: Ensure MX Puppet Discord paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mx_puppet_discord_base_path }}", when: true } + - { path: "{{ matrix_mx_puppet_discord_config_path }}", when: true } + - { path: "{{ matrix_mx_puppet_discord_data_path }}", when: true } + - { path: "{{ matrix_mx_puppet_discord_docker_src_files_path }}", when: "{{ matrix_mx_puppet_discord_container_image_self_build }}" } + when: matrix_mx_puppet_discord_enabled|bool and item.when|bool + +- name: Ensure MX Puppet Discord repository is present on self build + git: + repo: https://github.com/matrix-discord/mx-puppet-discord.git + dest: "{{ matrix_mx_puppet_discord_docker_src_files_path }}" + force: "yes" + when: "matrix_mx_puppet_discord_enabled|bool and matrix_mx_puppet_discord_container_image_self_build" + +- name: Ensure MX Puppet Discord Docker image is built + docker_image: + name: "{{ matrix_mx_puppet_discord_docker_image }}" + source: build + build: + dockerfile: Dockerfile + path: "{{ matrix_mx_puppet_discord_docker_src_files_path }}" + pull: yes + when: "matrix_mx_puppet_discord_enabled|bool and matrix_mx_puppet_discord_container_image_self_build" + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_discord_base_path }}/database.db" + register: matrix_mx_puppet_discord_stat_database + +- name: (Data relocation) Ensure matrix-mx-puppet-discord.service is stopped + service: + name: matrix-mx-puppet-discord + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mx_puppet_discord_stat_database.stat.exists" + +- name: (Data relocation) Move mx-puppet-discord database file to ./data directory + command: "mv {{ matrix_mx_puppet_discord_base_path }}/database.db {{ matrix_mx_puppet_discord_data_path }}/database.db" + when: "matrix_mx_puppet_discord_stat_database.stat.exists" + +- name: Ensure mx-puppet-discord config.yaml installed + copy: + content: "{{ matrix_mx_puppet_discord_configuration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_discord_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mx-puppet-discord discord-registration.yaml installed + copy: + content: "{{ matrix_mx_puppet_discord_registration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_discord_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mx-puppet-discord.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-discord.service.j2" + dest: "/etc/systemd/system/matrix-mx-puppet-discord.service" + mode: 0644 + register: matrix_mx_puppet_discord_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mx-puppet-discord.service installation + service: + daemon_reload: yes + when: "matrix_mx_puppet_discord_systemd_service_result.changed" diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml new file mode 100644 index 00000000..b5b83c98 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mx-puppet-discord service + stat: + path: "/etc/systemd/system/matrix-mx-puppet-discord.service" + register: matrix_mx_puppet_discord_service_stat + +- name: Ensure matrix-mx-puppet-discord is stopped + service: + name: matrix-mx-puppet-discord + state: stopped + daemon_reload: yes + when: "matrix_mx_puppet_discord_service_stat.stat.exists" + +- name: Ensure matrix-mx-puppet-discord.service doesn't exist + file: + path: "/etc/systemd/system/matrix-mx-puppet-discord.service" + state: absent + when: "matrix_mx_puppet_discord_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mx-puppet-discord.service removal + service: + daemon_reload: yes + when: "matrix_mx_puppet_discord_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml new file mode 100644 index 00000000..c253eda2 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mx_puppet_discord_appservice_token" + - "matrix_mx_puppet_discord_homeserver_token" diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 new file mode 100644 index 00000000..2c703796 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 @@ -0,0 +1,138 @@ +#jinja2: lstrip_blocks: "True" +bridge: + # Port to host the bridge on + # Used for communication between the homeserver and the bridge + port: {{ matrix_mx_puppet_discord_appservice_port }} + # The host connections to the bridge's webserver are allowed from + bindAddress: 0.0.0.0 + # Public domain of the homeserver + domain: {{ matrix_mx_puppet_discord_homeserver_domain }} + # Reachable URL of the Matrix homeserver + homeserverUrl: {{ matrix_mx_puppet_discord_homeserver_address }} + {% if matrix_mx_puppet_discord_login_shared_secret != '' %} + loginSharedSecretMap: + {{ matrix_domain }}: {{ matrix_mx_puppet_discord_login_shared_secret }} + {% endif %} + # Display name of the bridge bot + displayname: Discord Puppet Bridge + # Optionally specify a different media URL used for the media store + # + # This is where Discord will download user profile pictures and media + # from + #mediaUrl: https://external-url.org + +presence: + # Bridge Discord online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 500 + +provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: {{ matrix_mx_puppet_discord_provisioning_whitelist|to_json }} + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + #- "@.*:yourserver\\.com" + # Allow anyone + #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_discord_provisioning_blacklist|to_json }} + +relay: + # Regex of Matrix IDs who are allowed to use the bridge in relay mode. + # Relay mode is when a single Discord bot account relays messages of + # multiple Matrix users + # + # Same format as in provisioning + whitelist: {{ matrix_mx_puppet_discord_provisioning_whitelist|to_json }} + blacklist: {{ matrix_mx_puppet_discord_provisioning_blacklist|to_json }} + +selfService: + # Regex of Matrix IDs who are allowed to use bridge self-servicing (plumbed rooms) + # + # Same format as in provisioning + whitelist: {{ matrix_mx_puppet_discord_provisioning_whitelist|to_json }} + blacklist: {{ matrix_mx_puppet_discord_provisioning_blacklist|to_json }} + +# Override the default name patterns for users, rooms and groups +# +# Variable names must be prefixed with a ':' +namePatterns: + # The default displayname for a bridged user + # + # Available variables: + # + # name: username of the user + # discriminator: hashtag of the user (ex. #1234) + user: :name + + # A user's guild-specific displayname - if they've set a custom nick in + # a guild + # + # Available variables: + # + # name: username of the user + # discriminator: hashtag of the user (ex. #1234) + # displayname: the user's custom group-specific nick + # channel: the name of the channel + # guild: the name of the guild + userOverride: :name + + # Room names for bridged Discord channels + # + # Available variables: + # + # name: name of the channel + # guild: name of the guild + room: :name + + # Group names for bridged Discord servers + # + # Available variables: + # + # name: name of the guide + group: :name + +database: + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". + # Modify each value as necessary + #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db + +logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: + # Log file path + - file: "/data/bridge.log" + # Log level for this file + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + level: info + # Date and time formatting + datePattern: YYYY-MM-DD + # Maximum number of logs to keep. + # This can be a number of files or number of days. + # If using days, add 'd' as a suffix + maxFiles: 14d + # Maximum size of the file after which it will rotate. This can be a + # number of bytes, or units of kb, mb, and gb. If using the units, add + # 'k', 'm', or 'g' as the suffix + maxSize: 50m diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 new file mode 100644 index 00000000..e26128ef --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 @@ -0,0 +1,41 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mx Puppet Discord server +{% for service in matrix_mx_puppet_discord_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mx_puppet_discord_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-discord \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -e CONFIG_PATH=/config/config.yaml \ + -e REGISTRATION_PATH=/config/registration.yaml \ + -v {{ matrix_mx_puppet_discord_config_path }}:/config:z \ + -v {{ matrix_mx_puppet_discord_data_path }}:/data:z \ + {% for arg in matrix_mx_puppet_discord_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mx_puppet_discord_docker_image }} + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mx-puppet-discord + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index d9a896cc..92319036 100755 --- a/setup.yml +++ b/setup.yml @@ -16,6 +16,7 @@ - matrix-bridge-mautrix-hangouts - matrix-bridge-mautrix-telegram - matrix-bridge-mautrix-whatsapp + - matrix-bridge-mx-puppet-discord - matrix-bridge-mx-puppet-skype - matrix-bridge-mx-puppet-slack - matrix-bridge-mx-puppet-twitter From eb0df37247dd0b56d9719999806429146f066f56 Mon Sep 17 00:00:00 2001 From: Hugues Morisset Date: Wed, 1 Jul 2020 10:18:29 +0200 Subject: [PATCH 1263/2384] Mx-puppet-discord Use official docker image https://github.com/matrix-discord/mx-puppet-discord/issues/80 Thanks Sorunome for setting up the automated build --- README.md | 2 +- roles/matrix-bridge-mx-puppet-discord/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9bbfb964..c78fd2e6 100644 --- a/README.md +++ b/README.md @@ -160,7 +160,7 @@ This playbook sets up your server using the following Docker images: - [sorunome/mx-puppet-twitter](https://hub.docker.com/r/sorunome/mx-puppet-twitter) - the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge to [Twitter](https://twitter.com) (optional) -- [pneumaticat/mx-puppet-discord](https://hub.docker.com/r/pneumaticat/mx-puppet-discord) - the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge to [Disocrd](https:/discordapp.com) (optional) +- [sorunome/mx-puppet-discord](https://hub.docker.com/r/sorunome/mx-puppet-discord) - the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge to [Discord](https:/discordapp.com) (optional) - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index cf7b13be..12c597d4 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -10,7 +10,7 @@ matrix_mx_puppet_discord_container_image_self_build: false # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_discord_container_http_host_bind_port: '' -matrix_mx_puppet_discord_docker_image: "pneumaticat/mx-puppet-discord:latest" +matrix_mx_puppet_discord_docker_image: "sorunome/mx-puppet-discord:latest" matrix_mx_puppet_discord_docker_image_force_pull: "{{ matrix_mx_puppet_discord_docker_image.endswith(':latest') }}" matrix_mx_puppet_discord_base_path: "{{ matrix_base_data_path }}/mx-puppet-discord" From 76352bcbd8a3a8c4df4d06555589e877b1484959 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Jul 2020 19:01:14 +0300 Subject: [PATCH 1264/2384] Announce mx-puppet-discord bridging support Related to #540 (Github Pull Request). --- CHANGELOG.md | 9 +++++++++ README.md | 4 +++- docs/configuring-playbook-bridge-appservice-discord.md | 2 ++ docs/configuring-playbook-bridge-mx-puppet-discord.md | 2 ++ docs/configuring-playbook.md | 2 ++ 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 55466e91..e7c7c710 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2020-07-01 + +## Discord bridging support via mx-puppet-discord + +Thanks to [Hugues Morisset](https://github.com/izissise)'s efforts, the playbook now supports bridging to [Discord](https://discordapp.com/) via the [mx-puppet-discord](https://github.com/Sorunome/mx-puppet-discord) bridge. See our [Setting up MX Puppet Discord bridging](docs/configuring-playbook-bridge-mx-puppet-discord.md) documentation page for getting started. + +**Note**: this is a new Discord bridge. The playbook still retains Discord bridging via [matrix-appservice-discord](docs/configuring-playbook-bridge-appservice-discord.md). You're free too use the bridge that serves you better, or even both (for different users and use-cases). + + # 2020-06-30 ## Instagram and Twitter bridging support diff --git a/README.md b/README.md index c78fd2e6..765754d1 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,9 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation -- (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation +- (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://discordapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation + +- (optional) the [mx-puppet-discord](https://github.com/Sorunome/mx-puppet-discord) bridge for [Discord](https://twitter.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation - (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index 96f8377e..3e98d69e 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -1,5 +1,7 @@ # Setting up Appservice Discord (optional) +**Note**: bridging to [Discord](https://discordapp.com/) can also happen via the [mx-puppet-discord](configuring-playbook-bridge-mx-puppet-discord.md) bridge supported by the playbook. + The playbook can install and configure [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) for you. See the project's [documentation](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/README.md) to learn what it does and why it might be useful to you. diff --git a/docs/configuring-playbook-bridge-mx-puppet-discord.md b/docs/configuring-playbook-bridge-mx-puppet-discord.md index 11ca8be6..7a3e986c 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-discord.md +++ b/docs/configuring-playbook-bridge-mx-puppet-discord.md @@ -1,5 +1,7 @@ # Setting up MX Puppet Discord (optional) +**Note**: bridging to [Discord](https://discordapp.com/) can also happen via the [matrix-appservice-discord](configuring-playbook-bridge-appservice-discord.md) bridge supported by the playbook. + The playbook can install and configure [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) for you. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index ed15cd9f..9265cc8d 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -105,6 +105,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up MX Puppet Twitter bridging](configuring-playbook-bridge-mx-puppet-twitter.md) (optional) +- [Setting up MX Puppet Discord bridging](configuring-playbook-bridge-mx-puppet-discord.md) (optional) + - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional) - [Setting up Matrix SMS bridging](configuring-playbook-matrix-bridge-sms.md) (optional) From 57f498217a15b351936eaf4d0980094c33886ddc Mon Sep 17 00:00:00 2001 From: Hugues Morisset Date: Wed, 1 Jul 2020 13:46:58 +0200 Subject: [PATCH 1265/2384] Add mx-puppet-steam --- README.md | 2 + ...iguring-playbook-bridge-mx-puppet-steam.md | 34 +++++++ group_vars/matrix_servers | 29 ++++++ .../defaults/main.yml | 95 ++++++++++++++++++ .../tasks/init.yml | 23 +++++ .../tasks/main.yml | 21 ++++ .../tasks/setup_install.yml | 93 +++++++++++++++++ .../tasks/setup_uninstall.yml | 24 +++++ .../tasks/validate_config.yml | 10 ++ .../templates/config.yaml.j2 | 99 +++++++++++++++++++ .../systemd/matrix-mx-puppet-steam.service.j2 | 41 ++++++++ setup.yml | 1 + 12 files changed, 472 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mx-puppet-steam.md create mode 100644 roles/matrix-bridge-mx-puppet-steam/defaults/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-steam/tasks/init.yml create mode 100644 roles/matrix-bridge-mx-puppet-steam/tasks/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 diff --git a/README.md b/README.md index 765754d1..db2b1c30 100644 --- a/README.md +++ b/README.md @@ -164,6 +164,8 @@ This playbook sets up your server using the following Docker images: - [sorunome/mx-puppet-discord](https://hub.docker.com/r/sorunome/mx-puppet-discord) - the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge to [Discord](https:/discordapp.com) (optional) +- [icewind1991/mx-puppet-steam](https://hub.docker.com/r/icewind1991/mx-puppet-steam) - the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge to [Steam](https://steampowered.com) (optional) + - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) - [jitsi/web](https://hub.docker.com/r/jitsi/web) - the [Jitsi](https://jitsi.org/) web UI (optional) diff --git a/docs/configuring-playbook-bridge-mx-puppet-steam.md b/docs/configuring-playbook-bridge-mx-puppet-steam.md new file mode 100644 index 00000000..ab492921 --- /dev/null +++ b/docs/configuring-playbook-bridge-mx-puppet-steam.md @@ -0,0 +1,34 @@ +# Setting up MX Puppet Steam (optional) + +The playbook can install and configure +[mx-puppet-steam](https://github.com/matrix-steam/mx-puppet-steam) for you. + +See the project page to learn what it does and why it might be useful to you. + +To enable the [Steam](https://steamapp.com/) bridge just use the following +playbook configuration: + + +```yaml +matrix_mx_puppet_steam_enabled: true +matrix_mx_puppet_steam_client_id: "" +matrix_mx_puppet_steam_client_secret: "" +``` + + +## Usage + +Once the bot is enabled you need to start a chat with `Steam Puppet Bridge` with +the handle `@_steampuppet_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base +domain, not the `matrix.` domain). + +Three authentication methods are available, Legacy Token, OAuth and xoxc token. +See mx-puppet-steam [documentation](https://github.com/matrix-steam/mx-puppet-steam) +for more information about how to configure the bridge. + +Once logged in, send `list` to the bot user to list the available rooms. + +Clicking rooms in the list will result in you receiving an invitation to the +bridged room. + +Also send `help` to the bot to see the commands available. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1b9d9dfc..b8af1894 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -486,6 +486,35 @@ matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_pr # ###################################################################### +###################################################################### +# +# matrix-bridge-mx-puppet-steam +# +###################################################################### + +# We don't enable bridges by default. +matrix_mx_puppet_steam_enabled: false + +matrix_mx_puppet_steam_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" + +matrix_mx_puppet_steam_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +matrix_mx_puppet_steam_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" + +matrix_mx_puppet_steam_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" + +matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +###################################################################### +# +# /matrix-bridge-mx-puppet-steam +# +###################################################################### ###################################################################### # diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml new file mode 100644 index 00000000..bea26d39 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -0,0 +1,95 @@ +# Mx Puppet Steam is a Matrix <-> Steam bridge +# See: https://github.com/matrix-steam/mx-puppet-steam + +matrix_mx_puppet_steam_enabled: true + +matrix_mx_puppet_steam_container_image_self_build: false + +# Controls whether the mx-puppet-steam container exposes its HTTP port (tcp/8432 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. +matrix_mx_puppet_steam_container_http_host_bind_port: '' + +matrix_mx_puppet_steam_docker_image: "icewind1991/mx-puppet-steam:latest" +matrix_mx_puppet_steam_docker_image_force_pull: "{{ matrix_mx_puppet_steam_docker_image.endswith(':latest') }}" + +matrix_mx_puppet_steam_base_path: "{{ matrix_base_data_path }}/mx-puppet-steam" +matrix_mx_puppet_steam_config_path: "{{ matrix_mx_puppet_steam_base_path }}/config" +matrix_mx_puppet_steam_data_path: "{{ matrix_mx_puppet_steam_base_path }}/data" +matrix_mx_puppet_steam_docker_src_files_path: "{{ matrix_mx_puppet_steam_base_path }}/docker-src" + +matrix_mx_puppet_steam_appservice_port: "8432" + +matrix_mx_puppet_steam_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_steam_homeserver_domain: '{{ matrix_domain }}' +matrix_mx_puppet_steam_appservice_address: 'http://matrix-mx-puppet-steam:{{ matrix_mx_puppet_steam_appservice_port }}' + +matrix_mx_puppet_steam_client_id: '' +matrix_mx_puppet_steam_client_secret: '' + +# "@user:server.com" to allow specific user +# "@.*:yourserver.com" to allow users on a specific homeserver +# "@.*" to allow anyone +matrix_mx_puppet_steam_provisioning_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Leave empty to disable blacklist +# "@user:server.com" disallow a specific user +# "@.*:yourserver.com" disallow users on a specific homeserver +matrix_mx_puppet_steam_provisioning_blacklist: [] + +# A list of extra arguments to pass to the container +matrix_mx_puppet_steam_container_extra_arguments: [] + +# List of systemd services that matrix-puppet-steam.service depends on. +matrix_mx_puppet_steam_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-puppet-steam.service wants +matrix_mx_puppet_steam_systemd_wanted_services_list: [] + +matrix_mx_puppet_steam_appservice_token: '' +matrix_mx_puppet_steam_homeserver_token: '' + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mx_puppet_steam_login_shared_secret: '' + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mx_puppet_steam_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mx_puppet_steam_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mx_puppet_steam_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mx_puppet_steam_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mx_puppet_steam_configuration_yaml`. + +matrix_mx_puppet_steam_configuration_extension: "{{ matrix_mx_puppet_steam_configuration_extension_yaml|from_yaml if matrix_mx_puppet_steam_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mx_puppet_steam_configuration_yaml`. +matrix_mx_puppet_steam_configuration: "{{ matrix_mx_puppet_steam_configuration_yaml|from_yaml|combine(matrix_mx_puppet_steam_configuration_extension, recursive=True) }}" + +matrix_mx_puppet_steam_registration_yaml: | + as_token: "{{ matrix_mx_puppet_steam_appservice_token }}" + hs_token: "{{ matrix_mx_puppet_steam_homeserver_token }}" + id: steam-puppet + namespaces: + users: + - exclusive: true + regex: '@_steampuppet_.*:{{ matrix_mx_puppet_steam_homeserver_domain|regex_escape }}' + rooms: [] + aliases: + - exclusive: true + regex: '#_steampuppet_.*:{{ matrix_mx_puppet_steam_homeserver_domain|regex_escape }}' + protocols: [] + rate_limited: false + sender_localpart: _steampuppet_bot + url: {{ matrix_mx_puppet_steam_appservice_address }} + +matrix_mx_puppet_steam_registration: "{{ matrix_mx_puppet_steam_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml new file mode 100644 index 00000000..60b66074 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml @@ -0,0 +1,23 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam'] }}" + when: matrix_mx_puppet_steam_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mx_puppet_steam_config_path }}/registration.yaml,dst=/matrix-mx-puppet-steam-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mx-puppet-steam-registration.yaml"] }} + when: matrix_mx_puppet_steam_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/main.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/main.yml new file mode 100644 index 00000000..cd6bb147 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mx_puppet_steam_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-steam + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mx_puppet_steam_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-steam + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mx_puppet_steam_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-steam diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml new file mode 100644 index 00000000..3a2fa762 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml @@ -0,0 +1,93 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mx-puppet-steam role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- name: Ensure MX Puppet Steam image is pulled + docker_image: + name: "{{ matrix_mx_puppet_steam_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_steam_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_steam_docker_image_force_pull }}" + when: matrix_mx_puppet_steam_enabled|bool and not matrix_mx_puppet_steam_container_image_self_build + +- name: Ensure MX Puppet Steam paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mx_puppet_steam_base_path }}", when: true } + - { path: "{{ matrix_mx_puppet_steam_config_path }}", when: true } + - { path: "{{ matrix_mx_puppet_steam_data_path }}", when: true } + - { path: "{{ matrix_mx_puppet_steam_docker_src_files_path }}", when: "{{ matrix_mx_puppet_steam_container_image_self_build }}" } + when: matrix_mx_puppet_steam_enabled|bool and item.when|bool + +- name: Ensure MX Puppet Steam repository is present on self build + git: + repo: https://github.com/matrix-steam/mx-puppet-steam.git + dest: "{{ matrix_mx_puppet_steam_docker_src_files_path }}" + force: "yes" + when: "matrix_mx_puppet_steam_enabled|bool and matrix_mx_puppet_steam_container_image_self_build" + +- name: Ensure MX Puppet Steam Docker image is built + docker_image: + name: "{{ matrix_mx_puppet_steam_docker_image }}" + source: build + build: + dockerfile: Dockerfile + path: "{{ matrix_mx_puppet_steam_docker_src_files_path }}" + pull: yes + when: "matrix_mx_puppet_steam_enabled|bool and matrix_mx_puppet_steam_container_image_self_build" + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_steam_base_path }}/database.db" + register: matrix_mx_puppet_steam_stat_database + +- name: (Data relocation) Ensure matrix-mx-puppet-steam.service is stopped + service: + name: matrix-mx-puppet-steam + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mx_puppet_steam_stat_database.stat.exists" + +- name: (Data relocation) Move mx-puppet-steam database file to ./data directory + command: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db" + when: "matrix_mx_puppet_steam_stat_database.stat.exists" + +- name: Ensure mx-puppet-steam config.yaml installed + copy: + content: "{{ matrix_mx_puppet_steam_configuration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_steam_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mx-puppet-steam steam-registration.yaml installed + copy: + content: "{{ matrix_mx_puppet_steam_registration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_steam_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mx-puppet-steam.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-steam.service.j2" + dest: "/etc/systemd/system/matrix-mx-puppet-steam.service" + mode: 0644 + register: matrix_mx_puppet_steam_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mx-puppet-steam.service installation + service: + daemon_reload: yes + when: "matrix_mx_puppet_steam_systemd_service_result.changed" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml new file mode 100644 index 00000000..1ee95eb3 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mx-puppet-steam service + stat: + path: "/etc/systemd/system/matrix-mx-puppet-steam.service" + register: matrix_mx_puppet_steam_service_stat + +- name: Ensure matrix-mx-puppet-steam is stopped + service: + name: matrix-mx-puppet-steam + state: stopped + daemon_reload: yes + when: "matrix_mx_puppet_steam_service_stat.stat.exists" + +- name: Ensure matrix-mx-puppet-steam.service doesn't exist + file: + path: "/etc/systemd/system/matrix-mx-puppet-steam.service" + state: absent + when: "matrix_mx_puppet_steam_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mx-puppet-steam.service removal + service: + daemon_reload: yes + when: "matrix_mx_puppet_steam_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml new file mode 100644 index 00000000..a8bc6a42 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mx_puppet_steam_appservice_token" + - "matrix_mx_puppet_steam_homeserver_token" diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 new file mode 100644 index 00000000..d08982ca --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 @@ -0,0 +1,99 @@ +#jinja2: lstrip_blocks: "True" +bridge: + # Port to host the bridge on + # Used for communication between the homeserver and the bridge + port: {{ matrix_mx_puppet_steam_appservice_port }} + # The host connections to the bridge's webserver are allowed from + bindAddress: 0.0.0.0 + # Public domain of the homeserver + domain: {{ matrix_mx_puppet_steam_homeserver_domain }} + # Reachable URL of the Matrix homeserver + homeserverUrl: {{ matrix_mx_puppet_steam_homeserver_address }} + {% if matrix_mx_puppet_steam_login_shared_secret != '' %} + loginSharedSecretMap: + {{ matrix_domain }}: {{ matrix_mx_puppet_steam_login_shared_secret }} + {% endif %} + # Display name of the bridge bot + displayname: Steam Puppet Bridge + # Optionally specify a different media URL used for the media store + # + # This is where Steam will download user profile pictures and media + # from + #mediaUrl: https://external-url.org + +presence: + # Bridge Steam online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 5000 + +provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: {{ matrix_mx_puppet_steam_provisioning_whitelist|to_json }} + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + #- "@.*:yourserver\\.com" + # Allow anyone + #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_steam_provisioning_blacklist|to_json }} + +relay: + # Regex of Matrix IDs who are allowed to use the bridge in relay mode. + # Relay mode is when a single Steam bot account relays messages of + # multiple Matrix users + # + # Same format as in provisioning + whitelist: {{ matrix_mx_puppet_steam_provisioning_whitelist|to_json }} + blacklist: {{ matrix_mx_puppet_steam_provisioning_blacklist|to_json }} + +selfService: + # Regex of Matrix IDs who are allowed to use bridge self-servicing (plumbed rooms) + # + # Same format as in provisioning + whitelist: {{ matrix_mx_puppet_steam_provisioning_whitelist|to_json }} + blacklist: {{ matrix_mx_puppet_steam_provisioning_blacklist|to_json }} + +database: + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". + # Modify each value as necessary + #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db + +logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: + # Log file path + - file: "/data/bridge.log" + # Log level for this file + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + level: info + # Date and time formatting + datePattern: YYYY-MM-DD + # Maximum number of logs to keep. + # This can be a number of files or number of days. + # If using days, add 'd' as a suffix + maxFiles: 14d + # Maximum size of the file after which it will rotate. This can be a + # number of bytes, or units of kb, mb, and gb. If using the units, add + # 'k', 'm', or 'g' as the suffix + maxSize: 50m diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 new file mode 100644 index 00000000..53518d42 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 @@ -0,0 +1,41 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mx Puppet Steam server +{% for service in matrix_mx_puppet_steam_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mx_puppet_steam_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-steam \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -e CONFIG_PATH=/config/config.yaml \ + -e REGISTRATION_PATH=/config/registration.yaml \ + -v {{ matrix_mx_puppet_steam_config_path }}:/config:z \ + -v {{ matrix_mx_puppet_steam_data_path }}:/data:z \ + {% for arg in matrix_mx_puppet_steam_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mx_puppet_steam_docker_image }} + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mx-puppet-steam + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 92319036..372664a6 100755 --- a/setup.yml +++ b/setup.yml @@ -17,6 +17,7 @@ - matrix-bridge-mautrix-telegram - matrix-bridge-mautrix-whatsapp - matrix-bridge-mx-puppet-discord + - matrix-bridge-mx-puppet-steam - matrix-bridge-mx-puppet-skype - matrix-bridge-mx-puppet-slack - matrix-bridge-mx-puppet-twitter From 78382b0ce480be00669e1d5841076b747ec4f28e Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Thu, 2 Jul 2020 10:38:25 -0500 Subject: [PATCH 1266/2384] Upgrade Synapse (1.15.1 -> 1.15.2) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a03740bb..d9b5b61d 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.15.1" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.15.2" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From a8f7ccf3f32e6f81e2acd4c67d848fffcb82e901 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Jul 2020 12:10:57 +0300 Subject: [PATCH 1267/2384] Announce mx-puppet-steam bridging support Related to #557 (Github Pull Request). --- CHANGELOG.md | 7 +++++++ README.md | 2 ++ docs/configuring-playbook.md | 2 ++ 3 files changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e7c7c710..881bb00a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +# 2020-07-03 + +## Steam bridging support via mx-puppet-steam + +Thanks to [Hugues Morisset](https://github.com/izissise)'s efforts, the playbook now supports bridging to [Steam](https://steamapp.com/) via the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge. See our [Setting up MX Puppet Steam bridging](docs/configuring-playbook-bridge-mx-puppet-steam.md) documentation page for getting started. + + # 2020-07-01 ## Discord bridging support via mx-puppet-discord diff --git a/README.md b/README.md index db2b1c30..65fa8c08 100644 --- a/README.md +++ b/README.md @@ -58,6 +58,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mx-puppet-discord](https://github.com/Sorunome/mx-puppet-discord) bridge for [Discord](https://twitter.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation +- (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation + - (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 9265cc8d..7e81d3a7 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -107,6 +107,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up MX Puppet Discord bridging](configuring-playbook-bridge-mx-puppet-discord.md) (optional) +- [Setting up MX Puppet Steam bridging](configuring-playbook-bridge-mx-puppet-steam.md) (optional) + - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional) - [Setting up Matrix SMS bridging](configuring-playbook-matrix-bridge-sms.md) (optional) From b08ee2f2fa4b6498912a6b0fa4b833ef37527c6e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Jul 2020 13:10:59 +0300 Subject: [PATCH 1268/2384] Move Jitsi container image tag to a variable Related to #554 (Github Pull Request). --- roles/matrix-jitsi/defaults/main.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 531a9d37..37ee0fdd 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -49,8 +49,9 @@ matrix_jitsi_jibri_xmpp_password: '' matrix_jitsi_jibri_recorder_user: recorder matrix_jitsi_jibri_recorder_password: '' +matrix_jitsi_container_image_tag: "stable-4627-1" -matrix_jitsi_web_docker_image: "jitsi/web:stable-4627-1" +matrix_jitsi_web_docker_image: "jitsi/web:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" @@ -111,7 +112,7 @@ matrix_jitsi_web_config_constraints_video_height_ideal: 720 matrix_jitsi_web_config_constraints_video_height_max: 720 matrix_jitsi_web_config_constraints_video_height_min: 240 -matrix_jitsi_prosody_docker_image: "jitsi/prosody:stable-4627-1" +matrix_jitsi_prosody_docker_image: "jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -125,7 +126,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:stable-4627-1" +matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -142,7 +143,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "jitsi/jvb:stable-4627-1" +matrix_jitsi_jvb_docker_image: "jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" From 1f21f0c09ad16d56404e6f9e0bc5b4d2b0ec13d7 Mon Sep 17 00:00:00 2001 From: Justin Croonenberghs Date: Fri, 3 Jul 2020 18:33:25 -0500 Subject: [PATCH 1269/2384] Add variables for reCAPTCHA validation --- docs/configuring-captcha.md | 24 +++++++++++++++++++ docs/configuring-playbook-ma1sd.md | 2 ++ roles/matrix-synapse/defaults/main.yml | 5 ++++ .../templates/synapse/homeserver.yaml.j2 | 6 ++--- 4 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 docs/configuring-captcha.md diff --git a/docs/configuring-captcha.md b/docs/configuring-captcha.md new file mode 100644 index 00000000..5183b92b --- /dev/null +++ b/docs/configuring-captcha.md @@ -0,0 +1,24 @@ +(Adapted from the [upstream project](https://github.com/matrix-org/synapse/blob/develop/docs/CAPTCHA_SETUP.md)) + +# Overview +Captcha can be enabled for this home server. This file explains how to do that. +The captcha mechanism used is Google's ReCaptcha. This requires API keys from Google. + +## Getting keys + +Requires a site/secret key pair from: + + + +Must be a reCAPTCHA v2 key using the "I'm not a robot" Checkbox option + +## Setting ReCaptcha Keys + +Once registered as above, set the following values: + + matrix_synapse_recaptcha_public_key: 'YOUR_SITE_KEY' + matrix_synapse_recaptcha_private_key: 'YOUR_SECRET_KEY' + +In addition, you MUST enable captchas via: + + matrix_synapse_enable_registration_captcha: true diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md index 03d1ecde..06a5a5b9 100644 --- a/docs/configuring-playbook-ma1sd.md +++ b/docs/configuring-playbook-ma1sd.md @@ -31,6 +31,8 @@ To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/featu - `matrix_synapse_enable_registration` - to enable user-initiated registration in Synapse +- `matrix_synapse_enable_registration_captcha` - to validate registering users using reCAPTCHA, as described in the [enabling reCAPTCHA](configuring_captcha.md) documentation. + - `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering - variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d9b5b61d..ee38b179 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -162,6 +162,11 @@ matrix_synapse_allow_public_rooms_over_federation: false # Controls whether people with access to the homeserver can register by themselves. matrix_synapse_enable_registration: false +# reCAPTCHA API for validating registration attempts +matrix_synapse_enable_registration_captcha: false +matrix_synapse_recaptcha_public_key: '' +matrix_synapse_recaptcha_private_key: '' + # Allows non-server-admin users to create groups on this server matrix_synapse_enable_group_creation: false diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 93cf4396..e0b57f69 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -934,18 +934,18 @@ url_preview_accept_language: # This homeserver's ReCAPTCHA public key. Must be specified if # enable_registration_captcha is enabled. # -#recaptcha_public_key: "YOUR_PUBLIC_KEY" +#recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key }} # This homeserver's ReCAPTCHA private key. Must be specified if # enable_registration_captcha is enabled. # -#recaptcha_private_key: "YOUR_PRIVATE_KEY" +#recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key }} # Uncomment to enable ReCaptcha checks when registering, preventing signup # unless a captcha is answered. Requires a valid ReCaptcha # public/private key. Defaults to 'false'. # -#enable_registration_captcha: true +enable_registration_captcha: {{ matrix_synapse_enable_registration_captcha }} # The API endpoint to use for verifying m.login.recaptcha responses. # Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". From 35c2655fa46a4f981c6c969511faf37d13129a4b Mon Sep 17 00:00:00 2001 From: Justin Croonenberghs Date: Fri, 3 Jul 2020 19:01:03 -0500 Subject: [PATCH 1270/2384] Removed troublesome #s --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index e0b57f69..3cbb5a78 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -934,12 +934,12 @@ url_preview_accept_language: # This homeserver's ReCAPTCHA public key. Must be specified if # enable_registration_captcha is enabled. # -#recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key }} +recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key }} # This homeserver's ReCAPTCHA private key. Must be specified if # enable_registration_captcha is enabled. # -#recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key }} +recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key }} # Uncomment to enable ReCaptcha checks when registering, preventing signup # unless a captcha is answered. Requires a valid ReCaptcha From b2a0830638db5d7475849054c83b65d02e3730a1 Mon Sep 17 00:00:00 2001 From: Justin Croonenberghs Date: Fri, 3 Jul 2020 19:10:00 -0500 Subject: [PATCH 1271/2384] Better URL for reCAPTCHA doc --- docs/configuring-captcha.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-captcha.md b/docs/configuring-captcha.md index 5183b92b..208dfdee 100644 --- a/docs/configuring-captcha.md +++ b/docs/configuring-captcha.md @@ -8,7 +8,7 @@ The captcha mechanism used is Google's ReCaptcha. This requires API keys from Go Requires a site/secret key pair from: - + Must be a reCAPTCHA v2 key using the "I'm not a robot" Checkbox option From f758ee90cb386899908403b19d74aec5b1b1946e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 4 Jul 2020 09:31:52 +0300 Subject: [PATCH 1272/2384] Add |to_json to some values --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 3cbb5a78..a02eb48f 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -934,18 +934,18 @@ url_preview_accept_language: # This homeserver's ReCAPTCHA public key. Must be specified if # enable_registration_captcha is enabled. # -recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key }} +recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key|to_json }} # This homeserver's ReCAPTCHA private key. Must be specified if # enable_registration_captcha is enabled. # -recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key }} +recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key|to_json }} # Uncomment to enable ReCaptcha checks when registering, preventing signup # unless a captcha is answered. Requires a valid ReCaptcha # public/private key. Defaults to 'false'. # -enable_registration_captcha: {{ matrix_synapse_enable_registration_captcha }} +enable_registration_captcha: {{ matrix_synapse_enable_registration_captcha|to_json }} # The API endpoint to use for verifying m.login.recaptcha responses. # Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". From f7e4281751ce619f71acd26ea00f9b2942c02798 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 4 Jul 2020 09:35:20 +0300 Subject: [PATCH 1273/2384] Simplify enabling recaptcha instructions a bit --- docs/configuring-captcha.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/docs/configuring-captcha.md b/docs/configuring-captcha.md index 208dfdee..d137cf99 100644 --- a/docs/configuring-captcha.md +++ b/docs/configuring-captcha.md @@ -2,7 +2,7 @@ # Overview Captcha can be enabled for this home server. This file explains how to do that. -The captcha mechanism used is Google's ReCaptcha. This requires API keys from Google. +The captcha mechanism used is Google's [ReCaptcha](https://www.google.com/recaptcha/). This requires API keys from Google. ## Getting keys @@ -10,15 +10,14 @@ Requires a site/secret key pair from: -Must be a reCAPTCHA v2 key using the "I'm not a robot" Checkbox option +Must be a reCAPTCHA **v2** key using the "I'm not a robot" Checkbox option ## Setting ReCaptcha Keys Once registered as above, set the following values: - matrix_synapse_recaptcha_public_key: 'YOUR_SITE_KEY' - matrix_synapse_recaptcha_private_key: 'YOUR_SECRET_KEY' - -In addition, you MUST enable captchas via: - - matrix_synapse_enable_registration_captcha: true +```yaml +matrix_synapse_enable_registration_captcha: true +matrix_synapse_recaptcha_public_key: 'YOUR_SITE_KEY' +matrix_synapse_recaptcha_private_key: 'YOUR_SECRET_KEY' +``` From eb2766386f727ddf31844df6c1634884e274d2da Mon Sep 17 00:00:00 2001 From: dasTholo Date: Sat, 4 Jul 2020 10:17:46 +0200 Subject: [PATCH 1274/2384] swap links --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 65fa8c08..22e08e1c 100644 --- a/README.md +++ b/README.md @@ -54,9 +54,9 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation -- (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://discordapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation +- (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation -- (optional) the [mx-puppet-discord](https://github.com/Sorunome/mx-puppet-discord) bridge for [Discord](https://twitter.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation +- (optional) the [mx-puppet-discord](https://github.com/Sorunome/mx-puppet-discord) bridge for [Discord](https://discordapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation - (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation From e2a5278d417718d68c41daca500308ca2649e135 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 4 Jul 2020 14:18:37 +0300 Subject: [PATCH 1275/2384] Fix some other swapped Twitter/Discord references --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 22e08e1c..dda85cb3 100644 --- a/README.md +++ b/README.md @@ -54,9 +54,9 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation -- (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation +- (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation -- (optional) the [mx-puppet-discord](https://github.com/Sorunome/mx-puppet-discord) bridge for [Discord](https://discordapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation +- (optional) the [mx-puppet-discord](https://github.com/Sorunome/mx-puppet-discord) bridge for [Discord](https://discordapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation - (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation From b6b5435746edd916703f487b6b04825e4e6b9df6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 4 Jul 2020 14:20:02 +0300 Subject: [PATCH 1276/2384] Fix some broken links --- docs/configuring-playbook-bridge-mx-puppet-steam.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-mx-puppet-steam.md b/docs/configuring-playbook-bridge-mx-puppet-steam.md index ab492921..b64e6711 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-steam.md +++ b/docs/configuring-playbook-bridge-mx-puppet-steam.md @@ -1,7 +1,7 @@ # Setting up MX Puppet Steam (optional) The playbook can install and configure -[mx-puppet-steam](https://github.com/matrix-steam/mx-puppet-steam) for you. +[mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) for you. See the project page to learn what it does and why it might be useful to you. @@ -23,7 +23,7 @@ the handle `@_steampuppet_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). Three authentication methods are available, Legacy Token, OAuth and xoxc token. -See mx-puppet-steam [documentation](https://github.com/matrix-steam/mx-puppet-steam) +See mx-puppet-steam [documentation](https://github.com/icewind1991/mx-puppet-steam) for more information about how to configure the bridge. Once logged in, send `list` to the bot user to list the available rooms. From 6293f1bdb0f11a60a97e65410d7b751834985d20 Mon Sep 17 00:00:00 2001 From: shadow Date: Sat, 4 Jul 2020 13:33:33 +0200 Subject: [PATCH 1277/2384] Run all API self checks in check_mode --- roles/matrix-corporal/tasks/self_check_corporal.yml | 1 + roles/matrix-ma1sd/tasks/self_check_ma1sd.yml | 1 + roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml | 2 ++ roles/matrix-riot-web/tasks/self_check_riot_web.yml | 1 + roles/matrix-synapse/tasks/self_check_client_api.yml | 1 + roles/matrix-synapse/tasks/self_check_federation_api.yml | 1 + 6 files changed, 7 insertions(+) diff --git a/roles/matrix-corporal/tasks/self_check_corporal.yml b/roles/matrix-corporal/tasks/self_check_corporal.yml index d1561757..f7c15109 100644 --- a/roles/matrix-corporal/tasks/self_check_corporal.yml +++ b/roles/matrix-corporal/tasks/self_check_corporal.yml @@ -8,6 +8,7 @@ url: "{{ corporal_client_api_url_endpoint_public }}" follow_redirects: none return_content: true + check_mode: no register: result_corporal_client_api ignore_errors: true diff --git a/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml index 2e081263..b8a7faaa 100644 --- a/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml +++ b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml @@ -8,6 +8,7 @@ url: "{{ ma1sd_url_endpoint_public }}" follow_redirects: none validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}" + check_mode: no register: result_ma1sd ignore_errors: true diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml index e7a4cfac..2cf1ef06 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml @@ -12,6 +12,7 @@ follow_redirects: none return_content: true validate_certs: "{{ well_known_file_check.validate_certs }}" + check_mode: no register: result_well_known_matrix ignore_errors: true @@ -39,6 +40,7 @@ follow_redirects: "{{ well_known_file_check.follow_redirects }}" return_content: true validate_certs: "{{ well_known_file_check.validate_certs }}" + check_mode: no register: result_well_known_identity ignore_errors: true diff --git a/roles/matrix-riot-web/tasks/self_check_riot_web.yml b/roles/matrix-riot-web/tasks/self_check_riot_web.yml index 1a845b3e..4c3e2b4b 100644 --- a/roles/matrix-riot-web/tasks/self_check_riot_web.yml +++ b/roles/matrix-riot-web/tasks/self_check_riot_web.yml @@ -9,6 +9,7 @@ follow_redirects: none validate_certs: "{{ matrix_riot_web_self_check_validate_certificates }}" register: result_riot_web + check_mode: no ignore_errors: true - name: Fail if riot-web not working diff --git a/roles/matrix-synapse/tasks/self_check_client_api.yml b/roles/matrix-synapse/tasks/self_check_client_api.yml index fc691cc6..30244d50 100644 --- a/roles/matrix-synapse/tasks/self_check_client_api.yml +++ b/roles/matrix-synapse/tasks/self_check_client_api.yml @@ -7,6 +7,7 @@ validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" register: result_matrix_synapse_client_api ignore_errors: true + check_mode: no when: matrix_synapse_enabled|bool - name: Fail if Matrix Client API not working diff --git a/roles/matrix-synapse/tasks/self_check_federation_api.yml b/roles/matrix-synapse/tasks/self_check_federation_api.yml index 2a716d6b..57c9e56b 100644 --- a/roles/matrix-synapse/tasks/self_check_federation_api.yml +++ b/roles/matrix-synapse/tasks/self_check_federation_api.yml @@ -7,6 +7,7 @@ validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" register: result_matrix_synapse_federation_api ignore_errors: true + check_mode: no when: matrix_synapse_enabled|bool - name: Fail if Matrix Federation API not working From 8b19ceb6fc1cbe32e5939cb754d5f8b8a7cd5d73 Mon Sep 17 00:00:00 2001 From: Panagiotis Vasilopoulos Date: Sun, 5 Jul 2020 10:26:34 +0300 Subject: [PATCH 1278/2384] Fixed Steam link --- docs/configuring-playbook-bridge-mx-puppet-steam.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-mx-puppet-steam.md b/docs/configuring-playbook-bridge-mx-puppet-steam.md index b64e6711..616efbe2 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-steam.md +++ b/docs/configuring-playbook-bridge-mx-puppet-steam.md @@ -5,7 +5,7 @@ The playbook can install and configure See the project page to learn what it does and why it might be useful to you. -To enable the [Steam](https://steamapp.com/) bridge just use the following +To enable the [Steam](https://steampowered.com/) bridge just use the following playbook configuration: From baed917a134236991c65229e892542976a19752e Mon Sep 17 00:00:00 2001 From: Panagiotis Vasilopoulos Date: Sun, 5 Jul 2020 23:28:03 +0300 Subject: [PATCH 1279/2384] Fixed repository link for mx-puppet-steam - https://github.com/icewind1991/mx-puppet-steam is the link that's referenced by the documentation. - The previous link, https://github.com/matrix-steam/mx-puppet-steam, is invalid/inaccessible to the public. --- roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index 3a2fa762..be41c645 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml @@ -32,7 +32,7 @@ - name: Ensure MX Puppet Steam repository is present on self build git: - repo: https://github.com/matrix-steam/mx-puppet-steam.git + repo: https://github.com/icewind1991/mx-puppet-steam.git dest: "{{ matrix_mx_puppet_steam_docker_src_files_path }}" force: "yes" when: "matrix_mx_puppet_steam_enabled|bool and matrix_mx_puppet_steam_container_image_self_build" From 227f1a28e38f804d95ffe720e17bc724ab10546a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Jul 2020 11:05:34 +0300 Subject: [PATCH 1280/2384] Allow matrix_user_uid/matrix_user_gid to be specified manually --- roles/matrix-base/defaults/main.yml | 6 ++++++ roles/matrix-base/tasks/setup_matrix_user.yml | 2 ++ roles/matrix-base/tasks/validate_config.yml | 10 ---------- 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 804da22c..0cdd6e32 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -26,6 +26,12 @@ matrix_federation_public_port: 8448 matrix_user_username: "matrix" matrix_user_groupname: "matrix" +# By default, the playbook creates the user (`matrix_user_username`) +# and group (`matrix_user_groupname`) with a random id. +# To use a specific user/group id, override these variables. +matrix_user_uid: ~ +matrix_user_gid: ~ + matrix_base_data_path: "/matrix" matrix_base_data_path_mode: "750" diff --git a/roles/matrix-base/tasks/setup_matrix_user.yml b/roles/matrix-base/tasks/setup_matrix_user.yml index 700201a8..295643e9 100644 --- a/roles/matrix-base/tasks/setup_matrix_user.yml +++ b/roles/matrix-base/tasks/setup_matrix_user.yml @@ -3,6 +3,7 @@ - name: Ensure Matrix group is created group: name: "{{ matrix_user_groupname }}" + gid: "{{ omit if matrix_user_gid is none else matrix_user_gid }}" state: present register: matrix_group @@ -13,6 +14,7 @@ - name: Ensure Matrix user is created user: name: "{{ matrix_user_username }}" + uid: "{{ omit if matrix_user_uid is none else matrix_user_uid }}" state: present group: "{{ matrix_user_groupname }}" register: matrix_user diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml index 52686619..ed97d539 100644 --- a/roles/matrix-base/tasks/validate_config.yml +++ b/roles/matrix-base/tasks/validate_config.yml @@ -1,11 +1 @@ --- - -- name: (Deprecation) Warn about unused user/group variables - fail: - msg: > - The `{{ item }}` variable defined in your configuration is not used by this playbook anymore. - User/group creation is now dynamic. You can remove these variables from your configuration, as they have no effect on anything. - when: "item in vars" - with_items: - - 'matrix_user_uid' - - 'matrix_user_gid' From 18ab677a963745e23f95a8ba90a02d731094d0c8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Jul 2020 00:22:47 +0300 Subject: [PATCH 1281/2384] Remove useless file --- roles/matrix-synapse/templates/synapse/env-synapse.j2 | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 roles/matrix-synapse/templates/synapse/env-synapse.j2 diff --git a/roles/matrix-synapse/templates/synapse/env-synapse.j2 b/roles/matrix-synapse/templates/synapse/env-synapse.j2 deleted file mode 100644 index c0f4b647..00000000 --- a/roles/matrix-synapse/templates/synapse/env-synapse.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#jinja2: lstrip_blocks: "True" -SYNAPSE_CONFIG_PATH=/data/homeserver.yaml -SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} From 928982cffecc6b73988ed478b84a8e8fffb1c76e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Jul 2020 14:08:46 +0300 Subject: [PATCH 1282/2384] Upgrade Synapse (v1.15.2 -> v1.16.0) --- roles/matrix-synapse/defaults/main.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 85 ++++++++++++++++++- 2 files changed, 82 insertions(+), 5 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index ee38b179..6fc7eab2 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.15.2" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.16.0" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index a02eb48f..fb432f87 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -288,7 +288,7 @@ listeners: # number of monthly active users. # # 'limit_usage_by_mau' disables/enables monthly active user blocking. When -# anabled and a limit is reached the server returns a 'ResourceLimitError' +# enabled and a limit is reached the server returns a 'ResourceLimitError' # with error type Codes.RESOURCE_LIMIT_EXCEEDED # # 'max_mau_value' is the hard limit of monthly active users above which @@ -1182,7 +1182,11 @@ account_threepid_delegates: #enable_3pid_changes: false # Users who register on this homeserver will automatically be joined -# to these rooms +# to these rooms. +# +# By default, any room aliases included in this list will be created +# as a publicly joinable room when the first user registers for the +# homeserver. This behaviour can be customised with the settings below. # #auto_join_rooms: # - "#example:example.com" @@ -1194,11 +1198,63 @@ auto_join_rooms: # Where auto_join_rooms are specified, setting this flag ensures that the # the rooms exist by creating them when the first user on the # homeserver registers. +# +# By default the auto-created rooms are publicly joinable from any federated +# server. Use the autocreate_auto_join_rooms_federated and +# autocreate_auto_join_room_preset settings below to customise this behaviour. +# # Setting to false means that if the rooms are not manually created, # users cannot be auto-joined since they do not exist. # +# Defaults to true. Uncomment the following line to disable automatically +# creating auto-join rooms. +# autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json }} +# Whether the auto_join_rooms that are auto-created are available via +# federation. Only has an effect if autocreate_auto_join_rooms is true. +# +# Note that whether a room is federated cannot be modified after +# creation. +# +# Defaults to true: the room will be joinable from other servers. +# Uncomment the following to prevent users from other homeservers from +# joining these rooms. +# +#autocreate_auto_join_rooms_federated: false + +# The room preset to use when auto-creating one of auto_join_rooms. Only has an +# effect if autocreate_auto_join_rooms is true. +# +# This can be one of "public_chat", "private_chat", or "trusted_private_chat". +# If a value of "private_chat" or "trusted_private_chat" is used then +# auto_join_mxid_localpart must also be configured. +# +# Defaults to "public_chat", meaning that the room is joinable by anyone, including +# federated servers if autocreate_auto_join_rooms_federated is true (the default). +# Uncomment the following to require an invitation to join these rooms. +# +#autocreate_auto_join_room_preset: private_chat + +# The local part of the user id which is used to create auto_join_rooms if +# autocreate_auto_join_rooms is true. If this is not provided then the +# initial user account that registers will be used to create the rooms. +# +# The user id is also used to invite new users to any auto-join rooms which +# are set to invite-only. +# +# It *must* be configured if autocreate_auto_join_room_preset is set to +# "private_chat" or "trusted_private_chat". +# +# Note that this must be specified in order for new users to be correctly +# invited to any auto-join rooms which have been set to invite-only (either +# at the time of creation or subsequently). +# +# Note that, if the room already exists, this user must be joined and +# have the appropriate permissions to invite new members. +# +#auto_join_mxid_localpart: system + # When auto_join_rooms is specified, setting this flag to false prevents # guest accounts from being automatically joined to the rooms. # @@ -1431,7 +1487,7 @@ saml2_config: # The lifetime of a SAML session. This defines how long a user has to # complete the authentication process, if allow_unsolicited is unset. - # The default is 5 minutes. + # The default is 15 minutes. # #saml_session_lifetime: 5m @@ -1516,7 +1572,7 @@ saml2_config: # use an OpenID Connect Provider for authentication, instead of its internal # password database. # -# See https://github.com/matrix-org/synapse/blob/master/openid.md. +# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md. # oidc_config: # Uncomment the following to enable authorization against an OpenID Connect @@ -1960,6 +2016,27 @@ push: # example_stop_events_from: ['@bad:example.com'] spam_checker: {{ matrix_synapse_spam_checker|to_json }} + +## Rooms ## + +# Controls whether locally-created rooms should be end-to-end encrypted by +# default. +# +# Possible options are "all", "invite", and "off". They are defined as: +# +# * "all": any locally-created room +# * "invite": any room created with the "private_chat" or "trusted_private_chat" +# room creation presets +# * "off": this option will take no effect +# +# The default value is "off". +# +# Note that this option will only affect rooms created after it is set. It +# will also not affect rooms created by other servers. +# +#encryption_enabled_by_default_for_room_type: invite + + # Uncomment to allow non-server-admin users to create groups on this server # enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }} From c5f9e021036a8ed79b1737326a5c5938aa478fd7 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sun, 14 Jun 2020 17:49:59 +0200 Subject: [PATCH 1283/2384] updated matrix sms bridge container --- roles/matrix-bridge-sms/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index a53056b7..2d905ea3 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.2.1.RELEASE" +matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.2.2.RELEASE" matrix_sms_bridge_database_docker_image: "neo4j:latest" matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" From 226d5a9c648076e17a03f532547f077ab819b7b6 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sun, 14 Jun 2020 18:10:15 +0200 Subject: [PATCH 1284/2384] remove force pull --- roles/matrix-bridge-sms/tasks/setup_install.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/matrix-bridge-sms/tasks/setup_install.yml b/roles/matrix-bridge-sms/tasks/setup_install.yml index 47454b27..254510a3 100644 --- a/roles/matrix-bridge-sms/tasks/setup_install.yml +++ b/roles/matrix-bridge-sms/tasks/setup_install.yml @@ -4,8 +4,6 @@ docker_image: name: "{{ matrix_sms_bridge_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_sms_bridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sms_bridge_docker_image_force_pull }}" - name: Ensure matrix-sms-bridge databse image is pulled docker_image: From bd3223cdd475664fee1c5d3c37479834f45cc204 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sun, 14 Jun 2020 18:28:42 +0200 Subject: [PATCH 1285/2384] updated matrix-sms-bridge container --- roles/matrix-bridge-sms/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 2d905ea3..a20ddb39 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.2.2.RELEASE" +matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.2.3.RELEASE" matrix_sms_bridge_database_docker_image: "neo4j:latest" matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" From 8e1a418a4573f143792bfdbb38f2abafbb8048c4 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sun, 14 Jun 2020 20:13:39 +0200 Subject: [PATCH 1286/2384] updated matrix-sms-bridge container --- roles/matrix-bridge-sms/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index a20ddb39..40ee8846 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.2.3.RELEASE" +matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.2.4.RELEASE" matrix_sms_bridge_database_docker_image: "neo4j:latest" matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" From 3553d3d513ce24eab9faddc57aab32a78570233e Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Wed, 8 Jul 2020 14:27:57 +0200 Subject: [PATCH 1287/2384] updated version of matrix-sms-bridge --- roles/matrix-bridge-sms/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 40ee8846..e598213b 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.2.4.RELEASE" +matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.3.0.RELEASE" matrix_sms_bridge_database_docker_image: "neo4j:latest" matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" From eff55e4d001771788703c13f8eb9d95177c781a0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Jul 2020 14:33:18 +0300 Subject: [PATCH 1288/2384] Upgrade Synapse (v1.16.0 -> v1.16.1) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 6fc7eab2..c56db7b6 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.16.0" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.16.1" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From ddfc945fcf7e31d63dde0d508068b7c6729183eb Mon Sep 17 00:00:00 2001 From: shadow Date: Fri, 10 Jul 2020 19:20:36 +0200 Subject: [PATCH 1289/2384] Remove unused validate_config.yml, since it causes ansible warnings --- roles/matrix-base/tasks/main.yml | 5 ----- roles/matrix-base/tasks/validate_config.yml | 1 - 2 files changed, 6 deletions(-) delete mode 100644 roles/matrix-base/tasks/validate_config.yml diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index 26e01996..a1bb6754 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -2,11 +2,6 @@ tags: - always -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool" - tags: - - setup-all - - import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml" when: run_setup|bool tags: diff --git a/roles/matrix-base/tasks/validate_config.yml b/roles/matrix-base/tasks/validate_config.yml deleted file mode 100644 index ed97d539..00000000 --- a/roles/matrix-base/tasks/validate_config.yml +++ /dev/null @@ -1 +0,0 @@ ---- From 0074ca646e23babb732879542d9c11be3076cce2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Jul 2020 09:50:39 +0300 Subject: [PATCH 1290/2384] Improve Goofys documentation example for GCS Fixes #573 (Github Issue). --- docs/configuring-playbook-s3.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/configuring-playbook-s3.md b/docs/configuring-playbook-s3.md index ed7c4d92..643edb5b 100644 --- a/docs/configuring-playbook-s3.md +++ b/docs/configuring-playbook-s3.md @@ -47,5 +47,6 @@ You can use any S3-compatible object store by **additionally** configuring these ```yaml matrix_s3_media_store_custom_endpoint_enabled: true +# Example: "https://storage.googleapis.com" matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" ``` From 200f912c042327355644b14393b23219a32868f2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 13 Jul 2020 14:08:50 +0300 Subject: [PATCH 1291/2384] Upgrade Synapse (v1.16.1 -> v1.17.0) Fixes #579 (Github Issue). --- roles/matrix-synapse/defaults/main.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 35 ++++++++++++++++--- 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index c56db7b6..eb9462d2 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.16.1" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.17.0" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index fb432f87..5ed2524b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1781,12 +1781,39 @@ sso: #template_dir: "res/templates" -# The JWT needs to contain a globally unique "sub" (subject) claim. +# JSON web token integration. The following settings can be used to make +# Synapse JSON web tokens for authentication, instead of its internal +# password database. +# +# Each JSON Web Token needs to contain a "sub" (subject) claim, which is +# used as the localpart of the mxid. +# +# Note that this is a non-standard login type and client support is +# expected to be non-existant. +# +# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md. # #jwt_config: -# enabled: true -# secret: "a secret" -# algorithm: "HS256" + # Uncomment the following to enable authorization using JSON web + # tokens. Defaults to false. + # + #enabled: true + + # This is either the private shared secret or the public key used to + # decode the contents of the JSON web token. + # + # Required if 'enabled' is true. + # + #secret: "provided-by-your-issuer" + + # The algorithm used to sign the JSON web token. + # + # Supported algorithms are listed at + # https://pyjwt.readthedocs.io/en/latest/algorithms.html + # + # Required if 'enabled' is true. + # + #algorithm: "provided-by-your-issuer" password_config: From c23a0620f2c5d9c0b0d98e1ea8652fb45393a340 Mon Sep 17 00:00:00 2001 From: Julian Strobl Date: Mon, 13 Jul 2020 11:07:16 +0200 Subject: [PATCH 1292/2384] Fix default SSL path for federation api in docs One could also remove the two variables from the docs completely, because they are set by the playbook automatically. Error: javax.net.ssl.SSLPeerUnverifiedException: Certificate for > doesn't match any of the subject alternative names: [] Fixes #577 (Github Issue). --- docs/howto-server-delegation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index 9fa34326..5235b843 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -82,8 +82,8 @@ Based on your setup, you have different ways to go about it: # # NOTE: these are in-container paths. `/matrix/ssl` on the host is mounted into the container # at the same path (`/matrix/ssl`) by default, so if that's the path you need, it would be seamless. -matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: /matrix/ssl/config/live//fullchain.pem -matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/config/live//privkey.pem +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: /matrix/ssl/config/live/matrix./fullchain.pem +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/config/live/matrix./privkey.pem ``` If your files are not in `/matrix/ssl` but in some other location, you would need to mount them into the container: From 000b482d18dad47bd70174d4ee6246b88de0f334 Mon Sep 17 00:00:00 2001 From: bertiebaggio <7524620+bertiebaggio@users.noreply.github.com> Date: Mon, 13 Jul 2020 15:03:24 +0100 Subject: [PATCH 1293/2384] Add 'Troubleshooting' w/workaround for ownership If a Postgres dump contains ALTER TABLE ... OWNER_TO statements which set the owner to a username different from 'synapse' the post Postgres import task will fail complaining about lack of role. Changing the matrix_postgres_connection_username group var has no effect. However, the ALTER TABLE statements (and accompanying comments) can be rewritten to change the username to 'synapse', which permits the import task to succeed. From a sample of 1, having the owner set in this was causes no discernable side effects on the homeserver. --- docs/importing-postgres.md | 51 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index f1adaa06..4410db53 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -24,3 +24,54 @@ To import, run this command (make sure to replace `` must be a file path to a Postgres dump file on the server (not on your local machine!). + +## Troubleshooting + +A table ownership issue can occur if you are importing from a Synapse installation which was both: + + - migrated from SQLite to Postgres, and + - used a username other than 'synapse' + +In this case you may run into the following error during the import task: + +``` +"ERROR: role \"synapse_user\" does not exist" +``` + +where `synapse_user` is the database username from the previous Synapse installation. + +This can be verified by examining the dump for ALTER TABLE statements which set OWNER TO that username: + +```Shell +$ grep "ALTER TABLE" homeserver.sql" +ALTER TABLE public.access_tokens OWNER TO synapse_user; +ALTER TABLE public.account_data OWNER TO synapse_user; +ALTER TABLE public.account_data_max_stream_id OWNER TO synapse_user; +ALTER TABLE public.account_validity OWNER TO synapse_user; +ALTER TABLE public.application_services_state OWNER TO synapse_user; +... +``` + +It can be worked around by changing the username to `synapse`, for example by using `sed`: + +```sed +$ sed -i "s/synapse_user/synapse/g" homeserver.sql" +``` + +This uses sed to perform an 'in-place' (`-i`) replacement globally (`/g`), searching for `synapse user` and replacing with `synapse` (`s/synapse_user/synapse`). If your database username was different, change `synapse_user` to that username instead. + +Note that if the previous import failed with an error it may have made changes which are incompatible with re-running the import task right away; if you do so it may fail with an error such as: + +``` +ERROR: relation \"access_tokens\" already exists +``` + +In this case you can use the command suggested in the import task to clear the database before retrying the import: + +```Shell +# systemctl stop matrix-postgres +# rm -rf /matrix/postgres/data/* +# systemctl start matrix-postgres +``` + +Once the database is clear and the ownership of the tables has been fixed in the SQL file, the import task should succeed. From 866d6fc1c9a136b96fefdbccfe5cadeb0079b9d9 Mon Sep 17 00:00:00 2001 From: bertiebaggio <7524620+bertiebaggio@users.noreply.github.com> Date: Mon, 13 Jul 2020 15:12:17 +0100 Subject: [PATCH 1294/2384] Fix sed formatting --- docs/importing-postgres.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 4410db53..a88067e1 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -54,7 +54,7 @@ ALTER TABLE public.application_services_state OWNER TO synapse_user; It can be worked around by changing the username to `synapse`, for example by using `sed`: -```sed +```Shell $ sed -i "s/synapse_user/synapse/g" homeserver.sql" ``` From b50cfe8d18a8ef81014e65cfb6c9758795918a4a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Jul 2020 10:35:32 +0300 Subject: [PATCH 1295/2384] Upgrade mautrix-telegram (0.7.2 -> 0.8.1) --- .../defaults/main.yml | 2 +- .../templates/config.yaml.j2 | 26 +++++++++++++++++-- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 36b14608..43210c07 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -4,7 +4,7 @@ matrix_mautrix_telegram_enabled: true # See: https://mau.dev/tulir/mautrix-telegram/container_registry -matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.2" +matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.8.1" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 index 2a5b5785..490494cc 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 @@ -124,8 +124,8 @@ bridge: # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames) # at startup and when creating a bridge. sync_matrix_state: true - # Allow logging in within Matrix. If false, the only way to log in is using the out-of-Matrix - # login website (see appservice.public config section) + # Allow logging in within Matrix. If false, users can only log in using login-qr or the + # out-of-Matrix login website (see appservice.public config section) allow_matrix_login: true # Whether or not to bridge plaintext highlights. # Only enable this if your displayname_template has some static part that the bridge can use to @@ -184,6 +184,28 @@ bridge: # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. default: false + # Database for the encryption data. Currently only supports Postgres and an in-memory + # store that's persisted as a pickle. + # If set to `default`, will use the appservice postgres database + # or a pickle file if the appservice database is sqlite. + # + # Format examples: + # Pickle: pickle:///filename.pickle + # Postgres: postgres://username:password@hostname/dbname + database: default + + # Whether or not to explicitly set the avatar and room name for private + # chat portal rooms. This will be implicitly enabled if encryption.default is true. + private_chat_portal_meta: false + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Telegram. + delivery_receipts: false + # Whether or not delivery errors should be reported as messages in the Matrix room. + delivery_error_reports: false + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false # Overrides for base power levels. initial_power_level_overrides: From a1e248e0e1e6876673bfd9de691b8c60cee77a16 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Tue, 14 Jul 2020 13:02:34 +0200 Subject: [PATCH 1296/2384] updated matrix-sms-bridge (#581) * updated matrix sms bridge container * remove force pull * updated matrix-sms-bridge container * updated matrix-sms-bridge container * updated version of matrix-sms-bridge * updates matrix-sms-bridge --- roles/matrix-bridge-sms/defaults/main.yml | 4 +++- roles/matrix-bridge-sms/tasks/validate_config.yml | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index e598213b..0784841a 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.3.0.RELEASE" +matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.3.1.RELEASE" matrix_sms_bridge_database_docker_image: "neo4j:latest" matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" @@ -46,6 +46,7 @@ matrix_sms_bridge_homeserver_port: '8008' matrix_sms_bridge_homserver_domain: "{{ matrix_domain }}" matrix_sms_bridge_default_room: '' matrix_sms_bridge_default_region: '' +matrix_sms_bridge_default_timezone: '' matrix_sms_bridge_gammu_modem: '' matrix_sms_bridge_modem_group: 'dialout' @@ -72,6 +73,7 @@ matrix_sms_bridge_configuration_yaml: | # Note that you must invite @smsbot:yourHomeServer to this room. defaultRoomId: "{{ matrix_sms_bridge_default_room }}" defaultRegion: "{{ matrix_sms_bridge_default_region }}" + defaultTimeZone: "{{ matrix_sms_bridge_default_timezone }}" provider: gammu: # (optional) default is disabled diff --git a/roles/matrix-bridge-sms/tasks/validate_config.yml b/roles/matrix-bridge-sms/tasks/validate_config.yml index 23fc8a23..0e40aefa 100644 --- a/roles/matrix-bridge-sms/tasks/validate_config.yml +++ b/roles/matrix-bridge-sms/tasks/validate_config.yml @@ -11,3 +11,4 @@ - "matrix_sms_bridge_database_password" - "matrix_sms_bridge_gammu_modem" - "matrix_sms_bridge_default_region" + - "matrix_sms_bridge_default_timezone" From 4eb87c1dcb6c424b394160f5ab57385a6f90e1b0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 14 Jul 2020 16:25:21 +0300 Subject: [PATCH 1297/2384] Add more notes on migrating data from another installation Related to #583 (Github Issue). --- README.md | 2 ++ docs/README.md | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/README.md b/README.md index dda85cb3..af658678 100644 --- a/README.md +++ b/README.md @@ -99,6 +99,8 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM - this one optionally **allows you to use an external PostgreSQL server** for Synapse's database (but defaults to running one in a container) +- helps you **import data from a previous installation** (so you can migrate your manual virtualenv/Docker setup to a more managed one) + ## Installation diff --git a/docs/README.md b/docs/README.md index 88354c0f..8d22477e 100644 --- a/docs/README.md +++ b/docs/README.md @@ -10,6 +10,14 @@ - [Installing](installing.md) +- **Importing data from another Synapse server installation** + + - [Importing an existing SQLite database (from another installation)](importing-sqlite.md) (optional) + + - [Importing an existing Postgres database (from another installation)](importing-postgres.md) (optional) + + - [Importing `media_store` data files from an existing installation](importing-media-store.md) (optional) + - [Registering users](registering-users.md) - [Updating users passwords](updating-users-passwords.md) From 7c55e94cff70de396bbfb448f682a346bbd47660 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Jul 2020 14:28:23 +0300 Subject: [PATCH 1298/2384] Upgrade riot-web (1.6.7 -> 1.7.0) --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index bbf7c0f1..099eab6e 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.7" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.7.0" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 820dc6d7fa092bc3f16954451b6e898f14070ba8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Jul 2020 14:46:39 +0300 Subject: [PATCH 1299/2384] Fix translation issue (Riot.im -> Element) --- roles/matrix-riot-web/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 099eab6e..75480d38 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -40,9 +40,9 @@ matrix_riot_web_brand: "Riot" matrix_riot_web_welcome_logo: "welcome/images/logo.svg" # URL of link on welcome image -matrix_riot_web_welcome_logo_link: "https://riot.im" +matrix_riot_web_welcome_logo_link: "https://element.io" -matrix_riot_web_welcome_headline: "_t('Welcome to Riot.im')" +matrix_riot_web_welcome_headline: "_t('Welcome to Element')" matrix_riot_web_welcome_text: "_t('Decentralised, encrypted chat & collaboration powered by [matrix]')" # Links, shown in footer of welcome page: From 8b44a024e06f7702743e263d3974f0702eb99d4f Mon Sep 17 00:00:00 2001 From: aa1874 Date: Wed, 15 Jul 2020 20:44:49 +0700 Subject: [PATCH 1300/2384] Update README.md to rename Element --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index af658678..bc32cfa2 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI -- (optional, default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Synapse server by default +- (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default - (optional, default) an [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server @@ -122,7 +122,7 @@ This playbook sets up your server using the following Docker images: - [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) -- [vectorim/riot-web](https://hub.docker.com/r/vectorim/riot-web/) - the [Riot.im](https://about.riot.im/) web client (optional) +- [vectorim/riot-web](https://hub.docker.com/r/vectorim/riot-web/) - the [Element](https://element.io/) web client (optional) - [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional) From c47a55d170003c8cd6f5882f9dc6eb49ab04fce8 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Thu, 16 Jul 2020 06:34:14 -0500 Subject: [PATCH 1301/2384] Update nginx (1.19.0 -> 1.19.1) and certbot (1.5.0 -> 1.6.0) --- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index ae54ea4e..49a49c69 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "nginx:1.19.0-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.19.1-alpine" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" @@ -220,7 +220,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.5.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.6.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ From b0e984136f88f77b6a730578e4c4fef81347265a Mon Sep 17 00:00:00 2001 From: Matt Cengia Date: Fri, 17 Jul 2020 13:57:47 +1000 Subject: [PATCH 1302/2384] Fix issues building ma1sd Docker image The tag format used in the `ma1sd` repo have change. Versions no longer start with 'v', and when building for non-amd64, we also need to strip off the '-$arch' bit from the Docker image name. Further, when building the .jar file, `ma1sd` currently names the .jar based on the project's directory, which we call 'docker-src'. This means other parts of the `ma1sd` build can't find the .jar file. Remedy this by ensuring that the dir is called `docker-src/ma1sd`. --- roles/matrix-ma1sd/defaults/main.yml | 2 +- roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 822cc942..8fa8662a 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -11,7 +11,7 @@ matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.4.0-{{ matrix_ma1sd_architecture }}" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" -matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src" +matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src/ma1sd" matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config" matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data" diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml index ee055afd..cef94a24 100644 --- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -54,7 +54,7 @@ git: repo: https://github.com/ma1uta/ma1sd.git dest: "{{ matrix_ma1sd_docker_src_files_path }}" - version: "v{{ matrix_ma1sd_docker_image.split(':')[1] }}" + version: "{{ matrix_ma1sd_docker_image.split(':')[1].split('-')[0] }}" force: "yes" - name: Ensure ma1sd Docker image is built From 298d277c6c0ad9b114ccfd94dc7bc7195011f61a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Jul 2020 08:55:01 +0300 Subject: [PATCH 1303/2384] Upgrade riot-web (1.7.0 -> 1.7.1) --- roles/matrix-riot-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 75480d38..b6c0241b 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.7.0" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.7.1" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From de0efe96e77ec0128ddfa93b1846645d3a849ca4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Jul 2020 08:58:53 +0300 Subject: [PATCH 1304/2384] Fix incorrect when statement --- roles/matrix-coturn/tasks/setup_coturn.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 272a36f2..a83908d3 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -13,7 +13,7 @@ group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"} - when: matrix_riot_web_enabled|bool and item.when + when: matrix_coturn_enabled|bool and item.when - name: Ensure Coturn image is pulled docker_image: From fede58fe96d44161d56ca25cc409a9f0167f2148 Mon Sep 17 00:00:00 2001 From: Matt Cengia Date: Fri, 17 Jul 2020 17:12:16 +1000 Subject: [PATCH 1305/2384] Correctly tag self-built ma1sd Docker image --- roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml index cef94a24..82595c1d 100644 --- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -61,7 +61,15 @@ shell: "./gradlew dockerBuild" args: chdir: "{{ matrix_ma1sd_docker_src_files_path }}" - when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_container_image_self_build" + when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_container_image_self_build" + + - name: Ensure ma1sd Docker image is tagged correctly + docker_image: + name: "{{ matrix_ma1sd_docker_image.split('-')[0] }}" + repository: "{{ matrix_ma1sd_docker_image }}" + force_tag: yes + source: local + when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_container_image_self_build" - name: Ensure ma1sd config installed copy: From c6ab1c6a908d4ab051e9dd6b3c4e2c894b2a901e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Jul 2020 11:31:20 +0300 Subject: [PATCH 1306/2384] Riot is now Element Fixes #586 (Github Issue) --- CHANGELOG.md | 11 ++ README.md | 2 +- docs/configuring-dns.md | 8 +- docs/configuring-playbook-client-element.md | 41 ++++++ docs/configuring-playbook-dimension.md | 6 +- docs/configuring-playbook-jitsi.md | 6 +- docs/configuring-playbook-own-webserver.md | 6 +- docs/configuring-playbook-riot-web.md | 39 +++--- docs/configuring-playbook-ssl-certificates.md | 11 +- docs/configuring-playbook.md | 2 +- docs/configuring-well-known.md | 4 +- docs/maintenance-synapse.md | 3 +- docs/registering-users.md | 4 +- docs/self-building.md | 2 +- docs/updating-users-passwords.md | 6 +- ...ot-web.conf => matrix-client-element.conf} | 18 +-- examples/caddy/matrix-client-element | 8 ++ examples/caddy/matrix-riot-web | 8 -- examples/haproxy/haproxy.cfg | 14 +- group_vars/matrix_servers | 48 +++---- roles/matrix-base/defaults/main.yml | 12 +- roles/matrix-base/tasks/sanity_check.yml | 7 +- .../templates/config.yaml.j2 | 2 +- roles/matrix-client-element/defaults/main.yml | 122 +++++++++++++++++ .../tasks/init.yml | 8 +- roles/matrix-client-element/tasks/main.yml | 34 +++++ .../tasks/migrate_riot_web.yml | 36 +++++ .../tasks/prepare_themes.yml | 48 +++++++ .../tasks/self_check.yml | 22 +++ roles/matrix-client-element/tasks/setup.yml | 127 ++++++++++++++++++ .../tasks/validate_config.yml | 20 +++ .../templates/config.json.j2 | 45 +++++++ .../templates/nginx.conf.j2 | 0 .../systemd/matrix-client-element.service.j2 | 43 ++++++ .../templates/welcome.html.j2 | 12 +- roles/matrix-client-element/vars/main.yml | 3 + .../matrix-dimension/templates/config.yaml.j2 | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 23 ++-- .../tasks/setup_nginx_proxy.yml | 11 +- .../tasks/validate_config.yml | 3 + .../conf.d/matrix-client-element.conf.j2 | 73 ++++++++++ .../nginx/conf.d/matrix-riot-web.conf.j2 | 23 +--- .../templates/nginx/conf.d/nginx-http.conf.j2 | 2 +- roles/matrix-riot-web/defaults/main.yml | 122 ----------------- roles/matrix-riot-web/tasks/main.yml | 28 ---- .../tasks/prepare_riot_web_themes.yml | 48 ------- .../tasks/self_check_riot_web.yml | 22 --- .../matrix-riot-web/tasks/setup_riot_web.yml | 127 ------------------ .../matrix-riot-web/tasks/validate_config.yml | 23 ---- .../matrix-riot-web/templates/config.json.j2 | 45 ------- .../systemd/matrix-riot-web.service.j2 | 43 ------ roles/matrix-riot-web/vars/main.yml | 3 - roles/matrix-synapse/defaults/main.yml | 2 +- setup.yml | 2 +- 54 files changed, 780 insertions(+), 610 deletions(-) create mode 100644 docs/configuring-playbook-client-element.md rename examples/apache/{matrix-riot-web.conf => matrix-client-element.conf} (61%) create mode 100644 examples/caddy/matrix-client-element delete mode 100644 examples/caddy/matrix-riot-web create mode 100644 roles/matrix-client-element/defaults/main.yml rename roles/{matrix-riot-web => matrix-client-element}/tasks/init.yml (59%) create mode 100644 roles/matrix-client-element/tasks/main.yml create mode 100644 roles/matrix-client-element/tasks/migrate_riot_web.yml create mode 100644 roles/matrix-client-element/tasks/prepare_themes.yml create mode 100644 roles/matrix-client-element/tasks/self_check.yml create mode 100644 roles/matrix-client-element/tasks/setup.yml create mode 100644 roles/matrix-client-element/tasks/validate_config.yml create mode 100644 roles/matrix-client-element/templates/config.json.j2 rename roles/{matrix-riot-web => matrix-client-element}/templates/nginx.conf.j2 (100%) create mode 100644 roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 rename roles/{matrix-riot-web => matrix-client-element}/templates/welcome.html.j2 (91%) create mode 100644 roles/matrix-client-element/vars/main.yml create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 delete mode 100644 roles/matrix-riot-web/defaults/main.yml delete mode 100644 roles/matrix-riot-web/tasks/main.yml delete mode 100644 roles/matrix-riot-web/tasks/prepare_riot_web_themes.yml delete mode 100644 roles/matrix-riot-web/tasks/self_check_riot_web.yml delete mode 100644 roles/matrix-riot-web/tasks/setup_riot_web.yml delete mode 100644 roles/matrix-riot-web/tasks/validate_config.yml delete mode 100644 roles/matrix-riot-web/templates/config.json.j2 delete mode 100644 roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 delete mode 100644 roles/matrix-riot-web/vars/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 881bb00a..c70dde25 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2020-07-17 + +## (Compatibility Break) Riot is now Element + +As per the official announcement, [Riot has been rebraned to Element](https://element.io/blog/welcome-to-element/). + +The playbook follows suit. Existing installations have a few options for how to handle this. + +See our [Migrating to Element](docs/configuring-playbook-riot-web.md#migrating-to-element) documentation page for more details. + + # 2020-07-03 ## Steam bridging support via mx-puppet-steam diff --git a/README.md b/README.md index bc32cfa2..78a4f83a 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) a [coturn](https://github.com/coturn/coturn) STUN/TURN server for WebRTC audio/video calls -- (optional, default) free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Riot web UI +- (optional, default) free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Element web UI - (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 29ddc61e..55328e36 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -21,7 +21,7 @@ If you decide to go with the alternative method ([Server Delegation via a DNS SR | Type | Host | Priority | Weight | Port | Target | | ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- | | A | `matrix` | - | - | - | `matrix-server-IP` | -| CNAME | `riot` | - | - | - | `matrix.` | +| CNAME | `element` | - | - | - | `matrix.` | | CNAME | `dimension` (*) | - | - | - | `matrix.` | | CNAME | `jitsi` (*) | - | - | - | `matrix.` | | SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | @@ -32,10 +32,10 @@ DNS records marked with `(*)` above are optional. They refer to services that wi ## Subdomains setup -As the table above illustrates, you need to create 2 subdomains (`matrix.` and `riot.`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` record is fine). +As the table above illustrates, you need to create 2 subdomains (`matrix.` and `element.`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` record is fine). -The `riot.` subdomain is necessary, because this playbook installs the Riot web client for you. -If you'd rather instruct the playbook not to install Riot (`matrix_riot_web_enabled: false` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `riot.` DNS record. +The `element.` subdomain is necessary, because this playbook installs the [Element](https://github.com/vector-im/riot-web) web client for you. +If you'd rather instruct the playbook not to install Element (`matrix_client_element_enabled: false` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `element.` DNS record. The `dimension.` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.` DNS record. diff --git a/docs/configuring-playbook-client-element.md b/docs/configuring-playbook-client-element.md new file mode 100644 index 00000000..26536364 --- /dev/null +++ b/docs/configuring-playbook-client-element.md @@ -0,0 +1,41 @@ +# Configuring Element (optional) + +By default, this playbook installs the [Element](https://github.com/vector-im/riot-web) Matrix client web application. +If that's okay, you can skip this document. + + +## Disabling Element + +If you'd like for the playbook to not install (or to uninstall the previously installed Element), you can disable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_client_element_enabled: false +``` + + +## Configuring Element settings + +The playbook provides some customization variables you could use to change Element's settings. + +Their defaults are defined in [`roles/matrix-client-element/defaults/main.yml`](../roles/matrix-client-element/defaults/main.yml) and they ultimately end up in the generated `/matrix/element/config.json` file (on the server). This file is generated from the [`roles/matrix-client-element/templates/config.json.j2`](../roles/matrix-client-element/templates/config.json.j2) template. + +**If there's an existing variable** which controls a setting you wish to change, you can simply define that variable in your configuration file (`inventory/host_vars/matrix./vars.yml`) and [re-run the playbook](installing.md) to apply the changes. + +Alternatively, **if there is no pre-defined variable** for an Element setting you wish to change: + +- you can either **request a variable to be created** (or you can submit such a contribution yourself). Keep in mind that it's **probably not a good idea** to create variables for each one of Element's various settings that rarely get used. + +- or, you can **extend and override the default configuration** ([`config.json.j2`](../roles/matrix-client-element/templates/config.json.j2)) by making use of the `matrix_client_element_configuration_extension_json_` variable. You can find information about this in [`roles/matrix-client-element/defaults/main.yml`](../roles/matrix-client-element/defaults/main.yml). + +- or, if extending the configuration is still not powerful enough for your needs, you can **override the configuration completely** using `matrix_client_element_configuration_default` (or `matrix_client_element_configuration`). You can find information about this in [`roles/matrix-client-element/defaults/main.yml`](../roles/matrix-client-element/defaults/main.yml). + + +## Themes + +To change the look of Element, you can define your own themes manually by using the `matrix_client_element__settingDefaults_custom_themes` setting. + +Or better yet, you can automatically pull it all themes provided by the [aaronraimist/element-themes](https://github.com/aaronraimist/element-themes) project by simply flipping a flag (`matrix_client_element_themes_enabled: true`). + +If you make your own theme, we encourage you to submit it to the **aaronraimist/element-themes** project, so that the whole community could easily enjoy it. + +Note that for a custom theme to work well, all Element instances that you use must have the same theme installed. diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index d4de8e2b..9b9c09e7 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -21,7 +21,7 @@ matrix_dimension_enabled: true ## Define admin users -These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon. +These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Element and clicking the settings icon. Add this to your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml @@ -39,7 +39,7 @@ Follow our [Registering users](registering-users.md) guide to learn how to regis You are required to specify an access token (belonging to this new user) for Dimension to work. To get an access token for the Dimension user, follow these steps: -1. In a private browsing session (incognito window), open Riot. +1. In a private browsing session (incognito window), open Element. 2. Log in with the `dimension` user and its password. 1. Set the display name and avatar, if required. 2. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: `. @@ -70,7 +70,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start By default Dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of [Jitsi](https://jitsi.org/) audio/video conference widgets. For users running [a self-hosted Jitsi instance](./configuring-playbook-jitsi.md), you will likely want the widget to use your own Jitsi instance. Currently there is no way to configure this via the playbook, see [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details. -In the interim until the above limitation is resolved, an admin user needs to configure the domain via the admin ui once dimension is running. In riot-web, go to *Manage Integrations* → *Settings* → *Widgets* → *Jitsi Conference Settings* and set *Jitsi Domain* and *Jitsi Script URL* appropriately. +In the interim until the above limitation is resolved, an admin user needs to configure the domain via the admin ui once dimension is running. In Element, go to *Manage Integrations* → *Settings* → *Widgets* → *Jitsi Conference Settings* and set *Jitsi Domain* and *Jitsi Script URL* appropriately. ## Additional features diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 2a25fb02..efc5eaaf 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -1,6 +1,6 @@ # Jitsi -The playbook can install the [Jitsi](https://jitsi.org/) video-conferencing platform and integrate it with [Riot](configuring-playbook-riot-web.md). +The playbook can install the [Jitsi](https://jitsi.org/) video-conferencing platform and integrate it with [Element](configuring-playbook-client-element.md). Jitsi installation is **not enabled by default**, because it's not a core component of Matrix services. @@ -144,13 +144,13 @@ Run this command for each user you would like to create, replacing `` You can use the self-hosted Jitsi server in multiple ways: -- **by adding a widget to a room via riot-web** (the one configured by the playbook at `https://riot.DOMAIN`). Just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. +- **by adding a widget to a room via Element** (the one configured by the playbook at `https://element.DOMAIN`). Just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. - **by adding a widget to a room via the Dimension Integration Manager**. You'll have to point the widget to your own Jitsi server manually. See our [Dimension](./configuring-playbook-dimension.md) documentation page for more details. Naturally, Dimension would need to be installed first (the playbook doesn't install it by default). - **directly (without any Matrix integration)**. Just go to `https://jitsi.DOMAIN` -**Note**: Riot apps on mobile devices currently [don't support joining meetings on a self-hosted Jitsi server](https://github.com/vector-im/riot-web/blob/601816862f7d84ac47547891bd53effa73d32957/docs/jitsi.md#mobile-app-support). +**Note**: Element apps on mobile devices currently [don't support joining meetings on a self-hosted Jitsi server](https://github.com/vector-im/riot-web/blob/601816862f7d84ac47547891bd53effa73d32957/docs/jitsi.md#mobile-app-support). ## Troubleshooting diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index f97f622f..2c4b43a2 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -113,7 +113,7 @@ With this, nginx would still be in use, but it would not bother with anything SS All services would be served locally on `127.0.0.1:81` and `127.0.0.1:8449` (as per the example configuration above). You can then set up another reverse-proxy server on ports 80/443/8448 for all of the expected domains and make traffic go to these local ports. -The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `riot.DOMAIN` and `dimension.DOMAIN` are optional). +The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `element.DOMAIN` and `dimension.DOMAIN` are optional). ### Sample configuration for running behind Traefik 2.0 @@ -144,7 +144,7 @@ matrix_nginx_proxy_container_extra_arguments: - '--label "traefik.enable=true"' # The Nginx proxy container will receive traffic from these subdomains - - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_riot }}`,`{{ matrix_server_fqn_dimension }}`)"' + - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_element }}`,`{{ matrix_server_fqn_dimension }}`)"' # (The 'web-secure' entrypoint must bind to port 443 in Traefik config) - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"' @@ -172,7 +172,7 @@ matrix_synapse_container_extra_arguments: - '--label "traefik.http.services.matrix-synapse.loadbalancer.server.port=8048"' ``` -This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `riot.DOMAIN`, and `dimension.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver. +This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `element.DOMAIN`, and `dimension.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver. Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 443 for HTTPS, which may cause some issues, since the built-in Nginx proxy usually does this. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows: diff --git a/docs/configuring-playbook-riot-web.md b/docs/configuring-playbook-riot-web.md index 11907308..c3ac4069 100644 --- a/docs/configuring-playbook-riot-web.md +++ b/docs/configuring-playbook-riot-web.md @@ -1,40 +1,37 @@ # Configuring Riot-web (optional) -By default, this playbook installs the [Riot-web](https://github.com/vector-im/riot-web) Matrix client web application. -If that's okay, you can skip this document. +By default, this playbook **used to install** the [Riot-web](https://github.com/vector-im/riot-web) Matrix client web application. +Riot has since been [renamed to Element](https://element.io/blog/welcome-to-element/). -## Disabling riot-web +- to learn more about Element and its configuration, see our dedicated [Configuring Element](configuring-playbook-client-element.md) documentation page +- to learn how to migrate from Riot to Element, see [Migrating to Element](#migrating-to-element) below -If you'd like for the playbook to not install (or to uninstall the previously installed riot-web), you can disable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): -```yaml -matrix_riot_web_enabled: false -``` - -## Configuring riot-web settings +## Migrating to Element -The playbook provides some customization variables you could use to change riot-web's settings. +### Migrating your custom settings -Their defaults are defined in [`roles/matrix-riot-web/defaults/main.yml`](../roles/matrix-riot-web/defaults/main.yml) and they ultimately end up in the generated `/matrix/riot-web/config.json` file (on the server). This file is generated from the [`roles/matrix-riot-web/templates/config.json.j2`](../roles/matrix-riot-web/templates/config.json.j2) template. +If you have custom `matrix_riot_web_` variables in your `inventory/host_vars/matrix.DOMAIN/vars.yml` file, you'll need to rename them (`matrix_riot_web_` -> `matrix_client_element_`). -**If there's an existing variable** which controls a setting you wish to change, you can simply define that variable in your configuration file (`inventory/host_vars/matrix./vars.yml`) and [re-run the playbook](installing.md) to apply the changes. -Alternatively, **if there is no pre-defined variable** for a riot-web setting you wish to change: +### Domain migration -- you can either **request a variable to be created** (or you can submit such a contribution yourself). Keep in mind that it's **probably not a good idea** to create variables for each one of riot-web's various settings that rarely get used. +We used to set up Riot at the `riot.DOMAIN` domain. The playbook now sets up Element at `element.DOMAIN` by default. -- or, you can **extend and override the default configuration** ([`config.json.j2`](../roles/matrix-riot-web/templates/config.json.j2)) by making use of the `matrix_riot_web_configuration_extension_json_` variable. You can find information about this in [`roles/matrix-riot-web/defaults/main.yml`](../roles/matrix-riot-web/defaults/main.yml). +There are a few options for handling this: -- or, if extending the configuration is still not powerful enough for your needs, you can **override the configuration completely** using `matrix_riot_web_configuration_default` (or `matrix_riot_web_configuration`). You can find information about this in [`roles/matrix-riot-web/defaults/main.yml`](../roles/matrix-riot-web/defaults/main.yml). +- (**avoiding changes** - using the old `riot.DOMAIN` domain and avoiding DNS changes) -- to keep using `riot.DOMAIN` instead of `element.DOMAIN`, override the domain at which the playbook serves Element: `matrix_server_fqn_element: "riot.{{ matrix_domain }}"` +- (**embracing changes** - using only `element.DOMAIN`) - set up the `element.DOMAIN` DNS record (see [Configuring DNS](configuring-dns.md)). You can drop the `riot.DOMAIN` in this case. If so, you may also wish to remove old SSL certificates (`rm -rf /matrix/ssl/live/riot.DOMAIN`), so that `certbot` would stop trying to renew them. -## Themes +- (**embracing changes and transitioning smoothly** - using both `element.DOMAIN` and `riot.DOMAIN`) - to serve Element at the new domain (`element.DOMAIN`) and to also have `riot.DOMAIN` redirect there - set up the `element.DOMAIN` DNS record (see [Configuring DNS](configuring-dns.md)) and enable Riot to Element redirection (`matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: true`). -To change the look of riot-web, you can define your own themes manually by using the `matrix_riot_web_settingDefaults_custom_themes` setting. -Or better yet, you can automatically pull it all themes provided by the [aaronraimist/riot-web-themes](https://github.com/aaronraimist/riot-web-themes) project by simply flipping a flag (`matrix_riot_web_themes_enabled: true`). +### Re-running the playbook -If you make your own theme, we encourage you to submit it to the **aaronraimist/riot-web-themes** project, so that the whole community could easily enjoy it. +As always, after making the necessary DNS and configuration adjustments, re-run the playbook to apply the changes: -Note that for a custom theme to work well, all riot-web/riot-desktop instances that you use must have the same theme installed. +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 28d50542..0b593f20 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -1,6 +1,6 @@ # Adjusting SSL certificate retrieval (optional, advanced) -By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (`matrix.` and possibly `riot.`) +By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (`matrix.` and possibly `element.`) Those certificates are used when configuring the nginx reverse proxy installed by this playbook. They can also be used for configuring [your own webserver](docs/configuring-playbook-own-webserver.md), in case you're not using the integrated nginx server provided by the playbook. @@ -42,7 +42,7 @@ With such a configuration, the playbook would expect you to drop the SSL certifi - `/live//fullchain.pem` - `/live//privkey.pem` -where `` refers to the domains that you need (usually `matrix.` and `riot.`). +where `` refers to the domains that you need (usually `matrix.` and `element.`). ## Not bothering with SSL certificates @@ -62,7 +62,8 @@ The playbook tries to be smart about the certificates it will obtain for you. By default, it obtains certificates for: - `matrix.` (`matrix_server_fqn_matrix`) -- possibly for `riot.`, unless you have disabled the Riot component using `matrix_riot_web_enabled: false` +- possibly for `element.`, unless you have disabled the [Element client component](configuring-playbook-client-element.md) using `matrix_client_element_enabled: false` +- possibly for `riot.`, if you have explicitly enabled Riot to Element redirection (for background compatibility) using `matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: true` - possibly for `dimension.`, if you have explicitly [set up Dimension](configuring-playbook-dimension.md). - possibly for your base domain (``), if you have explicitly configured [Serving the base domain](configuring-playbook-base-domain-serving.md) @@ -70,12 +71,12 @@ If you are hosting other domains on the Matrix machine, you can make the playboo To do that, simply define your own custom configuration like this: ```yaml -# Note: we need to explicitly list the aforementioned Matrix domains that you use (Matrix, Riot, Dimension). +# Note: we need to explicitly list the aforementioned Matrix domains that you use (Matrix, Element, Dimension). # In this example, we retrieve an extra certificate - one for the base domain (in the `matrix_domain` variable). # Adding any other additional domains (hosted on the same machine) is possible. matrix_ssl_domains_to_obtain_certificates_for: - '{{ matrix_server_fqn_matrix }}' - - '{{ matrix_server_fqn_riot }}' + - '{{ matrix_server_fqn_element }}' - '{{ matrix_server_fqn_dimension }}' - '{{ matrix_domain }}' ``` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 7e81d3a7..82b3fe61 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -38,7 +38,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Configuring Synapse](configuring-playbook-synapse.md) (optional) -- [Configuring Riot-web](configuring-playbook-riot-web.md) (optional) +- [Configuring Element](configuring-playbook-client-element.md) (optional) - [Storing Matrix media files on Amazon S3](configuring-playbook-s3.md) (optional) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 959d3506..5e910c3b 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -6,7 +6,7 @@ There are 2 types of well-known service discovery that Matrix makes use of: - (important) **Federation Server discovery** (`/.well-known/matrix/server`) -- assists other servers in the Matrix network with finding your server. Without a proper configuration, your server will effectively not be part of the Matrix network. Learn more in [Introduction to Federation Server Discovery](#introduction-to-federation-server-discovery) -- (not that important) **Client Server discovery** (`/.well-known/matrix/client`) -- assists programs that you use to connect to your server (e.g. Riot), so that they can make it more convenient for you by automatically configuring the "Homeserver URL" and "Identity Server URL" addresses. Learn more in [Introduction to Client Server Discovery](#introduction-to-client-server-discovery) +- (not that important) **Client Server discovery** (`/.well-known/matrix/client`) -- assists programs that you use to connect to your server (e.g. Element), so that they can make it more convenient for you by automatically configuring the "Homeserver URL" and "Identity Server URL" addresses. Learn more in [Introduction to Client Server Discovery](#introduction-to-client-server-discovery) ## Introduction to Federation Server Discovery @@ -59,7 +59,7 @@ All you need to do is: - copy `/.well-known/matrix/server` and `/.well-known/matrix/client` from the Matrix server (e.g. `matrix.example.com`) to your base domain's server (`example.com`). You can find these files in the `/matrix/static-files/.well-known/matrix` directory on the Matrix server. They are also accessible on URLs like this: `https://matrix.example.com/.well-known/matrix/server` (same for `client`). -- set up the server at your base domain (e.g. `example.com`) so that it adds an extra HTTP header when serving the `/.well-known/matrix/client` file. [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS), the `Access-Control-Allow-Origin` header should be set with a value of `*`. If you don't do this step, web-based Matrix clients (like Riot) may fail to work. Setting up headers for the `/.well-known/matrix/server` file is not necessary, as this file is only consumed by non-browsers, which don't care about CORS. +- set up the server at your base domain (e.g. `example.com`) so that it adds an extra HTTP header when serving the `/.well-known/matrix/client` file. [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS), the `Access-Control-Allow-Origin` header should be set with a value of `*`. If you don't do this step, web-based Matrix clients (like Element) may fail to work. Setting up headers for the `/.well-known/matrix/server` file is not necessary, as this file is only consumed by non-browsers, which don't care about CORS. This is relatively easy to do and possibly your only choice if you can only host static files from the base domain's server. It is, however, **a little fragile**, as future updates performed by this playbook may regenerate the well-known files and you may need to notice that and copy them over again. diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index 9c70934d..afbf86ed 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -13,6 +13,7 @@ Table of contents: - [Vacuuming Postgres](#vacuuming-postgres) - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api) - [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state) + - [Browse and manipulate the database](#browse-and-manipulate-the-database) - [Browse and manipulate the database](#browse-and-manipulate-the-database), for when you really need to take matters into your own hands @@ -56,7 +57,7 @@ If [purging unused and unreachable data](#purging-unused-data-with-synapse-janit Synapse provides a [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) that you can use to purge on a per-room basis. -To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like riot-web). +To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like Element). Alternatively, you can log in and obtain a new access token like this: ``` diff --git a/docs/registering-users.md b/docs/registering-users.md index cf0ede41..4bca71e8 100644 --- a/docs/registering-users.md +++ b/docs/registering-users.md @@ -16,7 +16,7 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=` is just a plain username (like `john`), not your full `@:` identifier. -**You can then log in with that user** via the riot-web service that this playbook has created for you at a URL like this: `https://riot./`. +**You can then log in with that user** via the Element service that this playbook has created for you at a URL like this: `https://element./`. ----- @@ -25,7 +25,7 @@ If you've just installed Matrix, **to finalize the installation process**, it's ----- -## Adding/Removing Administrator privileges to an existing user. +## Adding/Removing Administrator privileges to an existing user. The script `/usr/local/bin/matrix-change-user-admin-status` may be used to change a user's admin privileges. diff --git a/docs/self-building.md b/docs/self-building.md index 8413fb5e..bc0d097c 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -11,7 +11,7 @@ To make use of self-building, you don't need to do anything besides change your Note that **not all components support self-building yet**. List of roles where self-building the Docker image is currently possible: - `matrix-synapse` -- `matrix-riot-web` +- `matrix-client-element` - `matrix-coturn` - `matrix-ma1sd` - `matrix-mailer` diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md index f2fac643..785bc17c 100644 --- a/docs/updating-users-passwords.md +++ b/docs/updating-users-passwords.md @@ -10,7 +10,7 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=` is just a plain username (like `john`), not your full `@:` identifier. -**You can then log in with that user** via the riot-web service that this playbook has created for you at a URL like this: `https://riot./`. +**You can then log in with that user** via the Element service that this playbook has created for you at a URL like this: `https://element./`. ## Option 2 (if you are using an external Postgres server): @@ -34,9 +34,9 @@ where `` is the hash returned by the docker command above. Use the Synapse User Admin API as described here: https://github.com/matrix-org/synapse/blob/master/docs/admin_api/user_admin_api.rst#reset-password -This requires an access token from a server admin account. *This method will also log the user out of all of their clients while the other options do not.* +This requires an access token from a server admin account. *This method will also log the user out of all of their clients while the other options do not.* -If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-change-user-admin-status` script as described in [registering-users.md](registering-users.md). +If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-change-user-admin-status` script as described in [registering-users.md](registering-users.md). ### Example: To set @user:domain.com's password to `correct_horse_battery_staple` you could use this curl command: diff --git a/examples/apache/matrix-riot-web.conf b/examples/apache/matrix-client-element.conf similarity index 61% rename from examples/apache/matrix-riot-web.conf rename to examples/apache/matrix-client-element.conf index 0860a048..f2b347fe 100644 --- a/examples/apache/matrix-riot-web.conf +++ b/examples/apache/matrix-client-element.conf @@ -1,8 +1,8 @@ -# This is a sample file demonstrating how to set up reverse-proxy for riot.DOMAIN. -# If you're not using Riot (`matrix_riot_web_enabled: false`), you won't need this. +# This is a sample file demonstrating how to set up reverse-proxy for element.DOMAIN. +# If you're not using Element (`matrix_client_element_enabled: false`), you won't need this. - ServerName riot.DOMAIN + ServerName element.DOMAIN ProxyVia On @@ -13,17 +13,17 @@ ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge - Redirect permanent / https://riot.DOMAIN/ + Redirect permanent / https://element.DOMAIN/ - ServerName riot.DOMAIN + ServerName element.DOMAIN SSLEngine On # If you manage SSL certificates by yourself, these paths will differ. - SSLCertificateFile /matrix/ssl/config/live/riot.DOMAIN/fullchain.pem - SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem + SSLCertificateFile /matrix/ssl/config/live/element.DOMAIN/fullchain.pem + SSLCertificateKeyFile /matrix/ssl/config/live/element.DOMAIN/privkey.pem SSLProxyEngine on SSLProxyProtocol +TLSv1.2 +TLSv1.3 @@ -36,6 +36,6 @@ ProxyPass / http://127.0.0.1:8765/ ProxyPassReverse / http://127.0.0.1:8765/ - ErrorLog ${APACHE_LOG_DIR}/riot.DOMAIN-error.log - CustomLog ${APACHE_LOG_DIR}/riot.DOMAIN-access.log combined + ErrorLog ${APACHE_LOG_DIR}/element.DOMAIN-error.log + CustomLog ${APACHE_LOG_DIR}/element.DOMAIN-access.log combined diff --git a/examples/caddy/matrix-client-element b/examples/caddy/matrix-client-element new file mode 100644 index 00000000..2dc6ba34 --- /dev/null +++ b/examples/caddy/matrix-client-element @@ -0,0 +1,8 @@ +https://element.DOMAIN { + # These might differ if you are supplying your own certificates + tls /matrix/ssl/config/live/element.DOMAIN/fullchain.pem /matrix/ssl/config/live/element.DOMAIN/privkey.pem + + proxy / http://127.0.0.1:8765 { + transparent + } +} diff --git a/examples/caddy/matrix-riot-web b/examples/caddy/matrix-riot-web deleted file mode 100644 index 8c195725..00000000 --- a/examples/caddy/matrix-riot-web +++ /dev/null @@ -1,8 +0,0 @@ -https://riot.DOMAIN { - # These might differ if you are supplying your own certificates - tls /matrix/ssl/config/live/riot.DOMAIN/fullchain.pem /matrix/ssl/config/live/riot.DOMAIN/privkey.pem - - proxy / http://127.0.0.1:8765 { - transparent - } -} diff --git a/examples/haproxy/haproxy.cfg b/examples/haproxy/haproxy.cfg index 6c75b9a6..c7fbf967 100644 --- a/examples/haproxy/haproxy.cfg +++ b/examples/haproxy/haproxy.cfg @@ -39,7 +39,7 @@ frontend https-frontend # HAproxy wants the full chain and the private key in one file. For Letsencrypt manually generated certs (e.g., wildcard certs) you can use # cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/haproxy/certs/star-example.com.pem bind *:443 ssl crt /etc/haproxy/certs/star-example.com.pem - #bind *:443 ssl crt /etc/haproxy/certs/riot.example.com.pem /etc/haproxy/certs/matrix.example.com.pem + #bind *:443 ssl crt /etc/haproxy/certs/element.example.com.pem /etc/haproxy/certs/matrix.example.com.pem reqadd X-Forwarded-Proto:\ https option httplog option http-server-close @@ -60,10 +60,10 @@ frontend https-frontend acl synapse_admin path -i -m beg /_synapse/admin # Send to :8008 use_backend matrix-main if matrix_path or synapse_admin - # riot.example.com - acl riot_domain hdr_dom(host) -i riot.example.com + # element.example.com + acl element_domain hdr_dom(host) -i element.example.com # Send to 8765 - use_backend riot if riot_domain + use_backend element if element_domain # If nothing else match, just send to default matrix backend use_backend matrix-main if matrix_domain #default_backend matrix-main @@ -86,12 +86,12 @@ backend synapse backend nginx-static capture request header origin len 128 - http-response add-header Access-Control-Allow-Origin * + http-response add-header Access-Control-Allow-Origin * rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT if { capture.req.hdr(0) -m found } rspadd Access-Control-Allow-Credentials:\ true if { capture.req.hdr(0) -m found } rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization if { capture.req.hdr(0) -m found } server nginx 127.0.0.1:40888 check -backend riot - server riot 127.0.0.1:8765 check +backend element + server element 127.0.0.1:8765 check diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b8af1894..f1a773f5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -755,7 +755,7 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:4 matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" matrix_nginx_proxy_proxy_matrix_enabled: true -matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}" +matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" @@ -792,14 +792,16 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + - (['matrix-riot-web.service'] if matrix_riot_web_enabled else []) + (['matrix-client-element.service'] if matrix_client_element_enabled else []) }} matrix_ssl_domains_to_obtain_certificates_for: | {{ ([matrix_server_fqn_matrix]) + - ([matrix_server_fqn_riot] if matrix_riot_web_enabled else []) + ([matrix_server_fqn_element] if matrix_client_element_enabled else []) + + + ([matrix_nginx_proxy_proxy_riot_compat_redirect_hostname] if matrix_nginx_proxy_proxy_riot_compat_redirect_enabled else []) + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + @@ -847,48 +849,48 @@ matrix_postgres_db_name: "homeserver" ###################################################################### # -# matrix-riot-web +# matrix-client-element # ###################################################################### -# By default, this playbook installs the Riot.IM web UI on the `matrix_server_fqn_riot` domain. +# By default, this playbook installs the Element web UI on the `matrix_server_fqn_element` domain. # If you wish to connect to your Matrix server by other means, you may wish to disable this. -matrix_riot_web_enabled: true +matrix_client_element_enabled: true -matrix_riot_web_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" +matrix_client_element_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network. +# Normally, matrix-nginx-proxy is enabled and nginx can reach Element over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# the riot-web HTTP port to the local host. -matrix_riot_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8765' }}" +# the Element HTTP port to the local host. +matrix_client_element_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8765' }}" -matrix_riot_web_default_hs_url: "{{ matrix_homeserver_url }}" -matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}" +matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}" +matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}" # Use Dimension if enabled, otherwise fall back to Scalar -matrix_riot_web_integrations_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else 'https://scalar.vector.im/' }}" -matrix_riot_web_integrations_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else 'https://scalar.vector.im/api' }}" -matrix_riot_web_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}" -matrix_riot_web_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}" +matrix_client_element_integrations_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else 'https://scalar.vector.im/' }}" +matrix_client_element_integrations_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else 'https://scalar.vector.im/api' }}" +matrix_client_element_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}" +matrix_client_element_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}" -matrix_riot_web_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" +matrix_client_element_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" -matrix_riot_web_registration_enabled: "{{ matrix_synapse_enable_registration }}" +matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registration }}" -matrix_riot_web_enable_presence_by_hs_url: | +matrix_client_element_enable_presence_by_hs_url: | {{ none if matrix_synapse_use_presence - else {matrix_riot_web_default_hs_url: false} + else {matrix_client_element_default_hs_url: false} }} -matrix_riot_web_welcome_user_id: ~ +matrix_client_element_welcome_user_id: ~ -matrix_riot_web_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}" +matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}" ###################################################################### # -# /matrix-riot-web +# /matrix-client-element # ###################################################################### diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 0cdd6e32..520f36f1 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -8,12 +8,12 @@ matrix_domain: ~ # This is where your data lives and what we set up. -# This and the Riot FQN (see below) are expected to be on the same server. +# This and the Element FQN (see below) are expected to be on the same server. matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" -# This is where you access the web UI from and what we set up here. +# This is where you access the Element web UI from (if enabled via matrix_client_element_enabled; enabled by default). # This and the Matrix FQN (see above) are expected to be on the same server. -matrix_server_fqn_riot: "riot.{{ matrix_domain }}" +matrix_server_fqn_element: "element.{{ matrix_domain }}" # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" @@ -58,12 +58,12 @@ matrix_integration_manager_rest_url: ~ matrix_integration_manager_ui_url: ~ # The domain name where a Jitsi server is self-hosted. -# If set, `/.well-known/matrix/client` will suggest Riot clients to use that Jitsi server. +# If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server. # See: https://github.com/vector-im/riot-web/blob/develop/docs/jitsi.md#configuring-riot-to-use-your-self-hosted-jitsi-server matrix_riot_jitsi_preferredDomain: '' -# Controls whether Riot should use End-to-End Encryption by default. -# Setting this to false will update `/.well-known/matrix/client` and tell Riot clients to avoid E2EE. +# Controls whether Element should use End-to-End Encryption by default. +# Setting this to false will update `/.well-known/matrix/client` and tell Element clients to avoid E2EE. # See: https://github.com/vector-im/riot-web/blob/develop/docs/e2ee.md matrix_riot_e2ee_default: true diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index b0e1c8b6..2afb68e1 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -25,7 +25,8 @@ - {'old': 'host_specific_hostname_identity', 'new': 'matrix_domain'} - {'old': 'hostname_identity', 'new': 'matrix_domain'} - {'old': 'hostname_matrix', 'new': 'matrix_server_fqn_matrix'} - - {'old': 'hostname_riot', 'new': 'matrix_server_fqn_riot'} + - {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'} + - {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'} - name: Fail if required variables are undefined fail: @@ -33,7 +34,7 @@ with_items: - matrix_domain - matrix_server_fqn_matrix - - matrix_server_fqn_riot + - matrix_server_fqn_element when: "item not in vars or vars[item] is none" - name: Fail if uppercase domain used @@ -42,7 +43,7 @@ with_items: - "{{ matrix_domain }}" - "{{ matrix_server_fqn_matrix }}" - - "{{ matrix_server_fqn_riot }}" + - "{{ matrix_server_fqn_element }}" when: "item != item|lower" - name: Fail if using python2 on Archlinux diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 index 490494cc..1a4ac43e 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 @@ -145,7 +145,7 @@ bridge: # Set to false to disable link previews in messages sent to Telegram. telegram_link_preview: true # Use inline images instead of a separate message for the caption. - # N.B. Inline images are not supported on all clients (e.g. Riot iOS). + # N.B. Inline images are not supported on all clients (e.g. Element iOS). inline_images: false # Maximum size of image in megabytes before sending to Telegram as a document. image_as_file_size: 10 diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml new file mode 100644 index 00000000..c61283a4 --- /dev/null +++ b/roles/matrix-client-element/defaults/main.yml @@ -0,0 +1,122 @@ +matrix_client_element_enabled: true + +matrix_client_element_container_image_self_build: false + +matrix_client_element_docker_image: "vectorim/riot-web:v1.7.1" +matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" + +matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element" +matrix_client_element_docker_src_files_path: "{{ matrix_client_element_data_path }}/docker-src" + +# Controls whether the matrix-client-element container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8765"), or empty string to not expose. +matrix_client_element_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_client_element_container_extra_arguments: [] + +# List of systemd services that matrix-client-element.service depends on +matrix_client_element_systemd_required_services_list: ['docker.service'] + +# Element config.json customizations +matrix_client_element_default_server_name: "{{ matrix_domain }}" +matrix_client_element_default_hs_url: "" +matrix_client_element_default_is_url: ~ +matrix_client_element_disable_custom_urls: true +matrix_client_element_disable_guests: true +matrix_client_element_integrations_ui_url: "https://scalar.vector.im/" +matrix_client_element_integrations_rest_url: "https://scalar.vector.im/api" +matrix_client_element_integrations_widgets_urls: ["https://scalar.vector.im/api"] +matrix_client_element_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html" +matrix_client_element_permalinkPrefix: "https://matrix.to" +# Element public room directory server(s) +matrix_client_element_roomdir_servers: ['matrix.org'] +matrix_client_element_welcome_user_id: "@riot-bot:matrix.org" +# Branding of Element +matrix_client_element_brand: "Element" + +# URL to Logo on welcome page +matrix_client_element_welcome_logo: "welcome/images/logo.svg" + +# URL of link on welcome image +matrix_client_element_welcome_logo_link: "https://element.io" + +matrix_client_element_welcome_headline: "_t('Welcome to Element')" +matrix_client_element_welcome_text: "_t('Decentralised, encrypted chat & collaboration powered by [matrix]')" + +# Links, shown in footer of welcome page: +# [{"text": "Link text", "url": "https://link.target"}, {"text": "Other link"}] +matrix_client_element_branding_authFooterLinks: ~ + +# URL to image, shown during Login +matrix_client_element_branding_authHeaderLogoUrl: "{{ matrix_client_element_welcome_logo }}" + +# URL to Wallpaper, shown in background of welcome page +matrix_client_element_branding_welcomeBackgroundUrl: ~ + +# By default, there's no Element homepage (when logged in). If you wish to have one, +# point this to a `home.html` template file on your local filesystem. +matrix_client_element_embedded_pages_home_path: ~ + +matrix_client_element_jitsi_preferredDomain: '' + +# Controls whether the self-check feature should validate SSL certificates. +matrix_client_element_self_check_validate_certificates: true + +# don't show the registration button on welcome page +matrix_client_element_registration_enabled: false + +# Controls whether presence will be enabled +matrix_client_element_enable_presence_by_hs_url: ~ + +# Controls whether custom Element themes will be installed. +# When enabled, all themes found in the `matrix_client_element_themes_repository_url` repository +# will be installed and enabled automatically. +matrix_client_element_themes_enabled: false +matrix_client_element_themes_repository_url: https://github.com/aaronraimist/element-themes + +# Controls the default theme +matrix_client_element_default_theme: 'light' + +# Controls the `settingsDefault.custom_themes` setting of the Element configuration. +# You can use this setting to define custom themes. +# +# Also, look at `matrix_client_element_themes_enabled` for a way to pull in a bunch of custom themes automatically. +# If you define your own themes here and set `matrix_client_element_themes_enabled: true`, your themes will be preserved as well. +# +# Note that for a custom theme to work well, all Element instances that you use must have the same theme installed. +matrix_client_element_settingDefaults_custom_themes: [] + +# Default Element configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_element_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_client_element_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}" + +# Your custom JSON configuration for Element should go to `matrix_client_element_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_element_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_element_configuration_default`. +# +# Example configuration extension follows: +# +# matrix_client_element_configuration_extension_json: | +# { +# "disable_3pid_login": true, +# "disable_login_language_selector": true +# } +matrix_client_element_configuration_extension_json: '{}' + +matrix_client_element_configuration_extension: "{{ matrix_client_element_configuration_extension_json|from_json if matrix_client_element_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final Element configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_element_configuration_default`. +matrix_client_element_configuration: "{{ matrix_client_element_configuration_default|combine(matrix_client_element_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-riot-web/tasks/init.yml b/roles/matrix-client-element/tasks/init.yml similarity index 59% rename from roles/matrix-riot-web/tasks/init.yml rename to roles/matrix-client-element/tasks/init.yml index 7c8a1550..a8b64854 100644 --- a/roles/matrix-riot-web/tasks/init.yml +++ b/roles/matrix-client-element/tasks/init.yml @@ -1,10 +1,10 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-riot-web'] }}" - when: matrix_riot_web_enabled|bool + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element'] }}" + when: matrix_client_element_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters # for self buildig it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: - msg: "To self build Riot Web image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_riot_web_container_image_self_build" + msg: "To self build the Element image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build" diff --git a/roles/matrix-client-element/tasks/main.yml b/roles/matrix-client-element/tasks/main.yml new file mode 100644 index 00000000..cdc5fa97 --- /dev/null +++ b/roles/matrix-client-element/tasks/main.yml @@ -0,0 +1,34 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_client_element_enabled|bool" + tags: + - setup-all + - setup-client-element + +- import_tasks: "{{ role_path }}/tasks/prepare_themes.yml" + when: run_setup|bool + tags: + - setup-all + - setup-client-element + +- import_tasks: "{{ role_path }}/tasks/migrate_riot_web.yml" + when: run_setup|bool + tags: + - setup-all + - setup-client-element + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + when: run_setup|bool + tags: + - setup-all + - setup-client-element + +- import_tasks: "{{ role_path }}/tasks/self_check.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check|bool and matrix_client_element_enabled|bool" + tags: + - self-check diff --git a/roles/matrix-client-element/tasks/migrate_riot_web.yml b/roles/matrix-client-element/tasks/migrate_riot_web.yml new file mode 100644 index 00000000..dd0eb0f8 --- /dev/null +++ b/roles/matrix-client-element/tasks/migrate_riot_web.yml @@ -0,0 +1,36 @@ +--- + +- name: Check existence of matrix-riot-web.service + stat: + path: "{{ matrix_systemd_path }}/matrix-riot-web.service" + register: matrix_client_riot_web_service_stat + when: "matrix_client_element_enabled|bool" + +- name: Ensure matrix-riot-web is stopped + service: + name: matrix-riot-web + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_client_element_enabled|bool and matrix_client_riot_web_service_stat.stat.exists" + +- name: Ensure matrix-riot-web.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-riot-web.service" + state: absent + when: "matrix_client_element_enabled|bool and matrix_client_riot_web_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-riot-web.service removal + service: + daemon_reload: yes + when: "matrix_client_element_enabled|bool and matrix_client_riot_web_service_stat.stat.exists" + +- name: Check existence of /matrix/riot-web + stat: + path: "/matrix/riot-web" + register: matrix_client_riot_web_dir_stat + when: "matrix_client_element_enabled|bool" + +- name: Relocate /matrix/riot-web to /matrix/client-element + command: "mv /matrix/riot-web /matrix/client-element" + when: "matrix_client_element_enabled|bool and matrix_client_riot_web_dir_stat.stat.exists" diff --git a/roles/matrix-client-element/tasks/prepare_themes.yml b/roles/matrix-client-element/tasks/prepare_themes.yml new file mode 100644 index 00000000..1453e37d --- /dev/null +++ b/roles/matrix-client-element/tasks/prepare_themes.yml @@ -0,0 +1,48 @@ +--- + +# +# Tasks related to setting up Element themes +# + +- block: + - name: Ensure Element themes repository is pulled + git: + repo: "{{ matrix_client_element_themes_repository_url }}" + dest: "{{ role_path }}/files/scratchpad/themes" + + - name: Find all Element theme files + find: + paths: "{{ role_path }}/files/scratchpad/themes" + patterns: "*.json" + recurse: true + register: matrix_client_element_theme_file_list + + - name: Read Element theme + slurp: + path: "{{ item.path }}" + register: "matrix_client_element_theme_file_contents" + with_items: "{{ matrix_client_element_theme_file_list.files }}" + + - name: Load Element theme + set_fact: + matrix_client_element_settingDefaults_custom_themes: "{{ matrix_client_element_settingDefaults_custom_themes + [item['content'] | b64decode | from_json] }}" + with_items: "{{ matrix_client_element_theme_file_contents.results }}" + + run_once: true + delegate_to: 127.0.0.1 + become: false + when: matrix_client_element_themes_enabled|bool + + +# +# Tasks related to getting rid of Element themes (if it was previously enabled) +# + +- name: Ensure Element themes repository is removed + file: + path: "{{ role_path }}/files/scratchpad/themes" + state: absent + run_once: true + delegate_to: 127.0.0.1 + become: false + when: "not matrix_client_element_themes_enabled|bool" diff --git a/roles/matrix-client-element/tasks/self_check.yml b/roles/matrix-client-element/tasks/self_check.yml new file mode 100644 index 00000000..34b6b88b --- /dev/null +++ b/roles/matrix-client-element/tasks/self_check.yml @@ -0,0 +1,22 @@ +--- + +- set_fact: + matrix_client_element_url_endpoint_public: "https://{{ matrix_server_fqn_element }}/config.json" + +- name: Check Element + uri: + url: "{{ matrix_client_element_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_client_element_self_check_validate_certificates }}" + register: matrix_client_element_self_check_result + check_mode: no + ignore_errors: true + +- name: Fail if Element not working + fail: + msg: "Failed checking Element is up at `{{ matrix_server_fqn_element }}` (checked endpoint: `{{ matrix_client_element_url_endpoint_public }}`). Is Element running? Is port 443 open in your firewall? Full error: {{ matrix_client_element_self_check_result }}" + when: "matrix_client_element_self_check_result.failed or 'json' not in matrix_client_element_self_check_result" + +- name: Report working Element + debug: + msg: "Element at `{{ matrix_server_fqn_element }}` is working (checked endpoint: `{{ matrix_client_element_url_endpoint_public }}`)" diff --git a/roles/matrix-client-element/tasks/setup.yml b/roles/matrix-client-element/tasks/setup.yml new file mode 100644 index 00000000..2e8071ca --- /dev/null +++ b/roles/matrix-client-element/tasks/setup.yml @@ -0,0 +1,127 @@ +--- + +# +# Tasks related to setting up Element +# + +- name: Ensure Element paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_client_element_data_path }}", when: true } + - { path: "{{ matrix_client_element_docker_src_files_path }}", when: "{{ matrix_client_element_container_image_self_build }}" } + when: matrix_client_element_enabled|bool and item.when + +- name: Ensure Element Docker image is pulled + docker_image: + name: "{{ matrix_client_element_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_client_element_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_element_docker_image_force_pull }}" + when: matrix_client_element_enabled|bool and not matrix_client_element_container_image_self_build + +- name: Ensure Element repository is present on self-build + git: + repo: https://github.com/vector-im/riot-web.git + dest: "{{ matrix_client_element_docker_src_files_path }}" + version: "{{ matrix_client_element_docker_image.split(':')[1] }}" + force: "yes" + when: "matrix_client_element_enabled|bool and matrix_client_element_container_image_self_build" + +- name: Ensure Element Docker image is built + docker_image: + name: "{{ matrix_client_element_docker_image }}" + source: build + build: + dockerfile: Dockerfile + path: "{{ matrix_client_element_docker_src_files_path }}" + pull: yes + when: "matrix_client_element_enabled|bool and matrix_client_element_container_image_self_build" + +- name: Ensure Element configuration installed + copy: + content: "{{ matrix_client_element_configuration|to_nice_json }}" + dest: "{{ matrix_client_element_data_path }}/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_client_element_enabled|bool + +- name: Ensure Element config files installed + template: + src: "{{ item.src }}" + dest: "{{ matrix_client_element_data_path }}/{{ item.name }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + - {src: "{{ role_path }}/templates/welcome.html.j2", name: "welcome.html"} + - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"} + when: "matrix_client_element_enabled|bool and item.src is not none" + +- name: Ensure Element config files removed + file: + path: "{{ matrix_client_element_data_path }}/{{ item.name }}" + state: absent + with_items: + - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"} + when: "matrix_client_element_enabled|bool and item.src is none" + +- name: Ensure matrix-client-element.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-client-element.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-client-element.service" + mode: 0644 + register: matrix_client_element_systemd_service_result + when: matrix_client_element_enabled|bool + +- name: Ensure systemd reloaded after matrix-client-element.service installation + service: + daemon_reload: yes + when: "matrix_client_element_enabled and matrix_client_element_systemd_service_result.changed" + +# +# Tasks related to getting rid of Element (if it was previously enabled) +# + +- name: Check existence of matrix-client-element.service + stat: + path: "{{ matrix_systemd_path }}/matrix-client-element.service" + register: matrix_client_element_service_stat + when: "not matrix_client_element_enabled|bool" + +- name: Ensure matrix-client-element is stopped + service: + name: matrix-client-element + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists" + +- name: Ensure matrix-client-element.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-client-element.service" + state: absent + when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-client-element.service removal + service: + daemon_reload: yes + when: "not matrix_client_element_enabled|bool and matrix_client_element_service_stat.stat.exists" + +- name: Ensure Element paths doesn't exist + file: + path: "{{ matrix_client_element_data_path }}" + state: absent + when: "not matrix_client_element_enabled|bool" + +- name: Ensure Element Docker image doesn't exist + docker_image: + name: "{{ matrix_client_element_docker_image }}" + state: absent + when: "not matrix_client_element_enabled|bool" diff --git a/roles/matrix-client-element/tasks/validate_config.yml b/roles/matrix-client-element/tasks/validate_config.yml new file mode 100644 index 00000000..d246b612 --- /dev/null +++ b/roles/matrix-client-element/tasks/validate_config.yml @@ -0,0 +1,20 @@ +--- + +- name: Fail if required Element settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) for using Element. + when: "vars[item] == ''" + with_items: + - "matrix_client_element_default_hs_url" + +- name: (Deprecation) Catch and report riot-web variables + fail: + msg: >- + Riot has been renamed to Element (https://element.io/blog/welcome-to-element/). + The playbook will migrate your existing configuration and data automatically, but you need to adjust variable names. + Please change your configuration (vars.yml) to rename all riot-web variables (`{{ item.old }}` -> `{{ item.new }}`). + Also note that DNS configuration changes may be necessary. + when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" + with_items: + - {'old': 'matrix_riot_web_.*', 'new': 'matrix_client_element_.*'} diff --git a/roles/matrix-client-element/templates/config.json.j2 b/roles/matrix-client-element/templates/config.json.j2 new file mode 100644 index 00000000..bb8d6571 --- /dev/null +++ b/roles/matrix-client-element/templates/config.json.j2 @@ -0,0 +1,45 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": {{ matrix_client_element_default_hs_url|string|to_json }}, + "server_name": {{ matrix_client_element_default_server_name|string|to_json }} + }, + "m.identity_server": { + "base_url": {{ matrix_client_element_default_is_url|string|to_json }} + } + }, + "settingDefaults": { + "custom_themes": {{ matrix_client_element_settingDefaults_custom_themes|to_json }} + }, + "default_theme": {{ matrix_client_element_default_theme|string|to_json }}, + "permalinkPrefix": {{ matrix_client_element_permalinkPrefix|string|to_json }}, + "disable_custom_urls": {{ matrix_client_element_disable_custom_urls|to_json }}, + "disable_guests": {{ matrix_client_element_disable_guests|to_json }}, + "brand": {{ matrix_client_element_brand|to_json }}, + "integrations_ui_url": {{ matrix_client_element_integrations_ui_url|string|to_json }}, + "integrations_rest_url": {{ matrix_client_element_integrations_rest_url|string|to_json }}, + "integrations_widgets_urls": {{ matrix_client_element_integrations_widgets_urls|to_json }}, + "integrations_jitsi_widget_url": {{ matrix_client_element_integrations_jitsi_widget_url|string|to_json }}, + "bug_report_endpoint_url": "https://riot.im/bugreports/submit", + "enableLabs": true, + "roomDirectory": { + "servers": {{ matrix_client_element_roomdir_servers|to_json }} + }, + "welcomeUserId": {{ matrix_client_element_welcome_user_id|to_json }}, + {% if matrix_client_element_enable_presence_by_hs_url is not none %} + "enable_presence_by_hs_url": {{ matrix_client_element_enable_presence_by_hs_url|to_json }}, + {% endif %} + "embeddedPages": { + "homeUrl": {{ matrix_client_element_embedded_pages_home_url|string|to_json }} + }, + {% if matrix_client_element_jitsi_preferredDomain %} + "jitsi": { + "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} + }, + {% endif %} + "branding": { + "authFooterLinks": {{ matrix_client_element_branding_authFooterLinks|to_json }}, + "authHeaderLogoUrl": {{ matrix_client_element_branding_authHeaderLogoUrl|to_json }}, + "welcomeBackgroundUrl": {{ matrix_client_element_branding_welcomeBackgroundUrl|to_json }} + } +} diff --git a/roles/matrix-riot-web/templates/nginx.conf.j2 b/roles/matrix-client-element/templates/nginx.conf.j2 similarity index 100% rename from roles/matrix-riot-web/templates/nginx.conf.j2 rename to roles/matrix-client-element/templates/nginx.conf.j2 diff --git a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 new file mode 100644 index 00000000..49b2f198 --- /dev/null +++ b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 @@ -0,0 +1,43 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Element server +{% for service in matrix_client_element_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-client-element +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-client-element + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-element \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_client_element_container_http_host_bind_port %} + -p {{ matrix_client_element_container_http_host_bind_port }}:8080 \ + {% endif %} + --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ + -v {{ matrix_client_element_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ + -v {{ matrix_client_element_data_path }}/config.json:/app/config.json:ro \ + -v {{ matrix_client_element_data_path }}/config.json:/app/config.{{ matrix_server_fqn_element }}.json:ro \ + {% if matrix_client_element_embedded_pages_home_path is not none %} + -v {{ matrix_client_element_data_path }}/home.html:/app/home.html:ro \ + {% endif %} + -v {{ matrix_client_element_data_path }}/welcome.html:/app/welcome.html:ro \ + {% for arg in matrix_client_element_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_client_element_docker_image }} + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-client-element +ExecStop=-{{ matrix_host_command_docker }} rm matrix-client-element +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-client-element + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-riot-web/templates/welcome.html.j2 b/roles/matrix-client-element/templates/welcome.html.j2 similarity index 91% rename from roles/matrix-riot-web/templates/welcome.html.j2 rename to roles/matrix-client-element/templates/welcome.html.j2 index 48a0f532..b2918393 100644 --- a/roles/matrix-riot-web/templates/welcome.html.j2 +++ b/roles/matrix-client-element/templates/welcome.html.j2 @@ -153,23 +153,23 @@ h1::after {
- - + + -

{{ matrix_riot_web_welcome_headline }}

-

{{ matrix_riot_web_welcome_text }}

+

{{ matrix_client_element_welcome_headline }}

+

{{ matrix_client_element_welcome_text }}

_t("Sign In")
-{% if matrix_riot_web_registration_enabled %} +{% if matrix_client_element_registration_enabled %}
_t("Create Account")
{% endif %}
-{% if matrix_riot_web_disable_guests != true %} +{% if matrix_client_element_disable_guests != true %} -
-
-
_t("Need help?")
- -
_t("Chat with Riot Bot")
-
-
+ From 43c5f3ec6e275e959a06c2f8ba4a075ac521b95f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 29 Sep 2020 18:14:37 +0300 Subject: [PATCH 1421/2384] Do not create /home/matrix when creating the matrix user --- roles/matrix-base/tasks/setup_matrix_user.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/matrix-base/tasks/setup_matrix_user.yml b/roles/matrix-base/tasks/setup_matrix_user.yml index 295643e9..ab5e8111 100644 --- a/roles/matrix-base/tasks/setup_matrix_user.yml +++ b/roles/matrix-base/tasks/setup_matrix_user.yml @@ -17,6 +17,9 @@ uid: "{{ omit if matrix_user_uid is none else matrix_user_uid }}" state: present group: "{{ matrix_user_groupname }}" + home: "{{ matrix_base_data_path }}" + create_home: no + system: yes register: matrix_user - name: Set Matrix Group UID Variable From 3a3383fada6fb709ef2b77538b3f4e9783589aed Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Wed, 30 Sep 2020 16:40:24 -0500 Subject: [PATCH 1422/2384] Add support for postgres 13 --- CHANGELOG.md | 6 +++--- roles/matrix-postgres/defaults/main.yml | 3 ++- .../tasks/util/detect_existing_postgres_version.yml | 5 +++++ 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e1002b9..749f4bca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -307,11 +307,11 @@ Additionally, Postgres [upgrading](docs/maintenance-postgres.md#upgrading-postgr # 2019-10-04 -## Postgres 12 support +## Postgres 13 support -The playbook now installs [Postgres 12](https://www.postgresql.org/about/news/1976/) by default. +The playbook now installs [Postgres 13](https://www.postgresql.org/about/news/postgresql-13-released-2077/) by default. -If you have have an existing setup, it's likely running on an older Postgres version (9.x, 10.x or 11.x). You can easily upgrade by following the [upgrading PostgreSQL guide](docs/maintenance-postgres.md#upgrading-postgresql). +If you have have an existing setup, it's likely running on an older Postgres version (9.x, 10.x, 11.x, or 12.x). You can easily upgrade by following the [upgrading PostgreSQL guide](docs/maintenance-postgres.md#upgrading-postgresql). # 2019-10-03 diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index b5c6f6a8..f4fc180e 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -12,7 +12,8 @@ matrix_postgres_docker_image_v9: "postgres:9.6.19-alpine" matrix_postgres_docker_image_v10: "postgres:10.14-alpine" matrix_postgres_docker_image_v11: "postgres:11.9-alpine" matrix_postgres_docker_image_v12: "postgres:12.4-alpine" -matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v12 }}" +matrix_postgres_docker_image_v13: "postgres:13.0-alpine" +matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" # This variable is assigned at runtime. Overriding its value has no effect. matrix_postgres_docker_image_to_use: '{{ matrix_postgres_docker_image_latest }}' diff --git a/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml b/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml index 805d0cbd..9032c15e 100644 --- a/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml +++ b/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml @@ -49,3 +49,8 @@ set_fact: matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v11 }}" when: "matrix_postgres_detected_version == '11' or matrix_postgres_detected_version.startswith('11.')" + +- name: Determine corresponding Docker image to detected version (use 12.x, if detected) + set_fact: + matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v12 }}" + when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')" From e89dc7c7a8579da66e93e7afb6da405d7fe43b41 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Wed, 30 Sep 2020 19:54:28 -0500 Subject: [PATCH 1423/2384] Undo bad changelog edit --- CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 749f4bca..3e1002b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -307,11 +307,11 @@ Additionally, Postgres [upgrading](docs/maintenance-postgres.md#upgrading-postgr # 2019-10-04 -## Postgres 13 support +## Postgres 12 support -The playbook now installs [Postgres 13](https://www.postgresql.org/about/news/postgresql-13-released-2077/) by default. +The playbook now installs [Postgres 12](https://www.postgresql.org/about/news/1976/) by default. -If you have have an existing setup, it's likely running on an older Postgres version (9.x, 10.x, 11.x, or 12.x). You can easily upgrade by following the [upgrading PostgreSQL guide](docs/maintenance-postgres.md#upgrading-postgresql). +If you have have an existing setup, it's likely running on an older Postgres version (9.x, 10.x or 11.x). You can easily upgrade by following the [upgrading PostgreSQL guide](docs/maintenance-postgres.md#upgrading-postgresql). # 2019-10-03 From 3bfbbc10bcf673334739d9d42d45a936899d81a0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Oct 2020 09:46:43 +0300 Subject: [PATCH 1424/2384] Announce Postgres v13 upgrade --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e1002b9..ef67ae66 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +# 2020-10-01 + +## Postgres 13 support + +The playbook now installs [Postgres 13](https://www.postgresql.org/about/news/postgresql-13-released-2077/) by default. + +If you have have an existing setup, it's likely running on an older Postgres version (9.x, 10.x, 11.x or 12.x). You can easily upgrade by following the [upgrading PostgreSQL guide](docs/maintenance-postgres.md#upgrading-postgresql). + # 2020-09-01 ## matrix-registration support From 07fa8404bfc4675ceb7c8d70be97111f01437a1a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Oct 2020 18:30:30 +0300 Subject: [PATCH 1425/2384] Upgrade matrix-corporal (1.10.1 -> 1.11.0) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 27b2b92a..52681a30 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -19,7 +19,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_docker_image: "devture/matrix-corporal:1.10.1" +matrix_corporal_docker_image: "devture/matrix-corporal:1.11.0" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" From 23daec748c2f73b19987ef29075ec17b03cadd07 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 2 Oct 2020 11:52:17 +0300 Subject: [PATCH 1426/2384] Require Ansible v2.7 or newer (because of items2dict and dict2items) Interestingly, no one has reported this failure before #662 (Github Issue). It doesn't make sense to keep saying that we support such old Ansible versions, when we're not even testing on anything close to those. Time is also passing and such versions are getting more and more ancient. It's time we bumped our requirements to something that is more likely to work. --- docs/ansible.md | 4 ++-- roles/matrix-base/tasks/sanity_check.yml | 9 +++------ 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/docs/ansible.md b/docs/ansible.md index 1ba430f4..1ac08b5f 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -9,7 +9,7 @@ If your local computer cannot run Ansible, you can also run Ansible on some serv ## Supported Ansible versions -Ansible 2.5.2 or newer is required. +Ansible 2.7.0 or newer is required. ## Checking your Ansible version @@ -49,7 +49,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -devture/ansible:2.9.9-r0 +devture/ansible:2.9.13-r0 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 23f90b85..e504bfe9 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -1,13 +1,10 @@ --- -# We generally support Ansible 2.5.2 and above. -# -# Ansible 2.5.0 and 2.5.1 are known to have a bug with `include_tasks` + `with_items`. -# The bug has been fixed in Ansible 2.5.2. -- name: Fail if running on Ansible < 2.5 or Ansible 2.5.x (lower than 2.5.2) +# We generally support Ansible 2.7.0 and above. +- name: Fail if running on Ansible < 2.7 fail: msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" - when: "(ansible_version.major < 2) or (ansible_version.major <= 2 and ansible_version.minor < 5) or (ansible_version.major == 2 and ansible_version.minor == 5 and ansible_version.revision < 2)" + when: "(ansible_version.major < 2) or (ansible_version.major <= 2 and ansible_version.minor < 7)" - name: (Deprecation) Catch and report renamed settings fail: From ae75920be920f4fc539af4e866f0a46c2cff1449 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 2 Oct 2020 12:00:56 +0300 Subject: [PATCH 1427/2384] Update changelog Related to 23daec748c2f73b1 and #662 (Github Issue). --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ef67ae66..247e4e14 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2020-10-02 + +## Minimum Ansible version raised to v2.7.0 + +We were claiming to support [Ansible](https://www.ansible.com/) v2.5.2 and higher, but issues like [#662](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/662) demonstrate that we need at least v2.7.0. + +If you've been using the playbook without getting any errors until now, you're probably on a version higher than that already (or you're not using the `matrix-ma1sd` and `matrix-client-element` roles). + +Our [Ansible docs page](docs/ansible.md) contains information on how to run a more up-to-date version of Ansible. + + # 2020-10-01 ## Postgres 13 support From ee8dd44837b92a3bb253a067b9425d1f949aff00 Mon Sep 17 00:00:00 2001 From: Hardy Erlinger Date: Fri, 2 Oct 2020 22:53:06 +0200 Subject: [PATCH 1428/2384] Use up-to-date PostgreSQL container version for backups. --- docs/maintenance-postgres.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index d385bc9c..14d5cdb9 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -45,7 +45,7 @@ docker run \ --log-driver=none \ --network=matrix \ --env-file=/matrix/postgres/env-postgres-psql \ -postgres:12.4-alpine \ +postgres:13.0-alpine \ pg_dumpall -h matrix-postgres \ | gzip -c \ > /postgres.sql.gz From 8370ee0647d9420f6e0bd59d7d2e0df6d334ffe5 Mon Sep 17 00:00:00 2001 From: Panagiotis Vasilopoulos Date: Sun, 4 Oct 2020 19:28:22 +0000 Subject: [PATCH 1429/2384] caddy2: removed unknown tls directive --- examples/caddy2/Caddyfile | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index 55fca3fd..1438a50b 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -1,7 +1,4 @@ matrix.DOMAIN.tld { - - tls {$CADDY_TLS} - @identity { path /_matrix/identity/* } @@ -97,10 +94,7 @@ matrix.DOMAIN.tld:8448 { } dimension.DOMAIN.tld { - - tls {$CADDY_TLS} - - header { +header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # Enable cross-site filter (XSS) and tell browser to block detected attacks @@ -127,9 +121,6 @@ dimension.DOMAIN.tld { } element.DOMAIN.tld { - - tls {$CADDY_TLS} - header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" @@ -153,4 +144,4 @@ element.DOMAIN.tld { header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} } -} \ No newline at end of file +} From 1f9c173a7ec3cb071f6857c59a6ef6c619cc9702 Mon Sep 17 00:00:00 2001 From: dhose <4066579+dhose@users.noreply.github.com> Date: Tue, 6 Oct 2020 11:42:32 +0200 Subject: [PATCH 1430/2384] Adding '.python-version' to .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index d6068088..36c65bda 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ !/inventory/scripts /roles/*/files/scratchpad .DS_Store +.python-version From 6a72e3fa540edb9ef427b4ab804ef5aeb6e28a7d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 7 Oct 2020 08:54:46 +0300 Subject: [PATCH 1431/2384] Try to make importing SQLite from older Synapse version work If the SQLite database was from an older version of Synapse, it appears that Synapse would try to run migrations on it first, before importing. This was failing, because the file wasn't writable. Hopefully, this fixes the problem. --- roles/matrix-postgres/tasks/import_sqlite_db.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml index fe0deba8..c877ead4 100644 --- a/roles/matrix-postgres/tasks/import_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml @@ -81,6 +81,6 @@ --entrypoint=python -v {{ matrix_synapse_config_dir_path }}:/data -v {{ matrix_synapse_config_dir_path }}:/matrix-media-store-parent/media-store - -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro + -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }} {{ matrix_synapse_docker_image }} /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml From 898f319e1175fc5b77bf36c6338dd25daf0fb831 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 7 Oct 2020 09:06:59 +0300 Subject: [PATCH 1432/2384] Add additional notice to SQLite importing docs --- docs/importing-sqlite.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/importing-sqlite.md b/docs/importing-sqlite.md index cb30d098..9e3a910d 100644 --- a/docs/importing-sqlite.md +++ b/docs/importing-sqlite.md @@ -20,4 +20,7 @@ Run this command (make sure to replace `` with a f ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_homeserver_db=' --tags=import-sqlite-db -**Note**: `` must be a file path to a `homeserver.db` file on the server (not on your local machine!). +**Notes**: + +- `` must be a file path to a `homeserver.db` **file on the server** (not on your local machine!). +- if the SQLite database is from an older version of Synapse, the **importing procedure may run migrations on it to bring it up to date**. That is, your SQLite database file may get modified and become unusable with your older Synapse version. Keeping a copy of the original is probably wise. From 1a9cafa3a33387f2c32eb736e6a4665dd87a177e Mon Sep 17 00:00:00 2001 From: Fanch Date: Sat, 10 Oct 2020 04:11:26 +0200 Subject: [PATCH 1433/2384] add run-docker-prune command --- roles/matrix-common-after/tasks/main.yml | 4 ++++ roles/matrix-common-after/tasks/run_docker_prune.yml | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 roles/matrix-common-after/tasks/run_docker_prune.yml diff --git a/roles/matrix-common-after/tasks/main.yml b/roles/matrix-common-after/tasks/main.yml index 197ab6a9..d77d56a1 100644 --- a/roles/matrix-common-after/tasks/main.yml +++ b/roles/matrix-common-after/tasks/main.yml @@ -11,3 +11,7 @@ - import_tasks: "{{ role_path }}/tasks/dump_runtime_results.yml" tags: - always + +- import_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" + tags: + - run-docker-prune diff --git a/roles/matrix-common-after/tasks/run_docker_prune.yml b/roles/matrix-common-after/tasks/run_docker_prune.yml new file mode 100644 index 00000000..a7e35a03 --- /dev/null +++ b/roles/matrix-common-after/tasks/run_docker_prune.yml @@ -0,0 +1,4 @@ +--- + +- name: Run Docker System Prune + command: "{{ matrix_host_command_docker }} system prune -a -f" From 4d5068e283e9bab4dfedfd51e1357a6775126960 Mon Sep 17 00:00:00 2001 From: Fanch Date: Sat, 10 Oct 2020 14:27:07 +0200 Subject: [PATCH 1434/2384] add some doc about the run-docker-prune tag --- docs/maintenance-and-troubleshooting.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/maintenance-and-troubleshooting.md b/docs/maintenance-and-troubleshooting.md index bccf3e2e..ae90fba2 100644 --- a/docs/maintenance-and-troubleshooting.md +++ b/docs/maintenance-and-troubleshooting.md @@ -33,6 +33,12 @@ matrix_synapse_root_log_level: "INFO" Re-run the playbook after making these configuration changes. +## Remove unused Docker data + +You can free some disk space from Docker, see [docker system prune](https://docs.docker.com/engine/reference/commandline/system_prune/) for more information. +```bash +ansible-playbook -i inventory/hosts setup.yml --tags=run-docker-prune +``` ## Postgres From 40024e9b81539e942bc544c798304883085d75c7 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 29 Sep 2020 11:14:39 +0200 Subject: [PATCH 1435/2384] Prevent workers failing if their config doesn't exist - cherry-pick "Ensure worker config exists in systemd service (#7528)" from synapse d74cdc1a42e8b487d74c214b1d0ca575429d546a: "check that the worker config file exists instead of silently failing." --- .../templates/synapse/systemd/matrix-synapse-worker@.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 index a46517c4..d82564c4 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 @@ -2,6 +2,7 @@ # c.f. https://github.com/matrix-org/synapse/pull/4662 [Unit] Description=Synapse Matrix Worker +AssertPathExists={{matrix_synapse_config_dir_path }}/worker.%i.yaml After=matrix-synapse.service BindsTo=matrix-synapse.service From e9241f5fb9ee5603bbabea76ca5f8f5b3f92e470 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sun, 11 Oct 2020 16:42:45 +0200 Subject: [PATCH 1436/2384] Improve synapse-workers systemd service template Is the PID magic gonna work? or will it need an ExecStartPost hack.. --- .../synapse/systemd/matrix-synapse-worker@.service.j2 | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 index d82564c4..d14b2557 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 @@ -1,4 +1,6 @@ #jinja2: lstrip_blocks: "True" +# Instantiable worker service, running inside the synapse container +# alongside the homeserver main process. # c.f. https://github.com/matrix-org/synapse/pull/4662 [Unit] Description=Synapse Matrix Worker @@ -12,15 +14,18 @@ Type=simple # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre=/bin/sleep 5 -# systemd ftw 🤦‍♂️ -# https://github.com/systemd/systemd/issues/14895#issuecomment-594123923 +# no sane way of instancing more than one variable (systemd "cant-fix" 🤦) +# c.f. https://github.com/systemd/systemd/issues/14895#issuecomment-594123923 +# So use good ol' shell parameter expansion to get the worker type.. ExecStart=/bin/sh -c "WORKER=%i; WORKER=$${WORKER%%:*}; \ exec /usr/bin/docker exec \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ matrix-synapse \ python -m synapse.app.$${WORKER} -c /data/homeserver.yaml -c /data/worker.%i.yaml" +ExecReload=/bin/kill -HUP $MAINPID ExecStop=/usr/bin/docker exec matrix-synapse pkill -f %i +PIDFile=/matrix-run/{{ item.worker }}.port{{ item.port }}.pid KillMode=process Restart=always RestartSec=10 From 36e9be60929a35957a4c38969d3337d61afbc791 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sun, 11 Oct 2020 21:31:18 +0200 Subject: [PATCH 1437/2384] matrix_synapse_workers_{avail,enabled}_list: sort non-generic workers .. alphabetically and put those not documented as multi-instance capable on ports ending on zero. --- roles/matrix-synapse/defaults/main.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 8ea12850..4fb843cb 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -275,7 +275,8 @@ matrix_synapse_manhole_enabled: false # Enable support for Synapse workers matrix_synapse_workers_enabled: false -# List of workers to spawn +# Default list of workers to spawn +# (worker with ports ending on 00 are single-instance) matrix_synapse_workers_enabled_list: - { worker: generic_worker, port: 18101 } - { worker: generic_worker, port: 18102 } @@ -283,22 +284,22 @@ matrix_synapse_workers_enabled_list: - { worker: generic_worker, port: 18104 } - { worker: generic_worker, port: 18105 } - { worker: generic_worker, port: 18106 } - - { worker: pusher, port: 18201 } - - { worker: appservice, port: 18301 } - - { worker: federation_sender, port: 18401 } + - { worker: appservice, port: 18200 } + - { worker: federation_sender, port: 18301 } + - { worker: frontend_proxy, port: 18400 } - { worker: media_repository, port: 18501 } - - { worker: user_dir, port: 18601 } - - { worker: frontend_proxy, port: 18701 } + - { worker: pusher, port: 18600 } + - { worker: user_dir, port: 18700 } # The list of available workers (2020-08-28) matrix_synapse_workers_avail_list: - generic_worker - - pusher - appservice - federation_sender + - frontend_proxy - media_repository + - pusher - user_dir - - frontend_proxy # Redis information matrix_synapse_redis_enabled: false From d2e61af2243e2fa3ca95f15210ffa41d66fe2463 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 9 Sep 2020 19:57:49 +0200 Subject: [PATCH 1438/2384] Add worker_name to synapse worker config template & restrict federation listener; frontend_proxy / user_dir don't need it --- roles/matrix-synapse/templates/synapse/worker.yaml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 index c99e97cd..319f5708 100644 --- a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -1,5 +1,6 @@ #jinja2: lstrip_blocks: "True" worker_app: synapse.app.{{ item.worker }} +worker_name: {{ item.worker ~ '_' ~ item.port }} worker_replication_host: 127.0.0.1 worker_replication_http_port: {{ matrix_synapse_replication_http_port }} @@ -12,6 +13,8 @@ worker_listeners: - names: {% if item.worker in [ 'generic_worker', 'frontend_proxy', 'user_dir' ] %} - client +{% endif %} +{% if item.worker in [ 'generic_worker' ] %} - federation {% elif item.worker in [ 'media_repository' ] %} - media From 78529cbd47544f8dd3a452eda4f749256315f359 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Mon, 12 Oct 2020 23:59:34 -0500 Subject: [PATCH 1439/2384] Upgrade Synapse (v1.20.1 -> v1.21.0) --- roles/matrix-synapse/defaults/main.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 121 ++++++++++++++++-- 2 files changed, 113 insertions(+), 10 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index bd8d2be9..1bc04bc6 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.20.1" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.21.0" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index e687a500..f58f34f8 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -9,10 +9,23 @@ ## Server ## -# The domain name of the server, with optional explicit port. -# This is used by remote servers to connect to this server, -# e.g. matrix.org, localhost:8080, etc. -# This is also the last part of your UserID. +# The public-facing domain of the server +# +# The server_name name will appear at the end of usernames and room addresses +# created on this server. For example if the server_name was example.com, +# usernames on this server would be in the format @user:example.com +# +# In most cases you should avoid using a matrix specific subdomain such as +# matrix.example.com or synapse.example.com as the server_name for the same +# reasons you wouldn't use user@email.example.com as your email address. +# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md +# for information on how to host Synapse on a subdomain while preserving +# a clean server_name. +# +# The server_name cannot be changed later so it is important to +# configure this correctly before you start Synapse. It should be all +# lowercase and may contain an explicit port. +# Examples: matrix.org, localhost:8080 # server_name: "{{ matrix_domain }}" @@ -107,7 +120,6 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} # #enable_search: false - # List of ports that Synapse should listen on, their purpose and their # configuration. # @@ -389,6 +401,12 @@ retention: # 'longest_max_lifetime' of '3d' will handle every room with a retention policy # which 'max_lifetime' is lower than or equal to three days. # + # The rationale for this per-job configuration is that some rooms might have a + # retention policy with a low 'max_lifetime', where history needs to be purged + # of outdated messages on a more frequent basis than for the rest of the rooms + # (e.g. every 12h), but not want that purge to be performed by a job that's + # iterating over every room it knows, which could be heavy on the server. + # # If any purge job is configured, it is strongly recommended to have at least # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime' # set, or one job without 'shortest_max_lifetime' and one job without @@ -414,6 +432,24 @@ retention: # #request_token_inhibit_3pid_errors: true +# A list of domains that the domain portion of 'next_link' parameters +# must match. +# +# This parameter is optionally provided by clients while requesting +# validation of an email or phone number, and maps to a link that +# users will be automatically redirected to after validation +# succeeds. Clients can make use this parameter to aid the validation +# process. +# +# The whitelist is applied whether the homeserver or an +# identity server is handling validation. +# +# The default value is no whitelist functionality; all domains are +# allowed. Setting this value to an empty list will instead disallow +# all domains. +# +#next_link_domain_whitelist: ["matrix.org"] + ## TLS ## @@ -580,6 +616,7 @@ acme: #tls_fingerprints: [{"sha256": ""}] +## Federation ## # Restrict federation to the following whitelist of domains. # N.B. we recommend also firewalling your federation listener to limit @@ -617,6 +654,17 @@ federation_ip_range_blacklist: - 'fe80::/64' - 'fc00::/7' +# Report prometheus metrics on the age of PDUs being sent to and received from +# the following domains. This can be used to give an idea of "delay" on inbound +# and outbound federation, though be aware that any delay can be due to problems +# at either end or with the intermediate network. +# +# By default, no domains are monitored in this way. +# +#federation_metrics_domains: +# - matrix.org +# - example.com + ## Caching ## @@ -662,6 +710,7 @@ caches: per_cache_factors: #get_users_who_share_room_with_user: 2.0 + ## Database ## database: @@ -1074,6 +1123,17 @@ account_validity: # #invalid_token_html_path: "invalid_token.html" +# Time that a user's session remains valid for, after they log in. +# +# Note that this is not currently compatible with guest logins. +# +# Note also that this is calculated at login time: changes are not applied +# retrospectively to users who have already logged in. +# +# By default, this is infinite. +# +#session_lifetime: 24h + # The user must provide all of the below types of 3PID when registering. # #registrations_require_3pid: @@ -1427,11 +1487,14 @@ trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }} # At least one of `sp_config` or `config_path` must be set in this section to # enable SAML login. # -# (You will probably also want to set the following options to `false` to +# You will probably also want to set the following options to `false` to # disable the regular login/registration flows: # * enable_registration # * password_config.enabled # +# You will also want to investigate the settings under the "sso" configuration +# section below. +# # Once SAML support is enabled, a metadata file will be exposed at # https://:/_matrix/saml2/metadata.xml, which you may be able to # use to configure your SAML IdP with. Alternatively, you can manually configure @@ -1653,6 +1716,19 @@ oidc_config: # #skip_verification: true + # Whether to fetch the user profile from the userinfo endpoint. Valid + # values are: "auto" or "userinfo_endpoint". + # + # Defaults to "auto", which fetches the userinfo endpoint if "openid" is included + # in `scopes`. Uncomment the following to always fetch the userinfo endpoint. + # + #user_profile_method: "userinfo_endpoint" + + # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead + # of failing. This could be used if switching from password logins to OIDC. Defaults to false. + # + #allow_existing_users: true + # An external module can be provided here as a custom solution to mapping # attributes returned from a OIDC provider onto a matrix user. # @@ -1830,6 +1906,24 @@ sso: # #algorithm: "provided-by-your-issuer" + # The issuer to validate the "iss" claim against. + # + # Optional, if provided the "iss" claim will be required and + # validated for all JSON web tokens. + # + #issuer: "provided-by-your-issuer" + + # A list of audiences to validate the "aud" claim against. + # + # Optional, if provided the "aud" claim will be required and + # validated for all JSON web tokens. + # + # Note that if the "aud" claim is included in a JSON web token then + # validation will fail without configuring audiences. + # + #audiences: + # - "provided-by-your-issuer" + password_config: # Uncomment to disable password login @@ -1936,9 +2030,13 @@ email: # * The contents of password reset emails sent by the homeserver: # 'password_reset.html' and 'password_reset.txt' # - # * HTML pages for success and failure that a user will see when they follow - # the link in the password reset email: 'password_reset_success.html' and - # 'password_reset_failure.html' + # * An HTML page that a user will see when they follow the link in the password + # reset email. The user will be asked to confirm the action before their + # password is reset: 'password_reset_confirmation.html' + # + # * HTML pages for success and failure that a user will see when they confirm + # the password reset flow using the page above: 'password_reset_success.html' + # and 'password_reset_failure.html' # # * The contents of address verification emails sent during registration: # 'registration.html' and 'registration.txt' @@ -2417,6 +2515,11 @@ opentracing: # events: worker1 # typing: worker1 +# The worker that is used to run background tasks (e.g. cleaning up expired +# data). If not provided this defaults to the main process. +# +#run_background_tasks_on: worker1 + # Configuration for Redis when using workers. This *must* be enabled when # using workers (unless using old style direct TCP configuration). From d250727e8baf7e5e71fa6a6b1c6ce0b119ab7924 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 13 Oct 2020 09:44:32 +0300 Subject: [PATCH 1440/2384] Upgrade certbot (1.7.0 -> 1.9.0) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8ba0c532..3b9dd60b 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -227,7 +227,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.7.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.9.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ From 5abd51136864106ea151519fc31c1e153d8fc69c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 13 Oct 2020 13:08:25 +0300 Subject: [PATCH 1441/2384] Upgrade Synapse (v1.21.0 -> v1.21.1) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 1bc04bc6..43808e49 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.21.0" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.21.1" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 1f988969a5e91d3b2e4421f35db1563ca4ac957d Mon Sep 17 00:00:00 2001 From: Scott Crossen Date: Tue, 13 Oct 2020 16:18:38 -0700 Subject: [PATCH 1442/2384] Added role for dynamic dns --- docs/configuring-playbook-budget-builds.md | 21 +++++++++++++ docs/configuring-playbook.md | 1 + roles/matrix-dynamic-dns/defaults/main.yml | 14 +++++++++ roles/matrix-dynamic-dns/tasks/init.yml | 4 +++ roles/matrix-dynamic-dns/tasks/install.yml | 24 ++++++++++++++ roles/matrix-dynamic-dns/tasks/main.yml | 28 +++++++++++++++++ .../tasks/platform/archlinux.yml | 16 ++++++++++ .../tasks/platform/centos.yml | 23 ++++++++++++++ .../tasks/platform/debian.yml | 18 +++++++++++ .../tasks/platform/main.yml | 11 +++++++ roles/matrix-dynamic-dns/tasks/uninstall.yml | 31 +++++++++++++++++++ .../tasks/validate_config.yml | 19 ++++++++++++ .../templates/ddclient.conf.j2 | 7 +++++ .../matrix-dynamic-dns/templates/ddclient.j2 | 4 +++ setup.yml | 1 + 15 files changed, 222 insertions(+) create mode 100644 docs/configuring-playbook-budget-builds.md create mode 100644 roles/matrix-dynamic-dns/defaults/main.yml create mode 100644 roles/matrix-dynamic-dns/tasks/init.yml create mode 100644 roles/matrix-dynamic-dns/tasks/install.yml create mode 100644 roles/matrix-dynamic-dns/tasks/main.yml create mode 100644 roles/matrix-dynamic-dns/tasks/platform/archlinux.yml create mode 100644 roles/matrix-dynamic-dns/tasks/platform/centos.yml create mode 100644 roles/matrix-dynamic-dns/tasks/platform/debian.yml create mode 100644 roles/matrix-dynamic-dns/tasks/platform/main.yml create mode 100644 roles/matrix-dynamic-dns/tasks/uninstall.yml create mode 100644 roles/matrix-dynamic-dns/tasks/validate_config.yml create mode 100644 roles/matrix-dynamic-dns/templates/ddclient.conf.j2 create mode 100644 roles/matrix-dynamic-dns/templates/ddclient.j2 diff --git a/docs/configuring-playbook-budget-builds.md b/docs/configuring-playbook-budget-builds.md new file mode 100644 index 00000000..0fb73835 --- /dev/null +++ b/docs/configuring-playbook-budget-builds.md @@ -0,0 +1,21 @@ +# Tips for deploying Matrix on a Budget + +## Dynamic DNS + +Most cloud providers / ISPs will charge you extra for a static IP address. If you're +not hosting a highly reliable homeserver you can workaround this via dynamic DNS. To +set this up, you'll need to get the username/password from your DNS provider. For +google domains, this process is described [here](https://support.google.com/domains/answer/6147083). +After you've gotten the proper credentials you can add the following config to your `host-vars`: + +``` +matrix_dynamic_dns_username: XXXXXXXXXXXXXXXX +matrix_dynamic_dns_password: XXXXXXXXXXXXXXXX +matrix_dynamic_dns_provider: 'domains.google.com' +``` + +## Additional Reading + +Additional resources: + +- https://matrix.org/docs/guides/free-small-matrix-server \ No newline at end of file diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index b174637e..8b0c5537 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -33,6 +33,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the Jitsi video-conferencing platform](configuring-playbook-jitsi.md) (optional) +- [Setting up budget builds or resource-constrained builds](configuring-playbook-budget-builds.md) (optional) ### Core service adjustments diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml new file mode 100644 index 00000000..a0afc99e --- /dev/null +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -0,0 +1,14 @@ +# Whether dynamic dns is enabled +matrix_dynamic_dns_enabled: true + +# Allowed values: 'daemon', 'dhcp' +matrix_dynamic_dns_mode: 'dhcp' + +# The DNS provider domain +matrix_dynamic_dns_provider: 'domains.google.com' + +# The dynamic dns protocol +matrix_dynamic_dns_protocol: 'dyndns2' + +# The dynamic dns daemon interval +matrix_dynamic_dns_daemon_interval: '300' diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml new file mode 100644 index 00000000..4cddb8b5 --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/init.yml @@ -0,0 +1,4 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['ddclient'] }}" + when: "matrix_dynamic_dns_enabled|bool" + \ No newline at end of file diff --git a/roles/matrix-dynamic-dns/tasks/install.yml b/roles/matrix-dynamic-dns/tasks/install.yml new file mode 100644 index 00000000..edaf6864 --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/install.yml @@ -0,0 +1,24 @@ +--- + +- name: Ensure ddclient domain config exists + template: + src: "{{ role_path }}/templates/ddclient.conf.j2" + dest: "/etc/ddclient.conf" + mode: 0600 + register: matrix_dynamic_dns_ddclient_domain_config + +- name: Ensure ddclient client config directory exists + file: + path: "/etc/default" + state: directory + mode: 0700 + owner: "{{ user_username }}" + group: "{{ user_groupname }}" + +- name: Ensure ddclient client config exists + template: + src: "{{ role_path }}/templates/ddclient.j2" + dest: "/etc/default/ddclient" + mode: 0600 + register: matrix_dynamic_dns_ddclient_client_config + \ No newline at end of file diff --git a/roles/matrix-dynamic-dns/tasks/main.yml b/roles/matrix-dynamic-dns/tasks/main.yml new file mode 100644 index 00000000..727bf16e --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/main.yml @@ -0,0 +1,28 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" + tags: + - setup-all + - setup-dynamic-dns + +- import_tasks: "{{ role_path }}/tasks/install.yml" + when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" + tags: + - setup-all + - setup-dynamic-dns + +- import_tasks: "{{ role_path }}/tasks/platform/main.yml" + when: "run_setup|bool" + tags: + - setup-all + - setup-dynamic-dns + +- import_tasks: "{{ role_path }}/tasks/uninstall.yml" + when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" + tags: + - setup-all + - setup-dynamic-dns + \ No newline at end of file diff --git a/roles/matrix-dynamic-dns/tasks/platform/archlinux.yml b/roles/matrix-dynamic-dns/tasks/platform/archlinux.yml new file mode 100644 index 00000000..773cfce6 --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/platform/archlinux.yml @@ -0,0 +1,16 @@ +--- + +- name: Ensure ddclient is installed + pacman: + name: ddclient + state: latest + when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" + +- name: Ensure ddclient is uninstalled + pacman: + name: ddclient + state: absent + update_cache: true + become: true + when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" + \ No newline at end of file diff --git a/roles/matrix-dynamic-dns/tasks/platform/centos.yml b/roles/matrix-dynamic-dns/tasks/platform/centos.yml new file mode 100644 index 00000000..5e84ef10 --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/platform/centos.yml @@ -0,0 +1,23 @@ +--- + +- name: Ensure yum packages are installed + yum: + name: epel-release + state: latest + update_cache: yes + when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" + +- name: Ensure ddclient is installed + yum: + name: ddclient + state: latest + when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" + +- name: Ensure ddclient is uninstalled + yum: + name: + - ddclient + - epel-release + state: absent + when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" + \ No newline at end of file diff --git a/roles/matrix-dynamic-dns/tasks/platform/debian.yml b/roles/matrix-dynamic-dns/tasks/platform/debian.yml new file mode 100644 index 00000000..f6d664fd --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/platform/debian.yml @@ -0,0 +1,18 @@ +--- + +- name: Ensure ddclient is installed + apt: + name: ddclient + state: present + update_cache: true + become: true + when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" + +- name: Ensure ddclient is uninstalled + apt: + name: ddclient + state: absent + update_cache: true + become: true + when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" + \ No newline at end of file diff --git a/roles/matrix-dynamic-dns/tasks/platform/main.yml b/roles/matrix-dynamic-dns/tasks/platform/main.yml new file mode 100644 index 00000000..ca973749 --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/platform/main.yml @@ -0,0 +1,11 @@ +--- + +- include_tasks: "{{ role_path }}/tasks/platform/centos.yml" + when: ansible_distribution == 'CentOS' + +# The instructions are the same for Debian, Ubuntu, and Raspbian +- include_tasks: "{{ role_path }}/tasks/platform/debian.yml" + when: ansible_distribution == 'Debian' + +- include_tasks: "{{ role_path }}/tasks/platform/archlinux.yml" + when: ansible_distribution == 'Archlinux' diff --git a/roles/matrix-dynamic-dns/tasks/uninstall.yml b/roles/matrix-dynamic-dns/tasks/uninstall.yml new file mode 100644 index 00000000..27604585 --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/uninstall.yml @@ -0,0 +1,31 @@ +--- + +- name: Check existence of ddclient.service + stat: + path: "{{ systemd_path }}/ddclient.service" + register: matrix_dynamic_dns_ddclient_service_stat + +- name: Ensure ddclient.service is stopped + service: + name: dynamic-dns + state: stopped + daemon_reload: yes + when: "matrix_dynamic_dns_ddclient_service_stat.stat.exists" + +- name: Ensure systemd reloaded after ddclient.service removal + service: + daemon_reload: yes + when: "matrix_dynamic_dns_ddclient_service_stat.stat.exists" + +- name: Ensure ddclient.service doesn't exist + file: + path: "{{ systemd_path }}/ddclient.service" + state: absent + when: "matrix_dynamic_dns_ddclient_service_stat.stat.exists" + +- name: Ensure ddclient configuration files don't exist + file: + path: + - "etc/ddclient.conf" + - "etc/default/ddclient" + state: absent diff --git a/roles/matrix-dynamic-dns/tasks/validate_config.yml b/roles/matrix-dynamic-dns/tasks/validate_config.yml new file mode 100644 index 00000000..bb351e49 --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/validate_config.yml @@ -0,0 +1,19 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_dynamic_dns_username" + - "matrix_dynamic_dns_password" + - "matrix_domain" + - "matrix_dynamic_dns_provider" + - "matrix_dynamic_dns_mode" + +- name: Fail if dynamic dns mode is incorrect + fail: + msg: >- + matrix_dynamic_dns_mode needs to be set to 'daemon' or 'startup' + when: "matrix_dynamic_dns_enabled and matrix_dynamic_dns_mode != 'daemon' and matrix_dynamic_dns_mode != 'dhcp'" diff --git a/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 b/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 new file mode 100644 index 00000000..dcb5c1e4 --- /dev/null +++ b/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 @@ -0,0 +1,7 @@ +protocol={{ matrix_dynamic_dns_protocol }} +use=web +ssl=yes +server={{ matrix_dynamic_dns_provider }} +login='{{ matrix_dynamic_dns_username }}' +password='{{ matrix_dynamic_dns_password }}' +{{ matrix_domain }} \ No newline at end of file diff --git a/roles/matrix-dynamic-dns/templates/ddclient.j2 b/roles/matrix-dynamic-dns/templates/ddclient.j2 new file mode 100644 index 00000000..eb5d053d --- /dev/null +++ b/roles/matrix-dynamic-dns/templates/ddclient.j2 @@ -0,0 +1,4 @@ +run_dhclient="{{ (matrix_dynamic_dns_mode == 'dhcp') | lower }}" +run_ipup="false" +run_daemon="{{ (matrix_dynamic_dns_mode == 'daemon') | lower }}" +daemon_interval="{{ matrix_dynamic_dns_daemon_interval }}" diff --git a/setup.yml b/setup.yml index 68c4e4ee..f07f0278 100755 --- a/setup.yml +++ b/setup.yml @@ -5,6 +5,7 @@ roles: - matrix-base + - dynamic-dns - matrix-mailer - matrix-postgres - matrix-corporal From fa5d85426b052884d7edbc5e50f102fffe48deed Mon Sep 17 00:00:00 2001 From: Scott Crossen Date: Tue, 13 Oct 2020 16:35:41 -0700 Subject: [PATCH 1443/2384] Renamed systemd descriptions for all bridges --- .../templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 | 2 +- .../templates/systemd/matrix-appservice-discord.service.j2 | 2 +- .../templates/systemd/matrix-appservice-irc.service.j2 | 2 +- .../templates/systemd/matrix-appservice-slack.service.j2 | 2 +- .../templates/systemd/matrix-appservice-webhooks.service.j2 | 2 +- .../templates/systemd/matrix-mautrix-facebook.service.j2 | 2 +- .../templates/systemd/matrix-mautrix-hangouts.service.j2 | 2 +- .../templates/systemd/matrix-mautrix-telegram.service.j2 | 2 +- .../templates/systemd/matrix-mautrix-whatsapp.service.j2 | 2 +- .../templates/systemd/matrix-mx-puppet-discord.service.j2 | 2 +- .../templates/systemd/matrix-mx-puppet-instagram.service.j2 | 2 +- .../templates/systemd/matrix-mx-puppet-skype.service.j2 | 2 +- .../templates/systemd/matrix-mx-puppet-slack.service.j2 | 2 +- .../templates/systemd/matrix-mx-puppet-steam.service.j2 | 2 +- .../templates/systemd/matrix-mx-puppet-twitter.service.j2 | 2 +- .../templates/systemd/matrix-sms-bridge-database.service.j2 | 2 +- .../templates/systemd/matrix-sms-bridge.service.j2 | 2 +- 17 files changed, 17 insertions(+), 17 deletions(-) diff --git a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 index 4220e6cc..0decac02 100644 --- a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 +++ b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=matrix-reminder-bot +Description=Matrix reminder bot {% for service in matrix_bot_matrix_reminder_bot_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index d512cd88..f2187ca3 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Appservice Discord server +Description=Matrix Appservice Discord bridge {% for service in matrix_appservice_discord_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index aa6141d6..95638612 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Appservice IRC server +Description=Matrix Appservice IRC bridge {% for service in matrix_appservice_irc_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 index de773ff9..1c68294f 100644 --- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Appservice Slack server +Description=Matrix Appservice Slack bridge {% for service in matrix_appservice_slack_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 index b05f8a27..08f5813f 100644 --- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 +++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Appservice webhooks server +Description=Matrix Appservice webhooks bridge {% for service in matrix_appservice_webhooks_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index 444423c1..b593a2e3 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Mautrix Facebook server +Description=Matrix Mautrix Facebook bridge {% for service in matrix_mautrix_facebook_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index dc6ffda0..58433982 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Mautrix Hangouts server +Description=Matrix Mautrix Hangouts bridge {% for service in matrix_mautrix_hangouts_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index b0b4f643..c0fb8938 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Mautrix Telegram server +Description=Matrix Mautrix Telegram bridge {% for service in matrix_mautrix_telegram_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 index 7dd25140..ac2b961e 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Mautrix Whatsapp server +Description=Matrix Mautrix Whatsapp bridge {% for service in matrix_mautrix_whatsapp_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 index e26128ef..78737a17 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Mx Puppet Discord server +Description=Matrix Mx Puppet Discord bridge {% for service in matrix_mx_puppet_discord_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 index b94c399a..81e3e081 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Mx Puppet Instagram server +Description=Matrix Mx Puppet Instagram bridge {% for service in matrix_mx_puppet_instagram_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 index a6860b69..8a46cb25 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Mx Puppet Skype server +Description=Matrix Mx Puppet Skype bridge {% for service in matrix_mx_puppet_skype_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 index 3ce0e18b..23c2504f 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Mx Puppet Slack server +Description=Matrix Mx Puppet Slack bridge {% for service in matrix_mx_puppet_slack_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 index 53518d42..986c5d2c 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Mx Puppet Steam server +Description=Matrix Mx Puppet Steam bridge {% for service in matrix_mx_puppet_steam_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 index 9245f02b..6afb6fb4 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix Mx Puppet Twitter server +Description=Matrix Mx Puppet Twitter bridge {% for service in matrix_mx_puppet_twitter_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge-database.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge-database.service.j2 index e2cad164..c9bb0343 100644 --- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge-database.service.j2 +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge-database.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=matrix-sms-bridge-database server +Description=Matrix sms bridge database {% for service in matrix_sms_bridge_database_systemd_required_services_list %} Requires={{ service }} After={{ service }} diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 index 7bf91700..7cab3742 100644 --- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=matrix-sms-bridge server +Description=Matrix sms bridge {% for service in matrix_sms_bridge_systemd_required_services_list %} Requires={{ service }} After={{ service }} From 53bc7a77e1c851132e41df963c650d434418652a Mon Sep 17 00:00:00 2001 From: Scott Crossen Date: Tue, 13 Oct 2020 16:47:09 -0700 Subject: [PATCH 1444/2384] fixed EOF issues --- roles/matrix-dynamic-dns/tasks/init.yml | 1 - roles/matrix-dynamic-dns/tasks/install.yml | 1 - roles/matrix-dynamic-dns/tasks/main.yml | 1 - roles/matrix-dynamic-dns/tasks/platform/archlinux.yml | 1 - roles/matrix-dynamic-dns/tasks/platform/centos.yml | 1 - roles/matrix-dynamic-dns/tasks/platform/debian.yml | 1 - roles/matrix-dynamic-dns/templates/ddclient.conf.j2 | 2 +- 7 files changed, 1 insertion(+), 7 deletions(-) diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml index 4cddb8b5..97f5eaec 100644 --- a/roles/matrix-dynamic-dns/tasks/init.yml +++ b/roles/matrix-dynamic-dns/tasks/init.yml @@ -1,4 +1,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['ddclient'] }}" when: "matrix_dynamic_dns_enabled|bool" - \ No newline at end of file diff --git a/roles/matrix-dynamic-dns/tasks/install.yml b/roles/matrix-dynamic-dns/tasks/install.yml index edaf6864..0948e79d 100644 --- a/roles/matrix-dynamic-dns/tasks/install.yml +++ b/roles/matrix-dynamic-dns/tasks/install.yml @@ -21,4 +21,3 @@ dest: "/etc/default/ddclient" mode: 0600 register: matrix_dynamic_dns_ddclient_client_config - \ No newline at end of file diff --git a/roles/matrix-dynamic-dns/tasks/main.yml b/roles/matrix-dynamic-dns/tasks/main.yml index 727bf16e..7646dd13 100644 --- a/roles/matrix-dynamic-dns/tasks/main.yml +++ b/roles/matrix-dynamic-dns/tasks/main.yml @@ -25,4 +25,3 @@ tags: - setup-all - setup-dynamic-dns - \ No newline at end of file diff --git a/roles/matrix-dynamic-dns/tasks/platform/archlinux.yml b/roles/matrix-dynamic-dns/tasks/platform/archlinux.yml index 773cfce6..10e20802 100644 --- a/roles/matrix-dynamic-dns/tasks/platform/archlinux.yml +++ b/roles/matrix-dynamic-dns/tasks/platform/archlinux.yml @@ -13,4 +13,3 @@ update_cache: true become: true when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" - \ No newline at end of file diff --git a/roles/matrix-dynamic-dns/tasks/platform/centos.yml b/roles/matrix-dynamic-dns/tasks/platform/centos.yml index 5e84ef10..7375ad32 100644 --- a/roles/matrix-dynamic-dns/tasks/platform/centos.yml +++ b/roles/matrix-dynamic-dns/tasks/platform/centos.yml @@ -20,4 +20,3 @@ - epel-release state: absent when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" - \ No newline at end of file diff --git a/roles/matrix-dynamic-dns/tasks/platform/debian.yml b/roles/matrix-dynamic-dns/tasks/platform/debian.yml index f6d664fd..c41dbaf9 100644 --- a/roles/matrix-dynamic-dns/tasks/platform/debian.yml +++ b/roles/matrix-dynamic-dns/tasks/platform/debian.yml @@ -15,4 +15,3 @@ update_cache: true become: true when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" - \ No newline at end of file diff --git a/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 b/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 index dcb5c1e4..6d873688 100644 --- a/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 +++ b/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 @@ -4,4 +4,4 @@ ssl=yes server={{ matrix_dynamic_dns_provider }} login='{{ matrix_dynamic_dns_username }}' password='{{ matrix_dynamic_dns_password }}' -{{ matrix_domain }} \ No newline at end of file +{{ matrix_domain }} From b65bfc38ce499e3b3ad21e146dcb86e1c4e60c34 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Wed, 14 Oct 2020 06:23:33 -0500 Subject: [PATCH 1445/2384] Update nginx (1.19.2 -> 1.19.3) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3b9dd60b..643d723e 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "nginx:1.19.2-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.19.3-alpine" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" From 640166e4c307e59d79720aac9efe2ee8572cdcf7 Mon Sep 17 00:00:00 2001 From: jgbresson Date: Thu, 15 Oct 2020 00:09:54 -0400 Subject: [PATCH 1446/2384] Upgrade Element (1.7.8 -> 1.7.9) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 5219bcc3..a864244a 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -2,7 +2,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false -matrix_client_element_docker_image: "vectorim/riot-web:v1.7.8" +matrix_client_element_docker_image: "vectorim/riot-web:v1.7.9" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element" From 3fd198e89a6be52325d09aa775cfacd8b3df03ed Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 15 Oct 2020 11:34:50 +0300 Subject: [PATCH 1447/2384] Add notes about running Ansible on Ubuntu 20.04 Discussed in #669 (Github Issue). --- docs/ansible.md | 2 ++ docs/prerequisites.md | 8 +++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/ansible.md b/docs/ansible.md index 1ac08b5f..776147bd 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -11,6 +11,8 @@ If your local computer cannot run Ansible, you can also run Ansible on some serv Ansible 2.7.0 or newer is required. +Ubuntu (at least 20.04) ships with a buggy version (see this [bug](https://bugs.launchpad.net/ubuntu/+source/ansible/+bug/1880359)), which can't be used in combination with a host running new systemd (more detaisl in [#517](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/517), [#669]([669](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/669))). If this problem affects you, you can: avoid running Ubuntu 20.04 on your host; run Ansible from another machine targeting your host; or try to upgrade to a newer Ansible version (see below). + ## Checking your Ansible version diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 5f551eb4..4356081b 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -1,6 +1,12 @@ # Prerequisites -- An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+), **Ubuntu** (16.04+), or **Archlinux**. This playbook doesn't support running on ARM ([see](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Alternative Architectures](alternative-architectures.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. +- An **x86** server running one of these operating systems: + - **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)) + - **Debian** (9/Stretch+) + - **Ubuntu** (16.04+, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) + - **Archlinux** + +This playbook doesn't support running on ARM (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Alternative Architectures](alternative-architectures.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. - `root` access to your server (or a user capable of elevating to `root` via `sudo`). From f7ecc7a2a5e849420685eaa6b9d0ce010e3533f7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 15 Oct 2020 17:42:52 +0300 Subject: [PATCH 1448/2384] Upgrade Synapse (v1.21.1 -> v1.21.2) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 43808e49..fd8eaa52 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.21.1" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.21.2" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 48f929dc918d277b7ea44b1e8afe385326e46cb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20K=C3=BCchel?= Date: Fri, 16 Oct 2020 00:32:00 +0200 Subject: [PATCH 1449/2384] add variables for secure_backup_required and secure_backup_setup_methods --- roles/matrix-base/defaults/main.yml | 10 ++++++++ .../static-files/well-known/matrix-client.j2 | 25 +++++++++++++++---- 2 files changed, 30 insertions(+), 5 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 3fbbd76e..5bd10014 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -67,6 +67,16 @@ matrix_client_element_jitsi_preferredDomain: '' # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md matrix_client_element_e2ee_default: true +# Controls whether Element should require a secure backup set up before Element can be used. +# Setting this to true will update `/.well-known/matrix/client` and tell Element require a secure backup. +# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md +matrix_client_element_e2ee_backup_required: false + +# Controls which backup methods from ["key", "passphrase"] should be used, both is the default. +# Setting this to other then empty will update `/.well-known/matrix/client` and tell Element which method to use +# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md +matrix_client_element_e2ee_backup_methods: [] + # The Docker network that all services would be put into matrix_docker_network: "matrix" diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 index 6dc5ff23..b1879d92 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -26,12 +26,27 @@ "preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }} } {% endif %} - {% if not matrix_client_element_e2ee_default %}, - "io.element.e2ee": { - "default": false + , + "io.element.e2ee": { + {% if not matrix_client_element_e2ee_default %} + "default": false + {% else %} + "default": true + {% endif %} + {% if matrix_client_element_e2ee_backup_required %}, + "secure_backup_required": true + {% else %} + "secure_backup_required": false + {% endif %} + {% if matrix_client_element_e2ee_backup_methods %}, + "secure_backup_setup_methods": {{ matrix_client_element_e2ee_backup_methods|to_json }} + {% endif %} }, "im.vector.riot.e2ee": { - "default": false + {% if not matrix_client_element_e2ee_default %} + "default": false + {% else %} + "default": true + {% endif %} } - {% endif %} } From 65992043347f8ed0451aa1ae29ddd3d37c6730be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20K=C3=BCchel?= Date: Fri, 16 Oct 2020 08:20:22 +0200 Subject: [PATCH 1450/2384] fix commata not being set when secure_backup_required false --- .../templates/static-files/well-known/matrix-client.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 index b1879d92..14cbe71f 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -29,11 +29,11 @@ , "io.element.e2ee": { {% if not matrix_client_element_e2ee_default %} - "default": false + "default": false, {% else %} - "default": true + "default": true, {% endif %} - {% if matrix_client_element_e2ee_backup_required %}, + {% if matrix_client_element_e2ee_backup_required %} "secure_backup_required": true {% else %} "secure_backup_required": false From 4cfa11275544c447d9c848811535a32dc14a5a02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20K=C3=BCchel?= Date: Fri, 16 Oct 2020 08:44:04 +0200 Subject: [PATCH 1451/2384] update default backup_methods as proposed by the system anyway --- roles/matrix-base/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 5bd10014..cffb7b4a 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -75,7 +75,7 @@ matrix_client_element_e2ee_backup_required: false # Controls which backup methods from ["key", "passphrase"] should be used, both is the default. # Setting this to other then empty will update `/.well-known/matrix/client` and tell Element which method to use # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md -matrix_client_element_e2ee_backup_methods: [] +matrix_client_element_e2ee_backup_methods: [ "key", "passphrase" ] # The Docker network that all services would be put into matrix_docker_network: "matrix" From 8f7e21892d7facae416b3b4cd36857835fa6428b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20K=C3=BCchel?= Date: Fri, 16 Oct 2020 08:47:37 +0200 Subject: [PATCH 1452/2384] fix indentation, updated to proposed changes from Slavi: no more ifdef --- .../static-files/well-known/matrix-client.j2 | 24 ++++--------------- 1 file changed, 5 insertions(+), 19 deletions(-) diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 index 14cbe71f..ecd5eaf9 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -27,26 +27,12 @@ } {% endif %} , - "io.element.e2ee": { - {% if not matrix_client_element_e2ee_default %} - "default": false, - {% else %} - "default": true, - {% endif %} - {% if matrix_client_element_e2ee_backup_required %} - "secure_backup_required": true - {% else %} - "secure_backup_required": false - {% endif %} - {% if matrix_client_element_e2ee_backup_methods %}, - "secure_backup_setup_methods": {{ matrix_client_element_e2ee_backup_methods|to_json }} - {% endif %} + "io.element.e2ee": { + "default": {{ matrix_client_element_e2ee_default|to_json }}, + "secure_backup_required": {{ matrix_client_element_e2ee_backup_required|to_json }}, + "secure_backup_setup_methods": {{ matrix_client_element_e2ee_backup_methods|to_json }} }, "im.vector.riot.e2ee": { - {% if not matrix_client_element_e2ee_default %} - "default": false - {% else %} - "default": true - {% endif %} + "default": {{ matrix_client_element_e2ee_default|to_json }} } } From 5158fa4df98ec2baf7a9c88b2e2c2d8924f093cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20K=C3=BCchel?= Date: Fri, 16 Oct 2020 08:50:16 +0200 Subject: [PATCH 1453/2384] e2ee_backup_methods: rather leave the default empty, so that the system default may apply --- roles/matrix-base/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index cffb7b4a..5bd10014 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -75,7 +75,7 @@ matrix_client_element_e2ee_backup_required: false # Controls which backup methods from ["key", "passphrase"] should be used, both is the default. # Setting this to other then empty will update `/.well-known/matrix/client` and tell Element which method to use # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md -matrix_client_element_e2ee_backup_methods: [ "key", "passphrase" ] +matrix_client_element_e2ee_backup_methods: [] # The Docker network that all services would be put into matrix_docker_network: "matrix" From 1cf5b1d80f626c7a1e54bd48fb1e31a1dd81618f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20K=C3=BCchel?= Date: Fri, 16 Oct 2020 09:24:50 +0200 Subject: [PATCH 1454/2384] e2ee_backup: rename variables to be consistent with naming scheme --- roles/matrix-base/defaults/main.yml | 4 ++-- .../templates/static-files/well-known/matrix-client.j2 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 5bd10014..164509b7 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -70,12 +70,12 @@ matrix_client_element_e2ee_default: true # Controls whether Element should require a secure backup set up before Element can be used. # Setting this to true will update `/.well-known/matrix/client` and tell Element require a secure backup. # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md -matrix_client_element_e2ee_backup_required: false +matrix_client_element_e2ee_secure_backup_required: false # Controls which backup methods from ["key", "passphrase"] should be used, both is the default. # Setting this to other then empty will update `/.well-known/matrix/client` and tell Element which method to use # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md -matrix_client_element_e2ee_backup_methods: [] +matrix_client_element_e2ee_secure_backup_setup_methods: [] # The Docker network that all services would be put into matrix_docker_network: "matrix" diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 index ecd5eaf9..a4356d1d 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 @@ -29,8 +29,8 @@ , "io.element.e2ee": { "default": {{ matrix_client_element_e2ee_default|to_json }}, - "secure_backup_required": {{ matrix_client_element_e2ee_backup_required|to_json }}, - "secure_backup_setup_methods": {{ matrix_client_element_e2ee_backup_methods|to_json }} + "secure_backup_required": {{ matrix_client_element_e2ee_secure_backup_required|to_json }}, + "secure_backup_setup_methods": {{ matrix_client_element_e2ee_secure_backup_setup_methods|to_json }} }, "im.vector.riot.e2ee": { "default": {{ matrix_client_element_e2ee_default|to_json }} From 51cca4c312b70ac09de5c423681c69e045e725cf Mon Sep 17 00:00:00 2001 From: Scott Crossen Date: Fri, 16 Oct 2020 21:21:58 -0700 Subject: [PATCH 1455/2384] Added containerization --- roles/matrix-dynamic-dns/defaults/main.yml | 45 +++++++++++--- roles/matrix-dynamic-dns/tasks/init.yml | 6 +- .../tasks/install_daemon.yml | 59 +++++++++++++++++++ .../tasks/{install.yml => install_dhcp.yml} | 14 +++-- roles/matrix-dynamic-dns/tasks/main.yml | 18 ++++-- .../tasks/uninstall_daemon.yml | 24 ++++++++ .../{uninstall.yml => uninstall_dhcp.yml} | 12 ++-- .../tasks/validate_config.yml | 4 +- .../templates/ddclient.conf.j2 | 22 +++++-- .../matrix-dynamic-dns/templates/ddclient.j2 | 4 -- .../systemd/matrix-dynamic-dns.service.j2 | 41 +++++++++++++ setup.yml | 2 +- 12 files changed, 211 insertions(+), 40 deletions(-) create mode 100644 roles/matrix-dynamic-dns/tasks/install_daemon.yml rename roles/matrix-dynamic-dns/tasks/{install.yml => install_dhcp.yml} (55%) create mode 100644 roles/matrix-dynamic-dns/tasks/uninstall_daemon.yml rename roles/matrix-dynamic-dns/tasks/{uninstall.yml => uninstall_dhcp.yml} (93%) delete mode 100644 roles/matrix-dynamic-dns/templates/ddclient.j2 create mode 100644 roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index a0afc99e..c2490837 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -1,14 +1,43 @@ # Whether dynamic dns is enabled -matrix_dynamic_dns_enabled: true +matrix_dynamic_dns_enabled: false # Allowed values: 'daemon', 'dhcp' -matrix_dynamic_dns_mode: 'dhcp' - -# The DNS provider domain -matrix_dynamic_dns_provider: 'domains.google.com' - -# The dynamic dns protocol -matrix_dynamic_dns_protocol: 'dyndns2' +matrix_dynamic_dns_mode: 'daemon' # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' + +# The docker container to use when in daemon mode +matrix_dynamic_dns_docker_image: 'linuxserver/ddclient' + +# The image to force pull +matrix_dynamic_dns_docker_image_force_pull: "{{ matrix_dynamic_dns_docker_image.endswith(':latest') }}" + +# List of extra arguments to pass to the ontainer daemon mode +matrix_dynamic_dns_container_extra_arguments: [] + +# List of wanted services when running in daemon mode +matrix_dynamic_dns_systemd_wanted_services_list: [] + +# List of required services when running in daemon mode +matrix_dynamic_dns_systemd_required_services_list: ['docker.service'] + +# Build the container from source when running in daemon mode +matrix_dynamic_dns_container_image_self_build: false + +# Config paths +matrix_dynamic_dns_base_path: "{{ matrix_base_data_path }}/dynamic-dns" +matrix_dynamic_dns_config_path: "{{ matrix_dynamic_dns_base_path }}/config" +matrix_dynamic_dns_docker_src_files_path: "{{ matrix_dynamic_dns_base_path }}/docker-src" + +# Config options +matrix_dynamic_dns_use: "web" +matrix_dynamic_dns_static: false +matrix_dynamic_dns_custom: false +matrix_dynamic_dns_zone: "" +matrix_dynamic_dns_ttl: "" +matrix_dynamic_dns_mx: "" +matrix_dynamic_dns_wildcard: false +matrix_dynamic_dns_protocol: 'dyndns2' +matrix_dynamic_dns_provider: 'domains.google.com' +matrix_dynamic_dns_domain: '{{ matrix_domain }}' diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml index 97f5eaec..2954ac9a 100644 --- a/roles/matrix-dynamic-dns/tasks/init.yml +++ b/roles/matrix-dynamic-dns/tasks/init.yml @@ -1,3 +1,7 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['ddclient'] }}" - when: "matrix_dynamic_dns_enabled|bool" + when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_mode == 'dhcp'" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns'] }}" + when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_mode == 'daemon'" diff --git a/roles/matrix-dynamic-dns/tasks/install_daemon.yml b/roles/matrix-dynamic-dns/tasks/install_daemon.yml new file mode 100644 index 00000000..816dc7c3 --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/install_daemon.yml @@ -0,0 +1,59 @@ +--- + +- name: Ensure Dynamic DNS image is pulled + docker_image: + name: "{{ matrix_dynamic_dns_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_dynamic_dns_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_docker_image_force_pull }}" + when: matrix_dynamic_dns_enabled|bool and not matrix_dynamic_dns_container_image_self_build + +- name: Ensure Dynamic DNS paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_dynamic_dns_base_path }}", when: true } + - { path: "{{ matrix_dynamic_dns_config_path }}", when: true } + - { path: "{{ matrix_dynamic_dns_docker_src_files_path }}", when: "{{ matrix_dynamic_dns_container_image_self_build }}" } + when: matrix_dynamic_dns_enabled|bool and item.when|bool + +- name: Ensure Dynamic DNS repository is present on self build + git: + repo: https://github.com/linuxserver/docker-ddclient.git + dest: "{{ matrix_dynamic_dns_docker_src_files_path }}" + force: "yes" + when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build" + +- name: Ensure Dynamic DNS Docker image is built + docker_image: + name: "{{ matrix_dynamic_dns_docker_image }}" + source: build + build: + dockerfile: Dockerfile + path: "{{ matrix_dynamic_dns_docker_src_files_path }}" + pull: yes + when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build" + +- name: Ensure Dynamic DNS ddclient.conf installed + template: + src: "{{ role_path }}/templates/ddclient.conf.j2" + dest: "{{ matrix_dynamic_dns_config_path }}/ddclient.conf" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-dynamic-dns.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-dynamic-dns.service.j2" + dest: "/etc/systemd/system/matrix-dynamic-dns.service" + mode: 0644 + register: matrix_dynamic_dns_systemd_service_result + +- name: Ensure systemd reloaded after matrix-dynamic-dns.service installation + service: + daemon_reload: yes + when: "matrix_dynamic_dns_systemd_service_result.changed" diff --git a/roles/matrix-dynamic-dns/tasks/install.yml b/roles/matrix-dynamic-dns/tasks/install_dhcp.yml similarity index 55% rename from roles/matrix-dynamic-dns/tasks/install.yml rename to roles/matrix-dynamic-dns/tasks/install_dhcp.yml index 0948e79d..cb340686 100644 --- a/roles/matrix-dynamic-dns/tasks/install.yml +++ b/roles/matrix-dynamic-dns/tasks/install_dhcp.yml @@ -5,19 +5,21 @@ src: "{{ role_path }}/templates/ddclient.conf.j2" dest: "/etc/ddclient.conf" mode: 0600 - register: matrix_dynamic_dns_ddclient_domain_config - name: Ensure ddclient client config directory exists file: path: "/etc/default" state: directory mode: 0700 - owner: "{{ user_username }}" - group: "{{ user_groupname }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure ddclient client config exists - template: - src: "{{ role_path }}/templates/ddclient.j2" + copy: + content: "run_dhclient=\"true\"\nrun_ipup=\"false\"\nrun_daemon=\"false\"" dest: "/etc/default/ddclient" mode: 0600 - register: matrix_dynamic_dns_ddclient_client_config + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- import_tasks: "{{ role_path }}/tasks/platform/main.yml" diff --git a/roles/matrix-dynamic-dns/tasks/main.yml b/roles/matrix-dynamic-dns/tasks/main.yml index 7646dd13..2d999568 100644 --- a/roles/matrix-dynamic-dns/tasks/main.yml +++ b/roles/matrix-dynamic-dns/tasks/main.yml @@ -8,20 +8,26 @@ - setup-all - setup-dynamic-dns -- import_tasks: "{{ role_path }}/tasks/install.yml" - when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" +- import_tasks: "{{ role_path }}/tasks/install_dhcp.yml" + when: "run_setup|bool and matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_mode == 'dhcp'" + tags: + - setup-all + - setup-dynamic-dns + +- import_tasks: "{{ role_path }}/tasks/uninstall_dhcp.yml" + when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_mode == 'dhcp'" tags: - setup-all - setup-dynamic-dns -- import_tasks: "{{ role_path }}/tasks/platform/main.yml" - when: "run_setup|bool" +- import_tasks: "{{ role_path }}/tasks/install_daemon.yml" + when: "run_setup|bool and matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_mode == 'daemon'" tags: - setup-all - setup-dynamic-dns -- import_tasks: "{{ role_path }}/tasks/uninstall.yml" - when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" +- import_tasks: "{{ role_path }}/tasks/uninstall_daemon.yml" + when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_mode == 'daemon'" tags: - setup-all - setup-dynamic-dns diff --git a/roles/matrix-dynamic-dns/tasks/uninstall_daemon.yml b/roles/matrix-dynamic-dns/tasks/uninstall_daemon.yml new file mode 100644 index 00000000..8480f3c3 --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/uninstall_daemon.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-dynamic-dns service + stat: + path: "{{ systemd_path }}m/matrix-dynamic-dns.service" + register: matrix_dynamic_dns_service_stat + +- name: Ensure matrix-dynamic-dns is stopped + service: + name: matrix-dynamic-dns + state: stopped + daemon_reload: yes + when: "matrix_dynamic_dns_service_stat.stat.exists" + +- name: Ensure matrix-dynamic-dns.service doesn't exist + file: + path: "{{ systemd_path }}m/matrix-dynamic-dns.service" + state: absent + when: "matrix_dynamic_dns_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-dynamic-dns.service removal + service: + daemon_reload: yes + when: "matrix_dynamic_dns_service_stat.stat.exists" diff --git a/roles/matrix-dynamic-dns/tasks/uninstall.yml b/roles/matrix-dynamic-dns/tasks/uninstall_dhcp.yml similarity index 93% rename from roles/matrix-dynamic-dns/tasks/uninstall.yml rename to roles/matrix-dynamic-dns/tasks/uninstall_dhcp.yml index 27604585..09018f68 100644 --- a/roles/matrix-dynamic-dns/tasks/uninstall.yml +++ b/roles/matrix-dynamic-dns/tasks/uninstall_dhcp.yml @@ -1,5 +1,7 @@ --- +- import_tasks: "{{ role_path }}/tasks/platform/main.yml" + - name: Check existence of ddclient.service stat: path: "{{ systemd_path }}/ddclient.service" @@ -12,11 +14,6 @@ daemon_reload: yes when: "matrix_dynamic_dns_ddclient_service_stat.stat.exists" -- name: Ensure systemd reloaded after ddclient.service removal - service: - daemon_reload: yes - when: "matrix_dynamic_dns_ddclient_service_stat.stat.exists" - - name: Ensure ddclient.service doesn't exist file: path: "{{ systemd_path }}/ddclient.service" @@ -29,3 +26,8 @@ - "etc/ddclient.conf" - "etc/default/ddclient" state: absent + +- name: Ensure systemd reloaded after ddclient.service removal + service: + daemon_reload: yes + when: "matrix_dynamic_dns_ddclient_service_stat.stat.exists" diff --git a/roles/matrix-dynamic-dns/tasks/validate_config.yml b/roles/matrix-dynamic-dns/tasks/validate_config.yml index bb351e49..650f9b70 100644 --- a/roles/matrix-dynamic-dns/tasks/validate_config.yml +++ b/roles/matrix-dynamic-dns/tasks/validate_config.yml @@ -6,8 +6,6 @@ You need to define a required configuration setting (`{{ item }}`). when: "vars[item] == ''" with_items: - - "matrix_dynamic_dns_username" - - "matrix_dynamic_dns_password" - "matrix_domain" - "matrix_dynamic_dns_provider" - "matrix_dynamic_dns_mode" @@ -15,5 +13,5 @@ - name: Fail if dynamic dns mode is incorrect fail: msg: >- - matrix_dynamic_dns_mode needs to be set to 'daemon' or 'startup' + matrix_dynamic_dns_mode needs to be set to 'daemon' or 'dhcp' when: "matrix_dynamic_dns_enabled and matrix_dynamic_dns_mode != 'daemon' and matrix_dynamic_dns_mode != 'dhcp'" diff --git a/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 b/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 index 6d873688..ffbf4c05 100644 --- a/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 +++ b/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 @@ -1,7 +1,17 @@ -protocol={{ matrix_dynamic_dns_protocol }} -use=web +{% if matrix_dynamic_dns_mode == "daemon" %}} +daemon={{ matrix_dynamic_dns_daemon_interval }} +syslog=no +pid=/var/run/ddclient/ddclient.pid {% endif %} ssl=yes -server={{ matrix_dynamic_dns_provider }} -login='{{ matrix_dynamic_dns_username }}' -password='{{ matrix_dynamic_dns_password }}' -{{ matrix_domain }} +use={{ matrix_dynamic_dns_use }} +protocol={{ matrix_dynamic_dns_protocol }} +server={{ matrix_dynamic_dns_provider }} {% if matrix_dynamic_dns_username %} +login='{{ matrix_dynamic_dns_username }}' {% endif %} {% if matrix_dynamic_dns_username %} +password='{{ matrix_dynamic_dns_password }}' {% endif %} {% if matrix_dynamic_dns_static %} +static=yes {% endif %} {% if matrix_dynamic_dns_custom %} +custom=yes {% endif %} {% if matrix_dynamic_dns_zone %} +zone={{ matrix_dynamic_dns_zone }} {% endif %} {% if matrix_dynamic_dns_ttl %} +ttl={{ matrix_dynamic_dns_ttl }} {% endif %} {% if matrix_dynamic_dns_mx %} +mx={{ matrix_dynamic_dns_mx }} {% endif %} {% if matrix_dynamic_dns_wildcard %} +wildcard=yes {% endif %} +{{ matrix_dynamic_dns_domain }} diff --git a/roles/matrix-dynamic-dns/templates/ddclient.j2 b/roles/matrix-dynamic-dns/templates/ddclient.j2 deleted file mode 100644 index eb5d053d..00000000 --- a/roles/matrix-dynamic-dns/templates/ddclient.j2 +++ /dev/null @@ -1,4 +0,0 @@ -run_dhclient="{{ (matrix_dynamic_dns_mode == 'dhcp') | lower }}" -run_ipup="false" -run_daemon="{{ (matrix_dynamic_dns_mode == 'daemon') | lower }}" -daemon_interval="{{ matrix_dynamic_dns_daemon_interval }}" diff --git a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 new file mode 100644 index 00000000..9f866e1e --- /dev/null +++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 @@ -0,0 +1,41 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Dynamic DNS +{% for service in matrix_dynamic_dns_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_dynamic_dns_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dynamic-dns +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dynamic-dns + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -e PUID={{ matrix_user_uid }} \ + -e PGID={{ matrix_user_gid }} \ + -e CONFIG_PATH=/config/config.yaml \ + -v {{ matrix_dynamic_dns_config_path }}:/config:z \ + {% for arg in matrix_dynamic_dns_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_dynamic_dns_docker_image }} + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-dynamic-dns +ExecStop=-{{ matrix_host_command_docker }} rm matrix-dynamic-dns +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-dynamic-dns + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index f07f0278..a1f4f9ab 100755 --- a/setup.yml +++ b/setup.yml @@ -5,7 +5,7 @@ roles: - matrix-base - - dynamic-dns + - matrix-dynamic-dns - matrix-mailer - matrix-postgres - matrix-corporal From 806f98447c771adaf4fa027346e5df8cd32c15c9 Mon Sep 17 00:00:00 2001 From: Scott Crossen Date: Fri, 16 Oct 2020 21:26:58 -0700 Subject: [PATCH 1456/2384] Removed directory creation --- roles/matrix-dynamic-dns/tasks/install_dhcp.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/roles/matrix-dynamic-dns/tasks/install_dhcp.yml b/roles/matrix-dynamic-dns/tasks/install_dhcp.yml index cb340686..31f88178 100644 --- a/roles/matrix-dynamic-dns/tasks/install_dhcp.yml +++ b/roles/matrix-dynamic-dns/tasks/install_dhcp.yml @@ -6,14 +6,6 @@ dest: "/etc/ddclient.conf" mode: 0600 -- name: Ensure ddclient client config directory exists - file: - path: "/etc/default" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - - name: Ensure ddclient client config exists copy: content: "run_dhclient=\"true\"\nrun_ipup=\"false\"\nrun_daemon=\"false\"" From 8e6d7d9022711154929d538ca7b912f2d76b1fbb Mon Sep 17 00:00:00 2001 From: Scott Crossen Date: Fri, 16 Oct 2020 21:28:43 -0700 Subject: [PATCH 1457/2384] changed domain naming --- docs/configuring-playbook-budget-builds.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-budget-builds.md b/docs/configuring-playbook-budget-builds.md index 0fb73835..318c3c0c 100644 --- a/docs/configuring-playbook-budget-builds.md +++ b/docs/configuring-playbook-budget-builds.md @@ -6,7 +6,7 @@ Most cloud providers / ISPs will charge you extra for a static IP address. If yo not hosting a highly reliable homeserver you can workaround this via dynamic DNS. To set this up, you'll need to get the username/password from your DNS provider. For google domains, this process is described [here](https://support.google.com/domains/answer/6147083). -After you've gotten the proper credentials you can add the following config to your `host-vars`: +After you've gotten the proper credentials you can add the following config to your inventory/host_vars/matrix.DOMAIN/vars.yml: ``` matrix_dynamic_dns_username: XXXXXXXXXXXXXXXX From de1511b4bbf2f6ee1924a3796eee5d66933039c0 Mon Sep 17 00:00:00 2001 From: Scott Crossen Date: Fri, 16 Oct 2020 21:31:07 -0700 Subject: [PATCH 1458/2384] Fixed valdiation --- roles/matrix-dynamic-dns/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dynamic-dns/tasks/validate_config.yml b/roles/matrix-dynamic-dns/tasks/validate_config.yml index 650f9b70..61a8ea23 100644 --- a/roles/matrix-dynamic-dns/tasks/validate_config.yml +++ b/roles/matrix-dynamic-dns/tasks/validate_config.yml @@ -6,7 +6,7 @@ You need to define a required configuration setting (`{{ item }}`). when: "vars[item] == ''" with_items: - - "matrix_domain" + - "matrix_dynamic_dns_domain" - "matrix_dynamic_dns_provider" - "matrix_dynamic_dns_mode" From 19721be8b11ef55964cd2255617b869e949419a5 Mon Sep 17 00:00:00 2001 From: Scott Crossen Date: Sun, 18 Oct 2020 21:05:23 -0700 Subject: [PATCH 1459/2384] removed dhcp option --- roles/matrix-dynamic-dns/defaults/main.yml | 13 +++----- roles/matrix-dynamic-dns/tasks/init.yml | 6 +--- .../tasks/{install_daemon.yml => install.yml} | 0 .../matrix-dynamic-dns/tasks/install_dhcp.yml | 17 ---------- roles/matrix-dynamic-dns/tasks/main.yml | 20 +++-------- .../{uninstall_daemon.yml => uninstall.yml} | 0 .../tasks/uninstall_dhcp.yml | 33 ------------------- .../tasks/validate_config.yml | 7 ---- .../templates/ddclient.conf.j2 | 3 +- 9 files changed, 11 insertions(+), 88 deletions(-) rename roles/matrix-dynamic-dns/tasks/{install_daemon.yml => install.yml} (100%) delete mode 100644 roles/matrix-dynamic-dns/tasks/install_dhcp.yml rename roles/matrix-dynamic-dns/tasks/{uninstall_daemon.yml => uninstall.yml} (100%) delete mode 100644 roles/matrix-dynamic-dns/tasks/uninstall_dhcp.yml diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index c2490837..e57b47da 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -1,28 +1,25 @@ # Whether dynamic dns is enabled matrix_dynamic_dns_enabled: false -# Allowed values: 'daemon', 'dhcp' -matrix_dynamic_dns_mode: 'daemon' - # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' -# The docker container to use when in daemon mode +# The docker container to use when in mode matrix_dynamic_dns_docker_image: 'linuxserver/ddclient' # The image to force pull matrix_dynamic_dns_docker_image_force_pull: "{{ matrix_dynamic_dns_docker_image.endswith(':latest') }}" -# List of extra arguments to pass to the ontainer daemon mode +# List of extra arguments to pass to the ontainer mode matrix_dynamic_dns_container_extra_arguments: [] -# List of wanted services when running in daemon mode +# List of wanted services when running in mode matrix_dynamic_dns_systemd_wanted_services_list: [] -# List of required services when running in daemon mode +# List of required services when running in mode matrix_dynamic_dns_systemd_required_services_list: ['docker.service'] -# Build the container from source when running in daemon mode +# Build the container from source when running in mode matrix_dynamic_dns_container_image_self_build: false # Config paths diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml index 2954ac9a..7b87fdb1 100644 --- a/roles/matrix-dynamic-dns/tasks/init.yml +++ b/roles/matrix-dynamic-dns/tasks/init.yml @@ -1,7 +1,3 @@ -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['ddclient'] }}" - when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_mode == 'dhcp'" - - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns'] }}" - when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_mode == 'daemon'" + when: "matrix_dynamic_dns_enabled|bool" diff --git a/roles/matrix-dynamic-dns/tasks/install_daemon.yml b/roles/matrix-dynamic-dns/tasks/install.yml similarity index 100% rename from roles/matrix-dynamic-dns/tasks/install_daemon.yml rename to roles/matrix-dynamic-dns/tasks/install.yml diff --git a/roles/matrix-dynamic-dns/tasks/install_dhcp.yml b/roles/matrix-dynamic-dns/tasks/install_dhcp.yml deleted file mode 100644 index 31f88178..00000000 --- a/roles/matrix-dynamic-dns/tasks/install_dhcp.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- name: Ensure ddclient domain config exists - template: - src: "{{ role_path }}/templates/ddclient.conf.j2" - dest: "/etc/ddclient.conf" - mode: 0600 - -- name: Ensure ddclient client config exists - copy: - content: "run_dhclient=\"true\"\nrun_ipup=\"false\"\nrun_daemon=\"false\"" - dest: "/etc/default/ddclient" - mode: 0600 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- import_tasks: "{{ role_path }}/tasks/platform/main.yml" diff --git a/roles/matrix-dynamic-dns/tasks/main.yml b/roles/matrix-dynamic-dns/tasks/main.yml index 2d999568..f9aaab8f 100644 --- a/roles/matrix-dynamic-dns/tasks/main.yml +++ b/roles/matrix-dynamic-dns/tasks/main.yml @@ -8,26 +8,14 @@ - setup-all - setup-dynamic-dns -- import_tasks: "{{ role_path }}/tasks/install_dhcp.yml" - when: "run_setup|bool and matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_mode == 'dhcp'" - tags: - - setup-all - - setup-dynamic-dns - -- import_tasks: "{{ role_path }}/tasks/uninstall_dhcp.yml" - when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_mode == 'dhcp'" - tags: - - setup-all - - setup-dynamic-dns - -- import_tasks: "{{ role_path }}/tasks/install_daemon.yml" - when: "run_setup|bool and matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_mode == 'daemon'" +- import_tasks: "{{ role_path }}/tasks/install.yml" + when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" tags: - setup-all - setup-dynamic-dns -- import_tasks: "{{ role_path }}/tasks/uninstall_daemon.yml" - when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_mode == 'daemon'" +- import_tasks: "{{ role_path }}/tasks/uninstall.yml" + when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" tags: - setup-all - setup-dynamic-dns diff --git a/roles/matrix-dynamic-dns/tasks/uninstall_daemon.yml b/roles/matrix-dynamic-dns/tasks/uninstall.yml similarity index 100% rename from roles/matrix-dynamic-dns/tasks/uninstall_daemon.yml rename to roles/matrix-dynamic-dns/tasks/uninstall.yml diff --git a/roles/matrix-dynamic-dns/tasks/uninstall_dhcp.yml b/roles/matrix-dynamic-dns/tasks/uninstall_dhcp.yml deleted file mode 100644 index 09018f68..00000000 --- a/roles/matrix-dynamic-dns/tasks/uninstall_dhcp.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- - -- import_tasks: "{{ role_path }}/tasks/platform/main.yml" - -- name: Check existence of ddclient.service - stat: - path: "{{ systemd_path }}/ddclient.service" - register: matrix_dynamic_dns_ddclient_service_stat - -- name: Ensure ddclient.service is stopped - service: - name: dynamic-dns - state: stopped - daemon_reload: yes - when: "matrix_dynamic_dns_ddclient_service_stat.stat.exists" - -- name: Ensure ddclient.service doesn't exist - file: - path: "{{ systemd_path }}/ddclient.service" - state: absent - when: "matrix_dynamic_dns_ddclient_service_stat.stat.exists" - -- name: Ensure ddclient configuration files don't exist - file: - path: - - "etc/ddclient.conf" - - "etc/default/ddclient" - state: absent - -- name: Ensure systemd reloaded after ddclient.service removal - service: - daemon_reload: yes - when: "matrix_dynamic_dns_ddclient_service_stat.stat.exists" diff --git a/roles/matrix-dynamic-dns/tasks/validate_config.yml b/roles/matrix-dynamic-dns/tasks/validate_config.yml index 61a8ea23..2895f407 100644 --- a/roles/matrix-dynamic-dns/tasks/validate_config.yml +++ b/roles/matrix-dynamic-dns/tasks/validate_config.yml @@ -8,10 +8,3 @@ with_items: - "matrix_dynamic_dns_domain" - "matrix_dynamic_dns_provider" - - "matrix_dynamic_dns_mode" - -- name: Fail if dynamic dns mode is incorrect - fail: - msg: >- - matrix_dynamic_dns_mode needs to be set to 'daemon' or 'dhcp' - when: "matrix_dynamic_dns_enabled and matrix_dynamic_dns_mode != 'daemon' and matrix_dynamic_dns_mode != 'dhcp'" diff --git a/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 b/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 index ffbf4c05..651712db 100644 --- a/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 +++ b/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 @@ -1,7 +1,6 @@ -{% if matrix_dynamic_dns_mode == "daemon" %}} daemon={{ matrix_dynamic_dns_daemon_interval }} syslog=no -pid=/var/run/ddclient/ddclient.pid {% endif %} +pid=/var/run/ddclient/ddclient.pid ssl=yes use={{ matrix_dynamic_dns_use }} protocol={{ matrix_dynamic_dns_protocol }} From e7d79a95dc9a20948ea439cc308e185057fafd3a Mon Sep 17 00:00:00 2001 From: Scott Crossen Date: Mon, 19 Oct 2020 10:46:02 -0700 Subject: [PATCH 1460/2384] removed platform-specific stuff --- .../tasks/platform/archlinux.yml | 15 ------------- .../tasks/platform/centos.yml | 22 ------------------- .../tasks/platform/debian.yml | 17 -------------- .../tasks/platform/main.yml | 11 ---------- 4 files changed, 65 deletions(-) delete mode 100644 roles/matrix-dynamic-dns/tasks/platform/archlinux.yml delete mode 100644 roles/matrix-dynamic-dns/tasks/platform/centos.yml delete mode 100644 roles/matrix-dynamic-dns/tasks/platform/debian.yml delete mode 100644 roles/matrix-dynamic-dns/tasks/platform/main.yml diff --git a/roles/matrix-dynamic-dns/tasks/platform/archlinux.yml b/roles/matrix-dynamic-dns/tasks/platform/archlinux.yml deleted file mode 100644 index 10e20802..00000000 --- a/roles/matrix-dynamic-dns/tasks/platform/archlinux.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- - -- name: Ensure ddclient is installed - pacman: - name: ddclient - state: latest - when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" - -- name: Ensure ddclient is uninstalled - pacman: - name: ddclient - state: absent - update_cache: true - become: true - when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" diff --git a/roles/matrix-dynamic-dns/tasks/platform/centos.yml b/roles/matrix-dynamic-dns/tasks/platform/centos.yml deleted file mode 100644 index 7375ad32..00000000 --- a/roles/matrix-dynamic-dns/tasks/platform/centos.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- name: Ensure yum packages are installed - yum: - name: epel-release - state: latest - update_cache: yes - when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" - -- name: Ensure ddclient is installed - yum: - name: ddclient - state: latest - when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" - -- name: Ensure ddclient is uninstalled - yum: - name: - - ddclient - - epel-release - state: absent - when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" diff --git a/roles/matrix-dynamic-dns/tasks/platform/debian.yml b/roles/matrix-dynamic-dns/tasks/platform/debian.yml deleted file mode 100644 index c41dbaf9..00000000 --- a/roles/matrix-dynamic-dns/tasks/platform/debian.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- name: Ensure ddclient is installed - apt: - name: ddclient - state: present - update_cache: true - become: true - when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" - -- name: Ensure ddclient is uninstalled - apt: - name: ddclient - state: absent - update_cache: true - become: true - when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" diff --git a/roles/matrix-dynamic-dns/tasks/platform/main.yml b/roles/matrix-dynamic-dns/tasks/platform/main.yml deleted file mode 100644 index ca973749..00000000 --- a/roles/matrix-dynamic-dns/tasks/platform/main.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- include_tasks: "{{ role_path }}/tasks/platform/centos.yml" - when: ansible_distribution == 'CentOS' - -# The instructions are the same for Debian, Ubuntu, and Raspbian -- include_tasks: "{{ role_path }}/tasks/platform/debian.yml" - when: ansible_distribution == 'Debian' - -- include_tasks: "{{ role_path }}/tasks/platform/archlinux.yml" - when: ansible_distribution == 'Archlinux' From efeb651789871128eaa6a09706b5cf1999000e3c Mon Sep 17 00:00:00 2001 From: Scott Crossen Date: Mon, 19 Oct 2020 11:25:01 -0700 Subject: [PATCH 1461/2384] Removed typo --- roles/matrix-dynamic-dns/tasks/uninstall.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dynamic-dns/tasks/uninstall.yml b/roles/matrix-dynamic-dns/tasks/uninstall.yml index 8480f3c3..1be0e190 100644 --- a/roles/matrix-dynamic-dns/tasks/uninstall.yml +++ b/roles/matrix-dynamic-dns/tasks/uninstall.yml @@ -2,7 +2,7 @@ - name: Check existence of matrix-dynamic-dns service stat: - path: "{{ systemd_path }}m/matrix-dynamic-dns.service" + path: "{{ systemd_path }}/matrix-dynamic-dns.service" register: matrix_dynamic_dns_service_stat - name: Ensure matrix-dynamic-dns is stopped @@ -14,7 +14,7 @@ - name: Ensure matrix-dynamic-dns.service doesn't exist file: - path: "{{ systemd_path }}m/matrix-dynamic-dns.service" + path: "{{ systemd_path }}/matrix-dynamic-dns.service" state: absent when: "matrix_dynamic_dns_service_stat.stat.exists" From 94dcceb7b9c77ca5b1be02c53aa9a12e310df5e5 Mon Sep 17 00:00:00 2001 From: Scott Crossen Date: Mon, 19 Oct 2020 11:26:37 -0700 Subject: [PATCH 1462/2384] removed intentional delay --- .../templates/systemd/matrix-dynamic-dns.service.j2 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 index 9f866e1e..9c11e148 100644 --- a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 +++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 @@ -13,10 +13,6 @@ Wants={{ service }} Type=simple ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dynamic-dns ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dynamic-dns - -# Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre={{ matrix_host_command_sleep }} 5 - ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ From 24c6d7e81f9c22764dfd7c2d3c2c20239b692553 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 20 Oct 2020 19:06:16 +0300 Subject: [PATCH 1463/2384] Upgrade Element (1.7.9 -> 1.7.10) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index a864244a..d2b9258f 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -2,7 +2,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false -matrix_client_element_docker_image: "vectorim/riot-web:v1.7.9" +matrix_client_element_docker_image: "vectorim/riot-web:v1.7.10" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element" From 501efee07e621eb626f5ed032210d49f30c04408 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 22 Oct 2020 20:53:41 +0200 Subject: [PATCH 1464/2384] synapse workers: supply systemd with actual worker PIDs (requires jq) also, worker.yaml.j2: - hone worker_name - remove worker_pid_file entry (would only be used if worker_daemonize set to true; also, synapse only knows about the container namespace and thus can not provide the required host-view PID) --- .../matrix-synapse-worker-write-pid | 30 +++++++++++++++++++ .../tasks/workers/setup_install.yml | 6 ++++ .../tasks/workers/setup_uninstall.yml | 5 ++++ .../systemd/matrix-synapse-worker@.service.j2 | 12 +++++--- .../templates/synapse/worker.yaml.j2 | 3 +- 5 files changed, 50 insertions(+), 6 deletions(-) create mode 100644 roles/matrix-synapse/files/usr-local-bin/matrix-synapse-worker-write-pid diff --git a/roles/matrix-synapse/files/usr-local-bin/matrix-synapse-worker-write-pid b/roles/matrix-synapse/files/usr-local-bin/matrix-synapse-worker-write-pid new file mode 100644 index 00000000..02c5ba09 --- /dev/null +++ b/roles/matrix-synapse/files/usr-local-bin/matrix-synapse-worker-write-pid @@ -0,0 +1,30 @@ +#!/bin/bash +# Find a synapse worker's PID and write it to a file so systemd can manage it as a service + +# example invocation: +# matrix-synapse-worker-write-pid user_dir:18700 /run/matrix-synapse-worker.user_dir:18700.pid + +docker_api_call() { curl --silent --unix-socket /var/run/docker.sock ${@}; } + +TARGETCONTAINER=matrix-synapse +TARGETWORKER=${1} +PIDFILE=${2} + +# get ID list of subprocesses executed in $TARGETCONTAINER, and for each.. +for EXECID in $(docker_api_call http://localhost/containers/${TARGETCONTAINER}/json | jq --raw-output '.ExecIDs[]') +do + # fetch detailed process info + EXECINFO=$(docker_api_call http://localhost/exec/${EXECID}/json) + + # extract config file path from last command argument + WORKERCONFIGFILE=$(echo ${EXECINFO} | jq --raw-output .ProcessConfig.arguments[-1]) + + # reconstruct worker name + WORKERNAME=${WORKERCONFIGFILE#*/worker.} + WORKERNAME=${WORKERNAME%.yaml} + + # if name matches the target worker: write out most recent PID & quit + [ "${WORKERNAME}" = "${TARGETWORKER}" ] \ + && echo ${EXECINFO} | jq --raw-output .Pid > ${PIDFILE} \ + && exit 0 +done diff --git a/roles/matrix-synapse/tasks/workers/setup_install.yml b/roles/matrix-synapse/tasks/workers/setup_install.yml index 0031c236..44d59495 100644 --- a/roles/matrix-synapse/tasks/workers/setup_install.yml +++ b/roles/matrix-synapse/tasks/workers/setup_install.yml @@ -40,3 +40,9 @@ {{ matrix_synapse_systemd_wanted_services_list + ['matrix-synapse-worker@' + item.worker + ':' + item.port|string + '.service'] }} with_items: "{{ matrix_synapse_workers_enabled_list }}" + +- name: Ensure matrix-synapse-worker-write-pid script is created + copy: + src: "{{ role_path }}/files/usr-local-bin/matrix-synapse-worker-write-pid" + dest: "{{ matrix_local_bin_path }}/matrix-synapse-worker-write-pid" + mode: 0750 diff --git a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml index d1e7e3b5..0571114c 100644 --- a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml @@ -36,3 +36,8 @@ - name: Ensure systemd noticed removal of worker service units service: daemon_reload: yes + +- name: Ensure matrix-synapse-worker-write-pid script is removed + file: + path: "{{ matrix_local_bin_path }}/matrix-synapse-worker-write-pid" + state: absent diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 index d14b2557..2c82873d 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 @@ -3,8 +3,8 @@ # alongside the homeserver main process. # c.f. https://github.com/matrix-org/synapse/pull/4662 [Unit] -Description=Synapse Matrix Worker -AssertPathExists={{matrix_synapse_config_dir_path }}/worker.%i.yaml +Description=Matrix worker synapse.app.%i +AssertPathExists={{ matrix_synapse_config_dir_path }}/worker.%i.yaml After=matrix-synapse.service BindsTo=matrix-synapse.service @@ -23,9 +23,13 @@ ExecStart=/bin/sh -c "WORKER=%i; WORKER=$${WORKER%%:*}; \ matrix-synapse \ python -m synapse.app.$${WORKER} -c /data/homeserver.yaml -c /data/worker.%i.yaml" +# wait for worker startup & write out PID of actual worker process so systemd can handle it +ExecStartPost=/bin/sleep 5 +ExecStartPost=/usr/local/bin/matrix-synapse-worker-write-pid %i /run/matrix-synapse-worker.%i.pid + ExecReload=/bin/kill -HUP $MAINPID -ExecStop=/usr/bin/docker exec matrix-synapse pkill -f %i -PIDFile=/matrix-run/{{ item.worker }}.port{{ item.port }}.pid +ExecStop=/bin/kill $MAINPID +PIDFile=/run/matrix-synapse-worker.%i.pid KillMode=process Restart=always RestartSec=10 diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 index 319f5708..0a282ba7 100644 --- a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" worker_app: synapse.app.{{ item.worker }} -worker_name: {{ item.worker ~ '_' ~ item.port }} +worker_name: {{ item.worker ~ ':' ~ item.port }} worker_replication_host: 127.0.0.1 worker_replication_http_port: {{ matrix_synapse_replication_http_port }} @@ -26,5 +26,4 @@ worker_main_http_uri: http://127.0.0.1:8008 {% endif %} worker_daemonize: false -worker_pid_file: /matrix-run/{{ item.worker }}.port{{ item.port }}.pid worker_log_config: /data/{{ matrix_server_fqn_matrix }}.log.config From 69efcb5c21ad55bf597a298a3f6ba499c729920a Mon Sep 17 00:00:00 2001 From: Sabine Date: Thu, 22 Oct 2020 23:29:34 +0200 Subject: [PATCH 1465/2384] added mautrix-signal role --- .../defaults/main.yml | 102 +++++++++ .../tasks/init.yml | 63 ++++++ .../tasks/main.yml | 21 ++ .../tasks/setup_install.yml | 102 +++++++++ .../tasks/setup_uninstall.yml | 64 ++++++ .../tasks/validate_config.yml | 22 ++ .../templates/config.yaml.j2 | 207 ++++++++++++++++++ .../matrix-mautrix-signal-daemon.service.j2 | 29 +++ .../matrix-mautrix-signal-db.service.j2 | 32 +++ .../systemd/matrix-mautrix-signal.service.j2 | 44 ++++ setup.yml | 1 + 11 files changed, 687 insertions(+) create mode 100644 roles/matrix-bridge-mautrix-signal/defaults/main.yml create mode 100644 roles/matrix-bridge-mautrix-signal/tasks/init.yml create mode 100644 roles/matrix-bridge-mautrix-signal/tasks/main.yml create mode 100644 roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 create mode 100644 roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-db.service.j2 create mode 100644 roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml new file mode 100644 index 00000000..d86bdb59 --- /dev/null +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -0,0 +1,102 @@ +# mautrix-telegram is a Matrix <-> Telegram bridge +# See: https://github.com/tulir/mautrix-telegram + +matrix_mautrix_signal_enabled: false + +# See: https://mau.dev/tulir/mautrix-signal/container_registry +matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:latest" +matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" + +matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal" +matrix_mautrix_signal_config_path: "{{ matrix_mautrix_signal_base_path }}/bridge" + +matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:latest" +matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}" + +matrix_mautrix_signal_daemon_path: "{{ matrix_mautrix_signal_base_path }}/signald" + +# # Get your own API keys at https://my.telegram.org/apps +# matrix_mautrix_telegram_api_id: '' +# matrix_mautrix_telegram_api_hash: '' +# matrix_mautrix_telegram_bot_token: disabled + +# # Mautrix telegram public endpoint to log in to telegram +# # Use an uuid so it's not easily discoverable. +# # Example: /741a0483-ba17-4682-9900-30bd7269f1cc +# matrix_mautrix_telegram_public_endpoint: '' + +matrix_mautrix_signal_homeserver_address: 'http://matrix-synapse:8008' +matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' +matrix_mautrix_signal_appservice_address: 'http://matrix-mautrix-signal:29328' +# matrix_mautrix_telegram_appservice_public_external: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mautrix_telegram_public_endpoint }}' + +# Controls whether the matrix-mautrix-telegram container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9006"), or empty string to not expose. +matrix_mautrix_signal_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_mautrix_signal_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-signal.service depends on. +matrix_mautrix_signal_systemd_required_services_list: ['docker.service', 'matrix-mautrix-signal-daemon.service', 'matrix-mautrix-signal-db.service'] + +# List of systemd services that matrix-mautrix-telegram.service wants +matrix_mautrix_signal_systemd_wanted_services_list: [] + +matrix_mautrix_signal_appservice_token: '' +matrix_mautrix_signal_homeserver_token: '' + +matrix_mautrix_signal_db_docker_image: "postgres:13.0-alpine" +matrix_mautrix_signal_db_docker_image_force_pull: "{{ matrix_mautrix_signal_db_docker_image.endswith(':latest') }}" +matrix_mautrix_signal_db_storage_path: "{{ matrix_mautrix_signal_base_path }}/database" + +matrix_mautrix_signal_db_user: '' +matrix_mautrix_signal_db_password: '' +matrix_mautrix_signal_db_host: 'matrix-mautrix-signal-db' +matrix_mautrix_signal_db_port: '5432' +matrix_mautrix_signal_db_database: '' + +matrix_mautrix_signal_db_url: "postgres://{{ matrix_mautrix_signal_db_user }}:{{ matrix_mautrix_signal_db_password }}@{{ matrix_mautrix_signal_db_host }}:{{ matrix_mautrix_signal_db_port }}/{{ matrix_mautrix_signal_db_database }}" + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mautrix_signal_login_shared_secret: '' + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_telegram_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_signal_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_signal_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_telegram_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_telegram_configuration_yaml`. + +matrix_mautrix_signal_configuration_extension: "{{ matrix_mautrix_signal_configuration_extension_yaml|from_yaml if matrix_mautrix_signal_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`. +matrix_mautrix_signal_configuration: "{{ matrix_mautrix_signal_configuration_yaml|from_yaml|combine(matrix_mautrix_signal_configuration_extension, recursive=True) }}" + +matrix_mautrix_signal_registration_yaml: | + id: signal + as_token: "{{ matrix_mautrix_signal_appservice_token }}" + hs_token: "{{ matrix_mautrix_signal_homeserver_token }}" + namespaces: + users: + - exclusive: true + regex: '^@signal_.+:{{ matrix_mautrix_signal_homeserver_domain|regex_escape }}$' + aliases: + - exclusive: true + regex: '^#signal_.+:{{ matrix_mautrix_signal_homeserver_domain|regex_escape }}$' + url: {{ matrix_mautrix_signal_appservice_address }} + sender_localpart: signalbot + rate_limited: false + +matrix_mautrix_signal_registration: "{{ matrix_mautrix_signal_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/init.yml b/roles/matrix-bridge-mautrix-signal/tasks/init.yml new file mode 100644 index 00000000..8fdc9834 --- /dev/null +++ b/roles/matrix-bridge-mautrix-signal/tasks/init.yml @@ -0,0 +1,63 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal', 'matrix-mautrix-signal-daemon'] }}" + when: matrix_mautrix_signal_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mautrix_signal_config_path }}/registration.yaml,dst=/matrix-mautrix-signal-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mautrix-signal-registration.yaml"] }} + when: matrix_mautrix_signal_enabled|bool + +# - block: +# - name: Fail if matrix-nginx-proxy role already executed +# fail: +# msg: >- +# Trying to append Mautrix Signal's reverse-proxying configuration to matrix-nginx-proxy, +# but it's pointless since the matrix-nginx-proxy role had already executed. +# To fix this, please change the order of roles in your plabook, +# so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-signal role. +# when: matrix_nginx_proxy_role_executed|default(False)|bool + + # - name: Generate Mautrix Signal proxying configuration for matrix-nginx-proxy + # set_fact: + # matrix_mautrix_telegram_matrix_nginx_proxy_configuration: | + # location {{ matrix_mautrix_telegram_public_endpoint }} { + # {% if matrix_nginx_proxy_enabled|default(False) %} + # {# Use the embedded DNS resolver in Docker containers to discover the service #} + # resolver 127.0.0.11 valid=5s; + # set $backend "matrix-mautrix-telegram:8080"; + # proxy_pass http://$backend; + # {% else %} + # {# Generic configuration for use outside of our container setup #} + # proxy_pass http://127.0.0.1:9006; + # {% endif %} + # } + + # - name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy + # set_fact: + # matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + # {{ + # matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) + # + + # [matrix_mautrix_telegram_matrix_nginx_proxy_configuration] + # }} + # tags: + # - always + # when: matrix_mautrix_telegram_enabled|bool + +# - name: Warn about reverse-proxying if matrix-nginx-proxy not used +# debug: +# msg: >- +# NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy +# reverse proxy. +# Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}` +# URL endpoint to the matrix-mautrix-telegram container. +# You can expose the container's port using the `matrix_mautrix_telegram_container_http_host_bind_port` variable. +# when: "matrix_mautrix_telegram_enabled|bool and matrix_nginx_proxy_enabled is not defined" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/main.yml b/roles/matrix-bridge-mautrix-signal/tasks/main.yml new file mode 100644 index 00000000..edca20e6 --- /dev/null +++ b/roles/matrix-bridge-mautrix-signal/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mautrix_signal_enabled|bool" + tags: + - setup-all + - setup-mautrix-signal + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mautrix_signal_enabled|bool" + tags: + - setup-all + - setup-mautrix-signal + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mautrix_signal_enabled|bool" + tags: + - setup-all + - setup-mautrix-signal diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml new file mode 100644 index 00000000..cacb4c6c --- /dev/null +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -0,0 +1,102 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mautrix-signal role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- name: Ensure Mautrix Signal image is pulled + docker_image: + name: "{{ matrix_mautrix_signal_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" + +- name: Ensure Mautrix Signal Daemon image is pulled + docker_image: + name: "{{ matrix_mautrix_signal_daemon_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" + +- name: Ensure Mautrix Signal database image is pulled + docker_image: + name: "{{ matrix_mautrix_signal_db_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_signal_db_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" + +- name: Ensure Mautrix Signal paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_mautrix_signal_base_path }}" + - "{{ matrix_mautrix_signal_config_path }}" + - "{{ matrix_mautrix_signal_daemon_path }}" + - "{{ matrix_mautrix_signal_db_storage_path }}" + +# - name: Check if an old database file already exists +# stat: +# path: "{{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db" +# register: matrix_mautrix_telegram_stat_database +# +# - name: (Data relocation) Ensure matrix-mautrix-telegram.service is stopped +# service: +# name: matrix-mautrix-telegram +# state: stopped +# daemon_reload: yes +# failed_when: false +# when: "matrix_mautrix_telegram_stat_database.stat.exists" +# +# - name: (Data relocation) Move mautrix-telegram database file to ./data directory +# command: "mv {{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db {{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" +# when: "matrix_mautrix_telegram_stat_database.stat.exists" + +- name: Ensure mautrix-signal config.yaml installed + copy: + content: "{{ matrix_mautrix_signal_configuration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_signal_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-signal registration.yaml installed + copy: + content: "{{ matrix_mautrix_signal_registration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_signal_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mautrix-signal-daemon.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal-daemon.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-signal-daemon.service" + mode: 0644 + register: matrix_mautrix_signal_daemon_systemd_service_result + +- name: Ensure matrix-mautrix-signal-db.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal-db.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-signal-db.service" + mode: 0644 + register: matrix_mautrix_signal_db_systemd_service_result + +- name: Ensure matrix-mautrix-signal.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-signal.service" + mode: 0644 + register: matrix_mautrix_signal_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mautrix-signal.service installation + service: + daemon_reload: yes + when: "matrix_mautrix_signal_systemd_service_result.changed or matrix_mautrix_signal_daemon_systemd_service_result.changed or matrix_mautrix_signal_db_systemd_service_result.changed" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml new file mode 100644 index 00000000..51581874 --- /dev/null +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml @@ -0,0 +1,64 @@ +--- + +# Signal database service +- name: Check existence of matrix-mautrix-signal-db service + stat: + path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-db.service" + register: matrix_mautrix_signal_db_service_stat + +- name: Ensure matrix-mautrix-signal-db is stopped + service: + name: matrix-mautrix-signal-db + state: stopped + daemon_reload: yes + when: "matrix_mautrix_signal_db_service_stat.stat.exists" + +- name: Ensure matrix-mautrix-signal-db.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-db.service" + state: absent + when: "matrix_mautrix_signal_db_service_stat.stat.exists" + +# Signal daemon service +- name: Check existence of matrix-mautrix-signal-daemon service + stat: + path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-daemon.service" + register: matrix_mautrix_signal_daemon_service_stat + +- name: Ensure matrix-mautrix-signal-daemon is stopped + service: + name: matrix-mautrix-signal-daemon + state: stopped + daemon_reload: yes + when: "matrix_mautrix_signal_daemon_service_stat.stat.exists" + +- name: Ensure matrix-mautrix-signal-daemon.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-daemon.service" + state: absent + when: "matrix_mautrix_signal_daemon_service_stat.stat.exists" + +# Bridge service +- name: Check existence of matrix-mautrix-signal service + stat: + path: "{{ matrix_systemd_path }}/matrix-mautrix-signal.service" + register: matrix_mautrix_signal_service_stat + +- name: Ensure matrix-mautrix-signal is stopped + service: + name: matrix-mautrix-signal + state: stopped + daemon_reload: yes + when: "matrix_mautrix_signal_service_stat.stat.exists" + +- name: Ensure matrix-mautrix-signal.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mautrix-signal.service" + state: absent + when: "matrix_mautrix_signal_service_stat.stat.exists" + +# All services +- name: Ensure systemd reloaded after matrix-mautrix-signal_X.service removal + service: + daemon_reload: yes + when: "matrix_mautrix_signal_service_stat.stat.exists or matrix_mautrix_signal_daemon_service_stat.stat.exists or matrix_mautrix_signal_db_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml new file mode 100644 index 00000000..a11e192d --- /dev/null +++ b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml @@ -0,0 +1,22 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mautrix_signal_appservice_token" + - "matrix_mautrix_signal_homeserver_token" + - "matrix_mautrix_signal_db_user" + - "matrix_mautrix_signal_db_password" + - "matrix_mautrix_signal_db_database" + +- name: (Deprecation) Catch and report renamed Signal variables + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_mautrix_signal_container_exposed_port_number', 'new': ''} diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 new file mode 100644 index 00000000..6865d3c1 --- /dev/null +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -0,0 +1,207 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_signal_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_signal_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + asmux: false + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_signal_appservice_address }} + # When using https:// the TLS certificate and key files for the address. + tls_cert: false + tls_key: false + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 29328 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. Only Postgres is currently supported. + database: {{ matrix_mautrix_signal_db_url }} + + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: true + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + + # The unique ID of this appservice. + id: signal + # Username of the appservice bot. + bot_username: signalbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Signal bridge bot + bot_avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp + + # Community ID for bridged users (changes registration file) and rooms. + # Must be created manually. + # + # Example: "+signal:example.com". Set to false to disable. + community_id: false + + # Authentication tokens for AS <-> HS communication. + as_token: "{{ matrix_mautrix_signal_appservice_token }}" + hs_token: "{{ matrix_mautrix_signal_homeserver_token }}" + +# Prometheus telemetry config. Requires prometheus-client to be installed. +metrics: + enabled: false + listen_port: 8000 + +signal: + # Path to signald unix socket + socket_path: /signald/signald.sock + # Directory for temp files when sending files to Signal. This should be an + # absolute path that signald can read. For attachments in the other direction, + # make sure signald is configured to use an absolute path as the data directory. + outgoing_attachment_dir: /signald/attachments + # Directory where signald stores avatars for groups. + avatar_dir: /signald/avatars + # Whether or not message attachments should be removed from disk after they're bridged. + remove_file_after_handling: true + +# Bridge config +bridge: + # Localpart template of MXIDs for Signal users. + # {userid} is replaced with an identifier for the Signal user. + username_template: "signal_{userid}" + # Displayname template for Signal users. + # {displayname} is replaced with the displayname of the Signal user, which is the first + # available variable in displayname_preference. The variables in displayname_preference + # can also be used here directly. + displayname_template: "{displayname} (Signal)" + # Whether or not contact list displaynames should be used. + # Using this isn't recommended on multi-user instances. + allow_contact_list_name_updates: false + # Available variables: full_name, first_name, last_name, phone, uuid + displayname_preference: + - full_name + - phone + + # Whether or not to create portals for all groups on login/connect. + autocreate_group_portal: true + # Whether or not to create portals for all contacts on login/connect. + autocreate_contact_portal: false + # Whether or not to use /sync to get read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: true + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. + double_puppet_server_map: {} + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + login_shared_secret_map: + {{ matrix_mautrix_signal_homeserver_domain }}: {{ matrix_mautrix_signal_login_shared_secret|to_json }} + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Options for automatic key sharing. + key_sharing: + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow: false + # Require the requesting device to have a valid cross-signing signature? + # This doesn't require that the bridge has verified the device, only that the user has verified it. + # Not yet implemented. + require_cross_signing: false + # Require devices to be verified by the bridge? + # Verification by the bridge is not yet implemented. + require_verification: true + # Whether or not to explicitly set the avatar and room name for private + # chat portal rooms. This will be implicitly enabled if encryption.default is true. + private_chat_portal_meta: false + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Signal. This let's you check manually whether the bridge is receiving your + # messages. + # Note that this is not related to Signal delivery receipts. + delivery_receipts: false + # Whether or not delivery errors should be reported as messages in the Matrix room. (not yet implemented) + delivery_error_reports: false + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!signal" + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "1m.at": "user" + "@admin:1m.at": "admin" + + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_signal.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: normal + filename: ./mautrix-signal.log + maxBytes: 10485760 + backupCount: 10 + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [file, console] diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 new file mode 100644 index 00000000..499ee309 --- /dev/null +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 @@ -0,0 +1,29 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mautrix Signal daemon + +[Service] +Type=simple + +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal-daemon \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --network={{ matrix_docker_network }} \ + -v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \ + {{ matrix_mautrix_signal_daemon_docker_image }} + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon + +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mautrix-signal-daemon + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-db.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-db.service.j2 new file mode 100644 index 00000000..653b67b8 --- /dev/null +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-db.service.j2 @@ -0,0 +1,32 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mautrix Signal database server + +[Service] +Type=simple + +ExecStartPre=-{{ matrix_host_command_docker }} kill {{ matrix_mautrix_signal_db_host }} +ExecStartPre=-{{ matrix_host_command_docker }} rm {{ matrix_mautrix_signal_db_host }} + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_mautrix_signal_db_host }} \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --network={{ matrix_docker_network }} \ + --env POSTGRES_USER={{ matrix_mautrix_signal_db_user }} \ + --env POSTGRES_PASSWORD={{ matrix_mautrix_signal_db_password }} \ + --env POSTGRES_DB={{ matrix_mautrix_signal_db_database }} \ + -v {{ matrix_mautrix_signal_db_storage_path }}:/var/lib/postgresql/data:z \ + {{ matrix_mautrix_signal_db_docker_image }} + +ExecStop=-{{ matrix_host_command_docker }} kill {{ matrix_mautrix_signal_db_host }} +ExecStop=-{{ matrix_host_command_docker }} rm {{ matrix_mautrix_signal_db_host }} + +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mautrix-signal-db + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 new file mode 100644 index 00000000..c1c835a2 --- /dev/null +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -0,0 +1,44 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mautrix Signal server + +{% for service in matrix_mautrix_signal_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} + +{% for service in matrix_mautrix_signal_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal \ + --log-driver=none \ + --network={{ matrix_docker_network }} \ + {% if matrix_mautrix_signal_container_http_host_bind_port %} + -p {{ matrix_mautrix_signal_container_http_host_bind_port }}:29328 \ + {% endif %} + -v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \ + -v {{ matrix_mautrix_signal_config_path }}:/data:z \ + {% for arg in matrix_mautrix_signal_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mautrix_signal_docker_image }} \ + python3 -m mautrix_signal -c /data/config.yaml + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal +ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal + +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mautrix-signal + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 68c4e4ee..67639f3e 100755 --- a/setup.yml +++ b/setup.yml @@ -14,6 +14,7 @@ - matrix-bridge-appservice-irc - matrix-bridge-mautrix-facebook - matrix-bridge-mautrix-hangouts + - matrix-bridge-mautrix-signal - matrix-bridge-mautrix-telegram - matrix-bridge-mautrix-whatsapp - matrix-bridge-mx-puppet-discord From a4125d544623312397c0760f43ac91fd261fa96b Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Fri, 23 Oct 2020 20:49:53 +0200 Subject: [PATCH 1466/2384] synapse workers: polishing, cleansing and installation of jq dependency --- roles/matrix-synapse/tasks/workers/setup.yml | 5 ++- .../tasks/workers/setup_install.yml | 31 +++++++++++++++++-- .../tasks/workers/setup_uninstall.yml | 12 ++++--- .../systemd/matrix-synapse-worker@.service.j2 | 10 +++--- 4 files changed, 44 insertions(+), 14 deletions(-) diff --git a/roles/matrix-synapse/tasks/workers/setup.yml b/roles/matrix-synapse/tasks/workers/setup.yml index 4951ac2d..083da807 100644 --- a/roles/matrix-synapse/tasks/workers/setup.yml +++ b/roles/matrix-synapse/tasks/workers/setup.yml @@ -1,8 +1,7 @@ --- -# a negative when condition will not actually prevent ansible from executing loops in imported tasks! -- import_tasks: "{{ role_path }}/tasks/workers/setup_install.yml" +- include_tasks: "{{ role_path }}/tasks/workers/setup_install.yml" when: "matrix_synapse_enabled|bool and matrix_synapse_workers_enabled|bool" -- import_tasks: "{{ role_path }}/tasks/workers/setup_uninstall.yml" +- include_tasks: "{{ role_path }}/tasks/workers/setup_uninstall.yml" when: "not matrix_synapse_workers_enabled|bool" diff --git a/roles/matrix-synapse/tasks/workers/setup_install.yml b/roles/matrix-synapse/tasks/workers/setup_install.yml index 44d59495..3f1f8ac0 100644 --- a/roles/matrix-synapse/tasks/workers/setup_install.yml +++ b/roles/matrix-synapse/tasks/workers/setup_install.yml @@ -7,12 +7,11 @@ mode: 0644 register: matrix_synapse_worker_systemd_service_result -- name: Ensure previous worker service symlinks are cleaned (FIXME) +- name: Ensure previous worker service symlinks are cleaned file: path: "{{ item.root + '/' + item.path }}" state: absent when: - - matrix_synapse_workers_enabled|bool - item.state == 'link' - item.path is match('matrix-synapse-worker@.*\\.service') with_filetree: @@ -28,6 +27,13 @@ enabled: true with_items: "{{ matrix_synapse_workers_enabled_list }}" +- name: Ensure previous worker configs are cleaned + file: + path: "{{ item }}" + state: absent + with_fileglob: + - "{{ matrix_synapse_config_dir_path }}/worker.*.yaml" + - name: Ensure creation of specific worker configs template: src: "{{ role_path }}/templates/synapse/worker.yaml.j2" @@ -46,3 +52,24 @@ src: "{{ role_path }}/files/usr-local-bin/matrix-synapse-worker-write-pid" dest: "{{ matrix_local_bin_path }}/matrix-synapse-worker-write-pid" mode: 0750 + +- name: Ensure jq is installed (Archlinux) + pacman: + name: + - jq + state: present + when: (ansible_distribution == 'Archlinux') + +- name: Ensure jq is installed (CentOS) + yum: + name: + - jq + state: present + when: (ansible_distribution == 'CentOS') + +- name: Ensure jq is installed (Debian) + apt: + name: + - jq + state: present + when: (ansible_os_family == 'Debian') diff --git a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml index 0571114c..58b64760 100644 --- a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml @@ -9,14 +9,11 @@ state: stopped with_dict: "{{ ansible_facts.services|default({})|dict2items|selectattr('key', 'match', 'matrix-synapse-worker@.+\\.service')|list|items2dict }}" -# As we cannot know the ports of workers removed from the enabled_list.. -# => .. just kill them all (FIXME?) -- name: Ensure previous worker service symlinks are cleaned +- name: Ensure worker service symlinks are cleaned file: path: "{{ item.root + '/' + item.path }}" state: absent when: - - not matrix_synapse_workers_enabled|bool - item.state == 'link' - item.path is match('matrix-synapse-worker@.*\\.service') with_filetree: @@ -28,6 +25,13 @@ state: absent register: matrix_synapse_worker_systemd_service_result +- name: Ensure worker configs are cleaned + file: + path: "{{ item.root + '/' + item.path }}" + state: absent + with_fileglob: + - "{{ matrix_synapse_config_dir_path }}/worker.*.yaml" + - name: Remove workers from synapse.wants list set_fact: matrix_synapse_systemd_wanted_services_list: "{{ matrix_synapse_systemd_wanted_services_list | reject('search', item) | list }}" diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 index 2c82873d..983426ba 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 @@ -11,21 +11,21 @@ BindsTo=matrix-synapse.service [Service] Type=simple -# Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 +# Intentional delay, so that the homeserver can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 # no sane way of instancing more than one variable (systemd "cant-fix" 🤦) # c.f. https://github.com/systemd/systemd/issues/14895#issuecomment-594123923 # So use good ol' shell parameter expansion to get the worker type.. ExecStart=/bin/sh -c "WORKER=%i; WORKER=$${WORKER%%:*}; \ - exec /usr/bin/docker exec \ + exec {{ matrix_host_command_docker }} exec \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ matrix-synapse \ python -m synapse.app.$${WORKER} -c /data/homeserver.yaml -c /data/worker.%i.yaml" # wait for worker startup & write out PID of actual worker process so systemd can handle it -ExecStartPost=/bin/sleep 5 -ExecStartPost=/usr/local/bin/matrix-synapse-worker-write-pid %i /run/matrix-synapse-worker.%i.pid +ExecStartPost={{ matrix_host_command_sleep }} 5 +ExecStartPost={{ matrix_local_bin_path }}/matrix-synapse-worker-write-pid %i /run/matrix-synapse-worker.%i.pid ExecReload=/bin/kill -HUP $MAINPID ExecStop=/bin/kill $MAINPID From 7a54e1109066ea5960c772de34ae7461be7a304d Mon Sep 17 00:00:00 2001 From: Sabine Date: Sat, 24 Oct 2020 12:15:03 +0200 Subject: [PATCH 1467/2384] started moving settings to group_vars --- group_vars/matrix_servers | 25 +++++++++++++++++++ .../defaults/main.yml | 4 +-- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 00cdbdfb..00936700 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -241,7 +241,32 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro ###################################################################### +###################################################################### +# +# matrix-bridge-mautrix-signal +# +###################################################################### + +matrix_mautrix_signal_enabled: false + +matrix_mautrix_signal_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.as.token') | to_uuid }}" + +matrix_mautrix_signal_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.hs.token') | to_uuid }}" + +matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +###################################################################### +# +# /matrix-bridge-mautrix-signal +# +###################################################################### ###################################################################### diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index d86bdb59..d034cab1 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -1,7 +1,7 @@ # mautrix-telegram is a Matrix <-> Telegram bridge # See: https://github.com/tulir/mautrix-telegram -matrix_mautrix_signal_enabled: false +matrix_mautrix_signal_enabled: true # See: https://mau.dev/tulir/mautrix-signal/container_registry matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:latest" @@ -41,7 +41,7 @@ matrix_mautrix_signal_container_extra_arguments: [] # List of systemd services that matrix-mautrix-signal.service depends on. matrix_mautrix_signal_systemd_required_services_list: ['docker.service', 'matrix-mautrix-signal-daemon.service', 'matrix-mautrix-signal-db.service'] -# List of systemd services that matrix-mautrix-telegram.service wants +# List of systemd services that matrix-mautrix-signal.service wants matrix_mautrix_signal_systemd_wanted_services_list: [] matrix_mautrix_signal_appservice_token: '' From 1227349d0cd6671df2fbf30fac0193727ec0d928 Mon Sep 17 00:00:00 2001 From: Ivar Troost Date: Sat, 24 Oct 2020 17:03:24 +0200 Subject: [PATCH 1468/2384] Fix docker mount instruction in documentation The SSL certificates should be accessible to the nginx proxy container, not the synapse container. --- docs/howto-server-delegation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index 5235b843..1ea1091a 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -89,7 +89,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/ If your files are not in `/matrix/ssl` but in some other location, you would need to mount them into the container: ```yaml -matrix_synapse_container_extra_arguments: +matrix_nginx_proxy_container_extra_arguments: - "--mount type=bind,src=/some/path/on/the/host,dst=/some/path/inside/the/container,ro" ``` From d6940d9f106429629c6f4b758ebbbd122f6026a4 Mon Sep 17 00:00:00 2001 From: Sabine Laszakovits Date: Sun, 25 Oct 2020 18:44:19 +0100 Subject: [PATCH 1469/2384] added docs --- ...figuring-playbook-bridge-mautrix-signal.md | 45 +++++++++++++++++++ docs/configuring-playbook.md | 2 + 2 files changed, 47 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mautrix-signal.md diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md new file mode 100644 index 00000000..7bdd9924 --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-signal.md @@ -0,0 +1,45 @@ +# Setting up Mautrix Signal (optional) + +The playbook can install and configure [mautrix-signal](https://github.com/tulir/mautrix-signal) for you. + +See the project's [documentation](https://github.com/tulir/mautrix-signal/wiki) to learn what it does and why it might be useful to you. + +Use the following playbook configuration: + +```yaml +matrix_mautrix_signal_enabled: true +``` + + +## Set up Double Puppeting + +If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-whatsapp/wiki/Authentication#replacing-whatsapp-accounts-matrix-puppet-with-matrix-account) (hint: you most likely do), you have 2 ways of going about it. + +### Method 1: automatically, by enabling Shared Secret Auth + +The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. + +This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. + +### Method 2: manually, by asking each user to provide a working access token + +**Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)). + +When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps: + +- retrieve a Matrix access token for yourself. You can use the following command: + +``` +curl \ +--data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-Signal", "initial_device_display_name": "Mautrix-Signal"}' \ +https://matrix.DOMAIN/_matrix/client/r0/login +``` + +- send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE` + +- make sure you don't log out the `Mautrix-Signal` device some time in the future, as that would break the Double Puppeting feature + + +## Usage + +You then need to start a chat with `@signalbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index b174637e..ad45eac7 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -93,6 +93,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Hangouts bridging](configuring-playbook-bridge-mautrix-hangouts.md) (optional) +- [Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md) (optional) + - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional) - [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md) (optional) From ff1d7921a0f5a64b3f418d13d096112c100990f4 Mon Sep 17 00:00:00 2001 From: Sabine Laszakovits Date: Sun, 25 Oct 2020 20:16:24 +0100 Subject: [PATCH 1470/2384] moved registration.yaml contents to template --- .../defaults/main.yml | 15 +-------------- .../templates/registration.yaml.j2 | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 14 deletions(-) create mode 100644 roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index d034cab1..94428d4f 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -84,19 +84,6 @@ matrix_mautrix_signal_configuration_extension: "{{ matrix_mautrix_signal_configu # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`. matrix_mautrix_signal_configuration: "{{ matrix_mautrix_signal_configuration_yaml|from_yaml|combine(matrix_mautrix_signal_configuration_extension, recursive=True) }}" -matrix_mautrix_signal_registration_yaml: | - id: signal - as_token: "{{ matrix_mautrix_signal_appservice_token }}" - hs_token: "{{ matrix_mautrix_signal_homeserver_token }}" - namespaces: - users: - - exclusive: true - regex: '^@signal_.+:{{ matrix_mautrix_signal_homeserver_domain|regex_escape }}$' - aliases: - - exclusive: true - regex: '^#signal_.+:{{ matrix_mautrix_signal_homeserver_domain|regex_escape }}$' - url: {{ matrix_mautrix_signal_appservice_address }} - sender_localpart: signalbot - rate_limited: false +matrix_mautrix_signal_registration_yaml: "{{ lookup('template', 'templates/registration.yaml.j2') }}" matrix_mautrix_signal_registration: "{{ matrix_mautrix_signal_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 new file mode 100644 index 00000000..45cc5a0f --- /dev/null +++ b/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 @@ -0,0 +1,14 @@ +#jinja2: lstrip_blocks: "True" +id: signal +as_token: "{{ matrix_mautrix_signal_appservice_token }}" +hs_token: "{{ matrix_mautrix_signal_homeserver_token }}" +namespaces: + users: + - exclusive: true + regex: '^@signal_.+:{{ matrix_mautrix_signal_homeserver_domain|regex_escape }}$' + aliases: + - exclusive: true + regex: '^#signal_.+:{{ matrix_mautrix_signal_homeserver_domain|regex_escape }}$' +url: {{ matrix_mautrix_signal_appservice_address }} +sender_localpart: signalbot +rate_limited: false From 9b890e9ced5efc95de2b112e12aac5989a22aeb7 Mon Sep 17 00:00:00 2001 From: Sabine Laszakovits Date: Sun, 25 Oct 2020 20:45:24 +0100 Subject: [PATCH 1471/2384] moved some settings from role to group_vars --- group_vars/matrix_servers | 7 +++++++ roles/matrix-bridge-mautrix-signal/defaults/main.yml | 4 ++-- .../matrix-bridge-mautrix-signal/tasks/validate_config.yml | 2 ++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 00936700..c42054d7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -257,11 +257,18 @@ matrix_mautrix_signal_systemd_required_services_list: | }} matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.as.token') | to_uuid }}" +matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' + +matrix_mautrix_signal_homeserver_address: "{{ 'http://matrix-synapse:8008' if matrix_synapse_enabled else '' }}" matrix_mautrix_signal_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.hs.token') | to_uuid }}" matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +matrix_mautrix_signal_db_user: 'signal-db-user' +matrix_mautrix_signal_db_password: 'signal-db-password' +matrix_mautrix_signal_db_database: 'signal-db' + ###################################################################### # # /matrix-bridge-mautrix-signal diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 94428d4f..0e970591 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -25,8 +25,8 @@ matrix_mautrix_signal_daemon_path: "{{ matrix_mautrix_signal_base_path }}/signal # # Example: /741a0483-ba17-4682-9900-30bd7269f1cc # matrix_mautrix_telegram_public_endpoint: '' -matrix_mautrix_signal_homeserver_address: 'http://matrix-synapse:8008' -matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' +matrix_mautrix_signal_homeserver_address: '' +matrix_mautrix_signal_homeserver_domain: '' matrix_mautrix_signal_appservice_address: 'http://matrix-mautrix-signal:29328' # matrix_mautrix_telegram_appservice_public_external: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mautrix_telegram_public_endpoint }}' diff --git a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml index a11e192d..0f3a8e35 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml @@ -7,6 +7,8 @@ when: "vars[item] == ''" with_items: - "matrix_mautrix_signal_appservice_token" + - "matrix_mautrix_signal_homeserver_domain" + - "matrix_mautrix_signal_homeserver_address" - "matrix_mautrix_signal_homeserver_token" - "matrix_mautrix_signal_db_user" - "matrix_mautrix_signal_db_password" From 8ebc39dea0f1e7ca587c2f781279e3b16527167a Mon Sep 17 00:00:00 2001 From: Sabine Laszakovits Date: Sun, 25 Oct 2020 20:46:32 +0100 Subject: [PATCH 1472/2384] fixed dependencies of bridge service (not ideal, but correct) --- group_vars/matrix_servers | 3 +++ roles/matrix-bridge-mautrix-signal/defaults/main.yml | 7 ++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c42054d7..735581a2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -249,11 +249,14 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro matrix_mautrix_signal_enabled: false +# TODO: unclear whether to put this into the role or keep it here matrix_mautrix_signal_systemd_required_services_list: | {{ ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + ['matrix-mautrix-signal-daemon.service', 'matrix-mautrix-signal-db.service'] }} matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.as.token') | to_uuid }}" diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 0e970591..85ae6992 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -39,7 +39,12 @@ matrix_mautrix_signal_container_http_host_bind_port: '' matrix_mautrix_signal_container_extra_arguments: [] # List of systemd services that matrix-mautrix-signal.service depends on. -matrix_mautrix_signal_systemd_required_services_list: ['docker.service', 'matrix-mautrix-signal-daemon.service', 'matrix-mautrix-signal-db.service'] +# TODO: unclear whether to put this into group_vars or keep it here +matrix_mautrix_signal_systemd_required_services_list: + - 'docker.service' + - "{{ 'matrix-synapse.service' if matrix_synapse_enabled else [] }}" + - 'matrix-mautrix-signal-daemon.service' + - 'matrix-mautrix-signal-db.service' # List of systemd services that matrix-mautrix-signal.service wants matrix_mautrix_signal_systemd_wanted_services_list: [] From c36e1355cf58d3f73d3891060cb720db9e5b9230 Mon Sep 17 00:00:00 2001 From: Sabine Laszakovits Date: Sun, 25 Oct 2020 20:46:57 +0100 Subject: [PATCH 1473/2384] cleanup --- group_vars/matrix_servers | 3 ++- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 5 ++--- roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 735581a2..5252f7ad 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -259,13 +259,14 @@ matrix_mautrix_signal_systemd_required_services_list: | ['matrix-mautrix-signal-daemon.service', 'matrix-mautrix-signal-db.service'] }} -matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.as.token') | to_uuid }}" matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_signal_homeserver_address: "{{ 'http://matrix-synapse:8008' if matrix_synapse_enabled else '' }}" matrix_mautrix_signal_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.hs.token') | to_uuid }}" +matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.as.token') | to_uuid }}" + matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_signal_db_user: 'signal-db-user' diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 85ae6992..96778940 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -7,12 +7,11 @@ matrix_mautrix_signal_enabled: true matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:latest" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" -matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal" -matrix_mautrix_signal_config_path: "{{ matrix_mautrix_signal_base_path }}/bridge" - matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:latest" matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}" +matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal" +matrix_mautrix_signal_config_path: "{{ matrix_mautrix_signal_base_path }}/bridge" matrix_mautrix_signal_daemon_path: "{{ matrix_mautrix_signal_base_path }}/signald" # # Get your own API keys at https://my.telegram.org/apps diff --git a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml index 0f3a8e35..6663c641 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml @@ -6,10 +6,10 @@ You need to define a required configuration setting (`{{ item }}`). when: "vars[item] == ''" with_items: - - "matrix_mautrix_signal_appservice_token" - "matrix_mautrix_signal_homeserver_domain" - "matrix_mautrix_signal_homeserver_address" - "matrix_mautrix_signal_homeserver_token" + - "matrix_mautrix_signal_appservice_token" - "matrix_mautrix_signal_db_user" - "matrix_mautrix_signal_db_password" - "matrix_mautrix_signal_db_database" From e59aa07b8660d57e6d34e1cb730524ea7fc27dd9 Mon Sep 17 00:00:00 2001 From: Sabine Laszakovits Date: Sun, 25 Oct 2020 20:47:10 +0100 Subject: [PATCH 1474/2384] more cleanup --- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 96778940..2d61d207 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -14,16 +14,6 @@ matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal" matrix_mautrix_signal_config_path: "{{ matrix_mautrix_signal_base_path }}/bridge" matrix_mautrix_signal_daemon_path: "{{ matrix_mautrix_signal_base_path }}/signald" -# # Get your own API keys at https://my.telegram.org/apps -# matrix_mautrix_telegram_api_id: '' -# matrix_mautrix_telegram_api_hash: '' -# matrix_mautrix_telegram_bot_token: disabled - -# # Mautrix telegram public endpoint to log in to telegram -# # Use an uuid so it's not easily discoverable. -# # Example: /741a0483-ba17-4682-9900-30bd7269f1cc -# matrix_mautrix_telegram_public_endpoint: '' - matrix_mautrix_signal_homeserver_address: '' matrix_mautrix_signal_homeserver_domain: '' matrix_mautrix_signal_appservice_address: 'http://matrix-mautrix-signal:29328' From 2211e678f39af4f6e0931bba834d090c5ce0a0f6 Mon Sep 17 00:00:00 2001 From: Sabine Laszakovits Date: Sun, 25 Oct 2020 21:01:25 +0100 Subject: [PATCH 1475/2384] fixed comments that were copied over from mautrix-telegram role --- .../defaults/main.yml | 15 +++--- .../tasks/init.yml | 47 ------------------- .../tasks/setup_install.yml | 17 ------- 3 files changed, 7 insertions(+), 72 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 2d61d207..c15f1ed1 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -1,5 +1,5 @@ -# mautrix-telegram is a Matrix <-> Telegram bridge -# See: https://github.com/tulir/mautrix-telegram +# mautrix-signal is a Matrix <-> Signal bridge +# See: https://github.com/tulir/mautrix-signal matrix_mautrix_signal_enabled: true @@ -17,9 +17,8 @@ matrix_mautrix_signal_daemon_path: "{{ matrix_mautrix_signal_base_path }}/signal matrix_mautrix_signal_homeserver_address: '' matrix_mautrix_signal_homeserver_domain: '' matrix_mautrix_signal_appservice_address: 'http://matrix-mautrix-signal:29328' -# matrix_mautrix_telegram_appservice_public_external: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mautrix_telegram_public_endpoint }}' -# Controls whether the matrix-mautrix-telegram container exposes its HTTP port (tcp/8080 in the container). +# Controls whether the matrix-mautrix-signal container exposes its port (tcp/29328 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:9006"), or empty string to not expose. matrix_mautrix_signal_container_http_host_bind_port: '' @@ -59,23 +58,23 @@ matrix_mautrix_signal_login_shared_secret: '' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # -# For a more advanced customization, you can extend the default (see `matrix_mautrix_telegram_configuration_extension_yaml`) +# For a more advanced customization, you can extend the default (see `matrix_mautrix_signal_configuration_extension_yaml`) # or completely replace this variable with your own template. matrix_mautrix_signal_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_mautrix_signal_configuration_extension_yaml: | # Your custom YAML configuration goes here. - # This configuration extends the default starting configuration (`matrix_mautrix_telegram_configuration_yaml`). + # This configuration extends the default starting configuration (`matrix_mautrix_signal_configuration_yaml`). # # You can override individual variables from the default configuration, or introduce new ones. # # If you need something more special, you can take full control by - # completely redefining `matrix_mautrix_telegram_configuration_yaml`. + # completely redefining `matrix_mautrix_signal_configuration_yaml`. matrix_mautrix_signal_configuration_extension: "{{ matrix_mautrix_signal_configuration_extension_yaml|from_yaml if matrix_mautrix_signal_configuration_extension_yaml|from_yaml is mapping else {} }}" # Holds the final configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`. +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_signal_configuration_yaml`. matrix_mautrix_signal_configuration: "{{ matrix_mautrix_signal_configuration_yaml|from_yaml|combine(matrix_mautrix_signal_configuration_extension, recursive=True) }}" matrix_mautrix_signal_registration_yaml: "{{ lookup('template', 'templates/registration.yaml.j2') }}" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/init.yml b/roles/matrix-bridge-mautrix-signal/tasks/init.yml index 8fdc9834..c2b37841 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/init.yml @@ -14,50 +14,3 @@ + {{ ["/matrix-mautrix-signal-registration.yaml"] }} when: matrix_mautrix_signal_enabled|bool - -# - block: -# - name: Fail if matrix-nginx-proxy role already executed -# fail: -# msg: >- -# Trying to append Mautrix Signal's reverse-proxying configuration to matrix-nginx-proxy, -# but it's pointless since the matrix-nginx-proxy role had already executed. -# To fix this, please change the order of roles in your plabook, -# so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-signal role. -# when: matrix_nginx_proxy_role_executed|default(False)|bool - - # - name: Generate Mautrix Signal proxying configuration for matrix-nginx-proxy - # set_fact: - # matrix_mautrix_telegram_matrix_nginx_proxy_configuration: | - # location {{ matrix_mautrix_telegram_public_endpoint }} { - # {% if matrix_nginx_proxy_enabled|default(False) %} - # {# Use the embedded DNS resolver in Docker containers to discover the service #} - # resolver 127.0.0.11 valid=5s; - # set $backend "matrix-mautrix-telegram:8080"; - # proxy_pass http://$backend; - # {% else %} - # {# Generic configuration for use outside of our container setup #} - # proxy_pass http://127.0.0.1:9006; - # {% endif %} - # } - - # - name: Register Mautrix Telegram proxying configuration with matrix-nginx-proxy - # set_fact: - # matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - # {{ - # matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) - # + - # [matrix_mautrix_telegram_matrix_nginx_proxy_configuration] - # }} - # tags: - # - always - # when: matrix_mautrix_telegram_enabled|bool - -# - name: Warn about reverse-proxying if matrix-nginx-proxy not used -# debug: -# msg: >- -# NOTE: You've enabled the Mautrix Telegram bridge but are not using the matrix-nginx-proxy -# reverse proxy. -# Please make sure that you're proxying the `{{ matrix_mautrix_telegram_public_endpoint }}` -# URL endpoint to the matrix-mautrix-telegram container. -# You can expose the container's port using the `matrix_mautrix_telegram_container_http_host_bind_port` variable. -# when: "matrix_mautrix_telegram_enabled|bool and matrix_nginx_proxy_enabled is not defined" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index cacb4c6c..16b68d25 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -42,23 +42,6 @@ - "{{ matrix_mautrix_signal_daemon_path }}" - "{{ matrix_mautrix_signal_db_storage_path }}" -# - name: Check if an old database file already exists -# stat: -# path: "{{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db" -# register: matrix_mautrix_telegram_stat_database -# -# - name: (Data relocation) Ensure matrix-mautrix-telegram.service is stopped -# service: -# name: matrix-mautrix-telegram -# state: stopped -# daemon_reload: yes -# failed_when: false -# when: "matrix_mautrix_telegram_stat_database.stat.exists" -# -# - name: (Data relocation) Move mautrix-telegram database file to ./data directory -# command: "mv {{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db {{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" -# when: "matrix_mautrix_telegram_stat_database.stat.exists" - - name: Ensure mautrix-signal config.yaml installed copy: content: "{{ matrix_mautrix_signal_configuration|to_nice_yaml }}" From dd50ee19ab80daef38ae59b2b4f68bd679a4cee7 Mon Sep 17 00:00:00 2001 From: Sabine Laszakovits Date: Sun, 25 Oct 2020 21:42:40 +0100 Subject: [PATCH 1476/2384] fixed bridge permissions --- docs/configuring-playbook-bridge-mautrix-signal.md | 14 ++++++++++++++ .../matrix-bridge-mautrix-signal/defaults/main.yml | 9 +++++++++ .../templates/config.yaml.j2 | 4 +--- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index 7bdd9924..066dbaff 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md +++ b/docs/configuring-playbook-bridge-mautrix-signal.md @@ -10,6 +10,20 @@ Use the following playbook configuration: matrix_mautrix_signal_enabled: true ``` +To specify which users have access to the bridge, use the variable `matrix_mautrix_signal_configuration_permissions`. +Refer to the documentation for +```yaml +bridge: + permissions: +``` +in [the example config in mautrix-signal](https://github.com/tulir/mautrix-signal/blob/master/mautrix_signal/example-config.yaml). +For instance, use +```yaml +matrix_mautrix_signal_configuration_permissions: + "YOUR_DOMAIN": user +``` +to allow all users registered to `YOUR_DOMAIN` access to the bridge (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). + ## Set up Double Puppeting diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index c15f1ed1..e6c5fe05 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -62,6 +62,15 @@ matrix_mautrix_signal_login_shared_secret: '' # or completely replace this variable with your own template. matrix_mautrix_signal_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" +# Permitted values: +# user - Use the bridge with puppeting. +# admin - Use and administrate the bridge. +# Permitted keys: +# * - All Matrix users +# domain - All users on that homeserver +# mxid - Specific user +matrix_mautrix_signal_configuration_permissions: [] + matrix_mautrix_signal_configuration_extension_yaml: | # Your custom YAML configuration goes here. # This configuration extends the default starting configuration (`matrix_mautrix_signal_configuration_yaml`). diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 6865d3c1..ec2a4764 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -170,9 +170,7 @@ bridge: # * - All Matrix users # domain - All users on that homeserver # mxid - Specific user - permissions: - "1m.at": "user" - "@admin:1m.at": "admin" + permissions: {{ matrix_mautrix_signal_configuration_permissions }} # Python logging configuration. From 63a49bb2dc7780e023b2801a7230cda529b2b3c1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 26 Oct 2020 10:36:38 +0200 Subject: [PATCH 1477/2384] Do not expose /_synapse/admin publicly by default Fixes #685 (Github Issue). --- CHANGELOG.md | 16 ++++++++++ examples/apache/matrix-synapse.conf | 2 ++ examples/caddy/matrix-synapse | 8 +++-- roles/matrix-nginx-proxy/defaults/main.yml | 20 +++++++++++++ .../nginx/conf.d/matrix-synapse.conf.j2 | 29 ++++--------------- 5 files changed, 48 insertions(+), 27 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 247e4e14..6b6dd8e5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,19 @@ +# 2020-10-26 + +## (Compatibility Break) /_synapse/admin is no longer publicly exposed by default + +We used to expose the Synapse Admin APIs publicly (at `https://matrix.DOMAIN/_synapse/admin`). +These APIs require authentication with a valid access token, so it's not that big a deal to expose them. + +However, following [official Synapse's reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints), we're no longer exposing `/_synapse/admin` by default. + +If you'd like to restore restore the old behavior and expose `/_synapse/admin` publicly, you can use the following configuration (in your `vars.yml`): + +```yaml +matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true +``` + + # 2020-10-02 ## Minimum Ansible version raised to v2.7.0 diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf index 3e09121f..e4266b81 100644 --- a/examples/apache/matrix-synapse.conf +++ b/examples/apache/matrix-synapse.conf @@ -43,6 +43,8 @@ AllowEncodedSlashes NoDecode ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix + ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon + ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client # Map /.well-known/matrix/client for client discovery Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client diff --git a/examples/caddy/matrix-synapse b/examples/caddy/matrix-synapse index 30f7c5a2..4202c759 100644 --- a/examples/caddy/matrix-synapse +++ b/examples/caddy/matrix-synapse @@ -21,9 +21,11 @@ https://matrix.DOMAIN { } # Synapse Client<>Server API - proxy / matrix-synapse:8008 { + proxy /_matrix matrix-synapse:8008 { + transparent + except /_matrix/identity/ /_matrix/client/r0/user_directory/search + } + proxy /_synapse/client matrix-synapse:8008 { transparent - except /.well-known/ /_matrix/identity/ /_matrix/client/r0/user_directory/search } - } diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 643d723e..89007a85 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -149,6 +149,26 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008" # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25 + +# Tells wheter `/_synapse/client` is forwarded to the Matrix Client API server. +matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true + +# Tells wheter `/_synapse/admin` is forwarded to the Matrix Client API server. +# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't. +matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false + +# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds +# the location prefixes that get forwarded to the Matrix Client API server. +# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`. +matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | + {{ + (['/_matrix']) + + + (['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else []) + + + (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else []) + }} + # Controls whether proxying for the Matrix Federation API should be done. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 8fd87958..8bcc9bc6 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -105,29 +105,6 @@ {{- configuration_block }} {% endfor %} - {# - This handles the Matrix Client API only. - The Matrix Federation API is handled by a separate vhost. - #} - location /_matrix { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - - client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; - proxy_max_temp_file_size 0; - } - {% if matrix_nginx_proxy_proxy_synapse_metrics %} location /_synapse/metrics { {% if matrix_nginx_proxy_enabled %} @@ -150,7 +127,11 @@ } {% endif %} - location /_synapse { + {# + This handles the Matrix Client API only. + The Matrix Federation API is handled by a separate vhost. + #} + location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; From 70f0b97a0aa8adb84833480ec3c53aab51eec349 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 27 Oct 2020 14:24:02 +0200 Subject: [PATCH 1478/2384] Upgrade Synapse (v1.21.2 -> v1.22.0) --- group_vars/matrix_servers | 2 +- roles/matrix-synapse/defaults/main.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 00cdbdfb..a817f1e6 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -917,7 +917,7 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr # ###################################################################### -matrix_synapse_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" +matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm32', 'arm64', 'amd64'] }}" # When ma1sd is enabled, we can use it to validate email addresses and phone numbers. # Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server. diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index fd8eaa52..450a26be 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.21.2" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.22.0" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" @@ -73,7 +73,7 @@ matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_ke matrix_synapse_allow_guest_access: false matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" -matrix_synapse_max_upload_size_mb: 10 +matrix_synapse_max_upload_size_mb: 50 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_synapse_tmp_directory_size_mb: "{{ matrix_synapse_max_upload_size_mb * 50 }}" @@ -349,7 +349,7 @@ matrix_synapse_room_list_publication_rules: room_id: "*" action: allow -matrix_synapse_default_room_version: "5" +matrix_synapse_default_room_version: "6" # Controls the Synapse `spam_checker` setting. # From 7d211b71e2123ba0a62f2264497c6d4696243e61 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 27 Oct 2020 14:30:43 +0200 Subject: [PATCH 1479/2384] Restore self-building on ARM for Synapse for now While v1.22.0 supposedly has multi-arch Docker images (thanks to https://github.com/matrix-org/synapse/pull/7921), I can't them on Docker Hub yet, so I'm backing out of this change for now and letting people fall back to self-building there. --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a817f1e6..817b4c8f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -917,7 +917,7 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr # ###################################################################### -matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm32', 'arm64', 'amd64'] }}" +matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" # When ma1sd is enabled, we can use it to validate email addresses and phone numbers. # Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server. From 5a7d26599786cdd075610a130f85556248350035 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 27 Oct 2020 20:33:37 +0200 Subject: [PATCH 1480/2384] Fix Synapse Admin not working due to unexposed Synapse Admin APIs Regression since 63a49bb2dc7780. Related to #685 (Github Issue). We now automatically expose the APIs when Synapse Admin is enabled. --- docs/configuring-playbook-synapse-admin.md | 2 ++ group_vars/matrix_servers | 2 ++ 2 files changed, 4 insertions(+) diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index b3eafaea..a2f5e646 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md @@ -15,6 +15,8 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. matrix_synapse_admin_enabled: true ``` +**Note**: enabling Synapse Admin automatically exposes Synapse's Administration APIs (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`). + ## Installing diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 817b4c8f..71a6bc85 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -769,6 +769,8 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corp matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:8008' }}" matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" +matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}" + matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" From 67d0f264636c5b7bb67f47698545beca9e85d8b0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 27 Oct 2020 20:41:52 +0200 Subject: [PATCH 1481/2384] Improve wording a bit --- docs/configuring-playbook-synapse-admin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index a2f5e646..68d70305 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md @@ -15,7 +15,7 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. matrix_synapse_admin_enabled: true ``` -**Note**: enabling Synapse Admin automatically exposes Synapse's Administration APIs (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`). +**Note**: Synapse Admin requires Synapse's [Admin APIs](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, we **automatically** exposes them publicly for you (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`). ## Installing From 2d1b9f2dbf33f4178d75c385c0264093ad842ec7 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 28 Oct 2020 07:13:19 +0100 Subject: [PATCH 1482/2384] synapse workers: reworkings + get endpoints from upstream docs via awk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit (yes, a bit awkward and brittle… xD) --- group_vars/matrix_servers | 11 +- roles/matrix-nginx-proxy/defaults/main.yml | 83 +---------- .../nginx/conf.d/matrix-synapse.conf.j2 | 47 +++--- roles/matrix-synapse/defaults/main.yml | 39 ++--- .../files/workers-doc-to-yaml.awk | 137 ++++++++++++++++++ .../tasks/workers/setup_install.yml | 19 ++- .../templates/synapse/homeserver.yaml.j2 | 10 +- .../synapse/systemd/matrix-synapse.service.j2 | 5 +- .../templates/synapse/worker.yaml.j2 | 14 +- 9 files changed, 226 insertions(+), 139 deletions(-) create mode 100755 roles/matrix-synapse/files/workers-doc-to-yaml.awk diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c9ab5ef7..891cf6af 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -799,6 +799,15 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presence }}" + +matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" +matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" +matrix_nginx_proxy_synapse_generic_worker_locations: "{{ matrix_synapse_workers_generic_worker_endpoints }}" +matrix_nginx_proxy_synapse_media_repository_locations: "{{ matrix_synapse_workers_media_repository_endpoints }}" +matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_endpoints }}" +matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers_frontend_proxy_endpoints }}" + matrix_nginx_proxy_systemd_wanted_services_list: | {{ (['matrix-synapse.service']) @@ -1017,7 +1026,7 @@ matrix_synapse_systemd_wanted_services_list: | (['matrix-mailer.service'] if matrix_mailer_enabled else []) }} -# Worker support with redis +# Synapse workers (used for parallel load-scaling) need Redis for IPC. matrix_synapse_redis_enabled: "{{ matrix_redis_enabled }}" matrix_synapse_redis_host: "{{ 'matrix-redis' if matrix_redis_enabled else '' }}" matrix_synapse_redis_password: "{{ matrix_redis_connection_password if matrix_redis_enabled else '' }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 718a040e..b01be702 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -249,79 +249,10 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}'] -# worker -matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" -matrix_nginx_proxy_synapse_workers_enabled_list: "{{ matrix_synapse_workers_enabled_list }}" -matrix_nginx_proxy_synapse_generic_worker_locations: [ - # Sync requests - '^/_matrix/client/(v2_alpha|r0)/sync$', - '^/_matrix/client/(api/v1|v2_alpha|r0)/events$', - '^/_matrix/client/(api/v1|r0)/initialSync$', - '^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$', - - # Federation requests - '^/_matrix/federation/v1/event/', - '^/_matrix/federation/v1/state/', - '^/_matrix/federation/v1/state_ids/', - '^/_matrix/federation/v1/backfill/', - '^/_matrix/federation/v1/get_missing_events/', - '^/_matrix/federation/v1/publicRooms', - '^/_matrix/federation/v1/query/', - '^/_matrix/federation/v1/make_join/', - '^/_matrix/federation/v1/make_leave/', - '^/_matrix/federation/v1/send_join/', - '^/_matrix/federation/v2/send_join/', - '^/_matrix/federation/v1/send_leave/', - '^/_matrix/federation/v2/send_leave/', - '^/_matrix/federation/v1/invite/', - '^/_matrix/federation/v2/invite/', - '^/_matrix/federation/v1/query_auth/', - '^/_matrix/federation/v1/event_auth/', - '^/_matrix/federation/v1/exchange_third_party_invite/', - '^/_matrix/federation/v1/user/devices/', - '^/_matrix/federation/v1/get_groups_publicised$', - '^/_matrix/key/v2/query', - - # Inbound federation transaction request - '^/_matrix/federation/v1/send/', - - # Client API requests - '^/_matrix/client/(api/v1|r0|unstable)/publicRooms$', - '^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members$', - '^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$', - '^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$', - '^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$', - '^/_matrix/client/(api/v1|r0|unstable)/account/3pid$', - '^/_matrix/client/(api/v1|r0|unstable)/keys/query$', - '^/_matrix/client/(api/v1|r0|unstable)/keys/changes$', - '^/_matrix/client/versions$', - '^/_matrix/client/(api/v1|r0|unstable)/voip/turnServer$', - '^/_matrix/client/(api/v1|r0|unstable)/joined_groups$', - '^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$', - '^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/', - - # Registration/login requests - '^/_matrix/client/(api/v1|r0|unstable)/login$', - '^/_matrix/client/(r0|unstable)/register$', - '^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$', - - # Event sending requests - '^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send', - '^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/', - '^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$', - '^/_matrix/client/(api/v1|r0|unstable)/join/', - '^/_matrix/client/(api/v1|r0|unstable)/profile/', -] - -matrix_nginx_proxy_synapse_media_repository_locations: [ - '^/_matrix/media/', - '^/_synapse/admin/v1/purge_media_cache$', - '^/_synapse/admin/v1/room/.*/media.*$', - '^/_synapse/admin/v1/user/.*/media.*$', - '^/_synapse/admin/v1/media/.*$', - '^/_synapse/admin/v1/quarantine_media/.*$', -] - -matrix_nginx_proxy_synapse_user_dir_locations: [ - '^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$', -] +# synapse worker activation and endpoint mappings +matrix_nginx_proxy_synapse_workers_enabled: false +matrix_nginx_proxy_synapse_workers_list: [] +matrix_nginx_proxy_synapse_generic_worker_locations: [] +matrix_nginx_proxy_synapse_media_repository_locations: [] +matrix_nginx_proxy_synapse_user_dir_locations: [] +matrix_nginx_proxy_synapse_frontend_proxy_locations: [] diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index a49bd8b6..f39c2c34 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -68,6 +68,7 @@ {% endif %} {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} + # FIXME: if this is enabled, user_dir_workers should be disabled location /_matrix/client/r0/user_directory/search { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} @@ -102,10 +103,10 @@ {% endif %} {% if matrix_nginx_proxy_synapse_workers_enabled %} - {# Synapse Workers #} + # Workers redirects BEGIN - {% if generic_worker_workers %} - {# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker #} + {% if generic_workers %} + # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker {% for location in matrix_nginx_proxy_synapse_generic_worker_locations %} location ~ {{ location }} { proxy_pass http://generic_worker_upstream$request_uri; @@ -113,11 +114,11 @@ proxy_set_header X-Forwarded-For $remote_addr; } {% endfor %} - {# ToDo: add GET ^/_matrix/federation/v1/groups/ #} + # FIXME: add GET ^/_matrix/federation/v1/groups/ {% endif %} {% if media_repository_workers %} - {# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository #} + # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository {% for location in matrix_nginx_proxy_synapse_media_repository_locations %} location ~ {{ location }} { proxy_pass http://media_repository_upstream$request_uri; @@ -128,7 +129,8 @@ {% endif %} {% if user_dir_workers %} - {# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappuser_dir #} + # FIXME: obsolete if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled is set + # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappuser_dir {% for location in matrix_nginx_proxy_synapse_user_dir_locations %} location ~ {{ location }} { proxy_pass http://user_dir_upstream$request_uri; @@ -139,13 +141,16 @@ {% endif %} {% if frontend_proxy_workers %} - {# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappfrontend_proxy #} - location ~ ^/_matrix/client/(api/v1|r0|unstable)/keys/upload { + # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappfrontend_proxy + {% for location in matrix_nginx_proxy_synapse_frontend_proxy_locations %} + location ~ {{ location }} { proxy_pass http://frontend_proxy_upstream$request_uri; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; } - {% if not matrix_synapse_use_presence %} + {% endfor %} + {% if matrix_nginx_proxy_synapse_presence_disabled %} + # FIXME: keep in sync with synapse workers documentation manually location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status { proxy_pass http://frontend_proxy_upstream$request_uri; proxy_set_header Host $host; @@ -153,6 +158,7 @@ } {% endif %} {% endif %} + # Workers redirects END {% endif %} @@ -229,20 +235,20 @@ } {% endmacro %} -{% set generic_worker_workers = matrix_nginx_proxy_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'generic_worker')|list %} -{% set media_repository_workers = matrix_nginx_proxy_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'media_repository')|list %} -{% set user_dir_workers = matrix_nginx_proxy_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'user_dir')|list %} -{% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'frontend_proxy')|list %} +{% set generic_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'generic_worker')|list %} +{% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'media_repository')|list %} +{% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'user_dir')|list %} +{% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'frontend_proxy')|list %} {% if matrix_nginx_proxy_synapse_workers_enabled %} - {# Setup upstream for groups of workers #} + # Round Robin "upstream" pools for workers - {% if generic_worker_workers %} + {% if generic_workers %} upstream generic_worker_upstream { # ensures that requests from the same client will always be passed # to the same server (except when this server is unavailable) ip_hash; - {% for worker in generic_worker_workers %} + {% for worker in generic_workers %} server "matrix-synapse:{{ worker.port }}"; {% endfor %} } @@ -250,7 +256,6 @@ {% if frontend_proxy_workers %} upstream frontend_proxy_upstream { - # Round Robin {% for worker in frontend_proxy_workers %} server "matrix-synapse:{{ worker.port }}"; {% endfor %} @@ -259,7 +264,6 @@ {% if media_repository_workers %} upstream media_repository_upstream { - # Round Robin {% for worker in media_repository_workers %} server "matrix-synapse:{{ worker.port }}"; {% endfor %} @@ -268,7 +272,6 @@ {% if user_dir_workers %} upstream user_dir_upstream { - # Round Robin {% for worker in user_dir_workers %} server "matrix-synapse:{{ worker.port }}"; {% endfor %} @@ -358,8 +361,8 @@ server { {% endif %} {% if matrix_nginx_proxy_synapse_workers_enabled %} - {% if generic_worker_workers %} - {# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker #} + {% if generic_workers %} + # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker {% for location in matrix_nginx_proxy_synapse_generic_worker_locations %} location ~ {{ location }} { proxy_pass http://generic_worker_upstream$request_uri; @@ -367,7 +370,7 @@ server { proxy_set_header X-Forwarded-For $remote_addr; } {% endfor %} - {# ToDo: add GET ^/_matrix/federation/v1/groups/ #} + # FIXME: add GET ^/_matrix/federation/v1/groups/ {% endif %} {% endif %} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 2cdd839c..47287f28 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -275,31 +275,22 @@ matrix_synapse_manhole_enabled: false # Enable support for Synapse workers matrix_synapse_workers_enabled: false -# Default list of workers to spawn -# (worker with ports ending on 00 are single-instance) +# Default list of workers to spawn (order in accord to docs) +# - no endpoints / doesn't need port mapping if port ends on 0 +# - single-instance-only if 2nd last digit of port number is 0 matrix_synapse_workers_enabled_list: - - { worker: generic_worker, port: 18101 } - - { worker: generic_worker, port: 18102 } - - { worker: generic_worker, port: 18103 } - - { worker: generic_worker, port: 18104 } - - { worker: generic_worker, port: 18105 } - - { worker: generic_worker, port: 18106 } - - { worker: appservice, port: 18200 } - - { worker: federation_sender, port: 18301 } - - { worker: frontend_proxy, port: 18400 } - - { worker: media_repository, port: 18501 } - - { worker: pusher, port: 18600 } - - { worker: user_dir, port: 18700 } - -# The list of available workers (2020-08-28) -matrix_synapse_workers_avail_list: - - generic_worker - - appservice - - federation_sender - - frontend_proxy - - media_repository - - pusher - - user_dir + - { type: generic_worker, port: 18111 } + - { type: generic_worker, port: 18112 } + - { type: generic_worker, port: 18113 } + - { type: generic_worker, port: 18114 } + - { type: generic_worker, port: 18115 } + - { type: generic_worker, port: 18116 } + - { type: pusher, port: 00 } + - { type: appservice, port: 00 } + - { type: federation_sender, port: 0 } + - { type: media_repository, port: 18221 } + - { type: user_dir, port: 18331 } + - { type: frontend_proxy, port: 18441 } # Redis information matrix_synapse_redis_enabled: false diff --git a/roles/matrix-synapse/files/workers-doc-to-yaml.awk b/roles/matrix-synapse/files/workers-doc-to-yaml.awk new file mode 100755 index 00000000..e0474645 --- /dev/null +++ b/roles/matrix-synapse/files/workers-doc-to-yaml.awk @@ -0,0 +1,137 @@ +#!/usr/bin/awk +# Hackish approach to get a machine-readable list of current matrix +# synapse REST API endpoints from the official documentation at +# https://github.com/matrix-org/synapse/raw/master/docs/workers.md +# +# invoke in shell with: +# URL=https://github.com/matrix-org/synapse/raw/master/docs/workers.md +# curl -L ${URL} | awk -f parse-workers-docs.awk - + +function worker_stanza_append(string) { + worker_stanza = worker_stanza string +} + +function line_is_endpoint_url(line) { + # probably API endpoint if it starts with white-space and ^ or / + return (line ~ /^ +[\^/].*\//) +} + +# Put YAML marker at beginning of file. +BEGIN { + print "---" + endpoint_conditional_comment = " # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually\n" +} + +# Enable further processing after the introductory text. +# Read each synapse worker section as record and its lines as fields. +/Available worker applications/ { + enable_parsing = 1 + # set record separator to markdown section header + RS = "\n### " + # set field separator to newline + FS = "\n" +} + +# Once parsing is active, this will process each section as record. +enable_parsing { + # Each worker section starts with a synapse.app.X headline + if ($1 ~ /synapse\.app\./) { + + # get rid of the backticks and extract worker type from headline + gsub("`", "", $1) + gsub("synapse.app.", "", $1) + worker_type = $1 + + # initialize empty worker stanza + worker_stanza = "" + + # track if any endpoints are mentioned in a specific section + worker_has_urls = 0 + + # some endpoint descriptions contain flag terms + endpoints_seem_conditional = 0 + + # also, collect a list of available workers + workers = (workers ? workers "\n" : "") " - " worker_type + + # loop through the lines (2 - number of fields in record) + for (i = 1; i < NF + 1; i++) { + # copy line for gsub replacements + line = $i + + # end all lines but the last with a linefeed + linefeed = (i < NF - 1) ? "\n" : "" + + # line starts with white-space and a hash: endpoint block headline + if (line ~ /^ +#/) { + + # copy to output verbatim, normalizing white-space + gsub(/^ +/, "", line) + worker_stanza_append(" " line linefeed) + + } else if (line_is_endpoint_url(line)) { + + # mark section for special output formatting + worker_has_urls = 1 + + # remove leading white-space + gsub(/^ +/, "", line) + api_endpoint_regex = line + + # FIXME: https://github.com/matrix-org/synapse/issues/new + # munge inconsistent media_repository endpoint notation + if (api_endpoint_regex == "/_matrix/media/") { + api_endpoint_regex = "^" line + } + + # disable endpoints which specify complications + if (endpoints_seem_conditional) { + # only add notice if previous line didn't match + if (!line_is_endpoint_url($(i - 1))) { + worker_stanza_append(endpoint_conditional_comment) + } + worker_stanza_append(" # " api_endpoint_regex linefeed) + } else { + # output endpoint regex + worker_stanza_append(" - " api_endpoint_regex linefeed) + } + + # white-space only line? + } else if (line ~ /^\w*$/) { + + if (i > 3 && i < NF) { + # print white-space lines unless 1st or last line in section + worker_stanza_append(line linefeed) + } + + # nothing of the above: the line is regular documentation text + } else { + + # include this text line as comment + worker_stanza_append(" # " line linefeed) + + # and take note of words hinting at additional conditions to be met + if (line ~ /\<[Ii]f\>|\<[Ff]or\>/) { + endpoints_seem_conditional = 1 + } + } + } + + if (worker_has_urls) { + print "\nmatrix_synapse_workers_" worker_type "_endpoints:" + print worker_stanza + } else { + # include workers without endpoints as well for reference + print "\n# " worker_type " worker (no API endpoints) [" + print worker_stanza + print "# ]" + } + } +} + +END { + print "\nmatrix_synapse_workers_avail_list:" + print workers | "sort" +} + +# vim: tabstop=4 shiftwidth=4 expandtab autoindent diff --git a/roles/matrix-synapse/tasks/workers/setup_install.yml b/roles/matrix-synapse/tasks/workers/setup_install.yml index 3f1f8ac0..cbd73643 100644 --- a/roles/matrix-synapse/tasks/workers/setup_install.yml +++ b/roles/matrix-synapse/tasks/workers/setup_install.yml @@ -1,5 +1,18 @@ --- +- name: Download synapse workers doc + get_url: + url: https://github.com/matrix-org/synapse/raw/master/docs/workers.md + dest: "{{ role_path }}/files/workers.upstream-documentation.md" + +- name: Download synapse workers doc and convert into YAML + shell: + cmd: "awk -f {{ role_path }}/files/workers-doc-to-yaml.awk -- {{ role_path }}/files/workers.upstream-documentation.md > {{ role_path }}/vars/workers.yml" + creates: "{{ role_path }}/vars/workers.yml" + +- name: Load list of available worker apps and endpoints + include_vars: "{{ role_path }}/vars/workers.yml" + - name: Ensure synapse worker base service file installed template: src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse-worker@.service.j2" @@ -23,7 +36,7 @@ - name: Ensure individual worker service symlinks exist service: - name: "matrix-synapse-worker@{{ item.worker }}:{{ item.port }}.service" + name: "matrix-synapse-worker@{{ item.type }}:{{ item.port }}.service" enabled: true with_items: "{{ matrix_synapse_workers_enabled_list }}" @@ -37,14 +50,14 @@ - name: Ensure creation of specific worker configs template: src: "{{ role_path }}/templates/synapse/worker.yaml.j2" - dest: "{{ matrix_synapse_config_dir_path }}/worker.{{ item.worker }}:{{ item.port }}.yaml" + dest: "{{ matrix_synapse_config_dir_path }}/worker.{{ item.type }}:{{ item.port }}.yaml" with_list: "{{ matrix_synapse_workers_enabled_list }}" - name: Add workers to synapse.wants list set_fact: matrix_synapse_systemd_wanted_services_list: > {{ matrix_synapse_systemd_wanted_services_list + - ['matrix-synapse-worker@' + item.worker + ':' + item.port|string + '.service'] }} + ['matrix-synapse-worker@' + item.type + ':' + item.port|string + '.service'] }} with_items: "{{ matrix_synapse_workers_enabled_list }}" - name: Ensure matrix-synapse-worker-write-pid script is created diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 5d4dff4e..e69de451 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -249,19 +249,19 @@ worker_app: synapse.app.homeserver # thx https://oznetnerd.com/2017/04/18/jinja2-selectattr-filter/ # reduce the main worker's offerings to core homeserver business -{% if matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'appservice')|list %} +{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'appservice')|list %} notify_appservices: false {% endif %} -{% if matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'federation_sender')|list %} +{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'federation_sender')|list %} send_federation: false {% endif %} -{% if matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'media_repository')|list %} +{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'media_repository')|list %} enable_media_repo: false {% endif %} -{% if matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'pusher')|list %} +{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'pusher')|list %} start_pushers: false {% endif %} -{% if matrix_synapse_workers_enabled_list|selectattr('worker', 'equalto', 'user_dir')|list %} +{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'user_dir')|list %} update_user_directory: false {% endif %} diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 9a5ce8e4..757ef23a 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -43,9 +43,12 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {% if matrix_synapse_manhole_enabled and matrix_synapse_container_manhole_api_host_bind_port %} -p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \ {% endif %} - {% if matrix_synapse_workers_enabled %} + {% if matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled|default(False) %} + {# Expose worker (by default 18xxx range) ports on host if not using internal nginx proxy #} {% for worker in matrix_synapse_workers_enabled_list %} + {% if worker.port != 0 %} -p {{ worker.port }}:{{ worker.port }} \ + {% endif %} {% endfor %} {% endif %} -v {{ matrix_synapse_config_dir_path }}:/data:ro \ diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 index 0a282ba7..2ee606dc 100644 --- a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -1,27 +1,27 @@ #jinja2: lstrip_blocks: "True" -worker_app: synapse.app.{{ item.worker }} -worker_name: {{ item.worker ~ ':' ~ item.port }} +worker_app: synapse.app.{{ item.type }} +worker_name: {{ item.type ~ ':' ~ item.port }} worker_replication_host: 127.0.0.1 worker_replication_http_port: {{ matrix_synapse_replication_http_port }} -{% if item.worker not in [ 'appservice', 'federation_sender', 'pusher' ] %} +{% if item.type not in [ 'appservice', 'federation_sender', 'pusher' ] %} worker_listeners: - type: http port: {{ item.port }} resources: - names: -{% if item.worker in [ 'generic_worker', 'frontend_proxy', 'user_dir' ] %} +{% if item.type in [ 'generic_worker', 'frontend_proxy', 'user_dir' ] %} - client {% endif %} -{% if item.worker in [ 'generic_worker' ] %} +{% if item.type in [ 'generic_worker' ] %} - federation -{% elif item.worker in [ 'media_repository' ] %} +{% elif item.type in [ 'media_repository' ] %} - media {% endif %} {% endif %} -{% if item.worker == 'frontend_proxy' %} +{% if item.type == 'frontend_proxy' %} worker_main_http_uri: http://127.0.0.1:8008 {% endif %} From ef07aa8e5df1e8708b6e3a5437570d7677f4cf18 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 28 Oct 2020 09:38:04 +0200 Subject: [PATCH 1483/2384] Prevent certain nginx location blocks from being ignored The regex introduced in 63a49bb2dc778 seems to take precedence over the bare location blocks, causing a regression. > It is important to understand that, by default, Nginx will serve regular expression matches in preference to prefix matches. > However, it evaluates prefix locations first, allowing for the administer to override this tendency by specifying locations using the = and ^~ modifiers. Source: https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms --- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 8bcc9bc6..463aec07 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -34,7 +34,7 @@ {% endif %} {% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %} - location /_matrix/corporal { + location ^~ /_matrix/corporal { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; @@ -51,7 +51,7 @@ {% endif %} {% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %} - location /_matrix/identity { + location ^~ /_matrix/identity { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; @@ -68,7 +68,7 @@ {% endif %} {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} - location /_matrix/client/r0/user_directory/search { + location ^~ /_matrix/client/r0/user_directory/search { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; From e078e29ef8266171b6945f388c6504b7f253f33f Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 28 Oct 2020 08:39:31 +0100 Subject: [PATCH 1484/2384] synapse workers: fix self name in workers-doc-to-yaml.awk script --- roles/matrix-synapse/files/workers-doc-to-yaml.awk | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/files/workers-doc-to-yaml.awk b/roles/matrix-synapse/files/workers-doc-to-yaml.awk index e0474645..b3c79eb5 100755 --- a/roles/matrix-synapse/files/workers-doc-to-yaml.awk +++ b/roles/matrix-synapse/files/workers-doc-to-yaml.awk @@ -1,11 +1,11 @@ #!/usr/bin/awk -# Hackish approach to get a machine-readable list of current matrix +# Hackish approach to get a machine-readable list of current matrix # synapse REST API endpoints from the official documentation at # https://github.com/matrix-org/synapse/raw/master/docs/workers.md # # invoke in shell with: # URL=https://github.com/matrix-org/synapse/raw/master/docs/workers.md -# curl -L ${URL} | awk -f parse-workers-docs.awk - +# curl -L ${URL} | awk -f workers-doc-to-yaml.awk - function worker_stanza_append(string) { worker_stanza = worker_stanza string From 4700e803897d2ceb12e328e8dbfa688bb849e0b5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 28 Oct 2020 10:02:47 +0200 Subject: [PATCH 1485/2384] Raise standalone default Matrix Client API client_max_body_size We do this to match Synapse's new default "max_upload_size" (50MB). This `matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb` default value only affects standalone usage of the `matrix-nginx-proxy` role. When the role is used in the context of the playbook, the value is dynamically assigned from `group_vars/matrix_servers`. Somewhat related to #692 (Github Issue). --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 89007a85..2ce8eb30 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -147,7 +147,7 @@ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008" # This needs to be equal or higher than the maximum upload size accepted by Synapse. -matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25 +matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 # Tells wheter `/_synapse/client` is forwarded to the Matrix Client API server. From 9a46647010989a0d8925f771240de9d49692b56b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 28 Oct 2020 10:39:12 +0200 Subject: [PATCH 1486/2384] Make https://matrix.DOMAIN/ redirect to https://element.DOMAIN/ Fixes #696 (Github Issue) --- CHANGELOG.md | 14 ++++++++++++++ group_vars/matrix_servers | 2 ++ roles/matrix-nginx-proxy/defaults/main.yml | 6 ++++++ .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 6 +++++- 4 files changed, 27 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b6dd8e5..089d0650 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,17 @@ +# 2020-10-28 + +## (Compatibility Break) https://matrix.DOMAIN/ now redirects to https://element.DOMAIN/ + +Until now, we used to serve a static page coming from Synapse at `https://matrix.DOMAIN/`. This page was not very useful to anyone. + +Since `matrix.DOMAIN` may be accessed by regular users in certain conditions, it's probably better to redirect them to a better place (e.g. to the [Element](docs/configuring-playbook-client-element.md) client). + +If Element is installed (`matrix_client_element_enabled: true`, which it is by default), we now redirect people to it, instead of showing them a Synapse static page. + +If you'd like to control where the redirect goes, use the `matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain` variable. +To restore the old behavior of not redirecting anywhere and serving the Synapse static page, set it to an empty value (`matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""`). + + # 2020-10-26 ## (Compatibility Break) /_synapse/admin is no longer publicly exposed by default diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 71a6bc85..eabce668 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -771,6 +771,8 @@ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}" +matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_server_fqn_element if matrix_client_element_enabled else '' }}" + matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 2ce8eb30..6d9ff33b 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -169,6 +169,12 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else []) }} +# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected. +# If this has an empty value, they're just passed to the homeserver, which serves a static page. +# If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here. +# Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`). +matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "" + # Controls whether proxying for the Matrix Federation API should be done. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 463aec07..adbee18e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -151,7 +151,11 @@ } location / { - rewrite ^/$ /_matrix/static/ last; + {% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %} + return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; + {% else %} + rewrite ^/$ /_matrix/static/ last; + {% endif %} } {% endmacro %} From c1c6eaefff7eb40ef133b72870af8c77b569076c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 28 Oct 2020 17:34:39 +0200 Subject: [PATCH 1487/2384] Upgrade Element (1.7.10 -> 1.7.12) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index d2b9258f..100a23b4 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -2,7 +2,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false -matrix_client_element_docker_image: "vectorim/riot-web:v1.7.10" +matrix_client_element_docker_image: "vectorim/riot-web:v1.7.12" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element" From 468cc3946546a7d939be5f25201eb5829c0f3745 Mon Sep 17 00:00:00 2001 From: Sabine Date: Wed, 28 Oct 2020 21:56:13 +0100 Subject: [PATCH 1488/2384] added a workaround for postgres's issue with initdb --- .../templates/systemd/matrix-mautrix-signal-db.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-db.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-db.service.j2 index 653b67b8..b4baed4c 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-db.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-db.service.j2 @@ -19,6 +19,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_mautrix_sig --env POSTGRES_PASSWORD={{ matrix_mautrix_signal_db_password }} \ --env POSTGRES_DB={{ matrix_mautrix_signal_db_database }} \ -v {{ matrix_mautrix_signal_db_storage_path }}:/var/lib/postgresql/data:z \ + -v /etc/passwd:/etc/passwd:ro \ {{ matrix_mautrix_signal_db_docker_image }} ExecStop=-{{ matrix_host_command_docker }} kill {{ matrix_mautrix_signal_db_host }} From aabefe21f46a353258c784d1209e7dea4f2e5f05 Mon Sep 17 00:00:00 2001 From: Sabine Date: Wed, 28 Oct 2020 21:58:59 +0100 Subject: [PATCH 1489/2384] fixed yaml --- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index e6c5fe05..5d6bb7d3 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -69,7 +69,7 @@ matrix_mautrix_signal_configuration_yaml: "{{ lookup('template', 'templates/conf # * - All Matrix users # domain - All users on that homeserver # mxid - Specific user -matrix_mautrix_signal_configuration_permissions: [] +matrix_mautrix_signal_configuration_permissions: {} matrix_mautrix_signal_configuration_extension_yaml: | # Your custom YAML configuration goes here. From cea2faa1b34362b08d3224276ac6b9e2a81070ad Mon Sep 17 00:00:00 2001 From: Sabine Date: Wed, 28 Oct 2020 21:59:36 +0100 Subject: [PATCH 1490/2384] added docs for bridge permissions --- docs/configuring-playbook-bridge-mautrix-signal.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index 066dbaff..a5410665 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md +++ b/docs/configuring-playbook-bridge-mautrix-signal.md @@ -19,10 +19,13 @@ bridge: in [the example config in mautrix-signal](https://github.com/tulir/mautrix-signal/blob/master/mautrix_signal/example-config.yaml). For instance, use ```yaml -matrix_mautrix_signal_configuration_permissions: - "YOUR_DOMAIN": user +matrix_mautrix_signal_configuration_permissions: | + { + '{{ matrix_domain }}': 'user' + } ``` -to allow all users registered to `YOUR_DOMAIN` access to the bridge (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). +to allow all users registered to the current host's matrix domain access to the bridge, or hard-code whatever you like. +(See [this issue](https://github.com/ansible/ansible/issues/17324#issuecomment-449642731) on how to use variable names as dictionary keys.) ## Set up Double Puppeting From cce90b187a95fcb9a1d146340e9f5d1ad3460423 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 28 Oct 2020 23:09:21 +0100 Subject: [PATCH 1491/2384] synapse workers: fix undefined variable cases when removing workers --- group_vars/matrix_servers | 8 ++++---- roles/matrix-synapse/tasks/workers/setup_uninstall.yml | 5 ++--- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 891cf6af..3744a65e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -803,10 +803,10 @@ matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presenc matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" -matrix_nginx_proxy_synapse_generic_worker_locations: "{{ matrix_synapse_workers_generic_worker_endpoints }}" -matrix_nginx_proxy_synapse_media_repository_locations: "{{ matrix_synapse_workers_media_repository_endpoints }}" -matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_endpoints }}" -matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers_frontend_proxy_endpoints }}" +matrix_nginx_proxy_synapse_generic_worker_locations: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) }}" +matrix_nginx_proxy_synapse_media_repository_locations: "{{ matrix_synapse_workers_media_repository_endpoints|default([]) }}" +matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_endpoints|default([]) }}" +matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers_frontend_proxy_endpoints|default([]) }}" matrix_nginx_proxy_systemd_wanted_services_list: | {{ diff --git a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml index 58b64760..879e6998 100644 --- a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml @@ -27,15 +27,14 @@ - name: Ensure worker configs are cleaned file: - path: "{{ item.root + '/' + item.path }}" + path: "{{ item }}" state: absent with_fileglob: - "{{ matrix_synapse_config_dir_path }}/worker.*.yaml" - name: Remove workers from synapse.wants list set_fact: - matrix_synapse_systemd_wanted_services_list: "{{ matrix_synapse_systemd_wanted_services_list | reject('search', item) | list }}" - with_items: "{{ matrix_synapse_workers_avail_list }}" + matrix_synapse_systemd_wanted_services_list: "{{ matrix_synapse_systemd_wanted_services_list | reject('search', '^matrix-synapse-worker@') | list }}" - name: Ensure systemd noticed removal of worker service units service: From 56ebeb1ae26ecc58888979efd327c3c25c2ac0b4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 29 Oct 2020 07:35:53 +0200 Subject: [PATCH 1492/2384] Revert "Restore self-building on ARM for Synapse for now" This reverts commit 7d211b71e2123ba0a62f2264497c6d4696243e61. The multi-arch images are now available, as discussed in #699 (Github Issue). --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index eabce668..ceaab812 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -921,7 +921,7 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr # ###################################################################### -matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}" +matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm32', 'arm64', 'amd64'] }}" # When ma1sd is enabled, we can use it to validate email addresses and phone numbers. # Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server. From c33d007306761a56a9cf909d62088089c6a8cef1 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Thu, 29 Oct 2020 11:46:58 -0500 Subject: [PATCH 1493/2384] Switch to the new vectorim/element-web Docker image --- README.md | 2 +- docs/configuring-dns.md | 2 +- docs/configuring-playbook-client-element.md | 2 +- roles/matrix-client-element/defaults/main.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 72018115..1a207937 100644 --- a/README.md +++ b/README.md @@ -128,7 +128,7 @@ This playbook sets up your server using the following Docker images: - [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) -- [vectorim/riot-web](https://hub.docker.com/r/vectorim/riot-web/) - the [Element](https://element.io/) web client (optional) +- [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional) - [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 08bc905e..9d738477 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -34,7 +34,7 @@ DNS records marked with `(*)` above are optional. They refer to services that wi As the table above illustrates, you need to create 2 subdomains (`matrix.` and `element.`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` record is fine). -The `element.` subdomain is necessary, because this playbook installs the [Element](https://github.com/vector-im/riot-web) web client for you. +The `element.` subdomain is necessary, because this playbook installs the [Element](https://github.com/vector-im/element-web) web client for you. If you'd rather instruct the playbook not to install Element (`matrix_client_element_enabled: false` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `element.` DNS record. The `dimension.` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.` DNS record. diff --git a/docs/configuring-playbook-client-element.md b/docs/configuring-playbook-client-element.md index 8b0eb331..45299c55 100644 --- a/docs/configuring-playbook-client-element.md +++ b/docs/configuring-playbook-client-element.md @@ -1,6 +1,6 @@ # Configuring Element (optional) -By default, this playbook installs the [Element](https://github.com/vector-im/riot-web) Matrix client web application. +By default, this playbook installs the [Element](https://github.com/vector-im/element-web) Matrix client web application. If that's okay, you can skip this document. diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 100a23b4..76bc7142 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -2,7 +2,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false -matrix_client_element_docker_image: "vectorim/riot-web:v1.7.12" +matrix_client_element_docker_image: "vectorim/element-web:v1.7.12" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element" From 5c91e56898cc0ded68afda1c892fc20edb01ebd5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 30 Oct 2020 19:35:55 +0200 Subject: [PATCH 1494/2384] Upgrade Synapse (v1.22.0 -> v1.22.1) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 450a26be..5777e802 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.22.0" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.22.1" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From ef68d3d2961c603d79e5fdda6d2b350ac694147e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 2 Nov 2020 11:10:03 +0200 Subject: [PATCH 1495/2384] Add support for reverse-proxying /_synapse/oidc This broke in 63a49bb2dc7780e023b28. Proxying the OpenID Connect endpoints is now possible, but needs to be enabled explicitly now. Supersedes #702 (Github Pull Request). This patch builds up on the idea from that Pull Request, but does things in a cleaner way. --- docs/configuring-playbook-nginx.md | 9 +++++++++ docs/configuring-playbook-synapse.md | 5 +++++ roles/matrix-nginx-proxy/defaults/main.yml | 9 +++++++-- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index e0b4911e..945864e9 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -23,3 +23,12 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: - 8.8.8.8 - 1.1.1.1 ``` + + +## Synapse + OpenID Connect for Single-Sign-On + +If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse: + +```yaml +matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: true +``` diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index 019a651f..9ae1e903 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md @@ -21,3 +21,8 @@ Alternatively, **if there is no pre-defined variable** for a Synapse setting you ## Synapse Admin Certain Synapse administration tasks (managing users and rooms, etc.) can be performed via a web user-interace, if you install [Synapse Admin](configuring-playbook-synapse-admin.md). + + +## Synapse + OpenID Connect for Single-Sign-On + +If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)). diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 6d9ff33b..546f1f1d 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -150,10 +150,13 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008" matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 -# Tells wheter `/_synapse/client` is forwarded to the Matrix Client API server. +# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true -# Tells wheter `/_synapse/admin` is forwarded to the Matrix Client API server. +# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server. +matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false + +# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server. # Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false @@ -166,6 +169,8 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | + (['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else []) + + (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else []) + + (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else []) }} From 350c39d7457f325bc814800934c5e843bccadd97 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 2 Nov 2020 11:13:25 +0200 Subject: [PATCH 1496/2384] Update comment --- roles/matrix-nginx-proxy/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 546f1f1d..dc25b792 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -154,6 +154,7 @@ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true # Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server. +# Enable this if you need OpenID Connect authentication support. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false # Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server. From e894befd87dce731debad58e77fd0de33e303732 Mon Sep 17 00:00:00 2001 From: Scott Crossen Date: Sat, 7 Nov 2020 17:34:16 -0800 Subject: [PATCH 1497/2384] Updates to reviewer comments --- ...md => configuring-playbook-dynamic-dns.md} | 13 ++++---- docs/configuring-playbook.md | 2 +- group_vars/matrix_servers | 17 +++++++++++ roles/matrix-dynamic-dns/defaults/main.yml | 14 ++------- roles/matrix-dynamic-dns/tasks/install.yml | 2 +- .../tasks/validate_config.yml | 10 +++---- .../templates/ddclient.conf.j2 | 30 ++++++++++++------- .../systemd/matrix-dynamic-dns.service.j2 | 3 -- ...tup_ssl_lets_encrypt_obtain_for_domain.yml | 12 ++++++++ 9 files changed, 66 insertions(+), 37 deletions(-) rename docs/{configuring-playbook-budget-builds.md => configuring-playbook-dynamic-dns.md} (65%) diff --git a/docs/configuring-playbook-budget-builds.md b/docs/configuring-playbook-dynamic-dns.md similarity index 65% rename from docs/configuring-playbook-budget-builds.md rename to docs/configuring-playbook-dynamic-dns.md index 318c3c0c..1047eaf1 100644 --- a/docs/configuring-playbook-budget-builds.md +++ b/docs/configuring-playbook-dynamic-dns.md @@ -1,6 +1,6 @@ -# Tips for deploying Matrix on a Budget +# Dynamic DNS -## Dynamic DNS +## Setup Most cloud providers / ISPs will charge you extra for a static IP address. If you're not hosting a highly reliable homeserver you can workaround this via dynamic DNS. To @@ -9,13 +9,14 @@ google domains, this process is described [here](https://support.google.com/doma After you've gotten the proper credentials you can add the following config to your inventory/host_vars/matrix.DOMAIN/vars.yml: ``` -matrix_dynamic_dns_username: XXXXXXXXXXXXXXXX -matrix_dynamic_dns_password: XXXXXXXXXXXXXXXX -matrix_dynamic_dns_provider: 'domains.google.com' +matrix_dynamic_dns_domain_configurations: | + {{ + [{'provider': 'domains.google.com', 'protocol': 'dyndn2', 'username': 'XXXXXXXXXXXXXXXX', 'password': 'XXXXXXXXXXXXXXXX', 'domain': matrix_domain}] + }} ``` ## Additional Reading Additional resources: -- https://matrix.org/docs/guides/free-small-matrix-server \ No newline at end of file +- https://matrix.org/docs/guides/free-small-matrix-server diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 8b0c5537..7ef58b2f 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -33,7 +33,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the Jitsi video-conferencing platform](configuring-playbook-jitsi.md) (optional) -- [Setting up budget builds or resource-constrained builds](configuring-playbook-budget-builds.md) (optional) +- [Setting Dynamic DNS](configuring-playbook-dynamic-dns.md) (optional) ### Core service adjustments diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 00cdbdfb..2be361c9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -619,6 +619,23 @@ matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{ 8048 if mat ###################################################################### + +###################################################################### +# +# matrix-dynamic-dns +# +###################################################################### + +matrix_dynamic_dns_domain_configurations: [] + +###################################################################### +# +# /matrix-dynamic-dns +# +###################################################################### + + + ###################################################################### # # matrix-email2matrix diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index e57b47da..8c86d35c 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -1,11 +1,11 @@ # Whether dynamic dns is enabled -matrix_dynamic_dns_enabled: false +matrix_dynamic_dns_enabled: "{{ matrix_dynamic_dns_domain_configurations is defined }}" # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' # The docker container to use when in mode -matrix_dynamic_dns_docker_image: 'linuxserver/ddclient' +matrix_dynamic_dns_docker_image: 'linuxserver/ddclient:v3.9.1-ls45' # The image to force pull matrix_dynamic_dns_docker_image_force_pull: "{{ matrix_dynamic_dns_docker_image.endswith(':latest') }}" @@ -28,13 +28,5 @@ matrix_dynamic_dns_config_path: "{{ matrix_dynamic_dns_base_path }}/config" matrix_dynamic_dns_docker_src_files_path: "{{ matrix_dynamic_dns_base_path }}/docker-src" # Config options +matrix_dynamic_dns_additional_configuration_blocks: [] matrix_dynamic_dns_use: "web" -matrix_dynamic_dns_static: false -matrix_dynamic_dns_custom: false -matrix_dynamic_dns_zone: "" -matrix_dynamic_dns_ttl: "" -matrix_dynamic_dns_mx: "" -matrix_dynamic_dns_wildcard: false -matrix_dynamic_dns_protocol: 'dyndns2' -matrix_dynamic_dns_provider: 'domains.google.com' -matrix_dynamic_dns_domain: '{{ matrix_domain }}' diff --git a/roles/matrix-dynamic-dns/tasks/install.yml b/roles/matrix-dynamic-dns/tasks/install.yml index 816dc7c3..225738bf 100644 --- a/roles/matrix-dynamic-dns/tasks/install.yml +++ b/roles/matrix-dynamic-dns/tasks/install.yml @@ -12,7 +12,7 @@ file: path: "{{ item.path }}" state: directory - mode: 0750 + mode: 0751 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: diff --git a/roles/matrix-dynamic-dns/tasks/validate_config.yml b/roles/matrix-dynamic-dns/tasks/validate_config.yml index 2895f407..c6e4c4a6 100644 --- a/roles/matrix-dynamic-dns/tasks/validate_config.yml +++ b/roles/matrix-dynamic-dns/tasks/validate_config.yml @@ -1,10 +1,10 @@ --- -- name: Fail if required settings not defined +- name: Fail if required settings not defined in configuration blocks fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" - with_items: - - "matrix_dynamic_dns_domain" - - "matrix_dynamic_dns_provider" + when: "'domain' not in configuration == '' or 'provider' not in configuration == '' or 'protocol' not in configuration == ''" + with_items: "{{ matrix_dynamic_dns_domain_configurations }}" + loop_control: + loop_var: configuration diff --git a/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 b/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 index 651712db..1480d834 100644 --- a/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 +++ b/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 @@ -3,14 +3,24 @@ syslog=no pid=/var/run/ddclient/ddclient.pid ssl=yes use={{ matrix_dynamic_dns_use }} -protocol={{ matrix_dynamic_dns_protocol }} -server={{ matrix_dynamic_dns_provider }} {% if matrix_dynamic_dns_username %} -login='{{ matrix_dynamic_dns_username }}' {% endif %} {% if matrix_dynamic_dns_username %} -password='{{ matrix_dynamic_dns_password }}' {% endif %} {% if matrix_dynamic_dns_static %} -static=yes {% endif %} {% if matrix_dynamic_dns_custom %} -custom=yes {% endif %} {% if matrix_dynamic_dns_zone %} -zone={{ matrix_dynamic_dns_zone }} {% endif %} {% if matrix_dynamic_dns_ttl %} -ttl={{ matrix_dynamic_dns_ttl }} {% endif %} {% if matrix_dynamic_dns_mx %} -mx={{ matrix_dynamic_dns_mx }} {% endif %} {% if matrix_dynamic_dns_wildcard %} + +{% for dynamic_dns_domain_configuration in matrix_dynamic_dns_domain_configurations %} +protocol={{ dynamic_dns_domain_configuration.protocol }} +server={{ dynamic_dns_domain_configuration.provider }} {% if 'username' in dynamic_dns_domain_configuration %} +login='{{ dynamic_dns_domain_configuration.username }}' {% endif %} {% if 'password' in dynamic_dns_domain_configuration %} +password='{{ dynamic_dns_domain_configuration.password }}' {% endif %} {% if 'static' in dynamic_dns_domain_configuration %} +static=yes {% endif %} {% if 'custom' in dynamic_dns_domain_configuration %} +custom=yes {% endif %} {% if 'zone' in dynamic_dns_domain_configuration %} +zone={{ dynamic_dns_domain_configuration.zone }} {% endif %} {% if 'ttl' in dynamic_dns_domain_configuration %} +ttl={{ dynamic_dns_domain_configuration.ttl }} {% endif %} {% if 'mx' in dynamic_dns_domain_configuration %} +mx={{ dynamic_dns_domain_configuration.mx }} {% endif %} {% if 'wildcard' in dynamic_dns_domain_configuration %} wildcard=yes {% endif %} -{{ matrix_dynamic_dns_domain }} +{{ dynamic_dns_domain_configuration.domain }} + +{% endfor %} + + +{% for matrix_dynamic_dns_additional_configuration in matrix_dynamic_dns_additional_configuration_blocks %} +{{ matrix_dynamic_dns_additional_configuration }} + +{% endfor %} diff --git a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 index 9c11e148..7e73b587 100644 --- a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 +++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 @@ -15,12 +15,9 @@ ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dynamic-dns ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dynamic-dns ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \ --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ --network={{ matrix_docker_network }} \ -e PUID={{ matrix_user_uid }} \ -e PGID={{ matrix_user_gid }} \ - -e CONFIG_PATH=/config/config.yaml \ -v {{ matrix_dynamic_dns_config_path }}:/config:z \ {% for arg in matrix_dynamic_dns_container_extra_arguments %} {{ arg }} \ diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index e80b655d..0c12fa93 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -12,6 +12,18 @@ - set_fact: domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}" +- name: Ensure dynamic dns has ran + service: + name: "dynamic-dns" + state: started + register: dynamic_dns_service_update + when: "domain_name_needs_cert|bool and matrix_dynamic_dns_enabled|bool" + +- name: Sleep for 60 seconds so that DNS records can be updated + wait_for: + timeout: 60 + when: dynamic_dns_service_update.changed + # This will fail if there is something running on port 80 (like matrix-nginx-proxy). # We suppress the error, as we'll try another method below. - name: Attempt initial SSL certificate retrieval with standalone authenticator (directly) From c448aa54a1eda4fba76ce20aec0ef6909b1411dd Mon Sep 17 00:00:00 2001 From: Eneko Nieto Date: Sun, 8 Nov 2020 22:39:08 +0100 Subject: [PATCH 1498/2384] Added docker-compose example for launching Traefik. --- docs/configuring-playbook-own-webserver.md | 35 ++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 2c4b43a2..54afce6d 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -193,3 +193,38 @@ Note that this configuration on its own does **not** redirect traffic on port 80 scheme = "https" permanent = true ``` + +You can use the following `docker-compose.yml` as example to launch Traefik. + +```yaml +version: "3.3" + +services: + + traefik: + image: "traefik:v2.3" + restart: always + container_name: "traefik" + networks: + - traefik + command: + - "--api.insecure=true" + - "--providers.docker=true" + - "--providers.docker.network=traefik" + - "--providers.docker.exposedbydefault=false" + - "--entrypoints.websecure.address=:443" + - "--entrypoints.synapse.address=:8448" + - "--certificatesresolvers.default.acme.tlschallenge=true" + - "--certificatesresolvers.default.acme.email=YOUR EMAIL" + - "--certificatesresolvers.default.acme.storage=/letsencrypt/acme.json" + ports: + - "443:443" + - "8080:8080" + volumes: + - "./letsencrypt:/letsencrypt" + - "/var/run/docker.sock:/var/run/docker.sock:ro" + +networks: + traefik: + external: true +``` From 2c33aa3ec54533f70e7558baec5c62a7e51fbbde Mon Sep 17 00:00:00 2001 From: Eneko Nieto Date: Mon, 9 Nov 2020 00:03:15 +0100 Subject: [PATCH 1499/2384] Fixed entrypoint name. --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 54afce6d..dac78376 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -212,7 +212,7 @@ services: - "--providers.docker=true" - "--providers.docker.network=traefik" - "--providers.docker.exposedbydefault=false" - - "--entrypoints.websecure.address=:443" + - "--entrypoints.web-secure.address=:443" - "--entrypoints.synapse.address=:8448" - "--certificatesresolvers.default.acme.tlschallenge=true" - "--certificatesresolvers.default.acme.email=YOUR EMAIL" From 59bb6b297138dd586198a6aa463c55f6374d23bc Mon Sep 17 00:00:00 2001 From: Scott Crossen Date: Mon, 9 Nov 2020 13:32:58 -0800 Subject: [PATCH 1500/2384] responded to reviewer comments --- docs/configuring-playbook-dynamic-dns.md | 1 + group_vars/matrix_servers | 1 + roles/matrix-dynamic-dns/defaults/main.yml | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-dynamic-dns.md b/docs/configuring-playbook-dynamic-dns.md index 1047eaf1..e46d87c0 100644 --- a/docs/configuring-playbook-dynamic-dns.md +++ b/docs/configuring-playbook-dynamic-dns.md @@ -9,6 +9,7 @@ google domains, this process is described [here](https://support.google.com/doma After you've gotten the proper credentials you can add the following config to your inventory/host_vars/matrix.DOMAIN/vars.yml: ``` +matrix_dyanmic_dns_enabled: true matrix_dynamic_dns_domain_configurations: | {{ [{'provider': 'domains.google.com', 'protocol': 'dyndn2', 'username': 'XXXXXXXXXXXXXXXX', 'password': 'XXXXXXXXXXXXXXXX', 'domain': matrix_domain}] diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2be361c9..86d91088 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -626,6 +626,7 @@ matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{ 8048 if mat # ###################################################################### +matrix_dyanmic_dns_enabled: false matrix_dynamic_dns_domain_configurations: [] ###################################################################### diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index 8c86d35c..cb17c90c 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -1,5 +1,5 @@ # Whether dynamic dns is enabled -matrix_dynamic_dns_enabled: "{{ matrix_dynamic_dns_domain_configurations is defined }}" +matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' From 235299939da49d5b7984a4deb66b626fa07504ce Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Nov 2020 09:30:00 +0200 Subject: [PATCH 1501/2384] Upgrade nginx (1.19.3 -> 1.19.4) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index dc25b792..e36270b7 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "nginx:1.19.3-alpine" +matrix_nginx_proxy_docker_image: "nginx:1.19.4-alpine" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" From 31619e0968dc060107447da9de764a20cf64e5a6 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Tue, 10 Nov 2020 11:27:15 -0600 Subject: [PATCH 1502/2384] Upgrade Element (1.7.12 -> 1.7.13) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 76bc7142..c591b025 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -2,7 +2,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false -matrix_client_element_docker_image: "vectorim/element-web:v1.7.12" +matrix_client_element_docker_image: "vectorim/element-web:v1.7.13" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element" From e5072c20d98f13ad27425183c76eb5304a94b0bc Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 10 Nov 2020 20:35:39 +0100 Subject: [PATCH 1503/2384] synapse workers/nginx: handle media_repository worker endpoints on federation port to prevent "404 on the federation port for the path `/_matrix/media`, if a remote server is trying to get the media object on federation port, see https://github.com/matrix-org/synapse/issues/8695 " https://github.com/matrix-org/synapse/pull/8701 --- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index f39c2c34..1dbbb844 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -372,6 +372,16 @@ server { {% endfor %} # FIXME: add GET ^/_matrix/federation/v1/groups/ {% endif %} + {% if media_repository_workers %} + # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository + {% for location in matrix_nginx_proxy_synapse_media_repository_locations %} + location ~ {{ location }} { + proxy_pass http://media_repository_upstream$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endfor %} + {% endif %} {% endif %} location / { From 1e971312e806123c5677fc7104d435e2b69baedf Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 10 Nov 2020 21:23:19 +0100 Subject: [PATCH 1504/2384] synapse workers: handle auth fallback endpoint on main process only (allegedly breaks with SSO enabled) --- roles/matrix-synapse/files/workers-doc-to-yaml.awk | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/matrix-synapse/files/workers-doc-to-yaml.awk b/roles/matrix-synapse/files/workers-doc-to-yaml.awk index b3c79eb5..fe018b6f 100755 --- a/roles/matrix-synapse/files/workers-doc-to-yaml.awk +++ b/roles/matrix-synapse/files/workers-doc-to-yaml.awk @@ -84,6 +84,15 @@ enable_parsing { api_endpoint_regex = "^" line } + # FIXME: https://github.com/matrix-org/synapse/issues/7530 + # https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456#issuecomment-719015911 + if (api_endpoint_regex == "^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$") { + worker_stanza_append(" # FIXME: possible bug with SSO and multiple generic workers\n") + worker_stanza_append(" # see https://github.com/matrix-org/synapse/issues/7530\n") + worker_stanza_append(" # " api_endpoint_regex linefeed) + continue + } + # disable endpoints which specify complications if (endpoints_seem_conditional) { # only add notice if previous line didn't match From b05d298ae44f2befc227845c9ff45aa64424cf25 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 10 Nov 2020 21:43:33 +0100 Subject: [PATCH 1505/2384] synapse workers nginx rule: add client_max_body_size on media endpoints so transfer limits are properly set in accord to the relevant setting https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456#issuecomment-719996778 --- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 1dbbb844..86b3762d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -124,6 +124,10 @@ proxy_pass http://media_repository_upstream$request_uri; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; } {% endfor %} {% endif %} @@ -379,6 +383,10 @@ server { proxy_pass http://media_repository_upstream$request_uri; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; } {% endfor %} {% endif %} From dd402bee928997459b0b25254700e2f6b87b0afa Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 10 Nov 2020 22:22:40 +0100 Subject: [PATCH 1506/2384] synapse workers: add rudimentary documentation on worker support --- docs/configuring-playbook-synapse.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index 019a651f..276baca5 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md @@ -18,6 +18,21 @@ Alternatively, **if there is no pre-defined variable** for a Synapse setting you - or, if extending the configuration is still not powerful enough for your needs, you can **override the configuration completely** using `matrix_synapse_configuration` (or `matrix_synapse_configuration_yaml`). You can find information about this in [`roles/matrix-synapse/defaults/main.yml`](../roles/matrix-synapse/defaults/main.yml). +## Load balancing with workers +To have synapse gracefully handle thousands of users, worker support should be enabled. It factors out some homeserver tasks and spreads the load of incoming client and server-to-server traffic between multiple processes. More information can be found at https://github.com/matrix-org/synapse/blob/master/docs/workers.md (which, coincidentally, also is the file which an awk script extracts the endpoint URLs from when running with tag `setup-synapse`). + +To enable synapse worker support, set + +```yaml +matrix_synapse_workers_enabled: true +``` + +in your `inventory/host_vars/matrix.DOMAIN/vars.yml` file. +There, you can also override the default `matrix_synapse_workers_enabled_list` from [`roles/matrix-synapse/defaults/main.yml`](../roles/matrix-synapse/defaults/main.yml). + +If you are not using the inbuilt nginx proxy container but an instance managed by yourself, you are currently on your own as the template needs yet to be adapted to better support this use case. + + ## Synapse Admin Certain Synapse administration tasks (managing users and rooms, etc.) can be performed via a web user-interace, if you install [Synapse Admin](configuring-playbook-synapse-admin.md). From 73d5faa1f9567548b54a7d9ff888cebdb93392f0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Nov 2020 23:30:38 +0200 Subject: [PATCH 1507/2384] Fix variable name typo --- docs/configuring-playbook-dynamic-dns.md | 2 +- group_vars/matrix_servers | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-dynamic-dns.md b/docs/configuring-playbook-dynamic-dns.md index e46d87c0..4251291b 100644 --- a/docs/configuring-playbook-dynamic-dns.md +++ b/docs/configuring-playbook-dynamic-dns.md @@ -9,7 +9,7 @@ google domains, this process is described [here](https://support.google.com/doma After you've gotten the proper credentials you can add the following config to your inventory/host_vars/matrix.DOMAIN/vars.yml: ``` -matrix_dyanmic_dns_enabled: true +matrix_dynamic_dns_enabled: true matrix_dynamic_dns_domain_configurations: | {{ [{'provider': 'domains.google.com', 'protocol': 'dyndn2', 'username': 'XXXXXXXXXXXXXXXX', 'password': 'XXXXXXXXXXXXXXXX', 'domain': matrix_domain}] diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 86d91088..e199ea86 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -626,7 +626,7 @@ matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{ 8048 if mat # ###################################################################### -matrix_dyanmic_dns_enabled: false +matrix_dynamic_dns_enabled: false matrix_dynamic_dns_domain_configurations: [] ###################################################################### From f3d2797d9ccc4348f131ad35dc1f4220a7b47919 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 10 Nov 2020 22:40:48 +0100 Subject: [PATCH 1508/2384] synapse workers: make awk script invocation handle paths with spaces (quoting ftw) --- roles/matrix-synapse/tasks/workers/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/tasks/workers/setup_install.yml b/roles/matrix-synapse/tasks/workers/setup_install.yml index cbd73643..6b246a18 100644 --- a/roles/matrix-synapse/tasks/workers/setup_install.yml +++ b/roles/matrix-synapse/tasks/workers/setup_install.yml @@ -7,7 +7,7 @@ - name: Download synapse workers doc and convert into YAML shell: - cmd: "awk -f {{ role_path }}/files/workers-doc-to-yaml.awk -- {{ role_path }}/files/workers.upstream-documentation.md > {{ role_path }}/vars/workers.yml" + cmd: "awk -f '{{ role_path }}/files/workers-doc-to-yaml.awk' -- '{{ role_path }}/files/workers.upstream-documentation.md' > '{{ role_path }}/vars/workers.yml'" creates: "{{ role_path }}/vars/workers.yml" - name: Load list of available worker apps and endpoints From 5c5f828405f5a279b9a1b1df14f7ecbf51d755e1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Nov 2020 23:33:27 +0200 Subject: [PATCH 1509/2384] Use more YAML-like syntax for the dynamic DNS configurations Related to #681 (Github Pull Request) --- docs/configuring-playbook-dynamic-dns.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-dynamic-dns.md b/docs/configuring-playbook-dynamic-dns.md index 4251291b..cec53e4a 100644 --- a/docs/configuring-playbook-dynamic-dns.md +++ b/docs/configuring-playbook-dynamic-dns.md @@ -8,12 +8,20 @@ set this up, you'll need to get the username/password from your DNS provider. Fo google domains, this process is described [here](https://support.google.com/domains/answer/6147083). After you've gotten the proper credentials you can add the following config to your inventory/host_vars/matrix.DOMAIN/vars.yml: -``` +```yaml matrix_dynamic_dns_enabled: true + matrix_dynamic_dns_domain_configurations: | {{ [{'provider': 'domains.google.com', 'protocol': 'dyndn2', 'username': 'XXXXXXXXXXXXXXXX', 'password': 'XXXXXXXXXXXXXXXX', 'domain': matrix_domain}] }} + +matrix_dynamic_dns_domain_configurations: + - provider: domains.google.com + protocol: dyndn2 + username: XXXXXXXXXXXXXXXX + password: XXXXXXXXXXXXXXXX + domain: "{{ matrix_domain }}" ``` ## Additional Reading From fef44b93d33d1e2c6835d50eef1f6c79f01d3ea2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Nov 2020 23:33:58 +0200 Subject: [PATCH 1510/2384] Define the matrix_dynamic_dns_domain_configurations variable in the role Having it unset in the role itself (while referencign it) is a little strange. Now people can look at the `roles/matrix-dynamic-dns/defaults/main.yml` file and figure out everything that's necessary to run the role. Related to #681 (Github Pull Request) --- roles/matrix-dynamic-dns/defaults/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index cb17c90c..0d34ccea 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -27,6 +27,17 @@ matrix_dynamic_dns_base_path: "{{ matrix_base_data_path }}/dynamic-dns" matrix_dynamic_dns_config_path: "{{ matrix_dynamic_dns_base_path }}/config" matrix_dynamic_dns_docker_src_files_path: "{{ matrix_dynamic_dns_base_path }}/docker-src" +# Holds the configurations (the domains to update DNS for, the providers they use, etc.) +# +# Example: +# matrix_dynamic_dns_domain_configurations: +# - provider: domains.google.com +# protocol: dyndn2 +# username: XXXXXXXXXXXXXXXX +# password: XXXXXXXXXXXXXXXX +# domain: "{{ matrix_domain }}" +matrix_dynamic_dns_domain_configurations: [] + # Config options matrix_dynamic_dns_additional_configuration_blocks: [] matrix_dynamic_dns_use: "web" From 97a7c8b0f08d91ec68f946c5def9cea79dbfef5e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Nov 2020 23:43:15 +0200 Subject: [PATCH 1511/2384] Fix matrix_dynamic_dns_domain_configurations validation check - `item` was undefined - `'key' in configurations == ''` was doing the wrong thing Related to #681 (Github Pull Request) --- roles/matrix-dynamic-dns/tasks/validate_config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dynamic-dns/tasks/validate_config.yml b/roles/matrix-dynamic-dns/tasks/validate_config.yml index c6e4c4a6..3976a4b0 100644 --- a/roles/matrix-dynamic-dns/tasks/validate_config.yml +++ b/roles/matrix-dynamic-dns/tasks/validate_config.yml @@ -3,8 +3,8 @@ - name: Fail if required settings not defined in configuration blocks fail: msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "'domain' not in configuration == '' or 'provider' not in configuration == '' or 'protocol' not in configuration == ''" + One of the configurations in matrix_dynamic_dns_domain_configurations is missing a required key (domain, provider, protocol). + when: "'domain' not in configuration or 'provider' not in configuration or 'protocol' not in configuration" with_items: "{{ matrix_dynamic_dns_domain_configurations }}" loop_control: loop_var: configuration From 8782919d8509ea53b5bdd16d7d672b053ff59cca Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Nov 2020 23:44:09 +0200 Subject: [PATCH 1512/2384] Ensure matrix_dynamic_dns_domain_configurations contains configurations If `matrix_dynamic_dns_enabled`, we'd like to ensure there's at least one configuration defined. Related to #681 (Github Pull Request) --- roles/matrix-dynamic-dns/tasks/validate_config.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-dynamic-dns/tasks/validate_config.yml b/roles/matrix-dynamic-dns/tasks/validate_config.yml index 3976a4b0..8f0001ea 100644 --- a/roles/matrix-dynamic-dns/tasks/validate_config.yml +++ b/roles/matrix-dynamic-dns/tasks/validate_config.yml @@ -1,5 +1,11 @@ --- +- name: Fail if no configurations specified + fail: + msg: >- + You need to define at least one configuration in `matrix_dynamic_dns_domain_configurations` for using matrix-dynamic-dns. + when: "matrix_dynamic_dns_domain_configurations|length == 0" + - name: Fail if required settings not defined in configuration blocks fail: msg: >- From 1427286cec29db8fb821dce963b2aa6c54c04845 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Nov 2020 23:46:33 +0200 Subject: [PATCH 1513/2384] Integrate matrix-dynamic-dns with matrix-nginx-proxy without causing a dependency We'd like the roles to be self-contained (as much as possible). Thus, the `matrix-nginx-proxy` shouldn't reference any variables from other roles. Instead, we rely on injection via `group_vars/matrix_servers`. Related to #681 (Github Pull Request) --- group_vars/matrix_servers | 2 ++ roles/matrix-nginx-proxy/defaults/main.yml | 4 ++++ ...tup_ssl_lets_encrypt_obtain_for_domain.yml | 21 ++++++++++--------- 3 files changed, 17 insertions(+), 10 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e199ea86..f38284e8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -851,6 +851,8 @@ matrix_ssl_architecture: "{{ }[matrix_architecture] }}" +matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matrix_dynamic_dns_enabled else '' }} + ###################################################################### # # /matrix-nginx-proxy diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3b9dd60b..4bf57f61 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -243,6 +243,10 @@ matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" +# If you'd like to start some service before a certificate is obtained, specify it here. +# This could be something like `matrix-dynamic-dns`, etc. +matrix_ssl_pre_obtaining_required_service_name: ~ +matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 # nginx status page configurations. matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index 0c12fa93..3dea71fb 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -12,17 +12,18 @@ - set_fact: domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}" -- name: Ensure dynamic dns has ran - service: - name: "dynamic-dns" - state: started - register: dynamic_dns_service_update - when: "domain_name_needs_cert|bool and matrix_dynamic_dns_enabled|bool" +- block: + - name: Ensure required service for obtaining is started + service: + name: "{{ matrix_ssl_pre_obtaining_required_service_name }}" + state: started + register: matrix_ssl_pre_obtaining_required_service_start_result -- name: Sleep for 60 seconds so that DNS records can be updated - wait_for: - timeout: 60 - when: dynamic_dns_service_update.changed + - name: Wait some time, so that the required service for obtaining can start + wait_for: + timeout: "{{ matrix_ssl_service_to_start_before_obtaining_start_wait_time_seconds }}" + when: "matrix_ssl_pre_obtaining_required_service_start_result.changed|bool" + when: "domain_name_needs_cert|bool and matrix_ssl_pre_obtaining_required_service_name != ''" # This will fail if there is something running on port 80 (like matrix-nginx-proxy). # We suppress the error, as we'll try another method below. From 2708f9aec71bb3f829979825bd8c2dbe66dcfc1f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Nov 2020 23:50:41 +0200 Subject: [PATCH 1514/2384] Remove duplicate configuration in docs page Related to #681 (Github Pull Request) --- docs/configuring-playbook-dynamic-dns.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/docs/configuring-playbook-dynamic-dns.md b/docs/configuring-playbook-dynamic-dns.md index cec53e4a..c06bcf43 100644 --- a/docs/configuring-playbook-dynamic-dns.md +++ b/docs/configuring-playbook-dynamic-dns.md @@ -11,11 +11,6 @@ After you've gotten the proper credentials you can add the following config to y ```yaml matrix_dynamic_dns_enabled: true -matrix_dynamic_dns_domain_configurations: | - {{ - [{'provider': 'domains.google.com', 'protocol': 'dyndn2', 'username': 'XXXXXXXXXXXXXXXX', 'password': 'XXXXXXXXXXXXXXXX', 'domain': matrix_domain}] - }} - matrix_dynamic_dns_domain_configurations: - provider: domains.google.com protocol: dyndn2 From de0987e8064181c606efd4f2c6aaa8b6c97b7dbc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Nov 2020 23:51:38 +0200 Subject: [PATCH 1515/2384] Remove unnecessary variable definition Related to #681 (Github Pull Request) --- group_vars/matrix_servers | 1 - 1 file changed, 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f38284e8..c2e40507 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -627,7 +627,6 @@ matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{ 8048 if mat ###################################################################### matrix_dynamic_dns_enabled: false -matrix_dynamic_dns_domain_configurations: [] ###################################################################### # From 5598a89ad5b81e9e9ce7e14e4ac81c52a354d6b8 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 10 Nov 2020 23:00:24 +0100 Subject: [PATCH 1516/2384] synapse workers doc: link to relevant synapse issue list search --- docs/configuring-playbook-synapse.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index 276baca5..c12386c6 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md @@ -32,6 +32,8 @@ There, you can also override the default `matrix_synapse_workers_enabled_list` f If you are not using the inbuilt nginx proxy container but an instance managed by yourself, you are currently on your own as the template needs yet to be adapted to better support this use case. +In case any problems occur, make sure to have a look at the [list of synapse issues about workers](https://github.com/matrix-org/synapse/issues?q=workers+in%3Atitle) and your `journalctl --unit 'matrix-*'`. + ## Synapse Admin From d910df2b1cc1b8e497c7a643d22852a625492bb3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Nov 2020 00:00:52 +0200 Subject: [PATCH 1517/2384] Announce Dynamic DNS support Related to #681 (Github Pull Request) --- CHANGELOG.md | 9 +++++++++ docs/configuring-playbook-dynamic-dns.md | 3 ++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 089d0650..aa378ae3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2020-11-10 + +## Dynamic DNS support + +Thanks to [Scott Crossen](https://github.com/scottcrossen), the playbook can now manage Dynamic DNS for you using [ddclient](https://ddclient.net/). + +To learn more, follow our [Dynamic DNS docs page](docs/configuring-playbook-dynamic-dns.md). + + # 2020-10-28 ## (Compatibility Break) https://matrix.DOMAIN/ now redirects to https://element.DOMAIN/ diff --git a/docs/configuring-playbook-dynamic-dns.md b/docs/configuring-playbook-dynamic-dns.md index c06bcf43..bc58c273 100644 --- a/docs/configuring-playbook-dynamic-dns.md +++ b/docs/configuring-playbook-dynamic-dns.md @@ -6,7 +6,7 @@ Most cloud providers / ISPs will charge you extra for a static IP address. If yo not hosting a highly reliable homeserver you can workaround this via dynamic DNS. To set this up, you'll need to get the username/password from your DNS provider. For google domains, this process is described [here](https://support.google.com/domains/answer/6147083). -After you've gotten the proper credentials you can add the following config to your inventory/host_vars/matrix.DOMAIN/vars.yml: +After you've gotten the proper credentials you can add the following config to your `inventory/host_vars/matrix.DOMAIN/vars.yml`: ```yaml matrix_dynamic_dns_enabled: true @@ -19,6 +19,7 @@ matrix_dynamic_dns_domain_configurations: domain: "{{ matrix_domain }}" ``` + ## Additional Reading Additional resources: From b5435db3386da670de8add53aa0278a0b99fd330 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Nov 2020 00:22:09 +0200 Subject: [PATCH 1518/2384] Fix syntax error in group_vars/matrix_servers --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8bda2bbe..742391c3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -854,7 +854,7 @@ matrix_ssl_architecture: "{{ }[matrix_architecture] }}" -matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matrix_dynamic_dns_enabled else '' }} +matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matrix_dynamic_dns_enabled else '' }}" ###################################################################### # From 4dbec2470f3fb8d96af2de0c9db24a1d3baf3c44 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 11 Nov 2020 00:45:02 +0200 Subject: [PATCH 1519/2384] Fix systemd_path being undefined breakage Regression since #681 (Github Pull Request). Fixes #715 (Github Issue). --- roles/matrix-dynamic-dns/tasks/uninstall.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dynamic-dns/tasks/uninstall.yml b/roles/matrix-dynamic-dns/tasks/uninstall.yml index 1be0e190..98dca0e8 100644 --- a/roles/matrix-dynamic-dns/tasks/uninstall.yml +++ b/roles/matrix-dynamic-dns/tasks/uninstall.yml @@ -2,7 +2,7 @@ - name: Check existence of matrix-dynamic-dns service stat: - path: "{{ systemd_path }}/matrix-dynamic-dns.service" + path: "{{ matrix_systemd_path }}/matrix-dynamic-dns.service" register: matrix_dynamic_dns_service_stat - name: Ensure matrix-dynamic-dns is stopped @@ -14,7 +14,7 @@ - name: Ensure matrix-dynamic-dns.service doesn't exist file: - path: "{{ systemd_path }}/matrix-dynamic-dns.service" + path: "{{ matrix_systemd_path }}/matrix-dynamic-dns.service" state: absent when: "matrix_dynamic_dns_service_stat.stat.exists" From fe7bed5df37dbe8bf575143dff095dde4286428f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Nov 2020 23:10:59 +0200 Subject: [PATCH 1520/2384] Upgrade appservice-discord --- .../defaults/main.yml | 8 +++++--- .../tasks/validate_config.yml | 1 + .../templates/config.yaml.j2 | 14 +++++++++----- 3 files changed, 15 insertions(+), 8 deletions(-) diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 97ad8e89..392f3028 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_discord_enabled: true -matrix_appservice_discord_docker_image: "halfshot/matrix-appservice-discord:latest" +matrix_appservice_discord_docker_image: "halfshot/matrix-appservice-discord:v1.0.0-rc3" matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}" matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord" @@ -17,6 +17,8 @@ matrix_appservice_discord_bot_token: '' matrix_appservice_discord_appservice_token: '' matrix_appservice_discord_homeserver_token: '' +matrix_appservice_discord_homeserver_domain: "{{ matrix_domain }}" + # Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9005 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:9005"), or empty string to not expose. @@ -62,10 +64,10 @@ matrix_appservice_discord_registration_yaml: | namespaces: users: - exclusive: true - regex: '^@_discord_.*' + regex: '@_discord_.*:{{ matrix_appservice_discord_homeserver_domain|regex_escape }}' aliases: - exclusive: true - regex: '^#_discord_.*' + regex: '#_discord_.*:{{ matrix_appservice_discord_homeserver_domain|regex_escape }}' url: {{ matrix_appservice_discord_appservice_url }} sender_localpart: _discord_bot rate_limited: false diff --git a/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml b/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml index 46612ba5..b0713a43 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml @@ -10,6 +10,7 @@ - "matrix_appservice_discord_bot_token" - "matrix_appservice_discord_appservice_token" - "matrix_appservice_discord_homeserver_token" + - "matrix_appservice_discord_homeserver_domain" - name: (Deprecation) Catch and report renamed appservice-discord variables fail: diff --git a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 index e91c60de..0c2aab41 100644 --- a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 @@ -26,6 +26,10 @@ bridge: disableReadReceipts: false # Disable Join Leave echos from matrix disableJoinLeaveNotifications: false + # Disable Invite echos from matrix + disableInviteNotifications: false + # Auto-determine the language of code blocks (this can be CPU-intensive) + determineCodeLanguage: false # Authentication configuration for the discord bot. auth: clientID: {{ matrix_appservice_discord_client_id|string|to_json }} @@ -45,8 +49,6 @@ logging: # enable: # - "DiscordBot" database: - userStorePath: "/data/user-store.db" - roomStorePath: "/data/room-store.db" # You may either use SQLite or Postgresql for the bridge database, which contains # important mappings for events and user puppeting configurations. # Use the filename option for SQLite, or connString for Postgresql. @@ -82,10 +84,12 @@ channel: limits: # Delay in milliseconds between discord users joining a room. roomGhostJoinDelay: 6000 - # Delay in milliseconds before sending messages to discord to avoid echos. - # (Copies of a sent message may arrive from discord before we've + # Lock timeout in milliseconds before sending messages to discord to avoid + # echos. Default is rather high as the lock will most likely time out + # before anyways. + # echos = (Copies of a sent message may arrive from discord before we've # fininished handling it, causing us to echo it back to the room) - discordSendDelay: 750 + discordSendDelay: 1500 ghosts: # Pattern for the ghosts nick, available is :nick, :username, :tag and :id nickPattern: ":nick" From 6dbb90258e143ed1452eb381dfc793760b993fe7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 13 Nov 2020 08:23:40 +0200 Subject: [PATCH 1521/2384] Mention and recommend enabling usePrivilegedIntents --- ...configuring-playbook-bridge-appservice-discord.md | 12 +++++++----- .../defaults/main.yml | 8 ++++++++ .../templates/config.yaml.j2 | 3 +++ 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index 13a5174b..11be678e 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -14,18 +14,20 @@ Instructions loosely based on [this](https://github.com/Half-Shot/matrix-appserv 1. Create a Discord Application [here](https://discordapp.com/developers/applications). 2. Retrieve Client ID. 3. Create a bot from the Bot tab and retrieve the Bot token. -4. Enable the bridge with the following configuration in your `vars.yml` file: +4. From the Bot tab, enable all checkboxes related to Privileged Gateway Intents (you can skip this step if you're not using `matrix_appservice_discord_auth_usePrivilegedIntents: true` below) +5. Enable the bridge with the following configuration in your `vars.yml` file: ```yaml matrix_appservice_discord_enabled: true matrix_appservice_discord_client_id: "YOUR DISCORD APP CLIENT ID" matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN" +matrix_appservice_discord_auth_usePrivilegedIntents: true ``` -4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. -5. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`). You need to peek at the file on the server via SSH, etc., because it's not available via HTTP(S). -6. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended. -7. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client. +6. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. +7. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`). You need to peek at the file on the server via SSH, etc., because it's not available via HTTP(S). +8. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended. +9. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client. Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable. diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 392f3028..cb262166 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -41,6 +41,14 @@ matrix_appservice_discord_bridge_homeserverUrl: "{{ matrix_homeserver_url }}" matrix_appservice_discord_bridge_disablePresence: false matrix_appservice_discord_bridge_enableSelfServiceBridging: false +# Tells whether the bot should make use of "Privileged Gateway Intents". +# +# Enabling this means that you need to enable it for the bot (Discord application) as well, +# by triggering all Intent checkboxes on a page like this: `https://discord.com/developers/applications/694448564151123988/bot` +# +# Learn more: https://gist.github.com/advaith1/e69bcc1cdd6d0087322734451f15aa2f +matrix_appservice_discord_auth_usePrivilegedIntents: false + matrix_appservice_discord_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_appservice_discord_configuration_extension_yaml: | diff --git a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 index 0c2aab41..aca49228 100644 --- a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 @@ -34,6 +34,9 @@ bridge: auth: clientID: {{ matrix_appservice_discord_client_id|string|to_json }} botToken: {{ matrix_appservice_discord_bot_token }} + # You must enable "Privileged Gateway Intents" in your bot settings on discord.com (e.g. https://discord.com/developers/applications/12345/bot) + # for this to work + usePrivilegedIntents: false logging: # What level should the logger output to the console at. console: "warn" #silly, verbose, info, http, warn, error, silent From c985e17f18d0c3eba97febc546902039d9617ef8 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Fri, 13 Nov 2020 08:44:21 +0100 Subject: [PATCH 1522/2384] updated matrix-sms-bridge --- CHANGELOG.md | 13 +++++++ roles/matrix-bridge-sms/defaults/main.yml | 36 +++++++++---------- roles/matrix-bridge-sms/tasks/init.yml | 2 +- .../matrix-bridge-sms/tasks/setup_install.yml | 20 ++--------- .../tasks/setup_uninstall.yml | 25 +------------ .../tasks/validate_config.yml | 3 +- 6 files changed, 35 insertions(+), 64 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index aa378ae3..ae96ef36 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,16 @@ +# 2020-11-13 + +## Breaking change matrix-sms-bridge + +The new version of [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) changed its database from neo4j to h2. You need to sync the bridge at the first start. Note that this only will sync rooms where the @smsbot:yourServer is member. For rooms without @smsbot:yourServer you need to kick and invite the telephone number **or** invite @smsbot:yourServer. + +1. Add the following to your `vars.yml` file: `matrix_sms_bridge_container_extra_arguments=['--env SPRING_PROFILES_ACTIVE=initialsync']` +2. Login to your host shell and remove old systemd file from your host: `rm /etc/systemd/system/matrix-sms-bridge-database.service` +2. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-matrix-sms-bridge,start` +3. Login to your host shell and check the logs with `journalctl -u matrix-sms-bridge` until the sync finished. +4. Remove the var from the first step. +5. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`. + # 2020-11-10 ## Dynamic DNS support diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 25d2208c..0801fe5b 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,9 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.3.2.RELEASE" -matrix_sms_bridge_database_docker_image: "neo4j:latest" -matrix_sms_bridge_database_docker_image_force_pull: "{{ matrix_sms_bridge_docker_image.endswith(':latest') }}" +matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.4.1.RELEASE" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" @@ -17,29 +15,22 @@ matrix_sms_bridge_data_spool_inbox_processed_path: "{{ matrix_base_data_path }}/ matrix_sms_bridge_data_spool_outbox_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/outbox" matrix_sms_bridge_data_spool_sent_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/sent" matrix_sms_bridge_data_spool_error_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/error" -matrix_sms_bridge_database_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/database" matrix_sms_bridge_appservice_token: '' matrix_sms_bridge_homeserver_token: '' -matrix_sms_bridge_database_username: 'neo4j' -matrix_sms_bridge_database_password: '' - matrix_sms_bridge_container_http_host_bind_port: '' # A list of extra arguments to pass to the container matrix_sms_bridge_container_extra_arguments: [] # List of systemd services that service depends on. -matrix_sms_bridge_systemd_required_services_list: ['docker.service','matrix-sms-bridge-database.service'] -matrix_sms_bridge_database_systemd_required_services_list: ['docker.service'] +matrix_sms_bridge_systemd_required_services_list: ['docker.service'] # List of systemd services that service wants matrix_sms_bridge_systemd_wanted_services_list: [] -matrix_sms_bridge_database_systemd_wanted_services_list: [] matrix_sms_bridge_appservice_url: 'http://matrix-sms-bridge:8080' -matrix_sms_bridge_database_url: 'bolt://matrix-sms-bridge-database:7687' matrix_sms_bridge_homeserver_hostname: 'matrix-synapse' matrix_sms_bridge_homeserver_port: '8008' @@ -47,25 +38,19 @@ matrix_sms_bridge_homserver_domain: "{{ matrix_domain }}" matrix_sms_bridge_default_room: '' matrix_sms_bridge_default_region: '' matrix_sms_bridge_default_timezone: '' +matrix_sms_bridge_single_mode_enabled: false matrix_sms_bridge_gammu_modem: '' matrix_sms_bridge_modem_group: 'dialout' matrix_sms_bridge_gammu_reset_frequency: 0 matrix_sms_bridge_gammu_hard_reset_frequency: 0 +matrix_sms_bridge_gammu_smsc: '' matrix_sms_bridge_configuration_yaml: | #jinja2: lstrip_blocks: "True" # Database connection - org: - neo4j: - driver: - uri: {{ matrix_sms_bridge_database_url }} - authentication: - username: {{ matrix_sms_bridge_database_username }} - password: {{ matrix_sms_bridge_database_password }} - matrix: bridge: sms: @@ -74,6 +59,7 @@ matrix_sms_bridge_configuration_yaml: | defaultRoomId: "{{ matrix_sms_bridge_default_room }}" defaultRegion: "{{ matrix_sms_bridge_default_region }}" defaultTimeZone: "{{ matrix_sms_bridge_default_timezone }}" + singleModeEnabled: "{{ matrix_sms_bridge_single_mode_enabled }}" provider: gammu: # (optional) default is disabled @@ -85,6 +71,12 @@ matrix_sms_bridge_configuration_yaml: | bot: # The domain-part of matrix-ids. E. g. example.org when your userIds look like @unicorn:example.org serverName: {{ matrix_sms_bridge_homserver_domain }} + migration: + url: "jdbc:h2:file:/data/database/db" + username: sa + database: + url: "r2dbc:h2:file:////data/database/db" + username: sa client: homeServer: # The hostname of your Homeserver. @@ -128,6 +120,9 @@ matrix_sms_bridge_gammu_configuration: | InboxFormat = detail OutboxFormat = detail TransmitFormat = auto + {% if matrix_sms_bridge_gammu_smsc is defined and matrix_sms_bridge_gammu_smsc|length %} + SMSC = {{ matrix_sms_bridge_gammu_smsc }} + {% endif %} ResetFrequency = {{ matrix_sms_bridge_gammu_reset_frequency }} HardResetFrequency = {{ matrix_sms_bridge_gammu_hard_reset_frequency }} debugLevel = 1 @@ -145,6 +140,9 @@ matrix_sms_bridge_registration_yaml: | users: - exclusive: true regex: '^@sms_.+:{{ matrix_sms_bridge_homserver_domain|regex_escape }}$' + aliases: + - exclusive: true + regex: '^#sms_.+:{{ matrix_sms_bridge_homserver_domain|regex_escape }}$' url: {{ matrix_sms_bridge_appservice_url }} sender_localpart: smsbot rate_limited: false diff --git a/roles/matrix-bridge-sms/tasks/init.yml b/roles/matrix-bridge-sms/tasks/init.yml index 7a49e4b2..cca4d4c5 100644 --- a/roles/matrix-bridge-sms/tasks/init.yml +++ b/roles/matrix-bridge-sms/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_sms_bridge_enabled and matrix_synapse_role_executed|default(False)" - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge','matrix-sms-bridge-database'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge'] }}" when: matrix_sms_bridge_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-sms/tasks/setup_install.yml b/roles/matrix-bridge-sms/tasks/setup_install.yml index 254510a3..1d36ea8d 100644 --- a/roles/matrix-bridge-sms/tasks/setup_install.yml +++ b/roles/matrix-bridge-sms/tasks/setup_install.yml @@ -5,14 +5,6 @@ name: "{{ matrix_sms_bridge_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" -- name: Ensure matrix-sms-bridge databse image is pulled - docker_image: - name: "{{ matrix_sms_bridge_database_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_sms_bridge_database_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sms_bridge_database_docker_image_force_pull }}" - - - name: Ensure matrix-sms-bridge paths exist file: path: "{{ item }}" @@ -31,7 +23,6 @@ - "{{ matrix_sms_bridge_data_spool_outbox_path }}" - "{{ matrix_sms_bridge_data_spool_sent_path }}" - "{{ matrix_sms_bridge_data_spool_error_path }}" - - "{{ matrix_sms_bridge_database_path }}" - name: Ensure matrix-sms-bridge application.yml installed copy: @@ -64,14 +55,7 @@ mode: 0644 register: matrix_sms_bridge_systemd_service_result -- name: Ensure matrix-sms-bridge-database.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-sms-bridge-database.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-sms-bridge-database.service" - mode: 0644 - register: matrix_sms_bridge_database_systemd_service_result - -- name: Ensure systemd reloaded after matrix-sms-bridge.service or matrix-sms-bridge-database.service installation +- name: Ensure systemd reloaded after matrix-sms-bridge.service installation service: daemon_reload: yes - when: matrix_sms_bridge_systemd_service_result.changed or matrix_sms_bridge_database_systemd_service_result.changed + when: matrix_sms_bridge_systemd_service_result.changed \ No newline at end of file diff --git a/roles/matrix-bridge-sms/tasks/setup_uninstall.yml b/roles/matrix-bridge-sms/tasks/setup_uninstall.yml index 87436687..03ddaad0 100644 --- a/roles/matrix-bridge-sms/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-sms/tasks/setup_uninstall.yml @@ -5,11 +5,6 @@ path: "{{ matrix_systemd_path }}/matrix-sms-bridge.service" register: matrix_sms_bridge_service_stat -- name: Check existence of matrix-sms-bridge-database service - stat: - path: "{{ matrix_systemd_path }}/matrix-sms-bridge-database.service" - register: matrix_sms_bridge_database_service_stat - - name: Ensure matrix-sms-bridge is stopped service: name: matrix-sms-bridge @@ -17,26 +12,8 @@ daemon_reload: yes when: "matrix_sms_bridge_service_stat.stat.exists" -- name: Ensure matrix-sms-bridge-database is stopped - service: - name: matrix-sms-bridge-database - state: stopped - daemon_reload: yes - when: "matrix_sms_bridge_database_service_stat.stat.exists" - - name: Ensure matrix-sms-bridge.service doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-sms-bridge.service" state: absent - when: "matrix_sms_bridge_service_stat.stat.exists" - -- name: Ensure matrix-sms-bridge-database.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-sms-bridge-database.service" - state: absent - when: "matrix_sms_bridge_database_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-sms-bridge.service or matrix-sms-bridge-database.service removal - service: - daemon_reload: yes - when: matrix_sms_bridge_service_stat.stat.exists or matrix_sms_bridge_database_service_stat.stat.exists + when: "matrix_sms_bridge_service_stat.stat.exists" \ No newline at end of file diff --git a/roles/matrix-bridge-sms/tasks/validate_config.yml b/roles/matrix-bridge-sms/tasks/validate_config.yml index 0e40aefa..79f62fe1 100644 --- a/roles/matrix-bridge-sms/tasks/validate_config.yml +++ b/roles/matrix-bridge-sms/tasks/validate_config.yml @@ -8,7 +8,6 @@ with_items: - "matrix_sms_bridge_appservice_token" - "matrix_sms_bridge_homeserver_token" - - "matrix_sms_bridge_database_password" - "matrix_sms_bridge_gammu_modem" - "matrix_sms_bridge_default_region" - - "matrix_sms_bridge_default_timezone" + - "matrix_sms_bridge_default_timezone" \ No newline at end of file From 078592454ca0272563525dddcadedb578c4d5a4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Marques?= Date: Fri, 13 Nov 2020 18:13:45 +0000 Subject: [PATCH 1523/2384] Update jitsi web to stable-5142 Changelog https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_5142 --- roles/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 7486821d..d05d2c71 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -51,7 +51,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_container_image_tag: "stable-4857" +matrix_jitsi_container_image_tag: "stable-5142" matrix_jitsi_web_docker_image: "jitsi/web:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" From 5eed874199e51be851995efcb980c260866aceca Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 14 Nov 2020 22:47:14 +0200 Subject: [PATCH 1524/2384] Improve self-building experience (avoid conflict with pullable images) Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/716 This patch makes us use more fully-qualified container image names (either prefixed with docker.io/ or with localhost/). The latter happens when self-building is enabled. We've recently had issues where if an image was removed manually and the service was restarted (making `docker run` fetch it from Docker Hub, etc.), we'd end up with a pulled image, even though we're aiming for a self-built one. Re-running the playbook would then not do a rebuild, because: - the image with that name already exists (even though it's something else) - we sometimes had conditional logic where we'd build only if the git repo changed By explicitly changing the name of the images (prefixing with localhost/), we avoid such confusion and the possibility that we'd automatically pul something which is not what we expect. Also, I've removed that condition where building would happen on git changes only. We now always build (unless an image with that name already exists). We just force-build when the git repo changes. --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 3 ++- .../matrix-bridge-mautrix-facebook/tasks/setup_install.yml | 4 ++-- roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 3 ++- .../matrix-bridge-mautrix-hangouts/tasks/setup_install.yml | 6 +++--- roles/matrix-bridge-mx-puppet-discord/defaults/main.yml | 3 ++- .../matrix-bridge-mx-puppet-discord/tasks/setup_install.yml | 4 +++- roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml | 3 ++- .../tasks/setup_install.yml | 6 ++++-- roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 3 ++- roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml | 6 +++--- roles/matrix-bridge-mx-puppet-slack/defaults/main.yml | 3 ++- roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml | 2 ++ roles/matrix-bridge-mx-puppet-steam/defaults/main.yml | 3 ++- roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml | 2 ++ roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml | 3 ++- .../matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml | 2 ++ roles/matrix-client-element/defaults/main.yml | 3 ++- roles/matrix-client-element/tasks/setup.yml | 6 ++++-- roles/matrix-coturn/defaults/main.yml | 3 ++- roles/matrix-coturn/tasks/setup_coturn.yml | 4 +++- roles/matrix-dynamic-dns/defaults/main.yml | 4 +++- roles/matrix-dynamic-dns/tasks/install.yml | 6 ++++-- roles/matrix-ma1sd/defaults/main.yml | 3 ++- roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 6 +++++- roles/matrix-mailer/defaults/main.yml | 3 ++- roles/matrix-mailer/tasks/setup_mailer.yml | 4 +++- roles/matrix-registration/defaults/main.yml | 3 ++- roles/matrix-registration/tasks/setup.yml | 4 ++-- roles/matrix-synapse-admin/defaults/main.yml | 3 ++- roles/matrix-synapse-admin/tasks/setup.yml | 4 ++-- roles/matrix-synapse/defaults/main.yml | 3 ++- roles/matrix-synapse/tasks/synapse/setup_install.yml | 6 ++++-- 32 files changed, 81 insertions(+), 40 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 610bcc11..c34da88f 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -6,7 +6,8 @@ matrix_mautrix_facebook_enabled: true matrix_mautrix_facebook_container_image_self_build: false # See: https://mau.dev/tulir/mautrix-facebook/container_registry -matrix_mautrix_facebook_docker_image: "dock.mau.dev/tulir/mautrix-facebook:latest" +matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:latest" +matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index a1131d8e..75ea7a6b 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -43,12 +43,12 @@ docker_image: name: "{{ matrix_mautrix_facebook_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_facebook_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build and matrix_mautrix_facebook_git_pull_results.changed" + when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build|bool" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 8430527a..13bc1a6c 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -6,7 +6,8 @@ matrix_mautrix_hangouts_enabled: true matrix_mautrix_hangouts_container_image_self_build: false # See: https://mau.dev/tulir/mautrix-hangouts/container_registry -matrix_mautrix_hangouts_docker_image: "dock.mau.dev/tulir/mautrix-hangouts:latest" +matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}tulir/mautrix-hangouts:latest" +matrix_mautrix_hangouts_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_hangouts_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_hangouts_docker_image_force_pull: "{{ matrix_mautrix_hangouts_docker_image.endswith(':latest') }}" matrix_mautrix_hangouts_base_path: "{{ matrix_base_data_path }}/mautrix-hangouts" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index 97893be7..5dc5f20a 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -36,18 +36,18 @@ dest: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" force: "yes" register: matrix_mautrix_hangouts_git_pull_results - when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build" + when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build|bool" - name: Ensure Mautrix Hangouts Docker image is built docker_image: name: "{{ matrix_mautrix_hangouts_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_mautrix_hangouts_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build and matrix_mautrix_hangouts_git_pull_results.changed" + when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build|bool" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 12c597d4..30732000 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -10,7 +10,8 @@ matrix_mx_puppet_discord_container_image_self_build: false # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_discord_container_http_host_bind_port: '' -matrix_mx_puppet_discord_docker_image: "sorunome/mx-puppet-discord:latest" +matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:latest" +matrix_mx_puppet_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_discord_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_discord_docker_image_force_pull: "{{ matrix_mx_puppet_discord_docker_image.endswith(':latest') }}" matrix_mx_puppet_discord_base_path: "{{ matrix_base_data_path }}/mx-puppet-discord" diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index e1aef147..e36950bd 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml @@ -35,17 +35,19 @@ repo: https://github.com/matrix-discord/mx-puppet-discord.git dest: "{{ matrix_mx_puppet_discord_docker_src_files_path }}" force: "yes" + register: matrix_mx_puppet_discord_git_pull_results when: "matrix_mx_puppet_discord_enabled|bool and matrix_mx_puppet_discord_container_image_self_build" - name: Ensure MX Puppet Discord Docker image is built docker_image: name: "{{ matrix_mx_puppet_discord_docker_image }}" source: build + force_source: "{{ matrix_mx_puppet_discord_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_discord_docker_src_files_path }}" pull: yes - when: "matrix_mx_puppet_discord_enabled|bool and matrix_mx_puppet_discord_container_image_self_build" + when: "matrix_mx_puppet_discord_enabled|bool and matrix_mx_puppet_discord_container_image_self_build|bool" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml index c7488cbb..108a0a34 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -5,7 +5,8 @@ matrix_mx_puppet_instagram_enabled: true matrix_mx_puppet_instagram_container_image_self_build: false -matrix_mx_puppet_instagram_docker_image: "docker.io/sorunome/mx-puppet-instagram:latest" +matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:latest" +matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_instagram_docker_image_force_pull: "{{ matrix_mx_puppet_instagram_docker_image.endswith(':latest') }}" matrix_mx_puppet_instagram_base_path: "{{ matrix_base_data_path }}/mx-puppet-instagram" diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml index d60fbaf2..6b638626 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml @@ -35,17 +35,19 @@ repo: https://github.com/Sorunome/mx-puppet-instagram.git dest: "{{ matrix_mx_puppet_instagram_docker_src_files_path }}" force: "yes" - when: "matrix_mx_puppet_instagram_enabled|bool and matrix_mx_puppet_instagram_container_image_self_build" + register: matrix_mx_puppet_instagram_git_pull_results + when: "matrix_mx_puppet_instagram_enabled|bool and matrix_mx_puppet_instagram_container_image_self_build|bool" - name: Ensure mx-puppet-instagram Docker image is built docker_image: name: "{{ matrix_mx_puppet_instagram_docker_image }}" source: build + force_source: "{{ matrix_mx_puppet_instagram_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_instagram_docker_src_files_path }}" pull: yes - when: "matrix_mx_puppet_instagram_enabled|bool and matrix_mx_puppet_instagram_container_image_self_build" + when: "matrix_mx_puppet_instagram_enabled|bool and matrix_mx_puppet_instagram_container_image_self_build|bool" - name: Ensure mx-puppet-instagram config.yaml installed copy: diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 8b977acf..9e1c71bb 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -5,7 +5,8 @@ matrix_mx_puppet_skype_enabled: true matrix_mx_puppet_skype_container_image_self_build: false -matrix_mx_puppet_skype_docker_image: "sorunome/mx-puppet-skype:latest" +matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:latest" +matrix_mx_puppet_skype_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_skype_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}" matrix_mx_puppet_skype_base_path: "{{ matrix_base_data_path }}/mx-puppet-skype" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 1febca3e..9b04c290 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -36,18 +36,18 @@ dest: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" force: "yes" register: matrix_mx_puppet_skype_git_pull_results - when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build" + when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build|bool" - name: Ensure MX Puppet Skype Docker image is built docker_image: name: "{{ matrix_mx_puppet_skype_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_mx_puppet_skype_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" pull: yes - when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build and matrix_mx_puppet_skype_git_pull_results.changed" + when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build|bool" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 6acfb714..94b37041 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -10,7 +10,8 @@ matrix_mx_puppet_slack_container_image_self_build: false # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_slack_container_http_host_bind_port: '' -matrix_mx_puppet_slack_docker_image: "sorunome/mx-puppet-slack:latest" +matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:latest" +matrix_mx_puppet_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_slack_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}" matrix_mx_puppet_slack_base_path: "{{ matrix_base_data_path }}/mx-puppet-slack" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index ddaede72..b7cdc13c 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -35,12 +35,14 @@ repo: https://github.com/Sorunome/mx-puppet-slack.git dest: "{{ matrix_mx_puppet_slack_docker_src_files_path }}" force: "yes" + register: matrix_mx_puppet_slack_git_pull_results when: "matrix_mx_puppet_slack_enabled|bool and matrix_mx_puppet_slack_container_image_self_build" - name: Ensure MX Puppet Slack Docker image is built docker_image: name: "{{ matrix_mx_puppet_slack_docker_image }}" source: build + force_source: "{{ matrix_mx_puppet_slack_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index bea26d39..cb06bf7d 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -10,7 +10,8 @@ matrix_mx_puppet_steam_container_image_self_build: false # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_steam_container_http_host_bind_port: '' -matrix_mx_puppet_steam_docker_image: "icewind1991/mx-puppet-steam:latest" +matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:latest" +matrix_mx_puppet_steam_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_steam_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_steam_docker_image_force_pull: "{{ matrix_mx_puppet_steam_docker_image.endswith(':latest') }}" matrix_mx_puppet_steam_base_path: "{{ matrix_base_data_path }}/mx-puppet-steam" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index be41c645..d9679510 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml @@ -35,12 +35,14 @@ repo: https://github.com/icewind1991/mx-puppet-steam.git dest: "{{ matrix_mx_puppet_steam_docker_src_files_path }}" force: "yes" + register: matrix_mx_puppet_steam_git_pull_results when: "matrix_mx_puppet_steam_enabled|bool and matrix_mx_puppet_steam_container_image_self_build" - name: Ensure MX Puppet Steam Docker image is built docker_image: name: "{{ matrix_mx_puppet_steam_docker_image }}" source: build + force_source: "{{ matrix_mx_puppet_steam_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_steam_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index 8299fd81..18c39826 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -10,7 +10,8 @@ matrix_mx_puppet_twitter_container_image_self_build: false # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_twitter_container_http_host_bind_port: '' -matrix_mx_puppet_twitter_docker_image: "sorunome/mx-puppet-twitter:latest" +matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:latest" +matrix_mx_puppet_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_twitter_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_twitter_docker_image_force_pull: "{{ matrix_mx_puppet_twitter_docker_image.endswith(':latest') }}" matrix_mx_puppet_twitter_base_path: "{{ matrix_base_data_path }}/mx-puppet-twitter" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index 4773055d..10e49572 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml @@ -35,12 +35,14 @@ repo: https://github.com/Sorunome/mx-puppet-twitter.git dest: "{{ matrix_mx_puppet_twitter_docker_src_files_path }}" force: "yes" + register: matrix_mx_puppet_twitter_git_pull_results when: "matrix_mx_puppet_twitter_enabled|bool and matrix_mx_puppet_twitter_container_image_self_build" - name: Ensure MX Puppet Twitter Docker image is built docker_image: name: "{{ matrix_mx_puppet_twitter_docker_image }}" source: build + force_source: "{{ matrix_mx_puppet_twitter_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_twitter_docker_src_files_path }}" diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index c591b025..f1504c5b 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -2,7 +2,8 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false -matrix_client_element_docker_image: "vectorim/element-web:v1.7.13" +matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.13" +matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element" diff --git a/roles/matrix-client-element/tasks/setup.yml b/roles/matrix-client-element/tasks/setup.yml index 2e8071ca..81f7842f 100644 --- a/roles/matrix-client-element/tasks/setup.yml +++ b/roles/matrix-client-element/tasks/setup.yml @@ -30,17 +30,19 @@ dest: "{{ matrix_client_element_docker_src_files_path }}" version: "{{ matrix_client_element_docker_image.split(':')[1] }}" force: "yes" - when: "matrix_client_element_enabled|bool and matrix_client_element_container_image_self_build" + register: matrix_client_element_git_pull_results + when: "matrix_client_element_enabled|bool and matrix_client_element_container_image_self_build|bool" - name: Ensure Element Docker image is built docker_image: name: "{{ matrix_client_element_docker_image }}" source: build + force_source: "{{ matrix_client_element_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_client_element_docker_src_files_path }}" pull: yes - when: "matrix_client_element_enabled|bool and matrix_client_element_container_image_self_build" + when: "matrix_client_element_enabled|bool and matrix_client_element_container_image_self_build|bool" - name: Ensure Element configuration installed copy: diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 104019a4..4aae3f06 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -2,7 +2,8 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false -matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.3" +matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.1.3" +matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" # The Docker network that Coturn would be put into. diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 17b6137d..fa622caf 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -29,17 +29,19 @@ dest: "{{ matrix_coturn_docker_src_files_path }}" version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" + register: matrix_coturn_git_pull_results when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build" - name: Ensure Coturn Docker image is built docker_image: name: "{{ matrix_coturn_docker_image }}" source: build + force_source: "{{ matrix_coturn_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_coturn_docker_src_files_path }}" pull: yes - when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build" + when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build|bool" - name: Ensure Coturn configuration path exists file: diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index 0d34ccea..17c57f2c 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -5,7 +5,9 @@ matrix_dynamic_dns_enabled: true matrix_dynamic_dns_daemon_interval: '300' # The docker container to use when in mode -matrix_dynamic_dns_docker_image: 'linuxserver/ddclient:v3.9.1-ls45' +matrix_dynamic_dns_docker_image: '{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:v3.9.1-ls45' + +matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else 'docker.io/' }}" # The image to force pull matrix_dynamic_dns_docker_image_force_pull: "{{ matrix_dynamic_dns_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-dynamic-dns/tasks/install.yml b/roles/matrix-dynamic-dns/tasks/install.yml index 225738bf..9ca1043f 100644 --- a/roles/matrix-dynamic-dns/tasks/install.yml +++ b/roles/matrix-dynamic-dns/tasks/install.yml @@ -26,17 +26,19 @@ repo: https://github.com/linuxserver/docker-ddclient.git dest: "{{ matrix_dynamic_dns_docker_src_files_path }}" force: "yes" - when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build" + register: matrix_dynamic_dns_git_pull_results + when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build|bool" - name: Ensure Dynamic DNS Docker image is built docker_image: name: "{{ matrix_dynamic_dns_docker_image }}" source: build + force_source: "{{ matrix_dynamic_dns_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_dynamic_dns_docker_src_files_path }}" pull: yes - when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build" + when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build|bool" - name: Ensure Dynamic DNS ddclient.conf installed template: diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 63bc5a59..b86f7ee0 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -7,7 +7,8 @@ matrix_ma1sd_container_image_self_build: false matrix_ma1sd_architecture: "amd64" -matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.4.0-{{ matrix_ma1sd_architecture }}" +matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:2.4.0-{{ matrix_ma1sd_architecture }}" +matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else 'docker.io/' }}" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml index 44fe6b19..8814e6b9 100644 --- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -56,6 +56,7 @@ dest: "{{ matrix_ma1sd_docker_src_files_path }}" version: "{{ matrix_ma1sd_docker_image.split(':')[1].split('-')[0] }}" force: "yes" + register: matrix_ma1sd_git_pull_results - name: Ensure ma1sd Docker image is built shell: "./gradlew dockerBuild" @@ -64,7 +65,10 @@ - name: Ensure ma1sd Docker image is tagged correctly docker_image: - name: "{{ matrix_ma1sd_docker_image.split('-')[0] }}" + # The build script always tags the image with something like `ma1uta/ma1sd:2.4.0`. + # Remove the `-{{ matrix_ma1sd_architecture }}` suffix and our `localhost/` prefix (applied when self-building) + # to get to what has actually been built, so we can retag it as `{{ matrix_ma1sd_docker_image }}`. + name: "{{ matrix_ma1sd_docker_image.split('-')[0].replace('localhost/', '') }}" repository: "{{ matrix_ma1sd_docker_image }}" force_tag: yes source: local diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index 0a8fd13c..f396d8ee 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,8 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_docker_image: "devture/exim-relay:4.93.1-r0" +matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93.1-r0" +matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else 'docker.io/' }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" # The user/group that the container runs with. diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml index 99370638..cb979080 100644 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -29,12 +29,14 @@ dest: "{{ matrix_mailer_container_image_self_build_src_files_path }}" version: "{{ matrix_mailer_container_image_self_build_version }}" force: "yes" - when: "matrix_mailer_container_image_self_build|bool" + register: matrix_mailer_git_pull_results + when: "matrix_mailer_enabled|bool and matrix_mailer_container_image_self_build|bool" - name: Ensure exim-relay Docker image is built docker_image: name: "{{ matrix_mailer_docker_image }}" source: build + force_source: "{{ matrix_mailer_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mailer_container_image_self_build_src_files_path }}" diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index 7eb9340e..c2150488 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -12,7 +12,8 @@ matrix_registration_docker_src_files_path: "{{ matrix_registration_base_path }}/ matrix_registration_version: "v0.7.0" -matrix_registration_docker_image: "devture/zeratax-matrix-registration:{{ matrix_registration_version }}" +matrix_registration_docker_image: "{{ matrix_registration_docker_image_name_prefix }}devture/zeratax-matrix-registration:{{ matrix_registration_version }}" +matrix_registration_docker_image_name_prefix: "{{ 'localhost/' if matrix_registration_container_image_self_build else 'docker.io/' }}" matrix_registration_docker_image_force_pull: "{{ matrix_registration_docker_image.endswith(':latest') }}" matrix_registration_docker_repo: "https://github.com/ZerataX/matrix-registration" diff --git a/roles/matrix-registration/tasks/setup.yml b/roles/matrix-registration/tasks/setup.yml index 29b2347b..253f7aea 100644 --- a/roles/matrix-registration/tasks/setup.yml +++ b/roles/matrix-registration/tasks/setup.yml @@ -39,12 +39,12 @@ docker_image: name: "{{ matrix_registration_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_registration_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_registration_docker_src_files_path }}" pull: yes - when: "matrix_registration_enabled|bool and matrix_registration_container_image_self_build|bool and matrix_registration_git_pull_results.changed" + when: "matrix_registration_enabled|bool and matrix_registration_container_image_self_build|bool" - name: Ensure matrix-registration config installed copy: diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 17de0636..6f1d219e 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -7,7 +7,8 @@ matrix_synapse_admin_container_self_build: false matrix_synapse_admin_docker_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_docker_image: "awesometechnologies/synapse-admin:0.5.0" +matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:0.5.0" +matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else 'docker.io/' }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml index 0ee5e8d2..6d2b8c20 100644 --- a/roles/matrix-synapse-admin/tasks/setup.yml +++ b/roles/matrix-synapse-admin/tasks/setup.yml @@ -24,12 +24,12 @@ docker_image: name: "{{ matrix_synapse_admin_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_synapse_admin_git_pull_results }}" build: dockerfile: Dockerfile path: "{{ matrix_synapse_admin_docker_src_files_path }}" pull: yes - when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool and matrix_synapse_admin_git_pull_results.changed" + when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool" - name: Ensure matrix-synapse-admin.service installed template: diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 5777e802..4cc819a6 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,8 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.22.1" +matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.22.1" +matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index 58f4d31d..51f846e3 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -24,17 +24,19 @@ dest: "{{ matrix_synapse_docker_src_files_path }}" version: "{{ matrix_synapse_docker_image.split(':')[1] }}" force: "yes" - when: "matrix_synapse_container_image_self_build" + register: matrix_synapse_git_pull_results + when: "matrix_synapse_container_image_self_build|bool" - name: Ensure Synapse Docker image is built docker_image: name: "{{ matrix_synapse_docker_image }}" source: build + force_source: "{{ matrix_synapse_git_pull_results.changed }}" build: dockerfile: docker/Dockerfile path: "{{ matrix_synapse_docker_src_files_path }}" pull: yes - when: "matrix_synapse_container_image_self_build" + when: "matrix_synapse_container_image_self_build|bool" - name: Ensure Synapse Docker image is pulled docker_image: From ccabc82d4cd46f586fac9fc63c4f54abe35cd49c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 14 Nov 2020 22:53:23 +0200 Subject: [PATCH 1525/2384] Use more fully-qualified container images This is both for consistency with 93cc71cb69976c and for making things more obvious. --- roles/matrix-bot-matrix-reminder-bot/defaults/main.yml | 2 +- .../matrix-bridge-appservice-discord/defaults/main.yml | 2 +- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- roles/matrix-bridge-appservice-slack/defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- roles/matrix-bridge-sms/defaults/main.yml | 2 +- roles/matrix-corporal/defaults/main.yml | 2 +- roles/matrix-dimension/defaults/main.yml | 2 +- roles/matrix-email2matrix/defaults/main.yml | 2 +- roles/matrix-jitsi/defaults/main.yml | 8 ++++---- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++-- roles/matrix-postgres/defaults/main.yml | 10 +++++----- 12 files changed, 20 insertions(+), 20 deletions(-) diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index 8f4a2c2f..33028147 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -3,7 +3,7 @@ matrix_bot_matrix_reminder_bot_enabled: true -matrix_bot_matrix_reminder_bot_docker_image: "anoa/matrix-reminder-bot:release-v0.2.0" +matrix_bot_matrix_reminder_bot_docker_image: "docker.io/anoa/matrix-reminder-bot:release-v0.2.0" matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}" matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot" diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 97ad8e89..d03ebb92 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_discord_enabled: true -matrix_appservice_discord_docker_image: "halfshot/matrix-appservice-discord:latest" +matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:latest" matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}" matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord" diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 2cbb3e5f..7ff2d46a 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_irc_enabled: true -matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.17.1" +matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:release-0.17.1" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index eef7d070..f2cfd8f9 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_slack_enabled: true -matrix_appservice_slack_docker_image: "matrixdotorg/matrix-appservice-slack:release-1.5.0" +matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:release-1.5.0" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack" diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 0fb5abbc..e668f918 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_webhooks_enabled: true -matrix_appservice_webhooks_docker_image: "turt2live/matrix-appservice-webhooks:latest" +matrix_appservice_webhooks_docker_image: "docker.io/turt2live/matrix-appservice-webhooks:latest" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks" diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 0801fe5b..9f0f10f6 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "folivonet/matrix-sms-bridge:0.4.1.RELEASE" +matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.4.1.RELEASE" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 52681a30..def3fcc9 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -19,7 +19,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_docker_image: "devture/matrix-corporal:1.11.0" +matrix_corporal_docker_image: "docker.io/devture/matrix-corporal:1.11.0" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 33e7212c..3b69227a 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -12,7 +12,7 @@ matrix_dimension_widgets_allow_self_signed_ssl_certificates: false matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" -matrix_dimension_docker_image: "turt2live/matrix-dimension:latest" +matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:latest" matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}" # The user and group id correspond to the node user in the `turt2live/matrix-dimension` image. diff --git a/roles/matrix-email2matrix/defaults/main.yml b/roles/matrix-email2matrix/defaults/main.yml index 68ff1990..7917decf 100644 --- a/roles/matrix-email2matrix/defaults/main.yml +++ b/roles/matrix-email2matrix/defaults/main.yml @@ -3,7 +3,7 @@ matrix_email2matrix_enabled: true matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix" matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config" -matrix_email2matrix_docker_image: "devture/email2matrix:1.0.1" +matrix_email2matrix_docker_image: "docker.io/devture/email2matrix:1.0.1" matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index d05d2c71..69e1ae54 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -53,7 +53,7 @@ matrix_jitsi_enable_lobby: false matrix_jitsi_container_image_tag: "stable-5142" -matrix_jitsi_web_docker_image: "jitsi/web:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_web_docker_image: "docker.io/jitsi/web:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" @@ -114,7 +114,7 @@ matrix_jitsi_web_config_constraints_video_height_ideal: 720 matrix_jitsi_web_config_constraints_video_height_max: 720 matrix_jitsi_web_config_constraints_video_height_min: 240 -matrix_jitsi_prosody_docker_image: "jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_prosody_docker_image: "docker.io/jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -128,7 +128,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_jicofo_docker_image: "docker.io/jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -145,7 +145,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_jvb_docker_image: "docker.io/jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 67b32d89..ceba9ab6 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "nginx:1.19.4-alpine" +matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.4-alpine" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" @@ -259,7 +259,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.9.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.9.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index f4fc180e..8717fdb6 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -8,11 +8,11 @@ matrix_postgres_db_name: "" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" -matrix_postgres_docker_image_v9: "postgres:9.6.19-alpine" -matrix_postgres_docker_image_v10: "postgres:10.14-alpine" -matrix_postgres_docker_image_v11: "postgres:11.9-alpine" -matrix_postgres_docker_image_v12: "postgres:12.4-alpine" -matrix_postgres_docker_image_v13: "postgres:13.0-alpine" +matrix_postgres_docker_image_v9: "docker.io/postgres:9.6.19-alpine" +matrix_postgres_docker_image_v10: "docker.io/postgres:10.14-alpine" +matrix_postgres_docker_image_v11: "docker.io/postgres:11.9-alpine" +matrix_postgres_docker_image_v12: "docker.io/postgres:12.4-alpine" +matrix_postgres_docker_image_v13: "docker.io/postgres:13.0-alpine" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" # This variable is assigned at runtime. Overriding its value has no effect. From 775b1ca7afdeddc91a04f37e2999696bc9cd2289 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Sun, 15 Nov 2020 12:12:44 +0100 Subject: [PATCH 1526/2384] updated matrix-sms-bridge image version --- roles/matrix-bridge-sms/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 9f0f10f6..ca431abf 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.4.1.RELEASE" +matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.4.2.RELEASE" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" From 787a9ef8ad2313b6623e8baf3a0dc2a6819eb448 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 16 Nov 2020 11:51:11 +0100 Subject: [PATCH 1527/2384] updated matrix-sms-bridge image --- roles/matrix-bridge-sms/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index ca431abf..882f44d4 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.4.2.RELEASE" +matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.4.3.RELEASE" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" From 8153e25d2de5e3f33b3a49d64449fab81e108679 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 16 Nov 2020 13:59:03 +0100 Subject: [PATCH 1528/2384] updated matrix-sms-bridge image --- roles/matrix-bridge-sms/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 882f44d4..7ad449bb 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.4.3.RELEASE" +matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.4.4.RELEASE" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" From f7d7190bd0909f29005fab87ae636c284d14cdda Mon Sep 17 00:00:00 2001 From: transcaffeine Date: Tue, 17 Nov 2020 21:20:12 +0100 Subject: [PATCH 1529/2384] update mautrix-telegram to 0.9.0 --- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index d2ab9909..b6f4ef5b 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -4,7 +4,7 @@ matrix_mautrix_telegram_enabled: true # See: https://mau.dev/tulir/mautrix-telegram/container_registry -matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.8.2" +matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.9.0" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" From 41fa00edb412f31b264998df6b6750e1e479c15b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 18 Nov 2020 12:53:58 +0200 Subject: [PATCH 1530/2384] Revert "Update jitsi web to stable-5142" This reverts commit 078592454ca0272563525dddcadedb578c4d5a4e due to reports of breakage both in the support chat room and in here https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/719 --- roles/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 69e1ae54..865424ed 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -51,7 +51,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_container_image_tag: "stable-5142" +matrix_jitsi_container_image_tag: "stable-4857" matrix_jitsi_web_docker_image: "docker.io/jitsi/web:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" From c58a7e03c72510bcdd30662a440775bc26226e1c Mon Sep 17 00:00:00 2001 From: transcaffeine Date: Wed, 18 Nov 2020 14:16:46 +0100 Subject: [PATCH 1531/2384] synapse: update to 1.23.0 --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 4cc819a6..aadb47ee 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.22.1" +matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.23.0" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -59,7 +59,7 @@ matrix_synapse_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-synapse.service wants matrix_synapse_systemd_wanted_services_list: [] -matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.7/site-packages" +matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.8/site-packages" # Specifies which template files to use when configuring Synapse. # If you'd like to have your own different configuration, feel free to copy and paste From b627d93cdc78fc37191a0fcf5d0eeabcd37c5a35 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 18 Nov 2020 16:57:50 +0200 Subject: [PATCH 1532/2384] Update homeserver.yaml to keep up with Synapse v1.23.0 Related to #724 (Github Pull Request) --- .../templates/synapse/homeserver.yaml.j2 | 187 ++++++++++-------- 1 file changed, 109 insertions(+), 78 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index f58f34f8..8c68189b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1482,10 +1482,8 @@ trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }} ## Single sign-on integration ## -# Enable SAML2 for registration and login. Uses pysaml2. -# -# At least one of `sp_config` or `config_path` must be set in this section to -# enable SAML login. +# The following settings can be used to make Synapse use a single sign-on +# provider for authentication, instead of its internal password database. # # You will probably also want to set the following options to `false` to # disable the regular login/registration flows: @@ -1494,6 +1492,11 @@ trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }} # # You will also want to investigate the settings under the "sso" configuration # section below. + +# Enable SAML2 for registration and login. Uses pysaml2. +# +# At least one of `sp_config` or `config_path` must be set in this section to +# enable SAML login. # # Once SAML support is enabled, a metadata file will be exposed at # https://:/_matrix/saml2/metadata.xml, which you may be able to @@ -1509,40 +1512,64 @@ saml2_config: # so it is not normally necessary to specify them unless you need to # override them. # - #sp_config: - # # point this to the IdP's metadata. You can use either a local file or - # # (preferably) a URL. - # metadata: - # #local: ["saml2/idp.xml"] - # remote: - # - url: https://our_idp/metadata.xml - # - # # By default, the user has to go to our login page first. If you'd like - # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a - # # 'service.sp' section: - # # - # #service: - # # sp: - # # allow_unsolicited: true - # - # # The examples below are just used to generate our metadata xml, and you - # # may well not need them, depending on your setup. Alternatively you - # # may need a whole lot more detail - see the pysaml2 docs! - # - # description: ["My awesome SP", "en"] - # name: ["Test SP", "en"] - # - # organization: - # name: Example com - # display_name: - # - ["Example co", "en"] - # url: "http://example.com" - # - # contact_person: - # - given_name: Bob - # sur_name: "the Sysadmin" - # email_address": ["admin@example.com"] - # contact_type": technical + sp_config: + # Point this to the IdP's metadata. You must provide either a local + # file via the `local` attribute or (preferably) a URL via the + # `remote` attribute. + # + #metadata: + # local: ["saml2/idp.xml"] + # remote: + # - url: https://our_idp/metadata.xml + + # By default, the user has to go to our login page first. If you'd like + # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # 'service.sp' section: + # + #service: + # sp: + # allow_unsolicited: true + + # The examples below are just used to generate our metadata xml, and you + # may well not need them, depending on your setup. Alternatively you + # may need a whole lot more detail - see the pysaml2 docs! + + #description: ["My awesome SP", "en"] + #name: ["Test SP", "en"] + + #ui_info: + # display_name: + # - lang: en + # text: "Display Name is the descriptive name of your service." + # description: + # - lang: en + # text: "Description should be a short paragraph explaining the purpose of the service." + # information_url: + # - lang: en + # text: "https://example.com/terms-of-service" + # privacy_statement_url: + # - lang: en + # text: "https://example.com/privacy-policy" + # keywords: + # - lang: en + # text: ["Matrix", "Element"] + # logo: + # - lang: en + # text: "https://example.com/logo.svg" + # width: "200" + # height: "80" + + #organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + + #contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical # Instead of putting the config inline as above, you can specify a # separate pysaml2 configuration file: @@ -1617,37 +1644,11 @@ saml2_config: # - attribute: department # value: "sales" - # Directory in which Synapse will try to find the template files below. - # If not set, default templates from within the Synapse package will be used. - # - # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. - # If you *do* uncomment it, you will need to make sure that all the templates - # below are in the directory. - # - # Synapse will look for the following templates in this directory: - # - # * HTML page to display to users if something goes wrong during the - # authentication process: 'saml_error.html'. - # - # When rendering, this template is given the following variables: - # * code: an HTML error code corresponding to the error that is being - # returned (typically 400 or 500) - # - # * msg: a textual message describing the error. - # - # The variables will automatically be HTML-escaped. - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" - -# OpenID Connect integration. The following settings can be used to make Synapse -# use an OpenID Connect Provider for authentication, instead of its internal -# password database. +# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login. # -# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md. +# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md +# for some example configurations. # oidc_config: # Uncomment the following to enable authorization against an OpenID Connect @@ -1770,17 +1771,47 @@ oidc_config: # #display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}" + # Jinja2 templates for extra attributes to send back to the client during + # login. + # + # Note that these are non-standard and clients will ignore them without modifications. + # + #extra_attributes: + #birthdate: "{% raw %}{{ user.birthdate }}{% endraw %}" + -# Enable CAS for registration and login. +# Enable Central Authentication Service (CAS) for registration and login. # -#cas_config: -# enabled: true -# server_url: "https://cas-server.com" -# service_url: "https://homeserver.domain.com:8448" -# #displayname_attribute: name -# #required_attributes: -# # name: value +cas_config: + # Uncomment the following to enable authorization against a CAS server. + # Defaults to false. + # + #enabled: true + + # The URL of the CAS authorization endpoint. + # + #server_url: "https://cas-server.com" + + # The public URL of the homeserver. + # + #service_url: "https://homeserver.domain.com:8448" + + # The attribute of the CAS response to use as the display name. + # + # If unset, no displayname will be set. + # + #displayname_attribute: name + + # It is possible to configure Synapse to only allow logins if CAS attributes + # match particular values. All of the keys in the mapping below must exist + # and the values must match the given value. Alternately if the given value + # is None then any value is allowed (the attribute just must exist). + # All of the listed attributes must match for the login to be permitted. + # + #required_attributes: + # userGroup: "staff" + # department: None # Additional settings to use with single-sign on systems such as OpenID Connect, @@ -1880,7 +1911,7 @@ sso: # and issued at ("iat") claims are validated if present. # # Note that this is a non-standard login type and client support is -# expected to be non-existant. +# expected to be non-existent. # # See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md. # @@ -2411,7 +2442,7 @@ alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }} # # Options for the rules include: # -# user_id: Matches agaisnt the creator of the alias +# user_id: Matches against the creator of the alias # room_id: Matches against the room ID being published # alias: Matches against any current local or canonical aliases # associated with the room @@ -2459,7 +2490,7 @@ opentracing: # This is a list of regexes which are matched against the server_name of the # homeserver. # - # By defult, it is empty, so no servers are matched. + # By default, it is empty, so no servers are matched. # #homeserver_whitelist: # - ".*" From 6c85b84c1e146bb100d18e01d0d123d1b299490d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 18 Nov 2020 18:36:03 +0200 Subject: [PATCH 1533/2384] Fix self-building for synapse-admin --- roles/matrix-synapse-admin/tasks/setup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml index 6d2b8c20..d30657d3 100644 --- a/roles/matrix-synapse-admin/tasks/setup.yml +++ b/roles/matrix-synapse-admin/tasks/setup.yml @@ -24,7 +24,7 @@ docker_image: name: "{{ matrix_synapse_admin_docker_image }}" source: build - force_source: "{{ matrix_synapse_admin_git_pull_results }}" + force_source: "{{ matrix_synapse_admin_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_synapse_admin_docker_src_files_path }}" From 4713e5d5f7a061ff8441810e52c2effd92524ab4 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 23 Nov 2020 12:30:39 +0100 Subject: [PATCH 1534/2384] updated matrix-sms-bridge to 0.5.0 --- ...uring-playbook-bridge-matrix-bridge-sms.md | 30 +++++---- roles/matrix-bridge-sms/defaults/main.yml | 66 ++++++------------- .../matrix-bridge-sms/tasks/setup_install.yml | 14 ++-- .../tasks/validate_config.yml | 6 +- .../matrix-sms-bridge-database.service.j2 | 36 ---------- .../systemd/matrix-sms-bridge.service.j2 | 4 -- 6 files changed, 46 insertions(+), 110 deletions(-) delete mode 100644 roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge-database.service.j2 diff --git a/docs/configuring-playbook-bridge-matrix-bridge-sms.md b/docs/configuring-playbook-bridge-matrix-bridge-sms.md index 99b4f6f0..59b21d61 100644 --- a/docs/configuring-playbook-bridge-matrix-bridge-sms.md +++ b/docs/configuring-playbook-bridge-matrix-bridge-sms.md @@ -1,11 +1,10 @@ # Setting up matrix-sms-bridge (optional) -The playbook can install and configure -[matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for you. +The playbook can install and configure [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for you. See the project page to learn what it does and why it might be useful to you. -First you need to ensure, that the bridge has unix read and write rights to your modem. On debian based distributions there is nothing to do. On others distributions you either add a group `dialout` to your host and assign it to your modem or you give the matrix user or group access to your modem. +** The bridge uses [android-sms-gateway-server](https://github.com/RebekkaMa/android-sms-gateway-server). You need to configure it first. ** To enable the bridge just use the following playbook configuration: @@ -13,16 +12,23 @@ playbook configuration: ```yaml matrix_sms_bridge_enabled: true -matrix_sms_bridge_gammu_modem: "/dev/serial/by-id/myDeviceId" -# generate a secret passwort e.g. with pwgen -s 64 1 -matrix_sms_bridge_database_password: "" -# (optional) a room id to a default room + +# (optional but recommended) a room id to a default room matrix_sms_bridge_default_room: "" -# (optional) gammu reset frequencies (see https://wammu.eu/docs/manual/smsd/config.html#option-ResetFrequency) -matrix_sms_bridge_gammu_reset_frequency: 3600 -matrix_sms_bridge_gammu_hard_reset_frequency: 0 -# (optional) group with unix read and write rights to modem -matrix_sms_bridge_modem_group: 'dialout' + +# (optional but recommended) configure your server location +matrix_sms_bridge_default_region: DE +matrix_sms_bridge_default_timezone: Europe/Berlin + +# Settings to connect to android-sms-gateway-server +matrix_sms_bridge_provider_android_baseurl: https://192.168.24.24:9090 +matrix_sms_bridge_provider_android_username: admin +matrix_sms_bridge_provider_android_password: supeSecretPassword + +# (optional) ff your android-sms-gateway-server uses a self signed vertificate, the bridge needs a "truststore". This can be the certificate itself. +matrix_sms_bridge_provider_android_truststore_local_path: android-sms-gateway-server.p12 +matrix_sms_bridge_provider_android_truststore_password: 123 + ``` diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 7ad449bb..74ec2ec7 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,18 +3,11 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.4.4.RELEASE" +matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.0" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" matrix_sms_bridge_data_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data" -matrix_sms_bridge_data_log_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/log" -matrix_sms_bridge_data_spool_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool" -matrix_sms_bridge_data_spool_inbox_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/inbox" -matrix_sms_bridge_data_spool_inbox_processed_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/inbox_processed" -matrix_sms_bridge_data_spool_outbox_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/outbox" -matrix_sms_bridge_data_spool_sent_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/sent" -matrix_sms_bridge_data_spool_error_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/data/spool/error" matrix_sms_bridge_appservice_token: '' matrix_sms_bridge_homeserver_token: '' @@ -40,11 +33,11 @@ matrix_sms_bridge_default_region: '' matrix_sms_bridge_default_timezone: '' matrix_sms_bridge_single_mode_enabled: false -matrix_sms_bridge_gammu_modem: '' -matrix_sms_bridge_modem_group: 'dialout' -matrix_sms_bridge_gammu_reset_frequency: 0 -matrix_sms_bridge_gammu_hard_reset_frequency: 0 -matrix_sms_bridge_gammu_smsc: '' +matrix_sms_bridge_provider_android_baseurl: '' +matrix_sms_bridge_provider_android_username: '' +matrix_sms_bridge_provider_android_password: '' +matrix_sms_bridge_provider_android_truststore_local_path: '' +matrix_sms_bridge_provider_android_truststore_password: '' matrix_sms_bridge_configuration_yaml: | @@ -61,13 +54,22 @@ matrix_sms_bridge_configuration_yaml: | defaultTimeZone: "{{ matrix_sms_bridge_default_timezone }}" singleModeEnabled: "{{ matrix_sms_bridge_single_mode_enabled }}" provider: - gammu: + android: # (optional) default is disabled enabled: true - # (optional) Path to the Gammu-Inbox directory. - inboxPath: /data/spool/inbox - # (optional) Path to the directory, where to put processed messages. - inboxProcessedPath: /data/spool/inbox_processed + # The url to the android-sms-gateway-server + baseUrl: {{ matrix_sms_bridge_provider_android_baseurl }} + # The username of the gateway + username: {{ matrix_sms_bridge_provider_android_username }} + # The password of the gateway + password: {{ matrix_sms_bridge_provider_android_password }} + # (optional) if you use a self signed certificate, you can add the public key here + {% if matrix_sms_bridge_provider_android_truststore_path %} + trustStore: + path: /data/config/matrix-sms-gateway-server.p12 + password: {{ matrix_sms_bridge_provider_android_truststore_password }} + type: PKCS12 + {% endif %} bot: # The domain-part of matrix-ids. E. g. example.org when your userIds look like @unicorn:example.org serverName: {{ matrix_sms_bridge_homserver_domain }} @@ -104,34 +106,6 @@ matrix_sms_bridge_configuration_extension: "{{ matrix_sms_bridge_configuration_e matrix_sms_bridge_configuration: "{{ matrix_sms_bridge_configuration_yaml|from_yaml|combine(matrix_sms_bridge_configuration_extension, recursive=True) }}" -matrix_sms_bridge_gammu_configuration: | - [gammu] - Device = {{ matrix_sms_bridge_gammu_modem }} - LogFile = /data/log/gammu.log - debugLevel = 1 - - [smsd] - Service = files - LoopSleep = 2 - InboxPath = /data/spool/inbox/ - OutboxPath = /data/spool/outbox/ - SentSMSPath = /data/spool/sent/ - ErrorSMSPath = /data/spool/error/ - InboxFormat = detail - OutboxFormat = detail - TransmitFormat = auto - {% if matrix_sms_bridge_gammu_smsc is defined and matrix_sms_bridge_gammu_smsc|length %} - SMSC = {{ matrix_sms_bridge_gammu_smsc }} - {% endif %} - ResetFrequency = {{ matrix_sms_bridge_gammu_reset_frequency }} - HardResetFrequency = {{ matrix_sms_bridge_gammu_hard_reset_frequency }} - debugLevel = 1 - LogFile = /data/log/smsd.log - DeliveryReport = no - HangupCalls = 1 - CheckBattery = 0 - - matrix_sms_bridge_registration_yaml: | id: sms as_token: "{{ matrix_sms_bridge_appservice_token }}" diff --git a/roles/matrix-bridge-sms/tasks/setup_install.yml b/roles/matrix-bridge-sms/tasks/setup_install.yml index 1d36ea8d..1e5f6137 100644 --- a/roles/matrix-bridge-sms/tasks/setup_install.yml +++ b/roles/matrix-bridge-sms/tasks/setup_install.yml @@ -16,13 +16,6 @@ - "{{ matrix_sms_bridge_base_path }}" - "{{ matrix_sms_bridge_config_path }}" - "{{ matrix_sms_bridge_data_path }}" - - "{{ matrix_sms_bridge_data_log_path }}" - - "{{ matrix_sms_bridge_data_spool_path }}" - - "{{ matrix_sms_bridge_data_spool_inbox_path }}" - - "{{ matrix_sms_bridge_data_spool_inbox_processed_path }}" - - "{{ matrix_sms_bridge_data_spool_outbox_path }}" - - "{{ matrix_sms_bridge_data_spool_sent_path }}" - - "{{ matrix_sms_bridge_data_spool_error_path }}" - name: Ensure matrix-sms-bridge application.yml installed copy: @@ -40,13 +33,14 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure matrix-sms-bridge gammu-smsdrc installed +- name: Ensure android-sms-gateway-server cert installed copy: - content: "{{ matrix_sms_bridge_gammu_configuration }}" - dest: "{{ matrix_sms_bridge_config_path }}/gammu-smsdrc" + src: "{{ matrix_sms_bridge_provider_android_truststore_path }}" + dest: "{{ matrix_sms_bridge_config_path }}/matrix-sms-gateway-server.p12" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" + when: matrix_sms_bridge_provider_android_truststore_path != "" - name: Ensure matrix-sms-bridge.service installed template: diff --git a/roles/matrix-bridge-sms/tasks/validate_config.yml b/roles/matrix-bridge-sms/tasks/validate_config.yml index 79f62fe1..6dc6ce9c 100644 --- a/roles/matrix-bridge-sms/tasks/validate_config.yml +++ b/roles/matrix-bridge-sms/tasks/validate_config.yml @@ -8,6 +8,8 @@ with_items: - "matrix_sms_bridge_appservice_token" - "matrix_sms_bridge_homeserver_token" - - "matrix_sms_bridge_gammu_modem" - "matrix_sms_bridge_default_region" - - "matrix_sms_bridge_default_timezone" \ No newline at end of file + - "matrix_sms_bridge_default_timezone" + - "matrix_sms_bridge_provider_android_baseurl" + - "matrix_sms_bridge_provider_android_username" + - "matrix_sms_bridge_provider_android_password" \ No newline at end of file diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge-database.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge-database.service.j2 deleted file mode 100644 index c9bb0343..00000000 --- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge-database.service.j2 +++ /dev/null @@ -1,36 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix sms bridge database -{% for service in matrix_sms_bridge_database_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_sms_bridge_database_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} - -[Service] -Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-sms-bridge-database -ExecStartPre=-/usr/bin/docker rm matrix-sms-bridge-database - -# Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre=/bin/sleep 5 - -ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge-database \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - -v {{ matrix_sms_bridge_database_path }}:/data:z \ - -e NEO4J_AUTH={{ matrix_sms_bridge_database_username }}/{{ matrix_sms_bridge_database_password }} \ - {{ matrix_sms_bridge_database_docker_image }} - -ExecStop=-/usr/bin/docker kill matrix-sms-bridge-database -ExecStop=-/usr/bin/docker rm matrix-sms-bridge-database -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-sms-bridge - - [Install] -WantedBy=multi-user.target diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 index 7cab3742..15464cc4 100644 --- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 @@ -20,7 +20,6 @@ ExecStartPre=/bin/sleep 5 ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --group-add {{ matrix_sms_bridge_modem_group }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ {% if matrix_sms_bridge_container_http_host_bind_port %} @@ -28,9 +27,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ {% endif %} -v {{ matrix_sms_bridge_config_path }}:/config:z \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ - -v {{ matrix_sms_bridge_config_path }}/gammu-smsdrc:/etc/gammu-smsdrc:z \ - --privileged \ - -v /dev:/dev:slave \ {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ {% endfor %} From 2fb42dd7f1c6956087da5071839b596ce14fc91d Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 23 Nov 2020 12:38:17 +0100 Subject: [PATCH 1535/2384] fixed typo in truststore path --- docs/configuring-playbook-bridge-matrix-bridge-sms.md | 2 +- roles/matrix-bridge-sms/defaults/main.yml | 2 +- roles/matrix-bridge-sms/tasks/setup_install.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-bridge-matrix-bridge-sms.md b/docs/configuring-playbook-bridge-matrix-bridge-sms.md index 59b21d61..3dd7398b 100644 --- a/docs/configuring-playbook-bridge-matrix-bridge-sms.md +++ b/docs/configuring-playbook-bridge-matrix-bridge-sms.md @@ -25,7 +25,7 @@ matrix_sms_bridge_provider_android_baseurl: https://192.168.24.24:9090 matrix_sms_bridge_provider_android_username: admin matrix_sms_bridge_provider_android_password: supeSecretPassword -# (optional) ff your android-sms-gateway-server uses a self signed vertificate, the bridge needs a "truststore". This can be the certificate itself. +# (optional) if your android-sms-gateway-server uses a self signed vertificate, the bridge needs a "truststore". This can be the certificate itself. matrix_sms_bridge_provider_android_truststore_local_path: android-sms-gateway-server.p12 matrix_sms_bridge_provider_android_truststore_password: 123 diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 74ec2ec7..b551b43a 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -64,7 +64,7 @@ matrix_sms_bridge_configuration_yaml: | # The password of the gateway password: {{ matrix_sms_bridge_provider_android_password }} # (optional) if you use a self signed certificate, you can add the public key here - {% if matrix_sms_bridge_provider_android_truststore_path %} + {% if matrix_sms_bridge_provider_android_truststore_local_path %} trustStore: path: /data/config/matrix-sms-gateway-server.p12 password: {{ matrix_sms_bridge_provider_android_truststore_password }} diff --git a/roles/matrix-bridge-sms/tasks/setup_install.yml b/roles/matrix-bridge-sms/tasks/setup_install.yml index 1e5f6137..61de923f 100644 --- a/roles/matrix-bridge-sms/tasks/setup_install.yml +++ b/roles/matrix-bridge-sms/tasks/setup_install.yml @@ -35,12 +35,12 @@ - name: Ensure android-sms-gateway-server cert installed copy: - src: "{{ matrix_sms_bridge_provider_android_truststore_path }}" + src: "{{ matrix_sms_bridge_provider_android_truststore_local_path }}" dest: "{{ matrix_sms_bridge_config_path }}/matrix-sms-gateway-server.p12" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_sms_bridge_provider_android_truststore_path != "" + when: matrix_sms_bridge_provider_android_truststore_local_path != "" - name: Ensure matrix-sms-bridge.service installed template: From 76b0b9dc34d4cded3e30c29397d8a59b4d727875 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 23 Nov 2020 12:48:08 +0100 Subject: [PATCH 1536/2384] fixed application.yml loading --- .../templates/systemd/matrix-sms-bridge.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 index 15464cc4..2c7e0105 100644 --- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 @@ -27,6 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ {% endif %} -v {{ matrix_sms_bridge_config_path }}:/config:z \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ + --env SPRING_CONFIG_ADDITIONAL_LOCATION=/config/application.yml {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ {% endfor %} From ad1f0a01ce5ed11482046168ee7e6f1852bdc97a Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 23 Nov 2020 12:49:28 +0100 Subject: [PATCH 1537/2384] fixed systemd service typo --- .../templates/systemd/matrix-sms-bridge.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 index 2c7e0105..7c96f9f4 100644 --- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 @@ -27,7 +27,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-sms-bridge \ {% endif %} -v {{ matrix_sms_bridge_config_path }}:/config:z \ -v {{ matrix_sms_bridge_data_path }}:/data:z \ - --env SPRING_CONFIG_ADDITIONAL_LOCATION=/config/application.yml + --env SPRING_CONFIG_ADDITIONAL_LOCATION=/config/application.yml \ {% for arg in matrix_sms_bridge_container_extra_arguments %} {{ arg }} \ {% endfor %} From f1ceb49ae20b010dc271a15fe644e3d3ee5c02ee Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 23 Nov 2020 12:52:16 +0100 Subject: [PATCH 1538/2384] fixed wrong path of truststore --- roles/matrix-bridge-sms/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index b551b43a..9df04de7 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -66,7 +66,7 @@ matrix_sms_bridge_configuration_yaml: | # (optional) if you use a self signed certificate, you can add the public key here {% if matrix_sms_bridge_provider_android_truststore_local_path %} trustStore: - path: /data/config/matrix-sms-gateway-server.p12 + path: /config/matrix-sms-gateway-server.p12 password: {{ matrix_sms_bridge_provider_android_truststore_password }} type: PKCS12 {% endif %} From 3a2e058f2e26c76c45fb287c2b80aa9d2dbb8185 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 23 Nov 2020 13:07:08 +0100 Subject: [PATCH 1539/2384] updated version of matrix-sms-bridge --- roles/matrix-bridge-sms/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 9df04de7..6477f176 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.0" +matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.1" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" From ff9a4e90c4f0cac1cb7d0471074d122123e9563b Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 23 Nov 2020 13:43:04 +0100 Subject: [PATCH 1540/2384] updated matrix-sms-bridge --- roles/matrix-bridge-sms/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 6477f176..9f1c1d9c 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.1" +matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.2" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" From 8c8002f6396be4eea63f2895689725b528c09928 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Mon, 23 Nov 2020 14:48:04 +0100 Subject: [PATCH 1541/2384] added changelog --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae96ef36..c350d235 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +# 2020-11-23 + +## Breaking change matrix-sms-bridge + +Because of many problems using gammu as SMS provider, matrix-sms-bridge now uses (https://github.com/RebekkaMa/android-sms-gateway-server) by default. See (the docs)[./docs/configuring-playbook-bridge-matrix-bridge-sms.md] which new vars you need to add. + +If you are using this playbook to deploy matrix-sms-bridge and still really want to use gammu as SMS provider, we could possibly add support for both android-sms-gateway-server and gammu. + # 2020-11-13 ## Breaking change matrix-sms-bridge From c9d2ef7981a54525c17c201b604efc764422c2c5 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Mon, 23 Nov 2020 23:05:54 -0600 Subject: [PATCH 1542/2384] Upgrade Element (1.7.13 -> 1.7.14) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index f1504c5b..17a04465 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -2,7 +2,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false -matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.13" +matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.14" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 3e2355282bffe214a3ca5cf98ae56a160e763c8e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 24 Nov 2020 09:06:16 +0200 Subject: [PATCH 1543/2384] Upgrade Postgres minor versions Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/727 --- roles/matrix-postgres/defaults/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 8717fdb6..0d2f50e3 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -8,11 +8,11 @@ matrix_postgres_db_name: "" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" -matrix_postgres_docker_image_v9: "docker.io/postgres:9.6.19-alpine" -matrix_postgres_docker_image_v10: "docker.io/postgres:10.14-alpine" -matrix_postgres_docker_image_v11: "docker.io/postgres:11.9-alpine" -matrix_postgres_docker_image_v12: "docker.io/postgres:12.4-alpine" -matrix_postgres_docker_image_v13: "docker.io/postgres:13.0-alpine" +matrix_postgres_docker_image_v9: "docker.io/postgres:9.6.20-alpine" +matrix_postgres_docker_image_v10: "docker.io/postgres:10.15-alpine" +matrix_postgres_docker_image_v11: "docker.io/postgres:11.10-alpine" +matrix_postgres_docker_image_v12: "docker.io/postgres:12.5-alpine" +matrix_postgres_docker_image_v13: "docker.io/postgres:13.1-alpine" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" # This variable is assigned at runtime. Overriding its value has no effect. From 27c9014cb881fb5296af10b079fa67a39fcdc0f2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 24 Nov 2020 09:38:17 +0200 Subject: [PATCH 1544/2384] Improve uninstallation instructions Also switches to using `docker system prune -a` for a less invasive cleanup of Docker images and related resources. --- docs/uninstalling.md | 30 ++++++++++++++----- .../usr-local-bin/matrix-remove-all.j2 | 6 ++-- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/docs/uninstalling.md b/docs/uninstalling.md index 7acb9bcc..cb55a7b5 100644 --- a/docs/uninstalling.md +++ b/docs/uninstalling.md @@ -1,24 +1,40 @@ # Uninstalling -**Note**: If you have some trouble with your installation configuration, you can just [re-run the playbook](installing.md) and it will try to set things up again. You don't need to uninstall and install fresh. +**Warnings**: -However, if you've installed this on some server where you have other stuff you wish to preserve, and now want get rid of Matrix, it's enough to do these: +- If your server federates with others, make sure to **leave any federated rooms before nuking your Matrix server's data**. Otherwise, the next time you set up a Matrix server for this domain (regardless of the installation method you use), you'll encounter trouble federating. -- ensure all Matrix services are stopped (`systemctl stop 'matrix*'`) +- If you have some trouble with your installation, you can just [re-run the playbook](installing.md) and it will try to set things up again. **Uninstalling and then installing anew rarely solves anything**. -- delete the Matrix-related systemd .service files (`rm -f /etc/systemd/system/matrix*`) and reload systemd (`systemctl daemon-reload`) + +----------------- + + +## Uninstalling using a script + +Installing places a `/usr/local/bin/matrix-remove-all` script on the server. + +You can run it to to have it uninstall things for you automatically (see below). **Use with caution!** + + +## Uninstalling manually + +If you prefer to uninstall manually, run these commands (most are meant to be executed on the Matrix server itself): + +- ensure all Matrix services are stopped: `ansible-playbook -i inventory/hosts setup.yml --tags=stop` (if you can't get Ansible working to run this command, you can run `systemctl stop 'matrix*'` manually on the server) + +- delete the Matrix-related systemd `.service` files (`rm -f /etc/systemd/system/matrix*.service`) and reload systemd (`systemctl daemon-reload`) - delete all Matrix-related cronjobs (`rm -f /etc/cron.d/matrix*`) - delete some helper scripts (`rm -f /usr/local/bin/matrix*`) -- delete some cached Docker images (or just delete them all: `docker rmi $(docker images -aq)`) +- delete some cached Docker images (`docker system prune -a`) or just delete them all (`docker rmi $(docker images -aq)`) -- delete the Docker network: `docker network rm matrix` +- delete the Docker network: `docker network rm matrix` (might have been deleted already if you ran the `docker system prune` command) - uninstall Docker itself, if necessary - delete the `/matrix` directory (`rm -rf /matrix`) -The script `/usr/local/bin/matrix-remove-all` performs all these steps (**use with caution!**). diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 index 972919e3..2a2314a5 100644 --- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 @@ -24,9 +24,9 @@ else find /etc/cron.d/ -name "matrix-*" -delete echo "Remove matrix scripts" find {{ matrix_local_bin_path }}/ -name "matrix-*" -delete - echo "Remove every docker images" - docker rmi $(docker images -aq) - echo "Remove docker matrix network" + echo "Remove unused Docker images and resources" + docker system prune -af + echo "Remove Docker matrix network (should be gone already, but ..)" docker network rm {{ matrix_docker_network }} echo "Remove {{ matrix_base_data_path }} directory" rm -fr "{{ matrix_base_data_path }}" From 1fca917ad13103845eade92be3f5a25616b92988 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 24 Nov 2020 10:15:12 +0200 Subject: [PATCH 1545/2384] Replace some -v instances with --mount `-v` magically creates the source destination as a directory, if it doesn't exist already. We'd like to avoid this magic and the potential breakage that it might cause. We'd rather fail while Docker tries to find things to `--mount` than have it automatically create directories and fail anyway, while having contaminated the filesystem. There's a lot more `-v` instances remaining to be fixed later on. This is just some start. Things like `matrix_synapse_container_additional_volumes` and `matrix_nginx_proxy_container_additional_volumes` were not changed to use `--mount`, as options for each one are passed differently (`ro` is `ro`, but `rw` doesn't exist and `slave` is `bind-propagation=slave`). To avoid breaking people's custom volume mounts, we keep it as it is for now. A deficiency with `--mount` is that it lacks the `z` option (SELinux ownership changes), and some of our `-v` instances use that. I'm not sure how supported SELinux is for us right now, but it might be, and breaking that would not be a good idea. --- .../templates/systemd/matrix-client-element.service.j2 | 10 +++++----- .../templates/systemd/matrix-dimension.service.j2 | 2 +- .../templates/jicofo/matrix-jitsi-jicofo.service.j2 | 2 +- .../templates/jvb/matrix-jitsi-jvb.service.j2 | 2 +- .../templates/prosody/matrix-jitsi-prosody.service.j2 | 4 ++-- .../templates/web/matrix-jitsi-web.service.j2 | 4 ++-- .../templates/systemd/matrix-ma1sd.service.j2 | 4 ++-- .../templates/systemd/matrix-nginx-proxy.service.j2 | 10 +++++----- .../templates/systemd/matrix-postgres.service.j2 | 4 ++-- .../templates/systemd/matrix-registration.service.j2 | 4 ++-- roles/matrix-synapse/tasks/synapse/setup_install.yml | 2 +- .../templates/goofys/systemd/matrix-goofys.service.j2 | 6 +++--- .../synapse/systemd/matrix-synapse.service.j2 | 4 ++-- 13 files changed, 29 insertions(+), 29 deletions(-) diff --git a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 index 49b2f198..39b7aa52 100644 --- a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 +++ b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 @@ -21,13 +21,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-element -p {{ matrix_client_element_container_http_host_bind_port }}:8080 \ {% endif %} --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ - -v {{ matrix_client_element_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ - -v {{ matrix_client_element_data_path }}/config.json:/app/config.json:ro \ - -v {{ matrix_client_element_data_path }}/config.json:/app/config.{{ matrix_server_fqn_element }}.json:ro \ + --mount type=bind,src={{ matrix_client_element_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + --mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.json,ro \ + --mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.{{ matrix_server_fqn_element }}.json,ro \ {% if matrix_client_element_embedded_pages_home_path is not none %} - -v {{ matrix_client_element_data_path }}/home.html:/app/home.html:ro \ + --mount type=bind,src={{ matrix_client_element_data_path }}/home.html,dst=/app/home.html,ro \ {% endif %} - -v {{ matrix_client_element_data_path }}/welcome.html:/app/welcome.html:ro \ + --mount type=bind,src={{ matrix_client_element_data_path }}/welcome.html,dst=/app/welcome.html,ro \ {% for arg in matrix_client_element_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index db9d58a8..bad94f64 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -23,7 +23,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dimension \ {% if matrix_dimension_container_http_host_bind_port %} -p {{ matrix_dimension_container_http_host_bind_port }}:8184 \ {% endif %} - -v {{ matrix_dimension_base_path }}:/data:rw \ + --mount type=bind,src={{ matrix_dimension_base_path }},dst=/data \ {% for arg in matrix_dimension_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 index 3512b3af..f19d08ff 100644 --- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 +++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 @@ -15,7 +15,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ --log-driver=none \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_jitsi_jicofo_base_path }}/env \ - -v {{ matrix_jitsi_jicofo_config_path }}:/config \ + --mount type=bind,src={{ matrix_jitsi_jicofo_config_path }},dst=/config \ {% for arg in matrix_jitsi_jicofo_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index a189df9c..6db6a850 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -21,7 +21,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ {% if matrix_jitsi_jvb_container_rtp_tcp_host_bind_port %} -p {{ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_tcp_port }} \ {% endif %} - -v {{ matrix_jitsi_jvb_config_path }}:/config \ + --mount type=bind,src={{ matrix_jitsi_jvb_config_path }},dst=/config \ {% for arg in matrix_jitsi_jvb_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 30801d77..74b13df3 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -15,8 +15,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody --log-driver=none \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_jitsi_prosody_base_path }}/env \ - -v {{ matrix_jitsi_prosody_config_path }}:/config \ - -v {{ matrix_jitsi_prosody_plugins_path }}:/prosody-plugins-custom \ + --mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \ + --mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \ {% for arg in matrix_jitsi_prosody_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index 1f8a890b..e13f9633 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -18,8 +18,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ {% if matrix_jitsi_web_container_http_host_bind_port %} -p {{ matrix_jitsi_web_container_http_host_bind_port }}:80 \ {% endif %} - -v {{ matrix_jitsi_web_config_path }}:/config \ - -v {{ matrix_jitsi_web_transcripts_path }}:/usr/share/jitsi-meet/transcripts \ + --mount type=bind,src={{ matrix_jitsi_web_config_path }},dst=/config \ + --mount type=bind,src={{ matrix_jitsi_web_transcripts_path }},dst=/usr/share/jitsi-meet/transcripts \ {% for arg in matrix_jitsi_web_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index 80370088..3c49ec75 100644 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -29,8 +29,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \ {% if matrix_ma1sd_verbose_logging %} -e MA1SD_LOG_LEVEL=debug \ {% endif %} - -v {{ matrix_ma1sd_config_path }}:/etc/ma1sd:ro \ - -v {{ matrix_ma1sd_data_path }}:/var/ma1sd:rw \ + --mount type=bind,src={{ matrix_ma1sd_config_path }},dst=/etc/ma1sd,ro \ + --mount type=bind,src={{ matrix_ma1sd_data_path }},dst=/var/ma1sd \ {% for arg in matrix_ma1sd_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 7a385a64..e2182d28 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -30,11 +30,11 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled and matrix_nginx_proxy_container_federation_host_bind_port %} -p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:8448 \ {% endif %} - -v {{ matrix_nginx_proxy_base_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ - -v {{ matrix_nginx_proxy_data_path }}:/nginx-data:ro \ - -v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \ - -v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \ - -v {{ matrix_static_files_base_path }}:{{ matrix_static_files_base_path }}:ro \ + --mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/nginx-data,ro \ + --mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \ + --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \ + --mount type=bind,src={{ matrix_static_files_base_path }},dst={{ matrix_static_files_base_path }},ro \ {% for volume in matrix_nginx_proxy_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 8e6392c1..47f19e9b 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -21,8 +21,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ -p {{ matrix_postgres_container_postgres_bind_port }}:5432 \ {% endif %} --env-file={{ matrix_postgres_base_path }}/env-postgres-server \ - -v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data:rw \ - -v /etc/passwd:/etc/passwd:ro \ + --mount type=bind,src={{ matrix_postgres_data_path }},dst=/var/lib/postgresql/data \ + --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ {% for arg in matrix_postgres_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 index 38860729..052b7d95 100644 --- a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 +++ b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 @@ -22,8 +22,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-registration \ {% if matrix_registration_container_http_host_bind_port %} -p {{ matrix_registration_container_http_host_bind_port }}:5000 \ {% endif %} - -v {{ matrix_registration_config_path }}:/config:ro \ - -v {{ matrix_registration_data_path }}:/data \ + --mount type=bind,src={{ matrix_registration_config_path }},dst=/config,ro \ + --mount type=bind,src={{ matrix_registration_data_path }},dst=/data \ {% for arg in matrix_registration_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index 51f846e3..3aa2c223 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -65,7 +65,7 @@ --name=matrix-config --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL - -v {{ matrix_synapse_config_dir_path }}:/data + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data -e UID={{ matrix_user_uid }} -e GID={{ matrix_user_gid }} -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index d9d752c2..c3ec9249 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -12,13 +12,13 @@ ExecStartPre=-{{ matrix_host_command_docker }} rm %n ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - -v /etc/passwd:/etc/passwd:ro \ - -v /etc/group:/etc/group:ro \ + --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ + --mount type=bind,src=/etc/group,dst=/etc/group,ro \ + --mount type=bind,src={{ matrix_synapse_media_store_path }},dst=/s3,bind-propagation=shared \ --security-opt apparmor:unconfined \ --cap-add mknod \ --cap-add sys_admin \ --device=/dev/fuse \ - -v {{ matrix_synapse_media_store_path }}:/s3:shared \ --env-file={{ matrix_synapse_config_dir_path }}/env-goofys \ --entrypoint /bin/sh \ {{ matrix_s3_goofys_docker_image }} \ diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 47786eee..791d324e 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -43,8 +43,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {% if matrix_synapse_manhole_enabled and matrix_synapse_container_manhole_api_host_bind_port %} -p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \ {% endif %} - -v {{ matrix_synapse_config_dir_path }}:/data:ro \ - -v {{ matrix_synapse_storage_path }}:/matrix-media-store-parent:slave \ + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \ + --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ {% for volume in matrix_synapse_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} From 75f9fde7a48c11e62d83a543432e583c8d790077 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 25 Nov 2020 10:49:59 +0200 Subject: [PATCH 1546/2384] Remove some more -v usage Continuation of 1fca917ad13103. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/722 --- .../systemd/matrix-bot-matrix-reminder-bot.service.j2 | 4 ++-- .../tasks/setup_install.yml | 2 +- .../systemd/matrix-appservice-discord.service.j2 | 4 ++-- .../templates/systemd/matrix-corporal.service.j2 | 6 +++--- .../templates/systemd/matrix-coturn.service.j2 | 2 +- .../ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml | 8 ++++---- .../matrix-ssl-lets-encrypt-certificates-renew.j2 | 4 ++-- roles/matrix-postgres/tasks/import_postgres.yml | 2 +- roles/matrix-postgres/tasks/import_sqlite_db.yml | 6 +++--- roles/matrix-postgres/tasks/upgrade_postgres.yml | 4 ++-- .../tasks/rust-synapse-compress-state/compress_room.yml | 4 ++-- 11 files changed, 23 insertions(+), 23 deletions(-) diff --git a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 index 0decac02..23493c54 100644 --- a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 +++ b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 @@ -21,8 +21,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-matrix-rem --read-only \ --network={{ matrix_docker_network }} \ -e 'TZ={{ matrix_bot_matrix_reminder_bot_reminders_timezone }}' \ - -v {{ matrix_bot_matrix_reminder_bot_config_path }}:/config:ro \ - -v {{ matrix_bot_matrix_reminder_bot_data_path }}:/data:rw \ + --mount type=bind,src={{ matrix_bot_matrix_reminder_bot_config_path }},dst=/config,ro \ + --mount type=bind,src={{ matrix_bot_matrix_reminder_bot_data_path }},dst=/data \ --entrypoint=/bin/sh \ {% for arg in matrix_bot_matrix_reminder_bot_container_extra_arguments %} {{ arg }} \ diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index 3678b35b..935d07eb 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -63,7 +63,7 @@ {{ matrix_host_command_docker }} run --rm --name matrix-appservice-discord-link-gen --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL - -v {{ matrix_appservice_discord_config_path }}:/cfg + --mount type=bind,src={{ matrix_appservice_discord_config_path }},dst=/cfg -w /cfg {{ matrix_appservice_discord_docker_image }} /bin/sh -c "node /build/tools/addbot.js > /cfg/invite_link" diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index f2187ca3..6a44a3e6 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -25,8 +25,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-dis {% if matrix_appservice_discord_container_http_host_bind_port %} -p {{ matrix_appservice_discord_container_http_host_bind_port }}:9005 \ {% endif %} - -v {{ matrix_appservice_discord_config_path }}:/cfg \ - -v {{ matrix_appservice_discord_data_path }}:/data \ + --mount type=bind,src={{ matrix_appservice_discord_config_path }},dst=/cfg \ + --mount type=bind,src={{ matrix_appservice_discord_data_path }},dst=/data \ {% for arg in matrix_appservice_discord_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index 533ece0a..97ec7d89 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -23,9 +23,9 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-corporal \ {% if matrix_corporal_container_http_api_host_bind_port %} -p {{ matrix_corporal_container_http_api_host_bind_port }}:41081 \ {% endif %} - -v {{ matrix_corporal_config_dir_path }}:/etc/matrix-corporal:ro \ - -v {{ matrix_corporal_cache_dir_path }}:/var/cache/matrix-corporal:rw \ - -v {{ matrix_corporal_var_dir_path }}:/var/matrix-corporal:rw \ + --mount type=bind,src={{ matrix_corporal_config_dir_path }},dst=/etc/matrix-corporal,ro \ + --mount type=bind,src={{ matrix_corporal_cache_dir_path }},dst=/var/cache/matrix-corporal \ + --mount type=bind,src={{ matrix_corporal_var_dir_path }},dst=/var/matrix-corporal \ {% for arg in matrix_corporal_container_extra_arguments %} {{ arg }} \ {% endfor %} diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index a6d19705..e484b59b 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -30,7 +30,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \ {% if matrix_coturn_container_turn_range_listen_interface is not none %} -p {{ matrix_coturn_container_turn_range_listen_interface }}{{ ':' if matrix_coturn_container_turn_range_listen_interface else '' }}{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \ {% endif %} - -v {{ matrix_coturn_config_path }}:/turnserver.conf:ro \ + --mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \ {% for volume in matrix_coturn_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index 3dea71fb..4639f122 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -35,8 +35,8 @@ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL -p {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080 - -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt - -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt + --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt + --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt {{ matrix_ssl_lets_encrypt_certbot_docker_image }} certonly --non-interactive @@ -63,8 +63,8 @@ --cap-drop=ALL -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 --network={{ matrix_docker_network }} - -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt - -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt + --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt + --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt {{ matrix_ssl_lets_encrypt_certbot_docker_image }} certonly --non-interactive diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 index f7c930c0..39366abf 100644 --- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 @@ -14,8 +14,8 @@ docker run \ --cap-drop=ALL \ --network="{{ matrix_docker_network }}" \ -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \ - -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \ - -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt \ + --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt \ + --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt \ {{ matrix_ssl_lets_encrypt_certbot_docker_image }} \ renew \ --non-interactive \ diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml index 0753c292..33d98691 100644 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -69,7 +69,7 @@ --cap-drop=ALL --network={{ matrix_docker_network }} --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - -v {{ server_path_postgres_dump }}:/{{ server_path_postgres_dump|basename }}:ro + --mount type=bind,src={{ server_path_postgres_dump }},dst=/{{ server_path_postgres_dump|basename }},ro --entrypoint=/bin/sh {{ matrix_postgres_docker_image_latest }} -c "cat /{{ server_path_postgres_dump|basename }} | diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml index c877ead4..ea15c5a8 100644 --- a/roles/matrix-postgres/tasks/import_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml @@ -79,8 +79,8 @@ --cap-drop=ALL --network={{ matrix_docker_network }} --entrypoint=python - -v {{ matrix_synapse_config_dir_path }}:/data - -v {{ matrix_synapse_config_dir_path }}:/matrix-media-store-parent/media-store - -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }} + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/matrix-media-store-parent/media-store + --mount type=bind,src={{ server_path_homeserver_db }},dst=/{{ server_path_homeserver_db|basename }} {{ matrix_synapse_docker_image }} /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml diff --git a/roles/matrix-postgres/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml index c1a01d3f..72f327b3 100644 --- a/roles/matrix-postgres/tasks/upgrade_postgres.yml +++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml @@ -85,7 +85,7 @@ --network={{ matrix_docker_network }} --env-file={{ matrix_postgres_base_path }}/env-postgres-psql --entrypoint=/bin/sh - -v {{ postgres_dump_dir }}:/out + --mount type=bind,src={{ postgres_dump_dir }},dst=/out {{ matrix_postgres_detected_version_corresponding_docker_image }} -c "pg_dumpall -h matrix-postgres {{ '| gzip -c ' if postgres_dump_name.endswith('.gz') else '' }} @@ -131,7 +131,7 @@ --network={{ matrix_docker_network }} --env-file={{ matrix_postgres_base_path }}/env-postgres-psql --entrypoint=/bin/sh - -v {{ postgres_dump_dir }}:/in:ro + --mount type=bind,src={{ postgres_dump_dir }},dst=/in,ro {{ matrix_postgres_docker_image_latest }} -c "cat /in/{{ postgres_dump_name }} | {{ 'gunzip |' if postgres_dump_name.endswith('.gz') else '' }} diff --git a/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml b/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml index ad7b91b4..8570411f 100644 --- a/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml +++ b/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml @@ -8,7 +8,7 @@ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL --network={{ matrix_docker_network }} - -v {{ matrix_synapse_rust_synapse_compress_state_base_path }}:/work + --mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work {{ matrix_synapse_rust_synapse_compress_state_docker_image }} /synapse-compress-state -t -o /work/state-compressor.sql -p "host={{ matrix_synapse_database_host }} user={{ matrix_synapse_database_user }} password={{ matrix_synapse_database_password }} dbname={{ matrix_synapse_database_database }}" @@ -30,7 +30,7 @@ --cap-drop=ALL --network={{ matrix_docker_network }} --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - -v {{ matrix_synapse_rust_synapse_compress_state_base_path }}:/work:ro + --mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work,ro --entrypoint=/bin/sh {{ matrix_postgres_docker_image_latest }} -c "cat /work/state-compressor.sql | From 58baa0ac30ebe4759bed23433f0c1aee9cbc57db Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Wed, 25 Nov 2020 15:39:14 +0100 Subject: [PATCH 1547/2384] Update configuring-playbook-bridge-matrix-bridge-sms.md --- docs/configuring-playbook-bridge-matrix-bridge-sms.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-matrix-bridge-sms.md b/docs/configuring-playbook-bridge-matrix-bridge-sms.md index 3dd7398b..86a95ab2 100644 --- a/docs/configuring-playbook-bridge-matrix-bridge-sms.md +++ b/docs/configuring-playbook-bridge-matrix-bridge-sms.md @@ -4,7 +4,7 @@ The playbook can install and configure [matrix-sms-bridge](https://github.com/be See the project page to learn what it does and why it might be useful to you. -** The bridge uses [android-sms-gateway-server](https://github.com/RebekkaMa/android-sms-gateway-server). You need to configure it first. ** +**The bridge uses [android-sms-gateway-server](https://github.com/RebekkaMa/android-sms-gateway-server). You need to configure it first.** To enable the bridge just use the following playbook configuration: From 732f57cbd915aa486522829f432b4b60f37fe49f Mon Sep 17 00:00:00 2001 From: anonym Date: Thu, 26 Nov 2020 01:24:43 +0100 Subject: [PATCH 1548/2384] Note about the max length of the postgres password --- group_vars/matrix_servers | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 742391c3..c3d42d74 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -874,6 +874,7 @@ matrix_postgres_enabled: true matrix_postgres_connection_hostname: "matrix-postgres" matrix_postgres_connection_username: "synapse" +# Please note that max length of the password is 99 characters matrix_postgres_connection_password: "synapse-password" matrix_postgres_db_name: "homeserver" From d4ef751052380632f491570c182fd5829d48a483 Mon Sep 17 00:00:00 2001 From: anonym Date: Thu, 26 Nov 2020 01:30:08 +0100 Subject: [PATCH 1549/2384] Update matrix_servers --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c3d42d74..cdd01153 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -874,7 +874,7 @@ matrix_postgres_enabled: true matrix_postgres_connection_hostname: "matrix-postgres" matrix_postgres_connection_username: "synapse" -# Please note that max length of the password is 99 characters +# Please note that the max length of the password is 99 characters matrix_postgres_connection_password: "synapse-password" matrix_postgres_db_name: "homeserver" From 796c752b6028b0883011c757312f3e239fa3dd70 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 26 Nov 2020 09:51:48 +0200 Subject: [PATCH 1550/2384] Ensure Postgres passwords are not longer than 99 characters Complements https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/732 --- roles/matrix-postgres/tasks/validate_config.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/matrix-postgres/tasks/validate_config.yml b/roles/matrix-postgres/tasks/validate_config.yml index 4985a4c7..6ff5adb0 100644 --- a/roles/matrix-postgres/tasks/validate_config.yml +++ b/roles/matrix-postgres/tasks/validate_config.yml @@ -20,3 +20,8 @@ - "matrix_postgres_connection_username" - "matrix_postgres_connection_password" - "matrix_postgres_db_name" + +- name: Fail if Postgres password length exceeded + fail: + msg: "The maximum `matrix_postgres_connection_password` length is 99 characters" + when: "matrix_postgres_connection_hostname|length > 99" From 12867e9f18a3321217083bfbcdfc9a79de0de9ba Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 26 Nov 2020 09:55:26 +0200 Subject: [PATCH 1551/2384] Do not try to mount /matrix/ssl when matrix_ssl_retrieval_method is 'none' Since the switch from `-v` to `--mount` (in 1fca917ad1310), we've regressed when `matrix_ssl_retrieval_method == 'none'`. In such a case, we don't create `/matrix/ssl` directories at all and shouldn't be trying to mount them into the `matrix-nginx-proxy` container. Previously, with `-v`, Docker would auto-create them, effectively hiding our mistake. Now that `--mount` doesn't do such auto-creation magic, the `matrix-nginx-proxy` container was failing to start. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/734 --- .../templates/systemd/matrix-nginx-proxy.service.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index e2182d28..6e8d31f4 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -33,8 +33,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ --mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/nginx-data,ro \ --mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \ + {% if matrix_ssl_retrieval_method != 'none' %} --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \ --mount type=bind,src={{ matrix_static_files_base_path }},dst={{ matrix_static_files_base_path }},ro \ + {% endif %} {% for volume in matrix_nginx_proxy_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} From d2353355077891e299c25b08da71faf8e69fa872 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 26 Nov 2020 10:08:52 +0200 Subject: [PATCH 1552/2384] Do not mount /matrix/ssl into matrix-coturn when matrix_ssl_retrieval_method is 'none' Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/734 Similar to 12867e9f18a3321217083, but for `matrix-coturn` (not `matrix-nginx-proxy`). --- group_vars/matrix_servers | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index cdd01153..464cff78 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -578,13 +578,19 @@ matrix_coturn_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" -matrix_coturn_tls_enabled: true +matrix_coturn_tls_enabled: "{{ matrix_ssl_retrieval_method != 'none' }}" matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem" matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem" -matrix_coturn_container_additional_volumes: - - src: "{{ matrix_ssl_config_dir_path }}" - dst: "{{ matrix_ssl_config_dir_path }}" - options: ro +matrix_coturn_container_additional_volumes: | + {{ + ([] if matrix_ssl_retrieval_method == 'none' else [ + { + 'src': matrix_ssl_config_dir_path, + 'dst': matrix_ssl_config_dir_path, + 'options': 'ro', + } + ]) + }} ###################################################################### # From d702e74079f917e1c017ac1476a13aaac6b3847e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 26 Nov 2020 18:40:15 +0200 Subject: [PATCH 1553/2384] Fix matrix-nginx-proxy static files mounting when SSL retrieval is none Fixup for 12867e9f18a33212. This shouldn't have been caught in the `if`. Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/734 --- .../templates/systemd/matrix-nginx-proxy.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 6e8d31f4..0945c25e 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ --mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \ {% if matrix_ssl_retrieval_method != 'none' %} --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \ - --mount type=bind,src={{ matrix_static_files_base_path }},dst={{ matrix_static_files_base_path }},ro \ {% endif %} + --mount type=bind,src={{ matrix_static_files_base_path }},dst={{ matrix_static_files_base_path }},ro \ {% for volume in matrix_nginx_proxy_container_additional_volumes %} -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ {% endfor %} From 84c7c190682763e2e4994becbd9554bfda87da0a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 27 Nov 2020 13:30:00 +0200 Subject: [PATCH 1554/2384] Add jitsi.DOMAIN to sample Traefik 2.0 config Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/735 --- docs/configuring-playbook-own-webserver.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index dac78376..8c671df4 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -113,7 +113,7 @@ With this, nginx would still be in use, but it would not bother with anything SS All services would be served locally on `127.0.0.1:81` and `127.0.0.1:8449` (as per the example configuration above). You can then set up another reverse-proxy server on ports 80/443/8448 for all of the expected domains and make traffic go to these local ports. -The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `element.DOMAIN` and `dimension.DOMAIN` are optional). +The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN` are optional). ### Sample configuration for running behind Traefik 2.0 @@ -144,7 +144,7 @@ matrix_nginx_proxy_container_extra_arguments: - '--label "traefik.enable=true"' # The Nginx proxy container will receive traffic from these subdomains - - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_element }}`,`{{ matrix_server_fqn_dimension }}`)"' + - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_element }}`,`{{ matrix_server_fqn_dimension }},`{{ matrix_server_fqn_jitsi }}`)"' # (The 'web-secure' entrypoint must bind to port 443 in Traefik config) - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"' @@ -172,7 +172,7 @@ matrix_synapse_container_extra_arguments: - '--label "traefik.http.services.matrix-synapse.loadbalancer.server.port=8048"' ``` -This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `element.DOMAIN`, and `dimension.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver. +This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver. Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 443 for HTTPS, which may cause some issues, since the built-in Nginx proxy usually does this. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows: @@ -205,7 +205,7 @@ services: image: "traefik:v2.3" restart: always container_name: "traefik" - networks: + networks: - traefik command: - "--api.insecure=true" From f93a4f6474ede88cf9aee7c35dc25ab527c9798d Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Fri, 27 Nov 2020 16:01:24 +0100 Subject: [PATCH 1555/2384] updated matrix-sms-bridge --- roles/matrix-bridge-sms/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 9f1c1d9c..82f9b841 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.2" +matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.4" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" From fa76128fd84727f00fc6925afe70fb6f2d0fe97e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 27 Nov 2020 17:28:24 +0200 Subject: [PATCH 1556/2384] Update Jitsi to build 5142 This supersedes/fixes-up this Pull Request: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/719 The Jitsi Web and JVB containers now (in build 5142) always start by bulding their own default configuration (`config.js` and `sip-communicator.properties`, respectively). The fact that we were generating these files ourselves was no longer of use, because our configuration was thrown away in favor of the one created by the containers on startup. With this commit, we're completely redoing things. We no longer generate these configuration files. We try to pass the proper environment variables, so that Jitsi services can generate the configuration files themselves. Besides that, we try to use the "custom configuration" mechanism provided by Jitsi Web and Jitsi JVB (`custom-config.js` and `custom-sip-communicator.properties`, respectively), so that we and our users can inject additional configuration. Some configuration options we had are gone now. Others are no longer controllable via variables and need to be injected using the `_config_extension` variables that we provide. The validation logic that is part of the role should take care to inform people about how to upgrade (if they're using some custom configuration, which needs special care now). Most users should not have to do anything special though. --- docs/configuring-playbook-jitsi.md | 43 +- roles/matrix-jitsi/defaults/main.yml | 114 +++- roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 2 +- roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 2 +- roles/matrix-jitsi/tasks/validate_config.yml | 21 + .../jvb/custom-sip-communicator.properties.j2 | 7 + roles/matrix-jitsi/templates/jvb/env.j2 | 19 + .../jvb/sip-communicator.properties.j2 | 19 - roles/matrix-jitsi/templates/web/config.js.j2 | 491 ------------------ .../templates/web/custom-config.js.j2 | 15 + roles/matrix-jitsi/templates/web/env.j2 | 12 + .../templates/web/interface_config.js.j2 | 317 ++++++----- 12 files changed, 374 insertions(+), 688 deletions(-) create mode 100644 roles/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 delete mode 100644 roles/matrix-jitsi/templates/jvb/sip-communicator.properties.j2 delete mode 100644 roles/matrix-jitsi/templates/web/config.js.j2 create mode 100644 roles/matrix-jitsi/templates/web/custom-config.js.j2 diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 72402360..62edc578 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -91,44 +91,33 @@ matrix_jitsi_jvb_container_extra_arguments: ## (Optional) Fine tune Jitsi -You may want to suspend unused video layers until they are requested again, to save up resources on both server and clients. -Read more on this feature [here](https://jitsi.org/blog/new-off-stage-layer-suppression-feature/) -For this add this line to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: +Sample **additional** `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration to save up resources (explained below): ```yaml -matrix_jitsi_web_config_enableLayerSuspension: true -``` +matrix_jitsi_web_custom_config_extension: | + config.enableLayerSuspension = true; -You may wish to disable audio levels to avoid excessive refresh of the client-side page and decrease the CPU consumption involved. -For this add this line to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: + config.disableAudioLevels = true; -```yaml -matrix_jitsi_web_config_disableAudioLevels: true + # Limit the number of video feeds forwarded to each client + config.channelLastN = 4; + +matrix_jitsi_web_config_resolution_width_ideal_and_max: 480 +matrix_jitsi_web_config_resolution_height_ideal_and_max: 240 ``` -You may want to limit the number of video feeds forwarded to each client, to save up resources on both server and clients. As clients’ bandwidth and CPU may not bear the load, use this setting to avoid lag and crashes. -This feature is found by default in other webconference applications such as Office 365 Teams (limit is set to 4). -Read how it works [here](https://github.com/jitsi/jitsi-videobridge/blob/master/doc/last-n.md) and performance evaluation on this [study](https://jitsi.org/wp-content/uploads/2016/12/nossdav2015lastn.pdf) +You may want to **suspend unused video layers** until they are requested again, to save up resources on both server and clients. +Read more on this feature [here](https://jitsi.org/blog/new-off-stage-layer-suppression-feature/) For this add this line to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: -```yaml -matrix_jitsi_web_config_channelLastN: 4 -``` +You may wish to **disable audio levels** to avoid excessive refresh of the client-side page and decrease the CPU consumption involved. -To enable the variables that allow you to manage the video configuration you must add the following line to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: - -```yaml -matrix_jitsi_web_config_constraints_enabled: true -``` +You may want to **limit the number of video feeds forwarded to each client**, to save up resources on both server and clients. As clients’ bandwidth and CPU may not bear the load, use this setting to avoid lag and crashes. +This feature is found by default in other webconference applications such as Office 365 Teams (limit is set to 4). +Read how it works [here](https://github.com/jitsi/jitsi-videobridge/blob/master/doc/last-n.md) and performance evaluation on this [study](https://jitsi.org/wp-content/uploads/2016/12/nossdav2015lastn.pdf). -You may want to limit the maximum video resolution, to save up resources on both server and clients. -For example, to set resolution to 480. -For this add this two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: +You may want to **limit the maximum video resolution**, to save up resources on both server and clients. -```yaml -matrix_jitsi_web_config_constraints_video_height_ideal: 480 -matrix_jitsi_web_config_constraints_video_height_max: 480 -``` ## Apply changes diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 865424ed..c9c8745e 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -6,6 +6,7 @@ matrix_jitsi_enable_auth: false matrix_jitsi_enable_guests: false matrix_jitsi_enable_recording: true matrix_jitsi_enable_transcriptions: true +matrix_jitsi_enable_p2p: true # Authentication type, must be one of internal, jwt or ldap. Currently only # internal and ldap are supported by this playbook. @@ -51,7 +52,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_container_image_tag: "stable-4857" +matrix_jitsi_container_image_tag: "stable-5142" matrix_jitsi_web_docker_image: "docker.io/jitsi/web:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" @@ -77,42 +78,86 @@ matrix_jitsi_web_container_extra_arguments: [] # List of systemd services that matrix-jitsi-web.service depends on matrix_jitsi_web_systemd_required_services_list: ['docker.service'] -matrix_jitsi_web_config_defaultLanguage: 'en' -matrix_jitsi_web_config_start_with_audio_muted: false -matrix_jitsi_web_config_start_with_video_muted: false -matrix_jitsi_web_config_testing_enableFirefoxSimulcast: false -matrix_jitsi_web_config_testing_p2pTestMode: false +# Some variables controlling the interface of Jitsi Web. +# These get applied to `templates/web/interface_config.js.j2`. +# +# Besides this, you can also use `matrix_jitsi_web_custom_interface_config_extension` +# to define any other configuration option. matrix_jitsi_web_interface_config_lang_detection: false matrix_jitsi_web_interface_config_show_jitsi_watermark: true matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org" matrix_jitsi_web_interface_config_show_brand_watermark: false matrix_jitsi_web_interface_config_brand_watermark_link: "" -matrix_jitsi_web_interface_config_show_watermark_for_guests: true matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page: true matrix_jitsi_web_interface_config_display_welcome_page_content: true matrix_jitsi_web_interface_config_app_name: "Jitsi Meet" matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet" matrix_jitsi_web_interface_config_provider_name: "Jitsi" -matrix_jitsi_web_interface_config_invitation_powered_by: true matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false matrix_jisti_web_interface_config_show_deep_linking_image: false -# Jitsi_web Fine Tune default values. -# Useful to manage bandwidth and CPU consumption in server and client side -matrix_jitsi_web_config_disableAudioLevels: false -matrix_jitsi_web_config_enableLayerSuspension: false -matrix_jitsi_web_config_channelLastN: -1 -# If 'matrix_jitsi_web_config_constraints_enabled: false' -# the video constraints will be disabled and will take the default values of jitsi -matrix_jitsi_web_config_constraints_enabled: false -# This settings work if matrix_jitsi_web_config_constraints_enabled: true -# See their definitions in config.js.j2 (templates / web) -matrix_jitsi_web_config_constraints_video_aspectRatio: 16 / 9 -matrix_jitsi_web_config_constraints_video_height_ideal: 720 -matrix_jitsi_web_config_constraints_video_height_max: 720 -matrix_jitsi_web_config_constraints_video_height_min: 240 +# Custom configuration to be injected into `interface_config.js`, passed to Jitsi Web. +# This configuration gets appended to the final interface configuration that Jitsi Web uses. +# +# Note: not to be confused with `matrix_jitsi_web_custom_config_extension`. +# +# For interface configuration, the flow is like this: +# - the contents of `templates/web/interface_config.js.j2` is generated (based on various `matrix_jitsi_web_interface_config_*` variables you see in this file) +# - the contents of `matrix_jitsi_web_custom_interface_config_extension` is appended and can define new settings or override defaults. +# +# Example: +# matrix_jitsi_web_custom_interface_config_extension: | +# interfaceConfig.CONNECTION_INDICATOR_AUTO_HIDE_ENABLED = false; +# interfaceConfig.DISABLE_VIDEO_BACKGROUND = true; +matrix_jitsi_web_custom_interface_config_extension: '' + + +# Controls after which participant audio will be muted. If not specified, defaults to Jitsi's default value (likely 10) +matrix_jitsi_web_config_start_audio_muted_after_nth_participant: ~ +# Controls after which participant video will be muted. If not specified, defaults to Jitsi's default value (likely 10) +matrix_jitsi_web_config_start_video_muted_after_nth_participant: ~ + +matrix_jitsi_web_config_defaultLanguage: 'en' + +# Ideal and also maximum resolution width. If not specified, defaults to Jitsi's default value (likely 1280) +matrix_jitsi_web_config_resolution_width_ideal_and_max: ~ +# Minimum resolution width. If not specified, defaults to Jitsi's default value (likely 320) +matrix_jitsi_web_config_resolution_width_min: ~ +# Ideal and also maximum resolution height. If not specified, defaults to Jitsi's default value (likely 720) +matrix_jitsi_web_config_resolution_height_ideal_and_max: ~ +# Minimum resolution height. If not specified, defaults to Jitsi's default value (likely 180) +matrix_jitsi_web_config_resolution_height_min: ~ + +# Custom configuration to be injected into `custom-config.js`, passed to Jitsi Web. +# This configuration gets appended to the final configuration that Jitsi Web uses. +# +# Note: not to be confused with `matrix_jitsi_web_custom_interface_config_extension`. +# +# The flow is like this: +# - some default configuration is automatically generated based on the environment variables passed to the Jitsi Web container +# - the contents of `custom-config.js` is appended to it (see `templates/web/custom-config.js.j2`) +# - said `custom-config.js` contains your custom contents specified in `matrix_jitsi_web_custom_config_extension`. +# +# Example: +# matrix_jitsi_web_custom_config_extension: | +# if (!config.hasOwnProperty('testing')) config.testing = {}; +# config.testing.p2pTestMode = true +matrix_jitsi_web_custom_config_extension: '' + +# Additional environment variables to pass to the Jitsi Web container. +# You can use this to further influence the default configuration generated by the Jitsi Web container on every startup. +# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration +# by using `matrix_jitsi_web_custom_config_extension`. +# +# Example: +# matrix_jitsi_web_environment_variables_extension: | +# ENABLE_FILE_RECORDING_SERVICE=1 +# DROPBOX_APPKEY=something +# DROPBOX_REDIRECT_URI=something +matrix_jitsi_web_environment_variables_extension: '' + matrix_jitsi_prosody_docker_image: "docker.io/jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" @@ -168,6 +213,31 @@ matrix_jitsi_jvb_brewery_muc: jvbbrewery matrix_jitsi_jvb_rtp_udp_port: 10000 matrix_jitsi_jvb_rtp_tcp_port: 4443 +# Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB. +# This configuration gets appended to the final configuration that Jitsi JVB uses. +# +# The flow is like this: +# - some default configuration is automatically generated based on the environment variables passed to the Jitsi JVB container +# - the contents of `custom-sip-communicator.properties` is appended to it (see `templates/jvb/custom-sip-communicator.properties.j2`) +# - said `custom-sip-communicator.properties` contains your custom contents specified in `matrix_jitsi_jvb_custom_config_extension`. +# +# Example: +# matrix_jitsi_jvb_custom_config_extension: | +# org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=false +# org.jitsi.videobridge.ENABLE_STATISTICS=false +matrix_jitsi_jvb_custom_config_extension: '' + +# Additional environment variables to pass to the Jitsi JVB container. +# You can use this to further influence the default configuration generated by the Jitsi JVB container on every startup. +# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration +# by using `matrix_jitsi_jvb_custom_config_extension`. +# +# Example: +# matrix_jitsi_jvb_environment_variables_extension: | +# SOME_VARIABLE=1 +# ANOTHER_VARIABLE=something +matrix_jitsi_jvb_environment_variables_extension: '' + # Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/10000 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:10000"), or empty string to not expose. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml index 09055b59..e4c7f277 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml @@ -30,7 +30,7 @@ dest: "{{ matrix_jitsi_jvb_config_path }}/{{ item }}" mode: 0644 with_items: - - sip-communicator.properties + - custom-sip-communicator.properties - logging.properties when: matrix_jitsi_enabled|bool diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index 6e5d20b0..3dd6f30c 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -38,7 +38,7 @@ dest: "{{ matrix_jitsi_web_config_path }}/{{ item }}" mode: 0644 with_items: - - config.js + - custom-config.js - interface_config.js when: matrix_jitsi_enabled|bool diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index ea92c914..bd939d3a 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -19,3 +19,24 @@ - "matrix_jitsi_jicofo_component_secret" - "matrix_jitsi_jicofo_auth_password" - "matrix_jitsi_jvb_auth_password" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_jitsi_web_config_constraints_enabled', 'new': ''} + - {'old': 'matrix_jitsi_web_config_constraints_video_aspectRatio', 'new': ''} + - {'old': 'matrix_jitsi_web_config_constraints_video_height_ideal', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'} + - {'old': 'matrix_jitsi_web_config_constraints_video_height_max', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'} + - {'old': 'matrix_jitsi_web_config_constraints_video_height_min', 'new': 'matrix_jitsi_web_config_resolution_height_min'} + - {'old': 'matrix_jitsi_web_config_disableAudioLevels', 'new': ''} + - {'old': 'matrix_jitsi_web_config_enableLayerSuspension', 'new': ''} + - {'old': 'matrix_jitsi_web_config_channelLastN', 'new': ''} + - {'old': 'matrix_jitsi_web_config_testing_p2pTestMode', 'new': ''} + - {'old': 'matrix_jitsi_web_config_start_with_audio_muted', 'new': ''} + - {'old': 'matrix_jitsi_web_config_start_with_video_muted', 'new': ''} + - {'old': 'matrix_jitsi_web_interface_config_show_watermark_for_guests', 'new': ''} + - {'old': 'matrix_jitsi_web_interface_config_invitation_powered_by', 'new': ''} diff --git a/roles/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 b/roles/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 new file mode 100644 index 00000000..44b6b8c2 --- /dev/null +++ b/roles/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 @@ -0,0 +1,7 @@ +org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true + +org.jitsi.videobridge.ENABLE_STATISTICS=true +org.jitsi.videobridge.STATISTICS_TRANSPORT=muc +org.jitsi.videobridge.STATISTICS_INTERVAL=5000 + +{{ matrix_jitsi_jvb_custom_config_extension }} diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 index 423070db..f7dc9247 100644 --- a/roles/matrix-jitsi/templates/jvb/env.j2 +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -1 +1,20 @@ JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} +JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} +JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }} +JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} +JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} + +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} + +HOSTNAME=matrix-jitsi-jvb + +{% if matrix_jitsi_jvb_stun_servers|length > 0 %} +JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }} +{% endif %} + +PUBLIC_URL={{ matrix_jitsi_web_public_url }} + +{{ matrix_jitsi_jvb_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/jvb/sip-communicator.properties.j2 b/roles/matrix-jitsi/templates/jvb/sip-communicator.properties.j2 deleted file mode 100644 index 173af0b6..00000000 --- a/roles/matrix-jitsi/templates/jvb/sip-communicator.properties.j2 +++ /dev/null @@ -1,19 +0,0 @@ -org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT={{ matrix_jitsi_jvb_rtp_udp_port }} -org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false -org.jitsi.videobridge.TCP_HARVESTER_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} - -{% if matrix_jitsi_jvb_stun_servers|length > 0 %} -org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES={{ matrix_jitsi_jvb_stun_servers|join(',') }} -{% endif %} - -org.jitsi.videobridge.xmpp.user.shard.HOSTNAME={{ matrix_jitsi_xmpp_server }} -org.jitsi.videobridge.xmpp.user.shard.DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -org.jitsi.videobridge.xmpp.user.shard.USERNAME={{ matrix_jitsi_jvb_auth_user }} -org.jitsi.videobridge.xmpp.user.shard.PASSWORD={{ matrix_jitsi_jvb_auth_password }} -org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS={{ matrix_jitsi_jvb_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} -org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=matrix-jitsi-jvb -org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true - -org.jitsi.videobridge.ENABLE_STATISTICS=true -org.jitsi.videobridge.STATISTICS_TRANSPORT=muc -org.jitsi.videobridge.STATISTICS_INTERVAL=5000 diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 deleted file mode 100644 index ad0e5410..00000000 --- a/roles/matrix-jitsi/templates/web/config.js.j2 +++ /dev/null @@ -1,491 +0,0 @@ -/* eslint-disable no-unused-vars, no-var */ - -var config = { - // Configuration - // - - // Alternative location for the configuration. - // configLocation: './config.json', - - // Custom function which given the URL path should return a room name. - // getroomnode: function (path) { return 'someprefixpossiblybasedonpath'; }, - - - // Connection - // - - hosts: { - // XMPP domain. - domain: '{{ matrix_jitsi_xmpp_domain }}', - - {% if matrix_jitsi_enable_auth %} - {% if matrix_jitsi_enable_guests %} - // When using authentication, domain for guest users. - anonymousdomain: '{{ matrix_jitsi_xmpp_guest_domain }}', - {% endif %} - - // Domain for authenticated users. Defaults to . - authdomain: '{{ matrix_jitsi_xmpp_domain }}', - {% endif %} - - // Jirecon recording component domain. - // jirecon: 'jirecon.{{ matrix_jitsi_xmpp_domain }}', - - // Call control component (Jigasi). - // call_control: 'callcontrol.{{ matrix_jitsi_xmpp_domain }}', - - // Focus component domain. Defaults to focus.. - // focus: 'focus.{{ matrix_jitsi_xmpp_domain }}', - - // XMPP MUC domain. FIXME: use XEP-0030 to discover it. - muc: {{ matrix_jitsi_xmpp_muc_domain|to_json }}, - }, - - // BOSH URL. FIXME: use XEP-0156 to discover it. - bosh: '/http-bind', - - // The name of client node advertised in XEP-0115 'c' stanza - clientNode: 'http://jitsi.org/jitsimeet', - - // The real JID of focus participant - can be overridden here - focusUserJid: {{ matrix_jitsi_jicofo_auth_user|to_json }} + '@' + {{ matrix_jitsi_xmpp_auth_domain|to_json }}, - - - // Testing / experimental features. - // - - testing: { - // Enables experimental simulcast support on Firefox. - enableFirefoxSimulcast: {{ matrix_jitsi_web_config_testing_enableFirefoxSimulcast|to_json }}, - - // P2P test mode disables automatic switching to P2P when there are 2 - // participants in the conference. - p2pTestMode: {{ matrix_jitsi_web_config_testing_p2pTestMode|to_json }} - - // Enables the test specific features consumed by jitsi-meet-torture - // testMode: false - }, - - // Disables ICE/UDP by filtering out local and remote UDP candidates in - // signalling. - // webrtcIceUdpDisable: false, - - // Disables ICE/TCP by filtering out local and remote TCP candidates in - // signalling. - // webrtcIceTcpDisable: false, - - - // Media - // - - // Audio - - // Disable measuring of audio levels. - disableAudioLevels: {{ matrix_jitsi_web_config_disableAudioLevels|to_json }}, - - // Start the conference in audio only mode (no video is being received nor - // sent). - // startAudioOnly: false, - - // Every participant after the Nth will start audio muted. - // startAudioMuted: 10, - - // Start calls with audio muted. Unlike the option above, this one is only - // applied locally. FIXME: having these 2 options is confusing. - // startWithAudioMuted: false, - startWithAudioMuted: {{ matrix_jitsi_web_config_start_with_audio_muted|to_json }}, - - // Enabling it (with #params) will disable local audio output of remote - // participants and to enable it back a reload is needed. - // startSilent: false - - // Video - - // Sets the preferred resolution (height) for local video. Defaults to 720. - // resolution: 720, - - // w3c spec-compliant video constraints to use for video capture. Currently - // used by browsers that return true from lib-jitsi-meet's - // util#browser#usesNewGumFlow. The constraints are independency from - // this config's resolution value. Defaults to requesting an ideal aspect - // ratio of 16:9 with an ideal resolution of 720. - {% if matrix_jitsi_web_config_constraints_enabled %} - constraints: { - video: { - aspectRatio: {{ matrix_jitsi_web_config_constraints_video_aspectRatio }}, - height: { - ideal: {{ matrix_jitsi_web_config_constraints_video_height_ideal|to_json }}, - max: {{ matrix_jitsi_web_config_constraints_video_height_max|to_json }}, - min: {{ matrix_jitsi_web_config_constraints_video_height_min|to_json }} - } - } - }, - {% endif %} - // Enable / disable simulcast support. - // disableSimulcast: false, - - // Enable / disable layer suspension. If enabled, endpoints whose HD - // layers are not in use will be suspended (no longer sent) until they - // are requested again. - enableLayerSuspension: {{ matrix_jitsi_web_config_enableLayerSuspension|to_json }}, - - // Suspend sending video if bandwidth estimation is too low. This may cause - // problems with audio playback. Disabled until these are fixed. - disableSuspendVideo: true, - - // Every participant after the Nth will start video muted. - // startVideoMuted: 10, - - // Start calls with video muted. Unlike the option above, this one is only - // applied locally. FIXME: having these 2 options is confusing. - // startWithVideoMuted: false, - startWithVideoMuted: {{ matrix_jitsi_web_config_start_with_video_muted|to_json }}, - - // If set to true, prefer to use the H.264 video codec (if supported). - // Note that it's not recommended to do this because simulcast is not - // supported when using H.264. For 1-to-1 calls this setting is enabled by - // default and can be toggled in the p2p section. - // preferH264: true, - - // If set to true, disable H.264 video codec by stripping it out of the - // SDP. - // disableH264: false, - - // Desktop sharing - - // The ID of the jidesha extension for Chrome. - desktopSharingChromeExtId: null, - - // Whether desktop sharing should be disabled on Chrome. - // desktopSharingChromeDisabled: false, - - // The media sources to use when using screen sharing with the Chrome - // extension. - desktopSharingChromeSources: [ 'screen', 'window', 'tab' ], - - // Required version of Chrome extension - desktopSharingChromeMinExtVersion: '0.1', - - // Whether desktop sharing should be disabled on Firefox. - // desktopSharingFirefoxDisabled: false, - - // Optional desktop sharing frame rate options. Default value: min:5, max:5. - // desktopSharingFrameRate: { - // min: 5, - // max: 5 - // }, - - // Try to start calls with screen-sharing instead of camera video. - // startScreenSharing: false, - - // Recording -hiddenDomain: {{ matrix_jitsi_recorder_domain|to_json }}, - - // Whether to enable file recording or not. - fileRecordingsEnabled: {{ matrix_jitsi_enable_recording|to_json }}, - // Enable the dropbox integration. - // dropbox: { - // appKey: '' // Specify your app key here. - // // A URL to redirect the user to, after authenticating - // // by default uses: - // // 'https://{{ matrix_jitsi_xmpp_domain }}/static/oauth.html' - // redirectURI: - // 'https://{{ matrix_jitsi_xmpp_domain }}/subfolder/static/oauth.html' - // }, - // When integrations like dropbox are enabled only that will be shown, - // by enabling fileRecordingsServiceEnabled, we show both the integrations - // and the generic recording service (its configuration and storage type - // depends on jibri configuration) - // fileRecordingsServiceEnabled: false, - // Whether to show the possibility to share file recording with other people - // (e.g. meeting participants), based on the actual implementation - // on the backend. - // fileRecordingsServiceSharingEnabled: false, - - // Whether to enable live streaming or not. - liveStreamingEnabled: {{ matrix_jitsi_enable_recording|to_json }}, - - // Transcription (in interface_config, - // subtitles and buttons can be configured) - transcribingEnabled: {{ matrix_jitsi_enable_transcriptions|to_json }}, - - // Misc - - // Default value for the channel "last N" attribute. -1 for unlimited. - channelLastN: {{ matrix_jitsi_web_config_channelLastN|to_json }}, - - // Disables or enables RTX (RFC 4588) (defaults to false). - // disableRtx: false, - - // Disables or enables TCC (the default is in Jicofo and set to true) - // (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting - // affects congestion control, it practically enables send-side bandwidth - // estimations. - // enableTcc: true, - - // Disables or enables REMB (the default is in Jicofo and set to false) - // (draft-alvestrand-rmcat-remb-03). This setting affects congestion - // control, it practically enables recv-side bandwidth estimations. When - // both TCC and REMB are enabled, TCC takes precedence. When both are - // disabled, then bandwidth estimations are disabled. - // enableRemb: false, - - // Defines the minimum number of participants to start a call (the default - // is set in Jicofo and set to 2). - // minParticipants: 2, - - // Use XEP-0215 to fetch STUN and TURN servers. - // useStunTurn: true, - - // Enable IPv6 support. - // useIPv6: true, - - // Enables / disables a data communication channel with the Videobridge. - // Values can be 'datachannel', 'websocket', true (treat it as - // 'datachannel'), undefined (treat it as 'datachannel') and false (don't - // open any channel). - // openBridgeChannel: true, - - - // UI - // - - // Use display name as XMPP nickname. - // useNicks: false, - - // Require users to always specify a display name. - // requireDisplayName: true, - - // Whether to use a welcome page or not. In case it's false a random room - // will be joined when no room is specified. - enableWelcomePage: true, - - // Enabling the close page will ignore the welcome page redirection when - // a call is hangup. - // enableClosePage: false, - - // Disable hiding of remote thumbnails when in a 1-on-1 conference call. - // disable1On1Mode: false, - - // Default language for the user interface. - defaultLanguage: {{ matrix_jitsi_web_config_defaultLanguage|to_json }}, - - // If true all users without a token will be considered guests and all users - // with token will be considered non-guests. Only guests will be allowed to - // edit their profile. - enableUserRolesBasedOnToken: false, - - // Whether or not some features are checked based on token. - // enableFeaturesBasedOnToken: false, - - // Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests. - // lockRoomGuestEnabled: false, - - // When enabled the password used for locking a room is restricted to up to the number of digits specified - // roomPasswordNumberOfDigits: 10, - // default: roomPasswordNumberOfDigits: false, - - // Message to show the users. Example: 'The service will be down for - // maintenance at 01:00 AM GMT, - // noticeMessage: '', - - // Enables calendar integration, depends on googleApiApplicationClientID - // and microsoftApiApplicationClientID - // enableCalendarIntegration: false, - - // Stats - // - - // Whether to enable stats collection or not in the TraceablePeerConnection. - // This can be useful for debugging purposes (post-processing/analysis of - // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth - // estimation tests. - // gatherStats: false, - - // To enable sending statistics to callstats.io you must provide the - // Application ID and Secret. - // callStatsID: '', - // callStatsSecret: '', - - // enables callstatsUsername to be reported as statsId and used - // by callstats as repoted remote id - // enableStatsID: false - - // enables sending participants display name to callstats - // enableDisplayNameInStats: false - - - // Privacy - // - - // If third party requests are disabled, no other server will be contacted. - // This means avatars will be locally generated and callstats integration - // will not function. - // disableThirdPartyRequests: false, - - - // Peer-To-Peer mode: used (if enabled) when there are just 2 participants. - // - - p2p: { - // Enables peer to peer mode. When enabled the system will try to - // establish a direct connection when there are exactly 2 participants - // in the room. If that succeeds the conference will stop sending data - // through the JVB and use the peer to peer connection instead. When a - // 3rd participant joins the conference will be moved back to the JVB - // connection. - enabled: true, - - // Use XEP-0215 to fetch STUN and TURN servers. - // useStunTurn: true, - - // The STUN servers that will be used in the peer to peer connections - {% if matrix_jitsi_web_stun_servers|length > 0 %} - stunServers: [ - {% for url in matrix_jitsi_web_stun_servers %} - { urls: {{ url|to_json }} }{% if not loop.last %},{% endif %} - {% endfor %} - ], - {% endif %} - - // Sets the ICE transport policy for the p2p connection. At the time - // of this writing the list of possible values are 'all' and 'relay', - // but that is subject to change in the future. The enum is defined in - // the WebRTC standard: - // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum. - // If not set, the effective value is 'all'. - // iceTransportPolicy: 'all', - - // If set to true, it will prefer to use H.264 for P2P calls (if H.264 - // is supported). - preferH264: true - - // If set to true, disable H.264 video codec by stripping it out of the - // SDP. - // disableH264: false, - - // How long we're going to wait, before going back to P2P after the 3rd - // participant has left the conference (to filter out page reload). - // backToP2PDelay: 5 - }, - - analytics: { - // The Google Analytics Tracking ID: - // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1' - - // The Amplitude APP Key: - // amplitudeAPPKey: '' - - // Array of script URLs to load as lib-jitsi-meet "analytics handlers". - // scriptURLs: [ - // "libs/analytics-ga.min.js", // google-analytics - // "https://example.com/my-custom-analytics.js" - // ], - }, - - // Information about the jitsi-meet instance we are connecting to, including - // the user region as seen by the server. - deploymentInfo: { - // shard: "shard1", - // region: "europe", - // userRegion: "asia" - } - - // Local Recording - // - - // localRecording: { - // Enables local recording. - // Additionally, 'localrecording' (all lowercase) needs to be added to - // TOOLBAR_BUTTONS in interface_config.js for the Local Recording - // button to show up on the toolbar. - // - // enabled: true, - // - - // The recording format, can be one of 'ogg', 'flac' or 'wav'. - // format: 'flac' - // - - // } - - // Options related to end-to-end (participant to participant) ping. - // e2eping: { - // // The interval in milliseconds at which pings will be sent. - // // Defaults to 10000, set to <= 0 to disable. - // pingInterval: 10000, - // - // // The interval in milliseconds at which analytics events - // // with the measured RTT will be sent. Defaults to 60000, set - // // to <= 0 to disable. - // analyticsInterval: 60000, - // } - - // If set, will attempt to use the provided video input device label when - // triggering a screenshare, instead of proceeding through the normal flow - // for obtaining a desktop stream. - // NOTE: This option is experimental and is currently intended for internal - // use only. - // _desktopSharingSourceDevice: 'sample-id-or-label' - - // If true, any checks to handoff to another application will be prevented - // and instead the app will continue to display in the current browser. - // disableDeepLinking: false - - // A property to disable the right click context menu for localVideo - // the menu has option to flip the locally seen video for local presentations - // disableLocalVideoFlip: false - - // List of undocumented settings used in jitsi-meet - /** - _immediateReloadThreshold - autoRecord - autoRecordToken - debug - debugAudioLevels - deploymentInfo - dialInConfCodeUrl - dialInNumbersUrl - dialOutAuthUrl - dialOutCodesUrl - disableRemoteControl - displayJids - etherpad_base - externalConnectUrl - firefox_fake_device - googleApiApplicationClientID - iAmRecorder - iAmSipGateway - microsoftApiApplicationClientID - peopleSearchQueryTypes - peopleSearchUrl - requireDisplayName - tokenAuthUrl - */ - - // List of undocumented settings used in lib-jitsi-meet - /** - _peerConnStatusOutOfLastNTimeout - _peerConnStatusRtcMuteTimeout - abTesting - avgRtpStatsN - callStatsConfIDNamespace - callStatsCustomScriptUrl - desktopSharingSources - disableAEC - disableAGC - disableAP - disableHPF - disableNS - enableLipSync - enableTalkWhileMuted - forceJVB121Ratio - hiddenDomain - ignoreStartMuted - nick - startBitrate - */ - -}; - -/* eslint-enable no-unused-vars, no-var */ diff --git a/roles/matrix-jitsi/templates/web/custom-config.js.j2 b/roles/matrix-jitsi/templates/web/custom-config.js.j2 new file mode 100644 index 00000000..02316ca0 --- /dev/null +++ b/roles/matrix-jitsi/templates/web/custom-config.js.j2 @@ -0,0 +1,15 @@ +config.defaultLanguage = {{ matrix_jitsi_web_config_defaultLanguage|to_json }}; + + +if (!config.hasOwnProperty('p2p')) config.p2p = {% raw %}{}{% endraw %}; + +{% if matrix_jitsi_web_stun_servers|length > 0 %} +config.p2p.stunServers = [ + {% for url in matrix_jitsi_web_stun_servers %} + { urls: {{ url|to_json }} }{% if not loop.last %},{% endif %} + {% endfor %} +]; +{% endif %} + + +{{ matrix_jitsi_web_custom_config_extension }} diff --git a/roles/matrix-jitsi/templates/web/env.j2 b/roles/matrix-jitsi/templates/web/env.j2 index b85e9af5..353a3d14 100644 --- a/roles/matrix-jitsi/templates/web/env.j2 +++ b/roles/matrix-jitsi/templates/web/env.j2 @@ -3,6 +3,8 @@ ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }} +ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} + DISABLE_HTTPS=1 JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} @@ -26,3 +28,13 @@ JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }} + +RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }} +RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }} +RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }} +RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }} + +START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }} +START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }} + +{{ matrix_jitsi_web_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/web/interface_config.js.j2 b/roles/matrix-jitsi/templates/web/interface_config.js.j2 index c56f8c8c..60fac4d5 100644 --- a/roles/matrix-jitsi/templates/web/interface_config.js.j2 +++ b/roles/matrix-jitsi/templates/web/interface_config.js.j2 @@ -1,90 +1,76 @@ /* eslint-disable no-unused-vars, no-var, max-len */ +/* eslint sort-keys: ["error", "asc", {"caseSensitive": false}] */ var interfaceConfig = { - // TO FIX: this needs to be handled from SASS variables. There are some - // methods allowing to use variables both in css and js. - DEFAULT_BACKGROUND: '#474747', + APP_NAME: {{ matrix_jitsi_web_interface_config_app_name|to_json }}, + AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)', + AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)', /** - * Whether or not the blurred video background for large video should be - * displayed on browsers that can support it. + * A UX mode where the last screen share participant is automatically + * pinned. Valid values are the string "remote-only" so remote participants + * get pinned but not local, otherwise any truthy value for all participants, + * and any falsy value to disable the feature. + * + * Note: this mode is experimental and subject to breakage. */ - DISABLE_VIDEO_BACKGROUND: false, - - INITIAL_TOOLBAR_TIMEOUT: 20000, - TOOLBAR_TIMEOUT: 4000, - TOOLBAR_ALWAYS_VISIBLE: false, - DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', - DEFAULT_LOCAL_DISPLAY_NAME: 'me', - SHOW_JITSI_WATERMARK: {{ matrix_jitsi_web_interface_config_show_jitsi_watermark|to_json }}, - JITSI_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_jitsi_watermark_link|to_json }}, - - // if watermark is disabled by default, it can be shown only for guests - SHOW_WATERMARK_FOR_GUESTS: {{ matrix_jitsi_web_interface_config_show_watermark_for_guests|to_json }}, - SHOW_BRAND_WATERMARK: {{ matrix_jitsi_web_interface_config_show_brand_watermark|to_json }}, + AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only', BRAND_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_brand_watermark_link|to_json }}, - SHOW_POWERED_BY: {{ matrix_jitsi_web_interface_config_show_powered_by|to_json }}, - SHOW_DEEP_LINKING_IMAGE: {{ matrix_jisti_web_interface_config_show_deep_linking_image|to_json }}, - GENERATE_ROOMNAMES_ON_WELCOME_PAGE: {{ matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page|to_json }}, - DISPLAY_WELCOME_PAGE_CONTENT: {{ matrix_jitsi_web_interface_config_display_welcome_page_content|to_json }}, - APP_NAME: {{ matrix_jitsi_web_interface_config_app_name|to_json }}, - NATIVE_APP_NAME: {{ matrix_jitsi_web_interface_config_native_app_name|to_json }}, - PROVIDER_NAME: {{ matrix_jitsi_web_interface_config_provider_name|to_json }}, - LANG_DETECTION: {{ matrix_jitsi_web_interface_config_lang_detection|to_json }}, // Allow i18n to detect the system language - INVITATION_POWERED_BY: {{ matrix_jitsi_web_interface_config_invitation_powered_by|to_json }}, + CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it /** - * If we should show authentication block in profile + * Whether the connection indicator icon should hide itself based on + * connection strength. If true, the connection indicator will remain + * displayed while the participant has a weak connection and will hide + * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is + * strong. + * + * @type {boolean} */ - AUTHENTICATION_ENABLE: true, + CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true, /** - * The name of the toolbar buttons to display in the toolbar. If present, - * the button will display. Exceptions are "livestreaming" and "recording" - * which also require being a moderator and some values in config.js to be - * enabled. Also, the "profile" button will not display for user's with a - * jwt. + * How long the connection indicator should remain displayed before hiding. + * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED. + * + * @type {number} */ - TOOLBAR_BUTTONS: [ - {% if matrix_jitsi_enable_transcriptions %} - 'closedcaptions', - {% endif %} + CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000, - 'microphone', 'camera', 'desktop', 'fullscreen', - 'fodeviceselection', 'hangup', 'profile', 'info', 'chat', 'recording', - 'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand', - 'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts', - 'tileview', 'videobackgroundblur' - ], + /** + * If true, hides the connection indicators completely. + * + * @type {boolean} + */ + CONNECTION_INDICATOR_DISABLED: false, - SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar' ], + DEFAULT_BACKGROUND: '#474747', + DEFAULT_LOCAL_DISPLAY_NAME: 'me', + DEFAULT_LOGO_URL: 'images/watermark.svg', + DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', + DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg', - // Determines how the video would fit the screen. 'both' would fit the whole - // screen, 'height' would fit the original video height to the height of the - // screen, 'width' would fit the original video width to the width of the - // screen respecting ratio. - VIDEO_LAYOUT_FIT: 'both', + DISABLE_DOMINANT_SPEAKER_INDICATOR: false, + + DISABLE_FOCUS_INDICATOR: false, /** - * Whether to only show the filmstrip (and hide the toolbar). + * If true, notifications regarding joining/leaving are no longer displayed. */ - filmStripOnly: false, + DISABLE_JOIN_LEAVE_NOTIFICATIONS: false, /** - * Whether to show thumbnails in filmstrip as a column instead of as a row. + * If true, presence status: busy, calling, connected etc. is not displayed. */ - VERTICAL_FILMSTRIP: true, - - // A html text to be shown to guests on the close page, false disables it - CLOSE_PAGE_GUEST_HINT: false, - RANDOM_AVATAR_URL_PREFIX: false, - RANDOM_AVATAR_URL_SUFFIX: false, - FILM_STRIP_MAX_HEIGHT: 120, + DISABLE_PRESENCE_STATUS: false, - // Enables feedback star animation. - ENABLE_FEEDBACK_ANIMATION: false, - DISABLE_FOCUS_INDICATOR: false, - DISABLE_DOMINANT_SPEAKER_INDICATOR: false, + /** + * Whether the ringing sound in the call/ring overlay is disabled. If + * {@code undefined}, defaults to {@code false}. + * + * @type {boolean} + */ + DISABLE_RINGING: false, /** * Whether the speech to text transcription subtitles panel is disabled. @@ -95,76 +81,83 @@ var interfaceConfig = { DISABLE_TRANSCRIPTION_SUBTITLES: {{ matrix_jitsi_web_interface_config_disable_transcription_subtitles|to_json }}, /** - * Whether the ringing sound in the call/ring overlay is disabled. If - * {@code undefined}, defaults to {@code false}. - * - * @type {boolean} + * Whether or not the blurred video background for large video should be + * displayed on browsers that can support it. */ - DISABLE_RINGING: false, - AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)', - AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)', - POLICY_LOGO: null, - LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9 - REMOTE_THUMBNAIL_RATIO: 1, // 1:1 - // Documentation reference for the live streaming feature. - LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', + DISABLE_VIDEO_BACKGROUND: false, + + DISPLAY_WELCOME_FOOTER: true, + DISPLAY_WELCOME_PAGE_ADDITIONAL_CARD: false, + DISPLAY_WELCOME_PAGE_CONTENT: {{ matrix_jitsi_web_interface_config_display_welcome_page_content|to_json }}, + DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false, + + ENABLE_DIAL_OUT: true, + + ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation. + + FILM_STRIP_MAX_HEIGHT: 120, + + GENERATE_ROOMNAMES_ON_WELCOME_PAGE: {{ matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page|to_json }}, /** - * Whether the mobile app Jitsi Meet is to be promoted to participants - * attempting to join a conference in a mobile Web browser. If - * {@code undefined}, defaults to {@code true}. - * - * @type {boolean} + * Hide the logo on the deep linking pages. */ - MOBILE_APP_PROMO: true, + HIDE_DEEP_LINKING_LOGO: false, + + /** + * Hide the invite prompt in the header when alone in the meeting. + */ + HIDE_INVITE_MORE_HEADER: false, + + INITIAL_TOOLBAR_TIMEOUT: 20000, + JITSI_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_jitsi_watermark_link|to_json }}, + + LANG_DETECTION: {{ matrix_jitsi_web_interface_config_lang_detection|to_json }}, // Allow i18n to detect the system language + LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature. + LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9 /** - * Maximum coeficient of the ratio of the large video to the visible area + * Maximum coefficient of the ratio of the large video to the visible area * after the large video is scaled to fit the window. * * @type {number} */ MAXIMUM_ZOOMING_COEFFICIENT: 1.3, - /* - * If indicated some of the error dialogs may point to the support URL for - * help. - */ - SUPPORT_URL: 'https://github.com/jitsi/jitsi-meet/issues/new', - /** - * Whether the connection indicator icon should hide itself based on - * connection strength. If true, the connection indicator will remain - * displayed while the participant has a weak connection and will hide - * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is - * strong. + * Whether the mobile app Jitsi Meet is to be promoted to participants + * attempting to join a conference in a mobile Web browser. If + * {@code undefined}, defaults to {@code true}. * * @type {boolean} */ - CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true, + MOBILE_APP_PROMO: true, /** - * How long the connection indicator should remain displayed before hiding. - * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED. - * - * @type {number} + * Specify custom URL for downloading android mobile app. */ - CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000, + MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet', /** - * If true, hides the connection indicators completely. - * - * @type {boolean} + * Specify custom URL for downloading f droid app. */ - CONNECTION_INDICATOR_DISABLED: false, + MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/', /** - * If true, hides the video quality label indicating the resolution status - * of the current large video. - * - * @type {boolean} + * Specify URL for downloading ios mobile app. */ - VIDEO_QUALITY_LABEL_DISABLED: false, + MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905', + + NATIVE_APP_NAME: {{ matrix_jitsi_web_interface_config_native_app_name|to_json }}, + + // Names of browsers which should show a warning stating the current browser + // has a suboptimal experience. Browsers which are not listed as optimal or + // unsupported are considered suboptimal. Valid values are: + // chrome, chromium, edge, electron, firefox, nwjs, opera, safari + OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ], + + POLICY_LOGO: null, + PROVIDER_NAME: {{ matrix_jitsi_web_interface_config_provider_name|to_json }}, /** * If true, will display recent list @@ -172,26 +165,78 @@ var interfaceConfig = { * @type {boolean} */ RECENT_LIST_ENABLED: true, + REMOTE_THUMBNAIL_RATIO: 1, // 1:1 - // Names of browsers which should show a warning stating the current browser - // has a suboptimal experience. Browsers which are not listed as optimal or - // unsupported are considered suboptimal. Valid values are: - // chrome, chromium, edge, electron, firefox, nwjs, opera, safari - OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron' ], + SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar' ], + SHOW_BRAND_WATERMARK: {{ matrix_jitsi_web_interface_config_show_brand_watermark|to_json }}, + + /** + * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. + * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) + * being already installed is done before rendering. + */ + SHOW_CHROME_EXTENSION_BANNER: false, + + SHOW_DEEP_LINKING_IMAGE: {{ matrix_jisti_web_interface_config_show_deep_linking_image|to_json }}, + SHOW_JITSI_WATERMARK: {{ matrix_jitsi_web_interface_config_show_jitsi_watermark|to_json }}, + SHOW_POWERED_BY: {{ matrix_jitsi_web_interface_config_show_powered_by|to_json }}, + SHOW_PROMOTIONAL_CLOSE_PAGE: false, + + /* + * If indicated some of the error dialogs may point to the support URL for + * help. + */ + SUPPORT_URL: 'https://community.jitsi.org/', + + TOOLBAR_ALWAYS_VISIBLE: false, + + /** + * The name of the toolbar buttons to display in the toolbar, including the + * "More actions" menu. If present, the button will display. Exceptions are + * "livestreaming" and "recording" which also require being a moderator and + * some values in config.js to be enabled. Also, the "profile" button will + * not display for users with a JWT. + * Notes: + * - it's impossible to choose which buttons go in the "More actions" menu + * - it's impossible to control the placement of buttons + * - 'desktop' controls the "Share your screen" button + */ + TOOLBAR_BUTTONS: [ + {% if matrix_jitsi_enable_transcriptions %} + 'closedcaptions', + {% endif %} + + 'microphone', 'camera', 'desktop', 'embedmeeting', 'fullscreen', + 'fodeviceselection', 'hangup', 'profile', 'chat', 'recording', + 'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand', + 'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts', + 'tileview', 'videobackgroundblur', 'download', 'help', 'mute-everyone', 'security' + ], + + TOOLBAR_TIMEOUT: 4000, // Browsers, in addition to those which do not fully support WebRTC, that // are not supported and should show the unsupported browser page. UNSUPPORTED_BROWSERS: [], /** - * A UX mode where the last screen share participant is automatically - * pinned. Valid values are the string "remote-only" so remote participants - * get pinned but not local, otherwise any truthy value for all participants, - * and any falsy value to disable the feature. + * Whether to show thumbnails in filmstrip as a column instead of as a row. + */ + VERTICAL_FILMSTRIP: true, + + // Determines how the video would fit the screen. 'both' would fit the whole + // screen, 'height' would fit the original video height to the height of the + // screen, 'width' would fit the original video width to the width of the + // screen respecting ratio. + VIDEO_LAYOUT_FIT: 'both', + + /** + * If true, hides the video quality label indicating the resolution status + * of the current large video. * - * Note: this mode is experimental and subject to breakage. + * @type {boolean} */ - AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only' + VIDEO_QUALITY_LABEL_DISABLED: false, /** * How many columns the tile view can expand to. The respected range is @@ -200,14 +245,15 @@ var interfaceConfig = { // TILE_VIEW_MAX_COLUMNS: 5, /** - * Specify custom URL for downloading android mobile app. - */ - // MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet', - - /** - * Specify URL for downloading ios mobile app. + * Specify Firebase dynamic link properties for the mobile apps. */ - // MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905', + // MOBILE_DYNAMIC_LINK: { + // APN: 'org.jitsi.meet', + // APP_CODE: 'w2atb', + // CUSTOM_DOMAIN: undefined, + // IBI: 'com.atlassian.JitsiMeet.ios', + // ISI: '1165103905' + // }, /** * Specify mobile app scheme for opening the app from the mobile browser. @@ -225,6 +271,23 @@ var interfaceConfig = { * milliseconds, those notifications should remain displayed. */ // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000, + + // List of undocumented settings + /** + INDICATOR_FONT_SIZES + PHONE_NUMBER_REGEX + */ + + // Allow all above example options to include a trailing comma and + // prevent fear when commenting out the last value. + // eslint-disable-next-line sort-keys + makeJsonParserHappy: 'even if last key had a trailing comma' + + // No configuration value should follow this line. }; + +{{ matrix_jitsi_web_custom_interface_config_extension }} + + /* eslint-enable no-unused-vars, no-var, max-len */ From b354155d7cbca855dd979ae941668154f10afe18 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 27 Nov 2020 17:57:07 +0200 Subject: [PATCH 1557/2384] Make JVB websockets reverse-proxying work --- group_vars/matrix_servers | 2 ++ roles/matrix-jitsi/defaults/main.yml | 5 +++++ .../templates/jvb/matrix-jitsi-jvb.service.j2 | 3 +++ .../nginx/conf.d/matrix-jitsi.conf.j2 | 21 +++++++++++++++++++ 4 files changed, 31 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 464cff78..07f9a88c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -671,6 +671,8 @@ matrix_jitsi_enabled: false # the Jitsi HTTP port to the local host. matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:12080' }}" +matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:12090' }}" + matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}" matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}" matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}" diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index c9c8745e..85123cf7 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -247,3 +247,8 @@ matrix_jitsi_jvb_container_rtp_udp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_udp_ # # Takes an ":" or "" value (e.g. "127.0.0.1:4443"), or empty string to not expose. matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_port }}" + +# Controls whether the matrix-jitsi-jvb container exposes its Colibri WebSocket port (tcp/9090 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:12090"), or empty string to not expose. +matrix_jitsi_jvb_container_colibri_ws_host_bind_port: '' diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 6db6a850..7fcfeec6 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -21,6 +21,9 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ {% if matrix_jitsi_jvb_container_rtp_tcp_host_bind_port %} -p {{ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_tcp_port }} \ {% endif %} + {% if matrix_jitsi_jvb_container_colibri_ws_host_bind_port %} + -p {{ matrix_jitsi_jvb_container_colibri_ws_host_bind_port }}:9090 \ + {% endif %} --mount type=bind,src={{ matrix_jitsi_jvb_config_path }},dst=/config \ {% for arg in matrix_jitsi_jvb_container_extra_arguments %} {{ arg }} \ diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 4cacf1f1..500f1943 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -23,6 +23,27 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; } + + # colibri (JVB) websockets + location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) { + {% if matrix_nginx_proxy_enabled %} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-jitsi-jvb:9090"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:12090; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_http_version 1.1; + + tcp_nodelay on; + } {% endmacro %} server { From be5263f397eba7c3cc554f952344d0d7d36ec02a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 28 Nov 2020 21:34:14 +0200 Subject: [PATCH 1558/2384] Move self-building git repository URLs to variables (stop hardcoding) --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 1 + .../tasks/setup_install.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 1 + .../tasks/setup_install.yml | 2 +- .../matrix-bridge-mx-puppet-discord/defaults/main.yml | 1 + .../tasks/setup_install.yml | 2 +- .../defaults/main.yml | 1 + .../tasks/setup_install.yml | 2 +- roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 1 + .../tasks/setup_install.yml | 2 +- roles/matrix-bridge-mx-puppet-slack/defaults/main.yml | 1 + .../tasks/setup_install.yml | 2 +- roles/matrix-bridge-mx-puppet-steam/defaults/main.yml | 1 + .../tasks/setup_install.yml | 2 +- .../matrix-bridge-mx-puppet-twitter/defaults/main.yml | 1 + .../tasks/setup_install.yml | 2 +- roles/matrix-client-element/defaults/main.yml | 1 + roles/matrix-client-element/tasks/setup.yml | 2 +- roles/matrix-coturn/defaults/main.yml | 1 + roles/matrix-coturn/tasks/setup_coturn.yml | 2 +- roles/matrix-dynamic-dns/defaults/main.yml | 1 + roles/matrix-dynamic-dns/tasks/install.yml | 2 +- roles/matrix-ma1sd/defaults/main.yml | 1 + roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 2 +- roles/matrix-registration/defaults/main.yml | 2 +- roles/matrix-registration/tasks/setup.yml | 2 +- roles/matrix-registration/tasks/validate_config.yml | 9 +++++++++ roles/matrix-synapse-admin/defaults/main.yml | 3 ++- roles/matrix-synapse-admin/tasks/main.yml | 6 ++++++ roles/matrix-synapse-admin/tasks/setup.yml | 2 +- roles/matrix-synapse-admin/tasks/validate_config.yml | 10 ++++++++++ roles/matrix-synapse/defaults/main.yml | 1 + roles/matrix-synapse/tasks/synapse/setup_install.yml | 2 +- 33 files changed, 56 insertions(+), 17 deletions(-) create mode 100644 roles/matrix-synapse-admin/tasks/validate_config.yml diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index c34da88f..c14a3ace 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -4,6 +4,7 @@ matrix_mautrix_facebook_enabled: true matrix_mautrix_facebook_container_image_self_build: false +matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git" # See: https://mau.dev/tulir/mautrix-facebook/container_registry matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:latest" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 75ea7a6b..638854e2 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -32,7 +32,7 @@ - name: Ensure Mautrix Facebook repository is present on self-build git: - repo: https://github.com/tulir/mautrix-facebook.git + repo: "{{ matrix_mautrix_facebook_container_image_self_build_repo }}" dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}" # version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 13bc1a6c..ab670052 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -4,6 +4,7 @@ matrix_mautrix_hangouts_enabled: true matrix_mautrix_hangouts_container_image_self_build: false +matrix_mautrix_hangouts_container_image_self_build_repo: "https://github.com/tulir/mautrix-hangouts.git" # See: https://mau.dev/tulir/mautrix-hangouts/container_registry matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}tulir/mautrix-hangouts:latest" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index 5dc5f20a..eec5e006 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -32,7 +32,7 @@ - name: Ensure Mautrix Hangots repository is present on self build git: - repo: https://github.com/tulir/mautrix-hangouts.git + repo: "{{ matrix_mautrix_hangouts_container_image_self_build_repo }}" dest: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" force: "yes" register: matrix_mautrix_hangouts_git_pull_results diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 30732000..268bbf8f 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -4,6 +4,7 @@ matrix_mx_puppet_discord_enabled: true matrix_mx_puppet_discord_container_image_self_build: false +matrix_mx_puppet_discord_container_image_self_build_repo: "https://github.com/matrix-discord/mx-puppet-discord.git" # Controls whether the mx-puppet-discord container exposes its HTTP port (tcp/8432 in the container). # diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index e36950bd..c3f2b01f 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml @@ -32,7 +32,7 @@ - name: Ensure MX Puppet Discord repository is present on self build git: - repo: https://github.com/matrix-discord/mx-puppet-discord.git + repo: "{{ matrix_mx_puppet_discord_container_image_self_build_repo }}" dest: "{{ matrix_mx_puppet_discord_docker_src_files_path }}" force: "yes" register: matrix_mx_puppet_discord_git_pull_results diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml index 108a0a34..21cde53f 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -4,6 +4,7 @@ matrix_mx_puppet_instagram_enabled: true matrix_mx_puppet_instagram_container_image_self_build: false +matrix_mx_puppet_instagram_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-instagram.git" matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:latest" matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else 'docker.io/' }}" diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml index 6b638626..78bd78c1 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml @@ -32,7 +32,7 @@ - name: Ensure mx-puppet-instagram repository is present on self build git: - repo: https://github.com/Sorunome/mx-puppet-instagram.git + repo: "{{ matrix_mx_puppet_instagram_container_image_self_build_repo }}" dest: "{{ matrix_mx_puppet_instagram_docker_src_files_path }}" force: "yes" register: matrix_mx_puppet_instagram_git_pull_results diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 9e1c71bb..0c16a8ba 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -4,6 +4,7 @@ matrix_mx_puppet_skype_enabled: true matrix_mx_puppet_skype_container_image_self_build: false +matrix_mx_puppet_skype_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-skype.git" matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:latest" matrix_mx_puppet_skype_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_skype_container_image_self_build else 'docker.io/' }}" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 9b04c290..fb5185ed 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -32,7 +32,7 @@ - name: Ensure MX Puppet Skype repository is present on self build git: - repo: https://github.com/Sorunome/mx-puppet-skype.git + repo: "{{ matrix_mx_puppet_skype_container_image_self_build_repo }}" dest: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" force: "yes" register: matrix_mx_puppet_skype_git_pull_results diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 94b37041..96ab7833 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -4,6 +4,7 @@ matrix_mx_puppet_slack_enabled: true matrix_mx_puppet_slack_container_image_self_build: false +matrix_mx_puppet_slack_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-slack.git" # Controls whether the mx-puppet-slack container exposes its HTTP port (tcp/8432 in the container). # diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index b7cdc13c..2e45ecf6 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -32,7 +32,7 @@ - name: Ensure MX Puppet Slack repository is present on self build git: - repo: https://github.com/Sorunome/mx-puppet-slack.git + repo: "{{ matrix_mx_puppet_slack_container_image_self_build_repo }}" dest: "{{ matrix_mx_puppet_slack_docker_src_files_path }}" force: "yes" register: matrix_mx_puppet_slack_git_pull_results diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index cb06bf7d..b5eb8473 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -4,6 +4,7 @@ matrix_mx_puppet_steam_enabled: true matrix_mx_puppet_steam_container_image_self_build: false +matrix_mx_puppet_steam_container_image_self_build_repo: "https://github.com/icewind1991/mx-puppet-steam.git" # Controls whether the mx-puppet-steam container exposes its HTTP port (tcp/8432 in the container). # diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index d9679510..7b7f8211 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml @@ -32,7 +32,7 @@ - name: Ensure MX Puppet Steam repository is present on self build git: - repo: https://github.com/icewind1991/mx-puppet-steam.git + repo: "{{ matrix_mx_puppet_steam_container_image_self_build_repo }}" dest: "{{ matrix_mx_puppet_steam_docker_src_files_path }}" force: "yes" register: matrix_mx_puppet_steam_git_pull_results diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index 18c39826..13438a21 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -4,6 +4,7 @@ matrix_mx_puppet_twitter_enabled: true matrix_mx_puppet_twitter_container_image_self_build: false +matrix_mx_puppet_twitter_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-twitter.git" # Controls whether the mx-puppet-twitter container exposes its HTTP port (tcp/8432 in the container). # diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index 10e49572..663f822c 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml @@ -32,7 +32,7 @@ - name: Ensure MX Puppet Twitter repository is present on self build git: - repo: https://github.com/Sorunome/mx-puppet-twitter.git + repo: "{{ matrix_mx_puppet_twitter_container_image_self_build_repo }}" dest: "{{ matrix_mx_puppet_twitter_docker_src_files_path }}" force: "yes" register: matrix_mx_puppet_twitter_git_pull_results diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 17a04465..cbe70503 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -1,6 +1,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false +matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.14" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" diff --git a/roles/matrix-client-element/tasks/setup.yml b/roles/matrix-client-element/tasks/setup.yml index 81f7842f..3b542b14 100644 --- a/roles/matrix-client-element/tasks/setup.yml +++ b/roles/matrix-client-element/tasks/setup.yml @@ -26,7 +26,7 @@ - name: Ensure Element repository is present on self-build git: - repo: https://github.com/vector-im/riot-web.git + repo: "{{ matrix_client_element_container_image_self_build_repo }}" dest: "{{ matrix_client_element_docker_src_files_path }}" version: "{{ matrix_client_element_docker_image.split(':')[1] }}" force: "yes" diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 4aae3f06..8cbb3e3f 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -1,6 +1,7 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false +matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git" matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.1.3" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}" diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index fa622caf..1f13da03 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -25,7 +25,7 @@ - name: Ensure Coturn repository is present on self-build git: - repo: https://github.com/instrumentisto/coturn-docker-image.git + repo: "{{ matrix_coturn_container_image_self_build_repo }}" dest: "{{ matrix_coturn_docker_src_files_path }}" version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index 17c57f2c..b33961c1 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -23,6 +23,7 @@ matrix_dynamic_dns_systemd_required_services_list: ['docker.service'] # Build the container from source when running in mode matrix_dynamic_dns_container_image_self_build: false +matrix_dynamic_dns_container_image_self_build_repo: "https://github.com/linuxserver/docker-ddclient.git" # Config paths matrix_dynamic_dns_base_path: "{{ matrix_base_data_path }}/dynamic-dns" diff --git a/roles/matrix-dynamic-dns/tasks/install.yml b/roles/matrix-dynamic-dns/tasks/install.yml index 9ca1043f..e7b06d95 100644 --- a/roles/matrix-dynamic-dns/tasks/install.yml +++ b/roles/matrix-dynamic-dns/tasks/install.yml @@ -23,7 +23,7 @@ - name: Ensure Dynamic DNS repository is present on self build git: - repo: https://github.com/linuxserver/docker-ddclient.git + repo: "{{ matrix_dynamic_dns_container_image_self_build_repo }}" dest: "{{ matrix_dynamic_dns_docker_src_files_path }}" force: "yes" register: matrix_dynamic_dns_git_pull_results diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index b86f7ee0..f7a0782d 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -4,6 +4,7 @@ matrix_ma1sd_enabled: true matrix_ma1sd_container_image_self_build: false +matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git" matrix_ma1sd_architecture: "amd64" diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml index 8814e6b9..46acb428 100644 --- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -52,7 +52,7 @@ - name: Ensure ma1sd repository is present on self-build git: - repo: https://github.com/ma1uta/ma1sd.git + repo: "{{ matrix_ma1sd_container_image_self_build_repo }}" dest: "{{ matrix_ma1sd_docker_src_files_path }}" version: "{{ matrix_ma1sd_docker_image.split(':')[1].split('-')[0] }}" force: "yes" diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index c2150488..680e8bfe 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -4,6 +4,7 @@ matrix_registration_enabled: true matrix_registration_container_image_self_build: false +matrix_registration_container_image_self_build_repo: "https://github.com/ZerataX/matrix-registration" matrix_registration_base_path: "{{ matrix_base_data_path }}/matrix-registration" matrix_registration_config_path: "{{ matrix_registration_base_path }}/config" @@ -15,7 +16,6 @@ matrix_registration_version: "v0.7.0" matrix_registration_docker_image: "{{ matrix_registration_docker_image_name_prefix }}devture/zeratax-matrix-registration:{{ matrix_registration_version }}" matrix_registration_docker_image_name_prefix: "{{ 'localhost/' if matrix_registration_container_image_self_build else 'docker.io/' }}" matrix_registration_docker_image_force_pull: "{{ matrix_registration_docker_image.endswith(':latest') }}" -matrix_registration_docker_repo: "https://github.com/ZerataX/matrix-registration" # A list of extra arguments to pass to the container matrix_registration_container_extra_arguments: [] diff --git a/roles/matrix-registration/tasks/setup.yml b/roles/matrix-registration/tasks/setup.yml index 253f7aea..8427d950 100644 --- a/roles/matrix-registration/tasks/setup.yml +++ b/roles/matrix-registration/tasks/setup.yml @@ -28,7 +28,7 @@ - name: Ensure matrix-registration repository is present when self-building git: - repo: "{{ matrix_registration_docker_repo }}" + repo: "{{ matrix_registration_container_image_self_build_repo }}" dest: "{{ matrix_registration_docker_src_files_path }}" version: "{{ matrix_registration_version }}" force: "yes" diff --git a/roles/matrix-registration/tasks/validate_config.yml b/roles/matrix-registration/tasks/validate_config.yml index 6b2f0277..90466b46 100644 --- a/roles/matrix-registration/tasks/validate_config.yml +++ b/roles/matrix-registration/tasks/validate_config.yml @@ -9,3 +9,12 @@ - "matrix_registration_shared_secret" - "matrix_registration_admin_secret" - "matrix_registration_server_location" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_registration_docker_repo', 'new': 'matrix_registration_container_image_self_build_repo'} diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 6f1d219e..ce149dfd 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -4,7 +4,8 @@ matrix_synapse_admin_enabled: true matrix_synapse_admin_container_self_build: false -matrix_synapse_admin_docker_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" +matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" + matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:0.5.0" diff --git a/roles/matrix-synapse-admin/tasks/main.yml b/roles/matrix-synapse-admin/tasks/main.yml index 3763ba28..b5cb1689 100644 --- a/roles/matrix-synapse-admin/tasks/main.yml +++ b/roles/matrix-synapse-admin/tasks/main.yml @@ -2,6 +2,12 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool + tags: + - setup-all + - setup-synapse-admin + - import_tasks: "{{ role_path }}/tasks/setup.yml" tags: - setup-all diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml index d30657d3..a96ec10f 100644 --- a/roles/matrix-synapse-admin/tasks/setup.yml +++ b/roles/matrix-synapse-admin/tasks/setup.yml @@ -14,7 +14,7 @@ - name: Ensure matrix-synapse-admin repository is present when self-building git: - repo: "{{ matrix_synapse_admin_docker_repo }}" + repo: "{{ matrix_synapse_admin_container_self_build_repo }}" dest: "{{ matrix_synapse_admin_docker_src_files_path }}" force: "yes" register: matrix_synapse_admin_git_pull_results diff --git a/roles/matrix-synapse-admin/tasks/validate_config.yml b/roles/matrix-synapse-admin/tasks/validate_config.yml new file mode 100644 index 00000000..e08680e0 --- /dev/null +++ b/roles/matrix-synapse-admin/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index aadb47ee..f5c2c433 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -4,6 +4,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false +matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/synapse.git" matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.23.0" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}" diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index 3aa2c223..f1abcbcc 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -20,7 +20,7 @@ - name: Ensure Synapse repository is present on self-build git: - repo: https://github.com/matrix-org/synapse.git + repo: "{{ matrix_synapse_container_image_self_build_repo }}" dest: "{{ matrix_synapse_docker_src_files_path }}" version: "{{ matrix_synapse_docker_image.split(':')[1] }}" force: "yes" From e0d7d5f0cac47731ec86b4e60e8ae91d388c38ba Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 28 Nov 2020 22:11:35 +0200 Subject: [PATCH 1559/2384] Disable Jitsi recording/transcriptions by default It's not like it worked anyway, because we don't have the necessary services installed for transcription (Jigasi), nor recording (Jibri). Disabling these, should hopefully disable their related elements in the Jitsi Web UI. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/726 --- roles/matrix-jitsi/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 85123cf7..924198b4 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -4,8 +4,8 @@ matrix_jitsi_base_path: "{{ matrix_base_data_path }}/jitsi" matrix_jitsi_enable_auth: false matrix_jitsi_enable_guests: false -matrix_jitsi_enable_recording: true -matrix_jitsi_enable_transcriptions: true +matrix_jitsi_enable_recording: false +matrix_jitsi_enable_transcriptions: false matrix_jitsi_enable_p2p: true # Authentication type, must be one of internal, jwt or ldap. Currently only From d64ad91c25552e1263a73e5a18107c7ff6da1f16 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 30 Nov 2020 13:11:15 +0200 Subject: [PATCH 1560/2384] Add some notes about recent Jitsi changes A bit late, but still better than nothing. --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c350d235..27afb64e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,18 @@ +# 2020-11-27 + +## Recent Jitsi updates may require configuration changes + +We've recently [updated from Jitsi build 4857 to build 5142](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/719), which brings a lot of configuration changes. + +**If you use our default Jitsi settings, you won't have to do anything.** + +People who have [fine-tuned Jitsi](docs/configuring-playbook-jitsi.md#optional-fine-tune-jitsi) may find that some options got renamed now, others are gone and yet others still need to be defined in another way. + +The next time you run the playbook [installation](docs/installing.md) command, our validation logic will tell you if you're using some variables like that and will recommend a migration path for each one. + +Additionally, we've recently disabled transcriptions (`matrix_jitsi_enable_transcriptions: false`) and recording (`matrix_jitsi_enable_recording: false`) by default. These features did not work anyway, because we don't install the required dependencies for them (Jigasi and Jibri, respectively). If you've been somehow pointing your Jitsi installation to some manually installed Jigasi/Jibri service, you may need to toggle these flags back to enabled to have transcriptions and recordings working. + + # 2020-11-23 ## Breaking change matrix-sms-bridge From 90078dd2966600c0fcaf8d3f6f415b69bc34f4ac Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 30 Nov 2020 20:58:21 +0200 Subject: [PATCH 1561/2384] Add matrix_services_autostart_enabled variable for preventing services autostart Some people requested that `--tags=start` not set up service autostart. One can now do `--tags=start --extra-vars="matrix_services_autostart_enabled=false"` to just start services ones and not set up autostarting. --- roles/matrix-common-after/tasks/start.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index 4bb59bfe..bad84d92 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -1,5 +1,9 @@ --- +- name: Deterimne whether we should make services autostart + set_fact: + matrix_services_autostart_enabled_bool: "{{ true if matrix_services_autostart_enabled|default('') == '' else matrix_services_autostart_enabled|bool }}" + - name: Ensure systemd is reloaded service: daemon_reload: yes @@ -14,7 +18,7 @@ - name: Ensure Matrix services are started service: name: "{{ item }}" - enabled: yes + enabled: "{{ matrix_services_autostart_enabled_bool }}" state: started with_items: "{{ matrix_systemd_services_list }}" when: not ansible_check_mode From 04da1bddf7c6e87af7c4cfa8fe1365008814e1a5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Dec 2020 11:55:18 +0200 Subject: [PATCH 1562/2384] Update matrix-mautrix-facebook config a bit This also disables presence if it's disabled for Synapse. --- group_vars/matrix_servers | 2 ++ .../defaults/main.yml | 4 +++ .../templates/config.yaml.j2 | 25 +++++++++++++------ 3 files changed, 23 insertions(+), 8 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 07f9a88c..8e46a48f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -201,6 +201,8 @@ matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" + ###################################################################### # # /matrix-bridge-mautrix-facebook diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index c14a3ace..1547ad71 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -35,6 +35,10 @@ matrix_mautrix_facebook_homeserver_token: '' # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_facebook_login_shared_secret: '' +matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}" + +matrix_mautrix_facebook_bridge_presence: true + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index 7da7b588..9d8de2d5 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -81,23 +81,32 @@ bridge: command_prefix: "!fb" # Number of chats to sync (and create portals for) on startup/login. - # Maximum 20, set 0 to disable automatic syncing. + # Set 0 to disable automatic syncing. initial_chat_sync: 10 # Whether or not the Facebook users of logged in Matrix users should be # invited to private chats when the user sends a message from another client. invite_own_puppet_to_pm: false - # Whether or not to use /sync to get presence, read receipts and typing notifications when using - # your own Matrix account as the Matrix puppet for your Facebook account. + # Whether or not to use /sync to get presence, read receipts and typing notifications + # when double puppeting is enabled sync_with_custom_puppets: true - # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + # Servers to always allow double puppeting from + double_puppet_server_map: {} + # example.com: https://example.com + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth # # If set, custom puppets will be enabled automatically for local users # instead of users having to find an access token and run `login-matrix` # manually. - login_shared_secret: {{ matrix_mautrix_facebook_login_shared_secret|to_json }} - # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast - # presence, but then it won't send other users' presence to the client. - presence: true + # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + login_shared_secret_map: {{ matrix_mautrix_facebook_bridge_login_shared_secret_map|to_json }} + presence: {{ matrix_mautrix_facebook_bridge_presence|to_json }} # Whether or not to update avatars when syncing all contacts at startup. update_avatar_initial_sync: true # End-to-bridge encryption support options. These require matrix-nio to be installed with pip From 694e6fe1414d0a2c897d0ae4f0495f8832648b48 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Dec 2020 15:11:37 +0200 Subject: [PATCH 1563/2384] Create FUNDING.yml --- .github/FUNDING.yml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 00000000..bc3c8e75 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1,4 @@ +# These are supported funding model platforms + +# https://liberapay.com/s.pantaleev/ +liberapay: s.pantaleev From 06ade5e187aeb6931197bb061966ff8b30d9d055 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Dec 2020 15:24:07 +0200 Subject: [PATCH 1564/2384] Add donation and support room badges --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 1a207937..ac2b7ca9 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +[![Support room on Matrix](https://img.shields.io/matrix/matrix-docker-ansible-deploy:devture.com.svg?label=%23matrix-docker-ansible-deploy%3Adevture.com&logo=matrix&style=for-the-badge&server_fqdn=matrix.devture.com)](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) [![donate](https://liberapay.com/assets/widgets/donate.svg)](https://liberapay.com/s.pantaleev/donate) + # Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker ## Purpose From e314613deddbb7d3b3260c4d819afe9f6be25db8 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 1 Dec 2020 21:52:59 +0100 Subject: [PATCH 1565/2384] Add files created by workers-doc-to-yaml.awk to .gitignore --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 36c65bda..c5279a46 100644 --- a/.gitignore +++ b/.gitignore @@ -3,5 +3,7 @@ !/inventory/host_vars/.gitkeep !/inventory/scripts /roles/*/files/scratchpad +/roles/matrix-synapse/files/workers.upstream-documentation.md +/roles/matrix-synapse/vars/workers.yml .DS_Store .python-version From 851c25c47f0fcfca9f701ffa415a1555db9d2c95 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 1 Dec 2020 21:55:07 +0100 Subject: [PATCH 1566/2384] matrix-synapse nginx template: fix invalid jinja comment syntax --- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 36f02b81..54ec11ca 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -105,7 +105,7 @@ {% endif %} {% if matrix_nginx_proxy_synapse_workers_enabled %} - {# Workers redirects BEGIN} + {# Workers redirects BEGIN #} {% if generic_workers %} # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker @@ -164,7 +164,7 @@ } {% endif %} {% endif %} - {# Workers redirects END} + {# Workers redirects END #} {% endif %} From d5932ca393d26c6b82dd32077609f19477121e8b Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 1 Dec 2020 22:18:42 +0100 Subject: [PATCH 1567/2384] synapse role workers setup: execute the endpoint extraction locally Thanks @maxklenk ! --- roles/matrix-synapse/tasks/workers/setup_install.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/tasks/workers/setup_install.yml b/roles/matrix-synapse/tasks/workers/setup_install.yml index 6b246a18..9aa0c4ec 100644 --- a/roles/matrix-synapse/tasks/workers/setup_install.yml +++ b/roles/matrix-synapse/tasks/workers/setup_install.yml @@ -1,14 +1,20 @@ --- - name: Download synapse workers doc - get_url: + local_action: + module: get_url url: https://github.com/matrix-org/synapse/raw/master/docs/workers.md dest: "{{ role_path }}/files/workers.upstream-documentation.md" + vars: + ansible_become: no - name: Download synapse workers doc and convert into YAML - shell: + local_action: + module: shell cmd: "awk -f '{{ role_path }}/files/workers-doc-to-yaml.awk' -- '{{ role_path }}/files/workers.upstream-documentation.md' > '{{ role_path }}/vars/workers.yml'" creates: "{{ role_path }}/vars/workers.yml" + vars: + ansible_become: no - name: Load list of available worker apps and endpoints include_vars: "{{ role_path }}/vars/workers.yml" From 414b812a29b35e0bceb45e17fa7450d44d58dc07 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 1 Dec 2020 22:20:27 +0100 Subject: [PATCH 1568/2384] synapse role workers setup: make configs clean action remote compatible Many people probably didn't even know this - that ansible can be quite a bit picky about what it will be willing to work with remotely. Thanks @maxklenk ! --- roles/matrix-synapse/tasks/workers/setup_install.yml | 12 +++++++++--- .../matrix-synapse/tasks/workers/setup_uninstall.yml | 12 +++++++++--- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/roles/matrix-synapse/tasks/workers/setup_install.yml b/roles/matrix-synapse/tasks/workers/setup_install.yml index 9aa0c4ec..6cd7ae42 100644 --- a/roles/matrix-synapse/tasks/workers/setup_install.yml +++ b/roles/matrix-synapse/tasks/workers/setup_install.yml @@ -46,12 +46,18 @@ enabled: true with_items: "{{ matrix_synapse_workers_enabled_list }}" +- name: Find worker configs to be cleaned + find: + path: "{{ matrix_synapse_config_dir_path }}" + patterns: "worker.*.yaml" + use_regex: true + register: worker_config_files + - name: Ensure previous worker configs are cleaned file: - path: "{{ item }}" + path: "{{ item.path }}" state: absent - with_fileglob: - - "{{ matrix_synapse_config_dir_path }}/worker.*.yaml" + with_items: "{{ worker_config_files.files }}" - name: Ensure creation of specific worker configs template: diff --git a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml index 879e6998..a9884fca 100644 --- a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml @@ -25,12 +25,18 @@ state: absent register: matrix_synapse_worker_systemd_service_result +- name: Find worker configs to be cleaned + find: + path: "{{ matrix_synapse_config_dir_path }}" + patterns: "worker.*.yaml" + use_regex: true + register: worker_config_files + - name: Ensure worker configs are cleaned file: - path: "{{ item }}" + path: "{{ item.path }}" state: absent - with_fileglob: - - "{{ matrix_synapse_config_dir_path }}/worker.*.yaml" + with_items: "{{ worker_config_files.files }}" - name: Remove workers from synapse.wants list set_fact: From af08f1877913210e4c7c9b6f7d2f84107a93d7b9 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 1 Dec 2020 22:22:04 +0100 Subject: [PATCH 1569/2384] synapse workers default config: disable user_dir worker for now (until https://github.com/matrix-org/synapse/issues/8787 is resolved) --- roles/matrix-synapse/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index eb9c40e7..b0e8637e 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -291,7 +291,8 @@ matrix_synapse_workers_enabled_list: - { type: appservice, port: 00 } - { type: federation_sender, port: 0 } - { type: media_repository, port: 18221 } - - { type: user_dir, port: 18331 } +# disable until https://github.com/matrix-org/synapse/issues/8787 resolved +# - { type: user_dir, port: 18331 } - { type: frontend_proxy, port: 18441 } # Redis information From f201bca519b423950a977ea409aa3f2681b1496b Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 1 Dec 2020 22:49:15 +0100 Subject: [PATCH 1570/2384] synapse workers: define and expose METRICS port for each worker As seen on TV: https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md#monitoring-workers --- roles/matrix-synapse/defaults/main.yml | 24 +++++++++---------- .../synapse/systemd/matrix-synapse.service.j2 | 10 +++++--- .../templates/synapse/worker.yaml.j2 | 4 ++++ 3 files changed, 23 insertions(+), 15 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index b0e8637e..1a87c149 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -281,19 +281,19 @@ matrix_synapse_workers_enabled: false # - no endpoints / doesn't need port mapping if port ends on 0 # - single-instance-only if 2nd last digit of port number is 0 matrix_synapse_workers_enabled_list: - - { type: generic_worker, port: 18111 } - - { type: generic_worker, port: 18112 } - - { type: generic_worker, port: 18113 } - - { type: generic_worker, port: 18114 } - - { type: generic_worker, port: 18115 } - - { type: generic_worker, port: 18116 } - - { type: pusher, port: 00 } - - { type: appservice, port: 00 } - - { type: federation_sender, port: 0 } - - { type: media_repository, port: 18221 } + - { type: generic_worker, port: 18111, metrics_port: 19111 } + - { type: generic_worker, port: 18112, metrics_port: 19112 } + - { type: generic_worker, port: 18113, metrics_port: 19113 } + - { type: generic_worker, port: 18114, metrics_port: 19114 } + - { type: generic_worker, port: 18115, metrics_port: 19115 } + - { type: generic_worker, port: 18116, metrics_port: 19116 } + - { type: pusher, port: 00, metrics_port: 19200 } + - { type: appservice, port: 00, metrics_port: 19300 } + - { type: federation_sender, port: 0, metrics_port: 19400 } + - { type: media_repository, port: 18551, metrics_port: 19551 } # disable until https://github.com/matrix-org/synapse/issues/8787 resolved -# - { type: user_dir, port: 18331 } - - { type: frontend_proxy, port: 18441 } +# - { type: user_dir, port: 18661, metrics_port: 19661 } + - { type: frontend_proxy, port: 18771, metrics_port: 19771 } # Redis information matrix_synapse_redis_enabled: false diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index b65d9645..216d1aef 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -43,14 +43,18 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {% if matrix_synapse_manhole_enabled and matrix_synapse_container_manhole_api_host_bind_port %} -p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \ {% endif %} - {% if matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled|default(False) %} - {# Expose worker (by default 18xxx range) ports on host if not using internal nginx proxy #} {% for worker in matrix_synapse_workers_enabled_list %} + {% if matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled|default(False) %} + {# Expose worker ports (by default 18xxx range) on host if not using internal nginx proxy #} {% if worker.port != 0 %} -p {{ worker.port }}:{{ worker.port }} \ {% endif %} - {% endfor %} {% endif %} + {# Expose worker metrics ports on host if defined #} + {% if worker.metrics_port != 0 %} + -p {{ worker.metrics_port }}:{{ worker.metrics_port }} \ + {% endif %} + {% endfor %} --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ {% for volume in matrix_synapse_container_additional_volumes %} diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 index 2ee606dc..c8876545 100644 --- a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -21,6 +21,10 @@ worker_listeners: {% endif %} {% endif %} + - type: metrics + bind_address: '' + port: {{ item.metrics_port }} + {% if item.type == 'frontend_proxy' %} worker_main_http_uri: http://127.0.0.1:8008 {% endif %} From e892ac464f1708e912cafdd19654b6f7dadc0cda Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 1 Dec 2020 23:49:23 +0100 Subject: [PATCH 1571/2384] synapse workers: untangle config template and specify bind address .. to mitigate log noise - WARNING: Failed to listen on 0.0.0.0, continuing because listening on [::] --- roles/matrix-synapse/templates/synapse/worker.yaml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 index c8876545..f77ff4ad 100644 --- a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -5,8 +5,8 @@ worker_name: {{ item.type ~ ':' ~ item.port }} worker_replication_host: 127.0.0.1 worker_replication_http_port: {{ matrix_synapse_replication_http_port }} -{% if item.type not in [ 'appservice', 'federation_sender', 'pusher' ] %} worker_listeners: +{% if item.type not in [ 'appservice', 'federation_sender', 'pusher' ] %} - type: http port: {{ item.port }} resources: @@ -18,11 +18,11 @@ worker_listeners: - federation {% elif item.type in [ 'media_repository' ] %} - media -{% endif %} {% endif %} +{% endif %} - type: metrics - bind_address: '' + bind_address: ['127.0.0.1'] port: {{ item.metrics_port }} {% if item.type == 'frontend_proxy' %} From 3156d966193b9ff49866925189b2aa2cf6530421 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 2 Dec 2020 00:29:20 +0100 Subject: [PATCH 1572/2384] synapse workers-doc-to-yaml.awk: escape slash for non-gnu awk versions --- roles/matrix-synapse/files/workers-doc-to-yaml.awk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/files/workers-doc-to-yaml.awk b/roles/matrix-synapse/files/workers-doc-to-yaml.awk index fe018b6f..0f304417 100755 --- a/roles/matrix-synapse/files/workers-doc-to-yaml.awk +++ b/roles/matrix-synapse/files/workers-doc-to-yaml.awk @@ -13,7 +13,7 @@ function worker_stanza_append(string) { function line_is_endpoint_url(line) { # probably API endpoint if it starts with white-space and ^ or / - return (line ~ /^ +[\^/].*\//) + return (line ~ /^ +[\^\/].*\//) } # Put YAML marker at beginning of file. From b6b95fe7424721c55493f2d16a2874eb95aac78a Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 2 Dec 2020 23:22:02 +0100 Subject: [PATCH 1573/2384] synapse workers-doc-to-yaml script: compatibility++ with non-gnu awk --- roles/matrix-synapse/files/workers-doc-to-yaml.awk | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-synapse/files/workers-doc-to-yaml.awk b/roles/matrix-synapse/files/workers-doc-to-yaml.awk index 0f304417..d9295e32 100755 --- a/roles/matrix-synapse/files/workers-doc-to-yaml.awk +++ b/roles/matrix-synapse/files/workers-doc-to-yaml.awk @@ -55,7 +55,7 @@ enable_parsing { workers = (workers ? workers "\n" : "") " - " worker_type # loop through the lines (2 - number of fields in record) - for (i = 1; i < NF + 1; i++) { + for (i = 2; i < NF + 1; i++) { # copy line for gsub replacements line = $i @@ -106,7 +106,7 @@ enable_parsing { } # white-space only line? - } else if (line ~ /^\w*$/) { + } else if (line ~ /^ *$/) { if (i > 3 && i < NF) { # print white-space lines unless 1st or last line in section @@ -120,7 +120,7 @@ enable_parsing { worker_stanza_append(" # " line linefeed) # and take note of words hinting at additional conditions to be met - if (line ~ /\<[Ii]f\>|\<[Ff]or\>/) { + if (line ~ /(^| )[Ii]f |(^| )[Ff]or /) { endpoints_seem_conditional = 1 } } From edd40811a59172b48d62d4c774f37c4854f213c2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 3 Dec 2020 15:16:26 +0200 Subject: [PATCH 1574/2384] Update matrix-appservice-discord to v1.0.0 final --- roles/matrix-bridge-appservice-discord/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index cb262166..9ca06b05 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -3,7 +3,7 @@ matrix_appservice_discord_enabled: true -matrix_appservice_discord_docker_image: "halfshot/matrix-appservice-discord:v1.0.0-rc3" +matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:v1.0.0" matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}" matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord" From b3d91ed4885be0672cdfb8045107215982fd2e3f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 4 Dec 2020 01:06:42 +0200 Subject: [PATCH 1575/2384] Fix passing of matrix_appservice_discord_auth_usePrivilegedIntents --- roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 index aca49228..b99f522a 100644 --- a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 @@ -36,7 +36,7 @@ auth: botToken: {{ matrix_appservice_discord_bot_token }} # You must enable "Privileged Gateway Intents" in your bot settings on discord.com (e.g. https://discord.com/developers/applications/12345/bot) # for this to work - usePrivilegedIntents: false + usePrivilegedIntents: {{ matrix_appservice_discord_auth_usePrivilegedIntents|to_json }} logging: # What level should the logger output to the console at. console: "warn" #silly, verbose, info, http, warn, error, silent From a5ae7e9ef045c81c401da3cd5d84ac5677346aac Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 4 Dec 2020 01:48:08 +0200 Subject: [PATCH 1576/2384] Add self-building support to matrix-corporal --- docs/self-building.md | 1 + group_vars/matrix_servers | 2 ++ roles/matrix-corporal/defaults/main.yml | 8 ++++++- .../matrix-corporal/tasks/setup_corporal.yml | 22 ++++++++++++++++++- 4 files changed, 31 insertions(+), 2 deletions(-) diff --git a/docs/self-building.md b/docs/self-building.md index 169e4aa5..fa4db222 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -15,6 +15,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-client-element` - `matrix-registration` - `matrix-coturn` +- `matrix-corporal` - `matrix-ma1sd` - `matrix-mailer` - `matrix-bridge-mautrix-facebook` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8e46a48f..d68db7ed 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -541,6 +541,8 @@ matrix_bot_matrix_reminder_bot_enabled: false matrix_corporal_enabled: false +matrix_corporal_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-corporal's web-server ports to the local host. diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index def3fcc9..1cab3119 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -3,6 +3,9 @@ matrix_corporal_enabled: true +matrix_corporal_container_image_self_build: false +matrix_corporal_container_image_self_build_repo: "https://github.com/devture/matrix-corporal.git" + # Controls whether the matrix-corporal container exposes its gateway HTTP port (tcp/41080 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:41080"), or empty string to not expose. @@ -19,10 +22,13 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_docker_image: "docker.io/devture/matrix-corporal:1.11.0" +matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" +matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}" +matrix_corporal_docker_image_tag: "1.11.0" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" +matrix_corporal_container_src_files_path: "{{ matrix_corporal_base_path }}/container-src" matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config" matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache" matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var" diff --git a/roles/matrix-corporal/tasks/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml index 72b6a5b2..188f09bf 100644 --- a/roles/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -17,13 +17,33 @@ - "{{ matrix_corporal_var_dir_path }}" when: matrix_corporal_enabled|bool +- name: Ensure Matrix Corporal repository is present on self-build + git: + repo: "{{ matrix_corporal_container_image_self_build_repo }}" + dest: "{{ matrix_corporal_container_src_files_path }}" + version: "{{ matrix_corporal_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_corporal_git_pull_results + when: "matrix_corporal_enabled|bool and matrix_corporal_container_image_self_build|bool" + +- name: Ensure Matrix Corporal Docker image is built + docker_image: + name: "{{ matrix_corporal_docker_image }}" + source: build + force_source: "{{ matrix_corporal_git_pull_results.changed }}" + build: + dockerfile: etc/docker/Dockerfile + path: "{{ matrix_corporal_container_src_files_path }}" + pull: yes + when: "matrix_corporal_enabled|bool and matrix_corporal_container_image_self_build|bool" + - name: Ensure Matrix Corporal Docker image is pulled docker_image: name: "{{ matrix_corporal_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_corporal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_corporal_docker_image_force_pull }}" - when: matrix_corporal_enabled|bool + when: "matrix_corporal_enabled|bool and not matrix_corporal_container_image_self_build|bool" - name: Ensure Matrix Corporal config installed copy: From 6921ec4b8af0e5b584d5286d5903dfda769be747 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Sun, 2 Aug 2020 20:54:13 +0200 Subject: [PATCH 1577/2384] Revert "Work around buggy docker_network sometimes failing to work" The docker_network bug was fixed two years ago This reverts commit 36658addcd688074eb9062ee71f16ed8a0bcad1b. --- roles/matrix-base/tasks/setup_matrix_base.yml | 29 +++---------------- 1 file changed, 4 insertions(+), 25 deletions(-) diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 22d330f2..0fad2b3d 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -19,31 +19,10 @@ mode: '0660' when: "matrix_vars_yml_snapshotting_enabled|bool" -# `docker_network` doesn't work as expected when the given network -# is a substring of a network that already exists. -# -# See: -# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/12 -# - https://github.com/ansible/ansible/issues/32926 -# -# Due to that, we employ a workaround below. -# -# - name: Ensure Matrix network is created in Docker -# docker_network: -# name: "{{ matrix_docker_network }}" -# driver: bridge - -- name: Check existence of Matrix network in Docker - shell: - cmd: "docker network ls -q --filter='name=^{{ matrix_docker_network }}$'" - register: result_check_docker_network - changed_when: false - check_mode: no - -- name: Create Matrix network in Docker - shell: - cmd: "docker network create --driver=bridge {{ matrix_docker_network }}" - when: "result_check_docker_network.stdout == '' and not ansible_check_mode" +- name: Ensure Matrix network is created in Docker + docker_network: + name: "{{ matrix_docker_network }}" + driver: bridge - name: Ensure matrix-remove-all script created template: From 6f9b4bd9ac8f257a9ac8e1c4b72cfdf1c4875f56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Sun, 2 Aug 2020 21:13:45 +0200 Subject: [PATCH 1578/2384] Drop workaround for old Ansible docker_network bug --- roles/matrix-coturn/tasks/setup_coturn.yml | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml index 1f13da03..f3c1048f 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_coturn.yml @@ -59,22 +59,11 @@ mode: 0644 when: matrix_coturn_enabled|bool -# `docker_network` doesn't work as expected when the given network -# is a substring of a network that already exists. -# -# See our other comments in `roles/matrix-base/tasks/setup_matrix_base.yml` -- name: Check existence of Coturn network in Docker - shell: - cmd: "docker network ls -q --filter='name=^{{ matrix_coturn_docker_network }}$'" - register: matrix_coturn_result_docker_network - changed_when: false +- name: Ensure Coturn network is created in Docker + docker_network: + name: "{{ matrix_coturn_docker_network }}" + driver: bridge when: matrix_coturn_enabled|bool - check_mode: no - -- name: Create Coturn network in Docker - shell: - cmd: "docker network create --driver=bridge {{ matrix_coturn_docker_network }}" - when: "matrix_coturn_enabled|bool and matrix_coturn_result_docker_network.stdout == '' and not ansible_check_mode" - name: Ensure matrix-coturn.service installed template: From ec2a9d4852c49029c08df9f3651bab94fb2057fd Mon Sep 17 00:00:00 2001 From: Hardy Erlinger Date: Sun, 6 Dec 2020 13:50:45 +0100 Subject: [PATCH 1579/2384] Remove the recording button from the Jitsi UI if recording is disabled. --- roles/matrix-jitsi/templates/web/interface_config.js.j2 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/matrix-jitsi/templates/web/interface_config.js.j2 b/roles/matrix-jitsi/templates/web/interface_config.js.j2 index 60fac4d5..a12ca973 100644 --- a/roles/matrix-jitsi/templates/web/interface_config.js.j2 +++ b/roles/matrix-jitsi/templates/web/interface_config.js.j2 @@ -205,9 +205,11 @@ var interfaceConfig = { {% if matrix_jitsi_enable_transcriptions %} 'closedcaptions', {% endif %} - + {% if matrix_jitsi_enable_recording %} + 'recording', + {% endif %} 'microphone', 'camera', 'desktop', 'embedmeeting', 'fullscreen', - 'fodeviceselection', 'hangup', 'profile', 'chat', 'recording', + 'fodeviceselection', 'hangup', 'profile', 'chat', 'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand', 'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts', 'tileview', 'videobackgroundblur', 'download', 'help', 'mute-everyone', 'security' From 7372480e95d9fa60c05270236cc6f4d6753c3e67 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 6 Dec 2020 23:59:58 +0200 Subject: [PATCH 1580/2384] Properly serialize some ma1sd configuration values We've had a report of the `connection` value getting cut off, supposedly because it contains something that breaks off the string. Using `|to_json` takes care of it. --- roles/matrix-ma1sd/templates/ma1sd.yaml.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 index 8f3569b1..84585707 100644 --- a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 +++ b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 @@ -73,10 +73,10 @@ hashing: - none # the same as v1 bulk lookup - sha256 # hash the 3PID and pepper. delay: 2m # how often hashes will be updated if rotation policy = per_seconds (default is 10s) - requests: 10 + requests: 10 {% endif %} synapseSql: - enabled: {{ matrix_ma1sd_synapsesql_enabled }} - type: {{ matrix_ma1sd_synapsesql_type }} - connection: {{ matrix_ma1sd_synapsesql_connection }} + enabled: {{ matrix_ma1sd_synapsesql_enabled|to_json }} + type: {{ matrix_ma1sd_synapsesql_type|to_json }} + connection: {{ matrix_ma1sd_synapsesql_connection|to_json }} From 9713ac96177d71cb4e126a0442a134179f4af8cf Mon Sep 17 00:00:00 2001 From: Mike Date: Sun, 6 Dec 2020 23:42:44 +0100 Subject: [PATCH 1581/2384] fixes config.js comments in config.js must begin with two slashes --- docs/configuring-playbook-jitsi.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 62edc578..f72241e1 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -99,7 +99,7 @@ matrix_jitsi_web_custom_config_extension: | config.disableAudioLevels = true; - # Limit the number of video feeds forwarded to each client + // Limit the number of video feeds forwarded to each client config.channelLastN = 4; matrix_jitsi_web_config_resolution_width_ideal_and_max: 480 From d556aa943fbd736c0401d3fec2c78d5f827a5e78 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 7 Dec 2020 06:33:35 +0200 Subject: [PATCH 1582/2384] Update docker-ce.repo to not hardcode $releasever=7 This keeps it in line with https://download.docker.com/linux/centos/docker-ce.repo Whether or not Docker works well on CentOS 8 for our purposes hasn't been verified yet. Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300 --- .../files/yum.repos.d/docker-ce.repo | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/roles/matrix-base/files/yum.repos.d/docker-ce.repo b/roles/matrix-base/files/yum.repos.d/docker-ce.repo index 56242d98..1abdbe36 100644 --- a/roles/matrix-base/files/yum.repos.d/docker-ce.repo +++ b/roles/matrix-base/files/yum.repos.d/docker-ce.repo @@ -1,62 +1,62 @@ [docker-ce-stable] name=Docker CE Stable - $basearch -baseurl=https://download.docker.com/linux/centos/7/$basearch/stable +baseurl=https://download.docker.com/linux/centos/$releasever/$basearch/stable enabled=1 gpgcheck=1 gpgkey=https://download.docker.com/linux/centos/gpg [docker-ce-stable-debuginfo] name=Docker CE Stable - Debuginfo $basearch -baseurl=https://download.docker.com/linux/centos/7/debug-$basearch/stable +baseurl=https://download.docker.com/linux/centos/$releasever/debug-$basearch/stable enabled=0 gpgcheck=1 gpgkey=https://download.docker.com/linux/centos/gpg [docker-ce-stable-source] name=Docker CE Stable - Sources -baseurl=https://download.docker.com/linux/centos/7/source/stable +baseurl=https://download.docker.com/linux/centos/$releasever/source/stable enabled=0 gpgcheck=1 gpgkey=https://download.docker.com/linux/centos/gpg -[docker-ce-edge] -name=Docker CE Edge - $basearch -baseurl=https://download.docker.com/linux/centos/7/$basearch/edge +[docker-ce-test] +name=Docker CE Test - $basearch +baseurl=https://download.docker.com/linux/centos/$releasever/$basearch/test enabled=0 gpgcheck=1 gpgkey=https://download.docker.com/linux/centos/gpg -[docker-ce-edge-debuginfo] -name=Docker CE Edge - Debuginfo $basearch -baseurl=https://download.docker.com/linux/centos/7/debug-$basearch/edge +[docker-ce-test-debuginfo] +name=Docker CE Test - Debuginfo $basearch +baseurl=https://download.docker.com/linux/centos/$releasever/debug-$basearch/test enabled=0 gpgcheck=1 gpgkey=https://download.docker.com/linux/centos/gpg -[docker-ce-edge-source] -name=Docker CE Edge - Sources -baseurl=https://download.docker.com/linux/centos/7/source/edge +[docker-ce-test-source] +name=Docker CE Test - Sources +baseurl=https://download.docker.com/linux/centos/$releasever/source/test enabled=0 gpgcheck=1 gpgkey=https://download.docker.com/linux/centos/gpg -[docker-ce-test] -name=Docker CE Test - $basearch -baseurl=https://download.docker.com/linux/centos/7/$basearch/test +[docker-ce-nightly] +name=Docker CE Nightly - $basearch +baseurl=https://download.docker.com/linux/centos/$releasever/$basearch/nightly enabled=0 gpgcheck=1 gpgkey=https://download.docker.com/linux/centos/gpg -[docker-ce-test-debuginfo] -name=Docker CE Test - Debuginfo $basearch -baseurl=https://download.docker.com/linux/centos/7/debug-$basearch/test +[docker-ce-nightly-debuginfo] +name=Docker CE Nightly - Debuginfo $basearch +baseurl=https://download.docker.com/linux/centos/$releasever/debug-$basearch/nightly enabled=0 gpgcheck=1 gpgkey=https://download.docker.com/linux/centos/gpg -[docker-ce-test-source] -name=Docker CE Test - Sources -baseurl=https://download.docker.com/linux/centos/7/source/test +[docker-ce-nightly-source] +name=Docker CE Nightly - Sources +baseurl=https://download.docker.com/linux/centos/$releasever/source/nightly enabled=0 gpgcheck=1 gpgkey=https://download.docker.com/linux/centos/gpg From 8c02f7b79bfe752b42e9efef069e675eba5b3d6a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 7 Dec 2020 15:18:03 +0200 Subject: [PATCH 1583/2384] Upgrade services --- roles/matrix-client-element/defaults/main.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index cbe70503..8b032ac2 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.14" +matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.15" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index ceba9ab6..7331c589 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.4-alpine" +matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.5-alpine" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" @@ -259,7 +259,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.9.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.10.1" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ From c07c927d9f2f37958300169ab27ecf6a4eeabd52 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 8 Dec 2020 16:48:25 +0200 Subject: [PATCH 1584/2384] Automatically enable openid listeners when ma1sd enabled ma1sd requires the openid endpoints for certain functionality. Example: https://github.com/ma1uta/ma1sd/blob/90b2b5301c34168346fdc5e7eccc09d6958e999f/src/main/java/io/kamax/mxisd/auth/AccountManager.java#L67-L99 If federation is disabled, we still need to expose these openid APIs on the federation port. Previously, we were doing similar magic for Dimension. As per its documentation, when running unfederated, one is to enable the openid listener as well. As per their recommendation, people are advised to do enable it on the Client-Server API port and use the `federationUrl` variable to override where the federation port is (making federation requests go to the Client-Server API). Because ma1sd always uses the federation port (unless you do some DNS overwriting magic using its configuration -- which we'd rather not do), it's better if we just default to putting the `openid` listener where it belongs - on the federation port. With this commit, we retain the "automatically enable openid APIs" thing we've been doing for Dimension, but move it to the federation port instead. We also now do the same thing when ma1sd is enabled. --- CHANGELOG.md | 12 ++++++++++ docs/configuring-playbook-dimension.md | 5 ++++- docs/configuring-playbook-federation.md | 10 +++++++++ docs/configuring-playbook-ma1sd.md | 7 +++++- docs/prerequisites.md | 13 ++++++++++- group_vars/matrix_servers | 12 +++------- roles/matrix-synapse/defaults/main.yml | 22 ++++++++++++++++++- .../templates/synapse/homeserver.yaml.j2 | 8 +++---- 8 files changed, 72 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 27afb64e..5024d841 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# 2020-12-08 + +## openid APIs exposed by default on the federation port when federation disabled + +We've changed some defaults. People running with our default configuration (federation enabled), are not affected at all. + +If you are running an unfederated server (`matrix_synapse_federation_enabled: false`), this may be of interest to you. + +When federation is disabled, but ma1sd or Dimension are enabled, we'll now expose the `openid` APIs on the federation port. +These APIs are necessary for some ma1sd features to work. If you'd like to prevent this, you can: `matrix_synapse_federation_port_openid_resource_required: false`. + + # 2020-11-27 ## Recent Jitsi updates may require configuration changes diff --git a/docs/configuring-playbook-dimension.md b/docs/configuring-playbook-dimension.md index 604e6aa6..d5f0a9e6 100644 --- a/docs/configuring-playbook-dimension.md +++ b/docs/configuring-playbook-dimension.md @@ -3,6 +3,9 @@ **[Dimension](https://dimension.t2bot.io) can only be installed after Matrix services are installed and running.** If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later. +**Note**: enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible). + + ## Prerequisites This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and an [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environment. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. @@ -48,7 +51,7 @@ To get an access token for the Dimension user, you can follow one of two options 3. Copy the highlighted text to your configuration. 4. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work. -*With CURL* +*With CURL* ``` curl -X POST --header 'Content-Type: application/json' -d '{ diff --git a/docs/configuring-playbook-federation.md b/docs/configuring-playbook-federation.md index 1e4ad61e..2e6410ec 100644 --- a/docs/configuring-playbook-federation.md +++ b/docs/configuring-playbook-federation.md @@ -37,3 +37,13 @@ matrix_synapse_federation_enabled: false ``` With that, your server's users will only be able to talk among themselves, but not to anyone who is on another server. + +**Disabling federation does not necessarily disable the federation port** (`8448`). Services like [Dimension](configuring-playbook-dimension.md) and [ma1sd](configuring-playbook-ma1sd.md) normally rely on `openid` APIs exposed on that port. Even if you disable federation and only if necessary, we may still be exposing the federation port and serving the `openid` APIs there. To override this and completely disable Synapse's federation port use: + +```yaml +# This stops the federation port on the Synapse side (normally `matrix-synapse:8048` on the container network). +matrix_synapse_federation_port_enabled: false + +# This removes the `8448` virtual host from the matrix-nginx-proxy reverse-proxy server. +matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false +``` diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md index 03208337..70c507cb 100644 --- a/docs/configuring-playbook-ma1sd.md +++ b/docs/configuring-playbook-ma1sd.md @@ -4,7 +4,9 @@ By default, this playbook configures an [ma1sd](https://github.com/ma1uta/ma1sd) This server is private by default, potentially at the expense of user discoverability. -ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21. +*ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.* + +**Note**: enabling ma1sd (which is also the default), means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible). ## Disabling ma1sd @@ -50,6 +52,9 @@ To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/featu - `matrix_ma1sd_configuration_extension_yaml` - to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`. +**Note**: For this to work, either the homeserver needs to [federate](configuring-playbook-federation.md) or the `openid` APIs need to exposed on the federation port. When federation is disabled and ma1sd is enabled, we automatically expose the `openid` APIs (only!) on the federation port. Make sure the federation port (usually `https://matrix.DOMAIN:8448`) is whitelisted in your firewall (even if you don't actually use/need federation). + + ## Authentication [Authentication](https://github.com/ma1uta/ma1sd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server: diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 4356081b..daf6ff80 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -22,6 +22,17 @@ This playbook doesn't support running on ARM (see [this issue](https://github.co - Properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)). -- Some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP). Depending on your firewall/NAT setup, incoming RTP packets on port 10000 may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)). +- Some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: + + - `80/tcp`: HTTP webserver + - `443/tcp`: HTTPS webserver + - `3478/tcp`: TURN over TCP (used by Coturn) + - `3478/udp`: TURN over UDP (used by Coturn) + - `5349/tcp`: TURN over TCP (used by Coturn) + - `5349/udp`: TURN over UDP (used by Coturn) + - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port. + - the range `49152-49172/udp`: TURN over UDP + - `4443/tcp`: Jitsi Harvester fallback + - `10000/udp`: Jitsi video RTP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)). When ready to proceed, continue with [Configuring DNS](configuring-dns.md). diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d68db7ed..78a03851 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -620,8 +620,6 @@ matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" -matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{ 8048 if matrix_synapse_federation_enabled|bool else 8008 }}" - ###################################################################### # # /matrix-dimension @@ -816,7 +814,8 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd: matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. -matrix_nginx_proxy_proxy_matrix_federation_api_enabled: true +# Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy. +matrix_nginx_proxy_proxy_matrix_federation_api_enabled: "{{ matrix_synapse_federation_port_enabled and not matrix_synapse_tls_federation_listener_enabled }}" matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:8048" @@ -990,12 +989,7 @@ matrix_synapse_tls_federation_listener_enabled: false matrix_synapse_tls_certificate_path: ~ matrix_synapse_tls_private_key_path: ~ -matrix_synapse_http_listener_resource_names: | - {{ - ["client"] - + - ( ["openid"] if matrix_dimension_enabled and not matrix_synapse_federation_enabled else [] ) - }} +matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled) }}" matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" matrix_synapse_email_smtp_host: "matrix-mailer" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f5c2c433..35d40c7c 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -136,6 +136,11 @@ matrix_synapse_tls_private_key_path: "/data/{{ matrix_server_fqn_matrix }}.tls.k # names. matrix_synapse_http_listener_resource_names: ["client"] +# Resources served on Synapse's federation port. +# When disabling federation, we may wish to serve the `openid` resource here, +# so that services like Dimension and ma1sd can work. +matrix_synapse_federation_listener_resource_names: "{{ ['federation'] if matrix_synapse_federation_enabled else (['openid'] if matrix_synapse_federation_port_openid_resource_required else []) }}" + # Enable this to allow Synapse to report utilization statistics about your server to matrix.org # (things like number of users, number of messages sent, uptime, load, etc.) matrix_synapse_report_stats: false @@ -211,10 +216,25 @@ matrix_synapse_caches_global_factor: 0.5 # Controls whether Synapse will federate at all. # Disable this to completely isolate your server from the rest of the Matrix network. -# Also see: `matrix_synapse_tls_federation_listener_enabled` if you wish to keep federation enabled, +# +# Disabling this still keeps the federation port exposed, because it may be used for other services (`openid`). +# +# Also see: +# - `matrix_synapse_tls_federation_listener_enabled` if you wish to keep federation enabled, # but want to stop the TLS listener (port 8448). +# - `matrix_synapse_federation_port_enabled` to avoid exposing the federation ports matrix_synapse_federation_enabled: true +# Controls whether the federation ports are used at all. +# One may wish to disable federation (`matrix_synapse_federation_enabled: true`), +# but still run other resources (like `openid`) on the federation port +# by enabling them in `matrix_synapse_federation_listener_resource_names`. +matrix_synapse_federation_port_enabled: "{{ matrix_synapse_federation_enabled or matrix_synapse_federation_port_openid_resource_required }}" + +# Controls whether an `openid` listener is to be enabled. Useful when disabling federation, +# but needing the `openid` APIs for Dimension or an identity server like ma1sd. +matrix_synapse_federation_port_openid_resource_required: false + # A list of domain names that are allowed to federate with the given Synapse server. # An empty list value (`[]`) will also effectively stop federation, but if that's the desired # result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`. diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 8c68189b..c64ed9cc 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -188,7 +188,7 @@ listeners: - '0.0.0.0' {% endif %} -{% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %} +{% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %} # TLS-enabled listener: for when matrix traffic is sent directly to synapse. - port: 8448 tls: true @@ -197,7 +197,7 @@ listeners: x_forwarded: false resources: - - names: [federation] + - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} compress: false {% endif %} @@ -213,7 +213,7 @@ listeners: - names: {{ matrix_synapse_http_listener_resource_names|to_json }} compress: false -{% if matrix_synapse_federation_enabled %} +{% if matrix_synapse_federation_port_enabled %} # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy # that unwraps TLS. - port: 8048 @@ -223,7 +223,7 @@ listeners: x_forwarded: true resources: - - names: [federation] + - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} compress: false {% endif %} From ad92c61fdddb21539f1286c65696902aad035a0c Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Wed, 9 Dec 2020 09:45:44 +0100 Subject: [PATCH 1585/2384] updated matrix-sms-bridge --- roles/matrix-bridge-sms/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 82f9b841..3c6b4c61 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.4" +matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.5" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" From aa86e0dac65df44c21820b6cc451617c830b4ae1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 9 Dec 2020 13:30:28 +0200 Subject: [PATCH 1586/2384] Upgrade Synapse (v1.23.0 -> v1.24.0) Because the ARM images are not pushed yet, we hold back to v1.23.0 for now. --- roles/matrix-synapse/defaults/main.yml | 3 +- .../templates/synapse/homeserver.yaml.j2 | 59 ++++++++++++++----- 2 files changed, 46 insertions(+), 16 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 35d40c7c..02d788a3 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -6,8 +6,9 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/synapse.git" -matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.23.0" +matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}" +matrix_synapse_docker_image_tag: "{{ 'v1.24.0' if matrix_architecture == 'amd64' else 'v1.23.0' }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index c64ed9cc..41b28c88 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1202,8 +1202,9 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} # email will be globally disabled. # # Additionally, if `msisdn` is not set, registration and password resets via msisdn -# will be disabled regardless. This is due to Synapse currently not supporting any -# method of sending SMS messages on its own. +# will be disabled regardless, and users will not be able to associate an msisdn +# identifier to their account. This is due to Synapse currently not supporting +# any method of sending SMS messages on its own. # # To enable using an identity server for operations regarding a particular third-party # identifier type, set the value to the URL of that identity server as shown in the @@ -1522,6 +1523,12 @@ saml2_config: # remote: # - url: https://our_idp/metadata.xml + # Allowed clock difference in seconds between the homeserver and IdP. + # + # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. + # + #accepted_time_diff: 3 + # By default, the user has to go to our login page first. If you'd like # to allow IdP-initiated login, set 'allow_unsolicited: true' in a # 'service.sp' section: @@ -1644,6 +1651,14 @@ saml2_config: # - attribute: department # value: "sales" + # If the metadata XML contains multiple IdP entities then the `idp_entityid` + # option must be set to the entity to redirect users to. + # + # Most deployments only have a single IdP entity and so should omit this + # option. + # + #idp_entityid: 'https://our_idp/entityid' + # Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login. # @@ -2222,21 +2237,35 @@ password_providers: {% endif %} +## Push ## -# Clients requesting push notifications can either have the body of -# the message sent in the notification poke along with other details -# like the sender, or just the event ID and room ID (`event_id_only`). -# If clients choose the former, this option controls whether the -# notification request includes the content of the event (other details -# like the sender are still included). For `event_id_only` push, it -# has no effect. -# -# For modern android devices the notification content will still appear -# because it is loaded by the app. iPhone, however will send a -# notification saying only that a message arrived and who it came from. -# push: - include_content: {{ matrix_synapse_push_include_content|to_json }} + # Clients requesting push notifications can either have the body of + # the message sent in the notification poke along with other details + # like the sender, or just the event ID and room ID (`event_id_only`). + # If clients choose the former, this option controls whether the + # notification request includes the content of the event (other details + # like the sender are still included). For `event_id_only` push, it + # has no effect. + # + # For modern android devices the notification content will still appear + # because it is loaded by the app. iPhone, however will send a + # notification saying only that a message arrived and who it came from. + # + # The default value is "true" to include message details. Uncomment to only + # include the event ID and room ID in push notification payloads. + # + include_content: {{ matrix_synapse_push_include_content|to_json }} + + # When a push notification is received, an unread count is also sent. + # This number can either be calculated as the number of unread messages + # for the user, or the number of *rooms* the user has unread messages in. + # + # The default value is "true", meaning push clients will see the number of + # rooms with unread messages in them. Uncomment to instead send the number + # of unread messages. + # + #group_unread_count_by_room: false # Spam checkers are third-party modules that can block specific actions From 245b749946a971e3b019d7be5500a59da80d1b24 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 9 Dec 2020 20:54:18 +0200 Subject: [PATCH 1587/2384] Upgrade Synapse for ARM (v1.23.0 -> v1.24.0) Continuation of aa86e0dac65, now that ARM images are out. --- roles/matrix-synapse/defaults/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 02d788a3..0dc71646 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -8,7 +8,10 @@ matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/s matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}" -matrix_synapse_docker_image_tag: "{{ 'v1.24.0' if matrix_architecture == 'amd64' else 'v1.23.0' }}" +# The if statement below may look silly at times (leading to the same version being returned), +# but ARM-compatible container images are only released 1-7 hours after a release, +# so we may often be on different versions for different architectures when new Synapse releases come out. +matrix_synapse_docker_image_tag: "{{ 'v1.24.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 673e19f8307bdfc76dc4d1e63dcab40c84ebb37e Mon Sep 17 00:00:00 2001 From: John Goerzen Date: Wed, 9 Dec 2020 21:20:06 -0600 Subject: [PATCH 1588/2384] Correct inabillity for appservice-discord to connect After recently updating my matrix-docker-ansible-deploy installation, matrix-appservice-discord would refuse to start, logging ECONNREFUSED to https://matrix.[mydomain]:443, which was resolving to 172.18.0.2 due to the `--hostname` in mailer grabbing that hostname. Curious why the IRC bridge didn't have this issue, I looked into it, and it was connecting to `http://matrix-synapse:8008`. Correcting this one to that URL resolved the issue. --- roles/matrix-bridge-appservice-discord/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 9ca06b05..357b93d6 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -37,7 +37,7 @@ matrix_appservice_discord_appservice_url: 'http://matrix-appservice-discord:9005 matrix_appservice_discord_bridge_domain: "{{ matrix_domain }}" # As of right now, the homeserver URL must be a public URL. See below. -matrix_appservice_discord_bridge_homeserverUrl: "{{ matrix_homeserver_url }}" +matrix_appservice_discord_bridge_homeserverUrl: "http://matrix-synapse:8008" matrix_appservice_discord_bridge_disablePresence: false matrix_appservice_discord_bridge_enableSelfServiceBridging: false From d08b27784f222effcbce2abf924bf07bbe0893be Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 10 Dec 2020 11:36:39 +0200 Subject: [PATCH 1589/2384] Fix systemd services autostart problem with Docker 20.10 The Docker 19.04 -> 20.10 upgrade contains the following change in `/usr/lib/systemd/system/docker.service`: ``` -BindsTo=containerd.service -After=network-online.target firewalld.service containerd.service +After=network-online.target firewalld.service containerd.service multi-user.target -Requires=docker.socket +Requires=docker.socket containerd.service Wants=network-online.target ``` The `multi-user.target` requirement in `After` seems to be in conflict with our `WantedBy=multi-user.target` and `After=docker.service` / `Requires=docker.service` definitions, causing the following error on startup for all of our systemd services: > Job matrix-synapse.service/start deleted to break ordering cycle starting with multi-user.target/start A workaround which appears to work is to add `DefaultDependencies=no` to all of our services. --- .../templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 | 1 + .../templates/systemd/matrix-appservice-discord.service.j2 | 1 + .../templates/systemd/matrix-appservice-irc.service.j2 | 1 + .../templates/systemd/matrix-appservice-slack.service.j2 | 1 + .../templates/systemd/matrix-appservice-webhooks.service.j2 | 1 + .../templates/systemd/matrix-mautrix-facebook.service.j2 | 1 + .../templates/systemd/matrix-mautrix-hangouts.service.j2 | 1 + .../templates/systemd/matrix-mautrix-telegram.service.j2 | 1 + .../templates/systemd/matrix-mautrix-whatsapp.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-discord.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-instagram.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-skype.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-slack.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-steam.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-twitter.service.j2 | 1 + .../templates/systemd/matrix-sms-bridge.service.j2 | 1 + .../templates/systemd/matrix-client-element.service.j2 | 1 + .../matrix-corporal/templates/systemd/matrix-corporal.service.j2 | 1 + roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 | 1 + .../templates/systemd/matrix-dimension.service.j2 | 1 + .../templates/systemd/matrix-dynamic-dns.service.j2 | 1 + .../templates/systemd/matrix-email2matrix.service.j2 | 1 + .../matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 | 1 + roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 | 1 + .../templates/prosody/matrix-jitsi-prosody.service.j2 | 1 + roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 | 1 + roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 | 1 + roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 | 1 + .../templates/systemd/matrix-nginx-proxy.service.j2 | 1 + .../matrix-postgres/templates/systemd/matrix-postgres.service.j2 | 1 + .../templates/systemd/matrix-registration.service.j2 | 1 + .../templates/systemd/matrix-synapse-admin.service.j2 | 1 + .../templates/goofys/systemd/matrix-goofys.service.j2 | 1 + .../templates/synapse/systemd/matrix-synapse.service.j2 | 1 + 34 files changed, 34 insertions(+) diff --git a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 index 23493c54..950242e5 100644 --- a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 +++ b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_bot_matrix_reminder_bot_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index 6a44a3e6..7ec15752 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_appservice_discord_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index 95638612..c86eb835 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_appservice_irc_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 index 1c68294f..b16b2fed 100644 --- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_appservice_slack_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 index 08f5813f..2049ee65 100644 --- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 +++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_appservice_webhooks_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index b593a2e3..18184650 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_mautrix_facebook_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index 58433982..26280da3 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_mautrix_hangouts_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index c0fb8938..d61cdaa4 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_mautrix_telegram_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 index ac2b961e..972d4e01 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_mautrix_whatsapp_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 index 78737a17..36a4da8b 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_mx_puppet_discord_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 index 81e3e081..4c94c84a 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_mx_puppet_instagram_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 index 8a46cb25..cd958662 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_mx_puppet_skype_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 index 23c2504f..2b1456f5 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_mx_puppet_slack_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 index 986c5d2c..e263154b 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_mx_puppet_steam_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 index 6afb6fb4..8d7898eb 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_mx_puppet_twitter_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 index 7c96f9f4..0eb0eb58 100644 --- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_sms_bridge_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 index 39b7aa52..e0dd2e7e 100644 --- a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 +++ b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 @@ -5,6 +5,7 @@ Description=Matrix Element server Requires={{ service }} After={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index 97ec7d89..e8ce8c0a 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -5,6 +5,7 @@ Description=Matrix Corporal Requires={{ service }} After={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index e484b59b..16ca5d2a 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -5,6 +5,7 @@ Description=Matrix Coturn server Requires={{ service }} After={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index bad94f64..94c38491 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -3,6 +3,7 @@ Description=Matrix Dimension After=docker.service Requires=docker.service +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 index 7e73b587..df7d810a 100644 --- a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 +++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_dynamic_dns_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 index 52806f35..1577877b 100644 --- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 +++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 @@ -3,6 +3,7 @@ Description=Email2Matrix After=docker.service Requires=docker.service +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 index f19d08ff..6b5cc941 100644 --- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 +++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 @@ -5,6 +5,7 @@ Description=Matrix jitsi-jicofo server Requires={{ service }} After={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 7fcfeec6..2931133f 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -5,6 +5,7 @@ Description=Matrix jitsi-jvb server Requires={{ service }} After={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 74b13df3..4f532d89 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -5,6 +5,7 @@ Description=Matrix jitsi-prosody server Requires={{ service }} After={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index e13f9633..1978fb0e 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -5,6 +5,7 @@ Description=Matrix jitsi-web server Requires={{ service }} After={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index 3c49ec75..95f15254 100644 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_ma1sd_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index 1371a861..cab03128 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -3,6 +3,7 @@ Description=Matrix mailer After=docker.service Requires=docker.service +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 0945c25e..58f5c953 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_nginx_proxy_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 47f19e9b..0a935fb0 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -3,6 +3,7 @@ Description=Matrix Postgres server After=docker.service Requires=docker.service +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 index 052b7d95..3744c2de 100644 --- a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 +++ b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_registration_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 index c03c627b..7b1e40de 100644 --- a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 +++ b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_synapse_admin_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index c3ec9249..0bbfde99 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -3,6 +3,7 @@ Description=Matrix Goofys media store After=docker.service Requires=docker.service +DefaultDependencies=no [Service] Type=simple diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 791d324e..30c85b99 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -8,6 +8,7 @@ After={{ service }} {% for service in matrix_synapse_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} +DefaultDependencies=no [Service] Type=simple From d9f4914e0d78fa45c7a76526a660faf94213b3df Mon Sep 17 00:00:00 2001 From: transcaffeine Date: Sun, 29 Nov 2020 15:20:22 +0100 Subject: [PATCH 1590/2384] WIP: postgres: create databases for all services If a service is enabled, a database for it is created in postgres with a uniqque password. The service can then use this database for data storage instead of relying on sqlite. --- group_vars/matrix_servers | 64 +++++++++++++++++++ .../templates/config.yaml.j2 | 4 +- .../templates/config.yaml.j2 | 4 +- .../templates/config.yaml.j2 | 3 + .../templates/config.yaml.j2 | 2 +- .../templates/config.yaml.j2 | 2 +- .../templates/config.yaml.j2 | 2 +- .../templates/config.yaml.j2 | 2 +- .../templates/config.yaml.j2 | 4 +- .../templates/config.yaml.j2 | 4 +- .../templates/config.yaml.j2 | 4 +- .../templates/config.yaml.j2 | 4 +- .../templates/config.yaml.j2 | 4 +- .../templates/config.yaml.j2 | 4 +- .../matrix-dimension/templates/config.yaml.j2 | 2 +- .../matrix-postgres/tasks/setup_postgres.yml | 30 +++++++++ 16 files changed, 118 insertions(+), 21 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 78a03851..8a099275 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -889,6 +889,70 @@ matrix_postgres_connection_username: "synapse" matrix_postgres_connection_password: "synapse-password" matrix_postgres_db_name: "homeserver" +matrix_postgres_additional_databases: | + {{ + ([{ + name: 'matrix_appservice_discord', + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_discord.db.secret') | string + }] if matrix_appservice_discord_enabled else []) + + ([{ + name: 'matrix_appservice_slack' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_slack.db.secret') | string + }] if matrix_appservice_slack_enabled else []) + + ([{ + name: 'matrix_appservice_irc' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_irc.db.secret') | string + }] if matrix_appservice_irc_enabled else []) + + ([{ + name: 'mautrix-bridge-facebook' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_facebook.db.secret') | string + }] if matrix_mautrix_facebook_enabled else []) + + ([{ + name: 'mautrix_bridge_hangouts' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_hangouts.db.secret') | string + }] if matrix_mautrix_hangouts_enabled else []) + + ([{ + name: 'mautrix_bridge_telegram' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_telegram.db.secret') | string + }] if matrix_mautrix_telegram_enabled else []) + + ([{ + name: 'mautrix_bridge_whatsapp' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_whatsapp.db.secret') | string + }] if matrix_mautrix_whatsapp_enabled else []) + + ([{ + name: 'matrix_bridge_sms' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | string + }] if matrix_sms_bridge_enabled else []) + + ([{ + name: 'matrix_puppet_skype' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_skype.db.secret') | string + }] if matrix_mx_puppet_skype_enabled else []) + + ([{ + name: 'matrix_puppet_slack' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_slack.db.secret') | string + }] if matrix_mx_puppet_slack_enabled else []) + + ([{ + name: 'matrix_puppet_twitter' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_twitter.db.secret') | string + }] if matrix_mx_puppet_twitter_enabled else []) + + ([{ + name: 'matrix_puppet_instagram' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_insta.db.secret') | string + ] if matrix_mx_puppet_instagram_enabled else []) + + ([{ + name: 'matrix_puppet_discord' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_puppet.db.secret') | string + }] if matrix_mx_puppet_discord_enabled else []) + + ([{ + name: 'matrix_puppet_steam' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_steam.db.secret') | string + }] if matrix_mx_puppet_steam_enabled else []) + + ([{ + name: 'matrix_dimension' + pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db.secret') | string + }] if matrix_dimension_enabled else []) + }} + ###################################################################### # # /matrix-postgres diff --git a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 index b99f522a..de4182d9 100644 --- a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 @@ -58,8 +58,8 @@ database: # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite # WARNING: You will almost certainly be fine with sqlite unless your bridge # is in heavy demand and you suffer from IO slowness. - filename: "/data/discord.db" - # connString: "postgresql://user:password@localhost/database_name" + #filename: "/data/discord.db" + connString: "postgresql://matrix_appservice_discord:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_appservice_discord') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_appservice_discord" room: # Set the default visibility of alias rooms, defaults to "public". # One of: "public", "private" diff --git a/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 index 3daa1898..83b71835 100644 --- a/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 @@ -127,8 +127,8 @@ advanced: # Use an external database to store bridge state. database: # database engine (must be 'postgres' or 'nedb'). Default: nedb - engine: "nedb" + engine: "postgres" # Either a PostgreSQL connection string, or a path to the NeDB storage directory. # For postgres, it must start with postgres:// # For NeDB, it must start with nedb://. The path is relative to the project directory. - connectionString: "nedb:///data" + connectionString: "postgres://matrix_appservice_irc:{{ matrix_addtional_databases | selectattr('name', 'equalto', 'matrix_appservice_irc') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_appservice_irc" diff --git a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 index 8f48d317..6c491134 100644 --- a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 @@ -10,5 +10,8 @@ homeserver: server_name: "{{ matrix_domain }}" dbdir: "/data" +db: + engine: "postgres" + connectionString: "postgresql://matrix_appservice_slack:{{ matrix_addtional_databases | selectattr('name', 'equalto', 'matrix_appservice_slack') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_appservice_slack" matrix_admin_room: "{{ matrix_appservice_slack_control_room_id }}" diff --git a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index 9d8de2d5..304571c1 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -27,7 +27,7 @@ appservice: # Format examples: # SQLite: sqlite:///filename.db # Postgres: postgres://username:password@hostname/dbname - database: sqlite:////data/mautrix-facebook.db + database: sqlite://matrix_bridge_facebook:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_bridge_facebook') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_bridge_facebook # Public part of web server for out-of-Matrix interaction with the bridge. public: diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 index f274b203..e4e59ad2 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 @@ -27,7 +27,7 @@ appservice: # Format examples: # SQLite: sqlite:///filename.db # Postgres: postgres://username:password@hostname/dbname - database: sqlite:////data/mautrix-hangouts.db + database: postgres://mautrix_bridge_hangouts:{{ matrix_additional_databases | selectattr('name', 'equalto', 'mautrix_bridge_hangouts') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/mautrix_bridge_hangouts # The unique ID of this appservice. id: hangouts diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 index 1a4ac43e..65f17d33 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 @@ -27,7 +27,7 @@ appservice: # Format examples: # SQLite: sqlite:///filename.db # Postgres: postgres://username:password@hostname/dbname - database: sqlite:////data/mautrix-telegram.db + database: postgres://mautrix_bridge_telegram:{{ matrix_addtional_databases | selectattr('name', 'equalto', 'matrix_bridge_telegram') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/mautrix_bridge_telegram # Public part of web server for out-of-Matrix interaction with the bridge. # Used for things like login if the user wants to make sure the 2FA password isn't stored in diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index a527a188..93956049 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -23,7 +23,7 @@ appservice: # The database URI. # SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string # Postgres: Connection string. For example, postgres://user:password@host/database - uri: mautrix-whatsapp.db + uri: postgres://matrix_bridge_whatsapp@{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_bridge_whatsapp') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_bridge_whatsapp # Maximum number of connections. Mostly relevant for Postgres. max_open_conns: 20 max_idle_conns: 2 diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 index 2c703796..88c591e2 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 @@ -105,10 +105,10 @@ database: # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + connString: "postgres://matrix_puppet_discord:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_puppet_discord') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_puppet_discord?sslmode=disable" # Use SQLite3 as a database backend # The name of the database file - filename: /data/database.db + #filename: /data/database.db logging: # Log level of console output diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 index 634fbaec..2d189195 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 @@ -49,10 +49,10 @@ database: # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + connString: "postgres://matrix_puppet_instagram:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_puppet_instagram') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_puppet_instagram?sslmode=disable" # Use SQLite3 as a database backend # The name of the database file - filename: /data/database.db + #filename: /data/database.db logging: # Log level of console output diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 index c7b5c870..a54ca758 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 @@ -73,10 +73,10 @@ database: # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + connString: "postgres://matrix_puppet_skype:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_puppet_skype') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_puppet_skype?sslmode=disable" # Use SQLite3 as a database backend # The name of the database file - filename: /data/database.db + #filename: /data/database.db provisioning: # Regex of Matrix IDs allowed to use the puppet bridge diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 index b6e88784..7f1b21d7 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 @@ -63,10 +63,10 @@ database: # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + connString: "postgres://matrix_puppet_slack:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_puppet_slack') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_puppet_slack?sslmode=disable" # Use SQLite3 as a database backend # The name of the database file - filename: /data/database.db + #filename: /data/database.db logging: # Log level of console output diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 index d08982ca..14f86319 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 @@ -66,10 +66,10 @@ database: # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + connString: "postgres://matrix_puppet_steam:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_puppet_steam') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_puppet_steam?sslmode=disable" # Use SQLite3 as a database backend # The name of the database file - filename: /data/database.db + #filename: /data/database.db logging: # Log level of console output diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 index 7d3033b3..853d23fc 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 @@ -59,10 +59,10 @@ database: # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + connString: "postgres://matrix_puppet_twitter:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_puppet_twitter') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_puppet_twitter?sslmode=disable" # Use SQLite3 as a database backend # The name of the database file - filename: /data/database.db + #filename: /data/database.db logging: # Log level of console output diff --git a/roles/matrix-dimension/templates/config.yaml.j2 b/roles/matrix-dimension/templates/config.yaml.j2 index a05b6c35..b7ca1ee3 100644 --- a/roles/matrix-dimension/templates/config.yaml.j2 +++ b/roles/matrix-dimension/templates/config.yaml.j2 @@ -44,7 +44,7 @@ widgetBlacklist: # Where the database for Dimension is database: - file: "dimension.db" + uri: "postgres://matrix_dimension:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_dimension') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_dimension" # Display settings that apply to self-hosted go-neb instances goneb: diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index f186bdca..85a8604c 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -162,3 +162,33 @@ - matrix-change-user-admin-status - matrix-postgres-update-user-password-hash when: "not matrix_postgres_enabled|bool" + +# Create additional databases +- name: Retrieve IP of postgres container + shell: "docker inspect matrix-postgres | jq -r '.[0].NetworkSettings.Networks.{{ matrix_docker_network }}.IPAddress'" + register: matirx_postgres_container_ip + +- name: Create additional users in postgres + postgresql_user: + name: "{{ item.name }}" + password: "{{ item.pass }}" + login_host: "{{ matrx_postgres_container_ip.stdout }}" + login_port: 5432 + login_user: "{{ matrix_postgres_connection_username }}" + login_password: "{{ matrix_postgres_connection_password }}" + login_db: "{{ matrix_postgres_db_name }}" + loop: matrix_postgres_additional_databases + when: matrix_postgres_enabed|bool + +- name: Create additional users in postgres + postgresql_db: + name: "{{ item.name }}" + owner: "{{ item.name }}" + lc_ctype: 'C' + lc_collate: 'C' + login_host: "{{ matrx_postgres_container_ip.stdout }}" + login_port: 5432 + login_user: "{{ matrix_postgres_connection_username }}" + login_password: "{{ matrix_postgres_connection_password }}" + loop: matrix_postgres_additional_databases + when: matrix_postgres_enabled|bool From 7593d969e316cc0144bce378a5be58c76c2c37ee Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 10 Dec 2020 23:51:11 +0200 Subject: [PATCH 1591/2384] Make matrix-mailer not occupy matrix_server_fqn_matrix Starting with Docker 20.10, `--hostname` seems to have the side-effect of making Docker's internal DNS server resolve said hostname to the IP address of the container. Because we were giving the mailer service a hostname of `matrix.DOMAIN`, all requests destined for `matrix.DOMAIN` originating from other services on the container network were resolving to `matrix-mailer`. This is obviously wrong. Initially reported here: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/748 We normally try to not use the public hostname (and IP address) on the container network and try to make services talk to one another locally, but it sometimes could happen. With this, we use a `matrix-mailer` hostname for the matrix-mailer container. My testing shows that it doesn't cause any trouble with email deliverability. --- roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index cab03128..9345a1d6 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -19,7 +19,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ --tmpfs=/var/spool/exim:rw,noexec,nosuid,size=100m \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_mailer_base_path }}/env-mailer \ - --hostname={{ matrix_server_fqn_matrix }} \ + --hostname=matrix-mailer \ {% for arg in matrix_mailer_container_extra_arguments %} {{ arg }} \ {% endfor %} From eae4f674708939c6b4bfd68e596fecad61b939ca Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 11 Dec 2020 00:12:56 +0200 Subject: [PATCH 1592/2384] Mention Docker 20.10 in the changelog --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5024d841..85700b58 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# 2020-12-11 + +## Docker 20.10 is here + +(No need to do anything special in relation to this. Just something to keep in mind) + +Docker 20.10 got released recently and your server will likely get it the next time you update. + +This is the first major Docker update in a long time and it packs a lot of changes. +Some of them introduced some breakage for us initially (see [here](https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/d08b27784f222effcbce2abf924bf07bbe0893be) and [here](https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/7593d969e316cc0144bce378a5be58c76c2c37ee)), but it should be all good now. + + # 2020-12-08 ## openid APIs exposed by default on the federation port when federation disabled From 3c2a644e5c8b672344b5aeafe374bcf70432b469 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Thu, 10 Dec 2020 16:28:48 -0600 Subject: [PATCH 1593/2384] Upgrade synapse-admin (v0.5.0 -> 0.6.1) --- roles/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index ce149dfd..1dbf0ad2 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:0.5.0" +matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:0.6.1" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else 'docker.io/' }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From 0a9109771dd1d380fed00208fe1f98b1078265b6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 11 Dec 2020 22:17:47 +0200 Subject: [PATCH 1594/2384] Use latest/master version of matrix-registration v0.7.0 is broken right now, because it calls `/_matrix/client/r0/admin/register`, which is now at `/_synapse/admin/v1/register`. This has been fixed here: https://github.com/ZerataX/matrix-registration/commit/6b26255feada4c4f0ec49bb16a60a12b85476a0f .. but it's not part of any release. Switching to `master` (`docker.io/devture/zeratax-matrix-registration:latest`) until it gets resolved. Reported upstream here: https://github.com/ZerataX/matrix-registration/issues/43 --- roles/matrix-registration/defaults/main.yml | 3 ++- roles/matrix-registration/tasks/setup.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index 680e8bfe..87779faf 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -5,13 +5,14 @@ matrix_registration_enabled: true matrix_registration_container_image_self_build: false matrix_registration_container_image_self_build_repo: "https://github.com/ZerataX/matrix-registration" +matrix_registration_container_image_self_build_branch: "{{ 'master' if matrix_registration_version == 'latest' else matrix_registration_version }}" matrix_registration_base_path: "{{ matrix_base_data_path }}/matrix-registration" matrix_registration_config_path: "{{ matrix_registration_base_path }}/config" matrix_registration_data_path: "{{ matrix_registration_base_path }}/data" matrix_registration_docker_src_files_path: "{{ matrix_registration_base_path }}/docker-src" -matrix_registration_version: "v0.7.0" +matrix_registration_version: "latest" matrix_registration_docker_image: "{{ matrix_registration_docker_image_name_prefix }}devture/zeratax-matrix-registration:{{ matrix_registration_version }}" matrix_registration_docker_image_name_prefix: "{{ 'localhost/' if matrix_registration_container_image_self_build else 'docker.io/' }}" diff --git a/roles/matrix-registration/tasks/setup.yml b/roles/matrix-registration/tasks/setup.yml index 8427d950..dfe1ba8b 100644 --- a/roles/matrix-registration/tasks/setup.yml +++ b/roles/matrix-registration/tasks/setup.yml @@ -30,7 +30,7 @@ git: repo: "{{ matrix_registration_container_image_self_build_repo }}" dest: "{{ matrix_registration_docker_src_files_path }}" - version: "{{ matrix_registration_version }}" + version: "{{ matrix_registration_container_image_self_build_branch }}" force: "yes" register: matrix_registration_git_pull_results when: "matrix_registration_enabled|bool and matrix_registration_container_image_self_build|bool" From 86988ae1805525ab7c48ce95b34559c7f0647228 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 11 Dec 2020 22:52:42 +0200 Subject: [PATCH 1595/2384] Switch matrix-registration to v0.7.1 Now that a new release has been made, we no longer need to use `latest` / `master`. Related to 0a9109771dd1d380f and https://github.com/ZerataX/matrix-registration/issues/43 --- roles/matrix-registration/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index 87779faf..95147665 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -12,7 +12,7 @@ matrix_registration_config_path: "{{ matrix_registration_base_path }}/config" matrix_registration_data_path: "{{ matrix_registration_base_path }}/data" matrix_registration_docker_src_files_path: "{{ matrix_registration_base_path }}/docker-src" -matrix_registration_version: "latest" +matrix_registration_version: "v0.7.1" matrix_registration_docker_image: "{{ matrix_registration_docker_image_name_prefix }}devture/zeratax-matrix-registration:{{ matrix_registration_version }}" matrix_registration_docker_image_name_prefix: "{{ 'localhost/' if matrix_registration_container_image_self_build else 'docker.io/' }}" From 47613e5a27ad226236c617eda86dbb61c692eb7a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 11 Dec 2020 23:24:42 +0200 Subject: [PATCH 1596/2384] Remove synapse-janitor support Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/746 --- CHANGELOG.md | 7 ++ docs/maintenance-synapse.md | 24 ---- roles/matrix-base/defaults/main.yml | 1 - roles/matrix-postgres/defaults/main.yml | 2 - roles/matrix-postgres/tasks/main.yml | 5 - .../tasks/run_synapse_janitor.yml | 117 ------------------ 6 files changed, 7 insertions(+), 149 deletions(-) delete mode 100644 roles/matrix-postgres/tasks/run_synapse_janitor.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 85700b58..946ec5b0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # 2020-12-11 +## synapse-janitor support removed + +We've removed support for the unmaintained [synapse-janitor](https://github.com/xwiki-labs/synapse_scripts) script. There's been past reports of it corrupting the Synapse database. Since there hasn't been any new development on it and it doesn't seem too useful nowadays, there's no point in including it in the playbook. + +If you need to clean up or compact your database, consider using the Synapse Admin APIs directly. See our [Synapse maintenance](docs/maintenance-synapse.md) and [Postgres maintenance](docs/maintenance-postgres.md) documentation pages for more details. + + ## Docker 20.10 is here (No need to do anything special in relation to this. Just something to keep in mind) diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index 79998299..143238c1 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -4,14 +4,11 @@ This document shows you how to perform various maintenance tasks related to the Table of contents: -- [Purging unused data with synapse-janitor](#purging-unused-data-with-synapse-janitor), for when you wish to delete unused data from the Synapse database - - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api), for when you wish to delete in-use (but old) data from the Synapse database - [Synapse maintenance](#synapse-maintenance) - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api) - [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state) - - [Purging unused data with synapse-janitor](#purging-unused-data-with-synapse-janitor) - [Browse and manipulate the database](#browse-and-manipulate-the-database) - [Browse and manipulate the database](#browse-and-manipulate-the-database), for when you really need to take matters into your own hands @@ -57,27 +54,6 @@ If you need to adjust this, pass: `--extra-vars='matrix_synapse_rust_synapse_com After state compression, you may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql). -## Purging unused data with synapse-janitor - -**NOTE**: There are [reports](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/465) that **synapse-janitor is dangerous to use and causes database corruption**. You may wish to refrain from using it. - -When you **leave** and **forget** a room, Synapse can clean up its data, but currently doesn't. -This **unused and unreachable data** remains in your database forever. - -There are external tools (like [synapse-janitor](https://github.com/xwiki-labs/synapse_scripts)), which are meant to solve this problem. - -To ask the playbook to run synapse-janitor, execute: - -```bash -ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-synapse-janitor,start -``` - -**Note**: this will automatically stop Synapse temporarily and restart it later. - -Running synapse-janitor potentially deletes a lot of data from the Postgres database. -You may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql) after that. - - ## Browse and manipulate the database When the [matrix admin API](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) and the other tools do not provide a more convenient way, having a look at synapse's postgresql database can satisfy a lot of admins' needs. diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 164509b7..e0522ba8 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -106,7 +106,6 @@ matrix_docker_package_name: docker-ce run_postgres_import: true run_postgres_upgrade: true run_postgres_import_sqlite_db: true -run_postgres_synapse_janitor: true run_postgres_vacuum: true run_synapse_register_user: true run_synapse_update_user_password: true diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 0d2f50e3..ec5cb3dc 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -30,5 +30,3 @@ matrix_postgres_container_extra_arguments: [] # # Takes an ":" or "" value (e.g. "127.0.0.1:5432"), or empty string to not expose. matrix_postgres_container_postgres_bind_port: "" - -matrix_postgres_tool_synapse_janitor: "https://raw.githubusercontent.com/xwiki-labs/synapse_scripts/a9188ff175ae581610f92d58ea6eac9a114d854b/synapse_janitor.sql" diff --git a/roles/matrix-postgres/tasks/main.yml b/roles/matrix-postgres/tasks/main.yml index 41b9c861..717b73e4 100644 --- a/roles/matrix-postgres/tasks/main.yml +++ b/roles/matrix-postgres/tasks/main.yml @@ -29,11 +29,6 @@ tags: - upgrade-postgres -- import_tasks: "{{ role_path }}/tasks/run_synapse_janitor.yml" - when: run_postgres_synapse_janitor|bool - tags: - - run-postgres-synapse-janitor - - import_tasks: "{{ role_path }}/tasks/run_vacuum.yml" when: run_postgres_vacuum|bool tags: diff --git a/roles/matrix-postgres/tasks/run_synapse_janitor.yml b/roles/matrix-postgres/tasks/run_synapse_janitor.yml deleted file mode 100644 index d7f283be..00000000 --- a/roles/matrix-postgres/tasks/run_synapse_janitor.yml +++ /dev/null @@ -1,117 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if Postgres not enabled - fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot run synapse-janitor." - when: "not matrix_postgres_enabled|bool" - -- name: Fail if not aware of the risks - fail: - msg: >- - Using Synapse Janitor is considered dangerous and may break your database. - See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/465. - If you'd like to run it anyway, add `--extra-vars='i_know_synapse_janitor_is_dangerous=1'` to your command. - when: "i_know_synapse_janitor_is_dangerous|default('') == ''" - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time|default('') == ''" - -- name: Set postgres_synapse_janitor_wait_time, if not provided - set_fact: - postgres_synapse_janitor_wait_time: "{{ 7 * 86400 }}" - when: "postgres_synapse_janitor_wait_time|default('') == ''" - -- name: Set postgres_synapse_janitor_tool_path, if not provided - set_fact: - postgres_synapse_janitor_tool_path: "{{ matrix_postgres_base_path }}/synapse_janitor.sql" - when: "postgres_synapse_janitor_tool_path|default('') == ''" - - -# Actual janitor work - -- name: Download synapse-janitor tool - get_url: - url: "{{ matrix_postgres_tool_synapse_janitor }}" - dest: "{{ postgres_synapse_janitor_tool_path }}" - force: true - mode: 0550 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-postgres is started - service: - name: matrix-postgres - state: started - daemon_reload: yes - -- name: Wait a bit, so that Postgres can start - wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -- import_tasks: tasks/util/detect_existing_postgres_version.yml - -- name: Abort, if no existing Postgres version detected - fail: - msg: "Could not find existing Postgres installation" - when: "not matrix_postgres_detected_existing|bool" - -- name: Generate Postgres database synapse-janitor command - set_fact: - matrix_postgres_synapse_janitor_command: >- - {{ matrix_host_command_docker }} run --rm --name matrix-postgres-synapse-janitor - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --mount type=bind,src={{ postgres_synapse_janitor_tool_path }},dst=/synapse_janitor.sql,ro=true - {{ matrix_postgres_docker_image_latest }} - psql -v ON_ERROR_STOP=1 -h matrix-postgres {{ matrix_synapse_database_database }} -f /synapse_janitor.sql - -- name: Note about Postgres purging alternative - debug: - msg: >- - Running synapse-janitor with the following Postgres command: `{{ matrix_postgres_synapse_janitor_command }}`. - If this crashes, you can stop all processes (`systemctl stop matrix-*`), - start Postgres only (`systemctl start matrix-postgres`) - and manually run the above command directly on the server. - -- name: Populate service facts - service_facts: - -- set_fact: - matrix_postgres_synapse_was_running: "{{ ansible_facts.services['matrix-synapse.service']|default(none) is not none and ansible_facts.services['matrix-synapse.service'].state == 'running' }}" - -- name: Ensure matrix-synapse is stopped - service: - name: matrix-synapse - state: stopped - daemon_reload: yes - -- name: Run synapse-janitor - command: "{{ matrix_postgres_synapse_janitor_command }}" - async: "{{ postgres_synapse_janitor_wait_time }}" - poll: 10 - register: matrix_postgres_synapse_janitor_result - -# Intentionally show the results -- debug: var="matrix_postgres_synapse_janitor_result" - -- name: Ensure matrix-synapse is started, if it previously was - service: - name: matrix-synapse - state: started - daemon_reload: yes - when: "matrix_postgres_synapse_was_running|bool" - -- name: Delete synapse-janitor tool - file: - path: "{{ postgres_synapse_janitor_tool_path }}" - state: absent From d96d7f2a43306e9b74673c2d5f6930a87f44bd2a Mon Sep 17 00:00:00 2001 From: chagai95 <31655082+chagai95@users.noreply.github.com> Date: Sat, 12 Dec 2020 00:24:38 +0100 Subject: [PATCH 1597/2384] Adding jitsi as well --- docs/configuring-playbook-ssl-certificates.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 5b5c7cdc..3dc65516 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -80,6 +80,7 @@ matrix_ssl_domains_to_obtain_certificates_for: - '{{ matrix_server_fqn_matrix }}' - '{{ matrix_server_fqn_element }}' - '{{ matrix_server_fqn_dimension }}' + - '{{ matrix_server_fqn_jitsi }}' - '{{ matrix_domain }}' ``` From bae411342204a42cab69710c33870fed02c33a4b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 12 Dec 2020 01:44:34 +0200 Subject: [PATCH 1598/2384] Mention that we possibly obtain a Jitsi certificate --- docs/configuring-playbook-ssl-certificates.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 3dc65516..7f05a5b2 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -67,6 +67,7 @@ By default, it obtains certificates for: - possibly for `element.`, unless you have disabled the [Element client component](configuring-playbook-client-element.md) using `matrix_client_element_enabled: false` - possibly for `riot.`, if you have explicitly enabled Riot to Element redirection (for background compatibility) using `matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: true` - possibly for `dimension.`, if you have explicitly [set up Dimension](configuring-playbook-dimension.md). +- possibly for `jitsi.`, if you have explicitly [set up Jitsi](configuring-playbook-jitsi.md). - possibly for your base domain (``), if you have explicitly configured [Serving the base domain](configuring-playbook-base-domain-serving.md) If you are hosting other domains on the Matrix machine, you can make the playbook obtain and renew certificates for those other domains too. From dac0d3a682d6a288dea3c22115c3d8385e79c720 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 13 Dec 2020 21:07:16 +0200 Subject: [PATCH 1599/2384] Add default matrix_postgres_additional_databases --- roles/matrix-postgres/defaults/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index ec5cb3dc..548cac15 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -30,3 +30,13 @@ matrix_postgres_container_extra_arguments: [] # # Takes an ":" or "" value (e.g. "127.0.0.1:5432"), or empty string to not expose. matrix_postgres_container_postgres_bind_port: "" + +# A list of additional (databases and their credentials) to create. +# +# Example: +# matrix_postgres_additional_databases: +# - name: matrix_appservice_discord +# pass: some-password +# - name: matrix_appservice_slack +# pass: some-password +matrix_postgres_additional_databases: [] From 527d5f57d58ad7c1feba743fc99fe8508cc90534 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 13 Dec 2020 21:40:32 +0200 Subject: [PATCH 1600/2384] Relocate Postgres additional database creation logic Moving it above the "uninstalling" set of tasks is better. Extracting it out to another file at the same time, for readability, especially given that it will probably have to become more complex in the future (potentially installing `jq`, etc.) --- .../matrix-postgres/tasks/setup_postgres.yml | 37 ++++--------------- .../util/create_additional_databases.yml | 28 ++++++++++++++ 2 files changed, 35 insertions(+), 30 deletions(-) create mode 100644 roles/matrix-postgres/tasks/util/create_additional_databases.yml diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 85a8604c..6a0f9854 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -113,6 +113,13 @@ daemon_reload: yes when: "matrix_postgres_enabled|bool and matrix_postgres_systemd_service_result.changed" +- include_tasks: + file: "{{ role_path }}/tasks/util/create_additional_databases.yml" + apply: + tags: + - always + when: "matrix_postgres_enabled|bool" + # # Tasks related to getting rid of the internal postgres server (if it was previously enabled) # @@ -162,33 +169,3 @@ - matrix-change-user-admin-status - matrix-postgres-update-user-password-hash when: "not matrix_postgres_enabled|bool" - -# Create additional databases -- name: Retrieve IP of postgres container - shell: "docker inspect matrix-postgres | jq -r '.[0].NetworkSettings.Networks.{{ matrix_docker_network }}.IPAddress'" - register: matirx_postgres_container_ip - -- name: Create additional users in postgres - postgresql_user: - name: "{{ item.name }}" - password: "{{ item.pass }}" - login_host: "{{ matrx_postgres_container_ip.stdout }}" - login_port: 5432 - login_user: "{{ matrix_postgres_connection_username }}" - login_password: "{{ matrix_postgres_connection_password }}" - login_db: "{{ matrix_postgres_db_name }}" - loop: matrix_postgres_additional_databases - when: matrix_postgres_enabed|bool - -- name: Create additional users in postgres - postgresql_db: - name: "{{ item.name }}" - owner: "{{ item.name }}" - lc_ctype: 'C' - lc_collate: 'C' - login_host: "{{ matrx_postgres_container_ip.stdout }}" - login_port: 5432 - login_user: "{{ matrix_postgres_connection_username }}" - login_password: "{{ matrix_postgres_connection_password }}" - loop: matrix_postgres_additional_databases - when: matrix_postgres_enabled|bool diff --git a/roles/matrix-postgres/tasks/util/create_additional_databases.yml b/roles/matrix-postgres/tasks/util/create_additional_databases.yml new file mode 100644 index 00000000..ec37ea63 --- /dev/null +++ b/roles/matrix-postgres/tasks/util/create_additional_databases.yml @@ -0,0 +1,28 @@ +--- + +- name: Retrieve IP of postgres container + shell: "docker inspect matrix-postgres | jq -r '.[0].NetworkSettings.Networks.{{ matrix_docker_network }}.IPAddress'" + register: matrix_postgres_container_ip + +- name: Create additional users in postgres + postgresql_user: + name: "{{ item.name }}" + password: "{{ item.pass }}" + login_host: "{{ matrix_postgres_container_ip.stdout }}" + login_port: 5432 + login_user: "{{ matrix_postgres_connection_username }}" + login_password: "{{ matrix_postgres_connection_password }}" + login_db: "{{ matrix_postgres_db_name }}" + loop: matrix_postgres_additional_databases + +- name: Create additional users in postgres + postgresql_db: + name: "{{ item.name }}" + owner: "{{ item.name }}" + lc_ctype: 'C' + lc_collate: 'C' + login_host: "{{ matrix_postgres_container_ip.stdout }}" + login_port: 5432 + login_user: "{{ matrix_postgres_connection_username }}" + login_password: "{{ matrix_postgres_connection_password }}" + loop: matrix_postgres_additional_databases From 0641106370aed272e16cecaf2cf17754d30eb6c6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 13 Dec 2020 21:43:53 +0200 Subject: [PATCH 1601/2384] Allow username of additional Postgres databases to be different We'll most likely use one that matches the database name, but it's better to have it configurable. --- group_vars/matrix_servers | 17 ++++++++++++++++- roles/matrix-postgres/defaults/main.yml | 6 ++++-- .../tasks/util/create_additional_databases.yml | 4 ++-- 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8a099275..f131ab9e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -893,62 +893,77 @@ matrix_postgres_additional_databases: | {{ ([{ name: 'matrix_appservice_discord', + username: 'matrix_appservice_discord', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_discord.db.secret') | string }] if matrix_appservice_discord_enabled else []) + ([{ name: 'matrix_appservice_slack' + username: 'matrix_appservice_slack', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_slack.db.secret') | string }] if matrix_appservice_slack_enabled else []) + ([{ name: 'matrix_appservice_irc' + username: 'matrix_appservice_irc', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_irc.db.secret') | string }] if matrix_appservice_irc_enabled else []) + ([{ - name: 'mautrix-bridge-facebook' + name: 'mautrix_bridge_facebook' + username: 'mautrix_bridge_facebook', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_facebook.db.secret') | string }] if matrix_mautrix_facebook_enabled else []) + ([{ name: 'mautrix_bridge_hangouts' + username: 'mautrix_bridge_hangouts', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_hangouts.db.secret') | string }] if matrix_mautrix_hangouts_enabled else []) + ([{ name: 'mautrix_bridge_telegram' + username: 'mautrix_bridge_telegram', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_telegram.db.secret') | string }] if matrix_mautrix_telegram_enabled else []) + ([{ name: 'mautrix_bridge_whatsapp' + username: 'mautrix_bridge_whatsapp', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_whatsapp.db.secret') | string }] if matrix_mautrix_whatsapp_enabled else []) + ([{ name: 'matrix_bridge_sms' + username: 'matrix_bridge_sms', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | string }] if matrix_sms_bridge_enabled else []) + ([{ name: 'matrix_puppet_skype' + username: 'matrix_puppet_skype', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_skype.db.secret') | string }] if matrix_mx_puppet_skype_enabled else []) + ([{ name: 'matrix_puppet_slack' + username: 'matrix_puppet_slack', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_slack.db.secret') | string }] if matrix_mx_puppet_slack_enabled else []) + ([{ name: 'matrix_puppet_twitter' + username: 'matrix_puppet_twitter', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_twitter.db.secret') | string }] if matrix_mx_puppet_twitter_enabled else []) + ([{ name: 'matrix_puppet_instagram' + username: 'matrix_puppet_instagram', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_insta.db.secret') | string ] if matrix_mx_puppet_instagram_enabled else []) + ([{ name: 'matrix_puppet_discord' + username: 'matrix_puppet_discord', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_puppet.db.secret') | string }] if matrix_mx_puppet_discord_enabled else []) + ([{ name: 'matrix_puppet_steam' + username: 'matrix_puppet_steam', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_steam.db.secret') | string }] if matrix_mx_puppet_steam_enabled else []) + ([{ name: 'matrix_dimension' + username: 'matrix_dimension', pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db.secret') | string }] if matrix_dimension_enabled else []) }} diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 548cac15..2645d4b0 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -36,7 +36,9 @@ matrix_postgres_container_postgres_bind_port: "" # Example: # matrix_postgres_additional_databases: # - name: matrix_appservice_discord -# pass: some-password +# username: matrix_appservice_discord +# pass: some_password # - name: matrix_appservice_slack -# pass: some-password +# username: matrix_appservice_slack +# pass: some_password matrix_postgres_additional_databases: [] diff --git a/roles/matrix-postgres/tasks/util/create_additional_databases.yml b/roles/matrix-postgres/tasks/util/create_additional_databases.yml index ec37ea63..0532c99d 100644 --- a/roles/matrix-postgres/tasks/util/create_additional_databases.yml +++ b/roles/matrix-postgres/tasks/util/create_additional_databases.yml @@ -6,7 +6,7 @@ - name: Create additional users in postgres postgresql_user: - name: "{{ item.name }}" + name: "{{ item.username }}" password: "{{ item.pass }}" login_host: "{{ matrix_postgres_container_ip.stdout }}" login_port: 5432 @@ -18,7 +18,7 @@ - name: Create additional users in postgres postgresql_db: name: "{{ item.name }}" - owner: "{{ item.name }}" + owner: "{{ item.username }}" lc_ctype: 'C' lc_collate: 'C' login_host: "{{ matrix_postgres_container_ip.stdout }}" From d251764c16303dea542326746a0e13a46d13fda2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 13 Dec 2020 22:19:54 +0200 Subject: [PATCH 1602/2384] Fix syntax issues in matrix_postgres_additional_databases Quotes are necessary around dictionary field names. There was a missing `}` as well. --- group_vars/matrix_servers | 92 +++++++++++++++++++-------------------- 1 file changed, 46 insertions(+), 46 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f131ab9e..11c87a64 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -892,79 +892,79 @@ matrix_postgres_db_name: "homeserver" matrix_postgres_additional_databases: | {{ ([{ - name: 'matrix_appservice_discord', - username: 'matrix_appservice_discord', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_discord.db.secret') | string + 'name': 'matrix_appservice_discord', + 'username': 'matrix_appservice_discord', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_discord.db.secret') | string }] if matrix_appservice_discord_enabled else []) + ([{ - name: 'matrix_appservice_slack' - username: 'matrix_appservice_slack', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_slack.db.secret') | string + 'name': 'matrix_appservice_slack', + 'username': 'matrix_appservice_slack', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_slack.db.secret') | string }] if matrix_appservice_slack_enabled else []) + ([{ - name: 'matrix_appservice_irc' - username: 'matrix_appservice_irc', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_irc.db.secret') | string + 'name': 'matrix_appservice_irc', + 'username': 'matrix_appservice_irc', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_irc.db.secret') | string }] if matrix_appservice_irc_enabled else []) + ([{ - name: 'mautrix_bridge_facebook' - username: 'mautrix_bridge_facebook', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_facebook.db.secret') | string + 'name': 'mautrix_bridge_facebook', + 'username': 'mautrix_bridge_facebook', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_facebook.db.secret') | string }] if matrix_mautrix_facebook_enabled else []) + ([{ - name: 'mautrix_bridge_hangouts' - username: 'mautrix_bridge_hangouts', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_hangouts.db.secret') | string + 'name': 'mautrix_bridge_hangouts', + 'username': 'mautrix_bridge_hangouts', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_hangouts.db.secret') | string }] if matrix_mautrix_hangouts_enabled else []) + ([{ - name: 'mautrix_bridge_telegram' - username: 'mautrix_bridge_telegram', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_telegram.db.secret') | string + 'name': 'mautrix_bridge_telegram', + 'username': 'mautrix_bridge_telegram', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_telegram.db.secret') | string }] if matrix_mautrix_telegram_enabled else []) + ([{ - name: 'mautrix_bridge_whatsapp' - username: 'mautrix_bridge_whatsapp', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_whatsapp.db.secret') | string + 'name': 'mautrix_bridge_whatsapp', + 'username': 'mautrix_bridge_whatsapp', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_whatsapp.db.secret') | string }] if matrix_mautrix_whatsapp_enabled else []) + ([{ - name: 'matrix_bridge_sms' - username: 'matrix_bridge_sms', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | string + 'name': 'matrix_bridge_sms', + 'username': 'matrix_bridge_sms', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | string }] if matrix_sms_bridge_enabled else []) + ([{ - name: 'matrix_puppet_skype' - username: 'matrix_puppet_skype', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_skype.db.secret') | string + 'name': 'matrix_puppet_skype', + 'username': 'matrix_puppet_skype', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_skype.db.secret') | string }] if matrix_mx_puppet_skype_enabled else []) + ([{ - name: 'matrix_puppet_slack' - username: 'matrix_puppet_slack', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_slack.db.secret') | string + 'name': 'matrix_puppet_slack', + 'username': 'matrix_puppet_slack', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_slack.db.secret') | string }] if matrix_mx_puppet_slack_enabled else []) + ([{ - name: 'matrix_puppet_twitter' - username: 'matrix_puppet_twitter', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_twitter.db.secret') | string + 'name': 'matrix_puppet_twitter', + 'username': 'matrix_puppet_twitter', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_twitter.db.secret') | string }] if matrix_mx_puppet_twitter_enabled else []) + ([{ - name: 'matrix_puppet_instagram' - username: 'matrix_puppet_instagram', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_insta.db.secret') | string - ] if matrix_mx_puppet_instagram_enabled else []) + 'name': 'matrix_puppet_instagram', + 'username': 'matrix_puppet_instagram', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_insta.db.secret') | string + }] if matrix_mx_puppet_instagram_enabled else []) + ([{ - name: 'matrix_puppet_discord' - username: 'matrix_puppet_discord', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_puppet.db.secret') | string + 'name': 'matrix_puppet_discord', + 'username': 'matrix_puppet_discord', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_puppet.db.secret') | string }] if matrix_mx_puppet_discord_enabled else []) + ([{ - name: 'matrix_puppet_steam' - username: 'matrix_puppet_steam', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_steam.db.secret') | string + 'name': 'matrix_puppet_steam', + 'username': 'matrix_puppet_steam', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_steam.db.secret') | string }] if matrix_mx_puppet_steam_enabled else []) + ([{ - name: 'matrix_dimension' - username: 'matrix_dimension', - pass: matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db.secret') | string + 'name': 'matrix_dimension', + 'username': 'matrix_dimension', + 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db.secret') | string }] if matrix_dimension_enabled else []) }} From f47e8a97e6629da02a45d9d75bde3a82ef057bd6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 13 Dec 2020 22:38:35 +0200 Subject: [PATCH 1603/2384] Make use of matrix_host_command_docker instead of hardcoding --- .../matrix-postgres/tasks/util/create_additional_databases.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-postgres/tasks/util/create_additional_databases.yml b/roles/matrix-postgres/tasks/util/create_additional_databases.yml index 0532c99d..424be626 100644 --- a/roles/matrix-postgres/tasks/util/create_additional_databases.yml +++ b/roles/matrix-postgres/tasks/util/create_additional_databases.yml @@ -1,7 +1,6 @@ --- - - name: Retrieve IP of postgres container - shell: "docker inspect matrix-postgres | jq -r '.[0].NetworkSettings.Networks.{{ matrix_docker_network }}.IPAddress'" + shell: "{{ matrix_host_command_docker }} inspect matrix-postgres | jq -r '.[0].NetworkSettings.Networks.{{ matrix_docker_network }}.IPAddress'" register: matrix_postgres_container_ip - name: Create additional users in postgres From e2952f16f7a97b2883ea4c00c6bc4451c71c785d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 13 Dec 2020 22:45:48 +0200 Subject: [PATCH 1604/2384] Determine matrix-postgres IP address without relying on jq To avoid needing to have `jq` installed on the machine, we could: - try to run jq in a Docker container using some small image providing that - better yet, avoid `jq` altogether --- .../matrix-postgres/tasks/util/create_additional_databases.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-postgres/tasks/util/create_additional_databases.yml b/roles/matrix-postgres/tasks/util/create_additional_databases.yml index 424be626..0864d8f8 100644 --- a/roles/matrix-postgres/tasks/util/create_additional_databases.yml +++ b/roles/matrix-postgres/tasks/util/create_additional_databases.yml @@ -1,6 +1,6 @@ --- - name: Retrieve IP of postgres container - shell: "{{ matrix_host_command_docker }} inspect matrix-postgres | jq -r '.[0].NetworkSettings.Networks.{{ matrix_docker_network }}.IPAddress'" + command: "{{ matrix_host_command_docker }} inspect matrix-postgres --format='{% raw %}{{ .NetworkSettings.Networks.{% endraw %}{{ matrix_docker_network }}{% raw %}.IPAddress }}{% endraw %}'" register: matrix_postgres_container_ip - name: Create additional users in postgres From c765ceb270b7377e799a32db383eef39257d43e8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 13 Dec 2020 22:56:56 +0200 Subject: [PATCH 1605/2384] Prevent weird loop error > Invalid data passed to 'loop', it requires a list, got this instead: matrix_postgres_additional_databases. Hint: If you passed a list/dict of just one element, try adding wantlist=True to your lookup invocation or use q/query instead of lookup. Well, or working around it, as I've done in this commit (which seems more sane than `wantlist=True` stuff). --- .../tasks/util/create_additional_databases.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/matrix-postgres/tasks/util/create_additional_databases.yml b/roles/matrix-postgres/tasks/util/create_additional_databases.yml index 0864d8f8..0b40cabf 100644 --- a/roles/matrix-postgres/tasks/util/create_additional_databases.yml +++ b/roles/matrix-postgres/tasks/util/create_additional_databases.yml @@ -1,4 +1,5 @@ --- + - name: Retrieve IP of postgres container command: "{{ matrix_host_command_docker }} inspect matrix-postgres --format='{% raw %}{{ .NetworkSettings.Networks.{% endraw %}{{ matrix_docker_network }}{% raw %}.IPAddress }}{% endraw %}'" register: matrix_postgres_container_ip @@ -12,7 +13,7 @@ login_user: "{{ matrix_postgres_connection_username }}" login_password: "{{ matrix_postgres_connection_password }}" login_db: "{{ matrix_postgres_db_name }}" - loop: matrix_postgres_additional_databases + loop: "{{ matrix_postgres_additional_databases }}" - name: Create additional users in postgres postgresql_db: @@ -24,4 +25,4 @@ login_port: 5432 login_user: "{{ matrix_postgres_connection_username }}" login_password: "{{ matrix_postgres_connection_password }}" - loop: matrix_postgres_additional_databases + loop: "{{ matrix_postgres_additional_databases }}" From bbc09d013b8037e784004363b7bdfdcc6e8d13c7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 13 Dec 2020 23:46:02 +0200 Subject: [PATCH 1606/2384] Do not execute additional databases creation code if not necessary The tasks in `create_additional_databases.yml` will likely ensure `matrix-postgres.service` is started, etc. If no additional databases are defined, we'd rather not execute that file and all these tasks that it may do in the future. --- roles/matrix-postgres/tasks/setup_postgres.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 6a0f9854..518d1a5f 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -118,7 +118,7 @@ apply: tags: - always - when: "matrix_postgres_enabled|bool" + when: "matrix_postgres_enabled|bool and matrix_postgres_additional_databases|length > 0" # # Tasks related to getting rid of the internal postgres server (if it was previously enabled) From da4cb2f63998c2c994776b3520303e90b735157c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 00:25:13 +0200 Subject: [PATCH 1607/2384] Do not use the postgresql_user/postgresql_db modules While these modules are really nice and helpful, we can't use them for at least 2 reasons: - for us, Postgres runs in a container on a private Docker network (`--network=matrix`) without usually being exposed to the host. These modules execute on the host so they won't be able to reach it. - these modules require `psycopg2`, so we need to install it before using it. This might or might not be its own can of worms. --- .../tasks/util/create_additional_database.yml | 34 ++++++++++++++++++ .../util/create_additional_databases.yml | 35 ++++++------------- .../init-additional-db-user-and-role.sql.j2 | 19 ++++++++++ 3 files changed, 63 insertions(+), 25 deletions(-) create mode 100644 roles/matrix-postgres/tasks/util/create_additional_database.yml create mode 100644 roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 diff --git a/roles/matrix-postgres/tasks/util/create_additional_database.yml b/roles/matrix-postgres/tasks/util/create_additional_database.yml new file mode 100644 index 00000000..2da505eb --- /dev/null +++ b/roles/matrix-postgres/tasks/util/create_additional_database.yml @@ -0,0 +1,34 @@ +--- + +# TODO - ensure `additional_db` contains all keys that we expect + +# The SQL statements that we'll run against Postgres are stored in a file that others can't read. +# This file will be mounted into the container and fed to Postgres. +# This way, we avoid passing sensitive data around in CLI commands that other users on the system can see. +- name: Create additional database initialization SQL file for {{ additional_db.name }} + template: + src: "{{ role_path }}/templates/init-additional-db-user-and-role.sql.j2" + dest: "/tmp/matrix-postgres-init-additional-db-user-and-role.sql" + mode: 0600 + owner: "{{ matrix_user_uid }}" + group: "{{ matrix_user_gid }}" + +- name: Execute Postgres additional database initialization SQL file for {{ additional_db.name }} + command: + cmd: >- + {{ matrix_host_command_docker }} run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql + --network {{ matrix_docker_network }} + --mount type=bind,src=/tmp/matrix-postgres-init-additional-db-user-and-role.sql,dst=/matrix-postgres-init-additional-db-user-and-role.sql,ro + --entrypoint=/bin/sh + {{ matrix_postgres_docker_image_to_use }} + -c + 'psql -h {{ matrix_postgres_connection_hostname }} --file=/matrix-postgres-init-additional-db-user-and-role.sql' + +- name: Delete additional database initialization SQL file for {{ additional_db.name }} + file: + path: /tmp/matrix-postgres-init-additional-db-user-and-role.sql + state: absent diff --git a/roles/matrix-postgres/tasks/util/create_additional_databases.yml b/roles/matrix-postgres/tasks/util/create_additional_databases.yml index 0b40cabf..51deb228 100644 --- a/roles/matrix-postgres/tasks/util/create_additional_databases.yml +++ b/roles/matrix-postgres/tasks/util/create_additional_databases.yml @@ -1,28 +1,13 @@ --- -- name: Retrieve IP of postgres container - command: "{{ matrix_host_command_docker }} inspect matrix-postgres --format='{% raw %}{{ .NetworkSettings.Networks.{% endraw %}{{ matrix_docker_network }}{% raw %}.IPAddress }}{% endraw %}'" - register: matrix_postgres_container_ip +# TODO - we should ensure matrix-postgres.service is started. +# .. and that if we had just started it, we've given it ample time to initialize, +# before we attempt to run queries against it. -- name: Create additional users in postgres - postgresql_user: - name: "{{ item.username }}" - password: "{{ item.pass }}" - login_host: "{{ matrix_postgres_container_ip.stdout }}" - login_port: 5432 - login_user: "{{ matrix_postgres_connection_username }}" - login_password: "{{ matrix_postgres_connection_password }}" - login_db: "{{ matrix_postgres_db_name }}" - loop: "{{ matrix_postgres_additional_databases }}" - -- name: Create additional users in postgres - postgresql_db: - name: "{{ item.name }}" - owner: "{{ item.username }}" - lc_ctype: 'C' - lc_collate: 'C' - login_host: "{{ matrix_postgres_container_ip.stdout }}" - login_port: 5432 - login_user: "{{ matrix_postgres_connection_username }}" - login_password: "{{ matrix_postgres_connection_password }}" - loop: "{{ matrix_postgres_additional_databases }}" +- name: Create additional Postgers user and database + include_tasks: "{{ role_path }}/tasks/util/create_additional_database.yml" + with_items: "{{ matrix_postgres_additional_databases }}" + loop_control: + loop_var: additional_db + # Suppress logging to avoid dumping the credentials to the shell + no_log: true diff --git a/roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 b/roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 new file mode 100644 index 00000000..732b0187 --- /dev/null +++ b/roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 @@ -0,0 +1,19 @@ +-- `CREATE USER` does not support `IF NOT EXISTS`, so we use this workaround to prevent an error and raise a notice instead. +-- Seen here: https://stackoverflow.com/a/49858797 +DO $$ +BEGIN + CREATE USER {{ additional_db.username }}; + EXCEPTION WHEN DUPLICATE_OBJECT THEN + RAISE NOTICE 'not creating role {{ additional_db.username }}, since it already exists'; +END +$$; + +-- This is useful for initial user creation (since we don't assign a password above) and for handling subsequent password changes +-- TODO - we should escape quotes in the password. +ALTER ROLE {{ additional_db.username }} PASSWORD '{{ additional_db.pass }}'; + +-- This will generate an error on subsequent execution +CREATE DATABASE {{ additional_db.name }} WITH LC_CTYPE 'C' LC_COLLATE 'C' OWNER {{ additional_db.username }}; + +-- This is useful for changing the database owner subsequently +ALTER DATABASE {{ additional_db.name }} OWNER TO {{ additional_db.username }}; From 3a037a59935002729dfe7da742721111956eaf0b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 00:39:38 +0200 Subject: [PATCH 1608/2384] Ensure additional databases contain all the keys that we expect --- .../tasks/util/create_additional_database.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/matrix-postgres/tasks/util/create_additional_database.yml b/roles/matrix-postgres/tasks/util/create_additional_database.yml index 2da505eb..a994cc26 100644 --- a/roles/matrix-postgres/tasks/util/create_additional_database.yml +++ b/roles/matrix-postgres/tasks/util/create_additional_database.yml @@ -1,6 +1,12 @@ --- -# TODO - ensure `additional_db` contains all keys that we expect +# It'd be better if this is belonged to `validate_config.yml`, but it would have to be some loop-within-a-loop there, +# and that's ugly. We also don't expect this to catch errors often. It's more of a defensive last-minute check. +- name: Fail if additional database data appears invalid + fail: + msg: "Additional database definition ({{ additional_db }} lacks a required key: {{ item }}" + when: "item not in additional_db" + with_items: "{{ ['name', 'username', 'pass'] }}" # The SQL statements that we'll run against Postgres are stored in a file that others can't read. # This file will be mounted into the container and fed to Postgres. From 46a4034d3ec0b8ae331119e249fc584f7be2b6ed Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 00:43:03 +0200 Subject: [PATCH 1609/2384] Use "password" for additional Postgres databases, not "pass" Being more explicit sounds better. --- group_vars/matrix_servers | 30 +++++++++---------- roles/matrix-postgres/defaults/main.yml | 4 +-- .../tasks/util/create_additional_database.yml | 2 +- .../init-additional-db-user-and-role.sql.j2 | 2 +- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 11c87a64..3169e18e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -894,77 +894,77 @@ matrix_postgres_additional_databases: | ([{ 'name': 'matrix_appservice_discord', 'username': 'matrix_appservice_discord', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_discord.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_discord.db.secret') | string, }] if matrix_appservice_discord_enabled else []) + ([{ 'name': 'matrix_appservice_slack', 'username': 'matrix_appservice_slack', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_slack.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_slack.db.secret') | string, }] if matrix_appservice_slack_enabled else []) + ([{ 'name': 'matrix_appservice_irc', 'username': 'matrix_appservice_irc', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_irc.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_irc.db.secret') | string, }] if matrix_appservice_irc_enabled else []) + ([{ 'name': 'mautrix_bridge_facebook', 'username': 'mautrix_bridge_facebook', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_facebook.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_facebook.db.secret') | string, }] if matrix_mautrix_facebook_enabled else []) + ([{ 'name': 'mautrix_bridge_hangouts', 'username': 'mautrix_bridge_hangouts', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_hangouts.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_hangouts.db.secret') | string, }] if matrix_mautrix_hangouts_enabled else []) + ([{ 'name': 'mautrix_bridge_telegram', 'username': 'mautrix_bridge_telegram', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_telegram.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_telegram.db.secret') | string, }] if matrix_mautrix_telegram_enabled else []) + ([{ 'name': 'mautrix_bridge_whatsapp', 'username': 'mautrix_bridge_whatsapp', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_whatsapp.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_whatsapp.db.secret') | string, }] if matrix_mautrix_whatsapp_enabled else []) + ([{ 'name': 'matrix_bridge_sms', 'username': 'matrix_bridge_sms', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | string, }] if matrix_sms_bridge_enabled else []) + ([{ 'name': 'matrix_puppet_skype', 'username': 'matrix_puppet_skype', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_skype.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_skype.db.secret') | string, }] if matrix_mx_puppet_skype_enabled else []) + ([{ 'name': 'matrix_puppet_slack', 'username': 'matrix_puppet_slack', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_slack.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_slack.db.secret') | string, }] if matrix_mx_puppet_slack_enabled else []) + ([{ 'name': 'matrix_puppet_twitter', 'username': 'matrix_puppet_twitter', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_twitter.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_twitter.db.secret') | string, }] if matrix_mx_puppet_twitter_enabled else []) + ([{ 'name': 'matrix_puppet_instagram', 'username': 'matrix_puppet_instagram', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_insta.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_insta.db.secret') | string, }] if matrix_mx_puppet_instagram_enabled else []) + ([{ 'name': 'matrix_puppet_discord', 'username': 'matrix_puppet_discord', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_puppet.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_puppet.db.secret') | string, }] if matrix_mx_puppet_discord_enabled else []) + ([{ 'name': 'matrix_puppet_steam', 'username': 'matrix_puppet_steam', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_steam.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_steam.db.secret') | string, }] if matrix_mx_puppet_steam_enabled else []) + ([{ 'name': 'matrix_dimension', 'username': 'matrix_dimension', - 'pass': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db.secret') | string + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db.secret') | string, }] if matrix_dimension_enabled else []) }} diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 2645d4b0..ad417e0b 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -37,8 +37,8 @@ matrix_postgres_container_postgres_bind_port: "" # matrix_postgres_additional_databases: # - name: matrix_appservice_discord # username: matrix_appservice_discord -# pass: some_password +# password: some_password # - name: matrix_appservice_slack # username: matrix_appservice_slack -# pass: some_password +# password: some_password matrix_postgres_additional_databases: [] diff --git a/roles/matrix-postgres/tasks/util/create_additional_database.yml b/roles/matrix-postgres/tasks/util/create_additional_database.yml index a994cc26..ce064d59 100644 --- a/roles/matrix-postgres/tasks/util/create_additional_database.yml +++ b/roles/matrix-postgres/tasks/util/create_additional_database.yml @@ -6,7 +6,7 @@ fail: msg: "Additional database definition ({{ additional_db }} lacks a required key: {{ item }}" when: "item not in additional_db" - with_items: "{{ ['name', 'username', 'pass'] }}" + with_items: "{{ ['name', 'username', 'password'] }}" # The SQL statements that we'll run against Postgres are stored in a file that others can't read. # This file will be mounted into the container and fed to Postgres. diff --git a/roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 b/roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 index 732b0187..af3d912c 100644 --- a/roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 +++ b/roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 @@ -10,7 +10,7 @@ $$; -- This is useful for initial user creation (since we don't assign a password above) and for handling subsequent password changes -- TODO - we should escape quotes in the password. -ALTER ROLE {{ additional_db.username }} PASSWORD '{{ additional_db.pass }}'; +ALTER ROLE {{ additional_db.username }} PASSWORD '{{ additional_db.password }}'; -- This will generate an error on subsequent execution CREATE DATABASE {{ additional_db.name }} WITH LC_CTYPE 'C' LC_COLLATE 'C' OWNER {{ additional_db.username }}; From a374d309c8f5d6038bfd5f94a66c3cd9a68c7e23 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 00:52:25 +0200 Subject: [PATCH 1610/2384] Make appservice-discord support both SQLite and Postgres People can toggle between them now. The playbook also defaults to using SQLite if an external Postgres server is used. Ideally, we'd be able to create databases/users in external Postgres servers as well, but our initialization logic (and `docker run` command, etc.) hardcode too many things right now. --- group_vars/matrix_servers | 13 +++++++++---- .../defaults/main.yml | 16 ++++++++++++++++ .../tasks/validate_config.yml | 4 ++++ .../templates/config.yaml.j2 | 7 +++++-- 4 files changed, 34 insertions(+), 6 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3169e18e..717e71bc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -67,6 +67,11 @@ matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_k matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.hs.token') | to_uuid }}" +# We only make this use Postgres if our own Postgres server is enabled. +# It's only then (for now) that we can automatically create the necessary database and user for this service. +matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_appservice_discord_database_connString_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') }}" + ###################################################################### # # /matrix-bridge-appservice-discord @@ -892,10 +897,10 @@ matrix_postgres_db_name: "homeserver" matrix_postgres_additional_databases: | {{ ([{ - 'name': 'matrix_appservice_discord', - 'username': 'matrix_appservice_discord', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_discord.db.secret') | string, - }] if matrix_appservice_discord_enabled else []) + 'name': matrix_appservice_discord_database_connString_db_name, + 'username': matrix_appservice_discord_database_connString_username, + 'password': matrix_appservice_discord_database_connString_password, + }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_database_connString_hostname == 'matrix-postgres') else []) + ([{ 'name': 'matrix_appservice_slack', 'username': 'matrix_appservice_slack', diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 357b93d6..36b39b8e 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -41,6 +41,22 @@ matrix_appservice_discord_bridge_homeserverUrl: "http://matrix-synapse:8008" matrix_appservice_discord_bridge_disablePresence: false matrix_appservice_discord_bridge_enableSelfServiceBridging: false +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_appservice_discord_database_engine: 'postgres'`) +# - adjust your database credentials +matrix_appservice_discord_database_engine: 'sqlite' +matrix_appservice_discord_database_filename: "/data/discord.db" +matrix_appservice_discord_database_connString: 'postgresql://{{ matrix_appservice_discord_database_connString_username }}:{{ matrix_appservice_discord_database_connString_password }}@{{ matrix_appservice_discord_database_connString_hostname }}:{{ matrix_appservice_discord_database_connString_port }}/{{ matrix_appservice_discord_database_connString_db_name }}' +matrix_appservice_discord_database_connString_username: 'matrix_appservice_discord' +matrix_appservice_discord_database_connString_password: 'some-password' +matrix_appservice_discord_database_connString_hostname: 'matrix-postgres' +matrix_appservice_discord_database_connString_port: 5432 +matrix_appservice_discord_database_connString_db_name: 'matrix_appservice_discord' + # Tells whether the bot should make use of "Privileged Gateway Intents". # # Enabling this means that you need to enable it for the bot (Discord application) as well, diff --git a/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml b/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml index b0713a43..73253ba0 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml @@ -20,3 +20,7 @@ when: "item.old in vars" with_items: - {'old': 'matrix_appservice_discord_container_expose_client_server_api_port', 'new': ''} + +- name: Require a valid database engine + fail: msg="`matrix_appservice_discord_database_engine` needs to be either 'sqlite' or 'postgres'" + when: "matrix_appservice_discord_database_engine not in ['sqlite', 'postgres']" diff --git a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 index de4182d9..b2ecd198 100644 --- a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 @@ -58,8 +58,11 @@ database: # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite # WARNING: You will almost certainly be fine with sqlite unless your bridge # is in heavy demand and you suffer from IO slowness. - #filename: "/data/discord.db" - connString: "postgresql://matrix_appservice_discord:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_appservice_discord') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_appservice_discord" + {% if matrix_appservice_discord_database_engine == 'sqlite' %} + filename: {{ matrix_appservice_discord_database_filename|to_json }} + {% else %} + connString: {{ matrix_appservice_discord_database_connString|to_json }} + {% endif %} room: # Set the default visibility of alias rooms, defaults to "public". # One of: "public", "private" From 183d2a10dbdfc142ace8e88e515e2d2f60ab84bc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 00:59:59 +0200 Subject: [PATCH 1611/2384] Ensure matrix-postgres.service is started before creating additional users/databases --- roles/matrix-postgres/defaults/main.yml | 6 ++++++ .../tasks/util/create_additional_databases.yml | 18 ++++++++++++++---- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index ad417e0b..89559f5d 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -42,3 +42,9 @@ matrix_postgres_container_postgres_bind_port: "" # username: matrix_appservice_slack # password: some_password matrix_postgres_additional_databases: [] + +# The number of seconds to wait after starting `matrix-postgres.service` +# and before trying to run queries for creating additional databases/users against it. +# +# For most (subsequent) runs, Postgres would already be running, so no waiting will be happening at all. +matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds: 15 diff --git a/roles/matrix-postgres/tasks/util/create_additional_databases.yml b/roles/matrix-postgres/tasks/util/create_additional_databases.yml index 51deb228..0ad460dd 100644 --- a/roles/matrix-postgres/tasks/util/create_additional_databases.yml +++ b/roles/matrix-postgres/tasks/util/create_additional_databases.yml @@ -1,10 +1,20 @@ --- -# TODO - we should ensure matrix-postgres.service is started. -# .. and that if we had just started it, we've given it ample time to initialize, -# before we attempt to run queries against it. +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: matrix_postgres_service_start_result -- name: Create additional Postgers user and database +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds }}" + delegate_to: 127.0.0.1 + become: false + when: "matrix_postgres_service_start_result.changed|bool" + +- name: Create additional Postgres user and database include_tasks: "{{ role_path }}/tasks/util/create_additional_database.yml" with_items: "{{ matrix_postgres_additional_databases }}" loop_control: From dd994995bca0cb0bd162aec1f5ee4dae35848614 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 01:22:23 +0200 Subject: [PATCH 1612/2384] Simplify password for additional Postgres databases Using the result of `password_hash` works for creating them, but authentication seems to be failing with some tools like pgloader. It's possible that we're not escaping things properly somewhere. Ideally, it'd be nice to solve that. But the easier (and still relatively safe/good) solution is to just turn that password hash into a UUID that's safe for passing around without worrying about escaping. --- group_vars/matrix_servers | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 717e71bc..b9d0be26 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -70,7 +70,7 @@ matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_k # We only make this use Postgres if our own Postgres server is enabled. # It's only then (for now) that we can automatically create the necessary database and user for this service. matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_discord_database_connString_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') }}" +matrix_appservice_discord_database_connString_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') | to_uuid }}" ###################################################################### # @@ -904,72 +904,72 @@ matrix_postgres_additional_databases: | + ([{ 'name': 'matrix_appservice_slack', 'username': 'matrix_appservice_slack', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_slack.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_slack.db.secret') | to_uuid, }] if matrix_appservice_slack_enabled else []) + ([{ 'name': 'matrix_appservice_irc', 'username': 'matrix_appservice_irc', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_irc.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_irc.db.secret') | to_uuid, }] if matrix_appservice_irc_enabled else []) + ([{ 'name': 'mautrix_bridge_facebook', 'username': 'mautrix_bridge_facebook', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_facebook.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_facebook.db.secret') | to_uuid, }] if matrix_mautrix_facebook_enabled else []) + ([{ 'name': 'mautrix_bridge_hangouts', 'username': 'mautrix_bridge_hangouts', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_hangouts.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_hangouts.db.secret') | to_uuid, }] if matrix_mautrix_hangouts_enabled else []) + ([{ 'name': 'mautrix_bridge_telegram', 'username': 'mautrix_bridge_telegram', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_telegram.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_telegram.db.secret') | to_uuid, }] if matrix_mautrix_telegram_enabled else []) + ([{ 'name': 'mautrix_bridge_whatsapp', 'username': 'mautrix_bridge_whatsapp', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_whatsapp.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_whatsapp.db.secret') | to_uuid, }] if matrix_mautrix_whatsapp_enabled else []) + ([{ 'name': 'matrix_bridge_sms', 'username': 'matrix_bridge_sms', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | to_uuid, }] if matrix_sms_bridge_enabled else []) + ([{ 'name': 'matrix_puppet_skype', 'username': 'matrix_puppet_skype', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_skype.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_skype.db.secret') | to_uuid, }] if matrix_mx_puppet_skype_enabled else []) + ([{ 'name': 'matrix_puppet_slack', 'username': 'matrix_puppet_slack', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_slack.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_slack.db.secret') | to_uuid, }] if matrix_mx_puppet_slack_enabled else []) + ([{ 'name': 'matrix_puppet_twitter', 'username': 'matrix_puppet_twitter', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_twitter.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_twitter.db.secret') | to_uuid, }] if matrix_mx_puppet_twitter_enabled else []) + ([{ 'name': 'matrix_puppet_instagram', 'username': 'matrix_puppet_instagram', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_insta.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_insta.db.secret') | to_uuid, }] if matrix_mx_puppet_instagram_enabled else []) + ([{ 'name': 'matrix_puppet_discord', 'username': 'matrix_puppet_discord', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_puppet.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_puppet.db.secret') | to_uuid, }] if matrix_mx_puppet_discord_enabled else []) + ([{ 'name': 'matrix_puppet_steam', 'username': 'matrix_puppet_steam', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_steam.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_steam.db.secret') | to_uuid, }] if matrix_mx_puppet_steam_enabled else []) + ([{ 'name': 'matrix_dimension', 'username': 'matrix_dimension', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db.secret') | string, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db.secret') | to_uuid, }] if matrix_dimension_enabled else []) }} From b87b75437232a8b3fa4c2ba2258382dfa761a62e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 01:36:15 +0200 Subject: [PATCH 1613/2384] Fail if appservice-discord wants Postgres, but has leftover SQLite data --- .../defaults/main.yml | 3 ++- .../tasks/setup_install.yml | 16 ++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 36b39b8e..53d7968d 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -49,7 +49,8 @@ matrix_appservice_discord_bridge_enableSelfServiceBridging: false # - change the engine (`matrix_appservice_discord_database_engine: 'postgres'`) # - adjust your database credentials matrix_appservice_discord_database_engine: 'sqlite' -matrix_appservice_discord_database_filename: "/data/discord.db" +matrix_appservice_discord_database_filename: "/data/{{ matrix_appservice_discord_database_filename_name }}" +matrix_appservice_discord_database_filename_name: "discord.db" matrix_appservice_discord_database_connString: 'postgresql://{{ matrix_appservice_discord_database_connString_username }}:{{ matrix_appservice_discord_database_connString_password }}@{{ matrix_appservice_discord_database_connString_hostname }}:{{ matrix_appservice_discord_database_connString_port }}/{{ matrix_appservice_discord_database_connString_db_name }}' matrix_appservice_discord_database_connString_username: 'matrix_appservice_discord' matrix_appservice_discord_database_connString_password: 'some-password' diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index 935d07eb..cea8fda8 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -1,5 +1,21 @@ --- +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_appservice_discord_data_path }}/{{ matrix_appservice_discord_database_filename_name }}" + register: matrix_appservice_discord_stat_sqlite_db + + - name: Fail if an SQLite database already exists when using Postgres + fail: + msg: >- + matrix_appservice_discord_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing SQLite database in {{ matrix_appservice_discord_data_path }}/{{ matrix_appservice_discord_database_filename_name }}. + It appears that you've been using this bridge with the SQLite engine until now. + To continue using SQLite, opt into it explicitly: add `matrix_appservice_discord_database_engine: sqlite` to your vars.yml file. + To migrate to Postgres: TODO - migration instructions here. + when: "matrix_appservice_discord_database_engine == 'postgres'" + - name: Ensure Appservice Discord image is pulled docker_image: name: "{{ matrix_appservice_discord_docker_image }}" From 6e1dfb62f0d371fdb82fc7a9e635dd32d0179e86 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 01:48:36 +0200 Subject: [PATCH 1614/2384] Rename some doc files and commands related to importing Since we'll likely have generic SQLite database importing via [pgloader](https://pgloader.io/) for migrating bridge databases from SQLite to Postgres, we'd rather avoid calling the "import Synapse SQLite database" command as just `--tags=import-sqlite-db`. Similarly, for the media store, we'd like to mention that it's related to Synapse as well. We'd like to be more explicit, so as to be less confusing, especially in light of other homeserver implementations coming in the future. --- docs/README.md | 6 +++--- docs/importing-postgres.md | 4 ++-- ...ting-media-store.md => importing-synapse-media-store.md} | 4 ++-- docs/{importing-sqlite.md => importing-synapse-sqlite.md} | 6 +++--- docs/installing.md | 4 ++-- .../{import_sqlite_db.yml => import_synapse_sqlite_db.yml} | 0 roles/matrix-postgres/tasks/main.yml | 6 ++++-- roles/matrix-synapse/tasks/main.yml | 2 +- 8 files changed, 17 insertions(+), 15 deletions(-) rename docs/{importing-media-store.md => importing-synapse-media-store.md} (92%) rename docs/{importing-sqlite.md => importing-synapse-sqlite.md} (86%) rename roles/matrix-postgres/tasks/{import_sqlite_db.yml => import_synapse_sqlite_db.yml} (100%) diff --git a/docs/README.md b/docs/README.md index 8d22477e..8c95eff3 100644 --- a/docs/README.md +++ b/docs/README.md @@ -10,13 +10,13 @@ - [Installing](installing.md) -- **Importing data from another Synapse server installation** +- **Importing data from another server installation** - - [Importing an existing SQLite database (from another installation)](importing-sqlite.md) (optional) + - [Importing an existing SQLite database (from another Synapse installation)](importing-synapse-sqlite.md) (optional) - [Importing an existing Postgres database (from another installation)](importing-postgres.md) (optional) - - [Importing `media_store` data files from an existing installation](importing-media-store.md) (optional) + - [Importing `media_store` data files from an existing Synapse installation](importing-synapse-media-store.md) (optional) - [Registering users](registering-users.md) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index a88067e1..0dd75cb2 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -1,7 +1,7 @@ # Importing an existing Postgres database from another installation (optional) -Run this if you'd like to import your database from a previous installation of Synapse. -(don't forget to import your `media_store` files as well - see [the importing-media-store guide](importing-media-store.md)). +Run this if you'd like to import your database from a previous installation. +(don't forget to import your Synapse `media_store` files as well - see [the importing-synape-media-store guide](importing-synapse-media-store.md)). ## Prerequisites diff --git a/docs/importing-media-store.md b/docs/importing-synapse-media-store.md similarity index 92% rename from docs/importing-media-store.md rename to docs/importing-synapse-media-store.md index 0d86370b..0ba7bacb 100644 --- a/docs/importing-media-store.md +++ b/docs/importing-synapse-media-store.md @@ -1,4 +1,4 @@ -# Importing `media_store` data files from an existing installation (optional) +# Importing `media_store` data files from an existing Synapse installation (optional) Run this if you'd like to import your `media_store` files from a previous installation of Synapse. @@ -17,6 +17,6 @@ As an alternative, you can perform a manual restore using the [AWS CLI tool](htt Run this command (make sure to replace `` with a path on your server): - ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_media_store=' --tags=import-media-store + ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_media_store=' --tags=import-synapse-media-store **Note**: `` must be a file path to a `media_store` directory on the server (not on your local machine!). diff --git a/docs/importing-sqlite.md b/docs/importing-synapse-sqlite.md similarity index 86% rename from docs/importing-sqlite.md rename to docs/importing-synapse-sqlite.md index 9e3a910d..aade2226 100644 --- a/docs/importing-sqlite.md +++ b/docs/importing-synapse-sqlite.md @@ -1,7 +1,7 @@ -# Importing an existing SQLite database from another installation (optional) +# Importing an existing SQLite database from another Synapse installation (optional) Run this if you'd like to import your database from a previous default installation of Synapse. -(don't forget to import your `media_store` files as well - see [the importing-media-store guide](importing-media-store.md)). +(don't forget to import your `media_store` files as well - see [the importing-synapse-media-store guide](importing-synapse-media-store.md)). While this playbook always sets up PostgreSQL, by default a Synapse installation would run using an SQLite database. @@ -18,7 +18,7 @@ Before doing the actual import, **you need to upload your SQLite database file t Run this command (make sure to replace `` with a file path on your server): - ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_homeserver_db=' --tags=import-sqlite-db + ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_homeserver_db=' --tags=import-synapse-sqlite-db **Notes**: diff --git a/docs/installing.md b/docs/installing.md index 43758ffb..a2ce1371 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -21,11 +21,11 @@ Feel free to **re-run this setup command any time** you think something is off w After installing, but before starting the services, you may want to do additional things like: -- [Importing an existing SQLite database (from another installation)](importing-sqlite.md) (optional) +- [Importing an existing SQLite database (from another Synapse installation)](importing-synapse-sqlite.md) (optional) - [Importing an existing Postgres database (from another installation)](importing-postgres.md) (optional) -- [Importing `media_store` data files from an existing installation](importing-media-store.md) (optional) +- [Importing `media_store` data files from an existing Synapse installation](importing-synapse-media-store.md) (optional) ## Starting the services diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_synapse_sqlite_db.yml similarity index 100% rename from roles/matrix-postgres/tasks/import_sqlite_db.yml rename to roles/matrix-postgres/tasks/import_synapse_sqlite_db.yml diff --git a/roles/matrix-postgres/tasks/main.yml b/roles/matrix-postgres/tasks/main.yml index 717b73e4..f4c752a0 100644 --- a/roles/matrix-postgres/tasks/main.yml +++ b/roles/matrix-postgres/tasks/main.yml @@ -19,10 +19,12 @@ tags: - import-postgres -- import_tasks: "{{ role_path }}/tasks/import_sqlite_db.yml" +# The `run_postgres_import_sqlite_db` variable had better be renamed to be consistent, +# but that's a breaking change which may cause trouble for people. +- import_tasks: "{{ role_path }}/tasks/import_synapse_sqlite_db.yml" when: run_postgres_import_sqlite_db|bool tags: - - import-sqlite-db + - import-synapse-sqlite-db - import_tasks: "{{ role_path }}/tasks/upgrade_postgres.yml" when: run_postgres_upgrade|bool diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index 48e72ace..e366a13f 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -17,7 +17,7 @@ - import_tasks: "{{ role_path }}/tasks/import_media_store.yml" when: run_synapse_import_media_store|bool tags: - - import-media-store + - import-synapse-media-store - import_tasks: "{{ role_path }}/tasks/register_user.yml" when: run_synapse_register_user|bool From cb969c6ca297b21216f896033ae86702be227812 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 02:23:29 +0200 Subject: [PATCH 1615/2384] Add --tags=import-generic-sqlite-db (pgloader import) This can be used by various bridges, etc., to import an SQLite (or some other supported) database into Postgres. --- roles/matrix-postgres/defaults/main.yml | 2 + .../tasks/import_generic_sqlite_db.yml | 84 +++++++++++++++++++ roles/matrix-postgres/tasks/main.yml | 6 ++ 3 files changed, 92 insertions(+) create mode 100644 roles/matrix-postgres/tasks/import_generic_sqlite_db.yml diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 89559f5d..5755742f 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -48,3 +48,5 @@ matrix_postgres_additional_databases: [] # # For most (subsequent) runs, Postgres would already be running, so no waiting will be happening at all. matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds: 15 + +matrix_postgres_pgloader_docker_image: "docker.io/illagrenan/pgloader:3.6.2" diff --git a/roles/matrix-postgres/tasks/import_generic_sqlite_db.yml b/roles/matrix-postgres/tasks/import_generic_sqlite_db.yml new file mode 100644 index 00000000..f2798a73 --- /dev/null +++ b/roles/matrix-postgres/tasks/import_generic_sqlite_db.yml @@ -0,0 +1,84 @@ +--- + +# Pre-checks + +- name: Fail if Postgres not enabled + fail: + msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." + when: "not matrix_postgres_enabled|bool" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `sqlite_database_path` variable needs to be provided to this playbook, via --extra-vars" + when: "sqlite_database_path is not defined or sqlite_database_path.startswith('<')" + +- name: Fail if playbook called incorrectly + fail: + msg: >- + The `postgres_db_connection_string` variable needs to be provided to this playbook, via `--extra-vars`. + Example: `--extra-vars="postgres_db_connection_string=postgresql://username:password@localhost:/database_name`" + when: "postgres_db_connection_string is not defined or not postgres_db_connection_string.startswith('postgresql://')" + +- name: Check if the provided SQLite database file exists + stat: + path: "{{ sqlite_database_path }}" + register: sqlite_database_path_stat_result + +- name: Fail if provided SQLite database file doesn't exist + fail: + msg: "File cannot be found on the server at {{ sqlite_database_path }}" + when: "not sqlite_database_path_stat_result.stat.exists" + + +# Defaults + +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + + +# Actual import work + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: matrix_postgres_service_start_result + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false + when: "matrix_postgres_service_start_result.changed|bool" + +- name: Import SQLite database from {{ sqlite_database_path }} into Postgres + command: + cmd: >- + {{ matrix_host_command_docker }} run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --mount type=bind,src={{ sqlite_database_path }},dst=/in.db,ro + --entrypoint=/bin/sh + {{ matrix_postgres_pgloader_docker_image }} + -c + 'pgloader /in.db {{ postgres_db_connection_string }}' + +- name: Archive SQLite database ({{ sqlite_database_path }} -> {{ sqlite_database_path }}.backup) + command: + cmd: "mv {{ sqlite_database_path }} {{ sqlite_database_path }}.backup" + +- name: Inject result + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: Your SQLite database file has been imported into Postgres. The original file has been moved from `{{ sqlite_database_path }}` to `{{ sqlite_database_path }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." + ] + }} diff --git a/roles/matrix-postgres/tasks/main.yml b/roles/matrix-postgres/tasks/main.yml index f4c752a0..b9c2ae7c 100644 --- a/roles/matrix-postgres/tasks/main.yml +++ b/roles/matrix-postgres/tasks/main.yml @@ -26,6 +26,12 @@ tags: - import-synapse-sqlite-db +# Perhaps we need a new variable here, instead of `run_postgres_import_sqlite_db`. +- import_tasks: "{{ role_path }}/tasks/import_generic_sqlite_db.yml" + when: run_postgres_import_sqlite_db|bool + tags: + - import-generic-sqlite-db + - import_tasks: "{{ role_path }}/tasks/upgrade_postgres.yml" when: run_postgres_upgrade|bool tags: From 4617984b9f998e032f426ec629e408a1f0c2ecf8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 02:24:32 +0200 Subject: [PATCH 1616/2384] Add (SQLite -> Postgres) migration instructions --- .../tasks/setup_install.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index cea8fda8..57e59df0 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -1,10 +1,13 @@ --- - block: + - set_fact: + matrix_appservice_discord_sqlite_db_path: "{{ matrix_appservice_discord_data_path }}/{{ matrix_appservice_discord_database_filename_name }}" + - name: Check if an SQLite database already exists stat: - path: "{{ matrix_appservice_discord_data_path }}/{{ matrix_appservice_discord_database_filename_name }}" - register: matrix_appservice_discord_stat_sqlite_db + path: "{{ matrix_appservice_discord_sqlite_db_path }}" + register: matrix_appservice_discord_sqlite_db_path_stat_result - name: Fail if an SQLite database already exists when using Postgres fail: @@ -12,8 +15,12 @@ matrix_appservice_discord_database_engine has been set to `postgres` (which is our new default now). However, we've discovered an existing SQLite database in {{ matrix_appservice_discord_data_path }}/{{ matrix_appservice_discord_database_filename_name }}. It appears that you've been using this bridge with the SQLite engine until now. - To continue using SQLite, opt into it explicitly: add `matrix_appservice_discord_database_engine: sqlite` to your vars.yml file. - To migrate to Postgres: TODO - migration instructions here. + To continue using SQLite, opt into it explicitly: add `matrix_appservice_discord_database_engine: sqlite` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing SQLite database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_appservice_discord_sqlite_db_path }} postgres_db_connection_string={{ matrix_appservice_discord_database_connString }}'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_appservice_discord_sqlite_db_path_stat_result.stat.exists" when: "matrix_appservice_discord_database_engine == 'postgres'" - name: Ensure Appservice Discord image is pulled From b217a2ed6907347200c57d66195dd780e4a1f24f Mon Sep 17 00:00:00 2001 From: transcaffeine Date: Mon, 14 Dec 2020 07:54:24 +0100 Subject: [PATCH 1617/2384] postgres: set default in playbook to postgres but fallback to sqlite --- group_vars/matrix_servers | 175 +++++++++++++++++++++++++------------- 1 file changed, 118 insertions(+), 57 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b9d0be26..0cbc4587 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -140,6 +140,10 @@ matrix_appservice_slack_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) }} +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.slack.db') | to_uuid }}" + ###################################################################### # # /matrix-bridge-appservice-slack @@ -175,6 +179,11 @@ matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key | matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.hs.token') | to_uuid }}" +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_appservice_irc_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.irc.db') | to_uuid }}" + + ###################################################################### # # /matrix-bridge-appservice-irc @@ -208,6 +217,10 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_facebook.db') | to_uuid }}" + ###################################################################### # # /matrix-bridge-mautrix-facebook @@ -241,6 +254,10 @@ matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_pr matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_hangouts.db') | to_uuid }}" + ###################################################################### # # /matrix-bridge-mautrix-hangouts @@ -277,6 +294,10 @@ matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_pr matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_telegram.db') | to_uuid }}" + ###################################################################### # # /matrix-bridge-mautrix-telegram @@ -305,6 +326,10 @@ matrix_mautrix_whatsapp_homeserver_token: "{{ matrix_synapse_macaroon_secret_key matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_whatsapp.db') | to_uuid }}" + ###################################################################### # # /matrix-bridge-mautrix-whatsapp @@ -361,6 +386,10 @@ matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_skype.db') | to_uuid }}" + ###################################################################### # # /matrix-bridge-mx-puppet-skype @@ -392,6 +421,10 @@ matrix_mx_puppet_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_slack.db') | to_uuid }}" + ###################################################################### # # /matrix-bridge-mx-puppet-slack @@ -424,6 +457,10 @@ matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_pr matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_mx_puppet_twitter_appservice_port) }}" +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_twitter.db') | to_uuid }}" + ###################################################################### # # /matrix-bridge-mx-puppet-twitter @@ -455,6 +492,10 @@ matrix_mx_puppet_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_ matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_instagram.db') | to_uuid }}" + ###################################################################### # # /matrix-bridge-mx-puppet-instagram @@ -485,6 +526,10 @@ matrix_mx_puppet_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_ke matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_discord.db') | to_uuid }}" + ###################################################################### # # /matrix-bridge-mx-puppet-discord @@ -515,6 +560,10 @@ matrix_mx_puppet_steam_homeserver_token: "{{ matrix_synapse_macaroon_secret_key matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mx_puppet_stream_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_steam.db') | to_uuid }}" + ###################################################################### # # /matrix-bridge-mx-puppet-steam @@ -625,6 +674,10 @@ matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.dimension.db') | to_uuid }}" + ###################################################################### # # /matrix-dimension @@ -902,75 +955,83 @@ matrix_postgres_additional_databases: | 'password': matrix_appservice_discord_database_connString_password, }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_database_connString_hostname == 'matrix-postgres') else []) + ([{ - 'name': 'matrix_appservice_slack', - 'username': 'matrix_appservice_slack', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_slack.db.secret') | to_uuid, - }] if matrix_appservice_slack_enabled else []) + 'name': matrix_appservice_slack_database_db_name + 'username': matrix_appservice_slack_database_username + 'password': matrix_appservice_slack_database_password + }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == 'matrix-postgres' else []) + ([{ - 'name': 'matrix_appservice_irc', - 'username': 'matrix_appservice_irc', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'app_irc.db.secret') | to_uuid, - }] if matrix_appservice_irc_enabled else []) + 'name': matrix_appservice_irc_database_db_name + 'username': matrix_appservice_irc_database_username + 'password': matrix_appservice_irc_database_password + }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == 'matrix-postgres' else []) + ([{ - 'name': 'mautrix_bridge_facebook', - 'username': 'mautrix_bridge_facebook', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_facebook.db.secret') | to_uuid, - }] if matrix_mautrix_facebook_enabled else []) + 'name': matrix_mautrix_facebook_database_db_name + 'username': matrix_mautrix_facebook_database_username + 'password': matrix_mautrix_facebook_database_password + }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == 'matrix-postgres' else []) + ([{ - 'name': 'mautrix_bridge_hangouts', - 'username': 'mautrix_bridge_hangouts', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_hangouts.db.secret') | to_uuid, - }] if matrix_mautrix_hangouts_enabled else []) + 'name': matrix_mautrix_hangouts_database_db_name + 'username': matrix_mautrix_hangouts_database_username + 'password': matrix_mautrix_hangouts_database_password + }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres' else []) + ([{ - 'name': 'mautrix_bridge_telegram', - 'username': 'mautrix_bridge_telegram', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_telegram.db.secret') | to_uuid, - }] if matrix_mautrix_telegram_enabled else []) + 'name': matrix_mautrix_telegram_database_db_name + 'username': matrix_mautrix_telegram_database_username + 'password': matrix_mautrix_telegram_database_password + }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_telegram_facebook_database_hostname == 'matrix-postgres' else []) + ([{ - 'name': 'mautrix_bridge_whatsapp', - 'username': 'mautrix_bridge_whatsapp', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mautrix_whatsapp.db.secret') | to_uuid, - }] if matrix_mautrix_whatsapp_enabled else []) + 'name': matrix_mautrix_whatsapp_database_db_name + 'username': matrix_mautrix_whatsapp_database_username + 'password': matrix_mautrix_whatsapp_database_password + }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == 'matrix-postgres' else []) + ([{ 'name': 'matrix_bridge_sms', 'username': 'matrix_bridge_sms', 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | to_uuid, }] if matrix_sms_bridge_enabled else []) + ([{ - 'name': 'matrix_puppet_skype', - 'username': 'matrix_puppet_skype', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_skype.db.secret') | to_uuid, - }] if matrix_mx_puppet_skype_enabled else []) - + ([{ - 'name': 'matrix_puppet_slack', - 'username': 'matrix_puppet_slack', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_slack.db.secret') | to_uuid, - }] if matrix_mx_puppet_slack_enabled else []) - + ([{ - 'name': 'matrix_puppet_twitter', - 'username': 'matrix_puppet_twitter', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_twitter.db.secret') | to_uuid, - }] if matrix_mx_puppet_twitter_enabled else []) - + ([{ - 'name': 'matrix_puppet_instagram', - 'username': 'matrix_puppet_instagram', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_insta.db.secret') | to_uuid, - }] if matrix_mx_puppet_instagram_enabled else []) - + ([{ - 'name': 'matrix_puppet_discord', - 'username': 'matrix_puppet_discord', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_puppet.db.secret') | to_uuid, - }] if matrix_mx_puppet_discord_enabled else []) - + ([{ - 'name': 'matrix_puppet_steam', - 'username': 'matrix_puppet_steam', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx_steam.db.secret') | to_uuid, - }] if matrix_mx_puppet_steam_enabled else []) + 'name': matrix_mx_puppet_skype_database_db_name + 'username': matrix_mx_puppet_skype_database_username + 'password': matrix_mx_puppet_skype_database_password + }] if (matrix_mx_puppet_skype_enabled and matrix_mx_puppet_skype_database_engine == 'postgres' and matrix_mx_puppet_skype_database_hostname == 'matrix-postgres' else []) + ([{ - 'name': 'matrix_dimension', - 'username': 'matrix_dimension', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db.secret') | to_uuid, - }] if matrix_dimension_enabled else []) + 'name': matrix_mx_puppet_slack_database_db_name + 'username': matrix_mx_puppet_slack_database_username + 'password': matrix_mx_puppet_slack_database_password + }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == 'matrix-postgres' else []) + + ([{ + 'name': matrix_mx_puppet_twitter_database_db_name + 'username': matrix_mx_puppet_twitter_database_username + 'password': matrix_mx_puppet_twitter_database_password + }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == 'matrix-postgres' else []) + + ([{ + 'name': matrix_mx_puppet_instagram_database_db_name + 'username': matrix_mx_puppet_instagram_database_username + 'password': matrix_mx_puppet_instagram_database_password + }] if (matrix_mx_puppet_instagram_enabled + and matrix_mx_puppet_instagram_database_engine == 'postgres' + and matrix_mx_puppet_instagram_database_hostname == 'matrix-postgres' else []) + + ([{ + 'name': matrix_mx_puppet_discord_database_db_name + 'username': matrix_mx_puppet_discord_database_username + 'password': matrix_mx_puppet_discord_database_password + }] if (matrix_mx_puppet_discord_enabled + and matrix_mx_puppet_discord_database_engine == 'postgres' + and matrix_mx_puppet_discord_database_hostname == 'matrix-postgres' else []) + + ([{ + 'name': matrix_mx_puppet_steam_database_db_name + 'username': matrix_mx_puppet_steam_database_username + 'password': matrix_mx_puppet_steam_database_password + }] if (matrix_mx_puppet_steam_enabled + and matrix_mx_puppet_steam_database_engine == 'postgres' + and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres' else []) + + ([{ + 'name': matrix_dimension_database_db_name + 'username': matrix_dimension_database_username + 'password': matrix_dimension_database_password + }] if (matrix_dimension_enabled + and matrix_dimension_database_engine == 'postgres' + and matrix_dimension_database_hostname == 'matrix-postgres' else []) }} ###################################################################### From f1e85f7112ffa9dd3309e8963c9a8e69723f48a0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 10:04:37 +0200 Subject: [PATCH 1618/2384] Don't mention Postgres roles, just say users --- .../templates/init-additional-db-user-and-role.sql.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 b/roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 index af3d912c..609a1344 100644 --- a/roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 +++ b/roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 @@ -4,7 +4,7 @@ DO $$ BEGIN CREATE USER {{ additional_db.username }}; EXCEPTION WHEN DUPLICATE_OBJECT THEN - RAISE NOTICE 'not creating role {{ additional_db.username }}, since it already exists'; + RAISE NOTICE 'not creating user {{ additional_db.username }}, since it already exists'; END $$; From d91aa5a060ab0742f25c15a951429104c1793a91 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 10:51:53 +0200 Subject: [PATCH 1619/2384] Do not introduce sub-variables exposing implementation details --- group_vars/matrix_servers | 10 ++++---- .../defaults/main.yml | 25 ++++++++++++------- .../tasks/setup_install.yml | 13 ++++------ 3 files changed, 26 insertions(+), 22 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 0cbc4587..efb29d4a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -70,7 +70,7 @@ matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_k # We only make this use Postgres if our own Postgres server is enabled. # It's only then (for now) that we can automatically create the necessary database and user for this service. matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_discord_database_connString_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') | to_uuid }}" +matrix_appservice_discord_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') | to_uuid }}" ###################################################################### # @@ -950,10 +950,10 @@ matrix_postgres_db_name: "homeserver" matrix_postgres_additional_databases: | {{ ([{ - 'name': matrix_appservice_discord_database_connString_db_name, - 'username': matrix_appservice_discord_database_connString_username, - 'password': matrix_appservice_discord_database_connString_password, - }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_database_connString_hostname == 'matrix-postgres') else []) + 'name': matrix_appservice_discord_postgres_db_name, + 'username': matrix_appservice_discord_postgres_username, + 'password': matrix_appservice_discord_postgres_password, + }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_appservice_slack_database_db_name 'username': matrix_appservice_slack_database_username diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 53d7968d..fb517cd5 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -47,16 +47,23 @@ matrix_appservice_discord_bridge_enableSelfServiceBridging: false # # To use Postgres: # - change the engine (`matrix_appservice_discord_database_engine: 'postgres'`) -# - adjust your database credentials +# - adjust your database credentials via the `matrix_appservice_discord_postgres_*` variables matrix_appservice_discord_database_engine: 'sqlite' -matrix_appservice_discord_database_filename: "/data/{{ matrix_appservice_discord_database_filename_name }}" -matrix_appservice_discord_database_filename_name: "discord.db" -matrix_appservice_discord_database_connString: 'postgresql://{{ matrix_appservice_discord_database_connString_username }}:{{ matrix_appservice_discord_database_connString_password }}@{{ matrix_appservice_discord_database_connString_hostname }}:{{ matrix_appservice_discord_database_connString_port }}/{{ matrix_appservice_discord_database_connString_db_name }}' -matrix_appservice_discord_database_connString_username: 'matrix_appservice_discord' -matrix_appservice_discord_database_connString_password: 'some-password' -matrix_appservice_discord_database_connString_hostname: 'matrix-postgres' -matrix_appservice_discord_database_connString_port: 5432 -matrix_appservice_discord_database_connString_db_name: 'matrix_appservice_discord' + +matrix_appservice_discord_sqlite_database_path_local: "{{ matrix_appservice_discord_data_path }}/discord.db" +matrix_appservice_discord_sqlite_database_path_in_container: "/data/discord.db" + +matrix_appservice_discord_postgres_username: 'matrix_appservice_discord' +matrix_appservice_discord_postgres_password: 'some-password' +matrix_appservice_discord_postgres_hostname: 'matrix-postgres' +matrix_appservice_discord_postgres_port: 5432 +matrix_appservice_discord_postgres_db_name: 'matrix_appservice_discord' + +# These 2 variables are what actually ends up in the bridge configuration. +# It's best if you don't change them directly, but rather redefine the sub-variables that constitute them. +matrix_appservice_discord_database_filename: "{{ matrix_appservice_discord_sqlite_database_path_in_container }}" +matrix_appservice_discord_database_connString: 'postgresql://{{ matrix_appservice_discord_postgres_username }}:{{ matrix_appservice_discord_postgres_password }}@{{ matrix_appservice_discord_postgres_hostname }}:{{ matrix_appservice_discord_postgres_port }}/{{ matrix_appservice_discord_postgres_db_name }}' + # Tells whether the bot should make use of "Privileged Gateway Intents". # diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index 57e59df0..86a5fe51 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -1,26 +1,23 @@ --- - block: - - set_fact: - matrix_appservice_discord_sqlite_db_path: "{{ matrix_appservice_discord_data_path }}/{{ matrix_appservice_discord_database_filename_name }}" - - name: Check if an SQLite database already exists stat: - path: "{{ matrix_appservice_discord_sqlite_db_path }}" - register: matrix_appservice_discord_sqlite_db_path_stat_result + path: "{{ matrix_appservice_discord_sqlite_database_path_local }}" + register: matrix_appservice_discord_sqlite_database_path_local_stat_result - name: Fail if an SQLite database already exists when using Postgres fail: msg: >- matrix_appservice_discord_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing SQLite database in {{ matrix_appservice_discord_data_path }}/{{ matrix_appservice_discord_database_filename_name }}. + However, we've discovered an existing SQLite database in {{ matrix_appservice_discord_sqlite_database_path_local }}. It appears that you've been using this bridge with the SQLite engine until now. To continue using SQLite, opt into it explicitly: add `matrix_appservice_discord_database_engine: sqlite` to your vars.yml file and re-run this same command. Alternatively, to migrate your existing SQLite database to Postgres: 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_appservice_discord_sqlite_db_path }} postgres_db_connection_string={{ matrix_appservice_discord_database_connString }}'`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_appservice_discord_sqlite_database_path_local }} postgres_db_connection_string={{ matrix_appservice_discord_database_connString }}'`) 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_appservice_discord_sqlite_db_path_stat_result.stat.exists" + when: "matrix_appservice_discord_sqlite_database_path_local_stat_result.stat.exists" when: "matrix_appservice_discord_database_engine == 'postgres'" - name: Ensure Appservice Discord image is pulled From c0edacbefd60d5bfd136c448ff3fdf76da645731 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 11:17:12 +0200 Subject: [PATCH 1620/2384] Fix matrix_postgres_additional_databases syntax problems --- group_vars/matrix_servers | 106 +++++++++++++++++++------------------- 1 file changed, 53 insertions(+), 53 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index efb29d4a..763fccd8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -955,84 +955,84 @@ matrix_postgres_additional_databases: | 'password': matrix_appservice_discord_postgres_password, }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_appservice_slack_database_db_name - 'username': matrix_appservice_slack_database_username - 'password': matrix_appservice_slack_database_password - }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == 'matrix-postgres' else []) + 'name': matrix_appservice_slack_database_db_name, + 'username': matrix_appservice_slack_database_username, + 'password': matrix_appservice_slack_database_password, + }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_appservice_irc_database_db_name - 'username': matrix_appservice_irc_database_username - 'password': matrix_appservice_irc_database_password - }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == 'matrix-postgres' else []) + 'name': matrix_appservice_irc_database_db_name, + 'username': matrix_appservice_irc_database_username, + 'password': matrix_appservice_irc_database_password, + }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_facebook_database_db_name - 'username': matrix_mautrix_facebook_database_username - 'password': matrix_mautrix_facebook_database_password - }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == 'matrix-postgres' else []) + 'name': matrix_mautrix_facebook_postgres_db_name, + 'username': matrix_mautrix_facebook_postgres_username, + 'password': matrix_mautrix_facebook_postgres_password, + }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_hangouts_database_db_name - 'username': matrix_mautrix_hangouts_database_username - 'password': matrix_mautrix_hangouts_database_password - }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres' else []) + 'name': matrix_mautrix_hangouts_database_db_name, + 'username': matrix_mautrix_hangouts_database_username, + 'password': matrix_mautrix_hangouts_database_password, + }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_telegram_database_db_name - 'username': matrix_mautrix_telegram_database_username - 'password': matrix_mautrix_telegram_database_password - }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_telegram_facebook_database_hostname == 'matrix-postgres' else []) + 'name': matrix_mautrix_telegram_database_db_name, + 'username': matrix_mautrix_telegram_database_username, + 'password': matrix_mautrix_telegram_database_password, + }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_telegram_facebook_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_whatsapp_database_db_name - 'username': matrix_mautrix_whatsapp_database_username - 'password': matrix_mautrix_whatsapp_database_password - }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == 'matrix-postgres' else []) + 'name': matrix_mautrix_whatsapp_database_db_name, + 'username': matrix_mautrix_whatsapp_database_username, + 'password': matrix_mautrix_whatsapp_database_password, + }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == 'matrix-postgres') else []) + ([{ 'name': 'matrix_bridge_sms', 'username': 'matrix_bridge_sms', 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | to_uuid, }] if matrix_sms_bridge_enabled else []) + ([{ - 'name': matrix_mx_puppet_skype_database_db_name - 'username': matrix_mx_puppet_skype_database_username - 'password': matrix_mx_puppet_skype_database_password - }] if (matrix_mx_puppet_skype_enabled and matrix_mx_puppet_skype_database_engine == 'postgres' and matrix_mx_puppet_skype_database_hostname == 'matrix-postgres' else []) + 'name': matrix_mx_puppet_skype_database_db_name, + 'username': matrix_mx_puppet_skype_database_username, + 'password': matrix_mx_puppet_skype_database_password, + }] if (matrix_mx_puppet_skype_enabled and matrix_mx_puppet_skype_database_engine == 'postgres' and matrix_mx_puppet_skype_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_slack_database_db_name - 'username': matrix_mx_puppet_slack_database_username - 'password': matrix_mx_puppet_slack_database_password - }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == 'matrix-postgres' else []) + 'name': matrix_mx_puppet_slack_database_db_name, + 'username': matrix_mx_puppet_slack_database_username, + 'password': matrix_mx_puppet_slack_database_password, + }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_twitter_database_db_name - 'username': matrix_mx_puppet_twitter_database_username - 'password': matrix_mx_puppet_twitter_database_password - }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == 'matrix-postgres' else []) + 'name': matrix_mx_puppet_twitter_database_db_name, + 'username': matrix_mx_puppet_twitter_database_username, + 'password': matrix_mx_puppet_twitter_database_password, + }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_instagram_database_db_name - 'username': matrix_mx_puppet_instagram_database_username - 'password': matrix_mx_puppet_instagram_database_password + 'name': matrix_mx_puppet_instagram_database_db_name, + 'username': matrix_mx_puppet_instagram_database_username, + 'password': matrix_mx_puppet_instagram_database_password, }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' - and matrix_mx_puppet_instagram_database_hostname == 'matrix-postgres' else []) + and matrix_mx_puppet_instagram_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_discord_database_db_name - 'username': matrix_mx_puppet_discord_database_username - 'password': matrix_mx_puppet_discord_database_password + 'name': matrix_mx_puppet_discord_database_db_name, + 'username': matrix_mx_puppet_discord_database_username, + 'password': matrix_mx_puppet_discord_database_password, }] if (matrix_mx_puppet_discord_enabled and matrix_mx_puppet_discord_database_engine == 'postgres' - and matrix_mx_puppet_discord_database_hostname == 'matrix-postgres' else []) + and matrix_mx_puppet_discord_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_steam_database_db_name - 'username': matrix_mx_puppet_steam_database_username - 'password': matrix_mx_puppet_steam_database_password + 'name': matrix_mx_puppet_steam_database_db_name, + 'username': matrix_mx_puppet_steam_database_username, + 'password': matrix_mx_puppet_steam_database_password, }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' - and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres' else []) + and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_dimension_database_db_name - 'username': matrix_dimension_database_username - 'password': matrix_dimension_database_password + 'name': matrix_dimension_database_db_name, + 'username': matrix_dimension_database_username, + 'password': matrix_dimension_database_password, }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' - and matrix_dimension_database_hostname == 'matrix-postgres' else []) - }} + and matrix_dimension_database_hostname == 'matrix-postgres') else []) + }} ###################################################################### # From 2a99e84b5bfd9f3988566e498b2fe729baa81c75 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 11:19:18 +0200 Subject: [PATCH 1621/2384] Rename Postgres-related variables (`matrix*database_*` -> `matrix*postgres_*`) `matrix_SERVICE_database_engine` remains as it is - the only one with a `_database_` infix. Postgres-related ones move to `_postgres_`. --- group_vars/matrix_servers | 72 +++++++++++++++++++-------------------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 763fccd8..5e3695ca 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -955,14 +955,14 @@ matrix_postgres_additional_databases: | 'password': matrix_appservice_discord_postgres_password, }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_appservice_slack_database_db_name, - 'username': matrix_appservice_slack_database_username, - 'password': matrix_appservice_slack_database_password, + 'name': matrix_appservice_slack_postgres_db_name, + 'username': matrix_appservice_slack_postgres_username, + 'password': matrix_appservice_slack_postgres_password, }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_appservice_irc_database_db_name, - 'username': matrix_appservice_irc_database_username, - 'password': matrix_appservice_irc_database_password, + 'name': matrix_appservice_irc_postgres_db_name, + 'username': matrix_appservice_irc_postgres_username, + 'password': matrix_appservice_irc_postgres_password, }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mautrix_facebook_postgres_db_name, @@ -970,19 +970,19 @@ matrix_postgres_additional_databases: | 'password': matrix_mautrix_facebook_postgres_password, }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_hangouts_database_db_name, - 'username': matrix_mautrix_hangouts_database_username, - 'password': matrix_mautrix_hangouts_database_password, + 'name': matrix_mautrix_hangouts_postgres_db_name, + 'username': matrix_mautrix_hangouts_postgres_username, + 'password': matrix_mautrix_hangouts_postgres_password, }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_telegram_database_db_name, - 'username': matrix_mautrix_telegram_database_username, - 'password': matrix_mautrix_telegram_database_password, + 'name': matrix_mautrix_telegram_postgres_db_name, + 'username': matrix_mautrix_telegram_postgres_username, + 'password': matrix_mautrix_telegram_postgres_password, }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_telegram_facebook_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_whatsapp_database_db_name, - 'username': matrix_mautrix_whatsapp_database_username, - 'password': matrix_mautrix_whatsapp_database_password, + 'name': matrix_mautrix_whatsapp_postgres_db_name, + 'username': matrix_mautrix_whatsapp_postgres_username, + 'password': matrix_mautrix_whatsapp_postgres_password, }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == 'matrix-postgres') else []) + ([{ 'name': 'matrix_bridge_sms', @@ -990,45 +990,45 @@ matrix_postgres_additional_databases: | 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | to_uuid, }] if matrix_sms_bridge_enabled else []) + ([{ - 'name': matrix_mx_puppet_skype_database_db_name, - 'username': matrix_mx_puppet_skype_database_username, - 'password': matrix_mx_puppet_skype_database_password, + 'name': matrix_mx_puppet_skype_postgres_db_name, + 'username': matrix_mx_puppet_skype_postgres_username, + 'password': matrix_mx_puppet_skype_postgres_password, }] if (matrix_mx_puppet_skype_enabled and matrix_mx_puppet_skype_database_engine == 'postgres' and matrix_mx_puppet_skype_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_slack_database_db_name, - 'username': matrix_mx_puppet_slack_database_username, - 'password': matrix_mx_puppet_slack_database_password, + 'name': matrix_mx_puppet_slack_postgres_db_name, + 'username': matrix_mx_puppet_slack_postgres_username, + 'password': matrix_mx_puppet_slack_postgres_password, }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_twitter_database_db_name, - 'username': matrix_mx_puppet_twitter_database_username, - 'password': matrix_mx_puppet_twitter_database_password, + 'name': matrix_mx_puppet_twitter_postgres_db_name, + 'username': matrix_mx_puppet_twitter_postgres_username, + 'password': matrix_mx_puppet_twitter_postgres_password, }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_instagram_database_db_name, - 'username': matrix_mx_puppet_instagram_database_username, - 'password': matrix_mx_puppet_instagram_database_password, + 'name': matrix_mx_puppet_instagram_postgres_db_name, + 'username': matrix_mx_puppet_instagram_postgres_username, + 'password': matrix_mx_puppet_instagram_postgres_password, }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' and matrix_mx_puppet_instagram_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_discord_database_db_name, - 'username': matrix_mx_puppet_discord_database_username, - 'password': matrix_mx_puppet_discord_database_password, + 'name': matrix_mx_puppet_discord_postgres_db_name, + 'username': matrix_mx_puppet_discord_postgres_username, + 'password': matrix_mx_puppet_discord_postgres_password, }] if (matrix_mx_puppet_discord_enabled and matrix_mx_puppet_discord_database_engine == 'postgres' and matrix_mx_puppet_discord_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_steam_database_db_name, - 'username': matrix_mx_puppet_steam_database_username, - 'password': matrix_mx_puppet_steam_database_password, + 'name': matrix_mx_puppet_steam_postgres_db_name, + 'username': matrix_mx_puppet_steam_postgres_username, + 'password': matrix_mx_puppet_steam_postgres_password, }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_dimension_database_db_name, - 'username': matrix_dimension_database_username, - 'password': matrix_dimension_database_password, + 'name': matrix_dimension_postgres_db_name, + 'username': matrix_dimension_postgres_username, + 'password': matrix_dimension_postgres_password, }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == 'matrix-postgres') else []) From 5dba0c038b6c19a9b430210cfaaa7538e383cef9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 11:47:00 +0200 Subject: [PATCH 1622/2384] Make --tags=import-generic-sqlite-db commands not pass a sensitive connection string around Instead of passing the connection string, we can now pass a name of a variable, which contains a connection string. Both are supported for having extra flexibility. --- .../tasks/setup_install.yml | 2 +- .../tasks/import_generic_sqlite_db.yml | 27 ++++++++++++++----- 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index 86a5fe51..a9d8da4c 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -15,7 +15,7 @@ To continue using SQLite, opt into it explicitly: add `matrix_appservice_discord_database_engine: sqlite` to your vars.yml file and re-run this same command. Alternatively, to migrate your existing SQLite database to Postgres: 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_appservice_discord_sqlite_database_path_local }} postgres_db_connection_string={{ matrix_appservice_discord_database_connString }}'`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_appservice_discord_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_appservice_discord_database_connString'`) 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) when: "matrix_appservice_discord_sqlite_database_path_local_stat_result.stat.exists" when: "matrix_appservice_discord_database_engine == 'postgres'" diff --git a/roles/matrix-postgres/tasks/import_generic_sqlite_db.yml b/roles/matrix-postgres/tasks/import_generic_sqlite_db.yml index f2798a73..a42c6f55 100644 --- a/roles/matrix-postgres/tasks/import_generic_sqlite_db.yml +++ b/roles/matrix-postgres/tasks/import_generic_sqlite_db.yml @@ -12,13 +12,6 @@ msg: "The `sqlite_database_path` variable needs to be provided to this playbook, via --extra-vars" when: "sqlite_database_path is not defined or sqlite_database_path.startswith('<')" -- name: Fail if playbook called incorrectly - fail: - msg: >- - The `postgres_db_connection_string` variable needs to be provided to this playbook, via `--extra-vars`. - Example: `--extra-vars="postgres_db_connection_string=postgresql://username:password@localhost:/database_name`" - when: "postgres_db_connection_string is not defined or not postgres_db_connection_string.startswith('postgresql://')" - - name: Check if the provided SQLite database file exists stat: path: "{{ sqlite_database_path }}" @@ -29,6 +22,26 @@ msg: "File cannot be found on the server at {{ sqlite_database_path }}" when: "not sqlite_database_path_stat_result.stat.exists" +# We either expect `postgres_db_connection_string` specifying a full Postgres database connection string, +# or `postgres_connection_string_variable_name`, specifying a name of a variable, which contains a valid connection string. + +- block: + - name: Fail if postgres_connection_string_variable_name points to an undefined variable + fail: msg="postgres_connection_string_variable_name is defined, but there is no variable with the name `{{ postgres_connection_string_variable_name }}`" + when: "postgres_connection_string_variable_name not in vars" + + - name: Get Postgres connection string from variable + set_fact: + postgres_db_connection_string: "{{ lookup('vars', postgres_connection_string_variable_name) }}" + when: 'postgres_connection_string_variable_name is defined' + +- name: Fail if playbook called incorrectly + fail: + msg: >- + Either a `postgres_db_connection_string` variable or a `postgres_connection_string_variable_name` needs to be provided to this playbook, via `--extra-vars`. + Example: `--extra-vars="postgres_db_connection_string=postgresql://username:password@localhost:/database_name"` or `--extra-vars="postgres_connection_string_variable_name=matrix_appservice_discord_database_connString"` + when: "postgres_db_connection_string is not defined or not postgres_db_connection_string.startswith('postgresql://')" + # Defaults From 2d99ade72f09c9f25b718f0cda690319d9bea526 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 11:50:42 +0200 Subject: [PATCH 1623/2384] Add (Postgres + SQLite) support to matrix-mautrix-facebook bridge --- .../defaults/main.yml | 29 +++++++++++++++++++ .../tasks/setup_install.yml | 21 ++++++++++++++ .../templates/config.yaml.j2 | 2 +- .../matrix-mautrix-facebook.service.j2 | 1 + 4 files changed, 52 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 1547ad71..95adf354 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -32,6 +32,35 @@ matrix_mautrix_facebook_systemd_wanted_services_list: [] matrix_mautrix_facebook_appservice_token: '' matrix_mautrix_facebook_homeserver_token: '' + + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_mautrix_facebook_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables +matrix_mautrix_facebook_database_engine: 'sqlite' + +matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" +matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebook.db" + +matrix_mautrix_facebook_postgres_username: 'matrix_mautrix_facebook' +matrix_mautrix_facebook_postgres_password: 'some-password' +matrix_mautrix_facebook_postgres_hostname: 'matrix-postgres' +matrix_mautrix_facebook_postgres_port: 5432 +matrix_mautrix_facebook_postgres_db_name: 'matrix_mautrix_facebook' + +matrix_mautrix_facebook_postgres_connection_string: 'postgresql://{{ matrix_mautrix_facebook_postgres_username }}:{{ matrix_mautrix_facebook_postgres_password }}@{{ matrix_mautrix_facebook_postgres_hostname }}:{{ matrix_mautrix_facebook_postgres_port }}/{{ matrix_mautrix_facebook_postgres_db_name }}' + +matrix_mautrix_facebook_appservice_database: "{{ + { + 'sqlite': matrix_mautrix_facebook_sqlite_database_path_in_container, + 'postgres': matrix_mautrix_facebook_postgres_connection_string, + }[matrix_mautrix_facebook_database_engine] +}}" + # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_facebook_login_shared_secret: '' diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 638854e2..ef814108 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -1,5 +1,26 @@ --- +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" + register: matrix_mautrix_facebook_sqlite_database_path_local_stat_result + + - name: Fail if an SQLite database already exists when using Postgres + fail: + msg: >- + matrix_mautrix_facebook_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing SQLite database in {{ matrix_mautrix_facebook_sqlite_database_path_local }}. + It appears that you've been using this bridge with the SQLite engine until now. + To continue using SQLite, opt into it explicitly: add `matrix_mautrix_facebook_database_engine: sqlite` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing SQLite database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_facebook_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_facebook_postgres_connection_string'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists" + when: "matrix_mautrix_facebook_database_engine == 'postgres'" + + # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. - name: Fail if matrix-synapse role already executed diff --git a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index 304571c1..09287362 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -27,7 +27,7 @@ appservice: # Format examples: # SQLite: sqlite:///filename.db # Postgres: postgres://username:password@hostname/dbname - database: sqlite://matrix_bridge_facebook:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_bridge_facebook') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_bridge_facebook + database: {{ matrix_mautrix_facebook_appservice_database|to_json }} # Public part of web server for out-of-Matrix interaction with the bridge. public: diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index 18184650..caa52eb5 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -18,6 +18,7 @@ ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-fac --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ -v {{ matrix_mautrix_facebook_config_path }}:/config:z \ -v {{ matrix_mautrix_facebook_data_path }}:/data:z \ {{ matrix_mautrix_facebook_docker_image }} \ From a3406a182bf9590d7ee018867ee4fbd02c6473b5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 12:04:47 +0200 Subject: [PATCH 1624/2384] Move some things around --- .../defaults/main.yml | 2 +- .../tasks/setup_install.yml | 17 ++++++++--------- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 95adf354..d0b39682 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -33,7 +33,6 @@ matrix_mautrix_facebook_appservice_token: '' matrix_mautrix_facebook_homeserver_token: '' - # Database-related configuration fields. # # To use SQLite, stick to these defaults. @@ -61,6 +60,7 @@ matrix_mautrix_facebook_appservice_database: "{{ }[matrix_mautrix_facebook_database_engine] }}" + # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_facebook_login_shared_secret: '' diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index ef814108..c3c8d61f 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -1,5 +1,13 @@ --- +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mautrix-facebook role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + - block: - name: Check if an SQLite database already exists stat: @@ -20,15 +28,6 @@ when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists" when: "matrix_mautrix_facebook_database_engine == 'postgres'" - -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - fail: - msg: >- - The matrix-bridge-mautrix-facebook role needs to execute before the matrix-synapse role. - when: "matrix_synapse_role_executed|default(False)" - - name: Ensure Mautrix Facebook image is pulled docker_image: name: "{{ matrix_mautrix_facebook_docker_image }}" From 9bf8ce878e9451f2f3aa24d200d9d10dbf08e8b3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 12:06:23 +0200 Subject: [PATCH 1625/2384] Add (Postgres + SQLite) support to matrix-mautrix-telegram bridge I don't use this bridge, so this is completely untested. --- .../defaults/main.yml | 29 +++++++++++++++++++ .../tasks/setup_install.yml | 20 +++++++++++++ .../templates/config.yaml.j2 | 2 +- 3 files changed, 50 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index b6f4ef5b..d0df6a7d 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -43,6 +43,35 @@ matrix_mautrix_telegram_systemd_wanted_services_list: [] matrix_mautrix_telegram_appservice_token: '' matrix_mautrix_telegram_homeserver_token: '' + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_mautrix_telegram_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_mautrix_telegram_postgres_*` variables +matrix_mautrix_telegram_database_engine: 'sqlite' + +matrix_mautrix_telegram_sqlite_database_path_local: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" +matrix_mautrix_telegram_sqlite_database_path_in_container: "/data/mautrix-telegram.db" + +matrix_mautrix_telegram_postgres_username: 'matrix_mautrix_telegram' +matrix_mautrix_telegram_postgres_password: 'some-password' +matrix_mautrix_telegram_postgres_hostname: 'matrix-postgres' +matrix_mautrix_telegram_postgres_port: 5432 +matrix_mautrix_telegram_postgres_db_name: 'matrix_mautrix_telegram' + +matrix_mautrix_telegram_postgres_connection_string: 'postgresql://{{ matrix_mautrix_telegram_postgres_username }}:{{ matrix_mautrix_telegram_postgres_password }}@{{ matrix_mautrix_telegram_postgres_hostname }}:{{ matrix_mautrix_telegram_postgres_port }}/{{ matrix_mautrix_telegram_postgres_db_name }}' + +matrix_mautrix_telegram_appservice_database: "{{ + { + 'sqlite': matrix_mautrix_telegram_sqlite_database_path_in_container, + 'postgres': matrix_mautrix_telegram_postgres_connection_string, + }[matrix_mautrix_telegram_database_engine] +}}" + + # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_telegram_login_shared_secret: '' diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 9dc38ec2..db1a8f83 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -8,6 +8,26 @@ The matrix-bridge-mautrix-telegram role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mautrix_telegram_sqlite_database_path_local }}" + register: matrix_mautrix_telegram_sqlite_database_path_local_stat_result + + - name: Fail if an SQLite database already exists when using Postgres + fail: + msg: >- + matrix_mautrix_telegram_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing SQLite database in {{ matrix_mautrix_telegram_sqlite_database_path_local }}. + It appears that you've been using this bridge with the SQLite engine until now. + To continue using SQLite, opt into it explicitly: add `matrix_mautrix_telegram_database_engine: sqlite` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing SQLite database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_telegram_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_telegram_postgres_connection_string'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_mautrix_telegram_sqlite_database_path_local_stat_result.stat.exists" + when: "matrix_mautrix_telegram_database_engine == 'postgres'" + - name: Ensure Mautrix Telegram image is pulled docker_image: name: "{{ matrix_mautrix_telegram_docker_image }}" diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 index 65f17d33..52efba02 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 @@ -27,7 +27,7 @@ appservice: # Format examples: # SQLite: sqlite:///filename.db # Postgres: postgres://username:password@hostname/dbname - database: postgres://mautrix_bridge_telegram:{{ matrix_addtional_databases | selectattr('name', 'equalto', 'matrix_bridge_telegram') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/mautrix_bridge_telegram + database: {{ matrix_mautrix_telegram_appservice_database|to_json }} # Public part of web server for out-of-Matrix interaction with the bridge. # Used for things like login if the user wants to make sure the 2FA password isn't stored in From 05dd091133ad7833ca544bd4ccda55311c0450c5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 12:11:41 +0200 Subject: [PATCH 1626/2384] Rename `_database_hostname` to `_postgres_hostname` Should have been done during 2a99e84b5bfd9f39, but I've missed it. Because of this, 9bf8ce878e945 was also incomplete and would have caused an error. --- group_vars/matrix_servers | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5e3695ca..0bc0c0c5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -958,12 +958,12 @@ matrix_postgres_additional_databases: | 'name': matrix_appservice_slack_postgres_db_name, 'username': matrix_appservice_slack_postgres_username, 'password': matrix_appservice_slack_postgres_password, - }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == 'matrix-postgres') else []) + }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_appservice_irc_postgres_db_name, 'username': matrix_appservice_irc_postgres_username, 'password': matrix_appservice_irc_postgres_password, - }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == 'matrix-postgres') else []) + }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mautrix_facebook_postgres_db_name, 'username': matrix_mautrix_facebook_postgres_username, @@ -973,17 +973,17 @@ matrix_postgres_additional_databases: | 'name': matrix_mautrix_hangouts_postgres_db_name, 'username': matrix_mautrix_hangouts_postgres_username, 'password': matrix_mautrix_hangouts_postgres_password, - }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mautrix_telegram_postgres_db_name, 'username': matrix_mautrix_telegram_postgres_username, 'password': matrix_mautrix_telegram_postgres_password, - }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_telegram_facebook_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_telegram_facebook_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mautrix_whatsapp_postgres_db_name, 'username': matrix_mautrix_whatsapp_postgres_username, 'password': matrix_mautrix_whatsapp_postgres_password, - }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': 'matrix_bridge_sms', 'username': 'matrix_bridge_sms', @@ -993,45 +993,45 @@ matrix_postgres_additional_databases: | 'name': matrix_mx_puppet_skype_postgres_db_name, 'username': matrix_mx_puppet_skype_postgres_username, 'password': matrix_mx_puppet_skype_postgres_password, - }] if (matrix_mx_puppet_skype_enabled and matrix_mx_puppet_skype_database_engine == 'postgres' and matrix_mx_puppet_skype_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_skype_enabled and matrix_mx_puppet_skype_database_engine == 'postgres' and matrix_mx_puppet_skype_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mx_puppet_slack_postgres_db_name, 'username': matrix_mx_puppet_slack_postgres_username, 'password': matrix_mx_puppet_slack_postgres_password, - }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mx_puppet_twitter_postgres_db_name, 'username': matrix_mx_puppet_twitter_postgres_username, 'password': matrix_mx_puppet_twitter_postgres_password, - }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mx_puppet_instagram_postgres_db_name, 'username': matrix_mx_puppet_instagram_postgres_username, 'password': matrix_mx_puppet_instagram_postgres_password, }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' - and matrix_mx_puppet_instagram_database_hostname == 'matrix-postgres') else []) + and matrix_mx_puppet_instagram_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mx_puppet_discord_postgres_db_name, 'username': matrix_mx_puppet_discord_postgres_username, 'password': matrix_mx_puppet_discord_postgres_password, }] if (matrix_mx_puppet_discord_enabled and matrix_mx_puppet_discord_database_engine == 'postgres' - and matrix_mx_puppet_discord_database_hostname == 'matrix-postgres') else []) + and matrix_mx_puppet_discord_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mx_puppet_steam_postgres_db_name, 'username': matrix_mx_puppet_steam_postgres_username, 'password': matrix_mx_puppet_steam_postgres_password, }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' - and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres') else []) + and matrix_mx_puppet_steam_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_dimension_postgres_db_name, 'username': matrix_dimension_postgres_username, 'password': matrix_dimension_postgres_password, }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' - and matrix_dimension_database_hostname == 'matrix-postgres') else []) + and matrix_dimension_postgres_hostname == 'matrix-postgres') else []) }} ###################################################################### From 6a2dd8088cea10713ffd760d32cc789821ae5ae9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 12:13:10 +0200 Subject: [PATCH 1627/2384] Fix typo (matrix_telegram_facebook_postgres_hostname -> matrix_mautrix_telegram_postgres_hostname) Related to 9bf8ce878e945. --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 0bc0c0c5..626498c0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -978,7 +978,7 @@ matrix_postgres_additional_databases: | 'name': matrix_mautrix_telegram_postgres_db_name, 'username': matrix_mautrix_telegram_postgres_username, 'password': matrix_mautrix_telegram_postgres_password, - }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_telegram_facebook_postgres_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mautrix_whatsapp_postgres_db_name, 'username': matrix_mautrix_whatsapp_postgres_username, From 2848322461e451d2fb1985ecf797d87e5765ea03 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 12:19:35 +0200 Subject: [PATCH 1628/2384] Remove some remaining `_database_password` usage in favor of `_postgres_pasword` The only one that remains is `matrix_synapse_database_password`, but that's something old and should be dealt with separately in the future (unless it remains as it is). --- group_vars/matrix_servers | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 626498c0..e3f16d3f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -142,7 +142,7 @@ matrix_appservice_slack_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.slack.db') | to_uuid }}" +matrix_appservice_slack_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.slack.db') | to_uuid }}" ###################################################################### # @@ -181,7 +181,7 @@ matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_irc_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.irc.db') | to_uuid }}" +matrix_appservice_irc_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.irc.db') | to_uuid }}" ###################################################################### @@ -219,7 +219,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matr # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_facebook.db') | to_uuid }}" +matrix_mautrix_facebook_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_facebook.db') | to_uuid }}" ###################################################################### # @@ -256,7 +256,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_hangouts.db') | to_uuid }}" +matrix_mautrix_hangouts_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_hangouts.db') | to_uuid }}" ###################################################################### # @@ -296,7 +296,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_telegram.db') | to_uuid }}" +matrix_mautrix_telegram_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_telegram.db') | to_uuid }}" ###################################################################### # @@ -328,7 +328,7 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_whatsapp.db') | to_uuid }}" +matrix_mautrix_whatsapp_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_whatsapp.db') | to_uuid }}" ###################################################################### # @@ -388,7 +388,7 @@ matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_skype.db') | to_uuid }}" +matrix_mx_puppet_skype_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_skype.db') | to_uuid }}" ###################################################################### # @@ -423,7 +423,7 @@ matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_slack.db') | to_uuid }}" +matrix_mx_puppet_slack_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_slack.db') | to_uuid }}" ###################################################################### # @@ -459,7 +459,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_twitter.db') | to_uuid }}" +matrix_mx_puppet_twitter_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_twitter.db') | to_uuid }}" ###################################################################### # @@ -494,7 +494,7 @@ matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_ # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_instagram.db') | to_uuid }}" +matrix_mx_puppet_instagram_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_instagram.db') | to_uuid }}" ###################################################################### # @@ -528,7 +528,7 @@ matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_pr # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_discord.db') | to_uuid }}" +matrix_mx_puppet_discord_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_discord.db') | to_uuid }}" ###################################################################### # @@ -562,7 +562,7 @@ matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_stream_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_steam.db') | to_uuid }}" +matrix_mx_puppet_steam_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_steam.db') | to_uuid }}" ###################################################################### # @@ -676,7 +676,7 @@ matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if m # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.dimension.db') | to_uuid }}" +matrix_dimension_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.dimension.db') | to_uuid }}" ###################################################################### # From 6c77eae96935f6a78c6ad170134d0797b18520af Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 12:24:37 +0200 Subject: [PATCH 1629/2384] Add (Postgres + SQLite) support to matrix-mautrix-whatsapp bridge I don't use this bridge, so this is completely untested. --- .../defaults/main.yml | 36 +++++++++++++++++++ .../tasks/setup_install.yml | 26 ++++++++++++-- .../templates/config.yaml.j2 | 4 +-- 3 files changed, 61 insertions(+), 5 deletions(-) diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index e9929f96..6cabea3e 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -27,6 +27,42 @@ matrix_mautrix_whatsapp_systemd_wanted_services_list: [] matrix_mautrix_whatsapp_appservice_token: '' matrix_mautrix_whatsapp_homeserver_token: '' + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_mautrix_whatsapp_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_mautrix_whatsapp_postgres_*` variables +matrix_mautrix_whatsapp_database_engine: 'sqlite' + +matrix_mautrix_whatsapp_sqlite_database_path_local: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" +matrix_mautrix_whatsapp_sqlite_database_path_in_container: "/data/mautrix-whatsapp.db" + +matrix_mautrix_whatsapp_postgres_username: 'matrix_mautrix_whatsapp' +matrix_mautrix_whatsapp_postgres_password: 'some-password' +matrix_mautrix_whatsapp_postgres_hostname: 'matrix-postgres' +matrix_mautrix_whatsapp_postgres_port: 5432 +matrix_mautrix_whatsapp_postgres_db_name: 'matrix_mautrix_whatsapp' + +matrix_mautrix_whatsapp_postgres_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_postgres_username }}:{{ matrix_mautrix_whatsapp_postgres_password }}@{{ matrix_mautrix_whatsapp_postgres_hostname }}:{{ matrix_mautrix_whatsapp_postgres_port }}/{{ matrix_mautrix_whatsapp_postgres_db_name }}' + +matrix_mautrix_whatsapp_appservice_database_type: "{{ + { + 'sqlite': 'sqlite3', + 'postgres':'postgres', + }[matrix_mautrix_whatsapp_database_engine] +}}" + +matrix_mautrix_whatsapp_appservice_database_uri: "{{ + { + 'sqlite': matrix_mautrix_whatsapp_sqlite_database_path_in_container, + 'postgres': matrix_mautrix_whatsapp_postgres_connection_string, + }[matrix_mautrix_whatsapp_database_engine] +}}" + + # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_whatsapp_login_shared_secret: '' diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 6bd87bbe..15453e8c 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -8,6 +8,26 @@ The matrix-bridge-mautrix-whatsapp role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mautrix_whatsapp_sqlite_database_path_local }}" + register: matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result + + - name: Fail if an SQLite database already exists when using Postgres + fail: + msg: >- + matrix_mautrix_whatsapp_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing SQLite database in {{ matrix_mautrix_whatsapp_sqlite_database_path_local }}. + It appears that you've been using this bridge with the SQLite engine until now. + To continue using SQLite, opt into it explicitly: add `matrix_mautrix_whatsapp_database_engine: sqlite` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing SQLite database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_whatsapp_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_whatsapp_postgres_connection_string'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result.stat.exists" + when: "matrix_mautrix_whatsapp_database_engine == 'postgres'" + - name: Ensure Mautrix Whatsapp image is pulled docker_image: name: "{{ matrix_mautrix_whatsapp_docker_image }}" @@ -26,12 +46,12 @@ - "{{ matrix_mautrix_whatsapp_base_path }}" - "{{ matrix_mautrix_whatsapp_config_path }}" - "{{ matrix_mautrix_whatsapp_data_path }}" - + - name: Check if an old database file exists stat: path: "{{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db" register: matrix_mautrix_whatsapp_stat_database - + - name: Check if an old matrix state file exists stat: path: "{{ matrix_mautrix_whatsapp_base_path }}/mx-state.json" @@ -48,7 +68,7 @@ - name: (Data relocation) Move mautrix-whatsapp database file to ./data directory command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db {{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" when: "matrix_mautrix_whatsapp_stat_database.stat.exists" - + - name: (Data relocation) Move mautrix-whatsapp mx-state file to ./data directory command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mx-state.json {{ matrix_mautrix_whatsapp_data_path }}/mx-state.json" when: "matrix_mautrix_whatsapp_stat_mx_state.stat.exists" diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index 93956049..89216695 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -19,11 +19,11 @@ appservice: # Database config. database: # The database type. "sqlite3" and "postgres" are supported. - type: sqlite3 + type: {{ matrix_mautrix_whatsapp_appservice_database_type|to_json }} # The database URI. # SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string # Postgres: Connection string. For example, postgres://user:password@host/database - uri: postgres://matrix_bridge_whatsapp@{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_bridge_whatsapp') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_bridge_whatsapp + uri: {{ matrix_mautrix_whatsapp_appservice_database_uri|to_json }} # Maximum number of connections. Mostly relevant for Postgres. max_open_conns: 20 max_idle_conns: 2 From 43d6ff2af83abf0610c73b507eb4d7acae045052 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 12:30:10 +0200 Subject: [PATCH 1630/2384] Fix sqlite usage for mautrix-facebook/mautrix-telegram Regression since 2d99ade72f and 9bf8ce878e94, respectively. When SQLite is to be used, these bridges expect an `sqlite://` connection string, and not a plain file name (path), like Appservice Discord and mautrix-whatsapp do. --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index d0b39682..97584997 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -55,7 +55,7 @@ matrix_mautrix_facebook_postgres_connection_string: 'postgresql://{{ matrix_maut matrix_mautrix_facebook_appservice_database: "{{ { - 'sqlite': matrix_mautrix_facebook_sqlite_database_path_in_container, + 'sqlite': ('sqlite://' + matrix_mautrix_facebook_sqlite_database_path_in_container), 'postgres': matrix_mautrix_facebook_postgres_connection_string, }[matrix_mautrix_facebook_database_engine] }}" diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index d0df6a7d..9ba9be09 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -66,7 +66,7 @@ matrix_mautrix_telegram_postgres_connection_string: 'postgresql://{{ matrix_maut matrix_mautrix_telegram_appservice_database: "{{ { - 'sqlite': matrix_mautrix_telegram_sqlite_database_path_in_container, + 'sqlite': ('sqlite://' + matrix_mautrix_telegram_sqlite_database_path_in_container), 'postgres': matrix_mautrix_telegram_postgres_connection_string, }[matrix_mautrix_telegram_database_engine] }}" From ce21ea3640283889be6ed7c526116ca6c47ca921 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 12:34:59 +0200 Subject: [PATCH 1631/2384] Add (Postgres + SQLite) support to matrix-mautrix-hangouts bridge I don't use this bridge, so this is completely untested. --- .../defaults/main.yml | 29 +++++++++++++++++++ .../tasks/setup_install.yml | 20 +++++++++++++ .../templates/config.yaml.j2 | 2 +- .../matrix-mautrix-hangouts.service.j2 | 1 + 4 files changed, 51 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index ab670052..af0fe061 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -39,6 +39,35 @@ matrix_mautrix_hangouts_systemd_wanted_services_list: [] matrix_mautrix_hangouts_appservice_token: '' matrix_mautrix_hangouts_homeserver_token: '' + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_mautrix_hangouts_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_mautrix_hangouts_postgres_*` variables +matrix_mautrix_hangouts_database_engine: 'sqlite' + +matrix_mautrix_hangouts_sqlite_database_path_local: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" +matrix_mautrix_hangouts_sqlite_database_path_in_container: "/data/mautrix-hangouts.db" + +matrix_mautrix_hangouts_postgres_username: 'matrix_mautrix_hangouts' +matrix_mautrix_hangouts_postgres_password: 'some-password' +matrix_mautrix_hangouts_postgres_hostname: 'matrix-postgres' +matrix_mautrix_hangouts_postgres_port: 5432 +matrix_mautrix_hangouts_postgres_db_name: 'matrix_mautrix_hangouts' + +matrix_mautrix_hangouts_postgres_connection_string: 'postgresql://{{ matrix_mautrix_hangouts_postgres_username }}:{{ matrix_mautrix_hangouts_postgres_password }}@{{ matrix_mautrix_hangouts_postgres_hostname }}:{{ matrix_mautrix_hangouts_postgres_port }}/{{ matrix_mautrix_hangouts_postgres_db_name }}' + +matrix_mautrix_hangouts_appservice_database: "{{ + { + 'sqlite': ('sqlite://' + matrix_mautrix_hangouts_sqlite_database_path_in_container), + 'postgres': matrix_mautrix_hangouts_postgres_connection_string, + }[matrix_mautrix_hangouts_database_engine] +}}" + + # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_hangouts_login_shared_secret: '' diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index eec5e006..9e7bfbba 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -8,6 +8,26 @@ The matrix-bridge-mautrix-hangouts role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mautrix_hangouts_sqlite_database_path_local }}" + register: matrix_mautrix_hangouts_sqlite_database_path_local_stat_result + + - name: Fail if an SQLite database already exists when using Postgres + fail: + msg: >- + matrix_mautrix_hangouts_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing SQLite database in {{ matrix_mautrix_hangouts_sqlite_database_path_local }}. + It appears that you've been using this bridge with the SQLite engine until now. + To continue using SQLite, opt into it explicitly: add `matrix_mautrix_hangouts_database_engine: sqlite` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing SQLite database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_hangouts_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_hangouts_postgres_connection_string'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_mautrix_hangouts_sqlite_database_path_local_stat_result.stat.exists" + when: "matrix_mautrix_hangouts_database_engine == 'postgres'" + - name: Ensure Mautrix Hangouts image is pulled docker_image: name: "{{ matrix_mautrix_hangouts_docker_image }}" diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 index e4e59ad2..cc2ca90b 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 @@ -27,7 +27,7 @@ appservice: # Format examples: # SQLite: sqlite:///filename.db # Postgres: postgres://username:password@hostname/dbname - database: postgres://mautrix_bridge_hangouts:{{ matrix_additional_databases | selectattr('name', 'equalto', 'mautrix_bridge_hangouts') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/mautrix_bridge_hangouts + database: {{ matrix_mautrix_hangouts_appservice_database|to_json }} # The unique ID of this appservice. id: hangouts diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index 26280da3..39559190 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -18,6 +18,7 @@ ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-han --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ -v {{ matrix_mautrix_hangouts_config_path }}:/config:z \ -v {{ matrix_mautrix_hangouts_data_path }}:/data:z \ {{ matrix_mautrix_hangouts_docker_image }} \ From 087dbe4ddc80ba6308e7ee98391ea475354e8860 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 13:02:47 +0200 Subject: [PATCH 1632/2384] Rename `matrix_*_postgres_*` back to `matrix_*_database_*` I was thinking that it makes sense to be more specific, and using `_postgres_` also separated these variables from the `_database_` variables that ended up in bridge configuration. However, @jdreichmann makes a good point (https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/740#discussion_r542281102) that we don't need to be so specific and can allow for other engines (like MySQL) to use these variables. --- group_vars/matrix_servers | 112 +++++++++--------- .../defaults/main.yml | 10 +- .../defaults/main.yml | 10 +- .../defaults/main.yml | 10 +- .../defaults/main.yml | 10 +- .../defaults/main.yml | 10 +- 6 files changed, 81 insertions(+), 81 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e3f16d3f..acf133e1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -70,7 +70,7 @@ matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_k # We only make this use Postgres if our own Postgres server is enabled. # It's only then (for now) that we can automatically create the necessary database and user for this service. matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_discord_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') | to_uuid }}" +matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') | to_uuid }}" ###################################################################### # @@ -142,7 +142,7 @@ matrix_appservice_slack_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_slack_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.slack.db') | to_uuid }}" +matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.slack.db') | to_uuid }}" ###################################################################### # @@ -181,7 +181,7 @@ matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_appservice_irc_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.irc.db') | to_uuid }}" +matrix_appservice_irc_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.irc.db') | to_uuid }}" ###################################################################### @@ -219,7 +219,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matr # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_facebook.db') | to_uuid }}" +matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_facebook.db') | to_uuid }}" ###################################################################### # @@ -256,7 +256,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_hangouts.db') | to_uuid }}" +matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_hangouts.db') | to_uuid }}" ###################################################################### # @@ -296,7 +296,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_telegram_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_telegram.db') | to_uuid }}" +matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_telegram.db') | to_uuid }}" ###################################################################### # @@ -328,7 +328,7 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_whatsapp_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_whatsapp.db') | to_uuid }}" +matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_whatsapp.db') | to_uuid }}" ###################################################################### # @@ -388,7 +388,7 @@ matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_skype_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_skype.db') | to_uuid }}" +matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_skype.db') | to_uuid }}" ###################################################################### # @@ -423,7 +423,7 @@ matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_slack.db') | to_uuid }}" +matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_slack.db') | to_uuid }}" ###################################################################### # @@ -459,7 +459,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_twitter.db') | to_uuid }}" +matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_twitter.db') | to_uuid }}" ###################################################################### # @@ -494,7 +494,7 @@ matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_ # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_instagram.db') | to_uuid }}" +matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_instagram.db') | to_uuid }}" ###################################################################### # @@ -528,7 +528,7 @@ matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_pr # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_discord.db') | to_uuid }}" +matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_discord.db') | to_uuid }}" ###################################################################### # @@ -562,7 +562,7 @@ matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_stream_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_steam.db') | to_uuid }}" +matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_steam.db') | to_uuid }}" ###################################################################### # @@ -676,7 +676,7 @@ matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if m # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_dimension_postgres_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.dimension.db') | to_uuid }}" +matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.dimension.db') | to_uuid }}" ###################################################################### # @@ -950,39 +950,39 @@ matrix_postgres_db_name: "homeserver" matrix_postgres_additional_databases: | {{ ([{ - 'name': matrix_appservice_discord_postgres_db_name, - 'username': matrix_appservice_discord_postgres_username, - 'password': matrix_appservice_discord_postgres_password, + 'name': matrix_appservice_discord_database_db_name, + 'username': matrix_appservice_discord_database_username, + 'password': matrix_appservice_discord_database_password, }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_appservice_slack_postgres_db_name, - 'username': matrix_appservice_slack_postgres_username, - 'password': matrix_appservice_slack_postgres_password, + 'name': matrix_appservice_slack_database_db_name, + 'username': matrix_appservice_slack_database_username, + 'password': matrix_appservice_slack_database_password, }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_appservice_irc_postgres_db_name, - 'username': matrix_appservice_irc_postgres_username, - 'password': matrix_appservice_irc_postgres_password, + 'name': matrix_appservice_irc_database_db_name, + 'username': matrix_appservice_irc_database_username, + 'password': matrix_appservice_irc_database_password, }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_facebook_postgres_db_name, - 'username': matrix_mautrix_facebook_postgres_username, - 'password': matrix_mautrix_facebook_postgres_password, + 'name': matrix_mautrix_facebook_database_db_name, + 'username': matrix_mautrix_facebook_database_username, + 'password': matrix_mautrix_facebook_database_password, }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_hangouts_postgres_db_name, - 'username': matrix_mautrix_hangouts_postgres_username, - 'password': matrix_mautrix_hangouts_postgres_password, + 'name': matrix_mautrix_hangouts_database_db_name, + 'username': matrix_mautrix_hangouts_database_username, + 'password': matrix_mautrix_hangouts_database_password, }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_telegram_postgres_db_name, - 'username': matrix_mautrix_telegram_postgres_username, - 'password': matrix_mautrix_telegram_postgres_password, + 'name': matrix_mautrix_telegram_database_db_name, + 'username': matrix_mautrix_telegram_database_username, + 'password': matrix_mautrix_telegram_database_password, }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_whatsapp_postgres_db_name, - 'username': matrix_mautrix_whatsapp_postgres_username, - 'password': matrix_mautrix_whatsapp_postgres_password, + 'name': matrix_mautrix_whatsapp_database_db_name, + 'username': matrix_mautrix_whatsapp_database_username, + 'password': matrix_mautrix_whatsapp_database_password, }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_postgres_hostname == 'matrix-postgres') else []) + ([{ 'name': 'matrix_bridge_sms', @@ -990,45 +990,45 @@ matrix_postgres_additional_databases: | 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | to_uuid, }] if matrix_sms_bridge_enabled else []) + ([{ - 'name': matrix_mx_puppet_skype_postgres_db_name, - 'username': matrix_mx_puppet_skype_postgres_username, - 'password': matrix_mx_puppet_skype_postgres_password, + 'name': matrix_mx_puppet_skype_database_db_name, + 'username': matrix_mx_puppet_skype_database_username, + 'password': matrix_mx_puppet_skype_database_password, }] if (matrix_mx_puppet_skype_enabled and matrix_mx_puppet_skype_database_engine == 'postgres' and matrix_mx_puppet_skype_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_slack_postgres_db_name, - 'username': matrix_mx_puppet_slack_postgres_username, - 'password': matrix_mx_puppet_slack_postgres_password, + 'name': matrix_mx_puppet_slack_database_db_name, + 'username': matrix_mx_puppet_slack_database_username, + 'password': matrix_mx_puppet_slack_database_password, }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_twitter_postgres_db_name, - 'username': matrix_mx_puppet_twitter_postgres_username, - 'password': matrix_mx_puppet_twitter_postgres_password, + 'name': matrix_mx_puppet_twitter_database_db_name, + 'username': matrix_mx_puppet_twitter_database_username, + 'password': matrix_mx_puppet_twitter_database_password, }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_instagram_postgres_db_name, - 'username': matrix_mx_puppet_instagram_postgres_username, - 'password': matrix_mx_puppet_instagram_postgres_password, + 'name': matrix_mx_puppet_instagram_database_db_name, + 'username': matrix_mx_puppet_instagram_database_username, + 'password': matrix_mx_puppet_instagram_database_password, }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' and matrix_mx_puppet_instagram_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_discord_postgres_db_name, - 'username': matrix_mx_puppet_discord_postgres_username, - 'password': matrix_mx_puppet_discord_postgres_password, + 'name': matrix_mx_puppet_discord_database_db_name, + 'username': matrix_mx_puppet_discord_database_username, + 'password': matrix_mx_puppet_discord_database_password, }] if (matrix_mx_puppet_discord_enabled and matrix_mx_puppet_discord_database_engine == 'postgres' and matrix_mx_puppet_discord_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_steam_postgres_db_name, - 'username': matrix_mx_puppet_steam_postgres_username, - 'password': matrix_mx_puppet_steam_postgres_password, + 'name': matrix_mx_puppet_steam_database_db_name, + 'username': matrix_mx_puppet_steam_database_username, + 'password': matrix_mx_puppet_steam_database_password, }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' and matrix_mx_puppet_steam_postgres_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_dimension_postgres_db_name, - 'username': matrix_dimension_postgres_username, - 'password': matrix_dimension_postgres_password, + 'name': matrix_dimension_database_db_name, + 'username': matrix_dimension_database_username, + 'password': matrix_dimension_database_password, }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_postgres_hostname == 'matrix-postgres') else []) diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index fb517cd5..57a88867 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -53,16 +53,16 @@ matrix_appservice_discord_database_engine: 'sqlite' matrix_appservice_discord_sqlite_database_path_local: "{{ matrix_appservice_discord_data_path }}/discord.db" matrix_appservice_discord_sqlite_database_path_in_container: "/data/discord.db" -matrix_appservice_discord_postgres_username: 'matrix_appservice_discord' -matrix_appservice_discord_postgres_password: 'some-password' +matrix_appservice_discord_database_username: 'matrix_appservice_discord' +matrix_appservice_discord_database_password: 'some-password' matrix_appservice_discord_postgres_hostname: 'matrix-postgres' -matrix_appservice_discord_postgres_port: 5432 -matrix_appservice_discord_postgres_db_name: 'matrix_appservice_discord' +matrix_appservice_discord_database_port: 5432 +matrix_appservice_discord_database_db_name: 'matrix_appservice_discord' # These 2 variables are what actually ends up in the bridge configuration. # It's best if you don't change them directly, but rather redefine the sub-variables that constitute them. matrix_appservice_discord_database_filename: "{{ matrix_appservice_discord_sqlite_database_path_in_container }}" -matrix_appservice_discord_database_connString: 'postgresql://{{ matrix_appservice_discord_postgres_username }}:{{ matrix_appservice_discord_postgres_password }}@{{ matrix_appservice_discord_postgres_hostname }}:{{ matrix_appservice_discord_postgres_port }}/{{ matrix_appservice_discord_postgres_db_name }}' +matrix_appservice_discord_database_connString: 'postgresql://{{ matrix_appservice_discord_database_username }}:{{ matrix_appservice_discord_database_password }}@{{ matrix_appservice_discord_postgres_hostname }}:{{ matrix_appservice_discord_database_port }}/{{ matrix_appservice_discord_database_db_name }}' # Tells whether the bot should make use of "Privileged Gateway Intents". diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 97584997..246c32fe 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -45,13 +45,13 @@ matrix_mautrix_facebook_database_engine: 'sqlite' matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebook.db" -matrix_mautrix_facebook_postgres_username: 'matrix_mautrix_facebook' -matrix_mautrix_facebook_postgres_password: 'some-password' +matrix_mautrix_facebook_database_username: 'matrix_mautrix_facebook' +matrix_mautrix_facebook_database_password: 'some-password' matrix_mautrix_facebook_postgres_hostname: 'matrix-postgres' -matrix_mautrix_facebook_postgres_port: 5432 -matrix_mautrix_facebook_postgres_db_name: 'matrix_mautrix_facebook' +matrix_mautrix_facebook_database_port: 5432 +matrix_mautrix_facebook_database_db_name: 'matrix_mautrix_facebook' -matrix_mautrix_facebook_postgres_connection_string: 'postgresql://{{ matrix_mautrix_facebook_postgres_username }}:{{ matrix_mautrix_facebook_postgres_password }}@{{ matrix_mautrix_facebook_postgres_hostname }}:{{ matrix_mautrix_facebook_postgres_port }}/{{ matrix_mautrix_facebook_postgres_db_name }}' +matrix_mautrix_facebook_postgres_connection_string: 'postgresql://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_postgres_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_db_name }}' matrix_mautrix_facebook_appservice_database: "{{ { diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index af0fe061..04280ac4 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -52,13 +52,13 @@ matrix_mautrix_hangouts_database_engine: 'sqlite' matrix_mautrix_hangouts_sqlite_database_path_local: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db" matrix_mautrix_hangouts_sqlite_database_path_in_container: "/data/mautrix-hangouts.db" -matrix_mautrix_hangouts_postgres_username: 'matrix_mautrix_hangouts' -matrix_mautrix_hangouts_postgres_password: 'some-password' +matrix_mautrix_hangouts_database_username: 'matrix_mautrix_hangouts' +matrix_mautrix_hangouts_database_password: 'some-password' matrix_mautrix_hangouts_postgres_hostname: 'matrix-postgres' -matrix_mautrix_hangouts_postgres_port: 5432 -matrix_mautrix_hangouts_postgres_db_name: 'matrix_mautrix_hangouts' +matrix_mautrix_hangouts_database_port: 5432 +matrix_mautrix_hangouts_database_db_name: 'matrix_mautrix_hangouts' -matrix_mautrix_hangouts_postgres_connection_string: 'postgresql://{{ matrix_mautrix_hangouts_postgres_username }}:{{ matrix_mautrix_hangouts_postgres_password }}@{{ matrix_mautrix_hangouts_postgres_hostname }}:{{ matrix_mautrix_hangouts_postgres_port }}/{{ matrix_mautrix_hangouts_postgres_db_name }}' +matrix_mautrix_hangouts_postgres_connection_string: 'postgresql://{{ matrix_mautrix_hangouts_database_username }}:{{ matrix_mautrix_hangouts_database_password }}@{{ matrix_mautrix_hangouts_postgres_hostname }}:{{ matrix_mautrix_hangouts_database_port }}/{{ matrix_mautrix_hangouts_database_db_name }}' matrix_mautrix_hangouts_appservice_database: "{{ { diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 9ba9be09..4f584128 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -56,13 +56,13 @@ matrix_mautrix_telegram_database_engine: 'sqlite' matrix_mautrix_telegram_sqlite_database_path_local: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db" matrix_mautrix_telegram_sqlite_database_path_in_container: "/data/mautrix-telegram.db" -matrix_mautrix_telegram_postgres_username: 'matrix_mautrix_telegram' -matrix_mautrix_telegram_postgres_password: 'some-password' +matrix_mautrix_telegram_database_username: 'matrix_mautrix_telegram' +matrix_mautrix_telegram_database_password: 'some-password' matrix_mautrix_telegram_postgres_hostname: 'matrix-postgres' -matrix_mautrix_telegram_postgres_port: 5432 -matrix_mautrix_telegram_postgres_db_name: 'matrix_mautrix_telegram' +matrix_mautrix_telegram_database_port: 5432 +matrix_mautrix_telegram_database_db_name: 'matrix_mautrix_telegram' -matrix_mautrix_telegram_postgres_connection_string: 'postgresql://{{ matrix_mautrix_telegram_postgres_username }}:{{ matrix_mautrix_telegram_postgres_password }}@{{ matrix_mautrix_telegram_postgres_hostname }}:{{ matrix_mautrix_telegram_postgres_port }}/{{ matrix_mautrix_telegram_postgres_db_name }}' +matrix_mautrix_telegram_postgres_connection_string: 'postgresql://{{ matrix_mautrix_telegram_database_username }}:{{ matrix_mautrix_telegram_database_password }}@{{ matrix_mautrix_telegram_postgres_hostname }}:{{ matrix_mautrix_telegram_database_port }}/{{ matrix_mautrix_telegram_database_db_name }}' matrix_mautrix_telegram_appservice_database: "{{ { diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 6cabea3e..357f5892 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -40,13 +40,13 @@ matrix_mautrix_whatsapp_database_engine: 'sqlite' matrix_mautrix_whatsapp_sqlite_database_path_local: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db" matrix_mautrix_whatsapp_sqlite_database_path_in_container: "/data/mautrix-whatsapp.db" -matrix_mautrix_whatsapp_postgres_username: 'matrix_mautrix_whatsapp' -matrix_mautrix_whatsapp_postgres_password: 'some-password' +matrix_mautrix_whatsapp_database_username: 'matrix_mautrix_whatsapp' +matrix_mautrix_whatsapp_database_password: 'some-password' matrix_mautrix_whatsapp_postgres_hostname: 'matrix-postgres' -matrix_mautrix_whatsapp_postgres_port: 5432 -matrix_mautrix_whatsapp_postgres_db_name: 'matrix_mautrix_whatsapp' +matrix_mautrix_whatsapp_database_port: 5432 +matrix_mautrix_whatsapp_database_db_name: 'matrix_mautrix_whatsapp' -matrix_mautrix_whatsapp_postgres_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_postgres_username }}:{{ matrix_mautrix_whatsapp_postgres_password }}@{{ matrix_mautrix_whatsapp_postgres_hostname }}:{{ matrix_mautrix_whatsapp_postgres_port }}/{{ matrix_mautrix_whatsapp_postgres_db_name }}' +matrix_mautrix_whatsapp_postgres_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_postgres_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_db_name }}' matrix_mautrix_whatsapp_appservice_database_type: "{{ { From 5d70bc1376f30c4453beffe0c23ccb4c3004635c Mon Sep 17 00:00:00 2001 From: transcaffeine Date: Mon, 14 Dec 2020 12:38:51 +0100 Subject: [PATCH 1633/2384] add postgres support for mx-puppet-* with fallback to sqlite in role and migration notice --- .../defaults/main.yml | 15 +++++++++++++ .../tasks/validate_config.yml | 20 +++++++++++++++++ .../templates/config.yaml.j2 | 11 ++++++---- .../defaults/main.yml | 14 ++++++++++++ .../tasks/validate_config.yml | 21 ++++++++++++++++++ .../templates/config.yaml.j2 | 7 ++++-- .../defaults/main.yml | 15 +++++++++++++ .../tasks/validate_config.yml | 20 +++++++++++++++++ .../templates/config.yaml.j2 | 7 ++++-- .../defaults/main.yml | 15 +++++++++++++ .../tasks/validate_config.yml | 20 +++++++++++++++++ .../templates/config.yaml.j2 | 7 ++++-- .../defaults/main.yml | 14 ++++++++++++ .../tasks/validate_config.yml | 22 +++++++++++++++++++ .../templates/config.yaml.j2 | 7 ++++-- .../defaults/main.yml | 15 +++++++++++++ .../tasks/validate_config.yml | 22 +++++++++++++++++++ .../templates/config.yaml.j2 | 7 ++++-- 18 files changed, 245 insertions(+), 14 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 268bbf8f..5a65f33e 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -55,6 +55,21 @@ matrix_mx_puppet_discord_homeserver_token: '' # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mx_puppet_discord_login_shared_secret: '' +# Database configuration +matrix_mx_puppet_discord_database_engine: 'sqlite' +matrix_mx_puppet_discord_database_username: matrix_mx_puppet_discord +matrix_mx_puppet_discord_database_password: ~ +matrix_mx_puppet_discord_database_hostname: 'matrix-postgres' +matrix_mx_puppet_discord_database_port: 5432 +matrix_mx_puppet_discord_database_name: matrix_mx_puppet_discord +matrix_mx_puppet_discord_database_file: /data/database.db +matrix_mx_puppet_discord_database_connString: >-2 + {%- if matrix_mx_puppet_discord_database_engine == 'postgres' -%} + postgresql://{{ matrix_mx_puppet_discord_database_username }}:{{ matrix_mx_puppet_discord_database_password }}@{{ matrix_mx_puppet_discord_database_hostname }}:{{ matrix_mx_puppet_discord_database_port }}/{{ matrix_mx_puppet_discord_database_name }}?sslmode=disable + {%- else if matrix_mx_puppet_discord_database_engine == 'sqlite' -%} + {{ matrix_mx_puppet_discord_database_engine }}://{{ matrix_mx_puppet_discord_database_file }} + {%- endif -%} + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml index c253eda2..8db47ed1 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml @@ -8,3 +8,23 @@ with_items: - "matrix_mx_puppet_discord_appservice_token" - "matrix_mx_puppet_discord_homeserver_token" + +- block: + - name: Check if a SQLite database already exists + stat: + path: "{{ matrix_mx_puppet_discord_data_path }}/database.db" + register: matrix_mx_puppet_discord_sqlite_database_path_local_stat_result + + - name: Fail if an SQLite database already exists when using Postgres + fail: + msg: >-2 + matrix_mx_puppet_discord_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing SQLite database in {{ matrix_mx_puppet_discord_data_path }}/database.db. + It appears that you've been using this bridge with the SQLite engine until now. + To continue using SQLite, opt into it explicitly: add `matrix_mx_puppet_discord_database_engine: sqlite` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing SQLite database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mx_puppet_discord_data_path }}/database.db postgres_connection_string_variable_name=matrix_mx_puppet_discord_database_connString'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_mx_puppet_discord_sqlite_database_path_local_stat_result.stat.exists" + when: "matrix_mx_puppet_discord_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 index 88c591e2..c24c7e54 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 @@ -100,15 +100,18 @@ namePatterns: group: :name database: +{% if matrix_mx_puppet_slack_discord_database_engine == 'sqlite' %} + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db +{% else %} # Use Postgres as a database backend # If set, will be used instead of SQLite3 # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - connString: "postgres://matrix_puppet_discord:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_puppet_discord') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_puppet_discord?sslmode=disable" - # Use SQLite3 as a database backend - # The name of the database file - #filename: /data/database.db + connString: {{ matrix_mx_puppet_discord_database_connString|to_json }} +{% endif %} logging: # Log level of console output diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml index 21cde53f..c30f9b8b 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -46,6 +46,20 @@ matrix_mx_puppet_instagram_homeserver_token: '' # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mx_puppet_instagram_login_shared_secret: '' +matrix_mx_puppet_instagram_database_engine: sqlite +matrix_mx_puppet_instagram_database_username: matrix_mx_puppet_instagram +matrix_mx_puppet_instagram_database_password: ~ +matrix_mx_puppet_instagram_database_hostname: 'matrix-postgres' +matrix_mx_puppet_instagram_database_port: 5432 +matrix_mx_puppet_instagram_database_name: matrix_mx_puppet_instagram +matrix_mx_puppet_instagram_database_file: /data/database.db +matrix_mx_puppet_instagram_database_connString: >-2 + {%- if matrix_mx_puppet_instagram_database_engine == 'postgres' -%} + postgresql://{{ matrix_mx_puppet_instagram_database_username }}:{{ matrix_mx_puppet_instagram_database_password }}@{{ matrix_mx_puppet_instagram_database_hostname }}:{{ matrix_mx_puppet_instagram_database_port }}/{{ matrix_mx_puppet_instagram_database_name }}?sslmode=disable + {%- else if matrix_mx_puppet_instagram_database_engine == 'sqlite' -%} + {{ matrix_mx_puppet_instagram_database_engine }}://{{ matrix_mx_puppet_instagram_database_file }} + {%- endif -%} + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml index b6d9d994..7000a8a1 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml @@ -8,3 +8,24 @@ with_items: - "matrix_mx_puppet_instagram_appservice_token" - "matrix_mx_puppet_instagram_homeserver_token" + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mx_puppet_instagram_data_path }}/database.db" + register: matrix_mx_puppet_instagram_sqlite_database_path_local_stat_result + + - name: Fail if an SQLite database already exists when using Postgres + fail: + msg: >- + matrix_mx_puppet_instagram_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing SQLite database in {{ matrix_mx_puppet_instagram_data_path }}/database.db. + It appears that you've been using this bridge with the SQLite engine until now. + To continue using SQLite, opt into it explicitly: add `matrix_mx_puppet_instagram_database_engine: sqlite` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing SQLite database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mx_puppet_instagram_data_path }}/database.db postgres_connection_string_variable_name=matrix_mx_puppet_instagram_database_connString'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_mx_puppet_instagram_sqlite_database_path_local_stat_result.stat.exists" + when: "matrix_mx_puppet_instagram_database_engine == 'postgres'" + diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 index 2d189195..d89c5bdb 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 @@ -44,15 +44,18 @@ provisioning: apiPrefix: /_matrix/provision database: +{% if matrix_mx_puppet_instagram_database_engine == 'postgres' %} # Use Postgres as a database backend # If set, will be used instead of SQLite3 # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - connString: "postgres://matrix_puppet_instagram:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_puppet_instagram') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_puppet_instagram?sslmode=disable" + connString: {{ matrix_mx_puppet_instagram_database_connString | to_json }} +{% else %} # Use SQLite3 as a database backend # The name of the database file - #filename: /data/database.db + filename: {{ matrix_mx_puppet_instagram_database_file }} +{% endif %} logging: # Log level of console output diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 0c16a8ba..3b7448c6 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -53,6 +53,21 @@ matrix_mx_puppet_skype_homeserver_token: '' # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mx_puppet_skype_login_shared_secret: '' +# Database configuration, role default is `sqlite` but playbook default is `postgres` +matrix_mx_puppet_skype_database_engine: sqlite +matrix_mx_puppet_skype_database_username: matrix_mx_puppet_skype +matrix_mx_puppet_skype_database_password: ~ +matrix_mx_puppet_skype_database_hostname: 'matrix-postgres' +matrix_mx_puppet_skype_database_port: 5432 +matrix_mx_puppet_skype_database_name: matrix_mx_puppet_skype +matrix_mx_puppet_skype_database_file: /data/database.db +matrix_mx_puppet_skype_database_connString: >-2 + {%- if matrix_mx_puppet_skype_database_engine == 'postgres' -%} + postgresql://{{ matrix_mx_puppet_skype_database_username }}:{{ matrix_mx_puppet_skype_database_password }}@{{ matrix_mx_puppet_skype_database_hostname }}:{{ matrix_mx_puppet_skype_database_port }}/{{ matrix_mx_puppet_skype_database_name }}?sslmode=disable + {%- else if matrix_mx_puppet_skype_database_engine == 'sqlite' -%} + {{ matrix_mx_puppet_skype_database_engine }}://{{ matrix_mx_puppet_skype_database_file }} + {%- endif -%} + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml index 7ed433b1..c7100e51 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml @@ -8,3 +8,23 @@ with_items: - "matrix_mx_puppet_skype_appservice_token" - "matrix_mx_puppet_skype_homeserver_token" + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mx_puppet_skype_data_path }}/database.db" + register: matrix_mx_puppet_skype_sqlite_database_path_local_stat_result + + - name: Fail if an SQLite database already exists when using Postgres + fail: + msg: >- + matrix_mx_puppet_skype_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing SQLite database in {{ matrix_mx_puppet_skype_data_path }}/database.db. + It appears that you've been using this bridge with the SQLite engine until now. + To continue using SQLite, opt into it explicitly: add `matrix_mx_puppet_skype_database_engine: sqlite` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing SQLite database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mx_puppet_skype_data_path }}/database.db postgres_connection_string_variable_name=matrix_mx_puppet_skype_database_connString'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_mx_puppet_skype_sqlite_database_path_local_stat_result.stat.exists" + when: "matrix_mx_puppet_skype_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 index a54ca758..a32523b1 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 @@ -68,15 +68,18 @@ logging: # - Store database: +{% if matrix_mx_puppet_skype_database_engine == 'postgres' %} # Use Postgres as a database backend # If set, will be used instead of SQLite3 # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - connString: "postgres://matrix_puppet_skype:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_puppet_skype') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_puppet_skype?sslmode=disable" + connString: {{ matrix_mx_puppet_skype_database_connString | to_json }} +{% else %} # Use SQLite3 as a database backend # The name of the database file - #filename: /data/database.db + filename: {{ matrix_mx_puppet_skype_database_file }} +{% endif %} provisioning: # Regex of Matrix IDs allowed to use the puppet bridge diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 96ab7833..5f91beb8 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -57,6 +57,21 @@ matrix_mx_puppet_slack_homeserver_token: '' # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mx_puppet_slack_login_shared_secret: '' +# Database configuration, role uses 'sqlite' per default but playbook sets up postgres by default +matrix_mx_puppet_slack_database_engine: sqlite +matrix_mx_puppet_slack_database_username: matrix_mx_puppet_slack +matrix_mx_puppet_slack_database_password: ~ +matrix_mx_puppet_slack_database_hostname: 'matrix-postgres' +matrix_mx_puppet_slack_database_port: 5432 +matrix_mx_puppet_slack_database_name: matrix_mx_puppet_slack +matrix_mx_puppet_slack_database_file: /data/database.db +matrix_mx_puppet_slack_database_connString: >-2 + {%- if matrix_mx_puppet_slack_database_engine == 'postgres' -%} + postgresql://{{ matrix_mx_puppet_slack_database_username }}:{{ matrix_mx_puppet_slack_database_password }}@{{ matrix_mx_puppet_slack_database_hostname }}:{{ matrix_mx_puppet_slack_database_port }}/{{ matrix_mx_puppet_slack_database_name }}?sslmode=disable + {%- else if matrix_mx_puppet_slack_database_engine == 'sqlite' -%} + {{ matrix_mx_puppet_slack_database_engine }}://{{ matrix_mx_puppet_slack_database_file }} + {%- endif -%} + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml index 3a0bca11..bc722ee6 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml @@ -8,3 +8,23 @@ with_items: - "matrix_mx_puppet_slack_appservice_token" - "matrix_mx_puppet_slack_homeserver_token" + +- block: + - name: Check if sqlite database already exists + stat: + path: "{{ matrix_mx_puppet_slack_data_path }}/database.db" + register: matrix_mx_puppet_slack_sqlite_database_path_local_stat_result + + - name: Fail if an SQLite database already exists when using Postgres + fail: + msg: >- + matrix_mx_puppet_slack_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing SQLite database in {{ matrix_mx_puppet_slack_data_path }}/database.db. + It appears that you've been using this bridge with the SQLite engine until now. + To continue using SQLite, opt into it explicitly: add `matrix_mx_puppet_slack_database_engine: sqlite` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing SQLite database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mx_puppet_slack_data_path }}/database.db postgres_connection_string_variable_name=matrix_mx_puppet_slack_database_connString'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_mx_puppet_slack_sqlite_database_path_local_stat_result.stat.exists" + when: "matrix_mx_puppet_slack_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 index 7f1b21d7..58c5c11a 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 @@ -58,15 +58,18 @@ provisioning: apiPrefix: /_matrix/provision database: +{% if matrix_mx_puppet_slack_database_engine == 'postgres' %} # Use Postgres as a database backend # If set, will be used instead of SQLite3 # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - connString: "postgres://matrix_puppet_slack:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_puppet_slack') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_puppet_slack?sslmode=disable" + connString: {{ matrix_mx_puppet_slack_database_connString | to_json }} +{% else %} # Use SQLite3 as a database backend # The name of the database file - #filename: /data/database.db + filename: {{ matrix_mx_puppet_slack_database_file }} +{% endif %} logging: # Log level of console output diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index b5eb8473..be343db4 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -55,6 +55,20 @@ matrix_mx_puppet_steam_homeserver_token: '' # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mx_puppet_steam_login_shared_secret: '' +matrix_mx_puppet_steam_database_engine: sqlite +matrix_mx_puppet_steam_database_username: matrix_mx_puppet_steam +matrix_mx_puppet_steam_database_password: ~ +matrix_mx_puppet_steam_database_hostname: 'matrix-postgres' +matrix_mx_puppet_steam_database_port: 5432 +matrix_mx_puppet_steam_database_name: matrix_mx_puppet_steam +matrix_mx_puppet_steam_database_file: /data/database.db +matrix_mx_puppet_steam_database_connString: >-2 + {%- if matrix_mx_puppet_steam_database_engine == 'postgres' -%} + postgresql://{{ matrix_mx_puppet_steam_database_username }}:{{ matrix_mx_puppet_steam_database_password }}@{{ matrix_mx_puppet_steam_database_hostname }}:{{ matrix_mx_puppet_steam_database_port }}/{{ matrix_mx_puppet_steam_database_name }}?sslmode=disable + {%- else if matrix_mx_puppet_steam_database_engine == 'sqlite' -%} + {{ matrix_mx_puppet_steam_database_engine }}://{{ matrix_mx_puppet_steam_database_file }} + {%- endif -%} + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml index a8bc6a42..50ce15d9 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml @@ -8,3 +8,25 @@ with_items: - "matrix_mx_puppet_steam_appservice_token" - "matrix_mx_puppet_steam_homeserver_token" + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mx_puppet_steam_data_path }}" + register: matrix_mx_puppet_steam_sqlite_database_path_local_stat_result + + - name: Fail if an SQLite database already exists when using Postgres + fail: + msg: >- + matrix_mx_puppet_steam_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing SQLite database in {{ matrix_mx_puppet_steam_data_path }}/database.db. + It appears that you've been using this bridge with the SQLite engine until now. + To continue using SQLite, opt into it explicitly: add `matrix_mx_puppet_steam_database_engine: sqlite` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing SQLite database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mx_puppet_steam_data_path }}/database.db postgres_connection_string_variable_name=matrix_mx_puppet_steam_database_connString'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_mx_puppet_steam_sqlite_database_path_local_stat_result.stat.exists" + when: "matrix_mx_puppet_steam_database_engine == 'postgres'" + + diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 index 14f86319..8eda278d 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 @@ -61,15 +61,18 @@ selfService: blacklist: {{ matrix_mx_puppet_steam_provisioning_blacklist|to_json }} database: +{% if matrix_mx_puppet_steam_database_engine == 'postgres' %} # Use Postgres as a database backend # If set, will be used instead of SQLite3 # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - connString: "postgres://matrix_puppet_steam:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_puppet_steam') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_puppet_steam?sslmode=disable" + connString: {{ matrix_mx_puppet_steam_database_connString | to_json }} +{% else %} # Use SQLite3 as a database backend # The name of the database file - #filename: /data/database.db + filename: {{ matrix_mx_puppet_steam_database_file }} +{% endif %} logging: # Log level of console output diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index 13438a21..f536029c 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -60,6 +60,21 @@ matrix_mx_puppet_twitter_homeserver_token: '' # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mx_puppet_twitter_login_shared_secret: '' +# Database configuration +matrix_mx_puppet_twitter_database_engine: sqlite +matrix_mx_puppet_twitter_database_username: matrix:mx_puppet_twitter +matrix_mx_puppet_twitter_database_password: ~ +matrix_mx_puppet_twitter_database_hostname: 'matrix-postgres' +matrix_mx_puppet_twitter_database_port: 5432 +matrix_mx_puppet_twitter_database_name: matrix_mx_puppet_twitter +matrix_mx_puppet_twitter_database_file: /data/database.db +matrix_mx_puppet_twitter_database_connString: >-2 + {%- if matrix_mx_puppet_twitter_database_engine == 'postgres' -%} + postgresql://{{ matrix_mx_puppet_twitter_database_username }}:{{ matrix_mx_puppet_twitter_database_password }}@{{ matrix_mx_puppet_twitter_database_hostname }}:{{ matrix_mx_puppet_twitter_database_port }}/{{ matrix_mx_puppet_twitter_database_name }}?sslmode=disable + {%- else if matrix_mx_puppet_twitter_database_engine == 'sqlite' -%} + {{ matrix_mx_puppet_twitter_database_engine }}://{{ matrix_mx_puppet_twitter_database_file }} + {%- endif -%} + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml index d13a39e1..0b3bd8f8 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml @@ -8,3 +8,25 @@ with_items: - "matrix_mx_puppet_twitter_appservice_token" - "matrix_mx_puppet_twitter_homeserver_token" + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mx_puppet_twitter_sqlite_data_path }}/database.db" + register: matrix_mx_puppet_twitter_sqlite_database_path_local_stat_result + + - name: Fail if an SQLite database already exists when using Postgres + fail: + msg: >- + matrix_mx_puppet_twitter_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing SQLite database in {{ matrix_mx_puppet_twitter_data_path }}/database.db. + It appears that you've been using this bridge with the SQLite engine until now. + To continue using SQLite, opt into it explicitly: add `matrix_mx_puppet_twitter_database_engine: sqlite` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing SQLite database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mx_puppet_twitter_data_path }}/database.db postgres_connection_string_variable_name=matrix_mx_puppet_twitter_database_connString'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_mx_puppet_twitter_sqlite_database_path_local_stat_result.stat.exists" + when: "matrix_mx_puppet_twitter_database_engine == 'postgres'" + + diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 index 853d23fc..cecb171d 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 @@ -54,15 +54,18 @@ provisioning: apiPrefix: /_matrix/provision database: +{% if matrix_mx_puppet_twitter_database_engine == 'postgres' %} # Use Postgres as a database backend # If set, will be used instead of SQLite3 # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - connString: "postgres://matrix_puppet_twitter:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_puppet_twitter') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_puppet_twitter?sslmode=disable" + connString: {{ matrix_mx_puppet_twitter_database_connString | to_json }} +{% else %} # Use SQLite3 as a database backend # The name of the database file - #filename: /data/database.db + filename: {{ matrix_mx_puppet_twitter_database_file }} +{% endif %} logging: # Log level of console output From b9a04a7f953e504a3e6798eeebcc786f51bf9788 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 14:42:18 +0200 Subject: [PATCH 1634/2384] Rename some remaining `matrix_*_postgres_*` vars back to `matrix_*_database_*` Looks like there are some that I missed in 087dbe4ddc80ba6 --- group_vars/matrix_servers | 28 +++++++++---------- .../defaults/main.yml | 4 +-- .../defaults/main.yml | 6 ++-- .../tasks/setup_install.yml | 2 +- .../defaults/main.yml | 6 ++-- .../tasks/setup_install.yml | 2 +- .../defaults/main.yml | 6 ++-- .../tasks/setup_install.yml | 2 +- .../defaults/main.yml | 6 ++-- .../tasks/setup_install.yml | 2 +- 10 files changed, 32 insertions(+), 32 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index acf133e1..ad1e8ce3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -953,37 +953,37 @@ matrix_postgres_additional_databases: | 'name': matrix_appservice_discord_database_db_name, 'username': matrix_appservice_discord_database_username, 'password': matrix_appservice_discord_database_password, - }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_postgres_hostname == 'matrix-postgres') else []) + }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_database_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_appservice_slack_database_db_name, 'username': matrix_appservice_slack_database_username, 'password': matrix_appservice_slack_database_password, - }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_postgres_hostname == 'matrix-postgres') else []) + }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_appservice_irc_database_db_name, 'username': matrix_appservice_irc_database_username, 'password': matrix_appservice_irc_database_password, - }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_postgres_hostname == 'matrix-postgres') else []) + }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mautrix_facebook_database_db_name, 'username': matrix_mautrix_facebook_database_username, 'password': matrix_mautrix_facebook_database_password, - }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_postgres_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mautrix_hangouts_database_db_name, 'username': matrix_mautrix_hangouts_database_username, 'password': matrix_mautrix_hangouts_database_password, - }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_postgres_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mautrix_telegram_database_db_name, 'username': matrix_mautrix_telegram_database_username, 'password': matrix_mautrix_telegram_database_password, - }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_postgres_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mautrix_whatsapp_database_db_name, 'username': matrix_mautrix_whatsapp_database_username, 'password': matrix_mautrix_whatsapp_database_password, - }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_postgres_hostname == 'matrix-postgres') else []) + }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == 'matrix-postgres') else []) + ([{ 'name': 'matrix_bridge_sms', 'username': 'matrix_bridge_sms', @@ -993,45 +993,45 @@ matrix_postgres_additional_databases: | 'name': matrix_mx_puppet_skype_database_db_name, 'username': matrix_mx_puppet_skype_database_username, 'password': matrix_mx_puppet_skype_database_password, - }] if (matrix_mx_puppet_skype_enabled and matrix_mx_puppet_skype_database_engine == 'postgres' and matrix_mx_puppet_skype_postgres_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_skype_enabled and matrix_mx_puppet_skype_database_engine == 'postgres' and matrix_mx_puppet_skype_database_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mx_puppet_slack_database_db_name, 'username': matrix_mx_puppet_slack_database_username, 'password': matrix_mx_puppet_slack_database_password, - }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_postgres_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mx_puppet_twitter_database_db_name, 'username': matrix_mx_puppet_twitter_database_username, 'password': matrix_mx_puppet_twitter_database_password, - }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_postgres_hostname == 'matrix-postgres') else []) + }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mx_puppet_instagram_database_db_name, 'username': matrix_mx_puppet_instagram_database_username, 'password': matrix_mx_puppet_instagram_database_password, }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' - and matrix_mx_puppet_instagram_postgres_hostname == 'matrix-postgres') else []) + and matrix_mx_puppet_instagram_database_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mx_puppet_discord_database_db_name, 'username': matrix_mx_puppet_discord_database_username, 'password': matrix_mx_puppet_discord_database_password, }] if (matrix_mx_puppet_discord_enabled and matrix_mx_puppet_discord_database_engine == 'postgres' - and matrix_mx_puppet_discord_postgres_hostname == 'matrix-postgres') else []) + and matrix_mx_puppet_discord_database_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_mx_puppet_steam_database_db_name, 'username': matrix_mx_puppet_steam_database_username, 'password': matrix_mx_puppet_steam_database_password, }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' - and matrix_mx_puppet_steam_postgres_hostname == 'matrix-postgres') else []) + and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres') else []) + ([{ 'name': matrix_dimension_database_db_name, 'username': matrix_dimension_database_username, 'password': matrix_dimension_database_password, }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' - and matrix_dimension_postgres_hostname == 'matrix-postgres') else []) + and matrix_dimension_database_hostname == 'matrix-postgres') else []) }} ###################################################################### diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 57a88867..e2f97b85 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -55,14 +55,14 @@ matrix_appservice_discord_sqlite_database_path_in_container: "/data/discord.db" matrix_appservice_discord_database_username: 'matrix_appservice_discord' matrix_appservice_discord_database_password: 'some-password' -matrix_appservice_discord_postgres_hostname: 'matrix-postgres' +matrix_appservice_discord_database_hostname: 'matrix-postgres' matrix_appservice_discord_database_port: 5432 matrix_appservice_discord_database_db_name: 'matrix_appservice_discord' # These 2 variables are what actually ends up in the bridge configuration. # It's best if you don't change them directly, but rather redefine the sub-variables that constitute them. matrix_appservice_discord_database_filename: "{{ matrix_appservice_discord_sqlite_database_path_in_container }}" -matrix_appservice_discord_database_connString: 'postgresql://{{ matrix_appservice_discord_database_username }}:{{ matrix_appservice_discord_database_password }}@{{ matrix_appservice_discord_postgres_hostname }}:{{ matrix_appservice_discord_database_port }}/{{ matrix_appservice_discord_database_db_name }}' +matrix_appservice_discord_database_connString: 'postgresql://{{ matrix_appservice_discord_database_username }}:{{ matrix_appservice_discord_database_password }}@{{ matrix_appservice_discord_database_hostname }}:{{ matrix_appservice_discord_database_port }}/{{ matrix_appservice_discord_database_db_name }}' # Tells whether the bot should make use of "Privileged Gateway Intents". diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 246c32fe..c02197a5 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -47,16 +47,16 @@ matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebo matrix_mautrix_facebook_database_username: 'matrix_mautrix_facebook' matrix_mautrix_facebook_database_password: 'some-password' -matrix_mautrix_facebook_postgres_hostname: 'matrix-postgres' +matrix_mautrix_facebook_database_hostname: 'matrix-postgres' matrix_mautrix_facebook_database_port: 5432 matrix_mautrix_facebook_database_db_name: 'matrix_mautrix_facebook' -matrix_mautrix_facebook_postgres_connection_string: 'postgresql://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_postgres_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_db_name }}' +matrix_mautrix_facebook_database_connection_string: 'postgresql://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_database_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_db_name }}' matrix_mautrix_facebook_appservice_database: "{{ { 'sqlite': ('sqlite://' + matrix_mautrix_facebook_sqlite_database_path_in_container), - 'postgres': matrix_mautrix_facebook_postgres_connection_string, + 'postgres': matrix_mautrix_facebook_database_connection_string, }[matrix_mautrix_facebook_database_engine] }}" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index c3c8d61f..1a0ff70c 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -23,7 +23,7 @@ To continue using SQLite, opt into it explicitly: add `matrix_mautrix_facebook_database_engine: sqlite` to your vars.yml file and re-run this same command. Alternatively, to migrate your existing SQLite database to Postgres: 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_facebook_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_facebook_postgres_connection_string'`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_facebook_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_facebook_database_connection_string'`) 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists" when: "matrix_mautrix_facebook_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 04280ac4..5d38289b 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -54,16 +54,16 @@ matrix_mautrix_hangouts_sqlite_database_path_in_container: "/data/mautrix-hangou matrix_mautrix_hangouts_database_username: 'matrix_mautrix_hangouts' matrix_mautrix_hangouts_database_password: 'some-password' -matrix_mautrix_hangouts_postgres_hostname: 'matrix-postgres' +matrix_mautrix_hangouts_database_hostname: 'matrix-postgres' matrix_mautrix_hangouts_database_port: 5432 matrix_mautrix_hangouts_database_db_name: 'matrix_mautrix_hangouts' -matrix_mautrix_hangouts_postgres_connection_string: 'postgresql://{{ matrix_mautrix_hangouts_database_username }}:{{ matrix_mautrix_hangouts_database_password }}@{{ matrix_mautrix_hangouts_postgres_hostname }}:{{ matrix_mautrix_hangouts_database_port }}/{{ matrix_mautrix_hangouts_database_db_name }}' +matrix_mautrix_hangouts_database_connection_string: 'postgresql://{{ matrix_mautrix_hangouts_database_username }}:{{ matrix_mautrix_hangouts_database_password }}@{{ matrix_mautrix_hangouts_database_hostname }}:{{ matrix_mautrix_hangouts_database_port }}/{{ matrix_mautrix_hangouts_database_db_name }}' matrix_mautrix_hangouts_appservice_database: "{{ { 'sqlite': ('sqlite://' + matrix_mautrix_hangouts_sqlite_database_path_in_container), - 'postgres': matrix_mautrix_hangouts_postgres_connection_string, + 'postgres': matrix_mautrix_hangouts_database_connection_string, }[matrix_mautrix_hangouts_database_engine] }}" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index 9e7bfbba..02c34357 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -23,7 +23,7 @@ To continue using SQLite, opt into it explicitly: add `matrix_mautrix_hangouts_database_engine: sqlite` to your vars.yml file and re-run this same command. Alternatively, to migrate your existing SQLite database to Postgres: 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_hangouts_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_hangouts_postgres_connection_string'`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_hangouts_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_hangouts_database_connection_string'`) 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) when: "matrix_mautrix_hangouts_sqlite_database_path_local_stat_result.stat.exists" when: "matrix_mautrix_hangouts_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 4f584128..fcdf95db 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -58,16 +58,16 @@ matrix_mautrix_telegram_sqlite_database_path_in_container: "/data/mautrix-telegr matrix_mautrix_telegram_database_username: 'matrix_mautrix_telegram' matrix_mautrix_telegram_database_password: 'some-password' -matrix_mautrix_telegram_postgres_hostname: 'matrix-postgres' +matrix_mautrix_telegram_database_hostname: 'matrix-postgres' matrix_mautrix_telegram_database_port: 5432 matrix_mautrix_telegram_database_db_name: 'matrix_mautrix_telegram' -matrix_mautrix_telegram_postgres_connection_string: 'postgresql://{{ matrix_mautrix_telegram_database_username }}:{{ matrix_mautrix_telegram_database_password }}@{{ matrix_mautrix_telegram_postgres_hostname }}:{{ matrix_mautrix_telegram_database_port }}/{{ matrix_mautrix_telegram_database_db_name }}' +matrix_mautrix_telegram_database_connection_string: 'postgresql://{{ matrix_mautrix_telegram_database_username }}:{{ matrix_mautrix_telegram_database_password }}@{{ matrix_mautrix_telegram_database_hostname }}:{{ matrix_mautrix_telegram_database_port }}/{{ matrix_mautrix_telegram_database_db_name }}' matrix_mautrix_telegram_appservice_database: "{{ { 'sqlite': ('sqlite://' + matrix_mautrix_telegram_sqlite_database_path_in_container), - 'postgres': matrix_mautrix_telegram_postgres_connection_string, + 'postgres': matrix_mautrix_telegram_database_connection_string, }[matrix_mautrix_telegram_database_engine] }}" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index db1a8f83..d898c590 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -23,7 +23,7 @@ To continue using SQLite, opt into it explicitly: add `matrix_mautrix_telegram_database_engine: sqlite` to your vars.yml file and re-run this same command. Alternatively, to migrate your existing SQLite database to Postgres: 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_telegram_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_telegram_postgres_connection_string'`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_telegram_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_telegram_database_connection_string'`) 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) when: "matrix_mautrix_telegram_sqlite_database_path_local_stat_result.stat.exists" when: "matrix_mautrix_telegram_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 357f5892..7e198b36 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -42,11 +42,11 @@ matrix_mautrix_whatsapp_sqlite_database_path_in_container: "/data/mautrix-whatsa matrix_mautrix_whatsapp_database_username: 'matrix_mautrix_whatsapp' matrix_mautrix_whatsapp_database_password: 'some-password' -matrix_mautrix_whatsapp_postgres_hostname: 'matrix-postgres' +matrix_mautrix_whatsapp_database_hostname: 'matrix-postgres' matrix_mautrix_whatsapp_database_port: 5432 matrix_mautrix_whatsapp_database_db_name: 'matrix_mautrix_whatsapp' -matrix_mautrix_whatsapp_postgres_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_postgres_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_db_name }}' +matrix_mautrix_whatsapp_database_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_database_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_db_name }}' matrix_mautrix_whatsapp_appservice_database_type: "{{ { @@ -58,7 +58,7 @@ matrix_mautrix_whatsapp_appservice_database_type: "{{ matrix_mautrix_whatsapp_appservice_database_uri: "{{ { 'sqlite': matrix_mautrix_whatsapp_sqlite_database_path_in_container, - 'postgres': matrix_mautrix_whatsapp_postgres_connection_string, + 'postgres': matrix_mautrix_whatsapp_database_connection_string, }[matrix_mautrix_whatsapp_database_engine] }}" diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 15453e8c..9521e0a5 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -23,7 +23,7 @@ To continue using SQLite, opt into it explicitly: add `matrix_mautrix_whatsapp_database_engine: sqlite` to your vars.yml file and re-run this same command. Alternatively, to migrate your existing SQLite database to Postgres: 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_whatsapp_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_whatsapp_postgres_connection_string'`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_whatsapp_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_whatsapp_database_connection_string'`) 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) when: "matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result.stat.exists" when: "matrix_mautrix_whatsapp_database_engine == 'postgres'" From aa828ff9f64415a404b3d7bb2a70690fea968d02 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 14:50:04 +0200 Subject: [PATCH 1635/2384] Separate matrix-reminder-bot install/uninstall tasks --- .../tasks/main.yml | 9 +- .../tasks/setup.yml | 88 ------------------- .../tasks/setup_install.yml | 41 +++++++++ .../tasks/setup_uninstall.yml | 35 ++++++++ 4 files changed, 84 insertions(+), 89 deletions(-) delete mode 100644 roles/matrix-bot-matrix-reminder-bot/tasks/setup.yml create mode 100644 roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml create mode 100644 roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/main.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/main.yml index ade3d191..fc2afddb 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/main.yml @@ -8,7 +8,14 @@ - setup-all - setup-bot-matrix-reminder-bot -- import_tasks: "{{ role_path }}/tasks/setup.yml" +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_bot_matrix_reminder_bot_enabled|bool" + tags: + - setup-all + - setup-bot-matrix-reminder-bot + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_bot_matrix_reminder_bot_enabled|bool" tags: - setup-all - setup-bot-matrix-reminder-bot diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup.yml deleted file mode 100644 index bc211e31..00000000 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup.yml +++ /dev/null @@ -1,88 +0,0 @@ ---- - -# -# Tasks related to setting up matrix-reminder-bot -# - -- name: Ensure matrix-reminder-bot paths exist - file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_bot_matrix_reminder_bot_config_path }}", when: true } - - { path: "{{ matrix_bot_matrix_reminder_bot_data_path }}", when: true } - - { path: "{{ matrix_bot_matrix_reminder_bot_data_store_path }}", when: true } - when: matrix_bot_matrix_reminder_bot_enabled|bool and item.when - -- name: Ensure matrix-reminder-bot image is pulled - docker_image: - name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_bot_matrix_reminder_bot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_docker_image_force_pull }}" - when: matrix_bot_matrix_reminder_bot_enabled|bool - -- name: Ensure matrix-reminder-bot config installed - copy: - content: "{{ matrix_bot_matrix_reminder_bot_configuration|to_nice_yaml }}" - dest: "{{ matrix_bot_matrix_reminder_bot_config_path }}/config.yaml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_bot_matrix_reminder_bot_enabled|bool - -- name: Ensure matrix-matrix-reminder-bot.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-bot-matrix-reminder-bot.service" - mode: 0644 - register: matrix_bot_matrix_reminder_bot_systemd_service_result - when: matrix_bot_matrix_reminder_bot_enabled|bool - -- name: Ensure systemd reloaded after matrix-matrix-reminder-bot.service installation - service: - daemon_reload: yes - when: "matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-reminder-bot (if it was previously enabled) -# - -- name: Check existence of matrix-matrix-reminder-bot service - stat: - path: "{{ matrix_systemd_path }}/matrix-matrix-reminder-bot.service" - register: matrix_bot_matrix_reminder_bot_service_stat - -- name: Ensure matrix-matrix-reminder-bot is stopped - service: - name: matrix-matrix-reminder-bot - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_service_stat.stat.exists" - -- name: Ensure matrix-matrix-reminder-bot.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-matrix-reminder-bot.service" - state: absent - when: "not matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-matrix-reminder-bot.service removal - service: - daemon_reload: yes - when: "not matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_service_stat.stat.exists" - -- name: Ensure Matrix matrix-reminder-bot paths don't exist - file: - path: "{{ matrix_bot_matrix_reminder_bot_base_path }}" - state: absent - when: "not matrix_bot_matrix_reminder_bot_enabled|bool" - -- name: Ensure matrix-reminder-bot Docker image doesn't exist - docker_image: - name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}" - state: absent - when: "not matrix_bot_matrix_reminder_bot_enabled|bool" diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml new file mode 100644 index 00000000..366c39c3 --- /dev/null +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -0,0 +1,41 @@ +--- + +- name: Ensure matrix-reminder-bot paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_bot_matrix_reminder_bot_config_path }}", when: true } + - { path: "{{ matrix_bot_matrix_reminder_bot_data_path }}", when: true } + - { path: "{{ matrix_bot_matrix_reminder_bot_data_store_path }}", when: true } + when: "item.when|bool" + +- name: Ensure matrix-reminder-bot image is pulled + docker_image: + name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_matrix_reminder_bot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_docker_image_force_pull }}" + +- name: Ensure matrix-reminder-bot config installed + copy: + content: "{{ matrix_bot_matrix_reminder_bot_configuration|to_nice_yaml }}" + dest: "{{ matrix_bot_matrix_reminder_bot_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-bot-matrix-reminder-bot.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-bot-matrix-reminder-bot.service" + mode: 0644 + register: matrix_bot_matrix_reminder_bot_systemd_service_result + +- name: Ensure systemd reloaded after matrix-bot-matrix-reminder-bot.service installation + service: + daemon_reload: yes + when: "matrix_bot_matrix_reminder_bot_systemd_service_result.changed|bool" diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml new file mode 100644 index 00000000..744f474d --- /dev/null +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-matrix-reminder-bot service + stat: + path: "{{ matrix_systemd_path }}/matrix-bot-matrix-reminder-bot.service" + register: matrix_bot_matrix_reminder_bot_service_stat + +- name: Ensure matrix-matrix-reminder-bot is stopped + service: + name: matrix-matrix-reminder-bot + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists|bool" + +- name: Ensure matrix-bot-matrix-reminder-bot.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-bot-matrix-reminder-bot.service" + state: absent + when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-bot-matrix-reminder-bot.service removal + service: + daemon_reload: yes + when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists|bool" + +- name: Ensure Matrix matrix-reminder-bot paths don't exist + file: + path: "{{ matrix_bot_matrix_reminder_bot_base_path }}" + state: absent + +- name: Ensure matrix-reminder-bot Docker image doesn't exist + docker_image: + name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}" + state: absent From dde1c9f899230813ca70e657c4d7873bb890f6e4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 14:53:35 +0200 Subject: [PATCH 1636/2384] Fix indentation causing YAML syntax error --- .../tasks/validate_config.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml index 7000a8a1..c2115cbb 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml @@ -15,7 +15,7 @@ path: "{{ matrix_mx_puppet_instagram_data_path }}/database.db" register: matrix_mx_puppet_instagram_sqlite_database_path_local_stat_result - - name: Fail if an SQLite database already exists when using Postgres + - name: Fail if an SQLite database already exists when using Postgres fail: msg: >- matrix_mx_puppet_instagram_database_engine has been set to `postgres` (which is our new default now). @@ -28,4 +28,3 @@ 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) when: "matrix_mx_puppet_instagram_sqlite_database_path_local_stat_result.stat.exists" when: "matrix_mx_puppet_instagram_database_engine == 'postgres'" - From e3a0c9addac73580da23f1e386a67ba14d7461bf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 15:02:11 +0200 Subject: [PATCH 1637/2384] Add (Postgres + SQLite) support to matrix-reminder-bot This has been tested and appears to work. --- group_vars/matrix_servers | 10 +++++++ .../defaults/main.yml | 28 +++++++++++++++++++ .../tasks/setup_install.yml | 20 +++++++++++++ .../templates/config.yaml.j2 | 2 +- 4 files changed, 59 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ad1e8ce3..d6d6cc4a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -580,6 +580,10 @@ matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key # We don't enable bots by default. matrix_bot_matrix_reminder_bot_enabled: false +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" + ###################################################################### # # /matrix-bot-matrix-reminder-bot @@ -949,6 +953,12 @@ matrix_postgres_db_name: "homeserver" matrix_postgres_additional_databases: | {{ + ([{ + 'name': matrix_bot_matrix_reminder_bot_database_db_name, + 'username': matrix_bot_matrix_reminder_bot_database_username, + 'password': matrix_bot_matrix_reminder_bot_database_password, + }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_appservice_discord_database_db_name, 'username': matrix_appservice_discord_database_username, diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index 33028147..70e7b2d2 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -21,6 +21,34 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: ['docker.service' matrix_bot_matrix_reminder_bot_systemd_wanted_services_list: [] +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_bot_matrix_reminder_bot_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_bot_matrix_reminder_bot_database_*` variables +matrix_bot_matrix_reminder_bot_database_engine: 'sqlite' + +matrix_bot_matrix_reminder_bot_sqlite_database_path_local: "{{ matrix_bot_matrix_reminder_bot_data_path }}/bot.db" +matrix_bot_matrix_reminder_bot_sqlite_database_path_in_container: "/data/bot.db" + +matrix_bot_matrix_reminder_bot_database_username: 'matrix_reminder_bot' +matrix_bot_matrix_reminder_bot_database_password: 'some-password' +matrix_bot_matrix_reminder_bot_database_hostname: 'matrix-postgres' +matrix_bot_matrix_reminder_bot_database_port: 5432 +matrix_bot_matrix_reminder_bot_database_db_name: 'matrix_reminder_bot' + +matrix_bot_matrix_reminder_bot_database_connection_string: 'postgres://{{ matrix_bot_matrix_reminder_bot_database_username }}:{{ matrix_bot_matrix_reminder_bot_database_password }}@{{ matrix_bot_matrix_reminder_bot_database_hostname }}:{{ matrix_bot_matrix_reminder_bot_database_port }}/{{ matrix_bot_matrix_reminder_bot_database_db_name }}' + +matrix_bot_matrix_reminder_bot_storage_database: "{{ + { + 'sqlite': ('sqlite://' + matrix_bot_matrix_reminder_bot_sqlite_database_path_in_container), + 'postgres': matrix_bot_matrix_reminder_bot_database_connection_string, + }[matrix_bot_matrix_reminder_bot_database_engine] +}}" + + # The bot's username. This user needs to be created manually beforehand. # Also see `matrix_bot_matrix_reminder_bot_user_password`. matrix_bot_matrix_reminder_bot_matrix_user_id_localpart: "bot.matrix-reminder-bot" diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index 366c39c3..4fbafa3a 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -1,5 +1,25 @@ --- +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }}" + register: matrix_bot_matrix_reminder_bot_sqlite_database_path_local_stat_result + + - name: Fail if an SQLite database already exists when using Postgres + fail: + msg: >- + matrix_bot_matrix_reminder_bot_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing SQLite database in {{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }}. + It appears that you've been using this bridge with the SQLite engine until now. + To continue using SQLite, opt into it explicitly: add `matrix_bot_matrix_reminder_bot_database_engine: sqlite` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing SQLite database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_bot_matrix_reminder_bot_database_connection_string'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_bot_matrix_reminder_bot_sqlite_database_path_local_stat_result.stat.exists" + when: "matrix_bot_matrix_reminder_bot_database_engine == 'postgres'" + - name: Ensure matrix-reminder-bot paths exist file: path: "{{ item.path }}" diff --git a/roles/matrix-bot-matrix-reminder-bot/templates/config.yaml.j2 b/roles/matrix-bot-matrix-reminder-bot/templates/config.yaml.j2 index e5ba5651..59643958 100644 --- a/roles/matrix-bot-matrix-reminder-bot/templates/config.yaml.j2 +++ b/roles/matrix-bot-matrix-reminder-bot/templates/config.yaml.j2 @@ -23,7 +23,7 @@ storage: # For Postgres, this would look like: # database: "postgres://username:password@localhost/dbname?sslmode=disable" #database: "postgres://matrix-reminder-bot:remindme@localhost/matrix-reminder-bot?sslmode=disable" - database: "sqlite:///data/bot.db" + database: {{ matrix_bot_matrix_reminder_bot_storage_database|to_json }} # The path to a directory for internal bot storage # containing encryption keys, sync tokens, etc. store_path: "/data/store" From 54da61f81b56e4c5906d09cd7dbbf0fb35092948 Mon Sep 17 00:00:00 2001 From: transcaffeine Date: Mon, 14 Dec 2020 14:02:51 +0100 Subject: [PATCH 1638/2384] add postgres support mx-appservice-[slack|irc] with fallback to nedb in role and migration notice --- .../defaults/main.yml | 14 ++++++++++++ .../tasks/validate_config.yml | 20 +++++++++++++++++ .../templates/config.yaml.j2 | 4 ++-- .../defaults/main.yml | 15 +++++++++++++ .../tasks/validate_config.yml | 22 ++++++++++++++++++- .../templates/config.yaml.j2 | 6 +++-- 6 files changed, 76 insertions(+), 5 deletions(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 7ff2d46a..a1c76253 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -16,6 +16,20 @@ matrix_appservice_irc_homeserver_domain: '{{ matrix_domain }}' matrix_appservice_irc_homeserver_enablePresence: true matrix_appservice_irc_appservice_address: 'http://matrix-appservice-irc:9999' +matrix_appservice_irc_database_engine: nedb +matrix_appservice_irc_database_username: matrix_appservice_irc +matrix_appservice_irc_database_password: ~ +matrix_appservice_irc_database_hostname: 'matrix-postgres' +matrix_appservice_irc_database_port: 5432 +matrix_appservice_irc_database_name: matrix_appservice_irc +matrix_appservice_irc_databasa +matrix_appservice_irc_database_connString: >-2 + {%- if matrix_appservice_irc_database_engine == 'postgres' -%} + postgresql://{{ matrix_appservice_irc_database_username }}:{{ matrix_appservice_irc_database_password }}@{{ matrix_appservice_irc_database_hostname }}:{{ matrix_appservice_irc_database_port }}/{{ matrix_appservice_irc_database_name }}?sslmode=disable + {%- else if matrix_appservice_irc_database_engine == 'nedb' -%} + {{ matrix_appservice_irc_database_engine }}://{{ matrix_appservice_irc_database_file }} + {%- endif -%} + matrix_appservice_irc_ircService_servers: [] # Example of `matrix_appservice_irc_ircService_servers` with one server (and all its options): diff --git a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml index bd08427c..e0e932bc 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml @@ -33,3 +33,23 @@ when: "item.old in vars" with_items: - {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': ''} + +- block: + - name: Check if a neDB database already exists + stat: + path: "{{ matrix_appservice_irc_data_path }}/" + register: matrix_appservice_irc_nedb_stat_result + + - name: Fail if an neDB database already exists when using Postgres + fail: + msg: >-2 + matrix_appservice_irc_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing neDB database in {{ matrix_appservice_irc_data_path }}/. + It appears that you've been using this bridge with the neDB engine until now. + To continue using neDB, opt into it explicitly: add `matrix_appservice_irc_database_engine: nedb` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing neDB database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the neDB database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_appservice_irc_data_path }} postgres_connection_string_variable_name=matrix_appservice_irc_database_connString'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_appservice_irc_nedb_stat_result.stat.exists" + when: "matrix_appservice_irc_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 index 83b71835..0da28403 100644 --- a/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 @@ -127,8 +127,8 @@ advanced: # Use an external database to store bridge state. database: # database engine (must be 'postgres' or 'nedb'). Default: nedb - engine: "postgres" + engine: {{ matrix_appservice_irc_database_engine }} # Either a PostgreSQL connection string, or a path to the NeDB storage directory. # For postgres, it must start with postgres:// # For NeDB, it must start with nedb://. The path is relative to the project directory. - connectionString: "postgres://matrix_appservice_irc:{{ matrix_addtional_databases | selectattr('name', 'equalto', 'matrix_appservice_irc') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_appservice_irc" + connectionString: {{ matrix_appservice_irc_database_connString | to_json }} diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index f2cfd8f9..e2127c29 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -45,6 +45,21 @@ matrix_appservice_slack_appservice_token: '' matrix_appservice_slack_homeserver_token: '' matrix_appservice_slack_id_token: '' +matrix_appservice_slack_database_engine: nedb +matrix_appservice_slack_database_username: matrix_appservice_slack +matrix_appservice_slack_database_password: ~ +matrix_appservice_slack_database_hostname: 'matrix-postgres' +matrix_appservice_slack_database_port: 5432 +matrix_appservice_slack_database_name: matrix_appservice_slack +matrix_appservice_slack_database_file: /data +matrix_appservice_slack_database_connString: >-2 + {%- if matrix_appservice_slack_database_engine == 'postgres' -%} + postgresql://{{ matrix_appservice_slack_database_username }}:{{ matrix_appservice_slack_database_password }}@{{ matrix_appservice_slack_database_hostname }}:{{ matrix_appservice_slack_database_port }}/{{ matrix_appservice_slack_database_name }}?sslmode=disable + {%- else if matrix_appservice_slack_database_engine == 'nedb' -%} + {{ matrix_appservice_slack_database_engine }}://{{ matrix_appservice_slack_database_file }} + {%- endif -%} + + matrix_appservice_slack_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" matrix_appservice_slack_configuration_extension_yaml: | diff --git a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml index 5da5f947..5421b112 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml @@ -9,4 +9,24 @@ - "matrix_appservice_slack_control_room_id" - "matrix_appservice_slack_appservice_token" - "matrix_appservice_slack_homeserver_token" - - "matrix_appservice_slack_id_token" \ No newline at end of file + - "matrix_appservice_slack_id_token" + +- block: + - name: Check if a neDB database already exists + stat: + path: "{{ matrix_appservice_slack_data_path }}/" + register: matrix_appservice_slack_nedb_stat_result + + - name: Fail if an neDB database already exists when using Postgres + fail: + msg: >-2 + matrix_appservice_slack_database_engine has been set to `postgres` (which is our new default now). + However, we've discovered an existing neDB database in {{ matrix_appservice_slack_data_path }}/. + It appears that you've been using this bridge with the neDB engine until now. + To continue using neDB, opt into it explicitly: add `matrix_appservice_slack_database_engine: nedb` to your vars.yml file and re-run this same command. + Alternatively, to migrate your existing neDB database to Postgres: + 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + 2. Import the neDB database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_appservice_slack_data_path }} postgres_connection_string_variable_name=matrix_appservice_slack_database_connString'`) + 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) + when: "matrix_appservice_slack_nedb_stat_result.stat.exists" + when: "matrix_appservice_slack_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 index 6c491134..0ae13738 100644 --- a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 @@ -9,9 +9,11 @@ homeserver: url: "{{ matrix_appservice_slack_homeserver_url }}" server_name: "{{ matrix_domain }}" +{% if matrix_appservice_slack_database_engine == 'nedb' %} dbdir: "/data" +{% endif %} db: - engine: "postgres" - connectionString: "postgresql://matrix_appservice_slack:{{ matrix_addtional_databases | selectattr('name', 'equalto', 'matrix_appservice_slack') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_appservice_slack" + engine: "{{ matrix_appservice_slack_database_engine }}" + connectionString: {{ matrix_appservice_slack_database_connString | to_json }} matrix_admin_room: "{{ matrix_appservice_slack_control_room_id }}" From bc376c2fb2f2da5172dfe6ef130317921a23070f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 15:55:35 +0200 Subject: [PATCH 1639/2384] Add database migration utility to matrix-postgres role --- .../tasks/util/migrate_db_to_postgres.yml | 111 ++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml new file mode 100644 index 00000000..ec635f99 --- /dev/null +++ b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml @@ -0,0 +1,111 @@ +--- + +- name: Fail if Postgres not enabled + fail: + msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot migrate." + when: "not matrix_postgres_enabled|bool" + +- name: Fail if util called incorrectly (missing matrix_postgres_db_migration_request) + fail: + msg: "The `matrix_postgres_db_migration_request` variable needs to be provided to this util." + when: "matrix_postgres_db_migration_request is not defined" + +- name: Fail if util called incorrectly (invalid matrix_postgres_db_migration_request) + fail: + msg: "The `matrix_postgres_db_migration_request` variable needs to contain `{{ item }}`." + with_items: + - src + - dst + - caller + - engine_variable_name + - systemd_services_to_stop + when: "item not in matrix_postgres_db_migration_request" + +- name: Check if the provided source database file exists + stat: + path: "{{ matrix_postgres_db_migration_request.src }}" + register: matrix_postgres_db_migration_request_src_stat_result + +- name: Fail if provided source database file doesn't exist + fail: + msg: "File cannot be found on the server at {{ matrix_postgres_db_migration_request.src }}" + when: "not matrix_postgres_db_migration_request_src_stat_result.stat.exists" + +- name: Fail if we cannot migrate on the current architecture ({{ matrix_architecture }}) + fail: + msg: >- + {{ matrix_postgres_db_migration_request.engine_variable_name }} has been set to `postgres` (which is our new default now). + However, we've discovered an existing file-based database ({{ matrix_postgres_db_migration_request.engine_old_default }}) in {{ matrix_postgres_db_migration_request.src }}. + It appears that you've been using this bridge with a file-based database engine until now. + To continue using {{ matrix_postgres_db_migration_request.engine_old_default }}, opt into it explicitly: add `{{ matrix_postgres_db_migration_request.engine_variable_name }}: {{ matrix_postgres_db_migration_request.engine_old_default }}` to your vars.yml file and re-run this same command. + We'd normally auto-migrate you to Postgres, but we can't do it on the {{ matrix_architecture }} architecture. Our pgloader container image only supports amd64 (for now). + Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/740 + when: "matrix_architecture != 'amd64'" + + +# Defaults + +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + +# Actual import work + +# matrix-postgres is most likely started already +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: matrix_postgres_service_start_result + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false + when: "matrix_postgres_service_start_result.changed|bool" + +# We only stop services here, leaving it to the caller to start them later. +# +# We can't start them, because they probably need to be reconfigured too (changing the configuration from using SQLite to Postgres, etc.), +# before starting. +# +# Since the caller will be starting them, it might make sense to leave stopping to it as well. +# However, we don't do it, because it's simpler having it here, and it also gets to happen only if we'll be doing an import. +# If we bailed out (somewhere above), nothing would have gotten stopped. It's nice to leave this running in such cases. +- name: Ensure systemd services stopped + service: + name: "{{ item }}" + state: stopped + with_items: "{{ matrix_postgres_db_migration_request.systemd_services_to_stop }}" + +- name: Import SQLite database from {{ matrix_postgres_db_migration_request.src }} into Postgres + command: + cmd: >- + {{ matrix_host_command_docker }} run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --mount type=bind,src={{ matrix_postgres_db_migration_request.src }},dst=/in.db,ro + --entrypoint=/bin/sh + {{ matrix_postgres_pgloader_docker_image }} + -c + 'pgloader /in.db {{ matrix_postgres_db_migration_request.dst }}' + +- name: Archive SQLite database ({{ matrix_postgres_db_migration_request.src }} -> {{ matrix_postgres_db_migration_request.src }}.backup) + command: + cmd: "mv {{ matrix_postgres_db_migration_request.src }} {{ matrix_postgres_db_migration_request.src }}.backup" + +- name: Inject result + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: Your {{ matrix_postgres_db_migration_request.engine_variable_name }} database file has been imported into Postgres. The original file has been moved from `{{ matrix_postgres_db_migration_request.src }}` to `{{ matrix_postgres_db_migration_request.src }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." + ] + }} From dc7850e83cc0d23f0f5b6085e8e974f6e89f0e0e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 16:03:03 +0200 Subject: [PATCH 1640/2384] Fix wording and variable names a bit --- .../tasks/util/migrate_db_to_postgres.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml index ec635f99..60539a91 100644 --- a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml +++ b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml @@ -35,9 +35,9 @@ fail: msg: >- {{ matrix_postgres_db_migration_request.engine_variable_name }} has been set to `postgres` (which is our new default now). - However, we've discovered an existing file-based database ({{ matrix_postgres_db_migration_request.engine_old_default }}) in {{ matrix_postgres_db_migration_request.src }}. + However, we've discovered an existing file-based database ({{ matrix_postgres_db_migration_request.engine_old }}) in {{ matrix_postgres_db_migration_request.src }}. It appears that you've been using this bridge with a file-based database engine until now. - To continue using {{ matrix_postgres_db_migration_request.engine_old_default }}, opt into it explicitly: add `{{ matrix_postgres_db_migration_request.engine_variable_name }}: {{ matrix_postgres_db_migration_request.engine_old_default }}` to your vars.yml file and re-run this same command. + To continue using {{ matrix_postgres_db_migration_request.engine_old }}, opt into it explicitly: add `{{ matrix_postgres_db_migration_request.engine_variable_name }}: {{ matrix_postgres_db_migration_request.engine_old }}` to your vars.yml file and re-run this same command. We'd normally auto-migrate you to Postgres, but we can't do it on the {{ matrix_architecture }} architecture. Our pgloader container image only supports amd64 (for now). Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/740 when: "matrix_architecture != 'amd64'" @@ -75,13 +75,13 @@ # Since the caller will be starting them, it might make sense to leave stopping to it as well. # However, we don't do it, because it's simpler having it here, and it also gets to happen only if we'll be doing an import. # If we bailed out (somewhere above), nothing would have gotten stopped. It's nice to leave this running in such cases. -- name: Ensure systemd services stopped +- name: Ensure systemd services blocking the database import are stopped service: name: "{{ item }}" state: stopped with_items: "{{ matrix_postgres_db_migration_request.systemd_services_to_stop }}" -- name: Import SQLite database from {{ matrix_postgres_db_migration_request.src }} into Postgres +- name: Import {{ matrix_postgres_db_migration_request.engine_old }} database from {{ matrix_postgres_db_migration_request.src }} into Postgres command: cmd: >- {{ matrix_host_command_docker }} run @@ -95,7 +95,7 @@ -c 'pgloader /in.db {{ matrix_postgres_db_migration_request.dst }}' -- name: Archive SQLite database ({{ matrix_postgres_db_migration_request.src }} -> {{ matrix_postgres_db_migration_request.src }}.backup) +- name: Archive {{ matrix_postgres_db_migration_request.engine_old }} database ({{ matrix_postgres_db_migration_request.src }} -> {{ matrix_postgres_db_migration_request.src }}.backup) command: cmd: "mv {{ matrix_postgres_db_migration_request.src }} {{ matrix_postgres_db_migration_request.src }}.backup" @@ -106,6 +106,6 @@ matrix_playbook_runtime_results|default([]) + [ - "NOTE: Your {{ matrix_postgres_db_migration_request.engine_variable_name }} database file has been imported into Postgres. The original file has been moved from `{{ matrix_postgres_db_migration_request.src }}` to `{{ matrix_postgres_db_migration_request.src }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." + "NOTE: Your {{ matrix_postgres_db_migration_request.engine_old }} database file has been imported into Postgres. The original database file has been moved from `{{ matrix_postgres_db_migration_request.src }}` to `{{ matrix_postgres_db_migration_request.src }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." ] }} From ac37091d01c4b38f59c1a57c7b83305bb335ae6d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 16:03:32 +0200 Subject: [PATCH 1641/2384] Enable automatic (SQLite -> Postgres) migration for matrix-reminder-bot --- .../tasks/setup_install.yml | 46 ++++++++++++------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index 4fbafa3a..fea1e00d 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -1,23 +1,29 @@ --- +- set_fact: + matrix_bot_matrix_reminder_bot_requires_restart: false + - block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }}" - register: matrix_bot_matrix_reminder_bot_sqlite_database_path_local_stat_result - - - name: Fail if an SQLite database already exists when using Postgres - fail: - msg: >- - matrix_bot_matrix_reminder_bot_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing SQLite database in {{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }}. - It appears that you've been using this bridge with the SQLite engine until now. - To continue using SQLite, opt into it explicitly: add `matrix_bot_matrix_reminder_bot_database_engine: sqlite` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing SQLite database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_bot_matrix_reminder_bot_database_connection_string'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_bot_matrix_reminder_bot_sqlite_database_path_local_stat_result.stat.exists" + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }}" + register: matrix_bot_matrix_reminder_bot_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }}" + dst: "{{ matrix_bot_matrix_reminder_bot_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_bot_matrix_reminder_bot_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-bot-matrix-reminder-bot.service'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_bot_matrix_reminder_bot_requires_restart: true + when: "matrix_bot_matrix_reminder_bot_sqlite_database_path_local_stat_result.stat.exists|bool" when: "matrix_bot_matrix_reminder_bot_database_engine == 'postgres'" - name: Ensure matrix-reminder-bot paths exist @@ -59,3 +65,9 @@ service: daemon_reload: yes when: "matrix_bot_matrix_reminder_bot_systemd_service_result.changed|bool" + +- name: Ensure matrix-bot-matrix-reminder-bot.service restarted, if necessary + service: + name: "matrix-bot-matrix-reminder-bot.service" + state: restarted + when: "matrix_bot_matrix_reminder_bot_requires_restart|bool" From c1431b28f0384002843b5a059f4fe11caa3d8a57 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 16:13:57 +0200 Subject: [PATCH 1642/2384] Make use of matrix_postgres_db_migration_request.caller --- roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml index 60539a91..b77ce4b0 100644 --- a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml +++ b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml @@ -34,7 +34,7 @@ - name: Fail if we cannot migrate on the current architecture ({{ matrix_architecture }}) fail: msg: >- - {{ matrix_postgres_db_migration_request.engine_variable_name }} has been set to `postgres` (which is our new default now). + {{ matrix_postgres_db_migration_request.engine_variable_name }} (part of {{ matrix_postgres_db_migration_request.caller }}) has been set to `postgres` (which is our new default now). However, we've discovered an existing file-based database ({{ matrix_postgres_db_migration_request.engine_old }}) in {{ matrix_postgres_db_migration_request.src }}. It appears that you've been using this bridge with a file-based database engine until now. To continue using {{ matrix_postgres_db_migration_request.engine_old }}, opt into it explicitly: add `{{ matrix_postgres_db_migration_request.engine_variable_name }}: {{ matrix_postgres_db_migration_request.engine_old }}` to your vars.yml file and re-run this same command. From bbc08722c5ba4c02e39f747e0631696022316321 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 16:14:23 +0200 Subject: [PATCH 1643/2384] Enable automatic (SQLite -> Postgres) migration for matrix-mautrix-facebook --- .../tasks/setup_install.yml | 46 ++++++++++++------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 1a0ff70c..7f310446 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -8,24 +8,30 @@ The matrix-bridge-mautrix-facebook role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- set_fact: + matrix_mautrix_facebook_requires_restart: false + - block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" - register: matrix_mautrix_facebook_sqlite_database_path_local_stat_result - - - name: Fail if an SQLite database already exists when using Postgres - fail: - msg: >- - matrix_mautrix_facebook_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing SQLite database in {{ matrix_mautrix_facebook_sqlite_database_path_local }}. - It appears that you've been using this bridge with the SQLite engine until now. - To continue using SQLite, opt into it explicitly: add `matrix_mautrix_facebook_database_engine: sqlite` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing SQLite database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_facebook_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_facebook_database_connection_string'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists" + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" + register: matrix_mautrix_facebook_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_facebook_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mautrix_facebook_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-facebook.service'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mautrix_facebook_requires_restart: true + when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists|bool" when: "matrix_mautrix_facebook_database_engine == 'postgres'" - name: Ensure Mautrix Facebook image is pulled @@ -114,3 +120,9 @@ service: daemon_reload: yes when: "matrix_mautrix_facebook_systemd_service_result.changed" + +- name: Ensure matrix-mautrix-facebook.service restarted, if necessary + service: + name: "matrix-mautrix-facebook.service" + state: restarted + when: "matrix_mautrix_facebook_requires_restart|bool" From 3ba852026663407c0db3707ee9a659e850186728 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 16:18:38 +0200 Subject: [PATCH 1644/2384] Enable automatic (SQLite -> Postgres) migration for matrix-mautrix-hangouts --- .../tasks/setup_install.yml | 46 ++++++++++++------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index 02c34357..15af9626 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -8,24 +8,30 @@ The matrix-bridge-mautrix-hangouts role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- set_fact: + matrix_mautrix_hangouts_requires_restart: false + - block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_mautrix_hangouts_sqlite_database_path_local }}" - register: matrix_mautrix_hangouts_sqlite_database_path_local_stat_result - - - name: Fail if an SQLite database already exists when using Postgres - fail: - msg: >- - matrix_mautrix_hangouts_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing SQLite database in {{ matrix_mautrix_hangouts_sqlite_database_path_local }}. - It appears that you've been using this bridge with the SQLite engine until now. - To continue using SQLite, opt into it explicitly: add `matrix_mautrix_hangouts_database_engine: sqlite` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing SQLite database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_hangouts_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_hangouts_database_connection_string'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_mautrix_hangouts_sqlite_database_path_local_stat_result.stat.exists" + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mautrix_hangouts_sqlite_database_path_local }}" + register: matrix_mautrix_hangouts_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mautrix_hangouts_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_hangouts_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mautrix_hangouts_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-hangouts.service'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mautrix_hangouts_requires_restart: true + when: "matrix_mautrix_hangouts_sqlite_database_path_local_stat_result.stat.exists|bool" when: "matrix_mautrix_hangouts_database_engine == 'postgres'" - name: Ensure Mautrix Hangouts image is pulled @@ -113,3 +119,9 @@ service: daemon_reload: yes when: "matrix_mautrix_hangouts_systemd_service_result.changed" + +- name: Ensure matrix-mautrix-hangouts.service restarted, if necessary + service: + name: "matrix-mautrix-hangouts.service" + state: restarted + when: "matrix_mautrix_hangouts_requires_restart|bool" From 86a8091768bbe8871212761c99de5aa734462039 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 16:19:54 +0200 Subject: [PATCH 1645/2384] Enable automatic (SQLite -> Postgres) migration for matrix-mautrix-telegram --- .../tasks/setup_install.yml | 46 ++++++++++++------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index d898c590..6a37974a 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -8,24 +8,30 @@ The matrix-bridge-mautrix-telegram role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- set_fact: + matrix_mautrix_telegram_requires_restart: false + - block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_mautrix_telegram_sqlite_database_path_local }}" - register: matrix_mautrix_telegram_sqlite_database_path_local_stat_result - - - name: Fail if an SQLite database already exists when using Postgres - fail: - msg: >- - matrix_mautrix_telegram_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing SQLite database in {{ matrix_mautrix_telegram_sqlite_database_path_local }}. - It appears that you've been using this bridge with the SQLite engine until now. - To continue using SQLite, opt into it explicitly: add `matrix_mautrix_telegram_database_engine: sqlite` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing SQLite database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_telegram_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_telegram_database_connection_string'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_mautrix_telegram_sqlite_database_path_local_stat_result.stat.exists" + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mautrix_telegram_sqlite_database_path_local }}" + register: matrix_mautrix_telegram_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mautrix_telegram_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_telegram_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mautrix_telegram_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-telegram.service'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mautrix_telegram_requires_restart: true + when: "matrix_mautrix_telegram_sqlite_database_path_local_stat_result.stat.exists|bool" when: "matrix_mautrix_telegram_database_engine == 'postgres'" - name: Ensure Mautrix Telegram image is pulled @@ -91,3 +97,9 @@ service: daemon_reload: yes when: "matrix_mautrix_telegram_systemd_service_result.changed" + +- name: Ensure matrix-mautrix-telegram.service restarted, if necessary + service: + name: "matrix-mautrix-telegram.service" + state: restarted + when: "matrix_mautrix_telegram_requires_restart|bool" From 13f84e2ad588668f26010e8f8de07f35c6527e97 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 16:21:01 +0200 Subject: [PATCH 1646/2384] Enable automatic (SQLite -> Postgres) migration for matrix-mautrix-whatsapp --- .../tasks/setup_install.yml | 46 ++++++++++++------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 9521e0a5..8d894a84 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -8,24 +8,30 @@ The matrix-bridge-mautrix-whatsapp role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- set_fact: + matrix_mautrix_whatsapp_requires_restart: false + - block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_mautrix_whatsapp_sqlite_database_path_local }}" - register: matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result - - - name: Fail if an SQLite database already exists when using Postgres - fail: - msg: >- - matrix_mautrix_whatsapp_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing SQLite database in {{ matrix_mautrix_whatsapp_sqlite_database_path_local }}. - It appears that you've been using this bridge with the SQLite engine until now. - To continue using SQLite, opt into it explicitly: add `matrix_mautrix_whatsapp_database_engine: sqlite` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing SQLite database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mautrix_whatsapp_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_mautrix_whatsapp_database_connection_string'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result.stat.exists" + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mautrix_whatsapp_sqlite_database_path_local }}" + register: matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mautrix_whatsapp_sqlite_database_path_local }}" + dst: "{{ matrix_mautrix_whatsapp_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mautrix_whatsapp_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mautrix-whatsapp.service'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mautrix_whatsapp_requires_restart: true + when: "matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result.stat.exists|bool" when: "matrix_mautrix_whatsapp_database_engine == 'postgres'" - name: Ensure Mautrix Whatsapp image is pulled @@ -100,3 +106,9 @@ service: daemon_reload: yes when: "matrix_mautrix_whatsapp_systemd_service_result.changed" + +- name: Ensure matrix-mautrix-whatsapp.service restarted, if necessary + service: + name: "matrix-mautrix-whatsapp.service" + state: restarted + when: "matrix_mautrix_whatsapp_requires_restart|bool" From cba973d6b555b9288e8791eecb601c4e80aba4f6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 16:24:56 +0200 Subject: [PATCH 1647/2384] Enable automatic (SQLite -> Postgres) migration for matrix-appservice-discord --- .../tasks/setup_install.yml | 46 ++++++++++++------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index a9d8da4c..8bf50e28 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -1,23 +1,29 @@ --- +- set_fact: + matrix_appservice_discord_requires_restart: false + - block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_appservice_discord_sqlite_database_path_local }}" - register: matrix_appservice_discord_sqlite_database_path_local_stat_result - - - name: Fail if an SQLite database already exists when using Postgres - fail: - msg: >- - matrix_appservice_discord_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing SQLite database in {{ matrix_appservice_discord_sqlite_database_path_local }}. - It appears that you've been using this bridge with the SQLite engine until now. - To continue using SQLite, opt into it explicitly: add `matrix_appservice_discord_database_engine: sqlite` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing SQLite database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_appservice_discord_sqlite_database_path_local }} postgres_connection_string_variable_name=matrix_appservice_discord_database_connString'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_appservice_discord_sqlite_database_path_local_stat_result.stat.exists" + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_appservice_discord_sqlite_database_path_local }}" + register: matrix_appservice_discord_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_appservice_discord_sqlite_database_path_local }}" + dst: "{{ matrix_appservice_discord_database_connString }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_appservice_discord_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-appservice-discord.service'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_appservice_discord_requires_restart: true + when: "matrix_appservice_discord_sqlite_database_path_local_stat_result.stat.exists|bool" when: "matrix_appservice_discord_database_engine == 'postgres'" - name: Ensure Appservice Discord image is pulled @@ -100,3 +106,9 @@ service: daemon_reload: yes when: "matrix_appservice_discord_systemd_service_result.changed" + +- name: Ensure matrix-appservice-discord.service restarted, if necessary + service: + name: "matrix-appservice-discord.service" + state: restarted + when: "matrix_appservice_discord_requires_restart|bool" From 7248eb3c11d77303dbc395f03c2aeb8ed85e4639 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 16:25:44 +0200 Subject: [PATCH 1648/2384] Fix syntax error in roles/matrix-bridge-appservice-irc/defaults/main.yml --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index a1c76253..bf23b0ab 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -22,7 +22,7 @@ matrix_appservice_irc_database_password: ~ matrix_appservice_irc_database_hostname: 'matrix-postgres' matrix_appservice_irc_database_port: 5432 matrix_appservice_irc_database_name: matrix_appservice_irc -matrix_appservice_irc_databasa + matrix_appservice_irc_database_connString: >-2 {%- if matrix_appservice_irc_database_engine == 'postgres' -%} postgresql://{{ matrix_appservice_irc_database_username }}:{{ matrix_appservice_irc_database_password }}@{{ matrix_appservice_irc_database_hostname }}:{{ matrix_appservice_irc_database_port }}/{{ matrix_appservice_irc_database_name }}?sslmode=disable From 0ca48f3532d211df9e44c67d9661a95420701660 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 16:57:51 +0200 Subject: [PATCH 1649/2384] Separate matrix-ma1sd install/uninstall tasks --- roles/matrix-ma1sd/tasks/main.yml | 9 ++- .../{setup_ma1sd.yml => setup_install.yml} | 57 ++----------------- roles/matrix-ma1sd/tasks/setup_uninstall.yml | 35 ++++++++++++ 3 files changed, 48 insertions(+), 53 deletions(-) rename roles/matrix-ma1sd/tasks/{setup_ma1sd.yml => setup_install.yml} (69%) create mode 100644 roles/matrix-ma1sd/tasks/setup_uninstall.yml diff --git a/roles/matrix-ma1sd/tasks/main.yml b/roles/matrix-ma1sd/tasks/main.yml index f5ac34d6..0b8a114e 100644 --- a/roles/matrix-ma1sd/tasks/main.yml +++ b/roles/matrix-ma1sd/tasks/main.yml @@ -8,7 +8,14 @@ - setup-all - setup-ma1sd -- import_tasks: "{{ role_path }}/tasks/setup_ma1sd.yml" +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_ma1sd_enabled|bool" + tags: + - setup-all + - setup-ma1sd + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_ma1sd_enabled|bool" tags: - setup-all - setup-ma1sd diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_install.yml similarity index 69% rename from roles/matrix-ma1sd/tasks/setup_ma1sd.yml rename to roles/matrix-ma1sd/tasks/setup_install.yml index 46acb428..aa11ae7a 100644 --- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -1,9 +1,5 @@ --- -# -# Tasks related to setting up ma1sd -# - - name: Ensure ma1sd paths exist file: path: "{{ item.path }}" @@ -15,10 +11,9 @@ - { path: "{{ matrix_ma1sd_config_path }}", when: true } - { path: "{{ matrix_ma1sd_data_path }}", when: true } - { path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"} - when: matrix_ma1sd_enabled|bool and item.when + when: "item.when|bool" - import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml" - when: matrix_ma1sd_enabled|bool - name: Ensure ma1sd image is pulled docker_image: @@ -26,7 +21,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_ma1sd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ma1sd_docker_image_force_pull }}" - when: matrix_ma1sd_enabled|bool and not matrix_ma1sd_container_image_self_build + when: "not matrix_ma1sd_container_image_self_build|bool" - block: - name: Ensure gradle is installed for self-building (Debian) @@ -72,7 +67,7 @@ repository: "{{ matrix_ma1sd_docker_image }}" force_tag: yes source: local - when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_container_image_self_build" + when: "matrix_ma1sd_container_image_self_build|bool" - name: Ensure ma1sd config installed copy: @@ -81,7 +76,6 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_ma1sd_enabled|bool - name: Ensure custom templates are installed if any copy: @@ -95,7 +89,7 @@ - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'} - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} - when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value" + when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value" - name: Ensure matrix-ma1sd.service installed template: @@ -103,49 +97,8 @@ dest: "{{ matrix_systemd_path }}/matrix-ma1sd.service" mode: 0644 register: matrix_ma1sd_systemd_service_result - when: matrix_ma1sd_enabled|bool - name: Ensure systemd reloaded after matrix-ma1sd.service installation service: daemon_reload: yes - when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_systemd_service_result.changed" - -# -# Tasks related to getting rid of ma1sd (if it was previously enabled) -# - -- name: Check existence of matrix-ma1sd service - stat: - path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" - register: matrix_ma1sd_service_stat - -- name: Ensure matrix-ma1sd is stopped - service: - name: matrix-ma1sd - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists" - -- name: Ensure matrix-ma1sd.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" - state: absent - when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-ma1sd.service removal - service: - daemon_reload: yes - when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists" - -- name: Ensure Matrix ma1sd paths don't exist - file: - path: "{{ matrix_ma1sd_base_path }}" - state: absent - when: "not matrix_ma1sd_enabled|bool" - -- name: Ensure ma1sd Docker image doesn't exist - docker_image: - name: "{{ matrix_ma1sd_docker_image }}" - state: absent - when: "not matrix_ma1sd_enabled|bool" + when: "matrix_ma1sd_systemd_service_result.changed|bool" diff --git a/roles/matrix-ma1sd/tasks/setup_uninstall.yml b/roles/matrix-ma1sd/tasks/setup_uninstall.yml new file mode 100644 index 00000000..b36ab508 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-ma1sd service + stat: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + register: matrix_ma1sd_service_stat + +- name: Ensure matrix-ma1sd is stopped + service: + name: matrix-ma1sd + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_ma1sd_service_stat.stat.exists|bool" + +- name: Ensure matrix-ma1sd.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + state: absent + when: "matrix_ma1sd_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-ma1sd.service removal + service: + daemon_reload: yes + when: "matrix_ma1sd_service_stat.stat.exists|bool" + +- name: Ensure Matrix ma1sd paths don't exist + file: + path: "{{ matrix_ma1sd_base_path }}" + state: absent + +- name: Ensure ma1sd Docker image doesn't exist + docker_image: + name: "{{ matrix_ma1sd_docker_image }}" + state: absent From af3ea67bbaa699ad6f03db6633f1dd1902ab9290 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 17:16:25 +0200 Subject: [PATCH 1650/2384] Add (SQLite + Postgres) support and automatic migration to matrix-ma1sd --- group_vars/matrix_servers | 10 ++++++ roles/matrix-ma1sd/defaults/main.yml | 22 ++++++++++++ roles/matrix-ma1sd/tasks/setup_install.yml | 36 +++++++++++++++++++ roles/matrix-ma1sd/templates/ma1sd.yaml.j2 | 16 +++++++-- .../tasks/util/migrate_db_to_postgres.yml | 2 +- 5 files changed, 82 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d6d6cc4a..735d1324 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -835,6 +835,10 @@ matrix_ma1sd_systemd_wanted_services_list: | (['matrix-mailer.service'] if matrix_mailer_enabled else []) }} +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_ma1sd_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ma1sd.db') | to_uuid }}" + ###################################################################### # # /matrix-ma1sd @@ -953,6 +957,12 @@ matrix_postgres_db_name: "homeserver" matrix_postgres_additional_databases: | {{ + ([{ + 'name': matrix_ma1sd_database_db_name, + 'username': matrix_ma1sd_database_username, + 'password': matrix_ma1sd_database_password, + }] if (matrix_ma1sd_enabled and matrix_ma1sd_database_engine == 'postgres' and matrix_ma1sd_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_bot_matrix_reminder_bot_database_db_name, 'username': matrix_bot_matrix_reminder_bot_database_username, diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index f7a0782d..42e36e92 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -39,6 +39,28 @@ matrix_ma1sd_systemd_wanted_services_list: [] # Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups matrix_ma1sd_matrixorg_forwarding_enabled: false + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_ma1sd_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_ma1sd_postgres_*` variables +matrix_ma1sd_database_engine: 'sqlite' + +matrix_ma1sd_sqlite_database_path_local: "{{ matrix_ma1sd_data_path }}/ma1sd.db" +matrix_ma1sd_sqlite_database_path_in_container: "/var/ma1sd/ma1sd.db" + +matrix_ma1sd_database_username: 'matrix_ma1sd' +matrix_ma1sd_database_password: 'some-password' +matrix_ma1sd_database_hostname: 'matrix-postgres' +matrix_ma1sd_database_port: 5432 +matrix_ma1sd_database_db_name: 'matrix_ma1sd' + +matrix_ma1sd_database_connection_string: 'postgresql://{{ matrix_ma1sd_database_username }}:{{ matrix_ma1sd_database_password }}@{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_db_name }}' + + # ma1sd has serveral supported identity stores. # One of them is storing identities directly in Synapse's database. # Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml index aa11ae7a..9ae5f077 100644 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -15,6 +15,36 @@ - import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml" + +# These (SQLite -> Postgres) migration tasks are usually at the top, +# but we'd like to run them after `migrate_mxisd.yml`, which requires the ma1sd paths to exist. +- set_fact: + matrix_ma1sd_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_ma1sd_sqlite_database_path_local }}" + register: matrix_ma1sd_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_ma1sd_sqlite_database_path_local }}" + dst: "{{ matrix_ma1sd_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_ma1sd_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-ma1sd.service'] + pgloader_options: ['--with "quote identifiers"'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_ma1sd_requires_restart: true + when: "matrix_ma1sd_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_ma1sd_database_engine == 'postgres'" + - name: Ensure ma1sd image is pulled docker_image: name: "{{ matrix_ma1sd_docker_image }}" @@ -102,3 +132,9 @@ service: daemon_reload: yes when: "matrix_ma1sd_systemd_service_result.changed|bool" + +- name: Ensure matrix-ma1sd.service restarted, if necessary + service: + name: "matrix-ma1sd.service" + state: restarted + when: "matrix_ma1sd_requires_restart|bool" diff --git a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 index 84585707..43b4022d 100644 --- a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 +++ b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 @@ -11,9 +11,19 @@ key: path: /var/ma1sd/sign.key storage: - provider: - sqlite: - database: /var/ma1sd/ma1sd.db + {% if matrix_ma1sd_database_engine == 'sqlite' %} + backend: sqlite + provider: + sqlite: + database: {{ matrix_ma1sd_sqlite_database_path_in_container|to_json }} + {% elif matrix_ma1sd_database_engine == 'postgres' %} + backend: postgresql + provider: + postgresql: + database: //{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_db_name }} + username: {{ matrix_ma1sd_database_username|to_json }} + password: {{ matrix_ma1sd_database_password|to_json }} + {% endif %} {% if matrix_ma1sd_dns_overwrite_enabled %} dns: diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml index b77ce4b0..5d917538 100644 --- a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml +++ b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml @@ -93,7 +93,7 @@ --entrypoint=/bin/sh {{ matrix_postgres_pgloader_docker_image }} -c - 'pgloader /in.db {{ matrix_postgres_db_migration_request.dst }}' + 'pgloader {{ matrix_postgres_db_migration_request.pgloader_options|default([])|join(' ') }} /in.db {{ matrix_postgres_db_migration_request.dst }}' - name: Archive {{ matrix_postgres_db_migration_request.engine_old }} database ({{ matrix_postgres_db_migration_request.src }} -> {{ matrix_postgres_db_migration_request.src }}.backup) command: From 3ab7dd1abe07574085da2705b3f79ca6773c4f29 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 17:22:31 +0200 Subject: [PATCH 1651/2384] Potentially add matrix-postgres.service as required for bridges, etc. --- group_vars/matrix_servers | 41 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 735d1324..1223d8a6 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -61,6 +61,8 @@ matrix_appservice_discord_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.as.token') | to_uuid }}" @@ -207,6 +209,8 @@ matrix_mautrix_facebook_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} matrix_mautrix_facebook_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.as.token') | to_uuid }}" @@ -244,6 +248,8 @@ matrix_mautrix_hangouts_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} matrix_mautrix_hangouts_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.as.token') | to_uuid }}" @@ -282,6 +288,8 @@ matrix_mautrix_telegram_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} matrix_mautrix_telegram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.as.token') | to_uuid }}" @@ -318,6 +326,8 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} matrix_mautrix_whatsapp_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}" @@ -378,6 +388,8 @@ matrix_mx_puppet_skype_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}" @@ -413,6 +425,8 @@ matrix_mx_puppet_slack_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" @@ -447,6 +461,8 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} matrix_mx_puppet_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" @@ -484,6 +500,8 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} matrix_mx_puppet_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" @@ -518,6 +536,8 @@ matrix_mx_puppet_discord_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} matrix_mx_puppet_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" @@ -552,6 +572,8 @@ matrix_mx_puppet_steam_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} matrix_mx_puppet_steam_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" @@ -580,6 +602,13 @@ matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key # We don't enable bots by default. matrix_bot_matrix_reminder_bot_enabled: false +matrix_bot_matrix_reminder_bot_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + }} + # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" @@ -678,6 +707,13 @@ matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}" matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}" +matrix_dimension_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + }} + # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.dimension.db') | to_uuid }}" @@ -826,6 +862,11 @@ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0 matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_ma1sd_systemd_required_services_list: | + {{ + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + }} + matrix_ma1sd_systemd_wanted_services_list: | {{ (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) From 13d8a9b39c1a5c5a225ad2c82d1a876210e341c0 Mon Sep 17 00:00:00 2001 From: transcaffeine Date: Mon, 14 Dec 2020 16:27:06 +0100 Subject: [PATCH 1652/2384] hint supported automatic migration nedb->postgres --- .../tasks/validate_config.yml | 2 +- roles/matrix-postgres/tasks/import_nedb.yml | 117 ++++++++++++++++++ roles/matrix-postgres/tasks/main.yml | 16 +++ 3 files changed, 134 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-postgres/tasks/import_nedb.yml diff --git a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml index e0e932bc..9b89a340 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml @@ -49,7 +49,7 @@ To continue using neDB, opt into it explicitly: add `matrix_appservice_irc_database_engine: nedb` to your vars.yml file and re-run this same command. Alternatively, to migrate your existing neDB database to Postgres: 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the neDB database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_appservice_irc_data_path }} postgres_connection_string_variable_name=matrix_appservice_irc_database_connString'`) + 2. Import the neDB database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-irc-nedb --extra-vars='nedb_database_path={{ matrix_appservice_irc_data_path }} postgres_connection_string_variable_name=matrix_appservice_irc_database_connString'`) 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) when: "matrix_appservice_irc_nedb_stat_result.stat.exists" when: "matrix_appservice_irc_database_engine == 'postgres'" diff --git a/roles/matrix-postgres/tasks/import_nedb.yml b/roles/matrix-postgres/tasks/import_nedb.yml new file mode 100644 index 00000000..cc1f9d78 --- /dev/null +++ b/roles/matrix-postgres/tasks/import_nedb.yml @@ -0,0 +1,117 @@ +--- + +# Pre-checks + +- name: Fail if Postgres not enabled + fail: + msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." + when: "not matrix_postgres_enabled|bool" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `nedb_database_path` variable needs to be provided to this playbook, via --extra-vars" + when: "nedb_database_path is not defined or nedb_database_path.startswith('<')" + +- name: Check if the provided nedb database file exists + stat: + path: "{{ nedb_database_path }}" + register: nedb_database_path_stat_result + +- name: Fail if provided SQLite database file doesn't exist + fail: + msg: "File cannot be found on the server at {{ nedb_database_path }}" + when: "not nedb_database_path_stat_result.stat.exists" + +# We either expect `postgres_db_connection_string` specifying a full Postgres database connection string, +# or `postgres_connection_string_variable_name`, specifying a name of a variable, which contains a valid connection string. + +- block: + - name: Fail if postgres_connection_string_variable_name points to an undefined variable + fail: msg="postgres_connection_string_variable_name is defined, but there is no variable with the name `{{ postgres_connection_string_variable_name }}`" + when: "postgres_connection_string_variable_name not in vars" + + - name: Get Postgres connection string from variable + set_fact: + postgres_db_connection_string: "{{ lookup('vars', postgres_connection_string_variable_name) }}" + when: 'postgres_connection_string_variable_name is defined' + +- name: Fail if playbook called incorrectly + fail: + msg: >- + Either a `postgres_db_connection_string` variable or a `postgres_connection_string_variable_name` needs to be provided to this playbook, via `--extra-vars`. + Example: `--extra-vars="postgres_db_connection_string=postgresql://username:password@localhost:/database_name"` or `--extra-vars="postgres_connection_string_variable_name=matrix_appservice_discord_database_connString"` + when: "postgres_db_connection_string is not defined or not postgres_db_connection_string.startswith('postgresql://')" + + +# Defaults + +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + + +# Actual import work + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: matrix_postgres_service_start_result + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false + when: "matrix_postgres_service_start_result.changed|bool" + +# See https://github.com/matrix-org/matrix-appservice-irc/wiki/Migrating-from-NEdB-to-PostgreSQL +- name: Import appservice_irc NeDB database from {{ sqlite_database_path }} into Postgres + when: database == 'appservice_irc' + command: + cmd: >- + {{ matrix_host_command_docker }} run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --mount type=bind,src={{ matrix_appservice_irc_data_path }}:/data:ro + --entrypoint=/bin/sh + {{ matrix_appservice_irc_docker_image }} + -c + './scripts/migrate-db-to-pgres.sh -d /data -p passkey.pem -c {{ postgres_db_connection_string }}' + +# No migration.sh available, but found this: +# https://github.com/matrix-org/matrix-appservice-slack/blob/develop/src/scripts/migrateToPostgres.ts +# Usage should be similar to appservice_irc +- name: Import appservice_slack NeDB database from {{ sqlite_database_path }} into Postgres + when: database == 'appservice_slack' + command: + cmd: >- + {{ matrix_host_command_docker }} run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --mount type=bind,src={{ matrix_appservice_irc_data_path }}:/data:ro + --entrypoint=/bin/sh + {{ matrix_appservice_slack_docker_image }} + -c + 'node /lib/scripts/migrate-db-to-pgres.js -d /data -p passkey.pem -c {{ postgres_db_connection_string }}' + +- name: Archive NeDB database ({{ sqlite_database_path }} -> {{ sqlite_database_path }}.backup) + command: + cmd: "mv {{ sqlite_database_path }} {{ sqlite_database_path }}.backup" + +- name: Inject result + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: Your NeDB database file has been imported into Postgres. The original directory has been moved from `{{ nedb_database_path }}` to `{{ nedb_database_path }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." + ] + }} diff --git a/roles/matrix-postgres/tasks/main.yml b/roles/matrix-postgres/tasks/main.yml index b9c2ae7c..51801314 100644 --- a/roles/matrix-postgres/tasks/main.yml +++ b/roles/matrix-postgres/tasks/main.yml @@ -32,6 +32,22 @@ tags: - import-generic-sqlite-db +# Imports appservice-irc NeDB into postgres +- import_tasks: "{{ role_path }}/tasks/import_nedb.yml" + vars: + database: appservice_irc + when: run_postgres_import_nedb|bool + tags: + - import-irc-nedb + +# Imports slacks neDB to postgres. +- import_tasks: "{{ role_path }}/tasks/import_nedb.yml" + vars: + database: appservice_slack + when: run_postgres_import_nedb|bool + tags: + - import-slack-nedb + - import_tasks: "{{ role_path }}/tasks/upgrade_postgres.yml" when: run_postgres_upgrade|bool tags: From 516ccb2b2b3eee4d110a6056302d80dcf902f03a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 18:12:03 +0200 Subject: [PATCH 1653/2384] Separate matrix-registration install/uninstall tasks --- roles/matrix-registration/tasks/main.yml | 9 +++- .../tasks/{setup.yml => setup_install.yml} | 50 ++----------------- .../tasks/setup_uninstall.yml | 30 +++++++++++ 3 files changed, 43 insertions(+), 46 deletions(-) rename roles/matrix-registration/tasks/{setup.yml => setup_install.yml} (57%) create mode 100644 roles/matrix-registration/tasks/setup_uninstall.yml diff --git a/roles/matrix-registration/tasks/main.yml b/roles/matrix-registration/tasks/main.yml index 4a884ccd..4fef6abe 100644 --- a/roles/matrix-registration/tasks/main.yml +++ b/roles/matrix-registration/tasks/main.yml @@ -8,7 +8,14 @@ - setup-all - setup-matrix-registration -- import_tasks: "{{ role_path }}/tasks/setup.yml" +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_registration_enabled|bool" + tags: + - setup-all + - setup-matrix-registration + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_registration_enabled|bool" tags: - setup-all - setup-matrix-registration diff --git a/roles/matrix-registration/tasks/setup.yml b/roles/matrix-registration/tasks/setup_install.yml similarity index 57% rename from roles/matrix-registration/tasks/setup.yml rename to roles/matrix-registration/tasks/setup_install.yml index dfe1ba8b..77c35581 100644 --- a/roles/matrix-registration/tasks/setup.yml +++ b/roles/matrix-registration/tasks/setup_install.yml @@ -1,9 +1,5 @@ --- -# -# Tasks related to setting up matrix-registration -# - - name: Ensure matrix-registration paths exist file: path: "{{ item.path }}" @@ -16,7 +12,7 @@ - { path: "{{ matrix_registration_config_path }}", when: true } - { path: "{{ matrix_registration_data_path }}", when: true } - { path: "{{ matrix_registration_docker_src_files_path }}", when: "{{ matrix_registration_container_image_self_build }}"} - when: matrix_registration_enabled|bool and item.when + when: "item.when|bool" - name: Ensure matrix-registration image is pulled docker_image: @@ -24,7 +20,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_registration_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_registration_docker_image_force_pull }}" - when: "matrix_registration_enabled|bool and not matrix_registration_container_image_self_build|bool" + when: "not matrix_registration_container_image_self_build|bool" - name: Ensure matrix-registration repository is present when self-building git: @@ -33,7 +29,7 @@ version: "{{ matrix_registration_container_image_self_build_branch }}" force: "yes" register: matrix_registration_git_pull_results - when: "matrix_registration_enabled|bool and matrix_registration_container_image_self_build|bool" + when: "matrix_registration_container_image_self_build|bool" - name: Ensure matrix-registration Docker image is built docker_image: @@ -44,7 +40,7 @@ dockerfile: Dockerfile path: "{{ matrix_registration_docker_src_files_path }}" pull: yes - when: "matrix_registration_enabled|bool and matrix_registration_container_image_self_build|bool" + when: "matrix_registration_container_image_self_build|bool" - name: Ensure matrix-registration config installed copy: @@ -53,7 +49,6 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_registration_enabled|bool - name: Ensure matrix-registration.service installed template: @@ -61,43 +56,8 @@ dest: "{{ matrix_systemd_path }}/matrix-registration.service" mode: 0644 register: matrix_registration_systemd_service_result - when: matrix_registration_enabled|bool - name: Ensure systemd reloaded after matrix-registration.service installation service: daemon_reload: yes - when: "matrix_registration_enabled|bool and matrix_registration_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-registration (if it was previously enabled) -# - -- name: Check existence of matrix-registration service - stat: - path: "{{ matrix_systemd_path }}/matrix-registration.service" - register: matrix_registration_service_stat - -- name: Ensure matrix-registration is stopped - service: - name: matrix-registration - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_registration_enabled|bool and matrix_registration_service_stat.stat.exists" - -- name: Ensure matrix-registration.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-registration.service" - state: absent - when: "not matrix_registration_enabled|bool and matrix_registration_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-registration.service removal - service: - daemon_reload: yes - when: "not matrix_registration_enabled|bool and matrix_registration_service_stat.stat.exists" - -- name: Ensure matrix-registration Docker image doesn't exist - docker_image: - name: "{{ matrix_registration_docker_image }}" - state: absent - when: "not matrix_registration_enabled|bool" + when: "matrix_registration_systemd_service_result.changed|bool" diff --git a/roles/matrix-registration/tasks/setup_uninstall.yml b/roles/matrix-registration/tasks/setup_uninstall.yml new file mode 100644 index 00000000..573f8170 --- /dev/null +++ b/roles/matrix-registration/tasks/setup_uninstall.yml @@ -0,0 +1,30 @@ +--- + +- name: Check existence of matrix-registration service + stat: + path: "{{ matrix_systemd_path }}/matrix-registration.service" + register: matrix_registration_service_stat + +- name: Ensure matrix-registration is stopped + service: + name: matrix-registration + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_registration_service_stat.stat.exists|bool" + +- name: Ensure matrix-registration.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-registration.service" + state: absent + when: "matrix_registration_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-registration.service removal + service: + daemon_reload: yes + when: "matrix_registration_service_stat.stat.exists|bool" + +- name: Ensure matrix-registration Docker image doesn't exist + docker_image: + name: "{{ matrix_registration_docker_image }}" + state: absent From 8d7459387895a6a3c14ef4c1a751353c740c5a9d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 18:58:37 +0200 Subject: [PATCH 1654/2384] Prepare matrix-registation for (SQLite + Postgres) support Auto-migration and everything seems to work. It's just that matrix-registration cannot load the Python modules required for talking to a Postgres database. Tracked here: https://github.com/ZerataX/matrix-registration/issues/44 Until this gets fixed, we'll continue default to 'sqlite'. --- group_vars/matrix_servers | 18 +++++++++++ roles/matrix-registration/defaults/main.yml | 30 +++++++++++++++++ .../tasks/setup_install.yml | 32 +++++++++++++++++++ .../tasks/validate_config.yml | 7 ++++ .../templates/config.yaml.j2 | 2 +- 5 files changed, 88 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1223d8a6..ad62a86e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1010,6 +1010,12 @@ matrix_postgres_additional_databases: | 'password': matrix_bot_matrix_reminder_bot_database_password, }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_registration_database_db_name, + 'username': matrix_registration_database_username, + 'password': matrix_registration_database_password, + }] if (matrix_registration_enabled and matrix_registration_database_engine == 'postgres' and matrix_registration_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_appservice_discord_database_db_name, 'username': matrix_appservice_discord_database_username, @@ -1291,6 +1297,18 @@ matrix_registration_api_validate_certs: "{{ false if matrix_ssl_retrieval_method matrix_registration_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" +matrix_registration_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + }} + +# We'd like to use 'postgres' if matrix_postgres_enabled, but the container image doesn't seem to support that. +# Learn more here: https://github.com/ZerataX/matrix-registration/issues/44 +matrix_registration_database_engine: 'sqlite' +matrix_registration_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx.registr.db') | to_uuid }}" + ###################################################################### # # /matrix-registration diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index 95147665..5afe4dee 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -32,6 +32,36 @@ matrix_registration_systemd_wanted_services_list: [] # Takes an ":" or "" value (e.g. "127.0.0.1:8767"), or empty string to not expose. matrix_registration_container_http_host_bind_port: '' +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_registration_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_registration_postgres_*` variables +matrix_registration_database_engine: 'sqlite' + +matrix_registration_sqlite_database_path_local: "{{ matrix_registration_data_path }}/db.sqlite3" +matrix_registration_sqlite_database_path_in_container: "/data/db.sqlite3" + +matrix_registration_database_username: 'matrix_registration' +matrix_registration_database_password: 'some-password' +matrix_registration_database_hostname: 'matrix-postgres' +matrix_registration_database_port: 5432 +matrix_registration_database_db_name: 'matrix_registration' + +matrix_registration_database_connection_string: 'postgresql://{{ matrix_registration_database_username }}:{{ matrix_registration_database_password }}@{{ matrix_registration_database_hostname }}:{{ matrix_registration_database_port }}/{{ matrix_registration_database_db_name }}' + +# For some reason, matrix-registraiton expects the `db` field to be like this: `sqlite:////data/db.sqlite3`. +# (seems like one too many slashes, but..) +matrix_registration_db: "{{ + { + 'sqlite': ('sqlite:///' + matrix_registration_sqlite_database_path_in_container), + 'postgres': matrix_registration_database_connection_string, + }[matrix_registration_database_engine] +}}" + + # The path at which Matrix Registration will be exposed on `matrix.DOMAIN` # (only applies when matrix-nginx-proxy is used). matrix_registration_public_endpoint: /matrix-registration diff --git a/roles/matrix-registration/tasks/setup_install.yml b/roles/matrix-registration/tasks/setup_install.yml index 77c35581..489bab8b 100644 --- a/roles/matrix-registration/tasks/setup_install.yml +++ b/roles/matrix-registration/tasks/setup_install.yml @@ -1,5 +1,31 @@ --- +- set_fact: + matrix_registration_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_registration_sqlite_database_path_local }}" + register: matrix_registration_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_registration_sqlite_database_path_local }}" + dst: "{{ matrix_registration_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_registration_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-registration.service'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_registration_requires_restart: true + when: "matrix_registration_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_registration_database_engine == 'postgres'" + - name: Ensure matrix-registration paths exist file: path: "{{ item.path }}" @@ -61,3 +87,9 @@ service: daemon_reload: yes when: "matrix_registration_systemd_service_result.changed|bool" + +- name: Ensure matrix-registration.service restarted, if necessary + service: + name: "matrix-registration.service" + state: restarted + when: "matrix_registration_requires_restart|bool" diff --git a/roles/matrix-registration/tasks/validate_config.yml b/roles/matrix-registration/tasks/validate_config.yml index 90466b46..80293bcb 100644 --- a/roles/matrix-registration/tasks/validate_config.yml +++ b/roles/matrix-registration/tasks/validate_config.yml @@ -18,3 +18,10 @@ when: "item.old in vars" with_items: - {'old': 'matrix_registration_docker_repo', 'new': 'matrix_registration_container_image_self_build_repo'} + +- name: Fail if Postgres usage attempted + fail: + msg: > + matrix-registration doesn't support using Postgres just yet. + Learn more here: https://github.com/ZerataX/matrix-registration/issues/44 + when: "matrix_registration_database_engine == 'postgres'" diff --git a/roles/matrix-registration/templates/config.yaml.j2 b/roles/matrix-registration/templates/config.yaml.j2 index f3b1c57b..ae0ba5ff 100644 --- a/roles/matrix-registration/templates/config.yaml.j2 +++ b/roles/matrix-registration/templates/config.yaml.j2 @@ -3,7 +3,7 @@ server_name: {{ matrix_registration_server_name|to_json }} shared_secret: {{ matrix_registration_shared_secret|to_json }} admin_secret: {{ matrix_registration_admin_secret|to_json }} riot_instance: {{ matrix_registration_riot_instance|to_json }} -db: 'sqlite:////data/db.sqlite3' +db: {{ matrix_registration_db|to_json }} host: '0.0.0.0' port: 5000 rate_limit: ["100 per day", "10 per minute"] From 374f43735aa362bbbb2a9068ef2fd8e81b5ab561 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 20:05:31 +0200 Subject: [PATCH 1655/2384] Separate matrix-dimension install/uninstall tasks --- roles/matrix-dimension/tasks/main.yml | 10 ++- .../tasks/setup_dimension.yml | 85 ------------------- .../matrix-dimension/tasks/setup_install.yml | 36 ++++++++ .../tasks/setup_uninstall.yml | 35 ++++++++ 4 files changed, 79 insertions(+), 87 deletions(-) delete mode 100644 roles/matrix-dimension/tasks/setup_dimension.yml create mode 100644 roles/matrix-dimension/tasks/setup_install.yml create mode 100644 roles/matrix-dimension/tasks/setup_uninstall.yml diff --git a/roles/matrix-dimension/tasks/main.yml b/roles/matrix-dimension/tasks/main.yml index 1888f945..aad55286 100644 --- a/roles/matrix-dimension/tasks/main.yml +++ b/roles/matrix-dimension/tasks/main.yml @@ -8,8 +8,14 @@ - setup-all - setup-dimension -- import_tasks: "{{ role_path }}/tasks/setup_dimension.yml" - when: run_setup|bool +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: run_setup|bool and matrix_dimension_enabled|bool + tags: + - setup-all + - setup-dimension + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: run_setup|bool and not matrix_dimension_enabled|bool tags: - setup-all - setup-dimension diff --git a/roles/matrix-dimension/tasks/setup_dimension.yml b/roles/matrix-dimension/tasks/setup_dimension.yml deleted file mode 100644 index 2437a547..00000000 --- a/roles/matrix-dimension/tasks/setup_dimension.yml +++ /dev/null @@ -1,85 +0,0 @@ ---- - -# -# Tasks related to setting up the dimension -# - -- name: Ensure Dimension base path exists - file: - path: "{{ matrix_dimension_base_path }}" - state: directory - mode: 0770 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_dimension_user_gid }}" - when: matrix_dimension_enabled|bool - -- name: Ensure Dimension config installed - copy: - content: "{{ matrix_dimension_configuration|to_nice_yaml }}" - dest: "{{ matrix_dimension_base_path }}/config.yaml" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_dimension_user_gid }}" - when: matrix_dimension_enabled|bool - -- name: Ensure Dimension image is pulled - docker_image: - name: "{{ matrix_dimension_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_dimension_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_docker_image_force_pull }}" - when: matrix_dimension_enabled|bool - -- name: Ensure matrix-dimension.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-dimension.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-dimension.service" - mode: 0644 - register: matrix_dimension_systemd_service_result - when: matrix_dimension_enabled|bool - -- name: Ensure systemd reloaded after matrix-dimension.service installation - service: - daemon_reload: yes - when: "matrix_dimension_enabled|bool and matrix_dimension_systemd_service_result.changed" - -# -# Tasks related to getting rid of the dimension (if it was previously enabled) -# - -- name: Check existence of matrix-dimension service - stat: - path: "{{ matrix_systemd_path }}/matrix-dimension.service" - register: matrix_dimension_service_stat - when: "not matrix_dimension_enabled|bool" - -- name: Ensure matrix-dimension is stopped - service: - name: matrix-dimension - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_dimension_enabled|bool and matrix_dimension_service_stat.stat.exists" - -- name: Ensure matrix-dimension.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-dimension.service" - state: absent - when: "not matrix_dimension_enabled|bool and matrix_dimension_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-dimension.service removal - service: - daemon_reload: yes - when: "not matrix_dimension_enabled|bool and matrix_dimension_service_stat.stat.exists" - -- name: Ensure Dimension environment variables path doesn't exist - file: - path: "{{ matrix_dimension_base_path }}" - state: absent - when: "not matrix_dimension_enabled|bool" - -- name: Ensure Dimension Docker image doesn't exist - docker_image: - name: "{{ matrix_dimension_docker_image }}" - state: absent - when: "not matrix_dimension_enabled|bool" diff --git a/roles/matrix-dimension/tasks/setup_install.yml b/roles/matrix-dimension/tasks/setup_install.yml new file mode 100644 index 00000000..e118dd62 --- /dev/null +++ b/roles/matrix-dimension/tasks/setup_install.yml @@ -0,0 +1,36 @@ +--- + +- name: Ensure Dimension base path exists + file: + path: "{{ matrix_dimension_base_path }}" + state: directory + mode: 0770 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_dimension_user_gid }}" + +- name: Ensure Dimension config installed + copy: + content: "{{ matrix_dimension_configuration|to_nice_yaml }}" + dest: "{{ matrix_dimension_base_path }}/config.yaml" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_dimension_user_gid }}" + +- name: Ensure Dimension image is pulled + docker_image: + name: "{{ matrix_dimension_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_dimension_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_docker_image_force_pull }}" + +- name: Ensure matrix-dimension.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-dimension.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-dimension.service" + mode: 0644 + register: matrix_dimension_systemd_service_result + +- name: Ensure systemd reloaded after matrix-dimension.service installation + service: + daemon_reload: yes + when: "matrix_dimension_systemd_service_result.changed|bool" diff --git a/roles/matrix-dimension/tasks/setup_uninstall.yml b/roles/matrix-dimension/tasks/setup_uninstall.yml new file mode 100644 index 00000000..9bc4ac8b --- /dev/null +++ b/roles/matrix-dimension/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-dimension service + stat: + path: "{{ matrix_systemd_path }}/matrix-dimension.service" + register: matrix_dimension_service_stat + +- name: Ensure matrix-dimension is stopped + service: + name: matrix-dimension + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_dimension_service_stat.stat.exists|bool" + +- name: Ensure matrix-dimension.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-dimension.service" + state: absent + when: "matrix_dimension_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-dimension.service removal + service: + daemon_reload: yes + when: "matrix_dimension_service_stat.stat.exists|bool" + +- name: Ensure Dimension base directory doesn't exist + file: + path: "{{ matrix_dimension_base_path }}" + state: absent + +- name: Ensure Dimension Docker image doesn't exist + docker_image: + name: "{{ matrix_dimension_docker_image }}" + state: absent From 0790a7b2a8bc21e34d12f4436b88e9a3ce75c526 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 20:31:07 +0200 Subject: [PATCH 1656/2384] Add support for matrix_dimension_systemd_{required,wanted}_services_list We were referencing them from `group_vars/matrix_servers` since recently, but there were no such variables and they weren't being put to use. --- roles/matrix-dimension/defaults/main.yml | 6 ++++++ .../templates/systemd/matrix-dimension.service.j2 | 9 +++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 3b69227a..7ead6e89 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -15,6 +15,12 @@ matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:latest" matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}" +# List of systemd services that matrix-dimension.service depends on. +matrix_dimension_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-dimension.service wants +matrix_dimension_systemd_wanted_services_list: [] + # The user and group id correspond to the node user in the `turt2live/matrix-dimension` image. matrix_dimension_user_uid: '1000' matrix_dimension_user_gid: '1000' diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 94c38491..1c900a16 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -1,8 +1,13 @@ #jinja2: lstrip_blocks: "True" [Unit] Description=Matrix Dimension -After=docker.service -Requires=docker.service +{% for service in matrix_dimension_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_dimension_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} DefaultDependencies=no [Service] From 2a502db2394af179bcb6def67ac89c7fd83d2d95 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 21:01:47 +0200 Subject: [PATCH 1657/2384] Add (SQLite + Postgres) support and automatic migration to matrix-dimension --- group_vars/matrix_servers | 9 +++-- roles/matrix-dimension/defaults/main.yml | 22 +++++++++++++ .../matrix-dimension/tasks/setup_install.yml | 33 +++++++++++++++++++ .../matrix-dimension/templates/config.yaml.j2 | 6 +++- .../systemd/matrix-dimension.service.j2 | 4 ++- 5 files changed, 67 insertions(+), 7 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ad62a86e..d7163ab7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -716,7 +716,7 @@ matrix_dimension_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.dimension.db') | to_uuid }}" +matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db') | to_uuid }}" ###################################################################### # @@ -1092,13 +1092,12 @@ matrix_postgres_additional_databases: | }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres') else []) - + ([{ + + + ([{ 'name': matrix_dimension_database_db_name, 'username': matrix_dimension_database_username, 'password': matrix_dimension_database_password, - }] if (matrix_dimension_enabled - and matrix_dimension_database_engine == 'postgres' - and matrix_dimension_database_hostname == 'matrix-postgres') else []) + }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == 'matrix-postgres') else []) }} ###################################################################### diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 7ead6e89..a6a3bf5d 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -40,6 +40,28 @@ matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_di matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:8048" + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_dimension_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_dimension_postgres_*` variables +matrix_dimension_database_engine: 'sqlite' + +matrix_dimension_sqlite_database_path_local: "{{ matrix_dimension_base_path }}/dimension.db" +matrix_dimension_sqlite_database_path_in_container: "dimension.db" + +matrix_dimension_database_username: 'matrix_dimension' +matrix_dimension_database_password: 'some-password' +matrix_dimension_database_hostname: 'matrix-postgres' +matrix_dimension_database_port: 5432 +matrix_dimension_database_db_name: 'matrix_dimension' + +matrix_dimension_database_connection_string: 'postgres://{{ matrix_dimension_database_username }}:{{ matrix_dimension_database_password }}@{{ matrix_dimension_database_hostname }}:{{ matrix_dimension_database_port }}/{{ matrix_dimension_database_db_name }}' + + # Default Dimension configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-dimension/tasks/setup_install.yml b/roles/matrix-dimension/tasks/setup_install.yml index e118dd62..9a264449 100644 --- a/roles/matrix-dimension/tasks/setup_install.yml +++ b/roles/matrix-dimension/tasks/setup_install.yml @@ -1,5 +1,32 @@ --- +- set_fact: + matrix_dimension_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_dimension_sqlite_database_path_local }}" + register: matrix_dimension_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_dimension_sqlite_database_path_local }}" + dst: "{{ matrix_dimension_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_dimension_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-dimension.service'] + pgloader_options: ['--with "quote identifiers"'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_dimension_requires_restart: true + when: "matrix_dimension_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_dimension_database_engine == 'postgres'" + - name: Ensure Dimension base path exists file: path: "{{ matrix_dimension_base_path }}" @@ -34,3 +61,9 @@ service: daemon_reload: yes when: "matrix_dimension_systemd_service_result.changed|bool" + +- name: Ensure matrix-dimension.service restarted, if necessary + service: + name: "matrix-dimension.service" + state: restarted + when: "matrix_dimension_requires_restart|bool" diff --git a/roles/matrix-dimension/templates/config.yaml.j2 b/roles/matrix-dimension/templates/config.yaml.j2 index b7ca1ee3..200871e7 100644 --- a/roles/matrix-dimension/templates/config.yaml.j2 +++ b/roles/matrix-dimension/templates/config.yaml.j2 @@ -44,7 +44,11 @@ widgetBlacklist: # Where the database for Dimension is database: - uri: "postgres://matrix_dimension:{{ matrix_additional_databases | selectattr('name', 'equalto', 'matrix_dimension') | map(attribute='pass') | first }}@{{ matrix_postgres_connection_hostname }}/matrix_dimension" +{% if matrix_dimension_database_engine == 'sqlite' %} + file: {{ matrix_dimension_sqlite_database_path_in_container|to_json }} +{% elif matrix_dimension_database_engine == 'postgres' %} + uri: {{ matrix_dimension_database_connection_string|to_json }} +{% endif %} # Display settings that apply to self-hosted go-neb instances goneb: diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 1c900a16..ff10224a 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -16,7 +16,9 @@ ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dimension ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dimension # Fixup database ownership if it got changed somehow (during a server migration, etc.) -ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db +{% if matrix_dimension_database_engine == 'sqlite' %} +ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_sqlite_database_path_local }} +{% endif %} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dimension \ --log-driver=none \ From dd797ba6a76e18f8b2bfa676b6f3e78f18f7cf47 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 22:28:20 +0200 Subject: [PATCH 1658/2384] Fix Postgres database importing/upgrading conflicts We were running into conflicts, because having initialized the roles (users) and databases, trying to import leads to errors (role XXX already exists, etc.). We were previously ignoring the Synapse database (`homeserver`) when upgrading/importing, because that one gets created by default whenever the container starts. For our additional databases, it's a similar situation now. It's not created by default as soon as Postgres starts with an empty database, but rather we create it as part of running the playbook. So we either need to skip those role/database creation statements while upgrading/importing, or to avoid creating the additional database and rely on the import for that. I've gone for the former, because it's already similar to what we were doing and it's simpler (it lets `setup_postgres.yml` be the same in all scenarios). --- group_vars/matrix_servers | 14 ++++++++++++++ roles/matrix-postgres/defaults/main.yml | 16 ++++++++++++++++ roles/matrix-postgres/tasks/import_postgres.yml | 4 ++-- roles/matrix-postgres/tasks/upgrade_postgres.yml | 4 ++-- 4 files changed, 34 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d7163ab7..932b288a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1100,6 +1100,20 @@ matrix_postgres_additional_databases: | }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == 'matrix-postgres') else []) }} +matrix_postgres_import_roles_to_ignore: | + {{ + [matrix_postgres_connection_username] + + + matrix_postgres_additional_databases|map(attribute='username') + }} + +matrix_postgres_import_databases_to_ignore: | + {{ + [matrix_postgres_db_name] + + + matrix_postgres_additional_databases|map(attribute='name') + }} + ###################################################################### # # /matrix-postgres diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 5755742f..0c516281 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -43,6 +43,22 @@ matrix_postgres_container_postgres_bind_port: "" # password: some_password matrix_postgres_additional_databases: [] +# A list of roles/users to avoid creating when importing (or upgrading) the database. +# If a dump file contains the roles and they've also been created beforehand (see `matrix_postgres_additional_databases`), +# importing would fail. +# We either need to not create them or to ignore the `CREATE ROLE` statements in the dump. +matrix_postgres_import_roles_to_ignore: [matrix_postgres_connection_username] + +matrix_postgres_import_roles_ignore_regex: "^CREATE ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }});" + +# A list of databases to avoid creating when importing (or upgrading) the database. +# If a dump file contains the databases and they've also been created beforehand (see `matrix_postgres_additional_databases`), +# importing would fail. +# We either need to not create them or to ignore the `CREATE DATABASE` statements in the dump. +matrix_postgres_import_databases_to_ignore: [matrix_postgres_db_name] + +matrix_postgres_import_databases_ignore_regex: "^CREATE DATABASE ({{ matrix_postgres_import_databases_to_ignore|join('|') }})\\s" + # The number of seconds to wait after starting `matrix-postgres.service` # and before trying to run queries for creating additional databases/users against it. # diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml index 33d98691..c26affbb 100644 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -74,8 +74,8 @@ {{ matrix_postgres_docker_image_latest }} -c "cat /{{ server_path_postgres_dump|basename }} | {{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }} - grep -vE '^CREATE ROLE {{ matrix_postgres_connection_username }}' | - grep -vE '^CREATE DATABASE {{ matrix_postgres_db_name }}' | + grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' | + grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' | psql -v ON_ERROR_STOP=1 -h matrix-postgres" # This is a hack. diff --git a/roles/matrix-postgres/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml index 72f327b3..564265d8 100644 --- a/roles/matrix-postgres/tasks/upgrade_postgres.yml +++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml @@ -135,8 +135,8 @@ {{ matrix_postgres_docker_image_latest }} -c "cat /in/{{ postgres_dump_name }} | {{ 'gunzip |' if postgres_dump_name.endswith('.gz') else '' }} - grep -vE '^CREATE ROLE {{ matrix_postgres_connection_username }}' | - grep -vE '^CREATE DATABASE {{ matrix_postgres_db_name }}' | + grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' | + grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' | psql -v ON_ERROR_STOP=1 -h matrix-postgres" # This is a hack. From e2ba46bf013785079eeca380a9926598b9fd1fe4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 14 Dec 2020 22:40:37 +0200 Subject: [PATCH 1659/2384] Fix Jinja2 syntax error (else if -> elif) --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- roles/matrix-bridge-appservice-slack/defaults/main.yml | 2 +- roles/matrix-bridge-mx-puppet-discord/defaults/main.yml | 2 +- roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml | 2 +- roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 2 +- roles/matrix-bridge-mx-puppet-slack/defaults/main.yml | 2 +- roles/matrix-bridge-mx-puppet-steam/defaults/main.yml | 2 +- roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index bf23b0ab..5110fd85 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -26,7 +26,7 @@ matrix_appservice_irc_database_name: matrix_appservice_irc matrix_appservice_irc_database_connString: >-2 {%- if matrix_appservice_irc_database_engine == 'postgres' -%} postgresql://{{ matrix_appservice_irc_database_username }}:{{ matrix_appservice_irc_database_password }}@{{ matrix_appservice_irc_database_hostname }}:{{ matrix_appservice_irc_database_port }}/{{ matrix_appservice_irc_database_name }}?sslmode=disable - {%- else if matrix_appservice_irc_database_engine == 'nedb' -%} + {%- elif matrix_appservice_irc_database_engine == 'nedb' -%} {{ matrix_appservice_irc_database_engine }}://{{ matrix_appservice_irc_database_file }} {%- endif -%} diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index e2127c29..365493ff 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -55,7 +55,7 @@ matrix_appservice_slack_database_file: /data matrix_appservice_slack_database_connString: >-2 {%- if matrix_appservice_slack_database_engine == 'postgres' -%} postgresql://{{ matrix_appservice_slack_database_username }}:{{ matrix_appservice_slack_database_password }}@{{ matrix_appservice_slack_database_hostname }}:{{ matrix_appservice_slack_database_port }}/{{ matrix_appservice_slack_database_name }}?sslmode=disable - {%- else if matrix_appservice_slack_database_engine == 'nedb' -%} + {%- elif matrix_appservice_slack_database_engine == 'nedb' -%} {{ matrix_appservice_slack_database_engine }}://{{ matrix_appservice_slack_database_file }} {%- endif -%} diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 5a65f33e..a0ad1c0a 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -66,7 +66,7 @@ matrix_mx_puppet_discord_database_file: /data/database.db matrix_mx_puppet_discord_database_connString: >-2 {%- if matrix_mx_puppet_discord_database_engine == 'postgres' -%} postgresql://{{ matrix_mx_puppet_discord_database_username }}:{{ matrix_mx_puppet_discord_database_password }}@{{ matrix_mx_puppet_discord_database_hostname }}:{{ matrix_mx_puppet_discord_database_port }}/{{ matrix_mx_puppet_discord_database_name }}?sslmode=disable - {%- else if matrix_mx_puppet_discord_database_engine == 'sqlite' -%} + {%- elif matrix_mx_puppet_discord_database_engine == 'sqlite' -%} {{ matrix_mx_puppet_discord_database_engine }}://{{ matrix_mx_puppet_discord_database_file }} {%- endif -%} diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml index c30f9b8b..4c40bda4 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -56,7 +56,7 @@ matrix_mx_puppet_instagram_database_file: /data/database.db matrix_mx_puppet_instagram_database_connString: >-2 {%- if matrix_mx_puppet_instagram_database_engine == 'postgres' -%} postgresql://{{ matrix_mx_puppet_instagram_database_username }}:{{ matrix_mx_puppet_instagram_database_password }}@{{ matrix_mx_puppet_instagram_database_hostname }}:{{ matrix_mx_puppet_instagram_database_port }}/{{ matrix_mx_puppet_instagram_database_name }}?sslmode=disable - {%- else if matrix_mx_puppet_instagram_database_engine == 'sqlite' -%} + {%- elif matrix_mx_puppet_instagram_database_engine == 'sqlite' -%} {{ matrix_mx_puppet_instagram_database_engine }}://{{ matrix_mx_puppet_instagram_database_file }} {%- endif -%} diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 3b7448c6..db0f4ede 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -64,7 +64,7 @@ matrix_mx_puppet_skype_database_file: /data/database.db matrix_mx_puppet_skype_database_connString: >-2 {%- if matrix_mx_puppet_skype_database_engine == 'postgres' -%} postgresql://{{ matrix_mx_puppet_skype_database_username }}:{{ matrix_mx_puppet_skype_database_password }}@{{ matrix_mx_puppet_skype_database_hostname }}:{{ matrix_mx_puppet_skype_database_port }}/{{ matrix_mx_puppet_skype_database_name }}?sslmode=disable - {%- else if matrix_mx_puppet_skype_database_engine == 'sqlite' -%} + {%- elif matrix_mx_puppet_skype_database_engine == 'sqlite' -%} {{ matrix_mx_puppet_skype_database_engine }}://{{ matrix_mx_puppet_skype_database_file }} {%- endif -%} diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 5f91beb8..2ed72611 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -68,7 +68,7 @@ matrix_mx_puppet_slack_database_file: /data/database.db matrix_mx_puppet_slack_database_connString: >-2 {%- if matrix_mx_puppet_slack_database_engine == 'postgres' -%} postgresql://{{ matrix_mx_puppet_slack_database_username }}:{{ matrix_mx_puppet_slack_database_password }}@{{ matrix_mx_puppet_slack_database_hostname }}:{{ matrix_mx_puppet_slack_database_port }}/{{ matrix_mx_puppet_slack_database_name }}?sslmode=disable - {%- else if matrix_mx_puppet_slack_database_engine == 'sqlite' -%} + {%- elif matrix_mx_puppet_slack_database_engine == 'sqlite' -%} {{ matrix_mx_puppet_slack_database_engine }}://{{ matrix_mx_puppet_slack_database_file }} {%- endif -%} diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index be343db4..77f7804b 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -65,7 +65,7 @@ matrix_mx_puppet_steam_database_file: /data/database.db matrix_mx_puppet_steam_database_connString: >-2 {%- if matrix_mx_puppet_steam_database_engine == 'postgres' -%} postgresql://{{ matrix_mx_puppet_steam_database_username }}:{{ matrix_mx_puppet_steam_database_password }}@{{ matrix_mx_puppet_steam_database_hostname }}:{{ matrix_mx_puppet_steam_database_port }}/{{ matrix_mx_puppet_steam_database_name }}?sslmode=disable - {%- else if matrix_mx_puppet_steam_database_engine == 'sqlite' -%} + {%- elif matrix_mx_puppet_steam_database_engine == 'sqlite' -%} {{ matrix_mx_puppet_steam_database_engine }}://{{ matrix_mx_puppet_steam_database_file }} {%- endif -%} diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index f536029c..91aa264a 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -71,7 +71,7 @@ matrix_mx_puppet_twitter_database_file: /data/database.db matrix_mx_puppet_twitter_database_connString: >-2 {%- if matrix_mx_puppet_twitter_database_engine == 'postgres' -%} postgresql://{{ matrix_mx_puppet_twitter_database_username }}:{{ matrix_mx_puppet_twitter_database_password }}@{{ matrix_mx_puppet_twitter_database_hostname }}:{{ matrix_mx_puppet_twitter_database_port }}/{{ matrix_mx_puppet_twitter_database_name }}?sslmode=disable - {%- else if matrix_mx_puppet_twitter_database_engine == 'sqlite' -%} + {%- elif matrix_mx_puppet_twitter_database_engine == 'sqlite' -%} {{ matrix_mx_puppet_twitter_database_engine }}://{{ matrix_mx_puppet_twitter_database_file }} {%- endif -%} From 6a3f6fbcb56b8aa2da098d1d4cbd1820a347ee34 Mon Sep 17 00:00:00 2001 From: Tomas Strand Date: Tue, 15 Dec 2020 14:15:40 +0200 Subject: [PATCH 1660/2384] Missing ` in traefik domains instructions --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 8c671df4..c930da40 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -144,7 +144,7 @@ matrix_nginx_proxy_container_extra_arguments: - '--label "traefik.enable=true"' # The Nginx proxy container will receive traffic from these subdomains - - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_element }}`,`{{ matrix_server_fqn_dimension }},`{{ matrix_server_fqn_jitsi }}`)"' + - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_element }}`,`{{ matrix_server_fqn_dimension }}`,`{{ matrix_server_fqn_jitsi }}`)"' # (The 'web-secure' entrypoint must bind to port 443 in Traefik config) - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"' From 69f71f48a660a104bd394309edae83026e75636c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 15 Dec 2020 22:00:24 +0200 Subject: [PATCH 1661/2384] Upgrade matrix-registration (v0.7.1 -> 0.7.2) and use official image This switches us to a container image maintained by the matrix-registration developer. 0.7.2 also supports a `base_url` configuration option we can use to make it easier to reverse-proxy at a different base URL. We still keep some workarounds, because of this issue: https://github.com/ZerataX/matrix-registration/issues/47 --- roles/matrix-registration/defaults/main.yml | 6 ++++-- roles/matrix-registration/tasks/init.yml | 9 +++------ roles/matrix-registration/templates/config.yaml.j2 | 1 + 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index 95147665..d89bf070 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -12,9 +12,9 @@ matrix_registration_config_path: "{{ matrix_registration_base_path }}/config" matrix_registration_data_path: "{{ matrix_registration_base_path }}/data" matrix_registration_docker_src_files_path: "{{ matrix_registration_base_path }}/docker-src" -matrix_registration_version: "v0.7.1" +matrix_registration_version: "v0.7.2" -matrix_registration_docker_image: "{{ matrix_registration_docker_image_name_prefix }}devture/zeratax-matrix-registration:{{ matrix_registration_version }}" +matrix_registration_docker_image: "{{ matrix_registration_docker_image_name_prefix }}zeratax/matrix-registration:{{ matrix_registration_version }}" matrix_registration_docker_image_name_prefix: "{{ 'localhost/' if matrix_registration_container_image_self_build else 'docker.io/' }}" matrix_registration_docker_image_force_pull: "{{ matrix_registration_docker_image.endswith(':latest') }}" @@ -36,6 +36,8 @@ matrix_registration_container_http_host_bind_port: '' # (only applies when matrix-nginx-proxy is used). matrix_registration_public_endpoint: /matrix-registration +matrix_registration_base_url: "{{ matrix_registration_public_endpoint }}" + matrix_registration_api_register_endpoint: "{{ matrix_homeserver_url }}{{ matrix_registration_public_endpoint }}/register" matrix_registration_api_token_endpoint: "{{ matrix_homeserver_url }}{{ matrix_registration_public_endpoint }}/token" diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index 8a7cdc75..bdb3928e 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -30,15 +30,12 @@ {% endif %} {# - Workaround matrix-registration serving static files at /static - (see https://github.com/ZerataX/matrix-registration/issues/29) - - Also fixing the form, which goes to /register. + Workaround matrix-registration serving the background image at /static + (see https://github.com/ZerataX/matrix-registration/issues/47) #} sub_filter_once off; - sub_filter_types text/html text/css; + sub_filter_types text/css; sub_filter "/static/" "{{ matrix_registration_public_endpoint }}/static/"; - sub_filter "/register" "{{ matrix_registration_public_endpoint }}/register"; } - name: Register matrix-registration proxying configuration with matrix-nginx-proxy diff --git a/roles/matrix-registration/templates/config.yaml.j2 b/roles/matrix-registration/templates/config.yaml.j2 index f3b1c57b..1b2464e5 100644 --- a/roles/matrix-registration/templates/config.yaml.j2 +++ b/roles/matrix-registration/templates/config.yaml.j2 @@ -28,3 +28,4 @@ logging: # password requirements password: min_length: 8 +base_url: {{ matrix_registration_base_url|to_json }} From 1bd5c240e582bfc4d4d1fcaaea5be326f5186e92 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 15 Dec 2020 23:18:29 +0200 Subject: [PATCH 1662/2384] Add support for executing additional DB migration statements In cases where pgloader is not enough and we need to do some additional migration work after it, we can now use `additional_psql_statements_list` and `additional_psql_statements_db_name`. This is to be used when migrating `matrix-registration`'s data at the very least. --- .../tasks/util/migrate_db_to_postgres.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml index 5d917538..d01611ef 100644 --- a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml +++ b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml @@ -99,6 +99,29 @@ command: cmd: "mv {{ matrix_postgres_db_migration_request.src }} {{ matrix_postgres_db_migration_request.src }}.backup" +- block: + # We can't use `{{ role_path }}` here, neither with `import_tasks`, nor with `include_tasks`, + # because it refers to the role that included this util, and not to the role this file belongs to. + - import_tasks: "roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml" + + - set_fact: + matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}" + + - name: Execute additional Postgres SQL migration statements + command: + cmd: >- + {{ matrix_host_command_docker }} run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql + --network={{ matrix_docker_network }} + {{ matrix_postgres_docker_image_to_use }} + psql --host=matrix-postgres --dbname={{ matrix_postgres_db_migration_request.additional_psql_statements_db_name }} --command='{{ item }}' + with_items: "{{ matrix_postgres_db_migration_request.additional_psql_statements_list }}" + + when: "matrix_postgres_db_migration_request.additional_psql_statements_list|default([])|length > 0" + - name: Inject result set_fact: matrix_playbook_runtime_results: | From a197968b7f95c6f7e6d5f3882cb25e1dc1892124 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 15 Dec 2020 23:19:56 +0200 Subject: [PATCH 1663/2384] Make matrix-registration use Postgres by default Now that 0.7.2 is out, the Docker image supports Postgres and we can do the (SQLite -> Postgres) migration. I've also found out that we needed to fix up the `tokens.ex_date` column data type a bit to prevent matrix-registration from raising exceptions when comparing `datetime.now()` with `ex_date` coming from the database. Example: > File "/usr/local/lib/python3.8/site-packages/matrix_registration/tokens.py", line 58, in valid > expired = self.ex_date < datetime.now() > TypeError: can't compare offset-naive and offset-aware datetimes --- group_vars/matrix_servers | 5 ++--- roles/matrix-registration/defaults/main.yml | 1 - roles/matrix-registration/tasks/setup_install.yml | 5 +++++ roles/matrix-registration/tasks/validate_config.yml | 7 ------- 4 files changed, 7 insertions(+), 11 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 932b288a..fda40efd 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1317,9 +1317,8 @@ matrix_registration_systemd_required_services_list: | (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} -# We'd like to use 'postgres' if matrix_postgres_enabled, but the container image doesn't seem to support that. -# Learn more here: https://github.com/ZerataX/matrix-registration/issues/44 -matrix_registration_database_engine: 'sqlite' +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_registration_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx.registr.db') | to_uuid }}" ###################################################################### diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index b39f02c4..d85faf89 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -88,7 +88,6 @@ matrix_registration_admin_secret: "" matrix_registration_riot_instance: "https://riot.im/app/" - # Default matrix-registration configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/matrix-registration/tasks/setup_install.yml b/roles/matrix-registration/tasks/setup_install.yml index 489bab8b..708cb1df 100644 --- a/roles/matrix-registration/tasks/setup_install.yml +++ b/roles/matrix-registration/tasks/setup_install.yml @@ -18,6 +18,11 @@ engine_variable_name: 'matrix_registration_database_engine' engine_old: 'sqlite' systemd_services_to_stop: ['matrix-registration.service'] + # pgloader makes `ex_date` of type `TIMESTAMP WITH TIMEZONE`, + # which makes matrix-registration choke on it later on when comparing dates. + additional_psql_statements_list: + - ALTER TABLE tokens ALTER COLUMN ex_date TYPE TIMESTAMP WITHOUT TIME ZONE; + additional_psql_statements_db_name: "{{ matrix_registration_database_db_name }}" - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" diff --git a/roles/matrix-registration/tasks/validate_config.yml b/roles/matrix-registration/tasks/validate_config.yml index 80293bcb..90466b46 100644 --- a/roles/matrix-registration/tasks/validate_config.yml +++ b/roles/matrix-registration/tasks/validate_config.yml @@ -18,10 +18,3 @@ when: "item.old in vars" with_items: - {'old': 'matrix_registration_docker_repo', 'new': 'matrix_registration_container_image_self_build_repo'} - -- name: Fail if Postgres usage attempted - fail: - msg: > - matrix-registration doesn't support using Postgres just yet. - Learn more here: https://github.com/ZerataX/matrix-registration/issues/44 - when: "matrix_registration_database_engine == 'postgres'" From a4b8baee494e670c15999be1c2c14b314e6d6f04 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 16 Dec 2020 03:32:31 +0200 Subject: [PATCH 1664/2384] Fix inability to send (Matrix -> Discord) messages via appservice-discord Revert "Correct inabillity for appservice-discord to connect" This reverts commit 673e19f8307bdfc76dc4d1e63dcab40c84ebb37e. While certain things do work even with such a local URL, sending messages leads to an error like this: > [DiscordBot] verbose: DiscordAPIError: Invalid Form Body > avatar_url: Not a well formed URL. Fixes https://github.com/Half-Shot/matrix-appservice-discord/issues/649 The sample configuration file for appservice-discord https://github.com/Half-Shot/matrix-appservice-discord/blob/c29cfc72f55f1f81e43e2d71f5c080d752d1a884/config/config.sample.yaml#L8 explicitly says that we need a public URL. --- roles/matrix-bridge-appservice-discord/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 357b93d6..9ca06b05 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -37,7 +37,7 @@ matrix_appservice_discord_appservice_url: 'http://matrix-appservice-discord:9005 matrix_appservice_discord_bridge_domain: "{{ matrix_domain }}" # As of right now, the homeserver URL must be a public URL. See below. -matrix_appservice_discord_bridge_homeserverUrl: "http://matrix-synapse:8008" +matrix_appservice_discord_bridge_homeserverUrl: "{{ matrix_homeserver_url }}" matrix_appservice_discord_bridge_disablePresence: false matrix_appservice_discord_bridge_enableSelfServiceBridging: false From 2082242499bab3c8a91f294eb3aaba451c2b27fc Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Wed, 16 Dec 2020 10:35:37 +0100 Subject: [PATCH 1665/2384] Add `matrix_nginx_proxy_ssl_config` A new variable called `matrix_nginx_proxy_ssl_config` is created for configuring how the nginx proxy configures SSL. Also a new configuration validation option and other auxiliary variables are created. A new variable configuration called `matrix_nginx_proxy_ssl_config` is created. This allow to set the SSL configuration easily using the default options proposed by Mozilla. The default configuration is set to "Intermediate", removing the weak ciphers used in the old configurations. The new variable can also be set to "Custom" for a more granular control. This allows to set another three variables called: - `matrix_nginx_proxy_ssl_protocols`, - `matrix_nginx_proxy_ssl_prefer_server_ciphers` - `matrix_nginx_proxy_ssl_ciphers` Also a new task is added to validate the SSL configuration variable. --- roles/matrix-nginx-proxy/defaults/main.yml | 28 +++++++++++- .../tasks/validate_config.yml | 6 +++ .../conf.d/matrix-client-element.conf.j2 | 24 ++++++++-- .../nginx/conf.d/matrix-dimension.conf.j2 | 22 ++++++++- .../nginx/conf.d/matrix-domain.conf.j2 | 22 ++++++++- .../nginx/conf.d/matrix-jitsi.conf.j2 | 22 ++++++++- .../nginx/conf.d/matrix-riot-web.conf.j2 | 22 ++++++++- .../nginx/conf.d/matrix-synapse.conf.j2 | 45 +++++++++++++++++-- 8 files changed, 175 insertions(+), 16 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 7331c589..224998c3 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -217,9 +217,35 @@ matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] # a new SSL certificate could go into effect. matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" -# Specifies which SSL protocols to use when serving all the various vhosts +# Specifies the SSL configuration that should be used for the SSL protocols and ciphers +# This is based on the Mozilla Server Side TLS Recommended configurations. +# +# The posible values are: +# - "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +# - "Intermediate" - Recommended configuration for a general-purpose server +# - "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 +# - "Custom" - For defining your own protocols an ciphers +# +# For more information visit: +# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations +# - https://ssl-config.mozilla.org/#server=nginx +matrix_nginx_proxy_ssl_config: "Intermediate" + +# Specifies which *SSL protocols* to use when serving all the various vhosts. +# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3" +# Specifies whether to prefer *the client’s choice or the server’s choice* when +# negociating the chipher to serve all the various vhost +# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" +matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" + +# Specifies which *SSL Cipher suites* to use when serving all the various vhosts. +# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" +# To see the full list for suportes ciphers run `openssl ciphers` on your server +# Remember to use '' and "" if you are specified a list of ciphers +matrix_nginx_proxy_ssl_ciphers: '"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"' + # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 993fc150..0b737662 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -18,3 +18,9 @@ msg: >- `matrix_ssl_retrieval_method` needs to be set to a known value. when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']" + +- name: Fail on unknown matrix_nginx_proxy_ssl_config + fail: + msg: >- + `matrix_nginx_proxy_ssl_config` needs to be set to a known value. + when: "matrix_nginx_proxy_ssl_config not in ['Custom', 'Old', 'Intermediate', 'Modern']" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index cbabc9f6..69a61a39 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -5,7 +5,7 @@ gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options SAMEORIGIN; + add_header X-Frame-Options SAMEORIGIN; {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} @@ -67,9 +67,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index b041d3ca..fce652eb 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -65,9 +65,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 027f2d31..be659305 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -58,9 +58,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 500f1943..d08ac7be 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -86,9 +86,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 3ef42815..11b8a0fd 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -51,9 +51,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index adbee18e..a32b7bad 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -203,9 +203,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } @@ -235,9 +253,28 @@ server { {% if matrix_nginx_proxy_https_enabled %} ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} + {% endif %} location / { From ff6db5fd3b212630e4335a30a67a66b615829e2f Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Wed, 16 Dec 2020 10:50:08 +0100 Subject: [PATCH 1666/2384] Document the new variables for ngingx SSL config The new variables created to the nginx reverse proxy are properly added to the documentation. --- docs/configuring-playbook-nginx.md | 23 ++++++++++++++++++++++ docs/configuring-playbook-own-webserver.md | 3 ++- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index 945864e9..39a96e40 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -24,6 +24,29 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: - 1.1.1.1 ``` +## Adjusting SSL in your server + +You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_config`. This is based on the Mozilla Server Side TLS +Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. +The posible values are: + +- "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +- "Intermediate" - Recommended configuration for a general-purpose server +- "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 +- "Custom" - For defining your own protocols an ciphers + +The default is set to `"Intermediate"`. + +**Be really carefull when setting it to "Modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the +[Federarion tester](https://federationtester.matrix.org/) won't work. + +If you set `matrix_nginx_proxy_ssl_config` to `"Custom"`, you will get three variables that you will be able to set: + +- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols. +- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off". +- `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx. + +For more information about this variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file. ## Synapse + OpenID Connect for Single-Sign-On diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index c930da40..4f0d3591 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -48,10 +48,11 @@ Those configuration files are adapted for use with an external web server (one n You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` -Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: +Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by setting `matrix_nginx_proxy_ssl_config` to `"Custom"` redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: ```yaml # Custom protocol list (removing `TLSv1.3`) to suit your nginx version. +matrix_nginx_proxy_ssl_config: "Custom" matrix_nginx_proxy_ssl_protocols: "TLSv1.2" ``` From 49b3cc024bd4ff8c94f74beacaf3228593e30e5c Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Wed, 16 Dec 2020 10:53:11 +0100 Subject: [PATCH 1667/2384] Document the SSL changes in the CHANGELOG The breaking changes are properly documented in the CHANGELOG.md file. The date used is specified as XXXX-XX-XX and should be modified at the moment of merge. --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 946ec5b0..8473b4aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# XXXX-XX-XX + +## New SSL Configuration + +A new variable `matrix_nginx_proxy_ssl_config`, bringing some breaking changes. The default configuration is set to `"Intermadiate"`. +This changes `ssl_prefer_server_ciphers` to `off` by default instead of `off`. It also add some more ciphers to the list, this should +give a little better performance for mobile devices and removes weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). +To revert to the old behaviour just set `matrix_nginx_proxy_ssl_config` to `"Custom"` and don't change any of the other variables. + +If you are setting `matrix_nginx_proxy_ssl_protocols` to a custom value, you will need to `matrix_nginx_proxy_ssl_config` to `"Custom"`, +otherwise it this variable will be ignored. + # 2020-12-11 ## synapse-janitor support removed From db69a51653271d8bf563cc2ef952064fa05bb825 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 16 Dec 2020 16:25:38 +0200 Subject: [PATCH 1668/2384] Do not recommend usePrivilegedIntents for appservice-discord We're getting reports of it being broken and I can confirm that the bridge works well without it, so I don't see why we'd be asking people to enable it. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/751 --- ...configuring-playbook-bridge-appservice-discord.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index 11be678e..f3efc555 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -14,20 +14,18 @@ Instructions loosely based on [this](https://github.com/Half-Shot/matrix-appserv 1. Create a Discord Application [here](https://discordapp.com/developers/applications). 2. Retrieve Client ID. 3. Create a bot from the Bot tab and retrieve the Bot token. -4. From the Bot tab, enable all checkboxes related to Privileged Gateway Intents (you can skip this step if you're not using `matrix_appservice_discord_auth_usePrivilegedIntents: true` below) -5. Enable the bridge with the following configuration in your `vars.yml` file: +4. Enable the bridge with the following configuration in your `vars.yml` file: ```yaml matrix_appservice_discord_enabled: true matrix_appservice_discord_client_id: "YOUR DISCORD APP CLIENT ID" matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN" -matrix_appservice_discord_auth_usePrivilegedIntents: true ``` -6. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. -7. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`). You need to peek at the file on the server via SSH, etc., because it's not available via HTTP(S). -8. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended. -9. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client. +5. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. +6. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`). You need to peek at the file on the server via SSH, etc., because it's not available via HTTP(S). +7. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended. +8. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client. Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable. From e2e6cfaa8b66a995aa4b4ef6b6409d071e648fe9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 16 Dec 2020 18:14:52 +0200 Subject: [PATCH 1669/2384] Document Ansible's Python interpreter discovery some more Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/570 Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/641 --- docs/prerequisites.md | 2 +- examples/hosts | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index daf6ff80..488f6c6f 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -10,7 +10,7 @@ This playbook doesn't support running on ARM (see [this issue](https://github.co - `root` access to your server (or a user capable of elevating to `root` via `sudo`). -- [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`). +- [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python3`). On some distros, Ansible may incorrectly [detect the Python version](https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html) (2 vs 3) and you may need to explicitly specify the interpreter path in `inventory/hosts` during installation (e.g. `ansible_python_interpreter=/usr/bin/python3`) - A `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates's renewal. *This can be ignored if you use your own SSL certificates.* diff --git a/examples/hosts b/examples/hosts index 3b14f09e..daf2cfc5 100644 --- a/examples/hosts +++ b/examples/hosts @@ -10,6 +10,9 @@ # # If you're running this Ansible playbook on the same server as the one you're installing to, # consider adding an additional `ansible_connection=local` argument below. +# +# Ansible may fail to discover which Python interpreter to use on the host for some distros (like Ubuntu 20.04). +# You may sometimes need to explicitly add `ansible_python_interpreter=/usr/bin/python3` to lines below. [matrix_servers] matrix. ansible_host= ansible_ssh_user=root From ed159cc7427c9e856b037864bb9e923f5b7fb2ca Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 17 Dec 2020 11:33:18 +0200 Subject: [PATCH 1670/2384] Move matrix_architecture to matrix-base We were only defining this in `group_vars/matrix_servers`, which is inconsistent with how we normally do things. --- group_vars/matrix_servers | 14 -------------- roles/matrix-base/defaults/main.yml | 6 ++++++ 2 files changed, 6 insertions(+), 14 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 78a03851..f5eb1cb8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -24,20 +24,6 @@ matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matri # ###################################################################### -###################################################################### -# -# matrix-architecture -# -###################################################################### - -matrix_architecture: "amd64" - -###################################################################### -# -# /matrix-architecture -# -###################################################################### - ###################################################################### # diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index e0522ba8..aabbbed8 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -23,6 +23,12 @@ matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" matrix_federation_public_port: 8448 +# The architecture that your server runs. +# Recognized values by us are 'amd64', 'arm32' and 'arm64'. +# Not all architectures support all services, so your experience (on non-amd64) may vary. +# See docs/alternative-architectures.md +matrix_architecture: amd64 + matrix_user_username: "matrix" matrix_user_groupname: "matrix" From 55f252a6ed276d000e193158a4390b1315354cb2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 17 Dec 2020 11:37:30 +0200 Subject: [PATCH 1671/2384] Do not hardcode amd64 in setup_debian.yml Until now, we've only supported non-amd64 on Raspbian. Seems like there are now people running Debian/Ubuntu on ARM, so we were forcing them into amd64 Docker packages. I've gotten a report that this change fixes support for Ubuntu Server 20.04 on RPi 4B. --- roles/matrix-base/defaults/main.yml | 5 +++++ roles/matrix-base/tasks/server_base/setup_debian.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index aabbbed8..2cc4b42f 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -29,6 +29,11 @@ matrix_federation_public_port: 8448 # See docs/alternative-architectures.md matrix_architecture: amd64 +# The architecture for Debian packages. +# See: https://wiki.debian.org/SupportedArchitectures +# We just remap from our `matrix_architecture` values to what Debian and possibly other distros call things. +matrix_debian_arch: "{{ 'armhf' if matrix_architecture == 'arm32' else matrix_architecture }}" + matrix_user_username: "matrix" matrix_user_groupname: "matrix" diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index 6d8d18fa..e30d3b93 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -20,7 +20,7 @@ - name: Ensure Docker repository is enabled apt_repository: - repo: "deb [arch=amd64] https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} stable" + repo: "deb [arch={{ matrix_debian_arch }}] https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} stable" state: present update_cache: yes when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' From f545de53f742e4443bf26608e67da786b8d6dc16 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 17 Dec 2020 11:39:18 +0200 Subject: [PATCH 1672/2384] Do not hardcode "ubuntu" for the Docker APT key URL Well, `ubuntu` or `debian`, the same key is served right now, so it doesn't really matter. This seems cleaner and less prone to breakage though. --- roles/matrix-base/tasks/server_base/setup_debian.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index e30d3b93..37706d1f 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -11,7 +11,7 @@ - name: Ensure Docker's APT key is trusted apt_key: - url: https://download.docker.com/linux/ubuntu/gpg + url: "https://download.docker.com/linux/{{ ansible_distribution|lower }}/gpg" id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 state: present register: add_repository_key From a09ed58892965241f0ee73b11139b5cfb5995cde Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 17 Dec 2020 11:45:32 +0200 Subject: [PATCH 1673/2384] Ensure gnupg installed on Raspbian It's likely installed by default, but it doesn't hurt to specify it. It also makes us more the same with `setup_debian.yml`. --- roles/matrix-base/tasks/server_base/setup_raspbian.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-base/tasks/server_base/setup_raspbian.yml b/roles/matrix-base/tasks/server_base/setup_raspbian.yml index a9a5d20a..a84228a5 100644 --- a/roles/matrix-base/tasks/server_base/setup_raspbian.yml +++ b/roles/matrix-base/tasks/server_base/setup_raspbian.yml @@ -5,6 +5,7 @@ name: - apt-transport-https - ca-certificates + - gnupg state: present update_cache: yes From 349fbb64343bc3a877db02948ef6e715fa8c0128 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 17 Dec 2020 11:47:34 +0200 Subject: [PATCH 1674/2384] Do not hardcode armhf for Raspbian Raspbian doesn't seem to support arm64, so this is somewhat pointless right now. However, they might in the future. Doing this should also unify us some more with `setup_debian.yml` with the ultimate goal of eliminating `setup_raspbian.yml`. --- roles/matrix-base/tasks/server_base/setup_raspbian.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-base/tasks/server_base/setup_raspbian.yml b/roles/matrix-base/tasks/server_base/setup_raspbian.yml index a84228a5..daf6c165 100644 --- a/roles/matrix-base/tasks/server_base/setup_raspbian.yml +++ b/roles/matrix-base/tasks/server_base/setup_raspbian.yml @@ -20,7 +20,7 @@ - name: Ensure Docker repository is enabled apt_repository: - repo: "deb [arch=armhf] https://download.docker.com/linux/raspbian {{ ansible_distribution_release }} stable" + repo: "deb [arch={{ matrix_debian_arch }}] https://download.docker.com/linux/raspbian {{ ansible_distribution_release }} stable" state: present update_cache: yes when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' From 8748f3d443d7b7388f41d06f2efab17f291735eb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 17 Dec 2020 11:49:56 +0200 Subject: [PATCH 1675/2384] Move python{,3}-docker installation to another task This also adds support for installing python3-docker (not python-docker) in systems that run Python 3. --- roles/matrix-base/tasks/server_base/setup_raspbian.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-base/tasks/server_base/setup_raspbian.yml b/roles/matrix-base/tasks/server_base/setup_raspbian.yml index daf6c165..421905a0 100644 --- a/roles/matrix-base/tasks/server_base/setup_raspbian.yml +++ b/roles/matrix-base/tasks/server_base/setup_raspbian.yml @@ -28,7 +28,6 @@ - name: Ensure APT packages are installed apt: name: - - python-docker - "{{ matrix_ntpd_package }}" - fuse state: latest @@ -38,5 +37,6 @@ apt: name: - "{{ matrix_docker_package_name }}" + - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker" state: latest when: matrix_docker_installation_enabled|bool From d0ee86e0a54f5ae93c872550d8b66f5b660d0b1d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 21 Dec 2020 15:44:14 +0200 Subject: [PATCH 1676/2384] Fix matrix_corporal_docker_image_name_prefix referencing matrix_synapse_ stuff --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 1cab3119..cccaadd0 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -23,7 +23,7 @@ matrix_corporal_container_extra_arguments: [] matrix_corporal_systemd_required_services_list: ['docker.service'] matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" -matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}" +matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}" matrix_corporal_docker_image_tag: "1.11.0" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" From dcd47166366ad5272525513f3aed409b752057a8 Mon Sep 17 00:00:00 2001 From: louis Date: Sun, 20 Dec 2020 17:30:28 +0100 Subject: [PATCH 1677/2384] add option to disable nginx access log --- docs/configuring-playbook-nginx.md | 9 ++++++++- roles/matrix-nginx-proxy/defaults/main.yml | 2 ++ roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 | 4 ++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index 945864e9..5693c569 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -24,7 +24,6 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: - 1.1.1.1 ``` - ## Synapse + OpenID Connect for Single-Sign-On If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse: @@ -32,3 +31,11 @@ If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID ```yaml matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: true ``` + +## Disable Nginx access logs + +This will disable the access logging for nginx. + +```yaml +matrix_nginx_proxy_access_log_enabled: false +``` diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 7331c589..b18bedde 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -92,6 +92,8 @@ matrix_nginx_proxy_base_domain_homepage_template: |- +# Option to disable the access log +matrix_nginx_proxy_access_log_enabled: true # Controls whether proxying the riot domain should be done. matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index 51aa8a00..975c8b4f 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -33,7 +33,11 @@ http { '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; + {% if matrix_nginx_proxy_access_log_enabled %} access_log /var/log/nginx/access.log main; + {% else %} + access_log off; + {% endif %} sendfile on; #tcp_nopush on; From 6488e11d692d0a44fc5c53e81d986ada35c92be4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 10:52:36 +0200 Subject: [PATCH 1678/2384] Relocate some tasks --- .../tasks/setup_install.yml | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index c3f2b01f..9022f309 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml @@ -8,6 +8,23 @@ The matrix-bridge-mx-puppet-discord role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_discord_base_path }}/database.db" + register: matrix_mx_puppet_discord_stat_database + +- block: + - name: (Data relocation) Ensure matrix-mx-puppet-discord.service is stopped + service: + name: matrix-mx-puppet-discord + state: stopped + daemon_reload: yes + failed_when: False + + - name: (Data relocation) Move mx-puppet-discord database file to ./data directory + command: "mv {{ matrix_mx_puppet_discord_base_path }}/database.db {{ matrix_mx_puppet_discord_data_path }}/database.db" + when: "matrix_mx_puppet_discord_stat_database.stat.exists" + - name: Ensure MX Puppet Discord image is pulled docker_image: name: "{{ matrix_mx_puppet_discord_docker_image }}" @@ -49,23 +66,6 @@ pull: yes when: "matrix_mx_puppet_discord_enabled|bool and matrix_mx_puppet_discord_container_image_self_build|bool" -- name: Check if an old database file already exists - stat: - path: "{{ matrix_mx_puppet_discord_base_path }}/database.db" - register: matrix_mx_puppet_discord_stat_database - -- name: (Data relocation) Ensure matrix-mx-puppet-discord.service is stopped - service: - name: matrix-mx-puppet-discord - state: stopped - daemon_reload: yes - failed_when: false - when: "matrix_mx_puppet_discord_stat_database.stat.exists" - -- name: (Data relocation) Move mx-puppet-discord database file to ./data directory - command: "mv {{ matrix_mx_puppet_discord_base_path }}/database.db {{ matrix_mx_puppet_discord_data_path }}/database.db" - when: "matrix_mx_puppet_discord_stat_database.stat.exists" - - name: Ensure mx-puppet-discord config.yaml installed copy: content: "{{ matrix_mx_puppet_discord_configuration|to_nice_yaml }}" From 9b4bf7358784f4f7df163cbf922e643dca5f0977 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 11:08:07 +0200 Subject: [PATCH 1679/2384] Fix undefined variable reference --- roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 index c24c7e54..27f0c567 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 @@ -100,7 +100,7 @@ namePatterns: group: :name database: -{% if matrix_mx_puppet_slack_discord_database_engine == 'sqlite' %} +{% if matrix_mx_puppet_discord_database_engine == 'sqlite' %} # Use SQLite3 as a database backend # The name of the database file filename: /data/database.db From 149872e00c59960494877bac032b9a4d0a5d40ea Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 11:10:10 +0200 Subject: [PATCH 1680/2384] Add support for automatic (Postgres -> SQLite) migration to mx-puppet-discord --- .../defaults/main.yml | 15 +++++------ .../tasks/setup_install.yml | 26 +++++++++++++++++++ .../tasks/validate_config.yml | 20 -------------- .../templates/config.yaml.j2 | 4 +-- 4 files changed, 35 insertions(+), 30 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index a0ad1c0a..ad86a241 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -57,18 +57,17 @@ matrix_mx_puppet_discord_login_shared_secret: '' # Database configuration matrix_mx_puppet_discord_database_engine: 'sqlite' + +matrix_mx_puppet_discord_sqlite_database_path_local: "{{ matrix_mx_puppet_discord_data_path }}/database.db" +matrix_mx_puppet_discord_sqlite_database_path_in_container: "/data/database.db" + matrix_mx_puppet_discord_database_username: matrix_mx_puppet_discord matrix_mx_puppet_discord_database_password: ~ matrix_mx_puppet_discord_database_hostname: 'matrix-postgres' matrix_mx_puppet_discord_database_port: 5432 -matrix_mx_puppet_discord_database_name: matrix_mx_puppet_discord -matrix_mx_puppet_discord_database_file: /data/database.db -matrix_mx_puppet_discord_database_connString: >-2 - {%- if matrix_mx_puppet_discord_database_engine == 'postgres' -%} - postgresql://{{ matrix_mx_puppet_discord_database_username }}:{{ matrix_mx_puppet_discord_database_password }}@{{ matrix_mx_puppet_discord_database_hostname }}:{{ matrix_mx_puppet_discord_database_port }}/{{ matrix_mx_puppet_discord_database_name }}?sslmode=disable - {%- elif matrix_mx_puppet_discord_database_engine == 'sqlite' -%} - {{ matrix_mx_puppet_discord_database_engine }}://{{ matrix_mx_puppet_discord_database_file }} - {%- endif -%} +matrix_mx_puppet_discord_database_db_name: matrix_mx_puppet_discord + +matrix_mx_puppet_discord_database_connection_string: 'postgresql://{{ matrix_mx_puppet_discord_database_username }}:{{ matrix_mx_puppet_discord_database_password }}@{{ matrix_mx_puppet_discord_database_hostname }}:{{ matrix_mx_puppet_discord_database_port }}/{{ matrix_mx_puppet_discord_database_db_name }}?sslmode=disable' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index 9022f309..08a199c4 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml @@ -25,6 +25,32 @@ command: "mv {{ matrix_mx_puppet_discord_base_path }}/database.db {{ matrix_mx_puppet_discord_data_path }}/database.db" when: "matrix_mx_puppet_discord_stat_database.stat.exists" +- set_fact: + matrix_mx_puppet_discord_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mx_puppet_discord_sqlite_database_path_local }}" + register: matrix_mx_puppet_discord_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mx_puppet_discord_sqlite_database_path_local }}" + dst: "{{ matrix_mx_puppet_discord_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mx_puppet_discord_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mx-puppet-discord.service'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mx_puppet_discord_requires_restart: true + when: "matrix_mx_puppet_discord_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mx_puppet_discord_database_engine == 'postgres'" + - name: Ensure MX Puppet Discord image is pulled docker_image: name: "{{ matrix_mx_puppet_discord_docker_image }}" diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml index 8db47ed1..c253eda2 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/validate_config.yml @@ -8,23 +8,3 @@ with_items: - "matrix_mx_puppet_discord_appservice_token" - "matrix_mx_puppet_discord_homeserver_token" - -- block: - - name: Check if a SQLite database already exists - stat: - path: "{{ matrix_mx_puppet_discord_data_path }}/database.db" - register: matrix_mx_puppet_discord_sqlite_database_path_local_stat_result - - - name: Fail if an SQLite database already exists when using Postgres - fail: - msg: >-2 - matrix_mx_puppet_discord_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing SQLite database in {{ matrix_mx_puppet_discord_data_path }}/database.db. - It appears that you've been using this bridge with the SQLite engine until now. - To continue using SQLite, opt into it explicitly: add `matrix_mx_puppet_discord_database_engine: sqlite` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing SQLite database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mx_puppet_discord_data_path }}/database.db postgres_connection_string_variable_name=matrix_mx_puppet_discord_database_connString'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_mx_puppet_discord_sqlite_database_path_local_stat_result.stat.exists" - when: "matrix_mx_puppet_discord_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 index 27f0c567..1f4548d8 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 @@ -103,14 +103,14 @@ database: {% if matrix_mx_puppet_discord_database_engine == 'sqlite' %} # Use SQLite3 as a database backend # The name of the database file - filename: /data/database.db + filename: {{ matrix_mx_puppet_discord_sqlite_database_path_in_container|to_json }} {% else %} # Use Postgres as a database backend # If set, will be used instead of SQLite3 # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - connString: {{ matrix_mx_puppet_discord_database_connString|to_json }} + connString: {{ matrix_mx_puppet_discord_database_connection_string|to_json }} {% endif %} logging: From e64758c11951b7d2720431b139be0edc454085bc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 13:24:53 +0200 Subject: [PATCH 1681/2384] Add missing restart task Should have been part of 149872e00c5 --- .../matrix-bridge-mx-puppet-discord/tasks/setup_install.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index 08a199c4..9801bf82 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml @@ -119,3 +119,9 @@ service: daemon_reload: yes when: "matrix_mx_puppet_discord_systemd_service_result.changed" + +- name: Ensure matrix-mx-puppet-discord.service restarted, if necessary + service: + name: "matrix-mx-puppet-discord.service" + state: restarted + when: "matrix_mx_puppet_discord_requires_restart|bool" From 44c9f4daca05fca27aa1fe8399349a34a9837015 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 13:30:52 +0200 Subject: [PATCH 1682/2384] Add support for automatic (Postgres -> SQLite) migration to mx-puppet-instagram --- .../defaults/main.yml | 15 ++++----- .../tasks/setup_install.yml | 33 ++++++++++++++++++- .../tasks/validate_config.yml | 20 ----------- .../templates/config.yaml.j2 | 4 +-- 4 files changed, 41 insertions(+), 31 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml index 4c40bda4..61bf3dcf 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -47,18 +47,17 @@ matrix_mx_puppet_instagram_homeserver_token: '' matrix_mx_puppet_instagram_login_shared_secret: '' matrix_mx_puppet_instagram_database_engine: sqlite + +matrix_mx_puppet_instagram_sqlite_database_path_local: "{{ matrix_mx_puppet_instagram_data_path }}/database.db" +matrix_mx_puppet_instagram_sqlite_database_path_in_container: "/data/database.db" + matrix_mx_puppet_instagram_database_username: matrix_mx_puppet_instagram matrix_mx_puppet_instagram_database_password: ~ matrix_mx_puppet_instagram_database_hostname: 'matrix-postgres' matrix_mx_puppet_instagram_database_port: 5432 -matrix_mx_puppet_instagram_database_name: matrix_mx_puppet_instagram -matrix_mx_puppet_instagram_database_file: /data/database.db -matrix_mx_puppet_instagram_database_connString: >-2 - {%- if matrix_mx_puppet_instagram_database_engine == 'postgres' -%} - postgresql://{{ matrix_mx_puppet_instagram_database_username }}:{{ matrix_mx_puppet_instagram_database_password }}@{{ matrix_mx_puppet_instagram_database_hostname }}:{{ matrix_mx_puppet_instagram_database_port }}/{{ matrix_mx_puppet_instagram_database_name }}?sslmode=disable - {%- elif matrix_mx_puppet_instagram_database_engine == 'sqlite' -%} - {{ matrix_mx_puppet_instagram_database_engine }}://{{ matrix_mx_puppet_instagram_database_file }} - {%- endif -%} +matrix_mx_puppet_instagram_database_db_name: matrix_mx_puppet_instagram + +matrix_mx_puppet_instagram_database_connection_string: 'postgresql://{{ matrix_mx_puppet_instagram_database_username }}:{{ matrix_mx_puppet_instagram_database_password }}@{{ matrix_mx_puppet_instagram_database_hostname }}:{{ matrix_mx_puppet_instagram_database_port }}/{{ matrix_mx_puppet_instagram_database_db_name }}?sslmode=disable' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml index 78bd78c1..76bbd629 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml @@ -8,6 +8,33 @@ The matrix-bridge-mx-puppet-instagram role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_mx_puppet_instagram_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mx_puppet_instagram_sqlite_database_path_local }}" + register: matrix_mx_puppet_instagram_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mx_puppet_instagram_sqlite_database_path_local }}" + dst: "{{ matrix_mx_puppet_instagram_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mx_puppet_instagram_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mx-puppet-instagram.service'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mx_puppet_instagram_requires_restart: true + when: "matrix_mx_puppet_instagram_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mx_puppet_instagram_database_engine == 'postgres'" + - name: Ensure mx-puppet-instagram image is pulled docker_image: name: "{{ matrix_mx_puppet_instagram_docker_image }}" @@ -77,4 +104,8 @@ daemon_reload: yes when: "matrix_mx_puppet_instagram_systemd_service_result.changed" - +- name: Ensure matrix-mx-puppet-instagram.service restarted, if necessary + service: + name: "matrix-mx-puppet-instagram.service" + state: restarted + when: "matrix_mx_puppet_instagram_requires_restart|bool" diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml index c2115cbb..b6d9d994 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/validate_config.yml @@ -8,23 +8,3 @@ with_items: - "matrix_mx_puppet_instagram_appservice_token" - "matrix_mx_puppet_instagram_homeserver_token" - -- block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_mx_puppet_instagram_data_path }}/database.db" - register: matrix_mx_puppet_instagram_sqlite_database_path_local_stat_result - - - name: Fail if an SQLite database already exists when using Postgres - fail: - msg: >- - matrix_mx_puppet_instagram_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing SQLite database in {{ matrix_mx_puppet_instagram_data_path }}/database.db. - It appears that you've been using this bridge with the SQLite engine until now. - To continue using SQLite, opt into it explicitly: add `matrix_mx_puppet_instagram_database_engine: sqlite` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing SQLite database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mx_puppet_instagram_data_path }}/database.db postgres_connection_string_variable_name=matrix_mx_puppet_instagram_database_connString'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_mx_puppet_instagram_sqlite_database_path_local_stat_result.stat.exists" - when: "matrix_mx_puppet_instagram_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 index d89c5bdb..b830da2b 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 @@ -50,11 +50,11 @@ database: # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - connString: {{ matrix_mx_puppet_instagram_database_connString | to_json }} + connString: {{ matrix_mx_puppet_instagram_database_connection_string|to_json }} {% else %} # Use SQLite3 as a database backend # The name of the database file - filename: {{ matrix_mx_puppet_instagram_database_file }} + filename: {{ matrix_mx_puppet_instagram_sqlite_database_path_in_container|to_json }} {% endif %} logging: From d135cd9cd3117ca659459db626d8ed942d474325 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 13:44:33 +0200 Subject: [PATCH 1683/2384] Ensure mx-puppet-discord directories are created before attempting migration Our old (base-path -> data-path) SQLite migration can't work otherwise. It's probably not necessary to keep it anymore, but since we still do, at least we should take care to ensure it works. --- .../tasks/setup_install.yml | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index 9801bf82..3e3b2f94 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml @@ -8,6 +8,20 @@ The matrix-bridge-mx-puppet-discord role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- name: Ensure MX Puppet Discord paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mx_puppet_discord_base_path }}", when: true } + - { path: "{{ matrix_mx_puppet_discord_config_path }}", when: true } + - { path: "{{ matrix_mx_puppet_discord_data_path }}", when: true } + - { path: "{{ matrix_mx_puppet_discord_docker_src_files_path }}", when: "{{ matrix_mx_puppet_discord_container_image_self_build }}" } + when: matrix_mx_puppet_discord_enabled|bool and item.when|bool + - name: Check if an old database file already exists stat: path: "{{ matrix_mx_puppet_discord_base_path }}/database.db" @@ -59,20 +73,6 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_discord_docker_image_force_pull }}" when: matrix_mx_puppet_discord_enabled|bool and not matrix_mx_puppet_discord_container_image_self_build -- name: Ensure MX Puppet Discord paths exist - file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_mx_puppet_discord_base_path }}", when: true } - - { path: "{{ matrix_mx_puppet_discord_config_path }}", when: true } - - { path: "{{ matrix_mx_puppet_discord_data_path }}", when: true } - - { path: "{{ matrix_mx_puppet_discord_docker_src_files_path }}", when: "{{ matrix_mx_puppet_discord_container_image_self_build }}" } - when: matrix_mx_puppet_discord_enabled|bool and item.when|bool - - name: Ensure MX Puppet Discord repository is present on self build git: repo: "{{ matrix_mx_puppet_discord_container_image_self_build_repo }}" From 10e0fa17adffde2b79048d597828f8beed00d05c Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Tue, 22 Dec 2020 08:23:37 -0600 Subject: [PATCH 1684/2384] Update nginx (1.19.5 -> 1.19.6) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index b18bedde..61653db4 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.5-alpine" +matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.6-alpine" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" From c3b63c6c97e99c81af3fe5fda48a72979dc8b5af Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Tue, 22 Dec 2020 08:29:37 -0600 Subject: [PATCH 1685/2384] Update element-web (1.7.15 -> 1.7.16) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 8b032ac2..d0297193 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.15" +matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.16" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From e49eb078a25bab1e320ac6d5c56f58461f8b19ad Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 16:29:47 +0200 Subject: [PATCH 1686/2384] Add support for automatic (Postgres -> SQLite) migration to mx-puppet-skype --- .../defaults/main.yml | 15 ++-- .../tasks/setup_install.yml | 82 +++++++++++++------ .../tasks/validate_config.yml | 20 ----- .../templates/config.yaml.j2 | 4 +- 4 files changed, 66 insertions(+), 55 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index db0f4ede..f3e17a59 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -55,18 +55,17 @@ matrix_mx_puppet_skype_login_shared_secret: '' # Database configuration, role default is `sqlite` but playbook default is `postgres` matrix_mx_puppet_skype_database_engine: sqlite + +matrix_mx_puppet_skype_sqlite_database_path_local: "{{ matrix_mx_puppet_skype_data_path }}/database.db" +matrix_mx_puppet_skype_sqlite_database_path_in_container: "/data/database.db" + matrix_mx_puppet_skype_database_username: matrix_mx_puppet_skype matrix_mx_puppet_skype_database_password: ~ matrix_mx_puppet_skype_database_hostname: 'matrix-postgres' matrix_mx_puppet_skype_database_port: 5432 -matrix_mx_puppet_skype_database_name: matrix_mx_puppet_skype -matrix_mx_puppet_skype_database_file: /data/database.db -matrix_mx_puppet_skype_database_connString: >-2 - {%- if matrix_mx_puppet_skype_database_engine == 'postgres' -%} - postgresql://{{ matrix_mx_puppet_skype_database_username }}:{{ matrix_mx_puppet_skype_database_password }}@{{ matrix_mx_puppet_skype_database_hostname }}:{{ matrix_mx_puppet_skype_database_port }}/{{ matrix_mx_puppet_skype_database_name }}?sslmode=disable - {%- elif matrix_mx_puppet_skype_database_engine == 'sqlite' -%} - {{ matrix_mx_puppet_skype_database_engine }}://{{ matrix_mx_puppet_skype_database_file }} - {%- endif -%} +matrix_mx_puppet_skype_database_db_name: matrix_mx_puppet_skype + +matrix_mx_puppet_skype_database_connection_string: 'postgresql://{{ matrix_mx_puppet_skype_database_username }}:{{ matrix_mx_puppet_skype_database_password }}@{{ matrix_mx_puppet_skype_database_hostname }}:{{ matrix_mx_puppet_skype_database_port }}/{{ matrix_mx_puppet_skype_database_db_name }}?sslmode=disable' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index fb5185ed..9289a793 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -8,14 +8,6 @@ The matrix-bridge-mx-puppet-skype role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" -- name: Ensure MX Puppet Skype image is pulled - docker_image: - name: "{{ matrix_mx_puppet_skype_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mx_puppet_skype_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_skype_docker_image_force_pull }}" - when: matrix_mx_puppet_skype_enabled|bool and not matrix_mx_puppet_skype_container_image_self_build - - name: Ensure MX Puppet Skype paths exist file: path: "{{ item.path }}" @@ -30,6 +22,57 @@ - { path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}", when: "{{ matrix_mx_puppet_skype_container_image_self_build }}" } when: matrix_mx_puppet_skype_enabled|bool and item.when|bool +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_skype_base_path }}/database.db" + register: matrix_mx_puppet_skype_stat_database + +- name: (Data relocation) Ensure matrix-mx-puppet-skype.service is stopped + service: + name: matrix-mx-puppet-skype + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mx_puppet_skype_stat_database.stat.exists" + +- name: (Data relocation) Move mx-puppet-skype database file to ./data directory + command: "mv {{ matrix_mx_puppet_skype_base_path }}/database.db {{ matrix_mx_puppet_skype_data_path }}/database.db" + when: "matrix_mx_puppet_skype_stat_database.stat.exists" + +- set_fact: + matrix_mx_puppet_skype_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mx_puppet_skype_sqlite_database_path_local }}" + register: matrix_mx_puppet_skype_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mx_puppet_skype_sqlite_database_path_local }}" + dst: "{{ matrix_mx_puppet_skype_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mx_puppet_skype_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mx-puppet-skype.service'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mx_puppet_skype_requires_restart: true + when: "matrix_mx_puppet_skype_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mx_puppet_skype_database_engine == 'postgres'" + +- name: Ensure MX Puppet Skype image is pulled + docker_image: + name: "{{ matrix_mx_puppet_skype_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_skype_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_skype_docker_image_force_pull }}" + when: matrix_mx_puppet_skype_enabled|bool and not matrix_mx_puppet_skype_container_image_self_build + - name: Ensure MX Puppet Skype repository is present on self build git: repo: "{{ matrix_mx_puppet_skype_container_image_self_build_repo }}" @@ -49,23 +92,6 @@ pull: yes when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build|bool" -- name: Check if an old database file already exists - stat: - path: "{{ matrix_mx_puppet_skype_base_path }}/database.db" - register: matrix_mx_puppet_skype_stat_database - -- name: (Data relocation) Ensure matrix-mx-puppet-skype.service is stopped - service: - name: matrix-mx-puppet-skype - state: stopped - daemon_reload: yes - failed_when: false - when: "matrix_mx_puppet_skype_stat_database.stat.exists" - -- name: (Data relocation) Move mx-puppet-skype database file to ./data directory - command: "mv {{ matrix_mx_puppet_skype_base_path }}/database.db {{ matrix_mx_puppet_skype_data_path }}/database.db" - when: "matrix_mx_puppet_skype_stat_database.stat.exists" - - name: Ensure mx-puppet-skype config.yaml installed copy: content: "{{ matrix_mx_puppet_skype_configuration|to_nice_yaml }}" @@ -93,3 +119,9 @@ service: daemon_reload: yes when: "matrix_mx_puppet_skype_systemd_service_result.changed" + +- name: Ensure matrix-mx-puppet-skype.service restarted, if necessary + service: + name: "matrix-mx-puppet-skype.service" + state: restarted + when: "matrix_mx_puppet_skype_requires_restart|bool" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml index c7100e51..7ed433b1 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml @@ -8,23 +8,3 @@ with_items: - "matrix_mx_puppet_skype_appservice_token" - "matrix_mx_puppet_skype_homeserver_token" - -- block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_mx_puppet_skype_data_path }}/database.db" - register: matrix_mx_puppet_skype_sqlite_database_path_local_stat_result - - - name: Fail if an SQLite database already exists when using Postgres - fail: - msg: >- - matrix_mx_puppet_skype_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing SQLite database in {{ matrix_mx_puppet_skype_data_path }}/database.db. - It appears that you've been using this bridge with the SQLite engine until now. - To continue using SQLite, opt into it explicitly: add `matrix_mx_puppet_skype_database_engine: sqlite` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing SQLite database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mx_puppet_skype_data_path }}/database.db postgres_connection_string_variable_name=matrix_mx_puppet_skype_database_connString'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_mx_puppet_skype_sqlite_database_path_local_stat_result.stat.exists" - when: "matrix_mx_puppet_skype_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 index a32523b1..d41d3a23 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 @@ -74,11 +74,11 @@ database: # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - connString: {{ matrix_mx_puppet_skype_database_connString | to_json }} + connString: {{ matrix_mx_puppet_skype_database_connection_string|to_json }} {% else %} # Use SQLite3 as a database backend # The name of the database file - filename: {{ matrix_mx_puppet_skype_database_file }} + filename: {{ matrix_mx_puppet_skype_sqlite_database_path_in_container|to_json }} {% endif %} provisioning: From 262a25f997a032826b0348f3d966bcac55b9959e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 16:39:21 +0200 Subject: [PATCH 1687/2384] Add support for automatic (Postgres -> SQLite) migration to mx-puppet-slack --- .../defaults/main.yml | 15 ++-- .../tasks/setup_install.yml | 74 +++++++++++++------ .../tasks/validate_config.yml | 20 ----- .../templates/config.yaml.j2 | 4 +- 4 files changed, 62 insertions(+), 51 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 2ed72611..9aad602a 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -59,18 +59,17 @@ matrix_mx_puppet_slack_login_shared_secret: '' # Database configuration, role uses 'sqlite' per default but playbook sets up postgres by default matrix_mx_puppet_slack_database_engine: sqlite + +matrix_mx_puppet_slack_sqlite_database_path_local: "{{ matrix_mx_puppet_slack_data_path }}/database.db" +matrix_mx_puppet_slack_sqlite_database_path_in_container: "/data/database.db" + matrix_mx_puppet_slack_database_username: matrix_mx_puppet_slack matrix_mx_puppet_slack_database_password: ~ matrix_mx_puppet_slack_database_hostname: 'matrix-postgres' matrix_mx_puppet_slack_database_port: 5432 -matrix_mx_puppet_slack_database_name: matrix_mx_puppet_slack -matrix_mx_puppet_slack_database_file: /data/database.db -matrix_mx_puppet_slack_database_connString: >-2 - {%- if matrix_mx_puppet_slack_database_engine == 'postgres' -%} - postgresql://{{ matrix_mx_puppet_slack_database_username }}:{{ matrix_mx_puppet_slack_database_password }}@{{ matrix_mx_puppet_slack_database_hostname }}:{{ matrix_mx_puppet_slack_database_port }}/{{ matrix_mx_puppet_slack_database_name }}?sslmode=disable - {%- elif matrix_mx_puppet_slack_database_engine == 'sqlite' -%} - {{ matrix_mx_puppet_slack_database_engine }}://{{ matrix_mx_puppet_slack_database_file }} - {%- endif -%} +matrix_mx_puppet_slack_database_db_name: matrix_mx_puppet_slack + +matrix_mx_puppet_slack_database_connection_string: 'postgresql://{{ matrix_mx_puppet_slack_database_username }}:{{ matrix_mx_puppet_slack_database_password }}@{{ matrix_mx_puppet_slack_database_hostname }}:{{ matrix_mx_puppet_slack_database_port }}/{{ matrix_mx_puppet_slack_database_db_name }}?sslmode=disable' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index 2e45ecf6..5d68435c 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -8,14 +8,6 @@ The matrix-bridge-mx-puppet-slack role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" -- name: Ensure MX Puppet Slack image is pulled - docker_image: - name: "{{ matrix_mx_puppet_slack_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mx_puppet_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_slack_docker_image_force_pull }}" - when: matrix_mx_puppet_slack_enabled|bool and not matrix_mx_puppet_slack_container_image_self_build - - name: Ensure MX Puppet Slack paths exist file: path: "{{ item.path }}" @@ -30,6 +22,53 @@ - { path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}", when: "{{ matrix_mx_puppet_slack_container_image_self_build }}" } when: matrix_mx_puppet_slack_enabled|bool and item.when|bool +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_slack_base_path }}/database.db" + register: matrix_mx_puppet_slack_stat_database + +- name: (Data relocation) Ensure matrix-mx-puppet-slack.service is stopped + service: + name: matrix-mx-puppet-slack + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mx_puppet_slack_stat_database.stat.exists" + +- set_fact: + matrix_mx_puppet_slack_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mx_puppet_slack_sqlite_database_path_local }}" + register: matrix_mx_puppet_slack_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mx_puppet_slack_sqlite_database_path_local }}" + dst: "{{ matrix_mx_puppet_slack_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mx_puppet_slack_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mx-puppet-slack.service'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mx_puppet_slack_requires_restart: true + when: "matrix_mx_puppet_slack_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mx_puppet_slack_database_engine == 'postgres'" + +- name: Ensure MX Puppet Slack image is pulled + docker_image: + name: "{{ matrix_mx_puppet_slack_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_slack_docker_image_force_pull }}" + when: matrix_mx_puppet_slack_enabled|bool and not matrix_mx_puppet_slack_container_image_self_build + - name: Ensure MX Puppet Slack repository is present on self build git: repo: "{{ matrix_mx_puppet_slack_container_image_self_build_repo }}" @@ -49,19 +88,6 @@ pull: yes when: "matrix_mx_puppet_slack_enabled|bool and matrix_mx_puppet_slack_container_image_self_build" -- name: Check if an old database file already exists - stat: - path: "{{ matrix_mx_puppet_slack_base_path }}/database.db" - register: matrix_mx_puppet_slack_stat_database - -- name: (Data relocation) Ensure matrix-mx-puppet-slack.service is stopped - service: - name: matrix-mx-puppet-slack - state: stopped - daemon_reload: yes - failed_when: false - when: "matrix_mx_puppet_slack_stat_database.stat.exists" - - name: (Data relocation) Move mx-puppet-slack database file to ./data directory command: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db" when: "matrix_mx_puppet_slack_stat_database.stat.exists" @@ -93,3 +119,9 @@ service: daemon_reload: yes when: "matrix_mx_puppet_slack_systemd_service_result.changed" + +- name: Ensure matrix-mx-puppet-slack.service restarted, if necessary + service: + name: "matrix-mx-puppet-slack.service" + state: restarted + when: "matrix_mx_puppet_slack_requires_restart|bool" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml index bc722ee6..3a0bca11 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml @@ -8,23 +8,3 @@ with_items: - "matrix_mx_puppet_slack_appservice_token" - "matrix_mx_puppet_slack_homeserver_token" - -- block: - - name: Check if sqlite database already exists - stat: - path: "{{ matrix_mx_puppet_slack_data_path }}/database.db" - register: matrix_mx_puppet_slack_sqlite_database_path_local_stat_result - - - name: Fail if an SQLite database already exists when using Postgres - fail: - msg: >- - matrix_mx_puppet_slack_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing SQLite database in {{ matrix_mx_puppet_slack_data_path }}/database.db. - It appears that you've been using this bridge with the SQLite engine until now. - To continue using SQLite, opt into it explicitly: add `matrix_mx_puppet_slack_database_engine: sqlite` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing SQLite database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mx_puppet_slack_data_path }}/database.db postgres_connection_string_variable_name=matrix_mx_puppet_slack_database_connString'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_mx_puppet_slack_sqlite_database_path_local_stat_result.stat.exists" - when: "matrix_mx_puppet_slack_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 index 58c5c11a..af6b5cb8 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 @@ -64,11 +64,11 @@ database: # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - connString: {{ matrix_mx_puppet_slack_database_connString | to_json }} + connString: {{ matrix_mx_puppet_slack_database_connection_string|to_json }} {% else %} # Use SQLite3 as a database backend # The name of the database file - filename: {{ matrix_mx_puppet_slack_database_file }} + filename: {{ matrix_mx_puppet_slack_sqlite_database_path_in_container|to_json }} {% endif %} logging: From 69cc2145d2c710d3874fe2ec12315266561e10a1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 16:51:59 +0200 Subject: [PATCH 1688/2384] Add support for automatic (Postgres -> SQLite) migration to mx-puppet-steam --- group_vars/matrix_servers | 2 +- .../defaults/main.yml | 15 ++-- .../tasks/setup_install.yml | 82 +++++++++++++------ .../tasks/validate_config.yml | 22 ----- .../templates/config.yaml.j2 | 4 +- 5 files changed, 67 insertions(+), 58 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index fda40efd..283d5b6e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -583,7 +583,7 @@ matrix_mx_puppet_steam_homeserver_token: "{{ matrix_synapse_macaroon_secret_key matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" # Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_mx_puppet_stream_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_steam.db') | to_uuid }}" ###################################################################### diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index 77f7804b..c1f6a385 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -56,18 +56,17 @@ matrix_mx_puppet_steam_homeserver_token: '' matrix_mx_puppet_steam_login_shared_secret: '' matrix_mx_puppet_steam_database_engine: sqlite + +matrix_mx_puppet_steam_sqlite_database_path_local: "{{ matrix_mx_puppet_steam_data_path }}/database.db" +matrix_mx_puppet_steam_sqlite_database_path_in_container: "/data/database.db" + matrix_mx_puppet_steam_database_username: matrix_mx_puppet_steam matrix_mx_puppet_steam_database_password: ~ matrix_mx_puppet_steam_database_hostname: 'matrix-postgres' matrix_mx_puppet_steam_database_port: 5432 -matrix_mx_puppet_steam_database_name: matrix_mx_puppet_steam -matrix_mx_puppet_steam_database_file: /data/database.db -matrix_mx_puppet_steam_database_connString: >-2 - {%- if matrix_mx_puppet_steam_database_engine == 'postgres' -%} - postgresql://{{ matrix_mx_puppet_steam_database_username }}:{{ matrix_mx_puppet_steam_database_password }}@{{ matrix_mx_puppet_steam_database_hostname }}:{{ matrix_mx_puppet_steam_database_port }}/{{ matrix_mx_puppet_steam_database_name }}?sslmode=disable - {%- elif matrix_mx_puppet_steam_database_engine == 'sqlite' -%} - {{ matrix_mx_puppet_steam_database_engine }}://{{ matrix_mx_puppet_steam_database_file }} - {%- endif -%} +matrix_mx_puppet_steam_database_db_name: matrix_mx_puppet_steam + +matrix_mx_puppet_steam_database_connection_string: 'postgresql://{{ matrix_mx_puppet_steam_database_username }}:{{ matrix_mx_puppet_steam_database_password }}@{{ matrix_mx_puppet_steam_database_hostname }}:{{ matrix_mx_puppet_steam_database_port }}/{{ matrix_mx_puppet_steam_database_db_name }}?sslmode=disable' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index 7b7f8211..71f6d889 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml @@ -8,14 +8,6 @@ The matrix-bridge-mx-puppet-steam role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" -- name: Ensure MX Puppet Steam image is pulled - docker_image: - name: "{{ matrix_mx_puppet_steam_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mx_puppet_steam_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_steam_docker_image_force_pull }}" - when: matrix_mx_puppet_steam_enabled|bool and not matrix_mx_puppet_steam_container_image_self_build - - name: Ensure MX Puppet Steam paths exist file: path: "{{ item.path }}" @@ -30,6 +22,57 @@ - { path: "{{ matrix_mx_puppet_steam_docker_src_files_path }}", when: "{{ matrix_mx_puppet_steam_container_image_self_build }}" } when: matrix_mx_puppet_steam_enabled|bool and item.when|bool +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_steam_base_path }}/database.db" + register: matrix_mx_puppet_steam_stat_database + +- name: (Data relocation) Ensure matrix-mx-puppet-steam.service is stopped + service: + name: matrix-mx-puppet-steam + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mx_puppet_steam_stat_database.stat.exists" + +- name: (Data relocation) Move mx-puppet-steam database file to ./data directory + command: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db" + when: "matrix_mx_puppet_steam_stat_database.stat.exists" + +- set_fact: + matrix_mx_puppet_steam_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mx_puppet_steam_sqlite_database_path_local }}" + register: matrix_mx_puppet_steam_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mx_puppet_steam_sqlite_database_path_local }}" + dst: "{{ matrix_mx_puppet_steam_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mx_puppet_steam_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mx-puppet-steam.service'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mx_puppet_steam_requires_restart: true + when: "matrix_mx_puppet_steam_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mx_puppet_steam_database_engine == 'postgres'" + +- name: Ensure MX Puppet Steam image is pulled + docker_image: + name: "{{ matrix_mx_puppet_steam_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_steam_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_steam_docker_image_force_pull }}" + when: matrix_mx_puppet_steam_enabled|bool and not matrix_mx_puppet_steam_container_image_self_build + - name: Ensure MX Puppet Steam repository is present on self build git: repo: "{{ matrix_mx_puppet_steam_container_image_self_build_repo }}" @@ -49,23 +92,6 @@ pull: yes when: "matrix_mx_puppet_steam_enabled|bool and matrix_mx_puppet_steam_container_image_self_build" -- name: Check if an old database file already exists - stat: - path: "{{ matrix_mx_puppet_steam_base_path }}/database.db" - register: matrix_mx_puppet_steam_stat_database - -- name: (Data relocation) Ensure matrix-mx-puppet-steam.service is stopped - service: - name: matrix-mx-puppet-steam - state: stopped - daemon_reload: yes - failed_when: false - when: "matrix_mx_puppet_steam_stat_database.stat.exists" - -- name: (Data relocation) Move mx-puppet-steam database file to ./data directory - command: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db" - when: "matrix_mx_puppet_steam_stat_database.stat.exists" - - name: Ensure mx-puppet-steam config.yaml installed copy: content: "{{ matrix_mx_puppet_steam_configuration|to_nice_yaml }}" @@ -93,3 +119,9 @@ service: daemon_reload: yes when: "matrix_mx_puppet_steam_systemd_service_result.changed" + +- name: Ensure matrix-mx-puppet-steam.service restarted, if necessary + service: + name: "matrix-mx-puppet-steam.service" + state: restarted + when: "matrix_mx_puppet_steam_requires_restart|bool" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml index 50ce15d9..a8bc6a42 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/validate_config.yml @@ -8,25 +8,3 @@ with_items: - "matrix_mx_puppet_steam_appservice_token" - "matrix_mx_puppet_steam_homeserver_token" - -- block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_mx_puppet_steam_data_path }}" - register: matrix_mx_puppet_steam_sqlite_database_path_local_stat_result - - - name: Fail if an SQLite database already exists when using Postgres - fail: - msg: >- - matrix_mx_puppet_steam_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing SQLite database in {{ matrix_mx_puppet_steam_data_path }}/database.db. - It appears that you've been using this bridge with the SQLite engine until now. - To continue using SQLite, opt into it explicitly: add `matrix_mx_puppet_steam_database_engine: sqlite` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing SQLite database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mx_puppet_steam_data_path }}/database.db postgres_connection_string_variable_name=matrix_mx_puppet_steam_database_connString'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_mx_puppet_steam_sqlite_database_path_local_stat_result.stat.exists" - when: "matrix_mx_puppet_steam_database_engine == 'postgres'" - - diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 index 8eda278d..149e08b6 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 @@ -67,11 +67,11 @@ database: # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - connString: {{ matrix_mx_puppet_steam_database_connString | to_json }} + connString: {{ matrix_mx_puppet_steam_database_connection_string|to_json }} {% else %} # Use SQLite3 as a database backend # The name of the database file - filename: {{ matrix_mx_puppet_steam_database_file }} + filename: {{ matrix_mx_puppet_steam_sqlite_database_path_in_container|to_json }} {% endif %} logging: From ab6563ce4e9273cc4e45fbf1b50339c10aff9452 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 17:09:08 +0200 Subject: [PATCH 1689/2384] Add support for automatic (Postgres -> SQLite) migration to mx-puppet-twitter --- .../defaults/main.yml | 17 ++-- .../tasks/setup_install.yml | 82 +++++++++++++------ .../tasks/validate_config.yml | 22 ----- .../templates/config.yaml.j2 | 4 +- 4 files changed, 67 insertions(+), 58 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index 91aa264a..da7a9ae7 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -62,18 +62,17 @@ matrix_mx_puppet_twitter_login_shared_secret: '' # Database configuration matrix_mx_puppet_twitter_database_engine: sqlite -matrix_mx_puppet_twitter_database_username: matrix:mx_puppet_twitter + +matrix_mx_puppet_twitter_sqlite_database_path_local: "{{ matrix_mx_puppet_twitter_data_path }}/database.db" +matrix_mx_puppet_twitter_sqlite_database_path_in_container: "/data/database.db" + +matrix_mx_puppet_twitter_database_username: mx_puppet_twitter matrix_mx_puppet_twitter_database_password: ~ matrix_mx_puppet_twitter_database_hostname: 'matrix-postgres' matrix_mx_puppet_twitter_database_port: 5432 -matrix_mx_puppet_twitter_database_name: matrix_mx_puppet_twitter -matrix_mx_puppet_twitter_database_file: /data/database.db -matrix_mx_puppet_twitter_database_connString: >-2 - {%- if matrix_mx_puppet_twitter_database_engine == 'postgres' -%} - postgresql://{{ matrix_mx_puppet_twitter_database_username }}:{{ matrix_mx_puppet_twitter_database_password }}@{{ matrix_mx_puppet_twitter_database_hostname }}:{{ matrix_mx_puppet_twitter_database_port }}/{{ matrix_mx_puppet_twitter_database_name }}?sslmode=disable - {%- elif matrix_mx_puppet_twitter_database_engine == 'sqlite' -%} - {{ matrix_mx_puppet_twitter_database_engine }}://{{ matrix_mx_puppet_twitter_database_file }} - {%- endif -%} +matrix_mx_puppet_twitter_database_db_name: matrix_mx_puppet_twitter + +matrix_mx_puppet_twitter_database_connection_string: 'postgresql://{{ matrix_mx_puppet_twitter_database_username }}:{{ matrix_mx_puppet_twitter_database_password }}@{{ matrix_mx_puppet_twitter_database_hostname }}:{{ matrix_mx_puppet_twitter_database_port }}/{{ matrix_mx_puppet_twitter_database_db_name }}?sslmode=disable' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index 663f822c..3893981a 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml @@ -8,14 +8,6 @@ The matrix-bridge-mx-puppet-twitter role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" -- name: Ensure MX Puppet Twitter image is pulled - docker_image: - name: "{{ matrix_mx_puppet_twitter_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mx_puppet_twitter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_twitter_docker_image_force_pull }}" - when: matrix_mx_puppet_twitter_enabled|bool and not matrix_mx_puppet_twitter_container_image_self_build - - name: Ensure MX Puppet Twitter paths exist file: path: "{{ item.path }}" @@ -30,6 +22,57 @@ - { path: "{{ matrix_mx_puppet_twitter_docker_src_files_path }}", when: "{{ matrix_mx_puppet_twitter_container_image_self_build }}" } when: matrix_mx_puppet_twitter_enabled|bool and item.when|bool +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_twitter_base_path }}/database.db" + register: matrix_mx_puppet_twitter_stat_database + +- name: (Data relocation) Ensure matrix-mx-puppet-twitter.service is stopped + service: + name: matrix-mx-puppet-twitter + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mx_puppet_twitter_stat_database.stat.exists" + +- name: (Data relocation) Move mx-puppet-twitter database file to ./data directory + command: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db" + when: "matrix_mx_puppet_twitter_stat_database.stat.exists" + +- set_fact: + matrix_mx_puppet_twitter_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mx_puppet_twitter_sqlite_database_path_local }}" + register: matrix_mx_puppet_twitter_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mx_puppet_twitter_sqlite_database_path_local }}" + dst: "{{ matrix_mx_puppet_twitter_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mx_puppet_twitter_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mx-puppet-twitter.service'] + + - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mx_puppet_twitter_requires_restart: true + when: "matrix_mx_puppet_twitter_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mx_puppet_twitter_database_engine == 'postgres'" + +- name: Ensure MX Puppet Twitter image is pulled + docker_image: + name: "{{ matrix_mx_puppet_twitter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_twitter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_twitter_docker_image_force_pull }}" + when: matrix_mx_puppet_twitter_enabled|bool and not matrix_mx_puppet_twitter_container_image_self_build + - name: Ensure MX Puppet Twitter repository is present on self build git: repo: "{{ matrix_mx_puppet_twitter_container_image_self_build_repo }}" @@ -49,23 +92,6 @@ pull: yes when: "matrix_mx_puppet_twitter_enabled|bool and matrix_mx_puppet_twitter_container_image_self_build" -- name: Check if an old database file already exists - stat: - path: "{{ matrix_mx_puppet_twitter_base_path }}/database.db" - register: matrix_mx_puppet_twitter_stat_database - -- name: (Data relocation) Ensure matrix-mx-puppet-twitter.service is stopped - service: - name: matrix-mx-puppet-twitter - state: stopped - daemon_reload: yes - failed_when: false - when: "matrix_mx_puppet_twitter_stat_database.stat.exists" - -- name: (Data relocation) Move mx-puppet-twitter database file to ./data directory - command: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db" - when: "matrix_mx_puppet_twitter_stat_database.stat.exists" - - name: Ensure mx-puppet-twitter config.yaml installed copy: content: "{{ matrix_mx_puppet_twitter_configuration|to_nice_yaml }}" @@ -93,3 +119,9 @@ service: daemon_reload: yes when: "matrix_mx_puppet_twitter_systemd_service_result.changed" + +- name: Ensure matrix-mx-puppet-twitter.service restarted, if necessary + service: + name: "matrix-mx-puppet-twitter.service" + state: restarted + when: "matrix_mx_puppet_twitter_requires_restart|bool" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml index 0b3bd8f8..d13a39e1 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/validate_config.yml @@ -8,25 +8,3 @@ with_items: - "matrix_mx_puppet_twitter_appservice_token" - "matrix_mx_puppet_twitter_homeserver_token" - -- block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_mx_puppet_twitter_sqlite_data_path }}/database.db" - register: matrix_mx_puppet_twitter_sqlite_database_path_local_stat_result - - - name: Fail if an SQLite database already exists when using Postgres - fail: - msg: >- - matrix_mx_puppet_twitter_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing SQLite database in {{ matrix_mx_puppet_twitter_data_path }}/database.db. - It appears that you've been using this bridge with the SQLite engine until now. - To continue using SQLite, opt into it explicitly: add `matrix_mx_puppet_twitter_database_engine: sqlite` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing SQLite database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the SQLite database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_mx_puppet_twitter_data_path }}/database.db postgres_connection_string_variable_name=matrix_mx_puppet_twitter_database_connString'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_mx_puppet_twitter_sqlite_database_path_local_stat_result.stat.exists" - when: "matrix_mx_puppet_twitter_database_engine == 'postgres'" - - diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 index cecb171d..bdecf1dc 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 @@ -60,11 +60,11 @@ database: # Connection string to connect to the Postgres instance # with username "user", password "pass", host "localhost" and database name "dbname". # Modify each value as necessary - connString: {{ matrix_mx_puppet_twitter_database_connString | to_json }} + connString: {{ matrix_mx_puppet_twitter_database_connection_string|to_json }} {% else %} # Use SQLite3 as a database backend # The name of the database file - filename: {{ matrix_mx_puppet_twitter_database_file }} + filename: {{ matrix_mx_puppet_twitter_sqlite_database_path_in_container|to_json }} {% endif %} logging: From 15f4cc924d30a62256cd30a0c73311223d74eac6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 17:10:02 +0200 Subject: [PATCH 1690/2384] Rename variables (_database_db_name -> _database_name) --- group_vars/matrix_servers | 34 +++++++++---------- .../defaults/main.yml | 4 +-- .../defaults/main.yml | 4 +-- .../defaults/main.yml | 4 +-- .../defaults/main.yml | 4 +-- .../defaults/main.yml | 4 +-- .../defaults/main.yml | 4 +-- .../defaults/main.yml | 4 +-- .../defaults/main.yml | 4 +-- .../defaults/main.yml | 4 +-- .../defaults/main.yml | 4 +-- .../defaults/main.yml | 4 +-- .../defaults/main.yml | 4 +-- roles/matrix-dimension/defaults/main.yml | 4 +-- roles/matrix-ma1sd/defaults/main.yml | 4 +-- roles/matrix-ma1sd/templates/ma1sd.yaml.j2 | 2 +- roles/matrix-registration/defaults/main.yml | 4 +-- .../tasks/setup_install.yml | 2 +- 18 files changed, 49 insertions(+), 49 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 283d5b6e..21846592 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -999,55 +999,55 @@ matrix_postgres_db_name: "homeserver" matrix_postgres_additional_databases: | {{ ([{ - 'name': matrix_ma1sd_database_db_name, + 'name': matrix_ma1sd_database_name, 'username': matrix_ma1sd_database_username, 'password': matrix_ma1sd_database_password, }] if (matrix_ma1sd_enabled and matrix_ma1sd_database_engine == 'postgres' and matrix_ma1sd_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_bot_matrix_reminder_bot_database_db_name, + 'name': matrix_bot_matrix_reminder_bot_database_name, 'username': matrix_bot_matrix_reminder_bot_database_username, 'password': matrix_bot_matrix_reminder_bot_database_password, }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_registration_database_db_name, + 'name': matrix_registration_database_name, 'username': matrix_registration_database_username, 'password': matrix_registration_database_password, }] if (matrix_registration_enabled and matrix_registration_database_engine == 'postgres' and matrix_registration_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_appservice_discord_database_db_name, + 'name': matrix_appservice_discord_database_name, 'username': matrix_appservice_discord_database_username, 'password': matrix_appservice_discord_database_password, }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_appservice_slack_database_db_name, + 'name': matrix_appservice_slack_database_name, 'username': matrix_appservice_slack_database_username, 'password': matrix_appservice_slack_database_password, }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_appservice_irc_database_db_name, + 'name': matrix_appservice_irc_database_name, 'username': matrix_appservice_irc_database_username, 'password': matrix_appservice_irc_database_password, }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_facebook_database_db_name, + 'name': matrix_mautrix_facebook_database_name, 'username': matrix_mautrix_facebook_database_username, 'password': matrix_mautrix_facebook_database_password, }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_hangouts_database_db_name, + 'name': matrix_mautrix_hangouts_database_name, 'username': matrix_mautrix_hangouts_database_username, 'password': matrix_mautrix_hangouts_database_password, }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_telegram_database_db_name, + 'name': matrix_mautrix_telegram_database_name, 'username': matrix_mautrix_telegram_database_username, 'password': matrix_mautrix_telegram_database_password, }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_whatsapp_database_db_name, + 'name': matrix_mautrix_whatsapp_database_name, 'username': matrix_mautrix_whatsapp_database_username, 'password': matrix_mautrix_whatsapp_database_password, }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == 'matrix-postgres') else []) @@ -1057,36 +1057,36 @@ matrix_postgres_additional_databases: | 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | to_uuid, }] if matrix_sms_bridge_enabled else []) + ([{ - 'name': matrix_mx_puppet_skype_database_db_name, + 'name': matrix_mx_puppet_skype_database_name, 'username': matrix_mx_puppet_skype_database_username, 'password': matrix_mx_puppet_skype_database_password, }] if (matrix_mx_puppet_skype_enabled and matrix_mx_puppet_skype_database_engine == 'postgres' and matrix_mx_puppet_skype_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_slack_database_db_name, + 'name': matrix_mx_puppet_slack_database_name, 'username': matrix_mx_puppet_slack_database_username, 'password': matrix_mx_puppet_slack_database_password, }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_twitter_database_db_name, + 'name': matrix_mx_puppet_twitter_database_name, 'username': matrix_mx_puppet_twitter_database_username, 'password': matrix_mx_puppet_twitter_database_password, }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_instagram_database_db_name, + 'name': matrix_mx_puppet_instagram_database_name, 'username': matrix_mx_puppet_instagram_database_username, 'password': matrix_mx_puppet_instagram_database_password, }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' and matrix_mx_puppet_instagram_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_discord_database_db_name, + 'name': matrix_mx_puppet_discord_database_name, 'username': matrix_mx_puppet_discord_database_username, 'password': matrix_mx_puppet_discord_database_password, }] if (matrix_mx_puppet_discord_enabled and matrix_mx_puppet_discord_database_engine == 'postgres' and matrix_mx_puppet_discord_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mx_puppet_steam_database_db_name, + 'name': matrix_mx_puppet_steam_database_name, 'username': matrix_mx_puppet_steam_database_username, 'password': matrix_mx_puppet_steam_database_password, }] if (matrix_mx_puppet_steam_enabled @@ -1094,7 +1094,7 @@ matrix_postgres_additional_databases: | and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_dimension_database_db_name, + 'name': matrix_dimension_database_name, 'username': matrix_dimension_database_username, 'password': matrix_dimension_database_password, }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == 'matrix-postgres') else []) diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index 70e7b2d2..29bc8307 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -37,9 +37,9 @@ matrix_bot_matrix_reminder_bot_database_username: 'matrix_reminder_bot' matrix_bot_matrix_reminder_bot_database_password: 'some-password' matrix_bot_matrix_reminder_bot_database_hostname: 'matrix-postgres' matrix_bot_matrix_reminder_bot_database_port: 5432 -matrix_bot_matrix_reminder_bot_database_db_name: 'matrix_reminder_bot' +matrix_bot_matrix_reminder_bot_database_name: 'matrix_reminder_bot' -matrix_bot_matrix_reminder_bot_database_connection_string: 'postgres://{{ matrix_bot_matrix_reminder_bot_database_username }}:{{ matrix_bot_matrix_reminder_bot_database_password }}@{{ matrix_bot_matrix_reminder_bot_database_hostname }}:{{ matrix_bot_matrix_reminder_bot_database_port }}/{{ matrix_bot_matrix_reminder_bot_database_db_name }}' +matrix_bot_matrix_reminder_bot_database_connection_string: 'postgres://{{ matrix_bot_matrix_reminder_bot_database_username }}:{{ matrix_bot_matrix_reminder_bot_database_password }}@{{ matrix_bot_matrix_reminder_bot_database_hostname }}:{{ matrix_bot_matrix_reminder_bot_database_port }}/{{ matrix_bot_matrix_reminder_bot_database_name }}' matrix_bot_matrix_reminder_bot_storage_database: "{{ { diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 8e453a15..c7cdddb6 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -57,12 +57,12 @@ matrix_appservice_discord_database_username: 'matrix_appservice_discord' matrix_appservice_discord_database_password: 'some-password' matrix_appservice_discord_database_hostname: 'matrix-postgres' matrix_appservice_discord_database_port: 5432 -matrix_appservice_discord_database_db_name: 'matrix_appservice_discord' +matrix_appservice_discord_database_name: 'matrix_appservice_discord' # These 2 variables are what actually ends up in the bridge configuration. # It's best if you don't change them directly, but rather redefine the sub-variables that constitute them. matrix_appservice_discord_database_filename: "{{ matrix_appservice_discord_sqlite_database_path_in_container }}" -matrix_appservice_discord_database_connString: 'postgresql://{{ matrix_appservice_discord_database_username }}:{{ matrix_appservice_discord_database_password }}@{{ matrix_appservice_discord_database_hostname }}:{{ matrix_appservice_discord_database_port }}/{{ matrix_appservice_discord_database_db_name }}' +matrix_appservice_discord_database_connString: 'postgresql://{{ matrix_appservice_discord_database_username }}:{{ matrix_appservice_discord_database_password }}@{{ matrix_appservice_discord_database_hostname }}:{{ matrix_appservice_discord_database_port }}/{{ matrix_appservice_discord_database_name }}' # Tells whether the bot should make use of "Privileged Gateway Intents". diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index c02197a5..580934db 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -49,9 +49,9 @@ matrix_mautrix_facebook_database_username: 'matrix_mautrix_facebook' matrix_mautrix_facebook_database_password: 'some-password' matrix_mautrix_facebook_database_hostname: 'matrix-postgres' matrix_mautrix_facebook_database_port: 5432 -matrix_mautrix_facebook_database_db_name: 'matrix_mautrix_facebook' +matrix_mautrix_facebook_database_name: 'matrix_mautrix_facebook' -matrix_mautrix_facebook_database_connection_string: 'postgresql://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_database_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_db_name }}' +matrix_mautrix_facebook_database_connection_string: 'postgresql://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_database_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_name }}' matrix_mautrix_facebook_appservice_database: "{{ { diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 5d38289b..984bec48 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -56,9 +56,9 @@ matrix_mautrix_hangouts_database_username: 'matrix_mautrix_hangouts' matrix_mautrix_hangouts_database_password: 'some-password' matrix_mautrix_hangouts_database_hostname: 'matrix-postgres' matrix_mautrix_hangouts_database_port: 5432 -matrix_mautrix_hangouts_database_db_name: 'matrix_mautrix_hangouts' +matrix_mautrix_hangouts_database_name: 'matrix_mautrix_hangouts' -matrix_mautrix_hangouts_database_connection_string: 'postgresql://{{ matrix_mautrix_hangouts_database_username }}:{{ matrix_mautrix_hangouts_database_password }}@{{ matrix_mautrix_hangouts_database_hostname }}:{{ matrix_mautrix_hangouts_database_port }}/{{ matrix_mautrix_hangouts_database_db_name }}' +matrix_mautrix_hangouts_database_connection_string: 'postgresql://{{ matrix_mautrix_hangouts_database_username }}:{{ matrix_mautrix_hangouts_database_password }}@{{ matrix_mautrix_hangouts_database_hostname }}:{{ matrix_mautrix_hangouts_database_port }}/{{ matrix_mautrix_hangouts_database_name }}' matrix_mautrix_hangouts_appservice_database: "{{ { diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index fcdf95db..ceebd3ec 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -60,9 +60,9 @@ matrix_mautrix_telegram_database_username: 'matrix_mautrix_telegram' matrix_mautrix_telegram_database_password: 'some-password' matrix_mautrix_telegram_database_hostname: 'matrix-postgres' matrix_mautrix_telegram_database_port: 5432 -matrix_mautrix_telegram_database_db_name: 'matrix_mautrix_telegram' +matrix_mautrix_telegram_database_name: 'matrix_mautrix_telegram' -matrix_mautrix_telegram_database_connection_string: 'postgresql://{{ matrix_mautrix_telegram_database_username }}:{{ matrix_mautrix_telegram_database_password }}@{{ matrix_mautrix_telegram_database_hostname }}:{{ matrix_mautrix_telegram_database_port }}/{{ matrix_mautrix_telegram_database_db_name }}' +matrix_mautrix_telegram_database_connection_string: 'postgresql://{{ matrix_mautrix_telegram_database_username }}:{{ matrix_mautrix_telegram_database_password }}@{{ matrix_mautrix_telegram_database_hostname }}:{{ matrix_mautrix_telegram_database_port }}/{{ matrix_mautrix_telegram_database_name }}' matrix_mautrix_telegram_appservice_database: "{{ { diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 7e198b36..0d4f9852 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -44,9 +44,9 @@ matrix_mautrix_whatsapp_database_username: 'matrix_mautrix_whatsapp' matrix_mautrix_whatsapp_database_password: 'some-password' matrix_mautrix_whatsapp_database_hostname: 'matrix-postgres' matrix_mautrix_whatsapp_database_port: 5432 -matrix_mautrix_whatsapp_database_db_name: 'matrix_mautrix_whatsapp' +matrix_mautrix_whatsapp_database_name: 'matrix_mautrix_whatsapp' -matrix_mautrix_whatsapp_database_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_database_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_db_name }}' +matrix_mautrix_whatsapp_database_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_database_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_name }}' matrix_mautrix_whatsapp_appservice_database_type: "{{ { diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index ad86a241..97b20313 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -65,9 +65,9 @@ matrix_mx_puppet_discord_database_username: matrix_mx_puppet_discord matrix_mx_puppet_discord_database_password: ~ matrix_mx_puppet_discord_database_hostname: 'matrix-postgres' matrix_mx_puppet_discord_database_port: 5432 -matrix_mx_puppet_discord_database_db_name: matrix_mx_puppet_discord +matrix_mx_puppet_discord_database_name: matrix_mx_puppet_discord -matrix_mx_puppet_discord_database_connection_string: 'postgresql://{{ matrix_mx_puppet_discord_database_username }}:{{ matrix_mx_puppet_discord_database_password }}@{{ matrix_mx_puppet_discord_database_hostname }}:{{ matrix_mx_puppet_discord_database_port }}/{{ matrix_mx_puppet_discord_database_db_name }}?sslmode=disable' +matrix_mx_puppet_discord_database_connection_string: 'postgresql://{{ matrix_mx_puppet_discord_database_username }}:{{ matrix_mx_puppet_discord_database_password }}@{{ matrix_mx_puppet_discord_database_hostname }}:{{ matrix_mx_puppet_discord_database_port }}/{{ matrix_mx_puppet_discord_database_name }}?sslmode=disable' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml index 61bf3dcf..cd08c010 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -55,9 +55,9 @@ matrix_mx_puppet_instagram_database_username: matrix_mx_puppet_instagram matrix_mx_puppet_instagram_database_password: ~ matrix_mx_puppet_instagram_database_hostname: 'matrix-postgres' matrix_mx_puppet_instagram_database_port: 5432 -matrix_mx_puppet_instagram_database_db_name: matrix_mx_puppet_instagram +matrix_mx_puppet_instagram_database_name: matrix_mx_puppet_instagram -matrix_mx_puppet_instagram_database_connection_string: 'postgresql://{{ matrix_mx_puppet_instagram_database_username }}:{{ matrix_mx_puppet_instagram_database_password }}@{{ matrix_mx_puppet_instagram_database_hostname }}:{{ matrix_mx_puppet_instagram_database_port }}/{{ matrix_mx_puppet_instagram_database_db_name }}?sslmode=disable' +matrix_mx_puppet_instagram_database_connection_string: 'postgresql://{{ matrix_mx_puppet_instagram_database_username }}:{{ matrix_mx_puppet_instagram_database_password }}@{{ matrix_mx_puppet_instagram_database_hostname }}:{{ matrix_mx_puppet_instagram_database_port }}/{{ matrix_mx_puppet_instagram_database_name }}?sslmode=disable' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index f3e17a59..83cd3dc5 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -63,9 +63,9 @@ matrix_mx_puppet_skype_database_username: matrix_mx_puppet_skype matrix_mx_puppet_skype_database_password: ~ matrix_mx_puppet_skype_database_hostname: 'matrix-postgres' matrix_mx_puppet_skype_database_port: 5432 -matrix_mx_puppet_skype_database_db_name: matrix_mx_puppet_skype +matrix_mx_puppet_skype_database_name: matrix_mx_puppet_skype -matrix_mx_puppet_skype_database_connection_string: 'postgresql://{{ matrix_mx_puppet_skype_database_username }}:{{ matrix_mx_puppet_skype_database_password }}@{{ matrix_mx_puppet_skype_database_hostname }}:{{ matrix_mx_puppet_skype_database_port }}/{{ matrix_mx_puppet_skype_database_db_name }}?sslmode=disable' +matrix_mx_puppet_skype_database_connection_string: 'postgresql://{{ matrix_mx_puppet_skype_database_username }}:{{ matrix_mx_puppet_skype_database_password }}@{{ matrix_mx_puppet_skype_database_hostname }}:{{ matrix_mx_puppet_skype_database_port }}/{{ matrix_mx_puppet_skype_database_name }}?sslmode=disable' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 9aad602a..70b98ece 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -67,9 +67,9 @@ matrix_mx_puppet_slack_database_username: matrix_mx_puppet_slack matrix_mx_puppet_slack_database_password: ~ matrix_mx_puppet_slack_database_hostname: 'matrix-postgres' matrix_mx_puppet_slack_database_port: 5432 -matrix_mx_puppet_slack_database_db_name: matrix_mx_puppet_slack +matrix_mx_puppet_slack_database_name: matrix_mx_puppet_slack -matrix_mx_puppet_slack_database_connection_string: 'postgresql://{{ matrix_mx_puppet_slack_database_username }}:{{ matrix_mx_puppet_slack_database_password }}@{{ matrix_mx_puppet_slack_database_hostname }}:{{ matrix_mx_puppet_slack_database_port }}/{{ matrix_mx_puppet_slack_database_db_name }}?sslmode=disable' +matrix_mx_puppet_slack_database_connection_string: 'postgresql://{{ matrix_mx_puppet_slack_database_username }}:{{ matrix_mx_puppet_slack_database_password }}@{{ matrix_mx_puppet_slack_database_hostname }}:{{ matrix_mx_puppet_slack_database_port }}/{{ matrix_mx_puppet_slack_database_name }}?sslmode=disable' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index c1f6a385..15fa889f 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -64,9 +64,9 @@ matrix_mx_puppet_steam_database_username: matrix_mx_puppet_steam matrix_mx_puppet_steam_database_password: ~ matrix_mx_puppet_steam_database_hostname: 'matrix-postgres' matrix_mx_puppet_steam_database_port: 5432 -matrix_mx_puppet_steam_database_db_name: matrix_mx_puppet_steam +matrix_mx_puppet_steam_database_name: matrix_mx_puppet_steam -matrix_mx_puppet_steam_database_connection_string: 'postgresql://{{ matrix_mx_puppet_steam_database_username }}:{{ matrix_mx_puppet_steam_database_password }}@{{ matrix_mx_puppet_steam_database_hostname }}:{{ matrix_mx_puppet_steam_database_port }}/{{ matrix_mx_puppet_steam_database_db_name }}?sslmode=disable' +matrix_mx_puppet_steam_database_connection_string: 'postgresql://{{ matrix_mx_puppet_steam_database_username }}:{{ matrix_mx_puppet_steam_database_password }}@{{ matrix_mx_puppet_steam_database_hostname }}:{{ matrix_mx_puppet_steam_database_port }}/{{ matrix_mx_puppet_steam_database_name }}?sslmode=disable' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index da7a9ae7..28639fda 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -70,9 +70,9 @@ matrix_mx_puppet_twitter_database_username: mx_puppet_twitter matrix_mx_puppet_twitter_database_password: ~ matrix_mx_puppet_twitter_database_hostname: 'matrix-postgres' matrix_mx_puppet_twitter_database_port: 5432 -matrix_mx_puppet_twitter_database_db_name: matrix_mx_puppet_twitter +matrix_mx_puppet_twitter_database_name: matrix_mx_puppet_twitter -matrix_mx_puppet_twitter_database_connection_string: 'postgresql://{{ matrix_mx_puppet_twitter_database_username }}:{{ matrix_mx_puppet_twitter_database_password }}@{{ matrix_mx_puppet_twitter_database_hostname }}:{{ matrix_mx_puppet_twitter_database_port }}/{{ matrix_mx_puppet_twitter_database_db_name }}?sslmode=disable' +matrix_mx_puppet_twitter_database_connection_string: 'postgresql://{{ matrix_mx_puppet_twitter_database_username }}:{{ matrix_mx_puppet_twitter_database_password }}@{{ matrix_mx_puppet_twitter_database_hostname }}:{{ matrix_mx_puppet_twitter_database_port }}/{{ matrix_mx_puppet_twitter_database_name }}?sslmode=disable' # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index a6a3bf5d..8a691946 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -57,9 +57,9 @@ matrix_dimension_database_username: 'matrix_dimension' matrix_dimension_database_password: 'some-password' matrix_dimension_database_hostname: 'matrix-postgres' matrix_dimension_database_port: 5432 -matrix_dimension_database_db_name: 'matrix_dimension' +matrix_dimension_database_name: 'matrix_dimension' -matrix_dimension_database_connection_string: 'postgres://{{ matrix_dimension_database_username }}:{{ matrix_dimension_database_password }}@{{ matrix_dimension_database_hostname }}:{{ matrix_dimension_database_port }}/{{ matrix_dimension_database_db_name }}' +matrix_dimension_database_connection_string: 'postgres://{{ matrix_dimension_database_username }}:{{ matrix_dimension_database_password }}@{{ matrix_dimension_database_hostname }}:{{ matrix_dimension_database_port }}/{{ matrix_dimension_database_name }}' # Default Dimension configuration template which covers the generic use case. diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 42e36e92..2932f3ed 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -56,9 +56,9 @@ matrix_ma1sd_database_username: 'matrix_ma1sd' matrix_ma1sd_database_password: 'some-password' matrix_ma1sd_database_hostname: 'matrix-postgres' matrix_ma1sd_database_port: 5432 -matrix_ma1sd_database_db_name: 'matrix_ma1sd' +matrix_ma1sd_database_name: 'matrix_ma1sd' -matrix_ma1sd_database_connection_string: 'postgresql://{{ matrix_ma1sd_database_username }}:{{ matrix_ma1sd_database_password }}@{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_db_name }}' +matrix_ma1sd_database_connection_string: 'postgresql://{{ matrix_ma1sd_database_username }}:{{ matrix_ma1sd_database_password }}@{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }}' # ma1sd has serveral supported identity stores. diff --git a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 index 43b4022d..9a426c47 100644 --- a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 +++ b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 @@ -20,7 +20,7 @@ storage: backend: postgresql provider: postgresql: - database: //{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_db_name }} + database: //{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }} username: {{ matrix_ma1sd_database_username|to_json }} password: {{ matrix_ma1sd_database_password|to_json }} {% endif %} diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index d85faf89..065e0c48 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -48,9 +48,9 @@ matrix_registration_database_username: 'matrix_registration' matrix_registration_database_password: 'some-password' matrix_registration_database_hostname: 'matrix-postgres' matrix_registration_database_port: 5432 -matrix_registration_database_db_name: 'matrix_registration' +matrix_registration_database_name: 'matrix_registration' -matrix_registration_database_connection_string: 'postgresql://{{ matrix_registration_database_username }}:{{ matrix_registration_database_password }}@{{ matrix_registration_database_hostname }}:{{ matrix_registration_database_port }}/{{ matrix_registration_database_db_name }}' +matrix_registration_database_connection_string: 'postgresql://{{ matrix_registration_database_username }}:{{ matrix_registration_database_password }}@{{ matrix_registration_database_hostname }}:{{ matrix_registration_database_port }}/{{ matrix_registration_database_name }}' # For some reason, matrix-registraiton expects the `db` field to be like this: `sqlite:////data/db.sqlite3`. # (seems like one too many slashes, but..) diff --git a/roles/matrix-registration/tasks/setup_install.yml b/roles/matrix-registration/tasks/setup_install.yml index 708cb1df..9b6d1260 100644 --- a/roles/matrix-registration/tasks/setup_install.yml +++ b/roles/matrix-registration/tasks/setup_install.yml @@ -22,7 +22,7 @@ # which makes matrix-registration choke on it later on when comparing dates. additional_psql_statements_list: - ALTER TABLE tokens ALTER COLUMN ex_date TYPE TIMESTAMP WITHOUT TIME ZONE; - additional_psql_statements_db_name: "{{ matrix_registration_database_db_name }}" + additional_psql_statements_db_name: "{{ matrix_registration_database_name }}" - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" From 815a80c290d2527a74a26acb47e6f1fbbb3f000b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 17:16:56 +0200 Subject: [PATCH 1691/2384] Fix alignment issues --- group_vars/matrix_servers | 53 ++++++++++++++++++++++----------------- 1 file changed, 30 insertions(+), 23 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 21846592..318ebac7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1021,78 +1021,85 @@ matrix_postgres_additional_databases: | 'username': matrix_appservice_discord_database_username, 'password': matrix_appservice_discord_database_password, }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_database_hostname == 'matrix-postgres') else []) - + ([{ + + + ([{ 'name': matrix_appservice_slack_database_name, 'username': matrix_appservice_slack_database_username, 'password': matrix_appservice_slack_database_password, }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == 'matrix-postgres') else []) - + ([{ + + + ([{ 'name': matrix_appservice_irc_database_name, 'username': matrix_appservice_irc_database_username, 'password': matrix_appservice_irc_database_password, }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == 'matrix-postgres') else []) - + ([{ + + + ([{ 'name': matrix_mautrix_facebook_database_name, 'username': matrix_mautrix_facebook_database_username, 'password': matrix_mautrix_facebook_database_password, }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == 'matrix-postgres') else []) - + ([{ + + + ([{ 'name': matrix_mautrix_hangouts_database_name, 'username': matrix_mautrix_hangouts_database_username, 'password': matrix_mautrix_hangouts_database_password, }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) - + ([{ + + + ([{ 'name': matrix_mautrix_telegram_database_name, 'username': matrix_mautrix_telegram_database_username, 'password': matrix_mautrix_telegram_database_password, }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == 'matrix-postgres') else []) - + ([{ + + + ([{ 'name': matrix_mautrix_whatsapp_database_name, 'username': matrix_mautrix_whatsapp_database_username, 'password': matrix_mautrix_whatsapp_database_password, }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == 'matrix-postgres') else []) - + ([{ + + + ([{ 'name': 'matrix_bridge_sms', 'username': 'matrix_bridge_sms', 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | to_uuid, }] if matrix_sms_bridge_enabled else []) - + ([{ + + + ([{ 'name': matrix_mx_puppet_skype_database_name, 'username': matrix_mx_puppet_skype_database_username, 'password': matrix_mx_puppet_skype_database_password, }] if (matrix_mx_puppet_skype_enabled and matrix_mx_puppet_skype_database_engine == 'postgres' and matrix_mx_puppet_skype_database_hostname == 'matrix-postgres') else []) - + ([{ + + + ([{ 'name': matrix_mx_puppet_slack_database_name, 'username': matrix_mx_puppet_slack_database_username, 'password': matrix_mx_puppet_slack_database_password, }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == 'matrix-postgres') else []) - + ([{ + + + ([{ 'name': matrix_mx_puppet_twitter_database_name, 'username': matrix_mx_puppet_twitter_database_username, 'password': matrix_mx_puppet_twitter_database_password, }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == 'matrix-postgres') else []) - + ([{ + + + ([{ 'name': matrix_mx_puppet_instagram_database_name, 'username': matrix_mx_puppet_instagram_database_username, 'password': matrix_mx_puppet_instagram_database_password, - }] if (matrix_mx_puppet_instagram_enabled - and matrix_mx_puppet_instagram_database_engine == 'postgres' - and matrix_mx_puppet_instagram_database_hostname == 'matrix-postgres') else []) - + ([{ + }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' and matrix_mx_puppet_instagram_database_hostname == 'matrix-postgres') else []) + + + ([{ 'name': matrix_mx_puppet_discord_database_name, 'username': matrix_mx_puppet_discord_database_username, 'password': matrix_mx_puppet_discord_database_password, - }] if (matrix_mx_puppet_discord_enabled - and matrix_mx_puppet_discord_database_engine == 'postgres' - and matrix_mx_puppet_discord_database_hostname == 'matrix-postgres') else []) - + ([{ + }] if (matrix_mx_puppet_discord_enabled and matrix_mx_puppet_discord_database_engine == 'postgres' and matrix_mx_puppet_discord_database_hostname == 'matrix-postgres') else []) + + + ([{ 'name': matrix_mx_puppet_steam_database_name, 'username': matrix_mx_puppet_steam_database_username, 'password': matrix_mx_puppet_steam_database_password, - }] if (matrix_mx_puppet_steam_enabled - and matrix_mx_puppet_steam_database_engine == 'postgres' - and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres') else []) - + + }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_dimension_database_name, 'username': matrix_dimension_database_username, From 715bdf2c6487c56be5ad17a4e7b80d94efa46ce2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 19:32:43 +0200 Subject: [PATCH 1692/2384] Add support for automatic (nedb -> Postgres) migration to mx-appservice-irc --- group_vars/matrix_servers | 3 +- roles/matrix-base/defaults/main.yml | 1 + .../defaults/main.yml | 17 +++-- .../tasks/migrate_nedb_to_postgres.yml | 53 ++++++++++++++++ .../tasks/setup_install.yml | 63 ++++++++++++------- .../tasks/validate_config.yml | 20 ------ .../templates/config.yaml.j2 | 4 +- roles/matrix-postgres/tasks/import_nedb.yml | 21 +------ roles/matrix-postgres/tasks/main.yml | 8 --- 9 files changed, 109 insertions(+), 81 deletions(-) create mode 100644 roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 318ebac7..4ddadb43 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -181,8 +181,7 @@ matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key | matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.hs.token') | to_uuid }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" matrix_appservice_irc_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.irc.db') | to_uuid }}" diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index e0522ba8..d0fdcdf8 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -106,6 +106,7 @@ matrix_docker_package_name: docker-ce run_postgres_import: true run_postgres_upgrade: true run_postgres_import_sqlite_db: true +run_postgres_import_nedb: true run_postgres_vacuum: true run_synapse_register_user: true run_synapse_update_user_password: true diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 5110fd85..0b671e76 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -23,12 +23,17 @@ matrix_appservice_irc_database_hostname: 'matrix-postgres' matrix_appservice_irc_database_port: 5432 matrix_appservice_irc_database_name: matrix_appservice_irc -matrix_appservice_irc_database_connString: >-2 - {%- if matrix_appservice_irc_database_engine == 'postgres' -%} - postgresql://{{ matrix_appservice_irc_database_username }}:{{ matrix_appservice_irc_database_password }}@{{ matrix_appservice_irc_database_hostname }}:{{ matrix_appservice_irc_database_port }}/{{ matrix_appservice_irc_database_name }}?sslmode=disable - {%- elif matrix_appservice_irc_database_engine == 'nedb' -%} - {{ matrix_appservice_irc_database_engine }}://{{ matrix_appservice_irc_database_file }} - {%- endif -%} +# This is just the Postgres connection string, if Postgres is used. +# Naming clashes with `matrix_appservice_irc_database_connectionString` somewhat. +matrix_appservice_irc_database_connection_string: 'postgresql://{{ matrix_appservice_irc_database_username }}:{{ matrix_appservice_irc_database_password }}@{{ matrix_appservice_irc_database_hostname }}:{{ matrix_appservice_irc_database_port }}/{{ matrix_appservice_irc_database_name }}?sslmode=disable' + +# This is what actually goes into `database.connectionString` for the bridge. +matrix_appservice_irc_database_connectionString: "{{ + { + 'nedb': 'nedb:///data', + 'postgres': matrix_appservice_irc_database_connection_string, + }[matrix_appservice_irc_database_engine] +}}" matrix_appservice_irc_ircService_servers: [] diff --git a/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml b/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml new file mode 100644 index 00000000..bc6525ec --- /dev/null +++ b/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml @@ -0,0 +1,53 @@ +- name: Fail if Postgres not enabled + fail: + msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot migrate." + when: "not matrix_postgres_enabled|bool" + +# Defaults + +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + +# Actual import work + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: matrix_postgres_service_start_result + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false + when: "matrix_postgres_service_start_result.changed|bool" + +- name: Ensure matrix-appservice-irc is stopped + service: + name: matrix-appservice-irc + state: stopped + +- name: Import appservice-irc NeDB database into Postgres + command: + cmd: >- + {{ matrix_host_command_docker }} run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --mount type=bind,src={{ matrix_appservice_irc_data_path }},dst=/data + --entrypoint=/bin/sh + {{ matrix_appservice_irc_docker_image }} + -c + '/usr/local/bin/node /app/lib/scripts/migrate-db-to-pgres.js --dbdir /data --privateKey /data/passkey.pem --connectionString {{ matrix_appservice_irc_database_connection_string }}' + +- name: Archive NeDB database files + command: + cmd: "mv {{ matrix_appservice_irc_data_path }}/{{ item }} {{ matrix_appservice_irc_data_path }}/{{ item }}.backup" + with_items: + - rooms.db + - users.db diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 5e313347..a748df96 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -1,12 +1,5 @@ --- -- name: Ensure Appservice IRC image is pulled - docker_image: - name: "{{ matrix_appservice_irc_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_appservice_irc_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_docker_image_force_pull }}" - - name: Ensure Appservice IRC paths exist file: path: "{{ item }}" @@ -24,25 +17,49 @@ path: "{{ matrix_appservice_irc_base_path }}/passkey.pem" register: matrix_appservice_irc_stat_passkey -- name: (Data relocation) Ensure matrix-appservice-irc.service is stopped - service: - name: matrix-appservice-irc - state: stopped - daemon_reload: yes - failed_when: false +- block: + - name: (Data relocation) Ensure matrix-appservice-irc.service is stopped + service: + name: matrix-appservice-irc + state: stopped + daemon_reload: yes + failed_when: false + + - name: (Data relocation) Move AppService IRC passkey.pem file to ./data directory + command: "mv {{ matrix_appservice_irc_base_path }}/passkey.pem {{ matrix_appservice_irc_data_path }}/passkey.pem" + + - name: (Data relocation) Move AppService IRC database files to ./data directory + command: "mv {{ matrix_appservice_irc_base_path }}/{{ item }} {{ matrix_appservice_irc_data_path }}/{{ item }}" + with_items: + - rooms.db + - users.db + failed_when: false when: "matrix_appservice_irc_stat_passkey.stat.exists" -- name: (Data relocation) Move AppService IRC passkey.pem file to ./data directory - command: "mv {{ matrix_appservice_irc_base_path }}/passkey.pem {{ matrix_appservice_irc_data_path }}/passkey.pem" - when: "matrix_appservice_irc_stat_passkey.stat.exists" -- name: (Data relocation) Move AppService IRC database files to ./data directory - command: "mv {{ matrix_appservice_irc_base_path }}/{{ item }} {{ matrix_appservice_irc_data_path }}/{{ item }}" - with_items: - - rooms.db - - users.db - failed_when: false - when: "matrix_appservice_irc_stat_passkey.stat.exists" +- set_fact: + matrix_appservice_irc_requires_restart: false + +- block: + - name: Check if a nedb database already exists + stat: + path: "{{ matrix_appservice_irc_data_path }}/users.db" + register: matrix_appservice_irc_nedb_database_path_local_stat_result + + - block: + - import_tasks: "{{ role_path }}/tasks/migrate_nedb_to_postgres.yml" + + - set_fact: + matrix_appservice_irc_requires_restart: true + when: "matrix_appservice_irc_nedb_database_path_local_stat_result.stat.exists|bool" + when: "matrix_appservice_irc_database_engine == 'postgres'" + +- name: Ensure Appservice IRC image is pulled + docker_image: + name: "{{ matrix_appservice_irc_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_appservice_irc_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_docker_image_force_pull }}" - name: Ensure Matrix Appservice IRC config installed copy: diff --git a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml index 9b89a340..bd08427c 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml @@ -33,23 +33,3 @@ when: "item.old in vars" with_items: - {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': ''} - -- block: - - name: Check if a neDB database already exists - stat: - path: "{{ matrix_appservice_irc_data_path }}/" - register: matrix_appservice_irc_nedb_stat_result - - - name: Fail if an neDB database already exists when using Postgres - fail: - msg: >-2 - matrix_appservice_irc_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing neDB database in {{ matrix_appservice_irc_data_path }}/. - It appears that you've been using this bridge with the neDB engine until now. - To continue using neDB, opt into it explicitly: add `matrix_appservice_irc_database_engine: nedb` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing neDB database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the neDB database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-irc-nedb --extra-vars='nedb_database_path={{ matrix_appservice_irc_data_path }} postgres_connection_string_variable_name=matrix_appservice_irc_database_connString'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_appservice_irc_nedb_stat_result.stat.exists" - when: "matrix_appservice_irc_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 index 0da28403..94bbda7b 100644 --- a/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2 @@ -127,8 +127,8 @@ advanced: # Use an external database to store bridge state. database: # database engine (must be 'postgres' or 'nedb'). Default: nedb - engine: {{ matrix_appservice_irc_database_engine }} + engine: {{ matrix_appservice_irc_database_engine|to_json }} # Either a PostgreSQL connection string, or a path to the NeDB storage directory. # For postgres, it must start with postgres:// # For NeDB, it must start with nedb://. The path is relative to the project directory. - connectionString: {{ matrix_appservice_irc_database_connString | to_json }} + connectionString: {{ matrix_appservice_irc_database_connectionString|to_json }} diff --git a/roles/matrix-postgres/tasks/import_nedb.yml b/roles/matrix-postgres/tasks/import_nedb.yml index cc1f9d78..2a3dd587 100644 --- a/roles/matrix-postgres/tasks/import_nedb.yml +++ b/roles/matrix-postgres/tasks/import_nedb.yml @@ -67,22 +67,6 @@ become: false when: "matrix_postgres_service_start_result.changed|bool" -# See https://github.com/matrix-org/matrix-appservice-irc/wiki/Migrating-from-NEdB-to-PostgreSQL -- name: Import appservice_irc NeDB database from {{ sqlite_database_path }} into Postgres - when: database == 'appservice_irc' - command: - cmd: >- - {{ matrix_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --mount type=bind,src={{ matrix_appservice_irc_data_path }}:/data:ro - --entrypoint=/bin/sh - {{ matrix_appservice_irc_docker_image }} - -c - './scripts/migrate-db-to-pgres.sh -d /data -p passkey.pem -c {{ postgres_db_connection_string }}' - # No migration.sh available, but found this: # https://github.com/matrix-org/matrix-appservice-slack/blob/develop/src/scripts/migrateToPostgres.ts # Usage should be similar to appservice_irc @@ -95,15 +79,12 @@ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} --cap-drop=ALL --network={{ matrix_docker_network }} - --mount type=bind,src={{ matrix_appservice_irc_data_path }}:/data:ro + --mount type=bind,src={{ matrix_appservice_irc_data_path }},dst=/data,ro --entrypoint=/bin/sh {{ matrix_appservice_slack_docker_image }} -c 'node /lib/scripts/migrate-db-to-pgres.js -d /data -p passkey.pem -c {{ postgres_db_connection_string }}' -- name: Archive NeDB database ({{ sqlite_database_path }} -> {{ sqlite_database_path }}.backup) - command: - cmd: "mv {{ sqlite_database_path }} {{ sqlite_database_path }}.backup" - name: Inject result set_fact: diff --git a/roles/matrix-postgres/tasks/main.yml b/roles/matrix-postgres/tasks/main.yml index 51801314..86b8f872 100644 --- a/roles/matrix-postgres/tasks/main.yml +++ b/roles/matrix-postgres/tasks/main.yml @@ -32,14 +32,6 @@ tags: - import-generic-sqlite-db -# Imports appservice-irc NeDB into postgres -- import_tasks: "{{ role_path }}/tasks/import_nedb.yml" - vars: - database: appservice_irc - when: run_postgres_import_nedb|bool - tags: - - import-irc-nedb - # Imports slacks neDB to postgres. - import_tasks: "{{ role_path }}/tasks/import_nedb.yml" vars: From 9b95e1937c61a2b21d3d11b3d497e16c6176d593 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 19:34:08 +0200 Subject: [PATCH 1693/2384] Auto-restart matrix-appservice-irc after (nedb -> Postgres) migration --- roles/matrix-bridge-appservice-irc/tasks/setup_install.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index a748df96..00568c0d 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -36,7 +36,6 @@ failed_when: false when: "matrix_appservice_irc_stat_passkey.stat.exists" - - set_fact: matrix_appservice_irc_requires_restart: false @@ -164,3 +163,9 @@ service: daemon_reload: yes when: "matrix_appservice_irc_systemd_service_result.changed" + +- name: Ensure matrix-appservice-irc.service restarted, if necessary + service: + name: "matrix-appservice-irc.service" + state: restarted + when: "matrix_appservice_irc_requires_restart|bool" From 8675dedbdb310425d309f6bf1725d7a6c415279e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Dec 2020 19:56:52 +0200 Subject: [PATCH 1694/2384] Add support for automatic (nedb -> Postgres) migration to matrix-appservice-slack --- roles/matrix-base/defaults/main.yml | 1 - .../tasks/migrate_nedb_to_postgres.yml | 11 +++ .../defaults/main.yml | 19 ++-- .../tasks/migrate_nedb_to_postgres.yml | 66 +++++++++++++ .../tasks/setup_install.yml | 37 +++++-- .../tasks/validate_config.yml | 20 ---- .../templates/config.yaml.j2 | 7 +- roles/matrix-postgres/tasks/import_nedb.yml | 98 ------------------- roles/matrix-postgres/tasks/main.yml | 8 -- 9 files changed, 123 insertions(+), 144 deletions(-) create mode 100644 roles/matrix-bridge-appservice-slack/tasks/migrate_nedb_to_postgres.yml delete mode 100644 roles/matrix-postgres/tasks/import_nedb.yml diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index d0fdcdf8..e0522ba8 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -106,7 +106,6 @@ matrix_docker_package_name: docker-ce run_postgres_import: true run_postgres_upgrade: true run_postgres_import_sqlite_db: true -run_postgres_import_nedb: true run_postgres_vacuum: true run_synapse_register_user: true run_synapse_update_user_password: true diff --git a/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml b/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml index bc6525ec..3fab195a 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml @@ -51,3 +51,14 @@ with_items: - rooms.db - users.db + +- name: Inject result + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: Your appservice-irc database files have been imported into Postgres. The original database files have been moved from `{{ matrix_appservice_irc_data_path }}/*.db` to `{{ matrix_appservice_irc_data_path }}/*.db.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete these files." + ] + }} diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 365493ff..28646a3c 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -51,13 +51,18 @@ matrix_appservice_slack_database_password: ~ matrix_appservice_slack_database_hostname: 'matrix-postgres' matrix_appservice_slack_database_port: 5432 matrix_appservice_slack_database_name: matrix_appservice_slack -matrix_appservice_slack_database_file: /data -matrix_appservice_slack_database_connString: >-2 - {%- if matrix_appservice_slack_database_engine == 'postgres' -%} - postgresql://{{ matrix_appservice_slack_database_username }}:{{ matrix_appservice_slack_database_password }}@{{ matrix_appservice_slack_database_hostname }}:{{ matrix_appservice_slack_database_port }}/{{ matrix_appservice_slack_database_name }}?sslmode=disable - {%- elif matrix_appservice_slack_database_engine == 'nedb' -%} - {{ matrix_appservice_slack_database_engine }}://{{ matrix_appservice_slack_database_file }} - {%- endif -%} + +# This is just the Postgres connection string, if Postgres is used. +# Naming clashes with `matrix_appservice_slack_database_connectionString` somewhat. +matrix_appservice_slack_database_connection_string: 'postgresql://{{ matrix_appservice_slack_database_username }}:{{ matrix_appservice_slack_database_password }}@{{ matrix_appservice_slack_database_hostname }}:{{ matrix_appservice_slack_database_port }}/{{ matrix_appservice_slack_database_name }}?sslmode=disable' + +# This is what actually goes into `database.connectionString` for the bridge. +matrix_appservice_slack_database_connectionString: "{{ + { + 'nedb': 'nedb:///data', + 'postgres': matrix_appservice_slack_database_connection_string, + }[matrix_appservice_slack_database_engine] +}}" matrix_appservice_slack_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" diff --git a/roles/matrix-bridge-appservice-slack/tasks/migrate_nedb_to_postgres.yml b/roles/matrix-bridge-appservice-slack/tasks/migrate_nedb_to_postgres.yml new file mode 100644 index 00000000..fedad977 --- /dev/null +++ b/roles/matrix-bridge-appservice-slack/tasks/migrate_nedb_to_postgres.yml @@ -0,0 +1,66 @@ +- name: Fail if Postgres not enabled + fail: + msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot migrate." + when: "not matrix_postgres_enabled|bool" + +# Defaults + +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + +# Actual import work + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: matrix_postgres_service_start_result + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false + when: "matrix_postgres_service_start_result.changed|bool" + +- name: Ensure matrix-appservice-slack is stopped + service: + name: matrix-appservice-slack + state: stopped + +- name: Import appservice-slack NeDB database into Postgres + command: + cmd: >- + {{ matrix_host_command_docker }} run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --mount type=bind,src={{ matrix_appservice_slack_data_path }},dst=/data + --entrypoint=/bin/sh + {{ matrix_appservice_slack_docker_image }} + -c + '/usr/local/bin/node /usr/src/app/lib/scripts/migrateToPostgres.js --dbdir /data --connectionString {{ matrix_appservice_slack_database_connection_string }}' + +- name: Archive NeDB database files + command: + cmd: "mv {{ matrix_appservice_slack_data_path }}/{{ item }} {{ matrix_appservice_slack_data_path }}/{{ item }}.backup" + with_items: + - teams.db + - room-store.db + - user-store.db + - event-store.db + +- name: Inject result + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: Your appservice-slack database files have been imported into Postgres. The original database files have been moved from `{{ matrix_appservice_slack_data_path }}/*.db` to `{{ matrix_appservice_slack_data_path }}/*.db.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete these files." + ] + }} diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index 94e0fedf..29b0f39e 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -1,12 +1,5 @@ --- -- name: Ensure Appservice Slack image is pulled - docker_image: - name: "{{ matrix_appservice_slack_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}" - - name: Ensure AppService Slack paths exist file: path: "{{ item }}" @@ -19,6 +12,30 @@ - "{{ matrix_appservice_slack_config_path }}" - "{{ matrix_appservice_slack_data_path }}" +- set_fact: + matrix_appservice_slack_requires_restart: false + +- block: + - name: Check if a nedb database already exists + stat: + path: "{{ matrix_appservice_slack_data_path }}/teams.db" + register: matrix_appservice_slack_nedb_database_path_local_stat_result + + - block: + - import_tasks: "{{ role_path }}/tasks/migrate_nedb_to_postgres.yml" + + - set_fact: + matrix_appservice_slack_requires_restart: true + when: "matrix_appservice_slack_nedb_database_path_local_stat_result.stat.exists|bool" + when: "matrix_appservice_slack_database_engine == 'postgres'" + +- name: Ensure Appservice Slack image is pulled + docker_image: + name: "{{ matrix_appservice_slack_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}" + - name: Ensure Matrix Appservice Slack config installed copy: content: "{{ matrix_appservice_slack_configuration|to_nice_yaml }}" @@ -46,3 +63,9 @@ service: daemon_reload: yes when: "matrix_appservice_slack_systemd_service_result.changed" + +- name: Ensure matrix-appservice-slack.service restarted, if necessary + service: + name: "matrix-appservice-slack.service" + state: restarted + when: "matrix_appservice_slack_requires_restart|bool" diff --git a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml index 5421b112..8af10f2f 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/validate_config.yml @@ -10,23 +10,3 @@ - "matrix_appservice_slack_appservice_token" - "matrix_appservice_slack_homeserver_token" - "matrix_appservice_slack_id_token" - -- block: - - name: Check if a neDB database already exists - stat: - path: "{{ matrix_appservice_slack_data_path }}/" - register: matrix_appservice_slack_nedb_stat_result - - - name: Fail if an neDB database already exists when using Postgres - fail: - msg: >-2 - matrix_appservice_slack_database_engine has been set to `postgres` (which is our new default now). - However, we've discovered an existing neDB database in {{ matrix_appservice_slack_data_path }}/. - It appears that you've been using this bridge with the neDB engine until now. - To continue using neDB, opt into it explicitly: add `matrix_appservice_slack_database_engine: nedb` to your vars.yml file and re-run this same command. - Alternatively, to migrate your existing neDB database to Postgres: - 1. Stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) - 2. Import the neDB database into Postgres (`ansible-playbook -v -i inventory/hosts setup.yml --tags=import-generic-sqlite-db --extra-vars='sqlite_database_path={{ matrix_appservice_slack_data_path }} postgres_connection_string_variable_name=matrix_appservice_slack_database_connString'`) - 3. Re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) - when: "matrix_appservice_slack_nedb_stat_result.stat.exists" - when: "matrix_appservice_slack_database_engine == 'postgres'" diff --git a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 index 0ae13738..bf8072c1 100644 --- a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2 @@ -11,9 +11,10 @@ homeserver: {% if matrix_appservice_slack_database_engine == 'nedb' %} dbdir: "/data" -{% endif %} +{% else %} db: - engine: "{{ matrix_appservice_slack_database_engine }}" - connectionString: {{ matrix_appservice_slack_database_connString | to_json }} + engine: {{ matrix_appservice_slack_database_engine|to_json }} + connectionString: {{ matrix_appservice_slack_database_connectionString|to_json }} +{% endif %} matrix_admin_room: "{{ matrix_appservice_slack_control_room_id }}" diff --git a/roles/matrix-postgres/tasks/import_nedb.yml b/roles/matrix-postgres/tasks/import_nedb.yml deleted file mode 100644 index 2a3dd587..00000000 --- a/roles/matrix-postgres/tasks/import_nedb.yml +++ /dev/null @@ -1,98 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if Postgres not enabled - fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." - when: "not matrix_postgres_enabled|bool" - -- name: Fail if playbook called incorrectly - fail: - msg: "The `nedb_database_path` variable needs to be provided to this playbook, via --extra-vars" - when: "nedb_database_path is not defined or nedb_database_path.startswith('<')" - -- name: Check if the provided nedb database file exists - stat: - path: "{{ nedb_database_path }}" - register: nedb_database_path_stat_result - -- name: Fail if provided SQLite database file doesn't exist - fail: - msg: "File cannot be found on the server at {{ nedb_database_path }}" - when: "not nedb_database_path_stat_result.stat.exists" - -# We either expect `postgres_db_connection_string` specifying a full Postgres database connection string, -# or `postgres_connection_string_variable_name`, specifying a name of a variable, which contains a valid connection string. - -- block: - - name: Fail if postgres_connection_string_variable_name points to an undefined variable - fail: msg="postgres_connection_string_variable_name is defined, but there is no variable with the name `{{ postgres_connection_string_variable_name }}`" - when: "postgres_connection_string_variable_name not in vars" - - - name: Get Postgres connection string from variable - set_fact: - postgres_db_connection_string: "{{ lookup('vars', postgres_connection_string_variable_name) }}" - when: 'postgres_connection_string_variable_name is defined' - -- name: Fail if playbook called incorrectly - fail: - msg: >- - Either a `postgres_db_connection_string` variable or a `postgres_connection_string_variable_name` needs to be provided to this playbook, via `--extra-vars`. - Example: `--extra-vars="postgres_db_connection_string=postgresql://username:password@localhost:/database_name"` or `--extra-vars="postgres_connection_string_variable_name=matrix_appservice_discord_database_connString"` - when: "postgres_db_connection_string is not defined or not postgres_db_connection_string.startswith('postgresql://')" - - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time|default('') == ''" - - -# Actual import work - -- name: Ensure matrix-postgres is started - service: - name: matrix-postgres - state: started - daemon_reload: yes - register: matrix_postgres_service_start_result - -- name: Wait a bit, so that Postgres can start - wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - when: "matrix_postgres_service_start_result.changed|bool" - -# No migration.sh available, but found this: -# https://github.com/matrix-org/matrix-appservice-slack/blob/develop/src/scripts/migrateToPostgres.ts -# Usage should be similar to appservice_irc -- name: Import appservice_slack NeDB database from {{ sqlite_database_path }} into Postgres - when: database == 'appservice_slack' - command: - cmd: >- - {{ matrix_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --mount type=bind,src={{ matrix_appservice_irc_data_path }},dst=/data,ro - --entrypoint=/bin/sh - {{ matrix_appservice_slack_docker_image }} - -c - 'node /lib/scripts/migrate-db-to-pgres.js -d /data -p passkey.pem -c {{ postgres_db_connection_string }}' - - -- name: Inject result - set_fact: - matrix_playbook_runtime_results: | - {{ - matrix_playbook_runtime_results|default([]) - + - [ - "NOTE: Your NeDB database file has been imported into Postgres. The original directory has been moved from `{{ nedb_database_path }}` to `{{ nedb_database_path }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." - ] - }} diff --git a/roles/matrix-postgres/tasks/main.yml b/roles/matrix-postgres/tasks/main.yml index 86b8f872..b9c2ae7c 100644 --- a/roles/matrix-postgres/tasks/main.yml +++ b/roles/matrix-postgres/tasks/main.yml @@ -32,14 +32,6 @@ tags: - import-generic-sqlite-db -# Imports slacks neDB to postgres. -- import_tasks: "{{ role_path }}/tasks/import_nedb.yml" - vars: - database: appservice_slack - when: run_postgres_import_nedb|bool - tags: - - import-slack-nedb - - import_tasks: "{{ role_path }}/tasks/upgrade_postgres.yml" when: run_postgres_upgrade|bool tags: From ad1425eee4f8d9eb1f92f5f0acecef8da3447280 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Dec 2020 09:08:54 +0200 Subject: [PATCH 1695/2384] Add pgloader self-building support (for ARM) --- group_vars/matrix_servers | 2 + roles/matrix-postgres/defaults/main.yml | 13 ++++- .../tasks/util/migrate_db_to_postgres.yml | 55 +++++++++++++++---- 3 files changed, 58 insertions(+), 12 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4ddadb43..c8af3cf2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -995,6 +995,8 @@ matrix_postgres_connection_username: "synapse" matrix_postgres_connection_password: "synapse-password" matrix_postgres_db_name: "homeserver" +matrix_postgres_pgloader_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + matrix_postgres_additional_databases: | {{ ([{ diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 0c516281..8f1d0d78 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -65,4 +65,15 @@ matrix_postgres_import_databases_ignore_regex: "^CREATE DATABASE ({{ matrix_post # For most (subsequent) runs, Postgres would already be running, so no waiting will be happening at all. matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds: 15 -matrix_postgres_pgloader_docker_image: "docker.io/illagrenan/pgloader:3.6.2" + +matrix_postgres_pgloader_container_image_self_build: false +matrix_postgres_pgloader_container_image_self_build_repo: "https://github.com/illagrenan/pgloader-docker.git" +matrix_postgres_pgloader_container_image_self_build_repo_branch: "v{{ matrix_postgres_pgloader_docker_image_tag }}" +matrix_postgres_pgloader_container_image_self_build_src_path: "{{ matrix_postgres_base_path }}/pgloader-container-src" + +# We use illagrenan/pgloader, instead of the more official dimitri/pgloader image, +# because the official one only provides a `latest` tag. +matrix_postgres_pgloader_docker_image: "{{ matrix_postgres_pgloader_docker_image_name_prefix }}illagrenan/pgloader:{{ matrix_postgres_pgloader_docker_image_tag }}" +matrix_postgres_pgloader_docker_image_name_prefix: "{{ 'localhost/' if matrix_postgres_pgloader_container_image_self_build else 'docker.io/' }}" +matrix_postgres_pgloader_docker_image_tag: "3.6.2" +matrix_postgres_pgloader_docker_image_force_pull: "{{ matrix_postgres_pgloader_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml index d01611ef..0da48c64 100644 --- a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml +++ b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml @@ -31,17 +31,50 @@ msg: "File cannot be found on the server at {{ matrix_postgres_db_migration_request.src }}" when: "not matrix_postgres_db_migration_request_src_stat_result.stat.exists" -- name: Fail if we cannot migrate on the current architecture ({{ matrix_architecture }}) - fail: - msg: >- - {{ matrix_postgres_db_migration_request.engine_variable_name }} (part of {{ matrix_postgres_db_migration_request.caller }}) has been set to `postgres` (which is our new default now). - However, we've discovered an existing file-based database ({{ matrix_postgres_db_migration_request.engine_old }}) in {{ matrix_postgres_db_migration_request.src }}. - It appears that you've been using this bridge with a file-based database engine until now. - To continue using {{ matrix_postgres_db_migration_request.engine_old }}, opt into it explicitly: add `{{ matrix_postgres_db_migration_request.engine_variable_name }}: {{ matrix_postgres_db_migration_request.engine_old }}` to your vars.yml file and re-run this same command. - We'd normally auto-migrate you to Postgres, but we can't do it on the {{ matrix_architecture }} architecture. Our pgloader container image only supports amd64 (for now). - Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/740 - when: "matrix_architecture != 'amd64'" - +- block: + - name: Ensure pgloader repository is present on self-build + git: + repo: "{{ matrix_postgres_pgloader_container_image_self_build_repo }}" + dest: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}" + version: "{{ matrix_postgres_pgloader_container_image_self_build_repo_branch }}" + force: "yes" + register: matrix_postgres_pgloader_git_pull_results + + # If `stable` is used, we hit an error when processing /opt/src/pgloader/build/quicklisp/dists/quicklisp/software/uax-15-20201220-git/data/CompositionExclusions.txt: + # > the octet sequence #(194) cannot be decoded + # + # The issue is described here and is not getting fixed for months: https://github.com/dimitri/pgloader/pull/1179 + # + # Although we're not using the dimitri/pgloader image, the one we're using suffers from the same problem. + - name: Switch pgloader base image from Debian stable (likely 10.x/Buster) to Bullseye + lineinfile: + path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}/Dockerfile" + regexp: "{{ item.match }}" + line: "{{ item.replace }}" + with_items: + - match: '^FROM debian:stable-slim as builder$' + replace: 'FROM debian:bullseye-slim as builder' + - match: '^FROM debian:stable-slim$' + replace: 'FROM debian:bullseye-slim' + + - name: Ensure pgloader Docker image is built + docker_image: + name: "{{ matrix_postgres_pgloader_docker_image }}" + source: build + force_source: "{{ matrix_postgres_pgloader_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}" + pull: yes + when: "matrix_postgres_pgloader_container_image_self_build|bool" + +- name: Ensure pgloader Docker image is pulled + docker_image: + name: "{{ matrix_postgres_pgloader_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_postgres_pgloader_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_pgloader_docker_image_force_pull }}" + when: "not matrix_postgres_pgloader_container_image_self_build" # Defaults From 3475b98b76ff27af5250dceba1e90195e2825ed7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Dec 2020 11:02:02 +0200 Subject: [PATCH 1696/2384] Announce the big move to all-on-Postgres Related to - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/740 - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/686 --- CHANGELOG.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 946ec5b0..efc5c536 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,31 @@ +# 2020-12-23 + +## The big move to all-on-Postgres (potentially dangerous) + +**TLDR**: all your bridges (and other services) will likely be auto-migrated from SQLite/nedb to Postgres, hopefully without trouble. You can opt-out (see how below), if too worried about breakage. + +Until now, we've only used Postgres as a database for Synapse. All other services (bridges, bots, etc.) were kept simple and used a file-based database (SQLite or nedb). + +Since [this huge pull request](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/740), **all of our services now use Postgres by default**. Thanks to [Johanna Dorothea Reichmann](https://github.com/jdreichmann) for starting the work on it and for providing great input! + +Moving all services to Postgres brings a few **benefits** to us: + +- **improved performance** +- **improved compatibility**. Most bridges are deprecating SQLite/nedb support or offer less features when not on Postgres. +- **easier backups**. It's still some effort to take a proper backup (Postgres dump + various files, keys), but a Postgres dump now takes you much further. +- we're now **more prepared to introduce other services** that need a Postgres database - [Dendrite](https://github.com/matrix-org/dendrite), the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge (existing [pull request](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/686)), etc. + +### Key takeway + +- existing installations that use an [external Postgres](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-external-postgres.md) server should be unaffected (they remain on SQLite/nedb for all services, except Synapse) + +- for existing installations which use our integrated Postgres database server (`matrix-postgres`, which is the default), **we automatically migrate data** from SQLite/nedb to Postgres and **archive the database files** (`something.db` -> `something.db.backup`), so you can restore them if you need to go back (see how below). + +- this is a **very large and somewhat untested change** (potentially dangerous), so **if you're not feeling confident/experimental, opt-out** of it for now (see below). Still, it's the new default and what we (and various bridges) will focus on going forward, so don't stick to old ways for too long. + +- you can remain on SQLite/nedb (at least for now) by adding a variable like this to your `vars.yml` file for each service you use: `matrix_COMPONENT_database_engine: sqlite` (e.g. `matrix_mautrix_facebook_database_engine: sqlite`). Some services (like `appservice-irc` and `appservice-slack`) don't use SQLite, so use `nedb`, instead of `sqlite` for them. If the playbook had already migrated you to Postgres, you will need to rename back the database files (`something.db.backup` -> `something.db`). + + # 2020-12-11 ## synapse-janitor support removed From 4fe1248d95b116177315edb986a2c86122423c86 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Dec 2020 11:21:06 +0200 Subject: [PATCH 1697/2384] Update changelog entry to be more informative --- CHANGELOG.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index efc5c536..c4a586e8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,9 +21,23 @@ Moving all services to Postgres brings a few **benefits** to us: - for existing installations which use our integrated Postgres database server (`matrix-postgres`, which is the default), **we automatically migrate data** from SQLite/nedb to Postgres and **archive the database files** (`something.db` -> `something.db.backup`), so you can restore them if you need to go back (see how below). -- this is a **very large and somewhat untested change** (potentially dangerous), so **if you're not feeling confident/experimental, opt-out** of it for now (see below). Still, it's the new default and what we (and various bridges) will focus on going forward, so don't stick to old ways for too long. +### Opting-out of the Postgres migration -- you can remain on SQLite/nedb (at least for now) by adding a variable like this to your `vars.yml` file for each service you use: `matrix_COMPONENT_database_engine: sqlite` (e.g. `matrix_mautrix_facebook_database_engine: sqlite`). Some services (like `appservice-irc` and `appservice-slack`) don't use SQLite, so use `nedb`, instead of `sqlite` for them. If the playbook had already migrated you to Postgres, you will need to rename back the database files (`something.db.backup` -> `something.db`). +This is a **very large and somewhat untested change** (potentially dangerous), so **if you're not feeling confident/experimental, opt-out** of it for now. Still, it's the new default and what we (and various bridges) will focus on going forward, so don't stick to old ways for too long. + +You can remain on SQLite/nedb (at least for now) by adding a variable like this to your `vars.yml` file for each service you use: `matrix_COMPONENT_database_engine: sqlite` (e.g. `matrix_mautrix_facebook_database_engine: sqlite`). + +Some services (like `appservice-irc` and `appservice-slack`) don't use SQLite, so use `nedb`, instead of `sqlite` for them. + +### Going back to SQLite/nedb if things went wrong + +If you went with the Postgres migration and it went badly for you (some bridge not working as expected or not working at all), do this: + +- stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) +- SSH into the server and rename the old database files (`something.db.backup` -> `something.db`). Example: `mv /matrix/mautrix-facebook/data/mautrix-facebook.db.backup /matrix/mautrix-facebook/data/mautrix-facebook.db` +- switch the affected service back to SQLite (e.g. `matrix_mautrix_facebook_database_engine: sqlite`). Some services (like `appservice-irc` and `appservice-slack`) don't use SQLite, so use `nedb`, instead of `sqlite` for them. +- re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`) +- [get in touch](README.md#support) with us # 2020-12-11 From c5f8b1f61bf544bdcae0cd916c3d48d17886d277 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Dec 2020 11:40:22 +0200 Subject: [PATCH 1698/2384] Fix mautrix-whatsapp Postgres connection string to not use SSL by default --- roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 0d4f9852..beda6d7d 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -46,7 +46,7 @@ matrix_mautrix_whatsapp_database_hostname: 'matrix-postgres' matrix_mautrix_whatsapp_database_port: 5432 matrix_mautrix_whatsapp_database_name: 'matrix_mautrix_whatsapp' -matrix_mautrix_whatsapp_database_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_database_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_name }}' +matrix_mautrix_whatsapp_database_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_database_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_name }}?sslmode=disable' matrix_mautrix_whatsapp_appservice_database_type: "{{ { From 4675c8a715bae4da5288d14badf5d18f9e7a30e0 Mon Sep 17 00:00:00 2001 From: Jan Date: Wed, 23 Dec 2020 11:23:09 +0100 Subject: [PATCH 1699/2384] Update updating-users-passwords.md Fixed markdown error --- docs/updating-users-passwords.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/updating-users-passwords.md b/docs/updating-users-passwords.md index 785bc17c..7d2f2832 100644 --- a/docs/updating-users-passwords.md +++ b/docs/updating-users-passwords.md @@ -26,7 +26,7 @@ and then connecting to the postgres server and executing: ``` UPDATE users SET password_hash = '' WHERE name = '@someone:server.com' ``` -` + where `` is the hash returned by the docker command above. From 9f00970c90795c92dad9d1e83ea7fa4f8e2afa80 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Dec 2020 12:31:52 +0200 Subject: [PATCH 1700/2384] Do not use salts longer than 16 characters We've hit this problem before as well. Certain Ansible installations choke on it. --- group_vars/matrix_servers | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 904b2291..44848ae5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -208,7 +208,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matr # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_facebook.db') | to_uuid }}" +matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau_fb.db') | to_uuid }}" ###################################################################### # @@ -247,7 +247,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_hangouts.db') | to_uuid }}" +matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau_hangouts.db') | to_uuid }}" ###################################################################### # @@ -289,7 +289,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_telegram.db') | to_uuid }}" +matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau_telegram.db') | to_uuid }}" ###################################################################### # @@ -323,7 +323,7 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mautrix_whatsapp.db') | to_uuid }}" +matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau_whatsapp.db') | to_uuid }}" ###################################################################### # @@ -385,7 +385,7 @@ matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_skype.db') | to_uuid }}" +matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup_skype.db') | to_uuid }}" ###################################################################### # @@ -422,7 +422,7 @@ matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_slack.db') | to_uuid }}" +matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup_slack.db') | to_uuid }}" ###################################################################### # @@ -460,7 +460,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_twitter.db') | to_uuid }}" +matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup_twitter.db') | to_uuid }}" ###################################################################### # @@ -497,7 +497,7 @@ matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_ # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_instagram.db') | to_uuid }}" +matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup_ig.db') | to_uuid }}" ###################################################################### # @@ -533,7 +533,7 @@ matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_pr # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_discord.db') | to_uuid }}" +matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup_dsc.db') | to_uuid }}" ###################################################################### # @@ -569,7 +569,7 @@ matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.mx_puppet_steam.db') | to_uuid }}" +matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup_steam.db') | to_uuid }}" ###################################################################### # @@ -1048,7 +1048,7 @@ matrix_postgres_additional_databases: | ([{ 'name': 'matrix_bridge_sms', 'username': 'matrix_bridge_sms', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db.secret') | to_uuid, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db') | to_uuid, }] if matrix_sms_bridge_enabled else []) + ([{ From 8b6174786b86f3ec09246228df7ad21e9a178f8f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Dec 2020 12:57:30 +0200 Subject: [PATCH 1701/2384] Fixup Dimension database schema a bit after pgloader import --- roles/matrix-dimension/tasks/setup_install.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-dimension/tasks/setup_install.yml b/roles/matrix-dimension/tasks/setup_install.yml index 9a264449..b7f9b8e0 100644 --- a/roles/matrix-dimension/tasks/setup_install.yml +++ b/roles/matrix-dimension/tasks/setup_install.yml @@ -19,6 +19,12 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-dimension.service'] pgloader_options: ['--with "quote identifiers"'] + # pgloader makes `isSelfBot` of type `smallint`, instead of `boolean`. + # We need to fix it up + additional_psql_statements_list: + - 'ALTER TABLE dimension_users ALTER COLUMN "isSelfBot" DROP default;' + - 'ALTER TABLE dimension_users ALTER COLUMN "isSelfBot" TYPE BOOLEAN USING("isSelfBot"::text::boolean);' + - 'ALTER TABLE dimension_users ALTER COLUMN "isSelfBot" SET default false;' - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" From ea804f2f9fc16cdfbd9d1e30ff22f10944b8f28a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Dec 2020 12:59:48 +0200 Subject: [PATCH 1702/2384] Do not use underscore in salts passed to sha512 Some Ansible installations choke on it, it seems. Similar to 9f00970c907 --- group_vars/matrix_servers | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 44848ae5..a54d8baa 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -208,7 +208,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matr # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau_fb.db') | to_uuid }}" +matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.fb.db') | to_uuid }}" ###################################################################### # @@ -247,7 +247,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau_hangouts.db') | to_uuid }}" +matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}" ###################################################################### # @@ -289,7 +289,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau_telegram.db') | to_uuid }}" +matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.telegram.db') | to_uuid }}" ###################################################################### # @@ -323,7 +323,7 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau_whatsapp.db') | to_uuid }}" +matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}" ###################################################################### # @@ -385,7 +385,7 @@ matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup_skype.db') | to_uuid }}" +matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}" ###################################################################### # @@ -422,7 +422,7 @@ matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup_slack.db') | to_uuid }}" +matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}" ###################################################################### # @@ -460,7 +460,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup_twitter.db') | to_uuid }}" +matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}" ###################################################################### # @@ -497,7 +497,7 @@ matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_ # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup_ig.db') | to_uuid }}" +matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}" ###################################################################### # @@ -533,7 +533,7 @@ matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_pr # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup_dsc.db') | to_uuid }}" +matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}" ###################################################################### # @@ -569,7 +569,7 @@ matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_prov # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" -matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup_steam.db') | to_uuid }}" +matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}" ###################################################################### # @@ -1048,7 +1048,7 @@ matrix_postgres_additional_databases: | ([{ 'name': 'matrix_bridge_sms', 'username': 'matrix_bridge_sms', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge_sms.db') | to_uuid, + 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge.sms.db') | to_uuid, }] if matrix_sms_bridge_enabled else []) + ([{ From be0c59956525f6219aa510344d03d09e850fa7ca Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Dec 2020 13:33:25 +0200 Subject: [PATCH 1703/2384] Feed more slashes to mautrix bridges when using SQLite This makes the `sqlite://` URI match what we were using before and what the config expects. --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 580934db..80e54e0e 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -55,7 +55,7 @@ matrix_mautrix_facebook_database_connection_string: 'postgresql://{{ matrix_maut matrix_mautrix_facebook_appservice_database: "{{ { - 'sqlite': ('sqlite://' + matrix_mautrix_facebook_sqlite_database_path_in_container), + 'sqlite': ('sqlite:///' + matrix_mautrix_facebook_sqlite_database_path_in_container), 'postgres': matrix_mautrix_facebook_database_connection_string, }[matrix_mautrix_facebook_database_engine] }}" diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 984bec48..e266bcbb 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -62,7 +62,7 @@ matrix_mautrix_hangouts_database_connection_string: 'postgresql://{{ matrix_maut matrix_mautrix_hangouts_appservice_database: "{{ { - 'sqlite': ('sqlite://' + matrix_mautrix_hangouts_sqlite_database_path_in_container), + 'sqlite': ('sqlite:///' + matrix_mautrix_hangouts_sqlite_database_path_in_container), 'postgres': matrix_mautrix_hangouts_database_connection_string, }[matrix_mautrix_hangouts_database_engine] }}" diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index ceebd3ec..539f0a9c 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -66,7 +66,7 @@ matrix_mautrix_telegram_database_connection_string: 'postgresql://{{ matrix_maut matrix_mautrix_telegram_appservice_database: "{{ { - 'sqlite': ('sqlite://' + matrix_mautrix_telegram_sqlite_database_path_in_container), + 'sqlite': ('sqlite:///' + matrix_mautrix_telegram_sqlite_database_path_in_container), 'postgres': matrix_mautrix_telegram_database_connection_string, }[matrix_mautrix_telegram_database_engine] }}" From 019a4d7dcd774776aa9c7f6fef80cb9c58cfba97 Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Wed, 23 Dec 2020 10:38:47 +0000 Subject: [PATCH 1704/2384] Use role relative paths for things --- roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml | 2 +- roles/matrix-bridge-appservice-discord/tasks/setup_install.yml | 2 +- roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml | 2 +- roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml | 2 +- roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml | 2 +- roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml | 2 +- roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml | 2 +- roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml | 2 +- roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml | 2 +- roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml | 2 +- roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml | 2 +- roles/matrix-dimension/tasks/setup_install.yml | 2 +- roles/matrix-ma1sd/tasks/setup_install.yml | 2 +- roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml | 2 +- roles/matrix-registration/tasks/setup_install.yml | 2 +- 16 files changed, 16 insertions(+), 16 deletions(-) diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index fea1e00d..195485e4 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -19,7 +19,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-bot-matrix-reminder-bot.service'] - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_bot_matrix_reminder_bot_requires_restart: true diff --git a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml index 8bf50e28..6d3fdd0f 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml @@ -19,7 +19,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-appservice-discord.service'] - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_appservice_discord_requires_restart: true diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 7f310446..59998463 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -27,7 +27,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mautrix-facebook.service'] - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_mautrix_facebook_requires_restart: true diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index 15af9626..2ce8a441 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -27,7 +27,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mautrix-hangouts.service'] - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_mautrix_hangouts_requires_restart: true diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 6a37974a..e9a93c72 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -27,7 +27,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mautrix-telegram.service'] - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_mautrix_telegram_requires_restart: true diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 8d894a84..1cfa60f8 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -27,7 +27,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mautrix-whatsapp.service'] - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_mautrix_whatsapp_requires_restart: true diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index 3e3b2f94..c7865e98 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml @@ -58,7 +58,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mx-puppet-discord.service'] - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_mx_puppet_discord_requires_restart: true diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml index 76bbd629..5701a916 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml @@ -28,7 +28,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mx-puppet-instagram.service'] - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_mx_puppet_instagram_requires_restart: true diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 9289a793..68a1d7f4 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -58,7 +58,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mx-puppet-skype.service'] - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_mx_puppet_skype_requires_restart: true diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index 5d68435c..04eab20a 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -54,7 +54,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mx-puppet-slack.service'] - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_mx_puppet_slack_requires_restart: true diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index 71f6d889..6b574656 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml @@ -58,7 +58,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mx-puppet-steam.service'] - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_mx_puppet_steam_requires_restart: true diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index 3893981a..1c48c030 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml @@ -58,7 +58,7 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mx-puppet-twitter.service'] - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_mx_puppet_twitter_requires_restart: true diff --git a/roles/matrix-dimension/tasks/setup_install.yml b/roles/matrix-dimension/tasks/setup_install.yml index b7f9b8e0..ca12f367 100644 --- a/roles/matrix-dimension/tasks/setup_install.yml +++ b/roles/matrix-dimension/tasks/setup_install.yml @@ -26,7 +26,7 @@ - 'ALTER TABLE dimension_users ALTER COLUMN "isSelfBot" TYPE BOOLEAN USING("isSelfBot"::text::boolean);' - 'ALTER TABLE dimension_users ALTER COLUMN "isSelfBot" SET default false;' - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_dimension_requires_restart: true diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml index 9ae5f077..a0a32728 100644 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -38,7 +38,7 @@ systemd_services_to_stop: ['matrix-ma1sd.service'] pgloader_options: ['--with "quote identifiers"'] - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_ma1sd_requires_restart: true diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml index 0da48c64..de0327b7 100644 --- a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml +++ b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml @@ -135,7 +135,7 @@ - block: # We can't use `{{ role_path }}` here, neither with `import_tasks`, nor with `include_tasks`, # because it refers to the role that included this util, and not to the role this file belongs to. - - import_tasks: "roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/detect_existing_postgres_version.yml" - set_fact: matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}" diff --git a/roles/matrix-registration/tasks/setup_install.yml b/roles/matrix-registration/tasks/setup_install.yml index 9b6d1260..2b806fe0 100644 --- a/roles/matrix-registration/tasks/setup_install.yml +++ b/roles/matrix-registration/tasks/setup_install.yml @@ -24,7 +24,7 @@ - ALTER TABLE tokens ALTER COLUMN ex_date TYPE TIMESTAMP WITHOUT TIME ZONE; additional_psql_statements_db_name: "{{ matrix_registration_database_name }}" - - import_tasks: "roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - set_fact: matrix_registration_requires_restart: true From 21662af3be5c13fe03ed304a29860935a7a72365 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Dec 2020 14:11:21 +0200 Subject: [PATCH 1705/2384] Archive database only after additional_psql_statements_list had executed --- .../matrix-postgres/tasks/util/migrate_db_to_postgres.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml index de0327b7..af95815f 100644 --- a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml +++ b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml @@ -128,10 +128,6 @@ -c 'pgloader {{ matrix_postgres_db_migration_request.pgloader_options|default([])|join(' ') }} /in.db {{ matrix_postgres_db_migration_request.dst }}' -- name: Archive {{ matrix_postgres_db_migration_request.engine_old }} database ({{ matrix_postgres_db_migration_request.src }} -> {{ matrix_postgres_db_migration_request.src }}.backup) - command: - cmd: "mv {{ matrix_postgres_db_migration_request.src }} {{ matrix_postgres_db_migration_request.src }}.backup" - - block: # We can't use `{{ role_path }}` here, neither with `import_tasks`, nor with `include_tasks`, # because it refers to the role that included this util, and not to the role this file belongs to. @@ -155,6 +151,10 @@ when: "matrix_postgres_db_migration_request.additional_psql_statements_list|default([])|length > 0" +- name: Archive {{ matrix_postgres_db_migration_request.engine_old }} database ({{ matrix_postgres_db_migration_request.src }} -> {{ matrix_postgres_db_migration_request.src }}.backup) + command: + cmd: "mv {{ matrix_postgres_db_migration_request.src }} {{ matrix_postgres_db_migration_request.src }}.backup" + - name: Inject result set_fact: matrix_playbook_runtime_results: | From 80c72615c7bfdcf47644d55f033e88f4e610cf25 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Dec 2020 14:11:47 +0200 Subject: [PATCH 1706/2384] Fixup all Dimension boolean fields after pgloader import This is 8b6174786b86f3 done right. There were many more fields that we had to account for. --- .../matrix-dimension/tasks/setup_install.yml | 46 ++++++++++++++++--- 1 file changed, 40 insertions(+), 6 deletions(-) diff --git a/roles/matrix-dimension/tasks/setup_install.yml b/roles/matrix-dimension/tasks/setup_install.yml index ca12f367..26a75bcb 100644 --- a/roles/matrix-dimension/tasks/setup_install.yml +++ b/roles/matrix-dimension/tasks/setup_install.yml @@ -10,6 +10,44 @@ register: matrix_dimension_sqlite_database_path_local_stat_result - block: + # pgloader makes a few columns `smallint`, instead of `boolean`. + # We need to fix them up. + - set_fact: + matrix_dimension_pgloader_additional_psql_statements_list: [] + + - set_fact: + matrix_dimension_pgloader_additional_psql_statements_list: | + {{ + matrix_dimension_pgloader_additional_psql_statements_list + + + ([] if item.default == '' else ['ALTER TABLE ' + item.table + ' ALTER COLUMN "' + item.column + '" DROP default;']) + + + (['ALTER TABLE ' + item.table + ' ALTER COLUMN "' + item.column + '" TYPE BOOLEAN USING("' + item.column + '"::text::boolean);']) + + + ([] if item.default == '' else ['ALTER TABLE ' + item.table + ' ALTER COLUMN "' + item.column + '" SET default ' + item.default + ';']) + }} + with_items: + - {'table': 'dimension_widgets', 'column': 'isEnabled', 'default': ''} + - {'table': 'dimension_widgets', 'column': 'isPublic', 'default': ''} + - {'table': 'dimension_webhook_bridges', 'column': 'isEnabled', 'default': ''} + - {'table': 'dimension_user_sticker_packs', 'column': 'isSelected', 'default': ''} + - {'table': 'dimension_scalar_tokens', 'column': 'isDimensionToken', 'default': ''} + - {'table': 'dimension_users', 'column': 'isSelfBot', 'default': 'false'} + - {'table': 'dimension_telegram_bridges', 'column': 'allowTgPuppets', 'default': ''} + - {'table': 'dimension_telegram_bridges', 'column': 'allowMxPuppets', 'default': ''} + - {'table': 'dimension_telegram_bridges', 'column': 'isEnabled', 'default': ''} + - {'table': 'dimension_sticker_packs', 'column': 'isEnabled', 'default': ''} + - {'table': 'dimension_sticker_packs', 'column': 'isPublic', 'default': ''} + - {'table': 'dimension_slack_bridges', 'column': 'isEnabled', 'default': ''} + - {'table': 'dimension_neb_integrations', 'column': 'isPublic', 'default': ''} + - {'table': 'dimension_irc_bridges', 'column': 'isEnabled', 'default': ''} + - {'table': 'dimension_irc_bridge_networks', 'column': 'isEnabled', 'default': ''} + - {'table': 'dimension_gitter_bridges', 'column': 'isEnabled', 'default': ''} + - {'table': 'dimension_custom_simple_bots', 'column': 'isEnabled', 'default': ''} + - {'table': 'dimension_custom_simple_bots', 'column': 'isPublic', 'default': ''} + - {'table': 'dimension_bridges', 'column': 'isEnabled', 'default': ''} + - {'table': 'dimension_bridges', 'column': 'isPublic', 'default': ''} + - set_fact: matrix_postgres_db_migration_request: src: "{{ matrix_dimension_sqlite_database_path_local }}" @@ -19,12 +57,8 @@ engine_old: 'sqlite' systemd_services_to_stop: ['matrix-dimension.service'] pgloader_options: ['--with "quote identifiers"'] - # pgloader makes `isSelfBot` of type `smallint`, instead of `boolean`. - # We need to fix it up - additional_psql_statements_list: - - 'ALTER TABLE dimension_users ALTER COLUMN "isSelfBot" DROP default;' - - 'ALTER TABLE dimension_users ALTER COLUMN "isSelfBot" TYPE BOOLEAN USING("isSelfBot"::text::boolean);' - - 'ALTER TABLE dimension_users ALTER COLUMN "isSelfBot" SET default false;' + additional_psql_statements_list: "{{ matrix_dimension_pgloader_additional_psql_statements_list }}" + additional_psql_statements_db_name: "{{ matrix_dimension_database_name }}" - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" From a2a4218e9573ad99a8c87a9edece1c4453cc3bff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Dec 2020 15:39:12 +0200 Subject: [PATCH 1707/2384] Make mautrix-python-based bridges E2EE happier Fixes a problem like this: > File "/usr/lib/python3.8/site-packages/mautrix/bridge/e2ee.py", line 79, in __init__ > raise RuntimeError("Unsupported database scheme") mautrix-python's e2ee.py module expects to find `postgres://` instead of `postgresql://`. --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 80e54e0e..da9b1889 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -51,7 +51,7 @@ matrix_mautrix_facebook_database_hostname: 'matrix-postgres' matrix_mautrix_facebook_database_port: 5432 matrix_mautrix_facebook_database_name: 'matrix_mautrix_facebook' -matrix_mautrix_facebook_database_connection_string: 'postgresql://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_database_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_name }}' +matrix_mautrix_facebook_database_connection_string: 'postgres://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_database_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_name }}' matrix_mautrix_facebook_appservice_database: "{{ { diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index e266bcbb..8dfee030 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -58,7 +58,7 @@ matrix_mautrix_hangouts_database_hostname: 'matrix-postgres' matrix_mautrix_hangouts_database_port: 5432 matrix_mautrix_hangouts_database_name: 'matrix_mautrix_hangouts' -matrix_mautrix_hangouts_database_connection_string: 'postgresql://{{ matrix_mautrix_hangouts_database_username }}:{{ matrix_mautrix_hangouts_database_password }}@{{ matrix_mautrix_hangouts_database_hostname }}:{{ matrix_mautrix_hangouts_database_port }}/{{ matrix_mautrix_hangouts_database_name }}' +matrix_mautrix_hangouts_database_connection_string: 'postgres://{{ matrix_mautrix_hangouts_database_username }}:{{ matrix_mautrix_hangouts_database_password }}@{{ matrix_mautrix_hangouts_database_hostname }}:{{ matrix_mautrix_hangouts_database_port }}/{{ matrix_mautrix_hangouts_database_name }}' matrix_mautrix_hangouts_appservice_database: "{{ { diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 539f0a9c..3f81617a 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -62,7 +62,7 @@ matrix_mautrix_telegram_database_hostname: 'matrix-postgres' matrix_mautrix_telegram_database_port: 5432 matrix_mautrix_telegram_database_name: 'matrix_mautrix_telegram' -matrix_mautrix_telegram_database_connection_string: 'postgresql://{{ matrix_mautrix_telegram_database_username }}:{{ matrix_mautrix_telegram_database_password }}@{{ matrix_mautrix_telegram_database_hostname }}:{{ matrix_mautrix_telegram_database_port }}/{{ matrix_mautrix_telegram_database_name }}' +matrix_mautrix_telegram_database_connection_string: 'postgres://{{ matrix_mautrix_telegram_database_username }}:{{ matrix_mautrix_telegram_database_password }}@{{ matrix_mautrix_telegram_database_hostname }}:{{ matrix_mautrix_telegram_database_port }}/{{ matrix_mautrix_telegram_database_name }}' matrix_mautrix_telegram_appservice_database: "{{ { From befffa926bd0f71ab20c702fcbb6d0aeb58d730f Mon Sep 17 00:00:00 2001 From: David Gnedt Date: Wed, 23 Dec 2020 19:24:45 +0100 Subject: [PATCH 1708/2384] Fix concatenation of additional databases Otherwise the postgres upgrade fails with the following error: Unexpected templating type error occurred on ({{ [matrix_postgres_connection_username] + matrix_postgres_additional_databases|map(attribute='username') }} ): can only concatenate list (not "generator") to list --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a54d8baa..b8fc9eb4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1098,14 +1098,14 @@ matrix_postgres_import_roles_to_ignore: | {{ [matrix_postgres_connection_username] + - matrix_postgres_additional_databases|map(attribute='username') + matrix_postgres_additional_databases|map(attribute='username')|list }} matrix_postgres_import_databases_to_ignore: | {{ [matrix_postgres_db_name] + - matrix_postgres_additional_databases|map(attribute='name') + matrix_postgres_additional_databases|map(attribute='name')|list }} ###################################################################### From 6403904f596bfacc27c73fcd432d3bd3450a4b35 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 24 Dec 2020 11:38:06 +0200 Subject: [PATCH 1709/2384] Try to make DNS SRV setup sound scarier (which it is) We've had people who get the impression that well-known = bad, DNS SRV = good, and who try to use DNS SRV for server delegation. While it's true that DNS SRV can be superior for high-availability scenarios, it's much harder to set up and comes with its own potential downsides. Using the well-known method is more straightforward and is enough for almost all of us. Throwing people into the deep for no good reason is not nice. Hopefully wording is better after this patch. --- docs/howto-server-delegation.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index 1ea1091a..7bb86ec0 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -28,14 +28,14 @@ Server Delegation by means of a `/.well-known/matrix/server` file is the most st > Errors are recommended to be cached for up to an hour, and servers are encouraged to exponentially back off for repeated failures. -If this is not a concern for you, feel free to not read ahead. +**For most people, this is a reasonable tradeoff** given that it's easy and straightforward to set up. We recommend you stay on this path. -Otherwise, you can decide to go against the default for this playbook, and instead set up [Server Delegation via a DNS SRV record (advanced)](#server-delegation-via-a-dns-srv-record-advanced). +Otherwise, you can decide to go against the default for this playbook, and instead set up [Server Delegation via a DNS SRV record (advanced)](#server-delegation-via-a-dns-srv-record-advanced) (much more complicated). ## Server Delegation via a DNS SRV record (advanced) -**NOTE**: doing Server Delegation via a DNS SRV record is a more advanced way to do it and is not the default for this playbook. +**NOTE**: doing Server Delegation via a DNS SRV record is a more **advanced** way to do it and is not the default for this playbook. This is usually **much more complicated** to set up, so **we don't recommend it**. If you're not an experience sysadmi, you'd better stay away from this. As per the [Server-Server spec](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery), it's possible to do Server Delegation using only a SRV record (without a `/.well-known/matrix/server` file). @@ -47,7 +47,7 @@ To use DNS SRV record validation, you need to: - ensure that you have a `_matrix._tcp` DNS SRV record for your base domain (``) with a value of `10 0 8448 matrix.` -- ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `` (not `matrix.`!). See below. +- ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `` (not `matrix.`!). Getting this certiface to the `matrix.` server may be complicated. The playbook's automatic SSL obtaining/renewal flow will likely not work and you'll need to copy certificates around manually. See below. ### Obtaining certificates From d023355d2e65a3a6cb3ef2018699e061caf2656f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 24 Dec 2020 11:43:35 +0200 Subject: [PATCH 1710/2384] Fix typo --- docs/howto-server-delegation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index 7bb86ec0..9f0f53c6 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -35,7 +35,7 @@ Otherwise, you can decide to go against the default for this playbook, and inste ## Server Delegation via a DNS SRV record (advanced) -**NOTE**: doing Server Delegation via a DNS SRV record is a more **advanced** way to do it and is not the default for this playbook. This is usually **much more complicated** to set up, so **we don't recommend it**. If you're not an experience sysadmi, you'd better stay away from this. +**NOTE**: doing Server Delegation via a DNS SRV record is a more **advanced** way to do it and is not the default for this playbook. This is usually **much more complicated** to set up, so **we don't recommend it**. If you're not an experience sysadmin, you'd better stay away from this. As per the [Server-Server spec](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery), it's possible to do Server Delegation using only a SRV record (without a `/.well-known/matrix/server` file). From c0a62d6c17a17248757db5f71b0431f5ee44c0e4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 24 Dec 2020 11:56:36 +0200 Subject: [PATCH 1711/2384] Mention base domain serving --- docs/howto-server-delegation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index 9f0f53c6..b89bd2f2 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -22,7 +22,7 @@ If this is okay with you, feel free to not read ahead. Server Delegation by means of a `/.well-known/matrix/server` file is the most straightforward, but suffers from the following downsides: -- you need to have a working HTTPS server for the base domain (``) +- you need to have a working HTTPS server for the base domain (``). If you don't have any server for the base domain at all, you can easily solve it by making the playbook [serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md). - any downtime on the base domain (``) or network trouble between the matrix subdomain (`matrix.`) and the base `` may cause Matrix Federation outages. As the [Server-Server spec says](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery): @@ -47,7 +47,7 @@ To use DNS SRV record validation, you need to: - ensure that you have a `_matrix._tcp` DNS SRV record for your base domain (``) with a value of `10 0 8448 matrix.` -- ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `` (not `matrix.`!). Getting this certiface to the `matrix.` server may be complicated. The playbook's automatic SSL obtaining/renewal flow will likely not work and you'll need to copy certificates around manually. See below. +- ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `` (not `matrix.`!). Getting this certificate to the `matrix.` server may be complicated. The playbook's automatic SSL obtaining/renewal flow will likely not work and you'll need to copy certificates around manually. See below. ### Obtaining certificates From 3dd0517f0472d22efc7fc4bad6caf46dbc0e7ab2 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 26 Dec 2020 20:13:49 -0600 Subject: [PATCH 1712/2384] Check for buggy version of Ansible that Ubuntu 20.04 provides --- docs/ansible.md | 2 +- roles/matrix-base/tasks/sanity_check.yml | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/ansible.md b/docs/ansible.md index 776147bd..b5135639 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -11,7 +11,7 @@ If your local computer cannot run Ansible, you can also run Ansible on some serv Ansible 2.7.0 or newer is required. -Ubuntu (at least 20.04) ships with a buggy version (see this [bug](https://bugs.launchpad.net/ubuntu/+source/ansible/+bug/1880359)), which can't be used in combination with a host running new systemd (more detaisl in [#517](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/517), [#669]([669](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/669))). If this problem affects you, you can: avoid running Ubuntu 20.04 on your host; run Ansible from another machine targeting your host; or try to upgrade to a newer Ansible version (see below). +Note: Ubuntu 20.04 ships with Ansible 2.9.6 which is a buggy version (see this [bug](https://bugs.launchpad.net/ubuntu/+source/ansible/+bug/1880359)), which can't be used in combination with a host running new systemd (more details in [#517](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/517), [#669](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/669)). If this problem affects you, you can: avoid running Ubuntu 20.04 on your host; run Ansible from another machine targeting your host; or try to upgrade to a newer Ansible version (see below). ## Checking your Ansible version diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index e504bfe9..22dde5f3 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -6,6 +6,14 @@ msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" when: "(ansible_version.major < 2) or (ansible_version.major <= 2 and ansible_version.minor < 7)" +# Though we do not support Ansible 2.9.6 which is buggy +- name: Fail if running on Ansible 2.9.6 on Ubuntu + fail: + msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" + when: + - ansible_distribution == 'Ubuntu' + - "ansible_version.major = 2 and ansible_version.major == 9 and ansible_version.minor = 6" + - name: (Deprecation) Catch and report renamed settings fail: msg: >- From 8827a49e21b90c2e9fdafc27f2ab293ea29fedd0 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 26 Dec 2020 20:20:00 -0600 Subject: [PATCH 1713/2384] Check equality properly --- roles/matrix-base/tasks/sanity_check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 22dde5f3..59ab8b93 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -12,7 +12,7 @@ msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" when: - ansible_distribution == 'Ubuntu' - - "ansible_version.major = 2 and ansible_version.major == 9 and ansible_version.minor = 6" + - "ansible_version.major == 2 and ansible_version.major == 9 and ansible_version.minor == 6" - name: (Deprecation) Catch and report renamed settings fail: From 86da489b9b5c2349b8943509db152a5641bc93dd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 29 Dec 2020 10:31:20 +0200 Subject: [PATCH 1714/2384] Never fail when stopping systemd service during (SQLite -> Postgres) migration We need to suppress systemd service-stopping requests in certain rare cases like https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/771 That issue seems to describe a case, where a migration from mxisd to ma1sd was happening (DB files had just been moved), and then we were attemping to stop `matrix-ma1sd.service` so we could import that database into Postgres. However, there's neither `matrix-mxisd.service`, nor `matrix-ma1sd.service` after `migrate_mxisd.yml` had just run, so stopping `matrix-ma1sd.service` was failing. --- roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml index af95815f..d3429c97 100644 --- a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml +++ b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml @@ -112,6 +112,7 @@ service: name: "{{ item }}" state: stopped + failed_when: false with_items: "{{ matrix_postgres_db_migration_request.systemd_services_to_stop }}" - name: Import {{ matrix_postgres_db_migration_request.engine_old }} database from {{ matrix_postgres_db_migration_request.src }} into Postgres From a1ecaf54ef5de44e9d3cac37416612fae35653f9 Mon Sep 17 00:00:00 2001 From: 0hlov3 <0hlov3@protonmail.com> Date: Tue, 29 Dec 2020 12:00:01 +0100 Subject: [PATCH 1715/2384] Adds Example for Caddy2 Jitsi --- ansible.cfg | 2 +- examples/caddy2/Caddyfile | 63 +++++++++++++++++++++++++++++++++++++-- examples/caddy2/README.md | 12 ++++++++ 3 files changed, 74 insertions(+), 3 deletions(-) create mode 100644 examples/caddy2/README.md diff --git a/ansible.cfg b/ansible.cfg index 0ae274f7..6c2838d3 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,5 +1,5 @@ [defaults] retry_files_enabled = False - +ansible_python_interpreter=/usr/bin/python3 [connection] pipelining = True diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index 1438a50b..82728f96 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -1,4 +1,8 @@ matrix.DOMAIN.tld { + + # creates letsencrypt certificate + # tls your@email.com + @identity { path /_matrix/identity/* } @@ -94,7 +98,11 @@ matrix.DOMAIN.tld:8448 { } dimension.DOMAIN.tld { -header { + + # creates letsencrypt certificate + # tls your@email.com + + header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # Enable cross-site filter (XSS) and tell browser to block detected attacks @@ -121,7 +129,11 @@ header { } element.DOMAIN.tld { - header { + + # creates letsencrypt certificate + # tls your@email.com + + header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # Enable cross-site filter (XSS) and tell browser to block detected attacks @@ -145,3 +157,50 @@ element.DOMAIN.tld { header_up X-Forwarded-HttpsProto {proto} } } + +#jitsi.DOMAIN.tld { +# log { +# output discard +# } +# +# creates letsencrypt certificate +# tls your@email.com +# +# header { +# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS +# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +# +# # Enable cross-site filter (XSS) and tell browser to block detected attacks +# X-XSS-Protection "1; mode=block" +# +# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type +# X-Content-Type-Options "nosniff" +# +# # Disallow the site to be rendered within a frame (clickjacking protection) +# X-Frame-Options "SAMEORIGIN" +# +# # Disable some features +# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" +# +# # Referer +# Referrer-Policy "no-referrer" +# +# # X-Robots-Tag +# X-Robots-Tag "none" +# +# # Remove Server header +# -Server +# } +# +# handle { +# encode zstd gzip +# +# reverse_proxy 127.0.0.1:12080 { +# header_up X-Forwarded-Port {http.request.port} +# header_up X-Forwarded-Proto {http.request.scheme} +# header_up X-Forwarded-TlsProto {tls_protocol} +# header_up X-Forwarded-TlsCipher {tls_cipher} +# header_up X-Forwarded-HttpsProto {proto} +# } +# } +#} \ No newline at end of file diff --git a/examples/caddy2/README.md b/examples/caddy2/README.md new file mode 100644 index 00000000..4752140f --- /dev/null +++ b/examples/caddy2/README.md @@ -0,0 +1,12 @@ +# Caddyfile + +This directory contains sample files that show you how to do reverse-proxying using Caddy2. + +## Config + +| Variable | Function | +| ------------------ | -------- | +| tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | +| tls | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls | +| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | +| log {output discard } | No output. You can find the Options in the [Documentaton](https://caddyserver.com/docs/caddyfile/directives/log) for logging | \ No newline at end of file From 63c92fc2def26a96aea7e6c3b797c4ffa01f98f9 Mon Sep 17 00:00:00 2001 From: 0hlov3 <0hlov3@protonmail.com> Date: Tue, 29 Dec 2020 12:02:12 +0100 Subject: [PATCH 1716/2384] Adds Example for Caddy2 Jitsi --- ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index 6c2838d3..0ae274f7 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,5 +1,5 @@ [defaults] retry_files_enabled = False -ansible_python_interpreter=/usr/bin/python3 + [connection] pipelining = True From f86d781244d8220a88bb55c55f25d8dd7c374942 Mon Sep 17 00:00:00 2001 From: 0hlov3 <0hlov3@protonmail.com> Date: Tue, 29 Dec 2020 14:07:32 +0100 Subject: [PATCH 1717/2384] Updates the the caddy2 Readme and comment lines for dimension --- examples/caddy2/Caddyfile | 66 +++++++++++++++++++-------------------- examples/caddy2/README.md | 4 +-- 2 files changed, 34 insertions(+), 36 deletions(-) diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index 82728f96..d13b9788 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -97,37 +97,6 @@ matrix.DOMAIN.tld:8448 { } } -dimension.DOMAIN.tld { - - # creates letsencrypt certificate - # tls your@email.com - - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } - - handle { - encode zstd gzip - - reverse_proxy localhost:8184 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } -} - element.DOMAIN.tld { # creates letsencrypt certificate @@ -158,10 +127,39 @@ element.DOMAIN.tld { } } +#dimension.DOMAIN.tld { +# +# # creates letsencrypt certificate +# # tls your@email.com +# +# header { +# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS +# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +# # Enable cross-site filter (XSS) and tell browser to block detected attacks +# X-XSS-Protection "1; mode=block" +# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type +# X-Content-Type-Options "nosniff" +# # Disallow the site to be rendered within a frame (clickjacking protection) +# X-Frame-Options "DENY" +# # X-Robots-Tag +# X-Robots-Tag "noindex, noarchive, nofollow" +# } +# +# handle { +# encode zstd gzip +# +# reverse_proxy localhost:8184 { +# header_up X-Forwarded-Port {http.request.port} +# header_up X-Forwarded-Proto {http.request.scheme} +# header_up X-Forwarded-TlsProto {tls_protocol} +# header_up X-Forwarded-TlsCipher {tls_cipher} +# header_up X-Forwarded-HttpsProto {proto} +# } +# } +#} + + #jitsi.DOMAIN.tld { -# log { -# output discard -# } # # creates letsencrypt certificate # tls your@email.com diff --git a/examples/caddy2/README.md b/examples/caddy2/README.md index 4752140f..022a4fec 100644 --- a/examples/caddy2/README.md +++ b/examples/caddy2/README.md @@ -8,5 +8,5 @@ This directory contains sample files that show you how to do reverse-proxying us | ------------------ | -------- | | tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | | tls | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls | -| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | -| log {output discard } | No output. You can find the Options in the [Documentaton](https://caddyserver.com/docs/caddyfile/directives/log) for logging | \ No newline at end of file +| Dimnension | To enable Dimension support uncomment the lines for Dimension and set your data | +| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | \ No newline at end of file From ffb837d4bc069748819079390b319313820d2d99 Mon Sep 17 00:00:00 2001 From: Sabine Laszakovits Date: Sat, 2 Jan 2021 00:39:11 +0100 Subject: [PATCH 1718/2384] made the bridge use the default postgres db --- group_vars/matrix_servers | 17 +++++++--- .../defaults/main.yml | 28 +++++++++------- .../tasks/setup_install.yml | 17 +--------- .../tasks/setup_uninstall.yml | 21 +----------- .../tasks/validate_config.yml | 9 +++-- .../templates/config.yaml.j2 | 2 +- .../matrix-mautrix-signal-db.service.j2 | 33 ------------------- 7 files changed, 39 insertions(+), 88 deletions(-) delete mode 100644 roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-db.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 09253dae..c9065420 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -262,6 +262,7 @@ matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_ke # ###################################################################### +# We don't enable bridges by default. matrix_mautrix_signal_enabled: false # TODO: unclear whether to put this into the role or keep it here @@ -271,7 +272,9 @@ matrix_mautrix_signal_systemd_required_services_list: | + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + - ['matrix-mautrix-signal-daemon.service', 'matrix-mautrix-signal-db.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + ['matrix-mautrix-signal-daemon.service'] }} matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' @@ -284,9 +287,9 @@ matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_signal_db_user: 'signal-db-user' -matrix_mautrix_signal_db_password: 'signal-db-password' -matrix_mautrix_signal_db_database: 'signal-db' +matrix_mautrix_signal_database_engine: 'postgres' +matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.signal.db') | to_uuid }}" + ###################################################################### # @@ -1069,6 +1072,12 @@ matrix_postgres_additional_databases: | 'password': matrix_mautrix_hangouts_database_password, }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_mautrix_signal_database_name, + 'username': matrix_mautrix_signal_database_username, + 'password': matrix_mautrix_signal_database_password, + }] if (matrix_mautrix_signal_enabled and matrix_mautrix_signal_database_engine == 'postgres' and matrix_mautrix_signal_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_mautrix_telegram_database_name, 'username': matrix_mautrix_telegram_database_username, diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 5d6bb7d3..d26513df 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -30,9 +30,7 @@ matrix_mautrix_signal_container_extra_arguments: [] # TODO: unclear whether to put this into group_vars or keep it here matrix_mautrix_signal_systemd_required_services_list: - 'docker.service' - - "{{ 'matrix-synapse.service' if matrix_synapse_enabled else [] }}" - 'matrix-mautrix-signal-daemon.service' - - 'matrix-mautrix-signal-db.service' # List of systemd services that matrix-mautrix-signal.service wants matrix_mautrix_signal_systemd_wanted_services_list: [] @@ -40,17 +38,25 @@ matrix_mautrix_signal_systemd_wanted_services_list: [] matrix_mautrix_signal_appservice_token: '' matrix_mautrix_signal_homeserver_token: '' -matrix_mautrix_signal_db_docker_image: "postgres:13.0-alpine" -matrix_mautrix_signal_db_docker_image_force_pull: "{{ matrix_mautrix_signal_db_docker_image.endswith(':latest') }}" -matrix_mautrix_signal_db_storage_path: "{{ matrix_mautrix_signal_base_path }}/database" +# Database-related configuration fields +# +# This bridge only supports postgres. +# +matrix_mautrix_signal_database_engine: 'postgres' + +matrix_mautrix_signal_database_username: 'matrix_mautrix_signal' +matrix_mautrix_signal_database_password: 'some-password' +matrix_mautrix_signal_database_hostname: 'matrix-postgres' +matrix_mautrix_signal_database_port: 5432 +matrix_mautrix_signal_database_name: 'matrix_mautrix_signal' -matrix_mautrix_signal_db_user: '' -matrix_mautrix_signal_db_password: '' -matrix_mautrix_signal_db_host: 'matrix-mautrix-signal-db' -matrix_mautrix_signal_db_port: '5432' -matrix_mautrix_signal_db_database: '' +matrix_mautrix_signal_database_connection_string: 'postgres://{{ matrix_mautrix_signal_database_username }}:{{ matrix_mautrix_signal_database_password }}@{{ matrix_mautrix_signal_database_hostname }}:{{ matrix_mautrix_signal_database_port }}/{{ matrix_mautrix_signal_database_name }}' -matrix_mautrix_signal_db_url: "postgres://{{ matrix_mautrix_signal_db_user }}:{{ matrix_mautrix_signal_db_password }}@{{ matrix_mautrix_signal_db_host }}:{{ matrix_mautrix_signal_db_port }}/{{ matrix_mautrix_signal_db_database }}" +matrix_mautrix_signal_appservice_database: "{{ + { + 'postgres': matrix_mautrix_facebook_database_connection_string, + }[matrix_mautrix_signal_database_engine] + }}" # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_signal_login_shared_secret: '' diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index 16b68d25..9b049987 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -22,13 +22,6 @@ force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" -- name: Ensure Mautrix Signal database image is pulled - docker_image: - name: "{{ matrix_mautrix_signal_db_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mautrix_signal_db_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" - - name: Ensure Mautrix Signal paths exist file: path: "{{ item }}" @@ -40,7 +33,6 @@ - "{{ matrix_mautrix_signal_base_path }}" - "{{ matrix_mautrix_signal_config_path }}" - "{{ matrix_mautrix_signal_daemon_path }}" - - "{{ matrix_mautrix_signal_db_storage_path }}" - name: Ensure mautrix-signal config.yaml installed copy: @@ -65,13 +57,6 @@ mode: 0644 register: matrix_mautrix_signal_daemon_systemd_service_result -- name: Ensure matrix-mautrix-signal-db.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal-db.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-mautrix-signal-db.service" - mode: 0644 - register: matrix_mautrix_signal_db_systemd_service_result - - name: Ensure matrix-mautrix-signal.service installed template: src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal.service.j2" @@ -82,4 +67,4 @@ - name: Ensure systemd reloaded after matrix-mautrix-signal.service installation service: daemon_reload: yes - when: "matrix_mautrix_signal_systemd_service_result.changed or matrix_mautrix_signal_daemon_systemd_service_result.changed or matrix_mautrix_signal_db_systemd_service_result.changed" + when: "matrix_mautrix_signal_systemd_service_result.changed or matrix_mautrix_signal_daemon_systemd_service_result.changed" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml index 51581874..2ca6a9a9 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml @@ -1,24 +1,5 @@ --- -# Signal database service -- name: Check existence of matrix-mautrix-signal-db service - stat: - path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-db.service" - register: matrix_mautrix_signal_db_service_stat - -- name: Ensure matrix-mautrix-signal-db is stopped - service: - name: matrix-mautrix-signal-db - state: stopped - daemon_reload: yes - when: "matrix_mautrix_signal_db_service_stat.stat.exists" - -- name: Ensure matrix-mautrix-signal-db.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-db.service" - state: absent - when: "matrix_mautrix_signal_db_service_stat.stat.exists" - # Signal daemon service - name: Check existence of matrix-mautrix-signal-daemon service stat: @@ -61,4 +42,4 @@ - name: Ensure systemd reloaded after matrix-mautrix-signal_X.service removal service: daemon_reload: yes - when: "matrix_mautrix_signal_service_stat.stat.exists or matrix_mautrix_signal_daemon_service_stat.stat.exists or matrix_mautrix_signal_db_service_stat.stat.exists" + when: "matrix_mautrix_signal_service_stat.stat.exists or matrix_mautrix_signal_daemon_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml index 6663c641..397ef4d8 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml @@ -10,9 +10,6 @@ - "matrix_mautrix_signal_homeserver_address" - "matrix_mautrix_signal_homeserver_token" - "matrix_mautrix_signal_appservice_token" - - "matrix_mautrix_signal_db_user" - - "matrix_mautrix_signal_db_password" - - "matrix_mautrix_signal_db_database" - name: (Deprecation) Catch and report renamed Signal variables fail: @@ -22,3 +19,9 @@ when: "item.old in vars" with_items: - {'old': 'matrix_mautrix_signal_container_exposed_port_number', 'new': ''} + - {'old': 'matrix_mautrix_signal_db_user', 'new': 'matrix_mautrix_signal_database_username'} + - {'old': 'matrix_mautrix_signal_db_password', 'new': 'matrix_mautrix_signal_database_password'} + - {'old': 'matrix_mautrix_signal_db_database', 'new': 'matrix_mautrix_signal_database_name'} + - {'old': 'matrix_mautrix_signal_db_host', 'new': 'matrix_mautrix_signal_database_hostname'} + - {'old': 'matrix_mautrix_signal_db_port', 'new': 'matrix_mautrix_signal_database_port'} + - {'old': 'matrix_mautrix_signal_db_url', 'new': 'matrix_mautrix_signal_database_connection_string'} diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index ec2a4764..64a820b5 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -27,7 +27,7 @@ appservice: max_body_size: 1 # The full URI to the database. Only Postgres is currently supported. - database: {{ matrix_mautrix_signal_db_url }} + database: {{ matrix_mautrix_signal_database_connection_string }} # Provisioning API part of the web server for automated portal creation and fetching information. # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-db.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-db.service.j2 deleted file mode 100644 index b4baed4c..00000000 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-db.service.j2 +++ /dev/null @@ -1,33 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Mautrix Signal database server - -[Service] -Type=simple - -ExecStartPre=-{{ matrix_host_command_docker }} kill {{ matrix_mautrix_signal_db_host }} -ExecStartPre=-{{ matrix_host_command_docker }} rm {{ matrix_mautrix_signal_db_host }} - -# Intentional delay, so that the homeserver (we likely depend on) can manage to start. -ExecStartPre={{ matrix_host_command_sleep }} 5 - -ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_mautrix_signal_db_host }} \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --network={{ matrix_docker_network }} \ - --env POSTGRES_USER={{ matrix_mautrix_signal_db_user }} \ - --env POSTGRES_PASSWORD={{ matrix_mautrix_signal_db_password }} \ - --env POSTGRES_DB={{ matrix_mautrix_signal_db_database }} \ - -v {{ matrix_mautrix_signal_db_storage_path }}:/var/lib/postgresql/data:z \ - -v /etc/passwd:/etc/passwd:ro \ - {{ matrix_mautrix_signal_db_docker_image }} - -ExecStop=-{{ matrix_host_command_docker }} kill {{ matrix_mautrix_signal_db_host }} -ExecStop=-{{ matrix_host_command_docker }} rm {{ matrix_mautrix_signal_db_host }} - -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-mautrix-signal-db - -[Install] -WantedBy=multi-user.target From 89f7f3c3b8290ea13e0bf53c837cfe45a7cb6a0f Mon Sep 17 00:00:00 2001 From: Sabine Laszakovits Date: Sat, 2 Jan 2021 00:55:55 +0100 Subject: [PATCH 1719/2384] added log level configuration --- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 4 +++- roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index d26513df..d366ed57 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -28,7 +28,7 @@ matrix_mautrix_signal_container_extra_arguments: [] # List of systemd services that matrix-mautrix-signal.service depends on. # TODO: unclear whether to put this into group_vars or keep it here -matrix_mautrix_signal_systemd_required_services_list: +matrix_mautrix_signal_systemd_required_services_list: - 'docker.service' - 'matrix-mautrix-signal-daemon.service' @@ -95,3 +95,5 @@ matrix_mautrix_signal_configuration: "{{ matrix_mautrix_signal_configuration_yam matrix_mautrix_signal_registration_yaml: "{{ lookup('template', 'templates/registration.yaml.j2') }}" matrix_mautrix_signal_registration: "{{ matrix_mautrix_signal_registration_yaml|from_yaml }}" + +matrix_mautrix_signal_log_level: 'DEBUG' \ No newline at end of file diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 64a820b5..df57915a 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -197,9 +197,9 @@ logging: formatter: colored loggers: mau: - level: DEBUG + level: {{ matrix_mautrix_signal_log_level }} aiohttp: level: INFO root: - level: DEBUG + level: {{ matrix_mautrix_signal_log_level }} handlers: [file, console] From 56af2b1a8cce6a46d401c4556f3faa209b41b5ed Mon Sep 17 00:00:00 2001 From: Sabine Laszakovits Date: Sat, 2 Jan 2021 00:56:45 +0100 Subject: [PATCH 1720/2384] small fixes --- roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index 9b049987..29555116 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -14,6 +14,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" + when: matrix_mautrix_signal_enabled|bool - name: Ensure Mautrix Signal Daemon image is pulled docker_image: @@ -21,6 +22,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" + when: matrix_mautrix_signal_enabled|bool - name: Ensure Mautrix Signal paths exist file: From 84cac25c11baad5828d6655817281cb990b8159a Mon Sep 17 00:00:00 2001 From: Sabine Laszakovits Date: Sat, 2 Jan 2021 19:01:21 +0100 Subject: [PATCH 1721/2384] added config data_dir (else in ~, which isn't set) --- roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index df57915a..4335b023 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -73,6 +73,8 @@ signal: outgoing_attachment_dir: /signald/attachments # Directory where signald stores avatars for groups. avatar_dir: /signald/avatars + # Directory where signald stores auth data. Used to delete data when logging out. + data_dir: /signald/data # Whether or not message attachments should be removed from disk after they're bridged. remove_file_after_handling: true From fb83eccf99cbe2d3f3411633eda2bd02f8cffdcd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 1 Jan 2021 16:39:07 +0200 Subject: [PATCH 1722/2384] Relocate SQL template file --- roles/matrix-postgres/tasks/util/create_additional_database.yml | 2 +- .../templates/{ => sql}/init-additional-db-user-and-role.sql.j2 | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename roles/matrix-postgres/templates/{ => sql}/init-additional-db-user-and-role.sql.j2 (100%) diff --git a/roles/matrix-postgres/tasks/util/create_additional_database.yml b/roles/matrix-postgres/tasks/util/create_additional_database.yml index ce064d59..22b3c9a2 100644 --- a/roles/matrix-postgres/tasks/util/create_additional_database.yml +++ b/roles/matrix-postgres/tasks/util/create_additional_database.yml @@ -13,7 +13,7 @@ # This way, we avoid passing sensitive data around in CLI commands that other users on the system can see. - name: Create additional database initialization SQL file for {{ additional_db.name }} template: - src: "{{ role_path }}/templates/init-additional-db-user-and-role.sql.j2" + src: "{{ role_path }}/templates/sql/init-additional-db-user-and-role.sql.j2" dest: "/tmp/matrix-postgres-init-additional-db-user-and-role.sql" mode: 0600 owner: "{{ matrix_user_uid }}" diff --git a/roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 b/roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 similarity index 100% rename from roles/matrix-postgres/templates/init-additional-db-user-and-role.sql.j2 rename to roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 From b5812b539b25b2453676cd7334fedda9691ddd19 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 00:58:09 +0200 Subject: [PATCH 1723/2384] Rename ma1sd custom email template variable Keeps up with https://github.com/ma1uta/ma1sd/commit/a1f64f515919e40708a4be59e508ac0dbf86f12f#diff-0ccf69eb4d59a7645eb4d0a0b077e693948edb33ad06df043bba3fb30122879b --- roles/matrix-ma1sd/defaults/main.yml | 2 +- roles/matrix-ma1sd/tasks/setup_install.yml | 2 +- roles/matrix-ma1sd/tasks/validate_config.yml | 1 + roles/matrix-ma1sd/templates/ma1sd.yaml.j2 | 6 +++--- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 2932f3ed..321292d1 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -92,7 +92,7 @@ matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false matrix_ma1sd_threepid_medium_email_custom_invite_template: "" matrix_ma1sd_threepid_medium_email_custom_session_validation_template: "" -matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template: "" +matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template: "" matrix_ma1sd_threepid_medium_email_custom_matrixid_template: "" # Controls whether the self-check feature should validate SSL certificates. diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml index a0a32728..7cd6b72c 100644 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -117,7 +117,7 @@ with_items: - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} - - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'} - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value" diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index 691fe0ac..4ca25e7e 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -54,6 +54,7 @@ when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" with_items: - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} + - {'old': 'matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template', 'new': 'matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template'} - name: (Deprecation) Catch and report mxisd variables fail: diff --git a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 index 9a426c47..4579b839 100644 --- a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 +++ b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 @@ -57,14 +57,14 @@ threepid: {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %} invite: '/var/ma1sd/invite-template.eml' {% endif %} - {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %} session: {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %} validation: '/var/ma1sd/validate-template.eml' {% endif %} - {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + {% if matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %} unbind: - frandulent: '/var/ma1sd/unbind-fraudulent.eml' + notification: '/var/ma1sd/unbind-notification.eml' {% endif %} {% endif %} {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %} From f84c69c16415b8b37a47077be7c556a712eded4b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 07:35:13 +0200 Subject: [PATCH 1724/2384] Relocate custom ma1sd threepid email templates to config/ We used to store them in data/, but that seems inappropriate, since it's just static configuration that the playbook can recreate. --- roles/matrix-ma1sd/defaults/main.yml | 4 ++++ roles/matrix-ma1sd/tasks/setup_install.yml | 16 ++++++++++++++-- roles/matrix-ma1sd/templates/ma1sd.yaml.j2 | 8 ++++---- 3 files changed, 22 insertions(+), 6 deletions(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 321292d1..c0faea67 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -90,9 +90,13 @@ matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" # https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md # https://github.com/ma1uta/ma1sd/tree/master/src/main/resources/threepids/email matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false +# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/invite-template.eml matrix_ma1sd_threepid_medium_email_custom_invite_template: "" +# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/validate-template.eml matrix_ma1sd_threepid_medium_email_custom_session_validation_template: "" +# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/unbind-notification.eml matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template: "" +# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/mxid-template.eml matrix_ma1sd_threepid_medium_email_custom_matrixid_template: "" # Controls whether the self-check feature should validate SSL certificates. diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml index 7cd6b72c..58fef962 100644 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -107,10 +107,10 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" -- name: Ensure custom templates are installed if any +- name: Ensure custom email templates are installed, if any copy: content: "{{ item.value }}" - dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}" + dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" @@ -121,6 +121,18 @@ - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value" +# Only cleaning up for people who define the respective templates +- name: (Cleanup) Ensure custom email templates are not in data/ anymore (we've put them in config/) + file: + path: "{{ matrix_ma1sd_data_path }}/{{ item.location }}" + state: absent + with_items: + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} + when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value" + - name: Ensure matrix-ma1sd.service installed template: src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2" diff --git a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 index 4579b839..59fb1744 100644 --- a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 +++ b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 @@ -55,21 +55,21 @@ threepid: generators: template: {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %} - invite: '/var/ma1sd/invite-template.eml' + invite: '/etc/ma1sd/invite-template.eml' {% endif %} {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %} session: {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %} - validation: '/var/ma1sd/validate-template.eml' + validation: '/etc/ma1sd/validate-template.eml' {% endif %} {% if matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %} unbind: - notification: '/var/ma1sd/unbind-notification.eml' + notification: '/etc/ma1sd/unbind-notification.eml' {% endif %} {% endif %} {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %} generic: - matrixId: '/var/ma1sd/mxid-template.eml' + matrixId: '/etc/ma1sd/mxid-template.eml' {% endif %} {% endif %} From 480563718129d63647b22da8b4a29d85b2086763 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 07:36:09 +0200 Subject: [PATCH 1725/2384] Add support for custom ma1sd view sesion templates --- roles/matrix-ma1sd/defaults/main.yml | 11 +++++++++++ roles/matrix-ma1sd/tasks/setup_install.yml | 12 ++++++++++++ roles/matrix-ma1sd/templates/ma1sd.yaml.j2 | 12 ++++++++++++ 3 files changed, 35 insertions(+) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index c0faea67..28e3405c 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -83,6 +83,17 @@ matrix_ma1sd_dns_overwrite_enabled: false matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" +# Override the default session templates +# To use this, fill in the template variables with the full desired template as a multi-line YAML variable +# +# More info: +# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/session/session-views.md +matrix_ma1sd_view_session_custom_templates_enabled: false +# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitSuccess.html +matrix_ma1sd_view_session_custom_onTokenSubmit_success_template: "" +# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitFailure.html +matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template: "" + # Override the default email templates # To use this, fill in the template variables with the full desired template as a multi-line YAML variable # diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml index 58fef962..a4a70ea4 100644 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -107,6 +107,18 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" +- name: Ensure custom view templates are installed, if any + copy: + content: "{{ item.value }}" + dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_success_template }}", location: 'tokenSubmitSuccess.html'} + - {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template }}", location: 'tokenSubmitFailure.html'} + when: "matrix_ma1sd_view_session_custom_templates_enabled|bool and item.value" + - name: Ensure custom email templates are installed, if any copy: content: "{{ item.value }}" diff --git a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 index 59fb1744..a4100adc 100644 --- a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 +++ b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 @@ -73,6 +73,18 @@ threepid: {% endif %} {% endif %} +{% if matrix_ma1sd_view_session_custom_templates_enabled %} +view: + session: + onTokenSubmit: + {% if matrix_ma1sd_view_session_custom_onTokenSubmit_success_template %} + success: '/etc/ma1sd/tokenSubmitSuccess.html' + {% endif %} + {% if matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template %} + failure: '/etc/ma1sd/tokenSubmitFailure.html' + {% endif %} +{% endif %} + {% if matrix_ma1sd_hashing_enabled %} hashing: enabled: true # enable or disable the hash lookup MSC2140 (default is false) From df8d9cfd3406433b1a6e9b234c818b70c6460daa Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 07:46:55 +0200 Subject: [PATCH 1726/2384] Remove some TODOs The answer to these is: it's good to have them in both places. The role defines the obvious things it depends on (not knowing what setup it will find itself into), and then `group_vars/matrix_servers` "extends" it based on everything else it knows (the homeserver being Synapse, whether or not the internal Postgres server is being used, etc.) --- group_vars/matrix_servers | 10 ++++------ .../defaults/main.yml | 19 +++++++++---------- 2 files changed, 13 insertions(+), 16 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c9065420..45260688 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -265,7 +265,6 @@ matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_ke # We don't enable bridges by default. matrix_mautrix_signal_enabled: false -# TODO: unclear whether to put this into the role or keep it here matrix_mautrix_signal_systemd_required_services_list: | {{ ['docker.service'] @@ -288,8 +287,7 @@ matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_signal_database_engine: 'postgres' -matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.signal.db') | to_uuid }}" - +matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.signal.db') | to_uuid }}" ###################################################################### # @@ -1073,9 +1071,9 @@ matrix_postgres_additional_databases: | }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) + ([{ - 'name': matrix_mautrix_signal_database_name, - 'username': matrix_mautrix_signal_database_username, - 'password': matrix_mautrix_signal_database_password, + 'name': matrix_mautrix_signal_database_name, + 'username': matrix_mautrix_signal_database_username, + 'password': matrix_mautrix_signal_database_password, }] if (matrix_mautrix_signal_enabled and matrix_mautrix_signal_database_engine == 'postgres' and matrix_mautrix_signal_database_hostname == 'matrix-postgres') else []) + ([{ diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index d366ed57..d46c2c50 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -27,8 +27,7 @@ matrix_mautrix_signal_container_http_host_bind_port: '' matrix_mautrix_signal_container_extra_arguments: [] # List of systemd services that matrix-mautrix-signal.service depends on. -# TODO: unclear whether to put this into group_vars or keep it here -matrix_mautrix_signal_systemd_required_services_list: +matrix_mautrix_signal_systemd_required_services_list: - 'docker.service' - 'matrix-mautrix-signal-daemon.service' @@ -40,7 +39,7 @@ matrix_mautrix_signal_homeserver_token: '' # Database-related configuration fields # -# This bridge only supports postgres. +# This bridge only supports postgres. # matrix_mautrix_signal_database_engine: 'postgres' @@ -50,13 +49,13 @@ matrix_mautrix_signal_database_hostname: 'matrix-postgres' matrix_mautrix_signal_database_port: 5432 matrix_mautrix_signal_database_name: 'matrix_mautrix_signal' -matrix_mautrix_signal_database_connection_string: 'postgres://{{ matrix_mautrix_signal_database_username }}:{{ matrix_mautrix_signal_database_password }}@{{ matrix_mautrix_signal_database_hostname }}:{{ matrix_mautrix_signal_database_port }}/{{ matrix_mautrix_signal_database_name }}' +matrix_mautrix_signal_database_connection_string: 'postgres://{{ matrix_mautrix_signal_database_username }}:{{ matrix_mautrix_signal_database_password }}@{{ matrix_mautrix_signal_database_hostname }}:{{ matrix_mautrix_signal_database_port }}/{{ matrix_mautrix_signal_database_name }}' -matrix_mautrix_signal_appservice_database: "{{ - { - 'postgres': matrix_mautrix_facebook_database_connection_string, - }[matrix_mautrix_signal_database_engine] - }}" +matrix_mautrix_signal_appservice_database: "{{ + { + 'postgres': matrix_mautrix_facebook_database_connection_string, + }[matrix_mautrix_signal_database_engine] + }}" # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_signal_login_shared_secret: '' @@ -96,4 +95,4 @@ matrix_mautrix_signal_registration_yaml: "{{ lookup('template', 'templates/regis matrix_mautrix_signal_registration: "{{ matrix_mautrix_signal_registration_yaml|from_yaml }}" -matrix_mautrix_signal_log_level: 'DEBUG' \ No newline at end of file +matrix_mautrix_signal_log_level: 'DEBUG' From aac400664afeda5f93c13e93a75feacc01964add Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 07:59:49 +0200 Subject: [PATCH 1727/2384] Announce mautrix-signal bridge --- CHANGELOG.md | 7 +++++++ README.md | 4 ++++ docs/configuring-playbook-bridge-mautrix-signal.md | 2 ++ 3 files changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c4a586e8..b6d1f414 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +# 2021-01-03 + +## Signal bridging support via mautrix-signal + +Thanks to [laszabine](https://github.com/laszabine)'s efforts, the playbook now supports bridging to [Signal](https://www.signal.org/) via the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge. See our [Setting up Mautrix Signal bridging](docs/configuring-playbook-bridge-mautrix-signal.md) documentation page for getting started. + + # 2020-12-23 ## The big move to all-on-Postgres (potentially dangerous) diff --git a/README.md b/README.md index ac2b7ca9..1ddc5016 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) +- (optional) the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge for bridging your Matrix server to [Signal](https://www.signal.org/) + - (optional) the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) - (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/) @@ -158,6 +160,8 @@ This playbook sets up your server using the following Docker images: - [tulir/mautrix-hangouts](https://hub.docker.com/r/tulir/mautrix-hangouts/) - the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) +- [tulir/mautrix-signal](https://mau.dev/tulir/mautrix-signal/container_registry) - the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge to [Signal](https://www.signal.org/) (optional) + - [matrixdotorg/matrix-appservice-irc](https://hub.docker.com/r/matrixdotorg/matrix-appservice-irc) - the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional) - [halfshot/matrix-appservice-discord](https://hub.docker.com/r/halfshot/matrix-appservice-discord) - the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge to [Discord](https://discordapp.com/) (optional) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index a5410665..cc6541b5 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md +++ b/docs/configuring-playbook-bridge-mautrix-signal.md @@ -4,6 +4,8 @@ The playbook can install and configure [mautrix-signal](https://github.com/tulir See the project's [documentation](https://github.com/tulir/mautrix-signal/wiki) to learn what it does and why it might be useful to you. +**Note/Prerequisite**: If you're running with the Postgres database server integrated by the playbook (which is the default), you don't need to do anything special and can easily proceed with installing. However, if you're [using an external Postgres server](configuring-playbook-external-postgres.md), you'd need to manually prepare a Postgres database for this bridge and adjust the variables related to that (`matrix_mautrix_signal_database_*`). + Use the following playbook configuration: ```yaml From da2a6682b39699d0e572a2fd5bcf0350844cd22b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 08:06:32 +0200 Subject: [PATCH 1728/2384] Get rid of matrix_mautrix_signal_configuration_permissions While it's kind of nice having it, it's also somewhat raw and unnecessary. Having a good default and not even mentioning it seems better for most users. People who need a more exposed bridge (rare) can use override the default configuration using `matrix_mautrix_signal_configuration_extension_yaml`. --- ...nfiguring-playbook-bridge-mautrix-signal.md | 18 ------------------ .../defaults/main.yml | 9 --------- .../tasks/validate_config.yml | 1 + .../templates/config.yaml.j2 | 3 ++- 4 files changed, 3 insertions(+), 28 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index cc6541b5..164b06de 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md +++ b/docs/configuring-playbook-bridge-mautrix-signal.md @@ -12,24 +12,6 @@ Use the following playbook configuration: matrix_mautrix_signal_enabled: true ``` -To specify which users have access to the bridge, use the variable `matrix_mautrix_signal_configuration_permissions`. -Refer to the documentation for -```yaml -bridge: - permissions: -``` -in [the example config in mautrix-signal](https://github.com/tulir/mautrix-signal/blob/master/mautrix_signal/example-config.yaml). -For instance, use -```yaml -matrix_mautrix_signal_configuration_permissions: | - { - '{{ matrix_domain }}': 'user' - } -``` -to allow all users registered to the current host's matrix domain access to the bridge, or hard-code whatever you like. -(See [this issue](https://github.com/ansible/ansible/issues/17324#issuecomment-449642731) on how to use variable names as dictionary keys.) - - ## Set up Double Puppeting If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-whatsapp/wiki/Authentication#replacing-whatsapp-accounts-matrix-puppet-with-matrix-account) (hint: you most likely do), you have 2 ways of going about it. diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index d46c2c50..d15ba6e3 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -67,15 +67,6 @@ matrix_mautrix_signal_login_shared_secret: '' # or completely replace this variable with your own template. matrix_mautrix_signal_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" -# Permitted values: -# user - Use the bridge with puppeting. -# admin - Use and administrate the bridge. -# Permitted keys: -# * - All Matrix users -# domain - All users on that homeserver -# mxid - Specific user -matrix_mautrix_signal_configuration_permissions: {} - matrix_mautrix_signal_configuration_extension_yaml: | # Your custom YAML configuration goes here. # This configuration extends the default starting configuration (`matrix_mautrix_signal_configuration_yaml`). diff --git a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml index 397ef4d8..100af3f8 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml @@ -25,3 +25,4 @@ - {'old': 'matrix_mautrix_signal_db_host', 'new': 'matrix_mautrix_signal_database_hostname'} - {'old': 'matrix_mautrix_signal_db_port', 'new': 'matrix_mautrix_signal_database_port'} - {'old': 'matrix_mautrix_signal_db_url', 'new': 'matrix_mautrix_signal_database_connection_string'} + - {'old': 'matrix_mautrix_signal_configuration_permissions', 'new': ''} diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 4335b023..68ed1d6d 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -172,7 +172,8 @@ bridge: # * - All Matrix users # domain - All users on that homeserver # mxid - Specific user - permissions: {{ matrix_mautrix_signal_configuration_permissions }} + permissions: + '{{ matrix_mautrix_signal_homeserver_domain }}': user # Python logging configuration. From 274f23f66868b72eea753569ee31c6374a4c7686 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 08:16:49 +0200 Subject: [PATCH 1729/2384] Make matrix-mautrix-signal-daemon.service depend on docker.service --- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 6 ++++++ .../systemd/matrix-mautrix-signal-daemon.service.j2 | 9 +++++++++ 2 files changed, 15 insertions(+) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index d15ba6e3..962140c9 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -34,6 +34,12 @@ matrix_mautrix_signal_systemd_required_services_list: # List of systemd services that matrix-mautrix-signal.service wants matrix_mautrix_signal_systemd_wanted_services_list: [] +# List of systemd services that matrix-mautrix-signal-daemon.service depends on. +matrix_mautrix_signal_daemon_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-signal-daemon.service wants +matrix_mautrix_signal_daemon_systemd_wanted_services_list: [] + matrix_mautrix_signal_appservice_token: '' matrix_mautrix_signal_homeserver_token: '' diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 index 499ee309..d8952992 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 @@ -2,6 +2,15 @@ [Unit] Description=Matrix Mautrix Signal daemon +{% for service in matrix_mautrix_signal_daemon_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} + +{% for service in matrix_mautrix_signal_daemon_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + [Service] Type=simple From 3b524ee815c5123a9d15f5bf8478bc40b705d80a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 08:20:43 +0200 Subject: [PATCH 1730/2384] Make mautrix-signal bridge not log to files We try to only use console logging (going to journald) for everything, instead of logging things twice (or more). --- .../matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 68ed1d6d..28fff6f0 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -189,12 +189,6 @@ logging: normal: format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" handlers: - file: - class: logging.handlers.RotatingFileHandler - formatter: normal - filename: ./mautrix-signal.log - maxBytes: 10485760 - backupCount: 10 console: class: logging.StreamHandler formatter: colored @@ -205,4 +199,4 @@ logging: level: INFO root: level: {{ matrix_mautrix_signal_log_level }} - handlers: [file, console] + handlers: [console] From 6e652e10ad33027425ff5ea97b5e3089cbccf1ea Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 08:48:29 +0200 Subject: [PATCH 1731/2384] Bump minimium Ansible version to 2.7.1 Provoked by https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/743 --- docs/ansible.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ansible.md b/docs/ansible.md index b5135639..3c062a75 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -9,7 +9,7 @@ If your local computer cannot run Ansible, you can also run Ansible on some serv ## Supported Ansible versions -Ansible 2.7.0 or newer is required. +Ansible 2.7.1 or newer is required ([last discussion about Ansible versions](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/743)). Note: Ubuntu 20.04 ships with Ansible 2.9.6 which is a buggy version (see this [bug](https://bugs.launchpad.net/ubuntu/+source/ansible/+bug/1880359)), which can't be used in combination with a host running new systemd (more details in [#517](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/517), [#669](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/669)). If this problem affects you, you can: avoid running Ubuntu 20.04 on your host; run Ansible from another machine targeting your host; or try to upgrade to a newer Ansible version (see below). From 2c09111a3a3dba37f849a40022d7d710593f0c9d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 08:53:54 +0200 Subject: [PATCH 1732/2384] Actually enforce that we run on Ansible >= 2.7.1 Related to 6e652e10ad33 --- roles/matrix-base/tasks/sanity_check.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 59ab8b93..3372d749 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -1,10 +1,11 @@ --- -# We generally support Ansible 2.7.0 and above. -- name: Fail if running on Ansible < 2.7 +# We generally support Ansible 2.7.1 and above. +- name: Fail if running on Ansible < 2.7.1 fail: msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" - when: "(ansible_version.major < 2) or (ansible_version.major <= 2 and ansible_version.minor < 7)" + when: + - "(ansible_version.major < 2) or (ansible_version.major == 2 and ansible_version.minor < 7) or (ansible_version.major == 2 and ansible_version.minor == 7 and ansible_version.revision < 1)" # Though we do not support Ansible 2.9.6 which is buggy - name: Fail if running on Ansible 2.9.6 on Ubuntu From 6cce5383bcf1f34c06af2213c16954246060f565 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 08:55:30 +0200 Subject: [PATCH 1733/2384] Fix Ansible 2.9.6 check Fixup for https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/769 --- roles/matrix-base/tasks/sanity_check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index 3372d749..c31d9137 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -13,7 +13,7 @@ msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md" when: - ansible_distribution == 'Ubuntu' - - "ansible_version.major == 2 and ansible_version.major == 9 and ansible_version.minor == 6" + - "ansible_version.major == 2 and ansible_version.minor == 9 and ansible_version.revision == 6" - name: (Deprecation) Catch and report renamed settings fail: From 23f246b0ad45fe414c4f88f8246928b6f7ab1cc6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 09:19:06 +0200 Subject: [PATCH 1734/2384] Mention mautrix-signal migration steps to early adopters --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b6d1f414..1aa8c9b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ Thanks to [laszabine](https://github.com/laszabine)'s efforts, the playbook now supports bridging to [Signal](https://www.signal.org/) via the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge. See our [Setting up Mautrix Signal bridging](docs/configuring-playbook-bridge-mautrix-signal.md) documentation page for getting started. +If you had installed the mautrix-signal bridge while its Pull Request was still work-in-progress, you can migrate your data to the new and final setup by referring to [this comment](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/686#issuecomment-753510789). + # 2020-12-23 From bcb408497d0ceb88dc13cbd4a534839be6e3b3a0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 10:18:53 +0200 Subject: [PATCH 1735/2384] Fix broken links (mautrix bridges are not on Docker Hub) --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 1ddc5016..5a9278f3 100644 --- a/README.md +++ b/README.md @@ -152,13 +152,13 @@ This playbook sets up your server using the following Docker images: - [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) - the [certbot](https://certbot.eff.org/) tool for obtaining SSL certificates from [Let's Encrypt](https://letsencrypt.org/) (optional) -- [tulir/mautrix-telegram](https://hub.docker.com/r/tulir/mautrix-telegram/) - the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge to [Telegram](https://telegram.org/) (optional) +- [tulir/mautrix-telegram](https://mau.dev/tulir/mautrix-telegram/container_registry) - the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge to [Telegram](https://telegram.org/) (optional) -- [tulir/mautrix-whatsapp](https://hub.docker.com/r/tulir/mautrix-whatsapp/) - the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional) +- [tulir/mautrix-whatsapp](https://mau.dev/tulir/mautrix-whatsapp/container_registry) - the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional) -- [tulir/mautrix-facebook](https://hub.docker.com/r/tulir/mautrix-facebook/) - the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge to [Facebook](https://facebook.com/) (optional) +- [tulir/mautrix-facebook](https://mau.dev/tulir/mautrix-facebook/container_registry) - the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge to [Facebook](https://facebook.com/) (optional) -- [tulir/mautrix-hangouts](https://hub.docker.com/r/tulir/mautrix-hangouts/) - the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) +- [tulir/mautrix-hangouts](https://mau.dev/tulir/mautrix-hangouts/container_registry) - the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) - [tulir/mautrix-signal](https://mau.dev/tulir/mautrix-signal/container_registry) - the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge to [Signal](https://www.signal.org/) (optional) From 6b1e25d84327cedeca7de1e4d962779f9ac4db9c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 3 Jan 2021 10:21:59 +0200 Subject: [PATCH 1736/2384] Do not create matrix_bridge_sms Postgres database That bridge only supports its own file-based database, so preparing a Postgres database for it is pointless. --- group_vars/matrix_servers | 6 ------ 1 file changed, 6 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 45260688..dabe0d75 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1088,12 +1088,6 @@ matrix_postgres_additional_databases: | 'password': matrix_mautrix_whatsapp_database_password, }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == 'matrix-postgres') else []) + - ([{ - 'name': 'matrix_bridge_sms', - 'username': 'matrix_bridge_sms', - 'password': matrix_synapse_macaroon_secret_key | password_hash('sha512', 'bridge.sms.db') | to_uuid, - }] if matrix_sms_bridge_enabled else []) - + ([{ 'name': matrix_mx_puppet_skype_database_name, 'username': matrix_mx_puppet_skype_database_username, From 24d73a554d35fc009f2b6f304c194db9b2431fcd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 4 Jan 2021 23:46:34 +0200 Subject: [PATCH 1737/2384] Fix incorrect federation port in Traefik example --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index c930da40..915c2c37 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -219,7 +219,7 @@ services: - "--certificatesresolvers.default.acme.storage=/letsencrypt/acme.json" ports: - "443:443" - - "8080:8080" + - "8448:8448" volumes: - "./letsencrypt:/letsencrypt" - "/var/run/docker.sock:/var/run/docker.sock:ro" From 0a977ce113d07e9446821664eaec989943f32f88 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 5 Jan 2021 22:59:24 +0200 Subject: [PATCH 1738/2384] Fix incorrect path in docs --- docs/maintenance-postgres.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 14d5cdb9..93d0d0bf 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -69,7 +69,7 @@ This playbook can upgrade your existing Postgres setup with the following comman ansible-playbook -i inventory/hosts setup.yml --tags=upgrade-postgres -**The old Postgres data directory is backed up** automatically, by renaming it to `/matrix/postgres-auto-upgrade-backup`. +**The old Postgres data directory is backed up** automatically, by renaming it to `/matrix/postgres/data-auto-upgrade-backup`. To rename to a different path, pass some extra flags to the command above, like this: `--extra-vars="postgres_auto_upgrade_backup_data_path=/another/disk/matrix-postgres-before-upgrade"` The auto-upgrade-backup directory stays around forever, until you **manually decide to delete it**. From a2f6adbeaf1f064d1c67dbf6958f31044754309b Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Wed, 6 Jan 2021 22:00:49 +0100 Subject: [PATCH 1739/2384] Fix appservice-slack default db: nedb --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index dabe0d75..6111600e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -129,7 +129,7 @@ matrix_appservice_slack_systemd_required_services_list: | }} # Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}" matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.slack.db') | to_uuid }}" ###################################################################### From 25d423e6b62a318f0021c7caa1f653368bb0b49a Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Fri, 8 Jan 2021 11:20:29 +0100 Subject: [PATCH 1740/2384] Fix errors per spantaleev suggestions The different configurations are now all lower case, for consistent naming. `matrix_nginx_proxy_ssl_config` is now called `matrix_nginx_proxy_ssl_preset`. The different options for "modern", "intermediate" and "old" are stored in the main.yml file, instead of being hardcoded in the configuration files. This will improve the maintainability of the code. The "custom" preset was removed. Now if one of the variables is set, it will use it instead of the preset. This will allow to mix and match more easily, for example using all the intermediate options but only supporting TLSv1.2. This will also provide better backward compatibility. --- CHANGELOG.md | 12 ++-- docs/configuring-playbook-nginx.md | 15 +++-- docs/configuring-playbook-own-webserver.md | 3 +- roles/matrix-nginx-proxy/defaults/main.yml | 45 ++++++++++---- .../tasks/validate_config.yml | 4 +- .../conf.d/matrix-client-element.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-dimension.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-domain.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-jitsi.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-riot-web.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-synapse.conf.j2 | 62 +++++++++---------- 11 files changed, 154 insertions(+), 142 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2833b4bb..854156e8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,13 +2,15 @@ ## New SSL Configuration -A new variable `matrix_nginx_proxy_ssl_config`, bringing some breaking changes. The default configuration is set to `"Intermadiate"`. -This changes `ssl_prefer_server_ciphers` to `off` by default instead of `off`. It also add some more ciphers to the list, this should +A new variable `matrix_nginx_proxy_ssl_preset`, bringing some breaking changes. The default configuration is set to `"intermediate"`. +This changes `ssl_prefer_server_ciphers` to `off` by default instead of `on`. It also add some more ciphers to the list, this should give a little better performance for mobile devices and removes weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). -To revert to the old behaviour just set `matrix_nginx_proxy_ssl_config` to `"Custom"` and don't change any of the other variables. +To revert to the old behaviour just set the following variables: -If you are setting `matrix_nginx_proxy_ssl_protocols` to a custom value, you will need to `matrix_nginx_proxy_ssl_config` to `"Custom"`, -otherwise it this variable will be ignored. +```yaml +matrix_nginx_proxy_ssl_ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" +matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" +``` # 2021-01-03 diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index dffd962f..a95fbf72 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -26,21 +26,20 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ## Adjusting SSL in your server -You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_config`. This is based on the Mozilla Server Side TLS +You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_preset`. This is based on the Mozilla Server Side TLS Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. The posible values are: -- "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility -- "Intermediate" - Recommended configuration for a general-purpose server -- "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -- "Custom" - For defining your own protocols an ciphers +- "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +- "intermediate" - Recommended configuration for a general-purpose server +- "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -The default is set to `"Intermediate"`. +The default is set to `"intermediate"`. -**Be really carefull when setting it to "Modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the +**Be really carefull when setting it to "modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the [Federarion tester](https://federationtester.matrix.org/) won't work. -If you set `matrix_nginx_proxy_ssl_config` to `"Custom"`, you will get three variables that you will be able to set: +If you want to override one of the values used by the preset, you can use this three variables: - `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols. - `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off". diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index ee4402b3..915c2c37 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -48,11 +48,10 @@ Those configuration files are adapted for use with an external web server (one n You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` -Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by setting `matrix_nginx_proxy_ssl_config` to `"Custom"` redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: +Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: ```yaml # Custom protocol list (removing `TLSv1.3`) to suit your nginx version. -matrix_nginx_proxy_ssl_config: "Custom" matrix_nginx_proxy_ssl_protocols: "TLSv1.2" ``` diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index e2fc107e..f88dbc7e 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -223,30 +223,49 @@ matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # This is based on the Mozilla Server Side TLS Recommended configurations. # # The posible values are: -# - "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility -# - "Intermediate" - Recommended configuration for a general-purpose server -# - "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -# - "Custom" - For defining your own protocols an ciphers +# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +# - "intermediate" - Recommended configuration for a general-purpose server +# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 # # For more information visit: # - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations # - https://ssl-config.mozilla.org/#server=nginx -matrix_nginx_proxy_ssl_config: "Intermediate" +matrix_nginx_proxy_ssl_preset: "intermediate" + +# This are the presets as taken from Mozilla's Server Side TLS Recommended configurations +# DO NOT modify this values and use `matrix_nginx_proxy_ssl_protocols` and `matrix_nginx_proxy_ssl_ciphers` +matrix_nginx_proxy_ssl_presets: + modern: + protocols: TLSv1.3 + ciphers: "" + prefer_server_ciphers: "off" + intermediate: + protocols: TLSv1.2 TLSv1.3 + ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + prefer_server_ciphers: "off" + old: + protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 + ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA + prefer_server_ciphers: "on" + # Specifies which *SSL protocols* to use when serving all the various vhosts. -# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" -matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3" +# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override +# the values from the preset +matrix_nginx_proxy_ssl_protocols: "" # Specifies whether to prefer *the client’s choice or the server’s choice* when -# negociating the chipher to serve all the various vhost -# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" -matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" +# negociating the chipher to serve all the various vhost. +# +# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override +# the values from the preset +matrix_nginx_proxy_ssl_prefer_server_ciphers: "" # Specifies which *SSL Cipher suites* to use when serving all the various vhosts. -# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" +# By default is set to "" and will use the ciphers from the preset. If you set it to something different, it will override +# the values from the preset. # To see the full list for suportes ciphers run `openssl ciphers` on your server -# Remember to use '' and "" if you are specified a list of ciphers -matrix_nginx_proxy_ssl_ciphers: '"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"' +matrix_nginx_proxy_ssl_ciphers: "" # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 0b737662..c12017f3 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -22,5 +22,5 @@ - name: Fail on unknown matrix_nginx_proxy_ssl_config fail: msg: >- - `matrix_nginx_proxy_ssl_config` needs to be set to a known value. - when: "matrix_nginx_proxy_ssl_config not in ['Custom', 'Old', 'Intermediate', 'Modern']" + `matrix_nginx_proxy_ssl_preset` needs to be set to a known value. + when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 69a61a39..6d1583fd 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -68,25 +68,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index fce652eb..4557ce26 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -66,25 +66,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index be659305..0e07fa9f 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -59,25 +59,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index d08ac7be..1da48f4d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -87,25 +87,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 11b8a0fd..f4bf909d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -52,25 +52,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index a32b7bad..0455922a 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -204,25 +204,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} {{ render_vhost_directives() }} @@ -254,25 +253,24 @@ server { ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {% endif %} From d7dba0a2ffdd939a01eda0c2640c9c8acf0396da Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 16:37:30 +0200 Subject: [PATCH 1741/2384] Update some Docker image references --- docs/ansible.md | 2 +- docs/maintenance-postgres.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/ansible.md b/docs/ansible.md index 3c062a75..ff513bbf 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -51,7 +51,7 @@ docker run -it --rm \ -v `pwd`:/work \ -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \ --entrypoint=/bin/sh \ -devture/ansible:2.9.13-r0 +docker.io/devture/ansible:2.9.14-r0 ``` The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`). diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 93d0d0bf..7c936479 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -45,7 +45,7 @@ docker run \ --log-driver=none \ --network=matrix \ --env-file=/matrix/postgres/env-postgres-psql \ -postgres:13.0-alpine \ +docker.io/postgres:13.1-alpine \ pg_dumpall -h matrix-postgres \ | gzip -c \ > /postgres.sql.gz From 5156c63a76ad963a682a478312b854cea7a02eae Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Fri, 8 Jan 2021 18:35:27 +0100 Subject: [PATCH 1742/2384] Clean up code Code was clean up and simplified to make it simpler and easier to maintain. No features were modified. --- roles/matrix-nginx-proxy/defaults/main.yml | 6 +-- .../conf.d/matrix-client-element.conf.j2 | 18 +------- .../nginx/conf.d/matrix-dimension.conf.j2 | 18 +------- .../nginx/conf.d/matrix-domain.conf.j2 | 18 +------- .../nginx/conf.d/matrix-jitsi.conf.j2 | 18 +------- .../nginx/conf.d/matrix-riot-web.conf.j2 | 18 +------- .../nginx/conf.d/matrix-synapse.conf.j2 | 42 ++++--------------- 7 files changed, 20 insertions(+), 118 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index f88dbc7e..648779b4 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -252,20 +252,20 @@ matrix_nginx_proxy_ssl_presets: # Specifies which *SSL protocols* to use when serving all the various vhosts. # By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override # the values from the preset -matrix_nginx_proxy_ssl_protocols: "" +matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}" # Specifies whether to prefer *the client’s choice or the server’s choice* when # negociating the chipher to serve all the various vhost. # # By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override # the values from the preset -matrix_nginx_proxy_ssl_prefer_server_ciphers: "" +matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}" # Specifies which *SSL Cipher suites* to use when serving all the various vhosts. # By default is set to "" and will use the ciphers from the preset. If you set it to something different, it will override # the values from the preset. # To see the full list for suportes ciphers run `openssl ciphers` on your server -matrix_nginx_proxy_ssl_ciphers: "" +matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 6d1583fd..8e665298 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -68,25 +68,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 4557ce26..abfccbc1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -66,25 +66,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 0e07fa9f..1ffd95e5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -59,25 +59,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 1da48f4d..91c94de7 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -87,25 +87,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index f4bf909d..87bef2f3 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -52,25 +52,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 0455922a..6640054e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -204,25 +204,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} {{ render_vhost_directives() }} } @@ -253,25 +239,11 @@ server { ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; - {% endif %} + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {% endif %} From 4bc8193f698945230d7dd848ce25cb2fe931b438 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:13:01 +0200 Subject: [PATCH 1743/2384] Fix typos and improve wording --- docs/configuring-playbook-nginx.md | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index a95fbf72..ba6c5c12 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -26,26 +26,24 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ## Adjusting SSL in your server -You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_preset`. This is based on the Mozilla Server Side TLS -Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. -The posible values are: +You can adjust how the SSL is served by the nginx server using the `matrix_nginx_proxy_ssl_preset` variable. We support a few presets, based on the Mozilla Server Side TLS +Recommended configurations. These presets influence the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. +Possible values are: -- "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility -- "intermediate" - Recommended configuration for a general-purpose server -- "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 +- `"modern"` - For Modern clients that support TLS 1.3, with no need for backwards compatibility +- `"intermediate"` (**default**) - Recommended configuration for a general-purpose server +- `"old"` - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -The default is set to `"intermediate"`. +**Be really carefull when setting it to `"modern"`**. This could break comunication with other Matrix servers, limiting your federation posibilities. The +[Federarion tester](https://federationtester.matrix.org/) also won't work. -**Be really carefull when setting it to "modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the -[Federarion tester](https://federationtester.matrix.org/) won't work. - -If you want to override one of the values used by the preset, you can use this three variables: +Besides changing the preset (`matrix_nginx_proxy_ssl_preset`), you can also directly override these 3 variables: - `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols. -- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off". +- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negotiating the cipher. It can set to `on` or `off`. - `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx. -For more information about this variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file. +For more information about these variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file. ## Synapse + OpenID Connect for Single-Sign-On From de6ecd8818db9c49d1e2ef9f4ca0d263802a1672 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:15:14 +0200 Subject: [PATCH 1744/2384] Update inaccurate comments --- roles/matrix-nginx-proxy/defaults/main.yml | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 648779b4..b02ecf91 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -232,8 +232,9 @@ matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # - https://ssl-config.mozilla.org/#server=nginx matrix_nginx_proxy_ssl_preset: "intermediate" -# This are the presets as taken from Mozilla's Server Side TLS Recommended configurations -# DO NOT modify this values and use `matrix_nginx_proxy_ssl_protocols` and `matrix_nginx_proxy_ssl_ciphers` +# Presets are taken from Mozilla's Server Side TLS Recommended configurations +# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers` +# if you wish to use something more custom. matrix_nginx_proxy_ssl_presets: modern: protocols: TLSv1.3 @@ -250,20 +251,12 @@ matrix_nginx_proxy_ssl_presets: # Specifies which *SSL protocols* to use when serving all the various vhosts. -# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override -# the values from the preset matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}" -# Specifies whether to prefer *the client’s choice or the server’s choice* when -# negociating the chipher to serve all the various vhost. -# -# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override -# the values from the preset +# Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers. matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}" # Specifies which *SSL Cipher suites* to use when serving all the various vhosts. -# By default is set to "" and will use the ciphers from the preset. If you set it to something different, it will override -# the values from the preset. # To see the full list for suportes ciphers run `openssl ciphers` on your server matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" From 5822ba0c01fbc4bcd06963c29876fdfe620f2e81 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:21:33 +0200 Subject: [PATCH 1745/2384] Use a more natural if statement --- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 4 ++-- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 8e665298..29641021 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -69,7 +69,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index abfccbc1..04f0e63d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -67,7 +67,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 1ffd95e5..3db17292 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -60,7 +60,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 91c94de7..ca5d5a22 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -88,7 +88,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 87bef2f3..1f7c3f97 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -53,7 +53,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 6640054e..a6c93268 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -205,7 +205,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; @@ -240,7 +240,7 @@ server { ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; From f7ae050eaf9e6169caaec0bf26ffcfbfe4544ae2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:22:44 +0200 Subject: [PATCH 1746/2384] Remove useless quotes around ssl_ciphers value Not sure if it breaks with them or not, but no other directive uses quotes and the nginx docs show examples without quotes, so we're being consistent with all of that. --- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 4 ++-- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 29641021..f56d7fd5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -70,7 +70,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != "" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 04f0e63d..038d3557 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -68,7 +68,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 3db17292..227747a5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -61,7 +61,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index ca5d5a22..eb3d67b1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -89,7 +89,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 1f7c3f97..a70dcea3 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -54,7 +54,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index a6c93268..1b4c0a8d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -206,7 +206,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; @@ -241,7 +241,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; From 95ebff1ef19fa63b04e44c10fc4b47336bb75909 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:30:13 +0200 Subject: [PATCH 1747/2384] Announce nginx SSL configuration presets --- CHANGELOG.md | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 854156e8..bb60561e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,17 +1,25 @@ -# XXXX-XX-XX +# 2021-01-08 -## New SSL Configuration +## (Breaking Change) New SSL configuration -A new variable `matrix_nginx_proxy_ssl_preset`, bringing some breaking changes. The default configuration is set to `"intermediate"`. -This changes `ssl_prefer_server_ciphers` to `off` by default instead of `on`. It also add some more ciphers to the list, this should -give a little better performance for mobile devices and removes weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). -To revert to the old behaviour just set the following variables: +SSL configuration (protocols, ciphers) can now be more easily controlled thanks to us making use of configuration presets. + +We define a few presets (old, intermediate, modern), following the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=nginx). + +A new variable `matrix_nginx_proxy_ssl_preset` controls which preset is used (defaults to `"intermediate"`). + +Compared to before, this changes nginx's `ssl_prefer_server_ciphers` to `off` (used to default to `on`). It also add some more ciphers to the list, giving better performance on mobile devices, and removes some weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). + +To revert to the old behaviour, set the following variables: ```yaml matrix_nginx_proxy_ssl_ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" ``` +Just like before, you can still use your own custom protocols by specifying them in `matrix_nginx_proxy_ssl_protocols`. Doing so overrides the values coming from the preset. + + # 2021-01-03 ## Signal bridging support via mautrix-signal From 14680101944ef4889036bda92c674119d51c28e7 Mon Sep 17 00:00:00 2001 From: Will <11353590+june07@users.noreply.github.com> Date: Sat, 9 Jan 2021 08:50:34 -0800 Subject: [PATCH 1748/2384] Update main.yml --- roles/matrix-registration/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/matrix-registration/tasks/main.yml b/roles/matrix-registration/tasks/main.yml index 4fef6abe..3324e083 100644 --- a/roles/matrix-registration/tasks/main.yml +++ b/roles/matrix-registration/tasks/main.yml @@ -24,3 +24,8 @@ when: "run_setup|bool and matrix_registration_enabled|bool" tags: - generate-matrix-registration-token + +- import_tasks: "{{ role_path }}/tasks/list_tokens.yml" + when: "run_setup|bool and matrix_registration_enabled|bool" + tags: + - list-matrix-registration-tokens From 5b0761bf405e098531b2cbb5aa3dd89d0758ab3a Mon Sep 17 00:00:00 2001 From: Will <11353590+june07@users.noreply.github.com> Date: Sat, 9 Jan 2021 08:52:02 -0800 Subject: [PATCH 1749/2384] Create list_tokens.yml --- .../matrix-registration/tasks/list_tokens.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 roles/matrix-registration/tasks/list_tokens.yml diff --git a/roles/matrix-registration/tasks/list_tokens.yml b/roles/matrix-registration/tasks/list_tokens.yml new file mode 100644 index 00000000..dea3eb31 --- /dev/null +++ b/roles/matrix-registration/tasks/list_tokens.yml @@ -0,0 +1,29 @@ +- name: Call matrix-registration list all tokens API + uri: + url: "{{ matrix_registration_api_token_endpoint }}" + follow_redirects: none + validate_certs: "{{ matrix_registration_api_validate_certs }}" + headers: + Content-Type: application/json + Authorization: "SharedSecret {{ matrix_registration_admin_secret }}" + method: GET + body_format: json + check_mode: no + register: matrix_registration_api_result + +- set_fact: + matrix_registration_api_result_message: >- + matrix-registration result: + + {{ matrix_registration_api_result.json | to_nice_json }} + check_mode: no + +- name: Inject result message into matrix_playbook_runtime_results + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [matrix_registration_api_result_message] + }} + check_mode: no From 0f9be8321c56bd98ae8f5333a5edb089caa89db7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 10 Jan 2021 10:33:36 +0200 Subject: [PATCH 1750/2384] Document --tags=list-matrix-registration-tokens Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/778 --- ...onfiguring-playbook-matrix-registration.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-matrix-registration.md b/docs/configuring-playbook-matrix-registration.md index 28616945..d6e2ac6f 100644 --- a/docs/configuring-playbook-matrix-registration.md +++ b/docs/configuring-playbook-matrix-registration.md @@ -37,11 +37,14 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start It provides various [APIs](https://github.com/ZerataX/matrix-registration/wiki/api) - for creating registration tokens, listing tokens, disabling tokens, etc. To make use of all of its capabilities, consider using `curl`. -We make the most common API (the one for creating unique registration tokens) easy to use via the playbook. +We make the most common APIs easy to use via the playbook (see below). -**To create a new user registration token (link)**, use this command: -``` +### Creating registration tokens + +To **create a new user registration token (link)**, use this command: + +```bash ansible-playbook -i inventory/hosts setup.yml \ --tags=generate-matrix-registration-token \ --extra-vars="one_time=yes ex_date=2021-12-31" @@ -51,3 +54,13 @@ The above command creates and returns a **one-time use** token, which **expires* Adjust the `one_time` and `ex_date` variables as you see fit. Share the unique registration link (generated by the command above) with users to let them register on your Matrix server. + + +### Listing registration tokens + +To **list the existing user registration tokens**, use this command: + +```bash +ansible-playbook -i inventory/hosts setup.yml \ +--tags=list-matrix-registration-tokens +``` From 0b260a133f16b89ace38acd5fe1da2f7da28d232 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 11 Jan 2021 22:15:13 +0200 Subject: [PATCH 1751/2384] Add matrix-aux role to help with managing auxiliary files/directories --- roles/matrix-aux/defaults/main.yml | 72 ++++++++++++++++++++++++++++++ roles/matrix-aux/tasks/main.yml | 5 +++ roles/matrix-aux/tasks/setup.yml | 19 ++++++++ setup.yml | 1 + 4 files changed, 97 insertions(+) create mode 100644 roles/matrix-aux/defaults/main.yml create mode 100644 roles/matrix-aux/tasks/main.yml create mode 100644 roles/matrix-aux/tasks/setup.yml diff --git a/roles/matrix-aux/defaults/main.yml b/roles/matrix-aux/defaults/main.yml new file mode 100644 index 00000000..e4a4e827 --- /dev/null +++ b/roles/matrix-aux/defaults/main.yml @@ -0,0 +1,72 @@ +--- + +# matrix-aux is a role that manages auxiliary files and directories on your Matrix server. +# +# Certain components (like matrix-synapse, etc.) may sometimes require additional templates (email templates, privacy policies, etc.). +# This role allows such files to be managed by the playbook. +# +# Note that files and directories created via this role are not automatically made available for containers to use. +# If you use this role to put files in a directory that's already mounted into a container, +# you can access the files without additional work. +# Otherwise, you'd need to mount the file/directory to the container that needs it. +# Roles usually provide a `matrix_*_additional_volumes` or `matrix_*_container_extra_arguments` variable +# that you can use to mount an additional volume. + +# The default permission mode when creating directories using `matrix_aux_directory_definitions` +matrix_aux_directory_default_mode: '0750' + +# Holds a list of directories to create on the server. +# +# By default, directories are: +# - created with permissions as specified in `matrix_aux_directory_default_mode` +# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`) +# +# Example: +# +# matrix_aux_directory_definitions: +# - dest: /matrix/aux +# +# - dest: /matrix/another +# mode: '0700' +# owner: 'some-user' +# group: 'some-group' +matrix_aux_directory_definitions: [] + +# The default permission mode when creating directories using `matrix_aux_directory_definitions` +matrix_aux_file_default_mode: '0640' + +# Holds a list of files to create on the server. +# +# By default, files are: +# - created with permissions as specified in `matrix_aux_file_default_mode` +# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`) +# +# You can define the file content inline (in your `vars.yml` file) or as an external file (see the example below). +# Defining the content inline in `vars.yml` has the benefit of not splitting your configuration into multiple files, +# but rather keeping everything inside `vars.yml` (which also gets backed up on the server in `/matrix/vars.yml`). +# +# Note: parent paths for files must exist. +# If you've defined a file with a destination of `/matrix/some/path/file.txt`, +# then you likely need to add `/matrix/some/path` to `matrix_aux_directory_definitions` as well. +# You don't need to do this for directories that the playbook already creates for you. +# +# Example: +# +# matrix_aux_file_definitions: +# - dest: "{{ matrix_synapse_config_dir_path }}/something.html" +# content: | +# +# Something +# +# - dest: /matrix/aux/some-other-file.txt +# content: "Something" +# mode: '0600' +# owner: 'some-user' +# group: 'some-group' +# +# - dest: /matrix/aux/yet-another-file.txt +# content: "{{ lookup('template', '/path/to/file.txt.j2') }}" +# mode: '0600' +# owner: 'some-user' +# group: 'some-group' +matrix_aux_file_definitions: [] diff --git a/roles/matrix-aux/tasks/main.yml b/roles/matrix-aux/tasks/main.yml new file mode 100644 index 00000000..ee93f63a --- /dev/null +++ b/roles/matrix-aux/tasks/main.yml @@ -0,0 +1,5 @@ +- import_tasks: "{{ role_path }}/tasks/setup.yml" + when: run_stop|bool + tags: + - setup-all + - setup-aux-files diff --git a/roles/matrix-aux/tasks/setup.yml b/roles/matrix-aux/tasks/setup.yml new file mode 100644 index 00000000..949c0b4a --- /dev/null +++ b/roles/matrix-aux/tasks/setup.yml @@ -0,0 +1,19 @@ +--- + +- name: Ensure AUX directories are created + file: + dest: "{{ item.dest }}" + state: directory + owner: "{{ item.owner|default(matrix_user_username) }}" + group: "{{ item.group|default(matrix_user_groupname) }}" + mode: "{{ item.mode|default(matrix_aux_directory_default_mode) }}" + with_items: "{{ matrix_aux_directory_definitions }}" + +- name: Ensure AUX files are created + copy: + dest: "{{ item.dest }}" + content: "{{ item.content }}" + owner: "{{ item.owner|default(matrix_user_username) }}" + group: "{{ item.group|default(matrix_user_groupname) }}" + mode: "{{ item.mode|default(matrix_aux_file_default_mode) }}" + with_items: "{{ matrix_aux_file_definitions }}" diff --git a/setup.yml b/setup.yml index cc913b65..d070bcae 100755 --- a/setup.yml +++ b/setup.yml @@ -36,4 +36,5 @@ - matrix-email2matrix - matrix-nginx-proxy - matrix-coturn + - matrix-aux - matrix-common-after From 999fd2596ffd717b86cc0595d248b81b842e2920 Mon Sep 17 00:00:00 2001 From: Panagiotis Georgiadis Date: Tue, 12 Jan 2021 19:29:50 +0100 Subject: [PATCH 1752/2384] Local rebuild for Telegram --- ...guring-playbook-bridge-mautrix-telegram.md | 11 ++++++++++ .../defaults/main.yml | 4 ++++ .../tasks/setup_install.yml | 20 +++++++++++++++++++ 3 files changed, 35 insertions(+) diff --git a/docs/configuring-playbook-bridge-mautrix-telegram.md b/docs/configuring-playbook-bridge-mautrix-telegram.md index 2e6b4d8c..9246230b 100644 --- a/docs/configuring-playbook-bridge-mautrix-telegram.md +++ b/docs/configuring-playbook-bridge-mautrix-telegram.md @@ -12,6 +12,17 @@ matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH ``` +**Note**: For architectures different from `amd64` you need to trigger a local rebuild: + +```yaml +matrix_mautrix_telegram_container_self_build: true +``` + +Lastly, to take these changes into effect, re-run the playbook: + +```yaml +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` ## Set up Double Puppeting diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 3f81617a..7e072b5a 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -3,6 +3,10 @@ matrix_mautrix_telegram_enabled: true +matrix_mautrix_telegram_container_self_build: false +matrix_mautrix_telegram_docker_repo: "https://mau.dev/tulir/mautrix-telegram.git" +matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" + # See: https://mau.dev/tulir/mautrix-telegram/container_registry matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.9.0" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index e9a93c72..0e5d9ae1 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -40,6 +40,26 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_telegram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_docker_image_force_pull }}" + when: "matrix_mautrix_telegram_enabled|bool and not matrix_mautrix_telegram_container_self_build|bool" + +- name: Ensure matrix-mautrix-telegram repository is present when self-building + git: + repo: "{{ matrix_mautrix_telegram_docker_repo }}" + dest: "{{ matrix_mautrix_telegram_docker_src_files_path }}" + force: "yes" + register: matrix_mautrix_telegram_git_pull_results + when: "matrix_mautrix_telegram_enabled|bool and matrix_mautrix_telegram_container_self_build|bool" + +- name: Ensure matrix-mautrix-telegram Docker image is build + docker_image: + name: "{{ matrix_mautrix_telegram_docker_image }}" + source: build + force_source: yes + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_telegram_enabled|bool and matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" - name: Ensure Mautrix Telegram paths exist file: From 018f213c60d7551d2b32a8ea439f9cf12766b4b5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 12 Jan 2021 22:43:28 +0200 Subject: [PATCH 1753/2384] Fix URL typo --- docs/configuring-playbook-matrix-registration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-matrix-registration.md b/docs/configuring-playbook-matrix-registration.md index d6e2ac6f..74cdfa01 100644 --- a/docs/configuring-playbook-matrix-registration.md +++ b/docs/configuring-playbook-matrix-registration.md @@ -10,7 +10,7 @@ Use matrix-registration to **create unique registration links**, which people ca - **an API for creating registration tokens** (unique registration links). This API can be used via `curl` or via the playbook (see [Usage](#usage) below) -- **a user registration page**, where people can use these registration tokens. By default, exposed at `https:///matrix.DOMAIN/matrix-registration` +- **a user registration page**, where people can use these registration tokens. By default, exposed at `https://matrix.DOMAIN/matrix-registration` ## Installing From 21d3802ed76bfcd8598c62192ffc943a1e0381f7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 12 Jan 2021 22:44:55 +0200 Subject: [PATCH 1754/2384] Fix one more URL typo --- docs/configuring-playbook-matrix-registration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-matrix-registration.md b/docs/configuring-playbook-matrix-registration.md index 74cdfa01..b0240d3f 100644 --- a/docs/configuring-playbook-matrix-registration.md +++ b/docs/configuring-playbook-matrix-registration.md @@ -33,7 +33,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -**matrix-registration** gets exposed at `https:///matrix.DOMAIN/matrix-registration` +**matrix-registration** gets exposed at `https://matrix.DOMAIN/matrix-registration` It provides various [APIs](https://github.com/ZerataX/matrix-registration/wiki/api) - for creating registration tokens, listing tokens, disabling tokens, etc. To make use of all of its capabilities, consider using `curl`. From d5945c6e789752fb952033d95f2d605ab522a733 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 13:02:49 +0200 Subject: [PATCH 1755/2384] Upgrade Synapse (v1.24.0 -> v1.25.0) for amd64 --- roles/matrix-synapse/defaults/main.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 144 ++++++++++++++---- 2 files changed, 113 insertions(+), 33 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 0dc71646..fddac7aa 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -11,7 +11,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # The if statement below may look silly at times (leading to the same version being returned), # but ARM-compatible container images are only released 1-7 hours after a release, # so we may often be on different versions for different architectures when new Synapse releases come out. -matrix_synapse_docker_image_tag: "{{ 'v1.24.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}" +matrix_synapse_docker_image_tag: "{{ 'v1.25.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 41b28c88..fe28779c 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -120,6 +120,47 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} # #enable_search: false +# Prevent outgoing requests from being sent to the following blacklisted IP address +# CIDR ranges. If this option is not specified then it defaults to private IP +# address ranges (see the example below). +# +# The blacklist applies to the outbound requests for federation, identity servers, +# push servers, and for checking key validity for third-party invite events. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. +# +#ip_range_blacklist: +# - '127.0.0.0/8' +# - '10.0.0.0/8' +# - '172.16.0.0/12' +# - '192.168.0.0/16' +# - '100.64.0.0/10' +# - '192.0.0.0/24' +# - '169.254.0.0/16' +# - '198.18.0.0/15' +# - '192.0.2.0/24' +# - '198.51.100.0/24' +# - '203.0.113.0/24' +# - '224.0.0.0/4' +# - '::1/128' +# - 'fe80::/10' +# - 'fc00::/7' + +# List of IP address CIDR ranges that should be allowed for federation, +# identity servers, push servers, and for checking key validity for +# third-party invite events. This is useful for specifying exceptions to +# wide-ranging blacklisted target IP ranges - e.g. for communication with +# a push server only visible in your network. +# +# This whitelist overrides ip_range_blacklist and defaults to an empty +# list. +# +#ip_range_whitelist: +# - '192.168.1.1' + # List of ports that Synapse should listen on, their purpose and their # configuration. # @@ -633,27 +674,6 @@ acme: federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }} {% endif %} -# Prevent federation requests from being sent to the following -# blacklist IP address CIDR ranges. If this option is not specified, or -# specified with an empty list, no ip range blacklist will be enforced. -# -# As of Synapse v1.4.0 this option also affects any outbound requests to identity -# servers provided by user input. -# -# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly -# listed here, since they correspond to unroutable addresses.) -# -federation_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '169.254.0.0/16' - - '::1/128' - - 'fe80::/64' - - 'fc00::/7' - # Report prometheus metrics on the age of PDUs being sent to and received from # the following domains. This can be used to give an idea of "delay" on inbound # and outbound federation, though be aware that any delay can be due to problems @@ -919,9 +939,15 @@ url_preview_ip_range_blacklist: - '172.16.0.0/12' - '192.168.0.0/16' - '100.64.0.0/10' + - '192.0.0.0/24' - '169.254.0.0/16' + - '198.18.0.0/15' + - '192.0.2.0/24' + - '198.51.100.0/24' + - '203.0.113.0/24' + - '224.0.0.0/4' - '::1/128' - - 'fe80::/64' + - 'fe80::/10' - 'fc00::/7' # List of IP address CIDR ranges that the URL preview spider is allowed @@ -1776,7 +1802,8 @@ oidc_config: # * user: The claims returned by the UserInfo Endpoint and/or in the ID # Token # - # This must be configured if using the default mapping provider. + # If this is not set, the user will be prompted to choose their + # own username. # localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" @@ -1854,11 +1881,8 @@ sso: # - https://my.custom.client/ # Directory in which Synapse will try to find the template files below. - # If not set, default templates from within the Synapse package will be used. - # - # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. - # If you *do* uncomment it, you will need to make sure that all the templates - # below are in the directory. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. # # Synapse will look for the following templates in this directory: # @@ -1987,6 +2011,56 @@ password_config: # pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} + # Define and enforce a password policy. Each parameter is optional. + # This is an implementation of MSC2000. + # + policy: + # Whether to enforce the password policy. + # Defaults to 'false'. + # + #enabled: true + + # Minimum accepted length for a password. + # Defaults to 0. + # + #minimum_length: 15 + + # Whether a password must contain at least one digit. + # Defaults to 'false'. + # + #require_digit: true + + # Whether a password must contain at least one symbol. + # A symbol is any character that's not a number or a letter. + # Defaults to 'false'. + # + #require_symbol: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_lowercase: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_uppercase: true + +ui_auth: + # The number of milliseconds to allow a user-interactive authentication + # session to be active. + # + # This defaults to 0, meaning the user is queried for their credentials + # before every action, but this can be overridden to alow a single + # validation to be re-used. This weakens the protections afforded by + # the user-interactive authentication process, by allowing for multiple + # (and potentially different) operations to use the same validation session. + # + # Uncomment below to allow for credential validation to last for 15 + # seconds. + # + #session_timeout: 15000 + {% if matrix_synapse_email_enabled %} # Configuration for sending emails from Synapse. @@ -2061,9 +2135,8 @@ email: #validation_token_lifetime: 15m # Directory in which Synapse will try to find the template files below. - # If not set, default templates from within the Synapse package will be used. - # - # Do not uncomment this setting unless you want to customise the templates. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. # # Synapse will look for the following templates in this directory: # @@ -2309,7 +2382,7 @@ enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }} # If enabled, non server admins can only create groups with local parts # starting with this prefix # -#group_creation_prefix: "unofficial/" +#group_creation_prefix: "unofficial_" @@ -2580,6 +2653,13 @@ opentracing: # #run_background_tasks_on: worker1 +# A shared secret used by the replication APIs to authenticate HTTP requests +# from workers. +# +# By default this is unused and traffic is not authenticated. +# +#worker_replication_secret: "" + # Configuration for Redis when using workers. This *must* be enabled when # using workers (unless using old style direct TCP configuration). From 24100342e149d5cf70741c64ec9478e3c2935472 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 13:47:51 +0200 Subject: [PATCH 1756/2384] Tell people that federation_ip_range_blacklist is gone Related to d5945c6e789752fb95 --- roles/matrix-synapse/tasks/validate_config.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index f39ef3fe..fe3cb2e6 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -33,3 +33,12 @@ - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': ''} - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'} - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': ''} + +- name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml + fail: + msg: >- + Your matrix_synapse_configuration_extension_yaml configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in matrix_synapse_configuration_extension" + with_items: + - {'old': 'federation_ip_range_blacklist', 'new': 'ip_range_blacklist'} From 568cb3d86f67bab638816f06342aec875fb6fe2e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 17:27:41 +0200 Subject: [PATCH 1757/2384] Upgrade matrix-mailer (4.93-r0 -> 4.93-r1) This is a bit misleading, because the old Docker image was tagged as `4.93.1`. There hasn't been a `4.93.1` version yet though. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/792 --- roles/matrix-mailer/defaults/main.yml | 4 +++- roles/matrix-mailer/templates/env-mailer.j2 | 1 + .../matrix-mailer/templates/systemd/matrix-mailer.service.j2 | 2 ++ 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index f396d8ee..18608ef4 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93.1-r0" +matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93-r1" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else 'docker.io/' }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" @@ -19,6 +19,8 @@ matrix_mailer_container_user_gid: 101 # A list of extra arguments to pass to the container matrix_mailer_container_extra_arguments: [] +matrix_mailer_hostname: "{{ matrix_server_fqn_matrix }}" + matrix_mailer_sender_address: "matrix@{{ matrix_domain }}" matrix_mailer_relay_use: false matrix_mailer_relay_host_name: "mail.example.com" diff --git a/roles/matrix-mailer/templates/env-mailer.j2 b/roles/matrix-mailer/templates/env-mailer.j2 index 180bc500..eb3f8699 100644 --- a/roles/matrix-mailer/templates/env-mailer.j2 +++ b/roles/matrix-mailer/templates/env-mailer.j2 @@ -6,3 +6,4 @@ SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port SMTP_USERNAME={{ matrix_mailer_relay_auth_username }} SMTP_PASSWORD={{ matrix_mailer_relay_auth_password }} {% endif %} +HOSTNAME={{ matrix_mailer_hostname }} diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index 9345a1d6..a5d48264 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -10,6 +10,8 @@ Type=simple ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mailer ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mailer +# --hostname gives us a friendlier hostname than the default. +# The real hostname is passed via a `HOSTNAME` environment variable though. ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ --log-driver=none \ --user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \ From fd540d859206743a836895cd1d01b7cea24e3704 Mon Sep 17 00:00:00 2001 From: Panagiotis Georgiadis Date: Wed, 13 Jan 2021 16:51:45 +0100 Subject: [PATCH 1758/2384] Enable Telegram self-building --- docs/configuring-playbook-bridge-mautrix-telegram.md | 12 ------------ group_vars/matrix_servers | 3 +++ 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-telegram.md b/docs/configuring-playbook-bridge-mautrix-telegram.md index 9246230b..693c8168 100644 --- a/docs/configuring-playbook-bridge-mautrix-telegram.md +++ b/docs/configuring-playbook-bridge-mautrix-telegram.md @@ -12,18 +12,6 @@ matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH ``` -**Note**: For architectures different from `amd64` you need to trigger a local rebuild: - -```yaml -matrix_mautrix_telegram_container_self_build: true -``` - -Lastly, to take these changes into effect, re-run the playbook: - -```yaml -ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start -``` - ## Set up Double Puppeting If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-telegram/wiki/Authentication#replacing-telegram-accounts-matrix-puppet-with-matrix-account) (hint: you most likely do), you have 2 ways of going about it. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6111600e..6b54029b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -305,6 +305,9 @@ matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key # We don't enable bridges by default. matrix_mautrix_telegram_enabled: false +# self-building +matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture != 'amd64'}}" + matrix_mautrix_telegram_systemd_required_services_list: | {{ ['docker.service'] From 105354a0520745fc878640b81950eb1aa2e63eca Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 17:56:10 +0200 Subject: [PATCH 1759/2384] Remove useless comment --- group_vars/matrix_servers | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6b54029b..4caf64fa 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -305,8 +305,7 @@ matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key # We don't enable bridges by default. matrix_mautrix_telegram_enabled: false -# self-building -matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture != 'amd64'}}" +matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture != 'amd64' }}" matrix_mautrix_telegram_systemd_required_services_list: | {{ From 5fa30cdfcb15a2392b1af1074198da50e77aabee Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 17:59:46 +0200 Subject: [PATCH 1760/2384] Ensure matrix_mautrix_facebook_docker_src_files_path created Before we potentially clone to that path, we'd better make sure it exists. We also simplify `when` statements a bit. Given that we're in `setup_install.yml`, we know that the bridge is enabled, so there's no need to check for that. --- .../tasks/setup_install.yml | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 0e5d9ae1..9743915a 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -34,13 +34,27 @@ when: "matrix_mautrix_telegram_sqlite_database_path_local_stat_result.stat.exists|bool" when: "matrix_mautrix_telegram_database_engine == 'postgres'" +- name: Ensure Mautrix Telegram paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mautrix_telegram_base_path }}", when: true } + - { path: "{{ matrix_mautrix_telegram_config_path }}", when: true } + - { path: "{{ matrix_mautrix_telegram_data_path }}", when: true } + - { path: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_self_build }}" } + when: item.when|bool + - name: Ensure Mautrix Telegram image is pulled docker_image: name: "{{ matrix_mautrix_telegram_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_telegram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_docker_image_force_pull }}" - when: "matrix_mautrix_telegram_enabled|bool and not matrix_mautrix_telegram_container_self_build|bool" + when: "not matrix_mautrix_telegram_container_self_build|bool" - name: Ensure matrix-mautrix-telegram repository is present when self-building git: @@ -48,7 +62,7 @@ dest: "{{ matrix_mautrix_telegram_docker_src_files_path }}" force: "yes" register: matrix_mautrix_telegram_git_pull_results - when: "matrix_mautrix_telegram_enabled|bool and matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_mautrix_telegram_container_self_build|bool" - name: Ensure matrix-mautrix-telegram Docker image is build docker_image: @@ -59,19 +73,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_telegram_enabled|bool and matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" - -- name: Ensure Mautrix Telegram paths exist - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_mautrix_telegram_base_path }}" - - "{{ matrix_mautrix_telegram_config_path }}" - - "{{ matrix_mautrix_telegram_data_path }}" + when: "matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" - name: Check if an old database file already exists stat: From 52fa7e576b2686999955597f13526a45c1961a98 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 18:00:32 +0200 Subject: [PATCH 1761/2384] Fix path typo --- roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 9743915a..b564c61b 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -45,7 +45,7 @@ - { path: "{{ matrix_mautrix_telegram_base_path }}", when: true } - { path: "{{ matrix_mautrix_telegram_config_path }}", when: true } - { path: "{{ matrix_mautrix_telegram_data_path }}", when: true } - - { path: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_self_build }}" } + - { path: "{{ matrix_mautrix_telegram_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_self_build }}" } when: item.when|bool - name: Ensure Mautrix Telegram image is pulled From 789f9b46063d3fde2a2601783b3744994bd37b0a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 18:01:50 +0200 Subject: [PATCH 1762/2384] Mention matrix-bridge-mautrix-telegram in self-building docs Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/786 --- docs/self-building.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/self-building.md b/docs/self-building.md index fa4db222..da8c24b0 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -20,6 +20,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-mailer` - `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-hangouts` +- `matrix-bridge-mautrix-telegram` - `matrix-bridge-mx-puppet-skype` Adding self-building support to other roles is welcome. Feel free to contribute! From 88acc98c23ea361191825a7ec3eca51f4f204e58 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 19:39:08 +0200 Subject: [PATCH 1763/2384] Mention LXC --- docs/prerequisites.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 488f6c6f..40a075b4 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -6,7 +6,11 @@ - **Ubuntu** (16.04+, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) - **Archlinux** -This playbook doesn't support running on ARM (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Alternative Architectures](alternative-architectures.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. +We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. + +This playbook somewhat supports running on non-`amd64` architectures like ARM. See [Alternative Architectures](alternative-architectures.md). + +If your distro runs within an [LXC container](https://linuxcontainers.org/), you may hit [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/703). It can be worked around, if absolutely necessary, but we suggest that you avoid running from within an LXC container. - `root` access to your server (or a user capable of elevating to `root` via `sudo`). From 2a25b63bb682c1546605bcbfb7ab9e828c4fe678 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 20:14:47 +0200 Subject: [PATCH 1764/2384] Don't self-build ma1sd every time unless git sources changed --- roles/matrix-ma1sd/tasks/setup_install.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml index a4a70ea4..0784b24d 100644 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -87,6 +87,7 @@ shell: "./gradlew dockerBuild" args: chdir: "{{ matrix_ma1sd_docker_src_files_path }}" + when: "matrix_ma1sd_git_pull_results.changed|bool" - name: Ensure ma1sd Docker image is tagged correctly docker_image: @@ -97,6 +98,7 @@ repository: "{{ matrix_ma1sd_docker_image }}" force_tag: yes source: local + when: "matrix_ma1sd_git_pull_results.changed|bool" when: "matrix_ma1sd_container_image_self_build|bool" - name: Ensure ma1sd config installed From 48b6487d411ec148d3a0d30384fbc6e01cb0b708 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 22:40:47 +0200 Subject: [PATCH 1765/2384] Use ready-made image for mautrix-telegram on arm64 Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/793 --- group_vars/matrix_servers | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4caf64fa..42c2e3af 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -305,7 +305,8 @@ matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key # We don't enable bridges by default. matrix_mautrix_telegram_enabled: false -matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture != 'amd64' }}" +# Images are multi-arch (amd64 and arm64, but not arm32). +matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" matrix_mautrix_telegram_systemd_required_services_list: | {{ From a66a604e53d4dbc2a3c3434e9ea543600e24d79a Mon Sep 17 00:00:00 2001 From: Panagiotis Georgiadis Date: Thu, 14 Jan 2021 01:29:11 +0100 Subject: [PATCH 1766/2384] Selfbuild appservice-slack bridge --- docs/self-building.md | 1 + group_vars/matrix_servers | 2 ++ .../defaults/main.yml | 4 +++ .../tasks/setup_install.yml | 27 ++++++++++++++++--- 4 files changed, 31 insertions(+), 3 deletions(-) diff --git a/docs/self-building.md b/docs/self-building.md index da8c24b0..d8dc03e0 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -18,6 +18,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-corporal` - `matrix-ma1sd` - `matrix-mailer` +- `matrix-bridge-appservice-slack` - `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-hangouts` - `matrix-bridge-mautrix-telegram` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 42c2e3af..b43ed11f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -110,6 +110,8 @@ matrix_appservice_webhooks_systemd_required_services_list: | # We don't enable bridges by default. matrix_appservice_slack_enabled: false +matrix_appservice_slack_container_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-slack's client-server port to the local host. diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 28646a3c..997cfa5e 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -3,6 +3,10 @@ matrix_appservice_slack_enabled: true +matrix_appservice_slack_container_self_build: false +matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git" +matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" + matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:release-1.5.0" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index 29b0f39e..bcf6297a 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -8,9 +8,11 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - "{{ matrix_appservice_slack_base_path }}" - - "{{ matrix_appservice_slack_config_path }}" - - "{{ matrix_appservice_slack_data_path }}" + - { path: "{{ matrix_appservice_slack_base_path }}", when: true } + - { path: "{{ matrix_appservice_slack_config_path }}", when: true } + - { path: "{{ matrix_appservice_slack_data_path }}", when: true } + - { path: "{{ matrix_appservice_slack_docker_src_files_path }}", when: "{{ matrix_appservice_slack_container_self_build }}" } + when: item.when|bool - set_fact: matrix_appservice_slack_requires_restart: false @@ -36,6 +38,25 @@ force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}" +- name: Ensure matrix-appservice-slack repository is present when self-building + git: + repo: "{{ matrix_appservice_slack_docker_repo }}" + dest: "{{ matrix_appservice_slack_docker_src_files_path }}" + force: "yes" + register: matrix_appservice_slack_git_pull_results + when: "matrix_appservice_slack_container_self_build|bool" + +- name: Ensure matrix-appservice-slack Docker image is build + docker_image: + name: "{{ matrix_appservice_slack_docker_image }}" + source: build + force_source: yes + build: + dockerfile: Dockerfile + path: "{{ matrix_appservice_slack_docker_src_files_path }}" + pull: yes + when: "matrix_appservice_slack_container_self_build|bool and matrix_appservice_slack_git_pull_results.changed" + - name: Ensure Matrix Appservice Slack config installed copy: content: "{{ matrix_appservice_slack_configuration|to_nice_yaml }}" From b15da29ebbf0474ed79dcc9725edaf5e019290fc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 10:41:47 +0200 Subject: [PATCH 1767/2384] Bump Synapse to v1.25.0 for ARM --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index fddac7aa..0e7cf987 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -11,7 +11,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # The if statement below may look silly at times (leading to the same version being returned), # but ARM-compatible container images are only released 1-7 hours after a release, # so we may often be on different versions for different architectures when new Synapse releases come out. -matrix_synapse_docker_image_tag: "{{ 'v1.25.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}" +matrix_synapse_docker_image_tag: "{{ 'v1.25.0' if matrix_architecture == 'amd64' else 'v1.25.0' }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 862a6276a037f820f3218688fafae16eaaafd8da Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 10:47:23 +0200 Subject: [PATCH 1768/2384] Do not pull appservice-slack when self-building --- roles/matrix-bridge-appservice-slack/tasks/setup_install.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index bcf6297a..721a5d6b 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -37,6 +37,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}" + when: "not matrix_appservice_slack_container_self_build|bool" - name: Ensure matrix-appservice-slack repository is present when self-building git: @@ -46,7 +47,7 @@ register: matrix_appservice_slack_git_pull_results when: "matrix_appservice_slack_container_self_build|bool" -- name: Ensure matrix-appservice-slack Docker image is build +- name: Ensure matrix-appservice-slack Docker image is built docker_image: name: "{{ matrix_appservice_slack_docker_image }}" source: build From 7a90eb6d4fa0c4c26dcb7998946ff8e2fddefa67 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 17:00:46 +0200 Subject: [PATCH 1769/2384] Relocate some validation tasks --- .../tasks/ssl/setup_ssl_lets_encrypt.yml | 18 ------------------ .../tasks/validate_config.yml | 19 +++++++++++++++++++ 2 files changed, 19 insertions(+), 18 deletions(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 2946c111..cc84d207 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -11,28 +11,10 @@ - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal" - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter" - # # Tasks related to setting up Let's Encrypt's management of certificates # -- name: (Deprecation) Catch and report renamed settings - fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - with_items: - - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} - - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} - when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item.old in vars" - -- name: Fail if required variables are undefined - fail: - msg: "Detected an undefined required variable" - with_items: - - "matrix_ssl_lets_encrypt_support_email" - when: "matrix_ssl_retrieval_method == 'lets-encrypt' and vars[item] is none" - - name: Ensure certbot Docker image is pulled docker_image: name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}" diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index c12017f3..974df308 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -24,3 +24,22 @@ msg: >- `matrix_nginx_proxy_ssl_preset` needs to be set to a known value. when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']" + +- block: + - name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + with_items: + - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} + - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} + when: "item.old in vars" + + - name: Fail if required variables are undefined + fail: + msg: "Detected an undefined required variable" + with_items: + - "matrix_ssl_lets_encrypt_support_email" + when: "vars[item] is none" + when: "matrix_ssl_retrieval_method == 'lets-encrypt'" From 57ea43d8b0250c0a9c76bba5dd9768fc1ab81fe0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 17:47:13 +0200 Subject: [PATCH 1770/2384] Remove unused variable This variable has been useless since 2019-01-08. We probably don't need to check for its usage anymore, given how much time has passed since then, but .. --- roles/matrix-nginx-proxy/defaults/main.yml | 4 ---- roles/matrix-nginx-proxy/tasks/validate_config.yml | 2 ++ 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index b02ecf91..7c383383 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -215,10 +215,6 @@ matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the base domain server configuration. matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] -# Specifies when to reload the matrix-nginx-proxy service so that -# a new SSL certificate could go into effect. -matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" - # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 974df308..3197bd97 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -12,6 +12,8 @@ # People who configured this to disable Riot, would now wish to be disabling Element. # We now also have `matrix_nginx_proxy_proxy_riot_compat_redirect_`, but that's something else and is disabled by default. - {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'} + - {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': ''} + - {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': ''} - name: Fail on unknown matrix_ssl_retrieval_method fail: From 6f5aaad48d15ed9d5537f6dc1d5540ca14602831 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 22:11:38 +0200 Subject: [PATCH 1771/2384] Split install/uninstall tasks in matrix-coturn --- roles/matrix-coturn/tasks/main.yml | 10 ++- .../{setup_coturn.yml => setup_install.yml} | 65 +++---------------- roles/matrix-coturn/tasks/setup_uninstall.yml | 44 +++++++++++++ 3 files changed, 60 insertions(+), 59 deletions(-) rename roles/matrix-coturn/tasks/{setup_coturn.yml => setup_install.yml} (59%) create mode 100644 roles/matrix-coturn/tasks/setup_uninstall.yml diff --git a/roles/matrix-coturn/tasks/main.yml b/roles/matrix-coturn/tasks/main.yml index 007a7ede..9794bcb3 100644 --- a/roles/matrix-coturn/tasks/main.yml +++ b/roles/matrix-coturn/tasks/main.yml @@ -8,8 +8,14 @@ - setup-all - setup-coturn -- import_tasks: "{{ role_path }}/tasks/setup_coturn.yml" - when: run_setup|bool +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_coturn_enabled|bool" + tags: + - setup-all + - setup-coturn + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_coturn_enabled|bool" tags: - setup-all - setup-coturn diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_install.yml similarity index 59% rename from roles/matrix-coturn/tasks/setup_coturn.yml rename to roles/matrix-coturn/tasks/setup_install.yml index f3c1048f..2fe66221 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_install.yml @@ -1,9 +1,5 @@ --- -# -# Tasks related to setting up Coturn -# - - name: Ensure Matrix Coturn path exists file: path: "{{ item.path }}" @@ -13,7 +9,7 @@ group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"} - when: matrix_coturn_enabled|bool and item.when + when: "item.when|bool" - name: Ensure Coturn image is pulled docker_image: @@ -21,7 +17,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}" - when: matrix_coturn_enabled|bool and not matrix_coturn_container_image_self_build + when: "not matrix_coturn_container_image_self_build|bool" - name: Ensure Coturn repository is present on self-build git: @@ -30,7 +26,7 @@ version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" register: matrix_coturn_git_pull_results - when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build" + when: "matrix_coturn_container_image_self_build|bool" - name: Ensure Coturn Docker image is built docker_image: @@ -41,7 +37,7 @@ dockerfile: Dockerfile path: "{{ matrix_coturn_docker_src_files_path }}" pull: yes - when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build|bool" + when: "matrix_coturn_container_image_self_build|bool" - name: Ensure Coturn configuration path exists file: @@ -50,20 +46,17 @@ mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_coturn_enabled|bool - name: Ensure turnserver.conf installed template: src: "{{ role_path }}/templates/turnserver.conf.j2" dest: "{{ matrix_coturn_config_path }}" mode: 0644 - when: matrix_coturn_enabled|bool - name: Ensure Coturn network is created in Docker docker_network: name: "{{ matrix_coturn_docker_network }}" driver: bridge - when: matrix_coturn_enabled|bool - name: Ensure matrix-coturn.service installed template: @@ -71,12 +64,11 @@ dest: "{{ matrix_systemd_path }}/matrix-coturn.service" mode: 0644 register: matrix_coturn_systemd_service_result - when: matrix_coturn_enabled|bool - name: Ensure systemd reloaded after matrix-coturn.service installation service: daemon_reload: yes - when: "matrix_coturn_enabled|bool and matrix_coturn_systemd_service_result.changed" + when: "matrix_coturn_systemd_service_result.changed" # This may be unnecessary when more long-lived certificates are used. # We optimize for the common use-case though (short-lived Let's Encrypt certificates). @@ -86,52 +78,11 @@ src: "{{ role_path }}/templates/cron.d/matrix-coturn-ssl-reload.j2" dest: /etc/cron.d/matrix-coturn-ssl-reload mode: 0644 - when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool" - - -# -# Tasks related to getting rid of Coturn (if it was previously enabled) -# + when: "matrix_coturn_tls_enabled|bool" +# A similar task exists in `setup_uninstall.yml` - name: Ensure matrix-coturn-ssl-reload cronjob removed file: path: /etc/cron.d/matrix-coturn-ssl-reload state: absent - when: "not matrix_coturn_enabled|bool or not matrix_coturn_tls_enabled|bool" - -- name: Check existence of matrix-coturn service - stat: - path: "{{ matrix_systemd_path }}/matrix-coturn.service" - register: matrix_coturn_service_stat - when: "not matrix_coturn_enabled|bool" - -- name: Ensure matrix-coturn is stopped - service: - name: matrix-coturn - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" - -- name: Ensure matrix-coturn.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-coturn.service" - state: absent - when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-coturn.service removal - service: - daemon_reload: yes - when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" - -- name: Ensure Matrix coturn paths don't exist - file: - path: "{{ matrix_coturn_base_path }}" - state: absent - when: "not matrix_coturn_enabled|bool" - -- name: Ensure coturn Docker image doesn't exist - docker_image: - name: "{{ matrix_coturn_docker_image }}" - state: absent - when: "not matrix_coturn_enabled|bool" + when: "not matrix_coturn_tls_enabled|bool" diff --git a/roles/matrix-coturn/tasks/setup_uninstall.yml b/roles/matrix-coturn/tasks/setup_uninstall.yml new file mode 100644 index 00000000..c083c568 --- /dev/null +++ b/roles/matrix-coturn/tasks/setup_uninstall.yml @@ -0,0 +1,44 @@ +--- + +# A similar task exists in `setup_install.yml` +- name: Ensure matrix-coturn-ssl-reload cronjob removed + file: + path: /etc/cron.d/matrix-coturn-ssl-reload + state: absent + +- name: Check existence of matrix-coturn service + stat: + path: "{{ matrix_systemd_path }}/matrix-coturn.service" + register: matrix_coturn_service_stat + when: "not matrix_coturn_enabled|bool" + +- name: Ensure matrix-coturn is stopped + service: + name: matrix-coturn + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" + +- name: Ensure matrix-coturn.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-coturn.service" + state: absent + when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-coturn.service removal + service: + daemon_reload: yes + when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" + +- name: Ensure Matrix coturn paths don't exist + file: + path: "{{ matrix_coturn_base_path }}" + state: absent + when: "not matrix_coturn_enabled|bool" + +- name: Ensure coturn Docker image doesn't exist + docker_image: + name: "{{ matrix_coturn_docker_image }}" + state: absent + when: "not matrix_coturn_enabled|bool" From 653d1d7924d78847498b71597cd645fc2a2575f8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 22:20:51 +0200 Subject: [PATCH 1772/2384] Revert "Don't self-build ma1sd every time unless git sources changed" This reverts commit 2a25b63bb682c1546605bcbfb7ab9e828c4fe678. Looking at other roles, we trigger building regardless of this. It's better to always trigger it, because it's less fragile. If the build fails and we only trigger it on "git changes" then we won't trigger it for a while. That's not good. Triggering it each and every time may seem like a waste, but it supposedly runs quickly due to Docker caching. --- roles/matrix-ma1sd/tasks/setup_install.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml index 0784b24d..a4a70ea4 100644 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -87,7 +87,6 @@ shell: "./gradlew dockerBuild" args: chdir: "{{ matrix_ma1sd_docker_src_files_path }}" - when: "matrix_ma1sd_git_pull_results.changed|bool" - name: Ensure ma1sd Docker image is tagged correctly docker_image: @@ -98,7 +97,6 @@ repository: "{{ matrix_ma1sd_docker_image }}" force_tag: yes source: local - when: "matrix_ma1sd_git_pull_results.changed|bool" when: "matrix_ma1sd_container_image_self_build|bool" - name: Ensure ma1sd config installed From 05ca9357a8fc20ade1ed5f190cc75a18d8676512 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 23:02:10 +0200 Subject: [PATCH 1773/2384] Add .service suffix to systemd units list We'll be adding `.timer` units later on, so it's good to be more explicit. --- roles/matrix-bot-matrix-reminder-bot/tasks/init.yml | 2 +- roles/matrix-bridge-appservice-discord/tasks/init.yml | 2 +- roles/matrix-bridge-appservice-irc/tasks/init.yml | 2 +- roles/matrix-bridge-appservice-slack/tasks/init.yml | 2 +- roles/matrix-bridge-appservice-webhooks/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-facebook/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-signal/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-telegram/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-discord/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-skype/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-steam/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml | 2 +- roles/matrix-bridge-sms/tasks/init.yml | 2 +- roles/matrix-client-element/tasks/init.yml | 2 +- roles/matrix-common-after/tasks/start.yml | 2 +- roles/matrix-corporal/tasks/init.yml | 2 +- roles/matrix-coturn/tasks/init.yml | 2 +- roles/matrix-dimension/tasks/init.yml | 2 +- roles/matrix-dynamic-dns/tasks/init.yml | 2 +- roles/matrix-email2matrix/tasks/init.yml | 2 +- roles/matrix-jitsi/tasks/init.yml | 2 +- roles/matrix-ma1sd/tasks/init.yml | 2 +- roles/matrix-mailer/tasks/init.yml | 2 +- roles/matrix-nginx-proxy/tasks/init.yml | 2 +- roles/matrix-postgres/tasks/init.yml | 2 +- roles/matrix-registration/tasks/init.yml | 2 +- roles/matrix-synapse-admin/tasks/init.yml | 2 +- roles/matrix-synapse/tasks/init.yml | 4 ++-- 32 files changed, 33 insertions(+), 33 deletions(-) diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/init.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/init.yml index 9bc471de..7fd12524 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/init.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-reminder-bot'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-reminder-bot.service'] }}" when: matrix_bot_matrix_reminder_bot_enabled|bool diff --git a/roles/matrix-bridge-appservice-discord/tasks/init.yml b/roles/matrix-bridge-appservice-discord/tasks/init.yml index 1f492526..ef64e78a 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/init.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_appservice_discord_enabled and matrix_synapse_role_executed|default(False)" - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord.service'] }}" when: matrix_appservice_discord_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-appservice-irc/tasks/init.yml b/roles/matrix-bridge-appservice-irc/tasks/init.yml index 0f5a2787..ddf1b031 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/init.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_appservice_irc_enabled|bool and matrix_synapse_role_executed|default(False)" - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-irc'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-irc.service'] }}" when: matrix_appservice_irc_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index 5f9fe866..045b6b73 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_synapse_role_executed|default(False)" - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-slack'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-slack.service'] }}" when: matrix_appservice_slack_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml index bc275f78..53e2cce8 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_synapse_role_executed|default(False)" - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks.service'] }}" when: matrix_appservice_webhooks_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml index c9688cf0..9e127316 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}" when: matrix_mautrix_facebook_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 9dd09d81..9209fa40 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}" when: matrix_mautrix_hangouts_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mautrix-signal/tasks/init.yml b/roles/matrix-bridge-mautrix-signal/tasks/init.yml index c2b37841..6133e865 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal', 'matrix-mautrix-signal-daemon'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal.service', 'matrix-mautrix-signal-daemon.service'] }}" when: matrix_mautrix_signal_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index a95c9416..721e98da 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" when: matrix_mautrix_telegram_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml index fa42bfce..f320bc74 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp.service'] }}" when: matrix_mautrix_whatsapp_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml index 5d461931..4d8444e1 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}" when: matrix_mx_puppet_discord_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml index dafa59c0..0d319bc8 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}" when: matrix_mx_puppet_instagram_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml index 801c71c2..605ea492 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}" when: matrix_mx_puppet_skype_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index dac04b9b..16afef20 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}" when: matrix_mx_puppet_slack_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml index 60b66074..9687944f 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}" when: matrix_mx_puppet_steam_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 8f4aca6c..86f30237 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}" when: matrix_mx_puppet_twitter_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-sms/tasks/init.yml b/roles/matrix-bridge-sms/tasks/init.yml index cca4d4c5..5979d132 100644 --- a/roles/matrix-bridge-sms/tasks/init.yml +++ b/roles/matrix-bridge-sms/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_sms_bridge_enabled and matrix_synapse_role_executed|default(False)" - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge.service'] }}" when: matrix_sms_bridge_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-client-element/tasks/init.yml b/roles/matrix-client-element/tasks/init.yml index a8b64854..a42e3143 100644 --- a/roles/matrix-client-element/tasks/init.yml +++ b/roles/matrix-client-element/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element.service'] }}" when: matrix_client_element_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index bad84d92..0798341c 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -46,7 +46,7 @@ Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. with_items: "{{ matrix_systemd_services_list }}" when: - - "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'" + - "ansible_facts.services[item]|default(none) is none or ansible_facts.services[item].state != 'running'" when: " ansible_distribution != 'Archlinux'" - block: diff --git a/roles/matrix-corporal/tasks/init.yml b/roles/matrix-corporal/tasks/init.yml index e2001844..ffe5d5da 100644 --- a/roles/matrix-corporal/tasks/init.yml +++ b/roles/matrix-corporal/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}" when: matrix_corporal_enabled|bool diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index b59feebd..95fbf247 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}" when: matrix_coturn_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters diff --git a/roles/matrix-dimension/tasks/init.yml b/roles/matrix-dimension/tasks/init.yml index e1d94683..85ca04ea 100644 --- a/roles/matrix-dimension/tasks/init.yml +++ b/roles/matrix-dimension/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dimension'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dimension.service'] }}" when: matrix_dimension_enabled|bool diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml index 7b87fdb1..1a0f1b3d 100644 --- a/roles/matrix-dynamic-dns/tasks/init.yml +++ b/roles/matrix-dynamic-dns/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}" when: "matrix_dynamic_dns_enabled|bool" diff --git a/roles/matrix-email2matrix/tasks/init.yml b/roles/matrix-email2matrix/tasks/init.yml index 007a5476..0c8ffc0c 100644 --- a/roles/matrix-email2matrix/tasks/init.yml +++ b/roles/matrix-email2matrix/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix.service'] }}" when: matrix_email2matrix_enabled|bool diff --git a/roles/matrix-jitsi/tasks/init.yml b/roles/matrix-jitsi/tasks/init.yml index 328a3a25..1f7a2d1c 100644 --- a/roles/matrix-jitsi/tasks/init.yml +++ b/roles/matrix-jitsi/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web', 'matrix-jitsi-prosody', 'matrix-jitsi-jicofo', 'matrix-jitsi-jvb'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] }}" when: matrix_jitsi_enabled|bool diff --git a/roles/matrix-ma1sd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml index 31a2e28f..89283a1f 100644 --- a/roles/matrix-ma1sd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}" when: matrix_ma1sd_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters diff --git a/roles/matrix-mailer/tasks/init.yml b/roles/matrix-mailer/tasks/init.yml index 1557bc64..e48e2a85 100644 --- a/roles/matrix-mailer/tasks/init.yml +++ b/roles/matrix-mailer/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}" when: matrix_mailer_enabled|bool diff --git a/roles/matrix-nginx-proxy/tasks/init.yml b/roles/matrix-nginx-proxy/tasks/init.yml index c968d093..1d5794c0 100644 --- a/roles/matrix-nginx-proxy/tasks/init.yml +++ b/roles/matrix-nginx-proxy/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}" when: matrix_nginx_proxy_enabled|bool diff --git a/roles/matrix-postgres/tasks/init.yml b/roles/matrix-postgres/tasks/init.yml index 6b8e40ba..a0f2ae60 100644 --- a/roles/matrix-postgres/tasks/init.yml +++ b/roles/matrix-postgres/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres.service'] }}" when: matrix_postgres_enabled|bool diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index bdb3928e..158ad605 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}" when: matrix_registration_enabled|bool - block: diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index c8d74e04..36bdb611 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" when: matrix_synapse_admin_enabled|bool - block: diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index 004a2a92..bdb62476 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -1,9 +1,9 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse.service'] }}" when: matrix_synapse_enabled|bool - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" when: matrix_s3_media_store_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters From e1690722f7f5a0bb23edbcfbb9666c092a2b3cad Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 23:23:46 +0200 Subject: [PATCH 1774/2384] Replace cronjobs with systemd timers Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/756 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/737 I feel like timers are somewhat more complicated and dirty (compared to cronjobs), but they come with these benefits: - log output goes to journald - on newer systemd distros, you can see when the timer fired, when it will fire, etc. - we don't need to rely on cron (reducing our dependencies to just systemd + Docker) Cronjobs work well, but it's one more dependency that needs to be installed. We were even asking people to install it manually (in `docs/prerequisites.md`), which could have gone unnoticed. Once in a while someone says "my SSL certificates didn't renew" and it's likely because they forgot to install a cron daemon. Switching to systemd timers means that installation is simpler and more unified. --- CHANGELOG.md | 11 +++ docs/prerequisites.md | 2 - docs/uninstalling.md | 6 +- roles/matrix-base/defaults/main.yml | 4 ++ .../usr-local-bin/matrix-remove-all.j2 | 2 - roles/matrix-common-after/tasks/start.yml | 4 +- roles/matrix-coturn/tasks/init.yml | 4 ++ roles/matrix-coturn/tasks/setup_install.yml | 72 +++++++++++-------- roles/matrix-coturn/tasks/setup_uninstall.yml | 33 +++++---- .../cron.d/matrix-coturn-ssl-reload.j2 | 1 - .../systemd/matrix-coturn-reload.service.j2 | 6 ++ .../systemd/matrix-coturn-reload.timer.j2 | 10 +++ roles/matrix-nginx-proxy/tasks/init.yml | 5 ++ .../tasks/ssl/setup_ssl_lets_encrypt.yml | 71 +++++++++--------- .../cron.d/matrix-ssl-lets-encrypt.j2 | 5 -- ...lets-encrypt-certificates-renew.service.j2 | 6 ++ ...l-lets-encrypt-certificates-renew.timer.j2 | 10 +++ .../matrix-ssl-nginx-proxy-reload.service.j2 | 6 ++ .../matrix-ssl-nginx-proxy-reload.timer.j2 | 10 +++ ...rix-ssl-lets-encrypt-certificates-renew.j2 | 1 - roles/matrix-nginx-proxy/vars/main.yml | 16 ++++- 21 files changed, 190 insertions(+), 95 deletions(-) delete mode 100644 roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2 create mode 100644 roles/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2 create mode 100644 roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2 create mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 create mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index bb60561e..aa5c2270 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2021-01-14 + +## Moving from cronjobs to systemd timers + +We no longer use cronjobs for Let's Encrypt SSL renewal and `matrix-nginx-proxy`/`matrix-coturn` reloading. Instead, we've switched to systemd timers. + +The largest benefit of this is that we no longer require you to install a cron daemon, thus simplifying our install procedure. + +The playbook will migrate you from cronjobs to systemd timers automatically. This is just a heads up. + + # 2021-01-08 ## (Breaking Change) New SSL configuration diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 40a075b4..ae9a992f 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -16,8 +16,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python3`). On some distros, Ansible may incorrectly [detect the Python version](https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html) (2 vs 3) and you may need to explicitly specify the interpreter path in `inventory/hosts` during installation (e.g. `ansible_python_interpreter=/usr/bin/python3`) -- A `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates's renewal. *This can be ignored if you use your own SSL certificates.* - - The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible. - Either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature. diff --git a/docs/uninstalling.md b/docs/uninstalling.md index cb55a7b5..73af01d9 100644 --- a/docs/uninstalling.md +++ b/docs/uninstalling.md @@ -23,15 +23,13 @@ If you prefer to uninstall manually, run these commands (most are meant to be ex - ensure all Matrix services are stopped: `ansible-playbook -i inventory/hosts setup.yml --tags=stop` (if you can't get Ansible working to run this command, you can run `systemctl stop 'matrix*'` manually on the server) -- delete the Matrix-related systemd `.service` files (`rm -f /etc/systemd/system/matrix*.service`) and reload systemd (`systemctl daemon-reload`) - -- delete all Matrix-related cronjobs (`rm -f /etc/cron.d/matrix*`) +- delete the Matrix-related systemd `.service` and `.timer` files (`rm -f /etc/systemd/system/matrix*.{service,timer}`) and reload systemd (`systemctl daemon-reload`) - delete some helper scripts (`rm -f /usr/local/bin/matrix*`) - delete some cached Docker images (`docker system prune -a`) or just delete them all (`docker rmi $(docker images -aq)`) -- delete the Docker network: `docker network rm matrix` (might have been deleted already if you ran the `docker system prune` command) +- delete the Docker networks: `docker network rm matrix matrix-coturn` (might have been deleted already if you ran the `docker system prune` command) - uninstall Docker itself, if necessary diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 2cc4b42f..601a0f83 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -48,7 +48,11 @@ matrix_base_data_path_mode: "750" matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" matrix_systemd_path: "/etc/systemd/system" + +# This is now unused. We keep it so that cleanup tasks can use it. +# To be removed in the future. matrix_cron_path: "/etc/cron.d" + matrix_local_bin_path: "/usr/local/bin" matrix_host_command_docker: "/usr/bin/env docker" diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 index 2a2314a5..2a647aba 100644 --- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 @@ -20,8 +20,6 @@ else rm -f {{ matrix_systemd_path }}/$s done systemctl daemon-reload - echo "Remove matrix cronjobs" - find /etc/cron.d/ -name "matrix-*" -delete echo "Remove matrix scripts" find {{ matrix_local_bin_path }}/ -name "matrix-*" -delete echo "Remove unused Docker images and resources" diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index 0798341c..b1477cf6 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -1,6 +1,6 @@ --- -- name: Deterimne whether we should make services autostart +- name: Determine whether we should make services autostart set_fact: matrix_services_autostart_enabled_bool: "{{ true if matrix_services_autostart_enabled|default('') == '' else matrix_services_autostart_enabled|bool }}" @@ -46,7 +46,7 @@ Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. with_items: "{{ matrix_systemd_services_list }}" when: - - "ansible_facts.services[item]|default(none) is none or ansible_facts.services[item].state != 'running'" + - "item.endswith('.service') and (ansible_facts.services[item]|default(none) is none or ansible_facts.services[item].state != 'running')" when: " ansible_distribution != 'Archlinux'" - block: diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index 95fbf247..be011b7f 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -2,6 +2,10 @@ matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}" when: matrix_coturn_enabled|bool +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn-reload.timer'] }}" + when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool" + # ansible lower than 2.8, does not support docker_image build parameters # for self buildig it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building diff --git a/roles/matrix-coturn/tasks/setup_install.yml b/roles/matrix-coturn/tasks/setup_install.yml index 2fe66221..2f3664f1 100644 --- a/roles/matrix-coturn/tasks/setup_install.yml +++ b/roles/matrix-coturn/tasks/setup_install.yml @@ -1,5 +1,11 @@ --- +# This is a cleanup/migration task. It can be removed some time in the future. +- name: (Migration) Remove deprecated cronjob + file: + path: "{{ matrix_cron_path }}/matrix-coturn-ssl-reload" + state: absent + - name: Ensure Matrix Coturn path exists file: path: "{{ item.path }}" @@ -19,24 +25,24 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}" when: "not matrix_coturn_container_image_self_build|bool" -- name: Ensure Coturn repository is present on self-build - git: - repo: "{{ matrix_coturn_container_image_self_build_repo }}" - dest: "{{ matrix_coturn_docker_src_files_path }}" - version: "{{ matrix_coturn_docker_image.split(':')[1] }}" - force: "yes" - register: matrix_coturn_git_pull_results - when: "matrix_coturn_container_image_self_build|bool" +- block: + - name: Ensure Coturn repository is present on self-build + git: + repo: "{{ matrix_coturn_container_image_self_build_repo }}" + dest: "{{ matrix_coturn_docker_src_files_path }}" + version: "{{ matrix_coturn_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_coturn_git_pull_results -- name: Ensure Coturn Docker image is built - docker_image: - name: "{{ matrix_coturn_docker_image }}" - source: build - force_source: "{{ matrix_coturn_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_coturn_docker_src_files_path }}" - pull: yes + - name: Ensure Coturn Docker image is built + docker_image: + name: "{{ matrix_coturn_docker_image }}" + source: build + force_source: "{{ matrix_coturn_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_coturn_docker_src_files_path }}" + pull: yes when: "matrix_coturn_container_image_self_build|bool" - name: Ensure Coturn configuration path exists @@ -52,6 +58,8 @@ src: "{{ role_path }}/templates/turnserver.conf.j2" dest: "{{ matrix_coturn_config_path }}" mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Coturn network is created in Docker docker_network: @@ -63,26 +71,34 @@ src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2" dest: "{{ matrix_systemd_path }}/matrix-coturn.service" mode: 0644 - register: matrix_coturn_systemd_service_result - -- name: Ensure systemd reloaded after matrix-coturn.service installation - service: - daemon_reload: yes - when: "matrix_coturn_systemd_service_result.changed" + register: matrix_coturn_systemd_service_change_results # This may be unnecessary when more long-lived certificates are used. # We optimize for the common use-case though (short-lived Let's Encrypt certificates). # Reloading doesn't hurt anyway, so there's no need to make this more flexible. -- name: Ensure periodic reloading of matrix-coturn is configured for SSL renewal (matrix-coturn-reload) +- name: Ensure reloading systemd units installed, if necessary template: - src: "{{ role_path }}/templates/cron.d/matrix-coturn-ssl-reload.j2" - dest: /etc/cron.d/matrix-coturn-ssl-reload + src: "{{ role_path }}/templates/systemd/{{ item }}.j2" + dest: "{{ matrix_systemd_path }}/{{ item }}" mode: 0644 + register: "matrix_coturn_systemd_service_change_results" when: "matrix_coturn_tls_enabled|bool" + with_items: + - matrix-coturn-reload.service + - matrix-coturn-reload.timer # A similar task exists in `setup_uninstall.yml` -- name: Ensure matrix-coturn-ssl-reload cronjob removed +- name: Ensure reloading systemd units uninstalled, if unnecessary file: - path: /etc/cron.d/matrix-coturn-ssl-reload + path: "{{ item }}" state: absent + register: "matrix_coturn_systemd_service_change_results" when: "not matrix_coturn_tls_enabled|bool" + with_items: + - matrix-coturn-reload.service + - matrix-coturn-reload.timer + +- name: Ensure systemd reloaded if systemd units changed + service: + daemon_reload: yes + when: "matrix_coturn_systemd_service_change_results.changed" diff --git a/roles/matrix-coturn/tasks/setup_uninstall.yml b/roles/matrix-coturn/tasks/setup_uninstall.yml index c083c568..99a7080e 100644 --- a/roles/matrix-coturn/tasks/setup_uninstall.yml +++ b/roles/matrix-coturn/tasks/setup_uninstall.yml @@ -1,11 +1,5 @@ --- -# A similar task exists in `setup_install.yml` -- name: Ensure matrix-coturn-ssl-reload cronjob removed - file: - path: /etc/cron.d/matrix-coturn-ssl-reload - state: absent - - name: Check existence of matrix-coturn service stat: path: "{{ matrix_systemd_path }}/matrix-coturn.service" @@ -17,28 +11,37 @@ name: matrix-coturn state: stopped daemon_reload: yes - register: stopping_result - when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" + when: "matrix_coturn_service_stat.stat.exists|bool" -- name: Ensure matrix-coturn.service doesn't exist +- name: Ensure matrix-coturn-reload.timer is stopped + service: + name: matrix-coturn + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_coturn_service_stat.stat.exists|bool" + +- name: Ensure systemd units don't exist file: - path: "{{ matrix_systemd_path }}/matrix-coturn.service" + path: "{{ matrix_systemd_path }}/{{ item }}" state: absent - when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" + register: matrix_coturn_systemd_unit_uninstallation_result + with_items: + - matrix-coturn.service + - matrix-coturn-reload.service + - matrix-coturn-reload.timer -- name: Ensure systemd reloaded after matrix-coturn.service removal +- name: Ensure systemd reloaded after unit removal service: daemon_reload: yes - when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" + when: "matrix_coturn_systemd_unit_uninstallation_result.changed|bool" - name: Ensure Matrix coturn paths don't exist file: path: "{{ matrix_coturn_base_path }}" state: absent - when: "not matrix_coturn_enabled|bool" - name: Ensure coturn Docker image doesn't exist docker_image: name: "{{ matrix_coturn_docker_image }}" state: absent - when: "not matrix_coturn_enabled|bool" diff --git a/roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2 b/roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2 deleted file mode 100644 index 1076f539..00000000 --- a/roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2 +++ /dev/null @@ -1 +0,0 @@ -20 4 */5 * * root {{ matrix_host_command_systemctl }} reload matrix-coturn.service diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2 new file mode 100644 index 00000000..e006e5a0 --- /dev/null +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2 @@ -0,0 +1,6 @@ +[Unit] +Description=Reloads matrix-coturn so that new SSL certificates can kick in + +[Service] +Type=oneshot +ExecStart={{ matrix_host_command_systemctl }} reload matrix-coturn.service diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 new file mode 100644 index 00000000..622cd80a --- /dev/null +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=Reloads matrix-coturn periodically so that new SSL certificates can kick in + +[Timer] +Unit=matrix-coturn-reload.service +OnCalendar=Sunday *-*-* 13:00:00 +RandomizedDelaySec=3h + +[Install] +WantedBy=timers.target diff --git a/roles/matrix-nginx-proxy/tasks/init.yml b/roles/matrix-nginx-proxy/tasks/init.yml index 1d5794c0..0161da23 100644 --- a/roles/matrix-nginx-proxy/tasks/init.yml +++ b/roles/matrix-nginx-proxy/tasks/init.yml @@ -1,3 +1,8 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}" when: matrix_nginx_proxy_enabled|bool + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}" + when: "item.applicable|bool and item.enableable|bool" + with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index cc84d207..b976923f 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -10,53 +10,56 @@ - "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew" - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal" - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter" + - "/etc/cron.d/matrix-ssl-lets-encrypt" + - "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" # # Tasks related to setting up Let's Encrypt's management of certificates # -- name: Ensure certbot Docker image is pulled - docker_image: - name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}" - when: "matrix_ssl_retrieval_method == 'lets-encrypt'" +- block: + - name: Ensure certbot Docker image is pulled + docker_image: + name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}" -- name: Obtain Let's Encrypt certificates - include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" - with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" - loop_control: - loop_var: domain_name - when: "matrix_ssl_retrieval_method == 'lets-encrypt'" + - name: Obtain Let's Encrypt certificates + include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" + with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" + loop_control: + loop_var: domain_name -- name: Ensure Let's Encrypt SSL renewal script installed - template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2" - dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" - mode: 0750 - when: "matrix_ssl_retrieval_method == 'lets-encrypt'" + - name: Ensure Let's Encrypt SSL renewal script installed + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2" + dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" + mode: 0750 -- name: Ensure periodic SSL renewal cronjob configured - template: - src: "{{ role_path }}/templates/cron.d/matrix-ssl-lets-encrypt.j2" - dest: /etc/cron.d/matrix-ssl-lets-encrypt - mode: 0644 + - name: Ensure SSL renewal systemd units installed + template: + src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2" + dest: "{{ matrix_systemd_path }}/{{ item.name }}" + mode: 0644 + when: "item.applicable|bool" + with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" when: "matrix_ssl_retrieval_method == 'lets-encrypt'" - # # Tasks related to getting rid of Let's Encrypt's management of certificates # -- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed - file: - path: /etc/cron.d/matrix-ssl-lets-encrypt - state: absent - when: "matrix_ssl_retrieval_method != 'lets-encrypt'" +- block: + - name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed + file: + path: "{{ matrix_systemd_path }}/{{ item.name }}" + state: absent + when: "{{ not item.applicable }}" + with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" -- name: Ensure Let's Encrypt SSL renewal script removed - file: - path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" - state: absent + - name: Ensure Let's Encrypt SSL renewal script removed + file: + path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" + state: absent when: "matrix_ssl_retrieval_method != 'lets-encrypt'" diff --git a/roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2 b/roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2 deleted file mode 100644 index f58e37d4..00000000 --- a/roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2 +++ /dev/null @@ -1,5 +0,0 @@ -MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}" -15 4 * * * root {{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew -{% if matrix_nginx_proxy_enabled %} -20 5 * * * root {{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service -{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 new file mode 100644 index 00000000..e95740da --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 @@ -0,0 +1,6 @@ +[Unit] +Description=Renews Let's Encrypt SSL certificates + +[Service] +Type=oneshot +ExecStart={{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 new file mode 100644 index 00000000..91b13b29 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=Renews Let's Encrypt SSL certificates periodically + +[Timer] +Unit=matrix-ssl-lets-encrypt-certificates-renew.service +OnCalendar=Sunday *-*-* 05:00:00 +RandomizedDelaySec=3h + +[Install] +WantedBy=timers.target diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 new file mode 100644 index 00000000..851655ba --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 @@ -0,0 +1,6 @@ +[Unit] +Description=Reloads matrix-nginx-proxy so that new SSL certificates can kick in + +[Service] +Type=oneshot +ExecStart={{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 new file mode 100644 index 00000000..73c1848e --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates can kick in + +[Timer] +Unit=matrix-ssl-nginx-proxy-reload.service +OnCalendar=Sunday *-*-* 13:00:00 +RandomizedDelaySec=3h + +[Install] +WantedBy=timers.target diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 index 39366abf..40cab22a 100644 --- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 @@ -24,7 +24,6 @@ docker run \ {% if matrix_ssl_lets_encrypt_staging %} --staging \ {% endif %} - --quiet \ --standalone \ --preferred-challenges http \ --agree-tos \ diff --git a/roles/matrix-nginx-proxy/vars/main.yml b/roles/matrix-nginx-proxy/vars/main.yml index 4d0235cb..5c51fe5b 100644 --- a/roles/matrix-nginx-proxy/vars/main.yml +++ b/roles/matrix-nginx-proxy/vars/main.yml @@ -1,4 +1,18 @@ --- # Tells whether this role had executed or not. Toggled to `true` during runtime. -matrix_nginx_proxy_role_executed: false \ No newline at end of file +matrix_nginx_proxy_role_executed: false + +matrix_ssl_renewal_systemd_units_list: + - name: matrix-ssl-lets-encrypt-certificates-renew.service + applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" + enableable: false + - name: matrix-ssl-lets-encrypt-certificates-renew.timer + applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" + enableable: true + - name: matrix-ssl-nginx-proxy-reload.service + applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}" + enableable: false + - name: matrix-ssl-nginx-proxy-reload.timer + applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}" + enableable: true From 9e936e45ad85ad775eb9de483b5a6dcbd92b99d2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 23:48:30 +0200 Subject: [PATCH 1775/2384] Use BuildKit for ma1sd Docker building Newer versions (`master`) use things like `--platform=...`, which are not supported unless we enable the new BuildKit building backend. --- roles/matrix-ma1sd/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml index a4a70ea4..7decaa2e 100644 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -84,7 +84,7 @@ register: matrix_ma1sd_git_pull_results - name: Ensure ma1sd Docker image is built - shell: "./gradlew dockerBuild" + shell: "DOCKER_BUILDKIT=1 ./gradlew dockerBuild" args: chdir: "{{ matrix_ma1sd_docker_src_files_path }}" From 26f0bbfdef5c8a87e616f7b8c00cb85fa991bee5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 23:57:38 +0200 Subject: [PATCH 1776/2384] Fix self-building for matrix-ma1sd on non-version tag/branch Building `master` or something like this was failing. --- roles/matrix-ma1sd/defaults/main.yml | 5 ++++- roles/matrix-ma1sd/tasks/setup_install.yml | 13 ++++++++----- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 28e3405c..62828d95 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -5,10 +5,13 @@ matrix_ma1sd_enabled: true matrix_ma1sd_container_image_self_build: false matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git" +matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}" matrix_ma1sd_architecture: "amd64" -matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:2.4.0-{{ matrix_ma1sd_architecture }}" +matrix_ma1sd_version: "2.4.0" + +matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}" matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else 'docker.io/' }}" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml index 7decaa2e..3f319eef 100644 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -79,7 +79,7 @@ git: repo: "{{ matrix_ma1sd_container_image_self_build_repo }}" dest: "{{ matrix_ma1sd_docker_src_files_path }}" - version: "{{ matrix_ma1sd_docker_image.split(':')[1].split('-')[0] }}" + version: "{{ matrix_ma1sd_container_image_self_build_branch }}" force: "yes" register: matrix_ma1sd_git_pull_results @@ -90,10 +90,13 @@ - name: Ensure ma1sd Docker image is tagged correctly docker_image: - # The build script always tags the image with something like `ma1uta/ma1sd:2.4.0`. - # Remove the `-{{ matrix_ma1sd_architecture }}` suffix and our `localhost/` prefix (applied when self-building) - # to get to what has actually been built, so we can retag it as `{{ matrix_ma1sd_docker_image }}`. - name: "{{ matrix_ma1sd_docker_image.split('-')[0].replace('localhost/', '') }}" + # The build script always tags the image with 2 tags: + # - based on the branch/version: e.g. `ma1uta/ma1sd:2.4.0` (when on `2.4.0`) + # or `ma1uta/ma1sd:2.4.0-19-ga71d32b` (when on a given commit for a pre-release) + # - generic one: `ma1uta/ma1sd:latest-dev` + # + # It's hard to predict the first one, so we'll use the latter. + name: "ma1uta/ma1sd:latest-dev" repository: "{{ matrix_ma1sd_docker_image }}" force_tag: yes source: local From 1692a28fe4f3246b986d5d71966d592928a4fa19 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 15 Jan 2021 00:21:55 +0200 Subject: [PATCH 1777/2384] Work around annoying Docker warning about undefined $HOME > WARNING: Error loading config file: .dockercfg: $HOME is not defined .. which appeared in Docker 20.10. --- roles/matrix-base/defaults/main.yml | 5 +++++ .../systemd/matrix-bot-matrix-reminder-bot.service.j2 | 1 + .../templates/systemd/matrix-appservice-discord.service.j2 | 1 + .../templates/systemd/matrix-appservice-irc.service.j2 | 1 + .../templates/systemd/matrix-appservice-slack.service.j2 | 1 + .../templates/systemd/matrix-appservice-webhooks.service.j2 | 1 + .../templates/systemd/matrix-mautrix-facebook.service.j2 | 1 + .../templates/systemd/matrix-mautrix-hangouts.service.j2 | 1 + .../systemd/matrix-mautrix-signal-daemon.service.j2 | 1 + .../templates/systemd/matrix-mautrix-signal.service.j2 | 1 + .../templates/systemd/matrix-mautrix-telegram.service.j2 | 1 + .../templates/systemd/matrix-mautrix-whatsapp.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-discord.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-instagram.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-skype.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-slack.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-steam.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-twitter.service.j2 | 1 + .../templates/systemd/matrix-sms-bridge.service.j2 | 1 + .../templates/systemd/matrix-client-element.service.j2 | 1 + .../templates/systemd/matrix-corporal.service.j2 | 1 + .../matrix-coturn/templates/systemd/matrix-coturn.service.j2 | 1 + .../templates/systemd/matrix-dimension.service.j2 | 1 + .../templates/systemd/matrix-dynamic-dns.service.j2 | 1 + .../templates/systemd/matrix-email2matrix.service.j2 | 1 + .../templates/jicofo/matrix-jitsi-jicofo.service.j2 | 1 + roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 | 1 + .../templates/prosody/matrix-jitsi-prosody.service.j2 | 1 + roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 | 1 + roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 | 1 + .../matrix-mailer/templates/systemd/matrix-mailer.service.j2 | 1 + .../templates/systemd/matrix-nginx-proxy.service.j2 | 1 + .../matrix-ssl-lets-encrypt-certificates-renew.service.j2 | 1 + .../templates/systemd/matrix-postgres.service.j2 | 1 + .../templates/systemd/matrix-registration.service.j2 | 1 + .../templates/systemd/matrix-synapse-admin.service.j2 | 1 + .../templates/goofys/systemd/matrix-goofys.service.j2 | 1 + .../templates/synapse/systemd/matrix-synapse.service.j2 | 1 + 38 files changed, 42 insertions(+) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 601a0f83..d8285e1c 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -49,6 +49,11 @@ matrix_base_data_path_mode: "750" matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" matrix_systemd_path: "/etc/systemd/system" +# Specifies the path to use for the `HOME` environment variable for systemd unit files. +# Docker 20.10 complains with `WARNING: Error loading config file: .dockercfg: $HOME is not defined` +# if `$HOME` is not defined, so we define something to make it happy. +matrix_systemd_unit_home_path: /root + # This is now unused. We keep it so that cleanup tasks can use it. # To be removed in the future. matrix_cron_path: "/etc/cron.d" diff --git a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 index 950242e5..825072e8 100644 --- a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 +++ b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index 7ec15752..412b4a3d 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-discord ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-discord diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index c86eb835..2287a774 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-irc ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-irc diff --git a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 index b16b2fed..bf7a12ed 100644 --- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-slack ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-slack diff --git a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 index 2049ee65..667cfd73 100644 --- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 +++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-webhooks ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-webhooks diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index caa52eb5..52e28859 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook-db \ diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index 39559190..f6b16bea 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangouts-db \ diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 index d8952992..35120317 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 @@ -13,6 +13,7 @@ Wants={{ service }} [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index c1c835a2..223f6dac 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -13,6 +13,7 @@ Wants={{ service }} [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index d61cdaa4..ef4440bc 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-telegram ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-telegram ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram-db \ diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 index 972d4e01..22384fbd 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 index 36a4da8b..4f195ef6 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 index 4c94c84a..6eb28da0 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 index cd958662..e61a369c 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 index 2b1456f5..b564c3b3 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 index e263154b..498b6ad3 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 index 8d7898eb..77424bfa 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 index 0eb0eb58..46c3463f 100644 --- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-/usr/bin/docker kill matrix-sms-bridge ExecStartPre=-/usr/bin/docker rm matrix-sms-bridge diff --git a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 index e0dd2e7e..f1f9eb3f 100644 --- a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 +++ b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-client-element ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-client-element diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index e8ce8c0a..cc9c4587 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-corporal ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-corporal diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 16ca5d2a..f8550e36 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-coturn ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-coturn diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index ff10224a..30d78d0d 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dimension ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dimension diff --git a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 index df7d810a..8dc2443d 100644 --- a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 +++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dynamic-dns ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dynamic-dns ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \ diff --git a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 index 1577877b..1b9d6642 100644 --- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 +++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 @@ -7,6 +7,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-email2matrix ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-email2matrix diff --git a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 index 6b5cc941..3d093795 100644 --- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 +++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 2931133f..c109b600 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jvb ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jvb diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 4f532d89..c1cd32bc 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-prosody ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-prosody diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index 1978fb0e..63535f91 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-web ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-web diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index 95f15254..697b5aba 100644 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-ma1sd ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-ma1sd diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index a5d48264..d773d698 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -7,6 +7,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mailer ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mailer diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 58f5c953..2dd2619e 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-nginx-proxy ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-nginx-proxy diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 index e95740da..c14905ce 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 @@ -3,4 +3,5 @@ Description=Renews Let's Encrypt SSL certificates [Service] Type=oneshot +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStart={{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 0a935fb0..13df99a4 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -7,6 +7,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} stop matrix-postgres ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-postgres diff --git a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 index 3744c2de..f0b50030 100644 --- a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 +++ b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-registration ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-registration diff --git a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 index 7b1e40de..d376238a 100644 --- a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 +++ b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-synapse-admin ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-synapse-admin diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index 0bbfde99..d96ab4a6 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -7,6 +7,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill %n ExecStartPre=-{{ matrix_host_command_docker }} rm %n diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 30c85b99..88789908 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-synapse ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-synapse {% if matrix_s3_media_store_enabled %} From 8549926395de16e26e8208622b9979b31ac2aa74 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 15 Jan 2021 17:13:47 +0200 Subject: [PATCH 1778/2384] Attempt to fix mautrix-whatsapp DB migration user table conflict Discussed in https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/791 --- roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 1cfa60f8..9691a58f 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -26,6 +26,7 @@ engine_variable_name: 'matrix_mautrix_whatsapp_database_engine' engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mautrix-whatsapp.service'] + pgloader_options: ['--with "quote identifiers"'] - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" From 6f51c1ed9640cfb50d6c6468948ca3ba5a496a5e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 16 Jan 2021 00:25:51 +0200 Subject: [PATCH 1779/2384] Fix Docker image link for matrix-registration Related to 69f71f48 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5a9278f3..b195a7f8 100644 --- a/README.md +++ b/README.md @@ -146,7 +146,7 @@ This playbook sets up your server using the following Docker images: - [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal/) - [Matrix Corporal](https://github.com/devture/matrix-corporal): reconciliator and gateway for a managed Matrix server (optional) -- [devture/zeratax-matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) - [matrix-registration](https://github.com/ZerataX/matrix-registration): a simple python application to have a token based matrix registration (optional) +- [zeratax/matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) - [matrix-registration](https://github.com/ZerataX/matrix-registration): a simple python application to have a token based matrix registration (optional) - [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional) From 28d86e3aaa9cb314fa41eff70548c2ffb8fcd5a0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 16 Jan 2021 23:47:14 +0200 Subject: [PATCH 1780/2384] Initial work on support for matrix-corporal v2 --- docs/configuring-playbook-matrix-corporal.md | 17 ++++++++++++++--- group_vars/matrix_servers | 3 +++ roles/matrix-corporal/defaults/main.yml | 10 ++++++++-- roles/matrix-corporal/tasks/validate_config.yml | 2 +- roles/matrix-corporal/templates/config.json.j2 | 10 ++++++++-- 5 files changed, 34 insertions(+), 8 deletions(-) diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index 6d7faad0..15de634e 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -11,7 +11,9 @@ The playbook can install and configure [matrix-corporal](https://github.com/devt In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment. See that project's documentation to learn what it does and why it might be useful to you. -If you decide that you'd like to let this playbook install it for you, you'd need to also [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md). +If you decide that you'd like to let this playbook install it for you, you'd need to also: +- (required) [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) +- (optional, but encouraged) [set up the REST authentication password provider module](configuring-playbook-rest-auth.md) ## Playbook configuration @@ -24,6 +26,15 @@ You would then need some configuration like this: matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE +# When matrix-corporal is acting as the primary authentication provider, +# you need to set up the REST authentication password provider module +# to make Interactive User Authentication work. +# This is necessary for certain user actions (like E2EE, device management, etc). +# +# See configuring-playbook-rest-auth.md +matrix_synapse_ext_password_provider_rest_auth_enabled: true +matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-corporal:41080/_matrix/corporal" + matrix_corporal_enabled: true matrix_corporal_policy_provider_config: | @@ -40,9 +51,9 @@ matrix_corporal_policy_provider_config: | matrix_corporal_http_api_enabled: true matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE" -# If you need to change the reconciliator user's id from the default (matrix-corporal).. +# If you need to change matrix-corporal's user id from the default (matrix-corporal). # In any case, you need to make sure this Matrix user is created on your server. -matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" +matrix_corporal_corporal_user_id_local_part: "matrix-corporal" # Because Corporal peridoically performs lots of user logins from the same IP, # you may need raise Synapse's ratelimits. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b43ed11f..e5517084 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -674,6 +674,9 @@ matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008" matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" +# This is only useful if there's REST auth provider to make use of it. +matrix_corporal_http_gateway_internal_rest_auth_enabled: "{{ matrix_synapse_ext_password_provider_rest_auth_enabled }}" + matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}" ###################################################################### diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index cccaadd0..9e73f1f1 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service'] matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}" -matrix_corporal_docker_image_tag: "1.11.0" +matrix_corporal_docker_image_tag: "2.0.0" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" @@ -50,10 +50,16 @@ matrix_corporal_matrix_registration_shared_secret: "" matrix_corporal_matrix_timeout_milliseconds: 45000 matrix_corporal_reconciliation_retry_interval_milliseconds: 30000 -matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" +matrix_corporal_corporal_user_id_local_part: "matrix-corporal" matrix_corporal_http_gateway_timeout_milliseconds: 60000 +# If enabled, matrix-corporal exposes a `POST /_matrix/corporal/_matrix-internal/identity/v1/check_credentials` API +# on the gateway (Client-Server API) server. +# This API can then be used together with the REST Auth password provider by pointing it to matrix-corporal (e.g. `http://matrix-corporal:41080/_matrix/corporal`). +# Doing so allows Interactive Authentication to work. +matrix_corporal_http_gateway_internal_rest_auth_enabled: false + matrix_corporal_http_api_enabled: false matrix_corporal_http_api_auth_token: "" matrix_corporal_http_api_timeout_milliseconds: 15000 diff --git a/roles/matrix-corporal/tasks/validate_config.yml b/roles/matrix-corporal/tasks/validate_config.yml index 9c6b295e..a8930e7e 100644 --- a/roles/matrix-corporal/tasks/validate_config.yml +++ b/roles/matrix-corporal/tasks/validate_config.yml @@ -16,7 +16,6 @@ msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`" when: "matrix_corporal_http_api_enabled|bool and matrix_corporal_http_api_auth_token == ''" - - name: (Deprecation) Catch and report renamed corporal variables fail: msg: >- @@ -25,3 +24,4 @@ when: "item.old in vars" with_items: - {'old': 'matrix_corporal_container_expose_ports', 'new': ''} + - {'old': 'matrix_corporal_reconciliation_user_id_local_part', 'new': 'matrix_corporal_corporal_user_id_local_part'} diff --git a/roles/matrix-corporal/templates/config.json.j2 b/roles/matrix-corporal/templates/config.json.j2 index dff73830..d8d22f66 100644 --- a/roles/matrix-corporal/templates/config.json.j2 +++ b/roles/matrix-corporal/templates/config.json.j2 @@ -7,14 +7,20 @@ "TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }} }, + "Corporal": { + "UserId": "@{{ matrix_corporal_corporal_user_id_local_part }}:{{ matrix_domain }}" + }, + "Reconciliation": { - "UserId": "@{{ matrix_corporal_reconciliation_user_id_local_part }}:{{ matrix_domain }}", "RetryIntervalMilliseconds": {{ matrix_corporal_reconciliation_retry_interval_milliseconds }} }, "HttpGateway": { "ListenAddress": "0.0.0.0:41080", - "TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }} + "TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }}, + "InternalRESTAuth": { + "Enabled": {{ matrix_corporal_http_gateway_internal_rest_auth_enabled|to_json }} + } }, "HttpApi": { From d95cbe38d704c9f2bc507fdf7444ee4fb8520538 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 17 Jan 2021 18:29:26 +0200 Subject: [PATCH 1781/2384] Rename configuration setting --- roles/matrix-corporal/templates/config.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/templates/config.json.j2 b/roles/matrix-corporal/templates/config.json.j2 index d8d22f66..9b4c7414 100644 --- a/roles/matrix-corporal/templates/config.json.j2 +++ b/roles/matrix-corporal/templates/config.json.j2 @@ -8,7 +8,7 @@ }, "Corporal": { - "UserId": "@{{ matrix_corporal_corporal_user_id_local_part }}:{{ matrix_domain }}" + "UserID": "@{{ matrix_corporal_corporal_user_id_local_part }}:{{ matrix_domain }}" }, "Reconciliation": { From ef64c88dc7f5cf41f7513a9624338aecdaa784a8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 17 Jan 2021 18:48:21 +0200 Subject: [PATCH 1782/2384] Announce matrix-corporal v2 --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index aa5c2270..8452d2d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2021-01-17 + +## matrix-corporal goes 2.0 + +[matrix-corporal v2 has been released](https://github.com/devture/matrix-corporal/releases/tag/2.0.0) and the playbook also supports it now. + +No manual intervention is required in the common case. + +The new [matrix-corporal](https://github.com/devture/matrix-corporal) version is also the first one to support Interactive Authentication. If you wish to enable that (hint: you should), you'll need to set up the [REST auth password provider](docs/configuring-playbook-rest-auth.md). There's more information in [our matrix-corporal docs](docs/configuring-playbook-matrix-corporal.md). + + # 2021-01-14 ## Moving from cronjobs to systemd timers From cf06f846087709e6e39619d6aaf039bd4f63f908 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 17 Jan 2021 22:05:26 +0200 Subject: [PATCH 1783/2384] Upgrade matrix-corporal (2.0.0 -> 2.0.1) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 9e73f1f1..adf77423 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service'] matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}" -matrix_corporal_docker_image_tag: "2.0.0" +matrix_corporal_docker_image_tag: "2.0.1" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" From c1008fde44fbfaf7141562b6f32150607e47c0df Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 18 Jan 2021 00:41:47 +0200 Subject: [PATCH 1784/2384] Upgrade matrix-coturn (4.5.1.3 -> 4.5.2) --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 8cbb3e3f..8e781306 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -3,7 +3,7 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git" -matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.1.3" +matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.2" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From 56c54d5cc73790046bfbf34c20c145f9b4a300e0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 18 Jan 2021 18:23:17 +0200 Subject: [PATCH 1785/2384] Upgrade matrix-corporal (2.0.1 -> 2.1.0) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index adf77423..4b4c46c9 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service'] matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}" -matrix_corporal_docker_image_tag: "2.0.1" +matrix_corporal_docker_image_tag: "2.1.0" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" From c9d96d8135eb622570ed8084d3e411b2d4445516 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 Jan 2021 09:15:34 +0200 Subject: [PATCH 1786/2384] Fix mautrix-telegram paths creation bug --- roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index b564c61b..04267161 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -36,7 +36,7 @@ - name: Ensure Mautrix Telegram paths exist file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" From 39ea3496a4a74d52f991cba1dd52993eee97b286 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 Jan 2021 18:44:15 +0200 Subject: [PATCH 1787/2384] Downgrade/lock mautrix-facebook to pre-mobile times The `mobile` branch got merged to `master`, which ends up becoming `:latest`. It's a "rewrite" of the bridge's backend and only supports a Postgres database. We'd like to go back (well, forward) to `:latest`, but that will take a little longer, because: - we need to handle and document things for people still on SQLite (especially those with external Postgres, who are likely on SQLite for bridges) - I'd rather test the new builds (and migration) a bit before releasing it to others and possibly breaking their bridge Brave ones who are already using the bridge with Postgres can jump on `:latest` and report their experience. --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index da9b1889..04a81c75 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git" # See: https://mau.dev/tulir/mautrix-facebook/container_registry -matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:latest" +matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" From d51ea252193672cb81a41f968dfb77359cc980e8 Mon Sep 17 00:00:00 2001 From: pushytoxin Date: Tue, 19 Jan 2021 18:41:45 +0100 Subject: [PATCH 1788/2384] When validating LE certs, do not wait for a random time While administering we will occasionally invoke this script interactively with the "non-interactive" switch still there, yet still sit at the desk waiting for 300 seconds for this timer to run out. The systemd-timer already uses a 3h randomized delay for automatic renewals, which serves this purpose well. --- .../matrix-ssl-lets-encrypt-certificates-renew.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 index 40cab22a..bc45e85e 100644 --- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 @@ -27,4 +27,5 @@ docker run \ --standalone \ --preferred-challenges http \ --agree-tos \ - --email={{ matrix_ssl_lets_encrypt_support_email }} + --email={{ matrix_ssl_lets_encrypt_support_email }} \ + --no-random-sleep-on-renew From 024a23ed1754a414c738022f664716ad7c9d2ba9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 20 Jan 2021 10:12:51 +0200 Subject: [PATCH 1789/2384] Upgrade mautrix-facebook to the new Postgres-only version I had intentionally held it back in 39ea3496a4a74d52 until: - it received more testing (there were a few bugs during the migration, but now it seems OK) - this migration guide was written --- CHANGELOG.md | 60 +++++++++++++++++++ group_vars/matrix_servers | 3 +- .../defaults/main.yml | 11 ++-- .../tasks/validate_config.yml | 21 +++++++ .../templates/config.yaml.j2 | 42 ++++++++++--- 5 files changed, 123 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8452d2d7..7a592bba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,63 @@ +# 2021-01-20 + +## (Breaking Change) The mautrix-facebook bridge now requires a Postgres database + +A new version of the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge has been released. It's a full rewrite of its backend and the bridge now requires Postgres. New versions of the bridge can no longer run on SQLite. + +**TLDR**: if you're NOT using an [external Postgres server](docs/configuring-playbook-external-postgres.md) and have NOT forcefully kept the bridge on SQLite during [The big move to all-on-Postgres (potentially dangerous)](#the-big-move-to-all-on-postgres-potentially-dangerous), you will be automatically upgraded without manual intervention. All you need to do is send a `login` message to the Facebook bridge bot again. + +Whether this change requires your intervention depends mostly on: +- whether you're using an [external Postgres server](docs/configuring-playbook-external-postgres.md). If yes, then [you need to do something](#upgrade-path-for-people-running-an-external-postgres-server). +- or whether you've force-changed the bridge's database engine to SQLite (`matrix_mautrix_facebook_database_engine: 'sqlite'` in your `vars.yml`) some time in the past (likely during [The big move to all-on-Postgres (potentially dangerous)](#the-big-move-to-all-on-postgres-potentially-dangerous)). + +As already mentioned above, you most likely don't need to do anything. If you rerun the playbook and don't get an error, you've been automatically upgraded. Just send a `login` message to the Facebook bridge bot again. Otherwise, read below for a solution. + +### Upgrade path for people NOT running an external Postgres server (default for the playbook) + +If you're **not running an external Postgres server**, then this bridge either already works Postgres for you, or you've intentionally kept it back on SQLite with custom configuration (`matrix_mautrix_facebook_database_engine: 'sqlite'` in your `vars.yml`) . + +Simply remove that custom configuration from your `vars.yml` file (if it's there) and re-run the playbook. It should upgrade you automatically. +You'll need to send a `login` message to the Facebook bridge bot again. + +Alternatively, [you can stay on SQLite for a little longer](#staying-on-sqlite-for-a-little-longer-temporary-solution). + +### Upgrade path for people running an external Postgres server + +For people using the internal Postgres server (the default for the playbook): +- we automatically create an additional `matrix_mautrix_facebook` Postgres database and credentials to access it +- we automatically adjust the bridge's `matrix_mautrix_facebook_database_*` variables to point the bridge to that Postgres database +- we use [pgloader](https://pgloader.io/) to automatically import the existing SQLite data for the bridge into the `matrix_mautrix_facebook` Postgres database + +If you are using an [external Postgres server](docs/configuring-playbook-external-postgres.md), unfortunately we currently can't do any of that for you. + +You have 3 ways to proceed: + +- contribute to the playbook to make this possible (difficult) +- or, do the above "steps" manually: + - stop the bridge (`systemctl stop matrix-mautrix-facebook`) + - create a new `matrix_mautrix_facebook` Postgres database for it + - run pgloader manually (we run it with default settings for this bridge) + - adjust the `matrix_mautrix_facebook_database_*` database variables (credentials, etc.) + - switch the bridge to use Postgres (`matrix_mautrix_facebook_database_engine: 'postgres'`) + - re-run the playbook (`--tags=setup-all,start`) and ensure the bridge works (`systemctl status matrix-mautrix-facebook` and `journalctl -fu matrix-mautrix-facebook`) + - send a `login` message to the Facebook bridge bot again +- or, [stay on SQLite for a little longer (temporary solution)](#staying-on-sqlite-for-a-little-longer-temporary-solution) + +### Staying on SQLite for a little longer (temporary solution) + +To keep using this bridge with SQLite for a little longer (**not recommended**), use the following configuration in your `vars.yml` file: + +```yaml +# Force-change the database engine to SQLite. +matrix_mautrix_facebook_database_engine: 'sqlite' + +# Force-downgrade to the last bridge version which supported SQLite. +matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b" +``` + +If you do this, keep in mind that **you can't run this forever**. This SQLite-supporting bridge version is not getting any updates and will break sooner or later. The playbook will also drop support for SQLite at some point in the future. + + # 2021-01-17 ## matrix-corporal goes 2.0 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e5517084..4ec0e8e9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -208,7 +208,8 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain +# and point them to a migration path. matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.fb.db') | to_uuid }}" diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 04a81c75..e99514e0 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git" # See: https://mau.dev/tulir/mautrix-facebook/container_registry -matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b" +matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:latest" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" @@ -35,12 +35,15 @@ matrix_mautrix_facebook_homeserver_token: '' # Database-related configuration fields. # -# To use SQLite, stick to these defaults. +# To use SQLite: +# - change the engine (`matrix_mautrix_facebook_database_engine: 'sqlite'`) +# - change to the last bridge version that supported SQLite: +# `matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b"` +# - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future). # # To use Postgres: -# - change the engine (`matrix_mautrix_facebook_database_engine: 'postgres'`) # - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables -matrix_mautrix_facebook_database_engine: 'sqlite' +matrix_mautrix_facebook_database_engine: 'postgres' matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebook.db" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml index dfbe072b..0879bad9 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml @@ -8,3 +8,24 @@ with_items: - "matrix_mautrix_facebook_appservice_token" - "matrix_mautrix_facebook_homeserver_token" + +- block: + - name: Fail if on SQLite, unless on the last version supporting SQLite + fail: + msg: >- + You're trying to use the mautrix-facebook bridge with an SQLite database. + Going forward, this bridge only supports Postgres. + To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database + when: "not matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" + + - name: Inject warning if still on SQLite + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: Your mautrix-facebook bridge setup is still on SQLite. Your bridge is not getting any updates and will likely stop working at some point. To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database" + ] + }} + when: "matrix_mautrix_facebook_database_engine == 'sqlite'" diff --git a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index 09287362..6fe3254d 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -8,6 +8,10 @@ homeserver: # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true + # Whether or not the homeserver supports asmux-specific endpoints, + # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically + # updating m.direct. + asmux: false # Application service host/registration related details # Changing these values requires regeneration of the registration. @@ -22,11 +26,7 @@ appservice: # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s max_body_size: 1 - # The full URI to the database. SQLite and Postgres are fully supported. - # Other DBMSes supported by SQLAlchemy may or may not work. - # Format examples: - # SQLite: sqlite:///filename.db - # Postgres: postgres://username:password@hostname/dbname + # The full URI to the database. Only Postgres is currently supported. database: {{ matrix_mautrix_facebook_appservice_database|to_json }} # Public part of web server for out-of-Matrix interaction with the bridge. @@ -38,6 +38,10 @@ appservice: # The base URL where the public-facing endpoints are available. The prefix is not added # implicitly. external: https://example.com/public + # Shared secret for integration managers such as mautrix-manager. + # If set to "generate", a random string will be generated on the next startup. + # If null, integration manager access to the API will not be possible. + shared_secret: generate # The unique ID of this appservice. id: facebook @@ -46,12 +50,17 @@ appservice: # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. bot_displayname: Facebook bridge bot - bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv + bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak # Authentication tokens for AS <-> HS communication. as_token: "{{ matrix_mautrix_facebook_appservice_token }}" hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" +# Prometheus telemetry config. Requires prometheus-client to be installed. +metrics: + enabled: false + listen_port: 8000 + # Bridge config bridge: # Localpart template of MXIDs for Facebook users. @@ -76,6 +85,7 @@ bridge: # "own_nickname" (user-specific!) displayname_preference: - name + - first_name # The prefix for commands. Only required in non-management rooms. command_prefix: "!fb" @@ -120,6 +130,18 @@ bridge: # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. default: false + # Options for automatic key sharing. + key_sharing: + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow: false + # Require the requesting device to have a valid cross-signing signature? + # This doesn't require that the bridge has verified the device, only that the user has verified it. + # Not yet implemented. + require_cross_signing: false + # Require devices to be verified by the bridge? + # Verification by the bridge is not yet implemented. + require_verification: true # Whether or not the bridge should send a read receipt from the bridge bot when a message has # been sent to Facebook. delivery_receipts: false @@ -161,6 +183,10 @@ bridge: # Whether or not the bridge should try to "refresh" the connection if a normal reconnection # attempt fails. refresh_on_reconnection_fail: false + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false # Permissions for using the bridge. # Permitted values: @@ -192,9 +218,7 @@ logging: loggers: mau: level: DEBUG - fbchat: - level: DEBUG - hbmqtt: + paho: level: INFO aiohttp: level: INFO From f6861e3c659d0900aaa311421376e90558bfe580 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 20 Jan 2021 10:19:39 +0200 Subject: [PATCH 1790/2384] Improve wording a bit --- CHANGELOG.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7a592bba..02bc926f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,7 @@ As already mentioned above, you most likely don't need to do anything. If you re ### Upgrade path for people NOT running an external Postgres server (default for the playbook) -If you're **not running an external Postgres server**, then this bridge either already works Postgres for you, or you've intentionally kept it back on SQLite with custom configuration (`matrix_mautrix_facebook_database_engine: 'sqlite'` in your `vars.yml`) . +If you're **not running an external Postgres server**, then this bridge either already works on Postgres for you, or you've intentionally kept it back on SQLite with custom configuration (`matrix_mautrix_facebook_database_engine: 'sqlite'` in your `vars.yml`) . Simply remove that custom configuration from your `vars.yml` file (if it's there) and re-run the playbook. It should upgrade you automatically. You'll need to send a `login` message to the Facebook bridge bot again. @@ -33,12 +33,12 @@ If you are using an [external Postgres server](docs/configuring-playbook-externa You have 3 ways to proceed: - contribute to the playbook to make this possible (difficult) -- or, do the above "steps" manually: +- or, do the migration "steps" manually: - stop the bridge (`systemctl stop matrix-mautrix-facebook`) - create a new `matrix_mautrix_facebook` Postgres database for it - - run pgloader manually (we run it with default settings for this bridge) - - adjust the `matrix_mautrix_facebook_database_*` database variables (credentials, etc.) - - switch the bridge to use Postgres (`matrix_mautrix_facebook_database_engine: 'postgres'`) + - run [pgloader](https://pgloader.io/) manually (we import this bridge's data using default settings and it works well) + - define `matrix_mautrix_facebook_database_*` variables in your `vars.yml` file (credentials, etc.) - you can find their defaults in `roles/matrix-mautrix-facebook/defaults/main.yml` + - switch the bridge to Postgres (`matrix_mautrix_facebook_database_engine: 'postgres'` in your `vars.yml` file) - re-run the playbook (`--tags=setup-all,start`) and ensure the bridge works (`systemctl status matrix-mautrix-facebook` and `journalctl -fu matrix-mautrix-facebook`) - send a `login` message to the Facebook bridge bot again - or, [stay on SQLite for a little longer (temporary solution)](#staying-on-sqlite-for-a-little-longer-temporary-solution) From a30ef0cc29ea466898b62726569fb4ffc16fde83 Mon Sep 17 00:00:00 2001 From: throwawayay Date: Wed, 20 Jan 2021 08:35:07 -0500 Subject: [PATCH 1791/2384] Update element-web (1.7.16 -> 1.7.17) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index d0297193..96116b1a 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.16" +matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.17" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From fb28f59f8c6e1b022141afd124a36a2b3aa1709b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Jan 2021 12:39:03 +0200 Subject: [PATCH 1792/2384] Initial work on a FAQ document --- docs/README.md | 4 +- docs/faq.md | 357 ++++++++++++++++++++++++++++++++++++++++++ docs/prerequisites.md | 4 +- 3 files changed, 363 insertions(+), 2 deletions(-) create mode 100644 docs/faq.md diff --git a/docs/README.md b/docs/README.md index 8c95eff3..77c5099d 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1,6 +1,8 @@ # Table of Contents -- [Prerequisites](prerequisites.md) +- [FAQ](faq.md) - lots of questions and answers. Jump to [Prerequisites](prerequisites.md) to avoid reading too much and to just start a guided installation. + +- [Prerequisites](prerequisites.md) - go here to a guided installation using this Ansible playbook - [Configuring your DNS server](configuring-dns.md) diff --git a/docs/faq.md b/docs/faq.md new file mode 100644 index 00000000..b4cdac64 --- /dev/null +++ b/docs/faq.md @@ -0,0 +1,357 @@ +# Frequently Asked Questions + +This documentation page tries to answer various Frequently Asked Questions about all things [Matrix](https://matrix.org/), with a focus on this [Ansible](https://www.ansible.com/) playbook ([What is Ansible? How does it work?](#what-is-ansible-how-does-it-work)). + +This FAQ page does not intend to replace the [matrix.org FAQ](https://matrix.org/faq/) (please see that one too). + +We've only started this FAQ recently, so it's still somewhat empty. + +Also, we encourage you to not dig yourself into a hole by reading way too much. When you've heard enough, proceed to [Prerequisites](prerequisites.md) to get guided into installing Matrix. + + +## Introductory + +## Where do I find more questions and answers about Matrix? + +This is a Frequently Asked Questions page focused on this [Ansible](https://www.ansible.com/) playbook ([What is Ansible? How does it work?](#what-is-ansible-how-does-it-work)) for deploying a [Matrix](https://matrix.org/) server. + +For a lot more generic questions and answers, see the [matrix.org FAQ](https://matrix.org/faq/). + +## What is Matrix? What is Element? What is Synapse? Why are you confusing me with so many terms? + +[Matrix](https://matrix.org/) is a new type of realtime communication (chat) network, the closest analogy to which is probably "email". + +You don't just use the "email" protocols (SMTP, POP3, IMAP) directly though. There's a some *server* somewhere which stores your data (`@gmail.com`, `@yahoo.com`, `@hotmail.com`, `@your-company.com`) and you access using these "email" protocol using use some *client* program (Outlook, Thunderbird, some website, etc). + +In the world of the Matrix chat protocol, there are various client programs. The first and currently most full-featured one is called [Element](https://element.io/) (used to be called Riot.im and Vector.im in the past). There are [many other clients](https://matrix.org/clients/). You can switch clients as much as you want until you find the one that is right for you on a given platform (you may use Element on your desktop, but Fluffychat on your phone, etc). + +Matrix is also like email due to the fact that are many servers around the world which can all talk to each other (you can send email from `@gmail.com` addresses to `@yahoo.com` and `@hotmail.com` addresses). It's the same with Matrix (`@bob:his-domain.com` can talk to `@alice:her-domain.org`). + +If someone else is hosting your Matrix server (you being `@user:matrix.org` or some other public server like this), all you need is a Matrix client program, like Element. + +If you'd like to host your own server (you being `@user:your-own-domain.com`), you'd need to set up a Matrix server program, like Synapse. + +In short: + +- Matrix is the protocol - a set of rules about how the chat network operates +- Element is a client program you can use to participate on the Matrix chat network via some server (yours or someone else's). There are also [many other client programs](https://matrix.org/clients/). +- Synapse is a server program you can use to host your very own Matrix server. + +This FAQ here mostly focuses on installing Matrix services using the Ansible automation tool. You can learn much more about Matrix in the [matrix.org FAQ](https://matrix.org/faq/). + +## People I wish to talk to are not on Matrix. Can I talk to them? + +You most likely can. Besides Matrix-native chats, Matrix also supports this concept of "bridging", which allows you to plug other networks into it. + +This Ansible playbook can help you install [tens of bridges for various networks](configuring-playbook.md#bridging-other-networks). + +Besides setting up your own bridges (preferable), you can also use some [public bridges hosted by others](https://publiclist.anchel.nl/#bridges). + +## How do I get started with Matrix? + +One of [Matrix](https://matrix.org/)'s distinguishing strengths (compared to other chat networks) is its decentralized nature. There's not just one entity (company, organization) controlling the servers. Rather there's thousands of servers operated by different people - one server being insecure, slow or disrespective toward its users does not affect the rest of the network. To participate in that decentralization in its fullest, consider hosting your own server or using some public server other than the largest/default one (`matrix.org`). + +There are 3 ways to get into Martix, depending on your technical ability and needs: + +- **using the existing default server** - the easiest way is to use an existing server. The largest public Matrix server is `matrix.org` and it's configured as a default server in clients such as [Element](https://element.io) and many others. Just use Element on the browser via that link (or download the Element app on a smartphone), create an account and start chatting. + +- **using some other server** - instead of using the largest public server (`matrix.org`), you can use another public one. Here's a [list of public Matrix servers](https://publiclist.anchel.nl/) to choose from. Again, you download [Element](https://element.io) or [some other client](https://matrix.org/clients/) of your choosing and adjust the homeserver URL during login. + +- **using your own server** - running your own server puts you in ultimate control of your data. It also lets you have your own user identifiers (e.g. `@bob:your-domain.com`). See [How do I set up my own Matrix server](#how-do-i-set-up-my-own-matrix-server). + +### How do I set up my own Matrix server? + +Normally, you'd first choose the [Matrix](https://matrix.org/) server software you'd like to run. At the time of this writing (January/2021), there's only one fully-featured server program, so there's only one reasonable choice. That's [Synapse](https://github.com/matrix-org/synapse). + +There are [many guides about installing Synapse](https://matrix.org/docs/guides/#installing-synapse). Using this Ansible playbook is just one way of doing it. + +Naturally, we're biased, so our usual recommendation is to go with this [Ansible](https://www.ansible.com/) playbook, instead of installing Synapse (and many many other things around it) manually. +To get started with the playbook, start at the [Prerequisites](prerequisites.md) page. + +### What is Ansible? How does it work? + +[Ansible](https://www.ansible.com/) is an automation program. This "playbook" is a collection of tasks/scripts that will set up a [Matrix](https://matrix.org/) server for you, so you don't have to perform these tasks manually. + +We have written these automated tasks for you and all you need to do is execute them using the Ansible program. + +You can install Ansible and this playbook code repository on your own computer and tell it to install Matrix services at the server living at `matrix.DOMAIN`. We recommend installing Ansible on your own computer. + +Alternatively, you can download Ansible and the playbook itself directly on the `matrix.DOMAIN` server. + +To learn more, see our [dedicated Ansible documentation page](ansible.md). + +### Why use this playbook and not install Synapse and other things manually? + +There's various guides telling you how easy it is to install [Synapse](https://github.com/matrix-org/synapse). + +Reading this Ansible playbook's documentation, you may also be thinking: + +> I don't know what [Ansible](https://www.ansible.com/) is. I don't know what [Docker](https://www.docker.com/) is. This looks more complicated. + +.. so you may be leaning toward [installing Synapse manually](https://github.com/matrix-org/synapse/blob/master/INSTALL.md). + +The problem with a manual installation is: + +- Synapse is written in Python. If not packaged for your distribution, you'd need to install various Python modules, etc., and keep them updated. +- Synapse requires a [Postgres](https://www.postgresql.org/) database (it can run on SQLite, but that's very much discouraged). So you'd need to install Postgres as well. +- you may also need a reverse-proxy server in front of it (nginx, Apache), so you'd need to be familiar with that +- SSL is required, so you'd need to obtain Let's Encrypt (or other free or non-free) certificates for one or more domain names. You'd need to be familiar with [certbot](https://certbot.eff.org/) (when using Let's Encrypt) or similar software. +- for each additional component you'd like to add (client like [Element](https://element.io), bridge to some other chat network, Integration Manager (sitckers, other services), Identity Manager, etc.), you'll need to spend extra time installing and wiring it with the rest of the system in a way that works. +- you'll likely get slower updates for all of these components, depending on your distro packaging or your own time and ability + +The playbook, on the other hand, installs a bunch of components for you by default, obtains SSL certificates for you, etc. If you'd like, you can enable various bridges and other services with very little effort. All the components are wired to work together. + +All services run in Docker containers (most being officially provided by each component's developers), so we're not at the mercy of distro packaging. + +### Why use this playbook and not just use the Docker image directly? + +Reasons are similar to the reasons for not installing manually. + +Besides Synapse, you'd need other things - a Postgres database, likely the [Element](https://element.io) client, etc., etc. + +Using the playbook, you get all these components in a way that works well together out of the box. + + +## Server-related + +### What kind of server do I need to install Matrix using this Ansible playbook? + +We list our server requirements in [Prerequisites](prerequisites.md). + +### Why not run Matrix on Kubernetes? + +There's no reason not to run Matrix on [Kubernetes](https://kubernetes.io/). + +However, that's overly complicated for thousands of us who just want to run a single small (and sometimes not so small) Matrix server, either using "cloud" servers or even a [Raspberry Pi](https://www.raspberrypi.org/) at home. + +For us, a Kubernetes-based setup which requires a cluster of multiple computers and is more technically-involved is a no-go. + +There are others working on automating a Matrix-on-Kubernetes setup, such as this [Helm](https://helm.sh/) chart: https://github.com/dacruz21/matrix-chart. + +### Why don't you use Podman instead of Docker? + +We like the philosophy of a daemonless container runtime, but [Podman](https://podman.io) is just not ready for our use case yet. + +Learn more about our past experiences/attempts to give Podman a chance, by reading [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/520). + +In short, `alias podman=docker` is a lie (for us). + +### Why use Docker? + +[Docker](https://www.docker.com/) is one of our 2 hard dependencies (the other one being [systemd](https://systemd.io/)). + +It lets us run services in an isolated manner and independently of the (usually old) packages available for distributions. + +It also lets us have a unified setup which runs the same across various supported distros (see them on [Prerequisites](prerequisites.md)). + +### Is Docker a hard requirement? + +Yes. See [Why don't you use Podman instead of Docker?](#is-docker-a-hard-requirement) for why we're not using another container runtime. + +All of our services run in containers. It's how we achieve predictability and also how we support tens of different services across lots of distros. + +The only thing we need on the distro is systemd and Python (we install Docker ourselves, unless you ask us not to). + +### Why don't you use docker-compose? + +Instead of using [docker-compose](https://docs.docker.com/compose/), we prefer installing systemd services and scheduling those independently. + +There are people who have worked on turning this setup into a docker-compose-based one. See these experiments [here](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/64#issuecomment-603164625). + +### Can I run this on a distro without systemd? + +No. [systemd](https://systemd.io/) is one of our 2 hard dependencies (the other one being [Docker](https://www.docker.com/)). + +### Can I install this on a Raspberry Pi? + +Yes, you can. See our [Alternative Architectures](alternative-architectures.md) documentation page. + +Whether a Raspberry Pi has enough power to give you a good experience is another question. It depends on your use case. + +Also see: [What kind of server specs do I need?](#what-kind-of-server-specs-do-i-need). + +### What kind of server specs do I need? + +This largely depends on your use case. It's not so much the number of users that you plan to host, but rather the number of large rooms they will join. + +Federated rooms with lots of history and containing hundreds of other servers are very heavy CPU-wise and memory-wise. + +You can probably use a 1 CPU + 1GB memory server to host hundreds of local users just fine, but as soon as of them joins a federated room like `#matrix:matrix.org` (Matrix HQ) or some IRC-bridged room (say `##linux`), your server will get the need for a lot more power (at least 2GB RAM, etc). + +Running Matrix on a server with 1GB of memory is possible (especially if you disable some not-so-important services). See [How do I optimize this setup for a low-power server?](#how-do-i-optimize-this-setup-for-a-low-power-server). + +**We recommend starting with a server having at least 2GB of memory** and even then using it sparingly. If you know for sure you'll be joining various large rooms, etc., then going for 4GB of memory or more is a good idea. + +Besides the regular Matrix stuff, we also support things like video-conferencing using [Jitsi](configuring-playbook-jitsi.md) and other additional services which (when installed) may use up a lot of memory. Things do add up. Besides the Synapse Matrix server, Jitsi is especially notorious for consuming a lot of resources. If you plan on running Jitsi, we recommend a server with at least 2GB of memory (preferrably more). See our [Jitsi documentation page](configuring-playbook-jitsi.md) to learn how to optimize its memory/CPU usage. + +### Can I run this in an LXC container? + +If your distro runs within an [LXC container](https://linuxcontainers.org/), you may hit [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/703). It can be worked around, if absolutely necessary, but we suggest that you avoid running from within an LXC container. + + +## Configuration + +### Why install my server at matrix.DOMAIN and not at the base DOMAIN? + +It's the same with email servers. Your email address is likely `name@company.com`, not `name@mail.company.com`, even though it's really `mail.company.com` that is really handling your data for `@company.com` email to work. + +Using a separate domain name is easier to manage (although it's a little hard to get right at first) and keeps your Matrix server isolated from your website (if you have one), from your email server (if you have one), etc. + +We allow `matrix.DOMAIN` to be the Matrix server handling Matrix stuff for `DOMAIN` by [Server Delegation](howto-server-delegation.md). During the installation procedure, we recommend that you set up server delegation using the [.well-known](configuring-well-known.md) method. + +If you'd really like to install Matrix services directly on the base domain, see [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain). + +### I don't control anything on the base domain and can't set up delegation to matrix.DOMAIN. What do I do? + +If you're not in control of your base domain (or server handling it) at all, you can take a look at [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain) + +### I can't set up HTTPS on the base domain. How will I get Matrix federating? + +If you really can't obtain an HTTPS certificate for your base domain, you can take a look at [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain) + +### How do I install on matrix.DOMAIN without involving the base DOMAIN? + +This Ansible playbook guides you into installing a server for `DOMAIN` (user identifiers are like this: `@user:DOMAIN`), while the server is at `matrix.DOMAIN`. + +We allow `matrix.DOMAIN` to be the Matrix server handling Matrix stuff for `DOMAIN` by [Server Delegation](howto-server-delegation.md). During the installation procedure, we recommend that you set up server delegation using the [.well-known](configuring-well-known.md) method. + +If you're fine with uglier identifiers (`@user:matrix.DOMAIN`, which is the equivalent of having an email address like `bob@mail.company.com`, instead of just `bob@company.com`), you can do that as well using the following configuration in your `vars.yml` file: + +```yaml +# This is what your identifiers are like (e.g. `@bob:matrix.YOUR_BASE_DOMAIN`). +matrix_domain: "matrix.YOUR_BASE_DOMAIN" + +# This is where Matrix services +matrix_server_fqn_matrix: "matrix.YOUR_BASE_DOMAIN" + +# This is where you access the Element web UI from (if enabled via `matrix_client_element_enabled: true`; enabled by default). +# This and the Matrix FQN (see above) are expected to be on the same server. +# +# Feel free to use `element.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that. +matrix_server_fqn_element: "element.YOUR_BASE_DOMAIN" + +# This is where you access Dimension (if enabled via `matrix_dimension_enabled: true`; NOT enabled by default). +# +# Feel free to use `dimension.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that. +matrix_server_fqn_dimension: "dimension.YOUR_BASE_DOMAIN" + +# This is where you access Jitsi (if enabled via `matrix_jitsi_enabled: true`; NOT enabled by default). +# +# Feel free to use `jitsi.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that. +matrix_server_fqn_jitsi: "jitsi.YOUR_BASE_DOMAIN" +``` + +### I don't use the base domain for anything. How am I supposed to set up Server Delegation for Matrix services? + +If you don't use your base domain for anything, then it's hard for you to "serve files over HTTPS" on it -- something we ask you to do for the [.well-known](configuring-well-known.md) setup (needed for [Server Delegation](howto-server-delegation.md)). + +Luckily, the playbook can set up your Matrix server (at `matrix.DOMAIN`) to also handle traffic for the base domain (`DOMAIN`). + +See [Serving the base domain](configuring-playbook-base-domain-serving.md). + +### How do I optimize this setup for a low-power server? + +You can disable some not-so-important services to save on memory. + +```yaml +# An identity server is not a must. +matrix_ma1sd_enabled: false + +# Disabling this will prevent email-notifications and other such things from working. +matrix_mailer_enabled: false + +# You can also disable this to save more RAM, +# at the expense of audio/video calls being unreliable. +matrix_coturn_enabled: true + +# This makes Synapse not keep track of who is online/offline. +# +# Keeping track of this and announcing such online-status in federated rooms with +# hundreds of servers inside is insanely heavy (https://github.com/matrix-org/synapse/issues/3971). +# +# If your server does not federate with hundreds of others, enabling this doesn't hurt much. +matrix_synapse_use_presence: false +``` + +You can also consider implementing a restriction on room complexity, in order to prevent users from joining very heavy rooms: + +```yaml +matrix_synapse_configuration_extension_yaml: | + limit_remote_rooms: + enabled: true + complexity: 1.0 # this limits joining complex (~large) rooms, can be + # increased, but larger values can require more RAM +``` + +If you've installed [Jitsi](configuring-playbook-jitsi.md) (not installed by default), there are additional optimizations listed on its documentation page that you can perform. + +### I already have Docker on my server. Can you stop installing Docker via the playbook? + +Yes, we can stop installing Docker ourselves. Just use this in your `vars.yml` file: + +```yaml +matrix_docker_installation_enabled: true +``` + +### I run another webserver on the same server where I wish to install Matrix. What now? + +By default, we install a webserver for you (nginx), but you can also use [your own webserver](configuring-playbook-own-webserver.md). + + +## Installation + +### How do I run the installation? + +See [Installing](installing.md) to learn how to use Ansible to install Matrix services. + +Of course, don't just jump straight to Installing. Rather, start at [Prerequisites](prerequisites.md) and get guided from there (into [setting up DNS](configuring-dns.md), [configuring the playbook](configuring-playbook.md), etc). + +### I installed Synapse some other way. Can I migrate such a setup to the playbook? + +Yes, you can. + +You generally need to do a playbook installation (start at the [Prerequisites](prerequisites.md) page), followed by importing your existing data into it. + +This Ansible playbook guides you into installing a server for `DOMAIN` (user identifiers are like this: `@user:DOMAIN`), while the server is at `matrix.DOMAIN`. If your existing setup has a server name (`server_name` configuration setting in Synapse's `homeserver.yaml` file) other than the base `DOMAIN`, you may need to tweak some additional variables. This FAQ entry may be of use if you're dealing with a more complicated setup - [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain) + +After configuring the playbook and installing and **before starting** services (done with `ansible-playbook ... --tags=start`) you'd import [your SQLite](importing-synapse-sqlite.md) (or [Postgres](importing-postgres.md)) database and also [import your media store](importing-synapse-media-store.md). + +### I've downloaded Ansible and the playbook on the server. It can't connect using SSH. + +If you're using the playbook directly on the server, then Ansible doesn't need to connect using SSH. + +It can perform a local connection instead. Just set `ansible_connection=local` at the end of the server line in `inventory/hosts` and re-run the playbook. + +If you're running Ansible from within a container (one of the possibilities we list on our [dedicated Ansible documentation page](ansible.md)), then using `ansible_connection=local` is not possible. + + +## Maintenance + +### Do I need to do anything to keep my Matrix server updated? + +Yes. We don't update anything for you automatically. + +See our [documentation page about upgrading services](maintenance-upgrading-services.md). + +### How do I move my existing installation to another (VM) server? + +If you have an existing installation done using this Ansible playbook, you can easily migrate that to another server using [our dedicated server migration guide](maintenance-migrating.md). + +If your previous installation is done in some other way (not using this Ansible playbook), see [I installed Synapse some other way. Can I migrate such a setup to the playbook?](#i-installed-synapse-some-other-way-can-i-migrate-such-a-setup-to-the-playbook). + +### How do I back up the data on my server? + +We haven't document this properly yet, but the general advice is to: + +- back up Postgres by making a database dump. See [Backing up PostgreSQL](maintenance-postgres.md#backing-up-postgresql) + +- back up all `/matrix` files, except for `/matrix/postgres/data` (you already have a dump) and `/matrix/postgres/data-auto-upgrade-backup` (this directory may exist and contain your old data if you've [performed a major Postgres upgrade](maintenance-postgres.md#upgrading-postgresql)). + +You can later restore these roughly like this: + +- restore the `/matrix` directory and files on the new server manually +- run the playbook again (see [Installing](installing.md)), but **don't** start services yet (**don't run** `... --tags=start`). This step will fix any file permission mismatches and will also set up additional software (Docker, etc.) and files on the server (systemd service, etc.). +- perform a Postgres database import (see [Importing Postgres](importing-postgres.md)) to restore your database backup +- start services (see [Starting the services](installing.md#starting-the-services)) + +If your server's IP address has changed, you may need to [set up DNS](configuring-dns.md) again. diff --git a/docs/prerequisites.md b/docs/prerequisites.md index ae9a992f..28afeb94 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -1,6 +1,8 @@ # Prerequisites -- An **x86** server running one of these operating systems: +To install Matrix services using this Ansible playbook, you need: + +- (Recommended) An **x86** server running one of these operating systems: - **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)) - **Debian** (9/Stretch+) - **Ubuntu** (16.04+, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) From 3b5907d83d47b7c948f22d0f2bcbd6ba79a43fc5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Jan 2021 13:01:20 +0200 Subject: [PATCH 1793/2384] Update FAQ with details about /matrix/postgres/data-auto-upgrade-backup --- docs/faq.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/faq.md b/docs/faq.md index b4cdac64..6f5123bf 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -355,3 +355,9 @@ You can later restore these roughly like this: - start services (see [Starting the services](installing.md#starting-the-services)) If your server's IP address has changed, you may need to [set up DNS](configuring-dns.md) again. + +### What is this `/matrix/postgres/data-auto-upgrade-backup` directory that is taking up so much space? + +When you [perform a major Postgres upgrade](maintenance-postgres.md#upgrading-postgresql), we save the the old data files in `/matrix/postgres/data-auto-upgrade-backup`, just so you could easily restore them should something have gone wrong. + +After verifying that everything still works after the Postgres upgrade, you can safely delete `/matrix/postgres/data-auto-upgrade-backup` From a47813585d033eac83dda764bb96cc177e936b4c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Jan 2021 19:24:05 +0200 Subject: [PATCH 1794/2384] Rename file to prevent common mistake Prompted by this: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/779#issuecomment-764807507 --- docs/configuring-playbook.md | 2 +- examples/{host-vars.yml => vars.yml} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename examples/{host-vars.yml => vars.yml} (100%) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 3bb28c3f..11b801a7 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -10,7 +10,7 @@ You can then follow these steps inside the playbook directory: - create a directory to hold your configuration (`mkdir inventory/host_vars/matrix.`) -- copy the sample configuration file (`cp examples/host-vars.yml inventory/host_vars/matrix./vars.yml`) +- copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/matrix./vars.yml`) - edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at the various `roles/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. diff --git a/examples/host-vars.yml b/examples/vars.yml similarity index 100% rename from examples/host-vars.yml rename to examples/vars.yml From 703f1b1a04dcd1dc66184ea0ac8f208a964fd33d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Jan 2021 22:07:50 +0200 Subject: [PATCH 1795/2384] Add some more questions/answers to the FAQ --- docs/faq.md | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/docs/faq.md b/docs/faq.md index 6f5123bf..4e63784b 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -297,6 +297,36 @@ matrix_docker_installation_enabled: true By default, we install a webserver for you (nginx), but you can also use [your own webserver](configuring-playbook-own-webserver.md). +### How is the effective configuration determined? + +Configuration variables are defined in multiple places in this playbook and are considered in this order: + +- there are defaults coming from each role's defaults file (`role/matrix*/defaults/main.yml`). These variable values aim to be good defaults for when the role is used standalone (outside of this collection of roles, also called playbook). + +- then, there are overrides in `group_vars/matrix_servers`, which aim to adjust these "standalone role defaults" to something which better fits the playbook in its entirety. + +- finally, there's your `inventory/host_vars/matrix.DOMAIN/vars.yml` file, which is the ultimate override + +### What configuration variables are available? + +You can discover the variables you can override in each role (`role/matrix*/defaults/main.yml`). + +As described in [How is the effective configuration determined?](#how-is-the-effective-configuration-determined), these role-defaults may be overriden by values defined in `group_vars/matrix_servers`. + +Refer to both of these for inspiration. Still, as mentioned in [Configuring the playbook](configuring-playbook.md), you're only ever supposed to edit your own `inventory/host_vars/matrix.DOMAIN/vars.yml` file and nothing else inside the playbook (unless you're meaning to contribute new features). + +### I'd like to adjust some configuration which doesn't have a corresponding variable. How do I do it? + +The playbook doesn't aim to expose all configuration settings for all services using variables. +Doing so would amount is to hundreds of variables that we have to create and maintain. + +Instead, we only try to make some important basics configurable using dedicated variables you can see in each role. +See [What configuration variables are available?](#what-configuration-variables-are-available). + +Besides that, each role (component) aims to provide a `matrix_SOME_COMPONENT_configuration_extension_yaml` (or `matrix_SOME_COMPONENT_configuration_extension_json`) variable, which can be used to override the configuration. + +Check each role's `role/matrix*/defaults/main.yml` for the corresponding variable and an example for how use it. + ## Installation @@ -325,6 +355,46 @@ It can perform a local connection instead. Just set `ansible_connection=local` a If you're running Ansible from within a container (one of the possibilities we list on our [dedicated Ansible documentation page](ansible.md)), then using `ansible_connection=local` is not possible. +## Troubleshooting + +### I get "Error response from daemon: configured logging driver does not support reading" when I do `docker logs matrix-synapse`. + +See [How can I see the logs?](#how-can-i-see-the-logs). + +### How can I see the logs? + +We utilize [systemd/journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html#Description) for logging. + +To see logs for Synapse, run `journalctl -fu matrix-synapse.service`. You may wish to see the [manual page for journalctl](https://www.commandlinux.com/man-page/man1/journalctl.1.html). + +Available service names can be seen by doing `ls /etc/systemd/system/matrix*.service` on the server. + +Some services also log to files in `/matrix/*/data/..`, but we're slowly moving away from that. + +We also disable Docker logging, so you can't use `docker logs matrix-*` either. We do this to prevent useless double (or even tripple) logging and to avoid having to rotate log files. + +We just simply delegate logging to journald and it takes care of persistenec and expiring old data. + +Also see: [How long do systemd/journald logs persist for?](#how-long-do-systemdjournald-logs-persist-for) + +### How long do systemd/journald logs persist for? + +On some distros, the journald logs are just in-memory and not persisted to disk. + +Consult (and feel free to adjust) your distro's journald logging configuration in `/etc/systemd/journald.conf`. + +To enable persistence and put some limits on how large the journal log files can become, adjust your configuration like this: + +```ini +[Journal] +RuntimeMaxUse=200M +SystemMaxUse=1G +RateLimitInterval=0 +RateLimitBurst=0 +Storage=persistent +``` + + ## Maintenance ### Do I need to do anything to keep my Matrix server updated? From 95346f3117f2a3a67a5287a5d75e487f7bf4cefb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 12:23:00 +0200 Subject: [PATCH 1796/2384] Reorganize Postgres access (breaking change) In short, this makes Synapse a 2nd class citizen, preparing for a future where it's just one-of-many homeserver software options. We also no longer have a default Postgres superuser password, which improves security. The changelog explains more as to why this was done and how to proceed from here. --- CHANGELOG.md | 82 +++++++++++++++++++ .../configuring-playbook-external-postgres.md | 1 + docs/maintenance-postgres.md | 11 +++ examples/vars.yml | 14 +++- group_vars/matrix_servers | 19 +++-- roles/matrix-postgres/defaults/main.yml | 7 +- .../matrix-postgres/tasks/validate_config.yml | 16 +++- roles/matrix-synapse/defaults/main.yml | 6 +- .../matrix-synapse/tasks/validate_config.yml | 4 + 9 files changed, 139 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02bc926f..82d66157 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,85 @@ +# 2021-01-22 + +## (Breaking Change) Postgres changes that require manual intervention + +We've made a lot of changes to our Postgres setup and some manual action is required (described below). Sorry about the hassle. + +**TLDR**: people running an [external Postgres server](docs/configuring-playbook-external-postgres.md) don't need to change anything for now. Everyone else (the common/default case) is affected and manual intervention is required. + +### Why? + +- we had a default Postgres password (`matrix_postgres_connection_password: synapse-password`), which we think is **not ideal for security anymore**. We now ask you to generate/provide a strong password yourself. Postgres is normally not exposed outside the container network, making it relatively secure, but still: + - by tweaking the configuration, you may end up intentionally or unintentionally exposing your Postgres server to the local network (or even publicly), while still using the default default credentials (`synapse` + `synapse-password`) + - we can't be sure we trust all these services (bridges, etc). Some of them may try to talk to or attack `matrix-postgres` using the default credentials (`synapse` + `synapse-password`) + - you may have other containers running on the same Docker network, which may try to talk to or attack `matrix-postgres` using the default credentials (`synapse` + `synapse-password`) +- our Postgres usage **was overly-focused on Synapse** (default username of `synapse` and default/main database of `homeserver`). Additional homeserver options are likely coming in the future ([Dendrite](https://matrix.org/docs/projects/server/dendrite), [Conduit](https://matrix.org/docs/projects/server/conduit), [The Construct](https://matrix.org/docs/projects/server/construct)), so being too focused on `matrix-synapse` is not great. From now on, Synapse is just another component of this playbook, which happens to have an *additional database* (called `synapse`) on the Postgres server. +- we try to reorganize things a bit, to make the playbook even friendlier to people running an [external Postgres server](docs/configuring-playbook-external-postgres.md). Work on this will proceed in the future. + +So, this is some **effort to improve security** and to **prepare for a brighter future of having more homeserver options** than just Synapse. + +### What has really changed? + +- the default superuser Postgres username is now `matrix` (used to be `synapse`) +- the default Postgres database is now `matrix` (used to be `homeserver`) +- Synapse's database is now `synapse` (used to be `homeserver`). This is now just another "additional database" that the playbook manages for you +- Synapse's user called `synapse` is just a regular user that can only use the `synapse` database (not a superuser anymore) + +### What do I do if I'm using the integrated Postgres server (default)? + +By default, the playbook runs an integrated Postgres server for you in a container (`matrix-postgres`). Unless you've explicitly configured an [external Postgres server](docs/configuring-playbook-external-postgres.md), these steps are meant for you. + +To migrate to the new setup, expect a few minutes of downtime, while you follow these steps: + +1. Generate a strong password to be used for your superuser Postgres user (called `matrix`). You can use `pwgen -s 64 1` to generate it, or some other tool. + +2. Update your playbook's `inventory/host_vars/matrix.DOMAIN/vars.yml` file, adding a line like this: +```yaml +matrix_postgres_connection_password: YOUR_POSTGRES_PASSWORD_HERE +``` + +.. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #1. + +3. Stop all services: `ansible-playbook -i inventory/hosts setup.yml --tags=stop` +4. Log in to the server via SSH. The next commands will be performed there. +5. Start the Postgres database server: `systemctl start matrix-postgres` +6. Open a Postgres shell: `/usr/local/bin/matrix-postgres-cli` +7. Execute the following query, while making sure to **change the password inside**: + +```sql +CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; +``` + +.. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #1. + +8. Execute the following queries as you see them (no modifications necessary, so you can just paste them): + +```sql +CREATE DATABASE matrix OWNER matrix; + +ALTER DATABASE postgres OWNER TO matrix; +ALTER DATABASE template0 OWNER TO matrix; +ALTER DATABASE template1 OWNER TO matrix; + +\c matrix; + +ALTER DATABASE homeserver RENAME TO synapse; + +ALTER ROLE synapse NOSUPERUSER NOCREATEDB NOCREATEROLE; + +\quit +``` + +You may need to press *Enter* after pasting the lines above. + +1. Re-run the playbook normally: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` + +### What do I do if I'm using an external Postgres server? + +If you've explicitly configured an [external Postgres server](docs/configuring-playbook-external-postgres.md), there are changes that you need to do at this time. + +The fact that we've renamed Synapse's database from `homeserver` to `synapse` (in our defaults) should not affect you, as you're already explicitly defining `matrix_synapse_database_database` (if you've followed our guide, that is). If you're not explicitly defining this variable, you may wish to do so (`matrix_synapse_database_database: homeserver`), to avoid the new `synapse` default and keep things as they were. + + # 2021-01-20 ## (Breaking Change) The mautrix-facebook bridge now requires a Postgres database diff --git a/docs/configuring-playbook-external-postgres.md b/docs/configuring-playbook-external-postgres.md index f3671a64..0becc8ff 100644 --- a/docs/configuring-playbook-external-postgres.md +++ b/docs/configuring-playbook-external-postgres.md @@ -4,6 +4,7 @@ By default, this playbook would set up a PostgreSQL database server on your mach If that's alright, you can skip this. If you'd like to use an external PostgreSQL server that you manage, you can edit your configuration file (`inventory/host_vars/matrix./vars.yml`). + It should be something like this: ```yaml diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 7c936479..14ac5d8e 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -19,6 +19,17 @@ You can use the `/usr/local/bin/matrix-postgres-cli` tool to get interactive ter If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above tool will not be available. +By default, this tool puts you in the `matrix` database, which contains nothing. + +To see the available databases, run `\list` (or just `\l`). + +To change to another database (for example `synapse`), run `\connect synapse` (or just `\c synapse`). + +You can then proceed to write queries. Example: `SELECT COUNT(*) FROM users;` + +**Be careful**. Modifying the database directly (especially as services are running) is dangerous and may lead to irreversible database corruption. +When in doubt, consider [making a backup](#backing-up-postgresql). + ## Vacuuming PostgreSQL diff --git a/examples/vars.yml b/examples/vars.yml index 409f344a..eb355744 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -4,7 +4,7 @@ # Note: this playbook does not touch the server referenced here. # Installation happens on another server ("matrix."). # -# If you've deployed using the wrong domain, you'll have to run the Uninstalling step, +# If you've deployed using the wrong domain, you'll have to run the Uninstalling step, # because you can't change the Domain after deployment. # # Example value: example.com @@ -18,12 +18,18 @@ matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE # you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`). # # Example value: someone@example.com -matrix_ssl_lets_encrypt_support_email: YOUR_EMAIL_ADDRESS_HERE +matrix_ssl_lets_encrypt_support_email: '' # A shared secret (between Coturn and Synapse) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_coturn_turn_static_auth_secret: "" +matrix_coturn_turn_static_auth_secret: '' # A secret used to protect access keys issued by the server. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_synapse_macaroon_secret_key: "" +matrix_synapse_macaroon_secret_key: '' + +# A Postgres password to used for the superuser Postgres user (called `matrix` by default). +# +# The playbook creates additional Postgres users and databases (one for each enabled service) +# using this superuser account. +matrix_postgres_connection_password: '' diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4ec0e8e9..77876e33 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1021,16 +1021,20 @@ matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matr matrix_postgres_enabled: true -matrix_postgres_connection_hostname: "matrix-postgres" -matrix_postgres_connection_username: "synapse" -# Please note that the max length of the password is 99 characters -matrix_postgres_connection_password: "synapse-password" -matrix_postgres_db_name: "homeserver" +# We unset this if internal Postgres disabled, which will cascade to some other variables +# and tell users they need to set it (either here or in those variables). +matrix_postgres_connection_hostname: "{{ 'matrix-postgres' if matrix_postgres_enabled else '' }}" matrix_postgres_pgloader_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" matrix_postgres_additional_databases: | {{ + ([{ + 'name': matrix_synapse_database_database, + 'username': matrix_synapse_database_user, + 'password': matrix_synapse_database_password, + }] if (matrix_synapse_enabled and matrix_synapse_database_database != matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + + ([{ 'name': matrix_ma1sd_database_name, 'username': matrix_ma1sd_database_username, @@ -1243,10 +1247,7 @@ matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (ma # For exposing the Synapse Manhole port (plain HTTP) to the local host. matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if matrix_synapse_manhole_enabled else '' }}" -matrix_synapse_database_host: "{{ matrix_postgres_connection_hostname }}" -matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}" -matrix_synapse_database_password: "{{ matrix_postgres_connection_password }}" -matrix_synapse_database_database: "{{ matrix_postgres_db_name }}" +matrix_synapse_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'synapse.db') | to_uuid }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 8f1d0d78..07eeffad 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -1,9 +1,10 @@ matrix_postgres_enabled: true -matrix_postgres_connection_hostname: "" -matrix_postgres_connection_username: "" +matrix_postgres_connection_hostname: "matrix-postgres" +matrix_postgres_connection_port: 5432 +matrix_postgres_connection_username: "matrix" matrix_postgres_connection_password: "" -matrix_postgres_db_name: "" +matrix_postgres_db_name: "matrix" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" diff --git a/roles/matrix-postgres/tasks/validate_config.yml b/roles/matrix-postgres/tasks/validate_config.yml index 6ff5adb0..9158e926 100644 --- a/roles/matrix-postgres/tasks/validate_config.yml +++ b/roles/matrix-postgres/tasks/validate_config.yml @@ -6,17 +6,29 @@ The `matrix_postgres_use_external` variable defined in your configuration is not used by this playbook anymore! You'll need to adapt to the new way of using an external Postgres server. It's a combination of `matrix_postgres_enabled: false` and specifying Postgres connection - details in a few `matrix_synapse_database_` variables. + details in a few `matrix_postgres_connection_` variables. See the "Using an external PostgreSQL server (optional)" documentation page. when: "'matrix_postgres_use_external' in vars" +# This is separate (from the other required variables below), +# because we'd like to have a friendlier message for our existing users. +- name: Fail if matrix_postgres_connection_password not defined + fail: + msg: >- + The playbook no longer has a default Postgres password defined in the `matrix_postgres_connection_password` variable, among lots of other Postgres changes. + You need to perform multiple manual steps to resolve this. + See our changelog for more details: + https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-postgres-changes-that-require-manual-intervention + when: "matrix_postgres_connection_password == ''" + - name: Fail if required Postgres settings not defined fail: - msg: > + msg: >- You need to define a required configuration setting (`{{ item }}`). when: "vars[item] == ''" with_items: - "matrix_postgres_connection_hostname" + - "matrix_postgres_connection_port" - "matrix_postgres_connection_username" - "matrix_postgres_connection_password" - "matrix_postgres_db_name" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 0e7cf987..985b86bb 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -294,10 +294,10 @@ matrix_synapse_manhole_enabled: false matrix_synapse_sentry_dsn: "" # Postgres database information -matrix_synapse_database_host: "" -matrix_synapse_database_user: "" +matrix_synapse_database_host: "matrix-postgres" +matrix_synapse_database_user: "synapse" matrix_synapse_database_password: "" -matrix_synapse_database_database: "" +matrix_synapse_database_database: "synapse" matrix_synapse_turn_uris: [] matrix_synapse_turn_shared_secret: "" diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index fe3cb2e6..b2c1f3a7 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -7,6 +7,10 @@ when: "vars[item] == ''" with_items: - "matrix_synapse_macaroon_secret_key" + - "matrix_synapse_database_host" + - "matrix_synapse_database_user" + - "matrix_synapse_database_password" + - "matrix_synapse_database_database" - name: (Deprecation) Catch and report renamed settings fail: From f9c1d624351f88c9dd0e7b869bb8c3ebd62741d8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 13:52:55 +0200 Subject: [PATCH 1797/2384] Fix Postgres database (-alpine) failing to start on ARM32 --- group_vars/matrix_servers | 2 ++ roles/matrix-postgres/defaults/main.yml | 18 +++++++++++++----- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 77876e33..4415c86c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1021,6 +1021,8 @@ matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matr matrix_postgres_enabled: true +matrix_postgres_architecture: "{{ matrix_architecture }}" + # We unset this if internal Postgres disabled, which will cascade to some other variables # and tell users they need to set it (either here or in those variables). matrix_postgres_connection_hostname: "{{ 'matrix-postgres' if matrix_postgres_enabled else '' }}" diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 07eeffad..21891583 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -9,11 +9,19 @@ matrix_postgres_db_name: "matrix" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" -matrix_postgres_docker_image_v9: "docker.io/postgres:9.6.20-alpine" -matrix_postgres_docker_image_v10: "docker.io/postgres:10.15-alpine" -matrix_postgres_docker_image_v11: "docker.io/postgres:11.10-alpine" -matrix_postgres_docker_image_v12: "docker.io/postgres:12.5-alpine" -matrix_postgres_docker_image_v13: "docker.io/postgres:13.1-alpine" +matrix_postgres_architecture: amd64 + +# matrix_postgres_docker_image_suffix controls whether we use Alpine-based images (`-alpine`) or the normal Debian-based images. +# Alpine-based Postgres images are smaller and we usually prefer them, but they don't work on ARM32 (tested on a Raspberry Pi 3 running Raspbian 10.7). +# On ARM32, `-alpine` images fail with the following error: +# > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault +matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" + +matrix_postgres_docker_image_v9: "docker.io/postgres:9.6.20{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v10: "docker.io/postgres:10.15{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v11: "docker.io/postgres:11.10{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v12: "docker.io/postgres:12.5{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v13: "docker.io/postgres:13.1{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" # This variable is assigned at runtime. Overriding its value has no effect. From e88dcfa252252c7f17aa5762757411847d4a6eb6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 13:58:55 +0200 Subject: [PATCH 1798/2384] Mention Postgres backup --- CHANGELOG.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 82d66157..0cdddd27 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,20 +30,22 @@ By default, the playbook runs an integrated Postgres server for you in a contain To migrate to the new setup, expect a few minutes of downtime, while you follow these steps: -1. Generate a strong password to be used for your superuser Postgres user (called `matrix`). You can use `pwgen -s 64 1` to generate it, or some other tool. +1. We believe the steps below are safe and you won't encounter any data loss, but consider [making a Postgres backup](docs/maintenance-postgres.md#backing-up-postgresql) anyway. If you've never backed up Postgres, now would be a good time to try it. -2. Update your playbook's `inventory/host_vars/matrix.DOMAIN/vars.yml` file, adding a line like this: +2. Generate a strong password to be used for your superuser Postgres user (called `matrix`). You can use `pwgen -s 64 1` to generate it, or some other tool. + +3. Update your playbook's `inventory/host_vars/matrix.DOMAIN/vars.yml` file, adding a line like this: ```yaml matrix_postgres_connection_password: YOUR_POSTGRES_PASSWORD_HERE ``` .. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #1. -3. Stop all services: `ansible-playbook -i inventory/hosts setup.yml --tags=stop` -4. Log in to the server via SSH. The next commands will be performed there. -5. Start the Postgres database server: `systemctl start matrix-postgres` -6. Open a Postgres shell: `/usr/local/bin/matrix-postgres-cli` -7. Execute the following query, while making sure to **change the password inside**: +4. Stop all services: `ansible-playbook -i inventory/hosts setup.yml --tags=stop` +5. Log in to the server via SSH. The next commands will be performed there. +6. Start the Postgres database server: `systemctl start matrix-postgres` +7. Open a Postgres shell: `/usr/local/bin/matrix-postgres-cli` +8. Execute the following query, while making sure to **change the password inside**: ```sql CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; @@ -51,7 +53,7 @@ CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; .. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #1. -8. Execute the following queries as you see them (no modifications necessary, so you can just paste them): +9. Execute the following queries as you see them (no modifications necessary, so you can just paste them): ```sql CREATE DATABASE matrix OWNER matrix; @@ -71,7 +73,7 @@ ALTER ROLE synapse NOSUPERUSER NOCREATEDB NOCREATEROLE; You may need to press *Enter* after pasting the lines above. -1. Re-run the playbook normally: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` +10. Re-run the playbook normally: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` ### What do I do if I'm using an external Postgres server? From d3aea8f4b84b1cba414f51b9d1583f389ceee9fd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 14:04:36 +0200 Subject: [PATCH 1799/2384] Update Postgres backup docs for ARM32 --- docs/maintenance-postgres.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 14ac5d8e..50f5a55d 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -64,6 +64,8 @@ pg_dumpall -h matrix-postgres \ If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above command will not work, because the credentials file (`/matrix/postgres/env-postgres-psql`) is not available. +If your server is on the ARM32 [architecture](alternative-architectures.md), you may need to remove the `-alpine` suffix from the image name in the command above. + Restoring a backup made this way can be done by [importing it](importing-postgres.md). From 1a3034b0c876d91e1a9b2e18e0d396ea39d83c53 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 14:13:56 +0200 Subject: [PATCH 1800/2384] Fix typo --- examples/vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vars.yml b/examples/vars.yml index eb355744..f79e5e3c 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -28,7 +28,7 @@ matrix_coturn_turn_static_auth_secret: '' # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_synapse_macaroon_secret_key: '' -# A Postgres password to used for the superuser Postgres user (called `matrix` by default). +# A Postgres password to use for the superuser Postgres user (called `matrix` by default). # # The playbook creates additional Postgres users and databases (one for each enabled service) # using this superuser account. From 89db6be5682b4702b32bcb219654c815cd96a7de Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 14:33:02 +0200 Subject: [PATCH 1801/2384] Fix typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0cdddd27..05548cc0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -77,7 +77,7 @@ You may need to press *Enter* after pasting the lines above. ### What do I do if I'm using an external Postgres server? -If you've explicitly configured an [external Postgres server](docs/configuring-playbook-external-postgres.md), there are changes that you need to do at this time. +If you've explicitly configured an [external Postgres server](docs/configuring-playbook-external-postgres.md), there are **no changes** that you need to do at this time. The fact that we've renamed Synapse's database from `homeserver` to `synapse` (in our defaults) should not affect you, as you're already explicitly defining `matrix_synapse_database_database` (if you've followed our guide, that is). If you're not explicitly defining this variable, you may wish to do so (`matrix_synapse_database_database: homeserver`), to avoid the new `synapse` default and keep things as they were. From d95f16070545247251529ae4754b2ce2e1108f6c Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Fri, 22 Jan 2021 06:48:25 -0600 Subject: [PATCH 1802/2384] Fix typos --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 05548cc0..9ab6bccc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,7 +39,7 @@ To migrate to the new setup, expect a few minutes of downtime, while you follow matrix_postgres_connection_password: YOUR_POSTGRES_PASSWORD_HERE ``` -.. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #1. +.. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #2. 4. Stop all services: `ansible-playbook -i inventory/hosts setup.yml --tags=stop` 5. Log in to the server via SSH. The next commands will be performed there. @@ -51,7 +51,7 @@ matrix_postgres_connection_password: YOUR_POSTGRES_PASSWORD_HERE CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; ``` -.. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #1. +.. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #2. 9. Execute the following queries as you see them (no modifications necessary, so you can just paste them): From 3273f023dce6c499d287f55e512af9b7814354d7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 15:50:24 +0200 Subject: [PATCH 1803/2384] Fix Postgres importing guide This fixes things to make them compatible with the changes done in 95346f3117f2a3 --- docs/importing-postgres.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 0dd75cb2..0e2d3fe7 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -7,8 +7,8 @@ Run this if you'd like to import your database from a previous installation. ## Prerequisites For this to work, **the database name in Postgres must match** what this playbook uses. -This playbook uses a Postgres database name of `homeserver` by default (controlled by the `matrix_postgres_db_name` variable). -If your database name differs, be sure to change `matrix_postgres_db_name` to your desired name and to re-run the playbook before proceeding. +This playbook uses a Postgres database name of `synapse` by default (controlled by the `matrix_synapse_database_database` variable). +If your database name differs, be sure to change `matrix_synapse_database_database` to your desired name and to re-run the playbook before proceeding. The playbook supports importing Postgres dump files in **text** (e.g. `pg_dump > dump.sql`) or **gzipped** formats (e.g. `pg_dump | gzip -c > dump.sql.gz`). From bef0702feaeae2836ccc40c29337cffc165a86a3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 16:21:30 +0200 Subject: [PATCH 1804/2384] Wait some more when starting Postgres during setup on ARM --- roles/matrix-postgres/defaults/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 21891583..d96a3ce8 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -72,7 +72,10 @@ matrix_postgres_import_databases_ignore_regex: "^CREATE DATABASE ({{ matrix_post # and before trying to run queries for creating additional databases/users against it. # # For most (subsequent) runs, Postgres would already be running, so no waiting will be happening at all. -matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds: 15 +# +# On ARM, we wait some more. ARM32 devices are especially known for being slow. +# ARM64 likely don't need such a long delay, but it doesn't hurt too much having it. +matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds: "{{ 45 if matrix_postgres_architecture in ['arm32', 'arm64'] else 15 }}" matrix_postgres_pgloader_container_image_self_build: false From 88addd71fc31d4c245b05a2c00d820e05a94e7d3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 17:39:08 +0200 Subject: [PATCH 1805/2384] Fix Postgres imports going to the matrix DB by default Well, they still do go to that DB by default, but our docs give a better command to users, which would do the right thing. --- docs/importing-postgres.md | 9 ++++++++- roles/matrix-postgres/tasks/import_postgres.yml | 9 ++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 0e2d3fe7..b905ba7b 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -21,10 +21,17 @@ Before doing the actual import, **you need to upload your Postgres dump file to To import, run this command (make sure to replace `` with a file path on your server): - ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_postgres_dump=' --tags=import-postgres +```sh +ansible-playbook -i inventory/hosts setup.yml \ +--extra-vars='postgres_default_import_database=synapse server_path_postgres_dump=' \ +--tags=import-postgres +``` + +We specify the `synapse` database as the default import database. If your dump is a single-database dump (`pg_dump`), then we need to tell it where to go to. If you're redefining `matrix_synapse_database_database` to something other than `synapse`, please adjust it here too. For database dumps spanning multiple databases (`pg_dumpall`), you can remove the `postgres_default_import_database` definition (but it doesn't hurt to keep it too). **Note**: `` must be a file path to a Postgres dump file on the server (not on your local machine!). + ## Troubleshooting A table ownership issue can occur if you are importing from a Synapse installation which was both: diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml index c26affbb..b8e93219 100644 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -35,6 +35,13 @@ postgres_import_wait_time: "{{ 7 * 86400 }}" when: "postgres_import_wait_time|default('') == ''" +# By default, we connect and import into the main (`matrix`) database. +# Single-database dumps for Synapse may wish to import into `synapse` instead. +- name: Set postgres_default_import_database, if not provided + set_fact: + postgres_default_import_database: "{{ matrix_postgres_db_name }}" + when: "postgres_default_import_database|default('') == ''" + # Actual import work - name: Ensure matrix-postgres is started @@ -76,7 +83,7 @@ {{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }} grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' | grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' | - psql -v ON_ERROR_STOP=1 -h matrix-postgres" + psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname={{ postgres_default_import_database }}" # This is a hack. # See: https://ansibledaily.com/print-to-standard-output-without-escaping/ From 37909aa7a9c4834b8cb21f082d48a60448413db7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 18:40:51 +0200 Subject: [PATCH 1806/2384] Create signald/{avatars,attachments,data} and rename config dir --- roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml | 3 +++ .../templates/systemd/matrix-mautrix-signal.service.j2 | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index 29555116..d6c3c24d 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -35,6 +35,9 @@ - "{{ matrix_mautrix_signal_base_path }}" - "{{ matrix_mautrix_signal_config_path }}" - "{{ matrix_mautrix_signal_daemon_path }}" + - "{{ matrix_mautrix_signal_daemon_path }}/avatars" + - "{{ matrix_mautrix_signal_daemon_path }}/attachments" + - "{{ matrix_mautrix_signal_daemon_path }}/data" - name: Ensure mautrix-signal config.yaml installed copy: diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index 223f6dac..f9ab7324 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -27,12 +27,12 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal -p {{ matrix_mautrix_signal_container_http_host_bind_port }}:29328 \ {% endif %} -v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \ - -v {{ matrix_mautrix_signal_config_path }}:/data:z \ + -v {{ matrix_mautrix_signal_config_path }}:/config:z \ {% for arg in matrix_mautrix_signal_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_mautrix_signal_docker_image }} \ - python3 -m mautrix_signal -c /data/config.yaml + python3 -m mautrix_signal -c /config/config.yaml ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal From 8ec975e3c81e006e720b6d29fca50a7651d799fc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 18:52:20 +0200 Subject: [PATCH 1807/2384] Use matrix:matrix for Signal bridge (not root) --- .../templates/systemd/matrix-mautrix-signal.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index f9ab7324..e88ec15c 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -23,6 +23,7 @@ ExecStartPre={{ matrix_host_command_sleep }} 5 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal \ --log-driver=none \ --network={{ matrix_docker_network }} \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ {% if matrix_mautrix_signal_container_http_host_bind_port %} -p {{ matrix_mautrix_signal_container_http_host_bind_port }}:29328 \ {% endif %} From f3dd34672416e48692e158a45b27b1d1b3089b0c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 18:56:08 +0200 Subject: [PATCH 1808/2384] Try to tighten Signal bridge security --- .../templates/systemd/matrix-mautrix-signal-daemon.service.j2 | 2 ++ .../templates/systemd/matrix-mautrix-signal.service.j2 | 2 ++ 2 files changed, 4 insertions(+) diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 index 35120317..e3e11a6d 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 @@ -21,9 +21,11 @@ ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 +# We can't use `--read-only` for this bridge. ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal-daemon \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --network={{ matrix_docker_network }} \ -v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \ {{ matrix_mautrix_signal_daemon_docker_image }} diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index e88ec15c..ec6f5159 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -24,6 +24,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal --log-driver=none \ --network={{ matrix_docker_network }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ {% if matrix_mautrix_signal_container_http_host_bind_port %} -p {{ matrix_mautrix_signal_container_http_host_bind_port }}:29328 \ {% endif %} From 2997a7fc3e83a71e0e778d30347b20ec17c7bbb4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 19:22:26 +0200 Subject: [PATCH 1809/2384] Make mx-puppet-* bridges not log to files We log everything in systemd/journald for every service already, so there's no need for double-logging, bridges rotating log files manually and other such nonsense. --- .../templates/config.yaml.j2 | 18 +------------ .../templates/config.yaml.j2 | 18 +------------ .../templates/config.yaml.j2 | 25 +------------------ .../templates/config.yaml.j2 | 18 +------------ .../templates/config.yaml.j2 | 18 +------------ .../templates/config.yaml.j2 | 18 +------------ 6 files changed, 6 insertions(+), 109 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 index 1f4548d8..93c0a491 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 @@ -122,20 +122,4 @@ logging: lineDateFormat: MMM-D HH:mm:ss.SSS # Logging files # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m + files: [] diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 index b830da2b..1c4bb1bd 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 @@ -66,20 +66,4 @@ logging: lineDateFormat: MMM-D HH:mm:ss.SSS # Logging files # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m + files: [] diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 index d41d3a23..1d6d4828 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 @@ -42,30 +42,7 @@ logging: lineDateFormat: MMM-D HH:mm:ss.SSS # Logging files # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m - # Optionally enable/disable logging for certain modules - #disabled: - # - PresenceHandler - # - module: bot-sdk-MatrixLiteClient - # regex: /_matrix/client/r0/presence/ # this regex needs to match to disable the log - #enabled: - # - Store + files: [] database: {% if matrix_mx_puppet_skype_database_engine == 'postgres' %} diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 index af6b5cb8..01714cb3 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 @@ -80,20 +80,4 @@ logging: lineDateFormat: MMM-D HH:mm:ss.SSS # Logging files # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m + files: [] diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 index 149e08b6..fd59471d 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 @@ -83,20 +83,4 @@ logging: lineDateFormat: MMM-D HH:mm:ss.SSS # Logging files # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m + files: [] diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 index bdecf1dc..1d269057 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 @@ -76,20 +76,4 @@ logging: lineDateFormat: MMM-D HH:mm:ss.SSS # Logging files # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m + files: [] From 49c0e254db27733237e2478fc49a0cb15e3866f0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 20:21:22 +0200 Subject: [PATCH 1810/2384] Add some warning about ; in SQL statements I got at least a few reports of people pasting these statements one by one and missing the `;`. --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ab6bccc..c567cc70 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,7 +53,7 @@ CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; .. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #2. -9. Execute the following queries as you see them (no modifications necessary, so you can just paste them): +9. Execute the following queries as you see them (no modifications necessary, so you can just **paste them all at once** and **don't forget the sneaky `;`**): ```sql CREATE DATABASE matrix OWNER matrix; From 3647b23628cb58e2f3a383c846e9addde8b633dd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 20:23:35 +0200 Subject: [PATCH 1811/2384] Add some warning about ; in SQL statements (take 2) --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c567cc70..e8e82899 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -45,7 +45,7 @@ matrix_postgres_connection_password: YOUR_POSTGRES_PASSWORD_HERE 5. Log in to the server via SSH. The next commands will be performed there. 6. Start the Postgres database server: `systemctl start matrix-postgres` 7. Open a Postgres shell: `/usr/local/bin/matrix-postgres-cli` -8. Execute the following query, while making sure to **change the password inside**: +8. Execute the following query, while making sure to **change the password inside** (**don't forget the ending `;`**): ```sql CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; @@ -53,7 +53,7 @@ CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; .. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #2. -9. Execute the following queries as you see them (no modifications necessary, so you can just **paste them all at once** and **don't forget the sneaky `;`**): +1. Execute the following queries as you see them (no modifications necessary, so you can just **paste them all at once**): ```sql CREATE DATABASE matrix OWNER matrix; From f9968b6981448f21bf886d405dd0c4d32dc75164 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 21:22:58 +0200 Subject: [PATCH 1812/2384] Fix matrix_postgres_connection_password length check --- CHANGELOG.md | 2 +- roles/matrix-postgres/tasks/validate_config.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e8e82899..f3c821f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,7 +32,7 @@ To migrate to the new setup, expect a few minutes of downtime, while you follow 1. We believe the steps below are safe and you won't encounter any data loss, but consider [making a Postgres backup](docs/maintenance-postgres.md#backing-up-postgresql) anyway. If you've never backed up Postgres, now would be a good time to try it. -2. Generate a strong password to be used for your superuser Postgres user (called `matrix`). You can use `pwgen -s 64 1` to generate it, or some other tool. +2. Generate a strong password to be used for your superuser Postgres user (called `matrix`). You can use `pwgen -s 64 1` to generate it, or some other tool. The **maximum length** for a Postgres password is 100 bytes (characters). Don't go crazy! 3. Update your playbook's `inventory/host_vars/matrix.DOMAIN/vars.yml` file, adding a line like this: ```yaml diff --git a/roles/matrix-postgres/tasks/validate_config.yml b/roles/matrix-postgres/tasks/validate_config.yml index 9158e926..eac4dd5b 100644 --- a/roles/matrix-postgres/tasks/validate_config.yml +++ b/roles/matrix-postgres/tasks/validate_config.yml @@ -36,4 +36,4 @@ - name: Fail if Postgres password length exceeded fail: msg: "The maximum `matrix_postgres_connection_password` length is 99 characters" - when: "matrix_postgres_connection_hostname|length > 99" + when: "matrix_postgres_connection_password|length > 99" From 0f64f4dc4bf22e236bc414e099fa8c644fa85caf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 22:05:48 +0200 Subject: [PATCH 1813/2384] Stop using + to mean "or newer" --- docs/prerequisites.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 28afeb94..f7db27f5 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -4,11 +4,11 @@ To install Matrix services using this Ansible playbook, you need: - (Recommended) An **x86** server running one of these operating systems: - **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)) - - **Debian** (9/Stretch+) - - **Ubuntu** (16.04+, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) + - **Debian** (9/Stretch or newer) + - **Ubuntu** (16.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) - **Archlinux** -We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. +Generally, newer is better. We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. This playbook somewhat supports running on non-`amd64` architectures like ARM. See [Alternative Architectures](alternative-architectures.md). From e502ee33da38502bbef0c65b833b823c553f14f2 Mon Sep 17 00:00:00 2001 From: Panagiotis Georgiadis Date: Fri, 22 Jan 2021 21:28:53 +0100 Subject: [PATCH 1814/2384] Selfbuild appservice-irc bridge --- docs/self-building.md | 2 ++ group_vars/matrix_servers | 2 ++ .../defaults/main.yml | 4 ++++ .../tasks/setup_install.yml | 20 +++++++++++++++++++ 4 files changed, 28 insertions(+) diff --git a/docs/self-building.md b/docs/self-building.md index da8c24b0..fb53f25f 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -18,6 +18,8 @@ List of roles where self-building the Docker image is currently possible: - `matrix-corporal` - `matrix-ma1sd` - `matrix-mailer` +- `matrix-bridge-appservice-slack` +- `matrix-bridge-appservice-irc` - `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-hangouts` - `matrix-bridge-mautrix-telegram` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 42c2e3af..1d989c5d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -147,6 +147,8 @@ matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_ke # We don't enable bridges by default. matrix_appservice_irc_enabled: false +matrix_appservice_irc_container_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-irc's client-server port to the local host. diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 0b671e76..ba4e1e1b 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -3,6 +3,10 @@ matrix_appservice_irc_enabled: true +matrix_appservice_irc_container_self_build: false +matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" +matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" + matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:release-0.17.1" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 00568c0d..856cde1c 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -59,6 +59,26 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_appservice_irc_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_docker_image_force_pull }}" + when: "matrix_appservice_irc_enabled|bool and not matrix_appservice_irc_container_self_build|bool" + +- name: Ensure matrix-appservice-irc repository is present when self-building + git: + repo: "{{ matrix_appservice_irc_docker_repo }}" + dest: "{{ matrix_appservice_irc_docker_src_files_path }}" + force: "yes" + register: matrix_appservice_irc_git_pull_results + when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool" + +- name: Ensure matrix-appservice-irc Docker image is build + docker_image: + name: "{{ matrix_appservice_irc_docker_image }}" + source: build + force_source: yes + build: + dockerfile: Dockerfile + path: "{{ matrix_appservice_irc_docker_src_files_path }}" + pull: yes + when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool and matrix_appservice_irc_git_pull_results.changed" - name: Ensure Matrix Appservice IRC config installed copy: From 3051655d21403de36c0cdb4c5ef9a6b53802d5b5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 22:42:40 +0200 Subject: [PATCH 1815/2384] Ensure matrix_appservice_irc_docker_src_files_path created when self-building The git module will create it anyway, but that would likely use `root:root`. --- .../tasks/setup_install.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 856cde1c..09e1d4ba 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -2,15 +2,17 @@ - name: Ensure Appservice IRC paths exist file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - "{{ matrix_appservice_irc_base_path }}" - - "{{ matrix_appservice_irc_config_path }}" - - "{{ matrix_appservice_irc_data_path }}" + - { path: "{{ matrix_appservice_irc_base_path }}", when: true } + - { path: "{{ matrix_appservice_irc_config_path }}", when: true } + - { path: "{{ matrix_appservice_irc_data_path }}", when: true } + - { path: "{{ matrix_appservice_irc_docker_src_files_path }}", when: "{{ matrix_appservice_irc_container_self_build }}" } + when: item.when|bool - name: Check if an old passkey file already exists stat: From b61c8a7e72baebf503f066008e4b01dfc233049b Mon Sep 17 00:00:00 2001 From: Prasiddh Pooskur Date: Fri, 22 Jan 2021 16:38:27 -0800 Subject: [PATCH 1816/2384] fixed typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b195a7f8..17036a1e 100644 --- a/README.md +++ b/README.md @@ -170,7 +170,7 @@ This playbook sets up your server using the following Docker images: - [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) - the [Appservice Webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge (optional) -- [folivonet/matrix-sms-bridge](https://hub.docker.com/repository/docker/folivonet/matrix-sms-bridge) - the [matrix-sms-brdige](https://github.com/benkuly/matrix-sms-bridge) (optional) +- [folivonet/matrix-sms-bridge](https://hub.docker.com/repository/docker/folivonet/matrix-sms-bridge) - the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) (optional) - [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https://www.skype.com) (optional) From acf7866442ec32002269b7e90995becb120605db Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Jan 2021 09:23:49 +0200 Subject: [PATCH 1817/2384] Fix step number --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f3c821f4..2c8888f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,7 +53,7 @@ CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; .. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #2. -1. Execute the following queries as you see them (no modifications necessary, so you can just **paste them all at once**): +9. Execute the following queries as you see them (no modifications necessary, so you can just **paste them all at once**): ```sql CREATE DATABASE matrix OWNER matrix; From f085362149745626141d4154841c3306ed3b1a5f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Jan 2021 11:38:34 +0200 Subject: [PATCH 1818/2384] Fix some Postgres CLI scripts to target the correct database Fixes a regression introduced in 95346f3117f2a3a67a52. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/814 Using `matrix_synapse_` variables in the `matrix-postgres` role is not ideal, but.. this script belongs neither here, nor there. We'll have it be like that for now. --- .../templates/usr-local-bin/matrix-change-user-admin-status.j2 | 2 +- .../usr-local-bin/matrix-postgres-update-user-password-hash.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 index e9c76674..6c3082ef 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 @@ -16,4 +16,4 @@ docker run \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --network {{ matrix_docker_network }} \ {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" + psql -h {{ matrix_postgres_connection_hostname }} --dbname={{ matrix_synapse_database_database }} -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 index e546b2c5..0fbf4f21 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 @@ -13,4 +13,4 @@ docker run \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --network {{ matrix_docker_network }} \ {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'" + psql -h {{ matrix_postgres_connection_hostname }} --dbname={{ matrix_synapse_database_database }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'" From 1cd251ed7840791a24a29b7705d2a429bc9b84a9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Jan 2021 14:01:27 +0200 Subject: [PATCH 1819/2384] Don't delete Docker images which may have been pulled by another Some people run Coturn or Jitsi, etc., by themselves and disable it in the playbook. Because the playbook is trying to be nice and clean up after itself, it was deleting these Docker images. However, people wish to pull and use them separately and would rather they don't get deleted. We could make this configurable for the sake of this special case, but it's simpler to just avoid deleting these images. It's not like this "cleaning things up" thing works anyway. As time goes on, the playbook gets updated with newer image tags and we leave so many images behind. If one doesn't run `docker system prune -a` manually once in a while, they'd get swamped with images anyway. Whether we leave a few images behind due to the lack of this cleanup now is pretty much irrelevant. --- roles/matrix-coturn/tasks/setup_uninstall.yml | 6 ++---- roles/matrix-dynamic-dns/tasks/uninstall.yml | 3 +++ roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml | 7 ++----- roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 7 ++----- roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml | 7 ++----- roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 8 +++----- 6 files changed, 14 insertions(+), 24 deletions(-) diff --git a/roles/matrix-coturn/tasks/setup_uninstall.yml b/roles/matrix-coturn/tasks/setup_uninstall.yml index 99a7080e..4674903f 100644 --- a/roles/matrix-coturn/tasks/setup_uninstall.yml +++ b/roles/matrix-coturn/tasks/setup_uninstall.yml @@ -41,7 +41,5 @@ path: "{{ matrix_coturn_base_path }}" state: absent -- name: Ensure coturn Docker image doesn't exist - docker_image: - name: "{{ matrix_coturn_docker_image }}" - state: absent +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-dynamic-dns/tasks/uninstall.yml b/roles/matrix-dynamic-dns/tasks/uninstall.yml index 98dca0e8..f3caba25 100644 --- a/roles/matrix-dynamic-dns/tasks/uninstall.yml +++ b/roles/matrix-dynamic-dns/tasks/uninstall.yml @@ -22,3 +22,6 @@ service: daemon_reload: yes when: "matrix_dynamic_dns_service_stat.stat.exists" + +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml index 63da7fcf..dd2a7bd2 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml @@ -89,8 +89,5 @@ state: absent when: "not matrix_jitsi_enabled|bool" -- name: Ensure jitsi-jicofo Docker image doesn't exist - docker_image: - name: "{{ matrix_jitsi_jicofo_docker_image }}" - state: absent - when: "not matrix_jitsi_enabled|bool" +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml index e4c7f277..b73426db 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml @@ -89,8 +89,5 @@ state: absent when: "not matrix_jitsi_enabled|bool" -- name: Ensure jitsi-jvb Docker image doesn't exist - docker_image: - name: "{{ matrix_jitsi_jvb_docker_image }}" - state: absent - when: "not matrix_jitsi_enabled|bool" +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 66299f64..fd051fda 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -80,8 +80,5 @@ state: absent when: "not matrix_jitsi_enabled|bool" -- name: Ensure jitsi-prosody Docker image doesn't exist - docker_image: - name: "{{ matrix_jitsi_prosody_docker_image }}" - state: absent - when: "not matrix_jitsi_enabled|bool" +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index 3dd6f30c..2b8a2cd2 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -90,8 +90,6 @@ state: absent when: "not matrix_jitsi_enabled|bool" -- name: Ensure jitsi-web Docker image doesn't exist - docker_image: - name: "{{ matrix_jitsi_web_docker_image }}" - state: absent - when: "not matrix_jitsi_enabled|bool" +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. + From a2422c458a3a0d87e9a3b580821ab12dd36724e6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Jan 2021 14:04:51 +0200 Subject: [PATCH 1820/2384] Notify of remaining matrix-postgres local data in a better way --- roles/matrix-postgres/tasks/setup_postgres.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 518d1a5f..3f1d4fbe 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -155,9 +155,17 @@ when: "not matrix_postgres_enabled|bool" # We just want to notify the user. Deleting data is too destructive. -- name: Notify if matrix-postgres local data remains - debug: - msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it." + +- name: Inject warning if matrix-postgres local data remains + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it." + ] + }} when: "not matrix_postgres_enabled|bool and matrix_postgres_data_path_stat.stat.exists" - name: Remove Postgres scripts From a56cb34850ddf542948b914ad06636388d15c8d8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Jan 2021 14:14:45 +0200 Subject: [PATCH 1821/2384] Notify people if /matrix/postgres/data-auto-upgrade-backup exists --- .../matrix-postgres/tasks/setup_postgres.yml | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 3f1d4fbe..c072b2ea 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -120,6 +120,25 @@ - always when: "matrix_postgres_enabled|bool and matrix_postgres_additional_databases|length > 0" +- name: Check existence of matrix-postgres backup data path + stat: + path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup" + register: matrix_postgres_data_backup_path_stat + when: "matrix_postgres_enabled|bool" + +- name: Inject warning if backup data remains + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: You have some Postgres backup data in `{{ matrix_postgres_data_path }}-auto-upgrade-backup`, which was created during the last major Postgres update you ran. If your setup works well after this upgrade, feel free to delete this whole directory." + ] + }} + when: "matrix_postgres_enabled|bool and matrix_postgres_data_backup_path_stat.stat.exists" + + # # Tasks related to getting rid of the internal postgres server (if it was previously enabled) # @@ -155,7 +174,6 @@ when: "not matrix_postgres_enabled|bool" # We just want to notify the user. Deleting data is too destructive. - - name: Inject warning if matrix-postgres local data remains set_fact: matrix_playbook_runtime_results: | From f2c7d79238cd0f79544b9bc37442a9f5e889524c Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sat, 23 Jan 2021 14:06:25 +0100 Subject: [PATCH 1822/2384] Drop probably incorrect comment from synapse homeserver.yaml.j2 --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 8c6f5cb4..b6a7a5e2 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -265,7 +265,6 @@ start_pushers: false update_user_directory: false {% endif %} -# rather let systemd handle the forking daemonize: false {% endif %} From c8f051a42dabb12a404e47054a7ba0076e50cb4a Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sat, 23 Jan 2021 14:34:41 +0100 Subject: [PATCH 1823/2384] Track workers endpoint list in repo instead of regenerating on user side --- .gitignore | 2 - .../files/workers-doc-to-yaml.sh | 6 + .../tasks/workers/setup_install.yml | 16 - roles/matrix-synapse/vars/workers.yml | 308 ++++++++++++++++++ 4 files changed, 314 insertions(+), 18 deletions(-) create mode 100755 roles/matrix-synapse/files/workers-doc-to-yaml.sh create mode 100644 roles/matrix-synapse/vars/workers.yml diff --git a/.gitignore b/.gitignore index c5279a46..36c65bda 100644 --- a/.gitignore +++ b/.gitignore @@ -3,7 +3,5 @@ !/inventory/host_vars/.gitkeep !/inventory/scripts /roles/*/files/scratchpad -/roles/matrix-synapse/files/workers.upstream-documentation.md -/roles/matrix-synapse/vars/workers.yml .DS_Store .python-version diff --git a/roles/matrix-synapse/files/workers-doc-to-yaml.sh b/roles/matrix-synapse/files/workers-doc-to-yaml.sh new file mode 100755 index 00000000..5981523b --- /dev/null +++ b/roles/matrix-synapse/files/workers-doc-to-yaml.sh @@ -0,0 +1,6 @@ +#!/bin/sh +# Fetch the synapse worker documentation and extract endpoint URLs +# matrix-org/synapse master branch points to current stable release + +URL=https://github.com/matrix-org/synapse/raw/master/docs/workers.md +curl -L ${URL} | awk -f workers-doc-to-yaml.awk > ../vars/workers.yml diff --git a/roles/matrix-synapse/tasks/workers/setup_install.yml b/roles/matrix-synapse/tasks/workers/setup_install.yml index 6cd7ae42..947dcd55 100644 --- a/roles/matrix-synapse/tasks/workers/setup_install.yml +++ b/roles/matrix-synapse/tasks/workers/setup_install.yml @@ -1,21 +1,5 @@ --- -- name: Download synapse workers doc - local_action: - module: get_url - url: https://github.com/matrix-org/synapse/raw/master/docs/workers.md - dest: "{{ role_path }}/files/workers.upstream-documentation.md" - vars: - ansible_become: no - -- name: Download synapse workers doc and convert into YAML - local_action: - module: shell - cmd: "awk -f '{{ role_path }}/files/workers-doc-to-yaml.awk' -- '{{ role_path }}/files/workers.upstream-documentation.md' > '{{ role_path }}/vars/workers.yml'" - creates: "{{ role_path }}/vars/workers.yml" - vars: - ansible_become: no - - name: Load list of available worker apps and endpoints include_vars: "{{ role_path }}/vars/workers.yml" diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml new file mode 100644 index 00000000..9dc79360 --- /dev/null +++ b/roles/matrix-synapse/vars/workers.yml @@ -0,0 +1,308 @@ +--- + +matrix_synapse_workers_generic_worker_endpoints: + # This worker can handle API requests matching the following regular + # expressions: + + # Sync requests + - ^/_matrix/client/(v2_alpha|r0)/sync$ + - ^/_matrix/client/(api/v1|v2_alpha|r0)/events$ + - ^/_matrix/client/(api/v1|r0)/initialSync$ + - ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ + + # Federation requests + - ^/_matrix/federation/v1/event/ + - ^/_matrix/federation/v1/state/ + - ^/_matrix/federation/v1/state_ids/ + - ^/_matrix/federation/v1/backfill/ + - ^/_matrix/federation/v1/get_missing_events/ + - ^/_matrix/federation/v1/publicRooms + - ^/_matrix/federation/v1/query/ + - ^/_matrix/federation/v1/make_join/ + - ^/_matrix/federation/v1/make_leave/ + - ^/_matrix/federation/v1/send_join/ + - ^/_matrix/federation/v2/send_join/ + - ^/_matrix/federation/v1/send_leave/ + - ^/_matrix/federation/v2/send_leave/ + - ^/_matrix/federation/v1/invite/ + - ^/_matrix/federation/v2/invite/ + - ^/_matrix/federation/v1/query_auth/ + - ^/_matrix/federation/v1/event_auth/ + - ^/_matrix/federation/v1/exchange_third_party_invite/ + - ^/_matrix/federation/v1/user/devices/ + - ^/_matrix/federation/v1/get_groups_publicised$ + - ^/_matrix/key/v2/query + + # Inbound federation transaction request + - ^/_matrix/federation/v1/send/ + + # Client API requests + - ^/_matrix/client/(api/v1|r0|unstable)/publicRooms$ + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members$ + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$ + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$ + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$ + - ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$ + - ^/_matrix/client/(api/v1|r0|unstable)/keys/query$ + - ^/_matrix/client/(api/v1|r0|unstable)/keys/changes$ + - ^/_matrix/client/versions$ + - ^/_matrix/client/(api/v1|r0|unstable)/voip/turnServer$ + - ^/_matrix/client/(api/v1|r0|unstable)/joined_groups$ + - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$ + - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/ + - ^/_synapse/client/password_reset/email/submit_token$ + + # Registration/login requests + - ^/_matrix/client/(api/v1|r0|unstable)/login$ + - ^/_matrix/client/(r0|unstable)/register$ + # FIXME: possible bug with SSO and multiple generic workers + # see https://github.com/matrix-org/synapse/issues/7530 + # ^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$ + + # Event sending requests + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/redact + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/ + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ + - ^/_matrix/client/(api/v1|r0|unstable)/join/ + - ^/_matrix/client/(api/v1|r0|unstable)/profile/ + + + # Additionally, the following REST endpoints can be handled for GET requests: + + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_matrix/federation/v1/groups/ + + # Pagination requests can also be handled, but all requests for a given + # room must be routed to the same instance. Additionally, care must be taken to + # ensure that the purge history admin API is not used while pagination requests + # for the room are in flight: + + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/messages$ + + # Additionally, the following endpoints should be included if Synapse is configured + # to use SSO (you only need to include the ones for whichever SSO provider you're + # using): + + # OpenID Connect requests. + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_matrix/client/(api/v1|r0|unstable)/login/sso/redirect$ + # ^/_synapse/oidc/callback$ + + # SAML requests. + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_matrix/client/(api/v1|r0|unstable)/login/sso/redirect$ + # ^/_matrix/saml2/authn_response$ + + # CAS requests. + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_matrix/client/(api/v1|r0|unstable)/login/(cas|sso)/redirect$ + # ^/_matrix/client/(api/v1|r0|unstable)/login/cas/ticket$ + + # Note that a HTTP listener with `client` and `federation` resources must be + # configured in the `worker_listeners` option in the worker config. + + # Ensure that all SSO logins go to a single process (usually the main process). + # For multiple workers not handling the SSO endpoints properly, see + # [#7530](https://github.com/matrix-org/synapse/issues/7530). + + # #### Load balancing + + # It is possible to run multiple instances of this worker app, with incoming requests + # being load-balanced between them by the reverse-proxy. However, different endpoints + # have different characteristics and so admins + # may wish to run multiple groups of workers handling different endpoints so that + # load balancing can be done in different ways. + + # For `/sync` and `/initialSync` requests it will be more efficient if all + # requests from a particular user are routed to a single instance. Extracting a + # user ID from the access token or `Authorization` header is currently left as an + # exercise for the reader. Admins may additionally wish to separate out `/sync` + # requests that have a `since` query parameter from those that don't (and + # `/initialSync`), as requests that don't are known as "initial sync" that happens + # when a user logs in on a new device and can be *very* resource intensive, so + # isolating these requests will stop them from interfering with other users ongoing + # syncs. + + # Federation and client requests can be balanced via simple round robin. + + # The inbound federation transaction request `^/_matrix/federation/v1/send/` + # should be balanced by source IP so that transactions from the same remote server + # go to the same process. + + # Registration/login requests can be handled separately purely to help ensure that + # unexpected load doesn't affect new logins and sign ups. + + # Finally, event sending requests can be balanced by the room ID in the URI (or + # the full URI, or even just round robin), the room ID is the path component after + # `/rooms/`. If there is a large bridge connected that is sending or may send lots + # of events, then a dedicated set of workers can be provisioned to limit the + # effects of bursts of events from that bridge on events sent by normal users. + + # #### Stream writers + + # Additionally, there is *experimental* support for moving writing of specific + # streams (such as events) off of the main process to a particular worker. (This + # is only supported with Redis-based replication.) + + # Currently supported streams are `events` and `typing`. + + # To enable this, the worker must have a HTTP replication listener configured, + # have a `worker_name` and be listed in the `instance_map` config. For example to + # move event persistence off to a dedicated worker, the shared configuration would + # include: + + # ```yaml + # instance_map: + # event_persister1: + # host: localhost + # port: 8034 + + # stream_writers: + # events: event_persister1 + # ``` + + # The `events` stream also experimentally supports having multiple writers, where + # work is sharded between them by room ID. Note that you *must* restart all worker + # instances when adding or removing event persisters. An example `stream_writers` + # configuration with multiple writers: + + # ```yaml + # stream_writers: + # events: + # - event_persister1 + # - event_persister2 + # ``` + + # #### Background tasks + + # There is also *experimental* support for moving background tasks to a separate + # worker. Background tasks are run periodically or started via replication. Exactly + # which tasks are configured to run depends on your Synapse configuration (e.g. if + # stats is enabled). + + # To enable this, the worker must have a `worker_name` and can be configured to run + # background tasks. For example, to move background tasks to a dedicated worker, + # the shared configuration would include: + + # ```yaml + # run_background_tasks_on: background_worker + # ``` + + # You might also wish to investigate the `update_user_directory` and + # `media_instance_running_background_jobs` settings. + +# pusher worker (no API endpoints) [ + # Handles sending push notifications to sygnal and email. Doesn't handle any + # REST endpoints itself, but you should set `start_pushers: False` in the + # shared configuration file to stop the main synapse sending push notifications. + + # Note this worker cannot be load-balanced: only one instance should be active. +# ] + +# appservice worker (no API endpoints) [ + # Handles sending output traffic to Application Services. Doesn't handle any + # REST endpoints itself, but you should set `notify_appservices: False` in the + # shared configuration file to stop the main synapse sending appservice notifications. + + # Note this worker cannot be load-balanced: only one instance should be active. + +# ] + +# federation_sender worker (no API endpoints) [ + # Handles sending federation traffic to other servers. Doesn't handle any + # REST endpoints itself, but you should set `send_federation: False` in the + # shared configuration file to stop the main synapse sending this traffic. + + # If running multiple federation senders then you must list each + # instance in the `federation_sender_instances` option by their `worker_name`. + # All instances must be stopped and started when adding or removing instances. + # For example: + + # ```yaml + # federation_sender_instances: + # - federation_sender1 + # - federation_sender2 + # ``` +# ] + +matrix_synapse_workers_media_repository_endpoints: + # Handles the media repository. It can handle all endpoints starting with: + + - ^/_matrix/media/ + + # ... and the following regular expressions matching media-specific administration APIs: + + - ^/_synapse/admin/v1/purge_media_cache$ + - ^/_synapse/admin/v1/room/.*/media.*$ + - ^/_synapse/admin/v1/user/.*/media.*$ + - ^/_synapse/admin/v1/media/.*$ + - ^/_synapse/admin/v1/quarantine_media/.*$ + + # You should also set `enable_media_repo: False` in the shared configuration + # file to stop the main synapse running background jobs related to managing the + # media repository. + + # In the `media_repository` worker configuration file, configure the http listener to + # expose the `media` resource. For example: + + # ```yaml + # worker_listeners: + # - type: http + # port: 8085 + # resources: + # - names: + # - media + # ``` + + # Note that if running multiple media repositories they must be on the same server + # and you must configure a single instance to run the background tasks, e.g.: + + # ```yaml + # media_instance_running_background_jobs: "media-repository-1" + # ``` + + # Note that if a reverse proxy is used , then `/_matrix/media/` must be routed for both inbound client and federation requests (if they are handled separately). + +matrix_synapse_workers_user_dir_endpoints: + # Handles searches in the user directory. It can handle REST endpoints matching + # the following regular expressions: + + - ^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$ + + # When using this worker you must also set `update_user_directory: False` in the + # shared configuration file to stop the main synapse running background + # jobs related to updating the user directory. + +matrix_synapse_workers_frontend_proxy_endpoints: + # Proxies some frequently-requested client endpoints to add caching and remove + # load from the main synapse. It can handle REST endpoints matching the following + # regular expressions: + + - ^/_matrix/client/(api/v1|r0|unstable)/keys/upload + + # If `use_presence` is False in the homeserver config, it can also handle REST + # endpoints matching the following regular expressions: + + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status + + # This "stub" presence handler will pass through `GET` request but make the + # `PUT` effectively a no-op. + + # It will proxy any requests it cannot handle to the main synapse instance. It + # must therefore be configured with the location of the main instance, via + # the `worker_main_http_uri` setting in the `frontend_proxy` worker configuration + # file. For example: + + # worker_main_http_uri: http://127.0.0.1:8008 + +matrix_synapse_workers_avail_list: + - appservice + - federation_sender + - frontend_proxy + - generic_worker + - media_repository + - pusher + - user_dir From edc21f15e575e9d40c96e67757e8f8a18722bc0e Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sun, 24 Jan 2021 08:53:09 +0100 Subject: [PATCH 1824/2384] Restrict publishing worker (metrics) ports to localhost --- .../templates/synapse/systemd/matrix-synapse.service.j2 | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index a88bb366..3bf51b6f 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -47,14 +47,15 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {% endif %} {% for worker in matrix_synapse_workers_enabled_list %} {% if matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled|default(False) %} - {# Expose worker ports (by default 18xxx range) on host if not using internal nginx proxy #} + {# Expose worker ports (by default in 18xxx range) on localhost, f.e. when using + an external reverse proxy outside the matrix docker network #} {% if worker.port != 0 %} - -p {{ worker.port }}:{{ worker.port }} \ + -p 127.0.0.1:{{ worker.port }}:{{ worker.port }} \ {% endif %} {% endif %} - {# Expose worker metrics ports on host if defined #} + {# Expose worker metrics ports on localhost #} {% if worker.metrics_port != 0 %} - -p {{ worker.metrics_port }}:{{ worker.metrics_port }} \ + -p 127.0.0.1:{{ worker.metrics_port }}:{{ worker.metrics_port }} \ {% endif %} {% endfor %} --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \ From 07c7afb8617713b372ef0bce792694747ea94bb6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 24 Jan 2021 10:04:30 +0200 Subject: [PATCH 1825/2384] Make README more tidy --- README.md | 120 +++------------------------------------ docs/container-images.md | 85 +++++++++++++++++++++++++++ docs/faq.md | 27 +++++++++ 3 files changed, 121 insertions(+), 111 deletions(-) create mode 100644 docs/container-images.md diff --git a/README.md b/README.md index 17036a1e..93c022d9 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,16 @@ ## Purpose -This Ansible playbook is meant to easily let you run your own [Matrix](http://matrix.org/) homeserver. +This [Ansible](https://www.ansible.com/) playbook is meant to help you run your own [Matrix](http://matrix.org/) homeserver, along with the [various services](#supported-services) related to that. -That is, it lets you join the Matrix network with your own `@:` identifier, all hosted on your own server. +That is, it lets you join the Matrix network using your own `@:` identifier, all hosted on your own server (see [prerequisites](docs/prerequisites.md)). + +We run all services in [Docker](https://www.docker.com/) containers (see [the container images we use](docs/container-images.md)), which lets us have a predictable and up-to-date setup, across multiple supported distros (see [prerequisites](docs/prerequisites.md)) and [architectures](docs/alternative-architectures.md) (x86/amd64 being recommended). + +[Installation](docs/README.md) (upgrades) and some maintenance tasks are automated using [Ansible](https://www.ansible.com/) (see [our Ansible guide](docs/ansible.md)). + + +## Supported services Using this playbook, you can get the following services configured on your server: @@ -85,33 +92,6 @@ Sticking with the defaults (which install a subset of the above components) is t You can always re-run the playbook later to add or remove components. -## What's different about this Ansible playbook? - -This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) Ansible deployment, but: - -- this one is a complete Ansible playbook (instead of just a role), so it's **easier to run** - especially for folks not familiar with Ansible - -- this one installs and hooks together **a lot more Matrix-related services** for you (see above) - -- this one **can be executed more than once** without causing trouble - -- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+), **Archlinux** - -- this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place - -- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up nginx for you there, but you can also [use your own webserver](docs/configuring-playbook-own-webserver.md) - -- this one **runs everything in Docker containers**, so it's likely more predictable and less fragile (see [Docker images used by this playbook](#docker-images-used-by-this-playbook)) - -- this one retrieves and automatically renews free [Let's Encrypt](https://letsencrypt.org/) **SSL certificates** for you - -- this one optionally can store the `media_store` content repository files on [Amazon S3](https://aws.amazon.com/s3/) (but defaults to storing files on the server's filesystem) - -- this one optionally **allows you to use an external PostgreSQL server** for Synapse's database (but defaults to running one in a container) - -- helps you **import data from a previous installation** (so you can migrate your manual virtualenv/Docker setup to a more managed one) - - ## Installation To configure and install Matrix on your own server, follow the [README in the docs/ directory](docs/README.md). @@ -124,88 +104,6 @@ This playbook evolves over time, sometimes with backward-incompatible changes. When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up with what's new. -## Docker images used by this playbook - -This playbook sets up your server using the following Docker images: - -- [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Synapse](https://github.com/matrix-org/synapse) Matrix homeserver (optional) - -- [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) - -- [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional) - -- [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional) - -- [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional) - -- [ewoutp/goofys](https://hub.docker.com/r/ewoutp/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) - -- [devture/exim-relay](https://hub.docker.com/r/devture/exim-relay/) - the [Exim](https://www.exim.org/) email server (optional) - -- [devture/email2matrix](https://hub.docker.com/r/devture/email2matrix/) - the [Email2Matrix](https://github.com/devture/email2matrix) email server, which can relay email messages to Matrix rooms (optional) - -- [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal/) - [Matrix Corporal](https://github.com/devture/matrix-corporal): reconciliator and gateway for a managed Matrix server (optional) - -- [zeratax/matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) - [matrix-registration](https://github.com/ZerataX/matrix-registration): a simple python application to have a token based matrix registration (optional) - -- [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional) - -- [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) - the [certbot](https://certbot.eff.org/) tool for obtaining SSL certificates from [Let's Encrypt](https://letsencrypt.org/) (optional) - -- [tulir/mautrix-telegram](https://mau.dev/tulir/mautrix-telegram/container_registry) - the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge to [Telegram](https://telegram.org/) (optional) - -- [tulir/mautrix-whatsapp](https://mau.dev/tulir/mautrix-whatsapp/container_registry) - the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional) - -- [tulir/mautrix-facebook](https://mau.dev/tulir/mautrix-facebook/container_registry) - the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge to [Facebook](https://facebook.com/) (optional) - -- [tulir/mautrix-hangouts](https://mau.dev/tulir/mautrix-hangouts/container_registry) - the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) - -- [tulir/mautrix-signal](https://mau.dev/tulir/mautrix-signal/container_registry) - the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge to [Signal](https://www.signal.org/) (optional) - -- [matrixdotorg/matrix-appservice-irc](https://hub.docker.com/r/matrixdotorg/matrix-appservice-irc) - the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional) - -- [halfshot/matrix-appservice-discord](https://hub.docker.com/r/halfshot/matrix-appservice-discord) - the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge to [Discord](https://discordapp.com/) (optional) - -- [cadair/matrix-appservice-slack](https://hub.docker.com/r/cadair/matrix-appservice-slack) - the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge to [Slack](https://slack.com/) (optional) - -- [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) - the [Appservice Webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge (optional) - -- [folivonet/matrix-sms-bridge](https://hub.docker.com/repository/docker/folivonet/matrix-sms-bridge) - the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) (optional) - -- [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https://www.skype.com) (optional) - -- [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https://slack.com) (optional) - -- [sorunome/mx-puppet-instagram](https://hub.docker.com/r/sorunome/mx-puppet-instagram) - the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge to [Instagram](https://www.instagram.com) (optional) - -- [sorunome/mx-puppet-twitter](https://hub.docker.com/r/sorunome/mx-puppet-twitter) - the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge to [Twitter](https://twitter.com) (optional) - -- [sorunome/mx-puppet-discord](https://hub.docker.com/r/sorunome/mx-puppet-discord) - the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge to [Discord](https://discordapp.com) (optional) - -- [icewind1991/mx-puppet-steam](https://hub.docker.com/r/icewind1991/mx-puppet-steam) - the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge to [Steam](https://steampowered.com) (optional) - -- [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) - -- [jitsi/web](https://hub.docker.com/r/jitsi/web) - the [Jitsi](https://jitsi.org/) web UI (optional) - -- [jitsi/jicofo](https://hub.docker.com/r/jitsi/jicofo) - the [Jitsi](https://jitsi.org/) Focus component (optional) - -- [jitsi/prosody](https://hub.docker.com/r/jitsi/prosody) - the [Jitsi](https://jitsi.org/) Prosody XMPP server component (optional) - -- [jitsi/jvb](https://hub.docker.com/r/jitsi/jvb) - the [Jitsi](https://jitsi.org/) Video Bridge component (optional) - -- [anoa/matrix-reminder-bot](https://hub.docker.com/r/anoa/matrix-reminder-bot) - the [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) bot for one-off & recurring reminders and alarms (optional) - -- [awesometechnologies/synapse-admin](https://hub.docker.com/r/awesometechnologies/synapse-admin) - the [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) web UI tool for administrating users and rooms on your Matrix server (optional) - - -## Deficiencies - -This Ansible playbook can be improved in the following ways: - -- setting up automatic backups to one or more storage providers - - ## Support - Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) diff --git a/docs/container-images.md b/docs/container-images.md new file mode 100644 index 00000000..33cfa727 --- /dev/null +++ b/docs/container-images.md @@ -0,0 +1,85 @@ +# Container Images used by the playbook + +This page summarizes the container ([Docker](https://www.docker.com/)) images used by the playbook when setting up your server. + +We try to stick to official images (provided by their respective projects) as much as possible. + + +## Container images used by default + +These services are enabled and used by default, but you can turn them off, if you wish. + +- [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Synapse](https://github.com/matrix-org/synapse) Matrix homeserver (optional) + +- [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) + +- [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional) + +- [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional) + +- [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional) + +- [devture/exim-relay](https://hub.docker.com/r/devture/exim-relay/) - the [Exim](https://www.exim.org/) email server (optional) + +- [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional) + +- [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) - the [certbot](https://certbot.eff.org/) tool for obtaining SSL certificates from [Let's Encrypt](https://letsencrypt.org/) (optional) + + +## Optional other container images we may use + +These services are not part of our default installation, but can be enabled by [configuring the playbook](configuring-playbook.md) (either before the initial installation or any time later): + +- [ewoutp/goofys](https://hub.docker.com/r/ewoutp/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) + +- [devture/email2matrix](https://hub.docker.com/r/devture/email2matrix/) - the [Email2Matrix](https://github.com/devture/email2matrix) email server, which can relay email messages to Matrix rooms (optional) + +- [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal/) - [Matrix Corporal](https://github.com/devture/matrix-corporal): reconciliator and gateway for a managed Matrix server (optional) + +- [zeratax/matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) - [matrix-registration](https://github.com/ZerataX/matrix-registration): a simple python application to have a token based matrix registration (optional) + +- [tulir/mautrix-telegram](https://mau.dev/tulir/mautrix-telegram/container_registry) - the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge to [Telegram](https://telegram.org/) (optional) + +- [tulir/mautrix-whatsapp](https://mau.dev/tulir/mautrix-whatsapp/container_registry) - the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional) + +- [tulir/mautrix-facebook](https://mau.dev/tulir/mautrix-facebook/container_registry) - the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge to [Facebook](https://facebook.com/) (optional) + +- [tulir/mautrix-hangouts](https://mau.dev/tulir/mautrix-hangouts/container_registry) - the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) + +- [tulir/mautrix-signal](https://mau.dev/tulir/mautrix-signal/container_registry) - the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge to [Signal](https://www.signal.org/) (optional) + +- [matrixdotorg/matrix-appservice-irc](https://hub.docker.com/r/matrixdotorg/matrix-appservice-irc) - the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional) + +- [halfshot/matrix-appservice-discord](https://hub.docker.com/r/halfshot/matrix-appservice-discord) - the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge to [Discord](https://discordapp.com/) (optional) + +- [cadair/matrix-appservice-slack](https://hub.docker.com/r/cadair/matrix-appservice-slack) - the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge to [Slack](https://slack.com/) (optional) + +- [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) - the [Appservice Webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge (optional) + +- [folivonet/matrix-sms-bridge](https://hub.docker.com/repository/docker/folivonet/matrix-sms-bridge) - the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) (optional) + +- [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https://www.skype.com) (optional) + +- [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https://slack.com) (optional) + +- [sorunome/mx-puppet-instagram](https://hub.docker.com/r/sorunome/mx-puppet-instagram) - the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge to [Instagram](https://www.instagram.com) (optional) + +- [sorunome/mx-puppet-twitter](https://hub.docker.com/r/sorunome/mx-puppet-twitter) - the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge to [Twitter](https://twitter.com) (optional) + +- [sorunome/mx-puppet-discord](https://hub.docker.com/r/sorunome/mx-puppet-discord) - the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge to [Discord](https://discordapp.com) (optional) + +- [icewind1991/mx-puppet-steam](https://hub.docker.com/r/icewind1991/mx-puppet-steam) - the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge to [Steam](https://steampowered.com) (optional) + +- [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) + +- [jitsi/web](https://hub.docker.com/r/jitsi/web) - the [Jitsi](https://jitsi.org/) web UI (optional) + +- [jitsi/jicofo](https://hub.docker.com/r/jitsi/jicofo) - the [Jitsi](https://jitsi.org/) Focus component (optional) + +- [jitsi/prosody](https://hub.docker.com/r/jitsi/prosody) - the [Jitsi](https://jitsi.org/) Prosody XMPP server component (optional) + +- [jitsi/jvb](https://hub.docker.com/r/jitsi/jvb) - the [Jitsi](https://jitsi.org/) Video Bridge component (optional) + +- [anoa/matrix-reminder-bot](https://hub.docker.com/r/anoa/matrix-reminder-bot) - the [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) bot for one-off & recurring reminders and alarms (optional) + +- [awesometechnologies/synapse-admin](https://hub.docker.com/r/awesometechnologies/synapse-admin) - the [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) web UI tool for administrating users and rooms on your Matrix server (optional) diff --git a/docs/faq.md b/docs/faq.md index 4e63784b..fcdc7e8c 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -111,6 +111,33 @@ Besides Synapse, you'd need other things - a Postgres database, likely the [Elem Using the playbook, you get all these components in a way that works well together out of the box. +### What's different about this Ansible playbook compared to [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy)? + +This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EMnify/matrix-synapse-auto-deploy) Ansible deployment, but: + +- this one is a complete Ansible playbook (instead of just a role), so it's **easier to run** - especially for folks not familiar with Ansible + +- this one installs and hooks together **a lot more Matrix-related services** for you (see above) + +- this one **can be executed more than once** without causing trouble + +- works on various distros: **CentOS** (7.0+), Debian-based distributions (**Debian** 9/Stretch+, **Ubuntu** 16.04+), **Archlinux** + +- this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place + +- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up nginx for you there, but you can also [use your own webserver](configuring-playbook-own-webserver.md) + +- this one **runs everything in Docker containers**, so it's likely more predictable and less fragile (see [Docker images used by this playbook](container-images.md)) + +- this one retrieves and automatically renews free [Let's Encrypt](https://letsencrypt.org/) **SSL certificates** for you + +- this one optionally can store the `media_store` content repository files on [Amazon S3](https://aws.amazon.com/s3/) (but defaults to storing files on the server's filesystem) + +- this one optionally **allows you to use an external PostgreSQL server** for Synapse's database (but defaults to running one in a container) + +- helps you **import data from a previous installation** (so you can migrate your manual virtualenv/Docker setup to a more managed one) + +- this one is actually **maintained** ## Server-related From 9b5daf54f04776e00930f58a63974e2790e198ff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 24 Jan 2021 10:08:11 +0200 Subject: [PATCH 1826/2384] Fix wording a bit --- docs/alternative-architectures.md | 2 +- docs/self-building.md | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index 7a3e35eb..80749adf 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md @@ -21,6 +21,6 @@ matrix_architecture: "arm32" ## Implementation details -For `amd64`, prebuilt images are used everywhere (because all images are available for this architecture). +For `amd64`, prebuilt container images (see the [container images we use](container-images.md)) are used everywhere, because all images are available for this architecture. For other architectures, components which have a prebuilt image make use of it. If the component is not available for the specific architecture, [self-building](self-building.md) will be used. Not all components support self-building though, so your mileage may vary. diff --git a/docs/self-building.md b/docs/self-building.md index 31b7a5ef..0d41e419 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -2,13 +2,14 @@ **Caution: self-building does not have to be used on its own. See the [Alternative Architectures](alternative-architectures.md) page.** -The playbook supports the self-building of various components, which don't have a container image for your architecture. For `amd64`, self-building is not required. +The playbook supports self-building of various components, which don't have a container image for your architecture (see the [container images we use](container-images.md)). For `amd64`, self-building is not required. For other architectures (e.g. `arm32`, `arm64`), ready-made container images are used when available. If there's no ready-made image for a specific component and said component supports self-building, an image will be built on the host. Building images like this takes more time and resources (some build tools need to get installed by the playbook to assist building). -To make use of self-building, you don't need to do anything besides change your architecture variable (e.g. `matrix_architecture: arm64`). If a component has an image for the specified architecture, the playbook will use it. If not, it will build the image. +To make use of self-building, you don't need to do anything besides change your architecture variable (e.g. `matrix_architecture: arm64`). If a component has an image for the specified architecture, the playbook will use it directly. If not, it will build the image on the server itself. Note that **not all components support self-building yet**. + List of roles where self-building the Docker image is currently possible: - `matrix-synapse` - `matrix-synapse-admin` From 67fab21d7e6d5739a6b3f7e05b58a615173125d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?T=2E=20K=C3=BCchel?= Date: Sun, 24 Jan 2021 12:31:07 +0000 Subject: [PATCH 1827/2384] Update CHANGELOG.md propose explicit showing single quotes around the password, since I forgot to put them there. --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c8888f2..5ce03e79 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -36,7 +36,7 @@ To migrate to the new setup, expect a few minutes of downtime, while you follow 3. Update your playbook's `inventory/host_vars/matrix.DOMAIN/vars.yml` file, adding a line like this: ```yaml -matrix_postgres_connection_password: YOUR_POSTGRES_PASSWORD_HERE +matrix_postgres_connection_password: 'YOUR_POSTGRES_PASSWORD_HERE' ``` .. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #2. From 8fa913dca7cd98eb77845b2b425f1943497e8453 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 24 Jan 2021 19:11:28 +0200 Subject: [PATCH 1828/2384] Fix Ansible warning --- roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index b976923f..f0b14327 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -55,7 +55,7 @@ file: path: "{{ matrix_systemd_path }}/{{ item.name }}" state: absent - when: "{{ not item.applicable }}" + when: "not item.applicable|bool" with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" - name: Ensure Let's Encrypt SSL renewal script removed From 92ee3d78a05dd52eacffae287c3ab3145ef780ae Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 24 Jan 2021 19:42:32 +0200 Subject: [PATCH 1829/2384] Fix matrix-remove-all for when Synapse workers are enabled --- .../usr-local-bin/matrix-remove-all.j2 | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 index 2a647aba..699d26ad 100644 --- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 @@ -15,11 +15,26 @@ if [ "$sure" != "Yes, I really want to remove everything!" ]; then exit 0 else echo "Stop and remove matrix services" - for s in $(find {{ matrix_systemd_path }}/ -name "matrix-*" -printf "%f\n"); do + + # Look for and stop services, avoiding things like + # 'matrix-synapse-worker@.service' (just a template for instantiated services; can't stop it directly). + # We use '-xtype f' and not '-type f', because we wish to match symlinks like this: + # '/etc/systemd/system/matrix-synapse.service.wants/matrix-synapse-worker@generic_worker:18111.service' + # and stop these instantiated services as well. + for s in $(find {{ matrix_systemd_path }}/ -xtype f -name "matrix-*" -printf "%f\n" | grep -v '@.service' | uniq); do systemctl stop $s + done + + # Get rid of regular service files, as well as symlinks like + # '/etc/systemd/system/matrix-synapse.service.wants/matrix-synapse-worker@generic_worker:18111.service' + # and even + # '/etc/systemd/system/multi-user.target.wants/matrix-synapse.service'. + for s in $(find {{ matrix_systemd_path }}/ -xtype f -name "matrix-*" -printf "%p\n"); do rm -f {{ matrix_systemd_path }}/$s done + systemctl daemon-reload + echo "Remove matrix scripts" find {{ matrix_local_bin_path }}/ -name "matrix-*" -delete echo "Remove unused Docker images and resources" From cc5cf0d7257ed093abad322fe842d235eaf8b4c5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 24 Jan 2021 20:17:10 +0200 Subject: [PATCH 1830/2384] Load roles/matrix-synapse/vars/workers.yml earlier to not break --tags=setup-nginx-proxy If we load it at runtime, during matrix-synapse role execution, it's good enough for matrix-synapse and all roles after that, but.. it breaks when someone uses `--tags=setup-nginx-proxy` alone. The downside of including this vars file like this in `setup.yml` is that the variables contained in it cannot be overriden by the user (in their inventory's `vars.yml`). ... but it's not like overriding these variables was possible anyway when including them at runtime. --- roles/matrix-synapse/tasks/workers/setup_install.yml | 3 --- setup.yml | 3 +++ 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-synapse/tasks/workers/setup_install.yml b/roles/matrix-synapse/tasks/workers/setup_install.yml index 947dcd55..33ddb0b9 100644 --- a/roles/matrix-synapse/tasks/workers/setup_install.yml +++ b/roles/matrix-synapse/tasks/workers/setup_install.yml @@ -1,8 +1,5 @@ --- -- name: Load list of available worker apps and endpoints - include_vars: "{{ role_path }}/vars/workers.yml" - - name: Ensure synapse worker base service file installed template: src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse-worker@.service.j2" diff --git a/setup.yml b/setup.yml index 1f883243..d277b912 100755 --- a/setup.yml +++ b/setup.yml @@ -3,6 +3,9 @@ hosts: "{{ target if target is defined else 'matrix_servers' }}" become: true + vars_files: + - roles/matrix-synapse/vars/workers.yml + roles: - matrix-base - matrix-dynamic-dns From 5ca68210cdda7c7302da52fa1ae7c457cbbb857b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 24 Jan 2021 22:18:31 +0200 Subject: [PATCH 1831/2384] Do not handle /_matrix/federation on client-server port, nor /_matrix/client stuff on federation port I guess it didn't hurt to do it until now, but it's not great serving federation APIs on the client-server API port, etc. matrix-corporal doesn't work yet (still something to be solved in the future), but its firewalling operations will also be sabotaged by Client-Server APIs being served on the federation port (it's a way to get around its firewalling). --- group_vars/matrix_servers | 5 ++-- roles/matrix-nginx-proxy/defaults/main.yml | 3 ++- .../nginx/conf.d/matrix-synapse.conf.j2 | 5 ++-- roles/matrix-synapse/vars/main.yml | 25 +++++++++++++++++++ 4 files changed, 32 insertions(+), 6 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index aa0c1fbe..56c9ebf6 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -975,8 +975,9 @@ matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presenc matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" -matrix_nginx_proxy_synapse_generic_worker_locations: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) }}" -matrix_nginx_proxy_synapse_media_repository_locations: "{{ matrix_synapse_workers_media_repository_endpoints|default([]) }}" +matrix_nginx_proxy_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}" +matrix_nginx_proxy_synapse_generic_worker_federation_locations: "{{ matrix_synapse_workers_generic_worker_federation_endpoints }}" +matrix_nginx_proxy_synapse_media_repository_locations: "{{matrix_synapse_workers_media_repository_endpoints|default([]) }}" matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_endpoints|default([]) }}" matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers_frontend_proxy_endpoints|default([]) }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 148116e2..44ed8acf 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -324,7 +324,8 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_def # synapse worker activation and endpoint mappings matrix_nginx_proxy_synapse_workers_enabled: false matrix_nginx_proxy_synapse_workers_list: [] -matrix_nginx_proxy_synapse_generic_worker_locations: [] +matrix_nginx_proxy_synapse_generic_worker_client_server_locations: [] +matrix_nginx_proxy_synapse_generic_worker_federation_locations: [] matrix_nginx_proxy_synapse_media_repository_locations: [] matrix_nginx_proxy_synapse_user_dir_locations: [] matrix_nginx_proxy_synapse_frontend_proxy_locations: [] diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 632241e7..5d204343 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -109,14 +109,13 @@ {% if generic_workers %} # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker - {% for location in matrix_nginx_proxy_synapse_generic_worker_locations %} + {% for location in matrix_nginx_proxy_synapse_generic_worker_client_server_locations %} location ~ {{ location }} { proxy_pass http://generic_worker_upstream$request_uri; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; } {% endfor %} - # FIXME: add GET ^/_matrix/federation/v1/groups/ {% endif %} {% if media_repository_workers %} @@ -361,7 +360,7 @@ server { {% if matrix_nginx_proxy_synapse_workers_enabled %} {% if generic_workers %} # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker - {% for location in matrix_nginx_proxy_synapse_generic_worker_locations %} + {% for location in matrix_nginx_proxy_synapse_generic_worker_federation_locations %} location ~ {{ location }} { proxy_pass http://generic_worker_upstream$request_uri; proxy_set_header Host $host; diff --git a/roles/matrix-synapse/vars/main.yml b/roles/matrix-synapse/vars/main.yml index 7c07145b..83325975 100644 --- a/roles/matrix-synapse/vars/main.yml +++ b/roles/matrix-synapse/vars/main.yml @@ -8,3 +8,28 @@ matrix_synapse_role_executed: false matrix_synapse_media_store_parent_path: "{{ matrix_synapse_media_store_path|dirname }}" matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}" + +# A Synapse generic worker can handle both federation and client-server API endpoints. +# We wish to split these, as we normally serve federation separately and don't want them mixed up. +# +# This is some ugly Ansible/Jinja2 hack (seen here: https://stackoverflow.com/a/47831492), +# which takes a list of various strings and removes the ones NOT containing `/_matrix/client` anywhere in them. +# +# We intentionally don't do a diff between everything possible (`matrix_synapse_workers_generic_worker_endpoints`) and `matrix_synapse_workers_generic_worker_federation_endpoints`, +# because `matrix_synapse_workers_generic_worker_endpoints` also contains things like `/_synapse/client/`, etc. +# While /_synapse/client/ endpoints are somewhat client-server API-related, they're: +# - neither part of the client-server API spec (and are thus, different) +# - nor always OK to forward to a worker (we're supposed to obey `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled`) +# +# It's also not too many of these APIs (only `^/_synapse/client/password_reset/email/submit_token$` at the time of this writing / 2021-01-24), +# so it's not that important whether we forward them or not. +# +# Basically, we aim to cover most things. Skipping `/_synapse/client` or a few other minor things doesn't matter too much. +matrix_synapse_workers_generic_worker_client_server_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) | map('regex_search', '.*/_matrix/client.*')| list | difference([none]) }}" + +# A Synapse generic worker can handle both federation and client-server API endpoints. +# We wish to split these, as we normally serve federation separately and don't want them mixed up. +# +# This is some ugly Ansible/Jinja2 hack (seen here: https://stackoverflow.com/a/47831492), +# which takes a list of various strings and removes the ones NOT containing `/_matrix/federation` anywhere in them. +matrix_synapse_workers_generic_worker_federation_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) | map('regex_search', '.*/_matrix/federation.*')| list | difference([none]) }}" From f66a6b066b18b4ebd8288d40349d42164b56db84 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 01:34:58 +0200 Subject: [PATCH 1832/2384] Be more specific with the Redis version being used --- roles/matrix-redis/defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml index f48ea542..74728d87 100644 --- a/roles/matrix-redis/defaults/main.yml +++ b/roles/matrix-redis/defaults/main.yml @@ -5,8 +5,7 @@ matrix_redis_connection_password: "" matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" -matrix_redis_docker_image_v5: "redis:5.0-alpine" -matrix_redis_docker_image_v6: "redis:6.0-alpine" +matrix_redis_docker_image_v6: "docker.io/redis:6.0.10-alpine" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' From 63301b0ef1e3c1b85c7e0822abb03ea4be079aef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 08:25:43 +0200 Subject: [PATCH 1833/2384] Improvements around Synapse worker/metrics ports exposure There was a `matrix_nginx_proxy_enabled|default(False)` check, but: - it didn't seem to work reliably for some reason (hmm) - referring to a `matrix_nginx_proxy_*` variable from within the `matrix-synapse` role is not ideal - exposing always happened on `127.0.0.1`, which may not be good enough for some rarer setups (where the own webserver is external to the host) --- group_vars/matrix_servers | 3 +++ roles/matrix-synapse/defaults/main.yml | 8 ++++++++ .../synapse/systemd/matrix-synapse.service.j2 | 11 ++++------- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 56c9ebf6..f64b02a0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1276,6 +1276,9 @@ matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (ma # # For exposing the Synapse Manhole port (plain HTTP) to the local host. matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if matrix_synapse_manhole_enabled else '' }}" +# +# For exposing the Synapse worker (and metrics) ports to the local host. +matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" matrix_synapse_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'synapse.db') | to_uuid }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d159f8a3..7c00c3e5 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -301,6 +301,14 @@ matrix_synapse_manhole_enabled: false # Enable support for Synapse workers matrix_synapse_workers_enabled: false + +# Controls whether the matrix-synapse container exposes the various worker ports +# (see `port` and `metrics_port` in `matrix_synapse_workers_enabled_list`) outside of the container. +# +# Takes an "" value (e.g. "127.0.0.1", "0.0.0.0", etc), or empty string to not expose. +# It takes "*" to signify "bind on all interfaces" ("0.0.0.0" is IPv4-only). +matrix_synapse_workers_container_host_bind_address: '' + # Default list of workers to spawn (order in accord to docs) # - no endpoints / doesn't need port mapping if port ends on 0 # - single-instance-only if 2nd last digit of port number is 0 diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 3bf51b6f..3b9ccdf8 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -45,19 +45,16 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {% if matrix_synapse_manhole_enabled and matrix_synapse_container_manhole_api_host_bind_port %} -p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \ {% endif %} + {% if matrix_synapse_workers_enabled and matrix_synapse_workers_container_host_bind_address %} {% for worker in matrix_synapse_workers_enabled_list %} - {% if matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled|default(False) %} - {# Expose worker ports (by default in 18xxx range) on localhost, f.e. when using - an external reverse proxy outside the matrix docker network #} {% if worker.port != 0 %} - -p 127.0.0.1:{{ worker.port }}:{{ worker.port }} \ + -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ worker.port }}:{{ worker.port }} \ {% endif %} - {% endif %} - {# Expose worker metrics ports on localhost #} {% if worker.metrics_port != 0 %} - -p 127.0.0.1:{{ worker.metrics_port }}:{{ worker.metrics_port }} \ + -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ worker.metrics_port }}:{{ worker.metrics_port }} \ {% endif %} {% endfor %} + {% endif %} --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ {% for volume in matrix_synapse_container_additional_volumes %} From c05d3d09bd223a2337e1323d2648ce38b390e1d0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 08:58:23 +0200 Subject: [PATCH 1834/2384] Disable systemd services while stopping them This removes some `multi-target.wants` symlinks as well, etc. But despite systemd saying: > Removed symlink /etc/systemd/system/matrix-synapse.service.wants/matrix-synapse-worker@appservice:0.service .. I still see such symlinks tehre for me for some reason, so keeping the code (below) to find & delete them still seems like a good idea. --- roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 index 699d26ad..01e0ac70 100644 --- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 @@ -22,7 +22,7 @@ else # '/etc/systemd/system/matrix-synapse.service.wants/matrix-synapse-worker@generic_worker:18111.service' # and stop these instantiated services as well. for s in $(find {{ matrix_systemd_path }}/ -xtype f -name "matrix-*" -printf "%f\n" | grep -v '@.service' | uniq); do - systemctl stop $s + systemctl disable --now $s done # Get rid of regular service files, as well as symlinks like From 4d62a75f6f46becb0ece21bd4c063830db229ece Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 09:21:17 +0200 Subject: [PATCH 1835/2384] Get matrix-corporal to play nicely with a Synapse worker setup We do this by creating one more layer of indirection. First we reach some generic vhost handling matrix.DOMAIN. A bunch of override rules are added there (capturing traffic to send to ma1sd, etc). nginx-status and similar generic things also live there. We then proxy to the homeserver on some other vhost (only Synapse being available right now, but repointing this to Dendrite or other will be possible in the future). Then that homeserver-specific vhost does its thing to proxy to the homeserver. It may or may not use workers, etc. Without matrix-corporal, the flow is now: 1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf) 2. matrix-nginx-proxy/matrix-synapse.conf 3. matrix-synapse With matrix-corporal enabled, it becomes: 1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf) 2. matrix-corporal 3. matrix-nginx-proxy/matrix-synapse.conf 4. matrix-synapse (matrix-corporal gets injected at step 2). --- group_vars/matrix_servers | 17 +- roles/matrix-nginx-proxy/defaults/main.yml | 38 ++- .../tasks/setup_nginx_proxy.yml | 24 +- .../nginx/conf.d/matrix-base-domain.conf.j2 | 70 +++++ .../nginx/conf.d/matrix-domain.conf.j2 | 196 +++++++++++- .../nginx/conf.d/matrix-synapse.conf.j2 | 278 +++--------------- 6 files changed, 360 insertions(+), 263 deletions(-) create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f64b02a0..88afb186 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -673,7 +673,8 @@ matrix_corporal_systemd_required_services_list: | (['matrix-synapse.service']) }} -matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008" +# This goes to Synapse's vhost +matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-nginx-proxy:12080" matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" @@ -885,7 +886,7 @@ matrix_ma1sd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matr matrix_ma1sd_dns_overwrite_enabled: true matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}" # By default, we send mail through the `matrix-mailer` service. matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" @@ -932,8 +933,8 @@ matrix_ma1sd_database_password: "{{ matrix_synapse_macaroon_secret_key | passwor # If that's not the case, you may wish to disable this and take care of proxying yourself. matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" -matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:8008' }}" +matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}" +matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}" matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}" @@ -956,8 +957,12 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:809 # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. # Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: "{{ matrix_synapse_federation_port_enabled and not matrix_synapse_tls_federation_listener_enabled }}" -matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" -matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:8048" +matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088" +matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:12088" + +# Settings controlling matrix-synapse-proxy.conf +matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" +matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 44ed8acf..6ab7e624 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -99,6 +99,10 @@ matrix_nginx_proxy_access_log_enabled: true matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}" +# Controls whether proxying the Synapse domain should be done. +matrix_nginx_proxy_proxy_synapse_enabled: false +matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy" + # Controls whether proxying the Element domain should be done. matrix_nginx_proxy_proxy_element_enabled: false matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" @@ -146,8 +150,13 @@ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. -matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008" -matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008" +matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080" +matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080" + +# The addresses where the Matrix Client API is, when using Synapse. +matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:8008" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:8008" + # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 @@ -185,34 +194,41 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "" # Controls whether proxying for the Matrix Federation API should be done. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false -matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" -matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:8048" +matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088" +matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:12088" matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem" +# The addresses where the Federation API is, when using Synapse. +matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:8048" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:8048" + # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" -# A list of strings containing additional configuration blocks to add to the nginx http's server configuration. +# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf). matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to the matrix synapse's server configuration. +# A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf). matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to Riot's server configuration. +# A list of strings containing additional configuration blocks to add to the synapse's server configuration (matrix-synapse.conf). +matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf). matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to Element's server configuration. +# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to Dimension's server configuration. +# A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to Jitsi's server configuration. +# A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf). matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to the base domain server configuration. +# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf). matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] # Specifies the SSL configuration that should be used for the SSL protocols and ciphers diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 90f0da73..9a9bef2d 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -45,12 +45,18 @@ mode: 0644 when: matrix_nginx_proxy_enabled|bool -- name: Ensure Matrix nginx-proxy configuration for matrix domain exists +- name: Ensure Matrix nginx-proxy configuration for matrix-synapse exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse.conf.j2" dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf" mode: 0644 - when: matrix_nginx_proxy_proxy_matrix_enabled|bool + when: matrix_nginx_proxy_proxy_synapse_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for matrix-synapse deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_synapse_enabled|bool" - name: Ensure Matrix nginx-proxy configuration for Element domain exists template: @@ -80,6 +86,12 @@ mode: 0644 when: matrix_nginx_proxy_proxy_jitsi_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for Matrix domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" + mode: 0644 + - name: Ensure Matrix nginx-proxy data directory for base domain exists file: path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain" @@ -100,8 +112,8 @@ - name: Ensure Matrix nginx-proxy configuration for base domain exists template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" + src: "{{ role_path }}/templates/nginx/conf.d/matrix-base-domain.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf" mode: 0644 when: matrix_nginx_proxy_base_domain_serving_enabled|bool @@ -161,7 +173,7 @@ - name: Ensure Matrix nginx-proxy configuration for matrix domain deleted file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf" + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" state: absent when: "not matrix_nginx_proxy_proxy_matrix_enabled|bool" @@ -191,7 +203,7 @@ - name: Ensure Matrix nginx-proxy configuration for base domain deleted file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf" state: absent when: "not matrix_nginx_proxy_base_domain_serving_enabled|bool" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 new file mode 100644 index 00000000..227747a5 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -0,0 +1,70 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + root /nginx-data/matrix-domain; + + gzip on; + gzip_types text/plain application/json; + {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location /.well-known/matrix { + root {{ matrix_static_files_base_path }}; + {# + A somewhat long expires value is used to prevent outages + in case this is unreachable due to network failure. + #} + expires 4h; + default_type application/json; + add_header Access-Control-Allow-Origin *; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_base_domain_hostname }}; + server_tokens off; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_base_domain_hostname }}; + server_tokens off; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 227747a5..2ab78a1b 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -1,31 +1,148 @@ #jinja2: lstrip_blocks: "True" +{% macro render_nginx_status_location_block(addresses) %} + {# Empty first line to make indentation prettier. #} + + location /nginx_status { + stub_status on; + access_log off; + {% for address in addresses %} + allow {{ address }}; + {% endfor %} + deny all; + } +{% endmacro %} -{% macro render_vhost_directives() %} - root /nginx-data/matrix-domain; +{% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json; - {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} location /.well-known/matrix { root {{ matrix_static_files_base_path }}; {# A somewhat long expires value is used to prevent outages - in case this is unreachable due to network failure. + in case this is unreachable due to network failure or + due to the base domain's server completely dying. #} expires 4h; default_type application/json; add_header Access-Control-Allow-Origin *; } + + {% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} + {{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} + {% endif %} + + {% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %} + location ^~ /_matrix/corporal { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + + {% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %} + location ^~ /_matrix/identity { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + + {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} + location ^~ /_matrix/client/r0/user_directory/search { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + + {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %} + location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + + {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + {# + This handles the Matrix Client API only. + The Matrix Federation API is handled by a separate vhost. + #} + location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } + + location / { + {% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %} + return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; + {% else %} + rewrite ^/$ /_matrix/static/ last; + {% endif %} + } {% endmacro %} server { listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; - server_name {{ matrix_nginx_proxy_base_domain_hostname }}; server_tokens off; + root /dev/null; {% if matrix_nginx_proxy_https_enabled %} location /.well-known/acme-challenge { @@ -40,6 +157,10 @@ server { {% endif %} } + {% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} + {{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} + {% endif %} + location / { return 301 https://$http_host$request_uri; } @@ -53,11 +174,13 @@ server { listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - server_name {{ matrix_nginx_proxy_base_domain_hostname }}; + server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; + server_tokens off; + root /dev/null; - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} @@ -68,3 +191,56 @@ server { {{ render_vhost_directives() }} } {% endif %} + +{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} +{# + This federation vhost is a little special. + It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`. +#} +server { + {% if matrix_nginx_proxy_https_enabled %} + listen 8448 ssl http2; + listen [::]:8448 ssl http2; + {% else %} + listen 8448; + {% endif %} + + server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; + server_tokens off; + + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + {% if matrix_nginx_proxy_https_enabled %} + ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; + ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% endif %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 5d204343..0dcaf9a6 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -1,108 +1,58 @@ #jinja2: lstrip_blocks: "True" -{% macro render_nginx_status_location_block(addresses) %} - {# Empty first line to make indentation prettier. #} - - location /nginx_status { - stub_status on; - access_log off; - {% for address in addresses %} - allow {{ address }}; - {% endfor %} - deny all; - } -{% endmacro %} +{% set generic_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'generic_worker')|list %} +{% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'media_repository')|list %} +{% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'user_dir')|list %} +{% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'frontend_proxy')|list %} +{% if matrix_nginx_proxy_synapse_workers_enabled %} + # Round Robin "upstream" pools for workers -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json; + {% if generic_workers %} + upstream generic_worker_upstream { + # ensures that requests from the same client will always be passed + # to the same server (except when this server is unavailable) + ip_hash; - location /.well-known/matrix { - root {{ matrix_static_files_base_path }}; - {# - A somewhat long expires value is used to prevent outages - in case this is unreachable due to network failure or - due to the base domain's server completely dying. - #} - expires 4h; - default_type application/json; - add_header Access-Control-Allow-Origin *; + {% for worker in generic_workers %} + server "matrix-synapse:{{ worker.port }}"; + {% endfor %} } - - {% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} - {{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} {% endif %} - {% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %} - location ^~ /_matrix/corporal { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + {% if frontend_proxy_workers %} + upstream frontend_proxy_upstream { + {% for worker in frontend_proxy_workers %} + server "matrix-synapse:{{ worker.port }}"; + {% endfor %} } {% endif %} - {% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %} - location ^~ /_matrix/identity { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + {% if media_repository_workers %} + upstream media_repository_upstream { + {% for worker in media_repository_workers %} + server "matrix-synapse:{{ worker.port }}"; + {% endfor %} } {% endif %} - {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} - # NOTE: This redirects user lookup requests to the identity server instead of - # synapse, so user_dir_workers endpoints listed further down in this file will - # not be reached and workers of this kind should be disabled for consistency. - location ^~ /_matrix/client/r0/user_directory/search { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; + {% if user_dir_workers %} + upstream user_dir_upstream { + {% for worker in user_dir_workers %} + server "matrix-synapse:{{ worker.port }}"; + {% endfor %} } {% endif %} +{% endif %} - {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %} - location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }}; - {% endif %} +server { + listen 12080; + server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }}; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } - {% endif %} + server_tokens off; + root /dev/null; + + gzip on; + gzip_types text/plain application/json; {% if matrix_nginx_proxy_synapse_workers_enabled %} {# Workers redirects BEGIN #} @@ -167,7 +117,7 @@ {% endif %} - {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} + {% for configuration_block in matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} @@ -193,19 +143,16 @@ } {% endif %} - {# - This handles the Matrix Client API only. - The Matrix Federation API is handled by a separate vhost. - #} - location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) { + {# Everything else just goes to the API server ##} + location / { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}"; + set $backend "{{ matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container }}"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }}; + proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container }}; {% endif %} proxy_set_header Host $host; @@ -215,129 +162,13 @@ client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; proxy_max_temp_file_size 0; } - - location / { - {% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %} - return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; - {% else %} - rewrite ^/$ /_matrix/static/ last; - {% endif %} - } -{% endmacro %} - -{% set generic_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'generic_worker')|list %} -{% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'media_repository')|list %} -{% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'user_dir')|list %} -{% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'frontend_proxy')|list %} -{% if matrix_nginx_proxy_synapse_workers_enabled %} - # Round Robin "upstream" pools for workers - - {% if generic_workers %} - upstream generic_worker_upstream { - # ensures that requests from the same client will always be passed - # to the same server (except when this server is unavailable) - ip_hash; - - {% for worker in generic_workers %} - server "matrix-synapse:{{ worker.port }}"; - {% endfor %} - } - {% endif %} - - {% if frontend_proxy_workers %} - upstream frontend_proxy_upstream { - {% for worker in frontend_proxy_workers %} - server "matrix-synapse:{{ worker.port }}"; - {% endfor %} - } - {% endif %} - - {% if media_repository_workers %} - upstream media_repository_upstream { - {% for worker in media_repository_workers %} - server "matrix-synapse:{{ worker.port }}"; - {% endfor %} - } - {% endif %} - - {% if user_dir_workers %} - upstream user_dir_upstream { - {% for worker in user_dir_workers %} - server "matrix-synapse:{{ worker.port }}"; - {% endfor %} - } - {% endif %} -{% endif %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - {% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} - {{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} - {% endif %} - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {{ render_vhost_directives() }} } -{% endif %} -{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} -{# - This federation vhost is a little special. - It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`. -#} +{% if matrix_nginx_proxy_proxy_synapse_federation_api_enabled %} server { - {% if matrix_nginx_proxy_https_enabled %} - listen 8448 ssl http2; - listen [::]:8448 ssl http2; - {% else %} - listen 8448; - {% endif %} + listen 12088; - server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; + server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }}; server_tokens off; root /dev/null; @@ -345,18 +176,6 @@ server { gzip on; gzip_types text/plain application/json; - {% if matrix_nginx_proxy_https_enabled %} - ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; - ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% endif %} - {% if matrix_nginx_proxy_synapse_workers_enabled %} {% if generic_workers %} # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker @@ -367,7 +186,6 @@ server { proxy_set_header X-Forwarded-For $remote_addr; } {% endfor %} - # FIXME: add GET ^/_matrix/federation/v1/groups/ {% endif %} {% if media_repository_workers %} # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository @@ -389,11 +207,11 @@ server { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}"; + set $backend "{{ matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container }}"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }}; + proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container }}; {% endif %} proxy_set_header Host $host; From da50fb27a07e19bf5ee1433c21f20064296a9639 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 09:31:52 +0200 Subject: [PATCH 1836/2384] Whitelist /_matrix/key requests for going to generic workers on the federation port --- roles/matrix-synapse/vars/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/vars/main.yml b/roles/matrix-synapse/vars/main.yml index 83325975..9c6d8ce4 100644 --- a/roles/matrix-synapse/vars/main.yml +++ b/roles/matrix-synapse/vars/main.yml @@ -31,5 +31,5 @@ matrix_synapse_workers_generic_worker_client_server_endpoints: "{{ matrix_synaps # We wish to split these, as we normally serve federation separately and don't want them mixed up. # # This is some ugly Ansible/Jinja2 hack (seen here: https://stackoverflow.com/a/47831492), -# which takes a list of various strings and removes the ones NOT containing `/_matrix/federation` anywhere in them. -matrix_synapse_workers_generic_worker_federation_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) | map('regex_search', '.*/_matrix/federation.*')| list | difference([none]) }}" +# which takes a list of various strings and removes the ones NOT containing `/_matrix/federation` or `/_matrix/key` anywhere in them. +matrix_synapse_workers_generic_worker_federation_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) | map('regex_search', '.*(/_matrix/federation|/_matrix/key).*')| list | difference([none]) }}" From 6fc214480cbfc16d6e6fc699003ebd27a15fde42 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 10:42:23 +0200 Subject: [PATCH 1837/2384] Fix Signal role using incorrect database string variable Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/823 --- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 962140c9..65318f19 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -59,7 +59,7 @@ matrix_mautrix_signal_database_connection_string: 'postgres://{{ matrix_mautrix_ matrix_mautrix_signal_appservice_database: "{{ { - 'postgres': matrix_mautrix_facebook_database_connection_string, + 'postgres': matrix_mautrix_signal_database_connection_string, }[matrix_mautrix_signal_database_engine] }}" From 70796703d36efcbe0f67cbf18466335a9a78e849 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 12:14:46 +0200 Subject: [PATCH 1838/2384] Run Synapse workers in their own containers This switches the `docker exec` method of spawning Synapse workers inside the `matrix-synapse` container with dedicated containers for each worker. We also have dedicated systemd services for each worker, so this are now: - more consistent with everything else (we don't use systemd instantiated services anywhere) - we don't need the "parse systemd instance name into worker name + port" part - we don't need to keep track of PIDs manually - we don't need jq (less depenendencies) - workers dying would be restarted by systemd correctly, like any other service - `docker ps` shows each worker separately and we can observe resource usage --- .../nginx/conf.d/matrix-synapse.conf.j2 | 8 +- .../matrix-synapse-worker-write-pid | 30 ------- roles/matrix-synapse/tasks/init.yml | 7 ++ roles/matrix-synapse/tasks/workers/setup.yml | 14 ++++ .../tasks/workers/setup_install.yml | 84 ++++--------------- .../tasks/workers/setup_uninstall.yml | 42 +++------- .../inject_systemd_services_for_worker.yml | 6 ++ .../workers/util/setup_files_for_worker.yml | 20 +++++ .../systemd/matrix-synapse-worker.service.j2 | 58 +++++++++++++ .../systemd/matrix-synapse-worker@.service.j2 | 39 --------- .../synapse/systemd/matrix-synapse.service.j2 | 20 ++--- .../templates/synapse/worker.yaml.j2 | 22 ++--- 12 files changed, 160 insertions(+), 190 deletions(-) delete mode 100644 roles/matrix-synapse/files/usr-local-bin/matrix-synapse-worker-write-pid create mode 100644 roles/matrix-synapse/tasks/workers/util/inject_systemd_services_for_worker.yml create mode 100644 roles/matrix-synapse/tasks/workers/util/setup_files_for_worker.yml create mode 100644 roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 delete mode 100644 roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 0dcaf9a6..6801f4f9 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -14,7 +14,7 @@ ip_hash; {% for worker in generic_workers %} - server "matrix-synapse:{{ worker.port }}"; + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.port }}:{{ worker.port }}"; {% endfor %} } {% endif %} @@ -22,7 +22,7 @@ {% if frontend_proxy_workers %} upstream frontend_proxy_upstream { {% for worker in frontend_proxy_workers %} - server "matrix-synapse:{{ worker.port }}"; + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.port }}:{{ worker.port }}"; {% endfor %} } {% endif %} @@ -30,7 +30,7 @@ {% if media_repository_workers %} upstream media_repository_upstream { {% for worker in media_repository_workers %} - server "matrix-synapse:{{ worker.port }}"; + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.port }}:{{ worker.port }}"; {% endfor %} } {% endif %} @@ -38,7 +38,7 @@ {% if user_dir_workers %} upstream user_dir_upstream { {% for worker in user_dir_workers %} - server "matrix-synapse:{{ worker.port }}"; + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.port }}:{{ worker.port }}"; {% endfor %} } {% endif %} diff --git a/roles/matrix-synapse/files/usr-local-bin/matrix-synapse-worker-write-pid b/roles/matrix-synapse/files/usr-local-bin/matrix-synapse-worker-write-pid deleted file mode 100644 index 02c5ba09..00000000 --- a/roles/matrix-synapse/files/usr-local-bin/matrix-synapse-worker-write-pid +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash -# Find a synapse worker's PID and write it to a file so systemd can manage it as a service - -# example invocation: -# matrix-synapse-worker-write-pid user_dir:18700 /run/matrix-synapse-worker.user_dir:18700.pid - -docker_api_call() { curl --silent --unix-socket /var/run/docker.sock ${@}; } - -TARGETCONTAINER=matrix-synapse -TARGETWORKER=${1} -PIDFILE=${2} - -# get ID list of subprocesses executed in $TARGETCONTAINER, and for each.. -for EXECID in $(docker_api_call http://localhost/containers/${TARGETCONTAINER}/json | jq --raw-output '.ExecIDs[]') -do - # fetch detailed process info - EXECINFO=$(docker_api_call http://localhost/exec/${EXECID}/json) - - # extract config file path from last command argument - WORKERCONFIGFILE=$(echo ${EXECINFO} | jq --raw-output .ProcessConfig.arguments[-1]) - - # reconstruct worker name - WORKERNAME=${WORKERCONFIGFILE#*/worker.} - WORKERNAME=${WORKERNAME%.yaml} - - # if name matches the target worker: write out most recent PID & quit - [ "${WORKERNAME}" = "${TARGETWORKER}" ] \ - && echo ${EXECINFO} | jq --raw-output .Pid > ${PIDFILE} \ - && exit 0 -done diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index bdb62476..46c7d22b 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -2,6 +2,13 @@ matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse.service'] }}" when: matrix_synapse_enabled|bool +- name: Ensure systemd services for workers are injected + include_tasks: "{{ role_path }}/tasks/workers/util/inject_systemd_services_for_worker.yml" + with_items: "{{ matrix_synapse_workers_enabled_list }}" + loop_control: + loop_var: matrix_synapse_worker_details + when: matrix_synapse_enabled|bool and matrix_synapse_workers_enabled|bool + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" when: matrix_s3_media_store_enabled|bool diff --git a/roles/matrix-synapse/tasks/workers/setup.yml b/roles/matrix-synapse/tasks/workers/setup.yml index 083da807..3a7e6c98 100644 --- a/roles/matrix-synapse/tasks/workers/setup.yml +++ b/roles/matrix-synapse/tasks/workers/setup.yml @@ -1,5 +1,19 @@ --- +# A previous version of the worker setup used this. +# This is a temporary cleanup for people who ran that version. +- name: Ensure old matrix-synapse.service.wants directory is gone + file: + path: "{{ matrix_systemd_path }}/matrix-synapse.service.wants" + state: absent + +# Same. This was part of a previous version of the worker setup. +# No longer necessary. +- name: Ensure matrix-synapse-worker-write-pid script is removed + file: + path: "{{ matrix_local_bin_path }}/matrix-synapse-worker-write-pid" + state: absent + - include_tasks: "{{ role_path }}/tasks/workers/setup_install.yml" when: "matrix_synapse_enabled|bool and matrix_synapse_workers_enabled|bool" diff --git a/roles/matrix-synapse/tasks/workers/setup_install.yml b/roles/matrix-synapse/tasks/workers/setup_install.yml index 33ddb0b9..ff34210a 100644 --- a/roles/matrix-synapse/tasks/workers/setup_install.yml +++ b/roles/matrix-synapse/tasks/workers/setup_install.yml @@ -1,81 +1,33 @@ --- -- name: Ensure synapse worker base service file installed - template: - src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse-worker@.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-synapse-worker@.service" - mode: 0644 - register: matrix_synapse_worker_systemd_service_result - -- name: Ensure previous worker service symlinks are cleaned - file: - path: "{{ item.root + '/' + item.path }}" - state: absent - when: - - item.state == 'link' - - item.path is match('matrix-synapse-worker@.*\\.service') - with_filetree: - - "{{ matrix_systemd_path }}/matrix-synapse.service.wants" - -- name: Ensure systemd reloaded the worker service unit - service: - daemon_reload: yes - -- name: Ensure individual worker service symlinks exist - service: - name: "matrix-synapse-worker@{{ item.type }}:{{ item.port }}.service" - enabled: true - with_items: "{{ matrix_synapse_workers_enabled_list }}" - - name: Find worker configs to be cleaned find: path: "{{ matrix_synapse_config_dir_path }}" patterns: "worker.*.yaml" use_regex: true - register: worker_config_files + register: matrix_synapse_workers_current_config_files - name: Ensure previous worker configs are cleaned file: path: "{{ item.path }}" state: absent - with_items: "{{ worker_config_files.files }}" + with_items: "{{ matrix_synapse_workers_current_config_files.files }}" -- name: Ensure creation of specific worker configs - template: - src: "{{ role_path }}/templates/synapse/worker.yaml.j2" - dest: "{{ matrix_synapse_config_dir_path }}/worker.{{ item.type }}:{{ item.port }}.yaml" - with_list: "{{ matrix_synapse_workers_enabled_list }}" - -- name: Add workers to synapse.wants list - set_fact: - matrix_synapse_systemd_wanted_services_list: > - {{ matrix_synapse_systemd_wanted_services_list + - ['matrix-synapse-worker@' + item.type + ':' + item.port|string + '.service'] }} - with_items: "{{ matrix_synapse_workers_enabled_list }}" - -- name: Ensure matrix-synapse-worker-write-pid script is created - copy: - src: "{{ role_path }}/files/usr-local-bin/matrix-synapse-worker-write-pid" - dest: "{{ matrix_local_bin_path }}/matrix-synapse-worker-write-pid" - mode: 0750 - -- name: Ensure jq is installed (Archlinux) - pacman: - name: - - jq - state: present - when: (ansible_distribution == 'Archlinux') +- name: Find worker systemd services to be cleaned + find: + path: "{{ matrix_systemd_path }}" + patterns: "matrix-synapse-worker.*.service" + use_regex: true + register: matrix_synapse_workers_current_systemd_services -- name: Ensure jq is installed (CentOS) - yum: - name: - - jq - state: present - when: (ansible_distribution == 'CentOS') +- name: Ensure previous worker systemd services are cleaned + file: + path: "{{ item.path }}" + state: absent + with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" -- name: Ensure jq is installed (Debian) - apt: - name: - - jq - state: present - when: (ansible_os_family == 'Debian') +- name: Ensure creation of worker systemd service files and configuration files + include_tasks: "{{ role_path }}/tasks/workers/util/setup_files_for_worker.yml" + with_items: "{{ matrix_synapse_workers_enabled_list }}" + loop_control: + loop_var: matrix_synapse_worker_details diff --git a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml index a9884fca..4a90bfa6 100644 --- a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/workers/setup_uninstall.yml @@ -7,46 +7,30 @@ service: name: "{{ item.key }}" state: stopped - with_dict: "{{ ansible_facts.services|default({})|dict2items|selectattr('key', 'match', 'matrix-synapse-worker@.+\\.service')|list|items2dict }}" - -- name: Ensure worker service symlinks are cleaned - file: - path: "{{ item.root + '/' + item.path }}" - state: absent - when: - - item.state == 'link' - - item.path is match('matrix-synapse-worker@.*\\.service') - with_filetree: - - "{{ matrix_systemd_path }}/matrix-synapse.service.wants" - -- name: Ensure synapse worker base service file gets removed - file: - path: "{{ matrix_systemd_path }}/matrix-synapse-worker@.service" - state: absent - register: matrix_synapse_worker_systemd_service_result + with_dict: "{{ ansible_facts.services|default({})|dict2items|selectattr('key', 'match', 'matrix-synapse-worker-.+\\.service')|list|items2dict }}" - name: Find worker configs to be cleaned find: path: "{{ matrix_synapse_config_dir_path }}" patterns: "worker.*.yaml" use_regex: true - register: worker_config_files + register: matrix_synapse_workers_current_config_files -- name: Ensure worker configs are cleaned +- name: Ensure previous worker configs are cleaned file: path: "{{ item.path }}" state: absent - with_items: "{{ worker_config_files.files }}" + with_items: "{{ matrix_synapse_workers_current_config_files.files }}" -- name: Remove workers from synapse.wants list - set_fact: - matrix_synapse_systemd_wanted_services_list: "{{ matrix_synapse_systemd_wanted_services_list | reject('search', '^matrix-synapse-worker@') | list }}" - -- name: Ensure systemd noticed removal of worker service units - service: - daemon_reload: yes +- name: Find worker systemd services to be cleaned + find: + path: "{{ matrix_systemd_path }}" + patterns: "matrix-synapse-worker.*.service" + use_regex: true + register: matrix_synapse_workers_current_systemd_services -- name: Ensure matrix-synapse-worker-write-pid script is removed +- name: Ensure previous worker systemd services are cleaned file: - path: "{{ matrix_local_bin_path }}/matrix-synapse-worker-write-pid" + path: "{{ item.path }}" state: absent + with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" diff --git a/roles/matrix-synapse/tasks/workers/util/inject_systemd_services_for_worker.yml b/roles/matrix-synapse/tasks/workers/util/inject_systemd_services_for_worker.yml new file mode 100644 index 00000000..c95f881a --- /dev/null +++ b/roles/matrix-synapse/tasks/workers/util/inject_systemd_services_for_worker.yml @@ -0,0 +1,6 @@ + +- set_fact: + matrix_synapse_worker_systemd_service_name: "matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.port }}.service" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + [matrix_synapse_worker_systemd_service_name] }}" diff --git a/roles/matrix-synapse/tasks/workers/util/setup_files_for_worker.yml b/roles/matrix-synapse/tasks/workers/util/setup_files_for_worker.yml new file mode 100644 index 00000000..6a15e048 --- /dev/null +++ b/roles/matrix-synapse/tasks/workers/util/setup_files_for_worker.yml @@ -0,0 +1,20 @@ + +- set_fact: + matrix_synapse_worker_systemd_service_name: "matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.port }}" + +- set_fact: + matrix_synapse_worker_container_name: "{{ matrix_synapse_worker_systemd_service_name }}" + +- set_fact: + matrix_synapse_worker_config_file_name: "worker.{{ matrix_synapse_worker_details.type }}_{{ matrix_synapse_worker_details.port }}.yaml" + +- name: Ensure configuration exists for {{ matrix_synapse_worker_systemd_service_name }} + template: + src: "{{ role_path }}/templates/synapse/worker.yaml.j2" + dest: "{{ matrix_synapse_config_dir_path }}/{{ matrix_synapse_worker_config_file_name }}" + +- name: Ensure systemd service exists for {{ matrix_synapse_worker_systemd_service_name }} + template: + src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse-worker.service.j2" + dest: "{{ matrix_systemd_path }}/{{ matrix_synapse_worker_systemd_service_name }}.service" + mode: 0644 diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 new file mode 100644 index 00000000..0f5e7be2 --- /dev/null +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -0,0 +1,58 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Synapse worker ({{ matrix_synapse_worker_container_name }}) +AssertPathExists={{ matrix_synapse_config_dir_path }}/{{ matrix_synapse_worker_config_file_name }} +After=matrix-synapse.service + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" + +ExecStartPre=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} +ExecStartPre=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} + +# Intentional delay, so that the homeserver can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_worker_container_name }} \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --entrypoint=python \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ + --network={{ matrix_docker_network }} \ + {% if matrix_synapse_workers_enabled and matrix_synapse_workers_container_host_bind_address %} + {% if matrix_synapse_worker_details.port != 0 %} + -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ matrix_synapse_worker_details.port }}:{{ matrix_synapse_worker_details.port }} \ + {% endif %} + {% if matrix_synapse_worker_details.metrics_port != 0 %} + -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ matrix_synapse_worker_details.metrics_port }}:{{ matrix_synapse_worker_details.metrics_port }} \ + {% endif %} + {% endif %} + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \ + --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ + {% for volume in matrix_synapse_container_additional_volumes %} + -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + {% endfor %} + {% for arg in matrix_synapse_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_synapse_docker_image }} \ + -m synapse.app.{{ matrix_synapse_worker_details.type }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }} + + +ExecStop=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} +ExecStop=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} + +ExecReload={{ matrix_host_command_docker }} exec {{ matrix_synapse_worker_container_name }} /bin/sh -c 'kill -HUP 1' +Restart=always +RestartSec=30 +SyslogIdentifier={{ matrix_synapse_worker_container_name }} + +# Intentionally not making this WantedBy=matrix-synapse.service, +# as matrix.synapse.service already has `Wants=` lines. +# Also, WantedBy will trigger the creation of some `matrix-synapse.service.wants/` directory, +# which we'd have to clean, etc. Better not. +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 deleted file mode 100644 index 983426ba..00000000 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker@.service.j2 +++ /dev/null @@ -1,39 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# Instantiable worker service, running inside the synapse container -# alongside the homeserver main process. -# c.f. https://github.com/matrix-org/synapse/pull/4662 -[Unit] -Description=Matrix worker synapse.app.%i -AssertPathExists={{ matrix_synapse_config_dir_path }}/worker.%i.yaml -After=matrix-synapse.service -BindsTo=matrix-synapse.service - -[Service] -Type=simple - -# Intentional delay, so that the homeserver can manage to start. -ExecStartPre={{ matrix_host_command_sleep }} 5 - -# no sane way of instancing more than one variable (systemd "cant-fix" 🤦) -# c.f. https://github.com/systemd/systemd/issues/14895#issuecomment-594123923 -# So use good ol' shell parameter expansion to get the worker type.. -ExecStart=/bin/sh -c "WORKER=%i; WORKER=$${WORKER%%:*}; \ - exec {{ matrix_host_command_docker }} exec \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - matrix-synapse \ - python -m synapse.app.$${WORKER} -c /data/homeserver.yaml -c /data/worker.%i.yaml" - -# wait for worker startup & write out PID of actual worker process so systemd can handle it -ExecStartPost={{ matrix_host_command_sleep }} 5 -ExecStartPost={{ matrix_local_bin_path }}/matrix-synapse-worker-write-pid %i /run/matrix-synapse-worker.%i.pid - -ExecReload=/bin/kill -HUP $MAINPID -ExecStop=/bin/kill $MAINPID -PIDFile=/run/matrix-synapse-worker.%i.pid -KillMode=process -Restart=always -RestartSec=10 -SyslogIdentifier=matrix-synapse-%i - -[Install] -WantedBy=matrix-synapse.service diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 3b9ccdf8..3028cfc1 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -4,10 +4,18 @@ Description=Synapse server {% for service in matrix_synapse_systemd_required_services_list %} Requires={{ service }} After={{ service }} + {% endfor %} {% for service in matrix_synapse_systemd_wanted_services_list %} Wants={{ service }} {% endfor %} + +{% if matrix_synapse_workers_enabled %} +{% for matrix_synapse_worker_details in matrix_synapse_workers_enabled_list %} +Wants=matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.port }}.service +{% endfor %} +{% endif %} + DefaultDependencies=no [Service] @@ -45,16 +53,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {% if matrix_synapse_manhole_enabled and matrix_synapse_container_manhole_api_host_bind_port %} -p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \ {% endif %} - {% if matrix_synapse_workers_enabled and matrix_synapse_workers_container_host_bind_address %} - {% for worker in matrix_synapse_workers_enabled_list %} - {% if worker.port != 0 %} - -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ worker.port }}:{{ worker.port }} \ - {% endif %} - {% if worker.metrics_port != 0 %} - -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ worker.metrics_port }}:{{ worker.metrics_port }} \ - {% endif %} - {% endfor %} - {% endif %} --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \ --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ {% for volume in matrix_synapse_container_additional_volumes %} @@ -68,7 +66,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ ExecStop=-{{ matrix_host_command_docker }} kill matrix-synapse ExecStop=-{{ matrix_host_command_docker }} rm matrix-synapse -ExecReload={{ matrix_host_command_docker }} exec matrix-synapse kill -HUP 1 +ExecReload={{ matrix_host_command_docker }} exec matrix-synapse /bin/sh -c 'kill -HUP 1' Restart=always RestartSec=30 SyslogIdentifier=matrix-synapse diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 index f77ff4ad..bac2f7ee 100644 --- a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -1,32 +1,32 @@ #jinja2: lstrip_blocks: "True" -worker_app: synapse.app.{{ item.type }} -worker_name: {{ item.type ~ ':' ~ item.port }} +worker_app: synapse.app.{{ matrix_synapse_worker_details.type }} +worker_name: {{ matrix_synapse_worker_details.type ~ ':' ~ matrix_synapse_worker_details.port }} -worker_replication_host: 127.0.0.1 +worker_replication_host: matrix-synapse worker_replication_http_port: {{ matrix_synapse_replication_http_port }} worker_listeners: -{% if item.type not in [ 'appservice', 'federation_sender', 'pusher' ] %} +{% if matrix_synapse_worker_details.type not in [ 'appservice', 'federation_sender', 'pusher' ] %} - type: http - port: {{ item.port }} + port: {{ matrix_synapse_worker_details.port }} resources: - names: -{% if item.type in [ 'generic_worker', 'frontend_proxy', 'user_dir' ] %} +{% if matrix_synapse_worker_details.type in [ 'generic_worker', 'frontend_proxy', 'user_dir' ] %} - client {% endif %} -{% if item.type in [ 'generic_worker' ] %} +{% if matrix_synapse_worker_details.type in [ 'generic_worker' ] %} - federation -{% elif item.type in [ 'media_repository' ] %} +{% elif matrix_synapse_worker_details.type in [ 'media_repository' ] %} - media {% endif %} {% endif %} - type: metrics bind_address: ['127.0.0.1'] - port: {{ item.metrics_port }} + port: {{ matrix_synapse_worker_details.metrics_port }} -{% if item.type == 'frontend_proxy' %} -worker_main_http_uri: http://127.0.0.1:8008 +{% if matrix_synapse_worker_details.type == 'frontend_proxy' %} +worker_main_http_uri: http://matrix-synapse:8008 {% endif %} worker_daemonize: false From 01747c8cc45ffd809ed558b3e9ec3082c6e33557 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 12:24:12 +0200 Subject: [PATCH 1839/2384] Prevent Synapse warning about enabling metric listeners with enable_metrics: false > synapse.app.generic_worker - 606 - WARNING - None - Metrics listener configured, but enable_metrics is not True! --- roles/matrix-synapse/templates/synapse/worker.yaml.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 index bac2f7ee..7bfc94cb 100644 --- a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -19,11 +19,12 @@ worker_listeners: {% elif matrix_synapse_worker_details.type in [ 'media_repository' ] %} - media {% endif %} - {% endif %} +{% if matrix_synapse_metrics_enabled %} - type: metrics bind_address: ['127.0.0.1'] port: {{ matrix_synapse_worker_details.metrics_port }} +{% endif %} {% if matrix_synapse_worker_details.type == 'frontend_proxy' %} worker_main_http_uri: http://matrix-synapse:8008 From 1462409b3481d3f54cd527acebb86b4bb27873e7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 12:29:47 +0200 Subject: [PATCH 1840/2384] Fix worker listening addresses Not specifying bind addresses for the worker resulted in this warning: > synapse.app - 47 - WARNING - None - Failed to listen on 0.0.0.0, continuing because listening on [::] Additionally, metrics listening only on 127.0.0.1 seems like a no-op. Only having it accessible from within the container is likely not what we intend. Changed that to all interfaces as well. Whether it actually gets exposed or not depends on the systemd service and `matrix_synapse_workers_container_host_bind_address`. --- roles/matrix-synapse/templates/synapse/worker.yaml.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 index 7bfc94cb..1acc4df2 100644 --- a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -8,6 +8,7 @@ worker_replication_http_port: {{ matrix_synapse_replication_http_port }} worker_listeners: {% if matrix_synapse_worker_details.type not in [ 'appservice', 'federation_sender', 'pusher' ] %} - type: http + bind_addresses: ['::'] port: {{ matrix_synapse_worker_details.port }} resources: - names: @@ -22,7 +23,7 @@ worker_listeners: {% endif %} {% if matrix_synapse_metrics_enabled %} - type: metrics - bind_address: ['127.0.0.1'] + bind_addresses: ['::'] port: {{ matrix_synapse_worker_details.metrics_port }} {% endif %} From 66cdc7bf5aa6081caa6545aa670a113b9f22b18b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 13:02:01 +0200 Subject: [PATCH 1841/2384] Clean up worker.yaml generation a bit and make it more flexible --- roles/matrix-synapse/defaults/main.yml | 11 ++++++- .../templates/synapse/homeserver.yaml.j2 | 3 ++ .../templates/synapse/worker.yaml.j2 | 30 ++++++++++++------- 3 files changed, 33 insertions(+), 11 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 7c00c3e5..1f1057dd 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -333,7 +333,16 @@ matrix_synapse_redis_host: "" matrix_synapse_redis_port: 6379 matrix_synapse_redis_password: "" -# Port used for communication between main synapse process and workers +# Controls whether Synapse starts a replication listener necessary for workers. +# +# If Redis is available, we prefer to use that, instead of talking over Synapse's custom replication protocol. +# +# matrix_synapse_replication_listener_enabled: "{{ matrix_synapse_workers_enabled and not matrix_redis_enabled }}" +# We force-enable this listener for now until we debug why communication via Redis fails. +matrix_synapse_replication_listener_enabled: true + +# Port used for communication between main synapse process and workers. +# Only gets used if `matrix_synapse_replication_listener_enabled: true` matrix_synapse_replication_http_port: 9093 # Send ERROR logs to sentry.io for easier tracking diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 9738ea4b..3bfada51 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -277,6 +277,8 @@ listeners: {% endif %} {% if matrix_synapse_workers_enabled %} + +{% if matrix_synapse_replication_listener_enabled %} # c.f. https://github.com/matrix-org/synapse/tree/master/docs/workers.md # HTTP replication: for the workers to send data to the main synapse process - port: {{ matrix_synapse_replication_http_port }} @@ -284,6 +286,7 @@ listeners: type: http resources: - names: [replication] +{% endif %} # c.f. https://github.com/matrix-org/synapse/tree/master/contrib/systemd-with-workers/README.md worker_app: synapse.app.homeserver diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 index 1acc4df2..330086ad 100644 --- a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -2,30 +2,40 @@ worker_app: synapse.app.{{ matrix_synapse_worker_details.type }} worker_name: {{ matrix_synapse_worker_details.type ~ ':' ~ matrix_synapse_worker_details.port }} +{% if matrix_synapse_replication_listener_enabled %} worker_replication_host: matrix-synapse worker_replication_http_port: {{ matrix_synapse_replication_http_port }} +{% endif %} + +{% set has_listeners = (matrix_synapse_worker_details.type not in [ 'appservice', 'federation_sender', 'pusher' ] or matrix_synapse_metrics_enabled) %} + +{% set http_resources = [] %} + +{% if matrix_synapse_worker_details.type in ['generic_worker', 'frontend_proxy', 'user_dir'] %} + {% set http_resources = http_resources + ['client'] %} +{% endif %} +{% if matrix_synapse_worker_details.type in ['generic_worker'] %} + {% set http_resources = http_resources+ ['federation'] %} +{% endif %} +{% if matrix_synapse_worker_details.type in ['media_repository'] %} + {% set http_resources = http_resources + ['media'] %} +{% endif %} +{% if http_resources|length > 0 or matrix_synapse_metrics_enabled %} worker_listeners: -{% if matrix_synapse_worker_details.type not in [ 'appservice', 'federation_sender', 'pusher' ] %} +{% if http_resources|length > 0 %} - type: http bind_addresses: ['::'] port: {{ matrix_synapse_worker_details.port }} resources: - - names: -{% if matrix_synapse_worker_details.type in [ 'generic_worker', 'frontend_proxy', 'user_dir' ] %} - - client -{% endif %} -{% if matrix_synapse_worker_details.type in [ 'generic_worker' ] %} - - federation -{% elif matrix_synapse_worker_details.type in [ 'media_repository' ] %} - - media -{% endif %} + - names: {{ http_resources|to_json }} {% endif %} {% if matrix_synapse_metrics_enabled %} - type: metrics bind_addresses: ['::'] port: {{ matrix_synapse_worker_details.metrics_port }} {% endif %} +{% endif %} {% if matrix_synapse_worker_details.type == 'frontend_proxy' %} worker_main_http_uri: http://matrix-synapse:8008 From d3ecc6f017c801fcf5de10392265faf3cab28420 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 13:55:08 +0200 Subject: [PATCH 1842/2384] Fix bridges failing to upload media when Synapse workers are enabled --- group_vars/matrix_servers | 10 +++++++--- roles/matrix-base/defaults/main.yml | 5 +++++ roles/matrix-bot-matrix-reminder-bot/defaults/main.yml | 2 +- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- .../matrix-bridge-mx-puppet-discord/defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 2 +- roles/matrix-bridge-mx-puppet-slack/defaults/main.yml | 2 +- roles/matrix-bridge-mx-puppet-steam/defaults/main.yml | 2 +- .../matrix-bridge-mx-puppet-twitter/defaults/main.yml | 2 +- roles/matrix-dimension/templates/config.yaml.j2 | 2 +- 14 files changed, 24 insertions(+), 15 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 88afb186..11783fc6 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -18,6 +18,10 @@ matrix_identity_server_url: "{{ ('https://' + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}" +# If Synapse workers are enabled and matrix-nginx-proxy is disabled, certain APIs may not work over 'http://matrix-synapse:8008'. +# This is because we explicitly disable them for the main Synapse process. +matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix_nginx_proxy_enabled else 'http://matrix-synapse:8008' }}" + ###################################################################### # # /matrix-base @@ -283,7 +287,7 @@ matrix_mautrix_signal_systemd_required_services_list: | matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}' -matrix_mautrix_signal_homeserver_address: "{{ 'http://matrix-synapse:8008' if matrix_synapse_enabled else '' }}" +matrix_mautrix_signal_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mautrix_signal_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.hs.token') | to_uuid }}" @@ -674,7 +678,7 @@ matrix_corporal_systemd_required_services_list: | }} # This goes to Synapse's vhost -matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-nginx-proxy:12080" +matrix_corporal_matrix_homeserver_api_endpoint: "{{ matrix_homeserver_container_url }}" matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" @@ -1388,7 +1392,7 @@ matrix_registration_riot_instance: "{{ ('https://' + matrix_server_fqn_element) matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret if matrix_synapse_enabled else '' }}" -matrix_registration_server_location: "{{ 'http://matrix-synapse:8008' if matrix_synapse_enabled else '' }}" +matrix_registration_server_location: "{{ matrix_homeserver_container_url }}" matrix_registration_api_validate_certs: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index d8285e1c..02b5906d 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -72,6 +72,11 @@ matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_dist matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" +# Specifies where the homeserver is on the container network. +# Where this is depends on whether there's a reverse-proxy in front of it, etc. +# This likely gets overriden elsewhere. +matrix_homeserver_container_url: "http://matrix-synapse:8008" + matrix_identity_server_url: ~ matrix_integration_manager_rest_url: ~ diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index 29bc8307..c3deb2f2 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -58,7 +58,7 @@ matrix_bot_matrix_reminder_bot_matrix_user_id: '@{{ matrix_bot_matrix_reminder_b # The password that the bot uses to authenticate. matrix_bot_matrix_reminder_bot_matrix_user_password: '' -matrix_bot_matrix_reminder_bot_matrix_homeserver_url: 'http://matrix-synapse:8008' +matrix_bot_matrix_reminder_bot_matrix_homeserver_url: "{{ matrix_homeserver_container_url }}" # The timezone to use when creating reminders. # Examples: 'Europe/London', 'Etc/UTC' diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index ba4e1e1b..e2c91926 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -14,7 +14,7 @@ matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" matrix_appservice_irc_config_path: "{{ matrix_appservice_irc_base_path }}/config" matrix_appservice_irc_data_path: "{{ matrix_appservice_irc_base_path }}/data" -matrix_appservice_irc_homeserver_url: 'http://matrix-synapse:8008' +matrix_appservice_irc_homeserver_url: "{{ matrix_homeserver_container_url }}" matrix_appservice_irc_homeserver_media_url: 'https://{{ matrix_server_fqn_matrix }}' matrix_appservice_irc_homeserver_domain: '{{ matrix_domain }}' matrix_appservice_irc_homeserver_enablePresence: true diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index e99514e0..120c2960 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -16,7 +16,7 @@ matrix_mautrix_facebook_config_path: "{{ matrix_mautrix_facebook_base_path }}/co matrix_mautrix_facebook_data_path: "{{ matrix_mautrix_facebook_base_path }}/data" matrix_mautrix_facebook_docker_src_files_path: "{{ matrix_mautrix_facebook_base_path }}/docker-src" -matrix_mautrix_facebook_homeserver_address: 'http://matrix-synapse:8008' +matrix_mautrix_facebook_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_facebook_appservice_address: 'http://matrix-mautrix-facebook:29319' diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 8dfee030..183c3ac7 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -18,7 +18,7 @@ matrix_mautrix_hangouts_docker_src_files_path: "{{ matrix_mautrix_hangouts_base_ matrix_mautrix_hangouts_public_endpoint: '/mautrix-hangouts' -matrix_mautrix_hangouts_homeserver_address: 'http://matrix-synapse:8008' +matrix_mautrix_hangouts_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mautrix_hangouts_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_hangouts_appservice_address: 'http://matrix-mautrix-hangouts:8080' diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 7e072b5a..5eab0c0b 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -25,7 +25,7 @@ matrix_mautrix_telegram_bot_token: disabled # Example: /741a0483-ba17-4682-9900-30bd7269f1cc matrix_mautrix_telegram_public_endpoint: '' -matrix_mautrix_telegram_homeserver_address: 'http://matrix-synapse:8008' +matrix_mautrix_telegram_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mautrix_telegram_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_telegram_appservice_address: 'http://matrix-mautrix-telegram:8080' matrix_mautrix_telegram_appservice_public_external: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mautrix_telegram_public_endpoint }}' diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 97b20313..25f6ae06 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -22,7 +22,7 @@ matrix_mx_puppet_discord_docker_src_files_path: "{{ matrix_mx_puppet_discord_bas matrix_mx_puppet_discord_appservice_port: "8432" -matrix_mx_puppet_discord_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_discord_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}' diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml index cd08c010..4c9fbd98 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -16,7 +16,7 @@ matrix_mx_puppet_instagram_data_path: "{{ matrix_mx_puppet_instagram_base_path } matrix_mx_puppet_instagram_docker_src_files_path: "{{ matrix_mx_puppet_instagram_base_path }}/docker-src" matrix_mx_puppet_instagram_appservice_port: "8440" -matrix_mx_puppet_instagram_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_instagram_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mx_puppet_instagram_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_instagram_appservice_address: 'http://matrix-mx-puppet-instagram:{{ matrix_mx_puppet_instagram_appservice_port }}' diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 83cd3dc5..53c8e379 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -17,7 +17,7 @@ matrix_mx_puppet_skype_docker_src_files_path: "{{ matrix_mx_puppet_skype_base_pa matrix_mx_puppet_skype_appservice_port: "8438" -matrix_mx_puppet_skype_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_skype_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mx_puppet_skype_appservice_address: 'http://matrix-mx-puppet-skype:{{ matrix_mx_puppet_skype_appservice_port }}' # "@user:server.com" to allow specific user diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 70b98ece..b1fb7487 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -22,7 +22,7 @@ matrix_mx_puppet_slack_docker_src_files_path: "{{ matrix_mx_puppet_slack_base_pa matrix_mx_puppet_slack_appservice_port: "8432" -matrix_mx_puppet_slack_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_slack_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mx_puppet_slack_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_slack_appservice_address: 'http://matrix-mx-puppet-slack:{{ matrix_mx_puppet_slack_appservice_port }}' diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index 15fa889f..c3ac977e 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -22,7 +22,7 @@ matrix_mx_puppet_steam_docker_src_files_path: "{{ matrix_mx_puppet_steam_base_pa matrix_mx_puppet_steam_appservice_port: "8432" -matrix_mx_puppet_steam_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_steam_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mx_puppet_steam_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_steam_appservice_address: 'http://matrix-mx-puppet-steam:{{ matrix_mx_puppet_steam_appservice_port }}' diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index 28639fda..d8582e53 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -22,7 +22,7 @@ matrix_mx_puppet_twitter_docker_src_files_path: "{{ matrix_mx_puppet_twitter_bas matrix_mx_puppet_twitter_appservice_port: "8432" -matrix_mx_puppet_twitter_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_twitter_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mx_puppet_twitter_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_twitter_appservice_address: 'http://matrix-mx-puppet-twitter:{{ matrix_mx_puppet_twitter_appservice_port }}' diff --git a/roles/matrix-dimension/templates/config.yaml.j2 b/roles/matrix-dimension/templates/config.yaml.j2 index 200871e7..39721d71 100644 --- a/roles/matrix-dimension/templates/config.yaml.j2 +++ b/roles/matrix-dimension/templates/config.yaml.j2 @@ -13,7 +13,7 @@ homeserver: # The URL that Dimension, go-neb, and other services provisioned by Dimension should # use to access the homeserver with. - clientServerUrl: "http://matrix-synapse:8008" + clientServerUrl: "{{ matrix_homeserver_container_url }}" # The URL that Dimension should use when trying to communicate with federated APIs on # the homeserver. If not supplied or left empty Dimension will try to resolve the address From 70dcdd41a738f2450060b89f9c6f0d59b02727a7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 14:02:06 +0200 Subject: [PATCH 1843/2384] Simplify matrix-remove-all We don't have instantiated services anymore, nor /etc/systemd/system/matrix-synapse.service.wants/ stuff. --- .../templates/usr-local-bin/matrix-remove-all.j2 | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 index 01e0ac70..f4b23b44 100644 --- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 @@ -16,20 +16,8 @@ if [ "$sure" != "Yes, I really want to remove everything!" ]; then else echo "Stop and remove matrix services" - # Look for and stop services, avoiding things like - # 'matrix-synapse-worker@.service' (just a template for instantiated services; can't stop it directly). - # We use '-xtype f' and not '-type f', because we wish to match symlinks like this: - # '/etc/systemd/system/matrix-synapse.service.wants/matrix-synapse-worker@generic_worker:18111.service' - # and stop these instantiated services as well. - for s in $(find {{ matrix_systemd_path }}/ -xtype f -name "matrix-*" -printf "%f\n" | grep -v '@.service' | uniq); do + for s in $(find {{ matrix_systemd_path }}/ -type f -name "matrix-*" -printf "%f\n"); do systemctl disable --now $s - done - - # Get rid of regular service files, as well as symlinks like - # '/etc/systemd/system/matrix-synapse.service.wants/matrix-synapse-worker@generic_worker:18111.service' - # and even - # '/etc/systemd/system/multi-user.target.wants/matrix-synapse.service'. - for s in $(find {{ matrix_systemd_path }}/ -xtype f -name "matrix-*" -printf "%p\n"); do rm -f {{ matrix_systemd_path }}/$s done From dd24942c036ac0bfd5d2ad6fa5b60d036c6167cc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 15:15:27 +0200 Subject: [PATCH 1844/2384] Use |to_json for mautrix-telegram config Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/824 --- .../templates/config.yaml.j2 | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 index 52efba02..d2848ec1 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 @@ -13,7 +13,7 @@ homeserver: # Changing these values requires regeneration of the registration. appservice: # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_telegram_appservice_address }} + address: {{ matrix_mautrix_telegram_appservice_address|to_json }} # The hostname and port where this appservice should listen. hostname: 0.0.0.0 @@ -36,10 +36,10 @@ appservice: # Whether or not the public-facing endpoints should be enabled. enabled: true # The prefix to use in the public-facing endpoints. - prefix: {{ matrix_mautrix_telegram_public_endpoint }} + prefix: {{ matrix_mautrix_telegram_public_endpoint|to_json }} # The base URL where the public-facing endpoints are available. The prefix is not added # implicitly. - external: {{ matrix_mautrix_telegram_appservice_public_external }} + external: {{ matrix_mautrix_telegram_appservice_public_external|to_json }} # Provisioning API part of the web server for automated portal creation and fetching information. # Used by things like Dimension (https://dimension.t2bot.io/). @@ -62,8 +62,8 @@ appservice: bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX # Authentication tokens for AS <-> HS communication. - as_token: "{{ matrix_mautrix_telegram_appservice_token }}" - hs_token: "{{ matrix_mautrix_telegram_homeserver_token }}" + as_token: {{ matrix_mautrix_telegram_appservice_token|to_json }} + hs_token: {{ matrix_mautrix_telegram_homeserver_token|to_json }} # Bridge config bridge: @@ -330,10 +330,10 @@ bridge: # Telegram config telegram: # Get your own API keys at https://my.telegram.org/apps - api_id: {{ matrix_mautrix_telegram_api_id }} - api_hash: {{ matrix_mautrix_telegram_api_hash }} + api_id: {{ matrix_mautrix_telegram_api_id|to_json }} + api_hash: {{ matrix_mautrix_telegram_api_hash|to_json }} # (Optional) Create your own bot at https://t.me/BotFather - bot_token: {{ matrix_mautrix_telegram_bot_token }} + bot_token: {{ matrix_mautrix_telegram_bot_token|to_json }} # Telethon connection options. connection: From a535226210a0cbe100219cf69bb97db7c9941039 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 15:20:37 +0200 Subject: [PATCH 1845/2384] Stop/disable unnecessary worker services before deleting them --- .../tasks/workers/setup_install.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/roles/matrix-synapse/tasks/workers/setup_install.yml b/roles/matrix-synapse/tasks/workers/setup_install.yml index ff34210a..c77bd737 100644 --- a/roles/matrix-synapse/tasks/workers/setup_install.yml +++ b/roles/matrix-synapse/tasks/workers/setup_install.yml @@ -1,26 +1,35 @@ --- -- name: Find worker configs to be cleaned +- name: Determine current worker configs find: path: "{{ matrix_synapse_config_dir_path }}" patterns: "worker.*.yaml" use_regex: true register: matrix_synapse_workers_current_config_files +# This also deletes some things which we need. They will be recreated below. - name: Ensure previous worker configs are cleaned file: path: "{{ item.path }}" state: absent with_items: "{{ matrix_synapse_workers_current_config_files.files }}" -- name: Find worker systemd services to be cleaned +- name: Determine current worker systemd services find: path: "{{ matrix_systemd_path }}" patterns: "matrix-synapse-worker.*.service" use_regex: true register: matrix_synapse_workers_current_systemd_services -- name: Ensure previous worker systemd services are cleaned +- name: Ensure unnecessary worker systemd services are stopped and disabled + service: + name: "{{ item.path|basename }}" + state: stopped + enabled: false + with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" + when: "not ansible_check_mode and item.path|basename not in matrix_systemd_services_list" + +- name: Ensure unnecessary worker systemd services are cleaned file: path: "{{ item.path }}" state: absent From d9bf2f59db84971fa95bd7fc1e26180c465c766e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jan 2021 15:36:08 +0200 Subject: [PATCH 1846/2384] Fix adminme.js usage for matrix-appservice-discord (still hacky) Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/795 and https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/822 A better fix will come later: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/825 --- docs/configuring-playbook-bridge-appservice-discord.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index f3efc555..82a2edc2 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -38,8 +38,9 @@ To [adjust room access privileges](#adjusting-room-access-privileges) or do vari There's the Discord bridge's guide for [setting privileges on bridge managed rooms](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#set-privileges-on-bridge-managed-rooms). To do the same with our container setup, run the following command on the server: -``` -docker exec -it matrix-appservice-discord /bin/sh -c 'cp /build/tools/adminme.js /tmp/adminme.js && cp /cfg/registration.yaml /tmp/discord-registration.yaml && cd /tmp && node /tmp/adminme.js -c /cfg/config.yaml -r "!ROOM_ID:SERVER" -u "@USER:SERVER" -p 100' +```sh +docker exec -it matrix-appservice-discord \ +/bin/sh -c 'cp /cfg/registration.yaml /tmp/discord-registration.yaml && cd /tmp && node /build/tools/adminme.js -c /cfg/config.yaml -m "!ROOM_ID:SERVER" -u "@USER:SERVER" -p 100' ``` From 8355348aae080da8eefac7c089a5c91480bd1888 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Wed, 20 Jan 2021 15:52:26 +0100 Subject: [PATCH 1847/2384] Etherpad documentation --- README.md | 2 ++ docs/configuring-playbook-etherpad.md | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 docs/configuring-playbook-etherpad.md diff --git a/README.md b/README.md index 93c022d9..26e059af 100644 --- a/README.md +++ b/README.md @@ -77,6 +77,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients - see [docs/configuring-playbook-dimension.md](docs/configuring-playbook-dimension.md) for setup documentation +- (optional) [Etherpad](https://etherpad.org), an open source collaborative text editor - see [docs/configuring-playbook-etherpad.md](docs/configuring-playbook-etherpad.md) for setup documentation + - (optional) [Jitsi](https://jitsi.org/), an open source video-conferencing platform - see [docs/configuring-playbook-jitsi.md](docs/configuring-playbook-jitsi.md) for setup documentation - (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md new file mode 100644 index 00000000..9ec24d33 --- /dev/null +++ b/docs/configuring-playbook-etherpad.md @@ -0,0 +1,26 @@ +# Setting up Etherpad (optional) + +[Etherpad](https://etherpad.org) is is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) + +When enabled together with Jitsi, it will be made available as an option during the conferences. + +## Prerequisites + +For the self-hosted Etherpad instance to be available to your users, you must first enable and configure the **Dimension integrations manager** as described in [the playbook documentation](configuring-playbook-dimension.md) + +## Enable + +[Etherpad](https://etherpad.org) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_etherpad_enabled: true +``` + +## Set Dimension default to the self-hosted Etherpad + +The Dimension administrator users can configure the default URL template. The Dimension configuration menu can be accessed with the sprocket icon as you begin to add a widget to a room in Element. There you will find the Etherpad Widget Configuration action beneath the _Widgets_ tab. Replace `scalar.vector.im` with your own Dimension domain. + +### Removing the integrated Etherpad chat + +If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. +Example: `https://dimension./etherpad/p/$roomId_$padName?showChat=false` From 4b451ff782000d49c1c5b601447bc240369a3f91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Thu, 21 Jan 2021 00:06:35 +0100 Subject: [PATCH 1848/2384] Etherpad role --- group_vars/matrix_servers | 29 +++++ roles/matrix-etherpad/defaults/main.yml | 93 +++++++++++++++ roles/matrix-etherpad/tasks/init.yml | 3 + roles/matrix-etherpad/tasks/main.yml | 15 +++ roles/matrix-etherpad/tasks/setup_install.yml | 36 ++++++ .../matrix-etherpad/tasks/setup_uninstall.yml | 35 ++++++ .../matrix-etherpad/tasks/validate_config.yml | 7 ++ .../templates/settings.json.j2 | 106 ++++++++++++++++++ .../systemd/matrix-etherpad.service.j2 | 49 ++++++++ setup.yml | 1 + 10 files changed, 374 insertions(+) create mode 100644 roles/matrix-etherpad/defaults/main.yml create mode 100644 roles/matrix-etherpad/tasks/init.yml create mode 100644 roles/matrix-etherpad/tasks/main.yml create mode 100644 roles/matrix-etherpad/tasks/setup_install.yml create mode 100644 roles/matrix-etherpad/tasks/setup_uninstall.yml create mode 100644 roles/matrix-etherpad/tasks/validate_config.yml create mode 100644 roles/matrix-etherpad/templates/settings.json.j2 create mode 100644 roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 7c736ba4..50d34bcc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -757,7 +757,30 @@ matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | pas # ###################################################################### +###################################################################### +# +# matrix-etherpad +# +###################################################################### + +matrix_etherpad_enabled: false +matrix_etherpad_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + }} + +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_etherpad_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_etherpad_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'etherpad.db') | to_uuid }}" + +###################################################################### +# +# /matrix-etherpad +# +###################################################################### ###################################################################### # @@ -1146,6 +1169,12 @@ matrix_postgres_additional_databases: | 'username': matrix_dimension_database_username, 'password': matrix_dimension_database_password, }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == 'matrix-postgres') else []) + + + ([{ + 'name': matrix_etherpad_database_name, + 'username': matrix_etherpad_database_username, + 'password': matrix_etherpad_database_password, + }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == 'matrix-postgres') else []) }} matrix_postgres_import_roles_to_ignore: | diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml new file mode 100644 index 00000000..353adac7 --- /dev/null +++ b/roles/matrix-etherpad/defaults/main.yml @@ -0,0 +1,93 @@ +matrix_etherpad_enabled: false + +matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" + +matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:latest" +matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" + +# List of systemd services that matrix-etherpad.service depends on. +matrix_etherpad_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-etherpad.service wants +matrix_etherpad_systemd_wanted_services_list: [] + +# Container user has to be able to write to the source file directories until this bug is fixed: +# https://github.com/ether/etherpad-lite/issues/2683 +matrix_etherpad_user_uid: '5001' +matrix_etherpad_user_gid: '5001' + +# Controls whether the matrix-etherpad container exposes its HTTP port (tcp/9001 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9001"), or empty string to not expose. +matrix_etherpad_container_http_host_bind_port: '9001' + +# A list of extra arguments to pass to the container +matrix_etherpad_container_extra_arguments: [] + +matrix_etherpad_public_endpoint: '/etherpad' + +# By default, the Etherpad app can be accessed within the Dimension domain +matrix_etherpad_base_url: "https://{{ matrix_server_fqn_dimension }}{{ matrix_etherpad_public_endpoint }}" + +# Database-related configuration fields. +# +# Etherpad recommends using a dedicated database, and supports Sqliite only for development +# +# To use Postgres: +# - change the engine (`matrix_etherpad_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_etherpad_postgres_*` variables +matrix_etherpad_database_engine: 'sqlite' + +matrix_etherpad_sqlite_database_path_local: "{{ matrix_etherpad_base_path }}/etherpad.db" +matrix_etherpad_sqlite_database_path_in_container: "/data/etherpad.db" + +matrix_etherpad_database_username: 'matrix_etherpad' +matrix_etherpad_database_password: 'some-password' +matrix_etherpad_database_hostname: 'matrix-postgres' +matrix_etherpad_database_port: 5432 +matrix_etherpad_database_name: 'matrix_etherpad' + +matrix_etherpad_database_connection_string: 'postgres://{{ matrix_etherpad_database_username }}:{{ matrix_etherpad_database_password }}@{{ matrix_etherpad_database_hostname }}:{{ matrix_etherpad_database_port }}/{{ matrix_etherpad_database_name }}' + +# Variables configuring the etherpad +matrix_etherpad_title: 'Etherpad' +matrix_etherpad_default_pad_text: | + Welcome to Etherpad! + + This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents! + + Get involved with Etherpad at https://etherpad.org + +# Default Etherpad configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_etherpad_configuration_extension_json`) +# or completely replace this variable with your own template. +matrix_etherpad_configuration_default: "{{ lookup('template', 'templates/settings.json.j2') }}" + +# Your custom JSON configuration for Etherpad goes here. +# This configuration extends the default starting configuration (`matrix_etherpad_configuration_json`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_etherpad_configuration_json`. +# +# Example configuration extension follows: +# +# matrix_etherpad_configuration_extension_json: | +# { +# "loadTest": true, +# "commitRateLimiting": { +# "duration": 1, +# "points": 10 +# } +# } +# +matrix_etherpad_configuration_extension_json: '{}' + +matrix_etherpad_configuration_extension: "{{ matrix_etherpad_configuration_extension_json|from_json if matrix_etherpad_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final Etherpad configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_etherpad_configuration_json`. +matrix_etherpad_configuration: "{{ matrix_etherpad_configuration_default|combine(matrix_etherpad_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-etherpad/tasks/init.yml b/roles/matrix-etherpad/tasks/init.yml new file mode 100644 index 00000000..7496d4b4 --- /dev/null +++ b/roles/matrix-etherpad/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-etherpad.service'] }}" + when: matrix_etherpad_enabled|bool diff --git a/roles/matrix-etherpad/tasks/main.yml b/roles/matrix-etherpad/tasks/main.yml new file mode 100644 index 00000000..09ead973 --- /dev/null +++ b/roles/matrix-etherpad/tasks/main.yml @@ -0,0 +1,15 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: run_setup|bool and matrix_etherpad_enabled|bool + tags: + - setup-all + - setup-etherpad + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: run_setup|bool and not matrix_etherpad_enabled|bool + tags: + - setup-all + - setup-etherpad diff --git a/roles/matrix-etherpad/tasks/setup_install.yml b/roles/matrix-etherpad/tasks/setup_install.yml new file mode 100644 index 00000000..a93c28de --- /dev/null +++ b/roles/matrix-etherpad/tasks/setup_install.yml @@ -0,0 +1,36 @@ +--- + +- name: Ensure Etherpad base path exists + file: + path: "{{ matrix_etherpad_base_path }}" + state: directory + mode: 0770 + owner: "{{ matrix_etherpad_user_uid }}" + group: "{{ matrix_etherpad_user_gid }}" + +- name: Ensure Etherpad config installed + copy: + content: "{{ matrix_etherpad_configuration|to_nice_json }}" + dest: "{{ matrix_etherpad_base_path }}/settings.json" + mode: 0640 + owner: "{{ matrix_etherpad_user_uid }}" + group: "{{ matrix_etherpad_user_gid }}" + +- name: Ensure Etherpad image is pulled + docker_image: + name: "{{ matrix_etherpad_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_etherpad_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_etherpad_docker_image_force_pull }}" + +- name: Ensure matrix-etherpad.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-etherpad.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-etherpad.service" + mode: 0644 + register: matrix_etherpad_systemd_service_result + +- name: Ensure systemd reloaded after matrix-etherpad.service installation + service: + daemon_reload: yes + when: "matrix_etherpad_systemd_service_result.changed|bool" diff --git a/roles/matrix-etherpad/tasks/setup_uninstall.yml b/roles/matrix-etherpad/tasks/setup_uninstall.yml new file mode 100644 index 00000000..865389f2 --- /dev/null +++ b/roles/matrix-etherpad/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-etherpad service + stat: + path: "{{ matrix_systemd_path }}/matrix-etherpad.service" + register: matrix_etherpad_service_stat + +- name: Ensure matrix-etherpad is stopped + service: + name: matrix-etherpad + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_etherpad_service_stat.stat.exists|bool" + +- name: Ensure matrix-etherpad.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-etherpad.service" + state: absent + when: "matrix_etherpad_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-etherpad.service removal + service: + daemon_reload: yes + when: "matrix_etherpad_service_stat.stat.exists|bool" + +- name: Ensure Etherpad base directory doesn't exist + file: + path: "{{ matrix_etherpad_base_path }}" + state: absent + +- name: Ensure Dimension Docker image doesn't exist + docker_image: + name: "{{ matrix_etherpad_docker_image }}" + state: absent diff --git a/roles/matrix-etherpad/tasks/validate_config.yml b/roles/matrix-etherpad/tasks/validate_config.yml new file mode 100644 index 00000000..e5621a07 --- /dev/null +++ b/roles/matrix-etherpad/tasks/validate_config.yml @@ -0,0 +1,7 @@ +- name: Fail if required Etherpad settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using Etherpad. + with_items: + - + when: "matrix_etherpad_enabled and vars[item] == ''" diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 new file mode 100644 index 00000000..6435cf6d --- /dev/null +++ b/roles/matrix-etherpad/templates/settings.json.j2 @@ -0,0 +1,106 @@ +{ + "title": {{ matrix_etherpad_title|to_json }}, + "favicon": "favicon.ico", + "skinName": "colibris", + "skinVariants": "super-light-toolbar super-light-editor light-background", + "ip": "::", + "port": 9001, + "showSettingsInAdminPage": true, + "dbType": {{ matrix_etherpad_database_engine|to_json }}, + "dbSettings": { + {% if matrix_etherpad_database_engine == 'sqlite' %} + "filename": {{ matrix_etherpad_sqlite_database_path_in_container|to_json }} + {% elif matrix_etherpad_database_engine == 'postgres' %} + "database": {{ matrix_etherpad_database_name|to_json }}, + "host": {{ matrix_etherpad_database_hostname|to_json }}, + "password": {{ matrix_etherpad_database_password|to_json }}, + "port": {{ matrix_etherpad_database_port|to_json }}, + "user": {{ matrix_etherpad_database_username|to_json }} + {% endif %} + }, + "defaultPadText" : {{ matrix_etherpad_default_pad_text|to_json }}, + "suppressErrorsInPadText": false, + "requireSession": false, + "editOnly": false, + "minify": true, + "maxAge": 21600, + "abiword": null, + "soffice": null, + "tidyHtml": null, + "allowUnknownFileEnds": true, + "requireAuthentication": false, + "requireAuthorization": false, + "trustProxy": true, + "cookie": { + "sameSite": "Lax" + }, + "disableIPlogging": true, + "automaticReconnectionTimeout": 0, + "scrollWhenFocusLineIsOutOfViewport": { + "percentage": { + "editionAboveViewport": 0, + "editionBelowViewport": 0 + }, + "duration": 0, + "scrollWhenCaretIsInTheLastLineOfViewport": false, + "percentageToScrollWhenUserPressesArrowUp": 0 + }, + "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], + "loadTest": false, + "importExportRateLimiting": { + "windowMs": 90000, + "max": 10 + }, + "importMaxFileSize": 52428800, + "commitRateLimiting": { + "duration": 1, + "points": 10 + }, + "exposeVersion": false, + "padOptions": { + "noColors": false, + "showControls": true, + "showChat": false, + "showLineNumbers": true, + "useMonospaceFont": false, + "userName": false, + "userColor": false, + "rtl": false, + "alwaysShowChat": false, + "chatAndUsers": false, + "lang": "en-gb" + }, + "padShortcutEnabled" : { + "altF9": true, + "altC": true, + "cmdShift2": true, + "delete": true, + "return": true, + "esc": true, + "cmdS": true, + "tab": true, + "cmdZ": true, + "cmdY": true, + "cmdI": true, + "cmdB": true, + "cmdU": true, + "cmd5": true, + "cmdShiftL": true, + "cmdShiftN": true, + "cmdShift1": true, + "cmdShiftC": true, + "cmdH": true, + "ctrlHome": true, + "pageUp": true, + "pageDown": true + }, + "loglevel": "INFO", + "logconfig" : + { "appenders": [ + { "type": "console", + "layout": {"type": "messagePassThrough"} + } + ] + }, + "customLocaleStrings": {} +} diff --git a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 new file mode 100644 index 00000000..6f662aa7 --- /dev/null +++ b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 @@ -0,0 +1,49 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Etherpad +{% for service in matrix_etherpad_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_etherpad_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-etherpad +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-etherpad + +# Fixup database ownership if it got changed somehow (during a server migration, etc.) +{% if matrix_etherpad_database_engine == 'sqlite' %} +ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_etherpad_user_uid }} {{ matrix_etherpad_sqlite_database_path_local }} +{% endif %} + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-etherpad \ + --log-driver=none \ + --user={{ matrix_etherpad_user_uid }}:{{ matrix_etherpad_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_etherpad_container_http_host_bind_port %} + -p {{ matrix_etherpad_container_http_host_bind_port }}:9001 \ + {% endif %} + --mount type=bind,src={{ matrix_etherpad_base_path }},dst=/data \ + {% for arg in matrix_etherpad_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_etherpad_docker_image }} \ + node --experimental-worker /opt/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js \ + --settings /data/settings.json --credentials /data/credentials.json \ + --sessionkey /data/sessionkey.json --apikey /data/apijey.json + + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-etherpad +ExecStop=-{{ matrix_host_command_docker }} rm matrix-etherpad +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-etherpad + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index d070bcae..9bb1788f 100755 --- a/setup.yml +++ b/setup.yml @@ -33,6 +33,7 @@ - matrix-jitsi - matrix-ma1sd - matrix-dimension + - matrix-etherpad - matrix-email2matrix - matrix-nginx-proxy - matrix-coturn From 38bf1eda7026b75ddf0993910e50f8b0ecb6467b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Thu, 21 Jan 2021 00:06:59 +0100 Subject: [PATCH 1849/2384] Etherpad Jitsi integration --- group_vars/matrix_servers | 7 +++++++ roles/matrix-jitsi/defaults/main.yml | 3 +++ roles/matrix-jitsi/templates/web/custom-config.js.j2 | 3 +++ roles/matrix-jitsi/templates/web/env.j2 | 2 ++ 4 files changed, 15 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 50d34bcc..5d76a60c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -843,6 +843,13 @@ matrix_jitsi_web_stun_servers: | else [ 'stun:meet-jit-si-turnrelay.jitsi.net:443'] }} +# If the self-hosted Etherpad instance is available, it will also show up in Jitsi conferences, +# unless explicitly disabled by setting `matrix_jitsi_etherpad_enabled` to false. +# Falls back to the scalar.vector.im etherpad in case someone sets `matrix_jitsi_etherpad_enabled` to true, +# while also setting `matrix_etherpad_enabled` to false. +matrix_jitsi_etherpad_enabled: "{{ matrix_etherpad_enabled }}" +matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enabled else 'https://scalar.vector.im/etherpad' }}" + ###################################################################### # # /matrix-jitsi diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 924198b4..028d9c19 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -67,6 +67,9 @@ matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" # Addresses need to be prefixed with one of `stun:`, `turn:` or `turns:`. matrix_jitsi_web_stun_servers: ['stun:meet-jit-si-turnrelay.jitsi.net:443'] +# Controls whether Etherpad will be available within Jitsi +matrix_jitsi_etherpad_enabled: false + # Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:12080"), or empty string to not expose. diff --git a/roles/matrix-jitsi/templates/web/custom-config.js.j2 b/roles/matrix-jitsi/templates/web/custom-config.js.j2 index 02316ca0..bbe85798 100644 --- a/roles/matrix-jitsi/templates/web/custom-config.js.j2 +++ b/roles/matrix-jitsi/templates/web/custom-config.js.j2 @@ -11,5 +11,8 @@ config.p2p.stunServers = [ ]; {% endif %} +{% if matrix_jitsi_etherpad_enabled %} +config.etherpad_base = {{ (matrix_jitsi_etherpad_base + '/p/') |to_json }} +{% endif %} {{ matrix_jitsi_web_custom_config_extension }} diff --git a/roles/matrix-jitsi/templates/web/env.j2 b/roles/matrix-jitsi/templates/web/env.j2 index 353a3d14..7b763a3c 100644 --- a/roles/matrix-jitsi/templates/web/env.j2 +++ b/roles/matrix-jitsi/templates/web/env.j2 @@ -37,4 +37,6 @@ RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }} START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }} START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }} +ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}} + {{ matrix_jitsi_web_environment_variables_extension }} From 7bc9be95cb2225b3ccdd8db2ff6e604e345157ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Thu, 21 Jan 2021 13:32:25 +0100 Subject: [PATCH 1850/2384] Add map directive to the base of nginx.conf This needs to be added for WebSocket upgrades to work properly (see doc: http://nginx.org/en/docs/http/websocket.html) --- roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index 975c8b4f..facb0901 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -45,6 +45,11 @@ http { keepalive_timeout 65; #gzip on; + {# Map directive needed for proxied WebSocket upgrades #} + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } include /etc/nginx/conf.d/*.conf; } From 42f338016ba87480a948d89e224901dd8215673e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Thu, 21 Jan 2021 15:27:29 +0100 Subject: [PATCH 1851/2384] Etherpad matrix-nginx-proxy configuration --- roles/matrix-etherpad/tasks/init.yml | 59 ++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/roles/matrix-etherpad/tasks/init.yml b/roles/matrix-etherpad/tasks/init.yml index 7496d4b4..081d4c23 100644 --- a/roles/matrix-etherpad/tasks/init.yml +++ b/roles/matrix-etherpad/tasks/init.yml @@ -1,3 +1,62 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-etherpad.service'] }}" when: matrix_etherpad_enabled|bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: >- + Trying to append Etherpad's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-etherpad role. + when: matrix_nginx_proxy_role_executed|default(False)|bool + + - name: Generate Etherpad proxying configuration for matrix-nginx-proxy + set_fact: + matrix_etherpad_matrix_nginx_proxy_configuration: | + rewrite ^{{ matrix_etherpad_public_endpoint }}$ $scheme://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent; + + location {{ matrix_etherpad_public_endpoint }}/ { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + proxy_pass http://matrix-etherpad:9001/; + {# These are proxy directives needed specifically by Etherpad #} + proxy_buffering off; + proxy_http_version 1.1; # recommended with keepalive connections + proxy_pass_header Server; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used + # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + {% else %} + {# Generic configuration for use outside of our container setup #} + # A good guide for setting up your Etherpad behind nginx: + # https://docs.gandi.net/en/cloud/tutorials/etherpad_lite.html + proxy_pass http://127.0.0.1:9001/; + {% endif %} + } + + - name: Register Etherpad proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks|default([]) + + + [matrix_etherpad_matrix_nginx_proxy_configuration] + }} + tags: + - always + when: matrix_etherpad_enabled|bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: >- + NOTE: You've enabled the Etherpad tool but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_etherpad_public_endpoint }}` + URL endpoint to the matrix-etherpad container. + You can expose the container's port using the `matrix_etherpad_container_http_host_bind_port` variable. + when: "matrix_etherpad_enabled|bool and matrix_nginx_proxy_enabled is not defined" From 26542308b32cc2af97e27088749b79913e31a630 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 26 Jan 2021 10:00:07 +0200 Subject: [PATCH 1852/2384] Use |to_json in more places in matrix-appservice-discord config I don't think this was causing an issue, but it might if the bot token has a more special value in the future. Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/828 --- .../templates/config.yaml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 index b2ecd198..6286a5d4 100644 --- a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2 @@ -1,10 +1,10 @@ #jinja2: lstrip_blocks: "True" bridge: # Domain part of the bridge, e.g. matrix.org - domain: {{ matrix_appservice_discord_bridge_domain }} + domain: {{ matrix_appservice_discord_bridge_domain|to_json }} # This should be your publically facing URL because Discord may use it to # fetch media from the media store. - homeserverUrl: {{ matrix_appservice_discord_bridge_homeserverUrl }} + homeserverUrl: {{ matrix_appservice_discord_bridge_homeserverUrl|to_json }} # Interval at which to process users in the 'presence queue'. If you have # 5 users, one user will be processed every 500 milliseconds according to the # value below. This has a minimum value of 250. @@ -33,7 +33,7 @@ bridge: # Authentication configuration for the discord bot. auth: clientID: {{ matrix_appservice_discord_client_id|string|to_json }} - botToken: {{ matrix_appservice_discord_bot_token }} + botToken: {{ matrix_appservice_discord_bot_token|to_json }} # You must enable "Privileged Gateway Intents" in your bot settings on discord.com (e.g. https://discord.com/developers/applications/12345/bot) # for this to work usePrivilegedIntents: {{ matrix_appservice_discord_auth_usePrivilegedIntents|to_json }} From 346f8b347536575b84e020860d08d255009317d2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 26 Jan 2021 10:13:08 +0200 Subject: [PATCH 1853/2384] Fix typo --- roles/matrix-etherpad/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 353adac7..19a79bd1 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -31,7 +31,7 @@ matrix_etherpad_base_url: "https://{{ matrix_server_fqn_dimension }}{{ matrix_et # Database-related configuration fields. # -# Etherpad recommends using a dedicated database, and supports Sqliite only for development +# Etherpad recommends using a dedicated database, and supports Sqlite only for development # # To use Postgres: # - change the engine (`matrix_etherpad_database_engine: 'postgres'`) From e443b376b9e7b20948066bd2ea3d34dec8274c41 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 26 Jan 2021 17:19:28 +0200 Subject: [PATCH 1854/2384] Improve "things to do after installation" docs section --- docs/configuring-playbook.md | 2 +- docs/installing.md | 24 ++++++++++++++++-------- 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 11b801a7..90dc01c5 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -33,7 +33,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the Jitsi video-conferencing platform](configuring-playbook-jitsi.md) (optional) -- [Setting Dynamic DNS](configuring-playbook-dynamic-dns.md) (optional) +- [Setting up Dynamic DNS](configuring-playbook-dynamic-dns.md) (optional) ### Core service adjustments diff --git a/docs/installing.md b/docs/installing.md index a2ce1371..0e9dadd1 100644 --- a/docs/installing.md +++ b/docs/installing.md @@ -36,11 +36,19 @@ When you're ready to start the Matrix services (and set them up to auto-start in ansible-playbook -i inventory/hosts setup.yml --tags=start ``` -Now that the services are running, you might want to: - -- **finalize the installation process** (required for federation to work!) by [Configuring Service Discovery via .well-known](configuring-well-known.md) -- or [create your first user account](registering-users.md) -- or [set up the Dimension Integrations Manager](configuring-playbook-dimension.md) -- or [check if services work](maintenance-checking-services.md) -- or learn how to [upgrade your services when new versions are released](maintenance-upgrading-services.md) -- or learn how to [migrate to another server](maintenance-migrating.md) +Now that services are running, you need to **finalize the installation process** (required for federation to work!) by [Configuring Service Discovery via .well-known](configuring-well-known.md) + + +## Things to do next + +If you have started services and **finalized the installation process** (required for federation to work!) by [Configuring Service Discovery via .well-known](configuring-well-known.md), you can: + +- [check if services work](maintenance-checking-services.md) +- or [create your first Matrix user account](registering-users.md) +- or [set up additional services](configuring-playbook.md#other-configuration-options) (bridges to other chat networks, bots, etc.) +- or learn how to [upgrade services when new versions are released](maintenance-upgrading-services.md) +- or learn how to [maintain your server](faq.md#maintenance) +- or join some Matrix rooms: + * via the *Explore rooms* feature in Element or some other client, or by discovering them using this [matrix-static list](https://view.matrix.org). Note: joining large rooms may overload small servers. + * or come say Hi in our support room - [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com). You might learn something or get to help someone else new to Matrix hosting. +- or help make this playbook better by contributing (code, documentation, or [coffee/beer](https://liberapay.com/s.pantaleev/donate)) From deff7421fb98580e4f311ad101f79cb9df6ba86c Mon Sep 17 00:00:00 2001 From: phirz <55414535+phirz@users.noreply.github.com> Date: Wed, 27 Jan 2021 00:13:22 +0100 Subject: [PATCH 1855/2384] Correct some typos in FAQ --- docs/faq.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index fcdc7e8c..a6782231 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -21,11 +21,11 @@ For a lot more generic questions and answers, see the [matrix.org FAQ](https://m [Matrix](https://matrix.org/) is a new type of realtime communication (chat) network, the closest analogy to which is probably "email". -You don't just use the "email" protocols (SMTP, POP3, IMAP) directly though. There's a some *server* somewhere which stores your data (`@gmail.com`, `@yahoo.com`, `@hotmail.com`, `@your-company.com`) and you access using these "email" protocol using use some *client* program (Outlook, Thunderbird, some website, etc). +You don't just use the "email" protocols (SMTP, POP3, IMAP) directly though. There's a *server* somewhere which stores your data (`@gmail.com`, `@yahoo.com`, `@hotmail.com`, `@your-company.com`) and you access it by using these "email" protocols via some *client* program (Outlook, Thunderbird, some website, etc). In the world of the Matrix chat protocol, there are various client programs. The first and currently most full-featured one is called [Element](https://element.io/) (used to be called Riot.im and Vector.im in the past). There are [many other clients](https://matrix.org/clients/). You can switch clients as much as you want until you find the one that is right for you on a given platform (you may use Element on your desktop, but Fluffychat on your phone, etc). -Matrix is also like email due to the fact that are many servers around the world which can all talk to each other (you can send email from `@gmail.com` addresses to `@yahoo.com` and `@hotmail.com` addresses). It's the same with Matrix (`@bob:his-domain.com` can talk to `@alice:her-domain.org`). +Matrix is also like email due to the fact that there are many servers around the world which can all talk to each other (you can send email from `@gmail.com` addresses to `@yahoo.com` and `@hotmail.com` addresses). It's the same with Matrix (`@bob:his-domain.com` can talk to `@alice:her-domain.org`). If someone else is hosting your Matrix server (you being `@user:matrix.org` or some other public server like this), all you need is a Matrix client program, like Element. @@ -37,11 +37,11 @@ In short: - Element is a client program you can use to participate on the Matrix chat network via some server (yours or someone else's). There are also [many other client programs](https://matrix.org/clients/). - Synapse is a server program you can use to host your very own Matrix server. -This FAQ here mostly focuses on installing Matrix services using the Ansible automation tool. You can learn much more about Matrix in the [matrix.org FAQ](https://matrix.org/faq/). +This FAQ here mostly focuses on installing various Matrix services using the Ansible automation tool. You can learn much more about Matrix in the [matrix.org FAQ](https://matrix.org/faq/). ## People I wish to talk to are not on Matrix. Can I talk to them? -You most likely can. Besides Matrix-native chats, Matrix also supports this concept of "bridging", which allows you to plug other networks into it. +You most likely can. Besides Matrix-native chats, Matrix also supports the concept of "bridging", which allows you to plug other networks into it. This Ansible playbook can help you install [tens of bridges for various networks](configuring-playbook.md#bridging-other-networks). @@ -82,9 +82,9 @@ To learn more, see our [dedicated Ansible documentation page](ansible.md). ### Why use this playbook and not install Synapse and other things manually? -There's various guides telling you how easy it is to install [Synapse](https://github.com/matrix-org/synapse). +There are various guides telling you how easy it is to install [Synapse](https://github.com/matrix-org/synapse). -Reading this Ansible playbook's documentation, you may also be thinking: +Reading the documentation of this Ansible playbook, you may also be thinking: > I don't know what [Ansible](https://www.ansible.com/) is. I don't know what [Docker](https://www.docker.com/) is. This looks more complicated. @@ -173,7 +173,7 @@ It also lets us have a unified setup which runs the same across various supporte ### Is Docker a hard requirement? -Yes. See [Why don't you use Podman instead of Docker?](#is-docker-a-hard-requirement) for why we're not using another container runtime. +Yes. See [Why don't you use Podman instead of Docker?](#why-dont-you-use-podman-instead-of-docker) for why we're not using another container runtime. All of our services run in containers. It's how we achieve predictability and also how we support tens of different services across lots of distros. @@ -203,7 +203,7 @@ This largely depends on your use case. It's not so much the number of users that Federated rooms with lots of history and containing hundreds of other servers are very heavy CPU-wise and memory-wise. -You can probably use a 1 CPU + 1GB memory server to host hundreds of local users just fine, but as soon as of them joins a federated room like `#matrix:matrix.org` (Matrix HQ) or some IRC-bridged room (say `##linux`), your server will get the need for a lot more power (at least 2GB RAM, etc). +You can probably use a 1 CPU + 1GB memory server to host hundreds of local users just fine, but as soon as one of them joins a federated room like `#matrix:matrix.org` (Matrix HQ) or some IRC-bridged room (say `##linux`), your server will get the need for a lot more power (at least 2GB RAM, etc). Running Matrix on a server with 1GB of memory is possible (especially if you disable some not-so-important services). See [How do I optimize this setup for a low-power server?](#how-do-i-optimize-this-setup-for-a-low-power-server). @@ -220,7 +220,7 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you ### Why install my server at matrix.DOMAIN and not at the base DOMAIN? -It's the same with email servers. Your email address is likely `name@company.com`, not `name@mail.company.com`, even though it's really `mail.company.com` that is really handling your data for `@company.com` email to work. +It's the same with email servers. Your email address is likely `name@company.com`, not `name@mail.company.com`, even though it's `mail.company.com` that is really handling your data for `@company.com` email to work. Using a separate domain name is easier to manage (although it's a little hard to get right at first) and keeps your Matrix server isolated from your website (if you have one), from your email server (if you have one), etc. @@ -230,7 +230,7 @@ If you'd really like to install Matrix services directly on the base domain, see ### I don't control anything on the base domain and can't set up delegation to matrix.DOMAIN. What do I do? -If you're not in control of your base domain (or server handling it) at all, you can take a look at [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain) +If you're not in control of your base domain (or the server handling it) at all, you can take a look at [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain) ### I can't set up HTTPS on the base domain. How will I get Matrix federating? @@ -345,7 +345,7 @@ Refer to both of these for inspiration. Still, as mentioned in [Configuring the ### I'd like to adjust some configuration which doesn't have a corresponding variable. How do I do it? The playbook doesn't aim to expose all configuration settings for all services using variables. -Doing so would amount is to hundreds of variables that we have to create and maintain. +Doing so would amount to hundreds of variables that we have to create and maintain. Instead, we only try to make some important basics configurable using dedicated variables you can see in each role. See [What configuration variables are available?](#what-configuration-variables-are-available). @@ -398,9 +398,9 @@ Available service names can be seen by doing `ls /etc/systemd/system/matrix*.ser Some services also log to files in `/matrix/*/data/..`, but we're slowly moving away from that. -We also disable Docker logging, so you can't use `docker logs matrix-*` either. We do this to prevent useless double (or even tripple) logging and to avoid having to rotate log files. +We also disable Docker logging, so you can't use `docker logs matrix-*` either. We do this to prevent useless double (or even triple) logging and to avoid having to rotate log files. -We just simply delegate logging to journald and it takes care of persistenec and expiring old data. +We just simply delegate logging to journald and it takes care of persistence and expiring old data. Also see: [How long do systemd/journald logs persist for?](#how-long-do-systemdjournald-logs-persist-for) @@ -438,7 +438,7 @@ If your previous installation is done in some other way (not using this Ansible ### How do I back up the data on my server? -We haven't document this properly yet, but the general advice is to: +We haven't documented this properly yet, but the general advice is to: - back up Postgres by making a database dump. See [Backing up PostgreSQL](maintenance-postgres.md#backing-up-postgresql) From 869727a402208b824656768a0157e10078b4ae79 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Jan 2021 10:13:44 +0200 Subject: [PATCH 1856/2384] Add comment to mautrix-facebook bridge regarding alembic migrations --- .../templates/systemd/matrix-mautrix-facebook.service.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index 52e28859..4220e878 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -15,6 +15,11 @@ Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook + +# This bridge uses another mechanism for migrations now (migrations happen automatically during regular startup), +# so going forward, running this alembic stuff will not necessary. +# People who are upgrading from an older version of the bridge should go through this migration +# first though, so we're keeping it around for now. ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook-db \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ From 512f42aa766d8a066b4d19fe25b0db482780f6f5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Jan 2021 10:22:46 +0200 Subject: [PATCH 1857/2384] Do not report docker kill/rm attempts as errors These are just defensive cleanup tasks that we run. In the good case, there's nothing to kill or remove, so they trigger an error like this: > Error response from daemon: Cannot kill container: something: No such container: something and: > Error: No such container: something People often ask us if this is a problem, so instead of always having to answer with "no, this is to be expected", we'd rather eliminate it now and make logs cleaner. In the event that: - a container is really stuck and needs cleanup using kill/rm - and cleanup fails, and we fail to report it because of error suppression (`2>/dev/null`) .. we'd still get an error when launching ("container name already in use .."), so it shouldn't be too hard to investigate. --- roles/matrix-base/defaults/main.yml | 1 + .../systemd/matrix-bot-matrix-reminder-bot.service.j2 | 8 ++++---- .../systemd/matrix-appservice-discord.service.j2 | 8 ++++---- .../templates/systemd/matrix-appservice-irc.service.j2 | 8 ++++---- .../templates/systemd/matrix-appservice-slack.service.j2 | 8 ++++---- .../systemd/matrix-appservice-webhooks.service.j2 | 8 ++++---- .../templates/systemd/matrix-mautrix-facebook.service.j2 | 8 ++++---- .../templates/systemd/matrix-mautrix-hangouts.service.j2 | 8 ++++---- .../systemd/matrix-mautrix-signal-daemon.service.j2 | 8 ++++---- .../templates/systemd/matrix-mautrix-signal.service.j2 | 8 ++++---- .../templates/systemd/matrix-mautrix-telegram.service.j2 | 8 ++++---- .../templates/systemd/matrix-mautrix-whatsapp.service.j2 | 8 ++++---- .../templates/systemd/matrix-mx-puppet-discord.service.j2 | 8 ++++---- .../systemd/matrix-mx-puppet-instagram.service.j2 | 8 ++++---- .../templates/systemd/matrix-mx-puppet-skype.service.j2 | 8 ++++---- .../templates/systemd/matrix-mx-puppet-slack.service.j2 | 8 ++++---- .../templates/systemd/matrix-mx-puppet-steam.service.j2 | 8 ++++---- .../templates/systemd/matrix-mx-puppet-twitter.service.j2 | 8 ++++---- .../templates/systemd/matrix-client-element.service.j2 | 8 ++++---- .../templates/systemd/matrix-corporal.service.j2 | 8 ++++---- .../templates/systemd/matrix-coturn.service.j2 | 8 ++++---- .../templates/systemd/matrix-dimension.service.j2 | 8 ++++---- .../templates/systemd/matrix-dynamic-dns.service.j2 | 8 ++++---- .../templates/systemd/matrix-email2matrix.service.j2 | 8 ++++---- .../templates/jicofo/matrix-jitsi-jicofo.service.j2 | 8 ++++---- .../templates/jvb/matrix-jitsi-jvb.service.j2 | 8 ++++---- .../templates/prosody/matrix-jitsi-prosody.service.j2 | 8 ++++---- .../templates/web/matrix-jitsi-web.service.j2 | 8 ++++---- .../templates/systemd/matrix-ma1sd.service.j2 | 8 ++++---- .../templates/systemd/matrix-mailer.service.j2 | 8 ++++---- .../templates/systemd/matrix-nginx-proxy.service.j2 | 8 ++++---- .../templates/systemd/matrix-postgres.service.j2 | 4 ++-- .../templates/systemd/matrix-registration.service.j2 | 8 ++++---- .../templates/systemd/matrix-synapse-admin.service.j2 | 8 ++++---- .../templates/synapse/systemd/matrix-synapse.service.j2 | 8 ++++---- 35 files changed, 135 insertions(+), 134 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index d8285e1c..a238e503 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -66,6 +66,7 @@ matrix_host_command_chown: "/usr/bin/env chown" matrix_host_command_fusermount: "/usr/bin/env fusermount" matrix_host_command_openssl: "/usr/bin/env openssl" matrix_host_command_systemctl: "/usr/bin/env systemctl" +matrix_host_command_sh: "/usr/bin/env sh" matrix_ntpd_package: "ntp" matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}" diff --git a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 index 825072e8..b1fe3c32 100644 --- a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 +++ b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-matrix-reminder-bot \ --log-driver=none \ @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-matrix-rem {{ matrix_bot_matrix_reminder_bot_docker_image }} \ -c "matrix-reminder-bot /config/config.yaml" -ExecStop=-{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot -ExecStop=-{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-bot-matrix-reminder-bot diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index 412b4a3d..84dee801 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-discord -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-discord +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-discord 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-discord 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-dis {{ matrix_appservice_discord_docker_image }} \ node /build/src/discordas.js -p 9005 -c /cfg/config.yaml -f /cfg/registration.yaml -ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-discord -ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-discord +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-discord 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-discord 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-discord diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index 2287a774..8650bd8d 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-irc -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-irc +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-irc 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-irc 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-irc {{ matrix_appservice_irc_docker_image }} \ -c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999' -ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-irc -ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-irc +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-irc 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-irc 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-irc diff --git a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 index bf7a12ed..21ba27ef 100644 --- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-slack -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-slack +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-slack 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-slack 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-sla {{ matrix_appservice_slack_docker_image }} \ node app.js -p {{matrix_appservice_slack_matrix_port}} -c /config/config.yaml -f /config/slack-registration.yaml -ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-slack -ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-slack +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-slack 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-slack 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-slack diff --git a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 index 667cfd73..f27111b3 100644 --- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 +++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-webhooks -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-webhooks +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-webhooks 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-webhooks 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-web {{ matrix_appservice_webhooks_docker_image }} \ node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml -ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-webhooks -ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-webhooks +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-appservice-webhooks 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-appservice-webhooks 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-appservice-webhooks diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index 4220e878..95f0e3da 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' # This bridge uses another mechanism for migrations now (migrations happen automatically during regular startup), # so going forward, running this alembic stuff will not necessary. @@ -46,8 +46,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebo {{ matrix_mautrix_facebook_docker_image }} \ python3 -m mautrix_facebook -c /config/config.yaml -ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook -ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-facebook diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index f6b16bea..9d69bd84 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db 2>/dev/null' ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangouts-db \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ @@ -44,8 +44,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangou {{ matrix_mautrix_hangouts_docker_image }} \ python3 -m mautrix_hangouts -c /config/config.yaml -ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts -ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-hangouts diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 index e3e11a6d..6f128da3 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 @@ -15,8 +15,8 @@ Wants={{ service }} Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -30,8 +30,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal -v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \ {{ matrix_mautrix_signal_daemon_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon -ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon 2>/dev/null' Restart=always RestartSec=30 diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index ec6f5159..0c513a22 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -14,8 +14,8 @@ Wants={{ service }} [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -37,8 +37,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal {{ matrix_mautrix_signal_docker_image }} \ python3 -m mautrix_signal -c /config/config.yaml -ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal -ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal 2>/dev/null' Restart=always RestartSec=30 diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index ef4440bc..18bd15ba 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-telegram -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-telegram +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram-db \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ @@ -44,8 +44,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegr {{ matrix_mautrix_telegram_docker_image }} \ python3 -m mautrix_telegram -c /config/config.yaml -ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-telegram -ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-telegram +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-telegram diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 index 22384fbd..4a492492 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-whatsa {{ matrix_mautrix_whatsapp_docker_image }} \ /usr/bin/mautrix-whatsapp -c /config/config.yaml -r /config/registration.yaml -ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp -ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mautrix-whatsapp diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 index 4f195ef6..6ffb87cd 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-disc {% endfor %} {{ matrix_mx_puppet_discord_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord -ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-discord diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 index 6eb28da0..965bb41c 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-inst {% endfor %} {{ matrix_mx_puppet_instagram_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram -ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-instagram diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 index e61a369c..9a7986e4 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-skyp {% endfor %} {{ matrix_mx_puppet_skype_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype -ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-skype diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 index b564c3b3..973771b3 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-slac {% endfor %} {{ matrix_mx_puppet_slack_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack -ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-slack diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 index 498b6ad3..0772872b 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -33,8 +33,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-stea {% endfor %} {{ matrix_mx_puppet_steam_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam -ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-steam diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 index 77424bfa..7e1b1c32 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter 2>/dev/null' # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 @@ -36,8 +36,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-twit {% endfor %} {{ matrix_mx_puppet_twitter_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter -ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mx-puppet-twitter diff --git a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 index f1f9eb3f..fe2a3a86 100644 --- a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 +++ b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 @@ -10,8 +10,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-client-element -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-client-element +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-element 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-element 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-element \ --log-driver=none \ @@ -35,8 +35,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-element {% endfor %} {{ matrix_client_element_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-client-element -ExecStop=-{{ matrix_host_command_docker }} rm matrix-client-element +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-element 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-element 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-client-element diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index cc9c4587..262e2e77 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -10,8 +10,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-corporal -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-corporal +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-corporal 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-corporal 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-corporal \ --log-driver=none \ @@ -34,8 +34,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-corporal \ {{ matrix_corporal_docker_image }} \ /matrix-corporal -config=/etc/matrix-corporal/config.json -ExecStop=-{{ matrix_host_command_docker }} kill matrix-corporal -ExecStop=-{{ matrix_host_command_docker }} rm matrix-corporal +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-corporal 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-corporal 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-corporal diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index f8550e36..930db7c1 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -10,8 +10,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-coturn -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-coturn +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-coturn 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-coturn 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \ --log-driver=none \ @@ -42,8 +42,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \ {{ matrix_coturn_docker_image }} \ -c /turnserver.conf -ExecStop=-{{ matrix_host_command_docker }} kill matrix-coturn -ExecStop=-{{ matrix_host_command_docker }} rm matrix-coturn +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-coturn 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-coturn 2>/dev/null' # This only reloads certificates (not other configuration). # See: https://github.com/coturn/coturn/pull/236 diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index 30d78d0d..e27a5558 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dimension -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dimension +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dimension 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dimension 2>/dev/null' # Fixup database ownership if it got changed somehow (during a server migration, etc.) {% if matrix_dimension_database_engine == 'sqlite' %} @@ -38,8 +38,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dimension \ {% endfor %} {{ matrix_dimension_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-dimension -ExecStop=-{{ matrix_host_command_docker }} rm matrix-dimension +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dimension 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dimension 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-dimension diff --git a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 index 8dc2443d..dfdd2f72 100644 --- a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 +++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dynamic-dns -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dynamic-dns +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \ --log-driver=none \ --network={{ matrix_docker_network }} \ @@ -26,8 +26,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \ {% endfor %} {{ matrix_dynamic_dns_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-dynamic-dns -ExecStop=-{{ matrix_host_command_docker }} rm matrix-dynamic-dns +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-dynamic-dns diff --git a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 index 1b9d6642..c9226768 100644 --- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 +++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 @@ -8,8 +8,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-email2matrix -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-email2matrix +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-email2matrix \ --log-driver=none \ @@ -24,8 +24,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-email2matrix \ {% endfor %} {{ matrix_email2matrix_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-email2matrix -ExecStop=-{{ matrix_host_command_docker }} rm matrix-email2matrix +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-email2matrix diff --git a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 index 3d093795..6ecafaa0 100644 --- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 +++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 @@ -10,8 +10,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ --log-driver=none \ @@ -23,8 +23,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ {% endfor %} {{ matrix_jitsi_jicofo_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo -ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jicofo diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index c109b600..53c0c83a 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -10,8 +10,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jvb -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jvb +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ --log-driver=none \ @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ {% endfor %} {{ matrix_jitsi_jvb_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-jvb -ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-jvb +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-jvb diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index c1cd32bc..b3525a74 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -10,8 +10,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-prosody -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-prosody +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ --log-driver=none \ @@ -24,8 +24,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody {% endfor %} {{ matrix_jitsi_prosody_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-prosody -ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-prosody +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-prosody diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index 63535f91..6ae2074d 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -10,8 +10,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-web -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-web +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ --log-driver=none \ @@ -27,8 +27,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ {% endfor %} {{ matrix_jitsi_web_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-web -ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-web +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-jitsi-web diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index 697b5aba..c2adffc0 100644 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-ma1sd -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-ma1sd +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' # ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, # so /tmp needs to be mounted with an exec option. @@ -38,8 +38,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \ {% endfor %} {{ matrix_ma1sd_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-ma1sd -ExecStop=-{{ matrix_host_command_docker }} rm matrix-ma1sd +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-ma1sd diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index d773d698..14712935 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -8,8 +8,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mailer -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mailer +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' # --hostname gives us a friendlier hostname than the default. # The real hostname is passed via a `HOSTNAME` environment variable though. @@ -28,8 +28,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ {% endfor %} {{ matrix_mailer_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-mailer -ExecStop=-{{ matrix_host_command_docker }} rm matrix-mailer +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-mailer diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 2dd2619e..bd3070ac 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-nginx-proxy -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-nginx-proxy +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ --log-driver=none \ @@ -47,8 +47,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ {% endfor %} {{ matrix_nginx_proxy_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-nginx-proxy -ExecStop=-{{ matrix_host_command_docker }} rm matrix-nginx-proxy +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload Restart=always RestartSec=30 diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 13df99a4..f4a01ec9 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -9,7 +9,7 @@ DefaultDependencies=no Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} stop matrix-postgres -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-postgres +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ --log-driver=none \ @@ -31,7 +31,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ {{ matrix_postgres_docker_image_to_use }} ExecStop=-{{ matrix_host_command_docker }} stop matrix-postgres -ExecStop=-{{ matrix_host_command_docker }} rm matrix-postgres +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-postgres diff --git a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 index f0b50030..e73e3e5f 100644 --- a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 +++ b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-registration -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-registration +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-registration \ --log-driver=none \ @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-registration \ {{ matrix_registration_docker_image }} \ serve -ExecStop=-{{ matrix_host_command_docker }} kill matrix-registration -ExecStop=-{{ matrix_host_command_docker }} rm matrix-registration +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-registration diff --git a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 index d376238a..4823d89c 100644 --- a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 +++ b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-synapse-admin -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-synapse-admin +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse-admin \ --log-driver=none \ @@ -32,8 +32,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse-admin {% endfor %} {{ matrix_synapse_admin_docker_image }} -ExecStop=-{{ matrix_host_command_docker }} kill matrix-synapse-admin -ExecStop=-{{ matrix_host_command_docker }} rm matrix-synapse-admin +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' Restart=always RestartSec=30 SyslogIdentifier=matrix-synapse-admin diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 88789908..86917720 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-synapse -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-synapse +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' {% if matrix_s3_media_store_enabled %} # Allow for some time before starting, so that media store can mount. # Mounting can happen later too, but if we start writing, @@ -56,8 +56,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {{ matrix_synapse_docker_image }} \ -m synapse.app.homeserver -c /data/homeserver.yaml -ExecStop=-{{ matrix_host_command_docker }} kill matrix-synapse -ExecStop=-{{ matrix_host_command_docker }} rm matrix-synapse +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' ExecReload={{ matrix_host_command_docker }} exec matrix-synapse kill -HUP 1 Restart=always RestartSec=30 From 07f1ea24eed34ceb6b2bc3d155335e34914b1f77 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Jan 2021 12:36:57 +0200 Subject: [PATCH 1858/2384] Make it possible to override the welcome.html.j2 template used for Element --- roles/matrix-client-element/defaults/main.yml | 2 ++ roles/matrix-client-element/tasks/setup.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 96116b1a..09bd2461 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -59,6 +59,8 @@ matrix_client_element_branding_authHeaderLogoUrl: "{{ matrix_client_element_welc # URL to Wallpaper, shown in background of welcome page matrix_client_element_branding_welcomeBackgroundUrl: ~ +matrix_client_element_page_template_welcome_path: "{{ role_path }}/templates/welcome.html.j2" + # By default, there's no Element homepage (when logged in). If you wish to have one, # point this to a `home.html` template file on your local filesystem. matrix_client_element_embedded_pages_home_path: ~ diff --git a/roles/matrix-client-element/tasks/setup.yml b/roles/matrix-client-element/tasks/setup.yml index 3b542b14..c4ed0847 100644 --- a/roles/matrix-client-element/tasks/setup.yml +++ b/roles/matrix-client-element/tasks/setup.yml @@ -62,7 +62,7 @@ group: "{{ matrix_user_groupname }}" with_items: - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - - {src: "{{ role_path }}/templates/welcome.html.j2", name: "welcome.html"} + - {src: "{{ matrix_client_element_page_template_welcome_path }}", name: "welcome.html"} - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"} when: "matrix_client_element_enabled|bool and item.src is not none" From f6097fbba1fb1367bf18946f652cbbe79665233a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Jan 2021 15:43:33 +0200 Subject: [PATCH 1859/2384] E2BE not working for mautrix bridges Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/806 --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 7 ++++++- .../templates/config.yaml.j2 | 2 +- roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 7 ++++++- .../templates/config.yaml.j2 | 2 +- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 2 ++ .../matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 2 +- .../templates/registration.yaml.j2 | 5 ++++- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 7 ++++++- .../templates/config.yaml.j2 | 2 +- roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 7 ++++++- .../templates/config.yaml.j2 | 2 +- 11 files changed, 35 insertions(+), 10 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index e99514e0..14db76d8 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -69,6 +69,8 @@ matrix_mautrix_facebook_login_shared_secret: '' matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}" +matrix_mautrix_facebook_appservice_bot_username: facebookbot + matrix_mautrix_facebook_bridge_presence: true # Default configuration template which covers the generic use case. @@ -101,8 +103,11 @@ matrix_mautrix_facebook_registration_yaml: | users: - exclusive: true regex: '^@facebook_.+:{{ matrix_mautrix_facebook_homeserver_domain|regex_escape }}$' + - exclusive: true + regex: '^@{{ matrix_mautrix_facebook_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_facebook_homeserver_domain|regex_escape }}$' url: {{ matrix_mautrix_facebook_appservice_address }} - sender_localpart: facebookbot + # See https://github.com/tulir/mautrix-signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_facebook_appservice_bot_username|to_json }} rate_limited: false matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index 6fe3254d..628db713 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -46,7 +46,7 @@ appservice: # The unique ID of this appservice. id: facebook # Username of the appservice bot. - bot_username: facebookbot + bot_username: {{ matrix_mautrix_facebook_appservice_bot_username|to_json }} # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. bot_displayname: Facebook bridge bot diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 8dfee030..2b13ea21 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -71,6 +71,8 @@ matrix_mautrix_hangouts_appservice_database: "{{ # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_hangouts_login_shared_secret: '' +matrix_mautrix_hangouts_appservice_bot_username: hangoutsbot + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -101,8 +103,11 @@ matrix_mautrix_hangouts_registration_yaml: | users: - exclusive: true regex: '^@hangouts_.+:{{ matrix_mautrix_hangouts_homeserver_domain|regex_escape }}$' + - exclusive: true + regex: '^@{{ matrix_mautrix_hangouts_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_hangouts_homeserver_domain|regex_escape }}$' url: {{ matrix_mautrix_hangouts_appservice_address }} - sender_localpart: hangoutsbot + # See https://github.com/tulir/mautrix-signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_hangouts_appservice_bot_username }} rate_limited: false matrix_mautrix_hangouts_registration: "{{ matrix_mautrix_hangouts_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 index cc2ca90b..7ff7d539 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 @@ -32,7 +32,7 @@ appservice: # The unique ID of this appservice. id: hangouts # Username of the appservice bot. - bot_username: hangoutsbot + bot_username: {{ matrix_mautrix_hangouts_appservice_bot_username|to_json }} # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. bot_displayname: Hangouts bridge bot diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 65318f19..aaa0a166 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -43,6 +43,8 @@ matrix_mautrix_signal_daemon_systemd_wanted_services_list: [] matrix_mautrix_signal_appservice_token: '' matrix_mautrix_signal_homeserver_token: '' +matrix_mautrix_signal_appservice_bot_username: signalbot + # Database-related configuration fields # # This bridge only supports postgres. diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 28fff6f0..dc2cff36 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -43,7 +43,7 @@ appservice: # The unique ID of this appservice. id: signal # Username of the appservice bot. - bot_username: signalbot + bot_username: {{ matrix_mautrix_signal_appservice_bot_username|to_json }} # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. bot_displayname: Signal bridge bot diff --git a/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 index 45cc5a0f..db486b9c 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 @@ -6,9 +6,12 @@ namespaces: users: - exclusive: true regex: '^@signal_.+:{{ matrix_mautrix_signal_homeserver_domain|regex_escape }}$' + - exclusive: true + regex: '^@{{ matrix_mautrix_signal_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_signal_homeserver_domain|regex_escape }}$' aliases: - exclusive: true regex: '^#signal_.+:{{ matrix_mautrix_signal_homeserver_domain|regex_escape }}$' url: {{ matrix_mautrix_signal_appservice_address }} -sender_localpart: signalbot +# See https://github.com/tulir/mautrix-signal/issues/43 +sender_localpart: _bot_{{ matrix_mautrix_signal_appservice_bot_username|to_json }} rate_limited: false diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 7e072b5a..7ab200d0 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -30,6 +30,8 @@ matrix_mautrix_telegram_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_telegram_appservice_address: 'http://matrix-mautrix-telegram:8080' matrix_mautrix_telegram_appservice_public_external: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mautrix_telegram_public_endpoint }}' +matrix_mautrix_telegram_appservice_bot_username: telegrambot + # Controls whether the matrix-mautrix-telegram container exposes its HTTP port (tcp/8080 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:9006"), or empty string to not expose. @@ -109,10 +111,13 @@ matrix_mautrix_telegram_registration_yaml: | users: - exclusive: true regex: '^@telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$' + - exclusive: true + regex: '^@{{ matrix_mautrix_telegram_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$' aliases: - exclusive: true regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$' - url: {{ matrix_mautrix_telegram_appservice_address }} + # See https://github.com/tulir/mautrix-signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username|to_json }} sender_localpart: telegrambot rate_limited: false diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 index d2848ec1..39a18462 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 @@ -55,7 +55,7 @@ appservice: # The unique ID of this appservice. id: telegram # Username of the appservice bot. - bot_username: telegrambot + bot_username: {{ matrix_mautrix_telegram_appservice_bot_username|to_json }} # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. bot_displayname: Telegram bridge bot diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index beda6d7d..0467c3b7 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -27,6 +27,8 @@ matrix_mautrix_whatsapp_systemd_wanted_services_list: [] matrix_mautrix_whatsapp_appservice_token: '' matrix_mautrix_whatsapp_homeserver_token: '' +matrix_mautrix_whatsapp_appservice_bot_username: whatsappbot + # Database-related configuration fields. # @@ -93,11 +95,14 @@ matrix_mautrix_whatsapp_registration_yaml: | url: {{ matrix_mautrix_whatsapp_appservice_address }} as_token: "{{ matrix_mautrix_whatsapp_appservice_token }}" hs_token: "{{ matrix_mautrix_whatsapp_homeserver_token }}" - sender_localpart: whatsappbot + # See https://github.com/tulir/mautrix-signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_whatsapp_appservice_bot_username|to_json }} rate_limited: false namespaces: users: - regex: '^@whatsapp_[0-9]+:{{ matrix_mautrix_whatsapp_homeserver_domain|regex_escape }}$' exclusive: true + - exclusive: true + regex: '^@{{ matrix_mautrix_whatsapp_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_whatsapp_homeserver_domain|regex_escape }}$' matrix_mautrix_whatsapp_registration: "{{ matrix_mautrix_whatsapp_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index 89216695..b3b1caf1 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -36,7 +36,7 @@ appservice: # Appservice bot details. bot: # Username of the appservice bot. - username: whatsappbot + username: {{ matrix_mautrix_whatsapp_appservice_bot_username|to_json }} # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. displayname: WhatsApp bridge bot From e3290d8bcb419f670db48c5c47940ea34c130dc2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Jan 2021 15:48:35 +0200 Subject: [PATCH 1860/2384] Remove |to_json causing trouble Fixes a regression introduced in f6097fbba1fb, which was cauing Synapse to die with this error message: > ValueError: sender_localpart needs characters which are not URL encoded. --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- .../matrix-bridge-mautrix-signal/templates/registration.yaml.j2 | 2 +- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 14db76d8..240ddf17 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -107,7 +107,7 @@ matrix_mautrix_facebook_registration_yaml: | regex: '^@{{ matrix_mautrix_facebook_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_facebook_homeserver_domain|regex_escape }}$' url: {{ matrix_mautrix_facebook_appservice_address }} # See https://github.com/tulir/mautrix-signal/issues/43 - sender_localpart: _bot_{{ matrix_mautrix_facebook_appservice_bot_username|to_json }} + sender_localpart: _bot_{{ matrix_mautrix_facebook_appservice_bot_username }} rate_limited: false matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 index db486b9c..6891c2b5 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 @@ -13,5 +13,5 @@ namespaces: regex: '^#signal_.+:{{ matrix_mautrix_signal_homeserver_domain|regex_escape }}$' url: {{ matrix_mautrix_signal_appservice_address }} # See https://github.com/tulir/mautrix-signal/issues/43 -sender_localpart: _bot_{{ matrix_mautrix_signal_appservice_bot_username|to_json }} +sender_localpart: _bot_{{ matrix_mautrix_signal_appservice_bot_username }} rate_limited: false diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 7ab200d0..866369d3 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -117,7 +117,7 @@ matrix_mautrix_telegram_registration_yaml: | - exclusive: true regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$' # See https://github.com/tulir/mautrix-signal/issues/43 - sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username|to_json }} + sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }} sender_localpart: telegrambot rate_limited: false diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 0467c3b7..581d47de 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -96,7 +96,7 @@ matrix_mautrix_whatsapp_registration_yaml: | as_token: "{{ matrix_mautrix_whatsapp_appservice_token }}" hs_token: "{{ matrix_mautrix_whatsapp_homeserver_token }}" # See https://github.com/tulir/mautrix-signal/issues/43 - sender_localpart: _bot_{{ matrix_mautrix_whatsapp_appservice_bot_username|to_json }} + sender_localpart: _bot_{{ matrix_mautrix_whatsapp_appservice_bot_username }} rate_limited: false namespaces: users: From 008049f2a92242864a013a13bf441be46aaa7229 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Jan 2021 17:11:46 +0200 Subject: [PATCH 1861/2384] Fix mautrix-telegram registration file mistake Regression since f6097fbba1fb136 --- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 866369d3..6173c3f4 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -118,7 +118,7 @@ matrix_mautrix_telegram_registration_yaml: | regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$' # See https://github.com/tulir/mautrix-signal/issues/43 sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }} - sender_localpart: telegrambot + url: {{ matrix_mautrix_telegram_appservice_address }} rate_limited: false matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}" From c6feb0b99eab02304c8d24ba7199481af550072d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Jan 2021 21:41:47 +0200 Subject: [PATCH 1862/2384] Upgrade Synapse (v1.25.0 -> v1.26.0) --- roles/matrix-synapse/defaults/main.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 353 ++++++++++-------- 2 files changed, 196 insertions(+), 159 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 985b86bb..1b19bd7c 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -11,7 +11,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # The if statement below may look silly at times (leading to the same version being returned), # but ARM-compatible container images are only released 1-7 hours after a release, # so we may often be on different versions for different architectures when new Synapse releases come out. -matrix_synapse_docker_image_tag: "{{ 'v1.25.0' if matrix_architecture == 'amd64' else 'v1.25.0' }}" +matrix_synapse_docker_image_tag: "{{ 'v1.26.0' if matrix_architecture == 'amd64' else 'v1.26.0' }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index fe28779c..702f6540 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -43,11 +43,16 @@ pid_file: /homeserver.pid # #web_client_location: https://riot.example.com/ -# The public-facing base URL that clients use to access this HS -# (not including _matrix/...). This is the same URL a user would -# enter into the 'custom HS URL' field on their client. If you -# use synapse with a reverse proxy, this should be the URL to reach -# synapse via the proxy. +# The public-facing base URL that clients use to access this Homeserver (not +# including _matrix/...). This is the same URL a user might enter into the +# 'Custom Homeserver URL' field on their client. If you use Synapse with a +# reverse proxy, this should be the URL to reach Synapse via the proxy. +# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see +# 'listeners' below). +# +# If this is left unset, it defaults to 'https:///'. (Note that +# that will not work unless you configure Synapse or a reverse-proxy to listen +# on port 443.) # public_baseurl: https://{{ matrix_server_fqn_matrix }}/ @@ -1116,8 +1121,9 @@ account_validity: # send an email to the account's email address with a renewal link. By # default, no such emails are sent. # - # If you enable this setting, you will also need to fill out the 'email' and - # 'public_baseurl' configuration sections. + # If you enable this setting, you will also need to fill out the 'email' + # configuration section. You should also check that 'public_baseurl' is set + # correctly. # #renew_at: 1w @@ -1214,8 +1220,7 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} # The identity server which we suggest that clients should use when users log # in on this server. # -# (By default, no suggestion is made, so it is left up to the client. -# This setting is ignored unless public_baseurl is also set.) +# (By default, no suggestion is made, so it is left up to the client.) # #default_identity_server: https://matrix.org @@ -1240,8 +1245,6 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} # by the Matrix Identity Service API specification: # https://matrix.org/docs/spec/identity_service/latest # -# If a delegate is specified, the config option public_baseurl must also be filled out. -# account_threepid_delegates: email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} @@ -1686,141 +1689,158 @@ saml2_config: #idp_entityid: 'https://our_idp/entityid' -# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login. +# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration +# and login. # -# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md -# for some example configurations. +# Options for each entry include: # -oidc_config: - # Uncomment the following to enable authorization against an OpenID Connect - # server. Defaults to false. - # - #enabled: true - - # Uncomment the following to disable use of the OIDC discovery mechanism to - # discover endpoints. Defaults to true. - # - #discover: false - - # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to - # discover the provider's endpoints. - # - # Required if 'enabled' is true. - # - #issuer: "https://accounts.example.com/" - - # oauth2 client id to use. - # - # Required if 'enabled' is true. - # - #client_id: "provided-by-your-issuer" - - # oauth2 client secret to use. - # - # Required if 'enabled' is true. - # - #client_secret: "provided-by-your-issuer" - - # auth method to use when exchanging the token. - # Valid values are 'client_secret_basic' (default), 'client_secret_post' and - # 'none'. - # - #client_auth_method: client_secret_post - - # list of scopes to request. This should normally include the "openid" scope. - # Defaults to ["openid"]. - # - #scopes: ["openid", "profile"] - - # the oauth2 authorization endpoint. Required if provider discovery is disabled. - # - #authorization_endpoint: "https://accounts.example.com/oauth2/auth" - - # the oauth2 token endpoint. Required if provider discovery is disabled. - # - #token_endpoint: "https://accounts.example.com/oauth2/token" - - # the OIDC userinfo endpoint. Required if discovery is disabled and the - # "openid" scope is not requested. - # - #userinfo_endpoint: "https://accounts.example.com/userinfo" - - # URI where to fetch the JWKS. Required if discovery is disabled and the - # "openid" scope is used. - # - #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" - - # Uncomment to skip metadata verification. Defaults to false. - # - # Use this if you are connecting to a provider that is not OpenID Connect - # compliant. - # Avoid this in production. - # - #skip_verification: true - - # Whether to fetch the user profile from the userinfo endpoint. Valid - # values are: "auto" or "userinfo_endpoint". - # - # Defaults to "auto", which fetches the userinfo endpoint if "openid" is included - # in `scopes`. Uncomment the following to always fetch the userinfo endpoint. - # - #user_profile_method: "userinfo_endpoint" - - # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead - # of failing. This could be used if switching from password logins to OIDC. Defaults to false. - # - #allow_existing_users: true - - # An external module can be provided here as a custom solution to mapping - # attributes returned from a OIDC provider onto a matrix user. - # - user_mapping_provider: - # The custom module's class. Uncomment to use a custom module. - # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. - # - # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers - # for information on implementing a custom mapping provider. - # - #module: mapping_provider.OidcMappingProvider - - # Custom configuration values for the module. This section will be passed as - # a Python dictionary to the user mapping provider module's `parse_config` - # method. - # - # The examples below are intended for the default provider: they should be - # changed if using a custom provider. - # - config: - # name of the claim containing a unique identifier for the user. - # Defaults to `sub`, which OpenID Connect compliant providers should provide. - # - #subject_claim: "sub" - - # Jinja2 template for the localpart of the MXID. - # - # When rendering, this template is given the following variables: - # * user: The claims returned by the UserInfo Endpoint and/or in the ID - # Token - # - # If this is not set, the user will be prompted to choose their - # own username. - # - localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" - - # Jinja2 template for the display name to set on first login. - # - # If unset, no displayname will be set. - # - #display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}" - - # Jinja2 templates for extra attributes to send back to the client during - # login. - # - # Note that these are non-standard and clients will ignore them without modifications. - # - #extra_attributes: - #birthdate: "{% raw %}{{ user.birthdate }}{% endraw %}" - +# idp_id: a unique identifier for this identity provider. Used internally +# by Synapse; should be a single word such as 'github'. +# +# Note that, if this is changed, users authenticating via that provider +# will no longer be recognised as the same user! +# +# idp_name: A user-facing name for this identity provider, which is used to +# offer the user a choice of login mechanisms. +# +# idp_icon: An optional icon for this identity provider, which is presented +# by identity picker pages. If given, must be an MXC URI of the format +# mxc:///. (An easy way to obtain such an MXC URI +# is to upload an image to an (unencrypted) room and then copy the "url" +# from the source of the event.) +# +# discover: set to 'false' to disable the use of the OIDC discovery mechanism +# to discover endpoints. Defaults to true. +# +# issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery +# is enabled) to discover the provider's endpoints. +# +# client_id: Required. oauth2 client id to use. +# +# client_secret: Required. oauth2 client secret to use. +# +# client_auth_method: auth method to use when exchanging the token. Valid +# values are 'client_secret_basic' (default), 'client_secret_post' and +# 'none'. +# +# scopes: list of scopes to request. This should normally include the "openid" +# scope. Defaults to ["openid"]. +# +# authorization_endpoint: the oauth2 authorization endpoint. Required if +# provider discovery is disabled. +# +# token_endpoint: the oauth2 token endpoint. Required if provider discovery is +# disabled. +# +# userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is +# disabled and the 'openid' scope is not requested. +# +# jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and +# the 'openid' scope is used. +# +# skip_verification: set to 'true' to skip metadata verification. Use this if +# you are connecting to a provider that is not OpenID Connect compliant. +# Defaults to false. Avoid this in production. +# +# user_profile_method: Whether to fetch the user profile from the userinfo +# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'. +# +# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is +# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the +# userinfo endpoint. +# +# allow_existing_users: set to 'true' to allow a user logging in via OIDC to +# match a pre-existing account instead of failing. This could be used if +# switching from password logins to OIDC. Defaults to false. +# +# user_mapping_provider: Configuration for how attributes returned from a OIDC +# provider are mapped onto a matrix user. This setting has the following +# sub-properties: +# +# module: The class name of a custom mapping module. Default is +# 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. +# See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers +# for information on implementing a custom mapping provider. +# +# config: Configuration for the mapping provider module. This section will +# be passed as a Python dictionary to the user mapping provider +# module's `parse_config` method. +# +# For the default provider, the following settings are available: +# +# sub: name of the claim containing a unique identifier for the +# user. Defaults to 'sub', which OpenID Connect compliant +# providers should provide. +# +# localpart_template: Jinja2 template for the localpart of the MXID. +# If this is not set, the user will be prompted to choose their +# own username. +# +# display_name_template: Jinja2 template for the display name to set +# on first login. If unset, no displayname will be set. +# +# extra_attributes: a map of Jinja2 templates for extra attributes +# to send back to the client during login. +# Note that these are non-standard and clients will ignore them +# without modifications. +# +# When rendering, the Jinja2 templates are given a 'user' variable, +# which is set to the claims returned by the UserInfo Endpoint and/or +# in the ID Token. +# +# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md +# for information on how to configure these options. +# +# For backwards compatibility, it is also possible to configure a single OIDC +# provider via an 'oidc_config' setting. This is now deprecated and admins are +# advised to migrate to the 'oidc_providers' format. (When doing that migration, +# use 'oidc' for the idp_id to ensure that existing users continue to be +# recognised.) +# +oidc_providers: + # Generic example + # + #- idp_id: my_idp + # idp_name: "My OpenID provider" + # idp_icon: "mxc://example.com/mediaid" + # discover: false + # issuer: "https://accounts.example.com/" + # client_id: "provided-by-your-issuer" + # client_secret: "provided-by-your-issuer" + # client_auth_method: client_secret_post + # scopes: ["openid", "profile"] + # authorization_endpoint: "https://accounts.example.com/oauth2/auth" + # token_endpoint: "https://accounts.example.com/oauth2/token" + # userinfo_endpoint: "https://accounts.example.com/userinfo" + # jwks_uri: "https://accounts.example.com/.well-known/jwks.json" + # skip_verification: true + + # For use with Keycloak + # + #- idp_id: keycloak + # idp_name: Keycloak + # issuer: "https://127.0.0.1:8443/auth/realms/my_realm_name" + # client_id: "synapse" + # client_secret: "copy secret generated in Keycloak UI" + # scopes: ["openid", "profile"] + + # For use with Github + # + #- idp_id: github + # idp_name: Github + # discover: false + # issuer: "https://github.com/" + # client_id: "your-client-id" # TO BE FILLED + # client_secret: "your-client-secret" # TO BE FILLED + # authorization_endpoint: "https://github.com/login/oauth/authorize" + # token_endpoint: "https://github.com/login/oauth/access_token" + # userinfo_endpoint: "https://api.github.com/user" + # scopes: ["read:user"] + # user_mapping_provider: + # config: + # subject_claim: "id" + # localpart_template: "{ user.login }" + # display_name_template: "{ user.name }" # Enable Central Authentication Service (CAS) for registration and login. @@ -1870,9 +1890,9 @@ sso: # phishing attacks from evil.site. To avoid this, include a slash after the # hostname: "https://my.client/". # - # If public_baseurl is set, then the login fallback page (used by clients - # that don't natively support the required login flows) is whitelisted in - # addition to any URLs in this list. + # The login fallback page (used by clients that don't natively support the + # required login flows) is automatically whitelisted in addition to any URLs + # in this list. # # By default, this list is empty. # @@ -1886,22 +1906,31 @@ sso: # # Synapse will look for the following templates in this directory: # - # * HTML page for a confirmation step before redirecting back to the client - # with the login token: 'sso_redirect_confirm.html'. + # * HTML page to prompt the user to choose an Identity Provider during + # login: 'sso_login_idp_picker.html'. # - # When rendering, this template is given three variables: - # * redirect_url: the URL the user is about to be redirected to. Needs - # manual escaping (see - # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # This is only used if multiple SSO Identity Providers are configured. # - # * display_url: the same as `redirect_url`, but with the query - # parameters stripped. The intention is to have a - # human-readable URL to show to users, not to use it as - # the final address to redirect to. Needs manual escaping - # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # When rendering, this template is given the following variables: + # * redirect_url: the URL that the user will be redirected to after + # login. Needs manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). # # * server_name: the homeserver's name. # + # * providers: a list of available Identity Providers. Each element is + # an object with the following attributes: + # * idp_id: unique identifier for the IdP + # * idp_name: user-facing name for the IdP + # + # The rendered HTML page should contain a form which submits its results + # back as a GET request, with the following query parameters: + # + # * redirectUrl: the client redirect URI (ie, the `redirect_url` passed + # to the template) + # + # * idp: the 'idp_id' of the chosen IDP. + # # * HTML page which notifies the user that they are authenticating to confirm # an operation on their account during the user interactive authentication # process: 'sso_auth_confirm.html'. @@ -1921,6 +1950,14 @@ sso: # # This template has no additional variables. # + # * HTML page shown after a user-interactive authentication session which + # does not map correctly onto the expected user: 'sso_auth_bad_user.html'. + # + # When rendering, this template is given the following variables: + # * server_name: the homeserver's name. + # * user_id_to_verify: the MXID of the user that we are trying to + # validate. + # # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) # attempts to login: 'sso_account_deactivated.html'. # From 26b287bd17db3e688d89e9b69ab1392587b1fb70 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Jan 2021 21:51:46 +0200 Subject: [PATCH 1863/2384] Upgrade certbot (1.10.1 -> 1.11.0) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 7c383383..5eedb4ce 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -295,7 +295,7 @@ matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.10.1" +matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.11.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ From e7f3f7c4318ccc6d2d2c5c4ad726b99eb3c63bf3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 27 Jan 2021 22:18:47 +0200 Subject: [PATCH 1864/2384] Enable /devices endpoint for generic workers --- roles/matrix-synapse/vars/workers.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index 9dc79360..a3b50dc4 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -43,6 +43,7 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$ - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$ - ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$ + - ^/_matrix/client/(api/v1|r0|unstable)/devices$ - ^/_matrix/client/(api/v1|r0|unstable)/keys/query$ - ^/_matrix/client/(api/v1|r0|unstable)/keys/changes$ - ^/_matrix/client/versions$ From 3ea90ca4369285b0a3fa7ec9419823038d19ee6b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 28 Jan 2021 09:23:23 +0200 Subject: [PATCH 1865/2384] Upgrade Element (1.7.17 -> 1.7.18) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 09bd2461..e8678b49 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.17" +matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.18" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From b7261dc09878de3b14a9a784ea8178a58261db84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Thu, 28 Jan 2021 15:11:22 +0100 Subject: [PATCH 1866/2384] Etherpad role: Etherpad needs Dimension The default scalar.vector.im integrations manager doesn't support custom URL's for etherpad, therefore Dimension needs to be enabled. --- roles/matrix-etherpad/tasks/main.yml | 6 ++++++ roles/matrix-etherpad/tasks/validate_config.yml | 8 +++----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/roles/matrix-etherpad/tasks/main.yml b/roles/matrix-etherpad/tasks/main.yml index 09ead973..27548aaf 100644 --- a/roles/matrix-etherpad/tasks/main.yml +++ b/roles/matrix-etherpad/tasks/main.yml @@ -13,3 +13,9 @@ tags: - setup-all - setup-etherpad + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool and matrix_etherpad_enabled|bool + tags: + - setup-all + - setup-etherpad diff --git a/roles/matrix-etherpad/tasks/validate_config.yml b/roles/matrix-etherpad/tasks/validate_config.yml index e5621a07..77623558 100644 --- a/roles/matrix-etherpad/tasks/validate_config.yml +++ b/roles/matrix-etherpad/tasks/validate_config.yml @@ -1,7 +1,5 @@ -- name: Fail if required Etherpad settings not defined +- name: Fail if Etherpad is enabled without the Dimension integrations manager fail: msg: >- - You need to define a required configuration setting (`{{ item }}`) for using Etherpad. - with_items: - - - when: "matrix_etherpad_enabled and vars[item] == ''" + To integrate Etherpad notes with Matrix rooms you need to set "matrix_dimension_enabled" to true + when: "not matrix_dimension_enabled|bool" From 2edc9cb83c2dcb4882e2406838679bc7fcede3af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Thu, 28 Jan 2021 17:54:02 +0100 Subject: [PATCH 1867/2384] Name the Synapse database on state compression import Fixes: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/833 --- .../tasks/rust-synapse-compress-state/compress_room.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml b/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml index 8570411f..46cad808 100644 --- a/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml +++ b/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml @@ -34,7 +34,7 @@ --entrypoint=/bin/sh {{ matrix_postgres_docker_image_latest }} -c "cat /work/state-compressor.sql | - psql -v ON_ERROR_STOP=1 -h matrix-postgres" + psql -v ON_ERROR_STOP=1 -h matrix-postgres -d {{ matrix_synapse_database_database }}" - name: Import compression SQL into Postgres command: "{{ matrix_synapse_rust_synapse_compress_state_psql_import_command }}" From 1a0f64f23b925273d54b97cfdc979eef0970b30b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 28 Jan 2021 19:18:26 +0200 Subject: [PATCH 1868/2384] Mention specs on the Prerequisites page Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/682 --- docs/prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index f7db27f5..e678a0bd 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -2,7 +2,7 @@ To install Matrix services using this Ansible playbook, you need: -- (Recommended) An **x86** server running one of these operating systems: +- (Recommended) An **x86** server ([What kind of server specs do I need?](faq.md#what-kind-of-server-specs-do-i-need)) running one of these operating systems: - **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)) - **Debian** (9/Stretch or newer) - **Ubuntu** (16.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) From bcdc42624feda65647b1e6fe2d37512bc97ddf82 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 29 Jan 2021 17:31:27 -0600 Subject: [PATCH 1869/2384] Add mx-puppet-skype and mx-puppet-slack to README I also moved matrix-sms-bridge up to match the order from container-images.md --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 93c022d9..872c9286 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,12 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) +- (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - see [docs/configuring-playbook-bridge-matrix-bridge-sms.md](docs/configuring-playbook-bridge-matrix-bridge-sms.md) for setup documentation + +- (optional) the [mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-mx-puppet-skype.md](docs/configuring-playbook-bridge-mx-puppet-skype.md) for setup documentation + +- (optional) the [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-skype) for bridging your Matrix server to [Slack](https://slack.com) - see [docs/configuring-playbook-bridge-mx-puppet-slack.md](docs/configuring-playbook-bridge-mx-puppet-slack.md) for setup documentation + - (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation - (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation @@ -71,8 +77,6 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation -- (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - see [docs/configuring-playbook-bridge-matrix-bridge-sms.md](docs/configuring-playbook-bridge-matrix-bridge-sms.md) for setup documentation - - (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms - see [docs/configuring-playbook-email2matrix.md](docs/configuring-playbook-email2matrix.md) for setup documentation - (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients - see [docs/configuring-playbook-dimension.md](docs/configuring-playbook-dimension.md) for setup documentation From 473936065d17e8496408028954982a175b98eac1 Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Sat, 30 Jan 2021 08:21:46 +0100 Subject: [PATCH 1870/2384] Use Debian Buster Docker repo on Debian Bullseye Future maintainer: check on https://docs.docker.com/engine/install/debian/ if Docker for Debian 11 is released, then undo this commit --- roles/matrix-base/tasks/server_base/setup_debian.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index 37706d1f..42b6f30c 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -23,7 +23,14 @@ repo: "deb [arch={{ matrix_debian_arch }}] https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} stable" state: present update_cache: yes - when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' + when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce and not ansible_distribution_release == 'bullseye' + +- name: Ensure Docker repository is enabled (using Debian Buster on Debian Bullseye, for which there is no Docker yet) + apt_repository: + repo: "deb [arch={{ matrix_debian_arch }}] https://download.docker.com/linux/{{ ansible_distribution|lower }} buster stable" + state: present + update_cache: yes + when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce and ansible_distribution_release == 'bullseye' - name: Ensure APT packages are installed apt: From efbffa26bf79139043f6c0c0e1ca69fb03c93616 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 30 Jan 2021 11:37:08 +0200 Subject: [PATCH 1871/2384] Fix typo --- roles/matrix-etherpad/tasks/setup_uninstall.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-etherpad/tasks/setup_uninstall.yml b/roles/matrix-etherpad/tasks/setup_uninstall.yml index 865389f2..8f40f420 100644 --- a/roles/matrix-etherpad/tasks/setup_uninstall.yml +++ b/roles/matrix-etherpad/tasks/setup_uninstall.yml @@ -29,7 +29,7 @@ path: "{{ matrix_etherpad_base_path }}" state: absent -- name: Ensure Dimension Docker image doesn't exist +- name: Ensure Etherpad Docker image doesn't exist docker_image: name: "{{ matrix_etherpad_docker_image }}" state: absent From e0e459ac0c09d9618ab73c194dec0a996443cc15 Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Sat, 30 Jan 2021 11:53:02 +0100 Subject: [PATCH 1872/2384] Fixed missing quotes --- roles/matrix-base/tasks/server_base/setup_debian.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index 42b6f30c..54e52c1b 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -23,14 +23,14 @@ repo: "deb [arch={{ matrix_debian_arch }}] https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} stable" state: present update_cache: yes - when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce and not ansible_distribution_release == 'bullseye' + when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' and not ansible_distribution_release == 'bullseye' - name: Ensure Docker repository is enabled (using Debian Buster on Debian Bullseye, for which there is no Docker yet) apt_repository: repo: "deb [arch={{ matrix_debian_arch }}] https://download.docker.com/linux/{{ ansible_distribution|lower }} buster stable" state: present update_cache: yes - when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce and ansible_distribution_release == 'bullseye' + when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' and ansible_distribution_release == 'bullseye' - name: Ensure APT packages are installed apt: From 8de739132a9e52170380d3d5f1a01034abacd82c Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Sat, 30 Jan 2021 12:47:56 +0100 Subject: [PATCH 1873/2384] Update IRC bridge to 0.23.0 --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index ba4e1e1b..a6a45f5d 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:release-0.17.1" +matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:release-0.23.0" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" From 0a0c9a4efc85c7382f92a31067dc299f1d18419e Mon Sep 17 00:00:00 2001 From: o8F0LY <61626020+o8F0LY@users.noreply.github.com> Date: Sat, 30 Jan 2021 22:54:51 +0100 Subject: [PATCH 1874/2384] Add double quotes to avoid synatx errors --- .../sql/init-additional-db-user-and-role.sql.j2 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 b/roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 index 609a1344..a5a3385b 100644 --- a/roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 +++ b/roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 @@ -2,18 +2,18 @@ -- Seen here: https://stackoverflow.com/a/49858797 DO $$ BEGIN - CREATE USER {{ additional_db.username }}; + CREATE USER "{{ additional_db.username }}"; EXCEPTION WHEN DUPLICATE_OBJECT THEN - RAISE NOTICE 'not creating user {{ additional_db.username }}, since it already exists'; + RAISE NOTICE 'not creating user "{{ additional_db.username }}", since it already exists'; END $$; -- This is useful for initial user creation (since we don't assign a password above) and for handling subsequent password changes -- TODO - we should escape quotes in the password. -ALTER ROLE {{ additional_db.username }} PASSWORD '{{ additional_db.password }}'; +ALTER ROLE "{{ additional_db.username }}" PASSWORD '{{ additional_db.password }}'; -- This will generate an error on subsequent execution -CREATE DATABASE {{ additional_db.name }} WITH LC_CTYPE 'C' LC_COLLATE 'C' OWNER {{ additional_db.username }}; +CREATE DATABASE "{{ additional_db.name }}" WITH LC_CTYPE 'C' LC_COLLATE 'C' OWNER "{{ additional_db.username }}"; -- This is useful for changing the database owner subsequently -ALTER DATABASE {{ additional_db.name }} OWNER TO {{ additional_db.username }}; +ALTER DATABASE "{{ additional_db.name }}" OWNER TO "{{ additional_db.username }}"; From 7804060eee3a7b6437c767980d2edd605799ced7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 31 Jan 2021 09:47:47 +0200 Subject: [PATCH 1875/2384] Use Etherpad 1.8.7, not :latest --- roles/matrix-etherpad/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 19a79bd1..28bb0c8d 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -2,7 +2,7 @@ matrix_etherpad_enabled: false matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" -matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:latest" +matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:1.8.7" matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" # List of systemd services that matrix-etherpad.service depends on. @@ -53,9 +53,9 @@ matrix_etherpad_database_connection_string: 'postgres://{{ matrix_etherpad_datab matrix_etherpad_title: 'Etherpad' matrix_etherpad_default_pad_text: | Welcome to Etherpad! - + This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents! - + Get involved with Etherpad at https://etherpad.org # Default Etherpad configuration template which covers the generic use case. From 5df2f6cdd1ff9a79d9998ca57cf320ea2f43d30b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 31 Jan 2021 09:54:12 +0200 Subject: [PATCH 1876/2384] Update docs and changelog --- CHANGELOG.md | 9 +++++++++ docs/configuring-playbook-etherpad.md | 4 ++-- docs/container-images.md | 2 ++ 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5ce03e79..1e23e58d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2021-01-31 + +## Etherpad support + +Thanks to [@pushytoxin](https://github.com/pushytoxin), the playbook can now install the [Etherpad](https://etherpad.org) realtime collaborative text editor. It can be used in a [Jitsi](https://jitsi.org/) audio/video call or integrated as a widget into Matrix chat rooms via the [Dimension](https://dimension.t2bot.io) integration manager. + +To get it installed, follow [our Etherpad docs page](docs/configuring-playbook-etherpad.md). + + # 2021-01-22 ## (Breaking Change) Postgres changes that require manual intervention diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md index 9ec24d33..af1a9c7d 100644 --- a/docs/configuring-playbook-etherpad.md +++ b/docs/configuring-playbook-etherpad.md @@ -2,13 +2,13 @@ [Etherpad](https://etherpad.org) is is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) -When enabled together with Jitsi, it will be made available as an option during the conferences. +When enabled together with the Jitsi audio/video conferencing system (see [our docs on Jitsi](configuring-playbook-jitsi.md)), it will be made available as an option during the conferences. ## Prerequisites For the self-hosted Etherpad instance to be available to your users, you must first enable and configure the **Dimension integrations manager** as described in [the playbook documentation](configuring-playbook-dimension.md) -## Enable +## Installing [Etherpad](https://etherpad.org) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): diff --git a/docs/container-images.md b/docs/container-images.md index 33cfa727..aee24b04 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -32,6 +32,8 @@ These services are not part of our default installation, but can be enabled by [ - [ewoutp/goofys](https://hub.docker.com/r/ewoutp/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) +- [etherpad/etherpad](https://hub.docker.com/r/etherpad/etherpad/) - the [Etherpad](https://etherpad.org) realtime collaborative text editor that can be used in a Jitsi audio/video call or integrated as a widget into Matrix chat rooms via the Dimension integration manager (optional) + - [devture/email2matrix](https://hub.docker.com/r/devture/email2matrix/) - the [Email2Matrix](https://github.com/devture/email2matrix) email server, which can relay email messages to Matrix rooms (optional) - [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal/) - [Matrix Corporal](https://github.com/devture/matrix-corporal): reconciliator and gateway for a managed Matrix server (optional) From a8b61adb8dab3cbfa52a87b629cb8fadd54fa285 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Mon, 1 Feb 2021 03:22:04 -0600 Subject: [PATCH 1877/2384] Clarify hosts file wording --- examples/hosts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/examples/hosts b/examples/hosts index daf2cfc5..ba08107b 100644 --- a/examples/hosts +++ b/examples/hosts @@ -9,10 +9,11 @@ # to the host line below or by adding `ansible_ssh_pipelining: False` to your variables file. # # If you're running this Ansible playbook on the same server as the one you're installing to, -# consider adding an additional `ansible_connection=local` argument below. +# consider adding an additional `ansible_connection=local` argument to the host line below. # # Ansible may fail to discover which Python interpreter to use on the host for some distros (like Ubuntu 20.04). -# You may sometimes need to explicitly add `ansible_python_interpreter=/usr/bin/python3` to lines below. +# You may sometimes need to explicitly add the argument `ansible_python_interpreter=/usr/bin/python3` +# to the host line below. [matrix_servers] matrix. ansible_host= ansible_ssh_user=root From c4a05b760ad6d4ab33aab36d64252a03b754dc6c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 3 Feb 2021 13:22:05 +0200 Subject: [PATCH 1878/2384] Make mautrix bridges not overwrite their config If they do, our next playbook runs would simply revert it and report "changed" for that task. There's no benefit to letting the bridge spew a new config file. This does not apply to the mautrix whatsapp bridge, because that one is written in Go (not Python) and takes different flags. There's no equivalent flag there. --- .../templates/systemd/matrix-mautrix-facebook.service.j2 | 2 +- .../templates/systemd/matrix-mautrix-hangouts.service.j2 | 2 +- .../templates/systemd/matrix-mautrix-signal.service.j2 | 2 +- .../templates/systemd/matrix-mautrix-telegram.service.j2 | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index 95f0e3da..acd2c885 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -44,7 +44,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebo {{ arg }} \ {% endfor %} {{ matrix_mautrix_facebook_docker_image }} \ - python3 -m mautrix_facebook -c /config/config.yaml + python3 -m mautrix_facebook -c /config/config.yaml --no-update ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index 9d69bd84..60f0e055 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -42,7 +42,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangou {{ arg }} \ {% endfor %} {{ matrix_mautrix_hangouts_docker_image }} \ - python3 -m mautrix_hangouts -c /config/config.yaml + python3 -m mautrix_hangouts -c /config/config.yaml --no-update ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts 2>/dev/null' ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts 2>/dev/null' diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index 0c513a22..e3e02424 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -35,7 +35,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal {{ arg }} \ {% endfor %} {{ matrix_mautrix_signal_docker_image }} \ - python3 -m mautrix_signal -c /config/config.yaml + python3 -m mautrix_signal -c /config/config.yaml --no-update ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-signal 2>/dev/null' ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-signal 2>/dev/null' diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index 18bd15ba..ae1ac675 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -42,7 +42,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegr {{ arg }} \ {% endfor %} {{ matrix_mautrix_telegram_docker_image }} \ - python3 -m mautrix_telegram -c /config/config.yaml + python3 -m mautrix_telegram -c /config/config.yaml --no-update ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-telegram 2>/dev/null' ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-telegram 2>/dev/null' From d1f28d17bb0da8c5fe3a28c39ba618e1b9316897 Mon Sep 17 00:00:00 2001 From: Julian Foad Date: Wed, 3 Feb 2021 12:52:15 +0000 Subject: [PATCH 1879/2384] Allow psql args to be given to matrix-postgres-cli This passes any arguments given to 'matrix-postgres-cli' to the 'psql' command. Examples: $ # start an interactive shell connected to a given db $ sudo matrix-postgres-cli -d synapse $ # run a query, non-interactively $ sudo matrix-postgres-cli -d synapse -c 'SELECT group_id FROM groups;' --- .../templates/usr-local-bin/matrix-postgres-cli.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 index 61f4cf80..de09a4eb 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -9,4 +9,5 @@ docker run \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --network {{ matrix_docker_network }} \ {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} + psql -h {{ matrix_postgres_connection_hostname }} \ + "$@" From b8ac0895621de89e76c6f8d4821493f62ab11716 Mon Sep 17 00:00:00 2001 From: Julian Foad Date: Wed, 3 Feb 2021 13:11:27 +0000 Subject: [PATCH 1880/2384] Fix wrong links in mautrix-signal docs --- docs/configuring-playbook-bridge-mautrix-signal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index 164b06de..6d3c4dfb 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md +++ b/docs/configuring-playbook-bridge-mautrix-signal.md @@ -14,7 +14,7 @@ matrix_mautrix_signal_enabled: true ## Set up Double Puppeting -If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-whatsapp/wiki/Authentication#replacing-whatsapp-accounts-matrix-puppet-with-matrix-account) (hint: you most likely do), you have 2 ways of going about it. +If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-signal/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it. ### Method 1: automatically, by enabling Shared Secret Auth From 47784d465a0771e4c7ba6be2461e269133a959e2 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 3 Feb 2021 09:50:58 -0600 Subject: [PATCH 1881/2384] Remove note about federation tester not working with TLS 1.3 --- docs/configuring-playbook-nginx.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index ba6c5c12..3c0bad5b 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -34,8 +34,7 @@ Possible values are: - `"intermediate"` (**default**) - Recommended configuration for a general-purpose server - `"old"` - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -**Be really carefull when setting it to `"modern"`**. This could break comunication with other Matrix servers, limiting your federation posibilities. The -[Federarion tester](https://federationtester.matrix.org/) also won't work. +**Be really carefull when setting it to `"modern"`**. This could break comunication with other Matrix servers, limiting your federation posibilities. Besides changing the preset (`matrix_nginx_proxy_ssl_preset`), you can also directly override these 3 variables: From 5cb976c321fd1a9d6c7d8538892001dc8d5ebfff Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 3 Feb 2021 10:07:43 -0600 Subject: [PATCH 1882/2384] Upgrade Element (1.7.18 -> 1.7.19) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index e8678b49..5e1300a4 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.18" +matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.19" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 9ad67d7cdf057acdadd16c088f71a8489cde5f37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Paul=20T=C3=B6tterman?= Date: Thu, 4 Feb 2021 16:26:56 +0200 Subject: [PATCH 1883/2384] Upgrade Element (1.7.19 -> 1.7.20) https://github.com/vector-im/element-web/releases/tag/v1.7.20 https://hub.docker.com/layers/vectorim/element-web/v1.7.20/images/sha256-44cae3a532d86c16940deb70866b522ba6acc8c5d7adf3c661cfc8b06f1de681?context=explore --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 5e1300a4..f2c46443 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.19" +matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.20" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 064b2e533ccb1e3db9b9d1a0df075c6978ba8033 Mon Sep 17 00:00:00 2001 From: Stuart Thomson Date: Sat, 6 Feb 2021 20:02:39 +1300 Subject: [PATCH 1884/2384] Add variable for extra domains to get LE certs for I felt that adding another variable was probably going to be the easiest way to do this. I may end up adding another variable to enable this feature, for consistency with some of the other things. --- group_vars/matrix_servers | 2 ++ roles/matrix-nginx-proxy/defaults/main.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5d76a60c..17181531 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1025,6 +1025,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | ([matrix_server_fqn_jitsi] if matrix_jitsi_enabled else []) + ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) + + + matrix_ssl_additional_domains_to_obtain_certificates_for }} matrix_ssl_architecture: "{{ diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 5eedb4ce..cb066277 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -292,6 +292,7 @@ matrix_ssl_architecture: "amd64" # The list of domains that this role will obtain certificates for. matrix_ssl_domains_to_obtain_certificates_for: [] +matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false From f7bea5bb05ecf97e087bb4e164ed636717f81d1a Mon Sep 17 00:00:00 2001 From: Stuart Thomson Date: Sat, 6 Feb 2021 20:31:24 +1300 Subject: [PATCH 1885/2384] Add documentation for new variable --- docs/configuring-playbook-nginx.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index 3c0bad5b..c4788710 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -59,3 +59,17 @@ This will disable the access logging for nginx. ```yaml matrix_nginx_proxy_access_log_enabled: false ``` + +## Additional configuration + + + + + +Make sure that you have set the DNS configuration for the domains you want to include to point at your server. + +```yaml +matrix_ssl_additional_domains_to_obtain_certificates_for: + - domain.one.example + - domain.two.example +``` From d416b0cebee888d74290c4526731303df8b5cb0d Mon Sep 17 00:00:00 2001 From: pushytoxin Date: Sat, 6 Feb 2021 12:45:54 +0100 Subject: [PATCH 1886/2384] Etherpad docs: Padname length bug Warn users of the known bug https://github.com/turt2live/matrix-dimension/issues/395 --- docs/configuring-playbook-etherpad.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/configuring-playbook-etherpad.md b/docs/configuring-playbook-etherpad.md index af1a9c7d..e5533e71 100644 --- a/docs/configuring-playbook-etherpad.md +++ b/docs/configuring-playbook-etherpad.md @@ -24,3 +24,8 @@ The Dimension administrator users can configure the default URL template. The Di If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. Example: `https://dimension./etherpad/p/$roomId_$padName?showChat=false` + +## Known issues + +If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it. +`$roomId_$padName` can end up being longer than 50 characters. You can avoid having this problem by altering the template so it only contains the three word random identifier `$padName`. From 093ecba40503a91b2d116c1c8140398da121e1a6 Mon Sep 17 00:00:00 2001 From: Stuart Thomson Date: Sun, 7 Feb 2021 16:09:20 +1300 Subject: [PATCH 1887/2384] Add more documentation --- docs/configuring-playbook-nginx.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index c4788710..91bed77c 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -62,14 +62,23 @@ matrix_nginx_proxy_access_log_enabled: false ## Additional configuration - +This playbook also allows for additional configuration to be applied to the nginx server. - - -Make sure that you have set the DNS configuration for the domains you want to include to point at your server. +If you want this playbook to obtain and renew certificates for other domains, then you can set the `matrix_ssl_additional_domains_to_obtain_certificates_for` variable. Make sure that you have set the DNS configuration for the domains you want to include to point at your server. ```yaml matrix_ssl_additional_domains_to_obtain_certificates_for: - domain.one.example - domain.two.example ``` + +You can include additional nginx configuration by setting the `matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks` variable. + +```yaml +matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: + - | + # These lines will be included in the nginx configuration. + # This is at the top level of the file, so you will need to define all of the `server { ... }` blocks. + - | + # For advanced use, have a look at the template files in `roles/matrix-nginx-proxy/templates/nginx/conf.d` +``` From 479d8b3e44394f1fa6fe9b6543c1756d05e086c5 Mon Sep 17 00:00:00 2001 From: buxel Date: Mon, 8 Feb 2021 11:35:31 +0100 Subject: [PATCH 1888/2384] Update configuring-dns.md Added note about cloudflare, related to #821 --- docs/configuring-dns.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 9d738477..cef4cd50 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -29,6 +29,7 @@ If you decide to go with the alternative method ([Server Delegation via a DNS SR DNS records marked with `(*)` above are optional. They refer to services that will not be installed by default (see the section below). If you won't be installing these services, feel free to skip creating these DNS records. Also be mindful as to how long it will take for the DNS records to propagate. +> If you are using Cloudflare DNS, make sure to disable the proxy and set all records to `DNS only`. Otherwise, fetching certificates will fail. ## Subdomains setup From 599ff34be98a42bdc43321b078cf27bb68d9c56c Mon Sep 17 00:00:00 2001 From: Yan Date: Mon, 8 Feb 2021 18:22:59 +0100 Subject: [PATCH 1889/2384] fix typo from skype to slack --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bffe9266..91f9314d 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,7 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-mx-puppet-skype.md](docs/configuring-playbook-bridge-mx-puppet-skype.md) for setup documentation -- (optional) the [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-skype) for bridging your Matrix server to [Slack](https://slack.com) - see [docs/configuring-playbook-bridge-mx-puppet-slack.md](docs/configuring-playbook-bridge-mx-puppet-slack.md) for setup documentation +- (optional) the [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) for bridging your Matrix server to [Slack](https://slack.com) - see [docs/configuring-playbook-bridge-mx-puppet-slack.md](docs/configuring-playbook-bridge-mx-puppet-slack.md) for setup documentation - (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation From 385b6c623e6c4144d99760b851bb3fcf9ecbc148 Mon Sep 17 00:00:00 2001 From: Yan Date: Tue, 9 Feb 2021 00:02:48 +0100 Subject: [PATCH 1890/2384] Fixes: a66a604e ("Selfbuild appservice-slack bridge") --- roles/matrix-bridge-appservice-slack/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index 721a5d6b..703d3fab 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -2,7 +2,7 @@ - name: Ensure AppService Slack paths exist file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" From 7e8e95a09a994dba9e02be0f8348862f85b9042c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 9 Feb 2021 22:04:35 +0200 Subject: [PATCH 1891/2384] Make S3-mounting path configurable This will make data migration easier. --- roles/matrix-synapse/defaults/main.yml | 1 + roles/matrix-synapse/tasks/goofys/setup_install.yml | 8 ++++---- .../templates/goofys/systemd/matrix-goofys.service.j2 | 4 ++-- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 1b19bd7c..62a8c347 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -354,6 +354,7 @@ matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "your-aws-access-key" matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" matrix_s3_media_store_region: "eu-central-1" +matrix_s3_media_store_path: "{{ matrix_synapse_media_store_path }}" # Controls whether the self-check feature should validate SSL certificates. matrix_synapse_self_check_validate_certificates: true diff --git a/roles/matrix-synapse/tasks/goofys/setup_install.yml b/roles/matrix-synapse/tasks/goofys/setup_install.yml index 93237986..b5e95614 100644 --- a/roles/matrix-synapse/tasks/goofys/setup_install.yml +++ b/roles/matrix-synapse/tasks/goofys/setup_install.yml @@ -8,18 +8,18 @@ # This will throw a Permission Denied error if already mounted - name: Check Matrix Goofys external storage mountpoint path stat: - path: "{{ matrix_synapse_media_store_path }}" - register: local_path_matrix_synapse_media_store_path_stat + path: "{{ matrix_s3_media_store_path }}" + register: local_path_matrix_s3_media_store_path_stat ignore_errors: yes - name: Ensure Matrix Goofys external storage mountpoint exists file: - path: "{{ matrix_synapse_media_store_path }}" + path: "{{ matrix_s3_media_store_path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: "not local_path_matrix_synapse_media_store_path_stat.failed and not local_path_matrix_synapse_media_store_path_stat.stat.exists" + when: "not local_path_matrix_s3_media_store_path_stat.failed and not local_path_matrix_s3_media_store_path_stat.stat.exists" - name: Ensure goofys environment variables file created template: diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index d96ab4a6..df4a4f23 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -16,7 +16,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ --mount type=bind,src=/etc/group,dst=/etc/group,ro \ - --mount type=bind,src={{ matrix_synapse_media_store_path }},dst=/s3,bind-propagation=shared \ + --mount type=bind,src={{ matrix_s3_media_store_path }},dst=/s3,bind-propagation=shared \ --security-opt apparmor:unconfined \ --cap-add mknod \ --cap-add sys_admin \ @@ -30,7 +30,7 @@ TimeoutStartSec=5min ExecStop=-{{ matrix_host_command_docker }} stop %n ExecStop=-{{ matrix_host_command_docker }} kill %n ExecStop=-{{ matrix_host_command_docker }} rm %n -ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_synapse_media_store_path }} +ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }} Restart=always RestartSec=5 SyslogIdentifier=matrix-goofys From 96e6111aa62fe29b251c8fe9c1dd2d4c473375da Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 9 Feb 2021 22:09:08 +0200 Subject: [PATCH 1892/2384] Improve S3 docs around data migration --- docs/configuring-playbook-s3.md | 135 ++++++++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) diff --git a/docs/configuring-playbook-s3.md b/docs/configuring-playbook-s3.md index 643edb5b..9132ff71 100644 --- a/docs/configuring-playbook-s3.md +++ b/docs/configuring-playbook-s3.md @@ -6,6 +6,11 @@ If that's alright, you can skip this. If you'd like to store Synapse's content repository (`media_store`) files on Amazon S3 (or other S3-compatible service), you can let this playbook configure [Goofys](https://github.com/kahing/goofys) for you. +Using a Goofys-backed media store works, but performance may not be ideal. If possible, try to use a region which is close to your Matrix server. + +If you'd like to move your locally-stored media store data to Amazon S3 (or another S3-compatible object store), we also provide some migration instructions below. + + ## Amazon S3 You'll need an Amazon S3 bucket and some IAM user credentials (access key + secret key) with full write access to the bucket. Example security policy: @@ -50,3 +55,133 @@ matrix_s3_media_store_custom_endpoint_enabled: true # Example: "https://storage.googleapis.com" matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" ``` + +### Backblaze B2 + +To use [Backblaze B2](https://www.backblaze.com/b2/cloud-storage.html): + +- create a new **private** bucket through its user interface (you can call it something like `matrix-DOMAIN-media-store`) +- note the **Endpoint** for your bucket (something like `s3.us-west-002.backblazeb2.com`) +- adjust its lifecycle rules to use the following **custom** rules: + - File Path: *empty value* + - Days Till Hide: *empty value* + - Days Till Delete: `1` +- go to [App Keys](https://secure.backblaze.com/app_keys.htm) and use the **Add a New Application Key** to create a new one + - restrict it to the previously created bucket (e.g. `matrix-DOMAIN-media-store`) + - give it *Read & Write* access + +Copy the `keyID` and `applicationKey`. + +You need the following *additional* playbook configuration (on top of what you see above): + +```yaml +matrix_s3_media_store_bucket_name: "YOUR_BUCKET_NAME_GOES_HERE" +matrix_s3_media_store_aws_access_key: "YOUR_keyID_GOES_HERE" +matrix_s3_media_store_aws_secret_key: "YOUR_applicationKey_GOES_HERE" +matrix_s3_media_store_custom_endpoint_enabled: true +matrix_s3_media_store_custom_endpoint: "https://s3.us-west-002.backblazeb2.com" # this may be different for your bucket +``` + +If you have local media store files and wish to migrate to Backblaze B2 subsequently, follow our [migration guide to Backblaze B2](#migrating-to-backblaze-b2) below instead of applying this configuration as-is. + + +## Migrating from local filesystem storage to S3 + +It's a good idea to [make a complete server backup](faq.md#how-do-i-backup-the-data-on-my-server) before migrating your local media store to an S3-backed one. + +Follow one of the guides below for a migration path from a locally-stored media store to one stored on S3-compatible storage: + +- [Migrating to any S3-compatible storage (universal, but likely slow)](#migrating-to-any-s3-compatible-storage-universal-but-likely-slow) +- [Migrating to Backblaze B2](#migrating-to-backblaze-b2) + +### Migrating to any S3-compatible storage (universal, but likely slow) + +It's a good idea to [make a complete server backup](faq.md#how-do-i-backup-the-data-on-my-server) before doing this. + +1. Proceed with the steps below without stopping Matrix services + +2. Start by adding the base S3 configuration in your `vars.yml` file (seen above, may be different depending on the S3 provider of your choice) + +3. In addition to the base configuration you see above, add this to your `vars.yml` file: + +```yaml +matrix_s3_media_store_path: /matrix/s3-media-store +``` + +This enables S3 support, but mounts the S3 storage bucket to `/matrix/s3-media-store` without hooking it to your homeserver yet. Your homeserver will still continue using your local filesystem for its media store. + +5. Run the playbook to apply the changes: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` + +6. Do an **initial sync of your files** by running this **on the server** (it may take a very long time): + +```sh +sudo -u matrix -- rsync --size-only --ignore-existing -avr /matrix/synapse/storage/media-store/. /matrix/s3-media-store/. +``` + +You may need to install `rsync` manually. + +7. Stop all Matrix services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + +8. Start the S3 service by running this **on the server**: `systemctl start matrix-goofys` + +9. Sync the files again by re-running the `rsync` command you see in step #6 + +10. Stop the S3 service by running this **on the server**: `systemctl stop matrix-goofys` + +11. Get the old media store out of the way by running this command on the server: + +```sh +mv /matrix/synapse/storage/media-store /matrix/synapse/storage/media-store-local-backup +``` + +12. Remove the `matrix_s3_media_store_path` configuration from your `vars.yml` file (undoing step #3 above) + +13. Run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` + +14. You're done! Verify that loading existing (old) media files works and that you can upload new ones. + +15. When confident that it all works, get rid of the local media store directory: `rm -rf /matrix/synapse/storage/media-store-local-backup` + + +### Migrating to Backblaze B2 + +It's a good idea to [make a complete server backup](faq.md#how-do-i-backup-the-data-on-my-server) before doing this. + +1. While all Matrix services are running, run the following command on the server: + +(you need to adjust the 3 `--env` line below with your own data) + +```sh +docker run -it --rm -w /work \ +--env='B2_KEY_ID=YOUR_KEY_GOES_HERE' \ +--env='B2_KEY_SECRET=YOUR_SECRET_GOES_HERE' \ +--env='B2_BUCKET_NAME=YOUR_BUCKET_NAME_GOES_HERE' \ +-v /matrix/synapse/storage/media-store/:/work \ +--entrypoint=/bin/sh \ +docker.io/tianon/backblaze-b2:2.1.0 \ +-c 'b2 authorize-account $B2_KEY_ID $B2_KEY_SECRET > /dev/null && b2 sync /work/ b2://$B2_BUCKET_NAME' +``` + +This is some initial file sync, which may take a very long time. + +2. Stop all Matrix services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`) + +3. Run the command from step #1 again. + +Doing this will sync any new files that may have been created locally in the meantime. + +Now that Matrix services aren't running, we're sure to get Backblaze B2 and your local media store fully in sync. + +4. Get the old media store out of the way by running this command on the server: + +```sh +mv /matrix/synapse/storage/media-store /matrix/synapse/storage/media-store-local-backup +``` + +5. Put the [Backblaze B2 settings seen above](#backblaze-b2) in your `vars.yml` file + +6. Run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` + +7. You're done! Verify that loading existing (old) media files works and that you can upload new ones. + +8. When confident that it all works, get rid of the local media store directory: `rm -rf /matrix/synapse/storage/media-store-local-backup` From 13ef9e85cf664a03942e3d38280238988a247a2f Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Fri, 29 Jan 2021 05:29:25 +0100 Subject: [PATCH 1893/2384] Prometheus Initial attempt. Seems to work fine. Only tested on debian amd64 so far --- group_vars/matrix_servers | 21 +++++ roles/matrix-prometheus/defaults/main.yml | 51 ++++++++++ roles/matrix-prometheus/tasks/init.yml | 5 + roles/matrix-prometheus/tasks/main.yml | 14 +++ roles/matrix-prometheus/tasks/setup.yml | 93 +++++++++++++++++++ .../tasks/validate_config.yml | 7 ++ .../templates/prometheus.yml.j2 | 35 +++++++ .../systemd/matrix-prometheus.service.j2 | 42 +++++++++ setup.yml | 1 + 9 files changed, 269 insertions(+) create mode 100644 roles/matrix-prometheus/defaults/main.yml create mode 100644 roles/matrix-prometheus/tasks/init.yml create mode 100644 roles/matrix-prometheus/tasks/main.yml create mode 100644 roles/matrix-prometheus/tasks/setup.yml create mode 100644 roles/matrix-prometheus/tasks/validate_config.yml create mode 100644 roles/matrix-prometheus/templates/prometheus.yml.j2 create mode 100644 roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5d76a60c..833089a2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1368,6 +1368,27 @@ matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }} +###################################################################### +# +# matrix-prometheus +# +###################################################################### + +matrix_prometheus_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# Prometheus' HTTP port to the local host. +matrix_prometheus_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9090' }}" + +###################################################################### +# +# /matrix-prometheus +# +###################################################################### + + + ###################################################################### # # matrix-registration diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml new file mode 100644 index 00000000..10424424 --- /dev/null +++ b/roles/matrix-prometheus/defaults/main.yml @@ -0,0 +1,51 @@ +# matrix-prometheus is an open-source systems monitoring and alerting toolkit +# See: https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md + +matrix_prometheus_enabled: false + +matrix_prometheus_docker_image: "docker.io/prom/prometheus:v2.24.1" +matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" + +matrix_synapse_prometheus_rules_download_url: "https://raw.githubusercontent.com/matrix-org/synapse/{{ matrix_synapse_docker_image_tag }}/contrib/prometheus/synapse-v2.rules" + +matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus" +matrix_prometheus_config_path: "{{ matrix_prometheus_base_path }}/config" +matrix_prometheus_data_path: "{{ matrix_prometheus_base_path }}/data" + +# A list of extra arguments to pass to the container +matrix_prometheus_container_extra_arguments: [] + +# List of systemd services that matrix-prometheus.service depends on +matrix_prometheus_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-prometheus.service wants +matrix_prometheus_systemd_wanted_services_list: [] + +# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9090 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9090"), or empty string to not expose. +matrix_prometheus_container_http_host_bind_port: '' + + +# Default prometheus configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_prometheus_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_prometheus_configuration_yaml: "{{ lookup('template', 'templates/prometheus.yml.j2') }}" + +matrix_prometheus_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_prometheus_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_prometheus_configuration_yaml`. + +matrix_prometheus_configuration_extension: "{{ matrix_prometheus_configuration_extension_yaml|from_yaml if matrix_prometheus_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_prometheus_configuration_yaml`. +matrix_prometheus_configuration: "{{ matrix_prometheus_configuration_yaml|from_yaml|combine(matrix_prometheus_configuration_extension, recursive=True) }}" + diff --git a/roles/matrix-prometheus/tasks/init.yml b/roles/matrix-prometheus/tasks/init.yml new file mode 100644 index 00000000..12fae831 --- /dev/null +++ b/roles/matrix-prometheus/tasks/init.yml @@ -0,0 +1,5 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus.service'] }}" + when: matrix_prometheus_enabled|bool + + diff --git a/roles/matrix-prometheus/tasks/main.yml b/roles/matrix-prometheus/tasks/main.yml new file mode 100644 index 00000000..2290048f --- /dev/null +++ b/roles/matrix-prometheus/tasks/main.yml @@ -0,0 +1,14 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool + tags: + - setup-all + - setup-prometheus + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup-all + - setup-prometheus diff --git a/roles/matrix-prometheus/tasks/setup.yml b/roles/matrix-prometheus/tasks/setup.yml new file mode 100644 index 00000000..1746b961 --- /dev/null +++ b/roles/matrix-prometheus/tasks/setup.yml @@ -0,0 +1,93 @@ +--- + +# +# Tasks related to setting up matrix-prometheus +# + +- name: Ensure matrix-prometheus image is pulled + docker_image: + name: "{{ matrix_prometheus_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_prometheus_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_docker_image_force_pull }}" + when: "matrix_prometheus_enabled|bool" + +- name: Ensure Prometheus paths exists + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_prometheus_base_path }}" + - "{{ matrix_prometheus_config_path }}" + - "{{ matrix_prometheus_data_path }}" + when: matrix_prometheus_enabled|bool + +- name: Ensure prometheus.yml installed + copy: + content: "{{ matrix_prometheus_configuration|to_nice_yaml }}" + dest: "{{ matrix_prometheus_config_path }}/prometheus.yml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_prometheus_enabled|bool + +- name: Download synapse-v2.rules + get_url: + url: "{{ matrix_synapse_prometheus_rules_download_url }}" + dest: "{{ matrix_prometheus_config_path }}/synapse-v2.rules" + force: true + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_prometheus_enabled|bool + + +- name: Ensure matrix-prometheus.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-prometheus.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-prometheus.service" + mode: 0644 + register: matrix_prometheus_systemd_service_result + when: matrix_prometheus_enabled|bool + +- name: Ensure systemd reloaded after matrix-prometheus.service installation + service: + daemon_reload: yes + when: "matrix_prometheus_enabled|bool and matrix_prometheus_systemd_service_result.changed" + +# +# Tasks related to getting rid of matrix-prometheus (if it was previously enabled) +# + +- name: Check existence of matrix-prometheus service + stat: + path: "{{ matrix_systemd_path }}/matrix-prometheus.service" + register: matrix_prometheus_service_stat + +- name: Ensure matrix-prometheus is stopped + service: + name: matrix-prometheus + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_prometheus_enabled|bool and matrix_prometheus_service_stat.stat.exists" + +- name: Ensure matrix-prometheus.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-prometheus.service" + state: absent + when: "not matrix_prometheus_enabled|bool and matrix_prometheus_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-prometheus.service removal + service: + daemon_reload: yes + when: "not matrix_prometheus_enabled|bool and matrix_prometheus_service_stat.stat.exists" + +- name: Ensure matrix-prometheus Docker image doesn't exist + docker_image: + name: "{{ matrix_prometheus_docker_image }}" + state: absent + when: "not matrix_prometheus_enabled|bool" diff --git a/roles/matrix-prometheus/tasks/validate_config.yml b/roles/matrix-prometheus/tasks/validate_config.yml new file mode 100644 index 00000000..b614b438 --- /dev/null +++ b/roles/matrix-prometheus/tasks/validate_config.yml @@ -0,0 +1,7 @@ +--- + +- name: Fail if Synapse metrics not enabled + fail: + msg: > + You need to enable `matrix_synapse_metrics_enabled` for Prometheus grab metrics. + when: "not matrix_synapse_metrics_enabled" diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 new file mode 100644 index 00000000..7b90baeb --- /dev/null +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -0,0 +1,35 @@ +#jinja2: lstrip_blocks: "True" +global: + scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. + evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute. + # scrape_timeout is set to the global default (10s). + +# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. +rule_files: + {% if matrix_synapse_metrics_enabled %} + - 'synapse-v2.rules' + {% endif %} + +# A scrape configuration containing exactly one endpoint to scrape: +# Here it's Prometheus itself. +scrape_configs: + # The job name is added as a label `job=` to any timeseries scraped from this config. + - job_name: 'prometheus' + + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + scrape_timeout: 5s + + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + static_configs: + - targets: ['localhost:9090'] + + {% if matrix_synapse_metrics_enabled %} + - job_name: 'synapse' + metrics_path: '/_synapse/metrics' + static_configs: + - targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}'] + {% endif %} + diff --git a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 new file mode 100644 index 00000000..dd3ac72c --- /dev/null +++ b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-prometheus +{% for service in matrix_prometheus_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_prometheus_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' + + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_prometheus_container_http_host_bind_port %} + -p {{ matrix_prometheus_container_http_host_bind_port }}:9090 \ + {% endif %} + -v {{ matrix_prometheus_config_path }}:/etc/prometheus:z \ + -v {{ matrix_prometheus_data_path }}:/prometheus:z \ + {% for arg in matrix_prometheus_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_prometheus_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-prometheus + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 9bb1788f..7965185c 100755 --- a/setup.yml +++ b/setup.yml @@ -28,6 +28,7 @@ - matrix-bot-matrix-reminder-bot - matrix-synapse - matrix-synapse-admin + - matrix-prometheus - matrix-registration - matrix-client-element - matrix-jitsi From e525970b393350f9280bdf8ddcb78f9d55c1da24 Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Fri, 29 Jan 2021 06:17:45 +0100 Subject: [PATCH 1894/2384] Prometheus Node Exporter Basic system stats, to show stuff the synapse metrics can't show such as resource usage by bridges, etc Seems to work fine as well. This too has only been tested on debian amd64 so far --- group_vars/matrix_servers | 21 +++++++ .../defaults/main.yml | 21 +++++++ .../tasks/init.yml | 5 ++ .../tasks/main.yml | 8 +++ .../tasks/setup.yml | 60 +++++++++++++++++++ .../tasks/validate_config.yml | 7 +++ ...matrix-prometheus-node-exporter.service.j2 | 40 +++++++++++++ .../tasks/validate_config.yml | 6 +- .../templates/prometheus.yml.j2 | 5 ++ setup.yml | 1 + 10 files changed, 171 insertions(+), 3 deletions(-) create mode 100644 roles/matrix-prometheus-node-exporter/defaults/main.yml create mode 100644 roles/matrix-prometheus-node-exporter/tasks/init.yml create mode 100644 roles/matrix-prometheus-node-exporter/tasks/main.yml create mode 100644 roles/matrix-prometheus-node-exporter/tasks/setup.yml create mode 100644 roles/matrix-prometheus-node-exporter/tasks/validate_config.yml create mode 100644 roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 833089a2..4f2cfa6a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1368,6 +1368,27 @@ matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }} +###################################################################### +# +# matrix-prometheus-node-exporter +# +###################################################################### + +matrix_prometheus_node_exporter_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus Node Exporter over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# Prometheus' HTTP port to the local host. +matrix_prometheus_node_exporter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9100' }}" + +###################################################################### +# +# /matrix-prometheus-node-exporter +# +###################################################################### + + + ###################################################################### # # matrix-prometheus diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml new file mode 100644 index 00000000..a5664b83 --- /dev/null +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -0,0 +1,21 @@ +# matrix-prometheus-node-exporter is an Prometheus exporter for machine metrics +# See: https://prometheus.io/docs/guides/node-exporter/ + +matrix_prometheus_node_exporter_enabled: false + +matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:v1.0.1" +matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" + +# A list of extra arguments to pass to the container +matrix_prometheus_node_exporter_container_extra_arguments: [] + +# List of systemd services that matrix-prometheus.service depends on +matrix_prometheus_node_exporter_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-prometheus.service wants +matrix_prometheus_node_exporter_systemd_wanted_services_list: [] + +# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +matrix_prometheus_node_exporter_container_http_host_bind_port: '' diff --git a/roles/matrix-prometheus-node-exporter/tasks/init.yml b/roles/matrix-prometheus-node-exporter/tasks/init.yml new file mode 100644 index 00000000..2894b717 --- /dev/null +++ b/roles/matrix-prometheus-node-exporter/tasks/init.yml @@ -0,0 +1,5 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-node-exporter.service'] }}" + when: matrix_prometheus_node_exporter_enabled|bool + + diff --git a/roles/matrix-prometheus-node-exporter/tasks/main.yml b/roles/matrix-prometheus-node-exporter/tasks/main.yml new file mode 100644 index 00000000..172b5721 --- /dev/null +++ b/roles/matrix-prometheus-node-exporter/tasks/main.yml @@ -0,0 +1,8 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup-all + - setup-prometheus-node-exporter diff --git a/roles/matrix-prometheus-node-exporter/tasks/setup.yml b/roles/matrix-prometheus-node-exporter/tasks/setup.yml new file mode 100644 index 00000000..6f03fbaa --- /dev/null +++ b/roles/matrix-prometheus-node-exporter/tasks/setup.yml @@ -0,0 +1,60 @@ +--- + +# +# Tasks related to setting up matrix-prometheus-node-exporter +# + +- name: Ensure matrix-prometheus-node-exporter image is pulled + docker_image: + name: "{{ matrix_prometheus_node_exporter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_prometheus_node_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_node_exporter_docker_image_force_pull }}" + when: "matrix_prometheus_node_exporter_enabled|bool" + +- name: Ensure matrix-prometheus-node-exporter.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-prometheus-node-exporter.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-prometheus-node-exporter.service" + mode: 0644 + register: matrix_prometheus_node_exporter_systemd_service_result + when: matrix_prometheus_node_exporter_enabled|bool + +- name: Ensure systemd reloaded after matrix-prometheus.service installation + service: + daemon_reload: yes + when: "matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_systemd_service_result.changed" + +# +# Tasks related to getting rid of matrix-prometheus-node-exporter (if it was previously enabled) +# + +- name: Check existence of matrix-prometheus-node-exporter service + stat: + path: "{{ matrix_systemd_path }}/matrix-prometheus-node-exporter.service" + register: matrix_prometheus_node_exporter_service_stat + +- name: Ensure matrix-prometheus-node-exporter is stopped + service: + name: matrix-prometheus-node-exporter + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists" + +- name: Ensure matrix-prometheus-node-exporter.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-prometheus-node-exporter.service" + state: absent + when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-prometheus-node-exporter.service removal + service: + daemon_reload: yes + when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists" + +- name: Ensure matrix-prometheus-node-exporter Docker image doesn't exist + docker_image: + name: "{{ matrix_prometheus_node_exporter_docker_image }}" + state: absent + when: "not matrix_prometheus_node_exporter_enabled|bool" diff --git a/roles/matrix-prometheus-node-exporter/tasks/validate_config.yml b/roles/matrix-prometheus-node-exporter/tasks/validate_config.yml new file mode 100644 index 00000000..713646ae --- /dev/null +++ b/roles/matrix-prometheus-node-exporter/tasks/validate_config.yml @@ -0,0 +1,7 @@ +--- + +- name: Fail if Synapse metrics or Prometheus Node Exporter not enabled + fail: + msg: > + You need to enable `matrix_synapse_metrics_enabled` and/or `matrix_prometheus_node_exporter_enabled` for Prometheus grab metrics. + when: "not matrix_synapse_metrics_enabled and not matrix_prometheus_node_exporter_enabled" diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 new file mode 100644 index 00000000..622947d0 --- /dev/null +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -0,0 +1,40 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-prometheus-node-exporter +{% for service in matrix_prometheus_node_exporter_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_prometheus_node_exporter_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' + + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-node-exporter \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ + {% endif %} + {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_prometheus_node_exporter_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-prometheus-node-exporter + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-prometheus/tasks/validate_config.yml b/roles/matrix-prometheus/tasks/validate_config.yml index b614b438..713646ae 100644 --- a/roles/matrix-prometheus/tasks/validate_config.yml +++ b/roles/matrix-prometheus/tasks/validate_config.yml @@ -1,7 +1,7 @@ --- -- name: Fail if Synapse metrics not enabled +- name: Fail if Synapse metrics or Prometheus Node Exporter not enabled fail: msg: > - You need to enable `matrix_synapse_metrics_enabled` for Prometheus grab metrics. - when: "not matrix_synapse_metrics_enabled" + You need to enable `matrix_synapse_metrics_enabled` and/or `matrix_prometheus_node_exporter_enabled` for Prometheus grab metrics. + when: "not matrix_synapse_metrics_enabled and not matrix_prometheus_node_exporter_enabled" diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index 7b90baeb..317dcd16 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -33,3 +33,8 @@ scrape_configs: - targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}'] {% endif %} + {% if matrix_prometheus_node_exporter_enabled %} + - job_name: node + static_configs: + - targets: ['matrix-prometheus-node-exporter:9100'] + {% endif %} diff --git a/setup.yml b/setup.yml index 7965185c..838e08c8 100755 --- a/setup.yml +++ b/setup.yml @@ -28,6 +28,7 @@ - matrix-bot-matrix-reminder-bot - matrix-synapse - matrix-synapse-admin + - matrix-prometheus-node-exporter - matrix-prometheus - matrix-registration - matrix-client-element From eb5aa93e8a5b83593de4030982e583eae8aa8ee8 Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Fri, 29 Jan 2021 09:10:49 +0100 Subject: [PATCH 1895/2384] Grafana Also includes the dashboards for Synapse and for Node Exporter. Again has only been tested on debian amd64 so far, but the grafana docker image is available for arm64 and arm32. Nice. --- group_vars/matrix_servers | 21 ++++ roles/matrix-grafana/defaults/main.yml | 47 +++++++ roles/matrix-grafana/tasks/init.yml | 5 + roles/matrix-grafana/tasks/main.yml | 14 +++ roles/matrix-grafana/tasks/setup.yml | 115 ++++++++++++++++++ .../matrix-grafana/tasks/validate_config.yml | 7 ++ .../templates/dashboards.yaml.j2 | 9 ++ .../templates/datasources.yaml.j2 | 8 ++ roles/matrix-grafana/templates/grafana.ini.j2 | 20 +++ .../systemd/matrix-grafana.service.j2 | 42 +++++++ setup.yml | 1 + 11 files changed, 289 insertions(+) create mode 100644 roles/matrix-grafana/defaults/main.yml create mode 100644 roles/matrix-grafana/tasks/init.yml create mode 100644 roles/matrix-grafana/tasks/main.yml create mode 100644 roles/matrix-grafana/tasks/setup.yml create mode 100644 roles/matrix-grafana/tasks/validate_config.yml create mode 100644 roles/matrix-grafana/templates/dashboards.yaml.j2 create mode 100644 roles/matrix-grafana/templates/datasources.yaml.j2 create mode 100644 roles/matrix-grafana/templates/grafana.ini.j2 create mode 100644 roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4f2cfa6a..976a0de1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1410,6 +1410,27 @@ matrix_prometheus_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_en +###################################################################### +# +# matrix-grafana +# +###################################################################### + +matrix_grafana_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Grafana over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# Grafana's HTTP port to the local host. +matrix_grafana_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:3000' }}" + +###################################################################### +# +# /matrix-grafana +# +###################################################################### + + + ###################################################################### # # matrix-registration diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml new file mode 100644 index 00000000..2257d794 --- /dev/null +++ b/roles/matrix-grafana/defaults/main.yml @@ -0,0 +1,47 @@ +# matrix-grafana is open source visualization and analytics software +# See: https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md + +matrix_grafana_enabled: false + +matrix_grafana_docker_image: "docker.io/grafana/grafana:7.3.7" +matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" + +# Not conditional, because when someone disables metrics +# they might still want to look at the old existing data. +# So it would be silly to delete the dashboard in such case. +matrix_grafana_dashboard_download_urls: +- "https://raw.githubusercontent.com/matrix-org/synapse/master/contrib/grafana/synapse.json" +- "https://raw.githubusercontent.com/rfrail3/grafana-dashboards/master/prometheus/node-exporter-full.json" + +matrix_grafana_base_path: "{{ matrix_base_data_path }}/grafana" +matrix_grafana_config_path: "{{ matrix_grafana_base_path }}/config" +matrix_grafana_data_path: "{{ matrix_grafana_base_path }}/data" + +# Allow viewing Grafana without logging in +matrix_grafana_anonymous_access: false + +# specify organization name that should be used for unauthenticated users +# if you change this in the Grafana admin panel, this needs to be updated +# to match to keep anonymous logins working +matrix_grafana_anonymous_access_org_name: 'Main Org.' + + +# default admin credentials, you are asked to change these on first login +matrix_grafana_default_admin_user: admin +matrix_grafana_default_admin_password: admin + +# A list of extra arguments to pass to the container +matrix_grafana_container_extra_arguments: [] + +# List of systemd services that matrix-grafana.service depends on +matrix_grafana_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-grafana.service wants +matrix_grafana_systemd_wanted_services_list: [] + +# Controls whether the matrix-grafana container exposes its HTTP port (tcp/3000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:3000"), or empty string to not expose. +matrix_grafana_container_http_host_bind_port: '' + + diff --git a/roles/matrix-grafana/tasks/init.yml b/roles/matrix-grafana/tasks/init.yml new file mode 100644 index 00000000..8a22e301 --- /dev/null +++ b/roles/matrix-grafana/tasks/init.yml @@ -0,0 +1,5 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-grafana.service'] }}" + when: matrix_grafana_enabled|bool + + diff --git a/roles/matrix-grafana/tasks/main.yml b/roles/matrix-grafana/tasks/main.yml new file mode 100644 index 00000000..122ec65e --- /dev/null +++ b/roles/matrix-grafana/tasks/main.yml @@ -0,0 +1,14 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool + tags: + - setup-all + - setup-grafana + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup-all + - setup-grafana diff --git a/roles/matrix-grafana/tasks/setup.yml b/roles/matrix-grafana/tasks/setup.yml new file mode 100644 index 00000000..581e6617 --- /dev/null +++ b/roles/matrix-grafana/tasks/setup.yml @@ -0,0 +1,115 @@ +--- + +# +# Tasks related to setting up matrix-grafana +# + +- name: Ensure matrix-grafana image is pulled + docker_image: + name: "{{ matrix_grafana_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_grafana_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_grafana_docker_image_force_pull }}" + when: "matrix_grafana_enabled|bool" + +- name: Ensure grafana paths exists + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_grafana_base_path }}" + - "{{ matrix_grafana_config_path }}" + - "{{ matrix_grafana_config_path }}/provisioning" + - "{{ matrix_grafana_config_path }}/provisioning/datasources" + - "{{ matrix_grafana_config_path }}/provisioning/dashboards" + - "{{ matrix_grafana_config_path }}/dashboards" + - "{{ matrix_grafana_data_path }}" + when: matrix_grafana_enabled|bool + +- name: Ensure grafana.ini present + template: + src: "{{ role_path }}/templates/grafana.ini.j2" + dest: "{{ matrix_grafana_config_path }}/grafana.ini" + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_grafana_enabled|bool + +- name: Ensure provisioning/datasources/default.yaml present + template: + src: "{{ role_path }}/templates/datasources.yaml.j2" + dest: "{{ matrix_grafana_config_path }}/provisioning/datasources/default.yaml" + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_grafana_enabled|bool + +- name: Ensure provisioning/dashboards/default.yaml present + template: + src: "{{ role_path }}/templates/dashboards.yaml.j2" + dest: "{{ matrix_grafana_config_path }}/provisioning/dashboards/default.yaml" + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_grafana_enabled|bool + +- name: Ensure dashboard(s) downloaded + get_url: + url: "{{ item }}" + dest: "{{ matrix_grafana_config_path }}/dashboards/" + force: true + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: "{{ matrix_grafana_dashboard_download_urls }}" + when: matrix_grafana_enabled|bool + +- name: Ensure matrix-grafana.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-grafana.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-grafana.service" + mode: 0644 + register: matrix_grafana_systemd_service_result + when: matrix_grafana_enabled|bool + +- name: Ensure systemd reloaded after matrix-grafana.service installation + service: + daemon_reload: yes + when: "matrix_grafana_enabled|bool and matrix_grafana_systemd_service_result.changed" + +# +# Tasks related to getting rid of matrix-grafana (if it was previously enabled) +# + +- name: Check existence of matrix-grafana service + stat: + path: "{{ matrix_systemd_path }}/matrix-grafana.service" + register: matrix_grafana_service_stat + +- name: Ensure matrix-grafana is stopped + service: + name: matrix-grafana + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists" + +- name: Ensure matrix-grafana.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-grafana.service" + state: absent + when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-grafana.service removal + service: + daemon_reload: yes + when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists" + +- name: Ensure matrix-grafana Docker image doesn't exist + docker_image: + name: "{{ matrix_grafana_docker_image }}" + state: absent + when: "not matrix_grafana_enabled|bool" diff --git a/roles/matrix-grafana/tasks/validate_config.yml b/roles/matrix-grafana/tasks/validate_config.yml new file mode 100644 index 00000000..63d4919a --- /dev/null +++ b/roles/matrix-grafana/tasks/validate_config.yml @@ -0,0 +1,7 @@ +--- + +- name: Fail if Prometheus not enabled + fail: + msg: > + You need to enable `matrix_prometheus_enabled` to use Prometheus as data source for Grafana. + when: "not matrix_prometheus_enabled" diff --git a/roles/matrix-grafana/templates/dashboards.yaml.j2 b/roles/matrix-grafana/templates/dashboards.yaml.j2 new file mode 100644 index 00000000..b6662e59 --- /dev/null +++ b/roles/matrix-grafana/templates/dashboards.yaml.j2 @@ -0,0 +1,9 @@ +apiVersion: 1 + +providers: + - name: {{ matrix_domain }} - Dashboards + folder: '' # The folder where to place the dashboards + type: file + allowUiUpdates: true + options: + path: /etc/grafana/dashboards diff --git a/roles/matrix-grafana/templates/datasources.yaml.j2 b/roles/matrix-grafana/templates/datasources.yaml.j2 new file mode 100644 index 00000000..ffa6046b --- /dev/null +++ b/roles/matrix-grafana/templates/datasources.yaml.j2 @@ -0,0 +1,8 @@ +apiVersion: 1 + +datasources: + - name: {{ matrix_domain }} - Prometheus + type: prometheus + # Access mode - proxy (server in the UI) or direct (browser in the UI). + access: proxy + url: http://matrix-prometheus:9090 diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 new file mode 100644 index 00000000..694bf7d7 --- /dev/null +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -0,0 +1,20 @@ +[security] +# default admin user, created on startup +admin_user = {{ matrix_grafana_default_admin_user }} + +# default admin password, can be changed before first start of grafana, or in profile settings +admin_password = {{ matrix_grafana_default_admin_password }} + +[auth.anonymous] +# enable anonymous access +enabled = {{ matrix_grafana_anonymous_access }} + +# specify organization name that should be used for unauthenticated users +org_name = {{ matrix_grafana_anonymous_access_org_name }} + +[dashboards] +{% if matrix_synapse_metrics_enabled %} +default_home_dashboard_path = /etc/grafana/dashboards/synapse.json +{% else %} +default_home_dashboard_path = /etc/grafana/dashboards/node-exporter-full.json +{% endif %} diff --git a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 new file mode 100644 index 00000000..f2ab6642 --- /dev/null +++ b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-grafana +{% for service in matrix_grafana_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_grafana_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' + + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-grafana \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_grafana_container_http_host_bind_port %} + -p {{ matrix_grafana_container_http_host_bind_port }}:3000 \ + {% endif %} + -v {{ matrix_grafana_config_path }}:/etc/grafana:z \ + -v {{ matrix_grafana_data_path }}:/var/lib/grafana:z \ + {% for arg in matrix_grafana_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_grafana_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-grafana + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 838e08c8..e7fdae19 100755 --- a/setup.yml +++ b/setup.yml @@ -30,6 +30,7 @@ - matrix-synapse-admin - matrix-prometheus-node-exporter - matrix-prometheus + - matrix-grafana - matrix-registration - matrix-client-element - matrix-jitsi From 989100b1c14a126051d7ad68c323d954061714b8 Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Fri, 29 Jan 2021 10:30:04 +0100 Subject: [PATCH 1896/2384] Grafana nginx proxy config --- group_vars/matrix_servers | 3 + roles/matrix-base/defaults/main.yml | 3 + roles/matrix-nginx-proxy/defaults/main.yml | 7 ++ .../tasks/setup_nginx_proxy.yml | 13 +++ .../nginx/conf.d/matrix-grafana.conf.j2 | 79 +++++++++++++++++++ 5 files changed, 105 insertions(+) create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 976a0de1..b314dc99 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -974,6 +974,7 @@ matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" +matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" @@ -1024,6 +1025,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_jitsi] if matrix_jitsi_enabled else []) + + ([matrix_server_fqn_grafana] if matrix_grafana_enabled else []) + + ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) }} diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index a238e503..2aa99a32 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -21,6 +21,9 @@ matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" # This is where you access Jitsi. matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" +# This is where you access Grafana. +matrix_server_fqn_grafana: "stats.{{ matrix_domain }}" + matrix_federation_public_port: 8448 # The architecture that your server runs. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 5eedb4ce..d0ff6d95 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -115,6 +115,10 @@ matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" matrix_nginx_proxy_proxy_jitsi_enabled: false matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" +# Controls whether proxying the grafana domain should be done. +matrix_nginx_proxy_proxy_grafana_enabled: false +matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}" + # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" @@ -212,6 +216,9 @@ matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Jitsi's server configuration. matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Grafana's server configuration. +matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to the base domain server configuration. matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 90f0da73..9d7ea515 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -80,6 +80,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_jitsi_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for grafana domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-grafana.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_grafana_enabled|bool + - name: Ensure Matrix nginx-proxy data directory for base domain exists file: path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain" @@ -183,6 +190,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_jitsi_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for grafana domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_grafana_enabled|bool" + - name: Ensure Matrix nginx-proxy homepage for base domain deleted file: path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 new file mode 100644 index 00000000..0e1f1c2d --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -0,0 +1,79 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options SAMEORIGIN; + {% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-grafana:3000"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:3000; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_proxy_grafana_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_grafana_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {{ render_vhost_directives() }} +} +{% endif %} From a10e3244d914cd42ef88688949994d245b852556 Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Fri, 29 Jan 2021 10:59:27 +0100 Subject: [PATCH 1897/2384] Documentation for graphs --- ...configuring-playbook-prometheus-grafana.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 docs/configuring-playbook-prometheus-grafana.md diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md new file mode 100644 index 00000000..5ad1449b --- /dev/null +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -0,0 +1,36 @@ +# Enabling metrics and graphs for your Matrix server (optional) + +It can be useful to have some (visual) insight in the performance of your homeserver. + +You can enable this with the following settings in your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_prometheus_enabled: true + +matrix_synapse_metrics_enabled: true +matrix_prometheus_node_exporter_enabled: true + +matrix_grafana_enabled: true +matrix_grafana_anonymous_access: true +matrix_grafana_default_admin_user: yourname +matrix_grafana_default_admin_password: securelongpassword +``` + +## What does it do? + +Name | Description +-----|---------- +`matrix_prometheus_enabled`|Prometheus is a time series database. It holds all the data we're going to talk about. +`matrix_synapse_metrics_enabled`|Enables metrics specific to Synapse +`matrix_prometheus_node_exporter_enabled`|Node Exporter is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures +`matrix_grafana_enabled`|Grafana is the visual component. It shows the dashboards with the graphs that we're interested in +`matrix_grafana_anonymous_access`|By default you need to login to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option. +`matrix_grafana_default_admin_user`
`matrix_grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here + +## More inforation + +- [Understanding Synapse Performance Issues Through Grafana Graphs](https://github.com/matrix-org/synapse/wiki/Understanding-Synapse-Performance-Issues-Through-Grafana-Graphs) at the Synapse Github Wiki +- [The Prometheus scraping rules](https://github.com/matrix-org/synapse/tree/master/contrib/prometheus) (we use v2) +- [The Synapse Grafana dashboard](https://github.com/matrix-org/synapse/tree/master/contrib/grafana) +- [The Node Exporter dashboard](https://github.com/rfrail3/grafana-dashboards) (for generic non-synapse performance graphs) + From 76d7e84be533884ac8148ad3084f1e89cb3e9550 Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Fri, 29 Jan 2021 12:23:59 +0100 Subject: [PATCH 1898/2384] Make prometheus-node-exporter a bit more capable By running it in a more privileged container with access to the host network stack and such --- .../systemd/matrix-prometheus-node-exporter.service.j2 | 7 +++++-- roles/matrix-prometheus/templates/prometheus.yml.j2 | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 622947d0..b7f410f1 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -21,14 +21,17 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ {% endif %} {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_prometheus_node_exporter_docker_image }} + --net="host" \ + --pid="host" \ + -v "/:/host:ro,rslave" \ + {{ matrix_prometheus_node_exporter_docker_image }} \ + --path.rootfs=/host ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index 317dcd16..6e91ace2 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -36,5 +36,5 @@ scrape_configs: {% if matrix_prometheus_node_exporter_enabled %} - job_name: node static_configs: - - targets: ['matrix-prometheus-node-exporter:9100'] + - targets: ['172.18.0.1:9100'] {% endif %} From 1079272563ea95b132bc0fda55358a04c51abbd1 Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Sat, 30 Jan 2021 06:11:44 +0100 Subject: [PATCH 1899/2384] Mention stats subdomain in docs --- docs/configuring-dns.md | 3 +++ docs/configuring-playbook-prometheus-grafana.md | 2 ++ 2 files changed, 5 insertions(+) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index cef4cd50..84e2cd0b 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -24,6 +24,7 @@ If you decide to go with the alternative method ([Server Delegation via a DNS SR | CNAME | `element` | - | - | - | `matrix.` | | CNAME | `dimension` (*) | - | - | - | `matrix.` | | CNAME | `jitsi` (*) | - | - | - | `matrix.` | +| CNAME | `stats` (*) | - | - | - | `matrix.` | | SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | @@ -42,6 +43,8 @@ The `dimension.` subdomain may be necessary, because this playbook The `jitsi.` subdomain may be necessary, because this playbook could install the [Jitsi video-conferencing platform](https://jitsi.org/) for you. Jitsi installation is disabled by default, because it may be heavy and is not a core required component. To learn how to install it, see our [Jitsi](configuring-playbook-jitsi.md) guide. If you do not wish to set up Jitsi, feel free to skip the `jitsi.` DNS record. +The `stats.` subdomain may be necessary, because this playbook could install [Grafana](https://grafana.com/) and setup performance metrics for you. Grafana installation is disabled by default, it is not a core required component. To learn how to install it, see our [metrics and graphs guide](configuring-playbook-prometheus-grafana.md). If you do not wish to set up Grafana, feel free to skip the `stats.` DNS record. It is possible to install Prometheus without installing Grafana, this would also not require the `stats.` subdomain. + ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 5ad1449b..b714dc2c 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -16,6 +16,8 @@ matrix_grafana_default_admin_user: yourname matrix_grafana_default_admin_password: securelongpassword ``` +The dashboards will by default be available on the `stats.` subdomain, proxied via Nginx. + ## What does it do? Name | Description From 8aafb44cb86c19d2bfaa8cea296edc954c1428f0 Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Sat, 30 Jan 2021 06:38:15 +0100 Subject: [PATCH 1900/2384] Mention new images in docks --- docs/container-images.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/container-images.md b/docs/container-images.md index aee24b04..28fce950 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -85,3 +85,9 @@ These services are not part of our default installation, but can be enabled by [ - [anoa/matrix-reminder-bot](https://hub.docker.com/r/anoa/matrix-reminder-bot) - the [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) bot for one-off & recurring reminders and alarms (optional) - [awesometechnologies/synapse-admin](https://hub.docker.com/r/awesometechnologies/synapse-admin) - the [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) web UI tool for administrating users and rooms on your Matrix server (optional) + +- [prom/prometheus](https://hub.docker.com/r/prom/prometheus/) - [Prometheus](https://github.com/prometheus/prometheus/) is a systems and service monitoring system + +- [prom/node-exporter](https://hub.docker.com/r/prom/node-exporter/) - [Prometheus Node Exporter](https://github.com/prometheus/node_exporter/) is an addon for Prometheus that gathers standard system metrics + +- [grafana/grafana](https://hub.docker.com/r/grafana/grafana/) - [Grafana](https://github.com/grafana/grafana/) is a graphing tool that works well with the above two images. Our playbook also adds two dashboards for [Synapse](https://github.com/matrix-org/synapse/tree/master/contrib/grafana) and [Node Exporter](https://github.com/rfrail3/grafana-dashboards) From da82d670af40140923fee9703d3c5487df1b6805 Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Sat, 30 Jan 2021 07:43:26 +0100 Subject: [PATCH 1901/2384] Document security and privacy considerations for stats. --- docs/configuring-playbook-prometheus-grafana.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index b714dc2c..9e2c5dd4 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -29,6 +29,12 @@ Name | Description `matrix_grafana_anonymous_access`|By default you need to login to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option. `matrix_grafana_default_admin_user`
`matrix_grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here +## Security and privacy + +Metrics and resulting graphs can contain a lot if information. This includes system specs but also usage patterns. This applies especially to small personal/family scale homeservers. Someone might be able to figure out when you wake up and go to sleep by looking at the graphs over time. Think about this before enabling anonymous access. And you should really not forget to change your Grafana password. + +Most of our docker containers run with limited system access, but the `prometheus-node-exporter` has access to the host network stack and (readonly) root filesystem. This is required to report on them. If you don't like that, you can set `matrix_prometheus_node_exporter_enabled: false` (which is actually the default). You will still get Synapse metrics with this container disabled. Both of the dashboards will always be enabled, so you can still look at historical data after disabling either source. + ## More inforation - [Understanding Synapse Performance Issues Through Grafana Graphs](https://github.com/matrix-org/synapse/wiki/Understanding-Synapse-Performance-Issues-Through-Grafana-Graphs) at the Synapse Github Wiki From 144a5e61983e77045247c5b7aaade0aba43be84d Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Sun, 31 Jan 2021 02:09:12 +0100 Subject: [PATCH 1902/2384] Register docker network info and use it for prometheus-node-exporter Using the hardcoded IP did break while I was messing with IPv6 stuff on the other branch --- roles/matrix-base/tasks/setup_matrix_base.yml | 1 + roles/matrix-prometheus/templates/prometheus.yml.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index 0fad2b3d..b74b0316 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -23,6 +23,7 @@ docker_network: name: "{{ matrix_docker_network }}" driver: bridge + register: matrix_docker_network_info - name: Ensure matrix-remove-all script created template: diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index 6e91ace2..08e6fcf1 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -36,5 +36,5 @@ scrape_configs: {% if matrix_prometheus_node_exporter_enabled %} - job_name: node static_configs: - - targets: ['172.18.0.1:9100'] + - targets: ['{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100'] {% endif %} From 3a77261dc60ef00f51f598ef38d00895e5e931e0 Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Wed, 10 Feb 2021 23:11:02 +0100 Subject: [PATCH 1903/2384] Update Grafana 7.3.7 => 7.4.0 --- roles/matrix-grafana/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 2257d794..00ed947e 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_docker_image: "docker.io/grafana/grafana:7.3.7" +matrix_grafana_docker_image: "docker.io/grafana/grafana:7.4.0" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" # Not conditional, because when someone disables metrics @@ -12,7 +12,7 @@ matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith matrix_grafana_dashboard_download_urls: - "https://raw.githubusercontent.com/matrix-org/synapse/master/contrib/grafana/synapse.json" - "https://raw.githubusercontent.com/rfrail3/grafana-dashboards/master/prometheus/node-exporter-full.json" - + matrix_grafana_base_path: "{{ matrix_base_data_path }}/grafana" matrix_grafana_config_path: "{{ matrix_grafana_base_path }}/config" matrix_grafana_data_path: "{{ matrix_grafana_base_path }}/data" From fde222a0417a66220784a4c59778f82850719321 Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Wed, 10 Feb 2021 23:11:17 +0100 Subject: [PATCH 1904/2384] Update Prometheus Node Exporter 1.0.1 => 1.1.0 --- roles/matrix-prometheus-node-exporter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index a5664b83..29dce364 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_node_exporter_enabled: false -matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:v1.0.1" +matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:v1.1.0" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container From 0fe6352cf739c2cb6b7d301f26134e7282c015fa Mon Sep 17 00:00:00 2001 From: foxcris <361299+foxcris@users.noreply.github.com> Date: Thu, 11 Feb 2021 17:18:25 +0100 Subject: [PATCH 1905/2384] - Added role to setup https://github.com/prodrigestivill/docker-postgres-backup-local container to backup all postgres databases --- .../matrix-postgres-backup/defaults/main.yml | 140 ++++++++++++++ .../tasks/build_database_list.yml | 176 ++++++++++++++++++ roles/matrix-postgres-backup/tasks/init.yml | 3 + roles/matrix-postgres-backup/tasks/main.yml | 17 ++ .../tasks/setup_postgres_backup.yml | 108 +++++++++++ .../util/detect_existing_postgres_version.yml | 56 ++++++ .../tasks/validate_config.yml | 27 +++ .../templates/env-postgres-backup.j2 | 12 ++ .../systemd/matrix-postgres-backup.service.j2 | 31 +++ setup.yml | 2 + 10 files changed, 572 insertions(+) create mode 100644 roles/matrix-postgres-backup/defaults/main.yml create mode 100644 roles/matrix-postgres-backup/tasks/build_database_list.yml create mode 100644 roles/matrix-postgres-backup/tasks/init.yml create mode 100644 roles/matrix-postgres-backup/tasks/main.yml create mode 100644 roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml create mode 100644 roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml create mode 100644 roles/matrix-postgres-backup/tasks/validate_config.yml create mode 100644 roles/matrix-postgres-backup/templates/env-postgres-backup.j2 create mode 100644 roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml new file mode 100644 index 00000000..d01534d0 --- /dev/null +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -0,0 +1,140 @@ +matrix_postgres_backaup_enabled: false + +matrix_postgres_connection_hostname: "matrix-postgres" +matrix_postgres_connection_port: 5432 +matrix_postgres_connection_username: "matrix" +matrix_postgres_connection_password: "" + +matrix_postgres_backup_extra_opts: "-Z9 --schema=public --blobs" +matrix_postgres_backup_schedule: "@daily" +matrix_postgres_backup_keep_days: "7" +matrix_postgres_backup_keep_weeks: "4" +matrix_postgres_backup_keep_months: "12" +matrix_postgres_backup_healthcheck_port: "8080" +matrix_postgres_backup_db_list: "" +matrix_postgres_backup_path: "{{ matrix_base_data_path }}/postgres-backup" + +matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" +matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" + +# uses sqlite per default +matrix_postgres_backup_matrix_reminder_bot_enabled: false +matrix_bot_matrix_reminder_bot_database_name: 'matrix_reminder_bot' + +# uses sqlite per default +matrix_postgres_backup_matrix_appservice_discord_enabled: false +matrix_appservice_discord_database_name: 'matrix_appservice_discord' + +# uses nedb per default +matrix_postgres_backup_matrix_appservice_irc_enabled: false +matrix_appservice_irc_database_name: 'matrix_appservice_irc' + +# uses nedb per default +matrix_postgres_backup_matrix_appservice_slack_enabled: false +matrix_appservice_slack_database_name: 'matrix_appservice_slack' + +# uses postgres per default +matrix_postgres_backup_matrix_mautrix_facebook_enabled: false +matrix_mautrix_facebook_database_name: 'matrix_mautrix_facebook' + +# uses sqlite per default +matrix_postgres_backup_matrix_mautrix_hangouts_enabled: false +matrix_mautrix_hangouts_database_name: 'matrix_mautrix_hangouts' + +# uses postgres per default +matrix_postgres_backup_matrix_mautrix_signal_enabled: false +matrix_mautrix_signal_database_name: 'matrix_mautrix_signal' + +# uses sqlite per default +matrix_postgres_backup_matrix_mautrix_telegram_enabled: false +matrix_mautrix_telegram_database_name: 'matrix_mautrix_telegram' + +# uses sqlite per default +matrix_postgres_backup_matrix_mautrix_whatsapp_enabled: false +matrix_mautrix_whatsapp_database_name: 'matrix_mautrix_whatsapp' + +# uses sqlite per default +matrix_postgres_backup_matrix_mx_puppet_discord_enabled: false +matrix_mx_puppet_discord_database_name: 'matrix_mx_puppet_discord' + +# uses sqlite per default +matrix_postgres_backup_matrix_mx_puppet_instagram_enabled: false +matrix_postgres_backup_matrix_mx_puppet_instagram_name: 'matrix_mx_puppet_instagram' + +# uses sqlite per default +matrix_postgres_backup_matrix_mx_puppet_skype_enabled: false +matrix_mx_puppet_skype_database_name: 'matrix_mx_puppet_skype' + +# uses sqlite per default +matrix_postgres_backup_matrix_mx_puppet_slack_enabled: false +matrix_mx_puppet_slack_database_name: 'matrix_mx_puppet_slack' + +# uses sqlite per default +matrix_postgres_backup_matrix_mx_puppet_steam_enabled: false +matrix_mx_puppet_steam_database_name: 'matrix_mx_puppet_steam' + +# uses sqlite per default +matrix_postgres_backup_matrix_mx_puppet_twitter_enabled: false +matrix_mx_puppet_twitter_database_name: 'matrix_mx_puppet_twitter' + +# uses sqlite per default +matrix_postgres_backup_matrix_dimension_enabled: false +matrix_dimension_database_name: 'matrix_dimension' + +# uses sqlite per default +matrix_postgres_backup_matrix_etherpad_enabled: false +matrix_etherpad_database_name: 'matrix_etherpad' + +# uses sqlite per default +matrix_postgres_backup_matrix_ma1sd_enabled: false +matrix_ma1sd_database_name: 'matrix_ma1sd' + +# uses sqlite per default +matrix_postgres_backup_matrix_registration_enabled: false +matrix_registration_database_engine: 'matrix_registration' + +# uses postgres per default +matrix_postgres_backup_matrix_synapse_enabled: true +matrix_postgres_db_name: 'matrix' + +matrix_postgres_backup_db_dict: + - { enabled: '{{matrix_postgres_backup_matrix_reminder_bot_enabled|bool}}' , dbname: '{{ matrix_bot_matrix_reminder_bot_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_appservice_discord_enabled|bool}}' , dbname: '{{ matrix_appservice_discord_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_appservice_irc_enabled|bool}}' , dbname: '{{ matrix_appservice_irc_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_appservice_slack_enabled|bool}}' , dbname: '{{ matrix_appservice_slack_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_mautrix_facebook_enabled|bool}}' , dbname: '{{ matrix_mautrix_facebook_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_mautrix_hangouts_enabled|bool}}' , dbname: '{{ matrix_mautrix_hangouts_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_mautrix_signal_enabled|bool}}' , dbname: '{{ matrix_mautrix_signal_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_mautrix_telegram_enabled|bool}}' , dbname: '{{ matrix_mautrix_telegram_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_mautrix_whatsapp_enabled|bool}}' , dbname: '{{ matrix_mautrix_whatsapp_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_instagram_enabled|bool}}' , dbname: '{{ matrix_postgres_backup_matrix_mx_puppet_instagram_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_skype_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_skype_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_slack_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_slack_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_steam_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_steam_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_twitter_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_twitter_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_dimension_enabled|bool}}' , dbname: '{{ matrix_dimension_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_etherpad_enabled|bool}}' , dbname: '{{ matrix_etherpad_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_ma1sd_enabled|bool}}' , dbname: '{{ matrix_ma1sd_database_name }}' } + - { enabled: '{{matrix_postgres_backup_matrix_registration_enabled|bool}}' , dbname: '{{ matrix_registration_database_engine }}' } + - { enabled: '{{matrix_postgres_backup_matrix_synapse_enabled|bool}}' , dbname: '{{ matrix_postgres_db_name }}' } + + +matrix_postgres_backup_architecture: amd64 + +# matrix_postgres_docker_image_suffix controls whether we use Alpine-based images (`-alpine`) or the normal Debian-based images. +# Alpine-based Postgres images are smaller and we usually prefer them, but they don't work on ARM32 (tested on a Raspberry Pi 3 running Raspbian 10.7). +# On ARM32, `-alpine` images fail with the following error: +# > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault +matrix_postgres_backup_docker_image_suffix: "{{ '-alpine' if matrix_postgres_backup_architecture in ['amd64', 'arm64'] else '' }}" + +matrix_postgres_backup_docker_image_v9: "docker.io/prodrigestivill/postgres-backup-local:9.6{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v10: "docker.io/prodrigestivill/postgres-backup-local:10{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v11: "docker.io/prodrigestivill/postgres-backup-local:11{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v12: "docker.io/prodrigestivill/postgres-backup-local:12{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v13: "docker.io/prodrigestivill/postgres-backup-local:13{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v13 }}" + +# This variable is assigned at runtime. Overriding its value has no effect. +matrix_postgres_backup_docker_image_to_use: '{{ matrix_postgres_backup_docker_image_latest }}' + +matrix_postgres_backup_docker_image_force_pull: "{{ matrix_postgres_backup_docker_image_to_use.endswith(':latest') }}" \ No newline at end of file diff --git a/roles/matrix-postgres-backup/tasks/build_database_list.yml b/roles/matrix-postgres-backup/tasks/build_database_list.yml new file mode 100644 index 00000000..9937c4d0 --- /dev/null +++ b/roles/matrix-postgres-backup/tasks/build_database_list.yml @@ -0,0 +1,176 @@ + +--- + +# Detect wich databases have to backuped +# Default value is the "matrix_postgres_db_name" +# has to be extended for each service using a seperate db in postgres +# - name: Check if matrix_reminder_bot uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_bot_matrix_reminder_bot_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_bot_matrix_reminder_bot_database_engine == 'postgres' + +# - name: Check if matrix_appservice_discord uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_appservice_discord_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_appservice_discord_database_engine == 'postgres' + +# - name: Check if matrix_appservice_irc uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_appservice_irc_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_appservice_irc_database_engine == 'postgres' + +# - name: Check if matrix_appservice_slack_database uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_appservice_slack_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_appservice_slack_database_engine == 'postgres' + +# - name: Check if matrix_mautrix_facebook uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_facebook_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mautrix_facebook_database_engine == 'postgres' + +# - name: Check if matrix_mautrix_hangouts uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_hangouts_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mautrix_hangouts_database_engine == 'postgres' + +# - name: Check if matrix_mautrix_signal uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_signal_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mautrix_signal_database_engine == 'postgres' + +# - name: Check if matrix_mautrix_telegram uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_telegram_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mautrix_telegram_database_engine == 'postgres' + +# - name: Check if matrix_mautrix_whatsapp uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_whatsapp_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mautrix_whatsapp_database_engine == 'postgres' + +# - name: Check if matrix_mx_puppet_discord uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_discord_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mx_puppet_discord_database_engine == 'postgres' + +# - name: Check if matrix_mx_puppet_instagram uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_instagram_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mx_puppet_instagram_database_engine == 'postgres' + +# - name: Check if matrix_mx_puppet_skype uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_skype_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mx_puppet_skype_database_engine == 'postgres' + +# - name: Check if matrix_mx_puppet_slack uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_slack_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mx_puppet_slack_database_engine == 'postgres' + +# - name: Check if matrix_mx_puppet_steam uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_steam_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mx_puppet_steam_database_engine == 'postgres' + +# - name: Check if matrix_mx_puppet_twitter uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_twitter_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mx_puppet_twitter_database_engine == 'postgres' + +# - name: Check if matrix_dimension uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_dimension_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_dimension_database_engine == 'postgres' + +# - name: Check if matrix_etherpad uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_etherpad_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_etherpad_database_engine == 'postgres' + +# - name: Check if matrix_ma1sd uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_ma1sd_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_ma1sd_database_engine == 'postgres' + +# - name: Check if matrix_registration uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_registration_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_registration_database_engine == 'postgres' + +#- name: Build list of all databases to backup - part 1 +# set_fact: +# matrix_postgres_backup_db_list: '{% if item.enabled %}{% if matrix_postgres_backup_db_list=="" %}{{item.dbname}}{% else %}{{ matrix_postgres_backup_db_list }},{{item.dbname}}{% endif %}{% else %}{% endif %}' +# loop: +# - { enabled: '{{matrix_postgres_backup_matrix_reminder_bot_enabled|bool}}' , dbname: '{{ matrix_bot_matrix_reminder_bot_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_appservice_discord_enabled|bool}}' , dbname: '{{ matrix_appservice_discord_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_appservice_irc_enabled|bool}}' , dbname: '{{ matrix_appservice_irc_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_appservice_slack_enabled|bool}}' , dbname: '{{ matrix_appservice_slack_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_facebook_enabled|bool}}' , dbname: '{{ matrix_mautrix_facebook_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_hangouts_enabled|bool}}' , dbname: '{{ matrix_mautrix_hangouts_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_signal_enabled|bool}}' , dbname: '{{ matrix_mautrix_signal_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_telegram_enabled|bool}}' , dbname: '{{ matrix_mautrix_telegram_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_whatsapp_enabled|bool}}' , dbname: '{{ matrix_mautrix_whatsapp_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_instagram_enabled|bool}}' , dbname: '{{ matrix_postgres_backup_matrix_mx_puppet_instagram_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_skype_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_skype_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_slack_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_slack_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_steam_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_steam_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_twitter_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_twitter_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_dimension_enabled|bool}}' , dbname: '{{ matrix_dimension_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_etherpad_enabled|bool}}' , dbname: '{{ matrix_etherpad_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_ma1sd_enabled|bool}}' , dbname: '{{ matrix_ma1sd_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_registration_enabled|bool}}' , dbname: '{{ matrix_registration_database_engine }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_synapse_enabled|bool}}' , dbname: '{{ matrix_postgres_db_name }}' } + +- name: Build list of all databases to backup - part 2 + set_fact: + matrix_postgres_backup_db_list_prepare: "{% set res = [ ] %}{% for db in matrix_postgres_backup_db_dict %}{% if db.enabled %}{% set ignored = res.append(db.dbname) %}{% endif %}{% endfor %}{{ res }}" + +- name: Build list of all databases to backup - part 1 + set_fact: + matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list_prepare | join(',') }}" + +- name: Going to backup the following list of databases + debug: + msg: "{{ matrix_postgres_backup_db_list }}" + when: matrix_postgres_backup_enabled|bool + \ No newline at end of file diff --git a/roles/matrix-postgres-backup/tasks/init.yml b/roles/matrix-postgres-backup/tasks/init.yml new file mode 100644 index 00000000..c6a9bd7e --- /dev/null +++ b/roles/matrix-postgres-backup/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres-backup.service'] }}" + when: matrix_postgres_backup_enabled|bool diff --git a/roles/matrix-postgres-backup/tasks/main.yml b/roles/matrix-postgres-backup/tasks/main.yml new file mode 100644 index 00000000..f819b8e9 --- /dev/null +++ b/roles/matrix-postgres-backup/tasks/main.yml @@ -0,0 +1,17 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_postgres_enabled|bool" + tags: + - setup-all + - setup-postgres-backup + +- import_tasks: "{{ role_path }}/tasks/setup_postgres_backup.yml" + when: run_setup|bool + tags: + - setup-all + - setup-postgres-backup \ No newline at end of file diff --git a/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml b/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml new file mode 100644 index 00000000..dc6e68c4 --- /dev/null +++ b/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml @@ -0,0 +1,108 @@ +--- + +# +# Tasks related to setting up an internal postgres server +# + +- import_tasks: "{{ role_path }}/tasks/util/detect_existing_postgres_version.yml" + when: matrix_postgres_enabled|bool + +# If we have found an existing version (installed from before), we use its corresponding Docker image. +# If not, we install using the latest Postgres. +# +# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`). +- set_fact: + matrix_postgres_backup_docker_image_to_use: "{{ matrix_postgres_backup_docker_image_latest if matrix_postgres_backup_detected_version_corresponding_docker_image == '' else matrix_postgres_backup_detected_version_corresponding_docker_image }}" + when: matrix_postgres_backup_enabled|bool + +- name: Ensure postgres backup Docker image is pulled + docker_image: + name: "{{ matrix_postgres_backup_docker_image_to_use }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_postgres_backup_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_backup_docker_image_force_pull }}" + when: matrix_postgres_backup_enabled|bool + +- name: Ensure Postgres backup paths exist + file: + path: "{{ item }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_postgres_backup_path }}" + when: matrix_postgres_backup_enabled|bool + +#Build database list to backup +- import_tasks: "{{ role_path }}/tasks/build_database_list.yml" + when: matrix_postgres_backup_enabled|bool + +- name: Ensure Postgres environment variables file created + template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_postgres_backup_path }}/{{ item }}" + mode: 0640 + with_items: + - "env-postgres-backup" + when: matrix_postgres_backup_enabled|bool + +- name: Ensure matrix-postgres-backup.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-postgres-backup.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-postgres-backup.service" + mode: 0644 + register: matrix_postgres_backup_systemd_service_result + when: matrix_postgres_backup_enabled|bool + +- name: Ensure systemd reloaded after matrix-postgres-backup.service installation + service: + daemon_reload: yes + when: "matrix_postgres_backup_enabled|bool and matrix_postgres_backup_systemd_service_result.changed" + +# +# Tasks related to getting rid of the internal postgres backup server (if it was previously enabled) +# + +- name: Check existence of matrix-postgres-backup service + stat: + path: "{{ matrix_systemd_path }}/matrix-postgres-backup.service" + register: matrix_postgres_backup_service_stat + when: "not matrix_postgres_backup_enabled|bool" + +- name: Ensure matrix-postgres-backup is stopped + service: + name: matrix-postgres-backup + state: stopped + daemon_reload: yes + when: "not matrix_postgres_backup_enabled|bool and matrix_postgres_backup_service_stat.stat.exists" + +- name: Ensure matrix-postgres-backup.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-postgres-backup.service" + state: absent + when: "not matrix_postgres_backup_enabled|bool and matrix_postgres_backup_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-postgres-backup.service removal + service: + daemon_reload: yes + when: "not matrix_postgres_backup_enabled|bool and matrix_postgres_backup_service_stat.stat.exists" + +- name: Check existence of matrix-postgres-backup backup path + stat: + path: "{{ matrix_postgres_backup_path }}" + register: matrix_postgres_backup_path_stat + when: "not matrix_postgres_backup_enabled|bool" + +# We just want to notify the user. Deleting data is too destructive. +- name: Inject warning if matrix-postgres backup data remains + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: You are not using the local backup service to backup the PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_backup_path }}`. Feel free to delete it." + ] + }} + when: "not matrix_postgres_backup_enabled|bool and matrix_postgres_backup_path_stat.stat.exists" diff --git a/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml b/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml new file mode 100644 index 00000000..da15a287 --- /dev/null +++ b/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml @@ -0,0 +1,56 @@ +--- + +# This utility aims to determine if there is some existing Postgres version in use or not. +# If there is, it also tries to detect the Docker image that corresponds to that version. + +- name: Initialize Postgres version determination variables (default to empty) + set_fact: + matrix_postgres_detection_pg_version_path: "{{ matrix_postgres_data_path }}/PG_VERSION" + matrix_postgres_detected_existing: false + matrix_postgres_detected_version: "" + matrix_postgres_detected_version_corresponding_docker_image: "" + +- name: Determine existing Postgres version (check PG_VERSION file) + stat: + path: "{{ matrix_postgres_detection_pg_version_path }}" + register: result_pg_version_stat + +- set_fact: + matrix_postgres_detected_existing: true + when: "result_pg_version_stat.stat.exists" + +- name: Determine existing Postgres version (read PG_VERSION file) + slurp: + src: "{{ matrix_postgres_detection_pg_version_path }}" + register: result_pg_version + when: matrix_postgres_detected_existing|bool + +- name: Determine existing Postgres version (make sense of PG_VERSION file) + set_fact: + matrix_postgres_detected_version: "{{ result_pg_version['content']|b64decode|replace('\n', '') }}" + when: matrix_postgres_detected_existing|bool + +- name: Determine corresponding Docker image to detected version (assume default of latest) + set_fact: + matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_latest }}" + when: "matrix_postgres_detected_version != ''" + +- name: Determine corresponding Docker image to detected version (use 9.x, if detected) + set_fact: + matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v9 }}" + when: "matrix_postgres_detected_version.startswith('9.')" + +- name: Determine corresponding Docker image to detected version (use 10.x, if detected) + set_fact: + matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v10 }}" + when: "matrix_postgres_detected_version == '10' or matrix_postgres_detected_version.startswith('10.')" + +- name: Determine corresponding Docker image to detected version (use 11.x, if detected) + set_fact: + matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v11 }}" + when: "matrix_postgres_detected_version == '11' or matrix_postgres_detected_version.startswith('11.')" + +- name: Determine corresponding Docker image to detected version (use 12.x, if detected) + set_fact: + matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v12 }}" + when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')" diff --git a/roles/matrix-postgres-backup/tasks/validate_config.yml b/roles/matrix-postgres-backup/tasks/validate_config.yml new file mode 100644 index 00000000..91d1783b --- /dev/null +++ b/roles/matrix-postgres-backup/tasks/validate_config.yml @@ -0,0 +1,27 @@ +--- + +# This is separate (from the other required variables below), +# because we'd like to have a friendlier message for our existing users. +- name: Fail if matrix_postgres_connection_password not defined + fail: + msg: >- + The playbook no longer has a default Postgres password defined in the `matrix_postgres_connection_password` variable, among lots of other Postgres changes. + You need to perform multiple manual steps to resolve this. + See our changelog for more details: + https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-postgres-changes-that-require-manual-intervention + when: "matrix_postgres_connection_password == ''" + +- name: Fail if required Postgres settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_postgres_connection_hostname" + - "matrix_postgres_connection_username" + - "matrix_postgres_connection_password" + - "matrix_postgres_backup_schedule" + - "matrix_postgres_backup_keep_days" + - "matrix_postgres_backup_keep_weeks" + - "matrix_postgres_backup_keep_months" + - "matrix_postgres_backup_path" diff --git a/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 b/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 new file mode 100644 index 00000000..1d617fd3 --- /dev/null +++ b/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 @@ -0,0 +1,12 @@ +#jinja2: lstrip_blocks: "True" +POSTGRES_USER={{ matrix_postgres_connection_username }} +POSTGRES_PASSWORD={{ matrix_postgres_connection_password }} +POSTGRES_HOST={{ matrix_postgres_connection_hostname }} +POSTGRES_DB={{ matrix_postgres_backup_db_list }} +POSTGRES_EXTRA_OPTS={{ matrix_postgres_backup_extra_opts }} +SCHEDULE={{ matrix_postgres_backup_schedule }} +BACKUP_KEEP_DAYS={{ matrix_postgres_backup_keep_days }} +BACKUP_KEEP_WEEKS={{ matrix_postgres_backup_keep_weeks }} +BACKUP_KEEP_MONTHS={{ matrix_postgres_backup_keep_months }} +HEALTHCHECK_PORT={{ matrix_postgres_backup_healthcheck_port }} +POSTGRES_PORT={{ matrix_postgres_connection_port }} \ No newline at end of file diff --git a/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 b/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 new file mode 100644 index 00000000..97c9ae7f --- /dev/null +++ b/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 @@ -0,0 +1,31 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Automatic Backup of Matrix Postgres server +After=docker.service +Requires=docker.service +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} stop matrix-postgres-backup +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres-backup 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres-backup \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_postgres_backup_path }}/env-postgres-backup \ + --mount type=bind,src={{ matrix_postgres_backup_path }},dst=/backups \ + {{ matrix_postgres_backup_docker_image_to_use }} + +ExecStop=-{{ matrix_host_command_docker }} stop matrix-postgres-backup +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres-backup 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-postgres-backup + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 9bb1788f..386db939 100755 --- a/setup.yml +++ b/setup.yml @@ -38,4 +38,6 @@ - matrix-nginx-proxy - matrix-coturn - matrix-aux + - matrix-postgres-backup - matrix-common-after + From b7e68cb779bc5c125eb03cb406807efda814f737 Mon Sep 17 00:00:00 2001 From: efraimbart Date: Thu, 11 Feb 2021 22:56:37 -0500 Subject: [PATCH 1906/2384] Fix wrong docker image being pulled Changed `matrix_mautrix_signal_docker_image_force_pull` to `matrix_mautrix_signal_daemon_docker_image_force_pull` when force pulling the daemon --- roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index d6c3c24d..61c6adff 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -21,7 +21,7 @@ name: "{{ matrix_mautrix_signal_daemon_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_docker_image_force_pull }}" when: matrix_mautrix_signal_enabled|bool - name: Ensure Mautrix Signal paths exist From 9531d137869af24ea14f8583997c599f576bd7fd Mon Sep 17 00:00:00 2001 From: Peetz0r Date: Sat, 30 Jan 2021 08:05:52 +0100 Subject: [PATCH 1907/2384] Split DNS table in default and optional parts --- docs/configuring-dns.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 84e2cd0b..c25b079e 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -15,22 +15,25 @@ As we discuss in [Server Delegation](howto-server-delegation.md), there are 2 di This playbook mostly discusses the well-known file method, because it's easier to manage with regard to certificates. If you decide to go with the alternative method ([Server Delegation via a DNS SRV record (advanced)](howto-server-delegation.md#server-delegation-via-a-dns-srv-record-advanced)), please be aware that the general flow that this playbook guides you through may not match what you need to do. - -## General outline of DNS settings you need to do +## Required DNS settings for services enabled by default | Type | Host | Priority | Weight | Port | Target | | ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- | | A | `matrix` | - | - | - | `matrix-server-IP` | | CNAME | `element` | - | - | - | `matrix.` | -| CNAME | `dimension` (*) | - | - | - | `matrix.` | -| CNAME | `jitsi` (*) | - | - | - | `matrix.` | -| CNAME | `stats` (*) | - | - | - | `matrix.` | | SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | +Be mindful as to how long it will take for the DNS records to propagate. + +If you are using Cloudflare DNS, make sure to disable the proxy and set all records to `DNS only`. Otherwise, fetching certificates will fail. -DNS records marked with `(*)` above are optional. They refer to services that will not be installed by default (see the section below). If you won't be installing these services, feel free to skip creating these DNS records. Also be mindful as to how long it will take for the DNS records to propagate. +## Required DNS settings for optional services -> If you are using Cloudflare DNS, make sure to disable the proxy and set all records to `DNS only`. Otherwise, fetching certificates will fail. +| Type | Host | Priority | Weight | Port | Target | +| ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- | +| CNAME | `dimension` (*) | - | - | - | `matrix.` | +| CNAME | `jitsi` (*) | - | - | - | `matrix.` | +| CNAME | `stats` (*) | - | - | - | `matrix.` | ## Subdomains setup From f0cd29462845c70ba8b1e25bb8c5a927b4a7a207 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 31 Jan 2021 11:41:22 +0200 Subject: [PATCH 1908/2384] Fix matrix-prometheus-node-exporter failure to start The quotes around "host" for both `--pid` and `--net` were causing trouble for me: > docker: --pid: invalid PID mode. and: > docker: Error response from daemon: network "host" not found. I've also changed the `-v` call to `--mount` for consistency with the rest of the playbook. --- .../systemd/matrix-prometheus-node-exporter.service.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index b7f410f1..58349444 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -27,9 +27,9 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} {{ arg }} \ {% endfor %} - --net="host" \ - --pid="host" \ - -v "/:/host:ro,rslave" \ + --net=host \ + --pid=host \ + --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ {{ matrix_prometheus_node_exporter_docker_image }} \ --path.rootfs=/host From 3ce97123888473cd29fab16a847196fd1538d724 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 31 Jan 2021 12:01:56 +0200 Subject: [PATCH 1909/2384] Fix Grafana dashboard/datasource label --- roles/matrix-grafana/templates/dashboards.yaml.j2 | 2 +- roles/matrix-grafana/templates/datasources.yaml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-grafana/templates/dashboards.yaml.j2 b/roles/matrix-grafana/templates/dashboards.yaml.j2 index b6662e59..aae42ba2 100644 --- a/roles/matrix-grafana/templates/dashboards.yaml.j2 +++ b/roles/matrix-grafana/templates/dashboards.yaml.j2 @@ -1,7 +1,7 @@ apiVersion: 1 providers: - - name: {{ matrix_domain }} - Dashboards + - name: {{ matrix_server_fqn_matrix }} - Dashboards folder: '' # The folder where to place the dashboards type: file allowUiUpdates: true diff --git a/roles/matrix-grafana/templates/datasources.yaml.j2 b/roles/matrix-grafana/templates/datasources.yaml.j2 index ffa6046b..6ccbe374 100644 --- a/roles/matrix-grafana/templates/datasources.yaml.j2 +++ b/roles/matrix-grafana/templates/datasources.yaml.j2 @@ -1,7 +1,7 @@ apiVersion: 1 datasources: - - name: {{ matrix_domain }} - Prometheus + - name: {{ matrix_server_fqn_matrix }} - Prometheus type: prometheus # Access mode - proxy (server in the UI) or direct (browser in the UI). access: proxy From 1d7d99c5cd94c961d7fc78c6fb9e6b67ce7ec99c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 31 Jan 2021 12:02:14 +0200 Subject: [PATCH 1910/2384] Improve metrics docs page a bit We mainly switch the anonymous metrics viewing variable to false, along with other wording changes. --- docs/configuring-playbook-prometheus-grafana.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 9e2c5dd4..0c759692 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -1,6 +1,6 @@ # Enabling metrics and graphs for your Matrix server (optional) -It can be useful to have some (visual) insight in the performance of your homeserver. +It can be useful to have some (visual) insight into the performance of your homeserver. You can enable this with the following settings in your configuration file (`inventory/host_vars/matrix./vars.yml`): @@ -11,8 +11,13 @@ matrix_synapse_metrics_enabled: true matrix_prometheus_node_exporter_enabled: true matrix_grafana_enabled: true -matrix_grafana_anonymous_access: true + +matrix_grafana_anonymous_access: false + matrix_grafana_default_admin_user: yourname + +# Passwords containing special characters may be troublesome. +# Changing the password subsequently won't work. matrix_grafana_default_admin_password: securelongpassword ``` @@ -26,7 +31,7 @@ Name | Description `matrix_synapse_metrics_enabled`|Enables metrics specific to Synapse `matrix_prometheus_node_exporter_enabled`|Node Exporter is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures `matrix_grafana_enabled`|Grafana is the visual component. It shows the dashboards with the graphs that we're interested in -`matrix_grafana_anonymous_access`|By default you need to login to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option. +`matrix_grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option. `matrix_grafana_default_admin_user`
`matrix_grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here ## Security and privacy From df3dd1c82459b61b4ed549797580de4c37ebad4b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 31 Jan 2021 17:34:32 +0200 Subject: [PATCH 1911/2384] Use --read-only FS for metrics-related containers It seems like it doesn't cause any issues for any of these services. --- roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 | 1 + .../templates/systemd/matrix-prometheus-node-exporter.service.j2 | 1 + .../templates/systemd/matrix-prometheus.service.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 index f2ab6642..a4f81e35 100644 --- a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 +++ b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 @@ -21,6 +21,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-grafana \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --read-only \ --network={{ matrix_docker_network }} \ {% if matrix_grafana_container_http_host_bind_port %} -p {{ matrix_grafana_container_http_host_bind_port }}:3000 \ diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 58349444..93638c19 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -21,6 +21,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --read-only \ {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ {% endif %} diff --git a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 index dd3ac72c..ad75d664 100644 --- a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 +++ b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 @@ -21,6 +21,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --read-only \ --network={{ matrix_docker_network }} \ {% if matrix_prometheus_container_http_host_bind_port %} -p {{ matrix_prometheus_container_http_host_bind_port }}:9090 \ From 85a260daaf5d04795f2be4a8de09fac26be57ecd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 31 Jan 2021 18:17:57 +0200 Subject: [PATCH 1912/2384] Make --tags=setup-prometheus not break, relying on matrix-base facts --- roles/matrix-base/tasks/setup_matrix_base.yml | 1 - roles/matrix-prometheus/defaults/main.yml | 3 +++ roles/matrix-prometheus/tasks/setup.yml | 17 ++++++++++++++++- .../templates/prometheus.yml.j2 | 2 +- 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/roles/matrix-base/tasks/setup_matrix_base.yml b/roles/matrix-base/tasks/setup_matrix_base.yml index b74b0316..0fad2b3d 100644 --- a/roles/matrix-base/tasks/setup_matrix_base.yml +++ b/roles/matrix-base/tasks/setup_matrix_base.yml @@ -23,7 +23,6 @@ docker_network: name: "{{ matrix_docker_network }}" driver: bridge - register: matrix_docker_network_info - name: Ensure matrix-remove-all script created template: diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 10424424..a0e79acc 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -26,6 +26,9 @@ matrix_prometheus_systemd_wanted_services_list: [] # Takes an ":" or "" value (e.g. "127.0.0.1:9090"), or empty string to not expose. matrix_prometheus_container_http_host_bind_port: '' +# Target addresses for the "node" scraper configuration. +# Unless you define this as a non-empty list, it gets populated at runtime with the IP address of `matrix-prometheus-node-exporter` and port 9100. +matrix_prometheus_endpoint_node_targets: [] # Default prometheus configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-prometheus/tasks/setup.yml b/roles/matrix-prometheus/tasks/setup.yml index 1746b961..c9a207ec 100644 --- a/roles/matrix-prometheus/tasks/setup.yml +++ b/roles/matrix-prometheus/tasks/setup.yml @@ -24,7 +24,22 @@ - "{{ matrix_prometheus_config_path }}" - "{{ matrix_prometheus_data_path }}" when: matrix_prometheus_enabled|bool - + +- block: + # Well, this actually creates the network if it doesn't exist, but.. + # The network should have been created by `matrix-base` already. + # We don't rely on that other call and its result, because it runs + # on `--tags=setup-all`, but will get skipped during `--tags=setup-prometheus`. + - name: Fetch Matrix Docker network details + docker_network: + name: "{{ matrix_docker_network }}" + driver: bridge + register: matrix_docker_network_info + + - set_fact: + matrix_prometheus_endpoint_node_targets: ["{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100"] + when: "matrix_prometheus_enabled|bool and matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_endpoint_node_targets|length == 0" + - name: Ensure prometheus.yml installed copy: content: "{{ matrix_prometheus_configuration|to_nice_yaml }}" diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index 08e6fcf1..4fdf9905 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -36,5 +36,5 @@ scrape_configs: {% if matrix_prometheus_node_exporter_enabled %} - job_name: node static_configs: - - targets: ['{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100'] + - targets: {{ matrix_prometheus_endpoint_node_targets|to_json }} {% endif %} From 18e31526a885cd9590b8d639e75da507db29fa35 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 31 Jan 2021 18:26:08 +0200 Subject: [PATCH 1913/2384] Rename some variables --- group_vars/matrix_servers | 2 ++ roles/matrix-prometheus/defaults/main.yml | 6 +++++- roles/matrix-prometheus/tasks/setup.yml | 4 ++-- roles/matrix-prometheus/templates/prometheus.yml.j2 | 4 ++-- 4 files changed, 11 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b314dc99..ad700597 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1405,6 +1405,8 @@ matrix_prometheus_enabled: false # Prometheus' HTTP port to the local host. matrix_prometheus_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9090' }}" +matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}" + ###################################################################### # # /matrix-prometheus diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index a0e79acc..c07c3801 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -26,9 +26,13 @@ matrix_prometheus_systemd_wanted_services_list: [] # Takes an ":" or "" value (e.g. "127.0.0.1:9090"), or empty string to not expose. matrix_prometheus_container_http_host_bind_port: '' +# Tells whether the "node" scraper configuration is enabled. +# This configuration aims to scrape the current node (this server). +matrix_prometheus_scraper_node_enabled: false + # Target addresses for the "node" scraper configuration. # Unless you define this as a non-empty list, it gets populated at runtime with the IP address of `matrix-prometheus-node-exporter` and port 9100. -matrix_prometheus_endpoint_node_targets: [] +matrix_prometheus_scraper_node_targets: [] # Default prometheus configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. diff --git a/roles/matrix-prometheus/tasks/setup.yml b/roles/matrix-prometheus/tasks/setup.yml index c9a207ec..7b98b76a 100644 --- a/roles/matrix-prometheus/tasks/setup.yml +++ b/roles/matrix-prometheus/tasks/setup.yml @@ -37,8 +37,8 @@ register: matrix_docker_network_info - set_fact: - matrix_prometheus_endpoint_node_targets: ["{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100"] - when: "matrix_prometheus_enabled|bool and matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_endpoint_node_targets|length == 0" + matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100"] + when: "matrix_prometheus_enabled|bool and matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0" - name: Ensure prometheus.yml installed copy: diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index 4fdf9905..4fe8394d 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -33,8 +33,8 @@ scrape_configs: - targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}'] {% endif %} - {% if matrix_prometheus_node_exporter_enabled %} + {% if matrix_prometheus_scraper_node_enabled %} - job_name: node static_configs: - - targets: {{ matrix_prometheus_endpoint_node_targets|to_json }} + - targets: {{ matrix_prometheus_scraper_node_targets|to_json }} {% endif %} From 6842102e008a0682bc676793556f32c2593ff723 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 31 Jan 2021 18:30:02 +0200 Subject: [PATCH 1914/2384] Split install/uninstall tasks in matrix-prometheus --- roles/matrix-prometheus/tasks/main.yml | 9 +++- .../tasks/{setup.yml => setup_install.yml} | 48 +------------------ .../tasks/setup_uninstall.yml | 31 ++++++++++++ 3 files changed, 41 insertions(+), 47 deletions(-) rename roles/matrix-prometheus/tasks/{setup.yml => setup_install.yml} (59%) create mode 100644 roles/matrix-prometheus/tasks/setup_uninstall.yml diff --git a/roles/matrix-prometheus/tasks/main.yml b/roles/matrix-prometheus/tasks/main.yml index 2290048f..edb01988 100644 --- a/roles/matrix-prometheus/tasks/main.yml +++ b/roles/matrix-prometheus/tasks/main.yml @@ -8,7 +8,14 @@ - setup-all - setup-prometheus -- import_tasks: "{{ role_path }}/tasks/setup.yml" +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_prometheus_enabled|bool" + tags: + - setup-all + - setup-prometheus + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_prometheus_enabled|bool" tags: - setup-all - setup-prometheus diff --git a/roles/matrix-prometheus/tasks/setup.yml b/roles/matrix-prometheus/tasks/setup_install.yml similarity index 59% rename from roles/matrix-prometheus/tasks/setup.yml rename to roles/matrix-prometheus/tasks/setup_install.yml index 7b98b76a..b69e349d 100644 --- a/roles/matrix-prometheus/tasks/setup.yml +++ b/roles/matrix-prometheus/tasks/setup_install.yml @@ -1,16 +1,11 @@ --- -# -# Tasks related to setting up matrix-prometheus -# - - name: Ensure matrix-prometheus image is pulled docker_image: name: "{{ matrix_prometheus_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_prometheus_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_docker_image_force_pull }}" - when: "matrix_prometheus_enabled|bool" - name: Ensure Prometheus paths exists file: @@ -23,7 +18,6 @@ - "{{ matrix_prometheus_base_path }}" - "{{ matrix_prometheus_config_path }}" - "{{ matrix_prometheus_data_path }}" - when: matrix_prometheus_enabled|bool - block: # Well, this actually creates the network if it doesn't exist, but.. @@ -38,7 +32,7 @@ - set_fact: matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100"] - when: "matrix_prometheus_enabled|bool and matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0" + when: "matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0" - name: Ensure prometheus.yml installed copy: @@ -47,7 +41,6 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_prometheus_enabled|bool - name: Download synapse-v2.rules get_url: @@ -57,8 +50,6 @@ mode: 0440 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_prometheus_enabled|bool - - name: Ensure matrix-prometheus.service installed template: @@ -66,43 +57,8 @@ dest: "{{ matrix_systemd_path }}/matrix-prometheus.service" mode: 0644 register: matrix_prometheus_systemd_service_result - when: matrix_prometheus_enabled|bool - name: Ensure systemd reloaded after matrix-prometheus.service installation service: daemon_reload: yes - when: "matrix_prometheus_enabled|bool and matrix_prometheus_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-prometheus (if it was previously enabled) -# - -- name: Check existence of matrix-prometheus service - stat: - path: "{{ matrix_systemd_path }}/matrix-prometheus.service" - register: matrix_prometheus_service_stat - -- name: Ensure matrix-prometheus is stopped - service: - name: matrix-prometheus - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_prometheus_enabled|bool and matrix_prometheus_service_stat.stat.exists" - -- name: Ensure matrix-prometheus.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-prometheus.service" - state: absent - when: "not matrix_prometheus_enabled|bool and matrix_prometheus_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-prometheus.service removal - service: - daemon_reload: yes - when: "not matrix_prometheus_enabled|bool and matrix_prometheus_service_stat.stat.exists" - -- name: Ensure matrix-prometheus Docker image doesn't exist - docker_image: - name: "{{ matrix_prometheus_docker_image }}" - state: absent - when: "not matrix_prometheus_enabled|bool" + when: "matrix_prometheus_systemd_service_result.changed|bool" diff --git a/roles/matrix-prometheus/tasks/setup_uninstall.yml b/roles/matrix-prometheus/tasks/setup_uninstall.yml new file mode 100644 index 00000000..0a4a8cb6 --- /dev/null +++ b/roles/matrix-prometheus/tasks/setup_uninstall.yml @@ -0,0 +1,31 @@ +--- + +- name: Check existence of matrix-prometheus service + stat: + path: "{{ matrix_systemd_path }}/matrix-prometheus.service" + register: matrix_prometheus_service_stat + +- name: Ensure matrix-prometheus is stopped + service: + name: matrix-prometheus + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_prometheus_service_stat.stat.exists|bool" + +- name: Ensure matrix-prometheus.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-prometheus.service" + state: absent + when: "matrix_prometheus_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-prometheus.service removal + service: + daemon_reload: yes + when: "matrix_prometheus_service_stat.stat.exists|bool" + +- name: Ensure matrix-prometheus Docker image doesn't exist + docker_image: + name: "{{ matrix_prometheus_docker_image }}" + state: absent + when: "not matrix_prometheus_enabled|bool" From c8ab200cb1ded35d57b45514902ed807821e4b89 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 31 Jan 2021 19:23:12 +0200 Subject: [PATCH 1915/2384] Break dependency between matrix-prometheus and (matrix-prometheus-node-exporter, matrix-synapse) --- group_vars/matrix_servers | 4 ++++ roles/matrix-prometheus/defaults/main.yml | 12 ++++++++++-- .../matrix-prometheus/tasks/setup_install.yml | 18 ++++++++++-------- .../tasks/validate_config.yml | 4 ++-- .../templates/prometheus.yml.j2 | 6 +++--- 5 files changed, 29 insertions(+), 15 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ad700597..a8bddf6e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1405,6 +1405,10 @@ matrix_prometheus_enabled: false # Prometheus' HTTP port to the local host. matrix_prometheus_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9090' }}" +matrix_prometheus_scraper_synapse_enabled: "{{ matrix_synapse_enabled and matrix_synapse_metrics_enabled }}" +matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}'] +matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}" + matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}" ###################################################################### diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index c07c3801..56018ba6 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -6,8 +6,6 @@ matrix_prometheus_enabled: false matrix_prometheus_docker_image: "docker.io/prom/prometheus:v2.24.1" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" -matrix_synapse_prometheus_rules_download_url: "https://raw.githubusercontent.com/matrix-org/synapse/{{ matrix_synapse_docker_image_tag }}/contrib/prometheus/synapse-v2.rules" - matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus" matrix_prometheus_config_path: "{{ matrix_prometheus_base_path }}/config" matrix_prometheus_data_path: "{{ matrix_prometheus_base_path }}/data" @@ -26,6 +24,16 @@ matrix_prometheus_systemd_wanted_services_list: [] # Takes an ":" or "" value (e.g. "127.0.0.1:9090"), or empty string to not expose. matrix_prometheus_container_http_host_bind_port: '' +# Tells whether the "synapse" scraper configuration is enabled. +matrix_prometheus_scraper_synapse_enabled: false + +# Tells whether to download and load a Synapse rules file +matrix_prometheus_scraper_synapse_rules_enabled: "{{ matrix_prometheus_scraper_synapse_enabled }}" +matrix_prometheus_scraper_synapse_rules_synapse_tag: "master" +matrix_prometheus_scraper_synapse_rules_download_url: "https://raw.githubusercontent.com/matrix-org/synapse/{{ matrix_prometheus_scraper_synapse_rules_synapse_tag }}/contrib/prometheus/synapse-v2.rules" + +matrix_prometheus_scraper_synapse_targets: [] + # Tells whether the "node" scraper configuration is enabled. # This configuration aims to scrape the current node (this server). matrix_prometheus_scraper_node_enabled: false diff --git a/roles/matrix-prometheus/tasks/setup_install.yml b/roles/matrix-prometheus/tasks/setup_install.yml index b69e349d..8aee5178 100644 --- a/roles/matrix-prometheus/tasks/setup_install.yml +++ b/roles/matrix-prometheus/tasks/setup_install.yml @@ -34,22 +34,24 @@ matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100"] when: "matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0" -- name: Ensure prometheus.yml installed - copy: - content: "{{ matrix_prometheus_configuration|to_nice_yaml }}" - dest: "{{ matrix_prometheus_config_path }}/prometheus.yml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - name: Download synapse-v2.rules get_url: - url: "{{ matrix_synapse_prometheus_rules_download_url }}" + url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}" dest: "{{ matrix_prometheus_config_path }}/synapse-v2.rules" force: true mode: 0440 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" + when: "matrix_prometheus_scraper_synapse_rules_enabled|bool" + +- name: Ensure prometheus.yml installed + copy: + content: "{{ matrix_prometheus_configuration|to_nice_yaml }}" + dest: "{{ matrix_prometheus_config_path }}/prometheus.yml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure matrix-prometheus.service installed template: diff --git a/roles/matrix-prometheus/tasks/validate_config.yml b/roles/matrix-prometheus/tasks/validate_config.yml index 713646ae..9fcfe12b 100644 --- a/roles/matrix-prometheus/tasks/validate_config.yml +++ b/roles/matrix-prometheus/tasks/validate_config.yml @@ -3,5 +3,5 @@ - name: Fail if Synapse metrics or Prometheus Node Exporter not enabled fail: msg: > - You need to enable `matrix_synapse_metrics_enabled` and/or `matrix_prometheus_node_exporter_enabled` for Prometheus grab metrics. - when: "not matrix_synapse_metrics_enabled and not matrix_prometheus_node_exporter_enabled" + You need to enable `matrix_prometheus_scraper_synapse_enabled` and/or `matrix_prometheus_scraper_node_enabled` for Prometheus grab metrics. + when: "not matrix_prometheus_scraper_synapse_enabled and not matrix_prometheus_scraper_node_enabled" diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index 4fe8394d..9502a08b 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -6,7 +6,7 @@ global: # Load rules once and periodically evaluate them according to the global 'evaluation_interval'. rule_files: - {% if matrix_synapse_metrics_enabled %} + {% if matrix_prometheus_scraper_synapse_rules_enabled %} - 'synapse-v2.rules' {% endif %} @@ -26,11 +26,11 @@ scrape_configs: static_configs: - targets: ['localhost:9090'] - {% if matrix_synapse_metrics_enabled %} + {% if matrix_prometheus_scraper_synapse_enabled %} - job_name: 'synapse' metrics_path: '/_synapse/metrics' static_configs: - - targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}'] + - targets: {{ matrix_prometheus_scraper_synapse_targets|to_json }} {% endif %} {% if matrix_prometheus_scraper_node_enabled %} From eb9aac0ac9682104955a3498951fd02d102bb370 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 31 Jan 2021 19:43:47 +0200 Subject: [PATCH 1916/2384] Minor docs updates --- docs/configuring-playbook-prometheus-grafana.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 0c759692..2010b1b5 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -8,17 +8,19 @@ You can enable this with the following settings in your configuration file (`inv matrix_prometheus_enabled: true matrix_synapse_metrics_enabled: true + matrix_prometheus_node_exporter_enabled: true matrix_grafana_enabled: true matrix_grafana_anonymous_access: false -matrix_grafana_default_admin_user: yourname +# This has no relation to your Matrix user id. It can be any username you'd like. +matrix_grafana_default_admin_user: some_username_chosen_by_you # Passwords containing special characters may be troublesome. # Changing the password subsequently won't work. -matrix_grafana_default_admin_password: securelongpassword +matrix_grafana_default_admin_password: some_strong_password_chosen_by_you ``` The dashboards will by default be available on the `stats.` subdomain, proxied via Nginx. @@ -28,7 +30,7 @@ The dashboards will by default be available on the `stats.` subdoma Name | Description -----|---------- `matrix_prometheus_enabled`|Prometheus is a time series database. It holds all the data we're going to talk about. -`matrix_synapse_metrics_enabled`|Enables metrics specific to Synapse +`matrix_synapse_metrics_enabled`|Tell the Synapse server to expose metrics. This also cascades to other variables, which makes Prometheus collect said metrics `matrix_prometheus_node_exporter_enabled`|Node Exporter is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures `matrix_grafana_enabled`|Grafana is the visual component. It shows the dashboards with the graphs that we're interested in `matrix_grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option. @@ -36,7 +38,7 @@ Name | Description ## Security and privacy -Metrics and resulting graphs can contain a lot if information. This includes system specs but also usage patterns. This applies especially to small personal/family scale homeservers. Someone might be able to figure out when you wake up and go to sleep by looking at the graphs over time. Think about this before enabling anonymous access. And you should really not forget to change your Grafana password. +Metrics and resulting graphs can contain a lot of information. This includes system specs but also usage patterns. This applies especially to small personal/family scale homeservers. Someone might be able to figure out when you wake up and go to sleep by looking at the graphs over time. Think about this before enabling anonymous access. And you should really not forget to change your Grafana password. Most of our docker containers run with limited system access, but the `prometheus-node-exporter` has access to the host network stack and (readonly) root filesystem. This is required to report on them. If you don't like that, you can set `matrix_prometheus_node_exporter_enabled: false` (which is actually the default). You will still get Synapse metrics with this container disabled. Both of the dashboards will always be enabled, so you can still look at historical data after disabling either source. From 2b47258c6cc382218cb659b3882bed247e304807 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 12 Feb 2021 13:47:53 +0200 Subject: [PATCH 1917/2384] Do not auto-expose metrics on matrix.DOMAIN/_synapse/metrics .. and other documentation improvements. --- ...configuring-playbook-prometheus-grafana.md | 23 +++++++++++++++---- group_vars/matrix_servers | 8 ++++++- 2 files changed, 26 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 2010b1b5..006c99e9 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -7,8 +7,6 @@ You can enable this with the following settings in your configuration file (`inv ```yaml matrix_prometheus_enabled: true -matrix_synapse_metrics_enabled: true - matrix_prometheus_node_exporter_enabled: true matrix_grafana_enabled: true @@ -25,23 +23,40 @@ matrix_grafana_default_admin_password: some_strong_password_chosen_by_you The dashboards will by default be available on the `stats.` subdomain, proxied via Nginx. + ## What does it do? Name | Description -----|---------- `matrix_prometheus_enabled`|Prometheus is a time series database. It holds all the data we're going to talk about. -`matrix_synapse_metrics_enabled`|Tell the Synapse server to expose metrics. This also cascades to other variables, which makes Prometheus collect said metrics `matrix_prometheus_node_exporter_enabled`|Node Exporter is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures -`matrix_grafana_enabled`|Grafana is the visual component. It shows the dashboards with the graphs that we're interested in +`matrix_grafana_enabled`|Grafana is the visual component. It shows (on the `stats.` subdomain) the dashboards with the graphs that we're interested in `matrix_grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option. `matrix_grafana_default_admin_user`
`matrix_grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here + ## Security and privacy Metrics and resulting graphs can contain a lot of information. This includes system specs but also usage patterns. This applies especially to small personal/family scale homeservers. Someone might be able to figure out when you wake up and go to sleep by looking at the graphs over time. Think about this before enabling anonymous access. And you should really not forget to change your Grafana password. Most of our docker containers run with limited system access, but the `prometheus-node-exporter` has access to the host network stack and (readonly) root filesystem. This is required to report on them. If you don't like that, you can set `matrix_prometheus_node_exporter_enabled: false` (which is actually the default). You will still get Synapse metrics with this container disabled. Both of the dashboards will always be enabled, so you can still look at historical data after disabling either source. + +## Collecting metrics to an external Prometheus server + +If you wish, you could expose homeserver metrics without enabling (installing) Prometheus and Grafana via the playbook. + +To do this, you may be interested in the following variables: + `matrix_synapse_metrics_enabled` to `true` + +Name | Description +-----|---------- +`matrix_synapse_metrics_enabled`|Set this to `true` to make Synapse expose metrics (locally, on the container network) +`matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics` +`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`) +`matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable) + + ## More inforation - [Understanding Synapse Performance Issues Through Grafana Graphs](https://github.com/matrix-org/synapse/wiki/Understanding-Synapse-Performance-Issues-Through-Grafana-Graphs) at the Synapse Github Wiki diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a8bddf6e..6d54f01d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -992,7 +992,10 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:8 matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}" -matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" +# This used to be hooked to `matrix_synapse_metrics_enabled`, but we don't do it anymore. +# The fact that someone wishes to enable Synapse metrics does not necessarily mean they want to make them public. +# A local Prometheus can consume them over the container network. +matrix_nginx_proxy_proxy_synapse_metrics: false matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" @@ -1300,6 +1303,9 @@ matrix_synapse_tls_private_key_path: ~ matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled) }}" +# If someone instals Prometheus via the playbook, they most likely wish to monitor Synapse. +matrix_synapse_metrics_enabled: "{{ matrix_prometheus_enabled }}" + matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" matrix_synapse_email_smtp_host: "matrix-mailer" matrix_synapse_email_smtp_port: 8025 From 890e4ad1af0e89f14c9f87148919636d8628944e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 12 Feb 2021 14:02:53 +0200 Subject: [PATCH 1918/2384] Announce Prometheus/Grafana --- CHANGELOG.md | 9 +++++++++ docs/configuring-playbook-prometheus-grafana.md | 12 ++++++------ docs/configuring-playbook.md | 2 ++ 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e23e58d..a31fbc16 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2021-02-12 + +## Monitoring/metrics support using Prometheus and Grafana + +Thanks to [@Peetz0r](https://github.com/Peetz0r), the playbook can now install a bunch of tools for monitoring your Matrix server: the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI. + +To get get these installed, follow our [Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](docs/configuring-playbook-prometheus-grafana.md) docs page. + + # 2021-01-31 ## Etherpad support diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 006c99e9..a10497cc 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -14,6 +14,7 @@ matrix_grafana_enabled: true matrix_grafana_anonymous_access: false # This has no relation to your Matrix user id. It can be any username you'd like. +# Changing the username subsequently won't work. matrix_grafana_default_admin_user: some_username_chosen_by_you # Passwords containing special characters may be troublesome. @@ -21,16 +22,16 @@ matrix_grafana_default_admin_user: some_username_chosen_by_you matrix_grafana_default_admin_password: some_strong_password_chosen_by_you ``` -The dashboards will by default be available on the `stats.` subdomain, proxied via Nginx. +By default, a [Grafana](https://grafana.com/) web user-interface will be available at `https://stats.`. ## What does it do? Name | Description -----|---------- -`matrix_prometheus_enabled`|Prometheus is a time series database. It holds all the data we're going to talk about. -`matrix_prometheus_node_exporter_enabled`|Node Exporter is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures -`matrix_grafana_enabled`|Grafana is the visual component. It shows (on the `stats.` subdomain) the dashboards with the graphs that we're interested in +`matrix_prometheus_enabled`|[Prometheus](https://prometheus.io) is a time series database. It holds all the data we're going to talk about. +`matrix_prometheus_node_exporter_enabled`|[Node Exporter](https://prometheus.io/docs/guides/node-exporter/) is an addon of sorts to Prometheus that collects generic system information such as CPU, memory, filesystem, and even system temperatures +`matrix_grafana_enabled`|[Grafana](https://grafana.com/) is the visual component. It shows (on the `stats.` subdomain) the dashboards with the graphs that we're interested in `matrix_grafana_anonymous_access`|By default you need to log in to see graphs. If you want to publicly share your graphs (e.g. when asking for help in [`#synapse:matrix.org`](https://matrix.to/#/#synapse:matrix.org?via=matrix.org&via=privacytools.io&via=mozilla.org)) you'll want to enable this option. `matrix_grafana_default_admin_user`
`matrix_grafana_default_admin_password`|By default Grafana creates a user with `admin` as the username and password. If you feel this is insecure and you want to change it beforehand, you can do that here @@ -44,10 +45,9 @@ Most of our docker containers run with limited system access, but the `prometheu ## Collecting metrics to an external Prometheus server -If you wish, you could expose homeserver metrics without enabling (installing) Prometheus and Grafana via the playbook. +If you wish, you could expose homeserver metrics without enabling (installing) Prometheus and Grafana via the playbook. This may be useful for hooking Matrix services to an external Prometheus/Grafana installation. To do this, you may be interested in the following variables: - `matrix_synapse_metrics_enabled` to `true` Name | Description -----|---------- diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 90dc01c5..70060292 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -35,6 +35,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Dynamic DNS](configuring-playbook-dynamic-dns.md) (optional) +- [Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](configuring-playbook-prometheus-grafana.md) (optional) + ### Core service adjustments - [Configuring Synapse](configuring-playbook-synapse.md) (optional) From 87ce12c3ebb788758cc10cf89d27f413c983a397 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 12 Feb 2021 14:06:42 +0200 Subject: [PATCH 1919/2384] Add note about potential breaking change --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a31fbc16..54031268 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,11 +1,13 @@ # 2021-02-12 -## Monitoring/metrics support using Prometheus and Grafana +## (Potential Breaking Change) Monitoring/metrics support using Prometheus and Grafana Thanks to [@Peetz0r](https://github.com/Peetz0r), the playbook can now install a bunch of tools for monitoring your Matrix server: the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI. To get get these installed, follow our [Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](docs/configuring-playbook-prometheus-grafana.md) docs page. +This update comes with a **potential breaking change** for people who were already exposing Synapse metrics (for consumption via another Prometheus installation). From now on, `matrix_synapse_metrics_enabled: true` no longer exposes metrics publicly via matrix-nginx-proxy (at `https://matrix.DOMAIN/_synapse/metrics`). To do so, you'd need to explicitly set `matrix_nginx_proxy_proxy_synapse_metrics: true`. + # 2021-01-31 From 66d5b0e5b90d85f7802083e521e3cf3a43041a65 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 12 Feb 2021 15:41:15 +0200 Subject: [PATCH 1920/2384] Do not fail on unrelated validation tasks when Prometheus not enabled These validation tasks should only run when Prometheus is enabled. --- .../tasks/validate_config.yml | 7 ------- roles/matrix-prometheus/tasks/main.yml | 2 +- 2 files changed, 1 insertion(+), 8 deletions(-) delete mode 100644 roles/matrix-prometheus-node-exporter/tasks/validate_config.yml diff --git a/roles/matrix-prometheus-node-exporter/tasks/validate_config.yml b/roles/matrix-prometheus-node-exporter/tasks/validate_config.yml deleted file mode 100644 index 713646ae..00000000 --- a/roles/matrix-prometheus-node-exporter/tasks/validate_config.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- name: Fail if Synapse metrics or Prometheus Node Exporter not enabled - fail: - msg: > - You need to enable `matrix_synapse_metrics_enabled` and/or `matrix_prometheus_node_exporter_enabled` for Prometheus grab metrics. - when: "not matrix_synapse_metrics_enabled and not matrix_prometheus_node_exporter_enabled" diff --git a/roles/matrix-prometheus/tasks/main.yml b/roles/matrix-prometheus/tasks/main.yml index edb01988..20f18cc3 100644 --- a/roles/matrix-prometheus/tasks/main.yml +++ b/roles/matrix-prometheus/tasks/main.yml @@ -3,7 +3,7 @@ - always - import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup|bool + when: "run_setup|bool and matrix_prometheus_enabled|bool" tags: - setup-all - setup-prometheus From 8434af10dec713e2ebcddccf64857d83e9fecdde Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 12 Feb 2021 15:45:19 +0200 Subject: [PATCH 1921/2384] Do not fail on unrelated validation tasks when Grafana not enabled --- roles/matrix-grafana/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/tasks/main.yml b/roles/matrix-grafana/tasks/main.yml index 122ec65e..fb16c394 100644 --- a/roles/matrix-grafana/tasks/main.yml +++ b/roles/matrix-grafana/tasks/main.yml @@ -3,7 +3,7 @@ - always - import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup|bool + when: "run_setup|bool and matrix_grafana_enabled|bool" tags: - setup-all - setup-grafana From 70a9a28ca32011dda7a5bc4c9b6fbbff5c033971 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 12 Feb 2021 16:32:49 +0200 Subject: [PATCH 1922/2384] Mention Prometheus/Grafana on the README --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 91f9314d..55a69bea 100644 --- a/README.md +++ b/README.md @@ -71,11 +71,11 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation -- (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation +- (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation -- (optional) the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge for [Discord](https://discordapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation +- (optional) the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge for [Discord](https://discordapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation -- (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation +- (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation - (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms - see [docs/configuring-playbook-email2matrix.md](docs/configuring-playbook-email2matrix.md) for setup documentation @@ -91,6 +91,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) [matrix-registration](https://github.com/ZerataX/matrix-registration), a simple python application to have a token based matrix registration - see [docs/configuring-playbook-matrix-registration.md](docs/configuring-playbook-matrix-registration.md) for setup documentation +- (optional) the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI - see [Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](docs/configuring-playbook-prometheus-grafana.md) for setup documentation + Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. From 5a70a56ff00a6b62ccc43cd3bc665b962b22c6c9 Mon Sep 17 00:00:00 2001 From: Cody Neiman Date: Fri, 12 Feb 2021 23:13:30 -0500 Subject: [PATCH 1923/2384] Initial implementation --- group_vars/matrix_servers | 35 +++++ .../defaults/main.yml | 110 +++++++++++++++ .../tasks/init.yml | 23 ++++ .../tasks/main.yml | 21 +++ .../tasks/setup_install.yml | 127 ++++++++++++++++++ .../tasks/setup_uninstall.yml | 24 ++++ .../tasks/validate_config.yml | 10 ++ .../templates/config.yaml.j2 | 86 ++++++++++++ .../matrix-mx-puppet-groupme.service.j2 | 43 ++++++ setup.yml | 1 + 10 files changed, 480 insertions(+) create mode 100644 roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml create mode 100644 roles/matrix-bridge-mx-puppet-groupme/tasks/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mx-puppet-groupme/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mx-puppet-groupme/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6d54f01d..7e3e131b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -622,6 +622,41 @@ matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key # ###################################################################### +###################################################################### +# +# matrix-bridge-mx-puppet-groupme +# +###################################################################### + +# We don't enable bridges by default. +matrix_mx_puppet_groupme_enabled: false + +matrix_mx_puppet_groupme_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" + +matrix_mx_puppet_groupme_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + }} + +matrix_mx_puppet_groupme_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" + +matrix_mx_puppet_groupme_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" + +matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mx_puppet_groupme_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-mx-puppet-groupme +# +###################################################################### ###################################################################### # diff --git a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml new file mode 100644 index 00000000..911e3d4d --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -0,0 +1,110 @@ +# Mx Puppet GroupMe is a Matrix <-> GroupMe bridge +# See: https://gitlab.com/robintown/mx-puppet-groupme + +matrix_mx_puppet_groupme_enabled: true + +matrix_mx_puppet_groupme_container_image_self_build: false +matrix_mx_puppet_groupme_container_image_self_build_repo: "https://gitlab.com/robintown/mx-puppet-groupme" + +# Controls whether the mx-puppet-groupme container exposes its HTTP port (tcp/8432 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8437"), or empty string to not expose. +matrix_mx_puppet_groupme_container_http_host_bind_port: '' + +matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}jeffcasavant/mx-puppet-groupme:latest" +matrix_mx_puppet_groupme_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_groupme_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_groupme_docker_image_force_pull: "{{ matrix_mx_puppet_groupme_docker_image.endswith(':latest') }}" + +matrix_mx_puppet_groupme_base_path: "{{ matrix_base_data_path }}/mx-puppet-groupme" +matrix_mx_puppet_groupme_config_path: "{{ matrix_mx_puppet_groupme_base_path }}/config" +matrix_mx_puppet_groupme_data_path: "{{ matrix_mx_puppet_groupme_base_path }}/data" +matrix_mx_puppet_groupme_docker_src_files_path: "{{ matrix_mx_puppet_groupme_base_path }}/docker-src" + +matrix_mx_puppet_groupme_appservice_port: "8437" + +matrix_mx_puppet_groupme_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_groupme_homeserver_domain: '{{ matrix_domain }}' +matrix_mx_puppet_groupme_appservice_address: 'http://matrix-mx-puppet-groupme:{{ matrix_mx_puppet_groupme_appservice_port }}' + +matrix_mx_puppet_groupme_client_id: '' +matrix_mx_puppet_groupme_client_secret: '' + +# "@user:server.com" to allow specific user +# "@.*:yourserver.com" to allow users on a specific homeserver +# "@.*" to allow anyone +matrix_mx_puppet_groupme_provisioning_whitelist: + - "@.*:{{ matrix_domain|regex_escape }}" + +# Leave empty to disable blacklist +# "@user:server.com" disallow a specific user +# "@.*:yourserver.com" disallow users on a specific homeserver +matrix_mx_puppet_groupme_provisioning_blacklist: [] + +# A list of extra arguments to pass to the container +matrix_mx_puppet_groupme_container_extra_arguments: [] + +# List of systemd services that matrix-puppet-groupme.service depends on. +matrix_mx_puppet_groupme_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-puppet-groupme.service wants +matrix_mx_puppet_groupme_systemd_wanted_services_list: [] + +matrix_mx_puppet_groupme_appservice_token: '' +matrix_mx_puppet_groupme_homeserver_token: '' + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mx_puppet_groupme_login_shared_secret: '' + +matrix_mx_puppet_groupme_database_engine: sqlite + +matrix_mx_puppet_groupme_sqlite_database_path_local: "{{ matrix_mx_puppet_groupme_data_path }}/database.db" +matrix_mx_puppet_groupme_sqlite_database_path_in_container: "/data/database.db" + +matrix_mx_puppet_groupme_database_username: matrix_mx_puppet_groupme +matrix_mx_puppet_groupme_database_password: ~ +matrix_mx_puppet_groupme_database_hostname: 'matrix-postgres' +matrix_mx_puppet_groupme_database_port: 5432 +matrix_mx_puppet_groupme_database_name: matrix_mx_puppet_groupme + +matrix_mx_puppet_groupme_database_connection_string: 'postgresql://{{ matrix_mx_puppet_groupme_database_username }}:{{ matrix_mx_puppet_groupme_database_password }}@{{ matrix_mx_puppet_groupme_database_hostname }}:{{ matrix_mx_puppet_groupme_database_port }}/{{ matrix_mx_puppet_groupme_database_name }}?sslmode=disable' + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mx_puppet_groupme_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mx_puppet_groupme_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mx_puppet_groupme_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mx_puppet_groupme_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mx_puppet_groupme_configuration_yaml`. + +matrix_mx_puppet_groupme_configuration_extension: "{{ matrix_mx_puppet_groupme_configuration_extension_yaml|from_yaml if matrix_mx_puppet_groupme_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mx_puppet_groupme_configuration_yaml`. +matrix_mx_puppet_groupme_configuration: "{{ matrix_mx_puppet_groupme_configuration_yaml|from_yaml|combine(matrix_mx_puppet_groupme_configuration_extension, recursive=True) }}" + +matrix_mx_puppet_groupme_registration_yaml: | + as_token: "{{ matrix_mx_puppet_groupme_appservice_token }}" + hs_token: "{{ matrix_mx_puppet_groupme_homeserver_token }}" + id: groupme-puppet + namespaces: + users: + - exclusive: true + regex: '@_groupmepuppet_.*:{{ matrix_mx_puppet_groupme_homeserver_domain|regex_escape }}' + rooms: [] + aliases: + - exclusive: true + regex: '#_groupmepuppet_.*:{{ matrix_mx_puppet_groupme_homeserver_domain|regex_escape }}' + protocols: [] + rate_limited: false + sender_localpart: _groupmepuppet_bot + url: {{ matrix_mx_puppet_groupme_appservice_address }} + +matrix_mx_puppet_groupme_registration: "{{ matrix_mx_puppet_groupme_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml new file mode 100644 index 00000000..1f00e8a5 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml @@ -0,0 +1,23 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-groupme.service'] }}" + when: matrix_mx_puppet_groupme_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mx_puppet_groupme_config_path }}/registration.yaml,dst=/matrix-mx-puppet-groupme-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mx-puppet-groupme-registration.yaml"] }} + when: matrix_mx_puppet_groupme_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/main.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/main.yml new file mode 100644 index 00000000..994e7e45 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mx_puppet_groupme_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-groupme + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mx_puppet_groupme_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-groupme + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mx_puppet_groupme_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-groupme diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml new file mode 100644 index 00000000..58fe9485 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml @@ -0,0 +1,127 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mx-puppet-groupme role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- name: Ensure MX Puppet Groupme paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mx_puppet_groupme_base_path }}", when: true } + - { path: "{{ matrix_mx_puppet_groupme_config_path }}", when: true } + - { path: "{{ matrix_mx_puppet_groupme_data_path }}", when: true } + - { path: "{{ matrix_mx_puppet_groupme_docker_src_files_path }}", when: "{{ matrix_mx_puppet_groupme_container_image_self_build }}" } + when: matrix_mx_puppet_groupme_enabled|bool and item.when|bool + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_groupme_base_path }}/database.db" + register: matrix_mx_puppet_groupme_stat_database + +- name: (Data relocation) Ensure matrix-mx-puppet-groupme.service is stopped + service: + name: matrix-mx-puppet-groupme + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mx_puppet_groupme_stat_database.stat.exists" + +- name: (Data relocation) Move mx-puppet-groupme database file to ./data directory + command: "mv {{ matrix_mx_puppet_groupme_base_path }}/database.db {{ matrix_mx_puppet_groupme_data_path }}/database.db" + when: "matrix_mx_puppet_groupme_stat_database.stat.exists" + +- set_fact: + matrix_mx_puppet_groupme_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_mx_puppet_groupme_sqlite_database_path_local }}" + register: matrix_mx_puppet_groupme_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_mx_puppet_groupme_sqlite_database_path_local }}" + dst: "{{ matrix_mx_puppet_groupme_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_mx_puppet_groupme_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-mx-puppet-groupme.service'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_mx_puppet_groupme_requires_restart: true + when: "matrix_mx_puppet_groupme_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_mx_puppet_groupme_database_engine == 'postgres'" + +- name: Ensure MX Puppet Groupme image is pulled + docker_image: + name: "{{ matrix_mx_puppet_groupme_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_groupme_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_groupme_docker_image_force_pull }}" + when: matrix_mx_puppet_groupme_enabled|bool and not matrix_mx_puppet_groupme_container_image_self_build + +- name: Ensure MX Puppet Groupme repository is present on self build + git: + repo: "{{ matrix_mx_puppet_groupme_container_image_self_build_repo }}" + dest: "{{ matrix_mx_puppet_groupme_docker_src_files_path }}" + force: "yes" + register: matrix_mx_puppet_groupme_git_pull_results + when: "matrix_mx_puppet_groupme_enabled|bool and matrix_mx_puppet_groupme_container_image_self_build" + +- name: Ensure MX Puppet Groupme Docker image is built + docker_image: + name: "{{ matrix_mx_puppet_groupme_docker_image }}" + source: build + force_source: "{{ matrix_mx_puppet_groupme_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mx_puppet_groupme_docker_src_files_path }}" + pull: yes + when: "matrix_mx_puppet_groupme_enabled|bool and matrix_mx_puppet_groupme_container_image_self_build" + +- name: Ensure mx-puppet-groupme config.yaml installed + copy: + content: "{{ matrix_mx_puppet_groupme_configuration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_groupme_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mx-puppet-groupme groupme-registration.yaml installed + copy: + content: "{{ matrix_mx_puppet_groupme_registration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_groupme_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mx-puppet-groupme.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-groupme.service.j2" + dest: "/etc/systemd/system/matrix-mx-puppet-groupme.service" + mode: 0644 + register: matrix_mx_puppet_groupme_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mx-puppet-groupme.service installation + service: + daemon_reload: yes + when: "matrix_mx_puppet_groupme_systemd_service_result.changed" + +- name: Ensure matrix-mx-puppet-groupme.service restarted, if necessary + service: + name: "matrix-mx-puppet-groupme.service" + state: restarted + when: "matrix_mx_puppet_groupme_requires_restart|bool" diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml new file mode 100644 index 00000000..cc4fdfa5 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mx-puppet-groupme service + stat: + path: "/etc/systemd/system/matrix-mx-puppet-groupme.service" + register: matrix_mx_puppet_groupme_service_stat + +- name: Ensure matrix-mx-puppet-groupme is stopped + service: + name: matrix-mx-puppet-groupme + state: stopped + daemon_reload: yes + when: "matrix_mx_puppet_groupme_service_stat.stat.exists" + +- name: Ensure matrix-mx-puppet-groupme.service doesn't exist + file: + path: "/etc/systemd/system/matrix-mx-puppet-groupme.service" + state: absent + when: "matrix_mx_puppet_groupme_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mx-puppet-groupme.service removal + service: + daemon_reload: yes + when: "matrix_mx_puppet_groupme_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/validate_config.yml new file mode 100644 index 00000000..5c5463ce --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mx_puppet_groupme_appservice_token" + - "matrix_mx_puppet_groupme_homeserver_token" diff --git a/roles/matrix-bridge-mx-puppet-groupme/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-groupme/templates/config.yaml.j2 new file mode 100644 index 00000000..a9ab7701 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-groupme/templates/config.yaml.j2 @@ -0,0 +1,86 @@ +#jinja2: lstrip_blocks: "True" +bridge: + # Port to host the bridge on + # Used for communication between the homeserver and the bridge + port: {{ matrix_mx_puppet_groupme_appservice_port }} + # The host connections to the bridge's webserver are allowed from + bindAddress: 0.0.0.0 + # Public domain of the homeserver + domain: {{ matrix_mx_puppet_groupme_homeserver_domain }} + # Reachable URL of the Matrix homeserver + homeserverUrl: {{ matrix_mx_puppet_groupme_homeserver_address }} + {% if matrix_mx_puppet_groupme_login_shared_secret != '' %} + loginSharedSecretMap: + {{ matrix_domain }}: {{ matrix_mx_puppet_groupme_login_shared_secret }} + {% endif %} + # Display name of the bridge bot + displayname: GroupMe Puppet Bridge + # Optionally specify a different media URL used for the media store + # + # This is where GroupMe will download user profile pictures and media + # from + #mediaUrl: https://external-url.org + +presence: + # Bridge GroupMe online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 5000 + +provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: {{ matrix_mx_puppet_groupme_provisioning_whitelist|to_json }} + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + #- "@.*:yourserver\\.com" + # Allow anyone + #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + blacklist: {{ matrix_mx_puppet_groupme_provisioning_blacklist|to_json }} + +relay: + # Regex of Matrix IDs who are allowed to use the bridge in relay mode. + # Relay mode is when a single GroupMe bot account relays messages of + # multiple Matrix users + # + # Same format as in provisioning + whitelist: {{ matrix_mx_puppet_groupme_provisioning_whitelist|to_json }} + blacklist: {{ matrix_mx_puppet_groupme_provisioning_blacklist|to_json }} + +selfService: + # Regex of Matrix IDs who are allowed to use bridge self-servicing (plumbed rooms) + # + # Same format as in provisioning + whitelist: {{ matrix_mx_puppet_groupme_provisioning_whitelist|to_json }} + blacklist: {{ matrix_mx_puppet_groupme_provisioning_blacklist|to_json }} + +database: +{% if matrix_mx_puppet_groupme_database_engine == 'postgres' %} + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". + # Modify each value as necessary + connString: {{ matrix_mx_puppet_groupme_database_connection_string|to_json }} +{% else %} + # Use SQLite3 as a database backend + # The name of the database file + filename: {{ matrix_mx_puppet_groupme_sqlite_database_path_in_container|to_json }} +{% endif %} + +logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: [] diff --git a/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 b/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 new file mode 100644 index 00000000..dabafd18 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-groupme/templates/systemd/matrix-mx-puppet-groupme.service.j2 @@ -0,0 +1,43 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mx Puppet Groupme bridge +{% for service in matrix_mx_puppet_groupme_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mx_puppet_groupme_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-groupme 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-groupme 2>/dev/null' + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-groupme \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -e CONFIG_PATH=/config/config.yaml \ + -e REGISTRATION_PATH=/config/registration.yaml \ + -v {{ matrix_mx_puppet_groupme_config_path }}:/config:z \ + -v {{ matrix_mx_puppet_groupme_data_path }}:/data:z \ + {% for arg in matrix_mx_puppet_groupme_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mx_puppet_groupme_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mx-puppet-groupme 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mx-puppet-groupme 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mx-puppet-groupme + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index e7fdae19..c8251c13 100755 --- a/setup.yml +++ b/setup.yml @@ -19,6 +19,7 @@ - matrix-bridge-mautrix-telegram - matrix-bridge-mautrix-whatsapp - matrix-bridge-mx-puppet-discord + - matrix-bridge-mx-puppet-groupme - matrix-bridge-mx-puppet-steam - matrix-bridge-mx-puppet-skype - matrix-bridge-mx-puppet-slack From b900a4a3ba170c579598ad958249da0a0569d760 Mon Sep 17 00:00:00 2001 From: Cody Neiman Date: Sat, 13 Feb 2021 00:50:00 -0500 Subject: [PATCH 1924/2384] Add groupme postgres --- group_vars/matrix_servers | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 7e3e131b..1f1db73c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1212,6 +1212,12 @@ matrix_postgres_additional_databases: | 'password': matrix_mx_puppet_steam_database_password, }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_mx_puppet_groupme_database_name, + 'username': matrix_mx_puppet_groupme_database_username, + 'password': matrix_mx_puppet_groupme_database_password, + }] if (matrix_mx_puppet_groupme_enabled and matrix_mx_puppet_groupme_database_engine == 'postgres' and matrix_mx_puppet_groupme_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_dimension_database_name, 'username': matrix_dimension_database_username, From c9579cf90273b5f140728f72c00e3e439393b037 Mon Sep 17 00:00:00 2001 From: Cody Neiman Date: Sat, 13 Feb 2021 10:55:54 -0500 Subject: [PATCH 1925/2384] Add docs --- README.md | 2 + ...uring-playbook-bridge-mx-puppet-groupme.md | 38 +++++++++++++++++++ docs/configuring-playbook.md | 2 + docs/container-images.md | 2 + 4 files changed, 44 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mx-puppet-groupme.md diff --git a/README.md b/README.md index 55a69bea..2560a7de 100644 --- a/README.md +++ b/README.md @@ -75,6 +75,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge for [Discord](https://discordapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation +- (optional) the [mx-puppet-groupme](https://gitlab.com/robintown/mx-puppet-groupme) bridge for [GroupMe](https://groupme.com/) - see [docs/configuring-playbook-bridge-mx-puppet-groupme.md](docs/configuring-playbook-bridge-mx-puppet-groupme.md) for setup documentation + - (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation - (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms - see [docs/configuring-playbook-email2matrix.md](docs/configuring-playbook-email2matrix.md) for setup documentation diff --git a/docs/configuring-playbook-bridge-mx-puppet-groupme.md b/docs/configuring-playbook-bridge-mx-puppet-groupme.md new file mode 100644 index 00000000..10791729 --- /dev/null +++ b/docs/configuring-playbook-bridge-mx-puppet-groupme.md @@ -0,0 +1,38 @@ +# Setting up MX Puppet GroupMe (optional) + +The playbook can install and configure +[mx-puppet-groupme](https://gitlab.com/robintown/mx-puppet-groupme) for you. + +See the project page to learn what it does and why it might be useful to you. + +To enable the [GroupMe](https://groupme.com/) bridge just use the following +playbook configuration: + + +```yaml +matrix_mx_puppet_groupme_enabled: true +matrix_mx_puppet_groupme_client_id: "" +matrix_mx_puppet_groupme_client_secret: "" +``` + + +## Usage + +Once the bot is enabled you need to start a chat with `GroupMe Puppet Bridge` with +the handle `@_groupmepuppet_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base +domain, not the `matrix.` domain). + +One authentication method is available. + +To link your GroupMe account, go to [dev.groupme.com](https://dev.groupme.com/), sign in, and select "Access Token" from the top menu. Copy the token and message the bridge with: + +``` +link +``` + +Once logged in, send `list` to the bot user to list the available rooms. + +Clicking rooms in the list will result in you receiving an invitation to the +bridged room. + +Also send `help` to the bot to see the commands available. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 70060292..c3fbd276 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -116,6 +116,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up MX Puppet Discord bridging](configuring-playbook-bridge-mx-puppet-discord.md) (optional) +- [Setting up MX Puppet GroupMe bridging](configuring-playbook-bridge-mx-puppet-groupme.md) (optional) + - [Setting up MX Puppet Steam bridging](configuring-playbook-bridge-mx-puppet-steam.md) (optional) - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index 28fce950..8aabf7be 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -70,6 +70,8 @@ These services are not part of our default installation, but can be enabled by [ - [sorunome/mx-puppet-discord](https://hub.docker.com/r/sorunome/mx-puppet-discord) - the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge to [Discord](https://discordapp.com) (optional) +- [xangelix/mx-puppet-groupme](https://hub.docker.com/r/xangelix/mx-puppet-groupme) - the [mx-puppet-groupme](https://gitlab.com/robintown/mx-puppet-groupme) bridge to [GroupMe](https://groupme.com/) (optional) + - [icewind1991/mx-puppet-steam](https://hub.docker.com/r/icewind1991/mx-puppet-steam) - the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge to [Steam](https://steampowered.com) (optional) - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional) From 2b3c143487f04e693921a33f66950429225b3b36 Mon Sep 17 00:00:00 2001 From: Cody Neiman Date: Sat, 13 Feb 2021 11:10:53 -0500 Subject: [PATCH 1926/2384] Update mx-puppet-groupme docker image --- roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml index 911e3d4d..18a1a063 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -11,7 +11,7 @@ matrix_mx_puppet_groupme_container_image_self_build_repo: "https://gitlab.com/ro # Takes an ":" or "" value (e.g. "127.0.0.1:8437"), or empty string to not expose. matrix_mx_puppet_groupme_container_http_host_bind_port: '' -matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}jeffcasavant/mx-puppet-groupme:latest" +matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:latest" matrix_mx_puppet_groupme_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_groupme_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_groupme_docker_image_force_pull: "{{ matrix_mx_puppet_groupme_docker_image.endswith(':latest') }}" From dc5e7eed3f8be894edfe90c96d266abdad581650 Mon Sep 17 00:00:00 2001 From: Cody Neiman Date: Sat, 13 Feb 2021 11:20:35 -0500 Subject: [PATCH 1927/2384] Fix mx-puppet-groupme port typo --- roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml index 18a1a063..c0bafcf0 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -6,7 +6,7 @@ matrix_mx_puppet_groupme_enabled: true matrix_mx_puppet_groupme_container_image_self_build: false matrix_mx_puppet_groupme_container_image_self_build_repo: "https://gitlab.com/robintown/mx-puppet-groupme" -# Controls whether the mx-puppet-groupme container exposes its HTTP port (tcp/8432 in the container). +# Controls whether the mx-puppet-groupme container exposes its HTTP port (tcp/8437 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8437"), or empty string to not expose. matrix_mx_puppet_groupme_container_http_host_bind_port: '' From 3459cc09c9b52b63561708f2051831995ec25acc Mon Sep 17 00:00:00 2001 From: Cody Neiman Date: Sat, 13 Feb 2021 12:55:30 -0500 Subject: [PATCH 1928/2384] Fix listrooms mx-puppet-groupme command --- docs/configuring-playbook-bridge-mx-puppet-groupme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-mx-puppet-groupme.md b/docs/configuring-playbook-bridge-mx-puppet-groupme.md index 10791729..c3b9663f 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-groupme.md +++ b/docs/configuring-playbook-bridge-mx-puppet-groupme.md @@ -30,7 +30,7 @@ To link your GroupMe account, go to [dev.groupme.com](https://dev.groupme.com/), link ``` -Once logged in, send `list` to the bot user to list the available rooms. +Once logged in, send `listrooms` to the bot user to list the available rooms. Clicking rooms in the list will result in you receiving an invitation to the bridged room. From 7d39e5153a871a1db83d37f8f0772d2939c9b089 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 14 Feb 2021 09:12:29 +0200 Subject: [PATCH 1929/2384] Upgrade Postgres minor versions --- roles/matrix-postgres/defaults/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index d96a3ce8..09f3eb61 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -17,11 +17,11 @@ matrix_postgres_architecture: amd64 # > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" -matrix_postgres_docker_image_v9: "docker.io/postgres:9.6.20{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v10: "docker.io/postgres:10.15{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v11: "docker.io/postgres:11.10{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v12: "docker.io/postgres:12.5{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v13: "docker.io/postgres:13.1{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v9: "docker.io/postgres:9.6.21{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v10: "docker.io/postgres:10.16{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v11: "docker.io/postgres:11.11{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v12: "docker.io/postgres:12.6{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v13: "docker.io/postgres:13.2{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" # This variable is assigned at runtime. Overriding its value has no effect. From a8e9f35708fa87746bb15d097d9a76a3f389d2a2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 14 Feb 2021 11:05:05 +0200 Subject: [PATCH 1930/2384] Touch up documentation a bit --- docs/configuring-playbook-nginx.md | 4 ++-- docs/configuring-playbook-ssl-certificates.md | 15 ++++++--------- roles/matrix-nginx-proxy/defaults/main.yml | 8 ++++++-- 3 files changed, 14 insertions(+), 13 deletions(-) diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index 91bed77c..c8500b37 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -64,7 +64,7 @@ matrix_nginx_proxy_access_log_enabled: false This playbook also allows for additional configuration to be applied to the nginx server. -If you want this playbook to obtain and renew certificates for other domains, then you can set the `matrix_ssl_additional_domains_to_obtain_certificates_for` variable. Make sure that you have set the DNS configuration for the domains you want to include to point at your server. +If you want this playbook to obtain and renew certificates for other domains, then you can set the `matrix_ssl_additional_domains_to_obtain_certificates_for` variable (as mentioned in the [Obtaining SSL certificates for additional domains](configuring-playbook-ssl-certificates.md#obtaining-ssl-certificates-for-additional-domains) documentation as well). Make sure that you have set the DNS configuration for the domains you want to include to point at your server. ```yaml matrix_ssl_additional_domains_to_obtain_certificates_for: @@ -72,7 +72,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: - domain.two.example ``` -You can include additional nginx configuration by setting the `matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks` variable. +You can include additional nginx configuration by setting the `matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks` variable. ```yaml matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 7f05a5b2..1b5ea234 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -74,15 +74,12 @@ If you are hosting other domains on the Matrix machine, you can make the playboo To do that, simply define your own custom configuration like this: ```yaml -# Note: we need to explicitly list the aforementioned Matrix domains that you use (Matrix, Element, Dimension). -# In this example, we retrieve an extra certificate - one for the base domain (in the `matrix_domain` variable). +# In this example, we retrieve 2 extra certificates, +# one for the base domain (in the `matrix_domain` variable) and one for a hardcoded domain. # Adding any other additional domains (hosted on the same machine) is possible. -matrix_ssl_domains_to_obtain_certificates_for: - - '{{ matrix_server_fqn_matrix }}' - - '{{ matrix_server_fqn_element }}' - - '{{ matrix_server_fqn_dimension }}' - - '{{ matrix_server_fqn_jitsi }}' +matrix_ssl_additional_domains_to_obtain_certificates_for: - '{{ matrix_domain }}' + - 'another.domain.example.com' ``` After redefining `matrix_ssl_domains_to_obtain_certificates_for`, to actually obtain certificates you should: @@ -91,9 +88,9 @@ After redefining `matrix_ssl_domains_to_obtain_certificates_for`, to actually ob - re-run the SSL part of the playbook and restart all services: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-ssl,start` -The certificate files would be available in `/matrix/ssl/config/live//...`. +The certificate files would be made available in `/matrix/ssl/config/live//...`. For automated certificate renewal to work, each port `80` vhost for each domain you are obtaining certificates for needs to forward requests for `/.well-known/acme-challenge` to the certbot container we use for renewal. See how this is configured for the `matrix.` subdomain in `/matrix/nginx-proxy/conf.d/matrix-synapse.conf` -Don't be alarmed if the above configuraiton file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers. +Don't be alarmed if the above configuration file says port `8080`, instead of port `80`. It's due to port mapping due to our use of containers. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index cb066277..6d2c9856 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -290,8 +290,12 @@ matrix_ssl_retrieval_method: "lets-encrypt" matrix_ssl_architecture: "amd64" -# The list of domains that this role will obtain certificates for. -matrix_ssl_domains_to_obtain_certificates_for: [] +# The full list of domains that this role will obtain certificates for. +# This variable is likely redefined outside of the role, to include the domains that are necessary (depending on the services that are enabled). +# To add additional domain names, consider using `matrix_ssl_additional_domains_to_obtain_certificates_for` instead. +matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" + +# A list of additional domain names to obtain certificates for. matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. From c15d5a58a943a7d2e07b45c85d18662654cc4366 Mon Sep 17 00:00:00 2001 From: Cody Neiman Date: Sun, 14 Feb 2021 13:37:12 -0500 Subject: [PATCH 1931/2384] Make mx-puppet-groupme tokens unique --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1f1db73c..fc6d1dfe 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -642,9 +642,9 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} -matrix_mx_puppet_groupme_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" +matrix_mx_puppet_groupme_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" -matrix_mx_puppet_groupme_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}" +matrix_mx_puppet_groupme_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}" matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" From 453a4ec2d859dcb8563f1e637ee167a2387d0158 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Feb 2021 10:42:20 +0200 Subject: [PATCH 1932/2384] Relocate tasks related to Synapse workers --- roles/matrix-synapse/tasks/init.yml | 2 +- roles/matrix-synapse/tasks/setup_synapse.yml | 2 +- roles/matrix-synapse/tasks/{ => synapse}/workers/setup.yml | 4 ++-- .../tasks/{ => synapse}/workers/setup_install.yml | 2 +- .../tasks/{ => synapse}/workers/setup_uninstall.yml | 0 .../workers/util/inject_systemd_services_for_worker.yml | 0 .../{ => synapse}/workers/util/setup_files_for_worker.yml | 0 7 files changed, 5 insertions(+), 5 deletions(-) rename roles/matrix-synapse/tasks/{ => synapse}/workers/setup.yml (81%) rename roles/matrix-synapse/tasks/{ => synapse}/workers/setup_install.yml (94%) rename roles/matrix-synapse/tasks/{ => synapse}/workers/setup_uninstall.yml (100%) rename roles/matrix-synapse/tasks/{ => synapse}/workers/util/inject_systemd_services_for_worker.yml (100%) rename roles/matrix-synapse/tasks/{ => synapse}/workers/util/setup_files_for_worker.yml (100%) diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index 46c7d22b..60eb3f17 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -3,7 +3,7 @@ when: matrix_synapse_enabled|bool - name: Ensure systemd services for workers are injected - include_tasks: "{{ role_path }}/tasks/workers/util/inject_systemd_services_for_worker.yml" + include_tasks: "{{ role_path }}/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml" with_items: "{{ matrix_synapse_workers_enabled_list }}" loop_control: loop_var: matrix_synapse_worker_details diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml index 68d9f5f6..f8bc05a1 100644 --- a/roles/matrix-synapse/tasks/setup_synapse.yml +++ b/roles/matrix-synapse/tasks/setup_synapse.yml @@ -18,7 +18,7 @@ - import_tasks: "{{ role_path }}/tasks/ext/setup.yml" -- import_tasks: "{{ role_path }}/tasks/workers/setup.yml" +- import_tasks: "{{ role_path }}/tasks/synapse/workers/setup.yml" - import_tasks: "{{ role_path }}/tasks/synapse/setup.yml" diff --git a/roles/matrix-synapse/tasks/workers/setup.yml b/roles/matrix-synapse/tasks/synapse/workers/setup.yml similarity index 81% rename from roles/matrix-synapse/tasks/workers/setup.yml rename to roles/matrix-synapse/tasks/synapse/workers/setup.yml index 3a7e6c98..ce66a2e4 100644 --- a/roles/matrix-synapse/tasks/workers/setup.yml +++ b/roles/matrix-synapse/tasks/synapse/workers/setup.yml @@ -14,8 +14,8 @@ path: "{{ matrix_local_bin_path }}/matrix-synapse-worker-write-pid" state: absent -- include_tasks: "{{ role_path }}/tasks/workers/setup_install.yml" +- include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_install.yml" when: "matrix_synapse_enabled|bool and matrix_synapse_workers_enabled|bool" -- include_tasks: "{{ role_path }}/tasks/workers/setup_uninstall.yml" +- include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_uninstall.yml" when: "not matrix_synapse_workers_enabled|bool" diff --git a/roles/matrix-synapse/tasks/workers/setup_install.yml b/roles/matrix-synapse/tasks/synapse/workers/setup_install.yml similarity index 94% rename from roles/matrix-synapse/tasks/workers/setup_install.yml rename to roles/matrix-synapse/tasks/synapse/workers/setup_install.yml index c77bd737..983f1876 100644 --- a/roles/matrix-synapse/tasks/workers/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/workers/setup_install.yml @@ -36,7 +36,7 @@ with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" - name: Ensure creation of worker systemd service files and configuration files - include_tasks: "{{ role_path }}/tasks/workers/util/setup_files_for_worker.yml" + include_tasks: "{{ role_path }}/tasks/synapse/workers/util/setup_files_for_worker.yml" with_items: "{{ matrix_synapse_workers_enabled_list }}" loop_control: loop_var: matrix_synapse_worker_details diff --git a/roles/matrix-synapse/tasks/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml similarity index 100% rename from roles/matrix-synapse/tasks/workers/setup_uninstall.yml rename to roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml diff --git a/roles/matrix-synapse/tasks/workers/util/inject_systemd_services_for_worker.yml b/roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml similarity index 100% rename from roles/matrix-synapse/tasks/workers/util/inject_systemd_services_for_worker.yml rename to roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml diff --git a/roles/matrix-synapse/tasks/workers/util/setup_files_for_worker.yml b/roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml similarity index 100% rename from roles/matrix-synapse/tasks/workers/util/setup_files_for_worker.yml rename to roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml From 43059bb040aab5a8ed426689b86c84e0030d95d0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Feb 2021 11:19:07 +0200 Subject: [PATCH 1933/2384] Fix metrics listeners for Synapse workers `::` leads to errors like: > socket.gaierror: [Errno -9] Address family for hostname not supported --- roles/matrix-synapse/templates/synapse/worker.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 index 330086ad..36ae5a7e 100644 --- a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -32,7 +32,7 @@ worker_listeners: {% endif %} {% if matrix_synapse_metrics_enabled %} - type: metrics - bind_addresses: ['::'] + bind_addresses: ['0.0.0.0'] port: {{ matrix_synapse_worker_details.metrics_port }} {% endif %} {% endif %} From 85a05f38e873d71baf175effc5be1b1972ab1707 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Feb 2021 11:25:35 +0200 Subject: [PATCH 1934/2384] Allow Synapse worker list to be generated dynamically This leads to much easier management and potential safety features (validation). In the future, we could try to avoid port conflicts as well, but it didn't seem worth the effort to do it now. Our port ranges seem large enough. This can also pave the way for a "presets" feature (similar to `matrix_nginx_proxy_ssl_presets`) which makes it even easier for people to configure worker counts. --- roles/matrix-synapse/defaults/main.yml | 71 +++++++++++----- roles/matrix-synapse/tasks/init.yml | 5 ++ .../tasks/synapse/workers/init.yml | 80 +++++++++++++++++++ .../matrix-synapse/tasks/validate_config.yml | 9 +++ 4 files changed, 147 insertions(+), 18 deletions(-) create mode 100644 roles/matrix-synapse/tasks/synapse/workers/init.yml diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index c25f79b0..058d4a3c 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -301,7 +301,6 @@ matrix_synapse_manhole_enabled: false # Enable support for Synapse workers matrix_synapse_workers_enabled: false - # Controls whether the matrix-synapse container exposes the various worker ports # (see `port` and `metrics_port` in `matrix_synapse_workers_enabled_list`) outside of the container. # @@ -309,23 +308,59 @@ matrix_synapse_workers_enabled: false # It takes "*" to signify "bind on all interfaces" ("0.0.0.0" is IPv4-only). matrix_synapse_workers_container_host_bind_address: '' -# Default list of workers to spawn (order in accord to docs) -# - no endpoints / doesn't need port mapping if port ends on 0 -# - single-instance-only if 2nd last digit of port number is 0 -matrix_synapse_workers_enabled_list: - - { type: generic_worker, port: 18111, metrics_port: 19111 } - - { type: generic_worker, port: 18112, metrics_port: 19112 } - - { type: generic_worker, port: 18113, metrics_port: 19113 } - - { type: generic_worker, port: 18114, metrics_port: 19114 } - - { type: generic_worker, port: 18115, metrics_port: 19115 } - - { type: generic_worker, port: 18116, metrics_port: 19116 } - - { type: pusher, port: 00, metrics_port: 19200 } - - { type: appservice, port: 00, metrics_port: 19300 } - - { type: federation_sender, port: 0, metrics_port: 19400 } - - { type: media_repository, port: 18551, metrics_port: 19551 } -# disable until https://github.com/matrix-org/synapse/issues/8787 resolved -# - { type: user_dir, port: 18661, metrics_port: 19661 } - - { type: frontend_proxy, port: 18771, metrics_port: 19771 } +matrix_synapse_workers_generic_workers_count: 3 +matrix_synapse_workers_generic_workers_port_range_start: 18111 +matrix_synapse_workers_generic_workers_metrics_range_start: 19111 + +# matrix_synapse_workers_pusher_workers_count can only be 0 or 1. More instances are not supported. +matrix_synapse_workers_pusher_workers_count: 1 +matrix_synapse_workers_pusher_workers_metrics_range_start: 19200 + +# matrix_synapse_workers_appservice_workers_count can only be 0 or 1. More instances are not supported. +matrix_synapse_workers_appservice_workers_count: 1 +matrix_synapse_workers_appservice_workers_metrics_range_start: 19300 + +matrix_synapse_workers_federation_sender_workers_count: 1 +matrix_synapse_workers_federation_sender_workers_metrics_range_start: 19400 + +matrix_synapse_workers_media_repository_workers_count: 1 +matrix_synapse_workers_media_repository_workers_port_range_start: 18551 +matrix_synapse_workers_media_repository_workers_metrics_range_start: 19551 + +# Disabled until https://github.com/matrix-org/synapse/issues/8787 is resolved. +matrix_synapse_workers_user_dir_workers_count: 0 +matrix_synapse_workers_user_dir_workers_port_range_start: 18661 +matrix_synapse_workers_user_dir_workers_metrics_range_start: 19661 + +matrix_synapse_workers_frontend_proxy_workers_count: 1 +matrix_synapse_workers_frontend_proxy_workers_port_range_start: 18771 +matrix_synapse_workers_frontend_proxy_workers_metrics_range_start: 19771 + +# Default list of workers to spawn. +# +# Unless you populate this manually, this list is dynamically generated +# based on other variables above: +# - `matrix_synapse_workers_*_workers_count` +# - `matrix_synapse_workers_*_workers_port_range_start` +# - `matrix_synapse_workers_*_workers_port_metrics_range_start` +# +# We advise that you use those variables and let this list be populated dynamically. +# Doing that is simpler and also protects you from shooting yourself in the foot, +# as certain workers can only be spawned just once. +# +# Example of what this needs to look like: +# matrix_synapse_workers_enabled_list: +# - { type: generic_worker, port: 18111, metrics_port: 19111 } +# - { type: generic_worker, port: 18112, metrics_port: 19112 } +# - { type: generic_worker, port: 18113, metrics_port: 19113 } +# - { type: generic_worker, port: 18114, metrics_port: 19114 } +# - { type: generic_worker, port: 18115, metrics_port: 19115 } +# - { type: generic_worker, port: 18116, metrics_port: 19116 } +# - { type: pusher, port: 0, metrics_port: 19200 } +# - { type: appservice, port: 0, metrics_port: 19300 } +# - { type: federation_sender, port: 0, metrics_port: 19400 } +# - { type: media_repository, port: 18551, metrics_port: 19551 } +matrix_synapse_workers_enabled_list: [] # Redis information matrix_synapse_redis_enabled: false diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index 60eb3f17..04b8d2b8 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -1,3 +1,8 @@ +# Unless `matrix_synapse_workers_enabled_list` is explicitly defined, +# we'll generate it dynamically. +- import_tasks: "{{ role_path }}/tasks/synapse/workers/init.yml" + when: "matrix_synapse_enabled and matrix_synapse_workers_enabled and matrix_synapse_workers_enabled_list|length == 0" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse.service'] }}" when: matrix_synapse_enabled|bool diff --git a/roles/matrix-synapse/tasks/synapse/workers/init.yml b/roles/matrix-synapse/tasks/synapse/workers/init.yml new file mode 100644 index 00000000..a4c4f36f --- /dev/null +++ b/roles/matrix-synapse/tasks/synapse/workers/init.yml @@ -0,0 +1,80 @@ +# Below is a huge hack for dynamically building a list of workers and finally assigning it to `matrix_synapse_workers_enabled_list`. +# +# set_fact within a loop does not work reliably in Ansible (it only executes on the first iteration for some reason), +# so we're forced to do something much uglier. + +- name: Build generic workers + set_fact: + worker: + type: 'generic_worker' + port: "{{ matrix_synapse_workers_generic_workers_port_range_start + item }}" + metrics_port: "{{ matrix_synapse_workers_generic_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_generic_workers" + loop: "{{ range(0, matrix_synapse_workers_generic_workers_count)|list }}" + +- name: Build federation sender workers + set_fact: + worker: + type: 'federation_sender' + port: 0 + metrics_port: "{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_federation_sender_workers" + loop: "{{ range(0, matrix_synapse_workers_federation_sender_workers_count)|list }}" + +# This type of worker can only have a count of 1, at most +- name: Build pusher workers + set_fact: + worker: + type: 'pusher' + port: 0 + metrics_port: "{{ matrix_synapse_workers_pusher_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_pusher_workers" + loop: "{{ range(0, matrix_synapse_workers_pusher_workers_count)|list }}" + +# This type of worker can only have a count of 1, at most +- name: Build appservice workers + set_fact: + worker: + type: 'appservice' + port: 0 + metrics_port: "{{ matrix_synapse_workers_appservice_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_appservice_workers" + loop: "{{ range(0, matrix_synapse_workers_appservice_workers_count)|list }}" + +- name: Build media_repository workers + set_fact: + worker: + type: 'media_repository' + port: "{{ matrix_synapse_workers_media_repository_workers_port_range_start + item }}" + metrics_port: "{{ matrix_synapse_workers_media_repository_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_media_repository_workers" + loop: "{{ range(0, matrix_synapse_workers_media_repository_workers_count)|list }}" + +- name: Build frontend_proxy workers + set_fact: + worker: + type: 'frontend_proxy' + port: "{{ matrix_synapse_workers_frontend_proxy_workers_port_range_start + item }}" + metrics_port: "{{ matrix_synapse_workers_frontend_proxy_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_frontend_proxy_workers" + loop: "{{ range(0, matrix_synapse_workers_frontend_proxy_workers_count)|list }}" + +- set_fact: + matrix_synapse_dynamic_workers_list: "{{ matrix_synapse_dynamic_workers_list|default([]) + [item.ansible_facts.worker] }}" + with_items: | + {{ + matrix_synapse_workers_list_results_generic_workers.results + + + matrix_synapse_workers_list_results_federation_sender_workers.results + + + matrix_synapse_workers_list_results_pusher_workers.results + + + matrix_synapse_workers_list_results_appservice_workers.results + + + matrix_synapse_workers_list_results_media_repository_workers.results + + + matrix_synapse_workers_list_results_frontend_proxy_workers.results + }} + +- set_fact: + matrix_synapse_workers_enabled_list: "{{ matrix_synapse_dynamic_workers_list }}" diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index b2c1f3a7..d05718d9 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -12,6 +12,15 @@ - "matrix_synapse_database_password" - "matrix_synapse_database_database" +- name: Fail if asking for more than 1 instance of single-instance workers + fail: + msg: >- + `{{ item }}` cannot be more than 1. This is a single-instance worker. + when: "vars[item] > 1" + with_items: + - "matrix_synapse_workers_appservice_workers_count" + - "matrix_synapse_workers_pusher_workers_count" + - name: (Deprecation) Catch and report renamed settings fail: msg: >- From 61e427d690c2ed9ebb28d6b2671e0415c3e2898f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Feb 2021 11:37:03 +0200 Subject: [PATCH 1935/2384] Do not let people enable more than 1 federation_sender worker --- roles/matrix-synapse/defaults/main.yml | 3 +++ roles/matrix-synapse/tasks/validate_config.yml | 1 + 2 files changed, 4 insertions(+) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 058d4a3c..31af47bc 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -320,6 +320,9 @@ matrix_synapse_workers_pusher_workers_metrics_range_start: 19200 matrix_synapse_workers_appservice_workers_count: 1 matrix_synapse_workers_appservice_workers_metrics_range_start: 19300 +# matrix_synapse_workers_federation_sender_workers_count can only be 0 or 1 for now. +# More instances are not supported due to a playbook limitation having to do with keeping `federation_sender_instances` in `homeserver.yaml` updated. +# See https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappfederation_sender matrix_synapse_workers_federation_sender_workers_count: 1 matrix_synapse_workers_federation_sender_workers_metrics_range_start: 19400 diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index d05718d9..283483b4 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -20,6 +20,7 @@ with_items: - "matrix_synapse_workers_appservice_workers_count" - "matrix_synapse_workers_pusher_workers_count" + - "matrix_synapse_workers_federation_sender_workers_count" - name: (Deprecation) Catch and report renamed settings fail: From 1434c371bd4c699783a21a2e321f2d8afce2e9f1 Mon Sep 17 00:00:00 2001 From: Marc Leuser Date: Mon, 15 Feb 2021 10:46:23 +0100 Subject: [PATCH 1936/2384] safer port binding of etherpad docker container don't bind to any host port if nginx_proxy is used only bind to localhost if it's not used --- group_vars/matrix_servers | 2 ++ roles/matrix-etherpad/defaults/main.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 11d6e715..843dfb20 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -765,6 +765,8 @@ matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | pas matrix_etherpad_enabled: false +matrix_etherpad_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9001' }}" + matrix_etherpad_systemd_required_services_list: | {{ ['docker.service'] diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 28bb0c8d..d5cac2f3 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -19,7 +19,7 @@ matrix_etherpad_user_gid: '5001' # Controls whether the matrix-etherpad container exposes its HTTP port (tcp/9001 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:9001"), or empty string to not expose. -matrix_etherpad_container_http_host_bind_port: '9001' +matrix_etherpad_container_http_host_bind_port: '' # A list of extra arguments to pass to the container matrix_etherpad_container_extra_arguments: [] From fd3d48bb6d7f1e1584d2e7d1ba20580be1d103f4 Mon Sep 17 00:00:00 2001 From: Marc Leuser Date: Mon, 15 Feb 2021 10:50:45 +0100 Subject: [PATCH 1937/2384] trust the reverse proxy by default --- roles/matrix-etherpad/defaults/main.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index d5cac2f3..e7ba6002 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -22,7 +22,12 @@ matrix_etherpad_user_gid: '5001' matrix_etherpad_container_http_host_bind_port: '' # A list of extra arguments to pass to the container -matrix_etherpad_container_extra_arguments: [] +# +# We assume that a reverse proxy is used and tell the container to trust it +# Details: https://github.com/ether/etherpad-lite/blob/develop/doc/docker.md +matrix_etherpad_container_extra_arguments: [ + '--env TRUST_PROXY=true' +] matrix_etherpad_public_endpoint: '/etherpad' From 6e72fb9a585302e3bf73f81268320bbcdb2f9e94 Mon Sep 17 00:00:00 2001 From: foxcris <361299+foxcris@users.noreply.github.com> Date: Mon, 15 Feb 2021 20:41:06 +0100 Subject: [PATCH 1938/2384] - added a description howto use the postgres-backup role --- docs/configuring-playbook-postgres-backup.md | 42 ++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 docs/configuring-playbook-postgres-backup.md diff --git a/docs/configuring-playbook-postgres-backup.md b/docs/configuring-playbook-postgres-backup.md new file mode 100644 index 00000000..282700c4 --- /dev/null +++ b/docs/configuring-playbook-postgres-backup.md @@ -0,0 +1,42 @@ +# Setting up postgres backup (optional) + +The playbook can install and configure [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) for you. + +## Adjusting the playbook configuration + +| Name | Default value | Description | +| :-------------------------------- | :--------------------------- | :--------------------------------------------------------------- | +|matrix_postgres_backaup_enabled|false|Set to true to use [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) to create automatic database backups| +|matrix_postgres_backup_schedule| '@daily' |Cron-schedule specifying the interval between postgres backups.| +|matrix_postgres_backup_keep_days|"7"|Number of daily backups to keep| +|matrix_postgres_backup_keep_weeks|"4"|Number of weekly backups to keep| +|matrix_postgres_backup_keep_months|"12"|Number of monthly backups to keep| +|matrix_postgres_backup_path | "{{ matrix_base_data_path }}/postgres-backup" | Storagepath for the database backups| +|matrix_postgres_backup_matrix_reminder_bot_enabled| false | Set to true to backup matrix_reminder_bot database. Per default matrix-reminder-bot uses an sqlite database. Only use this if you are using a postgres database for matrix-reminder-bot. | +|matrix_postgres_backup_matrix_appservice_discord_enabled| false | Set to true to backup matrix_appservice_discord database. Per default matrix_appservice_discord uses an sqlite database. Only use this if you are using a postgres database for matrix_appservice_discord. | +|matrix_postgres_backup_matrix_appservice_irc_enabled| false | Set to true to backup matrix_appservice_irc database. Per default matrix_appservice_irc uses an nedb database. Only use this if you are using a postgres database for matrix_appservice_irc. | +|matrix_postgres_backup_matrix_appservice_slack_enabled| false | Set to true to backup matrix_appservice_slack database. Per default matrix_appservice_slack uses an nedb database. Only use this if you are using a postgres database for matrix_appservice_slack. | +|matrix_postgres_backup_matrix_mautrix_facebook_enabled| false | Set to true to backup matrix_mautrix_facebook database. Per default matrix_mautrix_facebook uses an postgresned database. | +|matrix_postgres_backup_matrix_mautrix_hangouts_enabled| false | Set to true to backup _matrix_mautrix_hangouts database. Per default _matrix_mautrix_hangouts uses an sqlite database. Only use this if you are using a postgres database for _matrix_mautrix_hangouts. | +|matrix_postgres_backup_matrix_mautrix_signal_enabled| false | Set to true to backup matrix_mautrix_signal database. Per default matrix_mautrix_signal uses an postgres database. | +|matrix_postgres_backup_matrix_mautrix_telegram_enabled| false | Set to true to backup matrix_mautrix_telegram database. Per default matrix_mautrix_telegram uses an sqlite database. Only use this if you are using a postgres database for matrix_mautrix_telegram. | +|matrix_postgres_backup_matrix_mautrix_whatsapp_enabled| false | Set to true to backup matrix_mautrix_whatsapp database. Per default matrix_mautrix_whatsapp uses an sqlite database. Only use this if you are using a postgres database for matrix_mautrix_whatsapp. | +|matrix_postgres_backup_matrix_mx_puppet_discord_enabled| false | Set to true to backup matrix_mx_puppet_discord database. Per default matrix_mx_puppet_discord uses an sqlite database. Only use this if you are using a postgres database for matrix_mx_puppet_discord. | +|matrix_postgres_backup_matrix_mx_puppet_instagram_enabled| false | Set to true to backup matrix_mx_puppet_instagram database. Per default matrix_mx_puppet_instagram uses an sqlite database. Only use this if you are using a postgres database for matrix_mx_puppet_instagram. | +|matrix_postgres_backup_matrix_mx_puppet_skype_enabled| false | Set to true to backup matrix_mx_puppet_skype database. Per default matrix_mx_puppet_skype uses an sqlite database. Only use this if you are using a postgres database for matrix_mx_puppet_skype. | +|matrix_postgres_backup_matrix_mx_puppet_slack_enabled| false | Set to true to backup matrix_mx_puppet_slack database. Per default matrix_mx_puppet_slack uses an sqlite database. Only use this if you +|matrix_postgres_backup_matrix_mx_puppet_steam_enabled| false | Set to true to backup matrix_mx_puppet_steam database. Per default matrix_mx_puppet_steam uses an sqlite database. Only use this if you are using a postgres database for matrix_mx_puppet_steam. | +|matrix_postgres_backup_matrix_mx_puppet_twitter_enabled| false | Set to true to backup matrix_mx_puppet_twitter database. Per default matrix_mx_puppet_twitter uses an sqlite database. Only use this if you are using a postgres database for matrix_mx_puppet_twitter. | +|matrix_postgres_backup_matrix_dimension_enabled| false | Set to true to backup matrix_dimension database. Per default matrix_dimension uses an sqlite database. Only use this if you are using a postgres database for matrix_dimension. | +|matrix_postgres_backup_matrix_etherpad_enabled| false | Set to true to backup matrix_etherpad database. Per default matrix_etherpad uses an sqlite database. Only use this if you are using a postgres database for matrix_etherpad. | +|matrix_postgres_backup_matrix_ma1sd_enabled| false | Set to true to backup matrix_ma1sd database. Per default matrix_ma1sd uses an sqlite database. Only use this if you are using a postgres database for matrix_ma1sd. | +|matrix_postgres_backup_matrix_registration_enabled| false | Set to true to backup matrix_registration database. Per default matrix_registration uses an sqlite database. Only use this if you are using a postgres database for matrix_registration. | +|matrix_postgres_backup_matrix_synapse_enabled| true | Set to false to disabble backup of matrix_synapse database. | + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` \ No newline at end of file From ba7148e52e2c355a438adda084ccebb44f5d4ebc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 Feb 2021 10:44:35 +0200 Subject: [PATCH 1939/2384] Update configuring-playbook-matrix-corporal.md --- docs/configuring-playbook-matrix-corporal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index 15de634e..fb12e94a 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -89,4 +89,4 @@ The following local filesystem paths are mounted in the `matrix-corporal` contai - `/matrix/corporal/cache` is mounted at `/var/cache/matrix-corporal` (read and write) -As an example: you can create your own configuration files in `/matrix/corporal/config` and they will appear in `/etc/matrix-corporal` in the Docker container. Your configuration (stuff in `matrix_corporal_policy_provider_config`) needs to refer to these files via the local container path `/etc/matrix-corporal` +As an example: you can create your own configuration files in `/matrix/corporal/config` and they will appear in `/etc/matrix-corporal` in the Docker container. Your configuration (stuff in `matrix_corporal_policy_provider_config`) needs to refer to these files via the local container paths - `/etc/matrix-corporal` (read-only), `/var/matrix-corporal` (read and write), `/var/cache/matrix-corporal` (read and write). From 865d71e35a14375276fabf90d402df2da0f39065 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 Feb 2021 13:44:28 +0200 Subject: [PATCH 1940/2384] Upgrade Element (1.7.20 -> 1.7.21) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index f2c46443..db2e7945 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.20" +matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 521160c12fe7d9c52f69606507c599a48c81d0d6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 Feb 2021 17:30:48 +0200 Subject: [PATCH 1941/2384] Upgrade Synapse (v1.26.0 -> v1.27.0) --- roles/matrix-synapse/defaults/main.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 162 +++++++++++++++--- 2 files changed, 135 insertions(+), 29 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 62a8c347..ddd7f517 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -11,7 +11,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # The if statement below may look silly at times (leading to the same version being returned), # but ARM-compatible container images are only released 1-7 hours after a release, # so we may often be on different versions for different architectures when new Synapse releases come out. -matrix_synapse_docker_image_tag: "{{ 'v1.26.0' if matrix_architecture == 'amd64' else 'v1.26.0' }}" +matrix_synapse_docker_image_tag: "{{ 'v1.27.0' if matrix_architecture == 'amd64' else 'v1.26.0' }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 702f6540..c9ee406f 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -50,10 +50,6 @@ pid_file: /homeserver.pid # Otherwise, it should be the URL to reach Synapse's client HTTP listener (see # 'listeners' below). # -# If this is left unset, it defaults to 'https:///'. (Note that -# that will not work unless you configure Synapse or a reverse-proxy to listen -# on port 443.) -# public_baseurl: https://{{ matrix_server_fqn_matrix }}/ # Set the soft limit on the number of file descriptors synapse can use @@ -785,6 +781,9 @@ log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" # users are joining rooms the server is already in (this is cheap) vs # "remote" for when users are trying to join rooms not on the server (which # can be more expensive) +# - one for ratelimiting how often a user or IP can attempt to validate a 3PID. +# - two for ratelimiting how often invites can be sent in a room or to a +# specific user. # # The defaults are as shown below. # @@ -821,7 +820,18 @@ rc_login: {{ matrix_synapse_rc_login|to_json }} # remote: # per_second: 0.01 # burst_count: 3 - +# +#rc_3pid_validation: +# per_second: 0.003 +# burst_count: 5 +# +#rc_invites: +# per_room: +# per_second: 0.3 +# burst_count: 10 +# per_user: +# per_second: 0.003 +# burst_count: 5 # Ratelimiting settings for incoming federation # @@ -1121,9 +1131,8 @@ account_validity: # send an email to the account's email address with a renewal link. By # default, no such emails are sent. # - # If you enable this setting, you will also need to fill out the 'email' - # configuration section. You should also check that 'public_baseurl' is set - # correctly. + # If you enable this setting, you will also need to fill out the 'email' and + # 'public_baseurl' configuration sections. # #renew_at: 1w @@ -1220,7 +1229,8 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} # The identity server which we suggest that clients should use when users log # in on this server. # -# (By default, no suggestion is made, so it is left up to the client.) +# (By default, no suggestion is made, so it is left up to the client. +# This setting is ignored unless public_baseurl is also set.) # #default_identity_server: https://matrix.org @@ -1245,6 +1255,8 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} # by the Matrix Identity Service API specification: # https://matrix.org/docs/spec/identity_service/latest # +# If a delegate is specified, the config option public_baseurl must also be filled out. +# account_threepid_delegates: email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} @@ -1529,10 +1541,10 @@ trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }} # enable SAML login. # # Once SAML support is enabled, a metadata file will be exposed at -# https://:/_matrix/saml2/metadata.xml, which you may be able to +# https://:/_synapse/client/saml2/metadata.xml, which you may be able to # use to configure your SAML IdP with. Alternatively, you can manually configure # the IdP to use an ACS location of -# https://:/_matrix/saml2/authn_response. +# https://:/_synapse/client/saml2/authn_response. # saml2_config: # `sp_config` is the configuration for the pysaml2 Service Provider. @@ -1768,17 +1780,21 @@ saml2_config: # # For the default provider, the following settings are available: # -# sub: name of the claim containing a unique identifier for the -# user. Defaults to 'sub', which OpenID Connect compliant -# providers should provide. +# subject_claim: name of the claim containing a unique identifier +# for the user. Defaults to 'sub', which OpenID Connect +# compliant providers should provide. # # localpart_template: Jinja2 template for the localpart of the MXID. # If this is not set, the user will be prompted to choose their -# own username. +# own username (see 'sso_auth_account_details.html' in the 'sso' +# section of this file). # # display_name_template: Jinja2 template for the display name to set # on first login. If unset, no displayname will be set. # +# email_template: Jinja2 template for the email address of the user. +# If unset, no email address will be added to the account. +# # extra_attributes: a map of Jinja2 templates for extra attributes # to send back to the client during login. # Note that these are non-standard and clients will ignore them @@ -1813,7 +1829,12 @@ oidc_providers: # token_endpoint: "https://accounts.example.com/oauth2/token" # userinfo_endpoint: "https://accounts.example.com/userinfo" # jwks_uri: "https://accounts.example.com/.well-known/jwks.json" - # skip_verification: true + # user_mapping_provider: + # config: + # subject_claim: "id" + # localpart_template: "{ user.login }" + # display_name_template: "{ user.name }" + # email_template: "{ user.email }" # For use with Keycloak # @@ -1828,6 +1849,7 @@ oidc_providers: # #- idp_id: github # idp_name: Github + # idp_brand: org.matrix.github # discover: false # issuer: "https://github.com/" # client_id: "your-client-id" # TO BE FILLED @@ -1855,10 +1877,6 @@ cas_config: # #server_url: "https://cas-server.com" - # The public URL of the homeserver. - # - #service_url: "https://homeserver.domain.com:8448" - # The attribute of the CAS response to use as the display name. # # If unset, no displayname will be set. @@ -1890,9 +1908,9 @@ sso: # phishing attacks from evil.site. To avoid this, include a slash after the # hostname: "https://my.client/". # - # The login fallback page (used by clients that don't natively support the - # required login flows) is automatically whitelisted in addition to any URLs - # in this list. + # If public_baseurl is set, then the login fallback page (used by clients + # that don't natively support the required login flows) is whitelisted in + # addition to any URLs in this list. # # By default, this list is empty. # @@ -1913,15 +1931,19 @@ sso: # # When rendering, this template is given the following variables: # * redirect_url: the URL that the user will be redirected to after - # login. Needs manual escaping (see - # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # login. # # * server_name: the homeserver's name. # # * providers: a list of available Identity Providers. Each element is # an object with the following attributes: + # # * idp_id: unique identifier for the IdP # * idp_name: user-facing name for the IdP + # * idp_icon: if specified in the IdP config, an MXC URI for an icon + # for the IdP + # * idp_brand: if specified in the IdP config, a textual identifier + # for the brand of the IdP # # The rendered HTML page should contain a form which submits its results # back as a GET request, with the following query parameters: @@ -1931,17 +1953,101 @@ sso: # # * idp: the 'idp_id' of the chosen IDP. # + # * HTML page to prompt new users to enter a userid and confirm other + # details: 'sso_auth_account_details.html'. This is only shown if the + # SSO implementation (with any user_mapping_provider) does not return + # a localpart. + # + # When rendering, this template is given the following variables: + # + # * server_name: the homeserver's name. + # + # * idp: details of the SSO Identity Provider that the user logged in + # with: an object with the following attributes: + # + # * idp_id: unique identifier for the IdP + # * idp_name: user-facing name for the IdP + # * idp_icon: if specified in the IdP config, an MXC URI for an icon + # for the IdP + # * idp_brand: if specified in the IdP config, a textual identifier + # for the brand of the IdP + # + # * user_attributes: an object containing details about the user that + # we received from the IdP. May have the following attributes: + # + # * display_name: the user's display_name + # * emails: a list of email addresses + # + # The template should render a form which submits the following fields: + # + # * username: the localpart of the user's chosen user id + # + # * HTML page allowing the user to consent to the server's terms and + # conditions. This is only shown for new users, and only if + # `user_consent.require_at_registration` is set. + # + # When rendering, this template is given the following variables: + # + # * server_name: the homeserver's name. + # + # * user_id: the user's matrix proposed ID. + # + # * user_profile.display_name: the user's proposed display name, if any. + # + # * consent_version: the version of the terms that the user will be + # shown + # + # * terms_url: a link to the page showing the terms. + # + # The template should render a form which submits the following fields: + # + # * accepted_version: the version of the terms accepted by the user + # (ie, 'consent_version' from the input variables). + # + # * HTML page for a confirmation step before redirecting back to the client + # with the login token: 'sso_redirect_confirm.html'. + # + # When rendering, this template is given the following variables: + # + # * redirect_url: the URL the user is about to be redirected to. + # + # * display_url: the same as `redirect_url`, but with the query + # parameters stripped. The intention is to have a + # human-readable URL to show to users, not to use it as + # the final address to redirect to. + # + # * server_name: the homeserver's name. + # + # * new_user: a boolean indicating whether this is the user's first time + # logging in. + # + # * user_id: the user's matrix ID. + # + # * user_profile.avatar_url: an MXC URI for the user's avatar, if any. + # None if the user has not set an avatar. + # + # * user_profile.display_name: the user's display name. None if the user + # has not set a display name. + # # * HTML page which notifies the user that they are authenticating to confirm # an operation on their account during the user interactive authentication # process: 'sso_auth_confirm.html'. # # When rendering, this template is given the following variables: - # * redirect_url: the URL the user is about to be redirected to. Needs - # manual escaping (see - # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # * redirect_url: the URL the user is about to be redirected to. # # * description: the operation which the user is being asked to confirm # + # * idp: details of the Identity Provider that we will use to confirm + # the user's identity: an object with the following attributes: + # + # * idp_id: unique identifier for the IdP + # * idp_name: user-facing name for the IdP + # * idp_icon: if specified in the IdP config, an MXC URI for an icon + # for the IdP + # * idp_brand: if specified in the IdP config, a textual identifier + # for the brand of the IdP + # # * HTML page shown after a successful user interactive authentication session: # 'sso_auth_success.html'. # From d33483b8ce1221d2b457626d2fce8e8afcd93a2c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 Feb 2021 17:45:41 +0200 Subject: [PATCH 1942/2384] Document that Synapse pusher worker instances are shardable Related to: - https://github.com/matrix-org/synapse/pull/9407 - https://github.com/matrix-org/synapse/pull/7855 --- roles/matrix-synapse/defaults/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a60530c3..17f2556a 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -312,7 +312,9 @@ matrix_synapse_workers_generic_workers_count: 3 matrix_synapse_workers_generic_workers_port_range_start: 18111 matrix_synapse_workers_generic_workers_metrics_range_start: 19111 -# matrix_synapse_workers_pusher_workers_count can only be 0 or 1. More instances are not supported. +# matrix_synapse_workers_pusher_workers_count can only be 0 or 1 for now. +# More instances are not supported due to a playbook limitation having to do with keeping `pusher_instances` in `homeserver.yaml` updated. +# See https://github.com/matrix-org/synapse/commit/ddfdf945064925eba761ae3748e38f3a1c73c328 matrix_synapse_workers_pusher_workers_count: 1 matrix_synapse_workers_pusher_workers_metrics_range_start: 19200 From 85e4c1690572dc2c801ea4cccf024b00f1dad628 Mon Sep 17 00:00:00 2001 From: Joel Bennett Date: Wed, 17 Feb 2021 01:37:52 -0500 Subject: [PATCH 1943/2384] Change the new app link to use classsic apps Until [this issue](https://github.com/matrix-org/matrix-appservice-slack/issues/348) is fixed --- docs/configuring-playbook-bridge-appservice-slack.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-appservice-slack.md b/docs/configuring-playbook-bridge-appservice-slack.md index 371195b6..a409a050 100644 --- a/docs/configuring-playbook-bridge-appservice-slack.md +++ b/docs/configuring-playbook-bridge-appservice-slack.md @@ -27,7 +27,7 @@ matrix_appservice_slack_control_room_id: "Your matrix admin room id" Note that the bot's domain is your server's domain **without the `matrix.` prefix.** -5. Create a new Slack App [here](https://api.slack.com/apps). +5. Create a Classic Slack App [here](https://api.slack.com/apps?new_classic_app=1). Name the app "matrixbot" (or anything else you'll remember). From 996f732f98f45750e486037624fb8cf4661748ce Mon Sep 17 00:00:00 2001 From: rakshazi Date: Thu, 18 Feb 2021 12:05:21 +0000 Subject: [PATCH 1944/2384] Update synapse-admin (0.6.1 -> 0.7.0) --- roles/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 1dbf0ad2..ce0ccd39 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:0.6.1" +matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:0.7.0" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else 'docker.io/' }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From 05bf1c045b839c8c94e2382a84525af16b2c3c50 Mon Sep 17 00:00:00 2001 From: pushytoxin Date: Thu, 18 Feb 2021 15:57:05 +0100 Subject: [PATCH 1945/2384] Use the yaml callback plugin when running ansible-playbook The default default Ansible screen output encodes and prints error outputs as a hard to read dense line of JSON. This patch changes the ansible-playbook command behavior for this project to output yaml instead. --- ansible.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible.cfg b/ansible.cfg index 0ae274f7..360ce153 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,5 +1,6 @@ [defaults] retry_files_enabled = False +stdout_callback = yaml [connection] pipelining = True From d6c4d41c2b9ff16967190e57cb1bad213711e6ab Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 18 Feb 2021 18:19:51 +0200 Subject: [PATCH 1946/2384] Define instanceId property on workers This give us the possibility to run multiple instances of workers that that don't expose a port. Right now, we don't support that, but in the future we could run multiple `federation_sender` or `pusher` workers, without them fighting over naming (previously, they'd all be named something like `matrix-synapse-worker-pusher-0`, because they'd all define `port` as `0`). --- .../nginx/conf.d/matrix-synapse.conf.j2 | 8 +++--- roles/matrix-synapse/defaults/main.yml | 28 +++++++++++-------- .../tasks/synapse/workers/init.yml | 6 ++++ .../inject_systemd_services_for_worker.yml | 14 +++++++++- .../workers/util/setup_files_for_worker.yml | 5 ++-- 5 files changed, 42 insertions(+), 19 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 6801f4f9..0b44678c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -14,7 +14,7 @@ ip_hash; {% for worker in generic_workers %} - server "matrix-synapse-worker-{{ worker.type }}-{{ worker.port }}:{{ worker.port }}"; + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; {% endfor %} } {% endif %} @@ -22,7 +22,7 @@ {% if frontend_proxy_workers %} upstream frontend_proxy_upstream { {% for worker in frontend_proxy_workers %} - server "matrix-synapse-worker-{{ worker.type }}-{{ worker.port }}:{{ worker.port }}"; + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; {% endfor %} } {% endif %} @@ -30,7 +30,7 @@ {% if media_repository_workers %} upstream media_repository_upstream { {% for worker in media_repository_workers %} - server "matrix-synapse-worker-{{ worker.type }}-{{ worker.port }}:{{ worker.port }}"; + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; {% endfor %} } {% endif %} @@ -38,7 +38,7 @@ {% if user_dir_workers %} upstream user_dir_upstream { {% for worker in user_dir_workers %} - server "matrix-synapse-worker-{{ worker.type }}-{{ worker.port }}:{{ worker.port }}"; + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; {% endfor %} } {% endif %} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 17f2556a..dc7f4347 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -353,18 +353,24 @@ matrix_synapse_workers_frontend_proxy_workers_metrics_range_start: 19771 # Doing that is simpler and also protects you from shooting yourself in the foot, # as certain workers can only be spawned just once. # -# Example of what this needs to look like: +# Each worker instance in the list defines the following fields: +# - `type` - the type of worker (`generic_worker`, etc.) +# - `instanceId` - a string that identifies the worker. The combination of (`type` + `instanceId`) represents the name of the worker and must be unique. +# - `port` - an HTTP port where the worker listens for requests (can be `0` for workers that don't do HTTP request processing) +# - `metrics_port` - an HTTP port where the worker exports Prometheus metrics +# +# Example of what this needs to look like, if you're defining it manually: # matrix_synapse_workers_enabled_list: -# - { type: generic_worker, port: 18111, metrics_port: 19111 } -# - { type: generic_worker, port: 18112, metrics_port: 19112 } -# - { type: generic_worker, port: 18113, metrics_port: 19113 } -# - { type: generic_worker, port: 18114, metrics_port: 19114 } -# - { type: generic_worker, port: 18115, metrics_port: 19115 } -# - { type: generic_worker, port: 18116, metrics_port: 19116 } -# - { type: pusher, port: 0, metrics_port: 19200 } -# - { type: appservice, port: 0, metrics_port: 19300 } -# - { type: federation_sender, port: 0, metrics_port: 19400 } -# - { type: media_repository, port: 18551, metrics_port: 19551 } +# - { type: generic_worker, instanceId: '18111', port: 18111, metrics_port: 19111 } +# - { type: generic_worker, instanceId: '18112', port: 18112, metrics_port: 19112 } +# - { type: generic_worker, instanceId: '18113', port: 18113, metrics_port: 19113 } +# - { type: generic_worker, instanceId: '18114', port: 18114, metrics_port: 19114 } +# - { type: generic_worker, instanceId: '18115', port: 18115, metrics_port: 19115 } +# - { type: generic_worker, instanceId: '18116', port: 18116, metrics_port: 19116 } +# - { type: pusher, instanceId: '0', port: 0, metrics_port: 19200 } +# - { type: appservice, instanceId: '0', port: 0, metrics_port: 19300 } +# - { type: federation_sender, instanceId: '0', port: 0, metrics_port: 19400 } +# - { type: media_repository, instanceId: '18551', port: 18551, metrics_port: 19551 } matrix_synapse_workers_enabled_list: [] # Redis information diff --git a/roles/matrix-synapse/tasks/synapse/workers/init.yml b/roles/matrix-synapse/tasks/synapse/workers/init.yml index a4c4f36f..204a0841 100644 --- a/roles/matrix-synapse/tasks/synapse/workers/init.yml +++ b/roles/matrix-synapse/tasks/synapse/workers/init.yml @@ -7,6 +7,7 @@ set_fact: worker: type: 'generic_worker' + instanceId: "{{ matrix_synapse_workers_generic_workers_port_range_start + item }}" port: "{{ matrix_synapse_workers_generic_workers_port_range_start + item }}" metrics_port: "{{ matrix_synapse_workers_generic_workers_metrics_range_start + item }}" register: "matrix_synapse_workers_list_results_generic_workers" @@ -16,6 +17,7 @@ set_fact: worker: type: 'federation_sender' + instanceId: "{{ item }}" port: 0 metrics_port: "{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start + item }}" register: "matrix_synapse_workers_list_results_federation_sender_workers" @@ -26,6 +28,7 @@ set_fact: worker: type: 'pusher' + instanceId: "{{ item }}" port: 0 metrics_port: "{{ matrix_synapse_workers_pusher_workers_metrics_range_start + item }}" register: "matrix_synapse_workers_list_results_pusher_workers" @@ -36,6 +39,7 @@ set_fact: worker: type: 'appservice' + instanceId: "{{ item }}" port: 0 metrics_port: "{{ matrix_synapse_workers_appservice_workers_metrics_range_start + item }}" register: "matrix_synapse_workers_list_results_appservice_workers" @@ -45,6 +49,7 @@ set_fact: worker: type: 'media_repository' + instanceId: "{{ matrix_synapse_workers_media_repository_workers_port_range_start + item }}" port: "{{ matrix_synapse_workers_media_repository_workers_port_range_start + item }}" metrics_port: "{{ matrix_synapse_workers_media_repository_workers_metrics_range_start + item }}" register: "matrix_synapse_workers_list_results_media_repository_workers" @@ -54,6 +59,7 @@ set_fact: worker: type: 'frontend_proxy' + instanceId: "{{ matrix_synapse_workers_frontend_proxy_workers_port_range_start + item }}" port: "{{ matrix_synapse_workers_frontend_proxy_workers_port_range_start + item }}" metrics_port: "{{ matrix_synapse_workers_frontend_proxy_workers_metrics_range_start + item }}" register: "matrix_synapse_workers_list_results_frontend_proxy_workers" diff --git a/roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml b/roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml index c95f881a..62b42625 100644 --- a/roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml +++ b/roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml @@ -1,6 +1,18 @@ +# The tasks below run before `validate_config.yml`. +# To avoid failing with a cryptic error message, we'll do validation here. +# +# This check is mostly relevant to people who explicitly define `matrix_synapse_workers_enabled_list` +# (Synapse Workers users from the earlier days of this PR - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456). +# +# In the future, it should be possible to remove this check. +# Our own code which dynamically builds `matrix_synapse_workers_enabled_list` does things right. +- name: Fail if instanceId not defined for worker + fail: + msg: "Synapse workers (like {{ matrix_synapse_worker_details|to_json }}) need to define an instanceId property (type + instanceId must be unique)" + when: "'instanceId' not in matrix_synapse_worker_details" - set_fact: - matrix_synapse_worker_systemd_service_name: "matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.port }}.service" + matrix_synapse_worker_systemd_service_name: "matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.instanceId }}.service" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + [matrix_synapse_worker_systemd_service_name] }}" diff --git a/roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml b/roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml index 6a15e048..93ed6575 100644 --- a/roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml +++ b/roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml @@ -1,12 +1,11 @@ - - set_fact: - matrix_synapse_worker_systemd_service_name: "matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.port }}" + matrix_synapse_worker_systemd_service_name: "matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.instanceId }}" - set_fact: matrix_synapse_worker_container_name: "{{ matrix_synapse_worker_systemd_service_name }}" - set_fact: - matrix_synapse_worker_config_file_name: "worker.{{ matrix_synapse_worker_details.type }}_{{ matrix_synapse_worker_details.port }}.yaml" + matrix_synapse_worker_config_file_name: "worker.{{ matrix_synapse_worker_details.type }}_{{ matrix_synapse_worker_details.instanceId }}.yaml" - name: Ensure configuration exists for {{ matrix_synapse_worker_systemd_service_name }} template: From 005f4d57f9f26da9f35d4c9f556fca20792fd0dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Thu, 18 Feb 2021 17:39:36 +0100 Subject: [PATCH 1947/2384] Remove mention of sqlite3 support for Etherpad The official Etherpad Docker image has no support for sqlite3 databases. --- group_vars/matrix_servers | 2 -- roles/matrix-etherpad/defaults/main.yml | 11 ++--------- roles/matrix-etherpad/templates/settings.json.j2 | 14 +++++--------- .../templates/systemd/matrix-etherpad.service.j2 | 5 ----- 4 files changed, 7 insertions(+), 25 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 843dfb20..11e15def 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -774,8 +774,6 @@ matrix_etherpad_systemd_required_services_list: | (['matrix-postgres.service'] if matrix_postgres_enabled else []) }} -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) -matrix_etherpad_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_etherpad_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'etherpad.db') | to_uuid }}" ###################################################################### diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index e7ba6002..7c63fe03 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -36,15 +36,8 @@ matrix_etherpad_base_url: "https://{{ matrix_server_fqn_dimension }}{{ matrix_et # Database-related configuration fields. # -# Etherpad recommends using a dedicated database, and supports Sqlite only for development -# -# To use Postgres: -# - change the engine (`matrix_etherpad_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_etherpad_postgres_*` variables -matrix_etherpad_database_engine: 'sqlite' - -matrix_etherpad_sqlite_database_path_local: "{{ matrix_etherpad_base_path }}/etherpad.db" -matrix_etherpad_sqlite_database_path_in_container: "/data/etherpad.db" +# Etherpad requires a dedicated database +matrix_etherpad_database_engine: 'postgres' matrix_etherpad_database_username: 'matrix_etherpad' matrix_etherpad_database_password: 'some-password' diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 index 6435cf6d..b3b87f43 100644 --- a/roles/matrix-etherpad/templates/settings.json.j2 +++ b/roles/matrix-etherpad/templates/settings.json.j2 @@ -8,15 +8,11 @@ "showSettingsInAdminPage": true, "dbType": {{ matrix_etherpad_database_engine|to_json }}, "dbSettings": { - {% if matrix_etherpad_database_engine == 'sqlite' %} - "filename": {{ matrix_etherpad_sqlite_database_path_in_container|to_json }} - {% elif matrix_etherpad_database_engine == 'postgres' %} - "database": {{ matrix_etherpad_database_name|to_json }}, - "host": {{ matrix_etherpad_database_hostname|to_json }}, - "password": {{ matrix_etherpad_database_password|to_json }}, - "port": {{ matrix_etherpad_database_port|to_json }}, - "user": {{ matrix_etherpad_database_username|to_json }} - {% endif %} + "database": {{ matrix_etherpad_database_name|to_json }}, + "host": {{ matrix_etherpad_database_hostname|to_json }}, + "password": {{ matrix_etherpad_database_password|to_json }}, + "port": {{ matrix_etherpad_database_port|to_json }}, + "user": {{ matrix_etherpad_database_username|to_json }} }, "defaultPadText" : {{ matrix_etherpad_default_pad_text|to_json }}, "suppressErrorsInPadText": false, diff --git a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 index 6f662aa7..b8a26664 100644 --- a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 +++ b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 @@ -16,11 +16,6 @@ Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-etherpad ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-etherpad -# Fixup database ownership if it got changed somehow (during a server migration, etc.) -{% if matrix_etherpad_database_engine == 'sqlite' %} -ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_etherpad_user_uid }} {{ matrix_etherpad_sqlite_database_path_local }} -{% endif %} - ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-etherpad \ --log-driver=none \ --user={{ matrix_etherpad_user_uid }}:{{ matrix_etherpad_user_gid }} \ From 65eab14a64654168e12921a65d899e4c3ee818d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Thu, 18 Feb 2021 17:43:14 +0100 Subject: [PATCH 1948/2384] Make sure Etherpad has a database to write to --- roles/matrix-etherpad/tasks/validate_config.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-etherpad/tasks/validate_config.yml b/roles/matrix-etherpad/tasks/validate_config.yml index 77623558..c76dc3b5 100644 --- a/roles/matrix-etherpad/tasks/validate_config.yml +++ b/roles/matrix-etherpad/tasks/validate_config.yml @@ -3,3 +3,9 @@ msg: >- To integrate Etherpad notes with Matrix rooms you need to set "matrix_dimension_enabled" to true when: "not matrix_dimension_enabled|bool" + +- name: Fail if no database is configured for Etherpad + fail: + msg: >- + Etherpad requires a dedicated Postgres database. Please enable the built in one, or configure an external DB by redefining "matrix_etherpad_database_hostname" + when: matrix_etherpad_database_hostname == "matrix-postgres" and not matrix_postgres_enabled From d5f2d99ac7634372583231f372828a31750c14a3 Mon Sep 17 00:00:00 2001 From: Marcus Date: Thu, 18 Feb 2021 20:48:56 +0100 Subject: [PATCH 1949/2384] fix wrong json parameter fixes HTTP 400 Error: "{\"errcode\":\"M_MISSING_PARAM\",\"error\":\"Missing key 'avatar_url'\"}" --- docs/configuring-playbook-bridge-appservice-webhooks.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-webhooks.md b/docs/configuring-playbook-bridge-appservice-webhooks.md index a4851146..3654bfa4 100644 --- a/docs/configuring-playbook-bridge-appservice-webhooks.md +++ b/docs/configuring-playbook-bridge-appservice-webhooks.md @@ -45,7 +45,7 @@ matrix_appservice_webhooks_log_level: '' "text": "Hello world!", "format": "plain", "displayName": "My Cool Webhook", - "avatarUrl": "http://i.imgur.com/IDOBtEJ.png" + "avatar_url": "http://i.imgur.com/IDOBtEJ.png" } ``` @@ -57,7 +57,7 @@ curl --header "Content-Type: application/json" \ "text": "Hello world!", "format": "plain", "displayName": "My Cool Webhook", -"avatarUrl": "http://i.imgur.com/IDOBtEJ.png" +"avatar_url": "http://i.imgur.com/IDOBtEJ.png" }' \ ``` From c3fcaa5afe333b14abdaaca789d15ef3cc9d3926 Mon Sep 17 00:00:00 2001 From: Martha Sokolska Date: Fri, 19 Feb 2021 02:37:01 +0100 Subject: [PATCH 1950/2384] Add Netlify instructions --- docs/configuring-well-known.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 5e910c3b..2bedaeed 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -148,6 +148,13 @@ backend matrix-backend rsprep ^Location:\ (http|https)://matrix.example.com\/(.*) Location:\ \1://matrix.example.com/.well-known/matrix/\2 if response-is-redirect ``` +**For Netlify**, it would be something like this: + +``` +# In the _redirects file in the website's root +/.well-known/matrix/* https://matrix.DOMAIN/.well-known/matrix/:splat 200! +``` + Make sure to: - **replace `DOMAIN`** in the server configuration with your actual domain name From 217b4a8808839212987c76b2f60890d3882fb4d2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Feb 2021 09:09:13 +0200 Subject: [PATCH 1951/2384] Release Synapse v1.27.0 to ARM32 via self-building Related to: https://matrix.org/blog/2021/02/18/synapse-1-27-0-released#dropping-armv7-docker-images --- group_vars/matrix_servers | 2 +- roles/matrix-synapse/defaults/main.yml | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 11e15def..cbb43fa8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1269,7 +1269,7 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr # ###################################################################### -matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm32', 'arm64', 'amd64'] }}" +matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" # When ma1sd is enabled, we can use it to validate email addresses and phone numbers. # Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server. diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index ddd7f517..1b6db986 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -11,7 +11,11 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # The if statement below may look silly at times (leading to the same version being returned), # but ARM-compatible container images are only released 1-7 hours after a release, # so we may often be on different versions for different architectures when new Synapse releases come out. -matrix_synapse_docker_image_tag: "{{ 'v1.27.0' if matrix_architecture == 'amd64' else 'v1.26.0' }}" +# +# amd64 gets released first. +# arm32 relies on self-building, so the same version can be built immediately. +# arm64 users need to wait for a prebuilt image to become available. +matrix_synapse_docker_image_tag: "{{ 'v1.27.0' if matrix_architecture in ['arm32', 'amd64'] else 'v1.26.0' }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 2f732e4234cba5db64e590edf08c9162822ef87a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Feb 2021 11:36:14 +0200 Subject: [PATCH 1952/2384] Update Synapse worker endpoints --- roles/matrix-synapse/vars/workers.yml | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index a3b50dc4..3adfd9c3 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -51,7 +51,6 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|unstable)/joined_groups$ - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$ - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/ - - ^/_synapse/client/password_reset/email/submit_token$ # Registration/login requests - ^/_matrix/client/(api/v1|r0|unstable)/login$ @@ -86,28 +85,33 @@ matrix_synapse_workers_generic_worker_endpoints: # to use SSO (you only need to include the ones for whichever SSO provider you're # using): + # for all SSO providers + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_matrix/client/(api/v1|r0|unstable)/login/sso/redirect + # ^/_synapse/client/pick_idp$ + # ^/_synapse/client/pick_username + # ^/_synapse/client/new_user_consent$ + # ^/_synapse/client/sso_register$ + # OpenID Connect requests. # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_matrix/client/(api/v1|r0|unstable)/login/sso/redirect$ - # ^/_synapse/oidc/callback$ + # ^/_synapse/client/oidc/callback$ # SAML requests. # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_matrix/client/(api/v1|r0|unstable)/login/sso/redirect$ - # ^/_matrix/saml2/authn_response$ + # ^/_synapse/client/saml2/authn_response$ # CAS requests. # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_matrix/client/(api/v1|r0|unstable)/login/(cas|sso)/redirect$ # ^/_matrix/client/(api/v1|r0|unstable)/login/cas/ticket$ - # Note that a HTTP listener with `client` and `federation` resources must be - # configured in the `worker_listeners` option in the worker config. - - # Ensure that all SSO logins go to a single process (usually the main process). + # Ensure that all SSO logins go to a single process. # For multiple workers not handling the SSO endpoints properly, see # [#7530](https://github.com/matrix-org/synapse/issues/7530). + # Note that a HTTP listener with `client` and `federation` resources must be + # configured in the `worker_listeners` option in the worker config. + # #### Load balancing # It is possible to run multiple instances of this worker app, with incoming requests From eaea2152820badabe3c057db61eb0077c3c9e572 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Feb 2021 11:36:48 +0200 Subject: [PATCH 1953/2384] Allow Synapse workers to be used with an external nginx webserver We're talking about a webserver running on the same machine, which imports the configuration files generated by the `matrix-nginx-proxy` in the `/matrix/nginx-proxy/conf.d` directory. Users who run an nginx webserver on some other machine will need to do something different. --- .../nginx/conf.d/matrix-synapse.conf.j2 | 24 +++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 0b44678c..7041468e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -14,7 +14,11 @@ ip_hash; {% for worker in generic_workers %} - server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; + {% if matrix_nginx_proxy_enabled %} + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; + {% else %} + server "127.0.0.1:{{ worker.port }}"; + {% endif %} {% endfor %} } {% endif %} @@ -22,7 +26,11 @@ {% if frontend_proxy_workers %} upstream frontend_proxy_upstream { {% for worker in frontend_proxy_workers %} - server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; + {% if matrix_nginx_proxy_enabled %} + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; + {% else %} + server "127.0.0.1:{{ worker.port }}"; + {% endif %} {% endfor %} } {% endif %} @@ -30,7 +38,11 @@ {% if media_repository_workers %} upstream media_repository_upstream { {% for worker in media_repository_workers %} - server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; + {% if matrix_nginx_proxy_enabled %} + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; + {% else %} + server "127.0.0.1:{{ worker.port }}"; + {% endif %} {% endfor %} } {% endif %} @@ -38,7 +50,11 @@ {% if user_dir_workers %} upstream user_dir_upstream { {% for worker in user_dir_workers %} - server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; + {% if matrix_nginx_proxy_enabled %} + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; + {% else %} + server "127.0.0.1:{{ worker.port }}"; + {% endif %} {% endfor %} } {% endif %} From 9dc87bb948d57196158956306d6b58f491b7d27d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Feb 2021 11:38:47 +0200 Subject: [PATCH 1954/2384] Add Synapse worker presets for easier configuration Adding more presets in the future would be nice. --- docs/configuring-playbook-synapse.md | 22 +++++++--- roles/matrix-synapse/defaults/main.yml | 43 ++++++++++++++++--- .../tasks/synapse/workers/init.yml | 12 +++--- .../matrix-synapse/tasks/validate_config.yml | 2 +- 4 files changed, 60 insertions(+), 19 deletions(-) diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index 29afa70e..bdfdfa63 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md @@ -19,18 +19,30 @@ Alternatively, **if there is no pre-defined variable** for a Synapse setting you ## Load balancing with workers -To have synapse gracefully handle thousands of users, worker support should be enabled. It factors out some homeserver tasks and spreads the load of incoming client and server-to-server traffic between multiple processes. More information can be found at https://github.com/matrix-org/synapse/blob/master/docs/workers.md (which, coincidentally, also is the file which an awk script extracts the endpoint URLs from when running with tag `setup-synapse`). -To enable synapse worker support, set +To have Synapse gracefully handle thousands of users, worker support should be enabled. It factors out some homeserver tasks and spreads the load of incoming client and server-to-server traffic between multiple processes. More information can be found in the [official Synapse workers documentation](https://github.com/matrix-org/synapse/blob/master/docs/workers.md). + +To enable Synapse worker support, update your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: ```yaml matrix_synapse_workers_enabled: true ``` -in your `inventory/host_vars/matrix.DOMAIN/vars.yml` file. -There, you can also override the default `matrix_synapse_workers_enabled_list` from [`roles/matrix-synapse/defaults/main.yml`](../roles/matrix-synapse/defaults/main.yml). +We support a few configuration presets (`matrix_synapse_workers_preset: one-of-each` being the default configuration): +- `little-federation-helper` - a very minimal worker configuration to improve federation performance +- `one-of-each` - one worker of each supported type + +If you'd like more customization power, you can start with one of the presets and tweak various `matrix_synapse_workers_*_count` variables manually. + +If you increase worker counts too much, you may need to increase the maximum number of Postgres connections too (example): + +```yaml +matrix_postgres_process_extra_arguments: [ + "-c 'max_connections=200'" +] +``` -If you are not using the inbuilt nginx proxy container but an instance managed by yourself, you are currently on your own as the template needs yet to be adapted to better support this use case. +If you're using the default setup (the `matrix-nginx-proxy` webserver being enabled) or you're using your own `nginx` server (which imports the configuration files generated by the playbook), you're good to go. If you use some other webserver, you may need to tweak your reverse-proxy setup manually to forward traffic to the various workers. In case any problems occur, make sure to have a look at the [list of synapse issues about workers](https://github.com/matrix-org/synapse/issues?q=workers+in%3Atitle) and your `journalctl --unit 'matrix-*'`. diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index dc7f4347..04678136 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -301,6 +301,35 @@ matrix_synapse_manhole_enabled: false # Enable support for Synapse workers matrix_synapse_workers_enabled: false +# Specifies worker configuration that should be used when workers are enabled. +# +# The posible values (as seen in `matrix_synapse_workers_presets`) are: +# - "little-federation-helper" - a very minimal worker configuration to improve federation performance +# - "one-of-each" - one worker of each supported type +# +# You can override `matrix_synapse_workers_presets` to define your own presets, which is ill-advised, because it's fragile. +# To use a more custom configuration, start with one of these presets as a base and configure `matrix_synapse_workers_*_count` variables manually, to suit your liking. +matrix_synapse_workers_preset: one-of-each + +matrix_synapse_workers_presets: + little-federation-helper: + generic_workers_count: 0 + pusher_workers_count: 0 + appservice_workers_count: 0 + federation_sender_workers_count: 1 + media_repository_workers_count: 0 + user_dir_workers_count: 0 + frontend_proxy_workers_count: 0 + one-of-each: + generic_workers_count: 1 + pusher_workers_count: 1 + appservice_workers_count: 1 + federation_sender_workers_count: 1 + media_repository_workers_count: 1 + # Disabled until https://github.com/matrix-org/synapse/issues/8787 is resolved. + user_dir_workers_count: 0 + frontend_proxy_workers_count: 1 + # Controls whether the matrix-synapse container exposes the various worker ports # (see `port` and `metrics_port` in `matrix_synapse_workers_enabled_list`) outside of the container. # @@ -308,36 +337,36 @@ matrix_synapse_workers_enabled: false # It takes "*" to signify "bind on all interfaces" ("0.0.0.0" is IPv4-only). matrix_synapse_workers_container_host_bind_address: '' -matrix_synapse_workers_generic_workers_count: 3 +matrix_synapse_workers_generic_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['generic_workers_count'] }}" matrix_synapse_workers_generic_workers_port_range_start: 18111 matrix_synapse_workers_generic_workers_metrics_range_start: 19111 # matrix_synapse_workers_pusher_workers_count can only be 0 or 1 for now. # More instances are not supported due to a playbook limitation having to do with keeping `pusher_instances` in `homeserver.yaml` updated. # See https://github.com/matrix-org/synapse/commit/ddfdf945064925eba761ae3748e38f3a1c73c328 -matrix_synapse_workers_pusher_workers_count: 1 +matrix_synapse_workers_pusher_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['pusher_workers_count'] }}" matrix_synapse_workers_pusher_workers_metrics_range_start: 19200 # matrix_synapse_workers_appservice_workers_count can only be 0 or 1. More instances are not supported. -matrix_synapse_workers_appservice_workers_count: 1 +matrix_synapse_workers_appservice_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['appservice_workers_count'] }}" matrix_synapse_workers_appservice_workers_metrics_range_start: 19300 # matrix_synapse_workers_federation_sender_workers_count can only be 0 or 1 for now. # More instances are not supported due to a playbook limitation having to do with keeping `federation_sender_instances` in `homeserver.yaml` updated. # See https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappfederation_sender -matrix_synapse_workers_federation_sender_workers_count: 1 +matrix_synapse_workers_federation_sender_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['federation_sender_workers_count'] }}" matrix_synapse_workers_federation_sender_workers_metrics_range_start: 19400 -matrix_synapse_workers_media_repository_workers_count: 1 +matrix_synapse_workers_media_repository_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['media_repository_workers_count'] }}" matrix_synapse_workers_media_repository_workers_port_range_start: 18551 matrix_synapse_workers_media_repository_workers_metrics_range_start: 19551 # Disabled until https://github.com/matrix-org/synapse/issues/8787 is resolved. -matrix_synapse_workers_user_dir_workers_count: 0 +matrix_synapse_workers_user_dir_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['user_dir_workers_count'] }}" matrix_synapse_workers_user_dir_workers_port_range_start: 18661 matrix_synapse_workers_user_dir_workers_metrics_range_start: 19661 -matrix_synapse_workers_frontend_proxy_workers_count: 1 +matrix_synapse_workers_frontend_proxy_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['frontend_proxy_workers_count'] }}" matrix_synapse_workers_frontend_proxy_workers_port_range_start: 18771 matrix_synapse_workers_frontend_proxy_workers_metrics_range_start: 19771 diff --git a/roles/matrix-synapse/tasks/synapse/workers/init.yml b/roles/matrix-synapse/tasks/synapse/workers/init.yml index 204a0841..c6fc32c3 100644 --- a/roles/matrix-synapse/tasks/synapse/workers/init.yml +++ b/roles/matrix-synapse/tasks/synapse/workers/init.yml @@ -11,7 +11,7 @@ port: "{{ matrix_synapse_workers_generic_workers_port_range_start + item }}" metrics_port: "{{ matrix_synapse_workers_generic_workers_metrics_range_start + item }}" register: "matrix_synapse_workers_list_results_generic_workers" - loop: "{{ range(0, matrix_synapse_workers_generic_workers_count)|list }}" + loop: "{{ range(0, matrix_synapse_workers_generic_workers_count|int)|list }}" - name: Build federation sender workers set_fact: @@ -21,7 +21,7 @@ port: 0 metrics_port: "{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start + item }}" register: "matrix_synapse_workers_list_results_federation_sender_workers" - loop: "{{ range(0, matrix_synapse_workers_federation_sender_workers_count)|list }}" + loop: "{{ range(0, matrix_synapse_workers_federation_sender_workers_count|int)|list }}" # This type of worker can only have a count of 1, at most - name: Build pusher workers @@ -32,7 +32,7 @@ port: 0 metrics_port: "{{ matrix_synapse_workers_pusher_workers_metrics_range_start + item }}" register: "matrix_synapse_workers_list_results_pusher_workers" - loop: "{{ range(0, matrix_synapse_workers_pusher_workers_count)|list }}" + loop: "{{ range(0, matrix_synapse_workers_pusher_workers_count|int)|list }}" # This type of worker can only have a count of 1, at most - name: Build appservice workers @@ -43,7 +43,7 @@ port: 0 metrics_port: "{{ matrix_synapse_workers_appservice_workers_metrics_range_start + item }}" register: "matrix_synapse_workers_list_results_appservice_workers" - loop: "{{ range(0, matrix_synapse_workers_appservice_workers_count)|list }}" + loop: "{{ range(0, matrix_synapse_workers_appservice_workers_count|int)|list }}" - name: Build media_repository workers set_fact: @@ -53,7 +53,7 @@ port: "{{ matrix_synapse_workers_media_repository_workers_port_range_start + item }}" metrics_port: "{{ matrix_synapse_workers_media_repository_workers_metrics_range_start + item }}" register: "matrix_synapse_workers_list_results_media_repository_workers" - loop: "{{ range(0, matrix_synapse_workers_media_repository_workers_count)|list }}" + loop: "{{ range(0, matrix_synapse_workers_media_repository_workers_count|int)|list }}" - name: Build frontend_proxy workers set_fact: @@ -63,7 +63,7 @@ port: "{{ matrix_synapse_workers_frontend_proxy_workers_port_range_start + item }}" metrics_port: "{{ matrix_synapse_workers_frontend_proxy_workers_metrics_range_start + item }}" register: "matrix_synapse_workers_list_results_frontend_proxy_workers" - loop: "{{ range(0, matrix_synapse_workers_frontend_proxy_workers_count)|list }}" + loop: "{{ range(0, matrix_synapse_workers_frontend_proxy_workers_count|int)|list }}" - set_fact: matrix_synapse_dynamic_workers_list: "{{ matrix_synapse_dynamic_workers_list|default([]) + [item.ansible_facts.worker] }}" diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index 283483b4..f7631111 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -16,7 +16,7 @@ fail: msg: >- `{{ item }}` cannot be more than 1. This is a single-instance worker. - when: "vars[item] > 1" + when: "vars[item]|int > 1" with_items: - "matrix_synapse_workers_appservice_workers_count" - "matrix_synapse_workers_pusher_workers_count" From b754c2778b38698002b575d0c6e68a0c17495dd3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Feb 2021 11:39:58 +0200 Subject: [PATCH 1955/2384] Announce Synapse workers support --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 54031268..3138a96a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,18 @@ +# 2021-02-19 + +## Synapse workers support + +After [lots and lots of work](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456) (done over many months by [Marcel Partap](https://github.com/eMPee584), [Max Klenk](https://github.com/maxklenk), a few others from the [Technical University of Dresden, Germany](https://tu-dresden.de/) and various other contributors), support for Synapse workers has finally landed. + +Having support for workers makes the playbook suitable for larger homeserver deployments. + +Our setup is not yet perfect (we don't support all types of workers; scaling some of them (like `pusher`, `federation_sender`) beyond a single instance is not yet supported). Still, it's a great start and can already power homeservers with thousands of users, like the [Matrix deployment at TU Dresden](https://doc.matrix.tu-dresden.de/en/) discussed in [Matrix Live S06E09 - TU Dresden on their Matrix deployment](https://www.youtube.com/watch?v=UHJX2pmT2gk). + +By default, workers are disabled and Synapse runs as a single process (homeservers don't necessarily need the complexity and increased memory requirements of running a worker-based setup). + +To enable Synapse workers, follow our [Load balancing with workers](docs/configuring-playbook-synapse.md#load-balancing-with-workers) documentation. + + # 2021-02-12 ## (Potential Breaking Change) Monitoring/metrics support using Prometheus and Grafana From e56fcbbc0de79953e668f9faab81c7661286b160 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Feb 2021 11:54:47 +0200 Subject: [PATCH 1956/2384] Announce mx-puppet-groupme support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/872 --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3138a96a..dfa28cca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,14 @@ # 2021-02-19 +## GroupMe bridging support via mx-puppet-groupme + +Thanks to [Cody Neiman](https://github.com/xangelix), the playbook can now install the [mx-puppet-groupme](https://gitlab.com/robintown/mx-puppet-groupme) bridge for bridging to [GroupMe](https://groupme.com). + +This brings the total number of bridges supported by the playbook up to 18. See all supported bridges [here](docs/configuring-playbook.md#bridging-other-networks). + +To get started, follow our [Setting up MX Puppet GroupMe](docs/configuring-playbook-bridge-mx-puppet-groupme.md) docs. + + ## Synapse workers support After [lots and lots of work](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456) (done over many months by [Marcel Partap](https://github.com/eMPee584), [Max Klenk](https://github.com/maxklenk), a few others from the [Technical University of Dresden, Germany](https://tu-dresden.de/) and various other contributors), support for Synapse workers has finally landed. From 9f91eaa54b59293495dc63e966be818fd9cf680a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Feb 2021 12:12:21 +0200 Subject: [PATCH 1957/2384] Fix incorrect service name Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/887 --- roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml index 744f474d..141e61ba 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml @@ -7,7 +7,7 @@ - name: Ensure matrix-matrix-reminder-bot is stopped service: - name: matrix-matrix-reminder-bot + name: matrix-bot-matrix-reminder-bot state: stopped daemon_reload: yes register: stopping_result From 1dbdfeec07335873bd652ef1ac32114b12ecb3a9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Feb 2021 15:52:55 +0200 Subject: [PATCH 1958/2384] Fix matrix-postgres stopping for consistency with other services This probably got lost somehow in all the work that happened in https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456 --- .../templates/systemd/matrix-postgres.service.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index e61137ed..c14d317e 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -8,7 +8,7 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} stop matrix-postgres +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ @@ -34,7 +34,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ {{ arg }} \ {% endfor %} -ExecStop=-{{ matrix_host_command_docker }} stop matrix-postgres +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' Restart=always RestartSec=30 From 108aed53bec7fa685c59bb74446d47ca488d3e88 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Feb 2021 16:33:21 +0200 Subject: [PATCH 1959/2384] Fix invalid matrix-postgres.service when matrix_postgres_process_extra_arguments is empty This only seems to be affecting some people badly enough to cause matrix-postgres not to start. Certain systemd versions probably handle it better or something. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/889 (hopefully) --- .../templates/systemd/matrix-postgres.service.j2 | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index c14d317e..6d1b1c6f 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -29,10 +29,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ {{ arg }} \ {% endfor %} {{ matrix_postgres_docker_image_to_use }} \ - postgres \ - {% for arg in matrix_postgres_process_extra_arguments %} - {{ arg }} \ - {% endfor %} + postgres {{ matrix_postgres_process_extra_arguments|join(' ') }} ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' From b99372a3c58b13b22e2d2e874280f7adcde1c966 Mon Sep 17 00:00:00 2001 From: Marcus Proest Date: Fri, 19 Feb 2021 12:58:54 +0100 Subject: [PATCH 1960/2384] initial commit of mautrix-instagram role --- ...uring-playbook-bridge-mautrix-instagram.md | 17 ++ group_vars/matrix_servers | 46 ++++ .../defaults/main.yml | 103 ++++++++ .../tasks/init.yml | 23 ++ .../tasks/main.yml | 21 ++ .../tasks/setup_install.yml | 80 ++++++ .../tasks/setup_uninstall.yml | 23 ++ .../tasks/validate_config.yml | 9 + .../templates/config.yaml.j2 | 234 ++++++++++++++++++ .../matrix-mautrix-instagram.service.j2 | 42 ++++ setup.yml | 1 + 11 files changed, 599 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mautrix-instagram.md create mode 100644 roles/matrix-bridge-mautrix-instagram/defaults/main.yml create mode 100644 roles/matrix-bridge-mautrix-instagram/tasks/init.yml create mode 100644 roles/matrix-bridge-mautrix-instagram/tasks/main.yml create mode 100644 roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mautrix-instagram/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 create mode 100644 roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 diff --git a/docs/configuring-playbook-bridge-mautrix-instagram.md b/docs/configuring-playbook-bridge-mautrix-instagram.md new file mode 100644 index 00000000..7cdbc7a8 --- /dev/null +++ b/docs/configuring-playbook-bridge-mautrix-instagram.md @@ -0,0 +1,17 @@ +# Setting up Mautrix Instagram (optional) + +The playbook can install and configure [mautrix-instagram](https://github.com/tulir/mautrix-instagram) for you. + +See the project's [documentation](https://docs.mau.fi/bridges/python/instagram/index.html) to learn what it does and why it might be useful to you. + +```yaml +matrix_mautrix_instagram_enabled: true +``` + +## Usage + +You then need to start a chat with `@instagrambot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). + +Send `login YOUR_INSTAGRAM_EMAIL_ADDRESS YOUR_INSTAGRAM_PASSWORD` to the bridge bot to enable bridging for your instagram/Messenger account. + +You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/instagram/authentication.html). diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index cbb43fa8..7bf05bea 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -261,6 +261,46 @@ matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_ke ###################################################################### +###################################################################### +# +# matrix-bridge-mautrix-instagram +# +###################################################################### + +# We don't enable bridges by default. +matrix_mautrix_instagram_enabled: false + +matrix_mautrix_instagram_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" + +matrix_mautrix_instagram_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + }} + +matrix_mautrix_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.as.token') | to_uuid }}" + +matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.hs.token') | to_uuid }}" + +matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" + +# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain +# and point them to a migration path. +matrix_mautrix_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_mautrix_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.ig.db') | to_uuid }}" + +###################################################################### +# +# /matrix-bridge-mautrix-instagram +# +###################################################################### + + ###################################################################### # # matrix-bridge-mautrix-signal @@ -1125,6 +1165,12 @@ matrix_postgres_additional_databases: | 'password': matrix_mautrix_hangouts_database_password, }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else []) + + ([{ + 'name': matrix_mautrix_instagram_database_name, + 'username': matrix_mautrix_instagram_database_username, + 'password': matrix_mautrix_instagram_database_password, + }] if (matrix_mautrix_instagram_enabled and matrix_mautrix_instagram_database_engine == 'postgres' and matrix_mautrix_instagram_database_hostname == 'matrix-postgres') else []) + + ([{ 'name': matrix_mautrix_signal_database_name, 'username': matrix_mautrix_signal_database_username, diff --git a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml new file mode 100644 index 00000000..411ec7ed --- /dev/null +++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -0,0 +1,103 @@ +# mautrix-instagram is a Matrix <-> Instagram bridge +# See: https://github.com/tulir/mautrix-instagram + +matrix_mautrix_instagram_enabled: true + +matrix_mautrix_instagram_container_image_self_build: false +matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/tulir/mautrix-instagram.git" + +# See: https://mau.dev/tulir/mautrix-instagram/container_registry +matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}tulir/mautrix-instagram:latest" +matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}" +matrix_mautrix_instagram_docker_image_force_pull: "{{ matrix_mautrix_instagram_docker_image.endswith(':latest') }}" + +matrix_mautrix_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-instagram" +matrix_mautrix_instagram_config_path: "{{ matrix_mautrix_instagram_base_path }}/config" +matrix_mautrix_instagram_data_path: "{{ matrix_mautrix_instagram_base_path }}/data" +matrix_mautrix_instagram_docker_src_files_path: "{{ matrix_mautrix_instagram_base_path }}/docker-src" + +matrix_mautrix_instagram_homeserver_address: 'http://matrix-synapse:8008' +matrix_mautrix_instagram_homeserver_domain: '{{ matrix_domain }}' +matrix_mautrix_instagram_appservice_address: 'http://matrix-mautrix-instagram:29330' + +# A list of extra arguments to pass to the container +matrix_mautrix_instagram_container_extra_arguments: [] + +# List of systemd services that matrix-mautrix-instagram.service depends on. +matrix_mautrix_instagram_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-mautrix-instagram.service wants +matrix_mautrix_instagram_systemd_wanted_services_list: [] + +matrix_mautrix_instagram_appservice_token: '' +matrix_mautrix_instagram_homeserver_token: '' + + +# Database-related configuration fields. +# +# To use Postgres: +# - adjust your database credentials via the `matrix_mautrix_instagram_postgres_*` variables +matrix_mautrix_instagram_database_engine: 'postgres' + +matrix_mautrix_instagram_database_username: 'matrix_mautrix_instagram' +matrix_mautrix_instagram_database_password: 'some-password' +matrix_mautrix_instagram_database_hostname: 'matrix-postgres' +matrix_mautrix_instagram_database_port: 5432 +matrix_mautrix_instagram_database_name: 'matrix_mautrix_instagram' + +matrix_mautrix_instagram_database_connection_string: 'postgres://{{ matrix_mautrix_instagram_database_username }}:{{ matrix_mautrix_instagram_database_password }}@{{ matrix_mautrix_instagram_database_hostname }}:{{ matrix_mautrix_instagram_database_port }}/{{ matrix_mautrix_instagram_database_name }}' + +matrix_mautrix_instagram_appservice_database: "{{ + { + 'postgres': matrix_mautrix_instagram_database_connection_string, + }[matrix_mautrix_instagram_database_engine] +}}" + + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mautrix_instagram_login_shared_secret: '' + +matrix_mautrix_instagram_bridge_login_shared_secret_map: "{{ {matrix_mautrix_instagram_homeserver_domain: matrix_mautrix_instagram_login_shared_secret} if matrix_mautrix_instagram_login_shared_secret else {} }}" + +matrix_mautrix_instagram_appservice_bot_username: instagrambot + +matrix_mautrix_instagram_bridge_presence: true + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_mautrix_instagram_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mautrix_instagram_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_mautrix_instagram_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mautrix_instagram_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mautrix_instagram_configuration_yaml`. + +matrix_mautrix_instagram_configuration_extension: "{{ matrix_mautrix_instagram_configuration_extension_yaml|from_yaml if matrix_mautrix_instagram_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_instagram_configuration_yaml`. +matrix_mautrix_instagram_configuration: "{{ matrix_mautrix_instagram_configuration_yaml|from_yaml|combine(matrix_mautrix_instagram_configuration_extension, recursive=True) }}" + +matrix_mautrix_instagram_registration_yaml: | + id: instagram + as_token: "{{ matrix_mautrix_instagram_appservice_token }}" + hs_token: "{{ matrix_mautrix_instagram_homeserver_token }}" + namespaces: + users: + - exclusive: true + regex: '^@instagram_.+:{{ matrix_mautrix_instagram_homeserver_domain|regex_escape }}$' + - exclusive: true + regex: '^@{{ matrix_mautrix_instagram_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_instagram_homeserver_domain|regex_escape }}$' + url: {{ matrix_mautrix_instagram_appservice_address }} + # See https://github.com/tulir/mautrix-signal/issues/43 + sender_localpart: _bot_{{ matrix_mautrix_instagram_appservice_bot_username }} + rate_limited: false + +matrix_mautrix_instagram_registration: "{{ matrix_mautrix_instagram_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml new file mode 100644 index 00000000..2b407358 --- /dev/null +++ b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml @@ -0,0 +1,23 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-instagram.service'] }}" + when: matrix_mautrix_instagram_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mautrix_instagram_config_path }}/registration.yaml,dst=/matrix-mautrix-instagram-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mautrix-instagram-registration.yaml"] }} + when: matrix_mautrix_instagram_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Mautrix instagram image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build" diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/main.yml b/roles/matrix-bridge-mautrix-instagram/tasks/main.yml new file mode 100644 index 00000000..7326e22d --- /dev/null +++ b/roles/matrix-bridge-mautrix-instagram/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mautrix_instagram_enabled|bool" + tags: + - setup-all + - setup-mautrix-instagram + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mautrix_instagram_enabled|bool" + tags: + - setup-all + - setup-mautrix-instagram + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mautrix_instagram_enabled|bool" + tags: + - setup-all + - setup-mautrix-instagram diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml new file mode 100644 index 00000000..b83deab3 --- /dev/null +++ b/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml @@ -0,0 +1,80 @@ +--- +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mautrix-instagram role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- name: Ensure Mautrix instagram image is pulled + docker_image: + name: "{{ matrix_mautrix_instagram_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_instagram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_instagram_docker_image_force_pull }}" + when: matrix_mautrix_instagram_enabled|bool and not matrix_mautrix_instagram_container_image_self_build + +- name: Ensure Mautrix instagram paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mautrix_instagram_base_path }}", when: true } + - { path: "{{ matrix_mautrix_instagram_config_path }}", when: true } + - { path: "{{ matrix_mautrix_instagram_data_path }}", when: true } + - { + path: "{{ matrix_mautrix_instagram_docker_src_files_path }}", + when: "{{ matrix_mautrix_instagram_container_image_self_build }}", + } + when: item.when|bool + +- name: Ensure Mautrix instagram repository is present on self-build + git: + repo: "{{ matrix_mautrix_instagram_container_image_self_build_repo }}" + dest: "{{ matrix_mautrix_instagram_docker_src_files_path }}" + force: "yes" + register: matrix_mautrix_instagram_git_pull_results + when: "matrix_mautrix_instagram_enabled|bool and matrix_mautrix_instagram_container_image_self_build" + +- name: Ensure Mautrix instagram Docker image is built + docker_image: + name: "{{ matrix_mautrix_instagram_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_instagram_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_instagram_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_instagram_enabled|bool and matrix_mautrix_instagram_container_image_self_build|bool" + +- name: Ensure mautrix-instagram config.yaml installed + copy: + content: "{{ matrix_mautrix_instagram_configuration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_instagram_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure mautrix-instagram registration.yaml installed + copy: + content: "{{ matrix_mautrix_instagram_registration|to_nice_yaml }}" + dest: "{{ matrix_mautrix_instagram_config_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-mautrix-instagram.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mautrix-instagram.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mautrix-instagram.service" + mode: 0644 + register: matrix_mautrix_instagram_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mautrix-instagram.service installation + service: + daemon_reload: yes + when: "matrix_mautrix_instagram_systemd_service_result.changed" diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml b/roles/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml new file mode 100644 index 00000000..c5c8a3e6 --- /dev/null +++ b/roles/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml @@ -0,0 +1,23 @@ +--- +- name: Check existence of matrix-mautrix-instagram service + stat: + path: "{{ matrix_systemd_path }}/matrix-mautrix-instagram.service" + register: matrix_mautrix_instagram_service_stat + +- name: Ensure matrix-mautrix-instagram is stopped + service: + name: matrix-mautrix-instagram + state: stopped + daemon_reload: yes + when: "matrix_mautrix_instagram_service_stat.stat.exists" + +- name: Ensure matrix-mautrix-instagram.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mautrix-instagram.service" + state: absent + when: "matrix_mautrix_instagram_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mautrix-instagram.service removal + service: + daemon_reload: yes + when: "matrix_mautrix_instagram_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-instagram/tasks/validate_config.yml new file mode 100644 index 00000000..24992ff5 --- /dev/null +++ b/roles/matrix-bridge-mautrix-instagram/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mautrix_instagram_appservice_token" + - "matrix_mautrix_instagram_homeserver_token" diff --git a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 new file mode 100644 index 00000000..db57bd0d --- /dev/null +++ b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 @@ -0,0 +1,234 @@ +#jinja2: lstrip_blocks: "True" +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: {{ matrix_mautrix_instagram_homeserver_address }} + # The domain of the homeserver (for MXIDs, etc). + domain: {{ matrix_mautrix_instagram_homeserver_domain }} + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + # Whether or not the homeserver supports asmux-specific endpoints, + # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically + # updating m.direct. + asmux: false + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: {{ matrix_mautrix_instagram_appservice_address }} + # When using https:// the TLS certificate and key files for the address. + tls_cert: false + tls_key: false + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 29330 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. Only Postgres is currently supported. + database: {{ matrix_mautrix_instagram_appservice_database|to_json }} + # Additional arguments for asyncpg.create_pool() + # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + database_opts: + min_size: 5 + max_size: 10 + + # The unique ID of this appservice. + id: instagram + # Username of the appservice bot. + bot_username: {{ matrix_mautrix_instagram_appservice_bot_username|to_json }} + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: instagram bridge bot + bot_avatar: mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv + + # Community ID for bridged users (changes registration file) and rooms. + # Must be created manually. + # + # Example: "+instagram:example.com". Set to false to disable. + community_id: false + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + # You should disable bridge -> sync_with_custom_puppets when this is enabled. + ephemeral_events: false + + # Authentication tokens for AS <-> HS communication. + as_token: "{{ matrix_mautrix_instagram_appservice_token }}" + hs_token: "{{ matrix_mautrix_instagram_homeserver_token }}" + +# Prometheus telemetry config. Requires prometheus-client to be installed. +metrics: + enabled: false + listen_port: 8000 + +instagram: + # Seed for generating devices. This is secret because the seed is used to generate + # device IDs, which can apparently be used to bypass two-factor authentication after + # logging out, because Instagram is insecure. + device_seed: generate + +# Bridge config +bridge: + # Localpart template of MXIDs for Instagram users. + # {userid} is replaced with the user ID of the Instagram user. + username_template: "instagram_{userid}" + # Displayname template for Instagram users. + # {displayname} is replaced with the display name of the Instagram user. + # {username} is replaced with the username of the Instagram user. + displayname_template: "{username} (Instagram)" + + # Maximum length of displayname + displayname_max_length: 100 + + # Maximum number of seconds since the last activity in a chat to automatically create portals. + portal_create_max_age: 86400 + # Maximum number of chats to fetch for startup sync + chat_sync_limit: 100 + # Whether or not to use /sync to get read receipts and typing notifications + # when double puppeting is enabled + sync_with_custom_puppets: true + # Whether or not to update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. + double_puppet_server_map: {} + # example.com: https://example.com + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + # If using this for other servers than the bridge's server, + # you must also set the URL in the double_puppet_server_map. + login_shared_secret_map: + {{ matrix_mautrix_instagram_bridge_login_shared_secret_map|to_json }} + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Settings for backfilling messages from Instagram. + backfill: + # Whether or not the Instagram users of logged in Matrix users should be + # invited to private chats when backfilling history from Instagram. This is + # usually needed to prevent rate limits and to allow timestamp massaging. + invite_own_puppet: true + # Maximum number of messages to backfill initially. + # Set to 0 to disable backfilling when creating portal. + initial_limit: 0 + # Maximum number of messages to backfill if messages were missed while + # the bridge was disconnected. + # Set to 0 to disable backfilling missed messages. + missed_limit: 1000 + # If using double puppeting, should notifications be disabled + # while the initial backfill is in progress? + disable_notifications: false + periodic_reconnect: + # Interval in seconds in which to automatically reconnect all users. + # This can be used to automatically mitigate the bug where Instagram stops sending messages. + # Set to -1 to disable periodic reconnections entirely. + interval: -1 + # Whether or not the bridge should backfill chats when reconnecting. + resync: true + # Should even disconnected users be reconnected? + always: false + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Options for automatic key sharing. + key_sharing: + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow: false + # Require the requesting device to have a valid cross-signing signature? + # This doesn't require that the bridge has verified the device, only that the user has verified it. + # Not yet implemented. + require_cross_signing: false + # Require devices to be verified by the bridge? + # Verification by the bridge is not yet implemented. + require_verification: true + # Whether or not to explicitly set the avatar and room name for private + # chat portal rooms. This will be implicitly enabled if encryption.default is true. + private_chat_portal_meta: false + # Whether or not the bridge should send a read receipt from the bridge bot when a message has + # been sent to Instagram. + delivery_receipts: false + # Whether or not delivery errors should be reported as messages in the Matrix room. + delivery_error_reports: false + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false + # Whether or not unimportant bridge notices should be sent to the user. + # (e.g. connected, disconnected but will retry) + unimportant_bridge_notices: true + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!ig" + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "{{ matrix_mautrix_instagram_homeserver_domain }}": user + # Provisioning API part of the web server for automated portal creation and fetching information. + # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). + provisioning: + # Whether or not the provisioning API should be enabled. + enabled: true + # The prefix to use in the provisioning API endpoints. + prefix: /_matrix/provision/v1 + # The shared secret to authorize users of the API. + # Set to "generate" to generate and save a new token. + shared_secret: generate + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_instagram.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + mauigpapi: + level: DEBUG + paho: + level: INFO + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [console] diff --git a/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 b/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 new file mode 100644 index 00000000..33a5bab3 --- /dev/null +++ b/roles/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mautrix Instagram bridge +{% for service in matrix_mautrix_instagram_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mautrix_instagram_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-instagram 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null' + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-instagram \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -v {{ matrix_mautrix_instagram_config_path }}:/config:z \ + -v {{ matrix_mautrix_instagram_data_path }}:/data:z \ + {% for arg in matrix_mautrix_instagram_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mautrix_instagram_docker_image }} \ + python3 -m mautrix_instagram -c /config/config.yaml --no-update + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-instagram 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mautrix-instagram + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index e7fdae19..160a29ba 100755 --- a/setup.yml +++ b/setup.yml @@ -15,6 +15,7 @@ - matrix-bridge-appservice-irc - matrix-bridge-mautrix-facebook - matrix-bridge-mautrix-hangouts + - matrix-bridge-mautrix-instagram - matrix-bridge-mautrix-signal - matrix-bridge-mautrix-telegram - matrix-bridge-mautrix-whatsapp From 913e0dae42d196a518398211c8dd407a6673d09e Mon Sep 17 00:00:00 2001 From: Marcus Proest Date: Fri, 19 Feb 2021 19:37:36 +0100 Subject: [PATCH 1961/2384] update informational files. --- CHANGELOG.md | 5 +++++ README.md | 2 ++ docs/configuring-playbook.md | 2 ++ docs/container-images.md | 2 ++ 4 files changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dfa28cca..329b2ea8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,11 @@ This brings the total number of bridges supported by the playbook up to 18. See To get started, follow our [Setting up MX Puppet GroupMe](docs/configuring-playbook-bridge-mx-puppet-groupme.md) docs. +## Mautrix Instagram bridging support + +The playbook now supports bridging with [Instagram](https://www.instagram.com/) by installing the [mautrix-instagram](https://github.com/tulir/mautrix-instagram) bridge. This playbook functionality is available thanks to [@MarcProe](https://github.com/MarcProe). + +Additional details are available in [Setting up Mautrix Instagram bridging](docs/configuring-playbook-bridge-mautrix-instagram.md). ## Synapse workers support diff --git a/README.md b/README.md index 2560a7de..463a1504 100644 --- a/README.md +++ b/README.md @@ -53,6 +53,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) +- (optional) the [mautrix-instagram](https://github.com/tulir/mautrix-instagram) bridge for bridging your Matrix server to [Instagram](https://instagram.com/) + - (optional) the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge for bridging your Matrix server to [Signal](https://www.signal.org/) - (optional) the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index c3fbd276..34c52efc 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -96,6 +96,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mautrix Hangouts bridging](configuring-playbook-bridge-mautrix-hangouts.md) (optional) +- [Setting up Mautrix Instagram bridging](configuring-playbook-bridge-mautrix-instagram.md) (optional) + - [Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md) (optional) - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index 8aabf7be..a5e304f4 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -48,6 +48,8 @@ These services are not part of our default installation, but can be enabled by [ - [tulir/mautrix-hangouts](https://mau.dev/tulir/mautrix-hangouts/container_registry) - the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional) +- [tulir/mautrix-instagram](https://mau.dev/tulir/mautrix-instagram/container_registry) - the [mautrix-instagram](https://github.com/tulir/mautrix-instagram) bridge to [Instagram](https://instagram.com/) (optional) + - [tulir/mautrix-signal](https://mau.dev/tulir/mautrix-signal/container_registry) - the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge to [Signal](https://www.signal.org/) (optional) - [matrixdotorg/matrix-appservice-irc](https://hub.docker.com/r/matrixdotorg/matrix-appservice-irc) - the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional) From 4c882c513b631ac412a7d3a01bd198fdfa9b9120 Mon Sep 17 00:00:00 2001 From: Michael Date: Sat, 20 Feb 2021 17:19:17 +0800 Subject: [PATCH 1962/2384] initial PR --- roles/matrix-awx/defaults/main.yml | 2 + .../surveys/configure_corporal.json.j2 | 88 ++++++ .../surveys/configure_element.json.j2 | 78 ++++++ .../surveys/configure_jitsi.json.j2 | 31 +++ .../surveys/configure_ma1sd.json.j2 | 41 +++ .../surveys/configure_synapse.json.j2 | 198 ++++++++++++++ .../surveys/configure_synapse_admin.json.j2 | 18 ++ .../configure_website_access_backup.json.j2 | 30 +++ roles/matrix-awx/tasks/create_user.yml | 31 +++ .../tasks/customise_website_access_backup.yml | 159 +++++++++++ roles/matrix-awx/tasks/import_awx.yml | 21 ++ .../tasks/load_hosting_and_org_variables.yml | 10 + .../tasks/load_matrix_variables.yml | 6 + roles/matrix-awx/tasks/main.yml | 73 +++++ roles/matrix-awx/tasks/self_check.yml | 94 +++++++ .../tasks/set_variables_corporal.yml | 254 ++++++++++++++++++ .../tasks/set_variables_element.yml | 77 ++++++ .../matrix-awx/tasks/set_variables_jitsi.yml | 58 ++++ .../matrix-awx/tasks/set_variables_ma1sd.yml | 130 +++++++++ .../tasks/set_variables_synapse.yml | 223 +++++++++++++++ .../tasks/set_variables_synapse_admin.yml | 58 ++++ .../templates/sftp/ssh_sftp.service | 23 ++ .../templates/sftp/sshd_sftp_config | 33 +++ roles/matrix-common-after/tasks/awx_post.yml | 20 ++ roles/matrix-common-after/tasks/main.yml | 8 + .../systemd/matrix-nginx-proxy.service.j2 | 5 + setup.yml | 1 + 27 files changed, 1770 insertions(+) create mode 100755 roles/matrix-awx/defaults/main.yml create mode 100755 roles/matrix-awx/surveys/configure_corporal.json.j2 create mode 100755 roles/matrix-awx/surveys/configure_element.json.j2 create mode 100755 roles/matrix-awx/surveys/configure_jitsi.json.j2 create mode 100644 roles/matrix-awx/surveys/configure_ma1sd.json.j2 create mode 100755 roles/matrix-awx/surveys/configure_synapse.json.j2 create mode 100644 roles/matrix-awx/surveys/configure_synapse_admin.json.j2 create mode 100755 roles/matrix-awx/surveys/configure_website_access_backup.json.j2 create mode 100755 roles/matrix-awx/tasks/create_user.yml create mode 100755 roles/matrix-awx/tasks/customise_website_access_backup.yml create mode 100644 roles/matrix-awx/tasks/import_awx.yml create mode 100644 roles/matrix-awx/tasks/load_hosting_and_org_variables.yml create mode 100755 roles/matrix-awx/tasks/load_matrix_variables.yml create mode 100755 roles/matrix-awx/tasks/main.yml create mode 100644 roles/matrix-awx/tasks/self_check.yml create mode 100755 roles/matrix-awx/tasks/set_variables_corporal.yml create mode 100755 roles/matrix-awx/tasks/set_variables_element.yml create mode 100755 roles/matrix-awx/tasks/set_variables_jitsi.yml create mode 100755 roles/matrix-awx/tasks/set_variables_ma1sd.yml create mode 100755 roles/matrix-awx/tasks/set_variables_synapse.yml create mode 100644 roles/matrix-awx/tasks/set_variables_synapse_admin.yml create mode 100755 roles/matrix-awx/templates/sftp/ssh_sftp.service create mode 100755 roles/matrix-awx/templates/sftp/sshd_sftp_config create mode 100644 roles/matrix-common-after/tasks/awx_post.yml mode change 100644 => 100755 roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 diff --git a/roles/matrix-awx/defaults/main.yml b/roles/matrix-awx/defaults/main.yml new file mode 100755 index 00000000..9394ecab --- /dev/null +++ b/roles/matrix-awx/defaults/main.yml @@ -0,0 +1,2 @@ + +matrix_awx_enabled: false diff --git a/roles/matrix-awx/surveys/configure_corporal.json.j2 b/roles/matrix-awx/surveys/configure_corporal.json.j2 new file mode 100755 index 00000000..4c4ead83 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_corporal.json.j2 @@ -0,0 +1,88 @@ +{ + "name": "Configure Matrix Corporal", + "description": "", + "spec": [ + { + "question_name": "Enable Corporal", + "question_description": "Controls if Matrix Corporal is enabled at all. If you're unsure if you need Matrix Corporal or not, you most likely don't.", + "required": true, + "min": null, + "max": null, + "default": "{{ matrix_corporal_enabled|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_corporal_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Corporal Policy Provider", + "question_description": "Controls what provider policy is used with Matrix Corporal.", + "required": true, + "min": null, + "max": null, + "default": "{{ matrix_corporal_policy_provider_mode }}", + "choices": "Simple Static File\nHTTP Pull Mode (API Enabled)\nHTTP Push Mode (API Enabled)", + "new_question": true, + "variable": "matrix_corporal_policy_provider_mode", + "type": "multiplechoice" + }, + { + "question_name": "Simple Static File Configuration", + "question_description": "The configuration file for Matrix Corporal, only needed if 'Simple Static File' provider is selected, any configuration entered here will be saved and applied.", + "required": false, + "min": 0, + "max": 65536, + "default": "", + "new_question": true, + "variable": "matrix_corporal_simple_static_config", + "type": "textarea" + }, + { + "question_name": "HTTP Pull Mode URI", + "question_description": "The network address to remotely fetch the configuration from. Only needed if 'HTTP Pull Mode (API Enabled)' provider is selected.", + "required": false, + "min": 0, + "max": 4096, + "default": "{{ matrix_corporal_pull_mode_uri }}", + "new_question": true, + "variable": "matrix_corporal_pull_mode_uri", + "type": "text" + }, + { + "question_name": "HTTP Pull Mode Authentication Token", + "question_description": "An authentication token for pulling the Corporal configuration from a network location. Only needed if 'HTTP Pull Mode (API Enabled)' provider is selected. WARNING: You must set a strong and unique password here.", + "required": false, + "min": 0, + "max": 256, + "default": "{{ matrix_corporal_pull_mode_token }}", + "choices": "", + "new_question": true, + "variable": "matrix_corporal_pull_mode_token", + "type": "password" + }, + { + "question_name": "Corporal API Authentication Token", + "question_description": "An authentication token for interfacing with Corporals API. Only needed to be set if 'HTTP Pull Mode (API Enabled)' or 'HTTP Push Mode (API Enabled)' provider is selected. WARNING: You must set a strong and unique password here.", + "required": false, + "min": 0, + "max": 256, + "default": "{{ matrix_corporal_http_api_auth_token }}", + "choices": "", + "new_question": true, + "variable": "matrix_corporal_http_api_auth_token", + "type": "password" + }, + { + "question_name": "Raise Synapse Ratelimits", + "question_description": "For Matrix Corporal to work you will need to temporarily raise the rate limits for logins, please return this value to 'Normal' after you're done using Corporal.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_corporal_raise_ratelimits }}", + "choices": "Normal\nRaised", + "new_question": true, + "variable": "matrix_corporal_raise_ratelimits", + "type": "multiplechoice" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_element.json.j2 b/roles/matrix-awx/surveys/configure_element.json.j2 new file mode 100755 index 00000000..121682f6 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_element.json.j2 @@ -0,0 +1,78 @@ +{ + "name": "", + "description": "", + "spec": [ + { + "question_name": "Enable Element-Web", + "question_description": "Set if Element web client is enabled or not.", + "required": true, + "min": null, + "max": null, + "default": "{{ matrix_client_element_enabled }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_client_element_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Set Branding for Web Client", + "question_description": "Sets the 'branding' seen in the tab and on the welcome page to a custom value.", + "required": false, + "min": 0, + "max": 256, + "default": "{{ matrix_client_element_brand }}", + "choices": "", + "new_question": true, + "variable": "matrix_client_element_brand", + "type": "text" + }, + { + "question_name": "Set Theme for Web Client", + "question_description": "Sets the default theme for the web client, can be changed later by individual users.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_client_element_default_theme }}", + "choices": "light\ndark", + "new_question": true, + "variable": "matrix_client_element_default_theme", + "type": "multiplechoice" + }, + { + "question_name": "Set Welcome Page Background", + "question_description": "URL to Wallpaper, shown in background of the welcome page. Must be a 'https' link, otherwise it won't be set.", + "required": false, + "min": 0, + "max": 1024, + "default": "{{ matrix_client_element_branding_welcomeBackgroundUrl }}", + "choices": "", + "new_question": true, + "variable": "matrix_client_element_branding_welcomeBackgroundUrl", + "type": "text" + }, + { + "question_name": "Show Registration Button", + "question_description": "If you show the registration button on the welcome page.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_client_element_registration_enabled }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_client_element_registration_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Set Element Subdomain.", + "question_description": "Sets the subdomain of the Element web-client, you should only specify the subdomain, not the base domain you've already set. (Eg: 'element' for element.example.org) Note that if you change this value you'll need to reconfigure your DNS.", + "required": false, + "min": 0, + "max": 2048, + "default": "{{ element_subdomain }}", + "choices": "", + "new_question": true, + "variable": "element_subdomain", + "type": "text" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_jitsi.json.j2 b/roles/matrix-awx/surveys/configure_jitsi.json.j2 new file mode 100755 index 00000000..87537f20 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_jitsi.json.j2 @@ -0,0 +1,31 @@ +{ + "name": "", + "description": "", + "spec": [ + { + "question_name": "Enable Jitsi", + "question_description": "Set if Jitsi is enabled or not. If disabled your server will use the https://jitsi.riot.im server. If you're on a smaller server disabling this might increase the performance of your Matrix service.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_jitsi_enabled }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_jitsi_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Set Default Language.", + "question_description": "2 digit 639-1 language code to adjust the language of the web client. For a list of possible codes see: https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes", + "required": false, + "min": 0, + "max": 2, + "default": "{{ matrix_jitsi_web_config_defaultLanguage }}", + "choices": "", + "new_question": true, + "variable": "matrix_jitsi_web_config_defaultLanguage", + "type": "text" + } + ] +} + diff --git a/roles/matrix-awx/surveys/configure_ma1sd.json.j2 b/roles/matrix-awx/surveys/configure_ma1sd.json.j2 new file mode 100644 index 00000000..ad2110a0 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_ma1sd.json.j2 @@ -0,0 +1,41 @@ +{ + "name": "", + "description": "", + "spec": [ + { + "question_name": "Enable ma1sd", + "question_description": "Set if ma1sd is enabled or not. If disabled your server will loose identity functionality (not recommended).", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_ma1sd_enabled|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_ma1sd_enabled", + "type": "multiplechoice" + }, + { + "question_name": "ma1sd Authentication Mode", + "question_description": "Set the source of user account authentication credentials with the ma1sd.", + "required": false, + "min": null, + "max": null, + "default": "{{ ext_matrix_ma1sd_auth_store }}", + "choices": "Synapse Internal\nLDAP/AD", + "new_question": true, + "variable": "ext_matrix_ma1sd_auth_store", + "type": "multiplechoice" + }, + { + "question_name": "LDAP/AD Configuration", + "question_description": "Settings for connecting LDAP/AD to the ma1sd service. (ignored if using Synapse Internal, see https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md )", + "required": false, + "min": 0, + "max": 65536, + "default": {{ ext_matrix_ma1sd_configuration_extension_yaml | to_json }}, + "new_question": true, + "variable": "ext_matrix_ma1sd_configuration_extension_yaml", + "type": "textarea" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_synapse.json.j2 b/roles/matrix-awx/surveys/configure_synapse.json.j2 new file mode 100755 index 00000000..32d54646 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_synapse.json.j2 @@ -0,0 +1,198 @@ +{ + "name": "Configure Synapse", + "description": "", + "spec": [ + { + "question_name": "Enable Public Registration", + "question_description": "Controls whether people with access to the homeserver can register by themselves.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_enable_registration|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_enable_registration", + "type": "multiplechoice" + }, + { + "question_name": "Enable Federation", + "question_description": "Controls whether Synapse will federate at all. Disable this to completely isolate your server from the rest of the Matrix network.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_federation_enabled|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_federation_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Allow Public Rooms Over Federation", + "question_description": "Controls whether remote servers can fetch this server's public rooms directory via federation. For private servers, you'll most likely want to forbid this.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_allow_public_rooms_over_federation|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_allow_public_rooms_over_federation", + "type": "multiplechoice" + }, + { + "question_name": "Enable Community Creation", + "question_description": "Allows regular users (who aren't server admins) to create 'communities', which are basically groups of rooms.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_enable_group_creation|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_enable_group_creation", + "type": "multiplechoice" + }, + { + "question_name": "Enable Synapse Presence", + "question_description": "Controls whether presence is enabled. This shows who's online and reading your posts. Disabling it will increase both performance and user privacy.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_use_presence|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_use_presence", + "type": "multiplechoice" + }, + { + "question_name": "Enable URL Previews", + "question_description": "Controls whether URL previews should be generated. This will cause a request from Synapse to URLs shared by users.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_url_preview_enabled|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_url_preview_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Enable Guest Access", + "question_description": "Controls whether 'guest accounts' can access rooms without registering. Guest users do not count towards your servers user limit.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_allow_guest_access|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_allow_guest_access", + "type": "multiplechoice" + }, + { + "question_name": "Registration Requires Email", + "question_description": "Controls whether an email address is required to register on the server.", + "required": false, + "min": null, + "max": null, + "default": "{{ ext_registrations_require_3pid|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "ext_registrations_require_3pid", + "type": "multiplechoice" + }, + { + "question_name": "Registration Shared Secret", + "question_description": "A secret that allows registration of standard or admin accounts by anyone who has the shared secret, even if registration is otherwise disabled. WARNING: You must set a strong and unique password here.", + "required": false, + "min": 0, + "max": 256, + "default": "", + "choices": "", + "new_question": true, + "variable": "matrix_synapse_registration_shared_secret", + "type": "password" + }, + { + "question_name": "Synapse Max Upload Size", + "question_description": "Sets the maximum size for uploaded files in MB.", + "required": false, + "min": 0, + "max": 3, + "default": "{{ matrix_synapse_max_upload_size_mb }}", + "choices": "", + "new_question": true, + "variable": "matrix_synapse_max_upload_size_mb", + "type": "text" + }, + { + "question_name": "URL Preview Languages", + "question_description": "Sets the languages that URL previews will be generated in. Entries are a 2-3 letter IETF language tag, they must be seperated with newlines. For example: 'fr' https://en.wikipedia.org/wiki/IETF_language_tag", + "required": false, + "min": 0, + "max": 65536, + "default": {{ ext_url_preview_accept_language_default|to_json }}, + "choices": "", + "new_question": true, + "variable": "ext_url_preview_accept_language_raw", + "type": "textarea" + }, + { + "question_name": "Federation Whitelist", + "question_description": "Here you can list the URLs of other Matrix homeservers and Synapse will only federate with those homeservers. Entries must be seperated with newlines and must not have a 'https://' prefix. For example: 'matrix.example.org'", + "required": false, + "min": 0, + "max": 65536, + "default": {{ ext_federation_whitelist_raw|to_json }}, + "choices": "", + "new_question": true, + "variable": "ext_federation_whitelist_raw", + "type": "textarea" + }, + { + "question_name": "Synapse Auto-Join Rooms", + "question_description": "Sets the 'auto-join' rooms, where new users will be automatically invited to, these rooms must already exist. Entries must be room addresses that are separated with newlines. For example: '#announcements:example.org'", + "required": false, + "min": 0, + "max": 65536, + "default": {{ matrix_synapse_auto_join_rooms_raw|to_json }}, + "choices": "", + "new_question": true, + "variable": "matrix_synapse_auto_join_rooms_raw", + "type": "textarea" + }, + { + "question_name": "Enable ReCaptcha on Registration", + "question_description": "Enables Googles ReCaptcha verification for registering an account, recommended for public servers.", + "required": false, + "min": null, + "max": null, + "default": "{{ ext_enable_registration_captcha|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "ext_enable_registration_captcha", + "type": "multiplechoice" + }, + { + "question_name": "Recaptcha Public Key", + "question_description": "Sets the Google ReCaptcha public key for this website.", + "required": false, + "min": 0, + "max": 40, + "default": "{{ ext_recaptcha_public_key }}", + "choices": "", + "new_question": true, + "variable": "ext_recaptcha_public_key", + "type": "text" + }, + { + "question_name": "Recaptcha Private Key", + "question_description": "Sets the Google ReCaptcha private key for this website.", + "required": false, + "min": 0, + "max": 40, + "default": "{{ ext_recaptcha_private_key }}", + "choices": "", + "new_question": true, + "variable": "ext_recaptcha_private_key", + "type": "text" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 b/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 new file mode 100644 index 00000000..f5a740aa --- /dev/null +++ b/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 @@ -0,0 +1,18 @@ +{ + "name": "Configure Synapse Admin", + "description": "Configure 'Synapse Admin', a moderation tool to help you manage your server.", + "spec": [ + { + "question_name": "Enable Synapse Admin", + "question_description": "Set if Synapse Admin is enabled or not. If enabled you can access it at https://matrix.{{ matrix_domain }}/synapse-admin.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_synapse_admin_enabled|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_synapse_admin_enabled", + "type": "multiplechoice" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_website_access_backup.json.j2 b/roles/matrix-awx/surveys/configure_website_access_backup.json.j2 new file mode 100755 index 00000000..990e11f1 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_website_access_backup.json.j2 @@ -0,0 +1,30 @@ +{ + "name": "Configure Website Access Backup", + "description": "Configure base domain website settings and access the services backup.", + "spec": [ + { + "question_name": "Customise Base Domain Website", + "question_description": "Set if you want to adjust the base domain website using SFTP.", + "required": true, + "min": null, + "max": null, + "default": "{{ customise_base_domain_website|string|lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "customise_base_domain_website", + "type": "multiplechoice" + }, + { + "question_name": "SFTP Password", + "question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as download the latest copy of your services backup. If empty the password won't be updated. WARNING: You must set a strong and unique password here.", + "required": false, + "min": 0, + "max": 64, + "default": "{{ sftp_password }}", + "choices": "", + "new_question": true, + "variable": "sftp_password", + "type": "password" + } + ] +} diff --git a/roles/matrix-awx/tasks/create_user.yml b/roles/matrix-awx/tasks/create_user.yml new file mode 100755 index 00000000..9d0027a1 --- /dev/null +++ b/roles/matrix-awx/tasks/create_user.yml @@ -0,0 +1,31 @@ +# +# Create user and define if they are admin +# +# /usr/local/bin/matrix-synapse-register-user +# + +- name: Set admin bool to zero + set_fact: + admin_bool: 0 + when: admin_access == 'false' + +- name: Examine if server admin set + set_fact: + admin_bool: 1 + when: admin_access == 'true' + +- name: Set boolean value to exit playbook + set_fact: + end_playbook: true + +- name: Create user account + command: | + /usr/local/bin/matrix-synapse-register-user {{ new_username }} '{{ new_password }}' {{ admin_bool }} + register: cmd + +- name: Result + debug: msg="{{ cmd.stdout }}" + +- name: End playbook if this task list is called. + meta: end_play + when: end_playbook is defined and end_playbook|bool diff --git a/roles/matrix-awx/tasks/customise_website_access_backup.yml b/roles/matrix-awx/tasks/customise_website_access_backup.yml new file mode 100755 index 00000000..f0252f38 --- /dev/null +++ b/roles/matrix-awx/tasks/customise_website_access_backup.yml @@ -0,0 +1,159 @@ + + +- name: Enable index.html creation if user doesn't wish to customise base domain + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Base Domain Settings' + with_dict: + 'matrix_nginx_proxy_base_domain_homepage_enabled': 'true' + when: customise_base_domain_website|bool == false + +- name: Disable index.html creation to allow multi-file site if user does wish to customise base domain + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Base Domain Settings' + with_dict: + 'matrix_nginx_proxy_base_domain_homepage_enabled': 'false' + when: customise_base_domain_website|bool == true + +- name: Record 'Customise Website + Access Backup' variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# AWX Settings' + with_dict: + 'customise_base_domain_website': '{{ customise_base_domain_website }}' + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Reload vars in matrix_vars.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + +- name: Save new 'Customise Website + Access Backup' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: './roles/matrix-awx/surveys/configure_website_access_backup.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json' + +- name: Copy new 'Customise Website + Access Backup' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json' + dest: '/matrix/awx/configure_website_access_backup.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Customise Base Domain Website' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Website + Access Backup" + description: "Configure base domain website settings and access the services backup." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-nginx-proxy" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + +# Copied over from provision stage + +- name: Copy ssh_sftp.service file + copy: + src: './roles/matrix-awx/templates/sftp/ssh_sftp.service' + dest: '/lib/systemd/system/ssh_sftp.service' + mode: 0644 + +- name: Copy sshd config file + copy: + src: './roles/matrix-awx/templates/sftp/sshd_sftp_config' + dest: '/etc/ssh/sshd_sftp_config' + mode: 0644 + +- name: Ensure group "sftp" exists + group: + name: sftp + state: present + +- name: If user defines sftp_password, enable account / set password on 'stfp' account. + user: + name: sftp + comment: SFTP user to set custom web files + shell: /bin/false + home: /home/sftp/ + group: sftp + password: "{{ sftp_password | password_hash('sha512') }}" + update_password: always + when: (sftp_password is defined) and (sftp_password|length > 0) + +# would be safer if it generated the password for you! + +- name: Setup SFTP users default root path + shell: sudo usermod -d / sftp + +- name: adding existing user 'sftp' to group matrix + user: + name: sftp + groups: matrix + append: yes + +- name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container) + file: + path: /chroot + state: directory + owner: root + group: root + mode: '1755' + +- name: Create the rw /chroot/website directory if it doesn't exist. + file: + path: /chroot/website + state: directory + owner: matrix + group: matrix + mode: '0574' + +- name: Ensure /chroot/backup/ location exists + file: + path: /chroot/backup + state: directory + owner: sftp + group: sftp + mode: '0700' + +- name: Enable service ssh_sftp.service + service: + name: ssh_sftp.service + enabled: yes + +- name: Start service ssh_sftp.service + service: + name: ssh_sftp.service + state: started + diff --git a/roles/matrix-awx/tasks/import_awx.yml b/roles/matrix-awx/tasks/import_awx.yml new file mode 100644 index 00000000..8879cf1c --- /dev/null +++ b/roles/matrix-awx/tasks/import_awx.yml @@ -0,0 +1,21 @@ + +- name: Ensure /matrix/awx is empty + shell: rm -r /matrix/awx/* + +- name: Ensure /matrix/synapse is empty + shell: rm -r /matrix/synapse/* + +- name: Extract from /chroot/backup + shell: tar -xvzf /chroot/backup/matrix.tar.gz -C /matrix/ + +- name: Ensure correct ownership of /matrix/awx + shell: chown -R matrix:matrix /matrix/awx + +- name: Ensure correct ownership of /matrix/synapse + shell: chown -R matrix:matrix /matrix/synapse + +- name: Fetch matrix_vars.yml file to AWX + fetch: + src: /matrix/awx/matrix_vars.yml + dest: /var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/ + flat: yes diff --git a/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml new file mode 100644 index 00000000..6789431a --- /dev/null +++ b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml @@ -0,0 +1,10 @@ + +- name: Include vars in organisation.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/organisation.yml' + no_log: True + +- name: Include vars in hosting_vars.yml + include_vars: + file: '/var/lib/awx/projects/hosting/hosting_vars.yml' + no_log: True diff --git a/roles/matrix-awx/tasks/load_matrix_variables.yml b/roles/matrix-awx/tasks/load_matrix_variables.yml new file mode 100755 index 00000000..388f901d --- /dev/null +++ b/roles/matrix-awx/tasks/load_matrix_variables.yml @@ -0,0 +1,6 @@ + +- name: Include vars in matrix_vars.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' +# no_log: True + diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml new file mode 100755 index 00000000..81852d61 --- /dev/null +++ b/roles/matrix-awx/tasks/main.yml @@ -0,0 +1,73 @@ + +# Load initial hosting and organisation variables from AWX volume +- import_tasks: "{{ role_path }}/tasks/load_hosting_and_org_variables.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - always + +# Create a user account if called +- import_tasks: "{{ role_path }}/tasks/create_user.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - create-user + +# Perform extra self-check functions +- import_tasks: "{{ role_path }}/tasks/self_check.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - self-check + +# Import configs, media repo from /chroot/backup import +- import_tasks: "{{ role_path }}/tasks/import_awx.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - import-awx + +# Configure SFTP so user can upload a static website +- import_tasks: "{{ role_path }}/tasks/customise_website_access_backup.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-nginx-proxy + +# Additional playbook to set the variable file during Element configuration +- import_tasks: "{{ role_path }}/tasks/set_variables_element.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-client-element + +# Additional playbook to set the variable file during Synapse configuration +- import_tasks: "{{ role_path }}/tasks/set_variables_synapse.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-synapse + +# Additional playbook to set the variable file during Jitsi configuration +- import_tasks: "{{ role_path }}/tasks/set_variables_jitsi.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-jitsi + +# Additional playbook to set the variable file during Ma1sd configuration +- import_tasks: "{{ role_path }}/tasks/set_variables_ma1sd.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-ma1sd + +# Additional playbook to set the variable file during Corporal configuration +- import_tasks: "{{ role_path }}/tasks/set_variables_corporal.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-corporal + +# Additional playbook to set the variable file during Synapse Admin configuration +- import_tasks: "{{ role_path }}/tasks/set_variables_synapse_admin.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-all + +# Load newly formed matrix variables from tower volume +- import_tasks: "{{ role_path }}/tasks/load_matrix_variables.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - always + diff --git a/roles/matrix-awx/tasks/self_check.yml b/roles/matrix-awx/tasks/self_check.yml new file mode 100644 index 00000000..977293d0 --- /dev/null +++ b/roles/matrix-awx/tasks/self_check.yml @@ -0,0 +1,94 @@ + +- name: Install prerequisite apt packages on target + apt: + name: + - sysstat + state: present + +- name: Install prerequisite yum packages on AWX + delegate_to: 127.0.0.1 + yum: + name: + - bind-utils + state: present + +- name: Install prerequisite pip packages on AWX + delegate_to: 127.0.0.1 + pip: + name: + - dnspython + state: present + +- name: Calculate CPU usage statistics + shell: iostat -c + register: cpu_usage_stat + no_log: True + +- name: Print CPU usage statistics + debug: + msg: "{{ cpu_usage_stat.stdout.split('\n') }}" + when: cpu_usage_stat is defined + +- name: Calculate RAM usage statistics + shell: free -mh + register: ram_usage_stat + no_log: True + +- name: Print RAM usage statistics + debug: + msg: "{{ ram_usage_stat.stdout.split('\n') }}" + when: ram_usage_stat is defined + +- name: Calculate free disk space + shell: df -h + register: disk_space_stat + no_log: True + +- name: Print free disk space + debug: + msg: "{{ disk_space_stat.stdout.split('\n') }}" + when: disk_space_stat is defined + +- name: Calculate size of Synapse database + shell: du -sh /matrix/postgres/data + register: db_size_stat + no_log: True + +- name: Print size of Synapse database + debug: + msg: "{{ db_size_stat.stdout.split('\n') }}" + when: db_size_stat is defined + +- name: Calculate size of local media repository + shell: du -sh /matrix/synapse/storage/media-store/local* + register: local_media_size_stat + ignore_errors: yes + no_log: True + +- name: Print size of local media repository + debug: + msg: "{{ local_media_size_stat.stdout.split('\n') }}" + when: local_media_size_stat is defined + +- name: Calculate size of remote media repository + shell: du -sh /matrix/synapse/storage/media-store/remote* + register: remote_media_size_stat + ignore_errors: yes + no_log: True + +- name: Print size of remote media repository + debug: + msg: "{{ remote_media_size_stat.stdout.split('\n') }}" + when: remote_media_size_stat is defined + +- name: Calculate docker container statistics + shell: docker stats --all --no-stream + register: docker_stats + ignore_errors: yes + no_log: True + +- name: Print docker container statistics + debug: + msg: "{{ docker_stats.stdout.split('\n') }}" + when: docker_stats is defined + diff --git a/roles/matrix-awx/tasks/set_variables_corporal.yml b/roles/matrix-awx/tasks/set_variables_corporal.yml new file mode 100755 index 00000000..efc44a42 --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_corporal.yml @@ -0,0 +1,254 @@ + +- name: Record Corporal Enabled/Disabled variable + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Corporal Settings' + with_dict: + 'matrix_corporal_enabled': '{{ matrix_corporal_enabled }}' + +- name: Enable Shared Secret Auth if Corporal enabled + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Shared Secret Auth Settings' + with_dict: + 'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'true' + when: matrix_corporal_enabled|bool + +- name: Disable Shared Secret Auth if Corporal disabled + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Shared Secret Auth Settings' + with_dict: + 'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'false' + when: not matrix_corporal_enabled|bool + +- name: Enable Rest Auth Endpoint if Corporal enabled + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Extension' + with_dict: + 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true' + when: matrix_corporal_enabled|bool + +- name: Disable Rest Auth Endpoint if Corporal disabled + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Extension' + with_dict: + 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'false' + when: not matrix_corporal_enabled|bool + +- name: Disable Corporal API if Simple Static File mode selected + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Corporal Settings' + with_dict: + 'matrix_corporal_http_api_enabled': 'false' + when: (matrix_corporal_policy_provider_mode == "Simple Static File") or (not matrix_corporal_enabled|bool) + +- name: Enable Corporal API if Push/Pull mode delected + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Corporal Settings' + with_dict: + 'matrix_corporal_http_api_enabled': 'true' + when: (matrix_corporal_policy_provider_mode != "Simple Static File") and (matrix_corporal_enabled|bool) + +- name: Record Corporal API Access Token if it's defined + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Corporal Settings' + with_dict: + 'matrix_corporal_http_api_auth_token': '{{ matrix_corporal_http_api_auth_token }}' + when: matrix_corporal_http_api_auth_token|length > 0 + +- name: Record 'Simple Static File' configuration variables in matrix_vars.yml + delegate_to: 127.0.0.1 + blockinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: "# Corporal Policy Provider Settings" + block: | + matrix_corporal_policy_provider_config: | + { + "Type": "static_file", + "Path": "/etc/matrix-corporal/corporal-policy.json" + } + when: matrix_corporal_policy_provider_mode == "Simple Static File" + +- name: Touch the /matrix/corporal/ directory + file: + path: "/matrix/corporal/" + state: directory + owner: matrix + group: matrix + mode: '750' + +- name: Touch the /matrix/corporal/config/ directory + file: + path: "/matrix/corporal/config/" + state: directory + owner: matrix + group: matrix + mode: '750' + +- name: Touch the /matrix/corporal/cache/ directory + file: + path: "/matrix/corporal/cache/" + state: directory + owner: matrix + group: matrix + mode: '750' + +- name: Touch the corporal-policy.json file to ensure it exists + file: + path: "/matrix/corporal/config/corporal-policy.json" + state: touch + owner: matrix + group: matrix + mode: '660' + +- name: Touch the last-policy.json file to ensure it exists + file: + path: "/matrix/corporal/config/last-policy.json" + state: touch + owner: matrix + group: matrix + mode: '660' + +- name: Record 'Simple Static File' configuration content in corporal-policy.json + copy: + content: "{{ matrix_corporal_simple_static_config | string }}" + dest: "/matrix/corporal/config/corporal-policy.json" + owner: matrix + group: matrix + mode: '660' + when: (matrix_corporal_policy_provider_mode == "Simple Static File") and (matrix_corporal_simple_static_config|length > 0) + +- name: Record 'HTTP Pull Mode' configuration variables in matrix_vars.yml + delegate_to: 127.0.0.1 + blockinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: "# Corporal Policy Provider Settings" + block: | + matrix_corporal_policy_provider_config: | + { + "Type": "http", + "Uri": "{{ matrix_corporal_pull_mode_uri }}", + "AuthorizationBearerToken": "{{ matrix_corporal_pull_mode_token }}", + "CachePath": "/var/cache/matrix-corporal/last-policy.json", + "ReloadIntervalSeconds": 1800, + "TimeoutMilliseconds": 30000 + } + when: (matrix_corporal_policy_provider_mode == "HTTP Pull Mode (API Enabled)") and (matrix_corporal_pull_mode_uri|length > 0) and (matrix_corporal_pull_mode_token|length > 0) + +- name: Record 'HTTP Push Mode' configuration variables in matrix_vars.yml + delegate_to: 127.0.0.1 + blockinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: "# Corporal Policy Provider Settings" + block: | + matrix_corporal_policy_provider_config: | + { + "Type": "last_seen_store_policy", + "CachePath": "/var/cache/matrix-corporal/last-policy.json" + } + when: (matrix_corporal_policy_provider_mode == "HTTP Push Mode (API Enabled)") + +- name: Lower RateLimit if set to 'Normal' + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300' + replace: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3' + when: matrix_corporal_raise_ratelimits == "Normal" + +- name: Raise RateLimit if set to 'Raised' + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3' + replace: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300' + when: matrix_corporal_raise_ratelimits == "Raised" + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0664' + +- name: Save new 'Configure Corporal' survey.json to the AWX tower + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_corporal.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json' + +- name: Copy new 'Configure Corporal' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json' + dest: '/matrix/awx/configure_corporal.json' + mode: '0660' + +- debug: + msg: "matrix_corporal_matrix_homeserver_api_endpoint: {{ matrix_corporal_matrix_homeserver_api_endpoint }}" + +- debug: + msg: "matrix_corporal_matrix_auth_shared_secret: {{ matrix_corporal_matrix_auth_shared_secret }}" + +- debug: + msg: "matrix_corporal_http_gateway_internal_rest_auth_enabled: {{ matrix_corporal_http_gateway_internal_rest_auth_enabled }}" + +- debug: + msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}" + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Corporal (Advanced)' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Corporal (Advanced)" + description: "Configure Matrix Corporal, a tool that manages your Matrix server according to a configuration policy." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-corporal" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + diff --git a/roles/matrix-awx/tasks/set_variables_element.yml b/roles/matrix-awx/tasks/set_variables_element.yml new file mode 100755 index 00000000..892c1bac --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_element.yml @@ -0,0 +1,77 @@ + +- name: Record Element-Web variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Element Settings' + with_dict: + 'matrix_client_element_enabled': '{{ matrix_client_element_enabled }}' + 'matrix_client_element_jitsi_preferredDomain': '{{ matrix_client_element_jitsi_preferredDomain }}' + 'matrix_client_element_brand': '{{ matrix_client_element_brand }}' + 'matrix_client_element_default_theme': '{{ matrix_client_element_default_theme }}' + 'matrix_client_element_registration_enabled': '{{ matrix_client_element_registration_enabled }}' + 'matrix_server_fqn_element': "{{ element_subdomain }}.{{ matrix_domain }}" + +- name: Set fact for 'https' string + set_fact: + https_string: "https" + +- name: Record Element-Web Background variable locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Element Settings' + with_dict: + 'matrix_client_element_branding_welcomeBackgroundUrl': '{{ matrix_client_element_branding_welcomeBackgroundUrl }}' + when: (https_string in matrix_client_element_branding_welcomeBackgroundUrl) and ( matrix_client_element_branding_welcomeBackgroundUrl|length > 0 ) + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Save new 'Configure Element' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_element.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json' + +- name: Copy new 'Configure Element' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json' + dest: '/matrix/awx/configure_element.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Element' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Element" + description: "Configure Element client via survey." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-client-element" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + diff --git a/roles/matrix-awx/tasks/set_variables_jitsi.yml b/roles/matrix-awx/tasks/set_variables_jitsi.yml new file mode 100755 index 00000000..e35beab7 --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_jitsi.yml @@ -0,0 +1,58 @@ + +- name: Record Jitsi variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Jitsi Settings' + with_dict: + 'matrix_jitsi_enabled': '{{ matrix_jitsi_enabled }}' + 'matrix_jitsi_web_config_defaultLanguage': '{{ matrix_jitsi_web_config_defaultLanguage }}' + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Save new 'Configure Jitsi' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_jitsi.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json' + +- name: Copy new 'Configure Jitsi' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json' + dest: '/matrix/awx/configure_jitsi.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Jitsi' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Jitsi" + description: "Configure Jitsi conferencing settings." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-jitsi" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_jitsi.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + diff --git a/roles/matrix-awx/tasks/set_variables_ma1sd.yml b/roles/matrix-awx/tasks/set_variables_ma1sd.yml new file mode 100755 index 00000000..256a2410 --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_ma1sd.yml @@ -0,0 +1,130 @@ + +- name: Record ma1sd variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# ma1sd Settings' + with_dict: + 'matrix_ma1sd_enabled': '{{ matrix_ma1sd_enabled }}' + +- name: Disable REST auth (matrix-corporal/ma1sd) if using internal auth + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Extension' + with_dict: + 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'false' + when: ext_matrix_ma1sd_auth_store == 'Synapse Internal' + +- name: Enable REST auth if using external LDAP/AD with ma1sd + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Extension' + with_dict: + 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true' + 'matrix_synapse_ext_password_provider_rest_auth_endpoint': 'http://matrix-ma1sd:8090' + when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' + +- name: Strip header from ma1sd configuration extension if using internal auth + set_fact: + ext_matrix_ma1sd_configuration_extension_yaml_parsed: "{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | reject('search', '^matrix_client_element_configuration_extension_json:') | list }}" + when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' + +- name: Remove entire ma1sd configuration extension + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: '^.*\n' + after: '# Start ma1sd Extension' + before: '# End ma1sd Extension' + +- name: Replace conjoined ma1sd configuration extension limiters + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: '^# Start ma1sd Extension# End ma1sd Extension' + replace: '# Start ma1sd Extension\n# End ma1sd Extension' + +- name: Insert ma1sd configuration extension header if using external LDAP/AD with ma1sd + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + line: "matrix_ma1sd_configuration_extension_yaml: |" + insertafter: '# Start ma1sd Extension' + when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' + +- name: Set ma1sd configuration extension if using external LDAP/AD with ma1sd + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertbefore: '# End ma1sd Extension' + line: '{{ item }}' + with_items: "{{ ext_matrix_ma1sd_configuration_extension_yaml_parsed }}" + when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' + +- name: Record ma1sd Custom variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertbefore: '# Custom Settings' + with_dict: + 'ext_matrix_ma1sd_auth_store': '{{ ext_matrix_ma1sd_auth_store }}' + 'ext_matrix_ma1sd_configuration_extension_yaml': '{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | to_json }}' + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Save new 'Configure ma1sd' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_ma1sd.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json' + +- name: Copy new 'Configure ma1sd' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json' + dest: '/matrix/awx/configure_ma1sd.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure ma1sd (Advanced)' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure ma1sd (Advanced)" + description: "Configure Jitsi conferencing settings." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-ma1sd" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_ma1sd.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + +# ^ This playbook isn't executing so the survey isn't being updated! :P + diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml new file mode 100755 index 00000000..979190ce --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -0,0 +1,223 @@ + +- name: Record Synapse variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Settings' + with_dict: + 'matrix_synapse_allow_public_rooms_over_federation': '{{ matrix_synapse_allow_public_rooms_over_federation }}' + 'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}' + 'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}' + 'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}' + 'matrix_synapse_use_presence': '{{ matrix_synapse_use_presence }}' + 'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}' + 'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}' + 'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}' + +- name: Empty Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if raw inputs empty + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^matrix_synapse_auto_join_rooms: .*$" + replace: "matrix_synapse_auto_join_rooms: []" + when: matrix_synapse_auto_join_rooms_raw|length == 0 + +- name: If the raw inputs is not empty start constructing parsed auto_join_rooms list + set_fact: + matrix_synapse_auto_join_rooms_array: |- + {{ matrix_synapse_auto_join_rooms_raw.splitlines() | to_json }} + when: matrix_synapse_auto_join_rooms_raw|length > 0 + +- name: Record Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if it's not blank + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Settings' + with_dict: + "matrix_synapse_auto_join_rooms": "{{ matrix_synapse_auto_join_rooms_array }}" + when: matrix_synapse_auto_join_rooms_raw|length > 0 + +- name: Record Synapse Shared Secret if it's defined + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Settings' + with_dict: + 'matrix_synapse_registration_shared_secret': '{{ matrix_synapse_registration_shared_secret }}' + when: matrix_synapse_registration_shared_secret|length > 0 + +- name: Record registations_require_3pid extra variable if true + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "{{ item }}:" + line: "{{ item }}" + insertbefore: '# End Synapse Extension' + with_items: + - " registrations_require_3pid:" + - " - email" + when: ext_registrations_require_3pid|bool + +- name: Remove registrations_require_3pid extra variable if false + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "{{ item }}:" + line: "{{ item }}" + insertbefore: '# End Synapse Extension' + state: absent + with_items: + - " registrations_require_3pid:" + - " - email" + when: not ext_registrations_require_3pid|bool + +- name: Remove URL Languages + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: '^(?!.*\bemail\b) - [a-zA-Z\-]{2,5}\n' + after: ' url_preview_accept_language:' + before: '# End Synapse Extension' + +- name: Set URL languages default if raw inputs empty + set_fact: + ext_url_preview_accept_language_default: 'en' + when: ext_url_preview_accept_language_raw|length == 0 + +- name: Set URL languages default if raw inputs not empty + set_fact: + ext_url_preview_accept_language_default: "{{ ext_url_preview_accept_language_raw }}" + when: ext_url_preview_accept_language_raw|length > 0 + +- name: Set URL languages if raw inputs empty + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: '^ url_preview_accept_language:' + line: " - {{ ext_url_preview_accept_language_default }}" + when: ext_url_preview_accept_language_raw|length == 0 + +- name: Set URL languages if raw inputs not empty + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: '^ url_preview_accept_language:' + line: " - {{ item }}" + with_items: "{{ ext_url_preview_accept_language_raw.splitlines() }}" + when: ext_url_preview_accept_language_raw|length > 0 + +- name: Remove Federation Whitelisting 1 + delegate_to: 127.0.0.1 + replace: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: '^ - [a-z0-9]+\.[a-z0-9.]+\n' + after: ' federation_domain_whitelist:' + before: '# End Synapse Extension' + +- name: Remove Federation Whitelisting 2 + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + line: " federation_domain_whitelist:" + state: absent + +- name: Set Federation Whitelisting 1 + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: '^matrix_synapse_configuration_extension_yaml: \|' + line: " federation_domain_whitelist:" + when: ext_federation_whitelist_raw|length > 0 + +- name: Set Federation Whitelisting 2 + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + insertafter: '^ federation_domain_whitelist:' + line: " - {{ item }}" + with_items: "{{ ext_federation_whitelist_raw.splitlines() }}" + when: ext_federation_whitelist_raw|length > 0 + +- name: Record Synapse Custom variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertbefore: '# Custom Settings' + with_dict: + 'ext_federation_whitelist_raw': '{{ ext_federation_whitelist_raw.splitlines() | to_json }}' + 'ext_url_preview_accept_language_default': '{{ ext_url_preview_accept_language_default.splitlines() | to_json }}' + +- name: Set ext_recaptcha_public_key to a 'public-key' if undefined + set_fact: ext_recaptcha_public_key="public-key" + when: (ext_recaptcha_public_key is not defined) or (ext_recaptcha_public_key|length == 0) + +- name: Set ext_recaptcha_private_key to a 'private-key' if undefined + set_fact: ext_recaptcha_private_key="private-key" + when: (ext_recaptcha_private_key is not defined) or (ext_recaptcha_private_key|length == 0) + +- name: Record Synapse Extension variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertbefore: '# End Synapse Extension' + with_dict: + ' enable_registration_captcha': '{{ ext_enable_registration_captcha }}' + ' recaptcha_public_key': '{{ ext_recaptcha_public_key }}' + ' recaptcha_private_key': '{{ ext_recaptcha_private_key }}' + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Save new 'Configure Synapse' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_synapse.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}//configure_synapse.json' + +- name: Copy new 'Configure Synapse' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse.json' + dest: '/matrix/awx/configure_synapse.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Synapse' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Synapse" + description: "Configure Synapse (homeserver) settings." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-synapse" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + diff --git a/roles/matrix-awx/tasks/set_variables_synapse_admin.yml b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml new file mode 100644 index 00000000..30cf12b4 --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml @@ -0,0 +1,58 @@ + +- name: Record Synapse Admin variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Synapse Admin Settings' + with_dict: + 'matrix_synapse_admin_enabled': '{{ matrix_synapse_admin_enabled }}' + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Save new 'Configure Synapse Admin' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_synapse_admin.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json' + +- name: Copy new 'Configure Synapse Admin' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json' + dest: '/matrix/awx/configure_synapse_admin.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Synapse Admin' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Synapse Admin" + description: "Configure 'Synapse Admin', a moderation tool to help you manage your server." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-all" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_synapse_admin.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + + diff --git a/roles/matrix-awx/templates/sftp/ssh_sftp.service b/roles/matrix-awx/templates/sftp/ssh_sftp.service new file mode 100755 index 00000000..cfbcbf97 --- /dev/null +++ b/roles/matrix-awx/templates/sftp/ssh_sftp.service @@ -0,0 +1,23 @@ +[Unit] +Description=OpenBSD Secure Shell server +Documentation=man:sshd(8) man:sshd_config(5) +After=network.target auditd.service +ConditionPathExists=!/etc/ssh/sshd_not_to_be_run + +[Service] +EnvironmentFile=-/etc/default/ssh +ExecStartPre=/usr/sbin/sshd -t +ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_sftp_config $SSHD_OPTS +ExecReload=/usr/sbin/sshd -t +ExecReload=/bin/kill -HUP $MAINPID +KillMode=process +Restart=on-failure +RestartPreventExitStatus=255 +Type=notify +RuntimeDirectory=sshd +RuntimeDirectoryMode=0755 + +[Install] +WantedBy=multi-user.target +Alias=sshd_sftp.service + diff --git a/roles/matrix-awx/templates/sftp/sshd_sftp_config b/roles/matrix-awx/templates/sftp/sshd_sftp_config new file mode 100755 index 00000000..a607595a --- /dev/null +++ b/roles/matrix-awx/templates/sftp/sshd_sftp_config @@ -0,0 +1,33 @@ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +Port 2222 +PermitRootLogin no +PasswordAuthentication yes +ChallengeResponseAuthentication no +UsePAM yes +X11Forwarding yes +PrintMotd no + +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp internal-sftp + +Match User sftp + ChrootDirectory /chroot + PermitTunnel no + X11Forwarding no + AllowTcpForwarding no + ForceCommand internal-sftp + + diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml new file mode 100644 index 00000000..0be0cae6 --- /dev/null +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -0,0 +1,20 @@ +--- + +- name: Create user account + command: | + /usr/local/bin/matrix-synapse-register-user janitor '{{ matrix_awx_janitor_user_password }}' 1 + register: cmd + when: not matrix_awx_janitor_user_created|bool + no_log: True + +- name: Update AWX janitor user created variable + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: 'AWX Settings' + with_dict: + 'matrix_awx_janitor_user_created': 'true' + when: not matrix_awx_janitor_user_created|bool + diff --git a/roles/matrix-common-after/tasks/main.yml b/roles/matrix-common-after/tasks/main.yml index d77d56a1..b4503ae1 100644 --- a/roles/matrix-common-after/tasks/main.yml +++ b/roles/matrix-common-after/tasks/main.yml @@ -1,3 +1,4 @@ + - import_tasks: "{{ role_path }}/tasks/start.yml" when: run_start|bool tags: @@ -11,7 +12,14 @@ - import_tasks: "{{ role_path }}/tasks/dump_runtime_results.yml" tags: - always + +- import_tasks: "{{ role_path }}/tasks/awx_post.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - always - import_tasks: "{{ role_path }}/tasks/run_docker_prune.yml" tags: - run-docker-prune + + diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 old mode 100644 new mode 100755 index bd3070ac..90ad6a3f --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -33,7 +33,12 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ -p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:8448 \ {% endif %} --mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + {% if matrix_awx_enabled|bool == false or matrix_nginx_proxy_base_domain_homepage_enabled %} --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/nginx-data,ro \ + {% endif %} + {% if matrix_awx_enabled and matrix_nginx_proxy_base_domain_homepage_enabled|bool == false %} + --mount type=bind,src=/chroot/website,dst=/nginx-data/matrix-domain,ro \ + {% endif %} --mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \ {% if matrix_ssl_retrieval_method != 'none' %} --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \ diff --git a/setup.yml b/setup.yml index d9f25ecf..66f7dd2e 100755 --- a/setup.yml +++ b/setup.yml @@ -7,6 +7,7 @@ - roles/matrix-synapse/vars/workers.yml roles: + - matrix-awx - matrix-base - matrix-dynamic-dns - matrix-mailer From 25e136ee0a9d058963951cfa448873022876a543 Mon Sep 17 00:00:00 2001 From: Germain Date: Sat, 20 Feb 2021 15:45:25 +0000 Subject: [PATCH 1963/2384] Update Telegram bridge setup link Change markdown to use link instead of tags for Telegram App setup --- docs/configuring-playbook-bridge-mautrix-telegram.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-mautrix-telegram.md b/docs/configuring-playbook-bridge-mautrix-telegram.md index 693c8168..bfdc6fc5 100644 --- a/docs/configuring-playbook-bridge-mautrix-telegram.md +++ b/docs/configuring-playbook-bridge-mautrix-telegram.md @@ -4,7 +4,7 @@ The playbook can install and configure [mautrix-telegram](https://github.com/tul See the project's [documentation](https://github.com/tulir/mautrix-telegram/wiki#usage) to learn what it does and why it might be useful to you. -You'll need to obtain API keys from `https://my.telegram.org/apps` and then use the following playbook configuration: +You'll need to obtain API keys from [https://my.telegram.org/apps](https://my.telegram.org/apps) and then use the following playbook configuration: ```yaml matrix_mautrix_telegram_enabled: true From 2f887f292c85dddfc7530d8bfb50adc45ee1f328 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Sat, 20 Feb 2021 19:08:28 +0200 Subject: [PATCH 1964/2384] added "matrix_%SERVICE%_version" variable to all roles, use it in "matrix_%SERVICE%_docker_image" var (preserving backward-compatibility) --- roles/matrix-bot-matrix-reminder-bot/defaults/main.yml | 4 ++-- roles/matrix-bridge-appservice-discord/defaults/main.yml | 3 ++- roles/matrix-bridge-appservice-irc/defaults/main.yml | 3 ++- roles/matrix-bridge-appservice-slack/defaults/main.yml | 3 ++- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 3 ++- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 3 ++- roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 3 ++- roles/matrix-bridge-mautrix-instagram/defaults/main.yml | 5 +++-- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 6 ++++-- roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 3 ++- roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 3 ++- roles/matrix-bridge-mx-puppet-discord/defaults/main.yml | 3 ++- roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml | 3 ++- roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml | 3 ++- roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 3 ++- roles/matrix-bridge-mx-puppet-slack/defaults/main.yml | 3 ++- roles/matrix-bridge-mx-puppet-steam/defaults/main.yml | 3 ++- roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml | 3 ++- roles/matrix-bridge-sms/defaults/main.yml | 3 ++- roles/matrix-client-element/defaults/main.yml | 3 ++- roles/matrix-corporal/defaults/main.yml | 3 ++- roles/matrix-coturn/defaults/main.yml | 3 ++- roles/matrix-dimension/defaults/main.yml | 3 ++- roles/matrix-dynamic-dns/defaults/main.yml | 4 +++- roles/matrix-email2matrix/defaults/main.yml | 3 ++- roles/matrix-etherpad/defaults/main.yml | 3 ++- roles/matrix-grafana/defaults/main.yml | 3 ++- roles/matrix-jitsi/defaults/main.yml | 3 ++- roles/matrix-mailer/defaults/main.yml | 3 ++- roles/matrix-nginx-proxy/defaults/main.yml | 3 ++- roles/matrix-prometheus-node-exporter/defaults/main.yml | 3 ++- roles/matrix-prometheus/defaults/main.yml | 3 ++- roles/matrix-redis/defaults/main.yml | 3 ++- roles/matrix-synapse-admin/defaults/main.yml | 3 ++- roles/matrix-synapse/defaults/main.yml | 4 +++- 35 files changed, 75 insertions(+), 38 deletions(-) diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index c3deb2f2..dd18579c 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -2,8 +2,8 @@ # See: https://github.com/anoadragon453/matrix-reminder-bot matrix_bot_matrix_reminder_bot_enabled: true - -matrix_bot_matrix_reminder_bot_docker_image: "docker.io/anoa/matrix-reminder-bot:release-v0.2.0" +matrix_bot_matrix_reminder_bot_version: release-v0.2.0 +matrix_bot_matrix_reminder_bot_docker_image: "docker.io/anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}" matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}" matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot" diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index c7cdddb6..360963bb 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -3,7 +3,8 @@ matrix_appservice_discord_enabled: true -matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:v1.0.0" +matrix_appservice_discord_version: v1.0.0 +matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:{{ matrix_appservice_discord_version }}" matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}" matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord" diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index ead4e8de..fbfb6fcd 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,8 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:release-0.23.0" +matrix_appservice_irc_version: release-0.23.0 +matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 997cfa5e..1169de4f 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -7,7 +7,8 @@ matrix_appservice_slack_container_self_build: false matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git" matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" -matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:release-1.5.0" +matrix_appservice_slack_version: release-1.5.0 +matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack" diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index e668f918..215afc05 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -3,7 +3,8 @@ matrix_appservice_webhooks_enabled: true -matrix_appservice_webhooks_docker_image: "docker.io/turt2live/matrix-appservice-webhooks:latest" +matrix_appservice_webhooks_version: latest +matrix_appservice_webhooks_docker_image: "docker.io/turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks" diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index acd3ee58..7c6b58ca 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -6,8 +6,9 @@ matrix_mautrix_facebook_enabled: true matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git" +matrix_mautrix_facebook_version: latest # See: https://mau.dev/tulir/mautrix-facebook/container_registry -matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:latest" +matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:{{ matrix_mautrix_facebook_version }}" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 0ed519cd..a029b9e8 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -6,8 +6,9 @@ matrix_mautrix_hangouts_enabled: true matrix_mautrix_hangouts_container_image_self_build: false matrix_mautrix_hangouts_container_image_self_build_repo: "https://github.com/tulir/mautrix-hangouts.git" +matrix_mautrix_hangouts_version: latest # See: https://mau.dev/tulir/mautrix-hangouts/container_registry -matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}tulir/mautrix-hangouts:latest" +matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}tulir/mautrix-hangouts:{{ matrix_mautrix_hangouts_version }}" matrix_mautrix_hangouts_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_hangouts_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_hangouts_docker_image_force_pull: "{{ matrix_mautrix_hangouts_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml index 411ec7ed..449ab7ce 100644 --- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -6,8 +6,9 @@ matrix_mautrix_instagram_enabled: true matrix_mautrix_instagram_container_image_self_build: false matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/tulir/mautrix-instagram.git" +matrix_mautrix_instagram_version: latest # See: https://mau.dev/tulir/mautrix-instagram/container_registry -matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}tulir/mautrix-instagram:latest" +matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}tulir/mautrix-instagram:{{ matrix_mautrix_instagram_version }}" matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_instagram_docker_image_force_pull: "{{ matrix_mautrix_instagram_docker_image.endswith(':latest') }}" @@ -34,7 +35,7 @@ matrix_mautrix_instagram_homeserver_token: '' # Database-related configuration fields. -# +# # To use Postgres: # - adjust your database credentials via the `matrix_mautrix_instagram_postgres_*` variables matrix_mautrix_instagram_database_engine: 'postgres' diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index aaa0a166..50240548 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -3,11 +3,13 @@ matrix_mautrix_signal_enabled: true +matrix_mautrix_signal_version: latest +matrix_mautrix_signal_daemon_version: latest # See: https://mau.dev/tulir/mautrix-signal/container_registry -matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:latest" +matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" -matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:latest" +matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}" matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}" matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal" diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index b1f1b8fc..2d5b5264 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -7,8 +7,9 @@ matrix_mautrix_telegram_container_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/tulir/mautrix-telegram.git" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" +matrix_mautrix_telegram_version: v0.9.0 # See: https://mau.dev/tulir/mautrix-telegram/container_registry -matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.9.0" +matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 581d47de..bfc91177 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -3,8 +3,9 @@ matrix_mautrix_whatsapp_enabled: true +matrix_mautrix_whatsapp_version: latest # See: https://mau.dev/tulir/mautrix-whatsapp/container_registry -matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/tulir/mautrix-whatsapp:latest" +matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/tulir/mautrix-whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_force_pull: "{{ matrix_mautrix_whatsapp_docker_image.endswith(':latest') }}" matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 25f6ae06..252fb9e1 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -11,7 +11,8 @@ matrix_mx_puppet_discord_container_image_self_build_repo: "https://github.com/ma # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_discord_container_http_host_bind_port: '' -matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:latest" +matrix_mx_puppet_discord_version: latest +matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:{{ matrix_mx_puppet_discord_version }}" matrix_mx_puppet_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_discord_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_discord_docker_image_force_pull: "{{ matrix_mx_puppet_discord_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml index c0bafcf0..eeede72e 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -11,7 +11,8 @@ matrix_mx_puppet_groupme_container_image_self_build_repo: "https://gitlab.com/ro # Takes an ":" or "" value (e.g. "127.0.0.1:8437"), or empty string to not expose. matrix_mx_puppet_groupme_container_http_host_bind_port: '' -matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:latest" +matrix_mx_puppet_groupme_version: latest +matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:{{ matrix_mx_puppet_groupme_version }}" matrix_mx_puppet_groupme_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_groupme_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_groupme_docker_image_force_pull: "{{ matrix_mx_puppet_groupme_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml index 4c9fbd98..b14ed0f8 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -6,7 +6,8 @@ matrix_mx_puppet_instagram_enabled: true matrix_mx_puppet_instagram_container_image_self_build: false matrix_mx_puppet_instagram_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-instagram.git" -matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:latest" +matrix_mx_puppet_instagram_version: latest +matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:{{ matrix_mx_puppet_instagram_version }}" matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_instagram_docker_image_force_pull: "{{ matrix_mx_puppet_instagram_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 53c8e379..c68c4160 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -6,7 +6,8 @@ matrix_mx_puppet_skype_enabled: true matrix_mx_puppet_skype_container_image_self_build: false matrix_mx_puppet_skype_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-skype.git" -matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:latest" +matrix_mx_puppet_skype_version: latest +matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:{{ matrix_mx_puppet_skype_version }}" matrix_mx_puppet_skype_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_skype_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index b1fb7487..c5b046f4 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -11,7 +11,8 @@ matrix_mx_puppet_slack_container_image_self_build_repo: "https://github.com/Soru # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_slack_container_http_host_bind_port: '' -matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:latest" +matrix_mx_puppet_slack_version: latest +matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:{{ matrix_mx_puppet_slack_version }}" matrix_mx_puppet_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_slack_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index c3ac977e..aee4da2c 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -11,7 +11,8 @@ matrix_mx_puppet_steam_container_image_self_build_repo: "https://github.com/icew # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_steam_container_http_host_bind_port: '' -matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:latest" +matrix_mx_puppet_steam_version: latest +matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:{{ matrix_mx_puppet_steam_version }}" matrix_mx_puppet_steam_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_steam_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_steam_docker_image_force_pull: "{{ matrix_mx_puppet_steam_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index d8582e53..a8b811d8 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -11,7 +11,8 @@ matrix_mx_puppet_twitter_container_image_self_build_repo: "https://github.com/So # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_twitter_container_http_host_bind_port: '' -matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:latest" +matrix_mx_puppet_twitter_version: latest +matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:{{ matrix_mx_puppet_twitter_version }}" matrix_mx_puppet_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_twitter_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_twitter_docker_image_force_pull: "{{ matrix_mx_puppet_twitter_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 3c6b4c61..0382a2b2 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,8 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.5" +matrix_sms_bridge_version: 0.5.5 +matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index db2e7945..fc6f30f9 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,8 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21" +matrix_client_element_version: v1.7.21 +matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 4b4c46c9..c35e4b22 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -22,9 +22,10 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] +matrix_corporal_version: 2.1.0 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}" -matrix_corporal_docker_image_tag: "2.1.0" +matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 8e781306..4f27e0d9 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -3,7 +3,8 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git" -matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.2" +matrix_coturn_version: 4.5.2 +matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 8a691946..e4ded37a 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -12,7 +12,8 @@ matrix_dimension_widgets_allow_self_signed_ssl_certificates: false matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" -matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:latest" +matrix_dimension_version: latest +matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:{{ matrix_dimension_version }}" matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}" # List of systemd services that matrix-dimension.service depends on. diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index b33961c1..1ec681da 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -4,8 +4,10 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' +matrix_dynamic_dns_version: v3.9.1-ls45 + # The docker container to use when in mode -matrix_dynamic_dns_docker_image: '{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:v3.9.1-ls45' +matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else 'docker.io/' }}" diff --git a/roles/matrix-email2matrix/defaults/main.yml b/roles/matrix-email2matrix/defaults/main.yml index 7917decf..b5593882 100644 --- a/roles/matrix-email2matrix/defaults/main.yml +++ b/roles/matrix-email2matrix/defaults/main.yml @@ -3,7 +3,8 @@ matrix_email2matrix_enabled: true matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix" matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config" -matrix_email2matrix_docker_image: "docker.io/devture/email2matrix:1.0.1" +matrix_email2matrix_version: 1.0.1 +matrix_email2matrix_docker_image: "docker.io/devture/email2matrix:{{ matrix_email2matrix_version }}" matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 7c63fe03..3ad16c51 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -2,7 +2,8 @@ matrix_etherpad_enabled: false matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" -matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:1.8.7" +matrix_etherpad_version: 1.8.7 +matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:{{ matrix_etherpad_version }}" matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" # List of systemd services that matrix-etherpad.service depends on. diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 00ed947e..876e5f6f 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,8 @@ matrix_grafana_enabled: false -matrix_grafana_docker_image: "docker.io/grafana/grafana:7.4.0" +matrix_grafana_version: 7.4.0 +matrix_grafana_docker_image: "docker.io/grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" # Not conditional, because when someone disables metrics diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 028d9c19..b7434dd3 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -52,7 +52,8 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_container_image_tag: "stable-5142" +matrix_jitsi_version: stable-5142 +matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "docker.io/jitsi/web:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index 18608ef4..4c29f47a 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,8 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93-r1" +matrix_mailer_version: 4.93-r1 +matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else 'docker.io/' }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index d46d5480..1b139183 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,9 +1,10 @@ matrix_nginx_proxy_enabled: true +matrix_nginx_proxy_version: 1.19.6-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.6-alpine" +matrix_nginx_proxy_docker_image: "docker.io/nginx:{{ matrix_nginx_proxy_version }}" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index 29dce364..47611f7c 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -3,7 +3,8 @@ matrix_prometheus_node_exporter_enabled: false -matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:v1.1.0" +matrix_prometheus_node_exporter_version: v1.1.0 +matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 56018ba6..123418d4 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,8 @@ matrix_prometheus_enabled: false -matrix_prometheus_docker_image: "docker.io/prom/prometheus:v2.24.1" +matrix_prometheus_version: v2.24.1 +matrix_prometheus_docker_image: "docker.io/prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus" diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml index 74728d87..a512618c 100644 --- a/roles/matrix-redis/defaults/main.yml +++ b/roles/matrix-redis/defaults/main.yml @@ -5,7 +5,8 @@ matrix_redis_connection_password: "" matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" -matrix_redis_docker_image_v6: "docker.io/redis:6.0.10-alpine" +matrix_redis_version: 6.0.10-alpine +matrix_redis_docker_image_v6: "docker.io/redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index ce0ccd39..1534bc82 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,8 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:0.7.0" +matrix_synapse_admin_version: 0.7.0 +matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else 'docker.io/' }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 5da48c08..2435e9c2 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,7 +15,9 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_docker_image_tag: "{{ 'v1.27.0' if matrix_architecture in ['arm32', 'amd64'] else 'v1.26.0' }}" +matrix_synapse_version: v1.27.0 +matrix_synapse_version_arm64: v1.26.0 +matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 77ab0d3e98222622e88c3beadae3d28fae3ff9e2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 21 Feb 2021 11:14:40 +0200 Subject: [PATCH 1965/2384] Do not delete Prometheus/Grafana Docker images Same reasoning as in 1cd251ed7840 --- roles/matrix-grafana/tasks/setup.yml | 13 ++++--------- .../matrix-prometheus-node-exporter/tasks/setup.yml | 6 ------ roles/matrix-prometheus/tasks/setup_uninstall.yml | 6 ------ 3 files changed, 4 insertions(+), 21 deletions(-) diff --git a/roles/matrix-grafana/tasks/setup.yml b/roles/matrix-grafana/tasks/setup.yml index 581e6617..c2eea348 100644 --- a/roles/matrix-grafana/tasks/setup.yml +++ b/roles/matrix-grafana/tasks/setup.yml @@ -28,7 +28,7 @@ - "{{ matrix_grafana_config_path }}/dashboards" - "{{ matrix_grafana_data_path }}" when: matrix_grafana_enabled|bool - + - name: Ensure grafana.ini present template: src: "{{ role_path }}/templates/grafana.ini.j2" @@ -37,7 +37,7 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" when: matrix_grafana_enabled|bool - + - name: Ensure provisioning/datasources/default.yaml present template: src: "{{ role_path }}/templates/datasources.yaml.j2" @@ -46,7 +46,7 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" when: matrix_grafana_enabled|bool - + - name: Ensure provisioning/dashboards/default.yaml present template: src: "{{ role_path }}/templates/dashboards.yaml.j2" @@ -55,7 +55,7 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" when: matrix_grafana_enabled|bool - + - name: Ensure dashboard(s) downloaded get_url: url: "{{ item }}" @@ -108,8 +108,3 @@ daemon_reload: yes when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists" -- name: Ensure matrix-grafana Docker image doesn't exist - docker_image: - name: "{{ matrix_grafana_docker_image }}" - state: absent - when: "not matrix_grafana_enabled|bool" diff --git a/roles/matrix-prometheus-node-exporter/tasks/setup.yml b/roles/matrix-prometheus-node-exporter/tasks/setup.yml index 6f03fbaa..34086e6c 100644 --- a/roles/matrix-prometheus-node-exporter/tasks/setup.yml +++ b/roles/matrix-prometheus-node-exporter/tasks/setup.yml @@ -52,9 +52,3 @@ service: daemon_reload: yes when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists" - -- name: Ensure matrix-prometheus-node-exporter Docker image doesn't exist - docker_image: - name: "{{ matrix_prometheus_node_exporter_docker_image }}" - state: absent - when: "not matrix_prometheus_node_exporter_enabled|bool" diff --git a/roles/matrix-prometheus/tasks/setup_uninstall.yml b/roles/matrix-prometheus/tasks/setup_uninstall.yml index 0a4a8cb6..dd46a222 100644 --- a/roles/matrix-prometheus/tasks/setup_uninstall.yml +++ b/roles/matrix-prometheus/tasks/setup_uninstall.yml @@ -23,9 +23,3 @@ service: daemon_reload: yes when: "matrix_prometheus_service_stat.stat.exists|bool" - -- name: Ensure matrix-prometheus Docker image doesn't exist - docker_image: - name: "{{ matrix_prometheus_docker_image }}" - state: absent - when: "not matrix_prometheus_enabled|bool" From 6768bdcf81be431f1e72ca0cb66dc65550f83bf8 Mon Sep 17 00:00:00 2001 From: Germain Date: Sun, 21 Feb 2021 11:57:05 +0000 Subject: [PATCH 1966/2384] Update lower power config example All other examples show the config to lower the memory usage on the server --- docs/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/faq.md b/docs/faq.md index a6782231..beb009ac 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -289,7 +289,7 @@ matrix_mailer_enabled: false # You can also disable this to save more RAM, # at the expense of audio/video calls being unreliable. -matrix_coturn_enabled: true +matrix_coturn_enabled: false # This makes Synapse not keep track of who is online/offline. # From 53869ac14abcf78d360c7bf8071ad7044494c7d2 Mon Sep 17 00:00:00 2001 From: Marc Leuser Date: Sun, 21 Feb 2021 21:38:20 +0100 Subject: [PATCH 1967/2384] recommend a better way of backing up postgres don't spawn an extra container run pg_dumpall within matrix-postgres instead, ensures correct version store under /matrix so a backup of the folder will contain a DB dump use absolute paths just in case something in the ENV is messed up --- docs/maintenance-postgres.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 50f5a55d..a8eb6edf 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -51,15 +51,12 @@ ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-vacuum,start To make a back up of the current PostgreSQL database, make sure it's running and then execute a command like this on the server: ```bash -docker run \ ---rm \ ---log-driver=none \ ---network=matrix \ +/usr/bin/docker exec \ --env-file=/matrix/postgres/env-postgres-psql \ -docker.io/postgres:13.1-alpine \ -pg_dumpall -h matrix-postgres \ +matrix-postgres \ +/usr/local/bin/pg_dumpall -h matrix-postgres \ | gzip -c \ -> /postgres.sql.gz +> /matrix/postgres.sql.gz ``` If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above command will not work, because the credentials file (`/matrix/postgres/env-postgres-psql`) is not available. From ca223559107b20a747f0cda926605d1b4356c0f9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 22 Feb 2021 08:36:42 +0200 Subject: [PATCH 1968/2384] Update backup docs a bit --- docs/maintenance-postgres.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index a8eb6edf..acbea54c 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -59,9 +59,7 @@ matrix-postgres \ > /matrix/postgres.sql.gz ``` -If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above command will not work, because the credentials file (`/matrix/postgres/env-postgres-psql`) is not available. - -If your server is on the ARM32 [architecture](alternative-architectures.md), you may need to remove the `-alpine` suffix from the image name in the command above. +If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above command will not work, because neither the credentials file (`/matrix/postgres/env-postgres-psql`), nor the `matrix-postgres` container is available. Restoring a backup made this way can be done by [importing it](importing-postgres.md). From 2b96fb0cf1b5c52d2a5fe3dbc60943dfb3774df7 Mon Sep 17 00:00:00 2001 From: tctovsli Date: Mon, 22 Feb 2021 10:32:02 +0100 Subject: [PATCH 1969/2384] Added paragraph about updating DNS to get stats This document didn't describe that it is necessary to have a DNS-entry for stats sub-domain. --- docs/configuring-playbook-prometheus-grafana.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index a10497cc..98d1f604 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -4,6 +4,8 @@ It can be useful to have some (visual) insight into the performance of your home You can enable this with the following settings in your configuration file (`inventory/host_vars/matrix./vars.yml`): +Remember to add `stats.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. + ```yaml matrix_prometheus_enabled: true From 8f7f45d6e4588d377c1cbc51b366d6886a1eec15 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 22 Feb 2021 13:03:09 +0200 Subject: [PATCH 1970/2384] Revert "trust the reverse proxy by default" This reverts commit fd3d48bb6d7f1e1584d2e7d1ba20580be1d103f4. Normally this environment variable gets referred to from `settings.json.docker`, but we have our own full configuration, which hardcodes `"trustProxy": true`, thus making this useless. This has been pointed out here: https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/fd3d48bb6d7f1e1584d2e7d1ba20580be1d103f4#commitcomment-47403097 --- roles/matrix-etherpad/defaults/main.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 3ad16c51..27589b2a 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -23,12 +23,7 @@ matrix_etherpad_user_gid: '5001' matrix_etherpad_container_http_host_bind_port: '' # A list of extra arguments to pass to the container -# -# We assume that a reverse proxy is used and tell the container to trust it -# Details: https://github.com/ether/etherpad-lite/blob/develop/doc/docker.md -matrix_etherpad_container_extra_arguments: [ - '--env TRUST_PROXY=true' -] +matrix_etherpad_container_extra_arguments: [] matrix_etherpad_public_endpoint: '/etherpad' From f9a0ec6fd109b93b3e0c9e128d58d0812925c920 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Feb 2021 13:17:52 +0200 Subject: [PATCH 1971/2384] Fix some bridges failing when Synapse workers enabled Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/904 --- roles/matrix-bridge-mautrix-instagram/defaults/main.yml | 2 +- roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml index 449ab7ce..936df4c5 100644 --- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -17,7 +17,7 @@ matrix_mautrix_instagram_config_path: "{{ matrix_mautrix_instagram_base_path }}/ matrix_mautrix_instagram_data_path: "{{ matrix_mautrix_instagram_base_path }}/data" matrix_mautrix_instagram_docker_src_files_path: "{{ matrix_mautrix_instagram_base_path }}/docker-src" -matrix_mautrix_instagram_homeserver_address: 'http://matrix-synapse:8008' +matrix_mautrix_instagram_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mautrix_instagram_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_instagram_appservice_address: 'http://matrix-mautrix-instagram:29330' diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index bfc91177..b3aee68a 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -12,7 +12,7 @@ matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp matrix_mautrix_whatsapp_config_path: "{{ matrix_mautrix_whatsapp_base_path }}/config" matrix_mautrix_whatsapp_data_path: "{{ matrix_mautrix_whatsapp_base_path }}/data" -matrix_mautrix_whatsapp_homeserver_address: "http://matrix-synapse:8008" +matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mautrix_whatsapp_homeserver_domain: "{{ matrix_domain }}" matrix_mautrix_whatsapp_appservice_address: "http://matrix-mautrix-whatsapp:8080" diff --git a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml index eeede72e..53676e83 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -23,7 +23,7 @@ matrix_mx_puppet_groupme_docker_src_files_path: "{{ matrix_mx_puppet_groupme_bas matrix_mx_puppet_groupme_appservice_port: "8437" -matrix_mx_puppet_groupme_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_groupme_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mx_puppet_groupme_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_groupme_appservice_address: 'http://matrix-mx-puppet-groupme:{{ matrix_mx_puppet_groupme_appservice_port }}' From 2ef1d9c537c1b2292385c932182e9eb908e75acd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Feb 2021 07:59:14 +0200 Subject: [PATCH 1972/2384] Make healthchecks work for Synapse worker containers Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456 --- .../synapse/systemd/matrix-synapse-worker.service.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 0f5e7be2..ee858183 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -22,6 +22,11 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_wor --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ --network={{ matrix_docker_network }} \ + {% if matrix_synapse_worker_details.port != 0 %} + --health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \ + {% else %} + --no-healthcheck \ + {% endif %} {% if matrix_synapse_workers_enabled and matrix_synapse_workers_container_host_bind_address %} {% if matrix_synapse_worker_details.port != 0 %} -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ matrix_synapse_worker_details.port }}:{{ matrix_synapse_worker_details.port }} \ From 1ef683d366f5721f502539b0449e64daf2579d9a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Feb 2021 08:17:53 +0200 Subject: [PATCH 1973/2384] Make nginx proxy config (when disabled) obey matrix_federation_public_port People who were disabling matrix-nginx-proxy (in favor of their own nginx webserver) and also overriding `matrix_federation_public_port`, found that the generated nginx configuration still hardcoded `8448`, which forced their nginx server to use that, regardless of the fact that `matrix_federation_public_port` was pointing elsewhere. We now allow for the in-container federation port to be configurable, and also automatically wire things properly. --- group_vars/matrix_servers | 5 ++++- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++++ .../templates/nginx/conf.d/matrix-domain.conf.j2 | 6 +++--- .../templates/systemd/matrix-nginx-proxy.service.j2 | 2 +- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 07900778..13172a63 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1074,6 +1074,9 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:1 matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" +# When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. +matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" + matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}" # This used to be hooked to `matrix_synapse_metrics_enabled`, but we don't do it anymore. @@ -1224,7 +1227,7 @@ matrix_postgres_additional_databases: | 'username': matrix_mautrix_instagram_database_username, 'password': matrix_mautrix_instagram_database_password, }] if (matrix_mautrix_instagram_enabled and matrix_mautrix_instagram_database_engine == 'postgres' and matrix_mautrix_instagram_database_hostname == 'matrix-postgres') else []) - + + + ([{ 'name': matrix_mautrix_signal_database_name, 'username': matrix_mautrix_signal_database_username, diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 1b139183..a4fbd002 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -111,6 +111,10 @@ matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" +# The port name used for federation in the nginx configuration. +# This is not necessarily the port that it's actually on, +# as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container. +matrix_nginx_proxy_proxy_matrix_federation_port: 8448 # Controls whether proxying the dimension domain should be done. matrix_nginx_proxy_proxy_dimension_enabled: false diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 2ab78a1b..41497416 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -199,10 +199,10 @@ server { #} server { {% if matrix_nginx_proxy_https_enabled %} - listen 8448 ssl http2; - listen [::]:8448 ssl http2; + listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2; + listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2; {% else %} - listen 8448; + listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }}; {% endif %} server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index bd3070ac..38bc64a8 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -30,7 +30,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ -p {{ matrix_nginx_proxy_container_https_host_bind_port }}:8443 \ {% endif %} {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled and matrix_nginx_proxy_container_federation_host_bind_port %} - -p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:8448 \ + -p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} \ {% endif %} --mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/nginx-data,ro \ From ae091d7b2da1a5b3260b1e810a73c16e0c868f17 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Feb 2021 13:40:35 +0200 Subject: [PATCH 1974/2384] Upgrade Synapse (v1.27.0 -> v1.28.0) --- roles/matrix-synapse/defaults/main.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 28 +++++++++++++------ roles/matrix-synapse/vars/workers.yml | 13 +++++++-- 3 files changed, 31 insertions(+), 12 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 2435e9c2..a0d2474d 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,7 +15,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.27.0 +matrix_synapse_version: v1.28.0 matrix_synapse_version_arm64: v1.26.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 99169b8a..09e11f7b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -141,6 +141,7 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} # - '100.64.0.0/10' # - '192.0.0.0/24' # - '169.254.0.0/16' +# - '192.88.99.0/24' # - '198.18.0.0/15' # - '192.0.2.0/24' # - '198.51.100.0/24' @@ -149,6 +150,9 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} # - '::1/128' # - 'fe80::/10' # - 'fc00::/7' +# - '2001:db8::/32' +# - 'ff00::/8' +# - 'fec0::/10' # List of IP address CIDR ranges that should be allowed for federation, # identity servers, push servers, and for checking key validity for @@ -993,6 +997,7 @@ url_preview_ip_range_blacklist: - '100.64.0.0/10' - '192.0.0.0/24' - '169.254.0.0/16' + - '192.88.99.0/24' - '198.18.0.0/15' - '192.0.2.0/24' - '198.51.100.0/24' @@ -1001,6 +1006,9 @@ url_preview_ip_range_blacklist: - '::1/128' - 'fe80::/10' - 'fc00::/7' + - '2001:db8::/32' + - 'ff00::/8' + - 'fec0::/10' # List of IP address CIDR ranges that the URL preview spider is allowed # to access even if they are specified in url_preview_ip_range_blacklist. @@ -1327,6 +1335,8 @@ account_threepid_delegates: # By default, any room aliases included in this list will be created # as a publicly joinable room when the first user registers for the # homeserver. This behaviour can be customised with the settings below. +# If the room already exists, make certain it is a publicly joinable +# room. The join rule of the room must be set to 'public'. # #auto_join_rooms: # - "#example:example.com" @@ -1869,9 +1879,9 @@ oidc_providers: # user_mapping_provider: # config: # subject_claim: "id" - # localpart_template: "{ user.login }" - # display_name_template: "{ user.name }" - # email_template: "{ user.email }" + # localpart_template: "{% raw %}{{ user.login }}{% endraw %}" + # display_name_template: "{% raw %}{{ user.name }}{% endraw %}" + # email_template: "{% raw %}{{ user.email }}{% endraw %}" # For use with Keycloak # @@ -1898,8 +1908,8 @@ oidc_providers: # user_mapping_provider: # config: # subject_claim: "id" - # localpart_template: "{ user.login }" - # display_name_template: "{ user.name }" + # localpart_template: "{% raw %}{{ user.login }}{% endraw %}" + # display_name_template: "{% raw %}{{ user.name }}{% endraw %}" # Enable Central Authentication Service (CAS) for registration and login. @@ -2227,11 +2237,11 @@ password_config: #require_uppercase: true ui_auth: - # The number of milliseconds to allow a user-interactive authentication - # session to be active. + # The amount of time to allow a user-interactive authentication session + # to be active. # # This defaults to 0, meaning the user is queried for their credentials - # before every action, but this can be overridden to alow a single + # before every action, but this can be overridden to allow a single # validation to be re-used. This weakens the protections afforded by # the user-interactive authentication process, by allowing for multiple # (and potentially different) operations to use the same validation session. @@ -2239,7 +2249,7 @@ ui_auth: # Uncomment below to allow for credential validation to last for 15 # seconds. # - #session_timeout: 15000 + #session_timeout: "15s" {% if matrix_synapse_email_enabled %} diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index 3adfd9c3..14b75a92 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -107,7 +107,8 @@ matrix_synapse_workers_generic_worker_endpoints: # Ensure that all SSO logins go to a single process. # For multiple workers not handling the SSO endpoints properly, see - # [#7530](https://github.com/matrix-org/synapse/issues/7530). + # [#7530](https://github.com/matrix-org/synapse/issues/7530) and + # [#9427](https://github.com/matrix-org/synapse/issues/9427). # Note that a HTTP listener with `client` and `federation` resources must be # configured in the `worker_listeners` option in the worker config. @@ -203,7 +204,15 @@ matrix_synapse_workers_generic_worker_endpoints: # REST endpoints itself, but you should set `start_pushers: False` in the # shared configuration file to stop the main synapse sending push notifications. - # Note this worker cannot be load-balanced: only one instance should be active. + # To run multiple instances at once the `pusher_instances` option should list all + # pusher instances by their worker name, e.g.: + + # ```yaml + # pusher_instances: + # - pusher_worker1 + # - pusher_worker2 + # ``` + # ] # appservice worker (no API endpoints) [ From ccf591587456070d099b4455d5f957911b64a4b9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Feb 2021 19:09:46 +0200 Subject: [PATCH 1975/2384] Upgrade Synapse for ARM64 (v1.26.0 -> v1.28.0) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a0d2474d..9086884b 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -16,7 +16,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. matrix_synapse_version: v1.28.0 -matrix_synapse_version_arm64: v1.26.0 +matrix_synapse_version_arm64: v1.28.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 6baa91dd9fea14a1cd9ba204d98835fb6d43465a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 Feb 2021 13:37:51 +0200 Subject: [PATCH 1976/2384] Do not delete matrix-ssl-lets-encrypt-certificates-renew only to recreate it later This seems to have been added to the list of "deprecated files to remove" by mistake. --- roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index f0b14327..5bf9102d 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -11,7 +11,6 @@ - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal" - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter" - "/etc/cron.d/matrix-ssl-lets-encrypt" - - "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" # # Tasks related to setting up Let's Encrypt's management of certificates From f4930d789eb7ebc6a04dace7e2cb09731c32da6e Mon Sep 17 00:00:00 2001 From: Hardy Erlinger Date: Sat, 27 Feb 2021 21:11:22 +0100 Subject: [PATCH 1977/2384] Run Let's Encrypt renewal checks daily instead of weekly. This ensures more timely updates of certifcates. --- .../templates/systemd/matrix-coturn-reload.timer.j2 | 4 ++-- .../matrix-ssl-lets-encrypt-certificates-renew.timer.j2 | 4 ++-- .../templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 index 622cd80a..52894541 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 @@ -3,8 +3,8 @@ Description=Reloads matrix-coturn periodically so that new SSL certificates can [Timer] Unit=matrix-coturn-reload.service -OnCalendar=Sunday *-*-* 13:00:00 -RandomizedDelaySec=3h +OnCalendar=*-*-* 06:30:00 +RandomizedDelaySec=1h [Install] WantedBy=timers.target diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 index 91b13b29..b1e1c21e 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 @@ -3,8 +3,8 @@ Description=Renews Let's Encrypt SSL certificates periodically [Timer] Unit=matrix-ssl-lets-encrypt-certificates-renew.service -OnCalendar=Sunday *-*-* 05:00:00 -RandomizedDelaySec=3h +OnCalendar=*-*-* 04:00:00 +RandomizedDelaySec=2h [Install] WantedBy=timers.target diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 index 73c1848e..09cb6dad 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 @@ -3,8 +3,8 @@ Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates [Timer] Unit=matrix-ssl-nginx-proxy-reload.service -OnCalendar=Sunday *-*-* 13:00:00 -RandomizedDelaySec=3h +OnCalendar=*-*-* 06:30:00 +RandomizedDelaySec=1h [Install] WantedBy=timers.target From 33ec5710d9bfa2a4b4f2c299242dbf72d100ce8b Mon Sep 17 00:00:00 2001 From: Michael Date: Sun, 28 Feb 2021 22:21:40 +0800 Subject: [PATCH 1978/2384] 0.2.1 revision --- docs/configuring-awx-system.md | 43 +++++ ...guring-playbook-bridge-mautrix-telegram.md | 2 +- ...configuring-playbook-prometheus-grafana.md | 2 + docs/faq.md | 2 +- docs/maintenance-postgres.md | 15 +- group_vars/matrix_servers | 21 ++- .../configure_website_access_backup.json.j2 | 30 ---- .../configure_website_access_export.json.j2 | 54 ++++++ roles/matrix-awx/tasks/create_user.yml | 2 +- ...ml => customise_website_access_export.yml} | 165 +++++++++++++----- .../tasks/load_matrix_variables.yml | 2 +- roles/matrix-awx/tasks/main.yml | 4 +- .../templates/sftp/ssh_sftp.service | 23 --- .../templates/sftp/sshd_sftp_config | 33 ---- .../defaults/main.yml | 4 +- .../defaults/main.yml | 3 +- .../defaults/main.yml | 3 +- .../defaults/main.yml | 3 +- .../defaults/main.yml | 3 +- .../defaults/main.yml | 3 +- .../defaults/main.yml | 3 +- .../defaults/main.yml | 7 +- .../defaults/main.yml | 6 +- .../defaults/main.yml | 3 +- .../defaults/main.yml | 5 +- .../defaults/main.yml | 3 +- .../defaults/main.yml | 5 +- .../defaults/main.yml | 3 +- .../defaults/main.yml | 3 +- .../defaults/main.yml | 3 +- .../defaults/main.yml | 3 +- .../defaults/main.yml | 3 +- roles/matrix-bridge-sms/defaults/main.yml | 3 +- roles/matrix-client-element/defaults/main.yml | 3 +- roles/matrix-common-after/tasks/awx_post.yml | 2 +- roles/matrix-corporal/defaults/main.yml | 3 +- roles/matrix-coturn/defaults/main.yml | 3 +- .../systemd/matrix-coturn-reload.timer.j2 | 4 +- roles/matrix-dimension/defaults/main.yml | 3 +- roles/matrix-dynamic-dns/defaults/main.yml | 4 +- roles/matrix-email2matrix/defaults/main.yml | 3 +- roles/matrix-etherpad/defaults/main.yml | 10 +- roles/matrix-grafana/defaults/main.yml | 3 +- roles/matrix-grafana/tasks/setup.yml | 13 +- roles/matrix-jitsi/defaults/main.yml | 3 +- roles/matrix-mailer/defaults/main.yml | 3 +- roles/matrix-nginx-proxy/defaults/main.yml | 8 +- .../tasks/ssl/setup_ssl_lets_encrypt.yml | 1 - .../nginx/conf.d/matrix-domain.conf.j2 | 6 +- .../systemd/matrix-nginx-proxy.service.j2 | 9 +- ...l-lets-encrypt-certificates-renew.timer.j2 | 4 +- .../matrix-ssl-nginx-proxy-reload.timer.j2 | 4 +- .../defaults/main.yml | 3 +- .../tasks/setup.yml | 6 - roles/matrix-prometheus/defaults/main.yml | 3 +- .../tasks/setup_uninstall.yml | 6 - roles/matrix-redis/defaults/main.yml | 3 +- roles/matrix-synapse-admin/defaults/main.yml | 3 +- roles/matrix-synapse/defaults/main.yml | 4 +- .../templates/synapse/homeserver.yaml.j2 | 28 ++- .../systemd/matrix-synapse-worker.service.j2 | 5 + roles/matrix-synapse/vars/workers.yml | 13 +- 62 files changed, 383 insertions(+), 247 deletions(-) create mode 100644 docs/configuring-awx-system.md delete mode 100755 roles/matrix-awx/surveys/configure_website_access_backup.json.j2 create mode 100755 roles/matrix-awx/surveys/configure_website_access_export.json.j2 rename roles/matrix-awx/tasks/{customise_website_access_backup.yml => customise_website_access_export.yml} (52%) delete mode 100755 roles/matrix-awx/templates/sftp/ssh_sftp.service delete mode 100755 roles/matrix-awx/templates/sftp/sshd_sftp_config diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md new file mode 100644 index 00000000..2bc2699b --- /dev/null +++ b/docs/configuring-awx-system.md @@ -0,0 +1,43 @@ +# Configuring AWX System (optional) + +An AWX setup for managing multiple Matrix servers. + +This section is used in an AWX system that can create and manage multiple [Matrix](http://matrix.org/) servers. You can issue members an AWX login to their own 'organisation', which they can use to manage/configure 1 to N servers. + +Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. This script is free to use in a commercial context with the 'MemberPress Plus' and 'WP Oauth Sever' addons. It can also be run in a non-commercial context. + +The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server. + +Ideally this system can manage the updates, configuration, backups and monitoring on it's own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy). + +Warning: This project is currently alpha quality and should only be run by the brave. + + +## Other Required Playbooks + +The following repositories allow you to copy and use this setup: + +[Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) - Creates and configures the AWX system for you. + +[Ansible Create Delete Subscription Membership](https://gitlab.com/GoMatrixHosting/ansible-create-delete-subscription-membership) - Used by the AWX system to create memberships and subscriptions. + +[Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server. + +## Testing Fork For This Playbook + +Updates to this section are trailed here: + +[GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/gomatrixhosting-matrix-docker-ansible-deploy) + + +## Does I need an AWX setup to use this? How do I configure it? + +Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in '/docs/Installation.md' of that repository. + + +## Does I need a front-end WordPress site? And a DigitalOcean account? + +You do not need a front-end WordPress site or any of the mentioned WordPress plugins to use this setup. It can be run on it's own in a non-commercial context. + +You also don't need a DigitalOcean account, but this will limit you to only being able to connect 'On-Premises' servers. + diff --git a/docs/configuring-playbook-bridge-mautrix-telegram.md b/docs/configuring-playbook-bridge-mautrix-telegram.md index 693c8168..bfdc6fc5 100644 --- a/docs/configuring-playbook-bridge-mautrix-telegram.md +++ b/docs/configuring-playbook-bridge-mautrix-telegram.md @@ -4,7 +4,7 @@ The playbook can install and configure [mautrix-telegram](https://github.com/tul See the project's [documentation](https://github.com/tulir/mautrix-telegram/wiki#usage) to learn what it does and why it might be useful to you. -You'll need to obtain API keys from `https://my.telegram.org/apps` and then use the following playbook configuration: +You'll need to obtain API keys from [https://my.telegram.org/apps](https://my.telegram.org/apps) and then use the following playbook configuration: ```yaml matrix_mautrix_telegram_enabled: true diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index a10497cc..98d1f604 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -4,6 +4,8 @@ It can be useful to have some (visual) insight into the performance of your home You can enable this with the following settings in your configuration file (`inventory/host_vars/matrix./vars.yml`): +Remember to add `stats.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. + ```yaml matrix_prometheus_enabled: true diff --git a/docs/faq.md b/docs/faq.md index a6782231..beb009ac 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -289,7 +289,7 @@ matrix_mailer_enabled: false # You can also disable this to save more RAM, # at the expense of audio/video calls being unreliable. -matrix_coturn_enabled: true +matrix_coturn_enabled: false # This makes Synapse not keep track of who is online/offline. # diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 50f5a55d..acbea54c 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -51,20 +51,15 @@ ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-vacuum,start To make a back up of the current PostgreSQL database, make sure it's running and then execute a command like this on the server: ```bash -docker run \ ---rm \ ---log-driver=none \ ---network=matrix \ +/usr/bin/docker exec \ --env-file=/matrix/postgres/env-postgres-psql \ -docker.io/postgres:13.1-alpine \ -pg_dumpall -h matrix-postgres \ +matrix-postgres \ +/usr/local/bin/pg_dumpall -h matrix-postgres \ | gzip -c \ -> /postgres.sql.gz +> /matrix/postgres.sql.gz ``` -If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above command will not work, because the credentials file (`/matrix/postgres/env-postgres-psql`) is not available. - -If your server is on the ARM32 [architecture](alternative-architectures.md), you may need to remove the `-alpine` suffix from the image name in the command above. +If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above command will not work, because neither the credentials file (`/matrix/postgres/env-postgres-psql`), nor the `matrix-postgres` container is available. Restoring a backup made this way can be done by [importing it](importing-postgres.md). diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 07900778..2841bccc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -29,6 +29,22 @@ matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix ###################################################################### +###################################################################### +# +# matrix-awx +# +###################################################################### + +matrix_nginx_proxy_data_path: "{{ '/chroot/website' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else (matrix_nginx_proxy_base_path + '/data') }}" +matrix_nginx_proxy_data_path_in_container: "{{ '/nginx-data/matrix-domain' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/nginx-data' }}" + +###################################################################### +# +# /matrix-awx +# +###################################################################### + + ###################################################################### # # matrix-bridge-appservice-discord @@ -1074,6 +1090,9 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:1 matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" +# When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. +matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" + matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}" # This used to be hooked to `matrix_synapse_metrics_enabled`, but we don't do it anymore. @@ -1224,7 +1243,7 @@ matrix_postgres_additional_databases: | 'username': matrix_mautrix_instagram_database_username, 'password': matrix_mautrix_instagram_database_password, }] if (matrix_mautrix_instagram_enabled and matrix_mautrix_instagram_database_engine == 'postgres' and matrix_mautrix_instagram_database_hostname == 'matrix-postgres') else []) - + + + ([{ 'name': matrix_mautrix_signal_database_name, 'username': matrix_mautrix_signal_database_username, diff --git a/roles/matrix-awx/surveys/configure_website_access_backup.json.j2 b/roles/matrix-awx/surveys/configure_website_access_backup.json.j2 deleted file mode 100755 index 990e11f1..00000000 --- a/roles/matrix-awx/surveys/configure_website_access_backup.json.j2 +++ /dev/null @@ -1,30 +0,0 @@ -{ - "name": "Configure Website Access Backup", - "description": "Configure base domain website settings and access the services backup.", - "spec": [ - { - "question_name": "Customise Base Domain Website", - "question_description": "Set if you want to adjust the base domain website using SFTP.", - "required": true, - "min": null, - "max": null, - "default": "{{ customise_base_domain_website|string|lower }}", - "choices": "true\nfalse", - "new_question": true, - "variable": "customise_base_domain_website", - "type": "multiplechoice" - }, - { - "question_name": "SFTP Password", - "question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as download the latest copy of your services backup. If empty the password won't be updated. WARNING: You must set a strong and unique password here.", - "required": false, - "min": 0, - "max": 64, - "default": "{{ sftp_password }}", - "choices": "", - "new_question": true, - "variable": "sftp_password", - "type": "password" - } - ] -} diff --git a/roles/matrix-awx/surveys/configure_website_access_export.json.j2 b/roles/matrix-awx/surveys/configure_website_access_export.json.j2 new file mode 100755 index 00000000..2b3e1637 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_website_access_export.json.j2 @@ -0,0 +1,54 @@ +{ + "name": "Configure Website Access Backup", + "description": "Configure base domain website settings and access the services backup.", + "spec": [ + { + "question_name": "Customise Base Domain Website", + "question_description": "Set if you want to adjust the base domain website using SFTP.", + "required": true, + "min": null, + "max": null, + "default": "{{ customise_base_domain_website | string | lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "customise_base_domain_website", + "type": "multiplechoice" + }, + { + "question_name": "SFTP Authorisation Method", + "question_description": "Set whether you want to disable SFTP, use a password to connect to SFTP or connect with a more secure SSH key.", + "required": true, + "min": null, + "max": null, + "default": "{{ sftp_auth_method | string }}", + "choices": "Disabled\nPassword\nSSH Key", + "new_question": true, + "variable": "sftp_auth_method", + "type": "multiplechoice" + }, + { + "question_name": "SFTP Password", + "question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'Password' method is selected. WARNING: You must set a strong and unique password here.", + "required": false, + "min": 0, + "max": 64, + "default": "{{ sftp_password }}", + "choices": "", + "new_question": true, + "variable": "sftp_password", + "type": "password" + }, + { + "question_name": "SFTP Public SSH Key (More Secure)", + "question_description": "Sets the public SSH key used to access the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'SSH Key' method is selected.", + "required": false, + "min": 0, + "max": 16384, + "default": "{{ sftp_public_key }}", + "choices": "", + "new_question": true, + "variable": "sftp_public_key", + "type": "text" + } + ] +} diff --git a/roles/matrix-awx/tasks/create_user.yml b/roles/matrix-awx/tasks/create_user.yml index 9d0027a1..0993d61f 100755 --- a/roles/matrix-awx/tasks/create_user.yml +++ b/roles/matrix-awx/tasks/create_user.yml @@ -20,7 +20,7 @@ - name: Create user account command: | - /usr/local/bin/matrix-synapse-register-user {{ new_username }} '{{ new_password }}' {{ admin_bool }} + /usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }} register: cmd - name: Result diff --git a/roles/matrix-awx/tasks/customise_website_access_backup.yml b/roles/matrix-awx/tasks/customise_website_access_export.yml similarity index 52% rename from roles/matrix-awx/tasks/customise_website_access_backup.yml rename to roles/matrix-awx/tasks/customise_website_access_export.yml index f0252f38..4b775105 100755 --- a/roles/matrix-awx/tasks/customise_website_access_backup.yml +++ b/roles/matrix-awx/tasks/customise_website_access_export.yml @@ -21,17 +21,20 @@ with_dict: 'matrix_nginx_proxy_base_domain_homepage_enabled': 'false' when: customise_base_domain_website|bool == true - -- name: Record 'Customise Website + Access Backup' variables locally on AWX + +- name: Record custom 'Customise Website + Access Export' variables locally on AWX delegate_to: 127.0.0.1 lineinfile: path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# AWX Settings' + insertafter: '# Custom Settings' with_dict: 'customise_base_domain_website': '{{ customise_base_domain_website }}' - + 'sftp_auth_method': '"{{ sftp_auth_method }}"' + 'sftp_password': '"{{ sftp_password }}"' + 'sftp_public_key': '"{{ sftp_public_key }}"' + - name: Copy new 'matrix_vars.yml' to target machine copy: src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' @@ -41,17 +44,18 @@ - name: Reload vars in matrix_vars.yml include_vars: file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + no_log: True -- name: Save new 'Customise Website + Access Backup' survey.json to the AWX tower, template +- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template delegate_to: 127.0.0.1 template: - src: './roles/matrix-awx/surveys/configure_website_access_backup.json.j2' - dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json' + src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json' -- name: Copy new 'Customise Website + Access Backup' survey.json to target machine +- name: Copy new 'Customise Website + Access Export' survey.json to target machine copy: - src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json' - dest: '/matrix/awx/configure_website_access_backup.json' + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json' + dest: '/matrix/awx/configure_website_access_export.json' mode: '0660' - name: Collect AWX admin token the hard way! @@ -61,11 +65,11 @@ register: tower_token no_log: True -- name: Recreate 'Customise Base Domain Website' job template +- name: Recreate 'Customise Base Domain Export' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: - name: "{{ matrix_domain }} - 1 - Configure Website + Access Backup" - description: "Configure base domain website settings and access the services backup." + name: "{{ matrix_domain }} - 1 - Configure Website + Access Export" + description: "Configure base domain website settings and access the servers export." extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" job_type: run job_tags: "start,setup-nginx-proxy" @@ -74,7 +78,7 @@ playbook: setup.yml credential: "{{ member_id }} - AWX SSH Key" survey_enabled: true - survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json') }}" + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}" become_enabled: yes state: present verbosity: 1 @@ -82,40 +86,32 @@ tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes -# Copied over from provision stage - -- name: Copy ssh_sftp.service file - copy: - src: './roles/matrix-awx/templates/sftp/ssh_sftp.service' - dest: '/lib/systemd/system/ssh_sftp.service' - mode: 0644 - -- name: Copy sshd config file - copy: - src: './roles/matrix-awx/templates/sftp/sshd_sftp_config' - dest: '/etc/ssh/sshd_sftp_config' - mode: 0644 - - name: Ensure group "sftp" exists group: name: sftp state: present -- name: If user defines sftp_password, enable account / set password on 'stfp' account. +- name: If user doesn't define a sftp_password, create a disabled 'sftp' account user: name: sftp - comment: SFTP user to set custom web files + comment: SFTP user to set custom web files and access servers export shell: /bin/false - home: /home/sftp/ + home: /home/sftp group: sftp - password: "{{ sftp_password | password_hash('sha512') }}" + password: '*' update_password: always - when: (sftp_password is defined) and (sftp_password|length > 0) + when: sftp_password|length == 0 -# would be safer if it generated the password for you! - -- name: Setup SFTP users default root path - shell: sudo usermod -d / sftp +- name: If user defines sftp_password, enable account and set password on 'stfp' account + user: + name: sftp + comment: SFTP user to set custom web files and access servers export + shell: /bin/false + home: /home/sftp + group: sftp + password: "{{ sftp_password | password_hash('sha512') }}" + update_password: always + when: sftp_password|length > 0 - name: adding existing user 'sftp' to group matrix user: @@ -131,7 +127,7 @@ group: root mode: '1755' -- name: Create the rw /chroot/website directory if it doesn't exist. +- name: Ensure /chroot/website location exists. file: path: /chroot/website state: directory @@ -139,21 +135,96 @@ group: matrix mode: '0574' -- name: Ensure /chroot/backup/ location exists +- name: Ensure /chroot/export location exists file: - path: /chroot/backup + path: /chroot/export state: directory owner: sftp group: sftp mode: '0700' -- name: Enable service ssh_sftp.service - service: - name: ssh_sftp.service - enabled: yes +- name: Ensure /home/sftp/.ssh location exists + file: + path: /home/sftp/.ssh + state: directory + owner: sftp + group: sftp + mode: '0700' + +- name: Ensure /home/sftp/authorized_keys exists + file: + path: /home/sftp/.ssh/authorized_keys + state: touch + owner: sftp + group: sftp + mode: '0644' + +- name: Clear authorized_keys file + shell: echo "" > /home/sftp/.ssh/authorized_keys -- name: Start service ssh_sftp.service +- name: Insert public SSH key into authorized_keys file + lineinfile: + path: /home/sftp/.ssh/authorized_keys + line: "{{ sftp_public_key }}" + owner: sftp + group: sftp + mode: '0644' + when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key") + +- name: Alter SSH Subsystem State 1 + lineinfile: + path: /etc/ssh/sshd_config + line: "Subsystem sftp /usr/lib/openssh/sftp-server" + state: absent + +- name: Alter SSH Subsystem State 2 + lineinfile: + path: /etc/ssh/sshd_config + insertafter: "^# override default of no subsystems" + line: "Subsystem sftp internal-sftp" + +- name: Add SSH Match User section for disabled auth + blockinfile: + path: /etc/ssh/sshd_config + state: absent + block: | + Match User sftp + ChrootDirectory /chroot + PermitTunnel no + X11Forwarding no + AllowTcpForwarding no + PasswordAuthentication yes + AuthorizedKeysFile /home/sftp/.ssh/authorized_keys + when: sftp_auth_method == "Disabled" + +- name: Add SSH Match User section for password auth + blockinfile: + path: /etc/ssh/sshd_config + state: present + block: | + Match User sftp + ChrootDirectory /chroot + PermitTunnel no + X11Forwarding no + AllowTcpForwarding no + PasswordAuthentication yes + when: sftp_auth_method == "Password" + +- name: Add SSH Match User section for publickey auth + blockinfile: + path: /etc/ssh/sshd_config + state: present + block: | + Match User sftp + ChrootDirectory /chroot + PermitTunnel no + X11Forwarding no + AllowTcpForwarding no + AuthorizedKeysFile /home/sftp/.ssh/authorized_keys + when: sftp_auth_method == "SSH Key" + +- name: Restart service ssh.service service: - name: ssh_sftp.service - state: started + name: ssh.service + state: restarted diff --git a/roles/matrix-awx/tasks/load_matrix_variables.yml b/roles/matrix-awx/tasks/load_matrix_variables.yml index 388f901d..0174e0e6 100755 --- a/roles/matrix-awx/tasks/load_matrix_variables.yml +++ b/roles/matrix-awx/tasks/load_matrix_variables.yml @@ -2,5 +2,5 @@ - name: Include vars in matrix_vars.yml include_vars: file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' -# no_log: True + no_log: True diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index 81852d61..46aa0d45 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -23,8 +23,8 @@ tags: - import-awx -# Configure SFTP so user can upload a static website -- import_tasks: "{{ role_path }}/tasks/customise_website_access_backup.yml" +# Configure SFTP so user can upload a static website or access the servers export +- import_tasks: "{{ role_path }}/tasks/customise_website_access_export.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-nginx-proxy diff --git a/roles/matrix-awx/templates/sftp/ssh_sftp.service b/roles/matrix-awx/templates/sftp/ssh_sftp.service deleted file mode 100755 index cfbcbf97..00000000 --- a/roles/matrix-awx/templates/sftp/ssh_sftp.service +++ /dev/null @@ -1,23 +0,0 @@ -[Unit] -Description=OpenBSD Secure Shell server -Documentation=man:sshd(8) man:sshd_config(5) -After=network.target auditd.service -ConditionPathExists=!/etc/ssh/sshd_not_to_be_run - -[Service] -EnvironmentFile=-/etc/default/ssh -ExecStartPre=/usr/sbin/sshd -t -ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_sftp_config $SSHD_OPTS -ExecReload=/usr/sbin/sshd -t -ExecReload=/bin/kill -HUP $MAINPID -KillMode=process -Restart=on-failure -RestartPreventExitStatus=255 -Type=notify -RuntimeDirectory=sshd -RuntimeDirectoryMode=0755 - -[Install] -WantedBy=multi-user.target -Alias=sshd_sftp.service - diff --git a/roles/matrix-awx/templates/sftp/sshd_sftp_config b/roles/matrix-awx/templates/sftp/sshd_sftp_config deleted file mode 100755 index a607595a..00000000 --- a/roles/matrix-awx/templates/sftp/sshd_sftp_config +++ /dev/null @@ -1,33 +0,0 @@ -# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -Port 2222 -PermitRootLogin no -PasswordAuthentication yes -ChallengeResponseAuthentication no -UsePAM yes -X11Forwarding yes -PrintMotd no - -AcceptEnv LANG LC_* - -# override default of no subsystems -Subsystem sftp internal-sftp - -Match User sftp - ChrootDirectory /chroot - PermitTunnel no - X11Forwarding no - AllowTcpForwarding no - ForceCommand internal-sftp - - diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index c3deb2f2..dd18579c 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -2,8 +2,8 @@ # See: https://github.com/anoadragon453/matrix-reminder-bot matrix_bot_matrix_reminder_bot_enabled: true - -matrix_bot_matrix_reminder_bot_docker_image: "docker.io/anoa/matrix-reminder-bot:release-v0.2.0" +matrix_bot_matrix_reminder_bot_version: release-v0.2.0 +matrix_bot_matrix_reminder_bot_docker_image: "docker.io/anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}" matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}" matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot" diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index c7cdddb6..360963bb 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -3,7 +3,8 @@ matrix_appservice_discord_enabled: true -matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:v1.0.0" +matrix_appservice_discord_version: v1.0.0 +matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:{{ matrix_appservice_discord_version }}" matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}" matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord" diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index ead4e8de..fbfb6fcd 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,8 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:release-0.23.0" +matrix_appservice_irc_version: release-0.23.0 +matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 997cfa5e..1169de4f 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -7,7 +7,8 @@ matrix_appservice_slack_container_self_build: false matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git" matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" -matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:release-1.5.0" +matrix_appservice_slack_version: release-1.5.0 +matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack" diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index e668f918..215afc05 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -3,7 +3,8 @@ matrix_appservice_webhooks_enabled: true -matrix_appservice_webhooks_docker_image: "docker.io/turt2live/matrix-appservice-webhooks:latest" +matrix_appservice_webhooks_version: latest +matrix_appservice_webhooks_docker_image: "docker.io/turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks" diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index acd3ee58..7c6b58ca 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -6,8 +6,9 @@ matrix_mautrix_facebook_enabled: true matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git" +matrix_mautrix_facebook_version: latest # See: https://mau.dev/tulir/mautrix-facebook/container_registry -matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:latest" +matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:{{ matrix_mautrix_facebook_version }}" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index 0ed519cd..a029b9e8 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -6,8 +6,9 @@ matrix_mautrix_hangouts_enabled: true matrix_mautrix_hangouts_container_image_self_build: false matrix_mautrix_hangouts_container_image_self_build_repo: "https://github.com/tulir/mautrix-hangouts.git" +matrix_mautrix_hangouts_version: latest # See: https://mau.dev/tulir/mautrix-hangouts/container_registry -matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}tulir/mautrix-hangouts:latest" +matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}tulir/mautrix-hangouts:{{ matrix_mautrix_hangouts_version }}" matrix_mautrix_hangouts_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_hangouts_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_hangouts_docker_image_force_pull: "{{ matrix_mautrix_hangouts_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml index 411ec7ed..936df4c5 100644 --- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -6,8 +6,9 @@ matrix_mautrix_instagram_enabled: true matrix_mautrix_instagram_container_image_self_build: false matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/tulir/mautrix-instagram.git" +matrix_mautrix_instagram_version: latest # See: https://mau.dev/tulir/mautrix-instagram/container_registry -matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}tulir/mautrix-instagram:latest" +matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}tulir/mautrix-instagram:{{ matrix_mautrix_instagram_version }}" matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_instagram_docker_image_force_pull: "{{ matrix_mautrix_instagram_docker_image.endswith(':latest') }}" @@ -16,7 +17,7 @@ matrix_mautrix_instagram_config_path: "{{ matrix_mautrix_instagram_base_path }}/ matrix_mautrix_instagram_data_path: "{{ matrix_mautrix_instagram_base_path }}/data" matrix_mautrix_instagram_docker_src_files_path: "{{ matrix_mautrix_instagram_base_path }}/docker-src" -matrix_mautrix_instagram_homeserver_address: 'http://matrix-synapse:8008' +matrix_mautrix_instagram_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mautrix_instagram_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_instagram_appservice_address: 'http://matrix-mautrix-instagram:29330' @@ -34,7 +35,7 @@ matrix_mautrix_instagram_homeserver_token: '' # Database-related configuration fields. -# +# # To use Postgres: # - adjust your database credentials via the `matrix_mautrix_instagram_postgres_*` variables matrix_mautrix_instagram_database_engine: 'postgres' diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index aaa0a166..50240548 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -3,11 +3,13 @@ matrix_mautrix_signal_enabled: true +matrix_mautrix_signal_version: latest +matrix_mautrix_signal_daemon_version: latest # See: https://mau.dev/tulir/mautrix-signal/container_registry -matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:latest" +matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" -matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:latest" +matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}" matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}" matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal" diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index b1f1b8fc..2d5b5264 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -7,8 +7,9 @@ matrix_mautrix_telegram_container_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/tulir/mautrix-telegram.git" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" +matrix_mautrix_telegram_version: v0.9.0 # See: https://mau.dev/tulir/mautrix-telegram/container_registry -matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.9.0" +matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:{{ matrix_mautrix_telegram_version }}" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram" diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 581d47de..b3aee68a 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -3,15 +3,16 @@ matrix_mautrix_whatsapp_enabled: true +matrix_mautrix_whatsapp_version: latest # See: https://mau.dev/tulir/mautrix-whatsapp/container_registry -matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/tulir/mautrix-whatsapp:latest" +matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/tulir/mautrix-whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_force_pull: "{{ matrix_mautrix_whatsapp_docker_image.endswith(':latest') }}" matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" matrix_mautrix_whatsapp_config_path: "{{ matrix_mautrix_whatsapp_base_path }}/config" matrix_mautrix_whatsapp_data_path: "{{ matrix_mautrix_whatsapp_base_path }}/data" -matrix_mautrix_whatsapp_homeserver_address: "http://matrix-synapse:8008" +matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mautrix_whatsapp_homeserver_domain: "{{ matrix_domain }}" matrix_mautrix_whatsapp_appservice_address: "http://matrix-mautrix-whatsapp:8080" diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 25f6ae06..252fb9e1 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -11,7 +11,8 @@ matrix_mx_puppet_discord_container_image_self_build_repo: "https://github.com/ma # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_discord_container_http_host_bind_port: '' -matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:latest" +matrix_mx_puppet_discord_version: latest +matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:{{ matrix_mx_puppet_discord_version }}" matrix_mx_puppet_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_discord_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_discord_docker_image_force_pull: "{{ matrix_mx_puppet_discord_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml index c0bafcf0..53676e83 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -11,7 +11,8 @@ matrix_mx_puppet_groupme_container_image_self_build_repo: "https://gitlab.com/ro # Takes an ":" or "" value (e.g. "127.0.0.1:8437"), or empty string to not expose. matrix_mx_puppet_groupme_container_http_host_bind_port: '' -matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:latest" +matrix_mx_puppet_groupme_version: latest +matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:{{ matrix_mx_puppet_groupme_version }}" matrix_mx_puppet_groupme_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_groupme_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_groupme_docker_image_force_pull: "{{ matrix_mx_puppet_groupme_docker_image.endswith(':latest') }}" @@ -22,7 +23,7 @@ matrix_mx_puppet_groupme_docker_src_files_path: "{{ matrix_mx_puppet_groupme_bas matrix_mx_puppet_groupme_appservice_port: "8437" -matrix_mx_puppet_groupme_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_groupme_homeserver_address: "{{ matrix_homeserver_container_url }}" matrix_mx_puppet_groupme_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_groupme_appservice_address: 'http://matrix-mx-puppet-groupme:{{ matrix_mx_puppet_groupme_appservice_port }}' diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml index 4c9fbd98..b14ed0f8 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -6,7 +6,8 @@ matrix_mx_puppet_instagram_enabled: true matrix_mx_puppet_instagram_container_image_self_build: false matrix_mx_puppet_instagram_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-instagram.git" -matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:latest" +matrix_mx_puppet_instagram_version: latest +matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:{{ matrix_mx_puppet_instagram_version }}" matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_instagram_docker_image_force_pull: "{{ matrix_mx_puppet_instagram_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 53c8e379..c68c4160 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -6,7 +6,8 @@ matrix_mx_puppet_skype_enabled: true matrix_mx_puppet_skype_container_image_self_build: false matrix_mx_puppet_skype_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-skype.git" -matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:latest" +matrix_mx_puppet_skype_version: latest +matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:{{ matrix_mx_puppet_skype_version }}" matrix_mx_puppet_skype_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_skype_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index b1fb7487..c5b046f4 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -11,7 +11,8 @@ matrix_mx_puppet_slack_container_image_self_build_repo: "https://github.com/Soru # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_slack_container_http_host_bind_port: '' -matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:latest" +matrix_mx_puppet_slack_version: latest +matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:{{ matrix_mx_puppet_slack_version }}" matrix_mx_puppet_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_slack_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index c3ac977e..aee4da2c 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -11,7 +11,8 @@ matrix_mx_puppet_steam_container_image_self_build_repo: "https://github.com/icew # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_steam_container_http_host_bind_port: '' -matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:latest" +matrix_mx_puppet_steam_version: latest +matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:{{ matrix_mx_puppet_steam_version }}" matrix_mx_puppet_steam_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_steam_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_steam_docker_image_force_pull: "{{ matrix_mx_puppet_steam_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index d8582e53..a8b811d8 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -11,7 +11,8 @@ matrix_mx_puppet_twitter_container_image_self_build_repo: "https://github.com/So # Takes an ":" or "" value (e.g. "127.0.0.1:8432"), or empty string to not expose. matrix_mx_puppet_twitter_container_http_host_bind_port: '' -matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:latest" +matrix_mx_puppet_twitter_version: latest +matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:{{ matrix_mx_puppet_twitter_version }}" matrix_mx_puppet_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_twitter_container_image_self_build else 'docker.io/' }}" matrix_mx_puppet_twitter_docker_image_force_pull: "{{ matrix_mx_puppet_twitter_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 3c6b4c61..0382a2b2 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,8 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.5" +matrix_sms_bridge_version: 0.5.5 +matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index db2e7945..fc6f30f9 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,8 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21" +matrix_client_element_version: v1.7.21 +matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 0be0cae6..6497acf7 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -2,7 +2,7 @@ - name: Create user account command: | - /usr/local/bin/matrix-synapse-register-user janitor '{{ matrix_awx_janitor_user_password }}' 1 + /usr/local/bin/matrix-synapse-register-user janitor {{ matrix_awx_janitor_user_password | quote }} 1 register: cmd when: not matrix_awx_janitor_user_created|bool no_log: True diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 4b4c46c9..c35e4b22 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -22,9 +22,10 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] +matrix_corporal_version: 2.1.0 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}" -matrix_corporal_docker_image_tag: "2.1.0" +matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 8e781306..4f27e0d9 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -3,7 +3,8 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git" -matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.2" +matrix_coturn_version: 4.5.2 +matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 index 622cd80a..52894541 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 @@ -3,8 +3,8 @@ Description=Reloads matrix-coturn periodically so that new SSL certificates can [Timer] Unit=matrix-coturn-reload.service -OnCalendar=Sunday *-*-* 13:00:00 -RandomizedDelaySec=3h +OnCalendar=*-*-* 06:30:00 +RandomizedDelaySec=1h [Install] WantedBy=timers.target diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 8a691946..e4ded37a 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -12,7 +12,8 @@ matrix_dimension_widgets_allow_self_signed_ssl_certificates: false matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" -matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:latest" +matrix_dimension_version: latest +matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:{{ matrix_dimension_version }}" matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}" # List of systemd services that matrix-dimension.service depends on. diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index b33961c1..1ec681da 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -4,8 +4,10 @@ matrix_dynamic_dns_enabled: true # The dynamic dns daemon interval matrix_dynamic_dns_daemon_interval: '300' +matrix_dynamic_dns_version: v3.9.1-ls45 + # The docker container to use when in mode -matrix_dynamic_dns_docker_image: '{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:v3.9.1-ls45' +matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else 'docker.io/' }}" diff --git a/roles/matrix-email2matrix/defaults/main.yml b/roles/matrix-email2matrix/defaults/main.yml index 7917decf..b5593882 100644 --- a/roles/matrix-email2matrix/defaults/main.yml +++ b/roles/matrix-email2matrix/defaults/main.yml @@ -3,7 +3,8 @@ matrix_email2matrix_enabled: true matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix" matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config" -matrix_email2matrix_docker_image: "docker.io/devture/email2matrix:1.0.1" +matrix_email2matrix_version: 1.0.1 +matrix_email2matrix_docker_image: "docker.io/devture/email2matrix:{{ matrix_email2matrix_version }}" matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 7c63fe03..27589b2a 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -2,7 +2,8 @@ matrix_etherpad_enabled: false matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" -matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:1.8.7" +matrix_etherpad_version: 1.8.7 +matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:{{ matrix_etherpad_version }}" matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" # List of systemd services that matrix-etherpad.service depends on. @@ -22,12 +23,7 @@ matrix_etherpad_user_gid: '5001' matrix_etherpad_container_http_host_bind_port: '' # A list of extra arguments to pass to the container -# -# We assume that a reverse proxy is used and tell the container to trust it -# Details: https://github.com/ether/etherpad-lite/blob/develop/doc/docker.md -matrix_etherpad_container_extra_arguments: [ - '--env TRUST_PROXY=true' -] +matrix_etherpad_container_extra_arguments: [] matrix_etherpad_public_endpoint: '/etherpad' diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 00ed947e..876e5f6f 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,8 @@ matrix_grafana_enabled: false -matrix_grafana_docker_image: "docker.io/grafana/grafana:7.4.0" +matrix_grafana_version: 7.4.0 +matrix_grafana_docker_image: "docker.io/grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" # Not conditional, because when someone disables metrics diff --git a/roles/matrix-grafana/tasks/setup.yml b/roles/matrix-grafana/tasks/setup.yml index 581e6617..c2eea348 100644 --- a/roles/matrix-grafana/tasks/setup.yml +++ b/roles/matrix-grafana/tasks/setup.yml @@ -28,7 +28,7 @@ - "{{ matrix_grafana_config_path }}/dashboards" - "{{ matrix_grafana_data_path }}" when: matrix_grafana_enabled|bool - + - name: Ensure grafana.ini present template: src: "{{ role_path }}/templates/grafana.ini.j2" @@ -37,7 +37,7 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" when: matrix_grafana_enabled|bool - + - name: Ensure provisioning/datasources/default.yaml present template: src: "{{ role_path }}/templates/datasources.yaml.j2" @@ -46,7 +46,7 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" when: matrix_grafana_enabled|bool - + - name: Ensure provisioning/dashboards/default.yaml present template: src: "{{ role_path }}/templates/dashboards.yaml.j2" @@ -55,7 +55,7 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" when: matrix_grafana_enabled|bool - + - name: Ensure dashboard(s) downloaded get_url: url: "{{ item }}" @@ -108,8 +108,3 @@ daemon_reload: yes when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists" -- name: Ensure matrix-grafana Docker image doesn't exist - docker_image: - name: "{{ matrix_grafana_docker_image }}" - state: absent - when: "not matrix_grafana_enabled|bool" diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 028d9c19..b7434dd3 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -52,7 +52,8 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_container_image_tag: "stable-5142" +matrix_jitsi_version: stable-5142 +matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "docker.io/jitsi/web:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index 18608ef4..4c29f47a 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,8 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93-r1" +matrix_mailer_version: 4.93-r1 +matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else 'docker.io/' }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index d46d5480..ff550533 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,13 +1,15 @@ matrix_nginx_proxy_enabled: true +matrix_nginx_proxy_version: 1.19.6-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.6-alpine" +matrix_nginx_proxy_docker_image: "docker.io/nginx:{{ matrix_nginx_proxy_version }}" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data" +matrix_nginx_proxy_data_path_in_container: "/nginx-data" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d" # List of systemd services that matrix-nginx-proxy.service depends on @@ -110,6 +112,10 @@ matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" +# The port name used for federation in the nginx configuration. +# This is not necessarily the port that it's actually on, +# as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container. +matrix_nginx_proxy_proxy_matrix_federation_port: 8448 # Controls whether proxying the dimension domain should be done. matrix_nginx_proxy_proxy_dimension_enabled: false diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index f0b14327..5bf9102d 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -11,7 +11,6 @@ - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal" - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter" - "/etc/cron.d/matrix-ssl-lets-encrypt" - - "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" # # Tasks related to setting up Let's Encrypt's management of certificates diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 2ab78a1b..41497416 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -199,10 +199,10 @@ server { #} server { {% if matrix_nginx_proxy_https_enabled %} - listen 8448 ssl http2; - listen [::]:8448 ssl http2; + listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2; + listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2; {% else %} - listen 8448; + listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }}; {% endif %} server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 90ad6a3f..c4000fa9 100755 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -30,15 +30,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ -p {{ matrix_nginx_proxy_container_https_host_bind_port }}:8443 \ {% endif %} {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled and matrix_nginx_proxy_container_federation_host_bind_port %} - -p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:8448 \ + -p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} \ {% endif %} --mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ - {% if matrix_awx_enabled|bool == false or matrix_nginx_proxy_base_domain_homepage_enabled %} - --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/nginx-data,ro \ - {% endif %} - {% if matrix_awx_enabled and matrix_nginx_proxy_base_domain_homepage_enabled|bool == false %} - --mount type=bind,src=/chroot/website,dst=/nginx-data/matrix-domain,ro \ - {% endif %} + --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst={{ matrix_nginx_proxy_data_path_in_container }},ro \ --mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \ {% if matrix_ssl_retrieval_method != 'none' %} --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \ diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 index 91b13b29..b1e1c21e 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 @@ -3,8 +3,8 @@ Description=Renews Let's Encrypt SSL certificates periodically [Timer] Unit=matrix-ssl-lets-encrypt-certificates-renew.service -OnCalendar=Sunday *-*-* 05:00:00 -RandomizedDelaySec=3h +OnCalendar=*-*-* 04:00:00 +RandomizedDelaySec=2h [Install] WantedBy=timers.target diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 index 73c1848e..09cb6dad 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 @@ -3,8 +3,8 @@ Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates [Timer] Unit=matrix-ssl-nginx-proxy-reload.service -OnCalendar=Sunday *-*-* 13:00:00 -RandomizedDelaySec=3h +OnCalendar=*-*-* 06:30:00 +RandomizedDelaySec=1h [Install] WantedBy=timers.target diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index 29dce364..47611f7c 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -3,7 +3,8 @@ matrix_prometheus_node_exporter_enabled: false -matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:v1.1.0" +matrix_prometheus_node_exporter_version: v1.1.0 +matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-prometheus-node-exporter/tasks/setup.yml b/roles/matrix-prometheus-node-exporter/tasks/setup.yml index 6f03fbaa..34086e6c 100644 --- a/roles/matrix-prometheus-node-exporter/tasks/setup.yml +++ b/roles/matrix-prometheus-node-exporter/tasks/setup.yml @@ -52,9 +52,3 @@ service: daemon_reload: yes when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists" - -- name: Ensure matrix-prometheus-node-exporter Docker image doesn't exist - docker_image: - name: "{{ matrix_prometheus_node_exporter_docker_image }}" - state: absent - when: "not matrix_prometheus_node_exporter_enabled|bool" diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 56018ba6..123418d4 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,8 @@ matrix_prometheus_enabled: false -matrix_prometheus_docker_image: "docker.io/prom/prometheus:v2.24.1" +matrix_prometheus_version: v2.24.1 +matrix_prometheus_docker_image: "docker.io/prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus" diff --git a/roles/matrix-prometheus/tasks/setup_uninstall.yml b/roles/matrix-prometheus/tasks/setup_uninstall.yml index 0a4a8cb6..dd46a222 100644 --- a/roles/matrix-prometheus/tasks/setup_uninstall.yml +++ b/roles/matrix-prometheus/tasks/setup_uninstall.yml @@ -23,9 +23,3 @@ service: daemon_reload: yes when: "matrix_prometheus_service_stat.stat.exists|bool" - -- name: Ensure matrix-prometheus Docker image doesn't exist - docker_image: - name: "{{ matrix_prometheus_docker_image }}" - state: absent - when: "not matrix_prometheus_enabled|bool" diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml index 74728d87..a512618c 100644 --- a/roles/matrix-redis/defaults/main.yml +++ b/roles/matrix-redis/defaults/main.yml @@ -5,7 +5,8 @@ matrix_redis_connection_password: "" matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" -matrix_redis_docker_image_v6: "docker.io/redis:6.0.10-alpine" +matrix_redis_version: 6.0.10-alpine +matrix_redis_docker_image_v6: "docker.io/redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index ce0ccd39..1534bc82 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,8 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:0.7.0" +matrix_synapse_admin_version: 0.7.0 +matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else 'docker.io/' }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 5da48c08..9086884b 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,7 +15,9 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_docker_image_tag: "{{ 'v1.27.0' if matrix_architecture in ['arm32', 'amd64'] else 'v1.26.0' }}" +matrix_synapse_version: v1.28.0 +matrix_synapse_version_arm64: v1.28.0 +matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 99169b8a..09e11f7b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -141,6 +141,7 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} # - '100.64.0.0/10' # - '192.0.0.0/24' # - '169.254.0.0/16' +# - '192.88.99.0/24' # - '198.18.0.0/15' # - '192.0.2.0/24' # - '198.51.100.0/24' @@ -149,6 +150,9 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} # - '::1/128' # - 'fe80::/10' # - 'fc00::/7' +# - '2001:db8::/32' +# - 'ff00::/8' +# - 'fec0::/10' # List of IP address CIDR ranges that should be allowed for federation, # identity servers, push servers, and for checking key validity for @@ -993,6 +997,7 @@ url_preview_ip_range_blacklist: - '100.64.0.0/10' - '192.0.0.0/24' - '169.254.0.0/16' + - '192.88.99.0/24' - '198.18.0.0/15' - '192.0.2.0/24' - '198.51.100.0/24' @@ -1001,6 +1006,9 @@ url_preview_ip_range_blacklist: - '::1/128' - 'fe80::/10' - 'fc00::/7' + - '2001:db8::/32' + - 'ff00::/8' + - 'fec0::/10' # List of IP address CIDR ranges that the URL preview spider is allowed # to access even if they are specified in url_preview_ip_range_blacklist. @@ -1327,6 +1335,8 @@ account_threepid_delegates: # By default, any room aliases included in this list will be created # as a publicly joinable room when the first user registers for the # homeserver. This behaviour can be customised with the settings below. +# If the room already exists, make certain it is a publicly joinable +# room. The join rule of the room must be set to 'public'. # #auto_join_rooms: # - "#example:example.com" @@ -1869,9 +1879,9 @@ oidc_providers: # user_mapping_provider: # config: # subject_claim: "id" - # localpart_template: "{ user.login }" - # display_name_template: "{ user.name }" - # email_template: "{ user.email }" + # localpart_template: "{% raw %}{{ user.login }}{% endraw %}" + # display_name_template: "{% raw %}{{ user.name }}{% endraw %}" + # email_template: "{% raw %}{{ user.email }}{% endraw %}" # For use with Keycloak # @@ -1898,8 +1908,8 @@ oidc_providers: # user_mapping_provider: # config: # subject_claim: "id" - # localpart_template: "{ user.login }" - # display_name_template: "{ user.name }" + # localpart_template: "{% raw %}{{ user.login }}{% endraw %}" + # display_name_template: "{% raw %}{{ user.name }}{% endraw %}" # Enable Central Authentication Service (CAS) for registration and login. @@ -2227,11 +2237,11 @@ password_config: #require_uppercase: true ui_auth: - # The number of milliseconds to allow a user-interactive authentication - # session to be active. + # The amount of time to allow a user-interactive authentication session + # to be active. # # This defaults to 0, meaning the user is queried for their credentials - # before every action, but this can be overridden to alow a single + # before every action, but this can be overridden to allow a single # validation to be re-used. This weakens the protections afforded by # the user-interactive authentication process, by allowing for multiple # (and potentially different) operations to use the same validation session. @@ -2239,7 +2249,7 @@ ui_auth: # Uncomment below to allow for credential validation to last for 15 # seconds. # - #session_timeout: 15000 + #session_timeout: "15s" {% if matrix_synapse_email_enabled %} diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 0f5e7be2..ee858183 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -22,6 +22,11 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_wor --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ --network={{ matrix_docker_network }} \ + {% if matrix_synapse_worker_details.port != 0 %} + --health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \ + {% else %} + --no-healthcheck \ + {% endif %} {% if matrix_synapse_workers_enabled and matrix_synapse_workers_container_host_bind_address %} {% if matrix_synapse_worker_details.port != 0 %} -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ matrix_synapse_worker_details.port }}:{{ matrix_synapse_worker_details.port }} \ diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index 3adfd9c3..14b75a92 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -107,7 +107,8 @@ matrix_synapse_workers_generic_worker_endpoints: # Ensure that all SSO logins go to a single process. # For multiple workers not handling the SSO endpoints properly, see - # [#7530](https://github.com/matrix-org/synapse/issues/7530). + # [#7530](https://github.com/matrix-org/synapse/issues/7530) and + # [#9427](https://github.com/matrix-org/synapse/issues/9427). # Note that a HTTP listener with `client` and `federation` resources must be # configured in the `worker_listeners` option in the worker config. @@ -203,7 +204,15 @@ matrix_synapse_workers_generic_worker_endpoints: # REST endpoints itself, but you should set `start_pushers: False` in the # shared configuration file to stop the main synapse sending push notifications. - # Note this worker cannot be load-balanced: only one instance should be active. + # To run multiple instances at once the `pusher_instances` option should list all + # pusher instances by their worker name, e.g.: + + # ```yaml + # pusher_instances: + # - pusher_worker1 + # - pusher_worker2 + # ``` + # ] # appservice worker (no API endpoints) [ From fef6d5762642777778fc630bf6590755140e21c1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 28 Feb 2021 18:42:09 +0200 Subject: [PATCH 1979/2384] Remove alembic migrations for mautrix-facebook They're gone now: https://github.com/tulir/mautrix-facebook/commit/b8ce80e476ac49c8b4d538321b74fe2b014d6460 --- .../systemd/matrix-mautrix-facebook.service.j2 | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index acd2c885..f3af4b9f 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -16,20 +16,6 @@ Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' -# This bridge uses another mechanism for migrations now (migrations happen automatically during regular startup), -# so going forward, running this alembic stuff will not necessary. -# People who are upgrading from an older version of the bridge should go through this migration -# first though, so we're keeping it around for now. -ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook-db \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - -v {{ matrix_mautrix_facebook_config_path }}:/config:z \ - -v {{ matrix_mautrix_facebook_data_path }}:/data:z \ - {{ matrix_mautrix_facebook_docker_image }} \ - alembic -x config=/config/config.yaml upgrade head - # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 From c527f2930e758b0a392519d1785d170f3f1874eb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 1 Mar 2021 15:53:54 +0200 Subject: [PATCH 1980/2384] Upgrade Element (1.7.21 -> 1.7.22) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index fc6f30f9..634c0894 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.21 +matrix_client_element_version: v1.7.22 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From a25b8135b8adab3adac78a49d43c2c25ae3faa95 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 1 Mar 2021 20:27:45 +0200 Subject: [PATCH 1981/2384] Fix point overlap between matrix-domain and Jitsi Mostly affects people who disable the integrated `matrix-nginx-proxy`. Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456 and more specifically 4d62a75f6f46becb0ece. --- examples/caddy2/Caddyfile | 12 ++++++------ group_vars/matrix_servers | 4 ++-- roles/matrix-jitsi/defaults/main.yml | 2 +- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index d13b9788..8999f299 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -101,7 +101,7 @@ element.DOMAIN.tld { # creates letsencrypt certificate # tls your@email.com - + header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" @@ -128,10 +128,10 @@ element.DOMAIN.tld { } #dimension.DOMAIN.tld { -# +# # # creates letsencrypt certificate # # tls your@email.com -# +# # header { # # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS # Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" @@ -160,7 +160,7 @@ element.DOMAIN.tld { #jitsi.DOMAIN.tld { -# +# # creates letsencrypt certificate # tls your@email.com # @@ -193,7 +193,7 @@ element.DOMAIN.tld { # handle { # encode zstd gzip # -# reverse_proxy 127.0.0.1:12080 { +# reverse_proxy 127.0.0.1:13080 { # header_up X-Forwarded-Port {http.request.port} # header_up X-Forwarded-Proto {http.request.scheme} # header_up X-Forwarded-TlsProto {tls_protocol} @@ -201,4 +201,4 @@ element.DOMAIN.tld { # header_up X-Forwarded-HttpsProto {proto} # } # } -#} \ No newline at end of file +#} diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 13172a63..3cd906e8 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -905,9 +905,9 @@ matrix_jitsi_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Jitsi HTTP port to the local host. -matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:12080' }}" +matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13080' }}" -matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:12090' }}" +matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13090' }}" matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}" matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}" diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index b7434dd3..16206840 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -73,7 +73,7 @@ matrix_jitsi_etherpad_enabled: false # Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container). # -# Takes an ":" or "" value (e.g. "127.0.0.1:12080"), or empty string to not expose. +# Takes an ":" or "" value (e.g. "127.0.0.1:13080"), or empty string to not expose. matrix_jitsi_web_container_http_host_bind_port: '' # A list of extra arguments to pass to the container diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index eb3d67b1..a20d8a73 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -17,7 +17,7 @@ proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:12080; + proxy_pass http://127.0.0.1:13080; {% endif %} proxy_set_header Host $host; @@ -32,7 +32,7 @@ proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:12090; + proxy_pass http://127.0.0.1:13090; {% endif %} proxy_set_header Host $host; From 009efdad4944a32f88ed754c8095617a9d473af9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 2 Mar 2021 07:59:59 +0200 Subject: [PATCH 1982/2384] Fix matrix.DOMAIN/_synapse/metrics exposing This is something that got lost during https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456 and more specifically 4d62a75f6f46becb0ece. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/914 --- roles/matrix-nginx-proxy/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a4fbd002..720d9150 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -193,6 +193,8 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else []) + (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else []) + + + (['/_synapse/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else []) }} # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected. From 31d2e013f72053f0248db69e51a7c56227cfcaf2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 2 Mar 2021 08:02:31 +0200 Subject: [PATCH 1983/2384] Fix typo --- docs/configuring-playbook-prometheus-grafana.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 98d1f604..310eac6a 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -59,7 +59,7 @@ Name | Description `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable) -## More inforation +## More information - [Understanding Synapse Performance Issues Through Grafana Graphs](https://github.com/matrix-org/synapse/wiki/Understanding-Synapse-Performance-Issues-Through-Grafana-Graphs) at the Synapse Github Wiki - [The Prometheus scraping rules](https://github.com/matrix-org/synapse/tree/master/contrib/prometheus) (we use v2) From 0de0716527923731e7fc474d3d184eeb7590b37d Mon Sep 17 00:00:00 2001 From: SierraKiloBravo Date: Tue, 2 Mar 2021 11:30:09 +0100 Subject: [PATCH 1984/2384] Added nginx proxy worker configuration to template and defaults --- roles/matrix-nginx-proxy/defaults/main.yml | 6 ++++++ roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 | 5 ++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 720d9150..3234a44c 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -364,3 +364,9 @@ matrix_nginx_proxy_synapse_generic_worker_federation_locations: [] matrix_nginx_proxy_synapse_media_repository_locations: [] matrix_nginx_proxy_synapse_user_dir_locations: [] matrix_nginx_proxy_synapse_frontend_proxy_locations: [] + +# The amount of worker processes and connections +# Consider increasing these when you are expecting high amounts of traffic +# http://nginx.org/en/docs/ngx_core_module.html#worker_connections +matrix_nginx_proxy_worker_processes: 1 +matrix_nginx_proxy_worker_connections: 1024 diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index facb0901..c35f9b24 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -8,14 +8,13 @@ # - various temp paths are changed to `/tmp`, so that a non-root user can write to them # - the `user` directive was removed, as we don't want nginx to switch users -worker_processes 1; - +worker_processes {{ matrix_nginx_proxy_worker_processes }}; error_log /var/log/nginx/error.log warn; pid /tmp/nginx.pid; events { - worker_connections 1024; + worker_connections {{ matrix_nginx_proxy_worker_connections }}; } From 7d1522d884e52c50724edb8a953d4b62b6d29342 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 2 Mar 2021 13:28:59 +0200 Subject: [PATCH 1985/2384] Add Ko-fi donation link --- .github/FUNDING.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml index bc3c8e75..6e7102bf 100644 --- a/.github/FUNDING.yml +++ b/.github/FUNDING.yml @@ -2,3 +2,5 @@ # https://liberapay.com/s.pantaleev/ liberapay: s.pantaleev +# https://ko-fi.com/spantaleev +ko_fi: spantaleev From be23249f4b32383d6bb1c6d81e742a4bc3a9c108 Mon Sep 17 00:00:00 2001 From: Markus Ullmann Date: Tue, 2 Mar 2021 20:07:59 +0100 Subject: [PATCH 1986/2384] Adjust wait timeout During first setup postgres takes its time to get up and running, resulting in "postgres in startup" exceptions from synapse if you run without additional services that come in between. Hence suggesting increasing the time a bit to avoid having an error which heals itself and thus is hard to spot for newcomers. --- roles/matrix-common-after/tasks/start.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index b1477cf6..300de94c 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -30,7 +30,7 @@ # as we may run into systemd's automatic restart logic retrying the service. - name: Wait a bit, so that services can start (or fail) wait_for: - timeout: 5 + timeout: 15 delegate_to: 127.0.0.1 become: false From 88d59f97c21eee0b6233d790f76b1be26cc7d5b3 Mon Sep 17 00:00:00 2001 From: foxcris <361299+foxcris@users.noreply.github.com> Date: Sat, 6 Mar 2021 11:43:59 +0100 Subject: [PATCH 1987/2384] - --- .../tasks/build_database_list.yml | 350 +++++++++--------- 1 file changed, 175 insertions(+), 175 deletions(-) diff --git a/roles/matrix-postgres-backup/tasks/build_database_list.yml b/roles/matrix-postgres-backup/tasks/build_database_list.yml index 9937c4d0..e1be70a0 100644 --- a/roles/matrix-postgres-backup/tasks/build_database_list.yml +++ b/roles/matrix-postgres-backup/tasks/build_database_list.yml @@ -1,176 +1,176 @@ - ---- - -# Detect wich databases have to backuped -# Default value is the "matrix_postgres_db_name" -# has to be extended for each service using a seperate db in postgres -# - name: Check if matrix_reminder_bot uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_bot_matrix_reminder_bot_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_bot_matrix_reminder_bot_database_engine == 'postgres' - -# - name: Check if matrix_appservice_discord uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_appservice_discord_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_appservice_discord_database_engine == 'postgres' - -# - name: Check if matrix_appservice_irc uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_appservice_irc_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_appservice_irc_database_engine == 'postgres' - -# - name: Check if matrix_appservice_slack_database uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_appservice_slack_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_appservice_slack_database_engine == 'postgres' - -# - name: Check if matrix_mautrix_facebook uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_facebook_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mautrix_facebook_database_engine == 'postgres' - -# - name: Check if matrix_mautrix_hangouts uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_hangouts_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mautrix_hangouts_database_engine == 'postgres' - -# - name: Check if matrix_mautrix_signal uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_signal_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mautrix_signal_database_engine == 'postgres' - -# - name: Check if matrix_mautrix_telegram uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_telegram_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mautrix_telegram_database_engine == 'postgres' - -# - name: Check if matrix_mautrix_whatsapp uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_whatsapp_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mautrix_whatsapp_database_engine == 'postgres' - -# - name: Check if matrix_mx_puppet_discord uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_discord_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mx_puppet_discord_database_engine == 'postgres' - -# - name: Check if matrix_mx_puppet_instagram uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_instagram_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mx_puppet_instagram_database_engine == 'postgres' - -# - name: Check if matrix_mx_puppet_skype uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_skype_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mx_puppet_skype_database_engine == 'postgres' - -# - name: Check if matrix_mx_puppet_slack uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_slack_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mx_puppet_slack_database_engine == 'postgres' - -# - name: Check if matrix_mx_puppet_steam uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_steam_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mx_puppet_steam_database_engine == 'postgres' - -# - name: Check if matrix_mx_puppet_twitter uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_twitter_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mx_puppet_twitter_database_engine == 'postgres' - -# - name: Check if matrix_dimension uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_dimension_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_dimension_database_engine == 'postgres' - -# - name: Check if matrix_etherpad uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_etherpad_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_etherpad_database_engine == 'postgres' - -# - name: Check if matrix_ma1sd uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_ma1sd_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_ma1sd_database_engine == 'postgres' - -# - name: Check if matrix_registration uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_registration_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_registration_database_engine == 'postgres' - -#- name: Build list of all databases to backup - part 1 -# set_fact: -# matrix_postgres_backup_db_list: '{% if item.enabled %}{% if matrix_postgres_backup_db_list=="" %}{{item.dbname}}{% else %}{{ matrix_postgres_backup_db_list }},{{item.dbname}}{% endif %}{% else %}{% endif %}' -# loop: -# - { enabled: '{{matrix_postgres_backup_matrix_reminder_bot_enabled|bool}}' , dbname: '{{ matrix_bot_matrix_reminder_bot_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_appservice_discord_enabled|bool}}' , dbname: '{{ matrix_appservice_discord_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_appservice_irc_enabled|bool}}' , dbname: '{{ matrix_appservice_irc_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_appservice_slack_enabled|bool}}' , dbname: '{{ matrix_appservice_slack_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_facebook_enabled|bool}}' , dbname: '{{ matrix_mautrix_facebook_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_hangouts_enabled|bool}}' , dbname: '{{ matrix_mautrix_hangouts_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_signal_enabled|bool}}' , dbname: '{{ matrix_mautrix_signal_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_telegram_enabled|bool}}' , dbname: '{{ matrix_mautrix_telegram_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_whatsapp_enabled|bool}}' , dbname: '{{ matrix_mautrix_whatsapp_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_instagram_enabled|bool}}' , dbname: '{{ matrix_postgres_backup_matrix_mx_puppet_instagram_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_skype_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_skype_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_slack_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_slack_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_steam_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_steam_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_twitter_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_twitter_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_dimension_enabled|bool}}' , dbname: '{{ matrix_dimension_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_etherpad_enabled|bool}}' , dbname: '{{ matrix_etherpad_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_ma1sd_enabled|bool}}' , dbname: '{{ matrix_ma1sd_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_registration_enabled|bool}}' , dbname: '{{ matrix_registration_database_engine }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_synapse_enabled|bool}}' , dbname: '{{ matrix_postgres_db_name }}' } - -- name: Build list of all databases to backup - part 2 - set_fact: - matrix_postgres_backup_db_list_prepare: "{% set res = [ ] %}{% for db in matrix_postgres_backup_db_dict %}{% if db.enabled %}{% set ignored = res.append(db.dbname) %}{% endif %}{% endfor %}{{ res }}" - -- name: Build list of all databases to backup - part 1 - set_fact: - matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list_prepare | join(',') }}" - -- name: Going to backup the following list of databases - debug: - msg: "{{ matrix_postgres_backup_db_list }}" - when: matrix_postgres_backup_enabled|bool + +--- + +# Detect wich databases have to backuped +# Default value is the "matrix_postgres_db_name" +# has to be extended for each service using a seperate db in postgres +# - name: Check if matrix_reminder_bot uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_bot_matrix_reminder_bot_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_bot_matrix_reminder_bot_database_engine == 'postgres' + +# - name: Check if matrix_appservice_discord uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_appservice_discord_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_appservice_discord_database_engine == 'postgres' + +# - name: Check if matrix_appservice_irc uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_appservice_irc_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_appservice_irc_database_engine == 'postgres' + +# - name: Check if matrix_appservice_slack_database uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_appservice_slack_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_appservice_slack_database_engine == 'postgres' + +# - name: Check if matrix_mautrix_facebook uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_facebook_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mautrix_facebook_database_engine == 'postgres' + +# - name: Check if matrix_mautrix_hangouts uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_hangouts_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mautrix_hangouts_database_engine == 'postgres' + +# - name: Check if matrix_mautrix_signal uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_signal_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mautrix_signal_database_engine == 'postgres' + +# - name: Check if matrix_mautrix_telegram uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_telegram_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mautrix_telegram_database_engine == 'postgres' + +# - name: Check if matrix_mautrix_whatsapp uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_whatsapp_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mautrix_whatsapp_database_engine == 'postgres' + +# - name: Check if matrix_mx_puppet_discord uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_discord_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mx_puppet_discord_database_engine == 'postgres' + +# - name: Check if matrix_mx_puppet_instagram uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_instagram_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mx_puppet_instagram_database_engine == 'postgres' + +# - name: Check if matrix_mx_puppet_skype uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_skype_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mx_puppet_skype_database_engine == 'postgres' + +# - name: Check if matrix_mx_puppet_slack uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_slack_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mx_puppet_slack_database_engine == 'postgres' + +# - name: Check if matrix_mx_puppet_steam uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_steam_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mx_puppet_steam_database_engine == 'postgres' + +# - name: Check if matrix_mx_puppet_twitter uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_twitter_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_mx_puppet_twitter_database_engine == 'postgres' + +# - name: Check if matrix_dimension uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_dimension_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_dimension_database_engine == 'postgres' + +# - name: Check if matrix_etherpad uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_etherpad_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_etherpad_database_engine == 'postgres' + +# - name: Check if matrix_ma1sd uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_ma1sd_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_ma1sd_database_engine == 'postgres' + +# - name: Check if matrix_registration uses postgres database +# set_fact: +# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_registration_database_name }}" +# when: +# - matrix_postgres_backup_enabled|bool +# - matrix_registration_database_engine == 'postgres' + +#- name: Build list of all databases to backup - part 1 +# set_fact: +# matrix_postgres_backup_db_list: '{% if item.enabled %}{% if matrix_postgres_backup_db_list=="" %}{{item.dbname}}{% else %}{{ matrix_postgres_backup_db_list }},{{item.dbname}}{% endif %}{% else %}{% endif %}' +# loop: +# - { enabled: '{{matrix_postgres_backup_matrix_reminder_bot_enabled|bool}}' , dbname: '{{ matrix_bot_matrix_reminder_bot_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_appservice_discord_enabled|bool}}' , dbname: '{{ matrix_appservice_discord_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_appservice_irc_enabled|bool}}' , dbname: '{{ matrix_appservice_irc_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_appservice_slack_enabled|bool}}' , dbname: '{{ matrix_appservice_slack_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_facebook_enabled|bool}}' , dbname: '{{ matrix_mautrix_facebook_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_hangouts_enabled|bool}}' , dbname: '{{ matrix_mautrix_hangouts_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_signal_enabled|bool}}' , dbname: '{{ matrix_mautrix_signal_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_telegram_enabled|bool}}' , dbname: '{{ matrix_mautrix_telegram_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_whatsapp_enabled|bool}}' , dbname: '{{ matrix_mautrix_whatsapp_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_instagram_enabled|bool}}' , dbname: '{{ matrix_postgres_backup_matrix_mx_puppet_instagram_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_skype_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_skype_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_slack_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_slack_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_steam_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_steam_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_twitter_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_twitter_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_dimension_enabled|bool}}' , dbname: '{{ matrix_dimension_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_etherpad_enabled|bool}}' , dbname: '{{ matrix_etherpad_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_ma1sd_enabled|bool}}' , dbname: '{{ matrix_ma1sd_database_name }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_registration_enabled|bool}}' , dbname: '{{ matrix_registration_database_engine }}' } +# - { enabled: '{{matrix_postgres_backup_matrix_synapse_enabled|bool}}' , dbname: '{{ matrix_postgres_db_name }}' } + +- name: Build list of all databases to backup - part 2 + set_fact: + matrix_postgres_backup_db_list_prepare: "{% set res = [ ] %}{% for db in matrix_postgres_backup_db_dict %}{% if db.enabled %}{% set ignored = res.append(db.dbname) %}{% endif %}{% endfor %}{{ res }}" + +- name: Build list of all databases to backup - part 1 + set_fact: + matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list_prepare | join(',') }}" + +- name: Going to backup the following list of databases + debug: + msg: "{{ matrix_postgres_backup_db_list }}" + when: matrix_postgres_backup_enabled|bool \ No newline at end of file From df5cbcc2e18f6c039179cdae9bb5a0ce6e712213 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 6 Mar 2021 12:35:12 -0600 Subject: [PATCH 1988/2384] Make steps in configuring-playbook.md numbered instead of bullet points which make it more difficult to tell whether or not you completed all of the steps --- docs/configuring-playbook.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 34c52efc..1c836786 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -8,15 +8,15 @@ To configure the playbook, you need to have done the following things: You can then follow these steps inside the playbook directory: -- create a directory to hold your configuration (`mkdir inventory/host_vars/matrix.`) +1. create a directory to hold your configuration (`mkdir inventory/host_vars/matrix.`) -- copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/matrix./vars.yml`) +1. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/matrix./vars.yml`) -- edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at the various `roles/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. +1. edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at the various `roles/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. -- copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) +1. copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) -- edit the inventory hosts file (`inventory/hosts`) to your liking +1. edit the inventory hosts file (`inventory/hosts`) to your liking For a basic Matrix installation, that's all you need. From f0698ee6414d5006e6d904a96c1f6927a8efb124 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 8 Mar 2021 17:10:10 +0200 Subject: [PATCH 1989/2384] Do not overwrite X-Forwarded-For when reverse-proxying to Synapse We have a flow like this: 1. matrix.DOMAIN vhost (matrix-domain.conf) 2. matrix-synapse vhost (matrix-synapse.conf); or matrix-corporal container, if enabled 3. (optional) matrix-synapse vhost (matrix-synapse.conf), if matrix-corporal enabled 4. matrix-synapse container We are setting `X-Forwarded-For` correctly in step #1, but were overwriting it in step #2 with something inaccurate. Not doing anything in step #2 is better than doing the wrong thing. It's probably best if we append another reverse-proxy address there though, although what we're doing now (with this patch) seems to yield the correct result (when matrix-corporal is not enabled). When matrix-corporal is enabled, we still seem to do the wrong thing for some reason. It's something to be fixed later on. --- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 7041468e..4a3a355d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -79,7 +79,6 @@ server { location ~ {{ location }} { proxy_pass http://generic_worker_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; } {% endfor %} {% endif %} @@ -90,7 +89,6 @@ server { location ~ {{ location }} { proxy_pass http://media_repository_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; @@ -106,7 +104,6 @@ server { location ~ {{ location }} { proxy_pass http://user_dir_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; } {% endfor %} {% endif %} @@ -117,7 +114,6 @@ server { location ~ {{ location }} { proxy_pass http://frontend_proxy_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; } {% endfor %} {% if matrix_nginx_proxy_synapse_presence_disabled %} @@ -125,7 +121,6 @@ server { location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status { proxy_pass http://frontend_proxy_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; } {% endif %} {% endif %} @@ -150,7 +145,6 @@ server { {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; {% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} auth_basic "protected"; @@ -172,7 +166,6 @@ server { {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; @@ -199,7 +192,6 @@ server { location ~ {{ location }} { proxy_pass http://generic_worker_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; } {% endfor %} {% endif %} @@ -209,7 +201,6 @@ server { location ~ {{ location }} { proxy_pass http://media_repository_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; @@ -231,7 +222,6 @@ server { {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; From 9b72384df7a7663079b41ad17768ff9e9b4b9320 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 8 Mar 2021 17:19:01 +0200 Subject: [PATCH 1990/2384] Upgrade Synapse (1.28.0 -> 1.29.0) --- .../nginx/conf.d/matrix-domain.conf.j2 | 4 ++ roles/matrix-synapse/defaults/main.yml | 4 +- .../templates/synapse/homeserver.yaml.j2 | 56 ++++++++++++++----- 3 files changed, 49 insertions(+), 15 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 41497416..9d582618 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -47,6 +47,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; } {% endif %} @@ -64,6 +65,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; } {% endif %} @@ -98,6 +100,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; } {% endif %} @@ -122,6 +125,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 9086884b..9c8bfc69 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.28.0 -matrix_synapse_version_arm64: v1.28.0 +matrix_synapse_version: v1.29.0 +matrix_synapse_version_arm64: v1.29.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 09e11f7b..e03b3065 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -77,6 +77,14 @@ use_presence: {{ matrix_synapse_use_presence|to_json }} # #limit_profile_requests_to_users_who_share_rooms: true +# Uncomment to prevent a user's profile data from being retrieved and +# displayed in a room until they have joined it. By default, a user's +# profile data is included in an invite event, regardless of the values +# of the above two settings, and whether or not the users share a server. +# Defaults to 'true'. +# +#include_profile_data_on_invite: false + # If set to 'true', removes the need for authentication to access the server's # public rooms directory through the client API, meaning that anyone can # query the room directory. Defaults to 'false'. @@ -725,6 +733,12 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js # - matrix.org # - example.com +# Uncomment to disable profile lookup over federation. By default, the +# Federation API allows other homeservers to obtain profile data of any user +# on this homeserver. Defaults to 'true'. +# +#allow_profile_lookup_over_federation: false + ## Caching ## @@ -2578,19 +2592,35 @@ enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }} # User Directory configuration # -# 'enabled' defines whether users can search the user directory. If -# false then empty responses are returned to all queries. Defaults to -# true. -# -# 'search_all_users' defines whether to search all users visible to your HS -# when searching the user directory, rather than limiting to users visible -# in public rooms. Defaults to false. If you set it True, you'll have to -# rebuild the user_directory search indexes, see -# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md -# -#user_directory: -# enabled: true -# search_all_users: false +user_directory: + # Defines whether users can search the user directory. If false then + # empty responses are returned to all queries. Defaults to true. + # + # Uncomment to disable the user directory. + # + #enabled: false + + # Defines whether to search all users visible to your HS when searching + # the user directory, rather than limiting to users visible in public + # rooms. Defaults to false. + # + # If you set it true, you'll have to rebuild the user_directory search + # indexes, see: + # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md + # + # Uncomment to return search results containing all known users, even if that + # user does not share a room with the requester. + # + #search_all_users: true + + # Defines whether to prefer local users in search query results. + # If True, local users are more likely to appear above remote users + # when searching the user directory. Defaults to false. + # + # Uncomment to prefer local over remote users in user directory search + # results. + # + #prefer_local_users: true # User Consent configuration From 51e25474843c9ac572016e9d53d87537695e1a51 Mon Sep 17 00:00:00 2001 From: Yannick Goossens Date: Thu, 11 Mar 2021 19:23:01 +0100 Subject: [PATCH 1991/2384] Added support for the Go-NEB bot --- docs/configuring-dns.md | 3 + docs/configuring-playbook-bot-go-neb.md | 218 +++++++++++++++++ group_vars/matrix_servers | 24 ++ roles/matrix-base/defaults/main.yml | 3 + roles/matrix-bot-go-neb/defaults/main.yml | 225 ++++++++++++++++++ roles/matrix-bot-go-neb/tasks/init.yml | 3 + roles/matrix-bot-go-neb/tasks/main.yml | 21 ++ .../matrix-bot-go-neb/tasks/setup_install.yml | 50 ++++ .../tasks/setup_uninstall.yml | 35 +++ .../tasks/validate_config.yml | 13 + .../templates/config.yaml.j2 | 44 ++++ .../systemd/matrix-bot-go-neb.service.j2 | 46 ++++ roles/matrix-nginx-proxy/defaults/main.yml | 7 + .../tasks/setup_nginx_proxy.yml | 13 + .../nginx/conf.d/matrix-bot-go-neb.conf.j2 | 77 ++++++ setup.yml | 1 + 16 files changed, 783 insertions(+) create mode 100644 docs/configuring-playbook-bot-go-neb.md create mode 100644 roles/matrix-bot-go-neb/defaults/main.yml create mode 100644 roles/matrix-bot-go-neb/tasks/init.yml create mode 100644 roles/matrix-bot-go-neb/tasks/main.yml create mode 100644 roles/matrix-bot-go-neb/tasks/setup_install.yml create mode 100644 roles/matrix-bot-go-neb/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bot-go-neb/tasks/validate_config.yml create mode 100644 roles/matrix-bot-go-neb/templates/config.yaml.j2 create mode 100644 roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index c25b079e..a3815953 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -34,6 +34,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco | CNAME | `dimension` (*) | - | - | - | `matrix.` | | CNAME | `jitsi` (*) | - | - | - | `matrix.` | | CNAME | `stats` (*) | - | - | - | `matrix.` | +| CNAME | `goneb` (*) | - | - | - | `matrix.` | ## Subdomains setup @@ -48,6 +49,8 @@ The `jitsi.` subdomain may be necessary, because this playbook coul The `stats.` subdomain may be necessary, because this playbook could install [Grafana](https://grafana.com/) and setup performance metrics for you. Grafana installation is disabled by default, it is not a core required component. To learn how to install it, see our [metrics and graphs guide](configuring-playbook-prometheus-grafana.md). If you do not wish to set up Grafana, feel free to skip the `stats.` DNS record. It is possible to install Prometheus without installing Grafana, this would also not require the `stats.` subdomain. +The `goneb.` subdomain may be necessary, because this playbook could install the [Go-NEB](https://github.com/matrix-org/go-neb) bot. The installation of Go-NEB is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Go-NEB guide](configuring-playbook-bot-go-neb.md). If you do not wish to set up Go-NEB, feel free to skip the `goneb.` DNS record. + ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md new file mode 100644 index 00000000..d91dafa6 --- /dev/null +++ b/docs/configuring-playbook-bot-go-neb.md @@ -0,0 +1,218 @@ +# Setting up Go-NEB (optional) + +The playbook can install and configure [Go-NEB](https://github.com/matrix-org/go-neb) for you. + +Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python. + +See the project's [documentation](https://github.com/matrix-org/go-neb) to learn what it does and why it might be useful to you. + + +## Registering the bot users + +The playbook does not automatically create users for you. The bot requires at least 1 access token to be able to connect to your homeserver. + +You **need to register the bot user manually** before setting up the bot. + +Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. + +If you use curl, you can immediatly copy/paste the access token into the configuration file. + +``` +curl -X POST --header 'Content-Type: application/json' -d '{ + "identifier": { "type": "m.id.user", "user": "bot.go-neb" }, + "password": "a strong password", + "type": "m.login.password" +}' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login' +``` + +You can use also use the playbook to [register a new user](registering-users.md): + +``` +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.go-neb password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user +``` + +And then log in via element, but doing so might lead to decryption problems. That warning comes from [here](https://github.com/matrix-org/go-neb#quick-start) + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + +```yaml +matrix_bot_go_neb_enabled: true + +# You need at least 1 client. +matrix_bot_go_neb_clients: + - UserID: "@goneb:localhost" + AccessToken: "MDASDASJDIASDJASDAFGFRGER" + DeviceID: "DEVICE1" + HomeserverURL: "{{ matrix_homeserver_container_url }}" + Sync: true + AutoJoinRooms: true + DisplayName: "Go-NEB!" + AcceptVerificationFromUsers: [":localhost:8008"] + + - UserID: "@another_goneb:localhost" + AccessToken: "MDASDASJDIASDJASDAFGFRGER" + DeviceID: "DEVICE2" + HomeserverURL: "{{ matrix_homeserver_container_url }}" + Sync: false + AutoJoinRooms: false + DisplayName: "Go-NEB!" + AcceptVerificationFromUsers: ["^@admin:localhost:8008$"] + +# Optional, for use with the github_cmd, github_webhooks or jira services +matrix_bot_go_neb_realms: + - ID: "github_realm" + Type: "github" + Config: {} # No need for client ID or Secret as Go-NEB isn't generating OAuth URLs + +# Optional. The list of *authenticated* sessions which Go-NEB is aware of. +matrix_bot_go_neb_sessions: + - SessionID: "your_github_session" + RealmID: "github_realm" + UserID: "@YOUR_USER_ID:localhost" # This needs to be the username of the person that's allowed to use the !github commands + Config: + # Populate these fields by generating a "Personal Access Token" on github.com + AccessToken: "YOUR_GITHUB_ACCESS_TOKEN" + Scopes: "admin:org_hook,admin:repo_hook,repo,user" + +# The list of services which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureService for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest +# You need at least 1 service. +matrix_bot_go_neb_services: + - ID: "echo_service" + Type: "echo" + UserID: "@goneb:localhost" + Config: {} + +# Can be obtained from https://developers.giphy.com/dashboard/ + - ID: "giphy_service" + Type: "giphy" + UserID: "@goneb:localhost" # requires a Syncing client + Config: + api_key: "qwg4672vsuyfsfe" + use_downsized: false + +# This service has been dead for over a year :/ + - ID: "guggy_service" + Type: "guggy" + UserID: "@goneb:localhost" # requires a Syncing client + Config: + api_key: "2356saaqfhgfe" + +# API Key via https://developers.google.com/custom-search/v1/introduction +# CX via http://www.google.com/cse/manage/all +# https://stackoverflow.com/questions/6562125/getting-a-cx-id-for-custom-search-google-api-python +# 'Search the entire web' and 'Image search' enabled for best results + - ID: "google_service" + Type: "google" + UserID: "@goneb:localhost" # requires a Syncing client + Config: + api_key: "AIzaSyA4FD39m9" + cx: "AIASDFWSRRtrtr" + +# Get a key via https://api.imgur.com/oauth2/addclient +# Select "oauth2 without callback url" and use the clientid as api_key value + - ID: "imgur_service" + Type: "imgur" + UserID: "@imgur:localhost" # requires a Syncing client + Config: + api_key: "AIzaSyA4FD39m9" + + - ID: "wikipedia_service" + Type: "wikipedia" + UserID: "@goneb:localhost" # requires a Syncing client + Config: + + - ID: "rss_service" + Type: "rssbot" + UserID: "@another_goneb:localhost" + Config: + feeds: + "http://lorem-rss.herokuapp.com/feed?unit=second&interval=60": + rooms: ["!qmElAGdFYCHoCJuaNt:localhost"] + must_include: + author: + - author1 + description: + - lorem + - ipsum + must_not_include: + title: + - Lorem + - Ipsum + + - ID: "github_cmd_service" + Type: "github" + UserID: "@goneb:localhost" # requires a Syncing client + Config: + RealmID: "github_realm" + + # Make sure your BASE_URL can be accessed by Github! + - ID: "github_webhook_service" + Type: "github-webhook" + UserID: "@another_goneb:localhost" + Config: + RealmID: "github_realm" + ClientUserID: "@YOUR_USER_ID:localhost" # needs to be an authenticated user so Go-NEB can create webhooks. Check the UserID field in the github_realm in matrix_bot_go_neb_sessions. + Rooms: + "!someroom:id": + Repos: + "matrix-org/synapse": + Events: ["push", "issues"] + "matrix-org/dendron": + Events: ["pull_request"] + "!anotherroom:id": + Repos: + "matrix-org/synapse": + Events: ["push", "issues"] + "matrix-org/dendron": + Events: ["pull_request"] + + - ID: "slackapi_service" + Type: "slackapi" + UserID: "@slackapi:localhost" + Config: + Hooks: + "hook1": + RoomID: "!someroom:id" + MessageType: "m.text" # default is m.text + + - ID: "alertmanager_service" + Type: "alertmanager" + UserID: "@alertmanager:localhost" + Config: + # This is for information purposes only. It should point to Go-NEB path as follows: + # `/services/hooks/` + # Where in this case "service ID" is "alertmanager_service" + # Make sure your BASE_URL can be accessed by the Alertmanager instance! + webhook_url: "http://localhost/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U" + # Each room will get the notification with the alert rendered with the given template + rooms: + "!someroomid:domain.tld": + text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}" + html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}" + msg_type: "m.text" # Must be either `m.text` or `m.notice` +``` + + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +To use the bot, invite it to any existing Matrix room (`/invite @whatever_you_chose:DOMAIN` where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain, make sure you have permission from the room owner if that's not you). + +Basic usage is like this: `!echo hi` or `!imgur puppies` or `!giphy matrix` + +If you enabled the github_cmd service you can get the supported commands via `!github help` + +You can also refer to the upstream [Documentation](https://github.com/matrix-org/go-neb). diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3cd906e8..88e16d2a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -729,6 +729,27 @@ matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_se ###################################################################### +###################################################################### +# +# matrix-bot-go-neb +# +###################################################################### + +# We don't enable bots by default. +matrix_bot_go_neb_enabled: false + +matrix_bot_go_neb_systemd_required_services_list: | + {{ + ['docker.service'] + }} + +###################################################################### +# +# /matrix-bot-go-neb +# +###################################################################### + + ###################################################################### # # matrix-corporal @@ -1053,6 +1074,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" +matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" @@ -1123,6 +1145,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) + + ([matrix_server_fqn_jitsi] if matrix_jitsi_enabled else []) + ([matrix_server_fqn_grafana] if matrix_grafana_enabled else []) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 39a8cffc..5f1cf433 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -18,6 +18,9 @@ matrix_server_fqn_element: "element.{{ matrix_domain }}" # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" +# For use with Go-NEB! (github callback url for example) +matrix_server_fqn_bot_go_neb: "goneb.{{ matrix_domain }}" + # This is where you access Jitsi. matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" diff --git a/roles/matrix-bot-go-neb/defaults/main.yml b/roles/matrix-bot-go-neb/defaults/main.yml new file mode 100644 index 00000000..98478ce8 --- /dev/null +++ b/roles/matrix-bot-go-neb/defaults/main.yml @@ -0,0 +1,225 @@ +# Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python. +# See: https://github.com/matrix-org/go-neb + +matrix_bot_go_neb_enabled: false +matrix_bot_go_neb_version: latest +matrix_bot_go_neb_docker_image: "matrixdotorg/go-neb:{{ matrix_bot_go_neb_version }}" +matrix_bot_go_neb_docker_image_force_pull: "{{ matrix_bot_go_neb_docker_image.endswith(':latest') }}" + +matrix_bot_go_neb_base_path: "{{ matrix_base_data_path }}/go-neb" +matrix_bot_go_neb_config_path: "{{ matrix_bot_go_neb_base_path }}/config" +matrix_bot_go_neb_config_path_in_container: "/config/config.yaml" +matrix_bot_go_neb_data_path: "{{ matrix_bot_go_neb_base_path }}/data" +matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store" + +# A list of extra arguments to pass to the container +matrix_bot_go_neb_container_extra_arguments: [] + +# List of systemd services that matrix-bot-go-neb.service depends on +matrix_bot_go_neb_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-bot-go-neb.service wants +matrix_bot_go_neb_systemd_wanted_services_list: [] + +# Database-related configuration fields. +# +# MUST be "sqlite3". No other type is supported. +matrix_bot_go_neb_database_engine: 'sqlite3' + +matrix_bot_go_neb_sqlite_database_path_local: "{{ matrix_bot_go_neb_data_path }}/bot.db" +matrix_bot_go_neb_sqlite_database_path_in_container: "/data/bot.db" + +matrix_bot_go_neb_storage_database: "{{ + { + 'sqlite3': (matrix_bot_go_neb_sqlite_database_path_in_container + '?_busy_timeout=5000'), + }[matrix_bot_go_neb_database_engine] +}}" + +# The bot's username(s). These users need to be created manually beforehand. +# The access tokens that the bot uses to authenticate. +# Generate one as described in +# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-dimension.md#access-token +# via curl. With the element method, you might run into decryption problems (see https://github.com/matrix-org/go-neb#quick-start) +matrix_bot_go_neb_clients: {} +# - UserID: "@goneb:localhost" +# AccessToken: "MDASDASJDIASDJASDAFGFRGER" +# DeviceID: "DEVICE1" +# HomeserverURL: "http://localhost:8008" +# Sync: true +# AutoJoinRooms: true +# DisplayName: "Go-NEB!" +# AcceptVerificationFromUsers: [":localhost:8008"] +# +# - UserID: "@another_goneb:localhost" +# AccessToken: "MDASDASJDIASDJASDAFGFRGER" +# DeviceID: "DEVICE2" +# HomeserverURL: "http://localhost:8008" +# Sync: false +# AutoJoinRooms: false +# DisplayName: "Go-NEB!" +# AcceptVerificationFromUsers: ["^@admin:localhost:8008$"] + +# The list of realms which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureAuthRealm for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest +matrix_bot_go_neb_realms: {} +# - ID: "github_realm" +# Type: "github" +# Config: {} # No need for client ID or Secret as Go-NEB isn't generating OAuth URLs + +# The list of *authenticated* sessions which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# The full list of options are shown below: there is no single HTTP endpoint +# which maps to this section. +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session +matrix_bot_go_neb_sessions: {} +# - SessionID: "your_github_session" +# RealmID: "github_realm" +# UserID: "@YOUR_USER_ID:localhost" # This needs to be the username of the person that's allowed to use the !github commands +# Config: +# # Populate these fields by generating a "Personal Access Token" on github.com +# AccessToken: "YOUR_GITHUB_ACCESS_TOKEN" +# Scopes: "admin:org_hook,admin:repo_hook,repo,user" + +# The list of services which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureService for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest +matrix_bot_go_neb_services: {} +# - ID: "echo_service" +# Type: "echo" +# UserID: "@goneb:localhost" +# Config: {} + +## Can be obtained from https://developers.giphy.com/dashboard/ +# - ID: "giphy_service" +# Type: "giphy" +# UserID: "@goneb:localhost" # requires a Syncing client +# Config: +# api_key: "qwg4672vsuyfsfe" +# use_downsized: false +# +## This service has been dead for over a year :/ +# - ID: "guggy_service" +# Type: "guggy" +# UserID: "@goneb:localhost" # requires a Syncing client +# Config: +# api_key: "2356saaqfhgfe" +# +## API Key via https://developers.google.com/custom-search/v1/introduction +## CX via http://www.google.com/cse/manage/all +## https://stackoverflow.com/questions/6562125/getting-a-cx-id-for-custom-search-google-api-python +## 'Search the entire web' and 'Image search' enabled for best results +# - ID: "google_service" +# Type: "google" +# UserID: "@goneb:localhost" # requires a Syncing client +# Config: +# api_key: "AIzaSyA4FD39m9" +# cx: "AIASDFWSRRtrtr" +# +## Get a key via https://api.imgur.com/oauth2/addclient +## Select "oauth2 without callback url" and use the clientid as api_key value +# - ID: "imgur_service" +# Type: "imgur" +# UserID: "@imgur:localhost" # requires a Syncing client +# Config: +# api_key: "AIzaSyA4FD39m9" +# +# - ID: "wikipedia_service" +# Type: "wikipedia" +# UserID: "@goneb:localhost" # requires a Syncing client +# Config: +# +# - ID: "rss_service" +# Type: "rssbot" +# UserID: "@another_goneb:localhost" +# Config: +# feeds: +# "http://lorem-rss.herokuapp.com/feed?unit=second&interval=60": +# rooms: ["!qmElAGdFYCHoCJuaNt:localhost"] +# must_include: +# author: +# - author1 +# description: +# - lorem +# - ipsum +# must_not_include: +# title: +# - Lorem +# - Ipsum +# +# - ID: "github_cmd_service" +# Type: "github" +# UserID: "@goneb:localhost" # requires a Syncing client +# Config: +# RealmID: "github_realm" +# +# # Make sure your BASE_URL can be accessed by Github! +# - ID: "github_webhook_service" +# Type: "github-webhook" +# UserID: "@another_goneb:localhost" +# Config: +# RealmID: "github_realm" +# ClientUserID: "@YOUR_USER_ID:localhost" # needs to be an authenticated user so Go-NEB can create webhooks. Check the UserID field in the github_realm in matrix_bot_go_neb_sessions. +# Rooms: +# "!someroom:id": +# Repos: +# "matrix-org/synapse": +# Events: ["push", "issues"] +# "matrix-org/dendron": +# Events: ["pull_request"] +# "!anotherroom:id": +# Repos: +# "matrix-org/synapse": +# Events: ["push", "issues"] +# "matrix-org/dendron": +# Events: ["pull_request"] +# +# - ID: "slackapi_service" +# Type: "slackapi" +# UserID: "@slackapi:localhost" +# Config: +# Hooks: +# "hook1": +# RoomID: "!someroom:id" +# MessageType: "m.text" # default is m.text +# +# - ID: "alertmanager_service" +# Type: "alertmanager" +# UserID: "@alertmanager:localhost" +# Config: +# # This is for information purposes only. It should point to Go-NEB path as follows: +# # `/services/hooks/` +# # Where in this case "service ID" is "alertmanager_service" +# # Make sure your BASE_URL can be accessed by the Alertmanager instance! +# webhook_url: "http://localhost/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U" +# # Each room will get the notification with the alert rendered with the given template +# rooms: +# "!someroomid:domain.tld": +# text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}" +# html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}" +# msg_type: "m.text" # Must be either `m.text` or `m.notice` + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_bot_go_neb_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_bot_go_neb_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_bot_go_neb_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_bot_go_neb_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_bot_go_neb_configuration_yaml`. + +matrix_bot_go_neb_configuration_extension: "{{ matrix_bot_go_neb_configuration_extension_yaml|from_yaml if matrix_bot_go_neb_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_bot_go_neb_configuration_yaml`. +matrix_bot_go_neb_configuration: "{{ matrix_bot_go_neb_configuration_yaml|from_yaml|combine(matrix_bot_go_neb_configuration_extension, recursive=True) }}" + diff --git a/roles/matrix-bot-go-neb/tasks/init.yml b/roles/matrix-bot-go-neb/tasks/init.yml new file mode 100644 index 00000000..169f5978 --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-go-neb.service'] }}" + when: matrix_bot_go_neb_enabled|bool diff --git a/roles/matrix-bot-go-neb/tasks/main.yml b/roles/matrix-bot-go-neb/tasks/main.yml new file mode 100644 index 00000000..1a4fe70a --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_bot_go_neb_enabled|bool" + tags: + - setup-all + - setup-bot-go-neb + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_bot_go_neb_enabled|bool" + tags: + - setup-all + - setup-bot-go-neb + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_bot_go_neb_enabled|bool" + tags: + - setup-all + - setup-bot-go-neb diff --git a/roles/matrix-bot-go-neb/tasks/setup_install.yml b/roles/matrix-bot-go-neb/tasks/setup_install.yml new file mode 100644 index 00000000..e26be080 --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/setup_install.yml @@ -0,0 +1,50 @@ +--- + +- set_fact: + matrix_bot_go_neb_requires_restart: false + +- name: Ensure go-neb paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_bot_go_neb_config_path }}", when: true } + - { path: "{{ matrix_bot_go_neb_data_path }}", when: true } + - { path: "{{ matrix_bot_go_neb_data_store_path }}", when: true } + when: "item.when|bool" + +- name: Ensure go-neb image is pulled + docker_image: + name: "{{ matrix_bot_go_neb_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_go_neb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_docker_image_force_pull }}" + +- name: Ensure go-neb config installed + copy: + content: "{{ matrix_bot_go_neb_configuration|to_nice_yaml }}" + dest: "{{ matrix_bot_go_neb_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-bot-go-neb.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-bot-go-neb.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service" + mode: 0644 + register: matrix_bot_go_neb_systemd_service_result + +- name: Ensure systemd reloaded after matrix-bot-go-neb.service installation + service: + daemon_reload: yes + when: "matrix_bot_go_neb_systemd_service_result.changed|bool" + +- name: Ensure matrix-bot-go-neb.service restarted, if necessary + service: + name: "matrix-bot-go-neb.service" + state: restarted + when: "matrix_bot_go_neb_requires_restart|bool" diff --git a/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml b/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml new file mode 100644 index 00000000..49ad1fe7 --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-go-neb service + stat: + path: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service" + register: matrix_bot_go_neb_service_stat + +- name: Ensure matrix-go-neb is stopped + service: + name: matrix-bot-go-neb + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_bot_go_neb_service_stat.stat.exists|bool" + +- name: Ensure matrix-bot-go-neb.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service" + state: absent + when: "matrix_bot_go_neb_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-bot-go-neb.service removal + service: + daemon_reload: yes + when: "matrix_bot_go_neb_service_stat.stat.exists|bool" + +- name: Ensure Matrix go-neb paths don't exist + file: + path: "{{ matrix_bot_go_neb_base_path }}" + state: absent + +- name: Ensure go-neb Docker image doesn't exist + docker_image: + name: "{{ matrix_bot_go_neb_docker_image }}" + state: absent diff --git a/roles/matrix-bot-go-neb/tasks/validate_config.yml b/roles/matrix-bot-go-neb/tasks/validate_config.yml new file mode 100644 index 00000000..7b292250 --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/validate_config.yml @@ -0,0 +1,13 @@ +--- + +- name: Fail if there's not at least 1 client + fail: + msg: >- + You need at least 1 client in the matrix_bot_go_neb_clients block. + when: matrix_bot_go_neb_clients is not defined or matrix_bot_go_neb_clients[0] is not defined + +- name: Fail if there's not at least 1 service + fail: + msg: >- + You need at least 1 service in the matrix_bot_go_neb_services block. + when: matrix_bot_go_neb_services is not defined or matrix_bot_go_neb_services[0] is not defined diff --git a/roles/matrix-bot-go-neb/templates/config.yaml.j2 b/roles/matrix-bot-go-neb/templates/config.yaml.j2 new file mode 100644 index 00000000..4dfa18ca --- /dev/null +++ b/roles/matrix-bot-go-neb/templates/config.yaml.j2 @@ -0,0 +1,44 @@ +# Go-NEB Configuration File +# +# This file provides an alternative way to configure Go-NEB which does not involve HTTP APIs. +# +# This file can be supplied to go-neb by the environment variable `CONFIG_FILE=config.yaml`. +# It will force Go-NEB to operate in "config" mode. This means: +# - Go-NEB will ONLY use the data contained inside this file. +# - All of Go-NEB's /admin HTTP listeners will be disabled. You will be unable to add new services at runtime. +# - The environment variable `DATABASE_URL` will be ignored and an in-memory database will be used instead. +# +# This file is broken down into 4 sections which matches the following HTTP APIs: +# - /configureClient +# - /configureAuthRealm +# - /configureService +# - /requestAuthSession (redirects not supported) + +# The list of clients which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureClient for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ClientConfig +clients: + {{ matrix_bot_go_neb_clients }} + +# The list of realms which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureAuthRealm for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest +realms: + {{ matrix_bot_go_neb_realms }} + +# The list of *authenticated* sessions which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# The full list of options are shown below: there is no single HTTP endpoint +# which maps to this section. +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session +sessions: + {{ matrix_bot_go_neb_sessions }} + +# The list of services which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureService for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest +services: + {{ matrix_bot_go_neb_services }} diff --git a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 new file mode 100644 index 00000000..4ae19d5b --- /dev/null +++ b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 @@ -0,0 +1,46 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix reminder bot +{% for service in matrix_bot_go_neb_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_bot_go_neb_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-go-neb \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + -e 'BIND_ADDRESS=:4050' \ + -e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \ + -e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \ + -e 'CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}' \ + -e 'DATABASE_URL={{ matrix_bot_go_neb_storage_database }}' \ + --mount type=bind,src={{ matrix_bot_go_neb_config_path }},dst=/config,ro \ + --mount type=bind,src={{ matrix_bot_go_neb_data_path }},dst=/data \ + --entrypoint=/bin/sh \ + {% for arg in matrix_bot_go_neb_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_bot_go_neb_docker_image }} \ + -c "go-neb /config/config.yaml" + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-bot-go-neb + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3234a44c..3178fece 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -120,6 +120,10 @@ matrix_nginx_proxy_proxy_matrix_federation_port: 8448 matrix_nginx_proxy_proxy_dimension_enabled: false matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" +# Controls whether proxying the goneb domain should be done. +matrix_nginx_proxy_proxy_bot_go_neb_enabled: false +matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" + # Controls whether proxying the jitsi domain should be done. matrix_nginx_proxy_proxy_jitsi_enabled: false matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" @@ -236,6 +240,9 @@ matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf). +matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf). matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 233fe4a9..c7e15c95 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -79,6 +79,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_dimension_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for goneb domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool + - name: Ensure Matrix nginx-proxy configuration for jitsi domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-jitsi.conf.j2" @@ -196,6 +203,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_dimension_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for goneb domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for jitsi domain deleted file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 new file mode 100644 index 00000000..3c3231f4 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -0,0 +1,77 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options nosniff; +{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-bot-go-neb:4050"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:4050; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/setup.yml b/setup.yml index d9f25ecf..0414b1cc 100755 --- a/setup.yml +++ b/setup.yml @@ -32,6 +32,7 @@ - matrix-bridge-mx-puppet-instagram - matrix-bridge-sms - matrix-bot-matrix-reminder-bot + - matrix-bot-go-neb - matrix-synapse - matrix-synapse-admin - matrix-prometheus-node-exporter From 7d1d3b47bc1135311f253106b3dc73b6e53e64e7 Mon Sep 17 00:00:00 2001 From: Yannick Goossens Date: Fri, 12 Mar 2021 10:31:08 +0100 Subject: [PATCH 1992/2384] Fix the description on the service file --- .../templates/systemd/matrix-bot-go-neb.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 index 4ae19d5b..27cfcdcc 100644 --- a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 +++ b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 @@ -1,6 +1,6 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix reminder bot +Description=Matrix Go-NEB bot {% for service in matrix_bot_go_neb_systemd_required_services_list %} Requires={{ service }} After={{ service }} From ce14e3e8af7fbd884c4b7ab1b40b7e662a31548d Mon Sep 17 00:00:00 2001 From: Yannick Goossens Date: Fri, 12 Mar 2021 11:03:13 +0100 Subject: [PATCH 1993/2384] Enable the bot in the role and disable it in the group_vars --- roles/matrix-bot-go-neb/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bot-go-neb/defaults/main.yml b/roles/matrix-bot-go-neb/defaults/main.yml index 98478ce8..a448c2c5 100644 --- a/roles/matrix-bot-go-neb/defaults/main.yml +++ b/roles/matrix-bot-go-neb/defaults/main.yml @@ -1,7 +1,7 @@ # Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python. # See: https://github.com/matrix-org/go-neb -matrix_bot_go_neb_enabled: false +matrix_bot_go_neb_enabled: true matrix_bot_go_neb_version: latest matrix_bot_go_neb_docker_image: "matrixdotorg/go-neb:{{ matrix_bot_go_neb_version }}" matrix_bot_go_neb_docker_image_force_pull: "{{ matrix_bot_go_neb_docker_image.endswith(':latest') }}" From 20c6bd686e5200d5a6b42b6d24b7edde385861e3 Mon Sep 17 00:00:00 2001 From: Yannick Goossens Date: Fri, 12 Mar 2021 11:10:00 +0100 Subject: [PATCH 1994/2384] Added the matrix_bot_go_neb_container_http_host_bind_port variable to allow the container to expose its listen port --- group_vars/matrix_servers | 2 ++ roles/matrix-bot-go-neb/defaults/main.yml | 5 +++++ .../templates/systemd/matrix-bot-go-neb.service.j2 | 3 +++ 3 files changed, 10 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 88e16d2a..a40c83ad 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -743,6 +743,8 @@ matrix_bot_go_neb_systemd_required_services_list: | ['docker.service'] }} +matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:4050' }}" + ###################################################################### # # /matrix-bot-go-neb diff --git a/roles/matrix-bot-go-neb/defaults/main.yml b/roles/matrix-bot-go-neb/defaults/main.yml index a448c2c5..0a934811 100644 --- a/roles/matrix-bot-go-neb/defaults/main.yml +++ b/roles/matrix-bot-go-neb/defaults/main.yml @@ -12,6 +12,11 @@ matrix_bot_go_neb_config_path_in_container: "/config/config.yaml" matrix_bot_go_neb_data_path: "{{ matrix_bot_go_neb_base_path }}/data" matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store" +# Controls whether the matrix-bot-go-neb container exposes its HTTP port (tcp/4050 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:4050"), or empty string to not expose. +matrix_bot_go_neb_container_http_host_bind_port: '' + # A list of extra arguments to pass to the container matrix_bot_go_neb_container_extra_arguments: [] diff --git a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 index 27cfcdcc..cb529848 100644 --- a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 +++ b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 @@ -22,6 +22,9 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-go-neb \ --cap-drop=ALL \ --read-only \ --network={{ matrix_docker_network }} \ + {% if matrix_bot_go_neb_container_http_host_bind_port %} + -p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \ + {% endif %} -e 'BIND_ADDRESS=:4050' \ -e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \ -e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \ From aaf93cb9fdacb138e1c02d5df31697651f1225d3 Mon Sep 17 00:00:00 2001 From: Yannick Goossens Date: Fri, 12 Mar 2021 11:11:10 +0100 Subject: [PATCH 1995/2384] Fix indentation spaces to tabs --- .../templates/systemd/matrix-bot-go-neb.service.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 index cb529848..eabf1137 100644 --- a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 +++ b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 @@ -22,9 +22,9 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-go-neb \ --cap-drop=ALL \ --read-only \ --network={{ matrix_docker_network }} \ - {% if matrix_bot_go_neb_container_http_host_bind_port %} - -p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \ - {% endif %} + {% if matrix_bot_go_neb_container_http_host_bind_port %} + -p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \ + {% endif %} -e 'BIND_ADDRESS=:4050' \ -e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \ -e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \ From 49028f1b0588bf5aefdd2985e5749958b043b4b7 Mon Sep 17 00:00:00 2001 From: Yannick Goossens Date: Fri, 12 Mar 2021 14:55:57 +0100 Subject: [PATCH 1996/2384] Added |to_json to the config.yaml template --- roles/matrix-bot-go-neb/templates/config.yaml.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bot-go-neb/templates/config.yaml.j2 b/roles/matrix-bot-go-neb/templates/config.yaml.j2 index 4dfa18ca..c72dbf8d 100644 --- a/roles/matrix-bot-go-neb/templates/config.yaml.j2 +++ b/roles/matrix-bot-go-neb/templates/config.yaml.j2 @@ -19,14 +19,14 @@ # See the docs for /configureClient for the full list of options: # https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ClientConfig clients: - {{ matrix_bot_go_neb_clients }} + {{ matrix_bot_go_neb_clients|to_json }} # The list of realms which Go-NEB is aware of. # Delete or modify this list as appropriate. # See the docs for /configureAuthRealm for the full list of options: # https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest realms: - {{ matrix_bot_go_neb_realms }} + {{ matrix_bot_go_neb_realms|to_json }} # The list of *authenticated* sessions which Go-NEB is aware of. # Delete or modify this list as appropriate. @@ -34,11 +34,11 @@ realms: # which maps to this section. # https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session sessions: - {{ matrix_bot_go_neb_sessions }} + {{ matrix_bot_go_neb_sessions|to_json }} # The list of services which Go-NEB is aware of. # Delete or modify this list as appropriate. # See the docs for /configureService for the full list of options: # https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest services: - {{ matrix_bot_go_neb_services }} + {{ matrix_bot_go_neb_services|to_json }} From 9689948e7340f1f33f45a4d5bd727191c6fc8839 Mon Sep 17 00:00:00 2001 From: Yannick Goossens Date: Fri, 12 Mar 2021 14:59:42 +0100 Subject: [PATCH 1997/2384] Use the matrix_domain var for the AcceptVerificationFromUsers field --- roles/matrix-bot-go-neb/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bot-go-neb/defaults/main.yml b/roles/matrix-bot-go-neb/defaults/main.yml index 0a934811..1dbfab7b 100644 --- a/roles/matrix-bot-go-neb/defaults/main.yml +++ b/roles/matrix-bot-go-neb/defaults/main.yml @@ -53,7 +53,7 @@ matrix_bot_go_neb_clients: {} # Sync: true # AutoJoinRooms: true # DisplayName: "Go-NEB!" -# AcceptVerificationFromUsers: [":localhost:8008"] +# AcceptVerificationFromUsers: [":{{ matrix_domain }}"] # # - UserID: "@another_goneb:localhost" # AccessToken: "MDASDASJDIASDJASDAFGFRGER" @@ -62,7 +62,7 @@ matrix_bot_go_neb_clients: {} # Sync: false # AutoJoinRooms: false # DisplayName: "Go-NEB!" -# AcceptVerificationFromUsers: ["^@admin:localhost:8008$"] +# AcceptVerificationFromUsers: ["^@admin:{{ matrix_domain }}"] # The list of realms which Go-NEB is aware of. # Delete or modify this list as appropriate. From a640d8f9a6f2a862e42a5653d6c64a3ca6348989 Mon Sep 17 00:00:00 2001 From: Yannick Goossens Date: Fri, 12 Mar 2021 15:36:13 +0100 Subject: [PATCH 1998/2384] Remove hard coded references to homeserver and matrix domain --- roles/matrix-bot-go-neb/defaults/main.yml | 34 +++++++++++------------ 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/roles/matrix-bot-go-neb/defaults/main.yml b/roles/matrix-bot-go-neb/defaults/main.yml index 1dbfab7b..516ab83e 100644 --- a/roles/matrix-bot-go-neb/defaults/main.yml +++ b/roles/matrix-bot-go-neb/defaults/main.yml @@ -46,19 +46,19 @@ matrix_bot_go_neb_storage_database: "{{ # https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-dimension.md#access-token # via curl. With the element method, you might run into decryption problems (see https://github.com/matrix-org/go-neb#quick-start) matrix_bot_go_neb_clients: {} -# - UserID: "@goneb:localhost" +# - UserID: "@goneb:{{ matrix_domain }}" # AccessToken: "MDASDASJDIASDJASDAFGFRGER" # DeviceID: "DEVICE1" -# HomeserverURL: "http://localhost:8008" +# HomeserverURL: "{{ matrix_homeserver_container_url }}" # Sync: true # AutoJoinRooms: true # DisplayName: "Go-NEB!" # AcceptVerificationFromUsers: [":{{ matrix_domain }}"] # -# - UserID: "@another_goneb:localhost" +# - UserID: "@another_goneb:{{ matrix_domain }}" # AccessToken: "MDASDASJDIASDJASDAFGFRGER" # DeviceID: "DEVICE2" -# HomeserverURL: "http://localhost:8008" +# HomeserverURL: "{{ matrix_homeserver_container_url }}" # Sync: false # AutoJoinRooms: false # DisplayName: "Go-NEB!" @@ -81,7 +81,7 @@ matrix_bot_go_neb_realms: {} matrix_bot_go_neb_sessions: {} # - SessionID: "your_github_session" # RealmID: "github_realm" -# UserID: "@YOUR_USER_ID:localhost" # This needs to be the username of the person that's allowed to use the !github commands +# UserID: "@YOUR_USER_ID:{{ matrix_domain }}" # This needs to be the username of the person that's allowed to use the !github commands # Config: # # Populate these fields by generating a "Personal Access Token" on github.com # AccessToken: "YOUR_GITHUB_ACCESS_TOKEN" @@ -94,13 +94,13 @@ matrix_bot_go_neb_sessions: {} matrix_bot_go_neb_services: {} # - ID: "echo_service" # Type: "echo" -# UserID: "@goneb:localhost" +# UserID: "@goneb:{{ matrix_domain }}" # Config: {} ## Can be obtained from https://developers.giphy.com/dashboard/ # - ID: "giphy_service" # Type: "giphy" -# UserID: "@goneb:localhost" # requires a Syncing client +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client # Config: # api_key: "qwg4672vsuyfsfe" # use_downsized: false @@ -108,7 +108,7 @@ matrix_bot_go_neb_services: {} ## This service has been dead for over a year :/ # - ID: "guggy_service" # Type: "guggy" -# UserID: "@goneb:localhost" # requires a Syncing client +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client # Config: # api_key: "2356saaqfhgfe" # @@ -118,7 +118,7 @@ matrix_bot_go_neb_services: {} ## 'Search the entire web' and 'Image search' enabled for best results # - ID: "google_service" # Type: "google" -# UserID: "@goneb:localhost" # requires a Syncing client +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client # Config: # api_key: "AIzaSyA4FD39m9" # cx: "AIASDFWSRRtrtr" @@ -127,18 +127,18 @@ matrix_bot_go_neb_services: {} ## Select "oauth2 without callback url" and use the clientid as api_key value # - ID: "imgur_service" # Type: "imgur" -# UserID: "@imgur:localhost" # requires a Syncing client +# UserID: "@imgur:{{ matrix_domain }}" # requires a Syncing client # Config: # api_key: "AIzaSyA4FD39m9" # # - ID: "wikipedia_service" # Type: "wikipedia" -# UserID: "@goneb:localhost" # requires a Syncing client +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client # Config: # # - ID: "rss_service" # Type: "rssbot" -# UserID: "@another_goneb:localhost" +# UserID: "@another_goneb:{{ matrix_domain }}" # Config: # feeds: # "http://lorem-rss.herokuapp.com/feed?unit=second&interval=60": @@ -156,17 +156,17 @@ matrix_bot_go_neb_services: {} # # - ID: "github_cmd_service" # Type: "github" -# UserID: "@goneb:localhost" # requires a Syncing client +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client # Config: # RealmID: "github_realm" # # # Make sure your BASE_URL can be accessed by Github! # - ID: "github_webhook_service" # Type: "github-webhook" -# UserID: "@another_goneb:localhost" +# UserID: "@another_goneb:{{ matrix_domain }}" # Config: # RealmID: "github_realm" -# ClientUserID: "@YOUR_USER_ID:localhost" # needs to be an authenticated user so Go-NEB can create webhooks. Check the UserID field in the github_realm in matrix_bot_go_neb_sessions. +# ClientUserID: "@YOUR_USER_ID:{{ matrix_domain }}" # needs to be an authenticated user so Go-NEB can create webhooks. Check the UserID field in the github_realm in matrix_bot_go_neb_sessions. # Rooms: # "!someroom:id": # Repos: @@ -183,7 +183,7 @@ matrix_bot_go_neb_services: {} # # - ID: "slackapi_service" # Type: "slackapi" -# UserID: "@slackapi:localhost" +# UserID: "@slackapi:{{ matrix_domain }}" # Config: # Hooks: # "hook1": @@ -192,7 +192,7 @@ matrix_bot_go_neb_services: {} # # - ID: "alertmanager_service" # Type: "alertmanager" -# UserID: "@alertmanager:localhost" +# UserID: "@alertmanager:{{ matrix_domain }}" # Config: # # This is for information purposes only. It should point to Go-NEB path as follows: # # `/services/hooks/` From 86cf5d8c74a246613b256f564cb452dc63c784c2 Mon Sep 17 00:00:00 2001 From: Yannick Goossens Date: Fri, 12 Mar 2021 15:57:23 +0100 Subject: [PATCH 1999/2384] api_key doesn't seem to work for the imgur service, using client_id works --- roles/matrix-bot-go-neb/defaults/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bot-go-neb/defaults/main.yml b/roles/matrix-bot-go-neb/defaults/main.yml index 516ab83e..758f9f01 100644 --- a/roles/matrix-bot-go-neb/defaults/main.yml +++ b/roles/matrix-bot-go-neb/defaults/main.yml @@ -124,12 +124,13 @@ matrix_bot_go_neb_services: {} # cx: "AIASDFWSRRtrtr" # ## Get a key via https://api.imgur.com/oauth2/addclient -## Select "oauth2 without callback url" and use the clientid as api_key value +## Select "oauth2 without callback url" # - ID: "imgur_service" # Type: "imgur" # UserID: "@imgur:{{ matrix_domain }}" # requires a Syncing client # Config: -# api_key: "AIzaSyA4FD39m9" +# client_id: "AIzaSyA4FD39m9" +# client_secret: "somesecret" # # - ID: "wikipedia_service" # Type: "wikipedia" From 7d6bf446a33377c2c1badef31cc797794096ef63 Mon Sep 17 00:00:00 2001 From: Yannick Goossens Date: Fri, 12 Mar 2021 16:57:49 +0100 Subject: [PATCH 2000/2384] Added a link to the doc in the README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 463a1504..dde8d924 100644 --- a/README.md +++ b/README.md @@ -91,6 +91,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation +- (optional) [Go-NEB](https://github.com/matrix-org/go-neb) multi functional bot written in Go - see [docs/configuring-playbook-bot-go-neb.md](docs/configuring-playbook-bot-go-neb.md) for setup documentation + - (optional) [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin), a web UI tool for administrating users and rooms on your Matrix server - see [docs/configuring-playbook-synapse-admin.md](docs/configuring-playbook-synapse-admin.md) for setup documentation - (optional) [matrix-registration](https://github.com/ZerataX/matrix-registration), a simple python application to have a token based matrix registration - see [docs/configuring-playbook-matrix-registration.md](docs/configuring-playbook-matrix-registration.md) for setup documentation From 52fe8a05b022592bc062984939be60567d5878c2 Mon Sep 17 00:00:00 2001 From: Pablo Montepagano Date: Sun, 14 Mar 2021 00:39:44 -0300 Subject: [PATCH 2001/2384] Adding vars to synapse for private servers. --- roles/matrix-synapse/defaults/main.yml | 20 +++++++++++++++++++ .../templates/synapse/homeserver.yaml.j2 | 6 +++--- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 9c8bfc69..d9139da1 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -181,6 +181,26 @@ matrix_synapse_allow_public_rooms_without_auth: false # For private servers, you most likely wish to forbid it. matrix_synapse_allow_public_rooms_over_federation: false +# Whether to require authentication to retrieve profile data (avatars, +# display names) of other users through the client API. Defaults to +# 'false'. Note that profile data is also available via the federation +# API, so this setting is of limited value if federation is enabled on +# the server. +matrix_synapse_require_auth_for_profile_requests: false + +# Set to true to require a user to share a room with another user in order +# to retrieve their profile information. Only checked on Client-Server +# requests. Profile requests from other servers should be checked by the +# requesting server. Defaults to 'false'. +matrix_synapse_limit_profile_requests_to_users_who_share_rooms: false + +# Set to false to prevent a user's profile data from being retrieved and +# displayed in a room until they have joined it. By default, a user's +# profile data is included in an invite event, regardless of the values +# of the above two settings, and whether or not the users share a server. +# Defaults to 'true'. +matrix_synapse_include_profile_data_on_invite: true + # Controls whether people with access to the homeserver can register by themselves. matrix_synapse_enable_registration: false diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index e03b3065..63e497d0 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -68,14 +68,14 @@ use_presence: {{ matrix_synapse_use_presence|to_json }} # API, so this setting is of limited value if federation is enabled on # the server. # -#require_auth_for_profile_requests: true +require_auth_for_profile_requests: {{ matrix_synapse_require_auth_for_profile_requests|to_json }} # Uncomment to require a user to share a room with another user in order # to retrieve their profile information. Only checked on Client-Server # requests. Profile requests from other servers should be checked by the # requesting server. Defaults to 'false'. # -#limit_profile_requests_to_users_who_share_rooms: true +limit_profile_requests_to_users_who_share_rooms: {{ matrix_synapse_limit_profile_requests_to_users_who_share_rooms|to_json }} # Uncomment to prevent a user's profile data from being retrieved and # displayed in a room until they have joined it. By default, a user's @@ -83,7 +83,7 @@ use_presence: {{ matrix_synapse_use_presence|to_json }} # of the above two settings, and whether or not the users share a server. # Defaults to 'true'. # -#include_profile_data_on_invite: false +include_profile_data_on_invite: {{ matrix_synapse_include_profile_data_on_invite|to_json }} # If set to 'true', removes the need for authentication to access the server's # public rooms directory through the client API, meaning that anyone can From 5a1f3b7d6764cc75185c744472bb1f4255d2c7d4 Mon Sep 17 00:00:00 2001 From: Michael Date: Sun, 14 Mar 2021 14:35:38 +0800 Subject: [PATCH 2002/2384] GMH v0.3.0 --- .../matrix-awx/surveys/backup_server.json.j2 | 19 +++++ .../surveys/configure_element.json.j2 | 2 +- .../surveys/configure_jitsi.json.j2 | 2 +- roles/matrix-awx/tasks/backup_server.yml | 69 +++++++++++++++++++ roles/matrix-awx/tasks/import_awx.yml | 6 +- roles/matrix-awx/tasks/main.yml | 6 ++ 6 files changed, 100 insertions(+), 4 deletions(-) create mode 100644 roles/matrix-awx/surveys/backup_server.json.j2 create mode 100644 roles/matrix-awx/tasks/backup_server.yml diff --git a/roles/matrix-awx/surveys/backup_server.json.j2 b/roles/matrix-awx/surveys/backup_server.json.j2 new file mode 100644 index 00000000..232d1968 --- /dev/null +++ b/roles/matrix-awx/surveys/backup_server.json.j2 @@ -0,0 +1,19 @@ +{ + "name": "Backup Server", + "description": "", + "spec": [ + { + "question_name": "Enable Backup", + "question_description": "Set if remote backup is enabled or not. If enabled a daily backup of your server will be sent to the backup server located in {{ backup_server_location }}.", + "required": true, + "min": null, + "max": null, + "default": "{{ matrix_awx_backup_enabled | string | lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_awx_backup_enabled", + "type": "multiplechoice" + } + ] +} + diff --git a/roles/matrix-awx/surveys/configure_element.json.j2 b/roles/matrix-awx/surveys/configure_element.json.j2 index 121682f6..0ff02288 100755 --- a/roles/matrix-awx/surveys/configure_element.json.j2 +++ b/roles/matrix-awx/surveys/configure_element.json.j2 @@ -63,7 +63,7 @@ "type": "multiplechoice" }, { - "question_name": "Set Element Subdomain.", + "question_name": "Set Element Subdomain", "question_description": "Sets the subdomain of the Element web-client, you should only specify the subdomain, not the base domain you've already set. (Eg: 'element' for element.example.org) Note that if you change this value you'll need to reconfigure your DNS.", "required": false, "min": 0, diff --git a/roles/matrix-awx/surveys/configure_jitsi.json.j2 b/roles/matrix-awx/surveys/configure_jitsi.json.j2 index 87537f20..2eb0579b 100755 --- a/roles/matrix-awx/surveys/configure_jitsi.json.j2 +++ b/roles/matrix-awx/surveys/configure_jitsi.json.j2 @@ -15,7 +15,7 @@ "type": "multiplechoice" }, { - "question_name": "Set Default Language.", + "question_name": "Set Default Language", "question_description": "2 digit 639-1 language code to adjust the language of the web client. For a list of possible codes see: https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes", "required": false, "min": 0, diff --git a/roles/matrix-awx/tasks/backup_server.yml b/roles/matrix-awx/tasks/backup_server.yml new file mode 100644 index 00000000..556c4497 --- /dev/null +++ b/roles/matrix-awx/tasks/backup_server.yml @@ -0,0 +1,69 @@ + +- name: Record Backup Server variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# AWX Settings' + with_dict: + 'matrix_awx_backup_enabled': '{{ matrix_awx_backup_enabled }}' + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + +- name: Save new 'Backup Server' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/backup_server.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json' + +- name: Copy new 'Backup Server' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json' + dest: '/matrix/awx/backup_server.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Backup Server' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 0 - Backup Server" + description: "Performs a backup of the entire service to a remote location." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "backup-server" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + +- name: Perform the borg backup + command: borgmatic + when: matrix_awx_backup_enabled|bool + +- name: Set boolean value to exit playbook + set_fact: + end_playbook: true + +- name: End playbook if this task list is called. + meta: end_play + when: end_playbook is defined and end_playbook|bool + diff --git a/roles/matrix-awx/tasks/import_awx.yml b/roles/matrix-awx/tasks/import_awx.yml index 8879cf1c..0100a5d0 100644 --- a/roles/matrix-awx/tasks/import_awx.yml +++ b/roles/matrix-awx/tasks/import_awx.yml @@ -1,12 +1,14 @@ - name: Ensure /matrix/awx is empty shell: rm -r /matrix/awx/* + ignore_errors: yes - name: Ensure /matrix/synapse is empty shell: rm -r /matrix/synapse/* + ignore_errors: yes -- name: Extract from /chroot/backup - shell: tar -xvzf /chroot/backup/matrix.tar.gz -C /matrix/ +- name: Extract from /chroot/export + shell: tar -xvzf /chroot/export/matrix.tar.gz -C /matrix/ - name: Ensure correct ownership of /matrix/awx shell: chown -R matrix:matrix /matrix/awx diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index 46aa0d45..f7f5bf1f 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -5,6 +5,12 @@ tags: - always +# Perform a backup of the server +- import_tasks: "{{ role_path }}/tasks/backup_server.yml" + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - backup-server + # Create a user account if called - import_tasks: "{{ role_path }}/tasks/create_user.yml" when: run_setup|bool and matrix_awx_enabled|bool From bfe0ca6cf816191ff7e80a445288834215f0f8b5 Mon Sep 17 00:00:00 2001 From: Yannick Goossens Date: Mon, 15 Mar 2021 13:04:31 +0100 Subject: [PATCH 2003/2384] Update docs, remove hard coded matrix_domain --- docs/configuring-playbook-bot-go-neb.md | 41 +++++++++++++------------ 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md index d91dafa6..478a9b4d 100644 --- a/docs/configuring-playbook-bot-go-neb.md +++ b/docs/configuring-playbook-bot-go-neb.md @@ -42,23 +42,23 @@ matrix_bot_go_neb_enabled: true # You need at least 1 client. matrix_bot_go_neb_clients: - - UserID: "@goneb:localhost" + - UserID: "@goneb:{{ matrix_domain }}" AccessToken: "MDASDASJDIASDJASDAFGFRGER" DeviceID: "DEVICE1" HomeserverURL: "{{ matrix_homeserver_container_url }}" Sync: true AutoJoinRooms: true DisplayName: "Go-NEB!" - AcceptVerificationFromUsers: [":localhost:8008"] + AcceptVerificationFromUsers: [":{{ matrix_domain }}"] - - UserID: "@another_goneb:localhost" + - UserID: "@another_goneb:{{ matrix_domain }}" AccessToken: "MDASDASJDIASDJASDAFGFRGER" DeviceID: "DEVICE2" HomeserverURL: "{{ matrix_homeserver_container_url }}" Sync: false AutoJoinRooms: false DisplayName: "Go-NEB!" - AcceptVerificationFromUsers: ["^@admin:localhost:8008$"] + AcceptVerificationFromUsers: ["^@admin:{{ matrix_domain }}"] # Optional, for use with the github_cmd, github_webhooks or jira services matrix_bot_go_neb_realms: @@ -70,7 +70,7 @@ matrix_bot_go_neb_realms: matrix_bot_go_neb_sessions: - SessionID: "your_github_session" RealmID: "github_realm" - UserID: "@YOUR_USER_ID:localhost" # This needs to be the username of the person that's allowed to use the !github commands + UserID: "@YOUR_USER_ID:{{ matrix_domain }}" # This needs to be the username of the person that's allowed to use the !github commands Config: # Populate these fields by generating a "Personal Access Token" on github.com AccessToken: "YOUR_GITHUB_ACCESS_TOKEN" @@ -84,13 +84,13 @@ matrix_bot_go_neb_sessions: matrix_bot_go_neb_services: - ID: "echo_service" Type: "echo" - UserID: "@goneb:localhost" + UserID: "@goneb:{{ matrix_domain }}" Config: {} # Can be obtained from https://developers.giphy.com/dashboard/ - ID: "giphy_service" Type: "giphy" - UserID: "@goneb:localhost" # requires a Syncing client + UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client Config: api_key: "qwg4672vsuyfsfe" use_downsized: false @@ -98,7 +98,7 @@ matrix_bot_go_neb_services: # This service has been dead for over a year :/ - ID: "guggy_service" Type: "guggy" - UserID: "@goneb:localhost" # requires a Syncing client + UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client Config: api_key: "2356saaqfhgfe" @@ -108,31 +108,32 @@ matrix_bot_go_neb_services: # 'Search the entire web' and 'Image search' enabled for best results - ID: "google_service" Type: "google" - UserID: "@goneb:localhost" # requires a Syncing client + UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client Config: api_key: "AIzaSyA4FD39m9" cx: "AIASDFWSRRtrtr" # Get a key via https://api.imgur.com/oauth2/addclient -# Select "oauth2 without callback url" and use the clientid as api_key value +# Select "oauth2 without callback url" - ID: "imgur_service" Type: "imgur" - UserID: "@imgur:localhost" # requires a Syncing client + UserID: "@imgur:{{ matrix_domain }}" # requires a Syncing client Config: - api_key: "AIzaSyA4FD39m9" + client_id: "AIzaSyA4FD39m9" + client_secret: "AIzaSyA4FD39m9" - ID: "wikipedia_service" Type: "wikipedia" - UserID: "@goneb:localhost" # requires a Syncing client + UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client Config: - ID: "rss_service" Type: "rssbot" - UserID: "@another_goneb:localhost" + UserID: "@another_goneb:{{ matrix_domain }}" Config: feeds: "http://lorem-rss.herokuapp.com/feed?unit=second&interval=60": - rooms: ["!qmElAGdFYCHoCJuaNt:localhost"] + rooms: ["!qmElAGdFYCHoCJuaNt:{{ matrix_domain }}"] must_include: author: - author1 @@ -146,17 +147,17 @@ matrix_bot_go_neb_services: - ID: "github_cmd_service" Type: "github" - UserID: "@goneb:localhost" # requires a Syncing client + UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client Config: RealmID: "github_realm" # Make sure your BASE_URL can be accessed by Github! - ID: "github_webhook_service" Type: "github-webhook" - UserID: "@another_goneb:localhost" + UserID: "@another_goneb:{{ matrix_domain }}" Config: RealmID: "github_realm" - ClientUserID: "@YOUR_USER_ID:localhost" # needs to be an authenticated user so Go-NEB can create webhooks. Check the UserID field in the github_realm in matrix_bot_go_neb_sessions. + ClientUserID: "@YOUR_USER_ID:{{ matrix_domain }}" # needs to be an authenticated user so Go-NEB can create webhooks. Check the UserID field in the github_realm in matrix_bot_go_neb_sessions. Rooms: "!someroom:id": Repos: @@ -173,7 +174,7 @@ matrix_bot_go_neb_services: - ID: "slackapi_service" Type: "slackapi" - UserID: "@slackapi:localhost" + UserID: "@slackapi:{{ matrix_domain }}" Config: Hooks: "hook1": @@ -182,7 +183,7 @@ matrix_bot_go_neb_services: - ID: "alertmanager_service" Type: "alertmanager" - UserID: "@alertmanager:localhost" + UserID: "@alertmanager:{{ matrix_domain }}" Config: # This is for information purposes only. It should point to Go-NEB path as follows: # `/services/hooks/` From 9f95cef49499e333c961905f7c936f971ae65a6e Mon Sep 17 00:00:00 2001 From: Yannick Goossens Date: Mon, 15 Mar 2021 13:08:59 +0100 Subject: [PATCH 2004/2384] Change value of client_secret to avoid confusion --- docs/configuring-playbook-bot-go-neb.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md index 478a9b4d..56bc4e89 100644 --- a/docs/configuring-playbook-bot-go-neb.md +++ b/docs/configuring-playbook-bot-go-neb.md @@ -120,7 +120,7 @@ matrix_bot_go_neb_services: UserID: "@imgur:{{ matrix_domain }}" # requires a Syncing client Config: client_id: "AIzaSyA4FD39m9" - client_secret: "AIzaSyA4FD39m9" + client_secret: "somesecret" - ID: "wikipedia_service" Type: "wikipedia" From 28c255539c1d51cc236e256cbf64b78538925e5b Mon Sep 17 00:00:00 2001 From: Alexandros Afentoulis Date: Mon, 15 Mar 2021 11:22:37 +0200 Subject: [PATCH 2005/2384] matrix-nginx-proxy: specify Origin header, comply with CORS Self-checks against the .well-known URIs look for the HTTP header "Access-Control-Allow-Origin" indicating that the remode endpoint supports CORS. But the remote server is not required to include said header in the response if the HTTP request does not include the "Origin" header. This is in accordance with the specification [1] stating: 'A CORS request is an HTTP request that includes an "Origin" header.' This is in fact true for Gitlab pages hosting and that's why the issue was identified. Let's specify "Origin" header in the respective uri tasks performing the HTTP request and ensure a CORS request. [1] https://fetch.spec.whatwg.org/#http-requests --- roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml index 2cf1ef06..6f831a29 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml @@ -12,6 +12,8 @@ follow_redirects: none return_content: true validate_certs: "{{ well_known_file_check.validate_certs }}" + headers: + Origin: example.com check_mode: no register: result_well_known_matrix ignore_errors: true @@ -40,6 +42,8 @@ follow_redirects: "{{ well_known_file_check.follow_redirects }}" return_content: true validate_certs: "{{ well_known_file_check.validate_certs }}" + headers: + Origin: example.com check_mode: no register: result_well_known_identity ignore_errors: true From 15fc7ac007669defa113635147d36b5bc043162b Mon Sep 17 00:00:00 2001 From: rakshazi Date: Mon, 15 Mar 2021 17:55:27 +0200 Subject: [PATCH 2006/2384] Updated Element 1.22 -> 1.23 --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 634c0894..1b45306e 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.22 +matrix_client_element_version: v1.7.23 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 38b3fbd6f9ae84d6edc7d8ebec144453775aca0b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 Mar 2021 07:49:43 +0200 Subject: [PATCH 2007/2384] Mention DNS setup This may be especially helpful to existing playbook users who happen to find themselves installing Go-NEB later on. --- docs/configuring-playbook-bot-go-neb.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md index 56bc4e89..db682bd2 100644 --- a/docs/configuring-playbook-bot-go-neb.md +++ b/docs/configuring-playbook-bot-go-neb.md @@ -201,6 +201,8 @@ matrix_bot_go_neb_services: ## Installing +Don't forget to add `goneb.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. + After configuring the playbook, run the [installation](installing.md) command again: ``` From 6cbfee539cda91528b67147db69933b6a9cbf5d3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 Mar 2021 07:54:26 +0200 Subject: [PATCH 2008/2384] Announce Go-NEB support --- CHANGELOG.md | 9 +++++++++ docs/configuring-playbook.md | 2 ++ docs/container-images.md | 2 ++ 3 files changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 329b2ea8..aeff7b0c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2021-03-16 + +## Go-NEB support + +Thanks to [Zir0h](https://github.com/Zir0h), the playbook can now install and configure the [Go-NEB](https://github.com/matrix-org/go-neb) bot. + +Additional details are available in [Setting up Go-NEB](docs/configuring-playbook-bot-go-neb.md). + + # 2021-02-19 ## GroupMe bridging support via mx-puppet-groupme diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 1c836786..a25f8585 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -130,3 +130,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins ### Bots - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) (optional) + +- [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index a5e304f4..5bccc2d4 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -88,6 +88,8 @@ These services are not part of our default installation, but can be enabled by [ - [anoa/matrix-reminder-bot](https://hub.docker.com/r/anoa/matrix-reminder-bot) - the [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) bot for one-off & recurring reminders and alarms (optional) +- [matrixdotorg/go-neb](https://hub.docker.com/r/matrixdotorg/go-neb) - the [Go-NEB](https://github.com/matrix-org/go-neb) bot (optional) + - [awesometechnologies/synapse-admin](https://hub.docker.com/r/awesometechnologies/synapse-admin) - the [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) web UI tool for administrating users and rooms on your Matrix server (optional) - [prom/prometheus](https://hub.docker.com/r/prom/prometheus/) - [Prometheus](https://github.com/prometheus/prometheus/) is a systems and service monitoring system From b46ef46663041ee65f380a926f3b6d519c06c901 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 Mar 2021 08:02:20 +0200 Subject: [PATCH 2009/2384] Do not mention login before registration --- docs/configuring-playbook-bot-go-neb.md | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md index db682bd2..ab84e017 100644 --- a/docs/configuring-playbook-bot-go-neb.md +++ b/docs/configuring-playbook-bot-go-neb.md @@ -7,7 +7,7 @@ Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the ori See the project's [documentation](https://github.com/matrix-org/go-neb) to learn what it does and why it might be useful to you. -## Registering the bot users +## Registering the bot user The playbook does not automatically create users for you. The bot requires at least 1 access token to be able to connect to your homeserver. @@ -15,7 +15,16 @@ You **need to register the bot user manually** before setting up the bot. Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. -If you use curl, you can immediatly copy/paste the access token into the configuration file. +You can use the playbook to [register a new user](registering-users.md): + +``` +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.go-neb password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user +``` + + +## Getting an access token + +If you use curl, you can get an access token like this: ``` curl -X POST --header 'Content-Type: application/json' -d '{ @@ -25,13 +34,8 @@ curl -X POST --header 'Content-Type: application/json' -d '{ }' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login' ``` -You can use also use the playbook to [register a new user](registering-users.md): - -``` -ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.go-neb password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user -``` +Alternatively, you can use a full-featured client (such as Element) to log in and get the access token from there (note: don't log out from the client as that will invalidate the token), but doing so might lead to decryption problems. That warning comes from [here](https://github.com/matrix-org/go-neb#quick-start). -And then log in via element, but doing so might lead to decryption problems. That warning comes from [here](https://github.com/matrix-org/go-neb#quick-start) ## Adjusting the playbook configuration @@ -41,6 +45,7 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. matrix_bot_go_neb_enabled: true # You need at least 1 client. +# Use the access token you obtained in the step above. matrix_bot_go_neb_clients: - UserID: "@goneb:{{ matrix_domain }}" AccessToken: "MDASDASJDIASDJASDAFGFRGER" From c890e351fcce6b389f80ab501a82ef9c25f0aec3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 Mar 2021 09:56:29 +0200 Subject: [PATCH 2010/2384] Remove some whitespace --- roles/matrix-awx/tasks/backup_server.yml | 5 ++--- roles/matrix-awx/tasks/create_user.yml | 6 +++--- .../tasks/customise_website_access_export.yml | 7 +++---- .../tasks/load_matrix_variables.yml | 1 - roles/matrix-awx/tasks/main.yml | 7 +++---- roles/matrix-awx/tasks/self_check.yml | 13 ++++++------- .../tasks/set_variables_corporal.yml | 19 +++++++++---------- .../tasks/set_variables_element.yml | 3 +-- .../matrix-awx/tasks/set_variables_jitsi.yml | 1 - .../matrix-awx/tasks/set_variables_ma1sd.yml | 7 +++---- .../tasks/set_variables_synapse.yml | 5 ++--- .../tasks/set_variables_synapse_admin.yml | 2 -- 12 files changed, 32 insertions(+), 44 deletions(-) diff --git a/roles/matrix-awx/tasks/backup_server.yml b/roles/matrix-awx/tasks/backup_server.yml index 556c4497..2459fc8a 100644 --- a/roles/matrix-awx/tasks/backup_server.yml +++ b/roles/matrix-awx/tasks/backup_server.yml @@ -33,7 +33,7 @@ curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' register: tower_token no_log: True - + - name: Recreate 'Backup Server' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -62,8 +62,7 @@ - name: Set boolean value to exit playbook set_fact: end_playbook: true - + - name: End playbook if this task list is called. meta: end_play when: end_playbook is defined and end_playbook|bool - diff --git a/roles/matrix-awx/tasks/create_user.yml b/roles/matrix-awx/tasks/create_user.yml index 0993d61f..13a30596 100755 --- a/roles/matrix-awx/tasks/create_user.yml +++ b/roles/matrix-awx/tasks/create_user.yml @@ -10,10 +10,10 @@ when: admin_access == 'false' - name: Examine if server admin set - set_fact: + set_fact: admin_bool: 1 when: admin_access == 'true' - + - name: Set boolean value to exit playbook set_fact: end_playbook: true @@ -25,7 +25,7 @@ - name: Result debug: msg="{{ cmd.stdout }}" - + - name: End playbook if this task list is called. meta: end_play when: end_playbook is defined and end_playbook|bool diff --git a/roles/matrix-awx/tasks/customise_website_access_export.yml b/roles/matrix-awx/tasks/customise_website_access_export.yml index 4b775105..40ae1bfd 100755 --- a/roles/matrix-awx/tasks/customise_website_access_export.yml +++ b/roles/matrix-awx/tasks/customise_website_access_export.yml @@ -21,7 +21,7 @@ with_dict: 'matrix_nginx_proxy_base_domain_homepage_enabled': 'false' when: customise_base_domain_website|bool == true - + - name: Record custom 'Customise Website + Access Export' variables locally on AWX delegate_to: 127.0.0.1 lineinfile: @@ -34,7 +34,7 @@ 'sftp_auth_method': '"{{ sftp_auth_method }}"' 'sftp_password': '"{{ sftp_password }}"' 'sftp_public_key': '"{{ sftp_public_key }}"' - + - name: Copy new 'matrix_vars.yml' to target machine copy: src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' @@ -170,7 +170,7 @@ group: sftp mode: '0644' when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key") - + - name: Alter SSH Subsystem State 1 lineinfile: path: /etc/ssh/sshd_config @@ -227,4 +227,3 @@ service: name: ssh.service state: restarted - diff --git a/roles/matrix-awx/tasks/load_matrix_variables.yml b/roles/matrix-awx/tasks/load_matrix_variables.yml index 0174e0e6..ff0986d7 100755 --- a/roles/matrix-awx/tasks/load_matrix_variables.yml +++ b/roles/matrix-awx/tasks/load_matrix_variables.yml @@ -3,4 +3,3 @@ include_vars: file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' no_log: True - diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index f7f5bf1f..4c2c5285 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -16,7 +16,7 @@ when: run_setup|bool and matrix_awx_enabled|bool tags: - create-user - + # Perform extra self-check functions - import_tasks: "{{ role_path }}/tasks/self_check.yml" when: run_setup|bool and matrix_awx_enabled|bool @@ -58,12 +58,12 @@ when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-ma1sd - + # Additional playbook to set the variable file during Corporal configuration - import_tasks: "{{ role_path }}/tasks/set_variables_corporal.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - - setup-corporal + - setup-corporal # Additional playbook to set the variable file during Synapse Admin configuration - import_tasks: "{{ role_path }}/tasks/set_variables_synapse_admin.yml" @@ -76,4 +76,3 @@ when: run_setup|bool and matrix_awx_enabled|bool tags: - always - diff --git a/roles/matrix-awx/tasks/self_check.yml b/roles/matrix-awx/tasks/self_check.yml index 977293d0..8d647574 100644 --- a/roles/matrix-awx/tasks/self_check.yml +++ b/roles/matrix-awx/tasks/self_check.yml @@ -1,21 +1,21 @@ - name: Install prerequisite apt packages on target apt: - name: + name: - sysstat state: present - + - name: Install prerequisite yum packages on AWX delegate_to: 127.0.0.1 yum: - name: + name: - bind-utils state: present - + - name: Install prerequisite pip packages on AWX delegate_to: 127.0.0.1 pip: - name: + name: - dnspython state: present @@ -23,7 +23,7 @@ shell: iostat -c register: cpu_usage_stat no_log: True - + - name: Print CPU usage statistics debug: msg: "{{ cpu_usage_stat.stdout.split('\n') }}" @@ -91,4 +91,3 @@ debug: msg: "{{ docker_stats.stdout.split('\n') }}" when: docker_stats is defined - diff --git a/roles/matrix-awx/tasks/set_variables_corporal.yml b/roles/matrix-awx/tasks/set_variables_corporal.yml index efc44a42..d8ac038d 100755 --- a/roles/matrix-awx/tasks/set_variables_corporal.yml +++ b/roles/matrix-awx/tasks/set_variables_corporal.yml @@ -8,7 +8,7 @@ insertafter: '# Corporal Settings' with_dict: 'matrix_corporal_enabled': '{{ matrix_corporal_enabled }}' - + - name: Enable Shared Secret Auth if Corporal enabled delegate_to: 127.0.0.1 lineinfile: @@ -19,7 +19,7 @@ with_dict: 'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'true' when: matrix_corporal_enabled|bool - + - name: Disable Shared Secret Auth if Corporal disabled delegate_to: 127.0.0.1 lineinfile: @@ -30,7 +30,7 @@ with_dict: 'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'false' when: not matrix_corporal_enabled|bool - + - name: Enable Rest Auth Endpoint if Corporal enabled delegate_to: 127.0.0.1 lineinfile: @@ -97,7 +97,7 @@ "Type": "static_file", "Path": "/etc/matrix-corporal/corporal-policy.json" } - when: matrix_corporal_policy_provider_mode == "Simple Static File" + when: matrix_corporal_policy_provider_mode == "Simple Static File" - name: Touch the /matrix/corporal/ directory file: @@ -130,7 +130,7 @@ owner: matrix group: matrix mode: '660' - + - name: Touch the last-policy.json file to ensure it exists file: path: "/matrix/corporal/config/last-policy.json" @@ -138,7 +138,7 @@ owner: matrix group: matrix mode: '660' - + - name: Record 'Simple Static File' configuration content in corporal-policy.json copy: content: "{{ matrix_corporal_simple_static_config | string }}" @@ -211,16 +211,16 @@ src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json' dest: '/matrix/awx/configure_corporal.json' mode: '0660' - + - debug: msg: "matrix_corporal_matrix_homeserver_api_endpoint: {{ matrix_corporal_matrix_homeserver_api_endpoint }}" - + - debug: msg: "matrix_corporal_matrix_auth_shared_secret: {{ matrix_corporal_matrix_auth_shared_secret }}" - debug: msg: "matrix_corporal_http_gateway_internal_rest_auth_enabled: {{ matrix_corporal_http_gateway_internal_rest_auth_enabled }}" - + - debug: msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}" @@ -251,4 +251,3 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - diff --git a/roles/matrix-awx/tasks/set_variables_element.yml b/roles/matrix-awx/tasks/set_variables_element.yml index 892c1bac..a21a9dd8 100755 --- a/roles/matrix-awx/tasks/set_variables_element.yml +++ b/roles/matrix-awx/tasks/set_variables_element.yml @@ -53,7 +53,7 @@ curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' register: tower_token no_log: True - + - name: Recreate 'Configure Element' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -74,4 +74,3 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - diff --git a/roles/matrix-awx/tasks/set_variables_jitsi.yml b/roles/matrix-awx/tasks/set_variables_jitsi.yml index e35beab7..4a871a18 100755 --- a/roles/matrix-awx/tasks/set_variables_jitsi.yml +++ b/roles/matrix-awx/tasks/set_variables_jitsi.yml @@ -55,4 +55,3 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - diff --git a/roles/matrix-awx/tasks/set_variables_ma1sd.yml b/roles/matrix-awx/tasks/set_variables_ma1sd.yml index 256a2410..32dadc0a 100755 --- a/roles/matrix-awx/tasks/set_variables_ma1sd.yml +++ b/roles/matrix-awx/tasks/set_variables_ma1sd.yml @@ -44,14 +44,14 @@ regexp: '^.*\n' after: '# Start ma1sd Extension' before: '# End ma1sd Extension' - + - name: Replace conjoined ma1sd configuration extension limiters delegate_to: 127.0.0.1 replace: path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' regexp: '^# Start ma1sd Extension# End ma1sd Extension' replace: '# Start ma1sd Extension\n# End ma1sd Extension' - + - name: Insert ma1sd configuration extension header if using external LDAP/AD with ma1sd delegate_to: 127.0.0.1 lineinfile: @@ -125,6 +125,5 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - -# ^ This playbook isn't executing so the survey isn't being updated! :P +# ^ This playbook isn't executing so the survey isn't being updated! :P diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index 979190ce..a8cc418b 100755 --- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -15,7 +15,7 @@ 'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}' 'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}' 'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}' - + - name: Empty Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if raw inputs empty delegate_to: 127.0.0.1 replace: @@ -143,7 +143,7 @@ line: " - {{ item }}" with_items: "{{ ext_federation_whitelist_raw.splitlines() }}" when: ext_federation_whitelist_raw|length > 0 - + - name: Record Synapse Custom variables locally on AWX delegate_to: 127.0.0.1 lineinfile: @@ -220,4 +220,3 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - diff --git a/roles/matrix-awx/tasks/set_variables_synapse_admin.yml b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml index 30cf12b4..42084ad7 100644 --- a/roles/matrix-awx/tasks/set_variables_synapse_admin.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml @@ -54,5 +54,3 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - - From d61236213ede5dac8a5c40424ee0eebf245c93c0 Mon Sep 17 00:00:00 2001 From: foxcris <361299+foxcris@users.noreply.github.com> Date: Tue, 16 Mar 2021 09:59:18 +0100 Subject: [PATCH 2011/2384] - Fixed typo --- docs/configuring-playbook-postgres-backup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-postgres-backup.md b/docs/configuring-playbook-postgres-backup.md index 282700c4..56992917 100644 --- a/docs/configuring-playbook-postgres-backup.md +++ b/docs/configuring-playbook-postgres-backup.md @@ -6,7 +6,7 @@ The playbook can install and configure [docker-postgres-backup-local](https://gi | Name | Default value | Description | | :-------------------------------- | :--------------------------- | :--------------------------------------------------------------- | -|matrix_postgres_backaup_enabled|false|Set to true to use [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) to create automatic database backups| +|matrix_postgres_backup_enabled|false|Set to true to use [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) to create automatic database backups| |matrix_postgres_backup_schedule| '@daily' |Cron-schedule specifying the interval between postgres backups.| |matrix_postgres_backup_keep_days|"7"|Number of daily backups to keep| |matrix_postgres_backup_keep_weeks|"4"|Number of weekly backups to keep| From 1e45eeab7b35fc495a151ce0d8c39fdf5444148e Mon Sep 17 00:00:00 2001 From: foxcris <361299+foxcris@users.noreply.github.com> Date: Tue, 16 Mar 2021 10:05:07 +0100 Subject: [PATCH 2012/2384] - fixed typo --- roles/matrix-postgres-backup/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index d01534d0..c1ee08bb 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -1,4 +1,4 @@ -matrix_postgres_backaup_enabled: false +matrix_postgres_backup_enabled: false matrix_postgres_connection_hostname: "matrix-postgres" matrix_postgres_connection_port: 5432 From ecc6bdb3ca1e479243634665babbed4341615e3a Mon Sep 17 00:00:00 2001 From: foxcris <361299+foxcris@users.noreply.github.com> Date: Tue, 16 Mar 2021 10:18:26 +0100 Subject: [PATCH 2013/2384] - changed variables names to use role specific one and redefine them using group_vars/matrix_servers --- group_vars/matrix_servers | 17 +++++++++++++++++ roles/matrix-postgres-backup/defaults/main.yml | 8 ++++---- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5d76a60c..2718937c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1407,3 +1407,20 @@ matrix_registration_database_password: "{{ matrix_synapse_macaroon_secret_key | # /matrix-registration # ###################################################################### + +###################################################################### +# +# matrix-postgres-backup +# +###################################################################### + +matrix_postgres_backup_connection_hostname: "{{ matrix_postgres_connection_hostname }}" +matrix_postgres_backup_connection_port: "{{ matrix_postgres_connection_port }}" +matrix_postgres_backup_connection_username: "{{ matrix_postgres_connection_username }}" +matrix_postgres_backup_connection_password: "{{ matrix_postgres_connection_password }}" + +###################################################################### +# +# /matrix-postgres-backup +# +###################################################################### \ No newline at end of file diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index c1ee08bb..f0407286 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -1,9 +1,9 @@ matrix_postgres_backup_enabled: false -matrix_postgres_connection_hostname: "matrix-postgres" -matrix_postgres_connection_port: 5432 -matrix_postgres_connection_username: "matrix" -matrix_postgres_connection_password: "" +matrix_postgres_backup_connection_hostname: "matrix-postgres" +matrix_postgres_backup_connection_port: 5432 +matrix_postgres_backup_connection_username: "matrix" +matrix_postgres_backup_connection_password: "" matrix_postgres_backup_extra_opts: "-Z9 --schema=public --blobs" matrix_postgres_backup_schedule: "@daily" From 604ffe7d7920307719c21b97cf7f75911a54b296 Mon Sep 17 00:00:00 2001 From: foxcris <361299+foxcris@users.noreply.github.com> Date: Tue, 16 Mar 2021 10:24:47 +0100 Subject: [PATCH 2014/2384] - adapted validate_config.yml to use the renamed variables --- .../tasks/validate_config.yml | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/roles/matrix-postgres-backup/tasks/validate_config.yml b/roles/matrix-postgres-backup/tasks/validate_config.yml index 91d1783b..bc788db7 100644 --- a/roles/matrix-postgres-backup/tasks/validate_config.yml +++ b/roles/matrix-postgres-backup/tasks/validate_config.yml @@ -1,25 +1,15 @@ --- -# This is separate (from the other required variables below), -# because we'd like to have a friendlier message for our existing users. -- name: Fail if matrix_postgres_connection_password not defined - fail: - msg: >- - The playbook no longer has a default Postgres password defined in the `matrix_postgres_connection_password` variable, among lots of other Postgres changes. - You need to perform multiple manual steps to resolve this. - See our changelog for more details: - https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-postgres-changes-that-require-manual-intervention - when: "matrix_postgres_connection_password == ''" - - name: Fail if required Postgres settings not defined fail: msg: >- You need to define a required configuration setting (`{{ item }}`). when: "vars[item] == ''" with_items: - - "matrix_postgres_connection_hostname" - - "matrix_postgres_connection_username" - - "matrix_postgres_connection_password" + - "matrix_postgres_backup_connection_hostname" + - "matrix_postgres_backup_connection_username" + - "matrix_postgres_backup_connection_password" + - "matrix_postgres_backup_connection_port" - "matrix_postgres_backup_schedule" - "matrix_postgres_backup_keep_days" - "matrix_postgres_backup_keep_weeks" From 43f7d9afb69be1a10b7e1bedf4fc119226b547ec Mon Sep 17 00:00:00 2001 From: foxcris <361299+foxcris@users.noreply.github.com> Date: Tue, 16 Mar 2021 10:49:04 +0100 Subject: [PATCH 2015/2384] - removed dynamic building of the postgres db list an reused matrix_postgres_additional_databases in group_vars/matrix_servers as source for the list - adjusted env-postgres-backup.j2 to use the new role specific variables --- group_vars/matrix_servers | 2 + .../matrix-postgres-backup/defaults/main.yml | 104 +----------------- .../tasks/setup_postgres_backup.yml | 5 - .../tasks/validate_config.yml | 1 + .../templates/env-postgres-backup.j2 | 8 +- 5 files changed, 9 insertions(+), 111 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2718937c..ec6d726e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1419,6 +1419,8 @@ matrix_postgres_backup_connection_port: "{{ matrix_postgres_connection_port }}" matrix_postgres_backup_connection_username: "{{ matrix_postgres_connection_username }}" matrix_postgres_backup_connection_password: "{{ matrix_postgres_connection_password }}" +matrix_postgres_backup_db_list: "{{ matrix_postgres_additional_databases|map(attribute='name')|join(', ') }}" + ###################################################################### # # /matrix-postgres-backup diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index f0407286..27ef1fd3 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -5,6 +5,8 @@ matrix_postgres_backup_connection_port: 5432 matrix_postgres_backup_connection_username: "matrix" matrix_postgres_backup_connection_password: "" +matrix_postgres_backup_db_list: "" + matrix_postgres_backup_extra_opts: "-Z9 --schema=public --blobs" matrix_postgres_backup_schedule: "@daily" matrix_postgres_backup_keep_days: "7" @@ -17,108 +19,6 @@ matrix_postgres_backup_path: "{{ matrix_base_data_path }}/postgres-backup" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" -# uses sqlite per default -matrix_postgres_backup_matrix_reminder_bot_enabled: false -matrix_bot_matrix_reminder_bot_database_name: 'matrix_reminder_bot' - -# uses sqlite per default -matrix_postgres_backup_matrix_appservice_discord_enabled: false -matrix_appservice_discord_database_name: 'matrix_appservice_discord' - -# uses nedb per default -matrix_postgres_backup_matrix_appservice_irc_enabled: false -matrix_appservice_irc_database_name: 'matrix_appservice_irc' - -# uses nedb per default -matrix_postgres_backup_matrix_appservice_slack_enabled: false -matrix_appservice_slack_database_name: 'matrix_appservice_slack' - -# uses postgres per default -matrix_postgres_backup_matrix_mautrix_facebook_enabled: false -matrix_mautrix_facebook_database_name: 'matrix_mautrix_facebook' - -# uses sqlite per default -matrix_postgres_backup_matrix_mautrix_hangouts_enabled: false -matrix_mautrix_hangouts_database_name: 'matrix_mautrix_hangouts' - -# uses postgres per default -matrix_postgres_backup_matrix_mautrix_signal_enabled: false -matrix_mautrix_signal_database_name: 'matrix_mautrix_signal' - -# uses sqlite per default -matrix_postgres_backup_matrix_mautrix_telegram_enabled: false -matrix_mautrix_telegram_database_name: 'matrix_mautrix_telegram' - -# uses sqlite per default -matrix_postgres_backup_matrix_mautrix_whatsapp_enabled: false -matrix_mautrix_whatsapp_database_name: 'matrix_mautrix_whatsapp' - -# uses sqlite per default -matrix_postgres_backup_matrix_mx_puppet_discord_enabled: false -matrix_mx_puppet_discord_database_name: 'matrix_mx_puppet_discord' - -# uses sqlite per default -matrix_postgres_backup_matrix_mx_puppet_instagram_enabled: false -matrix_postgres_backup_matrix_mx_puppet_instagram_name: 'matrix_mx_puppet_instagram' - -# uses sqlite per default -matrix_postgres_backup_matrix_mx_puppet_skype_enabled: false -matrix_mx_puppet_skype_database_name: 'matrix_mx_puppet_skype' - -# uses sqlite per default -matrix_postgres_backup_matrix_mx_puppet_slack_enabled: false -matrix_mx_puppet_slack_database_name: 'matrix_mx_puppet_slack' - -# uses sqlite per default -matrix_postgres_backup_matrix_mx_puppet_steam_enabled: false -matrix_mx_puppet_steam_database_name: 'matrix_mx_puppet_steam' - -# uses sqlite per default -matrix_postgres_backup_matrix_mx_puppet_twitter_enabled: false -matrix_mx_puppet_twitter_database_name: 'matrix_mx_puppet_twitter' - -# uses sqlite per default -matrix_postgres_backup_matrix_dimension_enabled: false -matrix_dimension_database_name: 'matrix_dimension' - -# uses sqlite per default -matrix_postgres_backup_matrix_etherpad_enabled: false -matrix_etherpad_database_name: 'matrix_etherpad' - -# uses sqlite per default -matrix_postgres_backup_matrix_ma1sd_enabled: false -matrix_ma1sd_database_name: 'matrix_ma1sd' - -# uses sqlite per default -matrix_postgres_backup_matrix_registration_enabled: false -matrix_registration_database_engine: 'matrix_registration' - -# uses postgres per default -matrix_postgres_backup_matrix_synapse_enabled: true -matrix_postgres_db_name: 'matrix' - -matrix_postgres_backup_db_dict: - - { enabled: '{{matrix_postgres_backup_matrix_reminder_bot_enabled|bool}}' , dbname: '{{ matrix_bot_matrix_reminder_bot_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_appservice_discord_enabled|bool}}' , dbname: '{{ matrix_appservice_discord_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_appservice_irc_enabled|bool}}' , dbname: '{{ matrix_appservice_irc_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_appservice_slack_enabled|bool}}' , dbname: '{{ matrix_appservice_slack_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_mautrix_facebook_enabled|bool}}' , dbname: '{{ matrix_mautrix_facebook_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_mautrix_hangouts_enabled|bool}}' , dbname: '{{ matrix_mautrix_hangouts_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_mautrix_signal_enabled|bool}}' , dbname: '{{ matrix_mautrix_signal_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_mautrix_telegram_enabled|bool}}' , dbname: '{{ matrix_mautrix_telegram_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_mautrix_whatsapp_enabled|bool}}' , dbname: '{{ matrix_mautrix_whatsapp_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_instagram_enabled|bool}}' , dbname: '{{ matrix_postgres_backup_matrix_mx_puppet_instagram_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_skype_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_skype_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_slack_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_slack_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_steam_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_steam_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_twitter_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_twitter_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_dimension_enabled|bool}}' , dbname: '{{ matrix_dimension_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_etherpad_enabled|bool}}' , dbname: '{{ matrix_etherpad_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_ma1sd_enabled|bool}}' , dbname: '{{ matrix_ma1sd_database_name }}' } - - { enabled: '{{matrix_postgres_backup_matrix_registration_enabled|bool}}' , dbname: '{{ matrix_registration_database_engine }}' } - - { enabled: '{{matrix_postgres_backup_matrix_synapse_enabled|bool}}' , dbname: '{{ matrix_postgres_db_name }}' } - - matrix_postgres_backup_architecture: amd64 # matrix_postgres_docker_image_suffix controls whether we use Alpine-based images (`-alpine`) or the normal Debian-based images. diff --git a/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml b/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml index dc6e68c4..640d4f14 100644 --- a/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml +++ b/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml @@ -3,7 +3,6 @@ # # Tasks related to setting up an internal postgres server # - - import_tasks: "{{ role_path }}/tasks/util/detect_existing_postgres_version.yml" when: matrix_postgres_enabled|bool @@ -34,10 +33,6 @@ - "{{ matrix_postgres_backup_path }}" when: matrix_postgres_backup_enabled|bool -#Build database list to backup -- import_tasks: "{{ role_path }}/tasks/build_database_list.yml" - when: matrix_postgres_backup_enabled|bool - - name: Ensure Postgres environment variables file created template: src: "{{ role_path }}/templates/{{ item }}.j2" diff --git a/roles/matrix-postgres-backup/tasks/validate_config.yml b/roles/matrix-postgres-backup/tasks/validate_config.yml index bc788db7..4cebdbcf 100644 --- a/roles/matrix-postgres-backup/tasks/validate_config.yml +++ b/roles/matrix-postgres-backup/tasks/validate_config.yml @@ -15,3 +15,4 @@ - "matrix_postgres_backup_keep_weeks" - "matrix_postgres_backup_keep_months" - "matrix_postgres_backup_path" + - "matrix_postgres_backup_db_list" diff --git a/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 b/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 index 1d617fd3..c532e960 100644 --- a/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 +++ b/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 @@ -1,7 +1,7 @@ #jinja2: lstrip_blocks: "True" -POSTGRES_USER={{ matrix_postgres_connection_username }} -POSTGRES_PASSWORD={{ matrix_postgres_connection_password }} -POSTGRES_HOST={{ matrix_postgres_connection_hostname }} +POSTGRES_USER={{ matrix_postgres_backup_connection_username }} +POSTGRES_PASSWORD={{ matrix_postgres_backup_connection_password }} +POSTGRES_HOST={{ matrix_postgres_backup_connection_hostname }} POSTGRES_DB={{ matrix_postgres_backup_db_list }} POSTGRES_EXTRA_OPTS={{ matrix_postgres_backup_extra_opts }} SCHEDULE={{ matrix_postgres_backup_schedule }} @@ -9,4 +9,4 @@ BACKUP_KEEP_DAYS={{ matrix_postgres_backup_keep_days }} BACKUP_KEEP_WEEKS={{ matrix_postgres_backup_keep_weeks }} BACKUP_KEEP_MONTHS={{ matrix_postgres_backup_keep_months }} HEALTHCHECK_PORT={{ matrix_postgres_backup_healthcheck_port }} -POSTGRES_PORT={{ matrix_postgres_connection_port }} \ No newline at end of file +POSTGRES_PORT={{ matrix_postgres_backup_connection_port }} \ No newline at end of file From 11cd1cb0fae76b3e87f6f4a6d0ea423a013c5b43 Mon Sep 17 00:00:00 2001 From: foxcris <361299+foxcris@users.noreply.github.com> Date: Tue, 16 Mar 2021 11:40:16 +0100 Subject: [PATCH 2016/2384] - removed matrix_postgres_backup_db_list variable - add matrix_postgres_backup_databases to be build on top of matrix_postgres_additional_databases - POSTGRES_DB is now directly set from matrix_postgres_backup_databases while building the templates/env-postgres-backup.j2 --- group_vars/matrix_servers | 12 +++++++++++- roles/matrix-postgres-backup/defaults/main.yml | 3 +-- .../matrix-postgres-backup/tasks/validate_config.yml | 2 +- .../templates/env-postgres-backup.j2 | 2 +- 4 files changed, 14 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ec6d726e..b632b0d7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1419,7 +1419,17 @@ matrix_postgres_backup_connection_port: "{{ matrix_postgres_connection_port }}" matrix_postgres_backup_connection_username: "{{ matrix_postgres_connection_username }}" matrix_postgres_backup_connection_password: "{{ matrix_postgres_connection_password }}" -matrix_postgres_backup_db_list: "{{ matrix_postgres_additional_databases|map(attribute='name')|join(', ') }}" +# the default matrix synapse databse is not always part of the matrix_postgres_additional_databases variable thus we have to add it if the default database is used +matrix_postgres_backup_databases: | + {{ + ([{ + 'name': matrix_synapse_database_database, + 'username': matrix_synapse_database_user, + 'password': matrix_synapse_database_password, + }] if (matrix_synapse_enabled and matrix_synapse_database_database == matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + + + matrix_postgres_additional_databases + }} ###################################################################### # diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index 27ef1fd3..cfa690a3 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -5,8 +5,6 @@ matrix_postgres_backup_connection_port: 5432 matrix_postgres_backup_connection_username: "matrix" matrix_postgres_backup_connection_password: "" -matrix_postgres_backup_db_list: "" - matrix_postgres_backup_extra_opts: "-Z9 --schema=public --blobs" matrix_postgres_backup_schedule: "@daily" matrix_postgres_backup_keep_days: "7" @@ -15,6 +13,7 @@ matrix_postgres_backup_keep_months: "12" matrix_postgres_backup_healthcheck_port: "8080" matrix_postgres_backup_db_list: "" matrix_postgres_backup_path: "{{ matrix_base_data_path }}/postgres-backup" +matrix_postgres_backup_databases: "" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" diff --git a/roles/matrix-postgres-backup/tasks/validate_config.yml b/roles/matrix-postgres-backup/tasks/validate_config.yml index 4cebdbcf..fda9b919 100644 --- a/roles/matrix-postgres-backup/tasks/validate_config.yml +++ b/roles/matrix-postgres-backup/tasks/validate_config.yml @@ -15,4 +15,4 @@ - "matrix_postgres_backup_keep_weeks" - "matrix_postgres_backup_keep_months" - "matrix_postgres_backup_path" - - "matrix_postgres_backup_db_list" + - "matrix_postgres_backup_databases" diff --git a/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 b/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 index c532e960..979d3762 100644 --- a/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 +++ b/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 @@ -2,7 +2,7 @@ POSTGRES_USER={{ matrix_postgres_backup_connection_username }} POSTGRES_PASSWORD={{ matrix_postgres_backup_connection_password }} POSTGRES_HOST={{ matrix_postgres_backup_connection_hostname }} -POSTGRES_DB={{ matrix_postgres_backup_db_list }} +POSTGRES_DB={{ matrix_postgres_backup_databases|map(attribute='name')|join(', ') }} POSTGRES_EXTRA_OPTS={{ matrix_postgres_backup_extra_opts }} SCHEDULE={{ matrix_postgres_backup_schedule }} BACKUP_KEEP_DAYS={{ matrix_postgres_backup_keep_days }} From 76fbc59b6139c99ac267d747fff8a8f678dc0981 Mon Sep 17 00:00:00 2001 From: foxcris <361299+foxcris@users.noreply.github.com> Date: Tue, 16 Mar 2021 11:50:01 +0100 Subject: [PATCH 2017/2384] - adapted documentation - removed build_database_list.yml --- docs/configuring-playbook-postgres-backup.md | 20 -- .../tasks/build_database_list.yml | 176 ------------------ 2 files changed, 196 deletions(-) delete mode 100644 roles/matrix-postgres-backup/tasks/build_database_list.yml diff --git a/docs/configuring-playbook-postgres-backup.md b/docs/configuring-playbook-postgres-backup.md index 56992917..7be0064f 100644 --- a/docs/configuring-playbook-postgres-backup.md +++ b/docs/configuring-playbook-postgres-backup.md @@ -12,26 +12,6 @@ The playbook can install and configure [docker-postgres-backup-local](https://gi |matrix_postgres_backup_keep_weeks|"4"|Number of weekly backups to keep| |matrix_postgres_backup_keep_months|"12"|Number of monthly backups to keep| |matrix_postgres_backup_path | "{{ matrix_base_data_path }}/postgres-backup" | Storagepath for the database backups| -|matrix_postgres_backup_matrix_reminder_bot_enabled| false | Set to true to backup matrix_reminder_bot database. Per default matrix-reminder-bot uses an sqlite database. Only use this if you are using a postgres database for matrix-reminder-bot. | -|matrix_postgres_backup_matrix_appservice_discord_enabled| false | Set to true to backup matrix_appservice_discord database. Per default matrix_appservice_discord uses an sqlite database. Only use this if you are using a postgres database for matrix_appservice_discord. | -|matrix_postgres_backup_matrix_appservice_irc_enabled| false | Set to true to backup matrix_appservice_irc database. Per default matrix_appservice_irc uses an nedb database. Only use this if you are using a postgres database for matrix_appservice_irc. | -|matrix_postgres_backup_matrix_appservice_slack_enabled| false | Set to true to backup matrix_appservice_slack database. Per default matrix_appservice_slack uses an nedb database. Only use this if you are using a postgres database for matrix_appservice_slack. | -|matrix_postgres_backup_matrix_mautrix_facebook_enabled| false | Set to true to backup matrix_mautrix_facebook database. Per default matrix_mautrix_facebook uses an postgresned database. | -|matrix_postgres_backup_matrix_mautrix_hangouts_enabled| false | Set to true to backup _matrix_mautrix_hangouts database. Per default _matrix_mautrix_hangouts uses an sqlite database. Only use this if you are using a postgres database for _matrix_mautrix_hangouts. | -|matrix_postgres_backup_matrix_mautrix_signal_enabled| false | Set to true to backup matrix_mautrix_signal database. Per default matrix_mautrix_signal uses an postgres database. | -|matrix_postgres_backup_matrix_mautrix_telegram_enabled| false | Set to true to backup matrix_mautrix_telegram database. Per default matrix_mautrix_telegram uses an sqlite database. Only use this if you are using a postgres database for matrix_mautrix_telegram. | -|matrix_postgres_backup_matrix_mautrix_whatsapp_enabled| false | Set to true to backup matrix_mautrix_whatsapp database. Per default matrix_mautrix_whatsapp uses an sqlite database. Only use this if you are using a postgres database for matrix_mautrix_whatsapp. | -|matrix_postgres_backup_matrix_mx_puppet_discord_enabled| false | Set to true to backup matrix_mx_puppet_discord database. Per default matrix_mx_puppet_discord uses an sqlite database. Only use this if you are using a postgres database for matrix_mx_puppet_discord. | -|matrix_postgres_backup_matrix_mx_puppet_instagram_enabled| false | Set to true to backup matrix_mx_puppet_instagram database. Per default matrix_mx_puppet_instagram uses an sqlite database. Only use this if you are using a postgres database for matrix_mx_puppet_instagram. | -|matrix_postgres_backup_matrix_mx_puppet_skype_enabled| false | Set to true to backup matrix_mx_puppet_skype database. Per default matrix_mx_puppet_skype uses an sqlite database. Only use this if you are using a postgres database for matrix_mx_puppet_skype. | -|matrix_postgres_backup_matrix_mx_puppet_slack_enabled| false | Set to true to backup matrix_mx_puppet_slack database. Per default matrix_mx_puppet_slack uses an sqlite database. Only use this if you -|matrix_postgres_backup_matrix_mx_puppet_steam_enabled| false | Set to true to backup matrix_mx_puppet_steam database. Per default matrix_mx_puppet_steam uses an sqlite database. Only use this if you are using a postgres database for matrix_mx_puppet_steam. | -|matrix_postgres_backup_matrix_mx_puppet_twitter_enabled| false | Set to true to backup matrix_mx_puppet_twitter database. Per default matrix_mx_puppet_twitter uses an sqlite database. Only use this if you are using a postgres database for matrix_mx_puppet_twitter. | -|matrix_postgres_backup_matrix_dimension_enabled| false | Set to true to backup matrix_dimension database. Per default matrix_dimension uses an sqlite database. Only use this if you are using a postgres database for matrix_dimension. | -|matrix_postgres_backup_matrix_etherpad_enabled| false | Set to true to backup matrix_etherpad database. Per default matrix_etherpad uses an sqlite database. Only use this if you are using a postgres database for matrix_etherpad. | -|matrix_postgres_backup_matrix_ma1sd_enabled| false | Set to true to backup matrix_ma1sd database. Per default matrix_ma1sd uses an sqlite database. Only use this if you are using a postgres database for matrix_ma1sd. | -|matrix_postgres_backup_matrix_registration_enabled| false | Set to true to backup matrix_registration database. Per default matrix_registration uses an sqlite database. Only use this if you are using a postgres database for matrix_registration. | -|matrix_postgres_backup_matrix_synapse_enabled| true | Set to false to disabble backup of matrix_synapse database. | ## Installing diff --git a/roles/matrix-postgres-backup/tasks/build_database_list.yml b/roles/matrix-postgres-backup/tasks/build_database_list.yml deleted file mode 100644 index e1be70a0..00000000 --- a/roles/matrix-postgres-backup/tasks/build_database_list.yml +++ /dev/null @@ -1,176 +0,0 @@ - ---- - -# Detect wich databases have to backuped -# Default value is the "matrix_postgres_db_name" -# has to be extended for each service using a seperate db in postgres -# - name: Check if matrix_reminder_bot uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_bot_matrix_reminder_bot_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_bot_matrix_reminder_bot_database_engine == 'postgres' - -# - name: Check if matrix_appservice_discord uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_appservice_discord_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_appservice_discord_database_engine == 'postgres' - -# - name: Check if matrix_appservice_irc uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_appservice_irc_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_appservice_irc_database_engine == 'postgres' - -# - name: Check if matrix_appservice_slack_database uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_appservice_slack_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_appservice_slack_database_engine == 'postgres' - -# - name: Check if matrix_mautrix_facebook uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_facebook_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mautrix_facebook_database_engine == 'postgres' - -# - name: Check if matrix_mautrix_hangouts uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_hangouts_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mautrix_hangouts_database_engine == 'postgres' - -# - name: Check if matrix_mautrix_signal uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_signal_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mautrix_signal_database_engine == 'postgres' - -# - name: Check if matrix_mautrix_telegram uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_telegram_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mautrix_telegram_database_engine == 'postgres' - -# - name: Check if matrix_mautrix_whatsapp uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mautrix_whatsapp_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mautrix_whatsapp_database_engine == 'postgres' - -# - name: Check if matrix_mx_puppet_discord uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_discord_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mx_puppet_discord_database_engine == 'postgres' - -# - name: Check if matrix_mx_puppet_instagram uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_instagram_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mx_puppet_instagram_database_engine == 'postgres' - -# - name: Check if matrix_mx_puppet_skype uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_skype_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mx_puppet_skype_database_engine == 'postgres' - -# - name: Check if matrix_mx_puppet_slack uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_slack_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mx_puppet_slack_database_engine == 'postgres' - -# - name: Check if matrix_mx_puppet_steam uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_steam_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mx_puppet_steam_database_engine == 'postgres' - -# - name: Check if matrix_mx_puppet_twitter uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_mx_puppet_twitter_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_mx_puppet_twitter_database_engine == 'postgres' - -# - name: Check if matrix_dimension uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_dimension_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_dimension_database_engine == 'postgres' - -# - name: Check if matrix_etherpad uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_etherpad_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_etherpad_database_engine == 'postgres' - -# - name: Check if matrix_ma1sd uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_ma1sd_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_ma1sd_database_engine == 'postgres' - -# - name: Check if matrix_registration uses postgres database -# set_fact: -# matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list }},{{ matrix_registration_database_name }}" -# when: -# - matrix_postgres_backup_enabled|bool -# - matrix_registration_database_engine == 'postgres' - -#- name: Build list of all databases to backup - part 1 -# set_fact: -# matrix_postgres_backup_db_list: '{% if item.enabled %}{% if matrix_postgres_backup_db_list=="" %}{{item.dbname}}{% else %}{{ matrix_postgres_backup_db_list }},{{item.dbname}}{% endif %}{% else %}{% endif %}' -# loop: -# - { enabled: '{{matrix_postgres_backup_matrix_reminder_bot_enabled|bool}}' , dbname: '{{ matrix_bot_matrix_reminder_bot_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_appservice_discord_enabled|bool}}' , dbname: '{{ matrix_appservice_discord_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_appservice_irc_enabled|bool}}' , dbname: '{{ matrix_appservice_irc_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_appservice_slack_enabled|bool}}' , dbname: '{{ matrix_appservice_slack_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_facebook_enabled|bool}}' , dbname: '{{ matrix_mautrix_facebook_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_hangouts_enabled|bool}}' , dbname: '{{ matrix_mautrix_hangouts_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_signal_enabled|bool}}' , dbname: '{{ matrix_mautrix_signal_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_telegram_enabled|bool}}' , dbname: '{{ matrix_mautrix_telegram_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mautrix_whatsapp_enabled|bool}}' , dbname: '{{ matrix_mautrix_whatsapp_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_instagram_enabled|bool}}' , dbname: '{{ matrix_postgres_backup_matrix_mx_puppet_instagram_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_skype_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_skype_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_slack_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_slack_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_steam_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_steam_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_mx_puppet_twitter_enabled|bool}}' , dbname: '{{ matrix_mx_puppet_twitter_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_dimension_enabled|bool}}' , dbname: '{{ matrix_dimension_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_etherpad_enabled|bool}}' , dbname: '{{ matrix_etherpad_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_ma1sd_enabled|bool}}' , dbname: '{{ matrix_ma1sd_database_name }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_registration_enabled|bool}}' , dbname: '{{ matrix_registration_database_engine }}' } -# - { enabled: '{{matrix_postgres_backup_matrix_synapse_enabled|bool}}' , dbname: '{{ matrix_postgres_db_name }}' } - -- name: Build list of all databases to backup - part 2 - set_fact: - matrix_postgres_backup_db_list_prepare: "{% set res = [ ] %}{% for db in matrix_postgres_backup_db_dict %}{% if db.enabled %}{% set ignored = res.append(db.dbname) %}{% endif %}{% endfor %}{{ res }}" - -- name: Build list of all databases to backup - part 1 - set_fact: - matrix_postgres_backup_db_list: "{{ matrix_postgres_backup_db_list_prepare | join(',') }}" - -- name: Going to backup the following list of databases - debug: - msg: "{{ matrix_postgres_backup_db_list }}" - when: matrix_postgres_backup_enabled|bool - \ No newline at end of file From 571b70a1f453cd40b8df81bf7f8747b1b4257c69 Mon Sep 17 00:00:00 2001 From: Michael Date: Tue, 16 Mar 2021 21:37:19 +0800 Subject: [PATCH 2018/2384] fix for running outside of AWX --- roles/matrix-awx/tasks/main.yml | 35 ++++++++++++++++----------------- 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index f7f5bf1f..20ce2d8e 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -1,79 +1,78 @@ # Load initial hosting and organisation variables from AWX volume -- import_tasks: "{{ role_path }}/tasks/load_hosting_and_org_variables.yml" +- include_tasks: "{{ role_path }}/tasks/load_hosting_and_org_variables.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - always # Perform a backup of the server -- import_tasks: "{{ role_path }}/tasks/backup_server.yml" +- include_tasks: "{{ role_path }}/tasks/backup_server.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - backup-server # Create a user account if called -- import_tasks: "{{ role_path }}/tasks/create_user.yml" +- include_tasks: "{{ role_path }}/tasks/create_user.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - create-user - + # Perform extra self-check functions -- import_tasks: "{{ role_path }}/tasks/self_check.yml" +- include_tasks: "{{ role_path }}/tasks/self_check.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - self-check # Import configs, media repo from /chroot/backup import -- import_tasks: "{{ role_path }}/tasks/import_awx.yml" +- include_tasks: "{{ role_path }}/tasks/import_awx.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - import-awx # Configure SFTP so user can upload a static website or access the servers export -- import_tasks: "{{ role_path }}/tasks/customise_website_access_export.yml" +- include_tasks: "{{ role_path }}/tasks/customise_website_access_export.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-nginx-proxy # Additional playbook to set the variable file during Element configuration -- import_tasks: "{{ role_path }}/tasks/set_variables_element.yml" +- include_tasks: "{{ role_path }}/tasks/set_variables_element.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-client-element # Additional playbook to set the variable file during Synapse configuration -- import_tasks: "{{ role_path }}/tasks/set_variables_synapse.yml" +- include_tasks: "{{ role_path }}/tasks/set_variables_synapse.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-synapse # Additional playbook to set the variable file during Jitsi configuration -- import_tasks: "{{ role_path }}/tasks/set_variables_jitsi.yml" +- include_tasks: "{{ role_path }}/tasks/set_variables_jitsi.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-jitsi # Additional playbook to set the variable file during Ma1sd configuration -- import_tasks: "{{ role_path }}/tasks/set_variables_ma1sd.yml" +- include_tasks: "{{ role_path }}/tasks/set_variables_ma1sd.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-ma1sd - + # Additional playbook to set the variable file during Corporal configuration -- import_tasks: "{{ role_path }}/tasks/set_variables_corporal.yml" +- include_tasks: "{{ role_path }}/tasks/set_variables_corporal.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - - setup-corporal + - setup-corporal # Additional playbook to set the variable file during Synapse Admin configuration -- import_tasks: "{{ role_path }}/tasks/set_variables_synapse_admin.yml" +- include_tasks: "{{ role_path }}/tasks/set_variables_synapse_admin.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - - setup-all + - setup-synapse-admin # Load newly formed matrix variables from tower volume -- import_tasks: "{{ role_path }}/tasks/load_matrix_variables.yml" +- include_tasks: "{{ role_path }}/tasks/load_matrix_variables.yml" when: run_setup|bool and matrix_awx_enabled|bool tags: - always - From 5a6bdb0c3d64d8c214304c902e9229eeb13b6cca Mon Sep 17 00:00:00 2001 From: Michael Date: Tue, 16 Mar 2021 21:52:26 +0800 Subject: [PATCH 2019/2384] merge upstream --- CHANGELOG.md | 9 + README.md | 2 + docs/configuring-dns.md | 3 + docs/configuring-playbook-bot-go-neb.md | 226 +++++++++++++++++ ...configuring-playbook-prometheus-grafana.md | 2 +- docs/configuring-playbook.md | 12 +- docs/container-images.md | 2 + examples/caddy2/Caddyfile | 12 +- group_vars/matrix_servers | 30 ++- roles/matrix-awx/tasks/backup_server.yml | 5 +- roles/matrix-awx/tasks/create_user.yml | 6 +- .../tasks/customise_website_access_export.yml | 7 +- .../tasks/load_matrix_variables.yml | 1 - roles/matrix-awx/tasks/self_check.yml | 13 +- .../tasks/set_variables_corporal.yml | 19 +- .../tasks/set_variables_element.yml | 3 +- .../matrix-awx/tasks/set_variables_jitsi.yml | 1 - .../matrix-awx/tasks/set_variables_ma1sd.yml | 7 +- .../tasks/set_variables_synapse.yml | 5 +- .../tasks/set_variables_synapse_admin.yml | 2 - roles/matrix-base/defaults/main.yml | 3 + roles/matrix-bot-go-neb/defaults/main.yml | 231 ++++++++++++++++++ roles/matrix-bot-go-neb/tasks/init.yml | 3 + roles/matrix-bot-go-neb/tasks/main.yml | 21 ++ .../matrix-bot-go-neb/tasks/setup_install.yml | 50 ++++ .../tasks/setup_uninstall.yml | 35 +++ .../tasks/validate_config.yml | 13 + .../templates/config.yaml.j2 | 44 ++++ .../systemd/matrix-bot-go-neb.service.j2 | 49 ++++ .../matrix-mautrix-facebook.service.j2 | 14 -- roles/matrix-client-element/defaults/main.yml | 2 +- roles/matrix-common-after/tasks/start.yml | 2 +- roles/matrix-jitsi/defaults/main.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 15 ++ .../tasks/self_check_well_known_file.yml | 4 + .../tasks/setup_nginx_proxy.yml | 13 + .../nginx/conf.d/matrix-bot-go-neb.conf.j2 | 77 ++++++ .../nginx/conf.d/matrix-domain.conf.j2 | 4 + .../nginx/conf.d/matrix-jitsi.conf.j2 | 4 +- .../nginx/conf.d/matrix-synapse.conf.j2 | 10 - .../templates/nginx/nginx.conf.j2 | 5 +- roles/matrix-synapse/defaults/main.yml | 24 +- .../templates/synapse/homeserver.yaml.j2 | 60 +++-- setup.yml | 1 + 44 files changed, 950 insertions(+), 103 deletions(-) create mode 100644 docs/configuring-playbook-bot-go-neb.md create mode 100644 roles/matrix-bot-go-neb/defaults/main.yml create mode 100644 roles/matrix-bot-go-neb/tasks/init.yml create mode 100644 roles/matrix-bot-go-neb/tasks/main.yml create mode 100644 roles/matrix-bot-go-neb/tasks/setup_install.yml create mode 100644 roles/matrix-bot-go-neb/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bot-go-neb/tasks/validate_config.yml create mode 100644 roles/matrix-bot-go-neb/templates/config.yaml.j2 create mode 100644 roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 329b2ea8..aeff7b0c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2021-03-16 + +## Go-NEB support + +Thanks to [Zir0h](https://github.com/Zir0h), the playbook can now install and configure the [Go-NEB](https://github.com/matrix-org/go-neb) bot. + +Additional details are available in [Setting up Go-NEB](docs/configuring-playbook-bot-go-neb.md). + + # 2021-02-19 ## GroupMe bridging support via mx-puppet-groupme diff --git a/README.md b/README.md index 463a1504..dde8d924 100644 --- a/README.md +++ b/README.md @@ -91,6 +91,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation +- (optional) [Go-NEB](https://github.com/matrix-org/go-neb) multi functional bot written in Go - see [docs/configuring-playbook-bot-go-neb.md](docs/configuring-playbook-bot-go-neb.md) for setup documentation + - (optional) [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin), a web UI tool for administrating users and rooms on your Matrix server - see [docs/configuring-playbook-synapse-admin.md](docs/configuring-playbook-synapse-admin.md) for setup documentation - (optional) [matrix-registration](https://github.com/ZerataX/matrix-registration), a simple python application to have a token based matrix registration - see [docs/configuring-playbook-matrix-registration.md](docs/configuring-playbook-matrix-registration.md) for setup documentation diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index c25b079e..a3815953 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -34,6 +34,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco | CNAME | `dimension` (*) | - | - | - | `matrix.` | | CNAME | `jitsi` (*) | - | - | - | `matrix.` | | CNAME | `stats` (*) | - | - | - | `matrix.` | +| CNAME | `goneb` (*) | - | - | - | `matrix.` | ## Subdomains setup @@ -48,6 +49,8 @@ The `jitsi.` subdomain may be necessary, because this playbook coul The `stats.` subdomain may be necessary, because this playbook could install [Grafana](https://grafana.com/) and setup performance metrics for you. Grafana installation is disabled by default, it is not a core required component. To learn how to install it, see our [metrics and graphs guide](configuring-playbook-prometheus-grafana.md). If you do not wish to set up Grafana, feel free to skip the `stats.` DNS record. It is possible to install Prometheus without installing Grafana, this would also not require the `stats.` subdomain. +The `goneb.` subdomain may be necessary, because this playbook could install the [Go-NEB](https://github.com/matrix-org/go-neb) bot. The installation of Go-NEB is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Go-NEB guide](configuring-playbook-bot-go-neb.md). If you do not wish to set up Go-NEB, feel free to skip the `goneb.` DNS record. + ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md new file mode 100644 index 00000000..ab84e017 --- /dev/null +++ b/docs/configuring-playbook-bot-go-neb.md @@ -0,0 +1,226 @@ +# Setting up Go-NEB (optional) + +The playbook can install and configure [Go-NEB](https://github.com/matrix-org/go-neb) for you. + +Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python. + +See the project's [documentation](https://github.com/matrix-org/go-neb) to learn what it does and why it might be useful to you. + + +## Registering the bot user + +The playbook does not automatically create users for you. The bot requires at least 1 access token to be able to connect to your homeserver. + +You **need to register the bot user manually** before setting up the bot. + +Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. + +You can use the playbook to [register a new user](registering-users.md): + +``` +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.go-neb password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user +``` + + +## Getting an access token + +If you use curl, you can get an access token like this: + +``` +curl -X POST --header 'Content-Type: application/json' -d '{ + "identifier": { "type": "m.id.user", "user": "bot.go-neb" }, + "password": "a strong password", + "type": "m.login.password" +}' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login' +``` + +Alternatively, you can use a full-featured client (such as Element) to log in and get the access token from there (note: don't log out from the client as that will invalidate the token), but doing so might lead to decryption problems. That warning comes from [here](https://github.com/matrix-org/go-neb#quick-start). + + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + +```yaml +matrix_bot_go_neb_enabled: true + +# You need at least 1 client. +# Use the access token you obtained in the step above. +matrix_bot_go_neb_clients: + - UserID: "@goneb:{{ matrix_domain }}" + AccessToken: "MDASDASJDIASDJASDAFGFRGER" + DeviceID: "DEVICE1" + HomeserverURL: "{{ matrix_homeserver_container_url }}" + Sync: true + AutoJoinRooms: true + DisplayName: "Go-NEB!" + AcceptVerificationFromUsers: [":{{ matrix_domain }}"] + + - UserID: "@another_goneb:{{ matrix_domain }}" + AccessToken: "MDASDASJDIASDJASDAFGFRGER" + DeviceID: "DEVICE2" + HomeserverURL: "{{ matrix_homeserver_container_url }}" + Sync: false + AutoJoinRooms: false + DisplayName: "Go-NEB!" + AcceptVerificationFromUsers: ["^@admin:{{ matrix_domain }}"] + +# Optional, for use with the github_cmd, github_webhooks or jira services +matrix_bot_go_neb_realms: + - ID: "github_realm" + Type: "github" + Config: {} # No need for client ID or Secret as Go-NEB isn't generating OAuth URLs + +# Optional. The list of *authenticated* sessions which Go-NEB is aware of. +matrix_bot_go_neb_sessions: + - SessionID: "your_github_session" + RealmID: "github_realm" + UserID: "@YOUR_USER_ID:{{ matrix_domain }}" # This needs to be the username of the person that's allowed to use the !github commands + Config: + # Populate these fields by generating a "Personal Access Token" on github.com + AccessToken: "YOUR_GITHUB_ACCESS_TOKEN" + Scopes: "admin:org_hook,admin:repo_hook,repo,user" + +# The list of services which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureService for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest +# You need at least 1 service. +matrix_bot_go_neb_services: + - ID: "echo_service" + Type: "echo" + UserID: "@goneb:{{ matrix_domain }}" + Config: {} + +# Can be obtained from https://developers.giphy.com/dashboard/ + - ID: "giphy_service" + Type: "giphy" + UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client + Config: + api_key: "qwg4672vsuyfsfe" + use_downsized: false + +# This service has been dead for over a year :/ + - ID: "guggy_service" + Type: "guggy" + UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client + Config: + api_key: "2356saaqfhgfe" + +# API Key via https://developers.google.com/custom-search/v1/introduction +# CX via http://www.google.com/cse/manage/all +# https://stackoverflow.com/questions/6562125/getting-a-cx-id-for-custom-search-google-api-python +# 'Search the entire web' and 'Image search' enabled for best results + - ID: "google_service" + Type: "google" + UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client + Config: + api_key: "AIzaSyA4FD39m9" + cx: "AIASDFWSRRtrtr" + +# Get a key via https://api.imgur.com/oauth2/addclient +# Select "oauth2 without callback url" + - ID: "imgur_service" + Type: "imgur" + UserID: "@imgur:{{ matrix_domain }}" # requires a Syncing client + Config: + client_id: "AIzaSyA4FD39m9" + client_secret: "somesecret" + + - ID: "wikipedia_service" + Type: "wikipedia" + UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client + Config: + + - ID: "rss_service" + Type: "rssbot" + UserID: "@another_goneb:{{ matrix_domain }}" + Config: + feeds: + "http://lorem-rss.herokuapp.com/feed?unit=second&interval=60": + rooms: ["!qmElAGdFYCHoCJuaNt:{{ matrix_domain }}"] + must_include: + author: + - author1 + description: + - lorem + - ipsum + must_not_include: + title: + - Lorem + - Ipsum + + - ID: "github_cmd_service" + Type: "github" + UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client + Config: + RealmID: "github_realm" + + # Make sure your BASE_URL can be accessed by Github! + - ID: "github_webhook_service" + Type: "github-webhook" + UserID: "@another_goneb:{{ matrix_domain }}" + Config: + RealmID: "github_realm" + ClientUserID: "@YOUR_USER_ID:{{ matrix_domain }}" # needs to be an authenticated user so Go-NEB can create webhooks. Check the UserID field in the github_realm in matrix_bot_go_neb_sessions. + Rooms: + "!someroom:id": + Repos: + "matrix-org/synapse": + Events: ["push", "issues"] + "matrix-org/dendron": + Events: ["pull_request"] + "!anotherroom:id": + Repos: + "matrix-org/synapse": + Events: ["push", "issues"] + "matrix-org/dendron": + Events: ["pull_request"] + + - ID: "slackapi_service" + Type: "slackapi" + UserID: "@slackapi:{{ matrix_domain }}" + Config: + Hooks: + "hook1": + RoomID: "!someroom:id" + MessageType: "m.text" # default is m.text + + - ID: "alertmanager_service" + Type: "alertmanager" + UserID: "@alertmanager:{{ matrix_domain }}" + Config: + # This is for information purposes only. It should point to Go-NEB path as follows: + # `/services/hooks/` + # Where in this case "service ID" is "alertmanager_service" + # Make sure your BASE_URL can be accessed by the Alertmanager instance! + webhook_url: "http://localhost/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U" + # Each room will get the notification with the alert rendered with the given template + rooms: + "!someroomid:domain.tld": + text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}" + html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}" + msg_type: "m.text" # Must be either `m.text` or `m.notice` +``` + + +## Installing + +Don't forget to add `goneb.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +To use the bot, invite it to any existing Matrix room (`/invite @whatever_you_chose:DOMAIN` where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain, make sure you have permission from the room owner if that's not you). + +Basic usage is like this: `!echo hi` or `!imgur puppies` or `!giphy matrix` + +If you enabled the github_cmd service you can get the supported commands via `!github help` + +You can also refer to the upstream [Documentation](https://github.com/matrix-org/go-neb). diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 98d1f604..310eac6a 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -59,7 +59,7 @@ Name | Description `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable) -## More inforation +## More information - [Understanding Synapse Performance Issues Through Grafana Graphs](https://github.com/matrix-org/synapse/wiki/Understanding-Synapse-Performance-Issues-Through-Grafana-Graphs) at the Synapse Github Wiki - [The Prometheus scraping rules](https://github.com/matrix-org/synapse/tree/master/contrib/prometheus) (we use v2) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 34c52efc..a25f8585 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -8,15 +8,15 @@ To configure the playbook, you need to have done the following things: You can then follow these steps inside the playbook directory: -- create a directory to hold your configuration (`mkdir inventory/host_vars/matrix.`) +1. create a directory to hold your configuration (`mkdir inventory/host_vars/matrix.`) -- copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/matrix./vars.yml`) +1. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/matrix./vars.yml`) -- edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at the various `roles/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. +1. edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at the various `roles/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. -- copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) +1. copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`) -- edit the inventory hosts file (`inventory/hosts`) to your liking +1. edit the inventory hosts file (`inventory/hosts`) to your liking For a basic Matrix installation, that's all you need. @@ -130,3 +130,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins ### Bots - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) (optional) + +- [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index a5e304f4..5bccc2d4 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -88,6 +88,8 @@ These services are not part of our default installation, but can be enabled by [ - [anoa/matrix-reminder-bot](https://hub.docker.com/r/anoa/matrix-reminder-bot) - the [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) bot for one-off & recurring reminders and alarms (optional) +- [matrixdotorg/go-neb](https://hub.docker.com/r/matrixdotorg/go-neb) - the [Go-NEB](https://github.com/matrix-org/go-neb) bot (optional) + - [awesometechnologies/synapse-admin](https://hub.docker.com/r/awesometechnologies/synapse-admin) - the [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) web UI tool for administrating users and rooms on your Matrix server (optional) - [prom/prometheus](https://hub.docker.com/r/prom/prometheus/) - [Prometheus](https://github.com/prometheus/prometheus/) is a systems and service monitoring system diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index d13b9788..8999f299 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -101,7 +101,7 @@ element.DOMAIN.tld { # creates letsencrypt certificate # tls your@email.com - + header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" @@ -128,10 +128,10 @@ element.DOMAIN.tld { } #dimension.DOMAIN.tld { -# +# # # creates letsencrypt certificate # # tls your@email.com -# +# # header { # # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS # Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" @@ -160,7 +160,7 @@ element.DOMAIN.tld { #jitsi.DOMAIN.tld { -# +# # creates letsencrypt certificate # tls your@email.com # @@ -193,7 +193,7 @@ element.DOMAIN.tld { # handle { # encode zstd gzip # -# reverse_proxy 127.0.0.1:12080 { +# reverse_proxy 127.0.0.1:13080 { # header_up X-Forwarded-Port {http.request.port} # header_up X-Forwarded-Proto {http.request.scheme} # header_up X-Forwarded-TlsProto {tls_protocol} @@ -201,4 +201,4 @@ element.DOMAIN.tld { # header_up X-Forwarded-HttpsProto {proto} # } # } -#} \ No newline at end of file +#} diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2841bccc..c9cc6ad0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -745,6 +745,29 @@ matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_se ###################################################################### +###################################################################### +# +# matrix-bot-go-neb +# +###################################################################### + +# We don't enable bots by default. +matrix_bot_go_neb_enabled: false + +matrix_bot_go_neb_systemd_required_services_list: | + {{ + ['docker.service'] + }} + +matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:4050' }}" + +###################################################################### +# +# /matrix-bot-go-neb +# +###################################################################### + + ###################################################################### # # matrix-corporal @@ -921,9 +944,9 @@ matrix_jitsi_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Jitsi HTTP port to the local host. -matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:12080' }}" +matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13080' }}" -matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:12090' }}" +matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13090' }}" matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}" matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}" @@ -1069,6 +1092,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" +matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" @@ -1139,6 +1163,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) + + ([matrix_server_fqn_jitsi] if matrix_jitsi_enabled else []) + ([matrix_server_fqn_grafana] if matrix_grafana_enabled else []) diff --git a/roles/matrix-awx/tasks/backup_server.yml b/roles/matrix-awx/tasks/backup_server.yml index 556c4497..2459fc8a 100644 --- a/roles/matrix-awx/tasks/backup_server.yml +++ b/roles/matrix-awx/tasks/backup_server.yml @@ -33,7 +33,7 @@ curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' register: tower_token no_log: True - + - name: Recreate 'Backup Server' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -62,8 +62,7 @@ - name: Set boolean value to exit playbook set_fact: end_playbook: true - + - name: End playbook if this task list is called. meta: end_play when: end_playbook is defined and end_playbook|bool - diff --git a/roles/matrix-awx/tasks/create_user.yml b/roles/matrix-awx/tasks/create_user.yml index 0993d61f..13a30596 100755 --- a/roles/matrix-awx/tasks/create_user.yml +++ b/roles/matrix-awx/tasks/create_user.yml @@ -10,10 +10,10 @@ when: admin_access == 'false' - name: Examine if server admin set - set_fact: + set_fact: admin_bool: 1 when: admin_access == 'true' - + - name: Set boolean value to exit playbook set_fact: end_playbook: true @@ -25,7 +25,7 @@ - name: Result debug: msg="{{ cmd.stdout }}" - + - name: End playbook if this task list is called. meta: end_play when: end_playbook is defined and end_playbook|bool diff --git a/roles/matrix-awx/tasks/customise_website_access_export.yml b/roles/matrix-awx/tasks/customise_website_access_export.yml index 4b775105..40ae1bfd 100755 --- a/roles/matrix-awx/tasks/customise_website_access_export.yml +++ b/roles/matrix-awx/tasks/customise_website_access_export.yml @@ -21,7 +21,7 @@ with_dict: 'matrix_nginx_proxy_base_domain_homepage_enabled': 'false' when: customise_base_domain_website|bool == true - + - name: Record custom 'Customise Website + Access Export' variables locally on AWX delegate_to: 127.0.0.1 lineinfile: @@ -34,7 +34,7 @@ 'sftp_auth_method': '"{{ sftp_auth_method }}"' 'sftp_password': '"{{ sftp_password }}"' 'sftp_public_key': '"{{ sftp_public_key }}"' - + - name: Copy new 'matrix_vars.yml' to target machine copy: src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' @@ -170,7 +170,7 @@ group: sftp mode: '0644' when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key") - + - name: Alter SSH Subsystem State 1 lineinfile: path: /etc/ssh/sshd_config @@ -227,4 +227,3 @@ service: name: ssh.service state: restarted - diff --git a/roles/matrix-awx/tasks/load_matrix_variables.yml b/roles/matrix-awx/tasks/load_matrix_variables.yml index 0174e0e6..ff0986d7 100755 --- a/roles/matrix-awx/tasks/load_matrix_variables.yml +++ b/roles/matrix-awx/tasks/load_matrix_variables.yml @@ -3,4 +3,3 @@ include_vars: file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' no_log: True - diff --git a/roles/matrix-awx/tasks/self_check.yml b/roles/matrix-awx/tasks/self_check.yml index 977293d0..8d647574 100644 --- a/roles/matrix-awx/tasks/self_check.yml +++ b/roles/matrix-awx/tasks/self_check.yml @@ -1,21 +1,21 @@ - name: Install prerequisite apt packages on target apt: - name: + name: - sysstat state: present - + - name: Install prerequisite yum packages on AWX delegate_to: 127.0.0.1 yum: - name: + name: - bind-utils state: present - + - name: Install prerequisite pip packages on AWX delegate_to: 127.0.0.1 pip: - name: + name: - dnspython state: present @@ -23,7 +23,7 @@ shell: iostat -c register: cpu_usage_stat no_log: True - + - name: Print CPU usage statistics debug: msg: "{{ cpu_usage_stat.stdout.split('\n') }}" @@ -91,4 +91,3 @@ debug: msg: "{{ docker_stats.stdout.split('\n') }}" when: docker_stats is defined - diff --git a/roles/matrix-awx/tasks/set_variables_corporal.yml b/roles/matrix-awx/tasks/set_variables_corporal.yml index efc44a42..d8ac038d 100755 --- a/roles/matrix-awx/tasks/set_variables_corporal.yml +++ b/roles/matrix-awx/tasks/set_variables_corporal.yml @@ -8,7 +8,7 @@ insertafter: '# Corporal Settings' with_dict: 'matrix_corporal_enabled': '{{ matrix_corporal_enabled }}' - + - name: Enable Shared Secret Auth if Corporal enabled delegate_to: 127.0.0.1 lineinfile: @@ -19,7 +19,7 @@ with_dict: 'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'true' when: matrix_corporal_enabled|bool - + - name: Disable Shared Secret Auth if Corporal disabled delegate_to: 127.0.0.1 lineinfile: @@ -30,7 +30,7 @@ with_dict: 'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'false' when: not matrix_corporal_enabled|bool - + - name: Enable Rest Auth Endpoint if Corporal enabled delegate_to: 127.0.0.1 lineinfile: @@ -97,7 +97,7 @@ "Type": "static_file", "Path": "/etc/matrix-corporal/corporal-policy.json" } - when: matrix_corporal_policy_provider_mode == "Simple Static File" + when: matrix_corporal_policy_provider_mode == "Simple Static File" - name: Touch the /matrix/corporal/ directory file: @@ -130,7 +130,7 @@ owner: matrix group: matrix mode: '660' - + - name: Touch the last-policy.json file to ensure it exists file: path: "/matrix/corporal/config/last-policy.json" @@ -138,7 +138,7 @@ owner: matrix group: matrix mode: '660' - + - name: Record 'Simple Static File' configuration content in corporal-policy.json copy: content: "{{ matrix_corporal_simple_static_config | string }}" @@ -211,16 +211,16 @@ src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_corporal.json' dest: '/matrix/awx/configure_corporal.json' mode: '0660' - + - debug: msg: "matrix_corporal_matrix_homeserver_api_endpoint: {{ matrix_corporal_matrix_homeserver_api_endpoint }}" - + - debug: msg: "matrix_corporal_matrix_auth_shared_secret: {{ matrix_corporal_matrix_auth_shared_secret }}" - debug: msg: "matrix_corporal_http_gateway_internal_rest_auth_enabled: {{ matrix_corporal_http_gateway_internal_rest_auth_enabled }}" - + - debug: msg: "matrix_corporal_matrix_registration_shared_secret: {{ matrix_corporal_matrix_registration_shared_secret }}" @@ -251,4 +251,3 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - diff --git a/roles/matrix-awx/tasks/set_variables_element.yml b/roles/matrix-awx/tasks/set_variables_element.yml index 892c1bac..a21a9dd8 100755 --- a/roles/matrix-awx/tasks/set_variables_element.yml +++ b/roles/matrix-awx/tasks/set_variables_element.yml @@ -53,7 +53,7 @@ curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' register: tower_token no_log: True - + - name: Recreate 'Configure Element' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: @@ -74,4 +74,3 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - diff --git a/roles/matrix-awx/tasks/set_variables_jitsi.yml b/roles/matrix-awx/tasks/set_variables_jitsi.yml index e35beab7..4a871a18 100755 --- a/roles/matrix-awx/tasks/set_variables_jitsi.yml +++ b/roles/matrix-awx/tasks/set_variables_jitsi.yml @@ -55,4 +55,3 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - diff --git a/roles/matrix-awx/tasks/set_variables_ma1sd.yml b/roles/matrix-awx/tasks/set_variables_ma1sd.yml index 256a2410..32dadc0a 100755 --- a/roles/matrix-awx/tasks/set_variables_ma1sd.yml +++ b/roles/matrix-awx/tasks/set_variables_ma1sd.yml @@ -44,14 +44,14 @@ regexp: '^.*\n' after: '# Start ma1sd Extension' before: '# End ma1sd Extension' - + - name: Replace conjoined ma1sd configuration extension limiters delegate_to: 127.0.0.1 replace: path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' regexp: '^# Start ma1sd Extension# End ma1sd Extension' replace: '# Start ma1sd Extension\n# End ma1sd Extension' - + - name: Insert ma1sd configuration extension header if using external LDAP/AD with ma1sd delegate_to: 127.0.0.1 lineinfile: @@ -125,6 +125,5 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - -# ^ This playbook isn't executing so the survey isn't being updated! :P +# ^ This playbook isn't executing so the survey isn't being updated! :P diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index 979190ce..a8cc418b 100755 --- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -15,7 +15,7 @@ 'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}' 'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}' 'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}' - + - name: Empty Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if raw inputs empty delegate_to: 127.0.0.1 replace: @@ -143,7 +143,7 @@ line: " - {{ item }}" with_items: "{{ ext_federation_whitelist_raw.splitlines() }}" when: ext_federation_whitelist_raw|length > 0 - + - name: Record Synapse Custom variables locally on AWX delegate_to: 127.0.0.1 lineinfile: @@ -220,4 +220,3 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - diff --git a/roles/matrix-awx/tasks/set_variables_synapse_admin.yml b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml index 30cf12b4..42084ad7 100644 --- a/roles/matrix-awx/tasks/set_variables_synapse_admin.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml @@ -54,5 +54,3 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - - diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 39a8cffc..5f1cf433 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -18,6 +18,9 @@ matrix_server_fqn_element: "element.{{ matrix_domain }}" # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" +# For use with Go-NEB! (github callback url for example) +matrix_server_fqn_bot_go_neb: "goneb.{{ matrix_domain }}" + # This is where you access Jitsi. matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" diff --git a/roles/matrix-bot-go-neb/defaults/main.yml b/roles/matrix-bot-go-neb/defaults/main.yml new file mode 100644 index 00000000..758f9f01 --- /dev/null +++ b/roles/matrix-bot-go-neb/defaults/main.yml @@ -0,0 +1,231 @@ +# Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python. +# See: https://github.com/matrix-org/go-neb + +matrix_bot_go_neb_enabled: true +matrix_bot_go_neb_version: latest +matrix_bot_go_neb_docker_image: "matrixdotorg/go-neb:{{ matrix_bot_go_neb_version }}" +matrix_bot_go_neb_docker_image_force_pull: "{{ matrix_bot_go_neb_docker_image.endswith(':latest') }}" + +matrix_bot_go_neb_base_path: "{{ matrix_base_data_path }}/go-neb" +matrix_bot_go_neb_config_path: "{{ matrix_bot_go_neb_base_path }}/config" +matrix_bot_go_neb_config_path_in_container: "/config/config.yaml" +matrix_bot_go_neb_data_path: "{{ matrix_bot_go_neb_base_path }}/data" +matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store" + +# Controls whether the matrix-bot-go-neb container exposes its HTTP port (tcp/4050 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:4050"), or empty string to not expose. +matrix_bot_go_neb_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_bot_go_neb_container_extra_arguments: [] + +# List of systemd services that matrix-bot-go-neb.service depends on +matrix_bot_go_neb_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-bot-go-neb.service wants +matrix_bot_go_neb_systemd_wanted_services_list: [] + +# Database-related configuration fields. +# +# MUST be "sqlite3". No other type is supported. +matrix_bot_go_neb_database_engine: 'sqlite3' + +matrix_bot_go_neb_sqlite_database_path_local: "{{ matrix_bot_go_neb_data_path }}/bot.db" +matrix_bot_go_neb_sqlite_database_path_in_container: "/data/bot.db" + +matrix_bot_go_neb_storage_database: "{{ + { + 'sqlite3': (matrix_bot_go_neb_sqlite_database_path_in_container + '?_busy_timeout=5000'), + }[matrix_bot_go_neb_database_engine] +}}" + +# The bot's username(s). These users need to be created manually beforehand. +# The access tokens that the bot uses to authenticate. +# Generate one as described in +# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-dimension.md#access-token +# via curl. With the element method, you might run into decryption problems (see https://github.com/matrix-org/go-neb#quick-start) +matrix_bot_go_neb_clients: {} +# - UserID: "@goneb:{{ matrix_domain }}" +# AccessToken: "MDASDASJDIASDJASDAFGFRGER" +# DeviceID: "DEVICE1" +# HomeserverURL: "{{ matrix_homeserver_container_url }}" +# Sync: true +# AutoJoinRooms: true +# DisplayName: "Go-NEB!" +# AcceptVerificationFromUsers: [":{{ matrix_domain }}"] +# +# - UserID: "@another_goneb:{{ matrix_domain }}" +# AccessToken: "MDASDASJDIASDJASDAFGFRGER" +# DeviceID: "DEVICE2" +# HomeserverURL: "{{ matrix_homeserver_container_url }}" +# Sync: false +# AutoJoinRooms: false +# DisplayName: "Go-NEB!" +# AcceptVerificationFromUsers: ["^@admin:{{ matrix_domain }}"] + +# The list of realms which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureAuthRealm for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest +matrix_bot_go_neb_realms: {} +# - ID: "github_realm" +# Type: "github" +# Config: {} # No need for client ID or Secret as Go-NEB isn't generating OAuth URLs + +# The list of *authenticated* sessions which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# The full list of options are shown below: there is no single HTTP endpoint +# which maps to this section. +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session +matrix_bot_go_neb_sessions: {} +# - SessionID: "your_github_session" +# RealmID: "github_realm" +# UserID: "@YOUR_USER_ID:{{ matrix_domain }}" # This needs to be the username of the person that's allowed to use the !github commands +# Config: +# # Populate these fields by generating a "Personal Access Token" on github.com +# AccessToken: "YOUR_GITHUB_ACCESS_TOKEN" +# Scopes: "admin:org_hook,admin:repo_hook,repo,user" + +# The list of services which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureService for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest +matrix_bot_go_neb_services: {} +# - ID: "echo_service" +# Type: "echo" +# UserID: "@goneb:{{ matrix_domain }}" +# Config: {} + +## Can be obtained from https://developers.giphy.com/dashboard/ +# - ID: "giphy_service" +# Type: "giphy" +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client +# Config: +# api_key: "qwg4672vsuyfsfe" +# use_downsized: false +# +## This service has been dead for over a year :/ +# - ID: "guggy_service" +# Type: "guggy" +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client +# Config: +# api_key: "2356saaqfhgfe" +# +## API Key via https://developers.google.com/custom-search/v1/introduction +## CX via http://www.google.com/cse/manage/all +## https://stackoverflow.com/questions/6562125/getting-a-cx-id-for-custom-search-google-api-python +## 'Search the entire web' and 'Image search' enabled for best results +# - ID: "google_service" +# Type: "google" +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client +# Config: +# api_key: "AIzaSyA4FD39m9" +# cx: "AIASDFWSRRtrtr" +# +## Get a key via https://api.imgur.com/oauth2/addclient +## Select "oauth2 without callback url" +# - ID: "imgur_service" +# Type: "imgur" +# UserID: "@imgur:{{ matrix_domain }}" # requires a Syncing client +# Config: +# client_id: "AIzaSyA4FD39m9" +# client_secret: "somesecret" +# +# - ID: "wikipedia_service" +# Type: "wikipedia" +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client +# Config: +# +# - ID: "rss_service" +# Type: "rssbot" +# UserID: "@another_goneb:{{ matrix_domain }}" +# Config: +# feeds: +# "http://lorem-rss.herokuapp.com/feed?unit=second&interval=60": +# rooms: ["!qmElAGdFYCHoCJuaNt:localhost"] +# must_include: +# author: +# - author1 +# description: +# - lorem +# - ipsum +# must_not_include: +# title: +# - Lorem +# - Ipsum +# +# - ID: "github_cmd_service" +# Type: "github" +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client +# Config: +# RealmID: "github_realm" +# +# # Make sure your BASE_URL can be accessed by Github! +# - ID: "github_webhook_service" +# Type: "github-webhook" +# UserID: "@another_goneb:{{ matrix_domain }}" +# Config: +# RealmID: "github_realm" +# ClientUserID: "@YOUR_USER_ID:{{ matrix_domain }}" # needs to be an authenticated user so Go-NEB can create webhooks. Check the UserID field in the github_realm in matrix_bot_go_neb_sessions. +# Rooms: +# "!someroom:id": +# Repos: +# "matrix-org/synapse": +# Events: ["push", "issues"] +# "matrix-org/dendron": +# Events: ["pull_request"] +# "!anotherroom:id": +# Repos: +# "matrix-org/synapse": +# Events: ["push", "issues"] +# "matrix-org/dendron": +# Events: ["pull_request"] +# +# - ID: "slackapi_service" +# Type: "slackapi" +# UserID: "@slackapi:{{ matrix_domain }}" +# Config: +# Hooks: +# "hook1": +# RoomID: "!someroom:id" +# MessageType: "m.text" # default is m.text +# +# - ID: "alertmanager_service" +# Type: "alertmanager" +# UserID: "@alertmanager:{{ matrix_domain }}" +# Config: +# # This is for information purposes only. It should point to Go-NEB path as follows: +# # `/services/hooks/` +# # Where in this case "service ID" is "alertmanager_service" +# # Make sure your BASE_URL can be accessed by the Alertmanager instance! +# webhook_url: "http://localhost/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U" +# # Each room will get the notification with the alert rendered with the given template +# rooms: +# "!someroomid:domain.tld": +# text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}" +# html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}" +# msg_type: "m.text" # Must be either `m.text` or `m.notice` + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_bot_go_neb_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_bot_go_neb_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_bot_go_neb_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_bot_go_neb_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_bot_go_neb_configuration_yaml`. + +matrix_bot_go_neb_configuration_extension: "{{ matrix_bot_go_neb_configuration_extension_yaml|from_yaml if matrix_bot_go_neb_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_bot_go_neb_configuration_yaml`. +matrix_bot_go_neb_configuration: "{{ matrix_bot_go_neb_configuration_yaml|from_yaml|combine(matrix_bot_go_neb_configuration_extension, recursive=True) }}" + diff --git a/roles/matrix-bot-go-neb/tasks/init.yml b/roles/matrix-bot-go-neb/tasks/init.yml new file mode 100644 index 00000000..169f5978 --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-go-neb.service'] }}" + when: matrix_bot_go_neb_enabled|bool diff --git a/roles/matrix-bot-go-neb/tasks/main.yml b/roles/matrix-bot-go-neb/tasks/main.yml new file mode 100644 index 00000000..1a4fe70a --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_bot_go_neb_enabled|bool" + tags: + - setup-all + - setup-bot-go-neb + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_bot_go_neb_enabled|bool" + tags: + - setup-all + - setup-bot-go-neb + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_bot_go_neb_enabled|bool" + tags: + - setup-all + - setup-bot-go-neb diff --git a/roles/matrix-bot-go-neb/tasks/setup_install.yml b/roles/matrix-bot-go-neb/tasks/setup_install.yml new file mode 100644 index 00000000..e26be080 --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/setup_install.yml @@ -0,0 +1,50 @@ +--- + +- set_fact: + matrix_bot_go_neb_requires_restart: false + +- name: Ensure go-neb paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_bot_go_neb_config_path }}", when: true } + - { path: "{{ matrix_bot_go_neb_data_path }}", when: true } + - { path: "{{ matrix_bot_go_neb_data_store_path }}", when: true } + when: "item.when|bool" + +- name: Ensure go-neb image is pulled + docker_image: + name: "{{ matrix_bot_go_neb_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_go_neb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_docker_image_force_pull }}" + +- name: Ensure go-neb config installed + copy: + content: "{{ matrix_bot_go_neb_configuration|to_nice_yaml }}" + dest: "{{ matrix_bot_go_neb_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-bot-go-neb.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-bot-go-neb.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service" + mode: 0644 + register: matrix_bot_go_neb_systemd_service_result + +- name: Ensure systemd reloaded after matrix-bot-go-neb.service installation + service: + daemon_reload: yes + when: "matrix_bot_go_neb_systemd_service_result.changed|bool" + +- name: Ensure matrix-bot-go-neb.service restarted, if necessary + service: + name: "matrix-bot-go-neb.service" + state: restarted + when: "matrix_bot_go_neb_requires_restart|bool" diff --git a/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml b/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml new file mode 100644 index 00000000..49ad1fe7 --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-go-neb service + stat: + path: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service" + register: matrix_bot_go_neb_service_stat + +- name: Ensure matrix-go-neb is stopped + service: + name: matrix-bot-go-neb + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_bot_go_neb_service_stat.stat.exists|bool" + +- name: Ensure matrix-bot-go-neb.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service" + state: absent + when: "matrix_bot_go_neb_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-bot-go-neb.service removal + service: + daemon_reload: yes + when: "matrix_bot_go_neb_service_stat.stat.exists|bool" + +- name: Ensure Matrix go-neb paths don't exist + file: + path: "{{ matrix_bot_go_neb_base_path }}" + state: absent + +- name: Ensure go-neb Docker image doesn't exist + docker_image: + name: "{{ matrix_bot_go_neb_docker_image }}" + state: absent diff --git a/roles/matrix-bot-go-neb/tasks/validate_config.yml b/roles/matrix-bot-go-neb/tasks/validate_config.yml new file mode 100644 index 00000000..7b292250 --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/validate_config.yml @@ -0,0 +1,13 @@ +--- + +- name: Fail if there's not at least 1 client + fail: + msg: >- + You need at least 1 client in the matrix_bot_go_neb_clients block. + when: matrix_bot_go_neb_clients is not defined or matrix_bot_go_neb_clients[0] is not defined + +- name: Fail if there's not at least 1 service + fail: + msg: >- + You need at least 1 service in the matrix_bot_go_neb_services block. + when: matrix_bot_go_neb_services is not defined or matrix_bot_go_neb_services[0] is not defined diff --git a/roles/matrix-bot-go-neb/templates/config.yaml.j2 b/roles/matrix-bot-go-neb/templates/config.yaml.j2 new file mode 100644 index 00000000..c72dbf8d --- /dev/null +++ b/roles/matrix-bot-go-neb/templates/config.yaml.j2 @@ -0,0 +1,44 @@ +# Go-NEB Configuration File +# +# This file provides an alternative way to configure Go-NEB which does not involve HTTP APIs. +# +# This file can be supplied to go-neb by the environment variable `CONFIG_FILE=config.yaml`. +# It will force Go-NEB to operate in "config" mode. This means: +# - Go-NEB will ONLY use the data contained inside this file. +# - All of Go-NEB's /admin HTTP listeners will be disabled. You will be unable to add new services at runtime. +# - The environment variable `DATABASE_URL` will be ignored and an in-memory database will be used instead. +# +# This file is broken down into 4 sections which matches the following HTTP APIs: +# - /configureClient +# - /configureAuthRealm +# - /configureService +# - /requestAuthSession (redirects not supported) + +# The list of clients which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureClient for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ClientConfig +clients: + {{ matrix_bot_go_neb_clients|to_json }} + +# The list of realms which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureAuthRealm for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest +realms: + {{ matrix_bot_go_neb_realms|to_json }} + +# The list of *authenticated* sessions which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# The full list of options are shown below: there is no single HTTP endpoint +# which maps to this section. +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session +sessions: + {{ matrix_bot_go_neb_sessions|to_json }} + +# The list of services which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureService for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest +services: + {{ matrix_bot_go_neb_services|to_json }} diff --git a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 new file mode 100644 index 00000000..eabf1137 --- /dev/null +++ b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 @@ -0,0 +1,49 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Go-NEB bot +{% for service in matrix_bot_go_neb_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_bot_go_neb_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-go-neb \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_bot_go_neb_container_http_host_bind_port %} + -p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \ + {% endif %} + -e 'BIND_ADDRESS=:4050' \ + -e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \ + -e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \ + -e 'CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}' \ + -e 'DATABASE_URL={{ matrix_bot_go_neb_storage_database }}' \ + --mount type=bind,src={{ matrix_bot_go_neb_config_path }},dst=/config,ro \ + --mount type=bind,src={{ matrix_bot_go_neb_data_path }},dst=/data \ + --entrypoint=/bin/sh \ + {% for arg in matrix_bot_go_neb_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_bot_go_neb_docker_image }} \ + -c "go-neb /config/config.yaml" + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-bot-go-neb + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index acd2c885..f3af4b9f 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -16,20 +16,6 @@ Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-facebook 2>/dev/null' ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null' -# This bridge uses another mechanism for migrations now (migrations happen automatically during regular startup), -# so going forward, running this alembic stuff will not necessary. -# People who are upgrading from an older version of the bridge should go through this migration -# first though, so we're keeping it around for now. -ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook-db \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - -v {{ matrix_mautrix_facebook_config_path }}:/config:z \ - -v {{ matrix_mautrix_facebook_data_path }}:/data:z \ - {{ matrix_mautrix_facebook_docker_image }} \ - alembic -x config=/config/config.yaml upgrade head - # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index fc6f30f9..1b45306e 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.21 +matrix_client_element_version: v1.7.23 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index b1477cf6..300de94c 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -30,7 +30,7 @@ # as we may run into systemd's automatic restart logic retrying the service. - name: Wait a bit, so that services can start (or fail) wait_for: - timeout: 5 + timeout: 15 delegate_to: 127.0.0.1 become: false diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index b7434dd3..16206840 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -73,7 +73,7 @@ matrix_jitsi_etherpad_enabled: false # Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container). # -# Takes an ":" or "" value (e.g. "127.0.0.1:12080"), or empty string to not expose. +# Takes an ":" or "" value (e.g. "127.0.0.1:13080"), or empty string to not expose. matrix_jitsi_web_container_http_host_bind_port: '' # A list of extra arguments to pass to the container diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index ff550533..c1538c75 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -121,6 +121,10 @@ matrix_nginx_proxy_proxy_matrix_federation_port: 8448 matrix_nginx_proxy_proxy_dimension_enabled: false matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" +# Controls whether proxying the goneb domain should be done. +matrix_nginx_proxy_proxy_bot_go_neb_enabled: false +matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" + # Controls whether proxying the jitsi domain should be done. matrix_nginx_proxy_proxy_jitsi_enabled: false matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" @@ -194,6 +198,8 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else []) + (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else []) + + + (['/_synapse/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else []) }} # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected. @@ -235,6 +241,9 @@ matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf). +matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf). matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] @@ -363,3 +372,9 @@ matrix_nginx_proxy_synapse_generic_worker_federation_locations: [] matrix_nginx_proxy_synapse_media_repository_locations: [] matrix_nginx_proxy_synapse_user_dir_locations: [] matrix_nginx_proxy_synapse_frontend_proxy_locations: [] + +# The amount of worker processes and connections +# Consider increasing these when you are expecting high amounts of traffic +# http://nginx.org/en/docs/ngx_core_module.html#worker_connections +matrix_nginx_proxy_worker_processes: 1 +matrix_nginx_proxy_worker_connections: 1024 diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml index 2cf1ef06..6f831a29 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml @@ -12,6 +12,8 @@ follow_redirects: none return_content: true validate_certs: "{{ well_known_file_check.validate_certs }}" + headers: + Origin: example.com check_mode: no register: result_well_known_matrix ignore_errors: true @@ -40,6 +42,8 @@ follow_redirects: "{{ well_known_file_check.follow_redirects }}" return_content: true validate_certs: "{{ well_known_file_check.validate_certs }}" + headers: + Origin: example.com check_mode: no register: result_well_known_identity ignore_errors: true diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 233fe4a9..c7e15c95 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -79,6 +79,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_dimension_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for goneb domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool + - name: Ensure Matrix nginx-proxy configuration for jitsi domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-jitsi.conf.j2" @@ -196,6 +203,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_dimension_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for goneb domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for jitsi domain deleted file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 new file mode 100644 index 00000000..3c3231f4 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -0,0 +1,77 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options nosniff; +{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-bot-go-neb:4050"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:4050; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 41497416..9d582618 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -47,6 +47,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; } {% endif %} @@ -64,6 +65,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; } {% endif %} @@ -98,6 +100,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; } {% endif %} @@ -122,6 +125,7 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index eb3d67b1..a20d8a73 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -17,7 +17,7 @@ proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:12080; + proxy_pass http://127.0.0.1:13080; {% endif %} proxy_set_header Host $host; @@ -32,7 +32,7 @@ proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:12090; + proxy_pass http://127.0.0.1:13090; {% endif %} proxy_set_header Host $host; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 7041468e..4a3a355d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -79,7 +79,6 @@ server { location ~ {{ location }} { proxy_pass http://generic_worker_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; } {% endfor %} {% endif %} @@ -90,7 +89,6 @@ server { location ~ {{ location }} { proxy_pass http://media_repository_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; @@ -106,7 +104,6 @@ server { location ~ {{ location }} { proxy_pass http://user_dir_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; } {% endfor %} {% endif %} @@ -117,7 +114,6 @@ server { location ~ {{ location }} { proxy_pass http://frontend_proxy_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; } {% endfor %} {% if matrix_nginx_proxy_synapse_presence_disabled %} @@ -125,7 +121,6 @@ server { location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status { proxy_pass http://frontend_proxy_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; } {% endif %} {% endif %} @@ -150,7 +145,6 @@ server { {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; {% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} auth_basic "protected"; @@ -172,7 +166,6 @@ server { {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; @@ -199,7 +192,6 @@ server { location ~ {{ location }} { proxy_pass http://generic_worker_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; } {% endfor %} {% endif %} @@ -209,7 +201,6 @@ server { location ~ {{ location }} { proxy_pass http://media_repository_upstream$request_uri; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; @@ -231,7 +222,6 @@ server { {% endif %} proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index facb0901..c35f9b24 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -8,14 +8,13 @@ # - various temp paths are changed to `/tmp`, so that a non-root user can write to them # - the `user` directive was removed, as we don't want nginx to switch users -worker_processes 1; - +worker_processes {{ matrix_nginx_proxy_worker_processes }}; error_log /var/log/nginx/error.log warn; pid /tmp/nginx.pid; events { - worker_connections 1024; + worker_connections {{ matrix_nginx_proxy_worker_connections }}; } diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 9086884b..d9139da1 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.28.0 -matrix_synapse_version_arm64: v1.28.0 +matrix_synapse_version: v1.29.0 +matrix_synapse_version_arm64: v1.29.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -181,6 +181,26 @@ matrix_synapse_allow_public_rooms_without_auth: false # For private servers, you most likely wish to forbid it. matrix_synapse_allow_public_rooms_over_federation: false +# Whether to require authentication to retrieve profile data (avatars, +# display names) of other users through the client API. Defaults to +# 'false'. Note that profile data is also available via the federation +# API, so this setting is of limited value if federation is enabled on +# the server. +matrix_synapse_require_auth_for_profile_requests: false + +# Set to true to require a user to share a room with another user in order +# to retrieve their profile information. Only checked on Client-Server +# requests. Profile requests from other servers should be checked by the +# requesting server. Defaults to 'false'. +matrix_synapse_limit_profile_requests_to_users_who_share_rooms: false + +# Set to false to prevent a user's profile data from being retrieved and +# displayed in a room until they have joined it. By default, a user's +# profile data is included in an invite event, regardless of the values +# of the above two settings, and whether or not the users share a server. +# Defaults to 'true'. +matrix_synapse_include_profile_data_on_invite: true + # Controls whether people with access to the homeserver can register by themselves. matrix_synapse_enable_registration: false diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 09e11f7b..63e497d0 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -68,14 +68,22 @@ use_presence: {{ matrix_synapse_use_presence|to_json }} # API, so this setting is of limited value if federation is enabled on # the server. # -#require_auth_for_profile_requests: true +require_auth_for_profile_requests: {{ matrix_synapse_require_auth_for_profile_requests|to_json }} # Uncomment to require a user to share a room with another user in order # to retrieve their profile information. Only checked on Client-Server # requests. Profile requests from other servers should be checked by the # requesting server. Defaults to 'false'. # -#limit_profile_requests_to_users_who_share_rooms: true +limit_profile_requests_to_users_who_share_rooms: {{ matrix_synapse_limit_profile_requests_to_users_who_share_rooms|to_json }} + +# Uncomment to prevent a user's profile data from being retrieved and +# displayed in a room until they have joined it. By default, a user's +# profile data is included in an invite event, regardless of the values +# of the above two settings, and whether or not the users share a server. +# Defaults to 'true'. +# +include_profile_data_on_invite: {{ matrix_synapse_include_profile_data_on_invite|to_json }} # If set to 'true', removes the need for authentication to access the server's # public rooms directory through the client API, meaning that anyone can @@ -725,6 +733,12 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js # - matrix.org # - example.com +# Uncomment to disable profile lookup over federation. By default, the +# Federation API allows other homeservers to obtain profile data of any user +# on this homeserver. Defaults to 'true'. +# +#allow_profile_lookup_over_federation: false + ## Caching ## @@ -2578,19 +2592,35 @@ enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }} # User Directory configuration # -# 'enabled' defines whether users can search the user directory. If -# false then empty responses are returned to all queries. Defaults to -# true. -# -# 'search_all_users' defines whether to search all users visible to your HS -# when searching the user directory, rather than limiting to users visible -# in public rooms. Defaults to false. If you set it True, you'll have to -# rebuild the user_directory search indexes, see -# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md -# -#user_directory: -# enabled: true -# search_all_users: false +user_directory: + # Defines whether users can search the user directory. If false then + # empty responses are returned to all queries. Defaults to true. + # + # Uncomment to disable the user directory. + # + #enabled: false + + # Defines whether to search all users visible to your HS when searching + # the user directory, rather than limiting to users visible in public + # rooms. Defaults to false. + # + # If you set it true, you'll have to rebuild the user_directory search + # indexes, see: + # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md + # + # Uncomment to return search results containing all known users, even if that + # user does not share a room with the requester. + # + #search_all_users: true + + # Defines whether to prefer local users in search query results. + # If True, local users are more likely to appear above remote users + # when searching the user directory. Defaults to false. + # + # Uncomment to prefer local over remote users in user directory search + # results. + # + #prefer_local_users: true # User Consent configuration diff --git a/setup.yml b/setup.yml index 66f7dd2e..c87354be 100755 --- a/setup.yml +++ b/setup.yml @@ -33,6 +33,7 @@ - matrix-bridge-mx-puppet-instagram - matrix-bridge-sms - matrix-bot-matrix-reminder-bot + - matrix-bot-go-neb - matrix-synapse - matrix-synapse-admin - matrix-prometheus-node-exporter From 27416607d9bf0a1b5cb21f15234391b7d6b50208 Mon Sep 17 00:00:00 2001 From: Yannick Goossens Date: Tue, 16 Mar 2021 16:38:59 +0100 Subject: [PATCH 2020/2384] Another field with 'invalid input syntax for type smallint' --- roles/matrix-dimension/tasks/setup_install.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-dimension/tasks/setup_install.yml b/roles/matrix-dimension/tasks/setup_install.yml index 26a75bcb..804be88d 100644 --- a/roles/matrix-dimension/tasks/setup_install.yml +++ b/roles/matrix-dimension/tasks/setup_install.yml @@ -40,6 +40,7 @@ - {'table': 'dimension_sticker_packs', 'column': 'isPublic', 'default': ''} - {'table': 'dimension_slack_bridges', 'column': 'isEnabled', 'default': ''} - {'table': 'dimension_neb_integrations', 'column': 'isPublic', 'default': ''} + - {'table': 'dimension_neb_integrations', 'column': 'isEnabled', 'default': ''} - {'table': 'dimension_irc_bridges', 'column': 'isEnabled', 'default': ''} - {'table': 'dimension_irc_bridge_networks', 'column': 'isEnabled', 'default': ''} - {'table': 'dimension_gitter_bridges', 'column': 'isEnabled', 'default': ''} From 60aa40845f9e054974a0178b4f00fc0c3622a610 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Tue, 16 Mar 2021 18:51:05 +0100 Subject: [PATCH 2021/2384] Upgrade Etherpad (1.8.7 -> 1.8.12) --- roles/matrix-etherpad/defaults/main.yml | 2 +- roles/matrix-etherpad/templates/settings.json.j2 | 3 +++ .../templates/systemd/matrix-etherpad.service.j2 | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 27589b2a..90883310 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -2,7 +2,7 @@ matrix_etherpad_enabled: false matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" -matrix_etherpad_version: 1.8.7 +matrix_etherpad_version: 1.8.12 matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:{{ matrix_etherpad_version }}" matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 index b3b87f43..377bad98 100644 --- a/roles/matrix-etherpad/templates/settings.json.j2 +++ b/roles/matrix-etherpad/templates/settings.json.j2 @@ -42,6 +42,9 @@ "percentageToScrollWhenUserPressesArrowUp": 0 }, "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], + "socketIo": { + "maxHttpBufferSize": 10000 + }, "loadTest": false, "importExportRateLimiting": { "windowMs": 90000, diff --git a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 index b8a26664..b579036b 100644 --- a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 +++ b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 @@ -29,7 +29,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-etherpad \ {{ arg }} \ {% endfor %} {{ matrix_etherpad_docker_image }} \ - node --experimental-worker /opt/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js \ + node --experimental-worker src/node/server.js \ --settings /data/settings.json --credentials /data/credentials.json \ --sessionkey /data/sessionkey.json --apikey /data/apijey.json From 466827139a32efe3fdb8261bb1e56a225cff15b0 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 17 Mar 2021 00:54:00 -0500 Subject: [PATCH 2022/2384] Also check if matrix_ssl_lets_encrypt_support_email is blank --- roles/matrix-nginx-proxy/tasks/validate_config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 3197bd97..9661ae5e 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -40,8 +40,8 @@ - name: Fail if required variables are undefined fail: - msg: "Detected an undefined required variable" + msg: "The `{{ item }}` variable must be defined and have a non-null value" with_items: - "matrix_ssl_lets_encrypt_support_email" - when: "vars[item] is none" + when: "vars[item] == '' or vars[item] is none" when: "matrix_ssl_retrieval_method == 'lets-encrypt'" From 2d7e7680e565eadc226dbb6375ed869cca141290 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Wed, 17 Mar 2021 12:36:45 +0100 Subject: [PATCH 2023/2384] matrix.{{ matrix_domain }} -> {{ matrix_server_fqn_matrix }} --- roles/matrix-awx/surveys/configure_synapse_admin.json.j2 | 2 +- roles/matrix-bridge-appservice-slack/defaults/main.yml | 2 +- roles/matrix-bridge-appservice-webhooks/defaults/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 b/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 index f5a740aa..e1f6dc12 100644 --- a/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 +++ b/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 @@ -4,7 +4,7 @@ "spec": [ { "question_name": "Enable Synapse Admin", - "question_description": "Set if Synapse Admin is enabled or not. If enabled you can access it at https://matrix.{{ matrix_domain }}/synapse-admin.", + "question_description": "Set if Synapse Admin is enabled or not. If enabled you can access it at https://{{ matrix_server_fqn_matrix }}/synapse-admin.", "required": false, "min": null, "max": null, diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 1169de4f..a0032a0d 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -32,7 +32,7 @@ matrix_appservice_slack_slack_port: 9003 # Takes an ":" or "" value (e.g. "127.0.0.1:9999"), or empty string to not expose. matrix_appservice_slack_container_http_host_bind_port: '' -matrix_appservice_slack_homeserver_media_url: "matrix.{{ matrix_domain }}" +matrix_appservice_slack_homeserver_media_url: "{{ matrix_server_fqn_matrix }}" matrix_appservice_slack_homeserver_url: "http://matrix-synapse:8008" matrix_appservice_slack_homeserver_domain: "{{ matrix_domain }}" matrix_appservice_slack_appservice_url: 'http://matrix-appservice-slack' diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 215afc05..82e0925c 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -28,7 +28,7 @@ matrix_appservice_webhooks_matrix_port: 6789 # Takes an ":" or "" value (e.g. "127.0.0.1:9999"), or empty string to not expose. matrix_appservice_webhooks_container_http_host_bind_port: '' -matrix_appservice_webhooks_homeserver_media_url: "matrix.{{ matrix_domain }}" +matrix_appservice_webhooks_homeserver_media_url: "{{ matrix_server_fqn_matrix }}" matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:8008" matrix_appservice_webhooks_homeserver_domain: "{{ matrix_domain }}" matrix_appservice_webhooks_appservice_url: 'http://matrix-appservice-webhooks' From 07fb05a4ab9c1dabca2f8c1f76e6625e2841809d Mon Sep 17 00:00:00 2001 From: chagai95 <31655082+chagai95@users.noreply.github.com> Date: Wed, 17 Mar 2021 20:29:17 +0100 Subject: [PATCH 2024/2384] fix typo ot -> to --- docs/maintenance-migrating.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index 71a38e58..d6380b99 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md @@ -1,6 +1,6 @@ # Migrating to new server -1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading ot less downtime +1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading to less downtime 2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*` 3. Copy directory `/matrix` from the old server to the new server. Make sure to preserve ownership and permissions (use `cp -p` or `rsync -ar`)! 4. Make sure your DNS records are adjusted to point to the new server's IP address From 32b3650c1245ec5854fbdb52965cda19a8ab0ace Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Wed, 17 Mar 2021 18:51:10 -0500 Subject: [PATCH 2025/2384] Set X-Forwarded-Proto on federation requests --- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 9d582618..1d2470a9 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -241,6 +241,7 @@ server { proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; client_body_buffer_size 25M; client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; From a5ee39266c29c6784175e76b796702fd3fc9a2e8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Mar 2021 08:16:59 +0200 Subject: [PATCH 2026/2384] Go through start.py when launching Synapse This allows us to benefit from helpful things it does for us, like enabling jemalloc: https://github.com/matrix-org/synapse/pull/8553 We weren't going through `start.py` before, because it was causing some conflict with our `docker run --user=...` stuff, but it doesn't seem to be a problem anymore. Having done this, we won't need to do things like https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/941 anymore. --- .../templates/synapse/systemd/matrix-synapse-worker.service.j2 | 3 +-- .../templates/synapse/systemd/matrix-synapse.service.j2 | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index ee858183..43dc42d1 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -18,7 +18,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_wor --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ - --entrypoint=python \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ --network={{ matrix_docker_network }} \ @@ -44,7 +43,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_wor {{ arg }} \ {% endfor %} {{ matrix_synapse_docker_image }} \ - -m synapse.app.{{ matrix_synapse_worker_details.type }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }} + run -m synapse.app.{{ matrix_synapse_worker_details.type }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }} ExecStop=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 5f69e315..cd3a2f3d 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -34,7 +34,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ - --entrypoint=python \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ --network={{ matrix_docker_network }} \ @@ -62,7 +61,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {{ arg }} \ {% endfor %} {{ matrix_synapse_docker_image }} \ - -m synapse.app.homeserver -c /data/homeserver.yaml + run -m synapse.app.homeserver -c /data/homeserver.yaml ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' From f99dcd611fadce7d20a3a804b4aac49d2d3781e2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 19 Mar 2021 16:44:10 +0200 Subject: [PATCH 2027/2384] Pass proper UID/GID to Synapse Fixes a regression caused by a5ee39266c29c6. If the user id and group id were different than 991:991 (which used to be a hardcoded default for us long ago), there was a mismatch between what Synapse was trying to use (991:991) and what it was actually started with (in `--user=..`). It was then trying to change ownership, which was failing. This was mostly affecting newer installations which were not using the 991:991 defaults we had long ago (since a1c5a197a93d410). --- .../templates/synapse/systemd/matrix-synapse-worker.service.j2 | 2 ++ .../templates/synapse/systemd/matrix-synapse.service.j2 | 2 ++ 2 files changed, 4 insertions(+) diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 index 43dc42d1..6c90c9a3 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -17,6 +17,8 @@ ExecStartPre={{ matrix_host_command_sleep }} 5 ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_worker_container_name }} \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + -e UID={{ matrix_user_uid }} \ + -e GID={{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index cd3a2f3d..2fbaac7b 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -33,6 +33,8 @@ ExecStartPre={{ matrix_host_command_sleep }} 3 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --env=UID={{ matrix_user_uid }} \ + --env=GID={{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ From 1e54b1d1a5fca731ef7fcf1271c06bc2b2b069ea Mon Sep 17 00:00:00 2001 From: Michael Date: Sat, 20 Mar 2021 17:21:02 +0800 Subject: [PATCH 2028/2384] merge upstream --- .../surveys/configure_synapse.json.j2 | 2 +- .../tasks/load_hosting_and_org_variables.yml | 18 ++--- .../tasks/load_matrix_variables.yml | 10 +-- roles/matrix-awx/tasks/main.yml | 65 +++++++++++++++---- .../tasks/set_variables_synapse.yml | 10 +++ 5 files changed, 79 insertions(+), 26 deletions(-) diff --git a/roles/matrix-awx/surveys/configure_synapse.json.j2 b/roles/matrix-awx/surveys/configure_synapse.json.j2 index 32d54646..8d3b5daf 100755 --- a/roles/matrix-awx/surveys/configure_synapse.json.j2 +++ b/roles/matrix-awx/surveys/configure_synapse.json.j2 @@ -119,7 +119,7 @@ "default": "{{ matrix_synapse_max_upload_size_mb }}", "choices": "", "new_question": true, - "variable": "matrix_synapse_max_upload_size_mb", + "variable": "matrix_synapse_max_upload_size_mb_raw", "type": "text" }, { diff --git a/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml index 6789431a..529a65fc 100644 --- a/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml +++ b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml @@ -1,10 +1,12 @@ -- name: Include vars in organisation.yml - include_vars: - file: '/var/lib/awx/projects/clients/{{ member_id }}/organisation.yml' - no_log: True +- tags: always + block: + - name: Include vars in organisation.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/organisation.yml' + no_log: True -- name: Include vars in hosting_vars.yml - include_vars: - file: '/var/lib/awx/projects/hosting/hosting_vars.yml' - no_log: True + - name: Include vars in hosting_vars.yml + include_vars: + file: '/var/lib/awx/projects/hosting/hosting_vars.yml' + no_log: True diff --git a/roles/matrix-awx/tasks/load_matrix_variables.yml b/roles/matrix-awx/tasks/load_matrix_variables.yml index ff0986d7..ba7de3e9 100755 --- a/roles/matrix-awx/tasks/load_matrix_variables.yml +++ b/roles/matrix-awx/tasks/load_matrix_variables.yml @@ -1,5 +1,7 @@ -- name: Include vars in matrix_vars.yml - include_vars: - file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - no_log: True +- tags: always + block: + - name: Include vars in matrix_vars.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + no_log: True diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index 20ce2d8e..4965ae39 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -1,78 +1,117 @@ # Load initial hosting and organisation variables from AWX volume -- include_tasks: "{{ role_path }}/tasks/load_hosting_and_org_variables.yml" +- include_tasks: + file: "load_hosting_and_org_variables.yml" + apply: + tags: always when: run_setup|bool and matrix_awx_enabled|bool tags: - always # Perform a backup of the server -- include_tasks: "{{ role_path }}/tasks/backup_server.yml" +- include_tasks: + file: "backup_server.yml" + apply: + tags: backup-server when: run_setup|bool and matrix_awx_enabled|bool tags: - backup-server # Create a user account if called -- include_tasks: "{{ role_path }}/tasks/create_user.yml" +- include_tasks: + file: "create_user.yml" + apply: + tags: create-user when: run_setup|bool and matrix_awx_enabled|bool tags: - create-user # Perform extra self-check functions -- include_tasks: "{{ role_path }}/tasks/self_check.yml" +- include_tasks: + file: "self_check.yml" + apply: + tags: self-check when: run_setup|bool and matrix_awx_enabled|bool tags: - self-check # Import configs, media repo from /chroot/backup import -- include_tasks: "{{ role_path }}/tasks/import_awx.yml" +- include_tasks: + file: "import_awx.yml" + apply: + tags: import-awx when: run_setup|bool and matrix_awx_enabled|bool tags: - import-awx # Configure SFTP so user can upload a static website or access the servers export -- include_tasks: "{{ role_path }}/tasks/customise_website_access_export.yml" +- include_tasks: + file: "customise_website_access_export.yml" + apply: + tags: setup-nginx-proxy when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-nginx-proxy # Additional playbook to set the variable file during Element configuration -- include_tasks: "{{ role_path }}/tasks/set_variables_element.yml" +- include_tasks: + file: "set_variables_element.yml" + apply: + tags: setup-client-element when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-client-element # Additional playbook to set the variable file during Synapse configuration -- include_tasks: "{{ role_path }}/tasks/set_variables_synapse.yml" +- include_tasks: + file: "set_variables_synapse.yml" + apply: + tags: setup-synapse when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-synapse # Additional playbook to set the variable file during Jitsi configuration -- include_tasks: "{{ role_path }}/tasks/set_variables_jitsi.yml" +- include_tasks: + file: "set_variables_jitsi.yml" + apply: + tags: setup-jitsi when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-jitsi # Additional playbook to set the variable file during Ma1sd configuration -- include_tasks: "{{ role_path }}/tasks/set_variables_ma1sd.yml" +- include_tasks: + file: "set_variables_ma1sd.yml" + apply: + tags: setup-ma1sd when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-ma1sd # Additional playbook to set the variable file during Corporal configuration -- include_tasks: "{{ role_path }}/tasks/set_variables_corporal.yml" +- include_tasks: + file: "set_variables_corporal.yml" + apply: + tags: setup-corporal when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-corporal # Additional playbook to set the variable file during Synapse Admin configuration -- include_tasks: "{{ role_path }}/tasks/set_variables_synapse_admin.yml" +- include_tasks: + file: "set_variables_synapse_admin.yml" + apply: + tags: setup-synapse-admin when: run_setup|bool and matrix_awx_enabled|bool tags: - setup-synapse-admin # Load newly formed matrix variables from tower volume -- include_tasks: "{{ role_path }}/tasks/load_matrix_variables.yml" +- include_tasks: + file: "load_matrix_variables.yml" + apply: + tags: always when: run_setup|bool and matrix_awx_enabled|bool tags: - always diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index a8cc418b..ef7c70ef 100755 --- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -1,4 +1,14 @@ +- name: Limit max upload size to 100MB part 1 + set_fact: + matrix_synapse_max_upload_size_mb: "100" + when: matrix_synapse_max_upload_size_mb_raw|int >= 100 + +- name: Limit max upload size to 100MB part 2 + set_fact: + matrix_synapse_max_upload_size_mb: "{{ matrix_synapse_max_upload_size_mb_raw }}" + when: matrix_synapse_max_upload_size_mb_raw|int < 100 + - name: Record Synapse variables locally on AWX delegate_to: 127.0.0.1 lineinfile: From af240aef3727496c77ce9106639ee545995c077f Mon Sep 17 00:00:00 2001 From: Michael Date: Sat, 20 Mar 2021 17:35:30 +0800 Subject: [PATCH 2029/2384] remove sections from task list that arent needed --- .../tasks/load_hosting_and_org_variables.yml | 18 ++++++++---------- .../matrix-awx/tasks/load_matrix_variables.yml | 10 ++++------ 2 files changed, 12 insertions(+), 16 deletions(-) diff --git a/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml index 529a65fc..6789431a 100644 --- a/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml +++ b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml @@ -1,12 +1,10 @@ -- tags: always - block: - - name: Include vars in organisation.yml - include_vars: - file: '/var/lib/awx/projects/clients/{{ member_id }}/organisation.yml' - no_log: True +- name: Include vars in organisation.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/organisation.yml' + no_log: True - - name: Include vars in hosting_vars.yml - include_vars: - file: '/var/lib/awx/projects/hosting/hosting_vars.yml' - no_log: True +- name: Include vars in hosting_vars.yml + include_vars: + file: '/var/lib/awx/projects/hosting/hosting_vars.yml' + no_log: True diff --git a/roles/matrix-awx/tasks/load_matrix_variables.yml b/roles/matrix-awx/tasks/load_matrix_variables.yml index ba7de3e9..ff0986d7 100755 --- a/roles/matrix-awx/tasks/load_matrix_variables.yml +++ b/roles/matrix-awx/tasks/load_matrix_variables.yml @@ -1,7 +1,5 @@ -- tags: always - block: - - name: Include vars in matrix_vars.yml - include_vars: - file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - no_log: True +- name: Include vars in matrix_vars.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + no_log: True From 9a0222fa4742054338778037909f8fa5dc35e10f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 20 Mar 2021 13:31:34 +0200 Subject: [PATCH 2030/2384] Add Sygnal support Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/683 --- CHANGELOG.md | 12 + README.md | 2 + docs/configuring-dns.md | 3 + docs/configuring-playbook-sygnal.md | 71 +++++ docs/configuring-playbook.md | 5 + docs/container-images.md | 2 + group_vars/matrix_servers | 35 +++ roles/matrix-base/defaults/main.yml | 3 + roles/matrix-nginx-proxy/defaults/main.yml | 7 + .../tasks/setup_nginx_proxy.yml | 13 + .../nginx/conf.d/matrix-sygnal.conf.j2 | 79 +++++ roles/matrix-sygnal/defaults/main.yml | 95 ++++++ roles/matrix-sygnal/tasks/init.yml | 3 + roles/matrix-sygnal/tasks/main.yml | 21 ++ roles/matrix-sygnal/tasks/setup_install.yml | 73 +++++ roles/matrix-sygnal/tasks/setup_uninstall.yml | 35 +++ roles/matrix-sygnal/tasks/validate_config.yml | 7 + roles/matrix-sygnal/templates/sygnal.yaml.j2 | 288 ++++++++++++++++++ .../systemd/matrix-sygnal.service.j2 | 42 +++ setup.yml | 1 + 20 files changed, 797 insertions(+) create mode 100644 docs/configuring-playbook-sygnal.md create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 create mode 100644 roles/matrix-sygnal/defaults/main.yml create mode 100644 roles/matrix-sygnal/tasks/init.yml create mode 100644 roles/matrix-sygnal/tasks/main.yml create mode 100644 roles/matrix-sygnal/tasks/setup_install.yml create mode 100644 roles/matrix-sygnal/tasks/setup_uninstall.yml create mode 100644 roles/matrix-sygnal/tasks/validate_config.yml create mode 100644 roles/matrix-sygnal/templates/sygnal.yaml.j2 create mode 100644 roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index aeff7b0c..36790dce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ + +# 2021-03-20 + +## Sygnal push gateway support + +The playbook can now install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway for you. + +This is only useful to people who develop/build their own Matrix client applications. + +Additional details are available in our [Setting up Sygnal](docs/configuring-playbook-sygnal.md) docs. + + # 2021-03-16 ## Go-NEB support diff --git a/README.md b/README.md index dde8d924..9a272687 100644 --- a/README.md +++ b/README.md @@ -99,6 +99,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI - see [Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](docs/configuring-playbook-prometheus-grafana.md) for setup documentation +- (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation + Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index a3815953..82bef8a2 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -35,6 +35,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco | CNAME | `jitsi` (*) | - | - | - | `matrix.` | | CNAME | `stats` (*) | - | - | - | `matrix.` | | CNAME | `goneb` (*) | - | - | - | `matrix.` | +| CNAME | `sygnal` (*) | - | - | - | `matrix.` | ## Subdomains setup @@ -51,6 +52,8 @@ The `stats.` subdomain may be necessary, because this playbook coul The `goneb.` subdomain may be necessary, because this playbook could install the [Go-NEB](https://github.com/matrix-org/go-neb) bot. The installation of Go-NEB is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Go-NEB guide](configuring-playbook-bot-go-neb.md). If you do not wish to set up Go-NEB, feel free to skip the `goneb.` DNS record. +The `sygnal.` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.` DNS record. + ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-sygnal.md b/docs/configuring-playbook-sygnal.md new file mode 100644 index 00000000..b8dc11f0 --- /dev/null +++ b/docs/configuring-playbook-sygnal.md @@ -0,0 +1,71 @@ +# Setting up Sygnal (optional) + +The playbook can install and configure the [Sygnal](https://github.com/matrix-org/sygnal) push gateway for you. + +See the project's [documentation](https://github.com/matrix-org/sygnal) to learn what it does and why it might be useful to you. + +**Note**: most people don't need to install their own gateway. As Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) documentation says: + +> It is not feasible to allow end-users to configure their own Sygnal instance, because the Sygnal instance needs the appropriate FCM or APNs secrets that belong to the application. + +This optional playbook component is only useful to people who develop/build their own Matrix client applications themselves. + + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + +```yaml +matrix_sygnal_enabled: true + +# You need at least 1 app defined. +# The configuration below is incomplete. Read more below. +matrix_sygnal_apps: + com.example.myapp.ios: + type: apns + keyfile: /data/my_key.p8 + # .. more configuration .. + com.example.myapp.android: + type: gcm + api_key: your_api_key_for_gcm + # .. more configuration .. + +matrix_aux_file_definitions: + - dest: "{{ matrix_sygnal_data_path }}/my_key.p8" + content: | + some + content + here + mode: '0600' + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" +``` + +For a more complete example of available fields and values they can take, see `roles/matrix-sygnal/templates/sygnal.yaml.j2` (or the [upstream `sygnal.yaml.sample` configuration file](https://github.com/matrix-org/sygnal/blob/master/sygnal.yaml.sample)). + +Configuring [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/) is easier, as it only requires that you provide some config values. + +To configure [APNS](https://developer.apple.com/notifications/) (Apple Push Notification Service), you'd need to provide one or more certificate files. +To do that, the above example configuration: + +- makes use of the `matrix-aux` role (and its `matrix_aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See `roles/matrix-aux/defaults/main.yml` for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `matrix-aux`. + +- references these files in the Sygnal configuration (`matrix_sygnal_apps`) using a path like `/data/..` (the `/matrix/sygnal/data` directory on the host system is mounted into the `/data` directory inside the container) + + +## Installing + +Don't forget to add `sygnal.` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook. + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +To make use of your Sygnal installation, you'd need to build your own Matrix client application, which uses the same API keys (for [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/)) and certificates (for [APNS](https://developer.apple.com/notifications/)) and is also pointed to `https://sygnal.DOMAIN` as the configured push server. + +Refer to Sygnal's [Notes for application developers](https://github.com/matrix-org/sygnal/blob/master/docs/applications.md) document. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index a25f8585..721735d5 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -132,3 +132,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) (optional) - [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) (optional) + + +### Other specialized services + +- [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index 5bccc2d4..ee9cbd3c 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -97,3 +97,5 @@ These services are not part of our default installation, but can be enabled by [ - [prom/node-exporter](https://hub.docker.com/r/prom/node-exporter/) - [Prometheus Node Exporter](https://github.com/prometheus/node_exporter/) is an addon for Prometheus that gathers standard system metrics - [grafana/grafana](https://hub.docker.com/r/grafana/grafana/) - [Grafana](https://github.com/grafana/grafana/) is a graphing tool that works well with the above two images. Our playbook also adds two dashboards for [Synapse](https://github.com/matrix-org/synapse/tree/master/contrib/grafana) and [Node Exporter](https://github.com/rfrail3/grafana-dashboards) + +- [matrixdotorg/sygnal](https://hub.docker.com/r/matrixdotorg/sygnal/) - [Sygnal](https://github.com/matrix-org/sygnal) is a reference Push Gateway for Matrix diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c9cc6ad0..a6c433cb 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1095,6 +1095,7 @@ matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" +matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" @@ -1169,6 +1170,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_server_fqn_grafana] if matrix_grafana_enabled else []) + + ([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else []) + + ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) + matrix_ssl_additional_domains_to_obtain_certificates_for @@ -1341,6 +1344,12 @@ matrix_postgres_additional_databases: | 'username': matrix_etherpad_database_username, 'password': matrix_etherpad_database_password, }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == 'matrix-postgres') else []) + + + ([{ + 'name': matrix_sygnal_database_name, + 'username': matrix_sygnal_database_username, + 'password': matrix_sygnal_database_password, + }] if (matrix_sygnal_enabled and matrix_sygnal_database_engine == 'postgres' and matrix_sygnal_database_hostname == 'matrix-postgres') else []) }} matrix_postgres_import_roles_to_ignore: | @@ -1365,6 +1374,32 @@ matrix_postgres_import_databases_to_ignore: | +###################################################################### +# +# matrix-sygnal +# +###################################################################### + +# Most people don't need their own push-server, because they also need their own app to utilize it from. +matrix_sygnal_enabled: false + +# If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal. +matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}" + +matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:6000' }}" + +# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +matrix_sygnal_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" +matrix_sygnal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sygnal') | to_uuid }}" + +###################################################################### +# +# /matrix-sygnal +# +###################################################################### + + + ###################################################################### # # matrix-redis diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 5f1cf433..d1d3bf27 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -27,6 +27,9 @@ matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}" # This is where you access Grafana. matrix_server_fqn_grafana: "stats.{{ matrix_domain }}" +# This is where you access the Sygnal push gateway. +matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}" + matrix_federation_public_port: 8448 # The architecture that your server runs. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index c1538c75..3770bfb1 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -133,6 +133,10 @@ matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" matrix_nginx_proxy_proxy_grafana_enabled: false matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}" +# Controls whether proxying the sygnal domain should be done. +matrix_nginx_proxy_proxy_sygnal_enabled: false +matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" + # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" @@ -250,6 +254,9 @@ matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf). matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf). +matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf). matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index c7e15c95..7534d28c 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -100,6 +100,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_grafana_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for sygnal domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-sygnal.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_sygnal_enabled|bool + - name: Ensure Matrix nginx-proxy configuration for Matrix domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2" @@ -221,6 +228,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_grafana_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for sygnal domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_sygnal_enabled|bool" + - name: Ensure Matrix nginx-proxy homepage for base domain deleted file: path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 new file mode 100644 index 00000000..e4712657 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -0,0 +1,79 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options DENY; +{% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-sygnal:6000"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:6000; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-sygnal/defaults/main.yml b/roles/matrix-sygnal/defaults/main.yml new file mode 100644 index 00000000..50e0e26e --- /dev/null +++ b/roles/matrix-sygnal/defaults/main.yml @@ -0,0 +1,95 @@ +# Sygnal is a reference Push Gateway for Matrix. +# To make use of it for delivering push notificatins, you'll need to develop/build your own Matrix app. +# Learn more here: https://github.com/matrix-org/sygnal +matrix_sygnal_enabled: false + +matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal" +matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" +matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data" + +matrix_sygnal_version: v0.9.0 +matrix_sygnal_docker_image: "docker.io/matrixdotorg/sygnal:{{ matrix_sygnal_version }}" +matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" + +# List of systemd services that matrix-sygnal.service depends on. +matrix_sygnal_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-sygnal.service wants +matrix_sygnal_systemd_wanted_services_list: [] + +# Controls whether the matrix-sygnal container exposes its HTTP port (tcp/6000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:6000"), or empty string to not expose. +matrix_sygnal_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_sygnal_container_extra_arguments: [] + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_sygnal_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_sygnal_postgres_*` variables +matrix_sygnal_database_engine: 'sqlite' + +matrix_sygnal_sqlite_database_path_local: "{{ matrix_sygnal_data_path }}/sygnal.db" +matrix_sygnal_sqlite_database_path_in_container: "/data/sygnal.db" + +matrix_sygnal_database_username: 'matrix_sygnal' +matrix_sygnal_database_password: 'some-password' +matrix_sygnal_database_hostname: 'matrix-postgres' +matrix_sygnal_database_port: 5432 +matrix_sygnal_database_name: 'matrix_sygnal' + +matrix_sygnal_database_connection_string: 'postgres://{{ matrix_sygnal_database_username }}:{{ matrix_sygnal_database_password }}@{{ matrix_sygnal_database_hostname }}:{{ matrix_sygnal_database_port }}/{{ matrix_sygnal_database_name }}' + +# A map (dictionary) of apps instances that this server works with. +# +# Example configuration: +# +# matrix_sygnal_apps: +# com.example.myapp.ios: +# type: apns +# # .. more configuration .. +# com.example.myapp.android: +# type: gcm +# api_key: your_api_key_for_gcm +# # .. more configuration .. +# +# The APNS configuration needs to reference some certificate files. +# One can put these in the `matrix_sygnal_data_path` directory (`/matrix/sygnal/data`), mounted to `/data` in the container. +# The `matrix_sygnal_apps` paths need to use the in-container path (`/data`). +# To install these files via the playbook, one can use the `matrix-aux` role. +# Examples and more details are available in `docs/configuring-playbook-sygnal.md`. +matrix_sygnal_apps: [] + +matrix_sygnal_metrics_prometheus_enabled: false + +# Default Sygnal configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_sygnal_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_sygnal_configuration_yaml: "{{ lookup('template', 'templates/sygnal.yaml.j2') }}" + +matrix_sygnal_configuration_extension_yaml: | + # Your custom YAML configuration for Sygnal goes here. + # This configuration extends the default starting configuration (`matrix_sygnal_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_sygnal_configuration_yaml`. + # + # Example configuration extension follows: + # metrics: + # opentracing: + # enabled: true + +matrix_sygnal_configuration_extension: "{{ matrix_sygnal_configuration_extension_yaml|from_yaml if matrix_sygnal_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final sygnal configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_sygnal_configuration_yaml`. +matrix_sygnal_configuration: "{{ matrix_sygnal_configuration_yaml|from_yaml|combine(matrix_sygnal_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-sygnal/tasks/init.yml b/roles/matrix-sygnal/tasks/init.yml new file mode 100644 index 00000000..559a3681 --- /dev/null +++ b/roles/matrix-sygnal/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sygnal.service'] }}" + when: matrix_sygnal_enabled|bool diff --git a/roles/matrix-sygnal/tasks/main.yml b/roles/matrix-sygnal/tasks/main.yml new file mode 100644 index 00000000..c00862a4 --- /dev/null +++ b/roles/matrix-sygnal/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool + tags: + - setup-all + - setup-sygnal + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: run_setup|bool and matrix_sygnal_enabled|bool + tags: + - setup-all + - setup-sygnal + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: run_setup|bool and not matrix_sygnal_enabled|bool + tags: + - setup-all + - setup-sygnal diff --git a/roles/matrix-sygnal/tasks/setup_install.yml b/roles/matrix-sygnal/tasks/setup_install.yml new file mode 100644 index 00000000..afac61c4 --- /dev/null +++ b/roles/matrix-sygnal/tasks/setup_install.yml @@ -0,0 +1,73 @@ +--- + +- set_fact: + matrix_sygnal_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_sygnal_sqlite_database_path_local }}" + register: matrix_sygnal_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_sygnal_sqlite_database_path_local }}" + dst: "{{ matrix_sygnal_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_sygnal_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-sygnal.service'] + pgloader_options: ['--with "quote identifiers"'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_sygnal_requires_restart: true + when: "matrix_sygnal_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_sygnal_database_engine == 'postgres'" + +- name: Ensure Sygnal image is pulled + docker_image: + name: "{{ matrix_sygnal_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_sygnal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sygnal_docker_image_force_pull }}" + +- name: Ensure Sygnal paths exists + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_sygnal_base_path }}" + - "{{ matrix_sygnal_config_path }}" + - "{{ matrix_sygnal_data_path }}" + +- name: Ensure Sygnal config installed + copy: + content: "{{ matrix_sygnal_configuration|to_nice_yaml }}" + dest: "{{ matrix_sygnal_config_path }}/sygnal.yaml" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-sygnal.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-sygnal.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-sygnal.service" + mode: 0644 + register: matrix_sygnal_systemd_service_result + +- name: Ensure systemd reloaded after matrix-sygnal.service installation + service: + daemon_reload: yes + when: "matrix_sygnal_systemd_service_result.changed|bool" + +- name: Ensure matrix-sygnal.service restarted, if necessary + service: + name: "matrix-sygnal.service" + state: restarted + when: "matrix_sygnal_requires_restart|bool" diff --git a/roles/matrix-sygnal/tasks/setup_uninstall.yml b/roles/matrix-sygnal/tasks/setup_uninstall.yml new file mode 100644 index 00000000..dc50078c --- /dev/null +++ b/roles/matrix-sygnal/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-sygnal service + stat: + path: "{{ matrix_systemd_path }}/matrix-sygnal.service" + register: matrix_sygnal_service_stat + +- name: Ensure matrix-sygnal is stopped + service: + name: matrix-sygnal + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_sygnal_service_stat.stat.exists|bool" + +- name: Ensure matrix-sygnal.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-sygnal.service" + state: absent + when: "matrix_sygnal_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-sygnal.service removal + service: + daemon_reload: yes + when: "matrix_sygnal_service_stat.stat.exists|bool" + +- name: Ensure Sygnal base directory doesn't exist + file: + path: "{{ matrix_sygnal_base_path }}" + state: absent + +- name: Ensure Sygnal Docker image doesn't exist + docker_image: + name: "{{ matrix_sygnal_docker_image }}" + state: absent diff --git a/roles/matrix-sygnal/tasks/validate_config.yml b/roles/matrix-sygnal/tasks/validate_config.yml new file mode 100644 index 00000000..c503e47b --- /dev/null +++ b/roles/matrix-sygnal/tasks/validate_config.yml @@ -0,0 +1,7 @@ +- name: Fail if no Sygnal apps defined + fail: + msg: >- + Enabling Sygnal requires that you specify at least one app in `matrix_sygnal_apps` + with_items: + - "matrix_sygnal_access_token" + when: "matrix_sygnal_enabled and matrix_sygnal_apps|length == 0" diff --git a/roles/matrix-sygnal/templates/sygnal.yaml.j2 b/roles/matrix-sygnal/templates/sygnal.yaml.j2 new file mode 100644 index 00000000..bb8c521d --- /dev/null +++ b/roles/matrix-sygnal/templates/sygnal.yaml.j2 @@ -0,0 +1,288 @@ +## +# This is a configuration for Sygnal, the reference Push Gateway for Matrix +# See: matrix.org +## + +# The 'database' setting defines the database that sygnal uses to store all of +# its data. +# +# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or +# 'psycopg2' (for PostgreSQL). +# +# 'args' gives options which are passed through to the database engine, +# except for options starting 'cp_', which are used to configure the Twisted +# connection pool. For a reference to valid arguments, see: +# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect +# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS +# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ +# +# +# Example SQLite configuration: +# +#database: +# name: sqlite3 +# args: +# dbfile: /path/to/database.db +# +# +# Example Postgres configuration: +# +#database: +# name: psycopg2 +# args: +# host: localhost +# database: sygnal +# user: sygnal +# password: pass +# cp_min: 1 +# cp_max: 5 +# +{% if matrix_sygnal_database_engine == 'sqlite' %} +database: + name: sqlite3 + args: + dbfile: {{ matrix_sygnal_sqlite_database_path_in_container|to_json }} +{% else %} +database: + name: psycopg2 + args: + host: {{ matrix_sygnal_database_hostname|to_json }} + database: {{ matrix_sygnal_database_name|to_json }} + user: {{ matrix_sygnal_database_username|to_json }} + password: {{ matrix_sygnal_database_password|to_json }} + cp_min: 1 + cp_max: 5 +{% endif %} + +## Logging # +# +log: + # Specify a Python logging 'dictConfig', as described at: + # https://docs.python.org/3.7/library/logging.config.html#logging.config.dictConfig + # + setup: + version: 1 + formatters: + normal: + format: "%(asctime)s [%(process)d] %(levelname)-5s %(name)s %(message)s" + handlers: + # This handler prints to Standard Error + # + stderr: + class: "logging.StreamHandler" + formatter: "normal" + stream: "ext://sys.stderr" + + # This handler prints to Standard Output. + # + stdout: + class: "logging.StreamHandler" + formatter: "normal" + stream: "ext://sys.stdout" + + # This handler demonstrates logging to a text file on the filesystem. + # You can use logrotate(8) to perform log rotation. + # + #file: + # class: "logging.handlers.WatchedFileHandler" + # formatter: "normal" + # filename: "./sygnal.log" + loggers: + # sygnal.access contains the access logging lines. + # Comment out this section if you don't want to give access logging + # any special treatment. + # + sygnal.access: + propagate: false + handlers: ["stdout"] + level: "INFO" + + # sygnal contains log lines from Sygnal itself. + # You can comment out this section to fall back to the root logger. + # + sygnal: + propagate: false + handlers: ["stderr"] + + root: + # Specify the handler(s) to send log messages to. + handlers: ["stderr"] + level: "INFO" + + disable_existing_loggers: false + + + access: + # Specify whether or not to trust the IP address in the `X-Forwarded-For` + # header. In general, you want to enable this if and only if you are using a + # reverse proxy which is configured to emit it. + # + x_forwarded_for: true + +## HTTP Server (Matrix Push Gateway API) # +# +http: + # Specify a list of interface addresses to bind to. + # + # This example listens on the IPv4 loopback device: + #bind_addresses: ['127.0.0.1'] + # This example listens on all IPv4 interfaces: + #bind_addresses: ['0.0.0.0'] + # This example listens on all IPv4 and IPv6 interfaces: + #bind_addresses: ['0.0.0.0', '::'] + bind_addresses: ['::'] + + # Specify the port number to listen on. + # + port: 6000 + +## Proxying for outgoing connections # +# +# Specify the URL of a proxy to use for outgoing traffic +# (e.g. to Apple & Google) if desired. +# Currently only HTTP proxies with CONNECT capability are supported. +# +# If you do not specify a value, the `HTTPS_PROXY` environment variable will +# be used if present. Otherwise, no proxy will be used. +# +# Default is unspecified. +# +#proxy: 'http://user:secret@prox:8080' + +## Metrics # +# +metrics: + ## Prometheus # + # + prometheus: + # Specify whether or not to enable Prometheus. + # + enabled: false + + # Specify an address for the Prometheus HTTP Server to listen on. + # + address: '0.0.0.0' + + # Specify a port for the Prometheus HTTP Server to listen on. + # + port: 8000 + + ## OpenTracing # + # + opentracing: + # Specify whether or not to enable OpenTracing. + # + enabled: false + + # Specify an implementation of OpenTracing to use. Currently only 'jaeger' + # is supported. + # + implementation: jaeger + + # Specify the service name to be reported to the tracer. + # + service_name: sygnal + + # Specify configuration values to pass to jaeger_client. + # + jaeger: + sampler: + type: 'const' + param: 1 +# local_agent: +# reporting_host: '127.0.0.1' +# reporting_port: + logging: true + + ## Sentry # + # + sentry: + # Specify whether or not to enable Sentry. + # + enabled: false + + # Specify your Sentry DSN if you enable Sentry + # + #dsn: "https://@sentry.example.org/" + +## Pushkins/Apps # +# +# Add a section for every push application here. +# Specify the pushkey for the application and also the type. +# For the type, you may specify a fully-qualified Python classname if desired. +# +#apps: + # This is an example APNs push configuration + # + #com.example.myapp.ios: + # type: apns + # + # # Authentication + # # + # # Two methods of authentication to APNs are currently supported. + # # + # # You can authenticate using a key: + # keyfile: my_key.p8 + # key_id: MY_KEY_ID + # team_id: MY_TEAM_ID + # topic: MY_TOPIC + # + # # Or, a certificate can be used instead: + # certfile: com.example.myApp_prod_APNS.pem + # + # # This is the maximum number of in-flight requests *for this pushkin* + # # before additional notifications will be failed. + # # (This is a robustness measure to prevent one pushkin stacking up with + # # queued requests and saturating the inbound connection queue of a load + # # balancer or reverse proxy). + # # Defaults to 512 if unset. + # # + # #inflight_request_limit: 512 + # + # # Specifies whether to use the production or sandbox APNs server. Note that + # # sandbox tokens should only be used with the sandbox server and vice versa. + # # + # # Valid options are: + # # * production + # # * sandbox + # # + # # The default is 'production'. Uncomment to use the sandbox instance. + # #platform: sandbox + + # This is an example GCM/FCM push configuration. + # + #com.example.myapp.android: + # type: gcm + # api_key: your_api_key_for_gcm + # + # # This is the maximum number of connections to GCM servers at any one time + # # the default is 20. + # #max_connections: 20 + # + # # This is the maximum number of in-flight requests *for this pushkin* + # # before additional notifications will be failed. + # # (This is a robustness measure to prevent one pushkin stacking up with + # # queued requests and saturating the inbound connection queue of a load + # # balancer or reverse proxy). + # # Defaults to 512 if unset. + # # + # #inflight_request_limit: 512 + # + # # This allows you to specify additional options to send to Firebase. + # # + # # Of particular interest, admins who wish to support iOS apps using Firebase + # # probably wish to set content_available, and may need to set mutable_content. + # # (content_available allows your iOS app to be woken up by data messages, + # # and mutable_content allows your notification to be modified by a + # # Notification Service app extension). + # # + # # See https://firebase.google.com/docs/cloud-messaging/http-server-ref + # # for the exhaustive list of valid options. + # # + # # Do not specify `data`, `priority`, `to` or `registration_ids` as they may + # # be overwritten or lead to an invalid request. + # # + # #fcm_options: + # # content_available: true + # # mutable_content: true +apps: {{ matrix_sygnal_apps|to_json }} diff --git a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 new file mode 100644 index 00000000..019ab40c --- /dev/null +++ b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Sygnal +{% for service in matrix_sygnal_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_sygnal_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-sygnal \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --env=SYGNAL_CONF=/config/sygnal.yaml \ + --network={{ matrix_docker_network }} \ + {% if matrix_sygnal_container_http_host_bind_port %} + -p {{ matrix_sygnal_container_http_host_bind_port }}:6000 \ + {% endif %} + --mount type=bind,src={{ matrix_sygnal_config_path }},dst=/config \ + --mount type=bind,src={{ matrix_sygnal_data_path }},dst=/data \ + {% for arg in matrix_sygnal_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_sygnal_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-sygnal + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index c87354be..c4a203cc 100755 --- a/setup.yml +++ b/setup.yml @@ -46,6 +46,7 @@ - matrix-dimension - matrix-etherpad - matrix-email2matrix + - matrix-sygnal - matrix-nginx-proxy - matrix-coturn - matrix-aux From b824522b331b7c40628702a405720dad66538e70 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 20 Mar 2021 13:34:22 +0200 Subject: [PATCH 2031/2384] Remove unnecessary with_items statement --- roles/matrix-sygnal/tasks/validate_config.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/matrix-sygnal/tasks/validate_config.yml b/roles/matrix-sygnal/tasks/validate_config.yml index c503e47b..1cf8357e 100644 --- a/roles/matrix-sygnal/tasks/validate_config.yml +++ b/roles/matrix-sygnal/tasks/validate_config.yml @@ -2,6 +2,4 @@ fail: msg: >- Enabling Sygnal requires that you specify at least one app in `matrix_sygnal_apps` - with_items: - - "matrix_sygnal_access_token" when: "matrix_sygnal_enabled and matrix_sygnal_apps|length == 0" From 2737ebc29000568f72fc68986c16a4e404633e09 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 20 Mar 2021 13:38:27 +0200 Subject: [PATCH 2032/2384] Complain if people try to use matrix-sygnal on non-amd64 --- roles/matrix-sygnal/tasks/validate_config.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/matrix-sygnal/tasks/validate_config.yml b/roles/matrix-sygnal/tasks/validate_config.yml index 1cf8357e..efd64104 100644 --- a/roles/matrix-sygnal/tasks/validate_config.yml +++ b/roles/matrix-sygnal/tasks/validate_config.yml @@ -3,3 +3,11 @@ msg: >- Enabling Sygnal requires that you specify at least one app in `matrix_sygnal_apps` when: "matrix_sygnal_enabled and matrix_sygnal_apps|length == 0" + +- name: Fail if running on a non-supported architecture + fail: + msg: >- + Sygnal can only be used on the amd64 architecture for now. + Only amd64 container images are pushed for the `docker.io/matrixdotorg/sygnal` container image. + Either use a different image (by redefining `matrix_sygnal_docker_image`) or consider contributing self-building support to this role. + when: "matrix_sygnal_enabled and matrix_architecture != 'amd64' and matrix_sygnal_docker_image.startswith('docker.io/matrixdotorg/sygnal')" From 54fe59f05cbabe34df8b7bc18e1465c941b26073 Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Mon, 22 Mar 2021 12:37:35 +0100 Subject: [PATCH 2033/2384] Update IRC appservice --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index fbfb6fcd..b8a17972 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_version: release-0.23.0 +matrix_appservice_irc_version: release-0.25.0 matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From 74106f2a80615cd9c1b9e72d8644ea2028abd9a0 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Mon, 22 Mar 2021 14:03:42 +0000 Subject: [PATCH 2034/2384] Updated synapse 1.29.0 -> 1.30.0 --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d9139da1..7ece0fbf 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,7 +15,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.29.0 +matrix_synapse_version: v1.30.0 matrix_synapse_version_arm64: v1.29.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From ffe649a2405a25aabda0fbc03e666c83527b8bdd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 22 Mar 2021 16:41:43 +0200 Subject: [PATCH 2035/2384] Update homeserver.yaml to keep up with Synapse v1.30.0 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/958 --- .../templates/synapse/homeserver.yaml.j2 | 67 +++++++++++++------ 1 file changed, 45 insertions(+), 22 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 63e497d0..075685c4 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -65,8 +65,7 @@ use_presence: {{ matrix_synapse_use_presence|to_json }} # Whether to require authentication to retrieve profile data (avatars, # display names) of other users through the client API. Defaults to # 'false'. Note that profile data is also available via the federation -# API, so this setting is of limited value if federation is enabled on -# the server. +# API, unless allow_profile_lookup_over_federation is set to false. # require_auth_for_profile_requests: {{ matrix_synapse_require_auth_for_profile_requests|to_json }} @@ -1777,10 +1776,14 @@ saml2_config: # offer the user a choice of login mechanisms. # # idp_icon: An optional icon for this identity provider, which is presented -# by identity picker pages. If given, must be an MXC URI of the format -# mxc:///. (An easy way to obtain such an MXC URI -# is to upload an image to an (unencrypted) room and then copy the "url" -# from the source of the event.) +# by clients and Synapse's own IdP picker page. If given, must be an +# MXC URI of the format mxc:///. (An easy way to +# obtain such an MXC URI is to upload an image to an (unencrypted) room +# and then copy the "url" from the source of the event.) +# +# idp_brand: An optional brand for this identity provider, allowing clients +# to style the login flow according to the identity provider in question. +# See the spec for possible options here. # # discover: set to 'false' to disable the use of the OIDC discovery mechanism # to discover endpoints. Defaults to true. @@ -1790,7 +1793,26 @@ saml2_config: # # client_id: Required. oauth2 client id to use. # -# client_secret: Required. oauth2 client secret to use. +# client_secret: oauth2 client secret to use. May be omitted if +# client_secret_jwt_key is given, or if client_auth_method is 'none'. +# +# client_secret_jwt_key: Alternative to client_secret: details of a key used +# to create a JSON Web Token to be used as an OAuth2 client secret. If +# given, must be a dictionary with the following properties: +# +# key: a pem-encoded signing key. Must be a suitable key for the +# algorithm specified. Required unless 'key_file' is given. +# +# key_file: the path to file containing a pem-encoded signing key file. +# Required unless 'key' is given. +# +# jwt_header: a dictionary giving properties to include in the JWT +# header. Must include the key 'alg', giving the algorithm used to +# sign the JWT, such as "ES256", using the JWA identifiers in +# RFC7518. +# +# jwt_payload: an optional dictionary giving properties to include in +# the JWT payload. Normally this should include an 'iss' key. # # client_auth_method: auth method to use when exchanging the token. Valid # values are 'client_secret_basic' (default), 'client_secret_post' and @@ -1910,7 +1932,7 @@ oidc_providers: # #- idp_id: github # idp_name: Github - # idp_brand: org.matrix.github + # idp_brand: github # discover: false # issuer: "https://github.com/" # client_id: "your-client-id" # TO BE FILLED @@ -1922,8 +1944,8 @@ oidc_providers: # user_mapping_provider: # config: # subject_claim: "id" - # localpart_template: "{% raw %}{{ user.login }}{% endraw %}" - # display_name_template: "{% raw %}{{ user.name }}{% endraw %}" + # localpart_template: "{{ user.login }}" + # display_name_template: "{{ user.name }}" # Enable Central Authentication Service (CAS) for registration and login. @@ -2675,19 +2697,20 @@ user_directory: -# Local statistics collection. Used in populating the room directory. -# -# 'bucket_size' controls how large each statistics timeslice is. It can -# be defined in a human readable short form -- e.g. "1d", "1y". -# -# 'retention' controls how long historical statistics will be kept for. -# It can be defined in a human readable short form -- e.g. "1d", "1y". -# +# Settings for local room and user statistics collection. See +# docs/room_and_user_statistics.md. # -#stats: -# enabled: true -# bucket_size: 1d -# retention: 1y +stats: + # Uncomment the following to disable room and user statistics. Note that doing + # so may cause certain features (such as the room directory) not to work + # correctly. + # + #enabled: false + + # The size of each timeslice in the room_stats_historical and + # user_stats_historical tables, as a time period. Defaults to "1d". + # + #bucket_size: 1h # Server Notices room configuration From 6a3433fbad0fec15064b514bab393b67be98e450 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 22 Mar 2021 16:42:07 +0200 Subject: [PATCH 2036/2384] Update Synapse for ARM64 (1.29.0 -> 1.30.0) Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/958 --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 7ece0fbf..b4622478 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -16,7 +16,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. matrix_synapse_version: v1.30.0 -matrix_synapse_version_arm64: v1.29.0 +matrix_synapse_version_arm64: v1.30.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From d09609daa800537c49f530227d9dfb4469629ff3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 22 Mar 2021 17:13:10 +0200 Subject: [PATCH 2037/2384] Fix Jinja2 syntax error Fixes a regression introduced in ffe649a2405a25 --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 075685c4..4be50524 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1944,8 +1944,8 @@ oidc_providers: # user_mapping_provider: # config: # subject_claim: "id" - # localpart_template: "{{ user.login }}" - # display_name_template: "{{ user.name }}" + # localpart_template: "{% raw %}{{ user.login }}{% endraw %}" + # display_name_template: "{% raw %}{{ user.name }}{% endraw %}" # Enable Central Authentication Service (CAS) for registration and login. From 06c74728eb54d864855713cf2fab77cab3f20ffb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Mar 2021 10:28:32 +0200 Subject: [PATCH 2038/2384] Move matrix_nginx_proxy_proxy_synapse_federation_api_enabled definition to the role This variable was previously undefined in the role and was only getting defined via `group_vars/matrix_servers`. We now properly initialize it (and its good default value) in the role itself. --- group_vars/matrix_servers | 1 - roles/matrix-nginx-proxy/defaults/main.yml | 8 ++++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a6c433cb..cbd18faa 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1113,7 +1113,6 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:1 # Settings controlling matrix-synapse-proxy.conf matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}" -matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3770bfb1..ef431b72 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -104,6 +104,10 @@ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain } # Controls whether proxying the Synapse domain should be done. matrix_nginx_proxy_proxy_synapse_enabled: false matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy" +matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" +# The addresses where the Federation API is, when using Synapse. +matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:8048" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:8048" # Controls whether proxying the Element domain should be done. matrix_nginx_proxy_proxy_element_enabled: false @@ -220,10 +224,6 @@ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (mat matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem" -# The addresses where the Federation API is, when using Synapse. -matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:8048" -matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:8048" - # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" From bab8b950ca6f1ced159a35a810cca646d9f5cf6d Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Tue, 23 Mar 2021 22:46:08 -0500 Subject: [PATCH 2039/2384] Add mjolnir --- README.md | 2 + docs/configuring-playbook-bot-mjolnir.md | 70 ++++++++ docs/container-images.md | 2 + group_vars/matrix_servers | 23 +++ roles/matrix-bot-mjolnir/defaults/main.yml | 52 ++++++ roles/matrix-bot-mjolnir/tasks/init.yml | 3 + roles/matrix-bot-mjolnir/tasks/main.yml | 21 +++ .../tasks/setup_install.yml | 50 ++++++ .../tasks/setup_uninstall.yml | 35 ++++ .../tasks/validate_config.yml | 9 + .../templates/production.yaml.j2 | 162 ++++++++++++++++++ .../systemd/matrix-bot-mjolnir.service.j2 | 39 +++++ setup.yml | 1 + 13 files changed, 469 insertions(+) create mode 100644 docs/configuring-playbook-bot-mjolnir.md create mode 100644 roles/matrix-bot-mjolnir/defaults/main.yml create mode 100644 roles/matrix-bot-mjolnir/tasks/init.yml create mode 100644 roles/matrix-bot-mjolnir/tasks/main.yml create mode 100644 roles/matrix-bot-mjolnir/tasks/setup_install.yml create mode 100644 roles/matrix-bot-mjolnir/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bot-mjolnir/tasks/validate_config.yml create mode 100644 roles/matrix-bot-mjolnir/templates/production.yaml.j2 create mode 100644 roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 diff --git a/README.md b/README.md index 9a272687..301e7f05 100644 --- a/README.md +++ b/README.md @@ -93,6 +93,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) [Go-NEB](https://github.com/matrix-org/go-neb) multi functional bot written in Go - see [docs/configuring-playbook-bot-go-neb.md](docs/configuring-playbook-bot-go-neb.md) for setup documentation +- (optional) [Mjolnir](https://github.com/matrix-org/mjolnir), a moderation tool for Matrix - see [docs/configuring-playbook-bot-mjolnir.md](docs/configuring-playbook-bot-mjolnir.md) for setup documentation + - (optional) [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin), a web UI tool for administrating users and rooms on your Matrix server - see [docs/configuring-playbook-synapse-admin.md](docs/configuring-playbook-synapse-admin.md) for setup documentation - (optional) [matrix-registration](https://github.com/ZerataX/matrix-registration), a simple python application to have a token based matrix registration - see [docs/configuring-playbook-matrix-registration.md](docs/configuring-playbook-matrix-registration.md) for setup documentation diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md new file mode 100644 index 00000000..d58e2312 --- /dev/null +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -0,0 +1,70 @@ +# Setting up Mjolnir (optional) + +The playbook can install and configure [Mjolnir](https://github.com/matrix-org/mjolnir) for you. + +Mjolnir is a moderation tool for Matrix. + +See the project's [documentation](https://github.com/matrix-org/mjolnir) to learn what it does and why it might be useful to you. + + +## Registering the bot user + +The playbook does not automatically create users for you. The bot requires at least 1 access token to be able to connect to your homeserver. + +You **need to register the bot user manually** before setting up the bot. + +Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. + +You can use the playbook to [register a new user](registering-users.md): + +``` +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.mjolnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user +``` + + +## Getting an access token + +If you use curl, you can get an access token like this: + +``` +curl -X POST --header 'Content-Type: application/json' -d '{ + "identifier": { "type": "m.id.user", "user": "bot.mjolnir" }, + "password": "PASSWORD_FOR_THE_BOT", + "type": "m.login.password" +}' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login' +``` + +Alternatively, you can use a full-featured client (such as Element) to log in and get the access token from there (note: don't log out from the client as that will invalidate the token), but doing so might lead to decryption problems. That warning comes from [here](https://github.com/matrix-org/go-neb#quick-start). + + +## Make sure account is free from rate limiting + +TODO + +``` +insert into ratelimit_override values ("@bot.mjolnir:DOMAIN", 0, 0); +``` + +## Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + +```yaml +TODO +``` + + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +TODO + +You can also refer to the upstream [documentation](https://github.com/matrix-org/mjolnir). diff --git a/docs/container-images.md b/docs/container-images.md index ee9cbd3c..7cc7c2f6 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -90,6 +90,8 @@ These services are not part of our default installation, but can be enabled by [ - [matrixdotorg/go-neb](https://hub.docker.com/r/matrixdotorg/go-neb) - the [Go-NEB](https://github.com/matrix-org/go-neb) bot (optional) +- [matrixdotorg/mjolnir](https://hub.docker.com/r/matrixdotorg/mjolnir) - the [mjolnir](https://github.com/matrix-org/mjolnir) moderation bot (optional) + - [awesometechnologies/synapse-admin](https://hub.docker.com/r/awesometechnologies/synapse-admin) - the [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin) web UI tool for administrating users and rooms on your Matrix server (optional) - [prom/prometheus](https://hub.docker.com/r/prom/prometheus/) - [Prometheus](https://github.com/prometheus/prometheus/) is a systems and service monitoring system diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a6c433cb..63089030 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -768,6 +768,29 @@ matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_en ###################################################################### +###################################################################### +# +# matrix-bot-mjolnir +# +###################################################################### + +# We don't enable bots by default. +matrix_bot_mjolnir_enabled: false + +matrix_bot_mjolnir_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +###################################################################### +# +# /matrix-bot-mjolnir +# +###################################################################### + + ###################################################################### # # matrix-corporal diff --git a/roles/matrix-bot-mjolnir/defaults/main.yml b/roles/matrix-bot-mjolnir/defaults/main.yml new file mode 100644 index 00000000..e7b54364 --- /dev/null +++ b/roles/matrix-bot-mjolnir/defaults/main.yml @@ -0,0 +1,52 @@ +# A moderation tool for Matrix +# See: https://github.com/matrix-org/mjolnir + +matrix_bot_mjolnir_enabled: true +matrix_bot_mjolnir_version: "v0.1.17" +matrix_bot_mjolnir_docker_image: "docker.io/matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" +matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}" + +matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir" +matrix_bot_mjolnir_config_path: "{{ matrix_bot_mjolnir_base_path }}/config" +matrix_bot_mjolnir_data_path: "{{ matrix_bot_mjolnir_base_path }}/data" + +# A list of extra arguments to pass to the container +matrix_bot_mjolnir_container_extra_arguments: [] + +# List of systemd services that matrix-bot-mjolnir.service depends on +matrix_bot_mjolnir_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-bot-mjolnir.service wants +matrix_bot_mjolnir_systemd_wanted_services_list: [] + +# The access token for the bot user +matrix_bot_mjolnir_access_token: "" + +# The room ID where people can use the bot. The bot has no access controls, so +# anyone in this room can use the bot - secure your room! +# This should be a room alias or room ID - not a matrix.to URL. +# Note: Mjolnir is fairly verbose - expect a lot of messages from it. +matrix_bot_mjolnir_management_room: "" + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_bot_mjolnir_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_bot_mjolnir_configuration_yaml: "{{ lookup('template', 'templates/production.yaml.j2') }}" + +matrix_bot_mjolnir_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_bot_mjolnir_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_bot_mjolnir_configuration_yaml`. + +matrix_bot_mjolnir_configuration_extension: "{{ matrix_bot_mjolnir_configuration_extension_yaml|from_yaml if matrix_bot_mjolnir_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_bot_mjolnir_configuration_yaml`. +matrix_bot_mjolnir_configuration: "{{ matrix_bot_mjolnir_configuration_yaml|from_yaml|combine(matrix_bot_mjolnir_configuration_extension, recursive=True) }}" + diff --git a/roles/matrix-bot-mjolnir/tasks/init.yml b/roles/matrix-bot-mjolnir/tasks/init.yml new file mode 100644 index 00000000..d54684d2 --- /dev/null +++ b/roles/matrix-bot-mjolnir/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-mjolnir.service'] }}" + when: matrix_bot_mjolnir_enabled|bool diff --git a/roles/matrix-bot-mjolnir/tasks/main.yml b/roles/matrix-bot-mjolnir/tasks/main.yml new file mode 100644 index 00000000..eada8de5 --- /dev/null +++ b/roles/matrix-bot-mjolnir/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_bot_mjolnir_enabled|bool" + tags: + - setup-all + - setup-bot-mjolnir + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_bot_mjolnir_enabled|bool" + tags: + - setup-all + - setup-bot-mjolnir + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_bot_mjolnir_enabled|bool" + tags: + - setup-all + - setup-bot-mjolnir diff --git a/roles/matrix-bot-mjolnir/tasks/setup_install.yml b/roles/matrix-bot-mjolnir/tasks/setup_install.yml new file mode 100644 index 00000000..4c18bf6a --- /dev/null +++ b/roles/matrix-bot-mjolnir/tasks/setup_install.yml @@ -0,0 +1,50 @@ +--- + +- set_fact: + matrix_bot_mjolnir_requires_restart: false + +- name: Ensure matrix-bot-mjolnir paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_bot_mjolnir_base_path }}", when: true } + - { path: "{{ matrix_bot_mjolnir_config_path }}", when: true } + - { path: "{{ matrix_bot_mjolnir_data_path }}", when: true } + when: "item.when|bool" + +- name: Ensure mjolnir image is pulled + docker_image: + name: "{{ matrix_bot_mjolnir_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_mjolnir_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_mjolnir_docker_image_force_pull }}" + +- name: Ensure matrix-bot-mjolnir config installed + copy: + content: "{{ matrix_bot_mjolnir_configuration|to_nice_yaml }}" + dest: "{{ matrix_bot_mjolnir_config_path }}/production.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-bot-mjolnir.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-bot-mjolnir.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-bot-mjolnir.service" + mode: 0644 + register: matrix_bot_mjolnir_systemd_service_result + +- name: Ensure systemd reloaded after matrix-bot-mjolnir.service installation + service: + daemon_reload: yes + when: "matrix_bot_mjolnir_systemd_service_result.changed|bool" + +- name: Ensure matrix-bot-mjolnir.service restarted, if necessary + service: + name: "matrix-bot-mjolnir.service" + state: restarted + when: "matrix_bot_mjolnir_requires_restart|bool" diff --git a/roles/matrix-bot-mjolnir/tasks/setup_uninstall.yml b/roles/matrix-bot-mjolnir/tasks/setup_uninstall.yml new file mode 100644 index 00000000..7127543e --- /dev/null +++ b/roles/matrix-bot-mjolnir/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-bot-mjolnir service + stat: + path: "{{ matrix_systemd_path }}/matrix-bot-mjolnir.service" + register: matrix_bot_mjolnir_service_stat + +- name: Ensure matrix-bot-mjolnir is stopped + service: + name: matrix-bot-mjolnir + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_bot_mjolnir_service_stat.stat.exists|bool" + +- name: Ensure matrix-bot-mjolnir.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-bot-mjolnir.service" + state: absent + when: "matrix_bot_mjolnir_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-bot-mjolnir.service removal + service: + daemon_reload: yes + when: "matrix_bot_mjolnir_service_stat.stat.exists|bool" + +- name: Ensure matrix-bot-mjolnir paths don't exist + file: + path: "{{ matrix_bot_mjolnir_base_path }}" + state: absent + +- name: Ensure mjolnir Docker image doesn't exist + docker_image: + name: "{{ matrix_bot_mjolnir_docker_image }}" + state: absent diff --git a/roles/matrix-bot-mjolnir/tasks/validate_config.yml b/roles/matrix-bot-mjolnir/tasks/validate_config.yml new file mode 100644 index 00000000..cb961baf --- /dev/null +++ b/roles/matrix-bot-mjolnir/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required variables are undefined + fail: + msg: "The `{{ item }}` variable must be defined and have a non-null value." + with_items: + - "matrix_bot_mjolnir_access_token" + - "matrix_bot_mjolnir_management_room" + when: "vars[item] == '' or vars[item] is none" diff --git a/roles/matrix-bot-mjolnir/templates/production.yaml.j2 b/roles/matrix-bot-mjolnir/templates/production.yaml.j2 new file mode 100644 index 00000000..e5eb3aea --- /dev/null +++ b/roles/matrix-bot-mjolnir/templates/production.yaml.j2 @@ -0,0 +1,162 @@ +# Where the homeserver is located (client-server URL). This should point at +# pantalaimon if you're using that. +homeserverUrl: "{{ matrix_homeserver_url }}" + +# The access token for the bot to use. Do not populate if using Pantalaimon. +accessToken: "{{ matrix_bot_mjolnir_access_token }}" + +# Pantalaimon options (https://github.com/matrix-org/pantalaimon) +#pantalaimon: +# # If true, accessToken above is ignored and the username/password below will be +# # used instead. The access token of the bot will be stored in the dataPath. +# use: false +# +# # The username to login with. +# username: mjolnir +# +# # The password to login with. Can be removed after the bot has logged in once and +# # stored the access token. +# password: your_password + +# The directory the bot should store various bits of information in +dataPath: "/data" + +# If true (the default), only users in the `managementRoom` can invite the bot +# to new rooms. +autojoinOnlyIfManager: true + +# If `autojoinOnlyIfManager` is false, only the members in this group can invite +# the bot to new rooms. +#acceptInvitesFromGroup: '+example:example.org' + +# If the bot is invited to a room and it won't accept the invite (due to the +# conditions above), report it to the management room. Defaults to disabled (no +# reporting). +recordIgnoredInvites: false + +# The room ID where people can use the bot. The bot has no access controls, so +# anyone in this room can use the bot - secure your room! +# This should be a room alias or room ID - not a matrix.to URL. +# Note: Mjolnir is fairly verbose - expect a lot of messages from it. +managementRoom: "{{ matrix_bot_mjolnir_management_room }}" + +# Set to false to make the management room a bit quieter. +verboseLogging: false + +# The log level for the logs themselves. One of DEBUG, INFO, WARN, and ERROR. +# This should be at INFO or DEBUG in order to get support for Mjolnir problems. +logLevel: "INFO" + +# Set to false to disable synchronizing the ban lists on startup. If true, this +# is the same as running !mjolnir sync immediately after startup. +syncOnStartup: true + +# Set to false to prevent Mjolnir from checking its permissions on startup. This +# is recommended to be left as "true" to catch room permission problems (state +# resets, etc) before Mjolnir is needed. +verifyPermissionsOnStartup: true + +# If true, Mjolnir won't actually ban users or apply server ACLs, but will +# think it has. This is useful to see what it does in a scenario where the +# bot might not be trusted fully, yet. Default false (do bans/ACLs). +noop: false + +# Set to true to use /joined_members instead of /state to figure out who is +# in the room. Using /state is preferred because it means that users are +# banned when they are invited instead of just when they join, though if your +# server struggles with /state requests then set this to true. +fasterMembershipChecks: false + +# A case-insensitive list of ban reasons to automatically redact a user's +# messages for. Typically this is useful to avoid having to type two commands +# to the bot. Use asterisks to represent globs (ie: "spam*testing" would match +# "spam for testing" as well as "spamtesting"). +automaticallyRedactForReasons: + - "spam" + - "advertising" + +# A list of rooms to protect (matrix.to URLs) +#protectedRooms: +# - "https://matrix.to/#/#yourroom:example.org" + +# Set this option to true to protect every room the bot is joined to. Note that +# this effectively makes the protectedRooms and associated commands useless because +# the bot by nature must be joined to the room to protect it. +# +# Note: the management room is *excluded* from this condition. Add it to the +# protected rooms to protect it. +# +# Note: ban list rooms the bot is watching but didn't create will not be protected. +# Manually add these rooms to the protected rooms list if you want them protected. +protectAllJoinedRooms: false + +# Misc options for command handling and commands +commands: + # If true, Mjolnir will respond to commands like !help and !ban instead of + # requiring a prefix. This is useful if Mjolnir is the only bot running in + # your management room. + # + # Note that Mjolnir can be pinged by display name instead of having to use + # the !mjolnir prefix. For example, "my_moderator_bot: ban @spammer:example.org" + # will ban a user. + allowNoPrefix: false + + # In addition to the bot's display name, !mjolnir, and optionally no prefix + # above, the bot will respond to these names. The items here can be used either + # as display names or prefixed with exclamation points. + additionalPrefixes: + - "mjolnir_bot" + + # If true, ban commands that use wildcard characters require confirmation with + # an extra `--force` argument + confirmWildcardBan: true + +# Configuration specific to certain toggleable protections +#protections: +# # Configuration for the wordlist plugin, which can ban users based if they say certain +# # blocked words shortly after joining. +# wordlist: +# # A list of words which should be monitored by the bot. These will match if any part +# # of the word is present in the message in any case. e.g. "hello" also matches +# # "HEllO". Additionally, regular expressions can be used. +# words: +# - "CaSe" +# - "InSeNsAtIve" +# - "WoRd" +# - "LiSt" +# +# # How long after a user joins the server should the bot monitor their messages. After +# # this time, users can say words from the wordlist without being banned automatically. +# # Set to zero to disable (users will always be banned if they say a bad word) +# minutesBeforeTrusting: 20 + +# Options for monitoring the health of the bot +health: + # healthz options. These options are best for use in container environments + # like Kubernetes to detect how healthy the service is. The bot will report + # that it is unhealthy until it is able to process user requests. Typically + # this means that it'll flag itself as unhealthy for a number of minutes + # before saying "Now monitoring rooms" and flagging itself healthy. + # + # Health is flagged through HTTP status codes, defined below. + healthz: + # Whether the healthz integration should be enabled (default false) + enabled: false + + # The port to expose the webserver on. Defaults to 8080. + port: 8080 + + # The address to listen for requests on. Defaults to all addresses. + address: "0.0.0.0" + + # The path to expose the monitoring endpoint at. Defaults to `/healthz` + endpoint: "/healthz" + + # The HTTP status code which reports that the bot is healthy/ready to + # process requests. Typically this should not be changed. Defaults to + # 200. + healthyStatus: 200 + + # The HTTP status code which reports that the bot is not healthy/ready. + # Defaults to 418. + unhealthyStatus: 418 diff --git a/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 b/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 new file mode 100644 index 00000000..c2294daa --- /dev/null +++ b/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 @@ -0,0 +1,39 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mjolnir bot +{% for service in matrix_bot_mjolnir_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_bot_mjolnir_systemd_required_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-mjolnir 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-mjolnir 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-mjolnir \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + --mount type=bind,src={{ matrix_bot_mjolnir_config_path }},dst=/data/config,ro \ + --mount type=bind,src={{ matrix_bot_mjolnir_data_path }},dst=/data \ + {% for arg in matrix_bot_mjolnir_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_bot_mjolnir_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-mjolnir 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-mjolnir 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-bot-mjolnir + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index c4a203cc..683f1955 100755 --- a/setup.yml +++ b/setup.yml @@ -34,6 +34,7 @@ - matrix-bridge-sms - matrix-bot-matrix-reminder-bot - matrix-bot-go-neb + - matrix-bot-mjolnir - matrix-synapse - matrix-synapse-admin - matrix-prometheus-node-exporter From c6fb7acf5fdaf986a9f8e73dce21bce0d0dd476c Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Tue, 23 Mar 2021 23:05:48 -0500 Subject: [PATCH 2040/2384] Make ma1sd's SRV record optional --- docs/configuring-dns.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 82bef8a2..285ded42 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -15,22 +15,22 @@ As we discuss in [Server Delegation](howto-server-delegation.md), there are 2 di This playbook mostly discusses the well-known file method, because it's easier to manage with regard to certificates. If you decide to go with the alternative method ([Server Delegation via a DNS SRV record (advanced)](howto-server-delegation.md#server-delegation-via-a-dns-srv-record-advanced)), please be aware that the general flow that this playbook guides you through may not match what you need to do. -## Required DNS settings for services enabled by default +## DNS settings for services enabled by default | Type | Host | Priority | Weight | Port | Target | | ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- | | A | `matrix` | - | - | - | `matrix-server-IP` | | CNAME | `element` | - | - | - | `matrix.` | -| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | Be mindful as to how long it will take for the DNS records to propagate. If you are using Cloudflare DNS, make sure to disable the proxy and set all records to `DNS only`. Otherwise, fetching certificates will fail. -## Required DNS settings for optional services +## DNS settings for optional services/features | Type | Host | Priority | Weight | Port | Target | | ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- | +| SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | | CNAME | `dimension` (*) | - | - | - | `matrix.` | | CNAME | `jitsi` (*) | - | - | - | `matrix.` | | CNAME | `stats` (*) | - | - | - | `matrix.` | @@ -41,7 +41,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco As the table above illustrates, you need to create 2 subdomains (`matrix.` and `element.`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` record is fine). -The `element.` subdomain is necessary, because this playbook installs the [Element](https://github.com/vector-im/element-web) web client for you. +The `element.` subdomain may be necessary, because this playbook installs the [Element](https://github.com/vector-im/element-web) web client for you. If you'd rather instruct the playbook not to install Element (`matrix_client_element_enabled: false` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `element.` DNS record. The `dimension.` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.` DNS record. @@ -57,9 +57,12 @@ The `sygnal.` subdomain may be necessary, because this playbook cou ## `_matrix-identity._tcp` SRV record setup -To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this: +To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook installs for you) enable its federation features, set up an SRV record that looks like this: - Name: `_matrix-identity._tcp` (use this text as-is) - Content: `10 0 443 matrix.` (replace `` with your own) +This is an optional feature. See [ma1sd's documentation](https://github.com/ma1uta/ma1sd/wiki/mxisd-and-your-privacy#choices-are-never-easy) for information on the privacy implications of setting up this SRV record. + +Note: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation. When you're done with the DNS configuration and ready to proceed, continue with [Configuring this Ansible playbook](configuring-playbook.md). From b89936afba9f922f83dfe771d725518bb1c6b35f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Mar 2021 13:59:46 +0200 Subject: [PATCH 2041/2384] Make bridges depend on matrix-nginx-proxy We don't point them straight to Synapse anymore, but rather to matrix-nginx-proxy, which forwards to Synapse (or something else). --- group_vars/matrix_servers | 44 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index cbd18faa..24fda5d5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -69,6 +69,8 @@ matrix_appservice_discord_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.as.token') | to_uuid }}" @@ -112,6 +114,8 @@ matrix_appservice_webhooks_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} ###################################################################### @@ -148,6 +152,8 @@ matrix_appservice_slack_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} # Postgres is the default, except if not using `matrix_postgres` (internal postgres) @@ -185,6 +191,8 @@ matrix_appservice_irc_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.as.token') | to_uuid }}" @@ -220,6 +228,8 @@ matrix_mautrix_facebook_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_mautrix_facebook_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.as.token') | to_uuid }}" @@ -260,6 +270,8 @@ matrix_mautrix_hangouts_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_mautrix_hangouts_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.as.token') | to_uuid }}" @@ -299,6 +311,8 @@ matrix_mautrix_instagram_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_mautrix_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.as.token') | to_uuid }}" @@ -338,6 +352,8 @@ matrix_mautrix_signal_systemd_required_services_list: | + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + + ['matrix-mautrix-signal-daemon.service'] }} @@ -380,6 +396,8 @@ matrix_mautrix_telegram_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_mautrix_telegram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.as.token') | to_uuid }}" @@ -418,6 +436,8 @@ matrix_mautrix_whatsapp_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_mautrix_whatsapp_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}" @@ -450,6 +470,8 @@ matrix_sms_bridge_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_sms_bridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.as.token') | to_uuid }}" @@ -480,6 +502,8 @@ matrix_mx_puppet_skype_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}" @@ -517,6 +541,8 @@ matrix_mx_puppet_slack_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}" @@ -553,6 +579,8 @@ matrix_mx_puppet_twitter_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_mx_puppet_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}" @@ -592,6 +620,8 @@ matrix_mx_puppet_instagram_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_mx_puppet_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.as.tok') | to_uuid }}" @@ -628,6 +658,8 @@ matrix_mx_puppet_discord_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_mx_puppet_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}" @@ -664,6 +696,8 @@ matrix_mx_puppet_steam_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_mx_puppet_steam_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.as.tok') | to_uuid }}" @@ -700,6 +734,8 @@ matrix_mx_puppet_groupme_systemd_required_services_list: | (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_mx_puppet_groupme_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}" @@ -732,6 +768,10 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | ['docker.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} # Postgres is the default, except if not using `matrix_postgres` (internal postgres) @@ -757,6 +797,10 @@ matrix_bot_go_neb_enabled: false matrix_bot_go_neb_systemd_required_services_list: | {{ ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:4050' }}" From 5a4ea5f866cc8680b58975c933907df12e91cdf1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 24 Mar 2021 14:02:53 +0200 Subject: [PATCH 2042/2384] Make AWX enabling/disabling consistent with other playbook roles That is: - enabled in the role by default - disabled in the compilation (playbook), if considered an optional component --- group_vars/matrix_servers | 3 +++ roles/matrix-awx/defaults/main.yml | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 24fda5d5..b135cfcb 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -35,6 +35,9 @@ matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix # ###################################################################### +# We don't enable AWX support by default. +matrix_awx_enabled: false + matrix_nginx_proxy_data_path: "{{ '/chroot/website' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else (matrix_nginx_proxy_base_path + '/data') }}" matrix_nginx_proxy_data_path_in_container: "{{ '/nginx-data/matrix-domain' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/nginx-data' }}" diff --git a/roles/matrix-awx/defaults/main.yml b/roles/matrix-awx/defaults/main.yml index 9394ecab..fb9f56ae 100755 --- a/roles/matrix-awx/defaults/main.yml +++ b/roles/matrix-awx/defaults/main.yml @@ -1,2 +1 @@ - -matrix_awx_enabled: false +matrix_awx_enabled: true From 97d8527e00312fd90f3d744305e4edaebd145a64 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Wed, 24 Mar 2021 09:42:08 -0500 Subject: [PATCH 2043/2384] Update nginx (1.19.6 -> 1.19.8) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index ef431b72..004a1ec1 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.19.6-alpine +matrix_nginx_proxy_version: 1.19.8-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but From 5b7dbe82750d53e653fba072f6d258d367fb2dcc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Mar 2021 08:51:15 +0200 Subject: [PATCH 2044/2384] Make matrix-synapse wanted by matrix-nginx-proxy only if enabled --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b135cfcb..d5b7e9c0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1191,7 +1191,7 @@ matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers matrix_nginx_proxy_systemd_wanted_services_list: | {{ - (['matrix-synapse.service']) + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + From efbeb428577d7dc69573b41169bdd20811e876ad Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Mar 2021 09:02:32 +0200 Subject: [PATCH 2045/2384] Fix YAML indentation in docs --- docs/configuring-playbook-sygnal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-sygnal.md b/docs/configuring-playbook-sygnal.md index b8dc11f0..3eb626eb 100644 --- a/docs/configuring-playbook-sygnal.md +++ b/docs/configuring-playbook-sygnal.md @@ -23,7 +23,7 @@ matrix_sygnal_enabled: true matrix_sygnal_apps: com.example.myapp.ios: type: apns - keyfile: /data/my_key.p8 + keyfile: /data/my_key.p8 # .. more configuration .. com.example.myapp.android: type: gcm From 59ac8a59210814ecd2834b4603ae61cfc91ff413 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Mar 2021 11:56:34 +0200 Subject: [PATCH 2046/2384] Make Dimension require matrix-nginx-proxy, if enabled Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/966 --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d5b7e9c0..81ddc219 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -911,6 +911,8 @@ matrix_dimension_systemd_required_services_list: | ['docker.service'] + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} # Postgres is the default, except if not using `matrix_postgres` (internal postgres) From dbae18fd6aafc2781c8b58d25b11174832d23846 Mon Sep 17 00:00:00 2001 From: transcaffeine Date: Thu, 25 Mar 2021 18:49:43 +0100 Subject: [PATCH 2047/2384] feat: push ephemeral events to appservices This adds https://github.com/matrix-org/matrix-doc/pull/2409 to the appservice registrations, enabling synapse to push EDUs to appservices. --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 1 + roles/matrix-bridge-mautrix-hangouts/defaults/main.yml | 1 + roles/matrix-bridge-mautrix-instagram/defaults/main.yml | 1 + .../matrix-bridge-mautrix-signal/templates/registration.yaml.j2 | 1 + roles/matrix-bridge-mautrix-telegram/defaults/main.yml | 1 + roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 1 + roles/matrix-bridge-mx-puppet-discord/defaults/main.yml | 1 + roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml | 1 + roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml | 1 + roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 1 + roles/matrix-bridge-mx-puppet-slack/defaults/main.yml | 1 + roles/matrix-bridge-mx-puppet-steam/defaults/main.yml | 1 + roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml | 1 + 13 files changed, 13 insertions(+) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 7c6b58ca..71a225f7 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -110,5 +110,6 @@ matrix_mautrix_facebook_registration_yaml: | # See https://github.com/tulir/mautrix-signal/issues/43 sender_localpart: _bot_{{ matrix_mautrix_facebook_appservice_bot_username }} rate_limited: false + de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml index a029b9e8..48b66b8d 100644 --- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml @@ -110,5 +110,6 @@ matrix_mautrix_hangouts_registration_yaml: | # See https://github.com/tulir/mautrix-signal/issues/43 sender_localpart: _bot_{{ matrix_mautrix_hangouts_appservice_bot_username }} rate_limited: false + de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_hangouts_registration: "{{ matrix_mautrix_hangouts_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml index 936df4c5..5204386d 100644 --- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml @@ -100,5 +100,6 @@ matrix_mautrix_instagram_registration_yaml: | # See https://github.com/tulir/mautrix-signal/issues/43 sender_localpart: _bot_{{ matrix_mautrix_instagram_appservice_bot_username }} rate_limited: false + de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_instagram_registration: "{{ matrix_mautrix_instagram_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 index 6891c2b5..54df82da 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2 @@ -15,3 +15,4 @@ url: {{ matrix_mautrix_signal_appservice_address }} # See https://github.com/tulir/mautrix-signal/issues/43 sender_localpart: _bot_{{ matrix_mautrix_signal_appservice_bot_username }} rate_limited: false +de.sorunome.msc2409.push_ephemeral: true diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 2d5b5264..e4c7696a 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -121,5 +121,6 @@ matrix_mautrix_telegram_registration_yaml: | sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }} url: {{ matrix_mautrix_telegram_appservice_address }} rate_limited: false + de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index b3aee68a..f8ae7d87 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -105,5 +105,6 @@ matrix_mautrix_whatsapp_registration_yaml: | exclusive: true - exclusive: true regex: '^@{{ matrix_mautrix_whatsapp_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_whatsapp_homeserver_domain|regex_escape }}$' + de.sorunome.msc2409.push_ephemeral: true matrix_mautrix_whatsapp_registration: "{{ matrix_mautrix_whatsapp_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 252fb9e1..34a8ee36 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -108,5 +108,6 @@ matrix_mx_puppet_discord_registration_yaml: | rate_limited: false sender_localpart: _discordpuppet_bot url: {{ matrix_mx_puppet_discord_appservice_address }} + de.sorunome.msc2409.push_ephemeral: true matrix_mx_puppet_discord_registration: "{{ matrix_mx_puppet_discord_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml index 53676e83..cfc2aa0d 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -107,5 +107,6 @@ matrix_mx_puppet_groupme_registration_yaml: | rate_limited: false sender_localpart: _groupmepuppet_bot url: {{ matrix_mx_puppet_groupme_appservice_address }} + de.sorunome.msc2409.push_ephemeral: true matrix_mx_puppet_groupme_registration: "{{ matrix_mx_puppet_groupme_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml index b14ed0f8..24377fb3 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -98,5 +98,6 @@ matrix_mx_puppet_instagram_registration_yaml: | rate_limited: false sender_localpart: _instagrampuppet_bot url: {{ matrix_mx_puppet_instagram_appservice_address }} + de.sorunome.msc2409.push_ephemeral: true matrix_mx_puppet_instagram_registration: "{{ matrix_mx_puppet_instagram_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index c68c4160..0f603df0 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -106,5 +106,6 @@ matrix_mx_puppet_skype_registration_yaml: | rate_limited: false sender_localpart: _skypepuppet_bot url: {{ matrix_mx_puppet_skype_appservice_address }} + de.sorunome.msc2409.push_ephemeral: true matrix_mx_puppet_skype_registration: "{{ matrix_mx_puppet_skype_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index c5b046f4..32df7236 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -110,5 +110,6 @@ matrix_mx_puppet_slack_registration_yaml: | rate_limited: false sender_localpart: _slackpuppet_bot url: {{ matrix_mx_puppet_slack_appservice_address }} + de.sorunome.msc2409.push_ephemeral: true matrix_mx_puppet_slack_registration: "{{ matrix_mx_puppet_slack_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index aee4da2c..7123e040 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -107,5 +107,6 @@ matrix_mx_puppet_steam_registration_yaml: | rate_limited: false sender_localpart: _steampuppet_bot url: {{ matrix_mx_puppet_steam_appservice_address }} + de.sorunome.msc2409.push_ephemeral: true matrix_mx_puppet_steam_registration: "{{ matrix_mx_puppet_steam_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index a8b811d8..c10f521d 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -117,5 +117,6 @@ matrix_mx_puppet_twitter_registration_yaml: | rate_limited: false sender_localpart: "{{ matrix_mx_puppet_twitter_bot_localpart }}" url: {{ matrix_mx_puppet_twitter_appservice_address }} + de.sorunome.msc2409.push_ephemeral: true matrix_mx_puppet_twitter_registration: "{{ matrix_mx_puppet_twitter_registration_yaml|from_yaml }}" From 94487dc6a725ac7b51f9d2f1c905c716229a150c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 Mar 2021 15:37:11 +0200 Subject: [PATCH 2048/2384] Upgrade Synapse for amd64 (1.30.0 -> 1.30.1) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index b4622478..32463639 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,7 +15,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.30.0 +matrix_synapse_version: v1.30.1 matrix_synapse_version_arm64: v1.30.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 49868db3dec30e2aabf20b84c6cca9cdd85be462 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 26 Mar 2021 16:48:15 +0200 Subject: [PATCH 2049/2384] Upgrade Synapse for ARM64 (1.30.0 -> 1.30.1) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 32463639..daa335b6 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -16,7 +16,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. matrix_synapse_version: v1.30.1 -matrix_synapse_version_arm64: v1.30.0 +matrix_synapse_version_arm64: v1.30.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 77d598b31506a2137569dc9dced9a335cca013e5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 28 Mar 2021 12:10:22 +0300 Subject: [PATCH 2050/2384] Fix Go-NEB variable definitions using the wrong type Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/969 --- roles/matrix-bot-go-neb/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bot-go-neb/defaults/main.yml b/roles/matrix-bot-go-neb/defaults/main.yml index 758f9f01..4dd4f1f6 100644 --- a/roles/matrix-bot-go-neb/defaults/main.yml +++ b/roles/matrix-bot-go-neb/defaults/main.yml @@ -45,7 +45,7 @@ matrix_bot_go_neb_storage_database: "{{ # Generate one as described in # https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-dimension.md#access-token # via curl. With the element method, you might run into decryption problems (see https://github.com/matrix-org/go-neb#quick-start) -matrix_bot_go_neb_clients: {} +matrix_bot_go_neb_clients: [] # - UserID: "@goneb:{{ matrix_domain }}" # AccessToken: "MDASDASJDIASDJASDAFGFRGER" # DeviceID: "DEVICE1" @@ -68,7 +68,7 @@ matrix_bot_go_neb_clients: {} # Delete or modify this list as appropriate. # See the docs for /configureAuthRealm for the full list of options: # https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest -matrix_bot_go_neb_realms: {} +matrix_bot_go_neb_realms: [] # - ID: "github_realm" # Type: "github" # Config: {} # No need for client ID or Secret as Go-NEB isn't generating OAuth URLs @@ -78,7 +78,7 @@ matrix_bot_go_neb_realms: {} # The full list of options are shown below: there is no single HTTP endpoint # which maps to this section. # https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session -matrix_bot_go_neb_sessions: {} +matrix_bot_go_neb_sessions: [] # - SessionID: "your_github_session" # RealmID: "github_realm" # UserID: "@YOUR_USER_ID:{{ matrix_domain }}" # This needs to be the username of the person that's allowed to use the !github commands @@ -91,7 +91,7 @@ matrix_bot_go_neb_sessions: {} # Delete or modify this list as appropriate. # See the docs for /configureService for the full list of options: # https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest -matrix_bot_go_neb_services: {} +matrix_bot_go_neb_services: [] # - ID: "echo_service" # Type: "echo" # UserID: "@goneb:{{ matrix_domain }}" From 179b416ed5d1139d3e14464e46ee1d5e90ae645f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 29 Mar 2021 09:24:35 +0300 Subject: [PATCH 2051/2384] Fix variable name typo Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/970 --- roles/matrix-jitsi/defaults/main.yml | 2 +- roles/matrix-jitsi/tasks/validate_config.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 16206840..6d14a823 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -100,7 +100,7 @@ matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet" matrix_jitsi_web_interface_config_provider_name: "Jitsi" matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false -matrix_jisti_web_interface_config_show_deep_linking_image: false +matrix_jitsi_web_interface_config_show_deep_linking_image: false # Custom configuration to be injected into `interface_config.js`, passed to Jitsi Web. # This configuration gets appended to the final interface configuration that Jitsi Web uses. diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index bd939d3a..cc8a4b22 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -40,3 +40,4 @@ - {'old': 'matrix_jitsi_web_config_start_with_video_muted', 'new': ''} - {'old': 'matrix_jitsi_web_interface_config_show_watermark_for_guests', 'new': ''} - {'old': 'matrix_jitsi_web_interface_config_invitation_powered_by', 'new': ''} + - {'old': 'matrix_jisti_web_interface_config_show_deep_linking_image', 'new': 'matrix_jitsi_web_interface_config_show_deep_linking_image'} From 9409588513df3f071390513835fce2ddbac12bdf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 29 Mar 2021 10:59:57 +0300 Subject: [PATCH 2052/2384] Fix variable name typo (take 2) Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/970 --- roles/matrix-jitsi/templates/web/interface_config.js.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/templates/web/interface_config.js.j2 b/roles/matrix-jitsi/templates/web/interface_config.js.j2 index a12ca973..08ac02fe 100644 --- a/roles/matrix-jitsi/templates/web/interface_config.js.j2 +++ b/roles/matrix-jitsi/templates/web/interface_config.js.j2 @@ -177,7 +177,7 @@ var interfaceConfig = { */ SHOW_CHROME_EXTENSION_BANNER: false, - SHOW_DEEP_LINKING_IMAGE: {{ matrix_jisti_web_interface_config_show_deep_linking_image|to_json }}, + SHOW_DEEP_LINKING_IMAGE: {{ matrix_jitsi_web_interface_config_show_deep_linking_image|to_json }}, SHOW_JITSI_WATERMARK: {{ matrix_jitsi_web_interface_config_show_jitsi_watermark|to_json }}, SHOW_POWERED_BY: {{ matrix_jitsi_web_interface_config_show_powered_by|to_json }}, SHOW_PROMOTIONAL_CLOSE_PAGE: false, From 59699e0d988d717c00f40027d6e3cf3a08b604c0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 29 Mar 2021 12:35:02 +0300 Subject: [PATCH 2053/2384] Try to make Dimension wait for Synapse Some people have reported Dimension failing to contact matrix-nginx-proxy/Synapse on startup. This attempts to delay Dimension startup some more. --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 81ddc219..c5011c86 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -912,6 +912,8 @@ matrix_dimension_systemd_required_services_list: | + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} From 5e1cf7f8b95d1fe1df60c24b084d36eaacfa3f6a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 29 Mar 2021 17:58:02 +0300 Subject: [PATCH 2054/2384] Upgrade Element (1.7.23 -> 1.7.24) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 1b45306e..337c48d1 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.23 +matrix_client_element_version: v1.7.24 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 93960b70bec2582bf972cdc90b4af2c5317c1a01 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 30 Mar 2021 11:24:04 +0300 Subject: [PATCH 2055/2384] Do not fail if `_matrix-identity` DNS SRV record missing Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/963 This also simplifies Prerequisites, which is great. It'd be nice if we were doing these checks in some optional manner and reporting them as helpful messages (using `matrix_playbook_runtime_results`), but that's more complicated. I'd rather drop these checks completely. --- docs/prerequisites.md | 2 - roles/matrix-base/tasks/main.yml | 7 -- roles/matrix-base/tasks/self_check_dns.yml | 23 ------- .../matrix-base/tasks/self_check_dns_srv.yml | 68 ------------------- 4 files changed, 100 deletions(-) delete mode 100644 roles/matrix-base/tasks/self_check_dns.yml delete mode 100644 roles/matrix-base/tasks/self_check_dns_srv.yml diff --git a/docs/prerequisites.md b/docs/prerequisites.md index e678a0bd..8b7e9d00 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -20,8 +20,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible. -- Either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature. - - An HTTPS-capable web server at the base domain name (``) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md). - Properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)). diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index a1bb6754..4af3564c 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -32,10 +32,3 @@ - setup-ma1sd - setup-synapse - setup-nginx-proxy - -- import_tasks: "{{ role_path }}/tasks/self_check_dns.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check|bool - tags: - - self-check diff --git a/roles/matrix-base/tasks/self_check_dns.yml b/roles/matrix-base/tasks/self_check_dns.yml deleted file mode 100644 index 57c07b2b..00000000 --- a/roles/matrix-base/tasks/self_check_dns.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- - -- set_fact: - dns_srv_record_checks: [] - -- block: - - set_fact: - dns_srv_record_check_ma1sd: - service_and_protocol: "_matrix-identity._tcp" - domain: "{{ (matrix_domain + '.') }}" - expected_target: "{{ (matrix_server_fqn_matrix + '.') }}" - expected_port: 443 - - - name: Determine domains that we require certificates for (ma1sd) - set_fact: - dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_ma1sd] }}" - when: matrix_ma1sd_enabled|bool - -- name: Perform DNS SRV checks - include_tasks: "{{ role_path }}/tasks/self_check_dns_srv.yml" - with_items: "{{ dns_srv_record_checks }}" - loop_control: - loop_var: dns_srv_record_check diff --git a/roles/matrix-base/tasks/self_check_dns_srv.yml b/roles/matrix-base/tasks/self_check_dns_srv.yml deleted file mode 100644 index 559d9dba..00000000 --- a/roles/matrix-base/tasks/self_check_dns_srv.yml +++ /dev/null @@ -1,68 +0,0 @@ ---- - -# This requires the dnspython library which is usually unavailable. -- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} using Ansible dig lookup - set_fact: - lookup_dig_srv: "{{ lookup('dig', (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain + '/SRV'), 'flat=0', wantlist=False) }}" - register: result_lookup_dig_srv - ignore_errors: true - -- name: Fail if DNS SRV check via Ansible dig lookup failed for non-dependency reason - fail: - msg: "DNS SRV record check via Ansible dig lookup plugin (which uses the dnspython package) failed. Error is: {{ result_lookup_dig_srv.msg }}" - when: "result_lookup_dig_srv.failed and 'dnspython' not in result_lookup_dig_srv.msg" - -# Fallback to using the dig CLI tool if dnspython was unavailable. -- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} using dig CLI tool - shell: - cmd: "dig -t srv {{ (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain)|quote }}" - register: result_cli_dig_srv - changed_when: false - ignore_errors: true - when: "lookup_dig_srv is not defined" - -- name: Fail if dig CLI used and failed - fail: - msg: >- - Failed performing DNS SRV record check. - You neither have the `dnspython` Python package, nor the `dig` program installed locally. - You need to install one of those, so we could perform a DNS SRV record check. - Full error from trying to run `dig`: {{ result_cli_dig_srv }} - when: "lookup_dig_srv is not defined and result_cli_dig_srv.stderr != ''" - -# Some DNS servers may respond with '' (stands for "No Answer"). -# Most usually, a missing record would yield a 'NXDOMAIN' response. -# In any case, we consider any non-mapping response to mean "missing record". -- name: Fail if DNS SRV record missing (Ansible dig lookup) - fail: - msg: >- - It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly (the record is missing). - See the 'Configuring DNS' documentation for this playbook. - when: "lookup_dig_srv is defined and lookup_dig_srv is not mapping" - -- name: Fail if DNS SRV record incorrect (Ansible dig lookup) - fail: - msg: >- - It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly. - Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}). - Found it pointing to `{{ lookup_dig_srv.target }}` (port {{ lookup_dig_srv.port }}). - See the 'Configuring DNS' documentation for this playbook. - when: "lookup_dig_srv is defined and (lookup_dig_srv.target != dns_srv_record_check.expected_target or lookup_dig_srv.port != dns_srv_record_check.expected_port)" - -# We expect an answer like this: -# ;; ANSWER SECTION: -# _matrix._tcp.DOMAIN. 10800 IN SRV 10 0 8448 matrix.DOMAIN. -- name: Fail if DNS SRV record missing or incorrect (dig CLI tool) - fail: - msg: >- - It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly. - Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}). - See the 'Configuring DNS' documentation for this playbook. - Full response from the `dig` lookup was: {{ result_cli_dig_srv }} - when: "lookup_dig_srv is not defined and (dns_srv_record_check.expected_port|string + ' ' + dns_srv_record_check.expected_target) not in result_cli_dig_srv.stdout" - -- name: Report correct DNS SRV record - debug: - msg: >- - The DNS SRV record for `{{ dns_srv_record_check.service_and_protocol }}` on `{{ dns_srv_record_check.domain }}` - points to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}), as expected. From 3a772f2f657ccd921e644798638810f6d8e3108f Mon Sep 17 00:00:00 2001 From: Christoph Johannes Kleine Date: Tue, 30 Mar 2021 14:11:20 +0200 Subject: [PATCH 2056/2384] matrix-nginx-proxy: add custom nginx options to nginx.conf.j2 --- roles/matrix-nginx-proxy/defaults/main.yml | 9 +++++++++ roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 | 7 ++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 004a1ec1..6cb507af 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -227,9 +227,18 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_s # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" +# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf). +# for big matrixservers to enlarge the number of open files to prevent timeouts +# matrix_nginx_proxy_proxy_additional_server_configuration_blocks: +# - 'worker_rlimit_nofile 30000;' +matrix_nginx_proxy_proxy_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf). matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf). +matrix_nginx_proxy_proxy_event_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf). matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index c35f9b24..e905e30a 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -11,10 +11,15 @@ worker_processes {{ matrix_nginx_proxy_worker_processes }}; error_log /var/log/nginx/error.log warn; pid /tmp/nginx.pid; - +{% for configuration_block in matrix_nginx_proxy_proxy_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} events { worker_connections {{ matrix_nginx_proxy_worker_connections }}; +{% for configuration_block in matrix_nginx_proxy_proxy_event_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} } From 8ba1105010b44c569956aa7bd99f8d7d6700cd76 Mon Sep 17 00:00:00 2001 From: Christoph Johannes Kleine Date: Tue, 30 Mar 2021 15:59:10 +0200 Subject: [PATCH 2057/2384] rename variable --- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 6cb507af..770468d0 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -229,9 +229,9 @@ matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_f # A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf). # for big matrixservers to enlarge the number of open files to prevent timeouts -# matrix_nginx_proxy_proxy_additional_server_configuration_blocks: +# matrix_nginx_proxy_proxy_additional_configuration_blocks: # - 'worker_rlimit_nofile 30000;' -matrix_nginx_proxy_proxy_additional_server_configuration_blocks: [] +matrix_nginx_proxy_proxy_additional_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf). matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] From fcd66b2889865ba384fd07bf674102e952a3900b Mon Sep 17 00:00:00 2001 From: Christoph Johannes Kleine Date: Tue, 30 Mar 2021 16:41:32 +0200 Subject: [PATCH 2058/2384] rename variables --- roles/matrix-nginx-proxy/defaults/main.yml | 6 +++--- roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 770468d0..440f7a32 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -233,12 +233,12 @@ matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_f # - 'worker_rlimit_nofile 30000;' matrix_nginx_proxy_proxy_additional_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf). +matrix_nginx_proxy_proxy_event_additional_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf). matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] -# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf). -matrix_nginx_proxy_proxy_event_additional_server_configuration_blocks: [] - # A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf). matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index e905e30a..dae83ab9 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -11,13 +11,13 @@ worker_processes {{ matrix_nginx_proxy_worker_processes }}; error_log /var/log/nginx/error.log warn; pid /tmp/nginx.pid; -{% for configuration_block in matrix_nginx_proxy_proxy_additional_server_configuration_blocks %} +{% for configuration_block in matrix_nginx_proxy_proxy_additional_configuration_blocks %} {{- configuration_block }} {% endfor %} events { worker_connections {{ matrix_nginx_proxy_worker_connections }}; -{% for configuration_block in matrix_nginx_proxy_proxy_event_additional_server_configuration_blocks %} +{% for configuration_block in matrix_nginx_proxy_proxy_event_additional_configuration_blocks %} {{- configuration_block }} {% endfor %} } From 0b5e9036939b1d3a386c377d170c54bd19147699 Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Wed, 31 Mar 2021 02:51:23 +0200 Subject: [PATCH 2059/2384] Updates to mautrix-signal config See these last commits: tulir/mautrix-signal@4fc34330c1f6947aece67863b0d04da34c776f80 tulir/mautrix-signal@64bc5c36a509ba435a0b01cf44afb1b5d2642efd tulir/mautrix-signal@ddda1666d41d28750cc59d070e4388b24add6ad9 --- .../templates/config.yaml.j2 | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index dc2cff36..ca5060a7 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -28,6 +28,11 @@ appservice: # The full URI to the database. Only Postgres is currently supported. database: {{ matrix_mautrix_signal_database_connection_string }} + # Additional arguments for asyncpg.create_pool() + # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool + database_opts: + min_size: 5 + max_size: 10 # Provisioning API part of the web server for automated portal creation and fetching information. # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). @@ -88,9 +93,11 @@ bridge: # available variable in displayname_preference. The variables in displayname_preference # can also be used here directly. displayname_template: "{displayname} (Signal)" - # Whether or not contact list displaynames should be used. - # Using this isn't recommended on multi-user instances. - allow_contact_list_name_updates: false + # Possible values: disallow, allow, prefer + # + # Multi-user instances are recommended to disallow contact list names, as otherwise there can + # be conflicts between names from different users' contact lists. + contact_list_names: disallow # Available variables: full_name, first_name, last_name, phone, uuid displayname_preference: - full_name @@ -123,11 +130,8 @@ bridge: # Whether or not created rooms should have federation enabled. # If false, created portal rooms will never be federated. federate_rooms: true - # End-to-bridge encryption support options. These require matrix-nio to be installed with pip - # and login_shared_secret to be configured in order to get a device for the bridge bot. - # - # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal - # application service. + # End-to-bridge encryption support options. You must install the e2be optional dependency for + # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption encryption: # Allow encryption, work in group chat rooms with e2ee enabled allow: false From 1ecee625d51797d265729f251a95febb8ec8ebc1 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Apr 2021 17:07:24 -0500 Subject: [PATCH 2060/2384] Depend on more services, add a delay --- group_vars/matrix_servers | 4 ++++ .../templates/systemd/matrix-bot-mjolnir.service.j2 | 3 +++ 2 files changed, 7 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 63089030..6b1d413e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -782,6 +782,10 @@ matrix_bot_mjolnir_systemd_required_services_list: | ['docker.service'] + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} ###################################################################### diff --git a/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 b/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 index c2294daa..0b018f25 100644 --- a/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 +++ b/roles/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2 @@ -16,6 +16,9 @@ Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-mjolnir 2>/dev/null' ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-mjolnir 2>/dev/null' +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-mjolnir \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ From b5fb98dd284a8559da874b063a2130f18fd9f9c7 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Apr 2021 17:55:46 -0500 Subject: [PATCH 2061/2384] Write some docs --- docs/configuring-playbook-bot-mjolnir.md | 78 ++++++++++++++++++------ docs/configuring-playbook.md | 2 + 2 files changed, 63 insertions(+), 17 deletions(-) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index d58e2312..ee12249a 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -1,15 +1,15 @@ # Setting up Mjolnir (optional) -The playbook can install and configure [Mjolnir](https://github.com/matrix-org/mjolnir) for you. - -Mjolnir is a moderation tool for Matrix. +The playbook can install and configure the [Mjolnir](https://github.com/matrix-org/mjolnir) moderation bot for you. See the project's [documentation](https://github.com/matrix-org/mjolnir) to learn what it does and why it might be useful to you. +Note: the playbook does not currently support the Mjolnir Synapse module. The playbook does support another antispam module, see [Setting up Synapse Simple Antispam](docs/configuring-playbook-synapse-simple-antispam.md). + -## Registering the bot user +## 1. Registering the bot user -The playbook does not automatically create users for you. The bot requires at least 1 access token to be able to connect to your homeserver. +The playbook does not automatically create users for you. The bot requires an access token to be able to connect to your homeserver. You **need to register the bot user manually** before setting up the bot. @@ -21,8 +21,7 @@ You can use the playbook to [register a new user](registering-users.md): ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.mjolnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user ``` - -## Getting an access token +## 2. Get an access token If you use curl, you can get an access token like this: @@ -34,29 +33,60 @@ curl -X POST --header 'Content-Type: application/json' -d '{ }' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login' ``` -Alternatively, you can use a full-featured client (such as Element) to log in and get the access token from there (note: don't log out from the client as that will invalidate the token), but doing so might lead to decryption problems. That warning comes from [here](https://github.com/matrix-org/go-neb#quick-start). +Alternatively, you can use a full-featured client (such as Element) to log in and get the access token from there (note: don't log out from the client as that will invalidate the token). + + +## 3. Make sure the account is free from rate limiting + +You will need to prevent Synapse from rate limiting the bot's account is not rate limited by Synapse. This is not an optional step. If you do not do this step mjolnir will crash. [Currently there is no Synapse config option for this](https://github.com/matrix-org/synapse/issues/6286) so you have to manually edit the Synapse database. Manually editing the Synapse database is rarely a good idea but in this case it is required. Please ask for help if you are uncomfortable with these steps. + +1. Copy the statement below into a text editor. + + ``` + INSERT INTO ratelimit_override VALUES ("@bot.mjolnir:DOMAIN", 0, 0); + ``` + +1. Change the username (`@bot.mjolnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain. + +1. Get a database terminal by following these steps: [docs/maintenance-postgres.md#getting-a-database-terminal](docs/maintenance-postgres.md#getting-a-database-terminal) +1. Connect to Synapse's database by typing `\connect synapse` into the database terminal -## Make sure account is free from rate limiting +1. Paste in the `INSERT INTO` command that you edited and press enter. -TODO +You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this: ``` -insert into ratelimit_override values ("@bot.mjolnir:DOMAIN", 0, 0); + user_id | messages_per_second | burst_count +-----------------------+---------------------+------------- + @bot.mjolnir:raim.ist | 0 | 0` ``` +then you did it correctly. -## Adjusting the playbook configuration +## 5. Create a management room + +Using your own account, create a new room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room. + +Once you have created the room you need to copy the room ID so you can tell the bot to use that room. In Element you can do this by going to the room's settings, clicking Advanced, and then coping the internal room ID. The room ID will look something like `!QvgVuKq0ha8glOLGMG:DOMAIN`. + +## 4. Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): +You must replace `ACCESS_TOKEN_FROM_STEP_2_GOES_HERE` and `ROOM_ID_FROM_STEP_5_GOES_HERE` with the your own values. + ```yaml -TODO +matrix_bot_mjolnir_enabled: true + +matrix_bot_mjolnir_access_token: "ACCESS_TOKEN_FROM_STEP_2_GOES_HERE" + +matrix_bot_mjolnir_management_room: "ROOM_ID_FROM_STEP_5_GOES_HERE" ``` -## Installing +## 5. Installing -After configuring the playbook, run the [installation](installing.md) command again: +After configuring the playbook, run the [installation](installing.md) command: ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start @@ -65,6 +95,20 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -TODO +You can refer to the upstream [documentation](https://github.com/matrix-org/mjolnir) for additional ways to use and configure mjolnir. Check out their [quickstart guide](https://github.com/matrix-org/mjolnir#quickstart-guide) for some basic commands you can give to the bot. + +You can configure additional options by adding the `matrix_bot_mjolnir_configuration_extension_yaml` variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file. + +For example to change mjolnir's `recordIgnoredInvites` option to `true` you would add the following to your `vars.yml` file. -You can also refer to the upstream [documentation](https://github.com/matrix-org/mjolnir). +```yaml +matrix_bot_mjolnir_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_bot_mjolnir_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_bot_mjolnir_configuration_yaml`. + recordIgnoredInvites: true +``` diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 721735d5..9e9c442d 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -85,6 +85,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced) +- [Setting up Mjolnir](configuring-playbook-bot-mjolnir) (optional, advanced) + ### Bridging other networks From c43bd412ddf6746426dbba9e46719fc7a2ecddf1 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Apr 2021 18:08:08 -0500 Subject: [PATCH 2062/2384] Upgrade synapse-simple-antispam (0.0.1 -> 0.0.3) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index b4622478..cb891819 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -501,7 +501,7 @@ matrix_synapse_ext_password_provider_ldap_filter: "" # See: https://github.com/t2bot/synapse-simple-antispam matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled: false matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "https://github.com/t2bot/synapse-simple-antispam" -matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "f058d9ce2c7d4195ae461dcdd02df11a2d06a36b" +matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "923ca5c85b08f157181721abbae50dd89c31e4b5" matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: [] matrix_s3_media_store_enabled: false From 219c2fdb12a772937cdd9857e14559bb333415a3 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Apr 2021 18:11:05 -0500 Subject: [PATCH 2063/2384] Fix paths --- docs/configuring-playbook-bot-mjolnir.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index ee12249a..3703ba7a 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -4,7 +4,7 @@ The playbook can install and configure the [Mjolnir](https://github.com/matrix-o See the project's [documentation](https://github.com/matrix-org/mjolnir) to learn what it does and why it might be useful to you. -Note: the playbook does not currently support the Mjolnir Synapse module. The playbook does support another antispam module, see [Setting up Synapse Simple Antispam](docs/configuring-playbook-synapse-simple-antispam.md). +Note: the playbook does not currently support the Mjolnir Synapse module. The playbook does support another antispam module, see [Setting up Synapse Simple Antispam](configuring-playbook-synapse-simple-antispam.md). ## 1. Registering the bot user @@ -48,7 +48,7 @@ You will need to prevent Synapse from rate limiting the bot's account is not rat 1. Change the username (`@bot.mjolnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain. -1. Get a database terminal by following these steps: [docs/maintenance-postgres.md#getting-a-database-terminal](docs/maintenance-postgres.md#getting-a-database-terminal) +1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal) 1. Connect to Synapse's database by typing `\connect synapse` into the database terminal From 12a120e175a57d77ac50a0b1547e779d58bfd8a5 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Apr 2021 18:14:52 -0500 Subject: [PATCH 2064/2384] how do words good --- docs/configuring-playbook-bot-mjolnir.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 3703ba7a..51a0af68 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -38,7 +38,7 @@ Alternatively, you can use a full-featured client (such as Element) to log in an ## 3. Make sure the account is free from rate limiting -You will need to prevent Synapse from rate limiting the bot's account is not rate limited by Synapse. This is not an optional step. If you do not do this step mjolnir will crash. [Currently there is no Synapse config option for this](https://github.com/matrix-org/synapse/issues/6286) so you have to manually edit the Synapse database. Manually editing the Synapse database is rarely a good idea but in this case it is required. Please ask for help if you are uncomfortable with these steps. +You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step mjolnir will crash. [Currently there is no Synapse config option for this](https://github.com/matrix-org/synapse/issues/6286) so you have to manually edit the Synapse database. Manually editing the Synapse database is rarely a good idea but in this case it is required. Please ask for help if you are uncomfortable with these steps. 1. Copy the statement below into a text editor. From 11c93682dbcc279765ed043a144d6cf2b9780344 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Apr 2021 18:26:50 -0500 Subject: [PATCH 2065/2384] YOURDOMAIN -> DOMAIN --- docs/configuring-playbook-bot-mjolnir.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 51a0af68..033b883a 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -21,6 +21,7 @@ You can use the playbook to [register a new user](registering-users.md): ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.mjolnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user ``` + ## 2. Get an access token If you use curl, you can get an access token like this: @@ -30,7 +31,7 @@ curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user", "user": "bot.mjolnir" }, "password": "PASSWORD_FOR_THE_BOT", "type": "m.login.password" -}' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login' +}' 'https://matrix.DOMAIN/_matrix/client/r0/login' ``` Alternatively, you can use a full-featured client (such as Element) to log in and get the access token from there (note: don't log out from the client as that will invalidate the token). @@ -38,7 +39,7 @@ Alternatively, you can use a full-featured client (such as Element) to log in an ## 3. Make sure the account is free from rate limiting -You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step mjolnir will crash. [Currently there is no Synapse config option for this](https://github.com/matrix-org/synapse/issues/6286) so you have to manually edit the Synapse database. Manually editing the Synapse database is rarely a good idea but in this case it is required. Please ask for help if you are uncomfortable with these steps. +You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. [Currently there is no Synapse config option for this](https://github.com/matrix-org/synapse/issues/6286) so you have to manually edit the Synapse database. Manually editing the Synapse database is rarely a good idea but in this case it is required. Please ask for help if you are uncomfortable with these steps. 1. Copy the statement below into a text editor. @@ -63,12 +64,14 @@ You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the outp ``` then you did it correctly. + ## 5. Create a management room Using your own account, create a new room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room. Once you have created the room you need to copy the room ID so you can tell the bot to use that room. In Element you can do this by going to the room's settings, clicking Advanced, and then coping the internal room ID. The room ID will look something like `!QvgVuKq0ha8glOLGMG:DOMAIN`. + ## 4. Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): From b084a35e9dd12d9d744f795f52234aeda9341e91 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Apr 2021 18:40:42 -0500 Subject: [PATCH 2066/2384] Add note about making bot a server admin --- docs/configuring-playbook-bot-mjolnir.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 033b883a..2b0f1ddc 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -21,6 +21,8 @@ You can use the playbook to [register a new user](registering-users.md): ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.mjolnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user ``` +If you would like Mjolnir to be able to deactivate users, move aliases, shutdown rooms, etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above. + ## 2. Get an access token From 81dddd2e2501018b1fea7b4d779c4b3c5dae317a Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Apr 2021 18:43:30 -0500 Subject: [PATCH 2067/2384] Upgrade Element (1.7.24 -> 1.7.24.1) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 337c48d1..b6c3ce98 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.24 +matrix_client_element_version: v1.7.24.1 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From f85054fd802ebbe4bcc48903e9dc8151ed7b5a66 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Apr 2021 19:10:53 -0500 Subject: [PATCH 2068/2384] Add some advice about making Synapse faster Also removes some duplicate table of contents entries in maintenance-synapse.md --- docs/maintenance-synapse.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index 143238c1..a1060498 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -6,13 +6,11 @@ Table of contents: - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api), for when you wish to delete in-use (but old) data from the Synapse database -- [Synapse maintenance](#synapse-maintenance) - - [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api) - - [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state) - - [Browse and manipulate the database](#browse-and-manipulate-the-database) +- [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state) - [Browse and manipulate the database](#browse-and-manipulate-the-database), for when you really need to take matters into your own hands +- [Make Synapse faster](#make-synapse-faster) ## Purging old data with the Purge History API @@ -73,3 +71,11 @@ docker run --rm --publish 1799:8080 --link matrix-postgres --net matrix adminer You should then be able to browse the adminer database administration GUI at http://localhost:1799/ after entering your DB credentials (found in the `host_vars` or on the server in `{{matrix_synapse_config_dir_path}}/homeserver.yaml` under `database.args`) ⚠️ Be **very careful** with this, there is **no undo** for impromptu DB operations. + +## Make Synapse faster + +Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_use_presence: false` to your `vars.yml` file. + +Tuning Synapse's cache factor can help reduce RAM usage. See the upstream documentation for more information on what value to set this to https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor. + +See also [How do I optimize this setup for a low-power server?](faq.md#how-do-i-optimize-this-setup-for-a-low-power-server). From c86cc1138640689549470e8738eafda6386b9b5e Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Apr 2021 19:26:41 -0500 Subject: [PATCH 2069/2384] Add some advice about tuning PostgreSQL --- docs/maintenance-postgres.md | 41 ++++++++++++++++++++++++++++++++++++ docs/maintenance-synapse.md | 2 ++ 2 files changed, 43 insertions(+) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index acbea54c..d43a5dc7 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -12,6 +12,7 @@ Table of contents: - [Upgrading PostgreSQL](#upgrading-postgresql), for upgrading to new major versions of PostgreSQL. Such **manual upgrades are sometimes required**. +- [Tuning PostgreSQL](#tuning-postgresql) to make it run faster ## Getting a database terminal @@ -90,3 +91,43 @@ If you have plenty of space in `/tmp` and would rather avoid gzipping, you can e Example: `--extra-vars="postgres_dump_name=matrix-postgres-dump.sql"` **All databases, roles, etc. on the Postgres server are migrated**. + + +## Tuning PostgreSQL + +PostgreSQL can be tuned to make it run faster. This is done by passing extra arguments to Postgres with the `matrix_postgres_process_extra_arguments` variable. You should use a website like https://pgtune.leopard.in.ua/ or information from https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server to determine what Postgres settings you should change. + +### Here are some examples: + +These are not recommended values and they may not work well for you. This is just to give you an idea of some of the options that can be set. If you are an experienced PostgreSQL admin feel free to update this documentation with better examples. + +Here is an example config for a small 2 core server with 4GB of RAM and SSD storage: +``` +matrix_postgres_process_extra_arguments: [ + "-c 'shared_buffers=128MB'", + "-c 'effective_cache_size=2304MB'", + "-c 'effective_io_concurrency=100'", + "-c 'random_page_cost=2.0'", + "-c 'min_wal_size=500MB'", +] +``` + +Here is an example config for a large 6 core server with 24GB of RAM: +``` +matrix_postgres_process_extra_arguments: [ + "-c max_connections=40", + "-c shared_buffers=1536MB", + "-c checkpoint_completion_target=0.7", + "-c wal_buffers=16MB", + "-c default_statistics_target=100", + "-c random_page_cost=1.1", + "-c effective_io_concurrency=100", + "-c work_mem=2621kB", + "-c min_wal_size=1GB", + "-c max_wal_size=4GB", + "-c max_worker_processes=6", + "-c max_parallel_workers_per_gather=3", + "-c max_parallel_workers=6", + "-c max_parallel_maintenance_workers=3", +] +``` diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index a1060498..dfdec72e 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -78,4 +78,6 @@ Synapse's presence feature which tracks which users are online and which are off Tuning Synapse's cache factor can help reduce RAM usage. See the upstream documentation for more information on what value to set this to https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor. +Tuning your PostgreSQL database will also make Synapse run significantly faster. See [maintenance-postgres.md##tuning-postgresql](maintenance-postgres.md##tuning-postgresql). + See also [How do I optimize this setup for a low-power server?](faq.md#how-do-i-optimize-this-setup-for-a-low-power-server). From 598f00b335ead49d5b79eb500099ce87ecd7fb09 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Apr 2021 19:28:48 -0500 Subject: [PATCH 2070/2384] Nice link --- docs/maintenance-synapse.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index dfdec72e..7b7514a5 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -76,7 +76,7 @@ You should then be able to browse the adminer database administration GUI at htt Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_use_presence: false` to your `vars.yml` file. -Tuning Synapse's cache factor can help reduce RAM usage. See the upstream documentation for more information on what value to set this to https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor. +Tuning Synapse's cache factor can help reduce RAM usage. [See the upstream documentation](https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu) for more information on what value to set the cache factor to. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor. Tuning your PostgreSQL database will also make Synapse run significantly faster. See [maintenance-postgres.md##tuning-postgresql](maintenance-postgres.md##tuning-postgresql). From 26d334dcb96dcba71e4034f68f40666a43de95ae Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 3 Apr 2021 01:12:06 -0500 Subject: [PATCH 2071/2384] Typo --- docs/configuring-playbook-bot-mjolnir.md | 2 +- docs/configuring-playbook.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 2b0f1ddc..e1c42097 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -21,7 +21,7 @@ You can use the playbook to [register a new user](registering-users.md): ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.mjolnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user ``` -If you would like Mjolnir to be able to deactivate users, move aliases, shutdown rooms, etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above. +If you would like Mjolnir to be able to deactivate users, move aliases, shutdown rooms, etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above. ## 2. Get an access token diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 9e9c442d..695eed65 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -85,7 +85,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced) -- [Setting up Mjolnir](configuring-playbook-bot-mjolnir) (optional, advanced) +- [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) (optional, advanced) ### Bridging other networks From 28a6f8bd57cb006a3fb98884adbce97f986a0655 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 3 Apr 2021 10:52:35 +0300 Subject: [PATCH 2072/2384] Announce Mjolnir bot support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/962 --- CHANGELOG.md | 8 ++++++++ docs/configuring-playbook.md | 6 ++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 36790dce..fb55c7c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +# 2021-04-03 + +## Mjolnir moderation tool (bot) support + +Thanks to [Aaron Raimist](https://github.com/aaronraimist), the playbook can now install and configure the [Mjolnir](https://github.com/matrix-org/mjolnir) moderation tool (bot). + +Additional details are available in [Setting up Mjolnir](docs/configuring-playbook-bot-mjolnir.md). + # 2021-03-20 diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 695eed65..45293739 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -131,9 +131,11 @@ When you're done with all the configuration you'd like to do, continue with [Ins ### Bots -- [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) (optional) +- [Setting up matrix-reminder-bot](configuring-playbook-bot-matrix-reminder-bot.md) - a bot to remind you about stuff (optional) -- [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) (optional) +- [Setting up Go-NEB](configuring-playbook-bot-go-neb.md) - an extensible multifunctional bot (optional) + +- [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) - a moderation tool/bot (optional) ### Other specialized services From df31694d12b5c1f500e2d7836fab379f184bfce1 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 3 Apr 2021 03:18:54 -0500 Subject: [PATCH 2073/2384] Couple of additional tweaks to the mjolnir docs --- docs/configuring-playbook-bot-mjolnir.md | 16 +++++++++------- docs/configuring-playbook.md | 2 -- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index e1c42097..0a5860c1 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -7,7 +7,7 @@ See the project's [documentation](https://github.com/matrix-org/mjolnir) to lear Note: the playbook does not currently support the Mjolnir Synapse module. The playbook does support another antispam module, see [Setting up Synapse Simple Antispam](configuring-playbook-synapse-simple-antispam.md). -## 1. Registering the bot user +## 1. Register the bot account The playbook does not automatically create users for you. The bot requires an access token to be able to connect to your homeserver. @@ -67,29 +67,31 @@ You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the outp then you did it correctly. -## 5. Create a management room +## 4. Create a management room -Using your own account, create a new room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room. +Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room. Anyone in this room can control the bot so it is important that you only invite trusted users to this room. The room must be unencrypted since the playbook does not support installing Pantalaimon yet. Once you have created the room you need to copy the room ID so you can tell the bot to use that room. In Element you can do this by going to the room's settings, clicking Advanced, and then coping the internal room ID. The room ID will look something like `!QvgVuKq0ha8glOLGMG:DOMAIN`. +Finally invite the `@bot.mjolnir:DOMAIN` account you created earlier into the room. -## 4. Adjusting the playbook configuration + +## 5. Adjusting the playbook configuration Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): -You must replace `ACCESS_TOKEN_FROM_STEP_2_GOES_HERE` and `ROOM_ID_FROM_STEP_5_GOES_HERE` with the your own values. +You must replace `ACCESS_TOKEN_FROM_STEP_2_GOES_HERE` and `ROOM_ID_FROM_STEP_4_GOES_HERE` with the your own values. ```yaml matrix_bot_mjolnir_enabled: true matrix_bot_mjolnir_access_token: "ACCESS_TOKEN_FROM_STEP_2_GOES_HERE" -matrix_bot_mjolnir_management_room: "ROOM_ID_FROM_STEP_5_GOES_HERE" +matrix_bot_mjolnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE" ``` -## 5. Installing +## 6. Installing After configuring the playbook, run the [installation](installing.md) command: diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 45293739..f6988930 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -85,8 +85,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced) -- [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) (optional, advanced) - ### Bridging other networks From 504f1b644541e0fff1b719ee210dcde3cb970617 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 3 Apr 2021 16:41:10 -0500 Subject: [PATCH 2074/2384] Allow special characters in Grafana password --- docs/configuring-playbook-prometheus-grafana.md | 5 ++--- roles/matrix-grafana/templates/grafana.ini.j2 | 8 ++++---- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 310eac6a..4968c518 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -17,11 +17,10 @@ matrix_grafana_anonymous_access: false # This has no relation to your Matrix user id. It can be any username you'd like. # Changing the username subsequently won't work. -matrix_grafana_default_admin_user: some_username_chosen_by_you +matrix_grafana_default_admin_user: "some_username_chosen_by_you" -# Passwords containing special characters may be troublesome. # Changing the password subsequently won't work. -matrix_grafana_default_admin_password: some_strong_password_chosen_by_you +matrix_grafana_default_admin_password: "some_strong_password_chosen_by_you" ``` By default, a [Grafana](https://grafana.com/) web user-interface will be available at `https://stats.`. diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index 694bf7d7..c7fe1d91 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -1,16 +1,16 @@ [security] # default admin user, created on startup -admin_user = {{ matrix_grafana_default_admin_user }} +admin_user = "{{ matrix_grafana_default_admin_user }}" -# default admin password, can be changed before first start of grafana, or in profile settings -admin_password = {{ matrix_grafana_default_admin_password }} +# default admin password, can be changed before first start of grafana, or in profile settings +admin_password = """{{ matrix_grafana_default_admin_password }}""" [auth.anonymous] # enable anonymous access enabled = {{ matrix_grafana_anonymous_access }} # specify organization name that should be used for unauthenticated users -org_name = {{ matrix_grafana_anonymous_access_org_name }} +org_name = "{{ matrix_grafana_anonymous_access_org_name }}" [dashboards] {% if matrix_synapse_metrics_enabled %} From 458c17b9d0d5365df6b077b9fbbd418e45b09d88 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 3 Apr 2021 16:41:30 -0500 Subject: [PATCH 2075/2384] Upgrade Grafana (7.4.0 -> 7.5.2) --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 876e5f6f..dd4c2753 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 7.4.0 +matrix_grafana_version: 7.5.2 matrix_grafana_docker_image: "docker.io/grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From fbe22289bd4da6246cb2d00f002d03da25b6fa05 Mon Sep 17 00:00:00 2001 From: Michael Date: Sun, 4 Apr 2021 11:41:06 +0800 Subject: [PATCH 2076/2384] merge with upstream and testing branch --- docs/configuring-awx-system.md | 2 +- .../matrix-awx/surveys/backup_server.json.j2 | 2 +- .../surveys/configure_dimension.json.j2 | 30 +++++ .../surveys/configure_synapse.json.j2 | 24 ++-- roles/matrix-awx/tasks/backup_server.yml | 31 +++-- .../tasks/cache_matrix_variables.yml | 12 ++ .../tasks/customise_website_access_export.yml | 23 ++-- .../tasks/load_hosting_and_org_variables.yml | 1 + .../tasks/load_matrix_variables.yml | 14 ++- roles/matrix-awx/tasks/main.yml | 28 ++++- roles/matrix-awx/tasks/self_check.yml | 12 ++ .../tasks/set_variables_corporal.yml | 54 ++++----- .../tasks/set_variables_dimension.yml | 109 ++++++++++++++++++ .../tasks/set_variables_element.yml | 18 +-- .../matrix-awx/tasks/set_variables_jitsi.yml | 10 +- .../matrix-awx/tasks/set_variables_ma1sd.yml | 31 ++--- .../tasks/set_variables_synapse.yml | 54 ++++----- .../tasks/set_variables_synapse_admin.yml | 10 +- roles/matrix-common-after/tasks/awx_post.yml | 19 ++- 19 files changed, 333 insertions(+), 151 deletions(-) create mode 100644 roles/matrix-awx/surveys/configure_dimension.json.j2 create mode 100644 roles/matrix-awx/tasks/cache_matrix_variables.yml create mode 100644 roles/matrix-awx/tasks/set_variables_dimension.yml diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md index 2bc2699b..f391a457 100644 --- a/docs/configuring-awx-system.md +++ b/docs/configuring-awx-system.md @@ -19,7 +19,7 @@ The following repositories allow you to copy and use this setup: [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) - Creates and configures the AWX system for you. -[Ansible Create Delete Subscription Membership](https://gitlab.com/GoMatrixHosting/ansible-create-delete-subscription-membership) - Used by the AWX system to create memberships and subscriptions. +[Ansible Create Delete Subscription Membership](https://gitlab.com/GoMatrixHosting/ansible-create-delete-subscription-membership) - Used by the AWX system to create memberships and subscriptions. Also includes other administrative playbooks for updates, backups and restoring servers. [Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server. diff --git a/roles/matrix-awx/surveys/backup_server.json.j2 b/roles/matrix-awx/surveys/backup_server.json.j2 index 232d1968..9b9cddbd 100644 --- a/roles/matrix-awx/surveys/backup_server.json.j2 +++ b/roles/matrix-awx/surveys/backup_server.json.j2 @@ -5,7 +5,7 @@ { "question_name": "Enable Backup", "question_description": "Set if remote backup is enabled or not. If enabled a daily backup of your server will be sent to the backup server located in {{ backup_server_location }}.", - "required": true, + "required": false, "min": null, "max": null, "default": "{{ matrix_awx_backup_enabled | string | lower }}", diff --git a/roles/matrix-awx/surveys/configure_dimension.json.j2 b/roles/matrix-awx/surveys/configure_dimension.json.j2 new file mode 100644 index 00000000..3acbaaaf --- /dev/null +++ b/roles/matrix-awx/surveys/configure_dimension.json.j2 @@ -0,0 +1,30 @@ +{ + "name": "Configure Dimension", + "description": "", + "spec": [ + { + "question_name": "Enable Dimension", + "question_description": "Enables the Dimension integration server, before doing this you need to create a CNAME record for 'dimension.{{ matrix_domain }}' that points to 'matrix.{{ matrix_domain }}'.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_dimension_enabled | string | lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_dimension_enabled", + "type": "multiplechoice" + }, + { + "question_name": "Dimension Users", + "question_description": "Here you can list the user accounts that will be able to configure Dimension. Entries must be seperated with newlines and must be a complete Matrix ID. For example: '@dimension:{{ matrix_domain }}'", + "required": false, + "min": 0, + "max": 65536, + "default": {{ ext_dimension_users_raw_final | to_json }}, + "choices": "", + "new_question": true, + "variable": "ext_dimension_users_raw", + "type": "textarea" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_synapse.json.j2 b/roles/matrix-awx/surveys/configure_synapse.json.j2 index 8d3b5daf..e3fca6a2 100755 --- a/roles/matrix-awx/surveys/configure_synapse.json.j2 +++ b/roles/matrix-awx/surveys/configure_synapse.json.j2 @@ -8,7 +8,7 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_synapse_enable_registration|string|lower }}", + "default": "{{ matrix_synapse_enable_registration | string | lower }}", "choices": "true\nfalse", "new_question": true, "variable": "matrix_synapse_enable_registration", @@ -20,7 +20,7 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_synapse_federation_enabled|string|lower }}", + "default": "{{ matrix_synapse_federation_enabled | string | lower }}", "choices": "true\nfalse", "new_question": true, "variable": "matrix_synapse_federation_enabled", @@ -32,7 +32,7 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_synapse_allow_public_rooms_over_federation|string|lower }}", + "default": "{{ matrix_synapse_allow_public_rooms_over_federation | string | lower }}", "choices": "true\nfalse", "new_question": true, "variable": "matrix_synapse_allow_public_rooms_over_federation", @@ -44,7 +44,7 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_synapse_enable_group_creation|string|lower }}", + "default": "{{ matrix_synapse_enable_group_creation | string | lower }}", "choices": "true\nfalse", "new_question": true, "variable": "matrix_synapse_enable_group_creation", @@ -56,7 +56,7 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_synapse_use_presence|string|lower }}", + "default": "{{ matrix_synapse_use_presence | string | lower }}", "choices": "true\nfalse", "new_question": true, "variable": "matrix_synapse_use_presence", @@ -68,7 +68,7 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_synapse_url_preview_enabled|string|lower }}", + "default": "{{ matrix_synapse_url_preview_enabled | string | lower }}", "choices": "true\nfalse", "new_question": true, "variable": "matrix_synapse_url_preview_enabled", @@ -80,7 +80,7 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_synapse_allow_guest_access|string|lower }}", + "default": "{{ matrix_synapse_allow_guest_access | string | lower }}", "choices": "true\nfalse", "new_question": true, "variable": "matrix_synapse_allow_guest_access", @@ -92,7 +92,7 @@ "required": false, "min": null, "max": null, - "default": "{{ ext_registrations_require_3pid|string|lower }}", + "default": "{{ ext_registrations_require_3pid | string | lower }}", "choices": "true\nfalse", "new_question": true, "variable": "ext_registrations_require_3pid", @@ -128,7 +128,7 @@ "required": false, "min": 0, "max": 65536, - "default": {{ ext_url_preview_accept_language_default|to_json }}, + "default": {{ ext_url_preview_accept_language_default | to_json }}, "choices": "", "new_question": true, "variable": "ext_url_preview_accept_language_raw", @@ -140,7 +140,7 @@ "required": false, "min": 0, "max": 65536, - "default": {{ ext_federation_whitelist_raw|to_json }}, + "default": {{ ext_federation_whitelist_raw | to_json }}, "choices": "", "new_question": true, "variable": "ext_federation_whitelist_raw", @@ -152,7 +152,7 @@ "required": false, "min": 0, "max": 65536, - "default": {{ matrix_synapse_auto_join_rooms_raw|to_json }}, + "default": {{ matrix_synapse_auto_join_rooms_raw | to_json }}, "choices": "", "new_question": true, "variable": "matrix_synapse_auto_join_rooms_raw", @@ -164,7 +164,7 @@ "required": false, "min": null, "max": null, - "default": "{{ ext_enable_registration_captcha|string|lower }}", + "default": "{{ ext_enable_registration_captcha | string | lower }}", "choices": "true\nfalse", "new_question": true, "variable": "ext_enable_registration_captcha", diff --git a/roles/matrix-awx/tasks/backup_server.yml b/roles/matrix-awx/tasks/backup_server.yml index 2459fc8a..a82f46b0 100644 --- a/roles/matrix-awx/tasks/backup_server.yml +++ b/roles/matrix-awx/tasks/backup_server.yml @@ -5,27 +5,24 @@ path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# AWX Settings' + insertafter: '# AWX Settings Start' with_dict: 'matrix_awx_backup_enabled': '{{ matrix_awx_backup_enabled }}' - -- name: Copy new 'matrix_vars.yml' to target machine - copy: - src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - dest: '/matrix/awx/matrix_vars.yml' - mode: '0660' + tags: use-survey - name: Save new 'Backup Server' survey.json to the AWX tower, template delegate_to: 127.0.0.1 template: src: 'roles/matrix-awx/surveys/backup_server.json.j2' dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json' + tags: use-survey - name: Copy new 'Backup Server' survey.json to target machine copy: src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/backup_server.json' dest: '/matrix/awx/backup_server.json' mode: '0660' + tags: use-survey - name: Collect AWX admin token the hard way! delegate_to: 127.0.0.1 @@ -33,6 +30,7 @@ curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' register: tower_token no_log: True + tags: use-survey - name: Recreate 'Backup Server' job template delegate_to: 127.0.0.1 @@ -41,7 +39,7 @@ description: "Performs a backup of the entire service to a remote location." extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" job_type: run - job_tags: "backup-server" + job_tags: "backup-server,use-survey" inventory: "{{ member_id }}" project: "{{ member_id }} - Matrix Docker Ansible Deploy" playbook: setup.yml @@ -54,6 +52,23 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes + tags: use-survey + +- name: Run export.sh if this job template is run by the client + command: /bin/sh /root/export.sh + tags: use-survey + +- name: Include vars in matrix_vars.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + no_log: True + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' + tags: use-survey - name: Perform the borg backup command: borgmatic diff --git a/roles/matrix-awx/tasks/cache_matrix_variables.yml b/roles/matrix-awx/tasks/cache_matrix_variables.yml new file mode 100644 index 00000000..a34b3792 --- /dev/null +++ b/roles/matrix-awx/tasks/cache_matrix_variables.yml @@ -0,0 +1,12 @@ + +- name: Collect current datetime + set_fact: + awx_datetime: "{{ lookup('pipe', 'date +%Y-%m-%d_%H:%M') }}" + +- name: Create cached matrix_vars.yml file location + set_fact: + awx_cached_matrix_vars: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars_{{ awx_datetime }}.yml' + +- name: Create cached matrix_vars.yml + delegate_to: 127.0.0.1 + shell: "cp /var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml {{ awx_cached_matrix_vars }}" diff --git a/roles/matrix-awx/tasks/customise_website_access_export.yml b/roles/matrix-awx/tasks/customise_website_access_export.yml index 40ae1bfd..580d8bc9 100755 --- a/roles/matrix-awx/tasks/customise_website_access_export.yml +++ b/roles/matrix-awx/tasks/customise_website_access_export.yml @@ -1,12 +1,11 @@ - - name: Enable index.html creation if user doesn't wish to customise base domain delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Base Domain Settings' + insertafter: '# Base Domain Settings Start' with_dict: 'matrix_nginx_proxy_base_domain_homepage_enabled': 'true' when: customise_base_domain_website|bool == false @@ -14,10 +13,10 @@ - name: Disable index.html creation to allow multi-file site if user does wish to customise base domain delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Base Domain Settings' + insertafter: '# Base Domain Settings Start' with_dict: 'matrix_nginx_proxy_base_domain_homepage_enabled': 'false' when: customise_base_domain_website|bool == true @@ -25,27 +24,23 @@ - name: Record custom 'Customise Website + Access Export' variables locally on AWX delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Custom Settings' + insertafter: '# Custom Settings Start' with_dict: 'customise_base_domain_website': '{{ customise_base_domain_website }}' 'sftp_auth_method': '"{{ sftp_auth_method }}"' 'sftp_password': '"{{ sftp_password }}"' 'sftp_public_key': '"{{ sftp_public_key }}"' -- name: Copy new 'matrix_vars.yml' to target machine - copy: - src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - dest: '/matrix/awx/matrix_vars.yml' - mode: '0660' - - name: Reload vars in matrix_vars.yml include_vars: - file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + file: '{{ awx_cached_matrix_vars }}' no_log: True +# ^ Is this even needed? + - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template delegate_to: 127.0.0.1 template: diff --git a/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml index 6789431a..ea866254 100644 --- a/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml +++ b/roles/matrix-awx/tasks/load_hosting_and_org_variables.yml @@ -8,3 +8,4 @@ include_vars: file: '/var/lib/awx/projects/hosting/hosting_vars.yml' no_log: True + diff --git a/roles/matrix-awx/tasks/load_matrix_variables.yml b/roles/matrix-awx/tasks/load_matrix_variables.yml index ff0986d7..2a9f9a0d 100755 --- a/roles/matrix-awx/tasks/load_matrix_variables.yml +++ b/roles/matrix-awx/tasks/load_matrix_variables.yml @@ -1,5 +1,15 @@ -- name: Include vars in matrix_vars.yml +- name: Include new vars in matrix_vars.yml include_vars: - file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + file: '{{ awx_cached_matrix_vars }}' no_log: True + +- name: If include_vars succeeds overwrite the old matrix_vars.yml + delegate_to: 127.0.0.1 + shell: "cp {{ awx_cached_matrix_vars }} /var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml && rm {{ awx_cached_matrix_vars }}" + +- name: Copy new 'matrix_vars.yml' to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + dest: '/matrix/awx/matrix_vars.yml' + mode: '0660' diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index 4965ae39..2f8c6df2 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -26,6 +26,15 @@ tags: - create-user +# Import configs, media repo from /chroot/backup import +- include_tasks: + file: "import_awx.yml" + apply: + tags: import-awx + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - import-awx + # Perform extra self-check functions - include_tasks: file: "self_check.yml" @@ -35,14 +44,14 @@ tags: - self-check -# Import configs, media repo from /chroot/backup import +# Create caches matrix_vars.yml file - include_tasks: - file: "import_awx.yml" + file: "cache_matrix_variables.yml" apply: - tags: import-awx + tags: always when: run_setup|bool and matrix_awx_enabled|bool tags: - - import-awx + - always # Configure SFTP so user can upload a static website or access the servers export - include_tasks: @@ -98,6 +107,15 @@ tags: - setup-corporal +# Additional playbook to set the variable file during Dimension configuration +- include_tasks: + file: "set_variables_dimension.yml" + apply: + tags: setup-dimension + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-dimension + # Additional playbook to set the variable file during Synapse Admin configuration - include_tasks: file: "set_variables_synapse_admin.yml" @@ -107,7 +125,7 @@ tags: - setup-synapse-admin -# Load newly formed matrix variables from tower volume +# Load newly formed matrix variables from AWX volume - include_tasks: file: "load_matrix_variables.yml" apply: diff --git a/roles/matrix-awx/tasks/self_check.yml b/roles/matrix-awx/tasks/self_check.yml index 8d647574..edf6b8b3 100644 --- a/roles/matrix-awx/tasks/self_check.yml +++ b/roles/matrix-awx/tasks/self_check.yml @@ -3,6 +3,7 @@ apt: name: - sysstat + - curl state: present - name: Install prerequisite yum packages on AWX @@ -19,6 +20,17 @@ - dnspython state: present +- name: Calculate MAU value + shell: | + curl -s localhost:9000 | grep "^synapse_admin_mau_current " + register: mau_stat + no_log: True + +- name: Print MAU value + debug: + msg: "{{ mau_stat.stdout.split('\n') }}" + when: mau_stat is defined + - name: Calculate CPU usage statistics shell: iostat -c register: cpu_usage_stat diff --git a/roles/matrix-awx/tasks/set_variables_corporal.yml b/roles/matrix-awx/tasks/set_variables_corporal.yml index d8ac038d..6ae187c7 100755 --- a/roles/matrix-awx/tasks/set_variables_corporal.yml +++ b/roles/matrix-awx/tasks/set_variables_corporal.yml @@ -2,20 +2,20 @@ - name: Record Corporal Enabled/Disabled variable delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Corporal Settings' + insertafter: '# Corporal Settings Start' with_dict: 'matrix_corporal_enabled': '{{ matrix_corporal_enabled }}' - name: Enable Shared Secret Auth if Corporal enabled delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Shared Secret Auth Settings' + insertafter: '# Shared Secret Auth Settings Start' with_dict: 'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'true' when: matrix_corporal_enabled|bool @@ -23,10 +23,10 @@ - name: Disable Shared Secret Auth if Corporal disabled delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Shared Secret Auth Settings' + insertafter: '# Shared Secret Auth Settings Start' with_dict: 'matrix_synapse_ext_password_provider_shared_secret_auth_enabled': 'false' when: not matrix_corporal_enabled|bool @@ -34,10 +34,10 @@ - name: Enable Rest Auth Endpoint if Corporal enabled delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Synapse Extension' + insertafter: '# Synapse Extension Start' with_dict: 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true' when: matrix_corporal_enabled|bool @@ -45,10 +45,10 @@ - name: Disable Rest Auth Endpoint if Corporal disabled delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Synapse Extension' + insertafter: '# Synapse Extension Start' with_dict: 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'false' when: not matrix_corporal_enabled|bool @@ -56,10 +56,10 @@ - name: Disable Corporal API if Simple Static File mode selected delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Corporal Settings' + insertafter: '# Corporal Settings Start' with_dict: 'matrix_corporal_http_api_enabled': 'false' when: (matrix_corporal_policy_provider_mode == "Simple Static File") or (not matrix_corporal_enabled|bool) @@ -67,10 +67,10 @@ - name: Enable Corporal API if Push/Pull mode delected delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Corporal Settings' + insertafter: '# Corporal Settings Start' with_dict: 'matrix_corporal_http_api_enabled': 'true' when: (matrix_corporal_policy_provider_mode != "Simple Static File") and (matrix_corporal_enabled|bool) @@ -78,10 +78,10 @@ - name: Record Corporal API Access Token if it's defined delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Corporal Settings' + insertafter: '# Corporal Settings Start' with_dict: 'matrix_corporal_http_api_auth_token': '{{ matrix_corporal_http_api_auth_token }}' when: matrix_corporal_http_api_auth_token|length > 0 @@ -89,8 +89,8 @@ - name: Record 'Simple Static File' configuration variables in matrix_vars.yml delegate_to: 127.0.0.1 blockinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - insertafter: "# Corporal Policy Provider Settings" + path: '{{ awx_cached_matrix_vars }}' + insertafter: "# Corporal Policy Provider Settings Start" block: | matrix_corporal_policy_provider_config: | { @@ -151,8 +151,8 @@ - name: Record 'HTTP Pull Mode' configuration variables in matrix_vars.yml delegate_to: 127.0.0.1 blockinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - insertafter: "# Corporal Policy Provider Settings" + path: '{{ awx_cached_matrix_vars }}' + insertafter: "# Corporal Policy Provider Settings Start" block: | matrix_corporal_policy_provider_config: | { @@ -168,8 +168,8 @@ - name: Record 'HTTP Push Mode' configuration variables in matrix_vars.yml delegate_to: 127.0.0.1 blockinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - insertafter: "# Corporal Policy Provider Settings" + path: '{{ awx_cached_matrix_vars }}' + insertafter: "# Corporal Policy Provider Settings Start" block: | matrix_corporal_policy_provider_config: | { @@ -181,7 +181,7 @@ - name: Lower RateLimit if set to 'Normal' delegate_to: 127.0.0.1 replace: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300' replace: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3' when: matrix_corporal_raise_ratelimits == "Normal" @@ -189,17 +189,11 @@ - name: Raise RateLimit if set to 'Raised' delegate_to: 127.0.0.1 replace: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: ' address:\n per_second: 0.17\n burst_count: 3\n account:\n per_second: 0.17\n burst_count: 3' replace: ' address:\n per_second: 50\n burst_count: 300\n account:\n per_second: 0.17\n burst_count: 300' when: matrix_corporal_raise_ratelimits == "Raised" -- name: Copy new 'matrix_vars.yml' to target machine - copy: - src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - dest: '/matrix/awx/matrix_vars.yml' - mode: '0664' - - name: Save new 'Configure Corporal' survey.json to the AWX tower delegate_to: 127.0.0.1 template: diff --git a/roles/matrix-awx/tasks/set_variables_dimension.yml b/roles/matrix-awx/tasks/set_variables_dimension.yml new file mode 100644 index 00000000..2d5eb619 --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_dimension.yml @@ -0,0 +1,109 @@ + +- name: Include vars in matrix_vars.yml + include_vars: + file: '{{ awx_cached_matrix_vars }}' + no_log: True + +- name: Install jq on remote machine + apt: + name: jq + state: present + +- name: Collect access token of Dimension user + shell: | + curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "dimension" }, "password": "{{ matrix_awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//' + register: dimension_user_access_token + +- name: Record Synapse variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Dimension Settings Start' + with_dict: + 'matrix_dimension_enabled': '{{ matrix_dimension_enabled }}' + 'matrix_dimension_access_token': '"{{ dimension_user_access_token.stdout }}"' + +- name: Set final users list if users are defined + set_fact: + ext_dimension_users_raw_final: "{{ ext_dimension_users_raw }}" + when: ext_dimension_users_raw|length > 0 + +- name: Set final users list if no users are defined + set_fact: + ext_dimension_users_raw_final: '@dimension:{{ matrix_domain }}' + when: ext_dimension_users_raw|length == 0 + +- name: Remove Dimension Users + delegate_to: 127.0.0.1 + replace: + path: '{{ awx_cached_matrix_vars }}' + regexp: '^ - .*\n' + after: 'matrix_dimension_admins:' + before: '# Dimension Settings End' + +- name: Set Dimension Users Header + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + insertbefore: '# Dimension Settings End' + line: "matrix_dimension_admins:" + +- name: Set Dimension Users + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + insertafter: '^matrix_dimension_admins:' + line: ' - "{{ item }}"' + with_items: "{{ ext_dimension_users_raw_final.splitlines() }}" + +- name: Record Dimension Custom variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Custom Settings Start' + with_dict: + 'ext_dimension_users_raw': '{{ ext_dimension_users_raw.splitlines() | to_json }}' + +- name: Save new 'Configure Dimension' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_dimension.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}//configure_dimension.json' + +- name: Copy new 'Configure Dimension' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_dimension.json' + dest: '/matrix/awx/configure_dimension.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Dimension' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Dimension" + description: "Configure Dimension, the self-hosted integrations server." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-all,setup-dimension" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_dimension.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_element.yml b/roles/matrix-awx/tasks/set_variables_element.yml index a21a9dd8..a0e41770 100755 --- a/roles/matrix-awx/tasks/set_variables_element.yml +++ b/roles/matrix-awx/tasks/set_variables_element.yml @@ -2,10 +2,10 @@ - name: Record Element-Web variables locally on AWX delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Element Settings' + insertafter: '# Element Settings Start' with_dict: 'matrix_client_element_enabled': '{{ matrix_client_element_enabled }}' 'matrix_client_element_jitsi_preferredDomain': '{{ matrix_client_element_jitsi_preferredDomain }}' @@ -16,24 +16,18 @@ - name: Set fact for 'https' string set_fact: - https_string: "https" + awx_https_string: "https" - name: Record Element-Web Background variable locally on AWX delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Element Settings' + insertafter: '# Element Settings Start' with_dict: 'matrix_client_element_branding_welcomeBackgroundUrl': '{{ matrix_client_element_branding_welcomeBackgroundUrl }}' - when: (https_string in matrix_client_element_branding_welcomeBackgroundUrl) and ( matrix_client_element_branding_welcomeBackgroundUrl|length > 0 ) - -- name: Copy new 'matrix_vars.yml' to target machine - copy: - src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - dest: '/matrix/awx/matrix_vars.yml' - mode: '0660' + when: (awx_https_string in matrix_client_element_branding_welcomeBackgroundUrl) and ( matrix_client_element_branding_welcomeBackgroundUrl|length > 0 ) - name: Save new 'Configure Element' survey.json to the AWX tower, template delegate_to: 127.0.0.1 diff --git a/roles/matrix-awx/tasks/set_variables_jitsi.yml b/roles/matrix-awx/tasks/set_variables_jitsi.yml index 4a871a18..9c610685 100755 --- a/roles/matrix-awx/tasks/set_variables_jitsi.yml +++ b/roles/matrix-awx/tasks/set_variables_jitsi.yml @@ -2,20 +2,14 @@ - name: Record Jitsi variables locally on AWX delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Jitsi Settings' + insertafter: '# Jitsi Settings Start' with_dict: 'matrix_jitsi_enabled': '{{ matrix_jitsi_enabled }}' 'matrix_jitsi_web_config_defaultLanguage': '{{ matrix_jitsi_web_config_defaultLanguage }}' -- name: Copy new 'matrix_vars.yml' to target machine - copy: - src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - dest: '/matrix/awx/matrix_vars.yml' - mode: '0660' - - name: Save new 'Configure Jitsi' survey.json to the AWX tower, template delegate_to: 127.0.0.1 template: diff --git a/roles/matrix-awx/tasks/set_variables_ma1sd.yml b/roles/matrix-awx/tasks/set_variables_ma1sd.yml index 32dadc0a..853d8c09 100755 --- a/roles/matrix-awx/tasks/set_variables_ma1sd.yml +++ b/roles/matrix-awx/tasks/set_variables_ma1sd.yml @@ -2,20 +2,20 @@ - name: Record ma1sd variables locally on AWX delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# ma1sd Settings' + insertafter: '# ma1sd Settings Start' with_dict: 'matrix_ma1sd_enabled': '{{ matrix_ma1sd_enabled }}' - name: Disable REST auth (matrix-corporal/ma1sd) if using internal auth delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Synapse Extension' + insertafter: '# Synapse Extension Start' with_dict: 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'false' when: ext_matrix_ma1sd_auth_store == 'Synapse Internal' @@ -23,10 +23,10 @@ - name: Enable REST auth if using external LDAP/AD with ma1sd delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Synapse Extension' + insertafter: '# Synapse Extension Start' with_dict: 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true' 'matrix_synapse_ext_password_provider_rest_auth_endpoint': 'http://matrix-ma1sd:8090' @@ -40,7 +40,7 @@ - name: Remove entire ma1sd configuration extension delegate_to: 127.0.0.1 replace: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: '^.*\n' after: '# Start ma1sd Extension' before: '# End ma1sd Extension' @@ -48,14 +48,14 @@ - name: Replace conjoined ma1sd configuration extension limiters delegate_to: 127.0.0.1 replace: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: '^# Start ma1sd Extension# End ma1sd Extension' replace: '# Start ma1sd Extension\n# End ma1sd Extension' - name: Insert ma1sd configuration extension header if using external LDAP/AD with ma1sd delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' line: "matrix_ma1sd_configuration_extension_yaml: |" insertafter: '# Start ma1sd Extension' when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' @@ -63,7 +63,7 @@ - name: Set ma1sd configuration extension if using external LDAP/AD with ma1sd delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' insertbefore: '# End ma1sd Extension' line: '{{ item }}' with_items: "{{ ext_matrix_ma1sd_configuration_extension_yaml_parsed }}" @@ -72,20 +72,14 @@ - name: Record ma1sd Custom variables locally on AWX delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertbefore: '# Custom Settings' + insertbefore: '# Custom Settings Start' with_dict: 'ext_matrix_ma1sd_auth_store': '{{ ext_matrix_ma1sd_auth_store }}' 'ext_matrix_ma1sd_configuration_extension_yaml': '{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | to_json }}' -- name: Copy new 'matrix_vars.yml' to target machine - copy: - src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - dest: '/matrix/awx/matrix_vars.yml' - mode: '0660' - - name: Save new 'Configure ma1sd' survey.json to the AWX tower, template delegate_to: 127.0.0.1 template: @@ -126,4 +120,3 @@ tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes -# ^ This playbook isn't executing so the survey isn't being updated! :P diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index ef7c70ef..e481d399 100755 --- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -12,10 +12,10 @@ - name: Record Synapse variables locally on AWX delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Synapse Settings' + insertafter: '# Synapse Settings Start' with_dict: 'matrix_synapse_allow_public_rooms_over_federation': '{{ matrix_synapse_allow_public_rooms_over_federation }}' 'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}' @@ -29,7 +29,7 @@ - name: Empty Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if raw inputs empty delegate_to: 127.0.0.1 replace: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^matrix_synapse_auto_join_rooms: .*$" replace: "matrix_synapse_auto_join_rooms: []" when: matrix_synapse_auto_join_rooms_raw|length == 0 @@ -43,10 +43,10 @@ - name: Record Synapse variable 'matrix_synapse_auto_join_rooms' locally on AWX, if it's not blank delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Synapse Settings' + insertafter: '# Synapse Settings Start' with_dict: "matrix_synapse_auto_join_rooms": "{{ matrix_synapse_auto_join_rooms_array }}" when: matrix_synapse_auto_join_rooms_raw|length > 0 @@ -54,10 +54,10 @@ - name: Record Synapse Shared Secret if it's defined delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Synapse Settings' + insertafter: '# Synapse Settings Start' with_dict: 'matrix_synapse_registration_shared_secret': '{{ matrix_synapse_registration_shared_secret }}' when: matrix_synapse_registration_shared_secret|length > 0 @@ -65,10 +65,10 @@ - name: Record registations_require_3pid extra variable if true delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "{{ item }}:" line: "{{ item }}" - insertbefore: '# End Synapse Extension' + insertbefore: '# Synapse Extension End' with_items: - " registrations_require_3pid:" - " - email" @@ -77,10 +77,10 @@ - name: Remove registrations_require_3pid extra variable if false delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "{{ item }}:" line: "{{ item }}" - insertbefore: '# End Synapse Extension' + insertbefore: '# Synapse Extension End' state: absent with_items: - " registrations_require_3pid:" @@ -90,10 +90,10 @@ - name: Remove URL Languages delegate_to: 127.0.0.1 replace: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: '^(?!.*\bemail\b) - [a-zA-Z\-]{2,5}\n' after: ' url_preview_accept_language:' - before: '# End Synapse Extension' + before: '# Synapse Extension End' - name: Set URL languages default if raw inputs empty set_fact: @@ -108,7 +108,7 @@ - name: Set URL languages if raw inputs empty delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' insertafter: '^ url_preview_accept_language:' line: " - {{ ext_url_preview_accept_language_default }}" when: ext_url_preview_accept_language_raw|length == 0 @@ -116,7 +116,7 @@ - name: Set URL languages if raw inputs not empty delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' insertafter: '^ url_preview_accept_language:' line: " - {{ item }}" with_items: "{{ ext_url_preview_accept_language_raw.splitlines() }}" @@ -125,22 +125,22 @@ - name: Remove Federation Whitelisting 1 delegate_to: 127.0.0.1 replace: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: '^ - [a-z0-9]+\.[a-z0-9.]+\n' after: ' federation_domain_whitelist:' - before: '# End Synapse Extension' + before: '# Synapse Extension End' - name: Remove Federation Whitelisting 2 delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' line: " federation_domain_whitelist:" state: absent - name: Set Federation Whitelisting 1 delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' insertafter: '^matrix_synapse_configuration_extension_yaml: \|' line: " federation_domain_whitelist:" when: ext_federation_whitelist_raw|length > 0 @@ -148,7 +148,7 @@ - name: Set Federation Whitelisting 2 delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' insertafter: '^ federation_domain_whitelist:' line: " - {{ item }}" with_items: "{{ ext_federation_whitelist_raw.splitlines() }}" @@ -157,10 +157,10 @@ - name: Record Synapse Custom variables locally on AWX delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertbefore: '# Custom Settings' + insertafter: '# Custom Settings Start' with_dict: 'ext_federation_whitelist_raw': '{{ ext_federation_whitelist_raw.splitlines() | to_json }}' 'ext_url_preview_accept_language_default': '{{ ext_url_preview_accept_language_default.splitlines() | to_json }}' @@ -176,21 +176,15 @@ - name: Record Synapse Extension variables locally on AWX delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertbefore: '# End Synapse Extension' + insertbefore: '# Synapse Extension End' with_dict: ' enable_registration_captcha': '{{ ext_enable_registration_captcha }}' ' recaptcha_public_key': '{{ ext_recaptcha_public_key }}' ' recaptcha_private_key': '{{ ext_recaptcha_private_key }}' -- name: Copy new 'matrix_vars.yml' to target machine - copy: - src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - dest: '/matrix/awx/matrix_vars.yml' - mode: '0660' - - name: Save new 'Configure Synapse' survey.json to the AWX tower, template delegate_to: 127.0.0.1 template: diff --git a/roles/matrix-awx/tasks/set_variables_synapse_admin.yml b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml index 42084ad7..fa922de4 100644 --- a/roles/matrix-awx/tasks/set_variables_synapse_admin.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse_admin.yml @@ -2,19 +2,13 @@ - name: Record Synapse Admin variables locally on AWX delegate_to: 127.0.0.1 lineinfile: - path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + path: '{{ awx_cached_matrix_vars }}' regexp: "^#? *{{ item.key | regex_escape() }}:" line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Synapse Admin Settings' + insertafter: '# Synapse Admin Settings Start' with_dict: 'matrix_synapse_admin_enabled': '{{ matrix_synapse_admin_enabled }}' -- name: Copy new 'matrix_vars.yml' to target machine - copy: - src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' - dest: '/matrix/awx/matrix_vars.yml' - mode: '0660' - - name: Save new 'Configure Synapse Admin' survey.json to the AWX tower, template delegate_to: 127.0.0.1 template: diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 6497acf7..568ccd23 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -1,6 +1,6 @@ --- -- name: Create user account +- name: Create user account @janitor command: | /usr/local/bin/matrix-synapse-register-user janitor {{ matrix_awx_janitor_user_password | quote }} 1 register: cmd @@ -18,3 +18,20 @@ 'matrix_awx_janitor_user_created': 'true' when: not matrix_awx_janitor_user_created|bool +- name: Create user account @dimension + command: | + /usr/local/bin/matrix-synapse-register-user dimension {{ matrix_awx_dimension_user_password | quote }} 0 + register: cmd + when: not matrix_awx_dimension_user_created|bool + no_log: True + +- name: Update AWX dimension user created variable + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: 'AWX Settings' + with_dict: + 'matrix_awx_dimension_user_created': 'true' + when: not matrix_awx_dimension_user_created|bool From 814bdf5a88139e2c209f4c0aad21d9cf2131d410 Mon Sep 17 00:00:00 2001 From: Michael Date: Sun, 4 Apr 2021 11:52:26 +0800 Subject: [PATCH 2077/2384] update spelling --- roles/matrix-awx/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index 2f8c6df2..24c93b49 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -44,7 +44,7 @@ tags: - self-check -# Create caches matrix_vars.yml file +# Create cached matrix_vars.yml file - include_tasks: file: "cache_matrix_variables.yml" apply: From f41bfb69d204b0e3c522ca7e0a242d86d0866b80 Mon Sep 17 00:00:00 2001 From: Michael Date: Sun, 4 Apr 2021 12:01:53 +0800 Subject: [PATCH 2078/2384] update survey template formatting --- roles/matrix-awx/surveys/configure_ma1sd.json.j2 | 2 +- roles/matrix-awx/surveys/configure_synapse_admin.json.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-awx/surveys/configure_ma1sd.json.j2 b/roles/matrix-awx/surveys/configure_ma1sd.json.j2 index ad2110a0..e3c1d448 100644 --- a/roles/matrix-awx/surveys/configure_ma1sd.json.j2 +++ b/roles/matrix-awx/surveys/configure_ma1sd.json.j2 @@ -8,7 +8,7 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_ma1sd_enabled|string|lower }}", + "default": "{{ matrix_ma1sd_enabled | string | lower }}", "choices": "true\nfalse", "new_question": true, "variable": "matrix_ma1sd_enabled", diff --git a/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 b/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 index e1f6dc12..8845b83a 100644 --- a/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 +++ b/roles/matrix-awx/surveys/configure_synapse_admin.json.j2 @@ -8,7 +8,7 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_synapse_admin_enabled|string|lower }}", + "default": "{{ matrix_synapse_admin_enabled | string | lower }}", "choices": "true\nfalse", "new_question": true, "variable": "matrix_synapse_admin_enabled", From 2178f3612f372fe420e6649dd95da6f45195db8c Mon Sep 17 00:00:00 2001 From: foxcris <361299+foxcris@users.noreply.github.com> Date: Mon, 5 Apr 2021 09:05:41 +0200 Subject: [PATCH 2079/2384] - matrix_postgres_backup_databases now uses more simple structure --- group_vars/matrix_servers | 10 ++++------ roles/matrix-postgres-backup/defaults/main.yml | 3 +-- .../templates/env-postgres-backup.j2 | 2 +- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b632b0d7..ec999333 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1422,13 +1422,11 @@ matrix_postgres_backup_connection_password: "{{ matrix_postgres_connection_passw # the default matrix synapse databse is not always part of the matrix_postgres_additional_databases variable thus we have to add it if the default database is used matrix_postgres_backup_databases: | {{ - ([{ - 'name': matrix_synapse_database_database, - 'username': matrix_synapse_database_user, - 'password': matrix_synapse_database_password, - }] if (matrix_synapse_enabled and matrix_synapse_database_database == matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + ([ + matrix_synapse_database_database, + ] if (matrix_synapse_enabled and matrix_synapse_database_database == matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + - matrix_postgres_additional_databases + matrix_postgres_additional_databases|map(attribute='name') }} ###################################################################### diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index cfa690a3..2f3dbc9e 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -11,9 +11,8 @@ matrix_postgres_backup_keep_days: "7" matrix_postgres_backup_keep_weeks: "4" matrix_postgres_backup_keep_months: "12" matrix_postgres_backup_healthcheck_port: "8080" -matrix_postgres_backup_db_list: "" +matrix_postgres_backup_databases: [] matrix_postgres_backup_path: "{{ matrix_base_data_path }}/postgres-backup" -matrix_postgres_backup_databases: "" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" diff --git a/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 b/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 index 979d3762..5a3a1ffd 100644 --- a/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 +++ b/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 @@ -2,7 +2,7 @@ POSTGRES_USER={{ matrix_postgres_backup_connection_username }} POSTGRES_PASSWORD={{ matrix_postgres_backup_connection_password }} POSTGRES_HOST={{ matrix_postgres_backup_connection_hostname }} -POSTGRES_DB={{ matrix_postgres_backup_databases|map(attribute='name')|join(', ') }} +POSTGRES_DB={{ matrix_postgres_backup_databases|join(', ') }} POSTGRES_EXTRA_OPTS={{ matrix_postgres_backup_extra_opts }} SCHEDULE={{ matrix_postgres_backup_schedule }} BACKUP_KEEP_DAYS={{ matrix_postgres_backup_keep_days }} From 14b8e3a3abf9280fc2d00a86d4e6956fe64d0e37 Mon Sep 17 00:00:00 2001 From: foxcris <361299+foxcris@users.noreply.github.com> Date: Mon, 5 Apr 2021 09:31:32 +0200 Subject: [PATCH 2080/2384] - fixed error with generator function --- group_vars/matrix_servers | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ec999333..293907f7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1422,11 +1422,11 @@ matrix_postgres_backup_connection_password: "{{ matrix_postgres_connection_passw # the default matrix synapse databse is not always part of the matrix_postgres_additional_databases variable thus we have to add it if the default database is used matrix_postgres_backup_databases: | {{ - ([ - matrix_synapse_database_database, - ] if (matrix_synapse_enabled and matrix_synapse_database_database == matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + (([{ + 'name': matrix_synapse_database_database + }] if (matrix_synapse_enabled and matrix_synapse_database_database == matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + - matrix_postgres_additional_databases|map(attribute='name') + matrix_postgres_additional_databases)|map(attribute='name')|list }} ###################################################################### From 37c089bb96b6fbf09989ee29ab478e60e7018ec6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Apr 2021 11:13:45 +0300 Subject: [PATCH 2081/2384] Minor docs improvements --- docs/configuring-playbook-postgres-backup.md | 24 ++++++++++++++------ docs/maintenance-postgres.md | 4 +++- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/docs/configuring-playbook-postgres-backup.md b/docs/configuring-playbook-postgres-backup.md index 7be0064f..2b58b1aa 100644 --- a/docs/configuring-playbook-postgres-backup.md +++ b/docs/configuring-playbook-postgres-backup.md @@ -4,14 +4,24 @@ The playbook can install and configure [docker-postgres-backup-local](https://gi ## Adjusting the playbook configuration +Minimal working configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) to enable Postgres backup: + +```yaml +matrix_postgres_backup_enabled: true +``` + +Refer to the table below for additional configuration variables and their default values. + + | Name | Default value | Description | | :-------------------------------- | :--------------------------- | :--------------------------------------------------------------- | -|matrix_postgres_backup_enabled|false|Set to true to use [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) to create automatic database backups| -|matrix_postgres_backup_schedule| '@daily' |Cron-schedule specifying the interval between postgres backups.| -|matrix_postgres_backup_keep_days|"7"|Number of daily backups to keep| -|matrix_postgres_backup_keep_weeks|"4"|Number of weekly backups to keep| -|matrix_postgres_backup_keep_months|"12"|Number of monthly backups to keep| -|matrix_postgres_backup_path | "{{ matrix_base_data_path }}/postgres-backup" | Storagepath for the database backups| +|`matrix_postgres_backup_enabled`|`false`|Set to true to use [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) to create automatic database backups| +|`matrix_postgres_backup_schedule`| `'@daily'` |Cron-schedule specifying the interval between postgres backups.| +|`matrix_postgres_backup_keep_days`|`"7"`|Number of daily backups to keep| +|`matrix_postgres_backup_keep_weeks`|`"4"`|Number of weekly backups to keep| +|`matrix_postgres_backup_keep_months`|`"12"`|Number of monthly backups to keep| +|`matrix_postgres_backup_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Storagepath for the database backups| + ## Installing @@ -19,4 +29,4 @@ After configuring the playbook, run the [installation](installing.md) command ag ``` ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start -``` \ No newline at end of file +``` diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index d43a5dc7..9b748d28 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -49,7 +49,9 @@ ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-vacuum,start ## Backing up PostgreSQL -To make a back up of the current PostgreSQL database, make sure it's running and then execute a command like this on the server: +To automatically make Postgres database backups on a fixed schedule, see [Setting up postgres backup](configuring-playbook-postgres-backup.md). + +To make a one off back up of the current PostgreSQL database, make sure it's running and then execute a command like this on the server: ```bash /usr/bin/docker exec \ From 6526087c146c61e9f75ef6b22ca9421d8bbebca8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Apr 2021 11:16:44 +0300 Subject: [PATCH 2082/2384] Announce automated local Postgres backup support --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb55c7c2..326c2103 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +# 2021-04-05 + +## Automated local Postgres backup support + +Thanks to [foxcris](https://github.com/foxcris), the playbook can now make automated local Postgres backups on a fixed schedule using [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local). + +Additional details are available in [Setting up postgres backup](docs/configuring-playbook-postgres-backup.md). + + + # 2021-04-03 ## Mjolnir moderation tool (bot) support From 298556e02e12e51c72a1a67e3af83343e49d2b97 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Apr 2021 11:22:26 +0300 Subject: [PATCH 2083/2384] Fix undefined matrix_postgres_backup_detected_version_corresponding_docker_image .. and prevent variable name overlap with `matrix-postgres` for the other variables as well. Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/868 --- .../util/detect_existing_postgres_version.yml | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml b/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml index da15a287..87a81f74 100644 --- a/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml +++ b/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml @@ -5,52 +5,52 @@ - name: Initialize Postgres version determination variables (default to empty) set_fact: - matrix_postgres_detection_pg_version_path: "{{ matrix_postgres_data_path }}/PG_VERSION" - matrix_postgres_detected_existing: false - matrix_postgres_detected_version: "" - matrix_postgres_detected_version_corresponding_docker_image: "" + matrix_postgres_backup_detection_pg_version_path: "{{ matrix_postgres_data_path }}/PG_VERSION" + matrix_postgres_backup_detected_existing: false + matrix_postgres_backup_detected_version: "" + matrix_postgres_backup_detected_version_corresponding_docker_image: "" - name: Determine existing Postgres version (check PG_VERSION file) stat: - path: "{{ matrix_postgres_detection_pg_version_path }}" + path: "{{ matrix_postgres_backup_detection_pg_version_path }}" register: result_pg_version_stat - set_fact: - matrix_postgres_detected_existing: true + matrix_postgres_backup_detected_existing: true when: "result_pg_version_stat.stat.exists" - name: Determine existing Postgres version (read PG_VERSION file) slurp: - src: "{{ matrix_postgres_detection_pg_version_path }}" + src: "{{ matrix_postgres_backup_detection_pg_version_path }}" register: result_pg_version - when: matrix_postgres_detected_existing|bool + when: matrix_postgres_backup_detected_existing|bool - name: Determine existing Postgres version (make sense of PG_VERSION file) set_fact: - matrix_postgres_detected_version: "{{ result_pg_version['content']|b64decode|replace('\n', '') }}" - when: matrix_postgres_detected_existing|bool + matrix_postgres_backup_detected_version: "{{ result_pg_version['content']|b64decode|replace('\n', '') }}" + when: matrix_postgres_backup_detected_existing|bool - name: Determine corresponding Docker image to detected version (assume default of latest) set_fact: matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_latest }}" - when: "matrix_postgres_detected_version != ''" + when: "matrix_postgres_backup_detected_version != ''" - name: Determine corresponding Docker image to detected version (use 9.x, if detected) set_fact: matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v9 }}" - when: "matrix_postgres_detected_version.startswith('9.')" + when: "matrix_postgres_backup_detected_version.startswith('9.')" - name: Determine corresponding Docker image to detected version (use 10.x, if detected) set_fact: matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v10 }}" - when: "matrix_postgres_detected_version == '10' or matrix_postgres_detected_version.startswith('10.')" + when: "matrix_postgres_backup_detected_version == '10' or matrix_postgres_backup_detected_version.startswith('10.')" - name: Determine corresponding Docker image to detected version (use 11.x, if detected) set_fact: matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v11 }}" - when: "matrix_postgres_detected_version == '11' or matrix_postgres_detected_version.startswith('11.')" + when: "matrix_postgres_backup_detected_version == '11' or matrix_postgres_backup_detected_version.startswith('11.')" - name: Determine corresponding Docker image to detected version (use 12.x, if detected) set_fact: matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v12 }}" - when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')" + when: "matrix_postgres_backup_detected_version == '12' or matrix_postgres_backup_detected_version.startswith('12.')" From 1b55766927137f702e56c34b6d47fd66f744247f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Apr 2021 11:32:19 +0300 Subject: [PATCH 2084/2384] Do not redefine matrix-postgres role vars in matrix-postgres-backup Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/868 --- group_vars/matrix_servers | 4 +++- roles/matrix-postgres-backup/defaults/main.yml | 8 +++++--- roles/matrix-postgres-backup/tasks/main.yml | 2 +- .../tasks/setup_postgres_backup.yml | 4 ++-- 4 files changed, 11 insertions(+), 7 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index bda429dc..06282dfa 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1786,6 +1786,8 @@ matrix_postgres_backup_connection_port: "{{ matrix_postgres_connection_port }}" matrix_postgres_backup_connection_username: "{{ matrix_postgres_connection_username }}" matrix_postgres_backup_connection_password: "{{ matrix_postgres_connection_password }}" +matrix_postgres_backup_postgres_data_path: "{{ matrix_postgres_data_path if matrix_postgres_enabled else '' }}" + # the default matrix synapse databse is not always part of the matrix_postgres_additional_databases variable thus we have to add it if the default database is used matrix_postgres_backup_databases: | {{ @@ -1800,4 +1802,4 @@ matrix_postgres_backup_databases: | # # /matrix-postgres-backup # -###################################################################### \ No newline at end of file +###################################################################### diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index 2f3dbc9e..cc2107f7 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -14,8 +14,10 @@ matrix_postgres_backup_healthcheck_port: "8080" matrix_postgres_backup_databases: [] matrix_postgres_backup_path: "{{ matrix_base_data_path }}/postgres-backup" -matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" -matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" +# Specifies where the Postgres data is. +# We use this to autodetect the Postgres version during playbook runtime (by parsing the `PG_VERSION` file contained there). +# You can leave this empty to prevent auto-detection. +matrix_postgres_backup_postgres_data_path: "" matrix_postgres_backup_architecture: amd64 @@ -35,4 +37,4 @@ matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_im # This variable is assigned at runtime. Overriding its value has no effect. matrix_postgres_backup_docker_image_to_use: '{{ matrix_postgres_backup_docker_image_latest }}' -matrix_postgres_backup_docker_image_force_pull: "{{ matrix_postgres_backup_docker_image_to_use.endswith(':latest') }}" \ No newline at end of file +matrix_postgres_backup_docker_image_force_pull: "{{ matrix_postgres_backup_docker_image_to_use.endswith(':latest') }}" diff --git a/roles/matrix-postgres-backup/tasks/main.yml b/roles/matrix-postgres-backup/tasks/main.yml index f819b8e9..40f4a8bf 100644 --- a/roles/matrix-postgres-backup/tasks/main.yml +++ b/roles/matrix-postgres-backup/tasks/main.yml @@ -14,4 +14,4 @@ when: run_setup|bool tags: - setup-all - - setup-postgres-backup \ No newline at end of file + - setup-postgres-backup diff --git a/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml b/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml index 640d4f14..9761088d 100644 --- a/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml +++ b/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml @@ -4,14 +4,14 @@ # Tasks related to setting up an internal postgres server # - import_tasks: "{{ role_path }}/tasks/util/detect_existing_postgres_version.yml" - when: matrix_postgres_enabled|bool + when: 'matrix_postgres_backup_enabled|bool and matrix_postgres_backup_postgres_data_path != ""' # If we have found an existing version (installed from before), we use its corresponding Docker image. # If not, we install using the latest Postgres. # # Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`). - set_fact: - matrix_postgres_backup_docker_image_to_use: "{{ matrix_postgres_backup_docker_image_latest if matrix_postgres_backup_detected_version_corresponding_docker_image == '' else matrix_postgres_backup_detected_version_corresponding_docker_image }}" + matrix_postgres_backup_docker_image_to_use: "{{ matrix_postgres_backup_docker_image_latest if matrix_postgres_backup_detected_version_corresponding_docker_image|default('') == '' else matrix_postgres_backup_detected_version_corresponding_docker_image }}" when: matrix_postgres_backup_enabled|bool - name: Ensure postgres backup Docker image is pulled From 832e191ab8b20ed2a1b0e5cdae9c9b6c8ba1e560 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Apr 2021 11:32:46 +0300 Subject: [PATCH 2085/2384] Fix incorrect variable usage in when statement Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/868 --- roles/matrix-postgres-backup/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-postgres-backup/tasks/main.yml b/roles/matrix-postgres-backup/tasks/main.yml index 40f4a8bf..19e3db5b 100644 --- a/roles/matrix-postgres-backup/tasks/main.yml +++ b/roles/matrix-postgres-backup/tasks/main.yml @@ -5,7 +5,7 @@ - always - import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_postgres_enabled|bool" + when: "run_setup|bool and matrix_postgres_backup_enabled|bool" tags: - setup-all - setup-postgres-backup From c386e8e9dba0e754106ab2ef4348b40c797e32c4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 5 Apr 2021 11:38:23 +0300 Subject: [PATCH 2086/2384] Use integers for some variables Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/868 --- docs/configuring-playbook-postgres-backup.md | 6 +++--- roles/matrix-postgres-backup/defaults/main.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/configuring-playbook-postgres-backup.md b/docs/configuring-playbook-postgres-backup.md index 2b58b1aa..2d878c11 100644 --- a/docs/configuring-playbook-postgres-backup.md +++ b/docs/configuring-playbook-postgres-backup.md @@ -17,9 +17,9 @@ Refer to the table below for additional configuration variables and their defaul | :-------------------------------- | :--------------------------- | :--------------------------------------------------------------- | |`matrix_postgres_backup_enabled`|`false`|Set to true to use [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) to create automatic database backups| |`matrix_postgres_backup_schedule`| `'@daily'` |Cron-schedule specifying the interval between postgres backups.| -|`matrix_postgres_backup_keep_days`|`"7"`|Number of daily backups to keep| -|`matrix_postgres_backup_keep_weeks`|`"4"`|Number of weekly backups to keep| -|`matrix_postgres_backup_keep_months`|`"12"`|Number of monthly backups to keep| +|`matrix_postgres_backup_keep_days`|`7`|Number of daily backups to keep| +|`matrix_postgres_backup_keep_weeks`|`4`|Number of weekly backups to keep| +|`matrix_postgres_backup_keep_months`|`12`|Number of monthly backups to keep| |`matrix_postgres_backup_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Storagepath for the database backups| diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index cc2107f7..d34e95a2 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -7,9 +7,9 @@ matrix_postgres_backup_connection_password: "" matrix_postgres_backup_extra_opts: "-Z9 --schema=public --blobs" matrix_postgres_backup_schedule: "@daily" -matrix_postgres_backup_keep_days: "7" -matrix_postgres_backup_keep_weeks: "4" -matrix_postgres_backup_keep_months: "12" +matrix_postgres_backup_keep_days: 7 +matrix_postgres_backup_keep_weeks: 4 +matrix_postgres_backup_keep_months: 12 matrix_postgres_backup_healthcheck_port: "8080" matrix_postgres_backup_databases: [] matrix_postgres_backup_path: "{{ matrix_base_data_path }}/postgres-backup" From a1a0d9160410ec3e1a9fe66ad3cafb533cb6fa65 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Apr 2021 12:23:43 +0300 Subject: [PATCH 2087/2384] Make prometheus-node-exporter not overlap with Synapse metrics port This was causing a port conflict when `matrix_nginx_proxy_enabled: false`. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/983 --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 06282dfa..abb12a12 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1677,7 +1677,7 @@ matrix_prometheus_node_exporter_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus Node Exporter over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Prometheus' HTTP port to the local host. -matrix_prometheus_node_exporter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9100' }}" +matrix_prometheus_node_exporter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9200' }}" ###################################################################### # From 3f426de5996bed4f587a27ad46ec4613cc6c81f0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Apr 2021 16:00:10 +0300 Subject: [PATCH 2088/2384] Upgrade Synapse (1.30.1 -> 1.31.0) --- roles/matrix-synapse/defaults/main.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 56 +++++++++---------- roles/matrix-synapse/vars/workers.yml | 5 +- 3 files changed, 28 insertions(+), 35 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a68def4b..155fd5f5 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,7 +15,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.30.1 +matrix_synapse_version: v1.31.0 matrix_synapse_version_arm64: v1.30.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 4be50524..ace2dd45 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -869,10 +869,10 @@ rc_admin_redaction: {{ matrix_synapse_rc_admin_redaction|to_json }} #rc_joins: # local: # per_second: 0.1 -# burst_count: 3 +# burst_count: 10 # remote: # per_second: 0.01 -# burst_count: 3 +# burst_count: 10 rc_joins: {{ matrix_synapse_rc_joins|to_json }} # #rc_3pid_validation: @@ -1772,6 +1772,9 @@ saml2_config: # Note that, if this is changed, users authenticating via that provider # will no longer be recognised as the same user! # +# (Use "oidc" here if you are migrating from an old "oidc_config" +# configuration.) +# # idp_name: A user-facing name for this identity provider, which is used to # offer the user a choice of login mechanisms. # @@ -1887,6 +1890,24 @@ saml2_config: # which is set to the claims returned by the UserInfo Endpoint and/or # in the ID Token. # +# It is possible to configure Synapse to only allow logins if certain attributes +# match particular values in the OIDC userinfo. The requirements can be listed under +# `attribute_requirements` as shown below. All of the listed attributes must +# match for the login to be permitted. Additional attributes can be added to +# userinfo by expanding the `scopes` section of the OIDC config to retrieve +# additional information from the OIDC provider. +# +# If the OIDC claim is a list, then the attribute must match any value in the list. +# Otherwise, it must exactly match the value of the claim. Using the example +# below, the `family_name` claim MUST be "Stephensson", but the `groups` +# claim MUST contain "admin". +# +# attribute_requirements: +# - attribute: family_name +# value: "Stephensson" +# - attribute: groups +# value: "admin" +# # See https://github.com/matrix-org/synapse/blob/master/docs/openid.md # for information on how to configure these options. # @@ -1918,34 +1939,9 @@ oidc_providers: # localpart_template: "{% raw %}{{ user.login }}{% endraw %}" # display_name_template: "{% raw %}{{ user.name }}{% endraw %}" # email_template: "{% raw %}{{ user.email }}{% endraw %}" - - # For use with Keycloak - # - #- idp_id: keycloak - # idp_name: Keycloak - # issuer: "https://127.0.0.1:8443/auth/realms/my_realm_name" - # client_id: "synapse" - # client_secret: "copy secret generated in Keycloak UI" - # scopes: ["openid", "profile"] - - # For use with Github - # - #- idp_id: github - # idp_name: Github - # idp_brand: github - # discover: false - # issuer: "https://github.com/" - # client_id: "your-client-id" # TO BE FILLED - # client_secret: "your-client-secret" # TO BE FILLED - # authorization_endpoint: "https://github.com/login/oauth/authorize" - # token_endpoint: "https://github.com/login/oauth/access_token" - # userinfo_endpoint: "https://api.github.com/user" - # scopes: ["read:user"] - # user_mapping_provider: - # config: - # subject_claim: "id" - # localpart_template: "{% raw %}{{ user.login }}{% endraw %}" - # display_name_template: "{% raw %}{{ user.name }}{% endraw %}" + # attribute_requirements: + # - attribute: userGroup + # value: "synapseUsers" # Enable Central Authentication Service (CAS) for registration and login. diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index 14b75a92..c989fb5b 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -55,9 +55,6 @@ matrix_synapse_workers_generic_worker_endpoints: # Registration/login requests - ^/_matrix/client/(api/v1|r0|unstable)/login$ - ^/_matrix/client/(r0|unstable)/register$ - # FIXME: possible bug with SSO and multiple generic workers - # see https://github.com/matrix-org/synapse/issues/7530 - # ^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$ # Event sending requests - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/redact @@ -107,7 +104,7 @@ matrix_synapse_workers_generic_worker_endpoints: # Ensure that all SSO logins go to a single process. # For multiple workers not handling the SSO endpoints properly, see - # [#7530](https://github.com/matrix-org/synapse/issues/7530) and + # [#7530](https://github.com/matrix-org/synapse/issues/7530) and # [#9427](https://github.com/matrix-org/synapse/issues/9427). # Note that a HTTP listener with `client` and `federation` resources must be From 4830b7d830513cfcfe31daa182c756d4d21d2189 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Apr 2021 17:22:25 +0300 Subject: [PATCH 2089/2384] Upgrade Synapse for ARM64 (1.30.1 -> 1.31.0) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 155fd5f5..bb76821e 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -16,7 +16,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. matrix_synapse_version: v1.31.0 -matrix_synapse_version_arm64: v1.30.1 +matrix_synapse_version_arm64: v1.31.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 3e119e483e6811a841c5dabc8607e86dc1d49e58 Mon Sep 17 00:00:00 2001 From: Marcus Date: Wed, 7 Apr 2021 21:34:16 +0200 Subject: [PATCH 2090/2384] Update init.yml fix nginx boot loop --- .../matrix-bridge-appservice-webhooks/tasks/init.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml index 53e2cce8..a42e14c9 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml @@ -44,16 +44,19 @@ - name: Generate Matrix Appservice webhooks proxying configuration for matrix-nginx-proxy set_fact: matrix_appservice_webhooks_matrix_nginx_proxy_configuration: | - location {{ matrix_appservice_webhooks_public_endpoint }}/ { {% if matrix_nginx_proxy_enabled|default(False) %} {# Use the embedded DNS resolver in Docker containers to discover the service #} + location ~ ^{{ matrix_appservice_webhooks_public_endpoint }}/(.*)$ { resolver 127.0.0.11 valid=5s; - proxy_pass {{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}/; + set $backend "matrix-appservice-webhooks:{{ matrix_appservice_webhooks_matrix_port }}"; + proxy_pass http://$backend/$1; + } {% else %} - {# Generic configuration for use outside of our container setup #} + {# Generic configuration for use outside of our container setup #} + location {{ matrix_appservice_webhooks_public_endpoint }}/ { proxy_pass http://127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}/; - {% endif %} } + {% endif %} - name: Register webhooks Appservice proxying configuration with matrix-nginx-proxy set_fact: From 3e11ee158e89b12b9d43fcd5afa7e03513a7e1e0 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Thu, 8 Apr 2021 13:32:44 -0500 Subject: [PATCH 2091/2384] Fix step 3 of Mjolnir instructions --- docs/configuring-playbook-bot-mjolnir.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 0a5860c1..1b0241e1 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -46,7 +46,7 @@ You will need to prevent Synapse from rate limiting the bot's account. This is n 1. Copy the statement below into a text editor. ``` - INSERT INTO ratelimit_override VALUES ("@bot.mjolnir:DOMAIN", 0, 0); + INSERT INTO ratelimit_override VALUES ('@bot.mjolnir:DOMAIN', 0, 0); ``` 1. Change the username (`@bot.mjolnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain. From 3d2142f88bb26ea613ebc6b35c824cfc69086069 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 10 Apr 2021 16:14:32 -0500 Subject: [PATCH 2092/2384] Add sanity check for server architecture --- roles/matrix-base/tasks/sanity_check.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index c31d9137..265dc282 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -52,3 +52,10 @@ when: - ansible_distribution == 'Archlinux' - ansible_python.version.major != 3 + +- name: Fail if architecture is set incorrectly + fail: + msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}." + when: (ansible_architecture == "x86_64" and matrix_architecture != "amd64") or + (ansible_architecture == "aarch64" and matrix_architecture != "arm64") or + (ansible_architecture.startswith("armv") and matrix_architecture != "arm32") From f52a8b6484cd61c9b3660e747dd0709814fa8032 Mon Sep 17 00:00:00 2001 From: Ahmad Haghighi Date: Sat, 10 Apr 2021 22:43:56 +0430 Subject: [PATCH 2093/2384] use custom docker registry --- group_vars/matrix_servers | 1 + .../matrix-bot-matrix-reminder-bot/defaults/main.yml | 2 +- roles/matrix-bot-mjolnir/defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- .../matrix-bridge-appservice-slack/defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../matrix-bridge-mx-puppet-skype/defaults/main.yml | 2 +- .../matrix-bridge-mx-puppet-slack/defaults/main.yml | 2 +- .../matrix-bridge-mx-puppet-steam/defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- roles/matrix-bridge-sms/defaults/main.yml | 2 +- roles/matrix-client-element/defaults/main.yml | 2 +- roles/matrix-corporal/defaults/main.yml | 2 +- roles/matrix-coturn/defaults/main.yml | 2 +- roles/matrix-dimension/defaults/main.yml | 2 +- roles/matrix-dynamic-dns/defaults/main.yml | 2 +- roles/matrix-email2matrix/defaults/main.yml | 2 +- roles/matrix-etherpad/defaults/main.yml | 2 +- roles/matrix-grafana/defaults/main.yml | 2 +- roles/matrix-jitsi/defaults/main.yml | 8 ++++---- roles/matrix-ma1sd/defaults/main.yml | 2 +- roles/matrix-mailer/defaults/main.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++-- roles/matrix-postgres-backup/defaults/main.yml | 10 +++++----- roles/matrix-postgres/defaults/main.yml | 12 ++++++------ .../defaults/main.yml | 2 +- roles/matrix-prometheus/defaults/main.yml | 2 +- roles/matrix-redis/defaults/main.yml | 2 +- roles/matrix-registration/defaults/main.yml | 2 +- roles/matrix-sygnal/defaults/main.yml | 2 +- roles/matrix-synapse-admin/defaults/main.yml | 2 +- roles/matrix-synapse/defaults/main.yml | 2 +- 36 files changed, 49 insertions(+), 48 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index abb12a12..f3c94110 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -9,6 +9,7 @@ # You can also override ANY variable (seen here or in any given role), # by re-defining it in your own configuration file (`inventory/host_vars/matrix.`). +matrix_global_registry: "docker.io/" ###################################################################### # diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index dd18579c..cc4fc59a 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -3,7 +3,7 @@ matrix_bot_matrix_reminder_bot_enabled: true matrix_bot_matrix_reminder_bot_version: release-v0.2.0 -matrix_bot_matrix_reminder_bot_docker_image: "docker.io/anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}" +matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_global_registry }}anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}" matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}" matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot" diff --git a/roles/matrix-bot-mjolnir/defaults/main.yml b/roles/matrix-bot-mjolnir/defaults/main.yml index e7b54364..4c7027a2 100644 --- a/roles/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/matrix-bot-mjolnir/defaults/main.yml @@ -3,7 +3,7 @@ matrix_bot_mjolnir_enabled: true matrix_bot_mjolnir_version: "v0.1.17" -matrix_bot_mjolnir_docker_image: "docker.io/matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" +matrix_bot_mjolnir_docker_image: "{{ matrix_global_registry }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}" matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir" diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 360963bb..4c9a8acf 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -4,7 +4,7 @@ matrix_appservice_discord_enabled: true matrix_appservice_discord_version: v1.0.0 -matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:{{ matrix_appservice_discord_version }}" +matrix_appservice_discord_docker_image: "{{ matrix_global_registry }}halfshot/matrix-appservice-discord:{{ matrix_appservice_discord_version }}" matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}" matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord" diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index b8a17972..87e4857f 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -8,7 +8,7 @@ matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appserv matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" matrix_appservice_irc_version: release-0.25.0 -matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" +matrix_appservice_irc_docker_image: "{{ matrix_global_registry }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index a0032a0d..2dd3e858 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -8,7 +8,7 @@ matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appse matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" matrix_appservice_slack_version: release-1.5.0 -matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}" +matrix_appservice_slack_docker_image: "{{ matrix_global_registry }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack" diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 82e0925c..7a455c6a 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -4,7 +4,7 @@ matrix_appservice_webhooks_enabled: true matrix_appservice_webhooks_version: latest -matrix_appservice_webhooks_docker_image: "docker.io/turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" +matrix_appservice_webhooks_docker_image: "{{ matrix_global_registry }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks" diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 34a8ee36..f81f262c 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_discord_container_http_host_bind_port: '' matrix_mx_puppet_discord_version: latest matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:{{ matrix_mx_puppet_discord_version }}" -matrix_mx_puppet_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_discord_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_discord_container_image_self_build else matrix_global_registry }}" matrix_mx_puppet_discord_docker_image_force_pull: "{{ matrix_mx_puppet_discord_docker_image.endswith(':latest') }}" matrix_mx_puppet_discord_base_path: "{{ matrix_base_data_path }}/mx-puppet-discord" diff --git a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml index cfc2aa0d..589da301 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_groupme_container_http_host_bind_port: '' matrix_mx_puppet_groupme_version: latest matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:{{ matrix_mx_puppet_groupme_version }}" -matrix_mx_puppet_groupme_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_groupme_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_groupme_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_groupme_container_image_self_build else matrix_global_registry }}" matrix_mx_puppet_groupme_docker_image_force_pull: "{{ matrix_mx_puppet_groupme_docker_image.endswith(':latest') }}" matrix_mx_puppet_groupme_base_path: "{{ matrix_base_data_path }}/mx-puppet-groupme" diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml index 24377fb3..bb74b5f0 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mx_puppet_instagram_container_image_self_build_repo: "https://github.com/ matrix_mx_puppet_instagram_version: latest matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:{{ matrix_mx_puppet_instagram_version }}" -matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else matrix_global_registry }}" matrix_mx_puppet_instagram_docker_image_force_pull: "{{ matrix_mx_puppet_instagram_docker_image.endswith(':latest') }}" matrix_mx_puppet_instagram_base_path: "{{ matrix_base_data_path }}/mx-puppet-instagram" diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 0f603df0..88cd79e5 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mx_puppet_skype_container_image_self_build_repo: "https://github.com/Soru matrix_mx_puppet_skype_version: latest matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:{{ matrix_mx_puppet_skype_version }}" -matrix_mx_puppet_skype_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_skype_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_skype_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_skype_container_image_self_build else matrix_global_registry }}" matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}" matrix_mx_puppet_skype_base_path: "{{ matrix_base_data_path }}/mx-puppet-skype" diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 32df7236..cb2144dc 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_slack_container_http_host_bind_port: '' matrix_mx_puppet_slack_version: latest matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:{{ matrix_mx_puppet_slack_version }}" -matrix_mx_puppet_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_slack_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_slack_container_image_self_build else matrix_global_registry }}" matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}" matrix_mx_puppet_slack_base_path: "{{ matrix_base_data_path }}/mx-puppet-slack" diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index 7123e040..ca94b57c 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_steam_container_http_host_bind_port: '' matrix_mx_puppet_steam_version: latest matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:{{ matrix_mx_puppet_steam_version }}" -matrix_mx_puppet_steam_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_steam_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_steam_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_steam_container_image_self_build else matrix_global_registry }}" matrix_mx_puppet_steam_docker_image_force_pull: "{{ matrix_mx_puppet_steam_docker_image.endswith(':latest') }}" matrix_mx_puppet_steam_base_path: "{{ matrix_base_data_path }}/mx-puppet-steam" diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index c10f521d..d130e2c2 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: '' matrix_mx_puppet_twitter_version: latest matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:{{ matrix_mx_puppet_twitter_version }}" -matrix_mx_puppet_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_twitter_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_twitter_container_image_self_build else matrix_global_registry }}" matrix_mx_puppet_twitter_docker_image_force_pull: "{{ matrix_mx_puppet_twitter_docker_image.endswith(':latest') }}" matrix_mx_puppet_twitter_base_path: "{{ matrix_base_data_path }}/mx-puppet-twitter" diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 0382a2b2..66b9ef87 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -4,7 +4,7 @@ matrix_sms_bridge_enabled: true matrix_sms_bridge_version: 0.5.5 -matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}" +matrix_sms_bridge_docker_image: "{{ matrix_global_registry }}folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index b6c3ce98..eb99d773 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto matrix_client_element_version: v1.7.24.1 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" -matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" +matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_global_registry }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element" diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index c35e4b22..4f315e90 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service'] matrix_corporal_version: 2.1.0 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" -matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}" +matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_global_registry }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 4f27e0d9..c7242008 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -5,7 +5,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentist matrix_coturn_version: 4.5.2 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}" -matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}" +matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_global_registry }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" # The Docker network that Coturn would be put into. diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index e4ded37a..67a8a82d 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -13,7 +13,7 @@ matrix_dimension_widgets_allow_self_signed_ssl_certificates: false matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" matrix_dimension_version: latest -matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:{{ matrix_dimension_version }}" +matrix_dimension_docker_image: "{{ matrix_global_registry }}turt2live/matrix-dimension:{{ matrix_dimension_version }}" matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}" # List of systemd services that matrix-dimension.service depends on. diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index 1ec681da..a66ec0d3 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -9,7 +9,7 @@ matrix_dynamic_dns_version: v3.9.1-ls45 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" -matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else 'docker.io/' }}" +matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else matrix_global_registry }}" # The image to force pull matrix_dynamic_dns_docker_image_force_pull: "{{ matrix_dynamic_dns_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-email2matrix/defaults/main.yml b/roles/matrix-email2matrix/defaults/main.yml index b5593882..2cacd4ba 100644 --- a/roles/matrix-email2matrix/defaults/main.yml +++ b/roles/matrix-email2matrix/defaults/main.yml @@ -4,7 +4,7 @@ matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix" matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config" matrix_email2matrix_version: 1.0.1 -matrix_email2matrix_docker_image: "docker.io/devture/email2matrix:{{ matrix_email2matrix_version }}" +matrix_email2matrix_docker_image: "{{ matrix_global_registry }}devture/email2matrix:{{ matrix_email2matrix_version }}" matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 90883310..87f09c34 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -3,7 +3,7 @@ matrix_etherpad_enabled: false matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" matrix_etherpad_version: 1.8.12 -matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:{{ matrix_etherpad_version }}" +matrix_etherpad_docker_image: "{{ matrix_global_registry }}etherpad/etherpad:{{ matrix_etherpad_version }}" matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" # List of systemd services that matrix-etherpad.service depends on. diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index dd4c2753..c33c4e23 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -4,7 +4,7 @@ matrix_grafana_enabled: false matrix_grafana_version: 7.5.2 -matrix_grafana_docker_image: "docker.io/grafana/grafana:{{ matrix_grafana_version }}" +matrix_grafana_docker_image: "{{ matrix_global_registry }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" # Not conditional, because when someone disables metrics diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 6d14a823..aac7a3a2 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -55,7 +55,7 @@ matrix_jitsi_enable_lobby: false matrix_jitsi_version: stable-5142 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility -matrix_jitsi_web_docker_image: "docker.io/jitsi/web:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_web_docker_image: "{{ matrix_global_registry }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" @@ -163,7 +163,7 @@ matrix_jitsi_web_custom_config_extension: '' matrix_jitsi_web_environment_variables_extension: '' -matrix_jitsi_prosody_docker_image: "docker.io/jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_prosody_docker_image: "{{ matrix_global_registry }}jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -177,7 +177,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "docker.io/jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_jicofo_docker_image: "{{ matrix_global_registry }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -194,7 +194,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "docker.io/jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_jvb_docker_image: "{{ matrix_global_registry }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 62828d95..65524b24 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -12,7 +12,7 @@ matrix_ma1sd_architecture: "amd64" matrix_ma1sd_version: "2.4.0" matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}" -matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else 'docker.io/' }}" +matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else matrix_global_registry }}" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index 4c29f47a..d48691ed 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -9,7 +9,7 @@ matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image matrix_mailer_version: 4.93-r1 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" -matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else 'docker.io/' }}" +matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_global_registry }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" # The user/group that the container runs with. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 440f7a32..56b91a6b 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -4,7 +4,7 @@ matrix_nginx_proxy_version: 1.19.8-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "docker.io/nginx:{{ matrix_nginx_proxy_version }}" +matrix_nginx_proxy_docker_image: "{{ matrix_global_registry }}nginx:{{ matrix_nginx_proxy_version }}" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" @@ -354,7 +354,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.11.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_global_registry }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.11.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index d34e95a2..ebbd8257 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -27,11 +27,11 @@ matrix_postgres_backup_architecture: amd64 # > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault matrix_postgres_backup_docker_image_suffix: "{{ '-alpine' if matrix_postgres_backup_architecture in ['amd64', 'arm64'] else '' }}" -matrix_postgres_backup_docker_image_v9: "docker.io/prodrigestivill/postgres-backup-local:9.6{{ matrix_postgres_backup_docker_image_suffix }}" -matrix_postgres_backup_docker_image_v10: "docker.io/prodrigestivill/postgres-backup-local:10{{ matrix_postgres_backup_docker_image_suffix }}" -matrix_postgres_backup_docker_image_v11: "docker.io/prodrigestivill/postgres-backup-local:11{{ matrix_postgres_backup_docker_image_suffix }}" -matrix_postgres_backup_docker_image_v12: "docker.io/prodrigestivill/postgres-backup-local:12{{ matrix_postgres_backup_docker_image_suffix }}" -matrix_postgres_backup_docker_image_v13: "docker.io/prodrigestivill/postgres-backup-local:13{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v9: "{{ matrix_global_registry }}prodrigestivill/postgres-backup-local:9.6{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v10: "{{ matrix_global_registry }}prodrigestivill/postgres-backup-local:10{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v11: "{{ matrix_global_registry }}prodrigestivill/postgres-backup-local:11{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v12: "{{ matrix_global_registry }}prodrigestivill/postgres-backup-local:12{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v13: "{{ matrix_global_registry }}prodrigestivill/postgres-backup-local:13{{ matrix_postgres_backup_docker_image_suffix }}" matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v13 }}" # This variable is assigned at runtime. Overriding its value has no effect. diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 8e1d2a8e..ffff102a 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -17,11 +17,11 @@ matrix_postgres_architecture: amd64 # > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" -matrix_postgres_docker_image_v9: "docker.io/postgres:9.6.21{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v10: "docker.io/postgres:10.16{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v11: "docker.io/postgres:11.11{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v12: "docker.io/postgres:12.6{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v13: "docker.io/postgres:13.2{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v9: "{{ matrix_global_registry }}postgres:9.6.21{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v10: "{{ matrix_global_registry }}postgres:10.16{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v11: "{{ matrix_global_registry }}postgres:11.11{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v12: "{{ matrix_global_registry }}postgres:12.6{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v13: "{{ matrix_global_registry }}postgres:13.2{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" # This variable is assigned at runtime. Overriding its value has no effect. @@ -90,6 +90,6 @@ matrix_postgres_pgloader_container_image_self_build_src_path: "{{ matrix_postgre # We use illagrenan/pgloader, instead of the more official dimitri/pgloader image, # because the official one only provides a `latest` tag. matrix_postgres_pgloader_docker_image: "{{ matrix_postgres_pgloader_docker_image_name_prefix }}illagrenan/pgloader:{{ matrix_postgres_pgloader_docker_image_tag }}" -matrix_postgres_pgloader_docker_image_name_prefix: "{{ 'localhost/' if matrix_postgres_pgloader_container_image_self_build else 'docker.io/' }}" +matrix_postgres_pgloader_docker_image_name_prefix: "{{ 'localhost/' if matrix_postgres_pgloader_container_image_self_build else matrix_global_registry }}" matrix_postgres_pgloader_docker_image_tag: "3.6.2" matrix_postgres_pgloader_docker_image_force_pull: "{{ matrix_postgres_pgloader_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index 47611f7c..a9ea9faf 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -4,7 +4,7 @@ matrix_prometheus_node_exporter_enabled: false matrix_prometheus_node_exporter_version: v1.1.0 -matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" +matrix_prometheus_node_exporter_docker_image: "{{ matrix_global_registry }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 123418d4..c4a1a9cb 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -4,7 +4,7 @@ matrix_prometheus_enabled: false matrix_prometheus_version: v2.24.1 -matrix_prometheus_docker_image: "docker.io/prom/prometheus:{{ matrix_prometheus_version }}" +matrix_prometheus_docker_image: "{{ matrix_global_registry }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus" diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml index a512618c..e2bd678c 100644 --- a/roles/matrix-redis/defaults/main.yml +++ b/roles/matrix-redis/defaults/main.yml @@ -6,7 +6,7 @@ matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" matrix_redis_version: 6.0.10-alpine -matrix_redis_docker_image_v6: "docker.io/redis:{{ matrix_redis_version }}" +matrix_redis_docker_image_v6: "{{ matrix_global_registry }}redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index 065e0c48..403600db 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -15,7 +15,7 @@ matrix_registration_docker_src_files_path: "{{ matrix_registration_base_path }}/ matrix_registration_version: "v0.7.2" matrix_registration_docker_image: "{{ matrix_registration_docker_image_name_prefix }}zeratax/matrix-registration:{{ matrix_registration_version }}" -matrix_registration_docker_image_name_prefix: "{{ 'localhost/' if matrix_registration_container_image_self_build else 'docker.io/' }}" +matrix_registration_docker_image_name_prefix: "{{ 'localhost/' if matrix_registration_container_image_self_build else matrix_global_registry }}" matrix_registration_docker_image_force_pull: "{{ matrix_registration_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-sygnal/defaults/main.yml b/roles/matrix-sygnal/defaults/main.yml index 50e0e26e..27c69592 100644 --- a/roles/matrix-sygnal/defaults/main.yml +++ b/roles/matrix-sygnal/defaults/main.yml @@ -8,7 +8,7 @@ matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data" matrix_sygnal_version: v0.9.0 -matrix_sygnal_docker_image: "docker.io/matrixdotorg/sygnal:{{ matrix_sygnal_version }}" +matrix_sygnal_docker_image: "{{ matrix_global_registry }}matrixdotorg/sygnal:{{ matrix_sygnal_version }}" matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" # List of systemd services that matrix-sygnal.service depends on. diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 1534bc82..05c4541e 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -10,7 +10,7 @@ matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse matrix_synapse_admin_version: 0.7.0 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" -matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else 'docker.io/' }}" +matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_global_registry }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index bb76821e..49bc7a1c 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_container_image_self_build: false matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/synapse.git" matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" -matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}" +matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_global_registry }}" # The if statement below may look silly at times (leading to the same version being returned), # but ARM-compatible container images are only released 1-7 hours after a release, # so we may often be on different versions for different architectures when new Synapse releases come out. From e335f3fc77ada47f63ae17d4f8991d483b6930f0 Mon Sep 17 00:00:00 2001 From: Ahmad Haghighi Date: Mon, 12 Apr 2021 17:09:16 +0430 Subject: [PATCH 2094/2384] rename matrix_global_registry to matrix_container_global_registry_prefix related to #990 Signed-off-by: Ahmad Haghighi --- .../matrix-bot-matrix-reminder-bot/defaults/main.yml | 2 +- roles/matrix-bot-mjolnir/defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- .../matrix-bridge-appservice-slack/defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../matrix-bridge-mx-puppet-skype/defaults/main.yml | 2 +- .../matrix-bridge-mx-puppet-slack/defaults/main.yml | 2 +- .../matrix-bridge-mx-puppet-steam/defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- roles/matrix-bridge-sms/defaults/main.yml | 2 +- roles/matrix-client-element/defaults/main.yml | 2 +- roles/matrix-corporal/defaults/main.yml | 2 +- roles/matrix-coturn/defaults/main.yml | 2 +- roles/matrix-dimension/defaults/main.yml | 2 +- roles/matrix-dynamic-dns/defaults/main.yml | 2 +- roles/matrix-email2matrix/defaults/main.yml | 2 +- roles/matrix-etherpad/defaults/main.yml | 2 +- roles/matrix-grafana/defaults/main.yml | 2 +- roles/matrix-jitsi/defaults/main.yml | 8 ++++---- roles/matrix-ma1sd/defaults/main.yml | 2 +- roles/matrix-mailer/defaults/main.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++-- roles/matrix-postgres-backup/defaults/main.yml | 10 +++++----- roles/matrix-postgres/defaults/main.yml | 12 ++++++------ .../defaults/main.yml | 2 +- roles/matrix-prometheus/defaults/main.yml | 2 +- roles/matrix-redis/defaults/main.yml | 2 +- roles/matrix-registration/defaults/main.yml | 2 +- roles/matrix-sygnal/defaults/main.yml | 2 +- roles/matrix-synapse-admin/defaults/main.yml | 2 +- roles/matrix-synapse/defaults/main.yml | 2 +- 35 files changed, 48 insertions(+), 48 deletions(-) diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index cc4fc59a..775dadcc 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -3,7 +3,7 @@ matrix_bot_matrix_reminder_bot_enabled: true matrix_bot_matrix_reminder_bot_version: release-v0.2.0 -matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_global_registry }}anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}" +matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_container_global_registry_prefix }}anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}" matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}" matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot" diff --git a/roles/matrix-bot-mjolnir/defaults/main.yml b/roles/matrix-bot-mjolnir/defaults/main.yml index 4c7027a2..f97e997c 100644 --- a/roles/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/matrix-bot-mjolnir/defaults/main.yml @@ -3,7 +3,7 @@ matrix_bot_mjolnir_enabled: true matrix_bot_mjolnir_version: "v0.1.17" -matrix_bot_mjolnir_docker_image: "{{ matrix_global_registry }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" +matrix_bot_mjolnir_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}" matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir" diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 4c9a8acf..9b9284dc 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -4,7 +4,7 @@ matrix_appservice_discord_enabled: true matrix_appservice_discord_version: v1.0.0 -matrix_appservice_discord_docker_image: "{{ matrix_global_registry }}halfshot/matrix-appservice-discord:{{ matrix_appservice_discord_version }}" +matrix_appservice_discord_docker_image: "{{ matrix_container_global_registry_prefix }}halfshot/matrix-appservice-discord:{{ matrix_appservice_discord_version }}" matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}" matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord" diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 87e4857f..410299b7 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -8,7 +8,7 @@ matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appserv matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" matrix_appservice_irc_version: release-0.25.0 -matrix_appservice_irc_docker_image: "{{ matrix_global_registry }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" +matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 2dd3e858..bb801273 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -8,7 +8,7 @@ matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appse matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" matrix_appservice_slack_version: release-1.5.0 -matrix_appservice_slack_docker_image: "{{ matrix_global_registry }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}" +matrix_appservice_slack_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack" diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 7a455c6a..7f26ea58 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -4,7 +4,7 @@ matrix_appservice_webhooks_enabled: true matrix_appservice_webhooks_version: latest -matrix_appservice_webhooks_docker_image: "{{ matrix_global_registry }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" +matrix_appservice_webhooks_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks" diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index f81f262c..7e99c9b2 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_discord_container_http_host_bind_port: '' matrix_mx_puppet_discord_version: latest matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:{{ matrix_mx_puppet_discord_version }}" -matrix_mx_puppet_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_discord_container_image_self_build else matrix_global_registry }}" +matrix_mx_puppet_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_discord_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_discord_docker_image_force_pull: "{{ matrix_mx_puppet_discord_docker_image.endswith(':latest') }}" matrix_mx_puppet_discord_base_path: "{{ matrix_base_data_path }}/mx-puppet-discord" diff --git a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml index 589da301..898768bf 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_groupme_container_http_host_bind_port: '' matrix_mx_puppet_groupme_version: latest matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:{{ matrix_mx_puppet_groupme_version }}" -matrix_mx_puppet_groupme_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_groupme_container_image_self_build else matrix_global_registry }}" +matrix_mx_puppet_groupme_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_groupme_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_groupme_docker_image_force_pull: "{{ matrix_mx_puppet_groupme_docker_image.endswith(':latest') }}" matrix_mx_puppet_groupme_base_path: "{{ matrix_base_data_path }}/mx-puppet-groupme" diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml index bb74b5f0..27210360 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mx_puppet_instagram_container_image_self_build_repo: "https://github.com/ matrix_mx_puppet_instagram_version: latest matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:{{ matrix_mx_puppet_instagram_version }}" -matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else matrix_global_registry }}" +matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_instagram_docker_image_force_pull: "{{ matrix_mx_puppet_instagram_docker_image.endswith(':latest') }}" matrix_mx_puppet_instagram_base_path: "{{ matrix_base_data_path }}/mx-puppet-instagram" diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 88cd79e5..8dcb2faf 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mx_puppet_skype_container_image_self_build_repo: "https://github.com/Soru matrix_mx_puppet_skype_version: latest matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:{{ matrix_mx_puppet_skype_version }}" -matrix_mx_puppet_skype_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_skype_container_image_self_build else matrix_global_registry }}" +matrix_mx_puppet_skype_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_skype_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}" matrix_mx_puppet_skype_base_path: "{{ matrix_base_data_path }}/mx-puppet-skype" diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index cb2144dc..65b295c9 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_slack_container_http_host_bind_port: '' matrix_mx_puppet_slack_version: latest matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:{{ matrix_mx_puppet_slack_version }}" -matrix_mx_puppet_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_slack_container_image_self_build else matrix_global_registry }}" +matrix_mx_puppet_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_slack_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}" matrix_mx_puppet_slack_base_path: "{{ matrix_base_data_path }}/mx-puppet-slack" diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index ca94b57c..e4df90a5 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_steam_container_http_host_bind_port: '' matrix_mx_puppet_steam_version: latest matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:{{ matrix_mx_puppet_steam_version }}" -matrix_mx_puppet_steam_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_steam_container_image_self_build else matrix_global_registry }}" +matrix_mx_puppet_steam_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_steam_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_steam_docker_image_force_pull: "{{ matrix_mx_puppet_steam_docker_image.endswith(':latest') }}" matrix_mx_puppet_steam_base_path: "{{ matrix_base_data_path }}/mx-puppet-steam" diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index d130e2c2..0e37d51f 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: '' matrix_mx_puppet_twitter_version: latest matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:{{ matrix_mx_puppet_twitter_version }}" -matrix_mx_puppet_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_twitter_container_image_self_build else matrix_global_registry }}" +matrix_mx_puppet_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_twitter_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_twitter_docker_image_force_pull: "{{ matrix_mx_puppet_twitter_docker_image.endswith(':latest') }}" matrix_mx_puppet_twitter_base_path: "{{ matrix_base_data_path }}/mx-puppet-twitter" diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 66b9ef87..0ae0ed4d 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -4,7 +4,7 @@ matrix_sms_bridge_enabled: true matrix_sms_bridge_version: 0.5.5 -matrix_sms_bridge_docker_image: "{{ matrix_global_registry }}folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}" +matrix_sms_bridge_docker_image: "{{ matrix_container_global_registry_prefix }}folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index eb99d773..6434b966 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto matrix_client_element_version: v1.7.24.1 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" -matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_global_registry }}" +matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element" diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 4f315e90..05af8046 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service'] matrix_corporal_version: 2.1.0 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" -matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_global_registry }}" +matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index c7242008..9eccfde2 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -5,7 +5,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentist matrix_coturn_version: 4.5.2 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}" -matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_global_registry }}" +matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" # The Docker network that Coturn would be put into. diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 67a8a82d..f7a84ca1 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -13,7 +13,7 @@ matrix_dimension_widgets_allow_self_signed_ssl_certificates: false matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" matrix_dimension_version: latest -matrix_dimension_docker_image: "{{ matrix_global_registry }}turt2live/matrix-dimension:{{ matrix_dimension_version }}" +matrix_dimension_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}" matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}" # List of systemd services that matrix-dimension.service depends on. diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index a66ec0d3..3411d0f8 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -9,7 +9,7 @@ matrix_dynamic_dns_version: v3.9.1-ls45 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" -matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else matrix_global_registry }}" +matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else matrix_container_global_registry_prefix }}" # The image to force pull matrix_dynamic_dns_docker_image_force_pull: "{{ matrix_dynamic_dns_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-email2matrix/defaults/main.yml b/roles/matrix-email2matrix/defaults/main.yml index 2cacd4ba..e6bfa0fe 100644 --- a/roles/matrix-email2matrix/defaults/main.yml +++ b/roles/matrix-email2matrix/defaults/main.yml @@ -4,7 +4,7 @@ matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix" matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config" matrix_email2matrix_version: 1.0.1 -matrix_email2matrix_docker_image: "{{ matrix_global_registry }}devture/email2matrix:{{ matrix_email2matrix_version }}" +matrix_email2matrix_docker_image: "{{ matrix_container_global_registry_prefix }}devture/email2matrix:{{ matrix_email2matrix_version }}" matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 87f09c34..45f8f8b2 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -3,7 +3,7 @@ matrix_etherpad_enabled: false matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" matrix_etherpad_version: 1.8.12 -matrix_etherpad_docker_image: "{{ matrix_global_registry }}etherpad/etherpad:{{ matrix_etherpad_version }}" +matrix_etherpad_docker_image: "{{ matrix_container_global_registry_prefix }}etherpad/etherpad:{{ matrix_etherpad_version }}" matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" # List of systemd services that matrix-etherpad.service depends on. diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index c33c4e23..f358608b 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -4,7 +4,7 @@ matrix_grafana_enabled: false matrix_grafana_version: 7.5.2 -matrix_grafana_docker_image: "{{ matrix_global_registry }}grafana/grafana:{{ matrix_grafana_version }}" +matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" # Not conditional, because when someone disables metrics diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index aac7a3a2..850c456e 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -55,7 +55,7 @@ matrix_jitsi_enable_lobby: false matrix_jitsi_version: stable-5142 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility -matrix_jitsi_web_docker_image: "{{ matrix_global_registry }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" @@ -163,7 +163,7 @@ matrix_jitsi_web_custom_config_extension: '' matrix_jitsi_web_environment_variables_extension: '' -matrix_jitsi_prosody_docker_image: "{{ matrix_global_registry }}jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_prosody_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -177,7 +177,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "{{ matrix_global_registry }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -194,7 +194,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "{{ matrix_global_registry }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 65524b24..7ab0d15e 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -12,7 +12,7 @@ matrix_ma1sd_architecture: "amd64" matrix_ma1sd_version: "2.4.0" matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}" -matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else matrix_global_registry }}" +matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index d48691ed..f5eaf726 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -9,7 +9,7 @@ matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image matrix_mailer_version: 4.93-r1 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" -matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_global_registry }}" +matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" # The user/group that the container runs with. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 56b91a6b..d0a910ca 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -4,7 +4,7 @@ matrix_nginx_proxy_version: 1.19.8-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "{{ matrix_global_registry }}nginx:{{ matrix_nginx_proxy_version }}" +matrix_nginx_proxy_docker_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_nginx_proxy_version }}" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" @@ -354,7 +354,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_global_registry }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.11.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.11.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml index ebbd8257..522764ac 100644 --- a/roles/matrix-postgres-backup/defaults/main.yml +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -27,11 +27,11 @@ matrix_postgres_backup_architecture: amd64 # > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault matrix_postgres_backup_docker_image_suffix: "{{ '-alpine' if matrix_postgres_backup_architecture in ['amd64', 'arm64'] else '' }}" -matrix_postgres_backup_docker_image_v9: "{{ matrix_global_registry }}prodrigestivill/postgres-backup-local:9.6{{ matrix_postgres_backup_docker_image_suffix }}" -matrix_postgres_backup_docker_image_v10: "{{ matrix_global_registry }}prodrigestivill/postgres-backup-local:10{{ matrix_postgres_backup_docker_image_suffix }}" -matrix_postgres_backup_docker_image_v11: "{{ matrix_global_registry }}prodrigestivill/postgres-backup-local:11{{ matrix_postgres_backup_docker_image_suffix }}" -matrix_postgres_backup_docker_image_v12: "{{ matrix_global_registry }}prodrigestivill/postgres-backup-local:12{{ matrix_postgres_backup_docker_image_suffix }}" -matrix_postgres_backup_docker_image_v13: "{{ matrix_global_registry }}prodrigestivill/postgres-backup-local:13{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v9: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:9.6{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v10: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:10{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v11: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:11{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v12: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:12{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v13: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:13{{ matrix_postgres_backup_docker_image_suffix }}" matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v13 }}" # This variable is assigned at runtime. Overriding its value has no effect. diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index ffff102a..72e42021 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -17,11 +17,11 @@ matrix_postgres_architecture: amd64 # > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" -matrix_postgres_docker_image_v9: "{{ matrix_global_registry }}postgres:9.6.21{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v10: "{{ matrix_global_registry }}postgres:10.16{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v11: "{{ matrix_global_registry }}postgres:11.11{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v12: "{{ matrix_global_registry }}postgres:12.6{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v13: "{{ matrix_global_registry }}postgres:13.2{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.21{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.16{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.11{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.6{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.2{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" # This variable is assigned at runtime. Overriding its value has no effect. @@ -90,6 +90,6 @@ matrix_postgres_pgloader_container_image_self_build_src_path: "{{ matrix_postgre # We use illagrenan/pgloader, instead of the more official dimitri/pgloader image, # because the official one only provides a `latest` tag. matrix_postgres_pgloader_docker_image: "{{ matrix_postgres_pgloader_docker_image_name_prefix }}illagrenan/pgloader:{{ matrix_postgres_pgloader_docker_image_tag }}" -matrix_postgres_pgloader_docker_image_name_prefix: "{{ 'localhost/' if matrix_postgres_pgloader_container_image_self_build else matrix_global_registry }}" +matrix_postgres_pgloader_docker_image_name_prefix: "{{ 'localhost/' if matrix_postgres_pgloader_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_postgres_pgloader_docker_image_tag: "3.6.2" matrix_postgres_pgloader_docker_image_force_pull: "{{ matrix_postgres_pgloader_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index a9ea9faf..e4bf7cf7 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -4,7 +4,7 @@ matrix_prometheus_node_exporter_enabled: false matrix_prometheus_node_exporter_version: v1.1.0 -matrix_prometheus_node_exporter_docker_image: "{{ matrix_global_registry }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" +matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index c4a1a9cb..3c4acc85 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -4,7 +4,7 @@ matrix_prometheus_enabled: false matrix_prometheus_version: v2.24.1 -matrix_prometheus_docker_image: "{{ matrix_global_registry }}prom/prometheus:{{ matrix_prometheus_version }}" +matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus" diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml index e2bd678c..e33e7493 100644 --- a/roles/matrix-redis/defaults/main.yml +++ b/roles/matrix-redis/defaults/main.yml @@ -6,7 +6,7 @@ matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" matrix_redis_version: 6.0.10-alpine -matrix_redis_docker_image_v6: "{{ matrix_global_registry }}redis:{{ matrix_redis_version }}" +matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index 403600db..e03891b2 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -15,7 +15,7 @@ matrix_registration_docker_src_files_path: "{{ matrix_registration_base_path }}/ matrix_registration_version: "v0.7.2" matrix_registration_docker_image: "{{ matrix_registration_docker_image_name_prefix }}zeratax/matrix-registration:{{ matrix_registration_version }}" -matrix_registration_docker_image_name_prefix: "{{ 'localhost/' if matrix_registration_container_image_self_build else matrix_global_registry }}" +matrix_registration_docker_image_name_prefix: "{{ 'localhost/' if matrix_registration_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_registration_docker_image_force_pull: "{{ matrix_registration_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-sygnal/defaults/main.yml b/roles/matrix-sygnal/defaults/main.yml index 27c69592..476ac2ad 100644 --- a/roles/matrix-sygnal/defaults/main.yml +++ b/roles/matrix-sygnal/defaults/main.yml @@ -8,7 +8,7 @@ matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data" matrix_sygnal_version: v0.9.0 -matrix_sygnal_docker_image: "{{ matrix_global_registry }}matrixdotorg/sygnal:{{ matrix_sygnal_version }}" +matrix_sygnal_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_version }}" matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" # List of systemd services that matrix-sygnal.service depends on. diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 05c4541e..c7f128e3 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -10,7 +10,7 @@ matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse matrix_synapse_admin_version: 0.7.0 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" -matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_global_registry }}" +matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 49bc7a1c..f441ac40 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_container_image_self_build: false matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/synapse.git" matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" -matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_global_registry }}" +matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" # The if statement below may look silly at times (leading to the same version being returned), # but ARM-compatible container images are only released 1-7 hours after a release, # so we may often be on different versions for different architectures when new Synapse releases come out. From 126fbbc0cc55898ff1912fe7f189be0dc12b8a63 Mon Sep 17 00:00:00 2001 From: Ahmad Haghighi Date: Mon, 12 Apr 2021 17:20:05 +0430 Subject: [PATCH 2095/2384] fix typo --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f3c94110..fb007d92 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -9,7 +9,7 @@ # You can also override ANY variable (seen here or in any given role), # by re-defining it in your own configuration file (`inventory/host_vars/matrix.`). -matrix_global_registry: "docker.io/" +matrix_container_global_registry_prefix: "docker.io/" ###################################################################### # From 4f8e1bd43ae63968e84348492231d74c8a0e9082 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Mon, 12 Apr 2021 18:04:56 +0000 Subject: [PATCH 2096/2384] Updated Element Web 1.7.24.1 -> 1.7.25 --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 6434b966..c14b5ecd 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.24.1 +matrix_client_element_version: v1.7.25 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 316d7d815ac98255d6e049414cefe7d80c6f162c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 13 Apr 2021 10:52:38 +0300 Subject: [PATCH 2097/2384] Add FAQ entry about debugging SSL certificate renewal troubles --- docs/faq.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/faq.md b/docs/faq.md index beb009ac..84089b5e 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -458,3 +458,18 @@ If your server's IP address has changed, you may need to [set up DNS](configurin When you [perform a major Postgres upgrade](maintenance-postgres.md#upgrading-postgresql), we save the the old data files in `/matrix/postgres/data-auto-upgrade-backup`, just so you could easily restore them should something have gone wrong. After verifying that everything still works after the Postgres upgrade, you can safely delete `/matrix/postgres/data-auto-upgrade-backup` + +### How do I debug or force SSL certificate renewal? + +SSL certificate renewal normally happens automatically via [systemd timers](https://wiki.archlinux.org/index.php/Systemd/Timers). + +If you're having trouble with SSL certificate renewal, you can inspect the renewal logs using: + +- `journalctl -fu matrix-ssl-lets-encrypt-certificates-renew.service` +- *or* by looking at the log files in `/matrix/ssl/log/` + +To trigger renewal, run: `systemctl start matrix-ssl-lets-encrypt-certificates-renew.service`. You can then take a look at the logs again. + +If you're using the integrated webserver (`matrix-nginx-proxy`), you can reload it manually like this: `systemctl reload matrix-nginx-proxy`. Reloading also happens periodically via a systemd timer. + +If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (`matrix-nginx-proxy`) you may also need to reload/restart it, to make it pick up the renewed SSL certificate files. From 931452bb0656f8a4d49c18e136ec9971aa30be68 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 14 Apr 2021 08:57:01 +0300 Subject: [PATCH 2098/2384] Upgrade exim (4.93 -> 4.94) --- roles/matrix-mailer/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index f5eaf726..62ec9186 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.93-r1 +matrix_mailer_version: 4.94-r0 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" From c7c137df744a717cb0e12743ed925c56b3f456bf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 14 Apr 2021 13:24:41 +0300 Subject: [PATCH 2099/2384] Upgrade nginx and certbot --- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index d0a910ca..b814f7c9 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.19.8-alpine +matrix_nginx_proxy_version: 1.19.10-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but @@ -354,7 +354,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.11.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.14.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ From 89cb5a3d7a0b160b78a8bd477c1a47415c41d7ca Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Thu, 15 Apr 2021 17:07:03 +0800 Subject: [PATCH 2100/2384] GMH v0.4.2 update --- CHANGELOG.md | 10 ++ docs/configuring-playbook-bot-mjolnir.md | 2 +- docs/configuring-playbook-postgres-backup.md | 32 ++++++ ...configuring-playbook-prometheus-grafana.md | 5 +- docs/faq.md | 15 +++ docs/maintenance-postgres.md | 4 +- group_vars/matrix_servers | 32 +++++- roles/matrix-awx/tasks/main.yml | 9 ++ roles/matrix-awx/tasks/purge_media_local.yml | 13 +++ roles/matrix-awx/tasks/purge_media_main.yml | 94 ++++++++++++++++ roles/matrix-awx/tasks/purge_media_remote.yml | 13 +++ roles/matrix-base/tasks/sanity_check.yml | 7 ++ .../defaults/main.yml | 2 +- roles/matrix-bot-mjolnir/defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../tasks/init.yml | 11 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- .../defaults/main.yml | 2 +- roles/matrix-bridge-sms/defaults/main.yml | 2 +- roles/matrix-client-element/defaults/main.yml | 4 +- roles/matrix-corporal/defaults/main.yml | 2 +- roles/matrix-coturn/defaults/main.yml | 2 +- roles/matrix-dimension/defaults/main.yml | 2 +- roles/matrix-dynamic-dns/defaults/main.yml | 2 +- roles/matrix-email2matrix/defaults/main.yml | 2 +- roles/matrix-etherpad/defaults/main.yml | 2 +- roles/matrix-grafana/defaults/main.yml | 4 +- roles/matrix-grafana/templates/grafana.ini.j2 | 8 +- roles/matrix-jitsi/defaults/main.yml | 8 +- roles/matrix-ma1sd/defaults/main.yml | 2 +- roles/matrix-mailer/defaults/main.yml | 4 +- roles/matrix-nginx-proxy/defaults/main.yml | 6 +- .../matrix-postgres-backup/defaults/main.yml | 40 +++++++ roles/matrix-postgres-backup/tasks/init.yml | 3 + roles/matrix-postgres-backup/tasks/main.yml | 17 +++ .../tasks/setup_postgres_backup.yml | 103 ++++++++++++++++++ .../util/detect_existing_postgres_version.yml | 56 ++++++++++ .../tasks/validate_config.yml | 18 +++ .../templates/env-postgres-backup.j2 | 12 ++ .../systemd/matrix-postgres-backup.service.j2 | 31 ++++++ roles/matrix-postgres/defaults/main.yml | 12 +- .../defaults/main.yml | 2 +- roles/matrix-prometheus/defaults/main.yml | 2 +- roles/matrix-redis/defaults/main.yml | 2 +- roles/matrix-registration/defaults/main.yml | 2 +- roles/matrix-sygnal/defaults/main.yml | 2 +- roles/matrix-synapse-admin/defaults/main.yml | 2 +- roles/matrix-synapse/defaults/main.yml | 6 +- .../templates/synapse/homeserver.yaml.j2 | 56 +++++----- roles/matrix-synapse/vars/workers.yml | 5 +- setup.yml | 2 + 59 files changed, 599 insertions(+), 97 deletions(-) create mode 100644 docs/configuring-playbook-postgres-backup.md create mode 100644 roles/matrix-awx/tasks/purge_media_local.yml create mode 100644 roles/matrix-awx/tasks/purge_media_main.yml create mode 100644 roles/matrix-awx/tasks/purge_media_remote.yml create mode 100644 roles/matrix-postgres-backup/defaults/main.yml create mode 100644 roles/matrix-postgres-backup/tasks/init.yml create mode 100644 roles/matrix-postgres-backup/tasks/main.yml create mode 100644 roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml create mode 100644 roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml create mode 100644 roles/matrix-postgres-backup/tasks/validate_config.yml create mode 100644 roles/matrix-postgres-backup/templates/env-postgres-backup.j2 create mode 100644 roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index fb55c7c2..326c2103 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +# 2021-04-05 + +## Automated local Postgres backup support + +Thanks to [foxcris](https://github.com/foxcris), the playbook can now make automated local Postgres backups on a fixed schedule using [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local). + +Additional details are available in [Setting up postgres backup](docs/configuring-playbook-postgres-backup.md). + + + # 2021-04-03 ## Mjolnir moderation tool (bot) support diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 0a5860c1..1b0241e1 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -46,7 +46,7 @@ You will need to prevent Synapse from rate limiting the bot's account. This is n 1. Copy the statement below into a text editor. ``` - INSERT INTO ratelimit_override VALUES ("@bot.mjolnir:DOMAIN", 0, 0); + INSERT INTO ratelimit_override VALUES ('@bot.mjolnir:DOMAIN', 0, 0); ``` 1. Change the username (`@bot.mjolnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain. diff --git a/docs/configuring-playbook-postgres-backup.md b/docs/configuring-playbook-postgres-backup.md new file mode 100644 index 00000000..2d878c11 --- /dev/null +++ b/docs/configuring-playbook-postgres-backup.md @@ -0,0 +1,32 @@ +# Setting up postgres backup (optional) + +The playbook can install and configure [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) for you. + +## Adjusting the playbook configuration + +Minimal working configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`) to enable Postgres backup: + +```yaml +matrix_postgres_backup_enabled: true +``` + +Refer to the table below for additional configuration variables and their default values. + + +| Name | Default value | Description | +| :-------------------------------- | :--------------------------- | :--------------------------------------------------------------- | +|`matrix_postgres_backup_enabled`|`false`|Set to true to use [docker-postgres-backup-local](https://github.com/prodrigestivill/docker-postgres-backup-local) to create automatic database backups| +|`matrix_postgres_backup_schedule`| `'@daily'` |Cron-schedule specifying the interval between postgres backups.| +|`matrix_postgres_backup_keep_days`|`7`|Number of daily backups to keep| +|`matrix_postgres_backup_keep_weeks`|`4`|Number of weekly backups to keep| +|`matrix_postgres_backup_keep_months`|`12`|Number of monthly backups to keep| +|`matrix_postgres_backup_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Storagepath for the database backups| + + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 310eac6a..4968c518 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -17,11 +17,10 @@ matrix_grafana_anonymous_access: false # This has no relation to your Matrix user id. It can be any username you'd like. # Changing the username subsequently won't work. -matrix_grafana_default_admin_user: some_username_chosen_by_you +matrix_grafana_default_admin_user: "some_username_chosen_by_you" -# Passwords containing special characters may be troublesome. # Changing the password subsequently won't work. -matrix_grafana_default_admin_password: some_strong_password_chosen_by_you +matrix_grafana_default_admin_password: "some_strong_password_chosen_by_you" ``` By default, a [Grafana](https://grafana.com/) web user-interface will be available at `https://stats.`. diff --git a/docs/faq.md b/docs/faq.md index beb009ac..84089b5e 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -458,3 +458,18 @@ If your server's IP address has changed, you may need to [set up DNS](configurin When you [perform a major Postgres upgrade](maintenance-postgres.md#upgrading-postgresql), we save the the old data files in `/matrix/postgres/data-auto-upgrade-backup`, just so you could easily restore them should something have gone wrong. After verifying that everything still works after the Postgres upgrade, you can safely delete `/matrix/postgres/data-auto-upgrade-backup` + +### How do I debug or force SSL certificate renewal? + +SSL certificate renewal normally happens automatically via [systemd timers](https://wiki.archlinux.org/index.php/Systemd/Timers). + +If you're having trouble with SSL certificate renewal, you can inspect the renewal logs using: + +- `journalctl -fu matrix-ssl-lets-encrypt-certificates-renew.service` +- *or* by looking at the log files in `/matrix/ssl/log/` + +To trigger renewal, run: `systemctl start matrix-ssl-lets-encrypt-certificates-renew.service`. You can then take a look at the logs again. + +If you're using the integrated webserver (`matrix-nginx-proxy`), you can reload it manually like this: `systemctl reload matrix-nginx-proxy`. Reloading also happens periodically via a systemd timer. + +If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (`matrix-nginx-proxy`) you may also need to reload/restart it, to make it pick up the renewed SSL certificate files. diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index d43a5dc7..9b748d28 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -49,7 +49,9 @@ ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-vacuum,start ## Backing up PostgreSQL -To make a back up of the current PostgreSQL database, make sure it's running and then execute a command like this on the server: +To automatically make Postgres database backups on a fixed schedule, see [Setting up postgres backup](configuring-playbook-postgres-backup.md). + +To make a one off back up of the current PostgreSQL database, make sure it's running and then execute a command like this on the server: ```bash /usr/bin/docker exec \ diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e1d1239c..fb007d92 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -9,6 +9,7 @@ # You can also override ANY variable (seen here or in any given role), # by re-defining it in your own configuration file (`inventory/host_vars/matrix.`). +matrix_container_global_registry_prefix: "docker.io/" ###################################################################### # @@ -1677,7 +1678,7 @@ matrix_prometheus_node_exporter_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus Node Exporter over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Prometheus' HTTP port to the local host. -matrix_prometheus_node_exporter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9100' }}" +matrix_prometheus_node_exporter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9200' }}" ###################################################################### # @@ -1774,3 +1775,32 @@ matrix_registration_database_password: "{{ matrix_synapse_macaroon_secret_key | # /matrix-registration # ###################################################################### + +###################################################################### +# +# matrix-postgres-backup +# +###################################################################### + +matrix_postgres_backup_connection_hostname: "{{ matrix_postgres_connection_hostname }}" +matrix_postgres_backup_connection_port: "{{ matrix_postgres_connection_port }}" +matrix_postgres_backup_connection_username: "{{ matrix_postgres_connection_username }}" +matrix_postgres_backup_connection_password: "{{ matrix_postgres_connection_password }}" + +matrix_postgres_backup_postgres_data_path: "{{ matrix_postgres_data_path if matrix_postgres_enabled else '' }}" + +# the default matrix synapse databse is not always part of the matrix_postgres_additional_databases variable thus we have to add it if the default database is used +matrix_postgres_backup_databases: | + {{ + (([{ + 'name': matrix_synapse_database_database + }] if (matrix_synapse_enabled and matrix_synapse_database_database == matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + + + matrix_postgres_additional_databases)|map(attribute='name')|list + }} + +###################################################################### +# +# /matrix-postgres-backup +# +###################################################################### diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index 24c93b49..68d8153b 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -26,6 +26,15 @@ tags: - create-user +# Purge local/remote media if called +- include_tasks: + file: "purge_media_main.yml" + apply: + tags: purge-media + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - purge-media + # Import configs, media repo from /chroot/backup import - include_tasks: file: "import_awx.yml" diff --git a/roles/matrix-awx/tasks/purge_media_local.yml b/roles/matrix-awx/tasks/purge_media_local.yml new file mode 100644 index 00000000..434c974b --- /dev/null +++ b/roles/matrix-awx/tasks/purge_media_local.yml @@ -0,0 +1,13 @@ + +- name: Collect epoche time from date + shell: | + date -d '{{ item }}' +"%s" + register: epoche_time + +- name: Purge local media to specific date + shell: | + curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout }}" 'https://matrix.{{ matrix_domain }}/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}' + +- name: Pause for 5 seconds to let Synapse breathe + pause: + seconds: 5 diff --git a/roles/matrix-awx/tasks/purge_media_main.yml b/roles/matrix-awx/tasks/purge_media_main.yml new file mode 100644 index 00000000..fba0a000 --- /dev/null +++ b/roles/matrix-awx/tasks/purge_media_main.yml @@ -0,0 +1,94 @@ + +- name: Ensure dateutils and curl is installed in AWX + delegate_to: 127.0.0.1 + yum: + name: dateutils + state: latest + +- name: Include vars in matrix_vars.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + no_log: True + +- name: Ensure curl and jq intalled on target machine + apt: + pkg: + - curl + - jq + state: present + +- name: Collect access token for janitor user + shell: | + curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "https://matrix.{{ matrix_domain }}/_matrix/client/r0/login" | jq '.access_token' + register: janitors_token + +- name: Generate list of dates to purge to + delegate_to: 127.0.0.1 + shell: "dateseq {{ matrix_purge_from_date }} {{ matrix_purge_to_date }}" + register: purge_dates + +- name: Calculate initial size of local media repository + shell: du -sh /matrix/synapse/storage/media-store/local* + register: local_media_size_before + when: matrix_purge_media_type == "Local Media" + ignore_errors: yes + no_log: True + +- name: Calculate initial size of remote media repository + shell: du -sh /matrix/synapse/storage/media-store/remote* + register: remote_media_size_before + when: matrix_purge_media_type == "Remote Media" + ignore_errors: yes + no_log: True + +- name: Purge local media with loop + include_tasks: purge_media_local.yml + loop: "{{ purge_dates.stdout_lines | flatten(levels=1) }}" + when: matrix_purge_media_type == "Local Media" + +- name: Purge remote media with loop + include_tasks: purge_media_remote.yml + loop: "{{ purge_dates.stdout_lines | flatten(levels=1) }}" + when: matrix_purge_media_type == "Remote Media" + +- name: Calculate final size of local media repository + shell: du -sh /matrix/synapse/storage/media-store/local* + register: local_media_size_after + when: matrix_purge_media_type == "Local Media" + ignore_errors: yes + no_log: True + +- name: Calculate final size of remote media repository + shell: du -sh /matrix/synapse/storage/media-store/remote* + register: remote_media_size_after + when: matrix_purge_media_type == "Remote Media" + ignore_errors: yes + no_log: True + +- name: Print size of local media repository before purge + debug: + msg: "{{ local_media_size_before.stdout.split('\n') }}" + when: matrix_purge_media_type == "Local Media" + +- name: Print size of local media repository after purge + debug: + msg: "{{ local_media_size_after.stdout.split('\n') }}" + when: matrix_purge_media_type == "Local Media" + +- name: Print size of remote media repository before purge + debug: + msg: "{{ remote_media_size_before.stdout.split('\n') }}" + when: matrix_purge_media_type == "Remote Media" + +- name: Print size of remote media repository after purge + debug: + msg: "{{ remote_media_size_after.stdout.split('\n') }}" + when: matrix_purge_media_type == "Remote Media" + +- name: Set boolean value to exit playbook + set_fact: + end_playbook: true + +- name: End playbook early if this task is called. + meta: end_play + when: end_playbook is defined and end_playbook|bool diff --git a/roles/matrix-awx/tasks/purge_media_remote.yml b/roles/matrix-awx/tasks/purge_media_remote.yml new file mode 100644 index 00000000..2a408eb9 --- /dev/null +++ b/roles/matrix-awx/tasks/purge_media_remote.yml @@ -0,0 +1,13 @@ + +- name: Collect epoche time from date + shell: | + date -d '{{ item }}' +"%s" + register: epoche_time + +- name: Purge local media to specific date + shell: | + curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout }}" 'https://matrix.{{ matrix_domain }}/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}' + +- name: Pause for 5 seconds to let Synapse breathe + pause: + seconds: 5 diff --git a/roles/matrix-base/tasks/sanity_check.yml b/roles/matrix-base/tasks/sanity_check.yml index c31d9137..265dc282 100644 --- a/roles/matrix-base/tasks/sanity_check.yml +++ b/roles/matrix-base/tasks/sanity_check.yml @@ -52,3 +52,10 @@ when: - ansible_distribution == 'Archlinux' - ansible_python.version.major != 3 + +- name: Fail if architecture is set incorrectly + fail: + msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}." + when: (ansible_architecture == "x86_64" and matrix_architecture != "amd64") or + (ansible_architecture == "aarch64" and matrix_architecture != "arm64") or + (ansible_architecture.startswith("armv") and matrix_architecture != "arm32") diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index dd18579c..775dadcc 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -3,7 +3,7 @@ matrix_bot_matrix_reminder_bot_enabled: true matrix_bot_matrix_reminder_bot_version: release-v0.2.0 -matrix_bot_matrix_reminder_bot_docker_image: "docker.io/anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}" +matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_container_global_registry_prefix }}anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}" matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}" matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot" diff --git a/roles/matrix-bot-mjolnir/defaults/main.yml b/roles/matrix-bot-mjolnir/defaults/main.yml index e7b54364..f97e997c 100644 --- a/roles/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/matrix-bot-mjolnir/defaults/main.yml @@ -3,7 +3,7 @@ matrix_bot_mjolnir_enabled: true matrix_bot_mjolnir_version: "v0.1.17" -matrix_bot_mjolnir_docker_image: "docker.io/matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" +matrix_bot_mjolnir_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}" matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir" diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index 360963bb..9b9284dc 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -4,7 +4,7 @@ matrix_appservice_discord_enabled: true matrix_appservice_discord_version: v1.0.0 -matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:{{ matrix_appservice_discord_version }}" +matrix_appservice_discord_docker_image: "{{ matrix_container_global_registry_prefix }}halfshot/matrix-appservice-discord:{{ matrix_appservice_discord_version }}" matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}" matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord" diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index b8a17972..410299b7 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -8,7 +8,7 @@ matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appserv matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" matrix_appservice_irc_version: release-0.25.0 -matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" +matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index a0032a0d..bb801273 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -8,7 +8,7 @@ matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appse matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" matrix_appservice_slack_version: release-1.5.0 -matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}" +matrix_appservice_slack_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack" diff --git a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml index 82e0925c..7f26ea58 100644 --- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml +++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml @@ -4,7 +4,7 @@ matrix_appservice_webhooks_enabled: true matrix_appservice_webhooks_version: latest -matrix_appservice_webhooks_docker_image: "docker.io/turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" +matrix_appservice_webhooks_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}" matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}" matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks" diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml index 53e2cce8..a42e14c9 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml @@ -44,16 +44,19 @@ - name: Generate Matrix Appservice webhooks proxying configuration for matrix-nginx-proxy set_fact: matrix_appservice_webhooks_matrix_nginx_proxy_configuration: | - location {{ matrix_appservice_webhooks_public_endpoint }}/ { {% if matrix_nginx_proxy_enabled|default(False) %} {# Use the embedded DNS resolver in Docker containers to discover the service #} + location ~ ^{{ matrix_appservice_webhooks_public_endpoint }}/(.*)$ { resolver 127.0.0.11 valid=5s; - proxy_pass {{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}/; + set $backend "matrix-appservice-webhooks:{{ matrix_appservice_webhooks_matrix_port }}"; + proxy_pass http://$backend/$1; + } {% else %} - {# Generic configuration for use outside of our container setup #} + {# Generic configuration for use outside of our container setup #} + location {{ matrix_appservice_webhooks_public_endpoint }}/ { proxy_pass http://127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}/; - {% endif %} } + {% endif %} - name: Register webhooks Appservice proxying configuration with matrix-nginx-proxy set_fact: diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 34a8ee36..7e99c9b2 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_discord_container_http_host_bind_port: '' matrix_mx_puppet_discord_version: latest matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:{{ matrix_mx_puppet_discord_version }}" -matrix_mx_puppet_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_discord_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_discord_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_discord_docker_image_force_pull: "{{ matrix_mx_puppet_discord_docker_image.endswith(':latest') }}" matrix_mx_puppet_discord_base_path: "{{ matrix_base_data_path }}/mx-puppet-discord" diff --git a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml index cfc2aa0d..898768bf 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_groupme_container_http_host_bind_port: '' matrix_mx_puppet_groupme_version: latest matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:{{ matrix_mx_puppet_groupme_version }}" -matrix_mx_puppet_groupme_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_groupme_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_groupme_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_groupme_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_groupme_docker_image_force_pull: "{{ matrix_mx_puppet_groupme_docker_image.endswith(':latest') }}" matrix_mx_puppet_groupme_base_path: "{{ matrix_base_data_path }}/mx-puppet-groupme" diff --git a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml index 24377fb3..27210360 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mx_puppet_instagram_container_image_self_build_repo: "https://github.com/ matrix_mx_puppet_instagram_version: latest matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:{{ matrix_mx_puppet_instagram_version }}" -matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_instagram_docker_image_force_pull: "{{ matrix_mx_puppet_instagram_docker_image.endswith(':latest') }}" matrix_mx_puppet_instagram_base_path: "{{ matrix_base_data_path }}/mx-puppet-instagram" diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml index 0f603df0..8dcb2faf 100644 --- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml @@ -8,7 +8,7 @@ matrix_mx_puppet_skype_container_image_self_build_repo: "https://github.com/Soru matrix_mx_puppet_skype_version: latest matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:{{ matrix_mx_puppet_skype_version }}" -matrix_mx_puppet_skype_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_skype_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_skype_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_skype_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}" matrix_mx_puppet_skype_base_path: "{{ matrix_base_data_path }}/mx-puppet-skype" diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 32df7236..65b295c9 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_slack_container_http_host_bind_port: '' matrix_mx_puppet_slack_version: latest matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:{{ matrix_mx_puppet_slack_version }}" -matrix_mx_puppet_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_slack_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_slack_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}" matrix_mx_puppet_slack_base_path: "{{ matrix_base_data_path }}/mx-puppet-slack" diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index 7123e040..e4df90a5 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_steam_container_http_host_bind_port: '' matrix_mx_puppet_steam_version: latest matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:{{ matrix_mx_puppet_steam_version }}" -matrix_mx_puppet_steam_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_steam_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_steam_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_steam_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_steam_docker_image_force_pull: "{{ matrix_mx_puppet_steam_docker_image.endswith(':latest') }}" matrix_mx_puppet_steam_base_path: "{{ matrix_base_data_path }}/mx-puppet-steam" diff --git a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml index c10f521d..0e37d51f 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml @@ -13,7 +13,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: '' matrix_mx_puppet_twitter_version: latest matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:{{ matrix_mx_puppet_twitter_version }}" -matrix_mx_puppet_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_twitter_container_image_self_build else 'docker.io/' }}" +matrix_mx_puppet_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_twitter_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mx_puppet_twitter_docker_image_force_pull: "{{ matrix_mx_puppet_twitter_docker_image.endswith(':latest') }}" matrix_mx_puppet_twitter_base_path: "{{ matrix_base_data_path }}/mx-puppet-twitter" diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 0382a2b2..0ae0ed4d 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -4,7 +4,7 @@ matrix_sms_bridge_enabled: true matrix_sms_bridge_version: 0.5.5 -matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}" +matrix_sms_bridge_docker_image: "{{ matrix_container_global_registry_prefix }}folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config" diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index b6c3ce98..c14b5ecd 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,9 +3,9 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.24.1 +matrix_client_element_version: v1.7.25 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" -matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" +matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element" diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index c35e4b22..05af8046 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service'] matrix_corporal_version: 2.1.0 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" -matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}" +matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 4f27e0d9..9eccfde2 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -5,7 +5,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentist matrix_coturn_version: 4.5.2 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}" -matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}" +matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" # The Docker network that Coturn would be put into. diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index e4ded37a..f7a84ca1 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -13,7 +13,7 @@ matrix_dimension_widgets_allow_self_signed_ssl_certificates: false matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension" matrix_dimension_version: latest -matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:{{ matrix_dimension_version }}" +matrix_dimension_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}" matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}" # List of systemd services that matrix-dimension.service depends on. diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml index 1ec681da..3411d0f8 100644 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -9,7 +9,7 @@ matrix_dynamic_dns_version: v3.9.1-ls45 # The docker container to use when in mode matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" -matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else 'docker.io/' }}" +matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else matrix_container_global_registry_prefix }}" # The image to force pull matrix_dynamic_dns_docker_image_force_pull: "{{ matrix_dynamic_dns_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-email2matrix/defaults/main.yml b/roles/matrix-email2matrix/defaults/main.yml index b5593882..e6bfa0fe 100644 --- a/roles/matrix-email2matrix/defaults/main.yml +++ b/roles/matrix-email2matrix/defaults/main.yml @@ -4,7 +4,7 @@ matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix" matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config" matrix_email2matrix_version: 1.0.1 -matrix_email2matrix_docker_image: "docker.io/devture/email2matrix:{{ matrix_email2matrix_version }}" +matrix_email2matrix_docker_image: "{{ matrix_container_global_registry_prefix }}devture/email2matrix:{{ matrix_email2matrix_version }}" matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 90883310..45f8f8b2 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -3,7 +3,7 @@ matrix_etherpad_enabled: false matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" matrix_etherpad_version: 1.8.12 -matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:{{ matrix_etherpad_version }}" +matrix_etherpad_docker_image: "{{ matrix_container_global_registry_prefix }}etherpad/etherpad:{{ matrix_etherpad_version }}" matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" # List of systemd services that matrix-etherpad.service depends on. diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 876e5f6f..f358608b 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,8 +3,8 @@ matrix_grafana_enabled: false -matrix_grafana_version: 7.4.0 -matrix_grafana_docker_image: "docker.io/grafana/grafana:{{ matrix_grafana_version }}" +matrix_grafana_version: 7.5.2 +matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" # Not conditional, because when someone disables metrics diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index 694bf7d7..c7fe1d91 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -1,16 +1,16 @@ [security] # default admin user, created on startup -admin_user = {{ matrix_grafana_default_admin_user }} +admin_user = "{{ matrix_grafana_default_admin_user }}" -# default admin password, can be changed before first start of grafana, or in profile settings -admin_password = {{ matrix_grafana_default_admin_password }} +# default admin password, can be changed before first start of grafana, or in profile settings +admin_password = """{{ matrix_grafana_default_admin_password }}""" [auth.anonymous] # enable anonymous access enabled = {{ matrix_grafana_anonymous_access }} # specify organization name that should be used for unauthenticated users -org_name = {{ matrix_grafana_anonymous_access_org_name }} +org_name = "{{ matrix_grafana_anonymous_access_org_name }}" [dashboards] {% if matrix_synapse_metrics_enabled %} diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 6d14a823..850c456e 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -55,7 +55,7 @@ matrix_jitsi_enable_lobby: false matrix_jitsi_version: stable-5142 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility -matrix_jitsi_web_docker_image: "docker.io/jitsi/web:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" @@ -163,7 +163,7 @@ matrix_jitsi_web_custom_config_extension: '' matrix_jitsi_web_environment_variables_extension: '' -matrix_jitsi_prosody_docker_image: "docker.io/jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_prosody_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -177,7 +177,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "docker.io/jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -194,7 +194,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: '' -matrix_jitsi_jvb_docker_image: "docker.io/jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 62828d95..7ab0d15e 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -12,7 +12,7 @@ matrix_ma1sd_architecture: "amd64" matrix_ma1sd_version: "2.4.0" matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}" -matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else 'docker.io/' }}" +matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index 4c29f47a..62ec9186 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,9 +7,9 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.93-r1 +matrix_mailer_version: 4.94-r0 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" -matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else 'docker.io/' }}" +matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" # The user/group that the container runs with. diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 440f7a32..b814f7c9 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,10 +1,10 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.19.8-alpine +matrix_nginx_proxy_version: 1.19.10-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. -matrix_nginx_proxy_docker_image: "docker.io/nginx:{{ matrix_nginx_proxy_version }}" +matrix_nginx_proxy_docker_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_nginx_proxy_version }}" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" @@ -354,7 +354,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.11.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.14.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ diff --git a/roles/matrix-postgres-backup/defaults/main.yml b/roles/matrix-postgres-backup/defaults/main.yml new file mode 100644 index 00000000..522764ac --- /dev/null +++ b/roles/matrix-postgres-backup/defaults/main.yml @@ -0,0 +1,40 @@ +matrix_postgres_backup_enabled: false + +matrix_postgres_backup_connection_hostname: "matrix-postgres" +matrix_postgres_backup_connection_port: 5432 +matrix_postgres_backup_connection_username: "matrix" +matrix_postgres_backup_connection_password: "" + +matrix_postgres_backup_extra_opts: "-Z9 --schema=public --blobs" +matrix_postgres_backup_schedule: "@daily" +matrix_postgres_backup_keep_days: 7 +matrix_postgres_backup_keep_weeks: 4 +matrix_postgres_backup_keep_months: 12 +matrix_postgres_backup_healthcheck_port: "8080" +matrix_postgres_backup_databases: [] +matrix_postgres_backup_path: "{{ matrix_base_data_path }}/postgres-backup" + +# Specifies where the Postgres data is. +# We use this to autodetect the Postgres version during playbook runtime (by parsing the `PG_VERSION` file contained there). +# You can leave this empty to prevent auto-detection. +matrix_postgres_backup_postgres_data_path: "" + +matrix_postgres_backup_architecture: amd64 + +# matrix_postgres_docker_image_suffix controls whether we use Alpine-based images (`-alpine`) or the normal Debian-based images. +# Alpine-based Postgres images are smaller and we usually prefer them, but they don't work on ARM32 (tested on a Raspberry Pi 3 running Raspbian 10.7). +# On ARM32, `-alpine` images fail with the following error: +# > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault +matrix_postgres_backup_docker_image_suffix: "{{ '-alpine' if matrix_postgres_backup_architecture in ['amd64', 'arm64'] else '' }}" + +matrix_postgres_backup_docker_image_v9: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:9.6{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v10: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:10{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v11: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:11{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v12: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:12{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_v13: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:13{{ matrix_postgres_backup_docker_image_suffix }}" +matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v13 }}" + +# This variable is assigned at runtime. Overriding its value has no effect. +matrix_postgres_backup_docker_image_to_use: '{{ matrix_postgres_backup_docker_image_latest }}' + +matrix_postgres_backup_docker_image_force_pull: "{{ matrix_postgres_backup_docker_image_to_use.endswith(':latest') }}" diff --git a/roles/matrix-postgres-backup/tasks/init.yml b/roles/matrix-postgres-backup/tasks/init.yml new file mode 100644 index 00000000..c6a9bd7e --- /dev/null +++ b/roles/matrix-postgres-backup/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres-backup.service'] }}" + when: matrix_postgres_backup_enabled|bool diff --git a/roles/matrix-postgres-backup/tasks/main.yml b/roles/matrix-postgres-backup/tasks/main.yml new file mode 100644 index 00000000..19e3db5b --- /dev/null +++ b/roles/matrix-postgres-backup/tasks/main.yml @@ -0,0 +1,17 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_postgres_backup_enabled|bool" + tags: + - setup-all + - setup-postgres-backup + +- import_tasks: "{{ role_path }}/tasks/setup_postgres_backup.yml" + when: run_setup|bool + tags: + - setup-all + - setup-postgres-backup diff --git a/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml b/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml new file mode 100644 index 00000000..9761088d --- /dev/null +++ b/roles/matrix-postgres-backup/tasks/setup_postgres_backup.yml @@ -0,0 +1,103 @@ +--- + +# +# Tasks related to setting up an internal postgres server +# +- import_tasks: "{{ role_path }}/tasks/util/detect_existing_postgres_version.yml" + when: 'matrix_postgres_backup_enabled|bool and matrix_postgres_backup_postgres_data_path != ""' + +# If we have found an existing version (installed from before), we use its corresponding Docker image. +# If not, we install using the latest Postgres. +# +# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`). +- set_fact: + matrix_postgres_backup_docker_image_to_use: "{{ matrix_postgres_backup_docker_image_latest if matrix_postgres_backup_detected_version_corresponding_docker_image|default('') == '' else matrix_postgres_backup_detected_version_corresponding_docker_image }}" + when: matrix_postgres_backup_enabled|bool + +- name: Ensure postgres backup Docker image is pulled + docker_image: + name: "{{ matrix_postgres_backup_docker_image_to_use }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_postgres_backup_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_backup_docker_image_force_pull }}" + when: matrix_postgres_backup_enabled|bool + +- name: Ensure Postgres backup paths exist + file: + path: "{{ item }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_postgres_backup_path }}" + when: matrix_postgres_backup_enabled|bool + +- name: Ensure Postgres environment variables file created + template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_postgres_backup_path }}/{{ item }}" + mode: 0640 + with_items: + - "env-postgres-backup" + when: matrix_postgres_backup_enabled|bool + +- name: Ensure matrix-postgres-backup.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-postgres-backup.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-postgres-backup.service" + mode: 0644 + register: matrix_postgres_backup_systemd_service_result + when: matrix_postgres_backup_enabled|bool + +- name: Ensure systemd reloaded after matrix-postgres-backup.service installation + service: + daemon_reload: yes + when: "matrix_postgres_backup_enabled|bool and matrix_postgres_backup_systemd_service_result.changed" + +# +# Tasks related to getting rid of the internal postgres backup server (if it was previously enabled) +# + +- name: Check existence of matrix-postgres-backup service + stat: + path: "{{ matrix_systemd_path }}/matrix-postgres-backup.service" + register: matrix_postgres_backup_service_stat + when: "not matrix_postgres_backup_enabled|bool" + +- name: Ensure matrix-postgres-backup is stopped + service: + name: matrix-postgres-backup + state: stopped + daemon_reload: yes + when: "not matrix_postgres_backup_enabled|bool and matrix_postgres_backup_service_stat.stat.exists" + +- name: Ensure matrix-postgres-backup.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-postgres-backup.service" + state: absent + when: "not matrix_postgres_backup_enabled|bool and matrix_postgres_backup_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-postgres-backup.service removal + service: + daemon_reload: yes + when: "not matrix_postgres_backup_enabled|bool and matrix_postgres_backup_service_stat.stat.exists" + +- name: Check existence of matrix-postgres-backup backup path + stat: + path: "{{ matrix_postgres_backup_path }}" + register: matrix_postgres_backup_path_stat + when: "not matrix_postgres_backup_enabled|bool" + +# We just want to notify the user. Deleting data is too destructive. +- name: Inject warning if matrix-postgres backup data remains + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: You are not using the local backup service to backup the PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_backup_path }}`. Feel free to delete it." + ] + }} + when: "not matrix_postgres_backup_enabled|bool and matrix_postgres_backup_path_stat.stat.exists" diff --git a/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml b/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml new file mode 100644 index 00000000..87a81f74 --- /dev/null +++ b/roles/matrix-postgres-backup/tasks/util/detect_existing_postgres_version.yml @@ -0,0 +1,56 @@ +--- + +# This utility aims to determine if there is some existing Postgres version in use or not. +# If there is, it also tries to detect the Docker image that corresponds to that version. + +- name: Initialize Postgres version determination variables (default to empty) + set_fact: + matrix_postgres_backup_detection_pg_version_path: "{{ matrix_postgres_data_path }}/PG_VERSION" + matrix_postgres_backup_detected_existing: false + matrix_postgres_backup_detected_version: "" + matrix_postgres_backup_detected_version_corresponding_docker_image: "" + +- name: Determine existing Postgres version (check PG_VERSION file) + stat: + path: "{{ matrix_postgres_backup_detection_pg_version_path }}" + register: result_pg_version_stat + +- set_fact: + matrix_postgres_backup_detected_existing: true + when: "result_pg_version_stat.stat.exists" + +- name: Determine existing Postgres version (read PG_VERSION file) + slurp: + src: "{{ matrix_postgres_backup_detection_pg_version_path }}" + register: result_pg_version + when: matrix_postgres_backup_detected_existing|bool + +- name: Determine existing Postgres version (make sense of PG_VERSION file) + set_fact: + matrix_postgres_backup_detected_version: "{{ result_pg_version['content']|b64decode|replace('\n', '') }}" + when: matrix_postgres_backup_detected_existing|bool + +- name: Determine corresponding Docker image to detected version (assume default of latest) + set_fact: + matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_latest }}" + when: "matrix_postgres_backup_detected_version != ''" + +- name: Determine corresponding Docker image to detected version (use 9.x, if detected) + set_fact: + matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v9 }}" + when: "matrix_postgres_backup_detected_version.startswith('9.')" + +- name: Determine corresponding Docker image to detected version (use 10.x, if detected) + set_fact: + matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v10 }}" + when: "matrix_postgres_backup_detected_version == '10' or matrix_postgres_backup_detected_version.startswith('10.')" + +- name: Determine corresponding Docker image to detected version (use 11.x, if detected) + set_fact: + matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v11 }}" + when: "matrix_postgres_backup_detected_version == '11' or matrix_postgres_backup_detected_version.startswith('11.')" + +- name: Determine corresponding Docker image to detected version (use 12.x, if detected) + set_fact: + matrix_postgres_backup_detected_version_corresponding_docker_image: "{{ matrix_postgres_backup_docker_image_v12 }}" + when: "matrix_postgres_backup_detected_version == '12' or matrix_postgres_backup_detected_version.startswith('12.')" diff --git a/roles/matrix-postgres-backup/tasks/validate_config.yml b/roles/matrix-postgres-backup/tasks/validate_config.yml new file mode 100644 index 00000000..fda9b919 --- /dev/null +++ b/roles/matrix-postgres-backup/tasks/validate_config.yml @@ -0,0 +1,18 @@ +--- + +- name: Fail if required Postgres settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_postgres_backup_connection_hostname" + - "matrix_postgres_backup_connection_username" + - "matrix_postgres_backup_connection_password" + - "matrix_postgres_backup_connection_port" + - "matrix_postgres_backup_schedule" + - "matrix_postgres_backup_keep_days" + - "matrix_postgres_backup_keep_weeks" + - "matrix_postgres_backup_keep_months" + - "matrix_postgres_backup_path" + - "matrix_postgres_backup_databases" diff --git a/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 b/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 new file mode 100644 index 00000000..5a3a1ffd --- /dev/null +++ b/roles/matrix-postgres-backup/templates/env-postgres-backup.j2 @@ -0,0 +1,12 @@ +#jinja2: lstrip_blocks: "True" +POSTGRES_USER={{ matrix_postgres_backup_connection_username }} +POSTGRES_PASSWORD={{ matrix_postgres_backup_connection_password }} +POSTGRES_HOST={{ matrix_postgres_backup_connection_hostname }} +POSTGRES_DB={{ matrix_postgres_backup_databases|join(', ') }} +POSTGRES_EXTRA_OPTS={{ matrix_postgres_backup_extra_opts }} +SCHEDULE={{ matrix_postgres_backup_schedule }} +BACKUP_KEEP_DAYS={{ matrix_postgres_backup_keep_days }} +BACKUP_KEEP_WEEKS={{ matrix_postgres_backup_keep_weeks }} +BACKUP_KEEP_MONTHS={{ matrix_postgres_backup_keep_months }} +HEALTHCHECK_PORT={{ matrix_postgres_backup_healthcheck_port }} +POSTGRES_PORT={{ matrix_postgres_backup_connection_port }} \ No newline at end of file diff --git a/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 b/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 new file mode 100644 index 00000000..97c9ae7f --- /dev/null +++ b/roles/matrix-postgres-backup/templates/systemd/matrix-postgres-backup.service.j2 @@ -0,0 +1,31 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Automatic Backup of Matrix Postgres server +After=docker.service +Requires=docker.service +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} stop matrix-postgres-backup +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres-backup 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres-backup \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_postgres_backup_path }}/env-postgres-backup \ + --mount type=bind,src={{ matrix_postgres_backup_path }},dst=/backups \ + {{ matrix_postgres_backup_docker_image_to_use }} + +ExecStop=-{{ matrix_host_command_docker }} stop matrix-postgres-backup +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres-backup 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-postgres-backup + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 8e1d2a8e..72e42021 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -17,11 +17,11 @@ matrix_postgres_architecture: amd64 # > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" -matrix_postgres_docker_image_v9: "docker.io/postgres:9.6.21{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v10: "docker.io/postgres:10.16{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v11: "docker.io/postgres:11.11{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v12: "docker.io/postgres:12.6{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v13: "docker.io/postgres:13.2{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.21{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.16{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.11{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.6{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.2{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" # This variable is assigned at runtime. Overriding its value has no effect. @@ -90,6 +90,6 @@ matrix_postgres_pgloader_container_image_self_build_src_path: "{{ matrix_postgre # We use illagrenan/pgloader, instead of the more official dimitri/pgloader image, # because the official one only provides a `latest` tag. matrix_postgres_pgloader_docker_image: "{{ matrix_postgres_pgloader_docker_image_name_prefix }}illagrenan/pgloader:{{ matrix_postgres_pgloader_docker_image_tag }}" -matrix_postgres_pgloader_docker_image_name_prefix: "{{ 'localhost/' if matrix_postgres_pgloader_container_image_self_build else 'docker.io/' }}" +matrix_postgres_pgloader_docker_image_name_prefix: "{{ 'localhost/' if matrix_postgres_pgloader_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_postgres_pgloader_docker_image_tag: "3.6.2" matrix_postgres_pgloader_docker_image_force_pull: "{{ matrix_postgres_pgloader_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index 47611f7c..e4bf7cf7 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -4,7 +4,7 @@ matrix_prometheus_node_exporter_enabled: false matrix_prometheus_node_exporter_version: v1.1.0 -matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" +matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 123418d4..3c4acc85 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -4,7 +4,7 @@ matrix_prometheus_enabled: false matrix_prometheus_version: v2.24.1 -matrix_prometheus_docker_image: "docker.io/prom/prometheus:{{ matrix_prometheus_version }}" +matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus" diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml index a512618c..e33e7493 100644 --- a/roles/matrix-redis/defaults/main.yml +++ b/roles/matrix-redis/defaults/main.yml @@ -6,7 +6,7 @@ matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" matrix_redis_version: 6.0.10-alpine -matrix_redis_docker_image_v6: "docker.io/redis:{{ matrix_redis_version }}" +matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml index 065e0c48..e03891b2 100644 --- a/roles/matrix-registration/defaults/main.yml +++ b/roles/matrix-registration/defaults/main.yml @@ -15,7 +15,7 @@ matrix_registration_docker_src_files_path: "{{ matrix_registration_base_path }}/ matrix_registration_version: "v0.7.2" matrix_registration_docker_image: "{{ matrix_registration_docker_image_name_prefix }}zeratax/matrix-registration:{{ matrix_registration_version }}" -matrix_registration_docker_image_name_prefix: "{{ 'localhost/' if matrix_registration_container_image_self_build else 'docker.io/' }}" +matrix_registration_docker_image_name_prefix: "{{ 'localhost/' if matrix_registration_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_registration_docker_image_force_pull: "{{ matrix_registration_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-sygnal/defaults/main.yml b/roles/matrix-sygnal/defaults/main.yml index 50e0e26e..476ac2ad 100644 --- a/roles/matrix-sygnal/defaults/main.yml +++ b/roles/matrix-sygnal/defaults/main.yml @@ -8,7 +8,7 @@ matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data" matrix_sygnal_version: v0.9.0 -matrix_sygnal_docker_image: "docker.io/matrixdotorg/sygnal:{{ matrix_sygnal_version }}" +matrix_sygnal_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_version }}" matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" # List of systemd services that matrix-sygnal.service depends on. diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 1534bc82..c7f128e3 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -10,7 +10,7 @@ matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse matrix_synapse_admin_version: 0.7.0 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" -matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else 'docker.io/' }}" +matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a68def4b..f441ac40 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -7,7 +7,7 @@ matrix_synapse_container_image_self_build: false matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/synapse.git" matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" -matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}" +matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" # The if statement below may look silly at times (leading to the same version being returned), # but ARM-compatible container images are only released 1-7 hours after a release, # so we may often be on different versions for different architectures when new Synapse releases come out. @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.30.1 -matrix_synapse_version_arm64: v1.30.1 +matrix_synapse_version: v1.31.0 +matrix_synapse_version_arm64: v1.31.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 4be50524..ace2dd45 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -869,10 +869,10 @@ rc_admin_redaction: {{ matrix_synapse_rc_admin_redaction|to_json }} #rc_joins: # local: # per_second: 0.1 -# burst_count: 3 +# burst_count: 10 # remote: # per_second: 0.01 -# burst_count: 3 +# burst_count: 10 rc_joins: {{ matrix_synapse_rc_joins|to_json }} # #rc_3pid_validation: @@ -1772,6 +1772,9 @@ saml2_config: # Note that, if this is changed, users authenticating via that provider # will no longer be recognised as the same user! # +# (Use "oidc" here if you are migrating from an old "oidc_config" +# configuration.) +# # idp_name: A user-facing name for this identity provider, which is used to # offer the user a choice of login mechanisms. # @@ -1887,6 +1890,24 @@ saml2_config: # which is set to the claims returned by the UserInfo Endpoint and/or # in the ID Token. # +# It is possible to configure Synapse to only allow logins if certain attributes +# match particular values in the OIDC userinfo. The requirements can be listed under +# `attribute_requirements` as shown below. All of the listed attributes must +# match for the login to be permitted. Additional attributes can be added to +# userinfo by expanding the `scopes` section of the OIDC config to retrieve +# additional information from the OIDC provider. +# +# If the OIDC claim is a list, then the attribute must match any value in the list. +# Otherwise, it must exactly match the value of the claim. Using the example +# below, the `family_name` claim MUST be "Stephensson", but the `groups` +# claim MUST contain "admin". +# +# attribute_requirements: +# - attribute: family_name +# value: "Stephensson" +# - attribute: groups +# value: "admin" +# # See https://github.com/matrix-org/synapse/blob/master/docs/openid.md # for information on how to configure these options. # @@ -1918,34 +1939,9 @@ oidc_providers: # localpart_template: "{% raw %}{{ user.login }}{% endraw %}" # display_name_template: "{% raw %}{{ user.name }}{% endraw %}" # email_template: "{% raw %}{{ user.email }}{% endraw %}" - - # For use with Keycloak - # - #- idp_id: keycloak - # idp_name: Keycloak - # issuer: "https://127.0.0.1:8443/auth/realms/my_realm_name" - # client_id: "synapse" - # client_secret: "copy secret generated in Keycloak UI" - # scopes: ["openid", "profile"] - - # For use with Github - # - #- idp_id: github - # idp_name: Github - # idp_brand: github - # discover: false - # issuer: "https://github.com/" - # client_id: "your-client-id" # TO BE FILLED - # client_secret: "your-client-secret" # TO BE FILLED - # authorization_endpoint: "https://github.com/login/oauth/authorize" - # token_endpoint: "https://github.com/login/oauth/access_token" - # userinfo_endpoint: "https://api.github.com/user" - # scopes: ["read:user"] - # user_mapping_provider: - # config: - # subject_claim: "id" - # localpart_template: "{% raw %}{{ user.login }}{% endraw %}" - # display_name_template: "{% raw %}{{ user.name }}{% endraw %}" + # attribute_requirements: + # - attribute: userGroup + # value: "synapseUsers" # Enable Central Authentication Service (CAS) for registration and login. diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index 14b75a92..c989fb5b 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -55,9 +55,6 @@ matrix_synapse_workers_generic_worker_endpoints: # Registration/login requests - ^/_matrix/client/(api/v1|r0|unstable)/login$ - ^/_matrix/client/(r0|unstable)/register$ - # FIXME: possible bug with SSO and multiple generic workers - # see https://github.com/matrix-org/synapse/issues/7530 - # ^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$ # Event sending requests - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/redact @@ -107,7 +104,7 @@ matrix_synapse_workers_generic_worker_endpoints: # Ensure that all SSO logins go to a single process. # For multiple workers not handling the SSO endpoints properly, see - # [#7530](https://github.com/matrix-org/synapse/issues/7530) and + # [#7530](https://github.com/matrix-org/synapse/issues/7530) and # [#9427](https://github.com/matrix-org/synapse/issues/9427). # Note that a HTTP listener with `client` and `federation` resources must be diff --git a/setup.yml b/setup.yml index 683f1955..4e2879e5 100755 --- a/setup.yml +++ b/setup.yml @@ -51,4 +51,6 @@ - matrix-nginx-proxy - matrix-coturn - matrix-aux + - matrix-postgres-backup - matrix-common-after + From 540416e32df79d0550610455b622202d08d5bcf1 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Thu, 15 Apr 2021 19:25:23 +0530 Subject: [PATCH 2101/2384] Disable support for TLS 1.0 and TLS 1.1 These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1. --- roles/matrix-coturn/templates/turnserver.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index 3fcf0b67..285320dc 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -16,6 +16,8 @@ no-cli {% if matrix_coturn_tls_enabled %} cert={{ matrix_coturn_tls_cert_path }} pkey={{ matrix_coturn_tls_key_path }} +no-tlsv1 +no-tlsv1_1 {% else %} no-tls no-dtls From fcb9e9618a30ebc8ff7ad7ddac202562beb8fa42 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 16 Apr 2021 09:29:32 +0300 Subject: [PATCH 2102/2384] Make Coturn TLSv1/v1.1 configurable Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/999 --- CHANGELOG.md | 14 ++++++++++++++ roles/matrix-coturn/defaults/main.yml | 3 +++ roles/matrix-coturn/templates/turnserver.conf.j2 | 4 ++++ 3 files changed, 21 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 326c2103..37988c94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,17 @@ +# 2021-04-16 + +## Disabling TLSv1 and TLSv1.1 for Coturn + +To improve security, we've [removed TLSv1 and TLSv1.1 support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/999) from our default [Coturn](https://github.com/coturn/coturn) configuration. + +If you need to support old clients, you can re-enable both (or whichever one you need) with the following configuration: + +```yaml +matrix_coturn_tls_v1_enabled: true +matrix_coturn_tls_v1_1_enabled: true +``` + + # 2021-04-05 ## Automated local Postgres backup support diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 9eccfde2..63c4511f 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -73,3 +73,6 @@ matrix_coturn_total_quota: null matrix_coturn_tls_enabled: false matrix_coturn_tls_cert_path: ~ matrix_coturn_tls_key_path: ~ + +matrix_coturn_tls_v1_enabled: false +matrix_coturn_tls_v1_1_enabled: false diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index 285320dc..ba662587 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -16,8 +16,12 @@ no-cli {% if matrix_coturn_tls_enabled %} cert={{ matrix_coturn_tls_cert_path }} pkey={{ matrix_coturn_tls_key_path }} +{% if not matrix_coturn_tls_v1_enabled %} no-tlsv1 +{% endif %} +{% if not matrix_coturn_tls_v1_1_enabled %} no-tlsv1_1 +{% endif %} {% else %} no-tls no-dtls From 5dc642ace12b3716c5f5cb6d4a07dcc9360b776f Mon Sep 17 00:00:00 2001 From: sakkiii Date: Fri, 16 Apr 2021 14:45:04 +0530 Subject: [PATCH 2103/2384] Nginx element web: XSS protection & nosniff header X-XSS-Protection: 1; mode=block; header, for basic XSS protection in legacy browsers. X-Content-Type-Options: nosniff header, to disable MIME sniffing --- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index f56d7fd5..5643af72 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -6,6 +6,8 @@ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} From 83cc5c9e6a397f78cfa9077af8bc254d8e3e1b73 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Fri, 16 Apr 2021 09:17:04 -0500 Subject: [PATCH 2104/2384] Update prometheus node exporter (1.1.0 -> 1.1.2) --- roles/matrix-prometheus-node-exporter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index e4bf7cf7..f2eca52c 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_node_exporter_enabled: false -matrix_prometheus_node_exporter_version: v1.1.0 +matrix_prometheus_node_exporter_version: v1.1.2 matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" From 8a550ce67c619701cd14098ecfbd1b3431688541 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Fri, 16 Apr 2021 09:25:45 -0500 Subject: [PATCH 2105/2384] Update prometheus (2.24.1->2.26.0) --- roles/matrix-prometheus/defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 3c4acc85..1c9bc144 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.24.1 +matrix_prometheus_version: v2.26.0 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" @@ -64,4 +64,3 @@ matrix_prometheus_configuration_extension: "{{ matrix_prometheus_configuration_e # Holds the final configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_prometheus_configuration_yaml`. matrix_prometheus_configuration: "{{ matrix_prometheus_configuration_yaml|from_yaml|combine(matrix_prometheus_configuration_extension, recursive=True) }}" - From 68ca81c8c2a69350bee199bb38c35dbab1e999e5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 17 Apr 2021 11:41:49 +0300 Subject: [PATCH 2106/2384] Attempt to fix docker_network result discrepancy between Ansible versions Supposedly fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/907 --- roles/matrix-prometheus/tasks/setup_install.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-prometheus/tasks/setup_install.yml b/roles/matrix-prometheus/tasks/setup_install.yml index 8aee5178..3d686798 100644 --- a/roles/matrix-prometheus/tasks/setup_install.yml +++ b/roles/matrix-prometheus/tasks/setup_install.yml @@ -30,8 +30,10 @@ driver: bridge register: matrix_docker_network_info + # The `matrix_docker_network_info.ansible_facts.docker_network` workaroudn is for Ansible <= 2.8. + # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/907 - set_fact: - matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100"] + matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network|default(matrix_docker_network_info.ansible_facts.docker_network).IPAM.Config[0].Gateway }}:9100"] when: "matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0" From 27377e099d6e786fed89d557d370748601f15c46 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Sat, 17 Apr 2021 17:31:14 +0530 Subject: [PATCH 2107/2384] updated matrix_grafana_docker_image to v7.5.4 Latest stable grafana version is [7.5.4 (2021-04-14)](https://github.com/grafana/grafana/releases/tag/v7.5.4) --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index f358608b..f7ef84bb 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 7.5.2 +matrix_grafana_version: 7.5.4 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 05042f5ff164dc9eebea2746bbb1fd2e2afe6555 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Sat, 17 Apr 2021 21:03:05 +0530 Subject: [PATCH 2108/2384] Improve security grafana - duplicate X-Content-Type-Options - X-Frame-Options header - Referrer-Policy [Might consider adding variable] - Secure flag with cookies - matrix_grafana_content_security_policy variable for [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy) --- roles/matrix-grafana/defaults/main.yml | 6 ++++++ roles/matrix-grafana/templates/grafana.ini.j2 | 3 +++ .../templates/nginx/conf.d/matrix-grafana.conf.j2 | 10 +++++++--- 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index f358608b..c8d47d85 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -31,6 +31,12 @@ matrix_grafana_anonymous_access_org_name: 'Main Org.' matrix_grafana_default_admin_user: admin matrix_grafana_default_admin_password: admin +# Set to true to add the Content-Security-Policy header to your requests. +# CSP allows to control resources that the user agent can load and helps +# prevent XSS attacks. +# [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy) +matrix_grafana_content_security_policy: true + # A list of extra arguments to pass to the container matrix_grafana_container_extra_arguments: [] diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index c7fe1d91..38534bc3 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -5,6 +5,9 @@ admin_user = "{{ matrix_grafana_default_admin_user }}" # default admin password, can be changed before first start of grafana, or in profile settings admin_password = """{{ matrix_grafana_default_admin_password }}""" +# specify content_security_policy to add the Content-Security-Policy header to your requests +content_security_policy = "{{ matrix_grafana_content_security_policy }}" + [auth.anonymous] # enable anonymous access enabled = {{ matrix_grafana_anonymous_access }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index 0e1f1c2d..cd86f090 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -3,9 +3,13 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options SAMEORIGIN; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + # duplicate X-Content-Type-Options & X-Frame-Options header + # Enabled by grafana by default + # add_header X-Content-Type-Options nosniff; + # add_header X-Frame-Options SAMEORIGIN; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + proxy_cookie_path / "/; HTTPOnly; Secure"; {% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} From 1958d0792d451cfe96bf889bec1d48bede2d92c0 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Sat, 17 Apr 2021 21:33:07 +0530 Subject: [PATCH 2109/2384] Update matrix-client-element.conf.j2 --- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 5643af72..f56d7fd5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -6,8 +6,6 @@ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} From badd81e0ec95811ba98688ac185f4fb406c9c8e0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 17 Apr 2021 19:31:20 +0300 Subject: [PATCH 2110/2384] Revert "Attempt to fix docker_network result discrepancy between Ansible versions" This reverts commit 68ca81c8c2a69350bee199bb38c35dbab1e999e5. --- roles/matrix-prometheus/tasks/setup_install.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/roles/matrix-prometheus/tasks/setup_install.yml b/roles/matrix-prometheus/tasks/setup_install.yml index 3d686798..8aee5178 100644 --- a/roles/matrix-prometheus/tasks/setup_install.yml +++ b/roles/matrix-prometheus/tasks/setup_install.yml @@ -30,10 +30,8 @@ driver: bridge register: matrix_docker_network_info - # The `matrix_docker_network_info.ansible_facts.docker_network` workaroudn is for Ansible <= 2.8. - # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/907 - set_fact: - matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network|default(matrix_docker_network_info.ansible_facts.docker_network).IPAM.Config[0].Gateway }}:9100"] + matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100"] when: "matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0" From f04614a993c41890edb4a2dc30571445203781f4 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Sat, 17 Apr 2021 20:15:26 -0500 Subject: [PATCH 2111/2384] Fix prometheus network for ansible < 2.8 --- roles/matrix-prometheus/tasks/setup_install.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-prometheus/tasks/setup_install.yml b/roles/matrix-prometheus/tasks/setup_install.yml index 8aee5178..df2fb687 100644 --- a/roles/matrix-prometheus/tasks/setup_install.yml +++ b/roles/matrix-prometheus/tasks/setup_install.yml @@ -30,8 +30,10 @@ driver: bridge register: matrix_docker_network_info + # The `matrix_docker_network_info.ansible_facts.docker_network` workaround is for Ansible < 2.8. + # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/907 - set_fact: - matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100"] + matrix_prometheus_scraper_node_targets: ["{{ (matrix_docker_network_info.network|default(matrix_docker_network_info.ansible_facts.docker_network)).IPAM.Config[0].Gateway }}:9100"] when: "matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0" From 2bf7c26cfafbb12251b2372aa4fa3e9ae2dadb62 Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sun, 18 Apr 2021 16:24:13 +0200 Subject: [PATCH 2112/2384] Don't expose nginx version with each response --- roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index dae83ab9..9ec7fa56 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -48,6 +48,8 @@ http { keepalive_timeout 65; + server_tokens off; + #gzip on; {# Map directive needed for proxied WebSocket upgrades #} map $http_upgrade $connection_upgrade { From d0cd709c08020e795bbd4cbfd23978179a53c9dd Mon Sep 17 00:00:00 2001 From: sak Date: Mon, 19 Apr 2021 15:15:59 +0530 Subject: [PATCH 2113/2384] security** node-exporter data & port publicly exposed --- roles/matrix-prometheus-node-exporter/defaults/main.yml | 2 +- .../systemd/matrix-prometheus-node-exporter.service.j2 | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index f2eca52c..90f809f1 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -18,5 +18,5 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: [] # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). # -# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. matrix_prometheus_node_exporter_container_http_host_bind_port: '' diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 93638c19..c9f752a7 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -22,9 +22,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} - -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ - {% endif %} {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} {{ arg }} \ {% endfor %} @@ -32,6 +29,12 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --pid=host \ --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ {{ matrix_prometheus_node_exporter_docker_image }} \ + {{ matrix_prometheus_node_exporter_docker_image }} \ + {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} + --web.listen-address={{ matrix_prometheus_node_exporter_container_http_host_bind_port }} \ + {% else %} + --web.listen-address=localhost:9100 \ + {% endif %} --path.rootfs=/host ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' From 0f9a4557193d249e9ee746c98de6f2a6767d434c Mon Sep 17 00:00:00 2001 From: sak Date: Mon, 19 Apr 2021 15:24:36 +0530 Subject: [PATCH 2114/2384] Revert "security** node-exporter data & port publicly exposed" This reverts commit d0cd709c08020e795bbd4cbfd23978179a53c9dd. --- roles/matrix-prometheus-node-exporter/defaults/main.yml | 2 +- .../systemd/matrix-prometheus-node-exporter.service.j2 | 9 +++------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index 90f809f1..f2eca52c 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -18,5 +18,5 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: [] # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). # -# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. matrix_prometheus_node_exporter_container_http_host_bind_port: '' diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index c9f752a7..93638c19 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -22,6 +22,9 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ + {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ + {% endif %} {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} {{ arg }} \ {% endfor %} @@ -29,12 +32,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --pid=host \ --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ {{ matrix_prometheus_node_exporter_docker_image }} \ - {{ matrix_prometheus_node_exporter_docker_image }} \ - {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} - --web.listen-address={{ matrix_prometheus_node_exporter_container_http_host_bind_port }} \ - {% else %} - --web.listen-address=localhost:9100 \ - {% endif %} --path.rootfs=/host ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' From 88a30fb5ed4d2957fae09f8b0ca56daa003c9045 Mon Sep 17 00:00:00 2001 From: sak Date: Mon, 19 Apr 2021 15:35:23 +0530 Subject: [PATCH 2115/2384] security** node-exporter data & port publicly exposed --- roles/matrix-prometheus-node-exporter/defaults/main.yml | 2 +- .../systemd/matrix-prometheus-node-exporter.service.j2 | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index f2eca52c..90f809f1 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -18,5 +18,5 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: [] # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). # -# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. matrix_prometheus_node_exporter_container_http_host_bind_port: '' diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 93638c19..5a72d37a 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -22,9 +22,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} - -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ - {% endif %} {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} {{ arg }} \ {% endfor %} @@ -32,6 +29,11 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --pid=host \ --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ {{ matrix_prometheus_node_exporter_docker_image }} \ + {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} + --web.listen-address={{ matrix_prometheus_node_exporter_container_http_host_bind_port }} \ + {% else %} + --web.listen-address=localhost:9100 \ + {% endif %} --path.rootfs=/host ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' From 29177d492242a336cffd1f6a09ebd5b99ed47ced Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Mon, 19 Apr 2021 09:04:08 -0500 Subject: [PATCH 2116/2384] Switch to official coturn docker image --- roles/matrix-coturn/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 63c4511f..de5b7b91 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -1,10 +1,10 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false -matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git" +matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn/tree/master/docker/coturn/alpine.git" matrix_coturn_version: 4.5.2 -matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}" +matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From 82f7e1c7c031773e24fb6ab2361ba318480c64c1 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Mon, 19 Apr 2021 09:05:04 -0500 Subject: [PATCH 2117/2384] Update docs --- docs/container-images.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/container-images.md b/docs/container-images.md index 7cc7c2f6..f2914488 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -11,7 +11,7 @@ These services are enabled and used by default, but you can turn them off, if yo - [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Synapse](https://github.com/matrix-org/synapse) Matrix homeserver (optional) -- [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) +- [coturn/coturn](https://hub.docker.com/r/coturn/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) - [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional) From 8da8979a24818293cf913104af115864a25f58e0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 19 Apr 2021 17:45:27 +0300 Subject: [PATCH 2118/2384] Do not override matrix_prometheus_node_exporter_container_http_host_bind_port when matrix-nginx-proxy disabled Not sure why this had been done in the first place. It doesn't make any sense. There's no relation between matrix-nginx-proxy and prometheus-node-exporter. --- group_vars/matrix_servers | 5 ----- 1 file changed, 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index fb007d92..441cc162 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1675,11 +1675,6 @@ matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }} matrix_prometheus_node_exporter_enabled: false -# Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus Node Exporter over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# Prometheus' HTTP port to the local host. -matrix_prometheus_node_exporter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9200' }}" - ###################################################################### # # /matrix-prometheus-node-exporter From b2ca1f282933feb771cf516dc63ca4cff52124fe Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Mon, 19 Apr 2021 10:16:26 -0500 Subject: [PATCH 2119/2384] Add capability required by new image --- roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 930db7c1..a39030af 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -17,6 +17,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --cap-add=NET_BIND_SERVICE \ --entrypoint=turnserver \ --read-only \ --tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \ From adcecaffaf5e532490b85096859f8adf136e1c62 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 19 Apr 2021 18:27:11 +0300 Subject: [PATCH 2120/2384] Fix connectivity between prometheus and prometheus-node-exporter Expected to have regressed after https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008 This patch comes with its own downsides (as described in the comments for matrix_prometheus_node_exporter_container_http_host_bind_port), but at least there's: - no security issue - metrics remain readable from matrix-prometheus (even if the network metrics are inaccurate) A better patch is certainly welcome. --- group_vars/matrix_servers | 1 + .../defaults/main.yml | 12 ++++++++++++ .../matrix-prometheus-node-exporter.service.j2 | 10 ++++------ .../matrix-prometheus/tasks/setup_install.yml | 18 ------------------ 4 files changed, 17 insertions(+), 24 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 441cc162..1f9d5926 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1701,6 +1701,7 @@ matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_me matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}" matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}" +matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}" ###################################################################### # diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index 90f809f1..492d48b1 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -19,4 +19,16 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: [] # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). # # Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# +# Official recommendations are to run this container with `--net=host`, +# but we don't do that, since it: +# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) +# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`) +# +# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, +# but that's trickier to accomplish and won't necessarily work (hasn't been tested). +# +# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), +# because node-exporter can't see all interfaces, etc. +# For now, we'll live with that, until someone develops a better solution. matrix_prometheus_node_exporter_container_http_host_bind_port: '' diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 5a72d37a..210a0d97 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -25,15 +25,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} {{ arg }} \ {% endfor %} - --net=host \ + --network={{ matrix_docker_network }} \ + {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ + {% endif %} --pid=host \ --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ {{ matrix_prometheus_node_exporter_docker_image }} \ - {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} - --web.listen-address={{ matrix_prometheus_node_exporter_container_http_host_bind_port }} \ - {% else %} - --web.listen-address=localhost:9100 \ - {% endif %} --path.rootfs=/host ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' diff --git a/roles/matrix-prometheus/tasks/setup_install.yml b/roles/matrix-prometheus/tasks/setup_install.yml index df2fb687..15a69279 100644 --- a/roles/matrix-prometheus/tasks/setup_install.yml +++ b/roles/matrix-prometheus/tasks/setup_install.yml @@ -19,24 +19,6 @@ - "{{ matrix_prometheus_config_path }}" - "{{ matrix_prometheus_data_path }}" -- block: - # Well, this actually creates the network if it doesn't exist, but.. - # The network should have been created by `matrix-base` already. - # We don't rely on that other call and its result, because it runs - # on `--tags=setup-all`, but will get skipped during `--tags=setup-prometheus`. - - name: Fetch Matrix Docker network details - docker_network: - name: "{{ matrix_docker_network }}" - driver: bridge - register: matrix_docker_network_info - - # The `matrix_docker_network_info.ansible_facts.docker_network` workaround is for Ansible < 2.8. - # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/907 - - set_fact: - matrix_prometheus_scraper_node_targets: ["{{ (matrix_docker_network_info.network|default(matrix_docker_network_info.ansible_facts.docker_network)).IPAM.Config[0].Gateway }}:9100"] - when: "matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0" - - - name: Download synapse-v2.rules get_url: url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}" From f825c7c263782638d352ada58dff1d6b64033f64 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 20 Apr 2021 17:47:34 +0300 Subject: [PATCH 2121/2384] Upgrade Synapse (1.31 -> 1.32) --- docs/faq.md | 2 +- docs/maintenance-synapse.md | 2 +- group_vars/matrix_servers | 12 ++-- roles/matrix-synapse/defaults/main.yml | 6 +- .../matrix-synapse/tasks/validate_config.yml | 1 + .../templates/synapse/homeserver.yaml.j2 | 58 +++++++++++++++---- 6 files changed, 59 insertions(+), 22 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index 84089b5e..6c9eedc2 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -297,7 +297,7 @@ matrix_coturn_enabled: false # hundreds of servers inside is insanely heavy (https://github.com/matrix-org/synapse/issues/3971). # # If your server does not federate with hundreds of others, enabling this doesn't hurt much. -matrix_synapse_use_presence: false +matrix_synapse_presence_enabled: false ``` You can also consider implementing a restriction on room complexity, in order to prevent users from joining very heavy rooms: diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index 7b7514a5..d6c4789d 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -74,7 +74,7 @@ You should then be able to browse the adminer database administration GUI at htt ## Make Synapse faster -Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_use_presence: false` to your `vars.yml` file. +Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_presence_enabled: false` to your `vars.yml` file. Tuning Synapse's cache factor can help reduce RAM usage. [See the upstream documentation](https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu) for more information on what value to set the cache factor to. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1f9d5926..9fec86e9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -64,7 +64,7 @@ matrix_appservice_discord_enabled: false matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}" # If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side. -matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}" +matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}" matrix_appservice_discord_systemd_required_services_list: | {{ @@ -188,7 +188,7 @@ matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_prox # The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable # IRC bridge presence, for performance reasons. -matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_use_presence }}" +matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_presence_enabled }}" matrix_appservice_irc_systemd_required_services_list: | {{ @@ -242,7 +242,7 @@ matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" +matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. @@ -325,7 +325,7 @@ matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_ke matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" +matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. @@ -1211,7 +1211,7 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" -matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presence }}" +matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}" matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" @@ -1527,7 +1527,7 @@ matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registrati matrix_client_element_enable_presence_by_hs_url: | {{ none - if matrix_synapse_use_presence + if matrix_synapse_presence_enabled else {matrix_client_element_default_hs_url: false} }} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f441ac40..63db510a 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.31.0 -matrix_synapse_version_arm64: v1.31.0 +matrix_synapse_version: v1.32.0 +matrix_synapse_version_arm64: v1.32.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -170,7 +170,7 @@ matrix_synapse_report_stats: false # Controls whether the Matrix server will track presence status (online, offline, unavailable) for users. # If users participate in large rooms with many other servers, # disabling this will decrease server load significantly. -matrix_synapse_use_presence: true +matrix_synapse_presence_enabled: true # Controls whether accessing the server's public rooms directory can be done without authentication. # For private servers, you most likely wish to require authentication, diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index f7631111..6dcb50ce 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -47,6 +47,7 @@ - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': ''} - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'} - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': ''} + - {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'} - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml fail: diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index ace2dd45..e951067a 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -58,9 +58,28 @@ public_baseurl: https://{{ matrix_server_fqn_matrix }}/ # #soft_file_limit: 0 -# Set to false to disable presence tracking on this homeserver. +# Presence tracking allows users to see the state (e.g online/offline) +# of other local and remote users. # -use_presence: {{ matrix_synapse_use_presence|to_json }} +presence: + # Uncomment to disable presence tracking on this homeserver. This option + # replaces the previous top-level 'use_presence' option. + # + enabled: {{ matrix_synapse_presence_enabled|to_json }} + + # Presence routers are third-party modules that can specify additional logic + # to where presence updates from users are routed. + # + presence_router: + # The custom module's class. Uncomment to use a custom presence router module. + # + #module: "my_custom_router.PresenceRouter" + + # Configuration options of the custom module. Refer to your module's + # documentation for available options. + # + #config: + # example_option: 'something' # Whether to require authentication to retrieve profile data (avatars, # display names) of other users through the client API. Defaults to @@ -1252,9 +1271,9 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json # #allowed_local_3pids: # - medium: email -# pattern: '.*@matrix\.org' +# pattern: '^[^@]+@matrix\.org$' # - medium: email -# pattern: '.*@vector\.im' +# pattern: '^[^@]+@vector\.im$' # - medium: msisdn # pattern: '\+44' {% if matrix_synapse_allowed_local_3pids|length > 0 %} @@ -1467,14 +1486,31 @@ report_stats: {{ matrix_synapse_report_stats|to_json }} ## API Configuration ## -# A list of event types that will be included in the room_invite_state +# Controls for the state that is shared with users who receive an invite +# to a room # -#room_invite_state_types: -# - "m.room.join_rules" -# - "m.room.canonical_alias" -# - "m.room.avatar" -# - "m.room.encryption" -# - "m.room.name" +room_prejoin_state: + # By default, the following state event types are shared with users who + # receive invites to the room: + # + # - m.room.join_rules + # - m.room.canonical_alias + # - m.room.avatar + # - m.room.encryption + # - m.room.name + # + # Uncomment the following to disable these defaults (so that only the event + # types listed in 'additional_event_types' are shared). Defaults to 'false'. + # + #disable_default_event_types: true + + # Additional state event types to share with users when they are invited + # to a room. + # + # By default, this list is empty (so only the default event types are shared). + # + #additional_event_types: + # - org.example.custom.event.type # A list of application service config files to use From bb64b806978dfddf1eec563cbe338ae6a7f85b35 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Tue, 20 Apr 2021 15:14:08 -0500 Subject: [PATCH 2122/2384] Upgrade synapse-admin (0.7.0 -> 0.7.2) --- roles/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index c7f128e3..402b8a1d 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.7.0 +matrix_synapse_admin_version: 0.7.2 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From 9ee1d23afe71c463df86b192e8bf7e0cdf161fdc Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Tue, 20 Apr 2021 15:17:26 -0500 Subject: [PATCH 2123/2384] Update mautrix-facebook docs --- ...guring-playbook-bridge-mautrix-facebook.md | 29 +++++++++++++++---- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-facebook.md b/docs/configuring-playbook-bridge-mautrix-facebook.md index a228f7cb..d07873ae 100644 --- a/docs/configuring-playbook-bridge-mautrix-facebook.md +++ b/docs/configuring-playbook-bridge-mautrix-facebook.md @@ -2,16 +2,37 @@ The playbook can install and configure [mautrix-facebook](https://github.com/tulir/mautrix-facebook) for you. -See the project's [documentation](https://github.com/tulir/mautrix-facebook/wiki#usage) to learn what it does and why it might be useful to you. +See the project's [documentation](https://github.com/tulir/mautrix-facebook/blob/master/ROADMAP.md) to learn what it does and why it might be useful to you. ```yaml matrix_mautrix_facebook_enabled: true ``` +There are some additional things you may wish to configure about the bridge before you continue. + +Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file: +```yaml +matrix_mautrix_facebook_configuration_extension_yaml: | + bridge: + encryption: + allow: true + default: true +``` + +If you would like to be able to administrate the bridge from your account it can be configured like this: +```yaml +matrix_mautrix_facebook_configuration_extension_yaml: | + bridge: + permissions: + '@YOUR_USERNAME:YOUR_DOMAIN': admin +``` + +You may wish to look at `roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2` to find other things you would like to configure. + ## Set up Double Puppeting -If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-facebook/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it. +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. ### Method 1: automatically, by enabling Shared Secret Auth @@ -42,9 +63,7 @@ https://matrix.DOMAIN/_matrix/client/r0/login You then need to start a chat with `@facebookbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). -Send `login YOUR_FACEBOOK_EMAIL_ADDRESS YOUR_FACEBOOK_PASSWORD` to the bridge bot to enable bridging for your Facebook/Messenger account. - -You can learn more here about authentication from the bridge's [official documentation on Authentication](https://github.com/tulir/mautrix-facebook/wiki/Authentication). +Send `login YOUR_FACEBOOK_EMAIL_ADDRESS` to the bridge bot to enable bridging for your Facebook Messenger account. You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/facebook/authentication.html). If you run into trouble, check the [Troubleshooting](#troubleshooting) section below. From ca786cc3436dd624a18a8cba2e34cfd4fcdc7a53 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 20 Apr 2021 23:40:55 +0300 Subject: [PATCH 2124/2384] Revert "Upgrade Synapse (1.31 -> 1.32)" This reverts commit f825c7c263782638d352ada58dff1d6b64033f64. Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1010 --- docs/faq.md | 2 +- docs/maintenance-synapse.md | 2 +- group_vars/matrix_servers | 12 ++-- roles/matrix-synapse/defaults/main.yml | 6 +- .../matrix-synapse/tasks/validate_config.yml | 1 - .../templates/synapse/homeserver.yaml.j2 | 58 ++++--------------- 6 files changed, 22 insertions(+), 59 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index 6c9eedc2..84089b5e 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -297,7 +297,7 @@ matrix_coturn_enabled: false # hundreds of servers inside is insanely heavy (https://github.com/matrix-org/synapse/issues/3971). # # If your server does not federate with hundreds of others, enabling this doesn't hurt much. -matrix_synapse_presence_enabled: false +matrix_synapse_use_presence: false ``` You can also consider implementing a restriction on room complexity, in order to prevent users from joining very heavy rooms: diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index d6c4789d..7b7514a5 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -74,7 +74,7 @@ You should then be able to browse the adminer database administration GUI at htt ## Make Synapse faster -Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_presence_enabled: false` to your `vars.yml` file. +Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_use_presence: false` to your `vars.yml` file. Tuning Synapse's cache factor can help reduce RAM usage. [See the upstream documentation](https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu) for more information on what value to set the cache factor to. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9fec86e9..1f9d5926 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -64,7 +64,7 @@ matrix_appservice_discord_enabled: false matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}" # If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side. -matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}" +matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}" matrix_appservice_discord_systemd_required_services_list: | {{ @@ -188,7 +188,7 @@ matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_prox # The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable # IRC bridge presence, for performance reasons. -matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_presence_enabled }}" +matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_use_presence }}" matrix_appservice_irc_systemd_required_services_list: | {{ @@ -242,7 +242,7 @@ matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" +matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. @@ -325,7 +325,7 @@ matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_ke matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" +matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. @@ -1211,7 +1211,7 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" -matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}" +matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presence }}" matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" @@ -1527,7 +1527,7 @@ matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registrati matrix_client_element_enable_presence_by_hs_url: | {{ none - if matrix_synapse_presence_enabled + if matrix_synapse_use_presence else {matrix_client_element_default_hs_url: false} }} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 63db510a..f441ac40 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.32.0 -matrix_synapse_version_arm64: v1.32.0 +matrix_synapse_version: v1.31.0 +matrix_synapse_version_arm64: v1.31.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -170,7 +170,7 @@ matrix_synapse_report_stats: false # Controls whether the Matrix server will track presence status (online, offline, unavailable) for users. # If users participate in large rooms with many other servers, # disabling this will decrease server load significantly. -matrix_synapse_presence_enabled: true +matrix_synapse_use_presence: true # Controls whether accessing the server's public rooms directory can be done without authentication. # For private servers, you most likely wish to require authentication, diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index 6dcb50ce..f7631111 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -47,7 +47,6 @@ - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': ''} - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'} - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': ''} - - {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'} - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml fail: diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index e951067a..ace2dd45 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -58,28 +58,9 @@ public_baseurl: https://{{ matrix_server_fqn_matrix }}/ # #soft_file_limit: 0 -# Presence tracking allows users to see the state (e.g online/offline) -# of other local and remote users. +# Set to false to disable presence tracking on this homeserver. # -presence: - # Uncomment to disable presence tracking on this homeserver. This option - # replaces the previous top-level 'use_presence' option. - # - enabled: {{ matrix_synapse_presence_enabled|to_json }} - - # Presence routers are third-party modules that can specify additional logic - # to where presence updates from users are routed. - # - presence_router: - # The custom module's class. Uncomment to use a custom presence router module. - # - #module: "my_custom_router.PresenceRouter" - - # Configuration options of the custom module. Refer to your module's - # documentation for available options. - # - #config: - # example_option: 'something' +use_presence: {{ matrix_synapse_use_presence|to_json }} # Whether to require authentication to retrieve profile data (avatars, # display names) of other users through the client API. Defaults to @@ -1271,9 +1252,9 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json # #allowed_local_3pids: # - medium: email -# pattern: '^[^@]+@matrix\.org$' +# pattern: '.*@matrix\.org' # - medium: email -# pattern: '^[^@]+@vector\.im$' +# pattern: '.*@vector\.im' # - medium: msisdn # pattern: '\+44' {% if matrix_synapse_allowed_local_3pids|length > 0 %} @@ -1486,31 +1467,14 @@ report_stats: {{ matrix_synapse_report_stats|to_json }} ## API Configuration ## -# Controls for the state that is shared with users who receive an invite -# to a room +# A list of event types that will be included in the room_invite_state # -room_prejoin_state: - # By default, the following state event types are shared with users who - # receive invites to the room: - # - # - m.room.join_rules - # - m.room.canonical_alias - # - m.room.avatar - # - m.room.encryption - # - m.room.name - # - # Uncomment the following to disable these defaults (so that only the event - # types listed in 'additional_event_types' are shared). Defaults to 'false'. - # - #disable_default_event_types: true - - # Additional state event types to share with users when they are invited - # to a room. - # - # By default, this list is empty (so only the default event types are shared). - # - #additional_event_types: - # - org.example.custom.event.type +#room_invite_state_types: +# - "m.room.join_rules" +# - "m.room.canonical_alias" +# - "m.room.avatar" +# - "m.room.encryption" +# - "m.room.name" # A list of application service config files to use From e00ef04b573173a28d835607bcf21078f7d304d4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 21 Apr 2021 13:57:38 +0300 Subject: [PATCH 2125/2384] Add opt-out-of-FLoC headers by default --- roles/matrix-nginx-proxy/defaults/main.yml | 10 ++++++++++ .../templates/nginx/conf.d/matrix-base-domain.conf.j2 | 5 +++++ .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 2 ++ .../nginx/conf.d/matrix-client-element.conf.j2 | 5 +++++ .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 5 +++++ .../templates/nginx/conf.d/matrix-domain.conf.j2 | 4 ++++ .../templates/nginx/conf.d/matrix-grafana.conf.j2 | 6 ++++++ .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 5 +++++ .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 4 ++++ .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 2 ++ 10 files changed, 48 insertions(+) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index b814f7c9..26480bfb 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -239,6 +239,16 @@ matrix_nginx_proxy_proxy_event_additional_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf). matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users. +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +matrix_nginx_proxy_floc_optout_enabled: true + # A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf). matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 227747a5..a2d59e86 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -5,6 +5,11 @@ gzip on; gzip_types text/plain application/json; + + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 3c3231f4..91cd9e41 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -3,8 +3,10 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; + {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index f56d7fd5..f3a537da 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -3,9 +3,14 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 038d3557..db93be48 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -3,8 +3,13 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 1d2470a9..703c490e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -17,6 +17,10 @@ gzip on; gzip_types text/plain application/json; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + location /.well-known/matrix { root {{ matrix_static_files_base_path }}; {# diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index cd86f090..c1978563 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -3,13 +3,19 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # duplicate X-Content-Type-Options & X-Frame-Options header # Enabled by grafana by default # add_header X-Content-Type-Options nosniff; # add_header X-Frame-Options SAMEORIGIN; add_header Referrer-Policy "strict-origin-when-cross-origin"; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + proxy_cookie_path / "/; HTTPOnly; Secure"; + {% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index a20d8a73..42d8451d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -3,8 +3,13 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index a70dcea3..a69424f4 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -1,6 +1,10 @@ #jinja2: lstrip_blocks: "True" {% macro render_vhost_directives() %} + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index e4712657..ac0253d5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -3,9 +3,11 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; + {% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} From d691cc09209bc54eb21f88f620f13e95225c2b21 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 21 Apr 2021 13:59:20 +0300 Subject: [PATCH 2126/2384] Move variable definition a bit --- roles/matrix-nginx-proxy/defaults/main.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 26480bfb..fdb76a32 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -239,16 +239,6 @@ matrix_nginx_proxy_proxy_event_additional_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf). matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] -# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users. -# -# Learn more about what it is here: -# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea -# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network -# - https://amifloced.org/ -# -# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. -matrix_nginx_proxy_floc_optout_enabled: true - # A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf). matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] @@ -279,6 +269,16 @@ matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf). matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users. +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +matrix_nginx_proxy_floc_optout_enabled: true + # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # From c95ca4badcd53a9232dbf88fce8ca1c633feb3b8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 21 Apr 2021 14:48:54 +0300 Subject: [PATCH 2127/2384] Do not ask everyone to whitelist Jitsi ports It's an optional service, so we shouldn't bother most people with it. --- docs/configuring-playbook-jitsi.md | 2 +- docs/prerequisites.md | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f72241e1..81ceb9fb 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -13,8 +13,8 @@ Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record. You may also need to open the following ports to your server: -- `10000/udp` - RTP media over UDP - `4443/tcp` - RTP media fallback over TCP +- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)). ## Installation diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 8b7e9d00..39b42ef1 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -34,7 +34,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - `5349/udp`: TURN over UDP (used by Coturn) - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port. - the range `49152-49172/udp`: TURN over UDP - - `4443/tcp`: Jitsi Harvester fallback - - `10000/udp`: Jitsi video RTP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)). + - potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that. When ready to proceed, continue with [Configuring DNS](configuring-dns.md). From 1fb54a37cba126235b1688bb5e96226a65b4fe80 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 21 Apr 2021 18:47:15 +0300 Subject: [PATCH 2128/2384] Upgrade Synapse (1.31 -> 1.32.1) Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1010 --- docs/faq.md | 2 +- docs/maintenance-synapse.md | 2 +- group_vars/matrix_servers | 12 ++-- roles/matrix-synapse/defaults/main.yml | 6 +- .../matrix-synapse/tasks/validate_config.yml | 1 + .../templates/synapse/homeserver.yaml.j2 | 58 +++++++++++++++---- 6 files changed, 59 insertions(+), 22 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index 84089b5e..6c9eedc2 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -297,7 +297,7 @@ matrix_coturn_enabled: false # hundreds of servers inside is insanely heavy (https://github.com/matrix-org/synapse/issues/3971). # # If your server does not federate with hundreds of others, enabling this doesn't hurt much. -matrix_synapse_use_presence: false +matrix_synapse_presence_enabled: false ``` You can also consider implementing a restriction on room complexity, in order to prevent users from joining very heavy rooms: diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index 7b7514a5..d6c4789d 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -74,7 +74,7 @@ You should then be able to browse the adminer database administration GUI at htt ## Make Synapse faster -Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_use_presence: false` to your `vars.yml` file. +Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_presence_enabled: false` to your `vars.yml` file. Tuning Synapse's cache factor can help reduce RAM usage. [See the upstream documentation](https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu) for more information on what value to set the cache factor to. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1f9d5926..9fec86e9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -64,7 +64,7 @@ matrix_appservice_discord_enabled: false matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}" # If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side. -matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}" +matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}" matrix_appservice_discord_systemd_required_services_list: | {{ @@ -188,7 +188,7 @@ matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_prox # The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable # IRC bridge presence, for performance reasons. -matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_use_presence }}" +matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_presence_enabled }}" matrix_appservice_irc_systemd_required_services_list: | {{ @@ -242,7 +242,7 @@ matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" +matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. @@ -325,7 +325,7 @@ matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_ke matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" +matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. @@ -1211,7 +1211,7 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" -matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presence }}" +matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}" matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" @@ -1527,7 +1527,7 @@ matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registrati matrix_client_element_enable_presence_by_hs_url: | {{ none - if matrix_synapse_use_presence + if matrix_synapse_presence_enabled else {matrix_client_element_default_hs_url: false} }} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f441ac40..d410935f 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.31.0 -matrix_synapse_version_arm64: v1.31.0 +matrix_synapse_version: v1.32.1 +matrix_synapse_version_arm64: v1.32.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -170,7 +170,7 @@ matrix_synapse_report_stats: false # Controls whether the Matrix server will track presence status (online, offline, unavailable) for users. # If users participate in large rooms with many other servers, # disabling this will decrease server load significantly. -matrix_synapse_use_presence: true +matrix_synapse_presence_enabled: true # Controls whether accessing the server's public rooms directory can be done without authentication. # For private servers, you most likely wish to require authentication, diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index f7631111..6dcb50ce 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -47,6 +47,7 @@ - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': ''} - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'} - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': ''} + - {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'} - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml fail: diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index ace2dd45..e951067a 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -58,9 +58,28 @@ public_baseurl: https://{{ matrix_server_fqn_matrix }}/ # #soft_file_limit: 0 -# Set to false to disable presence tracking on this homeserver. +# Presence tracking allows users to see the state (e.g online/offline) +# of other local and remote users. # -use_presence: {{ matrix_synapse_use_presence|to_json }} +presence: + # Uncomment to disable presence tracking on this homeserver. This option + # replaces the previous top-level 'use_presence' option. + # + enabled: {{ matrix_synapse_presence_enabled|to_json }} + + # Presence routers are third-party modules that can specify additional logic + # to where presence updates from users are routed. + # + presence_router: + # The custom module's class. Uncomment to use a custom presence router module. + # + #module: "my_custom_router.PresenceRouter" + + # Configuration options of the custom module. Refer to your module's + # documentation for available options. + # + #config: + # example_option: 'something' # Whether to require authentication to retrieve profile data (avatars, # display names) of other users through the client API. Defaults to @@ -1252,9 +1271,9 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json # #allowed_local_3pids: # - medium: email -# pattern: '.*@matrix\.org' +# pattern: '^[^@]+@matrix\.org$' # - medium: email -# pattern: '.*@vector\.im' +# pattern: '^[^@]+@vector\.im$' # - medium: msisdn # pattern: '\+44' {% if matrix_synapse_allowed_local_3pids|length > 0 %} @@ -1467,14 +1486,31 @@ report_stats: {{ matrix_synapse_report_stats|to_json }} ## API Configuration ## -# A list of event types that will be included in the room_invite_state +# Controls for the state that is shared with users who receive an invite +# to a room # -#room_invite_state_types: -# - "m.room.join_rules" -# - "m.room.canonical_alias" -# - "m.room.avatar" -# - "m.room.encryption" -# - "m.room.name" +room_prejoin_state: + # By default, the following state event types are shared with users who + # receive invites to the room: + # + # - m.room.join_rules + # - m.room.canonical_alias + # - m.room.avatar + # - m.room.encryption + # - m.room.name + # + # Uncomment the following to disable these defaults (so that only the event + # types listed in 'additional_event_types' are shared). Defaults to 'false'. + # + #disable_default_event_types: true + + # Additional state event types to share with users when they are invited + # to a room. + # + # By default, this list is empty (so only the default event types are shared). + # + #additional_event_types: + # - org.example.custom.event.type # A list of application service config files to use From 378fabf1776b24d1361e4642bda409c76dc5d890 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 21 Apr 2021 23:36:58 +0300 Subject: [PATCH 2129/2384] Revert "Upgrade Synapse (1.31 -> 1.32.1)" This reverts commit 1fb54a37cba126235b1688bb5e96226a65b4fe80. Seems like it's been pulled or something. It used to exist, but not anymore. Not sure what's going on. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1017 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1010 --- docs/faq.md | 2 +- docs/maintenance-synapse.md | 2 +- group_vars/matrix_servers | 12 ++-- roles/matrix-synapse/defaults/main.yml | 6 +- .../matrix-synapse/tasks/validate_config.yml | 1 - .../templates/synapse/homeserver.yaml.j2 | 58 ++++--------------- 6 files changed, 22 insertions(+), 59 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index 6c9eedc2..84089b5e 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -297,7 +297,7 @@ matrix_coturn_enabled: false # hundreds of servers inside is insanely heavy (https://github.com/matrix-org/synapse/issues/3971). # # If your server does not federate with hundreds of others, enabling this doesn't hurt much. -matrix_synapse_presence_enabled: false +matrix_synapse_use_presence: false ``` You can also consider implementing a restriction on room complexity, in order to prevent users from joining very heavy rooms: diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index d6c4789d..7b7514a5 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -74,7 +74,7 @@ You should then be able to browse the adminer database administration GUI at htt ## Make Synapse faster -Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_presence_enabled: false` to your `vars.yml` file. +Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_use_presence: false` to your `vars.yml` file. Tuning Synapse's cache factor can help reduce RAM usage. [See the upstream documentation](https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu) for more information on what value to set the cache factor to. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9fec86e9..1f9d5926 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -64,7 +64,7 @@ matrix_appservice_discord_enabled: false matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}" # If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side. -matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}" +matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}" matrix_appservice_discord_systemd_required_services_list: | {{ @@ -188,7 +188,7 @@ matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_prox # The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable # IRC bridge presence, for performance reasons. -matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_presence_enabled }}" +matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_use_presence }}" matrix_appservice_irc_systemd_required_services_list: | {{ @@ -242,7 +242,7 @@ matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" +matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. @@ -325,7 +325,7 @@ matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_ke matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" +matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. @@ -1211,7 +1211,7 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" -matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}" +matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presence }}" matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" @@ -1527,7 +1527,7 @@ matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registrati matrix_client_element_enable_presence_by_hs_url: | {{ none - if matrix_synapse_presence_enabled + if matrix_synapse_use_presence else {matrix_client_element_default_hs_url: false} }} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d410935f..f441ac40 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.32.1 -matrix_synapse_version_arm64: v1.32.1 +matrix_synapse_version: v1.31.0 +matrix_synapse_version_arm64: v1.31.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -170,7 +170,7 @@ matrix_synapse_report_stats: false # Controls whether the Matrix server will track presence status (online, offline, unavailable) for users. # If users participate in large rooms with many other servers, # disabling this will decrease server load significantly. -matrix_synapse_presence_enabled: true +matrix_synapse_use_presence: true # Controls whether accessing the server's public rooms directory can be done without authentication. # For private servers, you most likely wish to require authentication, diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index 6dcb50ce..f7631111 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -47,7 +47,6 @@ - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': ''} - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'} - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': ''} - - {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'} - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml fail: diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index e951067a..ace2dd45 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -58,28 +58,9 @@ public_baseurl: https://{{ matrix_server_fqn_matrix }}/ # #soft_file_limit: 0 -# Presence tracking allows users to see the state (e.g online/offline) -# of other local and remote users. +# Set to false to disable presence tracking on this homeserver. # -presence: - # Uncomment to disable presence tracking on this homeserver. This option - # replaces the previous top-level 'use_presence' option. - # - enabled: {{ matrix_synapse_presence_enabled|to_json }} - - # Presence routers are third-party modules that can specify additional logic - # to where presence updates from users are routed. - # - presence_router: - # The custom module's class. Uncomment to use a custom presence router module. - # - #module: "my_custom_router.PresenceRouter" - - # Configuration options of the custom module. Refer to your module's - # documentation for available options. - # - #config: - # example_option: 'something' +use_presence: {{ matrix_synapse_use_presence|to_json }} # Whether to require authentication to retrieve profile data (avatars, # display names) of other users through the client API. Defaults to @@ -1271,9 +1252,9 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json # #allowed_local_3pids: # - medium: email -# pattern: '^[^@]+@matrix\.org$' +# pattern: '.*@matrix\.org' # - medium: email -# pattern: '^[^@]+@vector\.im$' +# pattern: '.*@vector\.im' # - medium: msisdn # pattern: '\+44' {% if matrix_synapse_allowed_local_3pids|length > 0 %} @@ -1486,31 +1467,14 @@ report_stats: {{ matrix_synapse_report_stats|to_json }} ## API Configuration ## -# Controls for the state that is shared with users who receive an invite -# to a room +# A list of event types that will be included in the room_invite_state # -room_prejoin_state: - # By default, the following state event types are shared with users who - # receive invites to the room: - # - # - m.room.join_rules - # - m.room.canonical_alias - # - m.room.avatar - # - m.room.encryption - # - m.room.name - # - # Uncomment the following to disable these defaults (so that only the event - # types listed in 'additional_event_types' are shared). Defaults to 'false'. - # - #disable_default_event_types: true - - # Additional state event types to share with users when they are invited - # to a room. - # - # By default, this list is empty (so only the default event types are shared). - # - #additional_event_types: - # - org.example.custom.event.type +#room_invite_state_types: +# - "m.room.join_rules" +# - "m.room.canonical_alias" +# - "m.room.avatar" +# - "m.room.encryption" +# - "m.room.name" # A list of application service config files to use From 50d7209c5be829743655fdea0f773cd3dd04b04e Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Thu, 22 Apr 2021 11:45:59 +0800 Subject: [PATCH 2130/2384] GMH v04.3 --- CHANGELOG.md | 14 +++++++++ ...guring-playbook-bridge-mautrix-facebook.md | 29 +++++++++++++++---- docs/configuring-playbook-jitsi.md | 2 +- docs/container-images.md | 2 +- docs/prerequisites.md | 3 +- group_vars/matrix_servers | 6 +--- .../surveys/configure_synapse.json.j2 | 4 +-- roles/matrix-awx/tasks/main.yml | 9 ++++++ roles/matrix-awx/tasks/rename_variables.yml | 8 +++++ .../tasks/set_variables_synapse.yml | 2 +- roles/matrix-coturn/defaults/main.yml | 7 +++-- .../systemd/matrix-coturn.service.j2 | 1 + .../templates/turnserver.conf.j2 | 6 ++++ roles/matrix-grafana/defaults/main.yml | 8 ++++- roles/matrix-grafana/templates/grafana.ini.j2 | 3 ++ roles/matrix-nginx-proxy/defaults/main.yml | 10 +++++++ .../nginx/conf.d/matrix-base-domain.conf.j2 | 5 ++++ .../nginx/conf.d/matrix-bot-go-neb.conf.j2 | 2 ++ .../conf.d/matrix-client-element.conf.j2 | 5 ++++ .../nginx/conf.d/matrix-dimension.conf.j2 | 5 ++++ .../nginx/conf.d/matrix-domain.conf.j2 | 4 +++ .../nginx/conf.d/matrix-grafana.conf.j2 | 16 ++++++++-- .../nginx/conf.d/matrix-jitsi.conf.j2 | 5 ++++ .../nginx/conf.d/matrix-riot-web.conf.j2 | 4 +++ .../nginx/conf.d/matrix-sygnal.conf.j2 | 2 ++ .../templates/nginx/nginx.conf.j2 | 2 ++ .../defaults/main.yml | 16 ++++++++-- ...matrix-prometheus-node-exporter.service.j2 | 8 ++--- roles/matrix-prometheus/defaults/main.yml | 3 +- .../matrix-prometheus/tasks/setup_install.yml | 16 ---------- roles/matrix-synapse-admin/defaults/main.yml | 2 +- 31 files changed, 161 insertions(+), 48 deletions(-) create mode 100644 roles/matrix-awx/tasks/rename_variables.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 326c2103..37988c94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,17 @@ +# 2021-04-16 + +## Disabling TLSv1 and TLSv1.1 for Coturn + +To improve security, we've [removed TLSv1 and TLSv1.1 support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/999) from our default [Coturn](https://github.com/coturn/coturn) configuration. + +If you need to support old clients, you can re-enable both (or whichever one you need) with the following configuration: + +```yaml +matrix_coturn_tls_v1_enabled: true +matrix_coturn_tls_v1_1_enabled: true +``` + + # 2021-04-05 ## Automated local Postgres backup support diff --git a/docs/configuring-playbook-bridge-mautrix-facebook.md b/docs/configuring-playbook-bridge-mautrix-facebook.md index a228f7cb..d07873ae 100644 --- a/docs/configuring-playbook-bridge-mautrix-facebook.md +++ b/docs/configuring-playbook-bridge-mautrix-facebook.md @@ -2,16 +2,37 @@ The playbook can install and configure [mautrix-facebook](https://github.com/tulir/mautrix-facebook) for you. -See the project's [documentation](https://github.com/tulir/mautrix-facebook/wiki#usage) to learn what it does and why it might be useful to you. +See the project's [documentation](https://github.com/tulir/mautrix-facebook/blob/master/ROADMAP.md) to learn what it does and why it might be useful to you. ```yaml matrix_mautrix_facebook_enabled: true ``` +There are some additional things you may wish to configure about the bridge before you continue. + +Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file: +```yaml +matrix_mautrix_facebook_configuration_extension_yaml: | + bridge: + encryption: + allow: true + default: true +``` + +If you would like to be able to administrate the bridge from your account it can be configured like this: +```yaml +matrix_mautrix_facebook_configuration_extension_yaml: | + bridge: + permissions: + '@YOUR_USERNAME:YOUR_DOMAIN': admin +``` + +You may wish to look at `roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2` to find other things you would like to configure. + ## Set up Double Puppeting -If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-facebook/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it. +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. ### Method 1: automatically, by enabling Shared Secret Auth @@ -42,9 +63,7 @@ https://matrix.DOMAIN/_matrix/client/r0/login You then need to start a chat with `@facebookbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). -Send `login YOUR_FACEBOOK_EMAIL_ADDRESS YOUR_FACEBOOK_PASSWORD` to the bridge bot to enable bridging for your Facebook/Messenger account. - -You can learn more here about authentication from the bridge's [official documentation on Authentication](https://github.com/tulir/mautrix-facebook/wiki/Authentication). +Send `login YOUR_FACEBOOK_EMAIL_ADDRESS` to the bridge bot to enable bridging for your Facebook Messenger account. You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/facebook/authentication.html). If you run into trouble, check the [Troubleshooting](#troubleshooting) section below. diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f72241e1..81ceb9fb 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -13,8 +13,8 @@ Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record. You may also need to open the following ports to your server: -- `10000/udp` - RTP media over UDP - `4443/tcp` - RTP media fallback over TCP +- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)). ## Installation diff --git a/docs/container-images.md b/docs/container-images.md index 7cc7c2f6..f2914488 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -11,7 +11,7 @@ These services are enabled and used by default, but you can turn them off, if yo - [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Synapse](https://github.com/matrix-org/synapse) Matrix homeserver (optional) -- [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) +- [coturn/coturn](https://hub.docker.com/r/coturn/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) - [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 8b7e9d00..39b42ef1 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -34,7 +34,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - `5349/udp`: TURN over UDP (used by Coturn) - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port. - the range `49152-49172/udp`: TURN over UDP - - `4443/tcp`: Jitsi Harvester fallback - - `10000/udp`: Jitsi video RTP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)). + - potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that. When ready to proceed, continue with [Configuring DNS](configuring-dns.md). diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index fb007d92..1f9d5926 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1675,11 +1675,6 @@ matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }} matrix_prometheus_node_exporter_enabled: false -# Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus Node Exporter over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# Prometheus' HTTP port to the local host. -matrix_prometheus_node_exporter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9200' }}" - ###################################################################### # # /matrix-prometheus-node-exporter @@ -1706,6 +1701,7 @@ matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_me matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}" matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}" +matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}" ###################################################################### # diff --git a/roles/matrix-awx/surveys/configure_synapse.json.j2 b/roles/matrix-awx/surveys/configure_synapse.json.j2 index e3fca6a2..f8d725da 100755 --- a/roles/matrix-awx/surveys/configure_synapse.json.j2 +++ b/roles/matrix-awx/surveys/configure_synapse.json.j2 @@ -56,10 +56,10 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_synapse_use_presence | string | lower }}", + "default": "{{ matrix_synapse_presence_enabled | string | lower }}", "choices": "true\nfalse", "new_question": true, - "variable": "matrix_synapse_use_presence", + "variable": "matrix_synapse_presence_enabled", "type": "multiplechoice" }, { diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index 68d8153b..58546d5b 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -8,6 +8,15 @@ tags: - always +# Renames the variables if needed +- include_tasks: + file: "rename_variables.yml" + apply: + tags: always + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - always + # Perform a backup of the server - include_tasks: file: "backup_server.yml" diff --git a/roles/matrix-awx/tasks/rename_variables.yml b/roles/matrix-awx/tasks/rename_variables.yml new file mode 100644 index 00000000..e8992bd8 --- /dev/null +++ b/roles/matrix-awx/tasks/rename_variables.yml @@ -0,0 +1,8 @@ + +- name: Rename synapse presence variable + delegate_to: 127.0.0.1 + replace: + path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml" + regexp: 'matrix_synapse_use_presence' + replace: 'matrix_synapse_presence_enabled' + diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index e481d399..e1a7312c 100755 --- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -21,7 +21,7 @@ 'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}' 'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}' 'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}' - 'matrix_synapse_use_presence': '{{ matrix_synapse_use_presence }}' + 'matrix_synapse_presence_enabled': '{{ matrix_synapse_presence_enabled }}' 'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}' 'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}' 'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}' diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 9eccfde2..de5b7b91 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -1,10 +1,10 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false -matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git" +matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn/tree/master/docker/coturn/alpine.git" matrix_coturn_version: 4.5.2 -matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}" +matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" @@ -73,3 +73,6 @@ matrix_coturn_total_quota: null matrix_coturn_tls_enabled: false matrix_coturn_tls_cert_path: ~ matrix_coturn_tls_key_path: ~ + +matrix_coturn_tls_v1_enabled: false +matrix_coturn_tls_v1_1_enabled: false diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 930db7c1..a39030af 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -17,6 +17,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --cap-add=NET_BIND_SERVICE \ --entrypoint=turnserver \ --read-only \ --tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \ diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index 3fcf0b67..ba662587 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -16,6 +16,12 @@ no-cli {% if matrix_coturn_tls_enabled %} cert={{ matrix_coturn_tls_cert_path }} pkey={{ matrix_coturn_tls_key_path }} +{% if not matrix_coturn_tls_v1_enabled %} +no-tlsv1 +{% endif %} +{% if not matrix_coturn_tls_v1_1_enabled %} +no-tlsv1_1 +{% endif %} {% else %} no-tls no-dtls diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index f358608b..958d8ed2 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 7.5.2 +matrix_grafana_version: 7.5.4 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" @@ -31,6 +31,12 @@ matrix_grafana_anonymous_access_org_name: 'Main Org.' matrix_grafana_default_admin_user: admin matrix_grafana_default_admin_password: admin +# Set to true to add the Content-Security-Policy header to your requests. +# CSP allows to control resources that the user agent can load and helps +# prevent XSS attacks. +# [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy) +matrix_grafana_content_security_policy: true + # A list of extra arguments to pass to the container matrix_grafana_container_extra_arguments: [] diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index c7fe1d91..38534bc3 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -5,6 +5,9 @@ admin_user = "{{ matrix_grafana_default_admin_user }}" # default admin password, can be changed before first start of grafana, or in profile settings admin_password = """{{ matrix_grafana_default_admin_password }}""" +# specify content_security_policy to add the Content-Security-Policy header to your requests +content_security_policy = "{{ matrix_grafana_content_security_policy }}" + [auth.anonymous] # enable anonymous access enabled = {{ matrix_grafana_anonymous_access }} diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index b814f7c9..fdb76a32 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -269,6 +269,16 @@ matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf). matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users. +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +matrix_nginx_proxy_floc_optout_enabled: true + # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 227747a5..a2d59e86 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -5,6 +5,11 @@ gzip on; gzip_types text/plain application/json; + + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 3c3231f4..91cd9e41 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -3,8 +3,10 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; + {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index f56d7fd5..f3a537da 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -3,9 +3,14 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 038d3557..db93be48 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -3,8 +3,13 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 1d2470a9..703c490e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -17,6 +17,10 @@ gzip on; gzip_types text/plain application/json; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + location /.well-known/matrix { root {{ matrix_static_files_base_path }}; {# diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index 0e1f1c2d..c1978563 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -3,9 +3,19 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options SAMEORIGIN; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + # duplicate X-Content-Type-Options & X-Frame-Options header + # Enabled by grafana by default + # add_header X-Content-Type-Options nosniff; + # add_header X-Frame-Options SAMEORIGIN; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + proxy_cookie_path / "/; HTTPOnly; Secure"; + {% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index a20d8a73..42d8451d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -3,8 +3,13 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index a70dcea3..a69424f4 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -1,6 +1,10 @@ #jinja2: lstrip_blocks: "True" {% macro render_vhost_directives() %} + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index e4712657..ac0253d5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -3,9 +3,11 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; + {% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index dae83ab9..9ec7fa56 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -48,6 +48,8 @@ http { keepalive_timeout 65; + server_tokens off; + #gzip on; {# Map directive needed for proxied WebSocket upgrades #} map $http_upgrade $connection_upgrade { diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index e4bf7cf7..492d48b1 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_node_exporter_enabled: false -matrix_prometheus_node_exporter_version: v1.1.0 +matrix_prometheus_node_exporter_version: v1.1.2 matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" @@ -18,5 +18,17 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: [] # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). # -# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# +# Official recommendations are to run this container with `--net=host`, +# but we don't do that, since it: +# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) +# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`) +# +# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, +# but that's trickier to accomplish and won't necessarily work (hasn't been tested). +# +# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), +# because node-exporter can't see all interfaces, etc. +# For now, we'll live with that, until someone develops a better solution. matrix_prometheus_node_exporter_container_http_host_bind_port: '' diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 93638c19..210a0d97 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -22,13 +22,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} - -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ - {% endif %} {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} {{ arg }} \ {% endfor %} - --net=host \ + --network={{ matrix_docker_network }} \ + {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ + {% endif %} --pid=host \ --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ {{ matrix_prometheus_node_exporter_docker_image }} \ diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 3c4acc85..1c9bc144 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.24.1 +matrix_prometheus_version: v2.26.0 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" @@ -64,4 +64,3 @@ matrix_prometheus_configuration_extension: "{{ matrix_prometheus_configuration_e # Holds the final configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_prometheus_configuration_yaml`. matrix_prometheus_configuration: "{{ matrix_prometheus_configuration_yaml|from_yaml|combine(matrix_prometheus_configuration_extension, recursive=True) }}" - diff --git a/roles/matrix-prometheus/tasks/setup_install.yml b/roles/matrix-prometheus/tasks/setup_install.yml index 8aee5178..15a69279 100644 --- a/roles/matrix-prometheus/tasks/setup_install.yml +++ b/roles/matrix-prometheus/tasks/setup_install.yml @@ -19,22 +19,6 @@ - "{{ matrix_prometheus_config_path }}" - "{{ matrix_prometheus_data_path }}" -- block: - # Well, this actually creates the network if it doesn't exist, but.. - # The network should have been created by `matrix-base` already. - # We don't rely on that other call and its result, because it runs - # on `--tags=setup-all`, but will get skipped during `--tags=setup-prometheus`. - - name: Fetch Matrix Docker network details - docker_network: - name: "{{ matrix_docker_network }}" - driver: bridge - register: matrix_docker_network_info - - - set_fact: - matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100"] - when: "matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0" - - - name: Download synapse-v2.rules get_url: url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}" diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index c7f128e3..402b8a1d 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.7.0 +matrix_synapse_admin_version: 0.7.2 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From e3fa3e12bc263d3bc39948e654c439a9f97e9e88 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 22 Apr 2021 14:22:07 +0300 Subject: [PATCH 2131/2384] Upgrade Synapse (1.31 -> 1.32.2) --- docs/faq.md | 2 +- docs/maintenance-synapse.md | 2 +- group_vars/matrix_servers | 12 ++-- roles/matrix-synapse/defaults/main.yml | 6 +- .../matrix-synapse/tasks/validate_config.yml | 1 + .../templates/synapse/homeserver.yaml.j2 | 58 +++++++++++++++---- 6 files changed, 59 insertions(+), 22 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index 84089b5e..6c9eedc2 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -297,7 +297,7 @@ matrix_coturn_enabled: false # hundreds of servers inside is insanely heavy (https://github.com/matrix-org/synapse/issues/3971). # # If your server does not federate with hundreds of others, enabling this doesn't hurt much. -matrix_synapse_use_presence: false +matrix_synapse_presence_enabled: false ``` You can also consider implementing a restriction on room complexity, in order to prevent users from joining very heavy rooms: diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index 7b7514a5..d6c4789d 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -74,7 +74,7 @@ You should then be able to browse the adminer database administration GUI at htt ## Make Synapse faster -Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_use_presence: false` to your `vars.yml` file. +Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_presence_enabled: false` to your `vars.yml` file. Tuning Synapse's cache factor can help reduce RAM usage. [See the upstream documentation](https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu) for more information on what value to set the cache factor to. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1f9d5926..9fec86e9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -64,7 +64,7 @@ matrix_appservice_discord_enabled: false matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}" # If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side. -matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}" +matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}" matrix_appservice_discord_systemd_required_services_list: | {{ @@ -188,7 +188,7 @@ matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_prox # The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable # IRC bridge presence, for performance reasons. -matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_use_presence }}" +matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_presence_enabled }}" matrix_appservice_irc_systemd_required_services_list: | {{ @@ -242,7 +242,7 @@ matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" +matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. @@ -325,7 +325,7 @@ matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_ke matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" +matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}" # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain # and point them to a migration path. @@ -1211,7 +1211,7 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" -matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presence }}" +matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}" matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" @@ -1527,7 +1527,7 @@ matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registrati matrix_client_element_enable_presence_by_hs_url: | {{ none - if matrix_synapse_use_presence + if matrix_synapse_presence_enabled else {matrix_client_element_default_hs_url: false} }} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f441ac40..d11a6735 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.31.0 -matrix_synapse_version_arm64: v1.31.0 +matrix_synapse_version: v1.32.2 +matrix_synapse_version_arm64: v1.32.2 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -170,7 +170,7 @@ matrix_synapse_report_stats: false # Controls whether the Matrix server will track presence status (online, offline, unavailable) for users. # If users participate in large rooms with many other servers, # disabling this will decrease server load significantly. -matrix_synapse_use_presence: true +matrix_synapse_presence_enabled: true # Controls whether accessing the server's public rooms directory can be done without authentication. # For private servers, you most likely wish to require authentication, diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index f7631111..6dcb50ce 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -47,6 +47,7 @@ - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': ''} - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'} - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': ''} + - {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'} - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml fail: diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index ace2dd45..e951067a 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -58,9 +58,28 @@ public_baseurl: https://{{ matrix_server_fqn_matrix }}/ # #soft_file_limit: 0 -# Set to false to disable presence tracking on this homeserver. +# Presence tracking allows users to see the state (e.g online/offline) +# of other local and remote users. # -use_presence: {{ matrix_synapse_use_presence|to_json }} +presence: + # Uncomment to disable presence tracking on this homeserver. This option + # replaces the previous top-level 'use_presence' option. + # + enabled: {{ matrix_synapse_presence_enabled|to_json }} + + # Presence routers are third-party modules that can specify additional logic + # to where presence updates from users are routed. + # + presence_router: + # The custom module's class. Uncomment to use a custom presence router module. + # + #module: "my_custom_router.PresenceRouter" + + # Configuration options of the custom module. Refer to your module's + # documentation for available options. + # + #config: + # example_option: 'something' # Whether to require authentication to retrieve profile data (avatars, # display names) of other users through the client API. Defaults to @@ -1252,9 +1271,9 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json # #allowed_local_3pids: # - medium: email -# pattern: '.*@matrix\.org' +# pattern: '^[^@]+@matrix\.org$' # - medium: email -# pattern: '.*@vector\.im' +# pattern: '^[^@]+@vector\.im$' # - medium: msisdn # pattern: '\+44' {% if matrix_synapse_allowed_local_3pids|length > 0 %} @@ -1467,14 +1486,31 @@ report_stats: {{ matrix_synapse_report_stats|to_json }} ## API Configuration ## -# A list of event types that will be included in the room_invite_state +# Controls for the state that is shared with users who receive an invite +# to a room # -#room_invite_state_types: -# - "m.room.join_rules" -# - "m.room.canonical_alias" -# - "m.room.avatar" -# - "m.room.encryption" -# - "m.room.name" +room_prejoin_state: + # By default, the following state event types are shared with users who + # receive invites to the room: + # + # - m.room.join_rules + # - m.room.canonical_alias + # - m.room.avatar + # - m.room.encryption + # - m.room.name + # + # Uncomment the following to disable these defaults (so that only the event + # types listed in 'additional_event_types' are shared). Defaults to 'false'. + # + #disable_default_event_types: true + + # Additional state event types to share with users when they are invited + # to a room. + # + # By default, this list is empty (so only the default event types are shared). + # + #additional_event_types: + # - org.example.custom.event.type # A list of application service config files to use From 62c0587b6aaed84c43a0277c7e4303aa6108edfc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 22 Apr 2021 15:05:27 +0300 Subject: [PATCH 2132/2384] Use Alpine-based Coturn --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index de5b7b91..ea4786d8 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -4,7 +4,7 @@ matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn/tree/master/docker/coturn/alpine.git" matrix_coturn_version: 4.5.2 -matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}" +matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From f6b371164c630612084b58663b9fae5fef768967 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 23 Apr 2021 07:07:18 +0300 Subject: [PATCH 2133/2384] Remove useless variable --- roles/matrix-synapse/vars/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-synapse/vars/main.yml b/roles/matrix-synapse/vars/main.yml index 9c6d8ce4..5839aa81 100644 --- a/roles/matrix-synapse/vars/main.yml +++ b/roles/matrix-synapse/vars/main.yml @@ -6,7 +6,6 @@ matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn # Tells whether this role had executed or not. Toggled to `true` during runtime. matrix_synapse_role_executed: false -matrix_synapse_media_store_parent_path: "{{ matrix_synapse_media_store_path|dirname }}" matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}" # A Synapse generic worker can handle both federation and client-server API endpoints. From 7cf2f352aaec3bb08991ae9221f5ba14ce81c87e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 23 Apr 2021 07:17:04 +0300 Subject: [PATCH 2134/2384] Add not about incompatibility between Synapse and Synapse Admin Related to https://github.com/Awesome-Technologies/synapse-admin/issues/132 --- docs/configuring-playbook-synapse-admin.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index 68d70305..5b9519e2 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md @@ -6,6 +6,8 @@ It's a web UI tool you can use to **administrate users and rooms on your Matrix See the project's [documentation](https://github.com/Awesome-Technologies/synapse-admin) to learn what it does and why it might be useful to you. +**Warning**: Synapse Admin will likely not work with Synapse v1.32 for now. See [this issue](https://github.com/Awesome-Technologies/synapse-admin/issues/132). If you insist on using Synapse Admin before there's a solution to this issue, you may wish to downgrade Synapse (adding `matrix_synapse_version: v1.31.0` or `matrix_synapse_version_arm64: v1.31.0` to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file). + ## Adjusting the playbook configuration From 29bba5161b49764c39189fb7a17e615c43a06d2b Mon Sep 17 00:00:00 2001 From: sakkiii Date: Sat, 24 Apr 2021 11:10:40 +0530 Subject: [PATCH 2135/2384] Element More security headers More Production ready nginx headers for Matrix client element. --- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index f56d7fd5..269b2e09 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -3,9 +3,12 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy "frame-ancestors 'none'; require-trusted-types-for 'script'; base-uri 'self'"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} From 0ccf0fbf1cbcc6a50d4dc17473e9f91b2e262ef8 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Sat, 24 Apr 2021 12:12:34 +0530 Subject: [PATCH 2136/2384] HSTS preload + X-XSS enables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **HSTS Preloading:** In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and indicates a willingness to be “preloaded” into browsers: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` **X-Xss-Protection:** `1; mode=block` which tells the browser to block the response if it detects an attack rather than sanitising the script. --- .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 3 ++- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 3 ++- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 3 ++- .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 3c3231f4..24d3ce5d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -3,7 +3,8 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-XSS-Protection "1; mode=block";; add_header X-Content-Type-Options nosniff; {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 038d3557..6c5eff36 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -3,7 +3,8 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; {% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index a20d8a73..aaad23b6 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -3,7 +3,8 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; {% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index e4712657..9028e846 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -3,7 +3,8 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; {% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %} From 389dc26615a78ed22dfc0fd15ccb15f533c442cc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 24 Apr 2021 11:52:45 +0300 Subject: [PATCH 2137/2384] Fix Synapse generic worker balancing Potentially fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1022 --- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 4a3a355d..db111090 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -11,7 +11,7 @@ upstream generic_worker_upstream { # ensures that requests from the same client will always be passed # to the same server (except when this server is unavailable) - ip_hash; + hash $http_x_forwarded_for; {% for worker in generic_workers %} {% if matrix_nginx_proxy_enabled %} From 40fe6bd5c110c60a82b39976125a9fec5d6ab448 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Sat, 24 Apr 2021 20:04:20 +0530 Subject: [PATCH 2138/2384] variable matrix_nginx_proxy_hsts_preload_enable added --- roles/matrix-nginx-proxy/defaults/main.yml | 11 +++++++++++ .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 6 +++++- .../nginx/conf.d/matrix-client-element.conf.j2 | 6 +++++- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 6 +++++- .../templates/nginx/conf.d/matrix-grafana.conf.j2 | 6 +++++- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 6 +++++- .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 6 +++++- 7 files changed, 41 insertions(+), 6 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index fdb76a32..6ba6a98a 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -279,6 +279,17 @@ matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. matrix_nginx_proxy_floc_optout_enabled: true +# HSTS Preloading Enable +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be “preloaded” into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +matrix_nginx_proxy_hsts_preload_enable: false + # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 685601a4..d0b31797 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -3,7 +3,11 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} add_header X-XSS-Protection "1; mode=block";; add_header X-Content-Type-Options nosniff; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 0d97ddad..2859cbb5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -4,7 +4,11 @@ gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options SAMEORIGIN; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 48e50a6d..4c2f4ee0 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -3,7 +3,11 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; {% if matrix_nginx_proxy_floc_optout_enabled %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index c1978563..8feb99bd 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -4,7 +4,11 @@ gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} # duplicate X-Content-Type-Options & X-Frame-Options header # Enabled by grafana by default # add_header X-Content-Type-Options nosniff; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 21549e4d..82e07415 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -3,7 +3,11 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; {% if matrix_nginx_proxy_floc_optout_enabled %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index be902c95..2064fad8 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -3,7 +3,11 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; From 689dcea77340934f42776a83c6d4f9836115b992 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 24 Apr 2021 20:31:25 +0300 Subject: [PATCH 2139/2384] Fix self-building for Coturn Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1023 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1009 --- roles/matrix-coturn/defaults/main.yml | 4 +++- roles/matrix-coturn/tasks/setup_install.yml | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index ea4786d8..624ab7d0 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -1,7 +1,9 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false -matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn/tree/master/docker/coturn/alpine.git" +matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn" +matrix_coturn_container_image_self_build_repo_version: "upstream/{{ matrix_coturn_version }}" +matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" matrix_coturn_version: 4.5.2 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" diff --git a/roles/matrix-coturn/tasks/setup_install.yml b/roles/matrix-coturn/tasks/setup_install.yml index 2f3664f1..24f038db 100644 --- a/roles/matrix-coturn/tasks/setup_install.yml +++ b/roles/matrix-coturn/tasks/setup_install.yml @@ -30,7 +30,7 @@ git: repo: "{{ matrix_coturn_container_image_self_build_repo }}" dest: "{{ matrix_coturn_docker_src_files_path }}" - version: "{{ matrix_coturn_docker_image.split(':')[1] }}" + version: "{{ matrix_coturn_container_image_self_build_repo_version }}" force: "yes" register: matrix_coturn_git_pull_results @@ -40,7 +40,7 @@ source: build force_source: "{{ matrix_coturn_git_pull_results.changed }}" build: - dockerfile: Dockerfile + dockerfile: "{{ matrix_coturn_container_image_self_build_repo_dockerfile_path }}" path: "{{ matrix_coturn_docker_src_files_path }}" pull: yes when: "matrix_coturn_container_image_self_build|bool" From a14bf6c2edbc3213d68b48008548ff71b1f18457 Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Mon, 26 Apr 2021 20:00:32 +0800 Subject: [PATCH 2140/2384] GoMatrixHosting v0.4.4 update --- .../matrix-awx/surveys/access_export.json.j2 | 42 +++++++++++++ .../matrix-awx/surveys/backup_server.json.j2 | 2 +- .../surveys/configure_corporal.json.j2 | 2 +- .../surveys/configure_dimension.json.j2 | 2 +- .../surveys/configure_element.json.j2 | 4 +- .../surveys/configure_jitsi.json.j2 | 4 +- .../surveys/configure_ma1sd.json.j2 | 4 +- .../surveys/configure_synapse.json.j2 | 2 +- .../tasks/customise_website_access_export.yml | 61 +++++++++++++++++-- roles/matrix-awx/tasks/import_awx.yml | 5 -- .../tasks/set_variables_dimension.yml | 6 +- roles/matrix-common-after/tasks/awx_post.yml | 15 +++++ 12 files changed, 126 insertions(+), 23 deletions(-) create mode 100644 roles/matrix-awx/surveys/access_export.json.j2 diff --git a/roles/matrix-awx/surveys/access_export.json.j2 b/roles/matrix-awx/surveys/access_export.json.j2 new file mode 100644 index 00000000..c20a9749 --- /dev/null +++ b/roles/matrix-awx/surveys/access_export.json.j2 @@ -0,0 +1,42 @@ +{ + "name": "Access Export", + "description": "Access the services export.", + "spec": [ + { + "question_name": "SFTP Authorisation Method", + "question_description": "Set whether you want to disable SFTP, use a password to connect to SFTP or connect with a more secure SSH key.", + "required": true, + "min": null, + "max": null, + "default": "{{ sftp_auth_method | string }}", + "choices": "Disabled\nPassword\nSSH Key", + "new_question": true, + "variable": "sftp_auth_method", + "type": "multiplechoice" + }, + { + "question_name": "SFTP Password", + "question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'Password' method is selected. WARNING: You must set a strong and unique password here.", + "required": false, + "min": 0, + "max": 64, + "default": "{{ sftp_password }}", + "choices": "", + "new_question": true, + "variable": "sftp_password", + "type": "password" + }, + { + "question_name": "SFTP Public SSH Key (More Secure)", + "question_description": "Sets the public SSH key used to access the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'SSH Key' method is selected.", + "required": false, + "min": 0, + "max": 16384, + "default": "{{ sftp_public_key }}", + "choices": "", + "new_question": true, + "variable": "sftp_public_key", + "type": "text" + } + ] +} diff --git a/roles/matrix-awx/surveys/backup_server.json.j2 b/roles/matrix-awx/surveys/backup_server.json.j2 index 9b9cddbd..80782b74 100644 --- a/roles/matrix-awx/surveys/backup_server.json.j2 +++ b/roles/matrix-awx/surveys/backup_server.json.j2 @@ -1,6 +1,6 @@ { "name": "Backup Server", - "description": "", + "description": "Performs a backup of the entire service to a remote location.", "spec": [ { "question_name": "Enable Backup", diff --git a/roles/matrix-awx/surveys/configure_corporal.json.j2 b/roles/matrix-awx/surveys/configure_corporal.json.j2 index 4c4ead83..14e417ce 100755 --- a/roles/matrix-awx/surveys/configure_corporal.json.j2 +++ b/roles/matrix-awx/surveys/configure_corporal.json.j2 @@ -1,6 +1,6 @@ { "name": "Configure Matrix Corporal", - "description": "", + "description": "Configure Matrix Corporal, a tool that manages your Matrix server according to a configuration policy.", "spec": [ { "question_name": "Enable Corporal", diff --git a/roles/matrix-awx/surveys/configure_dimension.json.j2 b/roles/matrix-awx/surveys/configure_dimension.json.j2 index 3acbaaaf..2f39e80e 100644 --- a/roles/matrix-awx/surveys/configure_dimension.json.j2 +++ b/roles/matrix-awx/surveys/configure_dimension.json.j2 @@ -1,6 +1,6 @@ { "name": "Configure Dimension", - "description": "", + "description": "Configure Dimension, the self-hosted integrations server.", "spec": [ { "question_name": "Enable Dimension", diff --git a/roles/matrix-awx/surveys/configure_element.json.j2 b/roles/matrix-awx/surveys/configure_element.json.j2 index 0ff02288..02812fbc 100755 --- a/roles/matrix-awx/surveys/configure_element.json.j2 +++ b/roles/matrix-awx/surveys/configure_element.json.j2 @@ -1,6 +1,6 @@ { - "name": "", - "description": "", + "name": "Configure Element", + "description": "Configure Element web client, Element is the most developed Matrix client software.", "spec": [ { "question_name": "Enable Element-Web", diff --git a/roles/matrix-awx/surveys/configure_jitsi.json.j2 b/roles/matrix-awx/surveys/configure_jitsi.json.j2 index 2eb0579b..9cb3044d 100755 --- a/roles/matrix-awx/surveys/configure_jitsi.json.j2 +++ b/roles/matrix-awx/surveys/configure_jitsi.json.j2 @@ -1,6 +1,6 @@ { - "name": "", - "description": "", + "name": "Configure Jitsi", + "description": "Configure Jitsi conferencing settings.", "spec": [ { "question_name": "Enable Jitsi", diff --git a/roles/matrix-awx/surveys/configure_ma1sd.json.j2 b/roles/matrix-awx/surveys/configure_ma1sd.json.j2 index e3c1d448..67c2c88d 100644 --- a/roles/matrix-awx/surveys/configure_ma1sd.json.j2 +++ b/roles/matrix-awx/surveys/configure_ma1sd.json.j2 @@ -1,6 +1,6 @@ { - "name": "", - "description": "", + "name": "Configure ma1sd", + "description": "Configure ma1sd settings, ma1sd is a self-hosted identity server for Matrix.", "spec": [ { "question_name": "Enable ma1sd", diff --git a/roles/matrix-awx/surveys/configure_synapse.json.j2 b/roles/matrix-awx/surveys/configure_synapse.json.j2 index f8d725da..22b80303 100755 --- a/roles/matrix-awx/surveys/configure_synapse.json.j2 +++ b/roles/matrix-awx/surveys/configure_synapse.json.j2 @@ -1,6 +1,6 @@ { "name": "Configure Synapse", - "description": "", + "description": "Configure Synapse settings. Synapse is the homeserver software that powers your Matrix instance.", "spec": [ { "question_name": "Enable Public Registration", diff --git a/roles/matrix-awx/tasks/customise_website_access_export.yml b/roles/matrix-awx/tasks/customise_website_access_export.yml index 580d8bc9..b7e27e9d 100755 --- a/roles/matrix-awx/tasks/customise_website_access_export.yml +++ b/roles/matrix-awx/tasks/customise_website_access_export.yml @@ -8,7 +8,7 @@ insertafter: '# Base Domain Settings Start' with_dict: 'matrix_nginx_proxy_base_domain_homepage_enabled': 'true' - when: customise_base_domain_website|bool == false + when: (customise_base_domain_website is defined) and not customise_base_domain_website|bool - name: Disable index.html creation to allow multi-file site if user does wish to customise base domain delegate_to: 127.0.0.1 @@ -19,7 +19,7 @@ insertafter: '# Base Domain Settings Start' with_dict: 'matrix_nginx_proxy_base_domain_homepage_enabled': 'false' - when: customise_base_domain_website|bool == true + when: (customise_base_domain_website is defined) and customise_base_domain_website|bool - name: Record custom 'Customise Website + Access Export' variables locally on AWX delegate_to: 127.0.0.1 @@ -29,29 +29,53 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Custom Settings Start' with_dict: - 'customise_base_domain_website': '{{ customise_base_domain_website }}' 'sftp_auth_method': '"{{ sftp_auth_method }}"' 'sftp_password': '"{{ sftp_password }}"' 'sftp_public_key': '"{{ sftp_public_key }}"' +- name: Record custom 'Customise Website + Access Export' variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Custom Settings Start' + with_dict: + 'customise_base_domain_website': '{{ customise_base_domain_website }}' + when: customise_base_domain_website is defined + - name: Reload vars in matrix_vars.yml include_vars: file: '{{ awx_cached_matrix_vars }}' no_log: True -# ^ Is this even needed? - - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template delegate_to: 127.0.0.1 template: src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2' dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json' + when: customise_base_domain_website is defined - name: Copy new 'Customise Website + Access Export' survey.json to target machine copy: src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json' dest: '/matrix/awx/configure_website_access_export.json' mode: '0660' + when: customise_base_domain_website is defined + +- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: './roles/matrix-awx/surveys/access_export.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json' + when: customise_base_domain_website is undefined + +- name: Copy new 'Customise Website + Access Export' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json' + dest: '/matrix/awx/access_export.json' + mode: '0660' + when: customise_base_domain_website is undefined - name: Collect AWX admin token the hard way! delegate_to: 127.0.0.1 @@ -60,7 +84,7 @@ register: tower_token no_log: True -- name: Recreate 'Customise Base Domain Export' job template +- name: Recreate 'Configure Website + Access Export' job template delegate_to: 127.0.0.1 awx.awx.tower_job_template: name: "{{ matrix_domain }} - 1 - Configure Website + Access Export" @@ -80,6 +104,29 @@ tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes + when: customise_base_domain_website is defined + +- name: Recreate 'Access Export' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Access Export" + description: "Access the services export." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-nginx-proxy" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/access_export.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + when: customise_base_domain_website is undefined - name: Ensure group "sftp" exists group: @@ -113,6 +160,7 @@ name: sftp groups: matrix append: yes + when: customise_base_domain_website is defined - name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container) file: @@ -129,6 +177,7 @@ owner: matrix group: matrix mode: '0574' + when: customise_base_domain_website is defined - name: Ensure /chroot/export location exists file: diff --git a/roles/matrix-awx/tasks/import_awx.yml b/roles/matrix-awx/tasks/import_awx.yml index 0100a5d0..6017152f 100644 --- a/roles/matrix-awx/tasks/import_awx.yml +++ b/roles/matrix-awx/tasks/import_awx.yml @@ -16,8 +16,3 @@ - name: Ensure correct ownership of /matrix/synapse shell: chown -R matrix:matrix /matrix/synapse -- name: Fetch matrix_vars.yml file to AWX - fetch: - src: /matrix/awx/matrix_vars.yml - dest: /var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/ - flat: yes diff --git a/roles/matrix-awx/tasks/set_variables_dimension.yml b/roles/matrix-awx/tasks/set_variables_dimension.yml index 2d5eb619..53a4dbfc 100644 --- a/roles/matrix-awx/tasks/set_variables_dimension.yml +++ b/roles/matrix-awx/tasks/set_variables_dimension.yml @@ -4,9 +4,11 @@ file: '{{ awx_cached_matrix_vars }}' no_log: True -- name: Install jq on remote machine +- name: Install jq and curl on remote machine apt: - name: jq + name: + - jq + - curl state: present - name: Collect access token of Dimension user diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 568ccd23..cf843d24 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -35,3 +35,18 @@ with_dict: 'matrix_awx_dimension_user_created': 'true' when: not matrix_awx_dimension_user_created|bool + +- name: Ensure /chroot/website location has correct permissions + file: + path: /chroot/website + state: directory + owner: matrix + group: matrix + mode: '0574' + when: customise_base_domain_website is defined + +- name: Ensure erroneous /chroot/website/matrix-domain location doesn't exist + file: + path: /chroot/website/matrix-domain + state: absent + when: customise_base_domain_website is defined From 49cb2635a2642b7db61646b0f7fa55397711d617 Mon Sep 17 00:00:00 2001 From: benkuly <12199167+benkuly@users.noreply.github.com> Date: Tue, 27 Apr 2021 14:39:58 +0200 Subject: [PATCH 2141/2384] updated matrix-sms-bridge --- roles/matrix-bridge-sms/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-sms/defaults/main.yml b/roles/matrix-bridge-sms/defaults/main.yml index 0ae0ed4d..55f99101 100644 --- a/roles/matrix-bridge-sms/defaults/main.yml +++ b/roles/matrix-bridge-sms/defaults/main.yml @@ -3,7 +3,7 @@ matrix_sms_bridge_enabled: true -matrix_sms_bridge_version: 0.5.5 +matrix_sms_bridge_version: 0.5.7 matrix_sms_bridge_docker_image: "{{ matrix_container_global_registry_prefix }}folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}" matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge" From 2409c33ea2e5c8d7df483eb863d1aec5e503566d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 27 Apr 2021 17:20:28 +0300 Subject: [PATCH 2142/2384] Upgrade Element (1.7.25 -> 1.7.26) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index c14b5ecd..8904c295 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.25 +matrix_client_element_version: v1.7.26 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 067b61e779a6895e5e4e5ca9772380b04cb5d2d5 Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Thu, 29 Apr 2021 08:06:45 +0800 Subject: [PATCH 2143/2384] GoMatrixHosting v0.4.5 update --- docs/configuring-awx-system.md | 2 ++ roles/matrix-awx/tasks/purge_media_local.yml | 7 ++++++- roles/matrix-awx/tasks/purge_media_main.yml | 4 ++++ roles/matrix-awx/tasks/purge_media_remote.yml | 7 ++++++- 4 files changed, 18 insertions(+), 2 deletions(-) diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md index f391a457..3db40efa 100644 --- a/docs/configuring-awx-system.md +++ b/docs/configuring-awx-system.md @@ -34,6 +34,8 @@ Updates to this section are trailed here: Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in '/docs/Installation.md' of that repository. +For simpler installation steps you can use to get started with this system, check out our minimal installation guide at '/doc/Installation_Minimal.md'. + ## Does I need a front-end WordPress site? And a DigitalOcean account? diff --git a/roles/matrix-awx/tasks/purge_media_local.yml b/roles/matrix-awx/tasks/purge_media_local.yml index 434c974b..fcb4770f 100644 --- a/roles/matrix-awx/tasks/purge_media_local.yml +++ b/roles/matrix-awx/tasks/purge_media_local.yml @@ -6,7 +6,12 @@ - name: Purge local media to specific date shell: | - curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout }}" 'https://matrix.{{ matrix_domain }}/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}' + curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}' + register: purge_command + +- name: Print output of purge command + debug: + msg: "{{ purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe pause: diff --git a/roles/matrix-awx/tasks/purge_media_main.yml b/roles/matrix-awx/tasks/purge_media_main.yml index fba0a000..77a8fecc 100644 --- a/roles/matrix-awx/tasks/purge_media_main.yml +++ b/roles/matrix-awx/tasks/purge_media_main.yml @@ -21,6 +21,10 @@ shell: | curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "https://matrix.{{ matrix_domain }}/_matrix/client/r0/login" | jq '.access_token' register: janitors_token + +- name: Collect the internal IP of the matrix-synapse container + shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" + register: synapse_container_ip - name: Generate list of dates to purge to delegate_to: 127.0.0.1 diff --git a/roles/matrix-awx/tasks/purge_media_remote.yml b/roles/matrix-awx/tasks/purge_media_remote.yml index 2a408eb9..ce0a1c96 100644 --- a/roles/matrix-awx/tasks/purge_media_remote.yml +++ b/roles/matrix-awx/tasks/purge_media_remote.yml @@ -6,7 +6,12 @@ - name: Purge local media to specific date shell: | - curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout }}" 'https://matrix.{{ matrix_domain }}/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}' + curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}' + register: purge_command + +- name: Print output of purge command + debug: + msg: "{{ purge_command.stdout }}" - name: Pause for 5 seconds to let Synapse breathe pause: From bec5933db445772308cd932e7b019b902df2d5c5 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Mon, 3 May 2021 15:57:06 -0500 Subject: [PATCH 2144/2384] Update grafana (7.5.4 -> 7.5.5) --- roles/matrix-grafana/defaults/main.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 958d8ed2..60c9c7f2 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 7.5.4 +matrix_grafana_version: 7.5.5 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" @@ -50,5 +50,3 @@ matrix_grafana_systemd_wanted_services_list: [] # # Takes an ":" or "" value (e.g. "127.0.0.1:3000"), or empty string to not expose. matrix_grafana_container_http_host_bind_port: '' - - From cfaa3e598a8cd07a01bed614bdc2671901191934 Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Mon, 3 May 2021 16:00:11 -0500 Subject: [PATCH 2145/2384] Update nginx (1.19.10 -> 1.20.0) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index fdb76a32..a7d9aeb2 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.19.10-alpine +matrix_nginx_proxy_version: 1.20.0-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but From d4d1e2e922c4b67119c05f0071ac043fb7066e63 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 5 May 2021 19:18:12 +0300 Subject: [PATCH 2146/2384] Upgrade Synapse (1.32.2 -> 1.33.0) --- roles/matrix-synapse/defaults/main.yml | 4 +- .../templates/synapse/homeserver.yaml.j2 | 151 ++++++++++-------- 2 files changed, 88 insertions(+), 67 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d11a6735..571cea3b 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.32.2 -matrix_synapse_version_arm64: v1.32.2 +matrix_synapse_version: v1.33.0 +matrix_synapse_version_arm64: v1.33.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index e951067a..df280dd5 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1178,69 +1178,6 @@ turn_allow_guests: {{ matrix_synapse_turn_allow_guests|to_json }} # enable_registration: {{ matrix_synapse_enable_registration|to_json }} -# Optional account validity configuration. This allows for accounts to be denied -# any request after a given period. -# -# Once this feature is enabled, Synapse will look for registered users without an -# expiration date at startup and will add one to every account it found using the -# current settings at that time. -# This means that, if a validity period is set, and Synapse is restarted (it will -# then derive an expiration date from the current validity period), and some time -# after that the validity period changes and Synapse is restarted, the users' -# expiration dates won't be updated unless their account is manually renewed. This -# date will be randomly selected within a range [now + period - d ; now + period], -# where d is equal to 10% of the validity period. -# -account_validity: - # The account validity feature is disabled by default. Uncomment the - # following line to enable it. - # - #enabled: true - - # The period after which an account is valid after its registration. When - # renewing the account, its validity period will be extended by this amount - # of time. This parameter is required when using the account validity - # feature. - # - #period: 6w - - # The amount of time before an account's expiry date at which Synapse will - # send an email to the account's email address with a renewal link. By - # default, no such emails are sent. - # - # If you enable this setting, you will also need to fill out the 'email' and - # 'public_baseurl' configuration sections. - # - #renew_at: 1w - - # The subject of the email sent out with the renewal link. '%(app)s' can be - # used as a placeholder for the 'app_name' parameter from the 'email' - # section. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - # If this is not set, a default value is used. - # - #renew_email_subject: "Renew your %(app)s account" - - # Directory in which Synapse will try to find templates for the HTML files to - # serve to the user when trying to renew an account. If not set, default - # templates from within the Synapse package will be used. - # - #template_dir: "res/templates" - - # File within 'template_dir' giving the HTML to be displayed to the user after - # they successfully renewed their account. If not set, default text is used. - # - #account_renewed_html_path: "account_renewed.html" - - # File within 'template_dir' giving the HTML to be displayed when the user - # tries to renew an account with an invalid renewal token. If not set, - # default text is used. - # - #invalid_token_html_path: "invalid_token.html" - # Time that a user's session remains valid for, after they log in. # # Note that this is not currently compatible with guest logins. @@ -1445,13 +1382,97 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json #auto_join_rooms_for_guests: false +## Account Validity ## + +# Optional account validity configuration. This allows for accounts to be denied +# any request after a given period. +# +# Once this feature is enabled, Synapse will look for registered users without an +# expiration date at startup and will add one to every account it found using the +# current settings at that time. +# This means that, if a validity period is set, and Synapse is restarted (it will +# then derive an expiration date from the current validity period), and some time +# after that the validity period changes and Synapse is restarted, the users' +# expiration dates won't be updated unless their account is manually renewed. This +# date will be randomly selected within a range [now + period - d ; now + period], +# where d is equal to 10% of the validity period. +# +account_validity: + # The account validity feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true + + # The period after which an account is valid after its registration. When + # renewing the account, its validity period will be extended by this amount + # of time. This parameter is required when using the account validity + # feature. + # + #period: 6w + + # The amount of time before an account's expiry date at which Synapse will + # send an email to the account's email address with a renewal link. By + # default, no such emails are sent. + # + # If you enable this setting, you will also need to fill out the 'email' and + # 'public_baseurl' configuration sections. + # + #renew_at: 1w + + # The subject of the email sent out with the renewal link. '%(app)s' can be + # used as a placeholder for the 'app_name' parameter from the 'email' + # section. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + # If this is not set, a default value is used. + # + #renew_email_subject: "Renew your %(app)s account" + + # Directory in which Synapse will try to find templates for the HTML files to + # serve to the user when trying to renew an account. If not set, default + # templates from within the Synapse package will be used. + # + # The currently available templates are: + # + # * account_renewed.html: Displayed to the user after they have successfully + # renewed their account. + # + # * account_previously_renewed.html: Displayed to the user if they attempt to + # renew their account with a token that is valid, but that has already + # been used. In this case the account is not renewed again. + # + # * invalid_token.html: Displayed to the user when they try to renew an account + # with an unknown or invalid renewal token. + # + # See https://github.com/matrix-org/synapse/tree/master/synapse/res/templates for + # default template contents. + # + # The file name of some of these templates can be configured below for legacy + # reasons. + # + #template_dir: "res/templates" + + # A custom file name for the 'account_renewed.html' template. + # + # If not set, the file is assumed to be named "account_renewed.html". + # + #account_renewed_html_path: "account_renewed.html" + + # A custom file name for the 'invalid_token.html' template. + # + # If not set, the file is assumed to be named "invalid_token.html". + # + #invalid_token_html_path: "invalid_token.html" + + ## Metrics ### # Enable collection and rendering of performance metrics # enable_metrics: {{ matrix_synapse_metrics_enabled|to_json }} - # Enable sentry integration # NOTE: While attempts are made to ensure that the logs don't contain # any sensitive information, this cannot be guaranteed. By enabling @@ -1892,7 +1913,7 @@ saml2_config: # sub-properties: # # module: The class name of a custom mapping module. Default is -# 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. +# 'synapse.handlers.oidc.JinjaOidcMappingProvider'. # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers # for information on implementing a custom mapping provider. # From 303de935d509bd2ada44f1a3a620d241ea61dbd8 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 5 May 2021 22:12:56 +0530 Subject: [PATCH 2147/2384] grafana CSP backward compatible with older browsers --- roles/matrix-grafana/defaults/main.yml | 5 +++++ roles/matrix-grafana/templates/grafana.ini.j2 | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 60c9c7f2..4e5064ab 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -37,6 +37,11 @@ matrix_grafana_default_admin_password: admin # [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy) matrix_grafana_content_security_policy: true +# specify content security policy template to customized template +# added 'unsafe-inline' (ignored by browsers supporting nonces/hashes) to be backward compatible with older browsers. +# added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers. +matrix_grafana_content_security_policy_customized: true + # A list of extra arguments to pass to the container matrix_grafana_container_extra_arguments: [] diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index 38534bc3..f442ed47 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -8,6 +8,12 @@ admin_password = """{{ matrix_grafana_default_admin_password }}""" # specify content_security_policy to add the Content-Security-Policy header to your requests content_security_policy = "{{ matrix_grafana_content_security_policy }}" +# specify content security policy template to customized template +{% if matrix_synapse_metrics_enabled %} +content_security_policy_template = """script-src http: https: 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';""" +{% else %} +{% endif %} + [auth.anonymous] # enable anonymous access enabled = {{ matrix_grafana_anonymous_access }} From 37de7fc96a32ef3fb58b5587acd6171a27bcb6e8 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 5 May 2021 22:25:38 +0530 Subject: [PATCH 2148/2384] Updated Reference --- roles/matrix-grafana/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 4e5064ab..a5d60338 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -40,6 +40,8 @@ matrix_grafana_content_security_policy: true # specify content security policy template to customized template # added 'unsafe-inline' (ignored by browsers supporting nonces/hashes) to be backward compatible with older browsers. # added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers. +# [Content Security Policy Browser Test] (https://content-security-policy.com/browser-test/) +# [Content Security Policy Reference](https://content-security-policy.com/script-src/) matrix_grafana_content_security_policy_customized: true # A list of extra arguments to pass to the container From 116bcaa13b171cc16adac089516f3e03d510675b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Wed, 5 May 2021 19:05:17 +0200 Subject: [PATCH 2149/2384] Update jitsi to stable-5765-1 Changelog: https://github.com/jitsi/docker-jitsi-meet/blob/stable-5765-1/CHANGELOG.md --- roles/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 850c456e..7dcff987 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -52,7 +52,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-5142 +matrix_jitsi_version: stable-5765-1 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" From b10655ebb1b5c0d599727ca5373f5fbc193a0cc5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Wed, 5 May 2021 19:07:17 +0200 Subject: [PATCH 2150/2384] Jitsi XMPP Websocket support Jitsi-meet enabled websockets by default, claiming better reliability. Matrix-nginx-proxy configuration has been set up according to the Prosody documentation: https://prosody.im/doc/websocket --- roles/matrix-jitsi/templates/prosody/env.j2 | 2 ++ .../nginx/conf.d/matrix-jitsi.conf.j2 | 21 +++++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index a09fa0f8..0c977d45 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -3,6 +3,8 @@ AUTH_TYPE={{ matrix_jitsi_auth_type }} ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} +PUBLIC_URL={{ matrix_jitsi_web_public_url }} + LDAP_URL={{ matrix_jitsi_ldap_url }} LDAP_BASE={{ matrix_jitsi_ldap_base }} LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 42d8451d..0b44f44d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -49,6 +49,27 @@ tcp_nodelay on; } + + # XMPP websocket + location = /xmpp-websocket { + {% if matrix_nginx_proxy_enabled %} + resolver 127.0.0.11 valid=5s; + set $backend {{ matrix_jitsi_xmpp_bosh_url_base }}; + proxy_pass $backend/xmpp-websocket; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:5280; + {% endif %} + proxy_set_header Host $host; + + proxy_http_version 1.1; + proxy_read_timeout 900s; + proxy_set_header Connection "upgrade"; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + tcp_nodelay on; + } {% endmacro %} server { From 0d5fe2d9f71e17551b98a3c5d3bc30d88a595e4e Mon Sep 17 00:00:00 2001 From: sakkiii Date: Thu, 6 May 2021 12:38:40 +0530 Subject: [PATCH 2151/2384] Update roles/matrix-grafana/templates/grafana.ini.j2 Co-authored-by: Aaron Raimist --- roles/matrix-grafana/templates/grafana.ini.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index f442ed47..fb351fe9 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -9,7 +9,7 @@ admin_password = """{{ matrix_grafana_default_admin_password }}""" content_security_policy = "{{ matrix_grafana_content_security_policy }}" # specify content security policy template to customized template -{% if matrix_synapse_metrics_enabled %} +{% if matrix_grafana_content_security_policy_customized %} content_security_policy_template = """script-src http: https: 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';""" {% else %} {% endif %} From 9174448e5ec12828a4cf0ff47a23a781524f4d0d Mon Sep 17 00:00:00 2001 From: sakkiii Date: Thu, 6 May 2021 12:46:17 +0530 Subject: [PATCH 2152/2384] get rid of this {% else %} --- roles/matrix-grafana/templates/grafana.ini.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index fb351fe9..42cfcb12 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -11,7 +11,6 @@ content_security_policy = "{{ matrix_grafana_content_security_policy }}" # specify content security policy template to customized template {% if matrix_grafana_content_security_policy_customized %} content_security_policy_template = """script-src http: https: 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';""" -{% else %} {% endif %} [auth.anonymous] From 61220ea4875183c9ec40d61780fb317d29b1969c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 6 May 2021 20:47:09 +0300 Subject: [PATCH 2153/2384] Upgrade Synapse (1.33.0 -> 1.33.1) --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 571cea3b..a6b035c0 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.33.0 -matrix_synapse_version_arm64: v1.33.0 +matrix_synapse_version: v1.33.1 +matrix_synapse_version_arm64: v1.33.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From cdaf4695c06ff1768384edbbd2668b21227b62f9 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 8 May 2021 15:07:54 -0500 Subject: [PATCH 2154/2384] Tweak maintenance-synapse.md --- docs/maintenance-synapse.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index d6c4789d..62bb8b16 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -14,11 +14,7 @@ Table of contents: ## Purging old data with the Purge History API -You can use the **Purge History API** to delete in-use (but old) data. - -**This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**. - -Synapse's [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) can be used to purge on a per-room basis. +You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst)** to delete old messages on a per-room basis. **This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**. To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like Element). Alternatively, you can log in and obtain a new access token like this: @@ -29,6 +25,8 @@ curl \ https://matrix.DOMAIN/_matrix/client/r0/login ``` +Synapse's Admin API is not exposed to the internet by default. To expose it you will need to add `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` to your `vars.yml` file. + Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) documentation page for the actual purging instructions. After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql). @@ -36,7 +34,7 @@ After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintena ## Compressing state with rust-synapse-compress-state -[rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) can be used to optimize some `_state` tables used by Synapse. +[rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) can be used to optimize some `_state` tables used by Synapse. If your server participates in large rooms this is the most effective way to reduce the size of your database. This tool should be safe to use (even when Synapse is running), but it's always a good idea to [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first. @@ -54,7 +52,10 @@ After state compression, you may wish to run a [`FULL` Postgres `VACUUM`](./main ## Browse and manipulate the database -When the [matrix admin API](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) and the other tools do not provide a more convenient way, having a look at synapse's postgresql database can satisfy a lot of admins' needs. +When the [Synapse Admin API](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) and the other tools do not provide a more convenient way, having a look at synapse's postgresql database can satisfy a lot of admins' needs. + +Editing the database manually is not recommended or supported by the Synapse developers. If you are going to do so you should [make a database backup](./maintenance-postgres.md#backing-up-postgresql). + First, set up an SSH tunnel to your matrix server (skip if it is your local machine): ``` From 65035c62c1d8580abc7dd9899a412aa4cbb5686a Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 8 May 2021 15:16:31 -0500 Subject: [PATCH 2155/2384] Mention updating Nginx --- docs/configuring-playbook-own-webserver.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 915c2c37..8a827d0d 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -55,6 +55,8 @@ Note that if your nginx version is old, it might not like our default choice of matrix_nginx_proxy_ssl_protocols: "TLSv1.2" ``` +If you are experiencing issues, try updating to a newer version of Nginx. As a data point in May 2021 a user reported that Nginx 1.14.2 was not working for them. They were getting errors about socket leaks. Updating to Nginx 1.19 fixed their issue. + ### Using your own external Apache webserver From a198b874553dba6a6663fb355b095e3b1f04f850 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 May 2021 10:05:10 +0300 Subject: [PATCH 2156/2384] Upgrade synapse-admin (0.7.2 -> 0.8.0) Related to https://github.com/Awesome-Technologies/synapse-admin/issues/132 --- roles/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 402b8a1d..612b33e3 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.7.2 +matrix_synapse_admin_version: 0.8.0 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From 33f0074862093915dc004d09ea73f7fd6d3bc027 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 May 2021 11:23:08 +0300 Subject: [PATCH 2157/2384] Upgrade matrix-mailer (4.94-r0 -> 4.94.2-r0) Related to https://github.com/devture/exim-relay/issues/6 --- roles/matrix-mailer/defaults/main.yml | 2 +- roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index 62ec9186..c1d2cc67 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.94-r0 +matrix_mailer_version: 4.94.2-r0 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index 14712935..bf5a2e42 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -18,7 +18,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ --user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \ --cap-drop=ALL \ --read-only \ - --init \ --tmpfs=/var/spool/exim:rw,noexec,nosuid,size=100m \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_mailer_base_path }}/env-mailer \ From 3dcc0069323b7fbe73094a7c7baa6158556653f4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 May 2021 11:35:53 +0300 Subject: [PATCH 2158/2384] Fix self-building for Coturn 689dcea773409 wasn't enough. The `upstream/..` tags are just upstream sources, without the alpine-based Dockerfile. We need to use the `docker/..` tags for that (or `master`) Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1032 Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1023 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1009 --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 624ab7d0..ad8735fe 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -2,7 +2,7 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn" -matrix_coturn_container_image_self_build_repo_version: "upstream/{{ matrix_coturn_version }}" +matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r0" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" matrix_coturn_version: 4.5.2 From 4e6f6e179b091102db847402f06d6fb5a8ab6c2a Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Mon, 10 May 2021 18:50:10 +0800 Subject: [PATCH 2159/2384] GMH 0.4.6 update --- docs/configuring-awx-system.md | 4 +- roles/matrix-awx/tasks/main.yml | 9 + .../tasks/purge_database_build_list.yml | 10 + .../tasks/purge_database_events.yml | 13 + .../matrix-awx/tasks/purge_database_main.yml | 234 ++++++++++++++++++ .../tasks/purge_database_no_local.yml | 13 + .../matrix-awx/tasks/purge_database_users.yml | 13 + roles/matrix-awx/tasks/purge_media_remote.yml | 2 +- roles/matrix-common-after/tasks/awx_post.yml | 18 ++ .../rust-synapse-compress-state/main.yml | 2 +- 10 files changed, 314 insertions(+), 4 deletions(-) create mode 100644 roles/matrix-awx/tasks/purge_database_build_list.yml create mode 100644 roles/matrix-awx/tasks/purge_database_events.yml create mode 100644 roles/matrix-awx/tasks/purge_database_main.yml create mode 100644 roles/matrix-awx/tasks/purge_database_no_local.yml create mode 100644 roles/matrix-awx/tasks/purge_database_users.yml diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md index 3db40efa..a93980d5 100644 --- a/docs/configuring-awx-system.md +++ b/docs/configuring-awx-system.md @@ -32,9 +32,9 @@ Updates to this section are trailed here: ## Does I need an AWX setup to use this? How do I configure it? -Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in '/docs/Installation.md' of that repository. +Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in ['/docs/Installation.md' of that repository](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation.md). -For simpler installation steps you can use to get started with this system, check out our minimal installation guide at '/doc/Installation_Minimal.md'. +For simpler installation steps you can use to get started with this system, check out our [minimal installation guide at '/doc/Installation_Minimal.md of that repository'](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_Minimal.md). ## Does I need a front-end WordPress site? And a DigitalOcean account? diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index 58546d5b..abfef97c 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -44,6 +44,15 @@ tags: - purge-media +# Purge Synapse database if called +- include_tasks: + file: "purge_database_main.yml" + apply: + tags: purge-database + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - purge-database + # Import configs, media repo from /chroot/backup import - include_tasks: file: "import_awx.yml" diff --git a/roles/matrix-awx/tasks/purge_database_build_list.yml b/roles/matrix-awx/tasks/purge_database_build_list.yml new file mode 100644 index 00000000..1ea05b7f --- /dev/null +++ b/roles/matrix-awx/tasks/purge_database_build_list.yml @@ -0,0 +1,10 @@ + +- name: Collect entire room list into stdout + shell: | + curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/rooms?from={{ item }}' + register: rooms_output + +- name: Print stdout to file + delegate_to: 127.0.0.1 + shell: | + echo '{{ rooms_output.stdout }}' >> /tmp/{{ subscription_id }}_room_list_complete.json diff --git a/roles/matrix-awx/tasks/purge_database_events.yml b/roles/matrix-awx/tasks/purge_database_events.yml new file mode 100644 index 00000000..9e2ef9c2 --- /dev/null +++ b/roles/matrix-awx/tasks/purge_database_events.yml @@ -0,0 +1,13 @@ + +- name: Purge all rooms with more then N events + shell: | + curl --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ purge_epoche_time.stdout }}000 }' "{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" + register: purge_command + +- name: Print output of purge command + debug: + msg: "{{ purge_command.stdout }}" + +- name: Pause for 5 seconds to let Synapse breathe + pause: + seconds: 5 diff --git a/roles/matrix-awx/tasks/purge_database_main.yml b/roles/matrix-awx/tasks/purge_database_main.yml new file mode 100644 index 00000000..ccd46c81 --- /dev/null +++ b/roles/matrix-awx/tasks/purge_database_main.yml @@ -0,0 +1,234 @@ + +- name: Ensure dateutils and curl is installed in AWX + delegate_to: 127.0.0.1 + yum: + name: dateutils + state: latest + +- name: Ensure dateutils, curl and jq intalled on target machine + apt: + pkg: + - curl + - jq + state: present + +- name: Include vars in matrix_vars.yml + include_vars: + file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + no_log: True + +- name: Collect size of Synapse database + shell: du -sh /matrix/postgres/data + register: db_size_before_stat + no_log: True + +- name: Print before size of Synapse database + debug: + msg: "{{ db_size_before_stat.stdout.split('\n') }}" + when: db_size_before_stat is defined + +- name: Collect the internal IP of the matrix-synapse container + shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" + register: synapse_container_ip + +- name: Collect access token for janitor user + shell: | + curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "{{ synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token' + register: janitors_token + no_log: True + +- name: Collect total number of rooms + shell: | + curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/rooms' | jq '.total_rooms' + when: purge_rooms|bool + register: rooms_total + +- name: Print total number of rooms + debug: + msg: '{{ rooms_total.stdout }}' + when: purge_rooms|bool + +- name: Calculate every 100 values for total number of rooms + delegate_to: 127.0.0.1 + shell: | + seq 0 100 {{ rooms_total.stdout }} + when: purge_rooms|bool + register: every_100_rooms + +- name: Ensure room_list_complete.json file exists + delegate_to: 127.0.0.1 + file: + path: /tmp/{{ subscription_id }}_room_list_complete.json + state: touch + when: purge_rooms|bool + +- name: Build file with total room list + include_tasks: purge_database_build_list.yml + loop: "{{ every_100_rooms.stdout_lines | flatten(levels=1) }}" + when: purge_rooms|bool + +- name: Generate list of rooms with no local users + delegate_to: 127.0.0.1 + shell: | + jq 'try .rooms[] | select(.joined_local_members == 0) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_no_local_users.txt + when: purge_rooms|bool + +- name: Count number of rooms with no local users + delegate_to: 127.0.0.1 + shell: | + wc -l /tmp/{{ subscription_id }}_room_list_no_local_users.txt | awk '{ print $1 }' + register: rooms_no_local_total + when: purge_rooms|bool + +- name: Setting host fact room_list_no_local_users + set_fact: + room_list_no_local_users: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_no_local_users.txt') }}" + no_log: True + when: purge_rooms|bool + +- name: Purge all rooms with no local users + include_tasks: purge_database_no_local.yml + loop: "{{ room_list_no_local_users.splitlines() | flatten(levels=1) }}" + when: purge_rooms|bool + +- name: Collect epoche time from date + delegate_to: 127.0.0.1 + shell: | + date -d '{{ purge_date }}' +"%s" + when: purge_rooms|bool + register: purge_epoche_time + +- name: Generate list of rooms with more then N users + delegate_to: 127.0.0.1 + shell: | + jq 'try .rooms[] | select(.joined_members > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_joined_members.txt + when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + +- name: Count number of rooms with more then N users + delegate_to: 127.0.0.1 + shell: | + wc -l /tmp/{{ subscription_id }}_room_list_joined_members.txt | awk '{ print $1 }' + register: rooms_join_members_total + when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + +- name: Setting host fact room_list_joined_members + delegate_to: 127.0.0.1 + set_fact: + room_list_joined_members: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_joined_members.txt') }}" + when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + no_log: True + +- name: Purge all rooms with more then N users + include_tasks: purge_database_users.yml + loop: "{{ room_list_joined_members.splitlines() | flatten(levels=1) }}" + when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + +- name: Generate list of rooms with more then N events + delegate_to: 127.0.0.1 + shell: | + jq 'try .rooms[] | select(.state_events > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_state_events.txt + when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + +- name: Count number of rooms with more then N users + delegate_to: 127.0.0.1 + shell: | + wc -l /tmp/{{ subscription_id }}_room_list_state_events.txt | awk '{ print $1 }' + register: rooms_state_events_total + when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + +- name: Setting host fact room_list_state_events + delegate_to: 127.0.0.1 + set_fact: + room_list_state_events: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_state_events.txt') }}" + when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + no_log: True + +- name: Purge all rooms with more then N events + include_tasks: purge_database_events.yml + loop: "{{ room_list_state_events.splitlines() | flatten(levels=1) }}" + when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Execute rust-synapse-compress-state job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_launch: + job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server" + tags: "rust-synapse-compress-state" + wait: yes + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + register: job + +- name: Stop Synapse service + shell: systemctl stop matrix-synapse.service + +- name: Re-index Synapse database + shell: docker exec -i matrix-postgres psql "host=127.0.0.1 port=5432 dbname=synapse user=synapse password={{ matrix_synapse_connection_password }}" -c 'REINDEX (VERBOSE) DATABASE synapse' + +- name: Execute run-postgres-vacuum job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_launch: + job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server" + tags: "run-postgres-vacuum,start" + wait: yes + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + register: job + +- name: Cleanup room_list files + delegate_to: 127.0.0.1 + shell: | + rm /tmp/{{ subscription_id }}_room_list* + when: purge_rooms|bool + ignore_errors: yes + +- name: Collect size of Synapse database + shell: du -sh /matrix/postgres/data + register: db_size_after_stat + no_log: True + +- name: Print total number of rooms processed + debug: + msg: '{{ rooms_total.stdout }}' + when: purge_rooms|bool + +- name: Print the number of rooms purged with no local users + debug: + msg: '{{ rooms_no_local_total.stdout }}' + when: purge_rooms|bool + +- name: Print the number of rooms purged with more then N users + debug: + msg: '{{ rooms_join_members_total.stdout }}' + when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + +- name: Print the number of rooms purged with more then N events + debug: + msg: '{{ rooms_state_events_total.stdout }}' + when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + +- name: Print before purge size of Synapse database + debug: + msg: "{{ db_size_before_stat.stdout.split('\n') }}" + when: db_size_before_stat is defined + +- name: Print after purge size of Synapse database + debug: + msg: "{{ db_size_after_stat.stdout.split('\n') }}" + when: db_size_after_stat is defined + +- name: Set boolean value to exit playbook + set_fact: + end_playbook: true + +- name: End playbook early if this task is called. + meta: end_play + when: end_playbook is defined and end_playbook|bool diff --git a/roles/matrix-awx/tasks/purge_database_no_local.yml b/roles/matrix-awx/tasks/purge_database_no_local.yml new file mode 100644 index 00000000..d94fd007 --- /dev/null +++ b/roles/matrix-awx/tasks/purge_database_no_local.yml @@ -0,0 +1,13 @@ + +- name: Purge all rooms with no local users + shell: | + curl --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "room_id": {{ item }} }' '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_room' + register: purge_command + +- name: Print output of purge command + debug: + msg: "{{ purge_command.stdout }}" + +- name: Pause for 5 seconds to let Synapse breathe + pause: + seconds: 5 diff --git a/roles/matrix-awx/tasks/purge_database_users.yml b/roles/matrix-awx/tasks/purge_database_users.yml new file mode 100644 index 00000000..302dffd8 --- /dev/null +++ b/roles/matrix-awx/tasks/purge_database_users.yml @@ -0,0 +1,13 @@ + +- name: Purge all rooms with more then N users + shell: | + curl --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" -X POST -H "Content-Type: application/json" -d '{ "delete_local_events": false, "purge_up_to_ts": {{ purge_epoche_time.stdout }}000 }' "{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_history/{{ item[1:-1] }}" + register: purge_command + +- name: Print output of purge command + debug: + msg: "{{ purge_command.stdout }}" + +- name: Pause for 5 seconds to let Synapse breathe + pause: + seconds: 5 diff --git a/roles/matrix-awx/tasks/purge_media_remote.yml b/roles/matrix-awx/tasks/purge_media_remote.yml index ce0a1c96..14f9c8d5 100644 --- a/roles/matrix-awx/tasks/purge_media_remote.yml +++ b/roles/matrix-awx/tasks/purge_media_remote.yml @@ -4,7 +4,7 @@ date -d '{{ item }}' +"%s" register: epoche_time -- name: Purge local media to specific date +- name: Purge remote media to specific date shell: | curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}' register: purge_command diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index cf843d24..08fd5450 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -35,7 +35,25 @@ with_dict: 'matrix_awx_dimension_user_created': 'true' when: not matrix_awx_dimension_user_created|bool + +- name: Create user account @mjolnir-bot + command: | + /usr/local/bin/matrix-synapse-register-user mjolnir-bot {{ matrix_awx_mjolnir-bot_user_password | quote }} 0 + register: cmd + when: not matrix_awx_dimension_user_created|bool + no_log: True +- name: Update AWX dimension user created variable + delegate_to: 127.0.0.1 + lineinfile: + path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: 'AWX Settings' + with_dict: + 'matrix_awx_mjolnir-bot_user_created': 'true' + when: not matrix_awx_dimension_user_created|bool + - name: Ensure /chroot/website location has correct permissions file: path: /chroot/website diff --git a/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml b/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml index 4ce02bc4..eef46cb3 100644 --- a/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml +++ b/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml @@ -10,7 +10,7 @@ - name: Set matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time, if not provided set_fact: - matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 15 + matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 180 when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time|default('') == ''" - name: Set matrix_synapse_rust_synapse_compress_state_compress_room_time, if not provided From f827a3cc463cb51f3a1a0837bd4c0f5b0550bd66 Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Mon, 10 May 2021 18:54:25 +0800 Subject: [PATCH 2160/2384] GMH 0.4.6 update 2 --- docs/configuring-awx-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md index a93980d5..cc90fb98 100644 --- a/docs/configuring-awx-system.md +++ b/docs/configuring-awx-system.md @@ -34,7 +34,7 @@ Updates to this section are trailed here: Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in ['/docs/Installation.md' of that repository](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation.md). -For simpler installation steps you can use to get started with this system, check out our [minimal installation guide at '/doc/Installation_Minimal.md of that repository'](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_Minimal.md). +For simpler installation steps you can use to get started with this system, check out our minimal installation guide at ['/doc/Installation_Minimal.md of that repository'](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_Minimal.md). ## Does I need a front-end WordPress site? And a DigitalOcean account? From f4657b2cdb53d3fc3082e0e5ce8310b15ec4727b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 11 May 2021 08:22:43 +0300 Subject: [PATCH 2161/2384] Upgrade Element (1.7.26 -> 1.7.27) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 8904c295..0d7e36d7 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.26 +matrix_client_element_version: v1.7.27 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From f03adc83f10b261450ded5c376628a6978f4efe3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 11 May 2021 08:50:00 +0300 Subject: [PATCH 2162/2384] Fix matrix_ma1sd_dns_overwrite_homeserver_client_value when not matrix_nginx_proxy_enabled Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1047 --- group_vars/matrix_servers | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9fec86e9..517e6922 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1113,7 +1113,9 @@ matrix_ma1sd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matr matrix_ma1sd_dns_overwrite_enabled: true matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}" +# The `matrix_ma1sd_dns_overwrite_homeserver_client_value` value when matrix_nginx_proxy_enabled is false covers the general case, +# but may be inaccurate if matrix-corporal is enabled. +matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ ('http://' + matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container) if matrix_nginx_proxy_enabled else matrix_homeserver_container_url }}" # By default, we send mail through the `matrix-mailer` service. matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" From f70102e40c22b187ac884366fc4568a1c2c1254b Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Tue, 11 May 2021 13:55:13 +0800 Subject: [PATCH 2163/2384] no dashes in usernames --- roles/matrix-common-after/tasks/awx_post.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 08fd5450..921ad167 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -36,9 +36,9 @@ 'matrix_awx_dimension_user_created': 'true' when: not matrix_awx_dimension_user_created|bool -- name: Create user account @mjolnir-bot +- name: Create user account @mjolnir command: | - /usr/local/bin/matrix-synapse-register-user mjolnir-bot {{ matrix_awx_mjolnir-bot_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user mjolnir {{ matrix_awx_mjolnir-bot_user_password | quote }} 0 register: cmd when: not matrix_awx_dimension_user_created|bool no_log: True @@ -51,7 +51,7 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: 'AWX Settings' with_dict: - 'matrix_awx_mjolnir-bot_user_created': 'true' + 'matrix_awx_mjolnir_user_created': 'true' when: not matrix_awx_dimension_user_created|bool - name: Ensure /chroot/website location has correct permissions From 0adcef65e6f3f5d72b81a15ec672ee20e544cd2c Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Tue, 11 May 2021 13:58:42 +0800 Subject: [PATCH 2164/2384] fix conditional --- roles/matrix-common-after/tasks/awx_post.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 921ad167..16477d1e 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -40,7 +40,7 @@ command: | /usr/local/bin/matrix-synapse-register-user mjolnir {{ matrix_awx_mjolnir-bot_user_password | quote }} 0 register: cmd - when: not matrix_awx_dimension_user_created|bool + when: not matrix_awx_mjolnir_user_created|bool no_log: True - name: Update AWX dimension user created variable @@ -52,7 +52,7 @@ insertafter: 'AWX Settings' with_dict: 'matrix_awx_mjolnir_user_created': 'true' - when: not matrix_awx_dimension_user_created|bool + when: not matrix_awx_mjolnir_user_created|bool - name: Ensure /chroot/website location has correct permissions file: From 2b4bada72a1c322ec74fd506500815c87f5ebb72 Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Tue, 11 May 2021 14:05:45 +0800 Subject: [PATCH 2165/2384] fix conditional --- roles/matrix-common-after/tasks/awx_post.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 16477d1e..1e194046 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -38,7 +38,7 @@ - name: Create user account @mjolnir command: | - /usr/local/bin/matrix-synapse-register-user mjolnir {{ matrix_awx_mjolnir-bot_user_password | quote }} 0 + /usr/local/bin/matrix-synapse-register-user mjolnir {{ matrix_awx_mjolnir_user_password | quote }} 0 register: cmd when: not matrix_awx_mjolnir_user_created|bool no_log: True From 8fc55b30c5e6f87ace69b8c61d09532d35569850 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Tue, 11 May 2021 19:06:30 +0530 Subject: [PATCH 2166/2384] Upgrade Synapse (1.33.1 -> 1.33.2) This release fixes a denial of service attack (CVE-2021-29471) against Synapse's push rules implementation. Server admins are encouraged to upgrade. Ref: https://github.com/matrix-org/synapse/releases/tag/v1.33.2 --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a6b035c0..39a88333 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.33.1 -matrix_synapse_version_arm64: v1.33.1 +matrix_synapse_version: v1.33.2 +matrix_synapse_version_arm64: v1.33.2 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 9121ef2604d0664f76c7ff2691fea7e0d475606b Mon Sep 17 00:00:00 2001 From: rakshazi Date: Tue, 11 May 2021 16:02:13 +0000 Subject: [PATCH 2167/2384] Added services built by community Hi, After discussion with Slavi ([link to private chat](https://matrix.to/#/!GWNJzoHiCybWdouIiP:etke.cc/$_XpK8-ucbWvxY667IVZ9ROZPqSVkG2UGglNagrbDQmw?via=etke.cc&via=devture.com)), we agreed on adding services that use matrix-docker-ansible-deploy as a core to list in README file. @GoMatrixHosting could you approve the description is correct, please? (Sorry, I just put what I know about your service) --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 301e7f05..3d6a92f1 100644 --- a/README.md +++ b/README.md @@ -129,3 +129,8 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w - IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net) - Github issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) + +## Services by community + +- [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintainance) and (optional) provide full-featured email service for your domain +- [GoMatrixHosting](https://gomatrixhosting.com) - matrix-docker-ansible-deploy "as a service" with [Ansible AWX](https://github.com/ansible/awx). That service provides you a friendly interface to create your matrix homeserver on your domain From 8e6f1876f51f4eb2d4ade870df2681045c5410d9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 11 May 2021 19:25:12 +0300 Subject: [PATCH 2168/2384] Switch to :latest version of synapse-admin Related to https://github.com/Awesome-Technologies/synapse-admin/issues/132 We should switch back when >0.8.0 gets released. --- roles/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 612b33e3..dc4cc770 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.8.0 +matrix_synapse_admin_version: latest matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From 8cace72d9538c8be1c34197567efae43ef0462ff Mon Sep 17 00:00:00 2001 From: rakshazi Date: Wed, 12 May 2021 10:40:48 +0300 Subject: [PATCH 2169/2384] Updated description with @GoMatrixHosting edits --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3d6a92f1..9876fcf9 100644 --- a/README.md +++ b/README.md @@ -130,7 +130,7 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w - Github issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) -## Services by community +## Services by the community - [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintainance) and (optional) provide full-featured email service for your domain -- [GoMatrixHosting](https://gomatrixhosting.com) - matrix-docker-ansible-deploy "as a service" with [Ansible AWX](https://github.com/ansible/awx). That service provides you a friendly interface to create your matrix homeserver on your domain +- [GoMatrixHosting](https://gomatrixhosting.com) - matrix-docker-ansible-deploy "as a service" with [Ansible AWX](https://github.com/ansible/awx). Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. This AWX system can manage the updates, configuration, import and export, backups and monitoring on its own. For more information [see our GitLab group](https://gitlab.com/GoMatrixHosting) or come [visit us on Matrix](https://matrix.to/#/#general:gomatrixhosting.com). From f481b1a84bc3c1cd7873ce6ab8a2f394c0e1a2ad Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 12 May 2021 17:44:09 +0300 Subject: [PATCH 2170/2384] Upgrade matrix-mailer (4.94.2-r0 -> 4.94.2-r0-1) Related to https://github.com/devture/exim-relay/pull/9 --- roles/matrix-mailer/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index c1d2cc67..1340cc70 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.94.2-r0 +matrix_mailer_version: 4.94.2-r0-1 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" From 226d6a6f037ef9dddb13484330f14722ec46e349 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Wed, 12 May 2021 19:52:23 +0000 Subject: [PATCH 2171/2384] Fixed typos in README Hi, I used [LanguageTool](https://languagetool.org) to fix typos in README --- README.md | 64 ++++++------------------------------------------------- 1 file changed, 7 insertions(+), 57 deletions(-) diff --git a/README.md b/README.md index 9876fcf9..0395ed84 100644 --- a/README.md +++ b/README.md @@ -12,125 +12,75 @@ We run all services in [Docker](https://www.docker.com/) containers (see [the co [Installation](docs/README.md) (upgrades) and some maintenance tasks are automated using [Ansible](https://www.ansible.com/) (see [our Ansible guide](docs/ansible.md)). - ## Supported services Using this playbook, you can get the following services configured on your server: - - (optional, default) a [Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network - - (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys) - - (optional, default) [PostgreSQL](https://www.postgresql.org/) database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. - - (optional, default) a [coturn](https://github.com/coturn/coturn) STUN/TURN server for WebRTC audio/video calls - - (optional, default) free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Element web UI - - (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default - -- (optional, default) an [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server - +- (optional, default) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server - (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) - -- (optional, default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) - +- (optional, default) a [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) - (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) REST authentication password provider module - - (optional, advanced) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module - - (optional, advanced) the [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) LDAP Auth password provider module - - (optional, advanced) the [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) spam checker module - - (optional, advanced) the [Matrix Corporal](https://github.com/devture/matrix-corporal) reconciliator and gateway for a managed Matrix server - - (optional) the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/) - -- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [Whatsapp](https://www.whatsapp.com/) - +- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/) - (optional) the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/) - - (optional) the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) - - (optional) the [mautrix-instagram](https://github.com/tulir/mautrix-instagram) bridge for bridging your Matrix server to [Instagram](https://instagram.com/) - - (optional) the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge for bridging your Matrix server to [Signal](https://www.signal.org/) - - (optional) the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) - - (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/) - - (optional) the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge for bridging your Matrix server to [Slack](https://slack.com/) - - (optional) the [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) - - (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - see [docs/configuring-playbook-bridge-matrix-bridge-sms.md](docs/configuring-playbook-bridge-matrix-bridge-sms.md) for setup documentation - - (optional) the [mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-mx-puppet-skype.md](docs/configuring-playbook-bridge-mx-puppet-skype.md) for setup documentation - - (optional) the [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) for bridging your Matrix server to [Slack](https://slack.com) - see [docs/configuring-playbook-bridge-mx-puppet-slack.md](docs/configuring-playbook-bridge-mx-puppet-slack.md) for setup documentation - - (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation - - (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation - - (optional) the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge for [Discord](https://discordapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation - - (optional) the [mx-puppet-groupme](https://gitlab.com/robintown/mx-puppet-groupme) bridge for [GroupMe](https://groupme.com/) - see [docs/configuring-playbook-bridge-mx-puppet-groupme.md](docs/configuring-playbook-bridge-mx-puppet-groupme.md) for setup documentation - - (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation - - (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms - see [docs/configuring-playbook-email2matrix.md](docs/configuring-playbook-email2matrix.md) for setup documentation - - (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients - see [docs/configuring-playbook-dimension.md](docs/configuring-playbook-dimension.md) for setup documentation - - (optional) [Etherpad](https://etherpad.org), an open source collaborative text editor - see [docs/configuring-playbook-etherpad.md](docs/configuring-playbook-etherpad.md) for setup documentation - - (optional) [Jitsi](https://jitsi.org/), an open source video-conferencing platform - see [docs/configuring-playbook-jitsi.md](docs/configuring-playbook-jitsi.md) for setup documentation - - (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation - - (optional) [Go-NEB](https://github.com/matrix-org/go-neb) multi functional bot written in Go - see [docs/configuring-playbook-bot-go-neb.md](docs/configuring-playbook-bot-go-neb.md) for setup documentation - - (optional) [Mjolnir](https://github.com/matrix-org/mjolnir), a moderation tool for Matrix - see [docs/configuring-playbook-bot-mjolnir.md](docs/configuring-playbook-bot-mjolnir.md) for setup documentation - - (optional) [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin), a web UI tool for administrating users and rooms on your Matrix server - see [docs/configuring-playbook-synapse-admin.md](docs/configuring-playbook-synapse-admin.md) for setup documentation - - (optional) [matrix-registration](https://github.com/ZerataX/matrix-registration), a simple python application to have a token based matrix registration - see [docs/configuring-playbook-matrix-registration.md](docs/configuring-playbook-matrix-registration.md) for setup documentation - - (optional) the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI - see [Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](docs/configuring-playbook-prometheus-grafana.md) for setup documentation - - (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation -Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. +Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. Sticking with the defaults (which install a subset of the above components) is the best choice, especially for a new installation. You can always re-run the playbook later to add or remove components. - ## Installation To configure and install Matrix on your own server, follow the [README in the docs/ directory](docs/README.md). - ## Changes This playbook evolves over time, sometimes with backward-incompatible changes. - When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up with what's new. - ## Support - Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) - - IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net) - -- Github issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) +- GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) ## Services by the community -- [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintainance) and (optional) provide full-featured email service for your domain -- [GoMatrixHosting](https://gomatrixhosting.com) - matrix-docker-ansible-deploy "as a service" with [Ansible AWX](https://github.com/ansible/awx). Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. This AWX system can manage the updates, configuration, import and export, backups and monitoring on its own. For more information [see our GitLab group](https://gitlab.com/GoMatrixHosting) or come [visit us on Matrix](https://matrix.to/#/#general:gomatrixhosting.com). +- [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on an old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintenance) and (optional) provide full-featured email service for your domain +- [GoMatrixHosting](https://gomatrixhosting.com) - matrix-docker-ansible-deploy "as a service" with [Ansible AWX](https://github.com/ansible/awx). Members can be assigned a server from DigitalOcean, or they can connect their on-premises server. This AWX system can manage the updates, configuration, import and export, backups, and monitoring on its own. For more information [see our GitLab group](https://gitlab.com/GoMatrixHosting) or come [visit us on Matrix](https://matrix.to/#/#general:gomatrixhosting.com). From d5cd3d443ded289a6d8e315e7e1406313a5c2e7d Mon Sep 17 00:00:00 2001 From: sakkiii Date: Fri, 14 May 2021 18:56:33 +0530 Subject: [PATCH 2172/2384] Update prometheus (2.26.0->2.27.0) --- roles/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 1c9bc144..02afd9e9 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.26.0 +matrix_prometheus_version: v2.27.0 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 4bd7d8b5e4918d8b97d33847243de237283e2f93 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Fri, 14 May 2021 18:59:21 +0530 Subject: [PATCH 2173/2384] Update grafana (7.5.5->7.5.6) --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index a5d60338..290cbdcb 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 7.5.5 +matrix_grafana_version: 7.5.6 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From ca361af61633a3032c87b0d212c7ddf4bede341f Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 15 May 2021 04:23:36 -0500 Subject: [PATCH 2174/2384] Add Hydrogen --- group_vars/matrix_servers | 27 ++++ roles/matrix-base/defaults/main.yml | 3 + .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- .../tasks/init.yml | 2 +- roles/matrix-client-element/tasks/init.yml | 2 +- .../matrix-client-hydrogen/defaults/main.yml | 67 ++++++++++ roles/matrix-client-hydrogen/tasks/init.yml | 10 ++ roles/matrix-client-hydrogen/tasks/main.yml | 15 +++ .../tasks/self_check.yml | 22 ++++ roles/matrix-client-hydrogen/tasks/setup.yml | 119 ++++++++++++++++++ .../templates/config.json.j2 | 3 + .../templates/nginx.conf.j2 | 66 ++++++++++ .../systemd/matrix-client-hydrogen.service.j2 | 40 ++++++ roles/matrix-coturn/tasks/init.yml | 2 +- roles/matrix-ma1sd/tasks/init.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 7 ++ .../tasks/setup_nginx_proxy.yml | 7 ++ .../conf.d/matrix-client-hydrogen.conf.j2 | 84 +++++++++++++ roles/matrix-synapse/tasks/init.yml | 2 +- setup.yml | 1 + 27 files changed, 484 insertions(+), 13 deletions(-) create mode 100644 roles/matrix-client-hydrogen/defaults/main.yml create mode 100644 roles/matrix-client-hydrogen/tasks/init.yml create mode 100644 roles/matrix-client-hydrogen/tasks/main.yml create mode 100644 roles/matrix-client-hydrogen/tasks/self_check.yml create mode 100644 roles/matrix-client-hydrogen/tasks/setup.yml create mode 100644 roles/matrix-client-hydrogen/templates/config.json.j2 create mode 100644 roles/matrix-client-hydrogen/templates/nginx.conf.j2 create mode 100644 roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 517e6922..f5ed72c7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1242,6 +1242,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_nginx_proxy_proxy_riot_compat_redirect_hostname] if matrix_nginx_proxy_proxy_riot_compat_redirect_enabled else []) + + ([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else []) + + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) @@ -1545,6 +1547,31 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr +###################################################################### +# +# matrix-client-hydrogen +# +###################################################################### + +matrix_client_hydrogen_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Hydrogen over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the HTTP port to the local host. +matrix_client_hydrogen_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8768' }}" + +matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" + +matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + +###################################################################### +# +# /matrix-client-hydrogen +# +###################################################################### + + + ###################################################################### # # matrix-synapse diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index d1d3bf27..ef30ad67 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -15,6 +15,9 @@ matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" # This and the Matrix FQN (see above) are expected to be on the same server. matrix_server_fqn_element: "element.{{ matrix_domain }}" +# This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default). +matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}" + # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml index 9e127316..97b370d9 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml @@ -16,7 +16,7 @@ when: matrix_mautrix_facebook_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 9209fa40..9824891b 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -62,7 +62,7 @@ when: "matrix_mautrix_hangouts_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix Hangouts image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml index 2b407358..cd46d03d 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml @@ -16,7 +16,7 @@ when: matrix_mautrix_instagram_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix instagram image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml index 4d8444e1..73f3507e 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml @@ -16,7 +16,7 @@ when: matrix_mx_puppet_discord_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml index 1f00e8a5..f2657d2a 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml @@ -16,7 +16,7 @@ when: matrix_mx_puppet_groupme_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml index 605ea492..75ced0a2 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -16,7 +16,7 @@ when: matrix_mx_puppet_skype_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Skype image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index 16afef20..68c305bb 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -63,7 +63,7 @@ when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml index 9687944f..4c71ef85 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml @@ -16,7 +16,7 @@ when: matrix_mx_puppet_steam_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 86f30237..a048a002 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -63,7 +63,7 @@ when: "matrix_mx_puppet_twitter_enabled|bool and matrix_nginx_proxy_enabled is not defined" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-client-element/tasks/init.yml b/roles/matrix-client-element/tasks/init.yml index a42e3143..0fb47a8b 100644 --- a/roles/matrix-client-element/tasks/init.yml +++ b/roles/matrix-client-element/tasks/init.yml @@ -3,7 +3,7 @@ when: matrix_client_element_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build the Element image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml new file mode 100644 index 00000000..cf6e9a0c --- /dev/null +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -0,0 +1,67 @@ +matrix_client_hydrogen_enabled: true + +# as of 2021-05-15 the pre-built images were not working so self building is enabled by default +matrix_client_hydrogen_container_image_self_build: true +matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" + +matrix_client_hydrogen_version: v0.1.51 +matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" +matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" +matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" + +matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen" +matrix_client_hydrogen_docker_src_files_path: "{{ matrix_client_hydrogen_data_path }}/docker-src" + +# Controls whether the container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose. +matrix_client_hydrogen_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_client_hydrogen_container_extra_arguments: [] + +# List of systemd services that matrix-client-hydrogen.service depends on +matrix_client_hydrogen_systemd_required_services_list: ['docker.service'] + +# Controls whether the self-check feature should validate SSL certificates. +matrix_client_hydrogen_self_check_validate_certificates: true + +# config.json +matrix_client_hydrogen_default_hs_url: "" + +# Default Hydrogen configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_hydrogen_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_client_hydrogen_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}" + +# Your custom JSON configuration for Hydrogen should go to `matrix_client_hydrogen_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_hydrogen_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_hydrogen_configuration_default`. +# +# Example configuration extension follows: +# +# matrix_client_hydrogen_configuration_extension_json: | +# { +# "push": { +# "appId": "io.element.hydrogen.web", +# "gatewayUrl": "https://matrix.org", +# "applicationServerKey": "BC-gpSdVHEXhvHSHS0AzzWrQoukv2BE7KzpoPO_FfPacqOo3l1pdqz7rSgmB04pZCWaHPz7XRe6fjLaC-WPDopM" +# }, +# "defaultHomeServer": "matrix.org" +# } +matrix_client_hydrogen_configuration_extension_json: '{}' + +matrix_client_hydrogen_configuration_extension: "{{ matrix_client_hydrogen_configuration_extension_json|from_json if matrix_client_hydrogen_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final Hydrogen configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_hydrogen_configuration_default`. +matrix_client_hydrogen_configuration: "{{ matrix_client_hydrogen_configuration_default|combine(matrix_client_hydrogen_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-client-hydrogen/tasks/init.yml b/roles/matrix-client-hydrogen/tasks/init.yml new file mode 100644 index 00000000..be72a983 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/init.yml @@ -0,0 +1,10 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" + when: matrix_client_hydrogen_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self building it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build the Hydrogen image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build" diff --git a/roles/matrix-client-hydrogen/tasks/main.yml b/roles/matrix-client-hydrogen/tasks/main.yml new file mode 100644 index 00000000..6534db05 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/main.yml @@ -0,0 +1,15 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_client_hydrogen_enabled|bool" + tags: + - setup-all + - setup-client-hydrogen + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + when: run_setup|bool + tags: + - setup-all + - setup-client-hydrogen diff --git a/roles/matrix-client-hydrogen/tasks/self_check.yml b/roles/matrix-client-hydrogen/tasks/self_check.yml new file mode 100644 index 00000000..c7407dcd --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/self_check.yml @@ -0,0 +1,22 @@ +--- + +- set_fact: + matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}" + +- name: Check Hydrogen + uri: + url: "{{ matrix_client_hydrogen_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_client_hydrogen_self_check_validate_certificates }}" + register: matrix_client_hydrogen_self_check_result + check_mode: no + ignore_errors: true + +- name: Fail if Hydrogen not working + fail: + msg: "Failed checking Hydrogen is up at `{{ matrix_server_fqn_hydrogen }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}" + when: "matrix_client_hydrogen_self_check_result.failed or 'json' not in matrix_client_hydrogen_self_check_result" + +- name: Report working Hydrogen + debug: + msg: "Hydrogen at `{{ matrix_server_fqn_hydrogen }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)" diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml new file mode 100644 index 00000000..3d9eea44 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/setup.yml @@ -0,0 +1,119 @@ +--- + +# +# Tasks related to setting up Hydrogen +# + +- name: Ensure Hydrogen paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_client_hydrogen_data_path }}", when: true } + - { path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}" } + when: matrix_client_hydrogen_enabled|bool and item.when + +- name: Ensure Hydrogen Docker image is pulled + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_client_hydrogen_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_hydrogen_docker_image_force_pull }}" + when: matrix_client_hydrogen_enabled|bool and not matrix_client_hydrogen_container_image_self_build + +- name: Ensure Hydrogen repository is present on self-build + git: + repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}" + version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_client_hydrogen_git_pull_results + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + +- name: Ensure Hydrogen Docker image is built + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + source: build + force_source: "{{ matrix_client_hydrogen_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_client_hydrogen_docker_src_files_path }}" + pull: yes + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + +- name: Ensure Hydrogen configuration installed + copy: + content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}" + dest: "{{ matrix_client_hydrogen_data_path }}/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_client_hydrogen_enabled|bool + +- name: Ensure Hydrogen config files installed + template: + src: "{{ item.src }}" + dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + when: "matrix_client_hydrogen_enabled|bool and item.src is not none" + +- name: Ensure matrix-client-hydrogen.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + mode: 0644 + register: matrix_client_hydrogen_systemd_service_result + when: matrix_client_hydrogen_enabled|bool + +- name: Ensure systemd reloaded after matrix-client-hydrogen.service installation + service: + daemon_reload: yes + when: "matrix_client_hydrogen_enabled and matrix_client_hydrogen_systemd_service_result.changed" + +# +# Tasks related to getting rid of Hydrogen (if it was previously enabled) +# + +- name: Check existence of matrix-client-hydrogen.service + stat: + path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + register: matrix_client_hydrogen_service_stat + when: "not matrix_client_hydrogen_enabled|bool" + +- name: Ensure matrix-client-hydrogen is stopped + service: + name: matrix-client-hydrogen + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure matrix-client-hydrogen.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + state: absent + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal + service: + daemon_reload: yes + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure Hydrogen paths doesn't exist + file: + path: "{{ matrix_client_hydrogen_data_path }}" + state: absent + when: "not matrix_client_hydrogen_enabled|bool" + +- name: Ensure Hydrogen Docker image doesn't exist + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + state: absent + when: "not matrix_client_hydrogen_enabled|bool" diff --git a/roles/matrix-client-hydrogen/templates/config.json.j2 b/roles/matrix-client-hydrogen/templates/config.json.j2 new file mode 100644 index 00000000..62a849b0 --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/config.json.j2 @@ -0,0 +1,3 @@ +{ + "defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url|string|to_json }} +} diff --git a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 new file mode 100644 index 00000000..fba16bbd --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 @@ -0,0 +1,66 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) +# +# The following changes have been done compared to a default nginx configuration file: +# - default server port is changed (80 -> 8080), so that a non-root user can bind it +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 8080; + server_name localhost; + + root /usr/share/nginx/html; + + location / { + index index.html index.htm; + } + + location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { + expires -1; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +} diff --git a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 new file mode 100644 index 00000000..227d105b --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 @@ -0,0 +1,40 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Hydrogen Client +{% for service in matrix_client_hydrogen_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydrogen \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_client_hydrogen_container_http_host_bind_port %} + -p {{ matrix_client_hydrogen_container_http_host_bind_port }}:8080 \ + {% endif %} + --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ + --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/config.json,dst=/app/config.json,ro \ + {% for arg in matrix_client_hydrogen_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_client_hydrogen_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-client-hydrogen + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index be011b7f..17270162 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Coturn image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-ma1sd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml index 89283a1f..64f2781e 100644 --- a/roles/matrix-ma1sd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -3,7 +3,7 @@ when: matrix_ma1sd_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a7d9aeb2..97ba7539 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -113,6 +113,10 @@ matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost: matrix_nginx_proxy_proxy_element_enabled: false matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" +# Controls whether proxying the Hydrogen domain should be done. +matrix_nginx_proxy_proxy_hydrogen_enabled: false +matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" + # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" @@ -251,6 +255,9 @@ matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). +matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 7534d28c..660f277c 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -72,6 +72,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool + - name: Ensure Matrix nginx-proxy configuration for dimension domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 new file mode 100644 index 00000000..9224dd86 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -0,0 +1,84 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options SAMEORIGIN; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + {% for configuration_block in matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-client-hydrogen:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8768; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index 04b8d2b8..51dd9906 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -19,7 +19,7 @@ when: matrix_s3_media_store_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Synapse image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/setup.yml b/setup.yml index 4e2879e5..add6aae8 100755 --- a/setup.yml +++ b/setup.yml @@ -42,6 +42,7 @@ - matrix-grafana - matrix-registration - matrix-client-element + - matrix-client-hydrogen - matrix-jitsi - matrix-ma1sd - matrix-dimension From c05021640d4d5ed462ec8b5546f52608ed2aeac1 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Sat, 15 May 2021 15:57:05 +0530 Subject: [PATCH 2175/2384] Enable OCSP Stapling --- roles/matrix-nginx-proxy/defaults/main.yml | 12 ++++++++++++ .../nginx/conf.d/matrix-base-domain.conf.j2 | 6 ++++++ .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 6 ++++++ .../nginx/conf.d/matrix-client-element.conf.j2 | 6 ++++++ .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 6 ++++++ .../templates/nginx/conf.d/matrix-domain.conf.j2 | 6 ++++++ .../templates/nginx/conf.d/matrix-grafana.conf.j2 | 7 +++++++ .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 6 ++++++ .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 6 ++++++ 9 files changed, 61 insertions(+) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a7d9aeb2..63f55562 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -279,6 +279,18 @@ matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. matrix_nginx_proxy_floc_optout_enabled: true +# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance. +# OCSP stapling can provide a performance boost of up to 30% +# nginx web server supports OCSP stapling since version 1.3.7. +# +# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response. +# +# Learn more about what it is here: +# - https://en.wikipedia.org/wiki/OCSP_stapling +# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/ +# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ +matrix_nginx_proxy_ocsp_stapling_enabled: true + # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index a2d59e86..96bbd564 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -9,6 +9,12 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 91cd9e41..a2f92de5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -7,6 +7,12 @@ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; + {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index f3a537da..60504daf 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -10,6 +10,12 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index db93be48..d26410ec 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -9,6 +9,12 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} {% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 703c490e..6a6f581f 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -20,6 +20,12 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} location /.well-known/matrix { root {{ matrix_static_files_base_path }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index c1978563..4143519c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -10,6 +10,13 @@ # add_header X-Content-Type-Options nosniff; # add_header X-Frame-Options SAMEORIGIN; add_header Referrer-Policy "strict-origin-when-cross-origin"; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} + {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 0b44f44d..17f1e966 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -9,6 +9,12 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} {% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index a69424f4..b828299f 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -4,6 +4,12 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} {{- configuration_block }} From 0dd4459799d5de01e08a8636fb6d0709f449ab15 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Sat, 15 May 2021 16:01:49 +0530 Subject: [PATCH 2176/2384] matrix_nginx_proxy_ocsp_stapling_enabled variable added --- roles/matrix-nginx-proxy/defaults/main.yml | 24 +++++++++++----------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 63f55562..be15ff60 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -279,18 +279,6 @@ matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. matrix_nginx_proxy_floc_optout_enabled: true -# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance. -# OCSP stapling can provide a performance boost of up to 30% -# nginx web server supports OCSP stapling since version 1.3.7. -# -# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response. -# -# Learn more about what it is here: -# - https://en.wikipedia.org/wiki/OCSP_stapling -# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/ -# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ -matrix_nginx_proxy_ocsp_stapling_enabled: true - # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # @@ -397,6 +385,18 @@ matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" matrix_ssl_pre_obtaining_required_service_name: ~ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 +# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance. +# OCSP stapling can provide a performance boost of up to 30% +# nginx web server supports OCSP stapling since version 1.3.7. +# +# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response. +# +# Learn more about what it is here: +# - https://en.wikipedia.org/wiki/OCSP_stapling +# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/ +# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ +matrix_nginx_proxy_ocsp_stapling_enabled: true + # nginx status page configurations. matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}'] From 2c3da6599b1f9b89f60766ff528b1fb6e82b9d19 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Sat, 15 May 2021 16:07:52 +0530 Subject: [PATCH 2177/2384] Added warning --- roles/matrix-nginx-proxy/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index be15ff60..b97692ba 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -390,6 +390,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 # nginx web server supports OCSP stapling since version 1.3.7. # # *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response. +# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling # # Learn more about what it is here: # - https://en.wikipedia.org/wiki/OCSP_stapling From e4dd933cf0f48a8722a43239b07a9335c85c4f14 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 17 May 2021 11:40:43 +0300 Subject: [PATCH 2178/2384] Make missing /_synapse/admin correctly return 404 responses Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058 We may try to capture such calls and return a friendlier response (HTML or JSON) saying "The Synapse Admin API is not enabled", but that may not be desirable. For now, we stick to what "upstream" recommends: "simply don't proxy these APIs", which should lead to the same kind of 404 that we have now. See here: https://github.com/matrix-org/synapse/blob/66609122260ad151359b9c0028634094cf51b5c5/docs/reverse_proxy.md#synapse-administration-endpoints --- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 703c490e..29af1560 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -136,7 +136,13 @@ proxy_max_temp_file_size 0; } - location / { + {# + We only handle the root URI for this redirect or homepage serving. + Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404, + instead of causing a redirect. + See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058 + #} + location ~* ^/$ { {% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %} return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; {% else %} From d156c8caa239a9269112257a5fc1a42fd7a44efa Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 17 May 2021 14:58:07 +0300 Subject: [PATCH 2179/2384] Upgrade Synapse (1.33.2 -> 1.34.0) --- roles/matrix-synapse/defaults/main.yml | 5 +++-- .../templates/synapse/homeserver.yaml.j2 | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 39a88333..d966665f 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.33.2 -matrix_synapse_version_arm64: v1.33.2 +matrix_synapse_version: v1.34.0 +matrix_synapse_version_arm64: v1.34.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -454,6 +454,7 @@ matrix_synapse_sentry_dsn: "" # Postgres database information matrix_synapse_database_host: "matrix-postgres" +matrix_synapse_database_port: 5432 matrix_synapse_database_user: "synapse" matrix_synapse_database_password: "" matrix_synapse_database_database: "synapse" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index df280dd5..22f5f1ea 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -128,6 +128,16 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} # #gc_thresholds: [700, 10, 10] +# The minimum time in seconds between each GC for a generation, regardless of +# the GC thresholds. This ensures that we don't do GC too frequently. +# +# A value of `[1s, 10s, 30s]` indicates that a second must pass between consecutive +# generation 0 GCs, etc. +# +# Defaults to `[1s, 10s, 30s]`. +# +#gc_min_interval: [0.5s, 30s, 1m] + # Set the limit on the returned events in the timeline in the get # and sync operations. The default value is 100. -1 means no upper limit. # @@ -757,6 +767,12 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js # #allow_profile_lookup_over_federation: false +# Uncomment to disable device display name lookup over federation. By default, the +# Federation API allows other homeservers to obtain device display names of any user +# on this homeserver. Defaults to 'true'. +# +#allow_device_name_lookup_over_federation: false + ## Caching ## @@ -813,6 +829,7 @@ database: password: {{ matrix_synapse_database_password|string|to_json }} database: "{{ matrix_synapse_database_database }}" host: "{{ matrix_synapse_database_host }}" + port: {{ matrix_synapse_database_port }} cp_min: 5 cp_max: 10 @@ -1519,6 +1536,7 @@ room_prejoin_state: # - m.room.avatar # - m.room.encryption # - m.room.name + # - m.room.create # # Uncomment the following to disable these defaults (so that only the event # types listed in 'additional_event_types' are shared). Defaults to 'false'. From 578754e60eb7f8122aefaac3e5a1cdf8d687ee44 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Mon, 17 May 2021 13:10:54 +0000 Subject: [PATCH 2180/2384] Bring back newlines --- README.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/README.md b/README.md index 0395ed84..f2f458c5 100644 --- a/README.md +++ b/README.md @@ -12,51 +12,95 @@ We run all services in [Docker](https://www.docker.com/) containers (see [the co [Installation](docs/README.md) (upgrades) and some maintenance tasks are automated using [Ansible](https://www.ansible.com/) (see [our Ansible guide](docs/ansible.md)). + ## Supported services Using this playbook, you can get the following services configured on your server: + - (optional, default) a [Synapse](https://github.com/matrix-org/synapse) homeserver - storing your data and managing your presence in the [Matrix](http://matrix.org/) network + - (optional) [Amazon S3](https://aws.amazon.com/s3/) storage for Synapse's content repository (`media_store`) files using [Goofys](https://github.com/kahing/goofys) + - (optional, default) [PostgreSQL](https://www.postgresql.org/) database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. + - (optional, default) a [coturn](https://github.com/coturn/coturn) STUN/TURN server for WebRTC audio/video calls + - (optional, default) free [Let's Encrypt](https://letsencrypt.org/) SSL certificate, which secures the connection to the Synapse server and the Element web UI + - (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default + - (optional, default) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server + - (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) + - (optional, default) a [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) + - (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) REST authentication password provider module + - (optional, advanced) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module + - (optional, advanced) the [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) LDAP Auth password provider module + - (optional, advanced) the [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) spam checker module + - (optional, advanced) the [Matrix Corporal](https://github.com/devture/matrix-corporal) reconciliator and gateway for a managed Matrix server + - (optional) the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/) + - (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/) + - (optional) the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/) + - (optional) the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) + - (optional) the [mautrix-instagram](https://github.com/tulir/mautrix-instagram) bridge for bridging your Matrix server to [Instagram](https://instagram.com/) + - (optional) the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge for bridging your Matrix server to [Signal](https://www.signal.org/) + - (optional) the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) + - (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/) + - (optional) the [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) bridge for bridging your Matrix server to [Slack](https://slack.com/) + - (optional) the [matrix-appservice-webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) + - (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - see [docs/configuring-playbook-bridge-matrix-bridge-sms.md](docs/configuring-playbook-bridge-matrix-bridge-sms.md) for setup documentation + - (optional) the [mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-mx-puppet-skype.md](docs/configuring-playbook-bridge-mx-puppet-skype.md) for setup documentation + - (optional) the [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) for bridging your Matrix server to [Slack](https://slack.com) - see [docs/configuring-playbook-bridge-mx-puppet-slack.md](docs/configuring-playbook-bridge-mx-puppet-slack.md) for setup documentation + - (optional) the [mx-puppet-instagram](https://github.com/Sorunome/mx-puppet-instagram) bridge for Instagram-DMs ([Instagram](https://www.instagram.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-instagram.md](docs/configuring-playbook-bridge-mx-puppet-instagram.md) for setup documentation + - (optional) the [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) bridge for Twitter-DMs ([Twitter](https://twitter.com/)) - see [docs/configuring-playbook-bridge-mx-puppet-twitter.md](docs/configuring-playbook-bridge-mx-puppet-twitter.md) for setup documentation + - (optional) the [mx-puppet-discord](https://github.com/matrix-discord/mx-puppet-discord) bridge for [Discord](https://discordapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-discord.md](docs/configuring-playbook-bridge-mx-puppet-discord.md) for setup documentation + - (optional) the [mx-puppet-groupme](https://gitlab.com/robintown/mx-puppet-groupme) bridge for [GroupMe](https://groupme.com/) - see [docs/configuring-playbook-bridge-mx-puppet-groupme.md](docs/configuring-playbook-bridge-mx-puppet-groupme.md) for setup documentation + - (optional) the [mx-puppet-steam](https://github.com/icewind1991/mx-puppet-steam) bridge for [Steam](https://steamapp.com/) - see [docs/configuring-playbook-bridge-mx-puppet-steam.md](docs/configuring-playbook-bridge-mx-puppet-steam.md) for setup documentation + - (optional) [Email2Matrix](https://github.com/devture/email2matrix) for relaying email messages to Matrix rooms - see [docs/configuring-playbook-email2matrix.md](docs/configuring-playbook-email2matrix.md) for setup documentation + - (optional) [Dimension](https://github.com/turt2live/matrix-dimension), an open source integrations manager for matrix clients - see [docs/configuring-playbook-dimension.md](docs/configuring-playbook-dimension.md) for setup documentation + - (optional) [Etherpad](https://etherpad.org), an open source collaborative text editor - see [docs/configuring-playbook-etherpad.md](docs/configuring-playbook-etherpad.md) for setup documentation + - (optional) [Jitsi](https://jitsi.org/), an open source video-conferencing platform - see [docs/configuring-playbook-jitsi.md](docs/configuring-playbook-jitsi.md) for setup documentation + - (optional) [matrix-reminder-bot](https://github.com/anoadragon453/matrix-reminder-bot) for scheduling one-off & recurring reminders and alarms - see [docs/configuring-playbook-bot-matrix-reminder-bot.md](docs/configuring-playbook-bot-matrix-reminder-bot.md) for setup documentation + - (optional) [Go-NEB](https://github.com/matrix-org/go-neb) multi functional bot written in Go - see [docs/configuring-playbook-bot-go-neb.md](docs/configuring-playbook-bot-go-neb.md) for setup documentation + - (optional) [Mjolnir](https://github.com/matrix-org/mjolnir), a moderation tool for Matrix - see [docs/configuring-playbook-bot-mjolnir.md](docs/configuring-playbook-bot-mjolnir.md) for setup documentation + - (optional) [synapse-admin](https://github.com/Awesome-Technologies/synapse-admin), a web UI tool for administrating users and rooms on your Matrix server - see [docs/configuring-playbook-synapse-admin.md](docs/configuring-playbook-synapse-admin.md) for setup documentation + - (optional) [matrix-registration](https://github.com/ZerataX/matrix-registration), a simple python application to have a token based matrix registration - see [docs/configuring-playbook-matrix-registration.md](docs/configuring-playbook-matrix-registration.md) for setup documentation + - (optional) the [Prometheus](https://prometheus.io) time-series database server, the Prometheus [node-exporter](https://prometheus.io/docs/guides/node-exporter/) host metrics exporter, and the [Grafana](https://grafana.com/) web UI - see [Enabling metrics and graphs (Prometheus, Grafana) for your Matrix server](docs/configuring-playbook-prometheus-grafana.md) for setup documentation + - (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. @@ -65,22 +109,30 @@ Basically, this playbook aims to get you up-and-running with all the necessities Sticking with the defaults (which install a subset of the above components) is the best choice, especially for a new installation. You can always re-run the playbook later to add or remove components. + ## Installation To configure and install Matrix on your own server, follow the [README in the docs/ directory](docs/README.md). + ## Changes This playbook evolves over time, sometimes with backward-incompatible changes. + When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up with what's new. + ## Support - Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) + - IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net) + - GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) + ## Services by the community - [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on an old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintenance) and (optional) provide full-featured email service for your domain + - [GoMatrixHosting](https://gomatrixhosting.com) - matrix-docker-ansible-deploy "as a service" with [Ansible AWX](https://github.com/ansible/awx). Members can be assigned a server from DigitalOcean, or they can connect their on-premises server. This AWX system can manage the updates, configuration, import and export, backups, and monitoring on its own. For more information [see our GitLab group](https://gitlab.com/GoMatrixHosting) or come [visit us on Matrix](https://matrix.to/#/#general:gomatrixhosting.com). From 400371f6dd474344f7a5efffac1355ae507b80c0 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Mon, 17 May 2021 13:15:12 +0000 Subject: [PATCH 2181/2384] Updated Element version (1.7.27 -> 1.7.28) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 0d7e36d7..c2a546c6 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.27 +matrix_client_element_version: v1.7.28 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 8bf4c52838da146d3e2acb9ec8d1f10c72e5617f Mon Sep 17 00:00:00 2001 From: rakshazi Date: Mon, 17 May 2021 14:32:31 +0000 Subject: [PATCH 2182/2384] Fix typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f2f458c5..1ede6219 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) -- (optional, default) a [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) +- (optional, default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) - (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) REST authentication password provider module From d31b55b2a79b583fae4def0bff3655df5edf17cd Mon Sep 17 00:00:00 2001 From: sakkiii Date: Tue, 18 May 2021 03:24:06 +0530 Subject: [PATCH 2183/2384] SSL-enabled block only --- .../nginx/conf.d/matrix-base-domain.conf.j2 | 12 ++++++------ .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 12 ++++++------ .../nginx/conf.d/matrix-client-element.conf.j2 | 12 ++++++------ .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 12 ++++++------ .../templates/nginx/conf.d/matrix-domain.conf.j2 | 12 ++++++------ .../templates/nginx/conf.d/matrix-grafana.conf.j2 | 12 ++++++------ .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 12 ++++++------ .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 12 ++++++------ .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 6 ++++++ 9 files changed, 54 insertions(+), 48 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 96bbd564..a8ea14c4 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -9,12 +9,6 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - - {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} {{- configuration_block }} @@ -75,6 +69,12 @@ server { ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index a2f92de5..87f6a970 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -7,12 +7,6 @@ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; - {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} - {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} @@ -80,6 +74,12 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 60504daf..087d2b61 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -10,12 +10,6 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - - {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {{- configuration_block }} @@ -85,6 +79,12 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index d26410ec..b43e0370 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -9,12 +9,6 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - - {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} {% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} {{- configuration_block }} @@ -83,6 +77,12 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 6a6f581f..6718e3c1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -20,12 +20,6 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - - {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} location /.well-known/matrix { root {{ matrix_static_files_base_path }}; @@ -201,6 +195,12 @@ server { ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index 4143519c..29b33265 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -11,12 +11,6 @@ # add_header X-Frame-Options SAMEORIGIN; add_header Referrer-Policy "strict-origin-when-cross-origin"; - {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} - {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} @@ -91,6 +85,12 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 17f1e966..526061cc 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -9,12 +9,6 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - - {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} {% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} {{- configuration_block }} @@ -125,6 +119,12 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index b828299f..4fbd6d9c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -4,12 +4,6 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - - {% if matrix_nginx_proxy_ocsp_stapling_enabled and matrix_ssl_retrieval_method in ["lets-encrypt", "manually-managed"] %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} {{- configuration_block }} @@ -68,6 +62,12 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index ac0253d5..64a704dc 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -76,6 +76,12 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} + {{ render_vhost_directives() }} } {% endif %} From 57a6a98a505b7b3e0b82670d4f4726ba1991479a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 May 2021 07:58:47 +0300 Subject: [PATCH 2184/2384] Fix incorrect SSL certificate path Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057 --- .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 6 +++--- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 4 ++-- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 4 ++-- .../templates/nginx/conf.d/matrix-grafana.conf.j2 | 6 +++--- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 4 ++-- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 4 ++-- .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 4 ++-- 8 files changed, 17 insertions(+), 17 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 87f6a970..74f80dce 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -77,7 +77,7 @@ server { {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 087d2b61..58aa414e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -82,9 +82,9 @@ server { {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} - + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; + {% endif %} + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index b43e0370..03affa0b 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -80,8 +80,8 @@ server { {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem; + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index b6e6f075..c8e13bd0 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -201,11 +201,11 @@ server { ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index 29b33265..96608dac 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -10,7 +10,7 @@ # add_header X-Content-Type-Options nosniff; # add_header X-Frame-Options SAMEORIGIN; add_header Referrer-Policy "strict-origin-when-cross-origin"; - + {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} @@ -88,8 +88,8 @@ server { {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem; + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 526061cc..4f7b9704 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -122,8 +122,8 @@ server { {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem; + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 4fbd6d9c..9efe830d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -65,8 +65,8 @@ server { {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem; + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index 64a704dc..c8c2e13f 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -79,8 +79,8 @@ server { {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem; + {% endif %} {{ render_vhost_directives() }} } From e6afa05f7b2ce0f1f3315a1baa632e5bca8a6e8f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 May 2021 08:15:02 +0300 Subject: [PATCH 2185/2384] Enable OCSP stapling for the federation port Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057 Not sure if this is beneficial though. --- roles/matrix-nginx-proxy/defaults/main.yml | 3 ++- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index b97692ba..6a4864b8 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -223,6 +223,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:1 matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem" +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem" # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" @@ -391,7 +392,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 # # *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response. # set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling -# +# # Learn more about what it is here: # - https://en.wikipedia.org/wiki/OCSP_stapling # - https://blog.cloudflare.com/high-reliability-ocsp-stapling/ diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index c8e13bd0..21b403c6 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -242,6 +242,12 @@ server { ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }}; + {% endif %} {% endif %} location / { From e9b878b9e93eb9d921a5d452f47169e53d60a196 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Tue, 18 May 2021 19:39:43 +0530 Subject: [PATCH 2186/2384] Optimize SSL session --- roles/matrix-nginx-proxy/defaults/main.yml | 28 +++++++++++++++++++ .../nginx/conf.d/matrix-base-domain.conf.j2 | 8 +++++- .../nginx/conf.d/matrix-bot-go-neb.conf.j2 | 6 ++++ .../conf.d/matrix-client-element.conf.j2 | 6 ++++ .../nginx/conf.d/matrix-dimension.conf.j2 | 6 ++++ .../nginx/conf.d/matrix-domain.conf.j2 | 12 ++++++++ .../nginx/conf.d/matrix-grafana.conf.j2 | 6 ++++ .../nginx/conf.d/matrix-jitsi.conf.j2 | 6 ++++ .../nginx/conf.d/matrix-riot-web.conf.j2 | 6 ++++ .../nginx/conf.d/matrix-sygnal.conf.j2 | 6 ++++ 10 files changed, 89 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 6a4864b8..dff749b3 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -386,6 +386,34 @@ matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" matrix_ssl_pre_obtaining_required_service_name: ~ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 +# Nginx Optimize SSL Session +# +# ssl_session_cache: +# - Creating a cache of TLS connection parameters reduces the number of handshakes +# and thus can improve the performance of application. +# - Default session cache is not optimal as it can be used by only one worker process +# and can cause memory fragmentation. It is much better to use shared cache. +# - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html +# +# ssl_session_timeout: +# - Nginx by default it is set to 5 minutes which is very low. +# should be like 4h or 1d but will require you to increase the size of cache. +# - Learn More: +# https://github.com/certbot/certbot/issues/6903 +# https://github.com/mozilla/server-side-tls/issues/198 +# +# ssl_session_tickets: +# - In case of session tickets, information about session is given to the client. +# Enabling this improve performance also make Perfect Forward Secrecy useless. +# - If you would instead like to use ssl_session_tickets by yourself, you can set +# matrix_nginx_proxy_ssl_session_tickets_off false. +# - Learn More: https://github.com/mozilla/server-side-tls/issues/135 +# +# Presets are taken from Mozilla's Server Side TLS Recommended configurations +matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m" +matrix_nginx_proxy_ssl_session_timeout: "1d" +matrix_nginx_proxy_ssl_session_tickets_off: true + # OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance. # OCSP stapling can provide a performance boost of up to 30% # nginx web server supports OCSP stapling since version 1.3.7. diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index a8ea14c4..55f5b266 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -74,7 +74,13 @@ server { ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 74f80dce..da3c7b1d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -79,6 +79,12 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem; {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 58aa414e..e79fb1fb 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -85,6 +85,12 @@ server { ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; {% endif %} + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 03affa0b..67161745 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -82,6 +82,12 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem; {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 21b403c6..fc0d54b5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -207,6 +207,12 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem; {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {{ render_vhost_directives() }} } @@ -248,6 +254,12 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }}; {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {% endif %} location / { diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index 96608dac..08df8050 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -90,6 +90,12 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem; {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 4f7b9704..0949cb26 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -124,6 +124,12 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem; {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 9efe830d..36a28039 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -67,6 +67,12 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem; {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index c8c2e13f..5482fa8e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -81,6 +81,12 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem; {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {{ render_vhost_directives() }} } From ee46fabdca3bcedf09f521d392df37c3440c0781 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 19 May 2021 08:39:28 +0300 Subject: [PATCH 2187/2384] Make waiting time for --tags=start configurable Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1062 --- roles/matrix-common-after/defaults/main.yml | 16 ++++++++++++++++ roles/matrix-common-after/tasks/start.yml | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-common-after/defaults/main.yml diff --git a/roles/matrix-common-after/defaults/main.yml b/roles/matrix-common-after/defaults/main.yml new file mode 100644 index 00000000..8112191a --- /dev/null +++ b/roles/matrix-common-after/defaults/main.yml @@ -0,0 +1,16 @@ +# Specifies how long to wait between starting systemd services and checking if they're started. +# +# A too low value may lead to a failure, as services may not have enough time to start and potentially fail. +# +# A value higher than 30 seconds (or any multiple of that) may also not work well, because a failing systemd service +# auto-restarts after 30 seconds (`RestartSec=30` in systemd service files). +# Checking if a service is running right after it had potentially restarted in such a way will lead us to +# thinking it's running, while it's merely starting again (and likely to fail again, given that it already did once). +# +# All of the services we manage are also started sequentially, which in itself can take a long time. +# There may be a ~10 second (or even larger) interval between starting the first service and starting the last one. +# This makes it even harder to pick a correct value. Such a 10 second gap and a waiting time of 20 seconds will +# put us right at the "dangerous" 30-second mark. +# +# We can try to measure this gap and adjust our waiting time accordingly, but we currently don't. +matrix_common_after_systemd_service_start_wait_for_timeout_seconds: 15 diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index 300de94c..42cfe80c 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -30,7 +30,7 @@ # as we may run into systemd's automatic restart logic retrying the service. - name: Wait a bit, so that services can start (or fail) wait_for: - timeout: 15 + timeout: "{{ matrix_common_after_systemd_service_start_wait_for_timeout_seconds }}" delegate_to: 127.0.0.1 become: false From 21eb39f986a776b31fb14f42285e8f72e92e46d8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 19 May 2021 08:46:13 +0300 Subject: [PATCH 2188/2384] Mention matrix_common_after_systemd_service_start_wait_for_timeout_seconds in failure message Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1062 --- roles/matrix-common-after/tasks/start.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index 42cfe80c..64ab4d99 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -44,6 +44,9 @@ {{ item }} was not detected to be running. It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. + If you're on a slow or overloaded server, it may be that services take a longer time to start and that this error is a false-positive. + You can consider raising the value of the `matrix_common_after_systemd_service_start_wait_for_timeout_seconds` variable. + See `roles/matrix-common-after/defaults/main.yml` for more details about that. with_items: "{{ matrix_systemd_services_list }}" when: - "item.endswith('.service') and (ansible_facts.services[item]|default(none) is none or ansible_facts.services[item].state != 'running')" From 544915ff760448e9b798d3059dfc96f402a2d3aa Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Wed, 12 May 2021 15:24:39 +0300 Subject: [PATCH 2189/2384] Add Heisenbridge --- README.md | 2 + ...onfiguring-playbook-bridge-heisenbridge.md | 34 +++++++++++++ docs/configuring-playbook.md | 2 + group_vars/matrix_servers | 26 ++++++++++ .../defaults/main.yml | 47 +++++++++++++++++ .../matrix-bridge-heisenbridge/tasks/init.yml | 24 +++++++++ .../matrix-bridge-heisenbridge/tasks/main.yml | 15 ++++++ .../tasks/setup_install.yml | 38 ++++++++++++++ .../tasks/setup_uninstall.yml | 24 +++++++++ .../systemd/matrix-heisenbridge.service.j2 | 50 +++++++++++++++++++ setup.yml | 1 + 11 files changed, 263 insertions(+) create mode 100644 docs/configuring-playbook-bridge-heisenbridge.md create mode 100644 roles/matrix-bridge-heisenbridge/defaults/main.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/init.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/main.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 diff --git a/README.md b/README.md index 1ede6219..beb938b4 100644 --- a/README.md +++ b/README.md @@ -67,6 +67,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - see [docs/configuring-playbook-bridge-matrix-bridge-sms.md](docs/configuring-playbook-bridge-matrix-bridge-sms.md) for setup documentation +- (optional) the [Heisenbridge](https://github.com/hifi/heisenbridge) for bridging your Matrix server to IRC bouncer-style - see [docs/configuring-playbook-bridge-heisenbridge.md](docs/configuring-playbook-bridge-heisenbridge.md) for setup documentation + - (optional) the [mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-mx-puppet-skype.md](docs/configuring-playbook-bridge-mx-puppet-skype.md) for setup documentation - (optional) the [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) for bridging your Matrix server to [Slack](https://slack.com) - see [docs/configuring-playbook-bridge-mx-puppet-slack.md](docs/configuring-playbook-bridge-mx-puppet-slack.md) for setup documentation diff --git a/docs/configuring-playbook-bridge-heisenbridge.md b/docs/configuring-playbook-bridge-heisenbridge.md new file mode 100644 index 00000000..80a50698 --- /dev/null +++ b/docs/configuring-playbook-bridge-heisenbridge.md @@ -0,0 +1,34 @@ +# Setting up Heisenbridge (optional) + +The playbook can install and configure [Heisenbridge](https://github.com/hifi/heisenbridge) - the bouncer-style IRC bridge for you. + +See the project's [README](https://github.com/hifi/heisenbridge/blob/master/README.md) to learn what it does and why it might be useful to you. + +## Configuration + +Below are the common configuration options that you may want to set, exhaustive list is in [the bridge's defaults var file](../roles/matrix-bridge-heisenbridge/defaults/main.yml). + +At a minimum, you only need to enable the bridge to get it up and running (`inventory/host_vars/matrix.DOMAIN/vars.yml`): + +```yaml +matrix_heisenbridge_enabled: true + +# set owner (optional) +matrix_heisenbridge_owner: "@you:your-homeserver" + +# to enable identd on host port 113/TCP (optional) +matrix_heisenbridge_identd_enabled: true +``` + +That's it! A registration file is automatically generated during the setup phase. + +Setting the owner is optional as the first local user to DM `@heisenbridge:your-homeserver` will be made the owner. +If you are not using a local user you must set it as otherwise you can't DM it at all. + +## Usage + +After the bridge is successfully running just DM `@heisenbridge:your-homeserver` to start setting it up. +Help is available for all commands with the `-h` switch. +If the bridge ignores you and a DM is not accepted then the owner setting may be wrong. + +If you encounter issues or feel lost you can join the project room at [#heisenbridge:vi.fi](https://matrix.to/#/#heisenbridge:vi.fi) for help. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index f6988930..17f92575 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -126,6 +126,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Matrix SMS bridging](configuring-playbook-bridge-matrix-bridge-sms.md) (optional) +- [Setting up Heisenbridge bouncer-style IRC bridging](configuring-playbook-bridge-heisenbridge.md) (optional) + ### Bots diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 517e6922..e5ce1027 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -488,6 +488,32 @@ matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | pas # ###################################################################### +###################################################################### +# +# matrix-bridge-heisenbridge +# +###################################################################### + +# We don't enable bridges by default. +matrix_heisenbridge_enabled: false + +matrix_heisenbridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" + +matrix_heisenbridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" + +matrix_heisenbridge_systemd_wanted_services_list: | + {{ + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +###################################################################### +# +# /matrix-bridge-heisenbridge +# +###################################################################### + ###################################################################### # # matrix-bridge-mx-puppet-skype diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml new file mode 100644 index 00000000..be95af8d --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -0,0 +1,47 @@ +# heisenbridge is a bouncer-style Matrix IRC bridge +# See: https://github.com/hifi/heisenbridge + +matrix_heisenbridge_enabled: true + +matrix_heisenbridge_version: latest +matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" +matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" + +# Set this to your Matrix ID if you want to enforce the owner, otherwise first _local_ user becomes one +matrix_heisenbridge_owner: "" + +# Enabling identd will bind to host port 113/TCP +matrix_heisenbridge_identd_enabled: false + +matrix_heisenbridge_base_path: "{{ matrix_base_data_path }}/heisenbridge" + +# A list of extra arguments to pass to the container +matrix_heisenbridge_container_extra_arguments: [] + +# List of systemd services that service depends on. +matrix_heisenbridge_systemd_required_services_list: ['docker.service'] + +# List of systemd services that service wants +matrix_heisenbridge_systemd_wanted_services_list: [] + +matrix_heisenbridge_homeserver_url: "{{ matrix_homeserver_container_url }}" + +matrix_heisenbridge_appservice_token: '' +matrix_heisenbridge_homeserver_token: '' + +# Default registration file +matrix_heisenbridge_registration_yaml: + id: heisenbridge + url: http://matrix-heisenbridge:9898 + as_token: "{{ matrix_heisenbridge_appservice_token }}" + hs_token: "{{ matrix_heisenbridge_homeserver_token }}" + rate_limited: false + sender_localpart: heisenbridge + namespaces: + users: + - regex: '@hbirc_.*' + exclusive: true + aliases: [] + rooms: [] + +matrix_heisenbridge_registration: "{{ matrix_heisenbridge_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-heisenbridge/tasks/init.yml b/roles/matrix-bridge-heisenbridge/tasks/init.yml new file mode 100644 index 00000000..18e89b68 --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/init.yml @@ -0,0 +1,24 @@ +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-heisenbridge role needs to execute before the matrix-synapse role. + when: "matrix_heisenbridge_enabled and matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-heisenbridge.service'] }}" + when: matrix_heisenbridge_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_heisenbridge_base_path }}/registration.yaml,dst=/heisenbridge-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/heisenbridge-registration.yaml"] }} + when: matrix_heisenbridge_enabled|bool diff --git a/roles/matrix-bridge-heisenbridge/tasks/main.yml b/roles/matrix-bridge-heisenbridge/tasks/main.yml new file mode 100644 index 00000000..1358709d --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/main.yml @@ -0,0 +1,15 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_heisenbridge_enabled|bool" + tags: + - setup-all + - setup-heisenbridge + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_heisenbridge_enabled|bool" + tags: + - setup-all + - setup-heisenbridge diff --git a/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml b/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml new file mode 100644 index 00000000..03cf9ec3 --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml @@ -0,0 +1,38 @@ +--- + +- name: Ensure heisenbridge image is pulled + docker_image: + name: "{{ matrix_heisenbridge_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_heisenbridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_heisenbridge_docker_image_force_pull }}" + +- name: Ensure heisenbridge paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_heisenbridge_base_path }}" + +- name: Ensure heisenbridge registration.yaml installed if provided + copy: + content: "{{ matrix_heisenbridge_registration|to_nice_yaml }}" + dest: "{{ matrix_heisenbridge_base_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-heisenbridge.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-heisenbridge.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" + mode: 0644 + register: matrix_heisenbridge_systemd_service_result + +- name: Ensure systemd reloaded after matrix-heisenbridge.service installation + service: + daemon_reload: yes + when: matrix_heisenbridge_systemd_service_result.changed diff --git a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml new file mode 100644 index 00000000..d5526f8a --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-heisenbridge service + stat: + path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" + register: matrix_heisenbridge_service_stat + +- name: Ensure matrix-heisenbridge is stopped + service: + name: heisenbridge + state: stopped + daemon_reload: yes + when: "matrix_heisenbridge_service_stat.stat.exists" + +- name: Ensure matrix-heisenbridge.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" + state: absent + when: "matrix_heisenbridge_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-heisenbridge.service removal + service: + daemon_reload: yes + when: "matrix_heisenbridge_service_stat.stat.exists" diff --git a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 new file mode 100644 index 00000000..91ba39b3 --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 @@ -0,0 +1,50 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=a bouncer-style Matrix IRC bridge +{% for service in matrix_heisenbridge_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_heisenbridge_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-heisenbridge +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-heisenbridge + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_heisenbridge_identd_enabled %} + -p 113:113 \ + {% endif %} + -v {{ matrix_heisenbridge_base_path }}:/config:z \ + {% for arg in matrix_heisenbridge_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_heisenbridge_docker_image }} \ + {% if matrix_heisenbridge_identd_enabled %} + --identd \ + {% endif %} + {% if matrix_heisenbridge_owner %} + -o {{ matrix_heisenbridge_owner }} \ + {% endif %} + --config /config/registration.yaml \ + --listen-address 0.0.0.0 \ + --listen-port 9898 \ + {{ matrix_heisenbridge_homeserver_url }} + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-heisenbridge +ExecStop=-{{ matrix_host_command_docker }} rm matrix-heisenbridge +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-heisenbridge + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 4e2879e5..3af439f8 100755 --- a/setup.yml +++ b/setup.yml @@ -32,6 +32,7 @@ - matrix-bridge-mx-puppet-twitter - matrix-bridge-mx-puppet-instagram - matrix-bridge-sms + - matrix-bridge-heisenbridge - matrix-bot-matrix-reminder-bot - matrix-bot-go-neb - matrix-bot-mjolnir From 9e98450bba41522479289f583702ec2e2aa4128b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 19 May 2021 13:21:11 +0300 Subject: [PATCH 2190/2384] Announce Heisenbridge support --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 37988c94..337e961e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2021-05-19 + +## Heisenbridge support + +Thanks to [Toni Spets (hifi)](https://github.com/hifi), the playbook now supports bridging to [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) using yet another bridge (besides matrix-appservice-irc), called [Heisenbridge](https://github.com/hifi/heisenbridge). + +Additional details are available in [Setting up Heisenbridge bouncer-style IRC bridging](docs/configuring-playbook-bridge-heisenbridge.md). + + # 2021-04-16 ## Disabling TLSv1 and TLSv1.1 for Coturn From 3fae13762d1ce082d3692fda6634ab0ab3a9736c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 19 May 2021 13:32:05 +0300 Subject: [PATCH 2191/2384] Cross-link similar bridges --- docs/configuring-playbook-bridge-appservice-irc.md | 4 +++- docs/configuring-playbook-bridge-appservice-slack.md | 4 +++- docs/configuring-playbook-bridge-heisenbridge.md | 4 +++- docs/configuring-playbook-bridge-mx-puppet-slack.md | 2 ++ 4 files changed, 11 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-irc.md b/docs/configuring-playbook-bridge-appservice-irc.md index a9403cb5..93e0fb36 100644 --- a/docs/configuring-playbook-bridge-appservice-irc.md +++ b/docs/configuring-playbook-bridge-appservice-irc.md @@ -1,6 +1,8 @@ # Setting up Appservice IRC (optional) -The playbook can install and configure [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) for you. +**Note**: bridging to [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) can also happen via the [Heisenbridge](configuring-playbook-bridge-heisenbridge.md) bridge supported by the playbook. + +The playbook can install and configure the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for you. See the project's [documentation](https://github.com/matrix-org/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you. diff --git a/docs/configuring-playbook-bridge-appservice-slack.md b/docs/configuring-playbook-bridge-appservice-slack.md index a409a050..7d45d34d 100644 --- a/docs/configuring-playbook-bridge-appservice-slack.md +++ b/docs/configuring-playbook-bridge-appservice-slack.md @@ -1,5 +1,7 @@ # Setting up Appservice Slack (optional) +**Note**: bridging to [Slack](https://slack.com) can also happen via the [mx-puppet-slack](configuring-playbook-bridge-mx-puppet-slack.md) bridge supported by the playbook. + The playbook can install and configure [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) for you. See the project's [documentation](https://github.com/matrix-org/matrix-appservice-slack/blob/master/README.md) to learn what it does and why it might be useful to you. @@ -106,5 +108,5 @@ Check you logs, if they say something like `WARN SlackEventHandler Ignoring message from unrecognised slack channel id : %s (%s) ` -then unlink your room, reinvite the bot and re-link it again. This may particularly hit you, if you tried to unsuccessfully link +then unlink your room, reinvite the bot and re-link it again. This may particularly hit you, if you tried to unsuccessfully link your room multiple times without unlinking it after each failed attempt. diff --git a/docs/configuring-playbook-bridge-heisenbridge.md b/docs/configuring-playbook-bridge-heisenbridge.md index 80a50698..9cf016f2 100644 --- a/docs/configuring-playbook-bridge-heisenbridge.md +++ b/docs/configuring-playbook-bridge-heisenbridge.md @@ -1,6 +1,8 @@ # Setting up Heisenbridge (optional) -The playbook can install and configure [Heisenbridge](https://github.com/hifi/heisenbridge) - the bouncer-style IRC bridge for you. +**Note**: bridging to [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) can also happen via the [matrix-appservice-irc](configuring-playbook-bridge-appservice-irc.md) bridge supported by the playbook. + +The playbook can install and configure [Heisenbridge](https://github.com/hifi/heisenbridge) - the bouncer-style [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) bridge for you. See the project's [README](https://github.com/hifi/heisenbridge/blob/master/README.md) to learn what it does and why it might be useful to you. diff --git a/docs/configuring-playbook-bridge-mx-puppet-slack.md b/docs/configuring-playbook-bridge-mx-puppet-slack.md index 1f20219f..61600c7a 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-slack.md +++ b/docs/configuring-playbook-bridge-mx-puppet-slack.md @@ -1,5 +1,7 @@ # Setting up MX Puppet Slack (optional) +**Note**: bridging to [Slack](https://slack.com) can also happen via the [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) bridge supported by the playbook. + The playbook can install and configure [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) for you. From 8529ca4c17190739791e34f21c70ea302f0b73c4 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Wed, 19 May 2021 22:30:03 +0530 Subject: [PATCH 2192/2384] Update grafana (7.5.6->7.5.7) --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 290cbdcb..7c5c217c 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 7.5.6 +matrix_grafana_version: 7.5.7 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 3dcbed63537c270bbd1ace501f42f58b044d411d Mon Sep 17 00:00:00 2001 From: Tobias K <6317548+theCalcaholic@users.noreply.github.com> Date: Wed, 19 May 2021 19:52:58 +0200 Subject: [PATCH 2193/2384] roles/matrix-grafana: Set root_url in granafa.ini --- roles/matrix-grafana/templates/grafana.ini.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index 42cfcb12..322762b4 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -1,3 +1,6 @@ +[server] +root_url = "https://{{ matrix_server_fqn_grafana }}" + [security] # default admin user, created on startup admin_user = "{{ matrix_grafana_default_admin_user }}" From 68aa5094cf29590055c69a8d912f0780db50f2bb Mon Sep 17 00:00:00 2001 From: Tobias K <6317548+theCalcaholic@users.noreply.github.com> Date: Wed, 19 May 2021 19:57:35 +0200 Subject: [PATCH 2194/2384] docs/configuring-playbook-prometheus-grafana.md: Add documentation on how to override the grafana fqn --- docs/configuring-playbook-prometheus-grafana.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 4968c518..88fe5b69 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -56,6 +56,7 @@ Name | Description `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics` `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`) `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable) +`matrix_server_fqn_grafana`|Use this variable to override the Grafana web user-interface. ## More information From d3c7be177a851cf716c358ce176cd35e11fec8ef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 19 May 2021 22:07:23 +0300 Subject: [PATCH 2195/2384] Improve wording --- docs/configuring-playbook-prometheus-grafana.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 88fe5b69..dc1b7b4c 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -56,7 +56,7 @@ Name | Description `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics` `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`) `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable) -`matrix_server_fqn_grafana`|Use this variable to override the Grafana web user-interface. +`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`). ## More information From 729f3488642dde5f6a928c3fe59376e990e77bbd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Gir=C3=A3o?= Date: Wed, 19 May 2021 20:11:50 +0100 Subject: [PATCH 2196/2384] Fix typo in examples/caddy2 --- examples/caddy2/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/caddy2/README.md b/examples/caddy2/README.md index 022a4fec..fe8d5763 100644 --- a/examples/caddy2/README.md +++ b/examples/caddy2/README.md @@ -8,5 +8,5 @@ This directory contains sample files that show you how to do reverse-proxying us | ------------------ | -------- | | tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | | tls | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls | -| Dimnension | To enable Dimension support uncomment the lines for Dimension and set your data | -| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | \ No newline at end of file +| Dimension | To enable Dimension support uncomment the lines for Dimension and set your data | +| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | From 15f4972dbfb266543c171295f9840da982233761 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 19 May 2021 22:24:56 +0300 Subject: [PATCH 2197/2384] Remove syntax-breaking pagination line Seems to have been added by mistake. --- examples/caddy2/Caddyfile | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index 8999f299..c6d2841b 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -38,7 +38,6 @@ matrix.DOMAIN.tld { X-Frame-Options "DENY" # X-Robots-Tag X-Robots-Tag "noindex, noarchive, nofollow" - 167,9 79% } # Cache From 1ab507349c752042d26def3e95884f6df8886b74 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 20 May 2021 08:43:20 +0300 Subject: [PATCH 2198/2384] Fix self-building for various components on Ansible < 2.8 Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 --- roles/matrix-bridge-appservice-irc/tasks/setup_install.yml | 5 +++-- roles/matrix-bridge-appservice-slack/tasks/setup_install.yml | 3 ++- roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml | 3 ++- roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml | 3 ++- .../matrix-bridge-mautrix-instagram/tasks/setup_install.yml | 3 ++- roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml | 5 +++-- .../matrix-bridge-mx-puppet-discord/tasks/setup_install.yml | 3 ++- .../matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml | 3 ++- .../tasks/setup_install.yml | 3 ++- roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml | 3 ++- roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml | 3 ++- roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml | 3 ++- .../matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml | 3 ++- roles/matrix-client-element/tasks/setup.yml | 3 ++- roles/matrix-corporal/tasks/setup_corporal.yml | 3 ++- roles/matrix-coturn/tasks/setup_install.yml | 3 ++- roles/matrix-dynamic-dns/tasks/install.yml | 3 ++- roles/matrix-mailer/tasks/setup_mailer.yml | 3 ++- roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml | 3 ++- roles/matrix-registration/tasks/setup_install.yml | 3 ++- roles/matrix-synapse-admin/tasks/setup.yml | 3 ++- roles/matrix-synapse/tasks/synapse/setup_install.yml | 3 ++- 22 files changed, 46 insertions(+), 24 deletions(-) diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 09e1d4ba..75af882a 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -71,11 +71,12 @@ register: matrix_appservice_irc_git_pull_results when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool" -- name: Ensure matrix-appservice-irc Docker image is build +- name: Ensure matrix-appservice-irc Docker image is built docker_image: name: "{{ matrix_appservice_irc_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_appservice_irc_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_appservice_irc_docker_src_files_path }}" diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index 703d3fab..b170fcb8 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -51,7 +51,8 @@ docker_image: name: "{{ matrix_appservice_slack_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_appservice_slack_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_appservice_slack_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 59998463..4cfbde9e 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -69,7 +69,8 @@ docker_image: name: "{{ matrix_mautrix_facebook_docker_image }}" source: build - force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed }}" + force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_facebook_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index 2ce8a441..14ae255f 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -68,7 +68,8 @@ docker_image: name: "{{ matrix_mautrix_hangouts_docker_image }}" source: build - force_source: "{{ matrix_mautrix_hangouts_git_pull_results.changed }}" + force_source: "{{ matrix_mautrix_hangouts_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_hangouts_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml index b83deab3..60474230 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml @@ -44,7 +44,8 @@ docker_image: name: "{{ matrix_mautrix_instagram_docker_image }}" source: build - force_source: "{{ matrix_mautrix_instagram_git_pull_results.changed }}" + force_source: "{{ matrix_mautrix_instagram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_instagram_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_instagram_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 04267161..704f0e26 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -64,11 +64,12 @@ register: matrix_mautrix_telegram_git_pull_results when: "matrix_mautrix_telegram_container_self_build|bool" -- name: Ensure matrix-mautrix-telegram Docker image is build +- name: Ensure matrix-mautrix-telegram Docker image is built docker_image: name: "{{ matrix_mautrix_telegram_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_mautrix_telegram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index c7865e98..f9985ed8 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_discord_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_discord_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_discord_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_discord_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_discord_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml index 58fe9485..b1d5f0b5 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_groupme_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_groupme_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_groupme_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_groupme_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_groupme_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml index 5701a916..cdbaa18e 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml @@ -69,7 +69,8 @@ docker_image: name: "{{ matrix_mx_puppet_instagram_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_instagram_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_instagram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_instagram_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_instagram_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 68a1d7f4..997a6317 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_skype_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_skype_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_skype_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_skype_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index 04eab20a..d816ceeb 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -81,7 +81,8 @@ docker_image: name: "{{ matrix_mx_puppet_slack_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_slack_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_slack_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_slack_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index 6b574656..3bcef36e 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_steam_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_steam_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_steam_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_steam_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_steam_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index 1c48c030..5767ed17 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_twitter_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_twitter_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_twitter_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_twitter_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_twitter_docker_src_files_path }}" diff --git a/roles/matrix-client-element/tasks/setup.yml b/roles/matrix-client-element/tasks/setup.yml index c4ed0847..117a09f4 100644 --- a/roles/matrix-client-element/tasks/setup.yml +++ b/roles/matrix-client-element/tasks/setup.yml @@ -37,7 +37,8 @@ docker_image: name: "{{ matrix_client_element_docker_image }}" source: build - force_source: "{{ matrix_client_element_git_pull_results.changed }}" + force_source: "{{ matrix_client_element_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_element_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_client_element_docker_src_files_path }}" diff --git a/roles/matrix-corporal/tasks/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml index 188f09bf..e668de27 100644 --- a/roles/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -30,7 +30,8 @@ docker_image: name: "{{ matrix_corporal_docker_image }}" source: build - force_source: "{{ matrix_corporal_git_pull_results.changed }}" + force_source: "{{ matrix_corporal_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_corporal_git_pull_results.changed }}" build: dockerfile: etc/docker/Dockerfile path: "{{ matrix_corporal_container_src_files_path }}" diff --git a/roles/matrix-coturn/tasks/setup_install.yml b/roles/matrix-coturn/tasks/setup_install.yml index 24f038db..c31406b1 100644 --- a/roles/matrix-coturn/tasks/setup_install.yml +++ b/roles/matrix-coturn/tasks/setup_install.yml @@ -38,7 +38,8 @@ docker_image: name: "{{ matrix_coturn_docker_image }}" source: build - force_source: "{{ matrix_coturn_git_pull_results.changed }}" + force_source: "{{ matrix_coturn_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_git_pull_results.changed }}" build: dockerfile: "{{ matrix_coturn_container_image_self_build_repo_dockerfile_path }}" path: "{{ matrix_coturn_docker_src_files_path }}" diff --git a/roles/matrix-dynamic-dns/tasks/install.yml b/roles/matrix-dynamic-dns/tasks/install.yml index e7b06d95..ac69ec89 100644 --- a/roles/matrix-dynamic-dns/tasks/install.yml +++ b/roles/matrix-dynamic-dns/tasks/install.yml @@ -33,7 +33,8 @@ docker_image: name: "{{ matrix_dynamic_dns_docker_image }}" source: build - force_source: "{{ matrix_dynamic_dns_git_pull_results.changed }}" + force_source: "{{ matrix_dynamic_dns_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_dynamic_dns_docker_src_files_path }}" diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml index cb979080..251a52da 100644 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -36,7 +36,8 @@ docker_image: name: "{{ matrix_mailer_docker_image }}" source: build - force_source: "{{ matrix_mailer_git_pull_results.changed }}" + force_source: "{{ matrix_mailer_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mailer_container_image_self_build_src_files_path }}" diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml index d3429c97..cf595ade 100644 --- a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml +++ b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml @@ -61,7 +61,8 @@ docker_image: name: "{{ matrix_postgres_pgloader_docker_image }}" source: build - force_source: "{{ matrix_postgres_pgloader_git_pull_results.changed }}" + force_source: "{{ matrix_postgres_pgloader_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_pgloader_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}" diff --git a/roles/matrix-registration/tasks/setup_install.yml b/roles/matrix-registration/tasks/setup_install.yml index 2b806fe0..0d7da9ce 100644 --- a/roles/matrix-registration/tasks/setup_install.yml +++ b/roles/matrix-registration/tasks/setup_install.yml @@ -66,7 +66,8 @@ docker_image: name: "{{ matrix_registration_docker_image }}" source: build - force_source: "{{ matrix_registration_git_pull_results.changed }}" + force_source: "{{ matrix_registration_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_registration_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_registration_docker_src_files_path }}" diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml index a96ec10f..002ff68d 100644 --- a/roles/matrix-synapse-admin/tasks/setup.yml +++ b/roles/matrix-synapse-admin/tasks/setup.yml @@ -24,7 +24,8 @@ docker_image: name: "{{ matrix_synapse_admin_docker_image }}" source: build - force_source: "{{ matrix_synapse_admin_git_pull_results.changed }}" + force_source: "{{ matrix_synapse_admin_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_synapse_admin_docker_src_files_path }}" diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index f1abcbcc..d4a7268f 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -31,7 +31,8 @@ docker_image: name: "{{ matrix_synapse_docker_image }}" source: build - force_source: "{{ matrix_synapse_git_pull_results.changed }}" + force_source: "{{ matrix_synapse_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_git_pull_results.changed }}" build: dockerfile: docker/Dockerfile path: "{{ matrix_synapse_docker_src_files_path }}" From fa31a1548b4c09f6cd12875489e226e829b513a5 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Fri, 21 May 2021 10:26:26 +0530 Subject: [PATCH 2199/2384] OCSP Stapling self-signed issue Fix https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073 --- docs/configuring-playbook-ssl-certificates.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 1b5ea234..2e288cc8 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -43,6 +43,7 @@ With such a configuration, the playbook would expect you to drop the SSL certifi - `/live//fullchain.pem` - `/live//privkey.pem` +- `/live//chain.pem` where `` refers to the domains that you need (usually `matrix.` and `element.`). From 9a8a81fdb095de6664f513110fd4d1baeb1ea4ea Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 08:35:19 +0300 Subject: [PATCH 2200/2384] Disable OCSP stapling when self-signed certificates are used Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073 --- group_vars/matrix_servers | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e5ce1027..b4e5ac6e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1239,6 +1239,11 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +# OCSP stapling does not make sense when self-signed certificates are used. +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074 +matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_ssl_retrieval_method != 'self-signed' }}" + matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}" matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" From 47b4608b96ddfb1b0069a0b2c21ae40531a40a63 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 11:15:05 +0300 Subject: [PATCH 2201/2384] Fail in a friendlier way when trying to self-build on Ansible <= 2.8 Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 Related discussion here: https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 --- roles/matrix-bridge-appservice-irc/tasks/init.yml | 7 +++++++ .../matrix-bridge-appservice-slack/tasks/init.yml | 7 +++++++ .../matrix-bridge-mautrix-facebook/tasks/init.yml | 7 +++++++ .../matrix-bridge-mautrix-hangouts/tasks/init.yml | 7 +++++++ .../matrix-bridge-mautrix-instagram/tasks/init.yml | 7 +++++++ .../matrix-bridge-mautrix-telegram/tasks/init.yml | 7 +++++++ .../matrix-bridge-mx-puppet-discord/tasks/init.yml | 7 +++++++ .../matrix-bridge-mx-puppet-groupme/tasks/init.yml | 7 +++++++ .../tasks/init.yml | 7 +++++++ roles/matrix-bridge-mx-puppet-skype/tasks/init.yml | 7 +++++++ roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 7 +++++++ roles/matrix-bridge-mx-puppet-steam/tasks/init.yml | 7 +++++++ .../matrix-bridge-mx-puppet-twitter/tasks/init.yml | 7 +++++++ roles/matrix-client-element/tasks/init.yml | 8 ++++---- roles/matrix-corporal/tasks/init.yml | 7 +++++++ roles/matrix-coturn/tasks/init.yml | 14 +++++++------- roles/matrix-dynamic-dns/tasks/init.yml | 7 +++++++ roles/matrix-ma1sd/tasks/init.yml | 14 +++++++------- roles/matrix-mailer/tasks/init.yml | 7 +++++++ roles/matrix-registration/tasks/init.yml | 7 +++++++ roles/matrix-synapse-admin/tasks/init.yml | 7 +++++++ roles/matrix-synapse/tasks/init.yml | 14 +++++++------- 22 files changed, 151 insertions(+), 25 deletions(-) diff --git a/roles/matrix-bridge-appservice-irc/tasks/init.yml b/roles/matrix-bridge-appservice-irc/tasks/init.yml index ddf1b031..b9a58e00 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/init.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build" + # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. - name: Fail if matrix-synapse role already executed diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index 045b6b73..6a1bf869 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build" + # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. - name: Fail if matrix-synapse role already executed diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml index 9e127316..84f1a6c0 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}" when: matrix_mautrix_facebook_enabled|bool diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 9209fa40..a8c02703 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}" when: matrix_mautrix_hangouts_enabled|bool diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml index 2b407358..2aa58940 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-instagram.service'] }}" when: matrix_mautrix_instagram_enabled|bool diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index 721e98da..c8f7f895 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" when: matrix_mautrix_telegram_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml index 4d8444e1..c29fc6e5 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}" when: matrix_mx_puppet_discord_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml index 1f00e8a5..e2870d60 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-groupme.service'] }}" when: matrix_mx_puppet_groupme_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml index 0d319bc8..2ef99f02 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}" when: matrix_mx_puppet_instagram_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml index 605ea492..e044881b 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}" when: matrix_mx_puppet_skype_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index 16afef20..6e1b9a6a 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}" when: matrix_mx_puppet_slack_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml index 9687944f..d2e34b89 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}" when: matrix_mx_puppet_steam_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 86f30237..e49439a5 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}" when: matrix_mx_puppet_twitter_enabled|bool diff --git a/roles/matrix-client-element/tasks/init.yml b/roles/matrix-client-element/tasks/init.yml index a42e3143..102cae38 100644 --- a/roles/matrix-client-element/tasks/init.yml +++ b/roles/matrix-client-element/tasks/init.yml @@ -2,9 +2,9 @@ matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element.service'] }}" when: matrix_client_element_enabled|bool -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 fail: - msg: "To self build the Element image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build" diff --git a/roles/matrix-corporal/tasks/init.yml b/roles/matrix-corporal/tasks/init.yml index ffe5d5da..993ace81 100644 --- a/roles/matrix-corporal/tasks/init.yml +++ b/roles/matrix-corporal/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}" when: matrix_corporal_enabled|bool diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index be011b7f..c645c06b 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}" when: matrix_coturn_enabled|bool @@ -5,10 +12,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn-reload.timer'] }}" when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool" - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Coturn image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build" diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml index 1a0f1b3d..039b5b02 100644 --- a/roles/matrix-dynamic-dns/tasks/init.yml +++ b/roles/matrix-dynamic-dns/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}" when: "matrix_dynamic_dns_enabled|bool" diff --git a/roles/matrix-ma1sd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml index 89283a1f..f09cfcfd 100644 --- a/roles/matrix-ma1sd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -1,10 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}" when: matrix_ma1sd_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" diff --git a/roles/matrix-mailer/tasks/init.yml b/roles/matrix-mailer/tasks/init.yml index e48e2a85..5895343e 100644 --- a/roles/matrix-mailer/tasks/init.yml +++ b/roles/matrix-mailer/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}" when: matrix_mailer_enabled|bool diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index 158ad605..b58ba659 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}" when: matrix_registration_enabled|bool diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index 36bdb611..7898dec9 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" when: matrix_synapse_admin_enabled|bool diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index 04b8d2b8..16790664 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build" + # Unless `matrix_synapse_workers_enabled_list` is explicitly defined, # we'll generate it dynamically. - import_tasks: "{{ role_path }}/tasks/synapse/workers/init.yml" @@ -17,10 +24,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" when: matrix_s3_media_store_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Synapse image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build" From 9437f78c9e419c42cd0973ed4b1fc78598494b42 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 21 May 2021 03:45:21 -0500 Subject: [PATCH 2202/2384] Build using custom config.json, add CSP, update to 0.1.53 --- group_vars/matrix_servers | 1 + .../matrix-client-hydrogen/defaults/main.yml | 5 +- roles/matrix-client-hydrogen/tasks/init.yml | 14 ++-- roles/matrix-client-hydrogen/tasks/setup.yml | 29 +++----- .../tasks/validate_config.yml | 9 +++ .../templates/nginx.conf.j2 | 66 ------------------- .../conf.d/matrix-client-hydrogen.conf.j2 | 2 + 7 files changed, 31 insertions(+), 95 deletions(-) create mode 100644 roles/matrix-client-hydrogen/tasks/validate_config.yml delete mode 100644 roles/matrix-client-hydrogen/templates/nginx.conf.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index f5ed72c7..d43fbb66 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1172,6 +1172,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" +matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index cf6e9a0c..f7a3059e 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -1,10 +1,11 @@ matrix_client_hydrogen_enabled: true -# as of 2021-05-15 the pre-built images were not working so self building is enabled by default +# Self building is used by default because the `config.json` file is only read at build time. +# The pre-built images also were not functional as of 2021-05-15. matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.1.51 +matrix_client_hydrogen_version: v0.1.53 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-client-hydrogen/tasks/init.yml b/roles/matrix-client-hydrogen/tasks/init.yml index be72a983..1115f63d 100644 --- a/roles/matrix-client-hydrogen/tasks/init.yml +++ b/roles/matrix-client-hydrogen/tasks/init.yml @@ -1,10 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" when: matrix_client_hydrogen_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build the Hydrogen image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build" diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml index 3d9eea44..cb1a6f2e 100644 --- a/roles/matrix-client-hydrogen/tasks/setup.yml +++ b/roles/matrix-client-hydrogen/tasks/setup.yml @@ -33,6 +33,15 @@ register: matrix_client_hydrogen_git_pull_results when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" +- name: Ensure Hydrogen configuration installed + copy: + content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_client_hydrogen_enabled|bool + - name: Ensure Hydrogen Docker image is built docker_image: name: "{{ matrix_client_hydrogen_docker_image }}" @@ -44,26 +53,6 @@ pull: yes when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" -- name: Ensure Hydrogen configuration installed - copy: - content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}" - dest: "{{ matrix_client_hydrogen_data_path }}/config.json" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_client_hydrogen_enabled|bool - -- name: Ensure Hydrogen config files installed - template: - src: "{{ item.src }}" - dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - when: "matrix_client_hydrogen_enabled|bool and item.src is not none" - - name: Ensure matrix-client-hydrogen.service installed template: src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2" diff --git a/roles/matrix-client-hydrogen/tasks/validate_config.yml b/roles/matrix-client-hydrogen/tasks/validate_config.yml new file mode 100644 index 00000000..6d4b7d21 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required Hydrogen settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) to use Hydrogen. + when: "vars[item] == '' or vars[item] is none" + with_items: + - "matrix_client_hydrogen_default_hs_url" diff --git a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 deleted file mode 100644 index fba16bbd..00000000 --- a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 +++ /dev/null @@ -1,66 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# This is a custom nginx configuration file that we use in the container (instead of the default one), -# because it allows us to run nginx with a non-root user. -# -# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. -# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) -# -# The following changes have been done compared to a default nginx configuration file: -# - default server port is changed (80 -> 8080), so that a non-root user can bind it -# - various temp paths are changed to `/tmp`, so that a non-root user can write to them -# - the `user` directive was removed, as we don't want nginx to switch users - -worker_processes 1; - -error_log /var/log/nginx/error.log warn; -pid /tmp/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - proxy_temp_path /tmp/proxy_temp; - client_body_temp_path /tmp/client_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - server { - listen 8080; - server_name localhost; - - root /usr/share/nginx/html; - - location / { - index index.html index.htm; - } - - location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { - expires -1; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - } -} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index 9224dd86..782d9a28 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -7,6 +7,8 @@ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} From 1633f61018d31a321e91779cdba5f6e79e938f4c Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 21 May 2021 04:23:06 -0500 Subject: [PATCH 2203/2384] Only install config.json when self building --- roles/matrix-client-hydrogen/tasks/setup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml index cb1a6f2e..d33cea70 100644 --- a/roles/matrix-client-hydrogen/tasks/setup.yml +++ b/roles/matrix-client-hydrogen/tasks/setup.yml @@ -40,7 +40,7 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_client_hydrogen_enabled|bool + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" - name: Ensure Hydrogen Docker image is built docker_image: From ac4ede20afcd89283618d1f764b463b314c4c9ab Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 21 May 2021 04:43:04 -0500 Subject: [PATCH 2204/2384] Add docs --- README.md | 2 ++ docs/configuring-dns.md | 3 +++ docs/configuring-playbook-client-hydrogen.md | 21 +++++++++++++++++++ .../tasks/validate_config.yml | 2 +- 4 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 docs/configuring-playbook-client-hydrogen.md diff --git a/README.md b/README.md index beb938b4..8448680c 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation +- (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation + Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 285ded42..adff4e28 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -36,6 +36,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco | CNAME | `stats` (*) | - | - | - | `matrix.` | | CNAME | `goneb` (*) | - | - | - | `matrix.` | | CNAME | `sygnal` (*) | - | - | - | `matrix.` | +| CNAME | `hydrogen` (*) | - | - | - | `matrix.` | ## Subdomains setup @@ -54,6 +55,8 @@ The `goneb.` subdomain may be necessary, because this playbook coul The `sygnal.` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.` DNS record. +The `hydrogen.` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `sygnal.` DNS record. + ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-client-hydrogen.md b/docs/configuring-playbook-client-hydrogen.md new file mode 100644 index 00000000..fda5aec3 --- /dev/null +++ b/docs/configuring-playbook-client-hydrogen.md @@ -0,0 +1,21 @@ +# Configuring Hydrogen (optional) + +This playbook can install the [Hydrogen](https://github.com/vector-im/hydrogen-web) Matrix web client for you. +Hydrogen is a lightweight web client that supports mobile and legacy web browsers. +Hydrogen can be installed alongside or instead of Element. + +If you'd like Hydrogen to be installed, add the following to your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_client_hydrogen_enabled: true +``` + +You will also need to add a DNS record so that Hydrogen can be accessed. +By default Hydrogen will use https://hydrogen.DOMAIN so you will need to create an CNAME record +for `hydrogen`. See [docs/configuring-dns.md](docs/configuring-dns.md). + +If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain): + +```yaml + matrix_server_fqn_hydrogen: "helium.{{ matrix_domain }}" +``` diff --git a/roles/matrix-client-hydrogen/tasks/validate_config.yml b/roles/matrix-client-hydrogen/tasks/validate_config.yml index 6d4b7d21..d3b9a709 100644 --- a/roles/matrix-client-hydrogen/tasks/validate_config.yml +++ b/roles/matrix-client-hydrogen/tasks/validate_config.yml @@ -4,6 +4,6 @@ fail: msg: > You need to define a required configuration setting (`{{ item }}`) to use Hydrogen. - when: "vars[item] == '' or vars[item] is none" + when: "(vars[item] == '' or vars[item] is none) and matrix_client_hydrogen_container_image_self_build|bool" with_items: - "matrix_client_hydrogen_default_hs_url" From b7142223844e97ff543b000840f164b1e11d03b5 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 21 May 2021 04:45:40 -0500 Subject: [PATCH 2205/2384] typo --- docs/configuring-dns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index adff4e28..0016464f 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -55,7 +55,7 @@ The `goneb.` subdomain may be necessary, because this playbook coul The `sygnal.` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.` DNS record. -The `hydrogen.` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `sygnal.` DNS record. +The `hydrogen.` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.` DNS record. ## `_matrix-identity._tcp` SRV record setup From d0de21ab34e4a0624ce7209fe08e8927895d9d14 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 12:58:32 +0300 Subject: [PATCH 2206/2384] Delete Hydrogen nginx configuration file when disabled --- roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 660f277c..1d59f567 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -211,6 +211,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for dimension domain deleted file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" From 6f802927453719c4d800e6a16203331aa21d77e1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 13:40:37 +0300 Subject: [PATCH 2207/2384] Add OCSP stapling support and other SSL optimizations to Hydrogen vhost Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1061 and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057 --- .../nginx/conf.d/matrix-client-hydrogen.conf.j2 | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index 782d9a28..5ad99603 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -81,6 +81,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} From c5d52d49da024909b05bb42a2a8b36a5d8cd31c0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 13:50:45 +0300 Subject: [PATCH 2208/2384] Announce Hydrogen support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1055 --- CHANGELOG.md | 11 +++++++++++ docs/configuring-playbook.md | 2 ++ 2 files changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 337e961e..6e8137f1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2021-05-21 + +## Hydrogen support + +Thanks to [Aaron Raimist](https://github.com/aaronraimist), the playbook now supports [Hydrogen](https://github.com/vector-im/hydrogen-web) - a new lightweight matrix client with legacy and mobile browser support. + +By default, we still install Element, as Hydrogen is still not fully-featured. Still, people who'd like to try Hydrogen out can now install it via the plabook. + +Additional details are available in [Setting up Heisenbridge bouncer-style IRC bridging](docs/configuring-playbook-client-hydrogen.md). + + # 2021-05-19 ## Heisenbridge support diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 17f92575..fae66dca 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -68,6 +68,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Adjusting email-sending settings](configuring-playbook-email.md) (optional) +- [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional) + ### Authentication and user-related From 0a662dcbcd67c1e62e90f75fa47f0c310b43c19a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 13:52:07 +0300 Subject: [PATCH 2209/2384] Fix typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6e8137f1..7d58ad67 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ Thanks to [Aaron Raimist](https://github.com/aaronraimist), the playbook now supports [Hydrogen](https://github.com/vector-im/hydrogen-web) - a new lightweight matrix client with legacy and mobile browser support. -By default, we still install Element, as Hydrogen is still not fully-featured. Still, people who'd like to try Hydrogen out can now install it via the plabook. +By default, we still install Element, as Hydrogen is still not fully-featured. Still, people who'd like to try Hydrogen out can now install it via the playbook. Additional details are available in [Setting up Heisenbridge bouncer-style IRC bridging](docs/configuring-playbook-client-hydrogen.md). From 55b92d5a1325e59968b8bb3265cd41a1e9456b43 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 13:52:33 +0300 Subject: [PATCH 2210/2384] Fix another typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d58ad67..8fd1c8d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ Thanks to [Aaron Raimist](https://github.com/aaronraimist), the playbook now sup By default, we still install Element, as Hydrogen is still not fully-featured. Still, people who'd like to try Hydrogen out can now install it via the playbook. -Additional details are available in [Setting up Heisenbridge bouncer-style IRC bridging](docs/configuring-playbook-client-hydrogen.md). +Additional details are available in [Setting up Hydrogen](docs/configuring-playbook-client-hydrogen.md). # 2021-05-19 From 7a086d7dd9fee8c449a3f8c48d232555646c88db Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 21 May 2021 14:01:01 +0300 Subject: [PATCH 2211/2384] Mention Hydrgeon in self-building.md Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1055 --- docs/self-building.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/self-building.md b/docs/self-building.md index 0d41e419..303344ac 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -14,6 +14,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-synapse` - `matrix-synapse-admin` - `matrix-client-element` +- `matrix-client-hydrogen` - `matrix-registration` - `matrix-coturn` - `matrix-corporal` From b2d0a8a5e5e854e1ee2b8261413ed0650bd21336 Mon Sep 17 00:00:00 2001 From: throwawayay Date: Fri, 21 May 2021 07:40:01 -0400 Subject: [PATCH 2212/2384] docs: update Configuring DNS in Hydrogen setup --- docs/configuring-playbook-client-hydrogen.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-client-hydrogen.md b/docs/configuring-playbook-client-hydrogen.md index fda5aec3..4b05240b 100644 --- a/docs/configuring-playbook-client-hydrogen.md +++ b/docs/configuring-playbook-client-hydrogen.md @@ -12,7 +12,7 @@ matrix_client_hydrogen_enabled: true You will also need to add a DNS record so that Hydrogen can be accessed. By default Hydrogen will use https://hydrogen.DOMAIN so you will need to create an CNAME record -for `hydrogen`. See [docs/configuring-dns.md](docs/configuring-dns.md). +for `hydrogen`. See [Configuring DNS](configuring-dns.md). If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain): From 4a772e50f4fe02bc2041078bfe350510e8b5f52a Mon Sep 17 00:00:00 2001 From: ewang Date: Fri, 21 May 2021 15:26:06 +0200 Subject: [PATCH 2213/2384] Allow Jitsi XMPP webscoket support for users using own webserver. Added: - Conditional localhost Port bindings for Jitsi Prosody systemd template - Added variable to main.yml to allow overriding from vars.yml --- roles/matrix-jitsi/defaults/main.yml | 2 +- .../templates/prosody/matrix-jitsi-prosody.service.j2 | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 7dcff987..9d092b53 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -175,7 +175,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] # List of systemd services that matrix-jitsi-prosody.service depends on matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] - +matrix_jitsi_prosody_container_http_host_bind_port: '' matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index b3525a74..48036fb5 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -16,6 +16,9 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ --log-driver=none \ --network={{ matrix_docker_network }} \ + {% if matrix_jitsi_prosody_container_http_host_bind_port %} + -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:{{ matrix_jitsi_prosody_container_http_host_bind_port }} + {% endif %} --env-file={{ matrix_jitsi_prosody_base_path }}/env \ --mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \ --mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \ From 3c0452ff5ad342b9f0a95fe2d1f22bd92e9c6203 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 21 May 2021 17:22:40 -0500 Subject: [PATCH 2214/2384] Remove unnecessary bind for config.json, use proper nginx.conf --- roles/matrix-client-hydrogen/tasks/setup.yml | 11 ++++ .../templates/nginx.conf.j2 | 66 +++++++++++++++++++ .../systemd/matrix-client-hydrogen.service.j2 | 1 - 3 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-client-hydrogen/templates/nginx.conf.j2 diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml index d33cea70..205fa3ce 100644 --- a/roles/matrix-client-hydrogen/tasks/setup.yml +++ b/roles/matrix-client-hydrogen/tasks/setup.yml @@ -42,6 +42,17 @@ group: "{{ matrix_user_groupname }}" when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" +- name: Ensure Hydrogen additional config files installed + template: + src: "{{ item.src }}" + dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + when: "matrix_client_hydrogen_enabled|bool and item.src is not none" + - name: Ensure Hydrogen Docker image is built docker_image: name: "{{ matrix_client_hydrogen_docker_image }}" diff --git a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 new file mode 100644 index 00000000..fba16bbd --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 @@ -0,0 +1,66 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) +# +# The following changes have been done compared to a default nginx configuration file: +# - default server port is changed (80 -> 8080), so that a non-root user can bind it +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 8080; + server_name localhost; + + root /usr/share/nginx/html; + + location / { + index index.html index.htm; + } + + location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { + expires -1; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +} diff --git a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 index 227d105b..c85aeb97 100644 --- a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 +++ b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 @@ -24,7 +24,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydroge {% endif %} --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ - --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/config.json,dst=/app/config.json,ro \ {% for arg in matrix_client_hydrogen_container_extra_arguments %} {{ arg }} \ {% endfor %} From 1bb6ed97aeaad2f40d802a4fb06a50148aa7354d Mon Sep 17 00:00:00 2001 From: ewang Date: Sat, 22 May 2021 15:53:42 +0200 Subject: [PATCH 2215/2384] Make port bindings default for those disabling nginx proxy I changed the conditional statement in prosody systemd template to bind the localhost port by default if people have set ```matrix_nginx_proxy_enabled == false ```. Hopefully that should make it the default behaviour now. --- .../templates/prosody/matrix-jitsi-prosody.service.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 48036fb5..0d604e12 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -16,8 +16,8 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ --log-driver=none \ --network={{ matrix_docker_network }} \ - {% if matrix_jitsi_prosody_container_http_host_bind_port %} - -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:{{ matrix_jitsi_prosody_container_http_host_bind_port }} + {% if matrix_nginx_proxy_enabled == false %} + -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \ {% endif %} --env-file={{ matrix_jitsi_prosody_base_path }}/env \ --mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \ From ef6a7e051c18d6fb465f1c3373e77c8e49eff56b Mon Sep 17 00:00:00 2001 From: Eagle-251 <70513930+Eagle-251@users.noreply.github.com> Date: Sat, 22 May 2021 15:55:50 +0200 Subject: [PATCH 2216/2384] Fix missing port binding. --- roles/matrix-jitsi/defaults/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 9d092b53..811df133 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -175,7 +175,9 @@ matrix_jitsi_prosody_container_extra_arguments: [] # List of systemd services that matrix-jitsi-prosody.service depends on matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_prosody_container_http_host_bind_port: '' + +# Neccessary Port binding for those disabling the integrated nginx proxy +matrix_jitsi_prosody_container_http_host_bind_port: 5280 matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" From 409cd2b9a36b384055226a0d274cba4ef81a458e Mon Sep 17 00:00:00 2001 From: ewang Date: Sun, 23 May 2021 14:06:18 +0200 Subject: [PATCH 2217/2384] Source port binding from group vars in line other components --- group_vars/matrix_servers | 2 ++ roles/matrix-jitsi/defaults/main.yml | 2 +- .../templates/prosody/matrix-jitsi-prosody.service.j2 | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e9be72ca..86f1d5a3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1053,6 +1053,8 @@ matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13090' }}" +matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" + matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}" matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}" matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}" diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 811df133..14545bc9 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -177,7 +177,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] # Neccessary Port binding for those disabling the integrated nginx proxy -matrix_jitsi_prosody_container_http_host_bind_port: 5280 +matrix_jitsi_prosody_container_http_host_bind_port: '' matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 0d604e12..4445e52b 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -16,7 +16,7 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ --log-driver=none \ --network={{ matrix_docker_network }} \ - {% if matrix_nginx_proxy_enabled == false %} + {% if matrix_jitsi_prosody_container_http_host_bind_port %} -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \ {% endif %} --env-file={{ matrix_jitsi_prosody_base_path }}/env \ From 794035790c609c7e66d76b925df7581f0fc2b374 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sun, 23 May 2021 16:53:14 -0500 Subject: [PATCH 2218/2384] Remove synapse-admin incompatibility note --- docs/configuring-playbook-synapse-admin.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index 5b9519e2..68d70305 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md @@ -6,8 +6,6 @@ It's a web UI tool you can use to **administrate users and rooms on your Matrix See the project's [documentation](https://github.com/Awesome-Technologies/synapse-admin) to learn what it does and why it might be useful to you. -**Warning**: Synapse Admin will likely not work with Synapse v1.32 for now. See [this issue](https://github.com/Awesome-Technologies/synapse-admin/issues/132). If you insist on using Synapse Admin before there's a solution to this issue, you may wish to downgrade Synapse (adding `matrix_synapse_version: v1.31.0` or `matrix_synapse_version_arm64: v1.31.0` to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file). - ## Adjusting the playbook configuration From df2d91970d3c96425056acfa59ca988e02ac65a8 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Mon, 24 May 2021 17:02:47 +0530 Subject: [PATCH 2219/2384] matrix_nginx_proxy_xss_protection --- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++++ .../templates/nginx/conf.d/matrix-base-domain.conf.j2 | 8 ++++++++ .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 4 +--- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 8 ++++++++ .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 8 ++++++++ .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 2 +- 9 files changed, 33 insertions(+), 7 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3a6f943a..dd0fc21e 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -290,6 +290,10 @@ matrix_nginx_proxy_floc_optout_enabled: true # - https://hstspreload.org/#opt-in matrix_nginx_proxy_hsts_preload_enable: false +# +# +matrix_nginx_proxy_xss_protection: "1; mode=block" + # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index a2d59e86..0a761236 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -9,6 +9,14 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index d0b31797..b3ef5980 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -8,7 +8,7 @@ {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - add_header X-XSS-Protection "1; mode=block";; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 2859cbb5..1e0ba2f1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -10,10 +10,8 @@ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy "frame-ancestors 'none'; require-trusted-types-for 'script'; base-uri 'self'"; - add_header Referrer-Policy "strict-origin-when-cross-origin"; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 4c2f4ee0..3ccb3a13 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -8,7 +8,7 @@ {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 703c490e..7713661e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -20,6 +20,14 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; location /.well-known/matrix { root {{ matrix_static_files_base_path }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index eed665a0..cf9ae712 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -8,7 +8,7 @@ {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index a69424f4..4e89521e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -4,6 +4,14 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index 2064fad8..ef600ab7 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -8,7 +8,7 @@ {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; From 7cc5328ede3bfeb892afba49c5ba0dc1990b1e6a Mon Sep 17 00:00:00 2001 From: sakkiii Date: Mon, 24 May 2021 17:20:54 +0530 Subject: [PATCH 2220/2384] Comments & Ref --- roles/matrix-nginx-proxy/defaults/main.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index dd0fc21e..0adf9c5f 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -290,8 +290,13 @@ matrix_nginx_proxy_floc_optout_enabled: true # - https://hstspreload.org/#opt-in matrix_nginx_proxy_hsts_preload_enable: false +# X-XSS-Protection Enable +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# Note: Not applicable for grafana # -# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected matrix_nginx_proxy_xss_protection: "1; mode=block" # Specifies the SSL configuration that should be used for the SSL protocols and ciphers From dcd5e5657d14e6e255b6dd31d7a74cd3dbfe78e1 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Mon, 24 May 2021 17:59:34 +0530 Subject: [PATCH 2221/2384] OCSP Stapling SSL manually-managed # chain.pem file is required for 'ssl_trusted_certificate` --- docs/configuring-playbook-ssl-certificates.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 1b5ea234..2e288cc8 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -43,6 +43,7 @@ With such a configuration, the playbook would expect you to drop the SSL certifi - `/live//fullchain.pem` - `/live//privkey.pem` +- `/live//chain.pem` where `` refers to the domains that you need (usually `matrix.` and `element.`). From 0648b1b618143e4fc8d90643a8e289ff4daedc3b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 24 May 2021 20:38:30 +0300 Subject: [PATCH 2222/2384] Upgrade Element (1.7.28 -> 1.7.29) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index c2a546c6..f0596d91 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.28 +matrix_client_element_version: v1.7.29 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 3436f9c10a0f59d5c8e8aec22bfca3058062224b Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 25 May 2021 00:56:59 +0530 Subject: [PATCH 2223/2384] rename to matrix_nginx_proxy_hsts_preload_enabled --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- .../templates/nginx/conf.d/matrix-base-domain.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-grafana.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 0adf9c5f..bbbe1c3d 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -288,7 +288,7 @@ matrix_nginx_proxy_floc_optout_enabled: true # - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in -matrix_nginx_proxy_hsts_preload_enable: false +matrix_nginx_proxy_hsts_preload_enabled: false # X-XSS-Protection Enable # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 0a761236..cc8b760d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -10,7 +10,7 @@ add_header Permissions-Policy interest-cohort=() always; {% endif %} - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index b3ef5980..88d2fcc8 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -3,7 +3,7 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 1e0ba2f1..ba46ecbe 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -4,7 +4,7 @@ gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 3ccb3a13..271627e7 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -3,7 +3,7 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 7713661e..e1206e5a 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -21,7 +21,7 @@ add_header Permissions-Policy interest-cohort=() always; {% endif %} - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index 8feb99bd..a5e7c39e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -4,7 +4,7 @@ gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index cf9ae712..8531c5c8 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -3,7 +3,7 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 4e89521e..349b6314 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -5,7 +5,7 @@ add_header Permissions-Policy interest-cohort=() always; {% endif %} - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index ef600ab7..d7e14209 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -3,7 +3,7 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enable %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; From 4a4a7f136e5b1fb096804ec05343c8e9c5230fea Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 25 May 2021 11:42:51 +0530 Subject: [PATCH 2224/2384] changes added to hydrogen client --- .../templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index 5ad99603..d9a05926 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -4,10 +4,14 @@ gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; - add_header X-XSS-Protection "1; mode=block"; add_header Content-Security-Policy "frame-ancestors 'none'"; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; From 1ed0857019c85fc8ea55de6b18ab042e3839c1ae Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 25 May 2021 11:45:17 +0300 Subject: [PATCH 2225/2384] Fix syntax error Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1024 --- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index c46c5361..d153d5c2 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -4,13 +4,13 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif - + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} @@ -75,7 +75,7 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} From ee088d5d46c76f732eef6592116ad4c844ba8203 Mon Sep 17 00:00:00 2001 From: Ahmad Haghighi Date: Tue, 25 May 2021 13:14:28 +0430 Subject: [PATCH 2226/2384] Synapse LDAP auth: add support for Active Directory Signed-off-by: Ahmad Haghighi --- roles/matrix-synapse/defaults/main.yml | 2 ++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d966665f..89f0320a 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -497,6 +497,8 @@ matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" matrix_synapse_ext_password_provider_ldap_bind_dn: "" matrix_synapse_ext_password_provider_ldap_bind_password: "" matrix_synapse_ext_password_provider_ldap_filter: "" +matrix_synapse_ext_password_provider_ldap_is_active_directory: false +matrix_synapse_ext_password_provider_ldap_default_domain: "" # Enable this to activate the Synapse Antispam spam-checker module. # See: https://github.com/t2bot/synapse-simple-antispam diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 22f5f1ea..66730d36 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2596,6 +2596,12 @@ password_providers: uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} + {% if matrix_synapse_ext_password_provider_ldap_is_active_directory %} + active_directory: true + {% endif %} + {% if matrix_synapse_ext_password_provider_ldap_default_domain != '' %} + default_domain: {{ matrix_synapse_ext_password_provider_ldap_default_domain|string|to_json }} + {% endif %} attributes: uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} From 209d59070e7ba6147c34242515418554028e787a Mon Sep 17 00:00:00 2001 From: Ahmad Haghighi Date: Tue, 25 May 2021 15:41:38 +0430 Subject: [PATCH 2227/2384] Avoiding if(s), fix #1083 Conversation: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1083#discussion_r638671860 Signed-off-by: Ahmad Haghighi --- roles/matrix-synapse/defaults/main.yml | 2 +- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 +----- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 89f0320a..e112df5c 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -497,7 +497,7 @@ matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" matrix_synapse_ext_password_provider_ldap_bind_dn: "" matrix_synapse_ext_password_provider_ldap_bind_password: "" matrix_synapse_ext_password_provider_ldap_filter: "" -matrix_synapse_ext_password_provider_ldap_is_active_directory: false +matrix_synapse_ext_password_provider_ldap_active_directory: false matrix_synapse_ext_password_provider_ldap_default_domain: "" # Enable this to activate the Synapse Antispam spam-checker module. diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 66730d36..aa07ae5b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2596,12 +2596,8 @@ password_providers: uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} - {% if matrix_synapse_ext_password_provider_ldap_is_active_directory %} - active_directory: true - {% endif %} - {% if matrix_synapse_ext_password_provider_ldap_default_domain != '' %} + active_directory: {{ matrix_synapse_ext_password_provider_ldap_active_directory|to_json }} default_domain: {{ matrix_synapse_ext_password_provider_ldap_default_domain|string|to_json }} - {% endif %} attributes: uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} From 85777e8f966f491161c3cb1f9086e9f33e04fd3d Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Tue, 25 May 2021 21:08:00 +0800 Subject: [PATCH 2228/2384] merge with upstream --- CHANGELOG.md | 20 ++ README.md | 19 +- docs/configuring-awx-system.md | 5 +- docs/configuring-dns.md | 3 + ...figuring-playbook-bridge-appservice-irc.md | 4 +- ...guring-playbook-bridge-appservice-slack.md | 4 +- ...onfiguring-playbook-bridge-heisenbridge.md | 36 ++++ ...iguring-playbook-bridge-mx-puppet-slack.md | 2 + docs/configuring-playbook-client-hydrogen.md | 21 ++ ...configuring-playbook-prometheus-grafana.md | 1 + docs/configuring-playbook-ssl-certificates.md | 1 + docs/configuring-playbook-synapse-admin.md | 2 - docs/configuring-playbook.md | 4 + docs/self-building.md | 1 + examples/caddy2/Caddyfile | 1 - examples/caddy2/README.md | 4 +- group_vars/matrix_servers | 65 +++++- .../scripts/matrix_build_room_list.py | 28 +++ .../matrix-awx/tasks/purge_database_main.yml | 199 +++++++++++++----- roles/matrix-base/defaults/main.yml | 3 + .../tasks/init.yml | 7 + .../tasks/setup_install.yml | 5 +- .../tasks/init.yml | 7 + .../tasks/setup_install.yml | 3 +- .../defaults/main.yml | 47 +++++ .../matrix-bridge-heisenbridge/tasks/init.yml | 24 +++ .../matrix-bridge-heisenbridge/tasks/main.yml | 15 ++ .../tasks/setup_install.yml | 38 ++++ .../tasks/setup_uninstall.yml | 24 +++ .../systemd/matrix-heisenbridge.service.j2 | 50 +++++ .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 7 + .../tasks/setup_install.yml | 5 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 7 + .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- .../tasks/init.yml | 9 +- .../tasks/setup_install.yml | 3 +- roles/matrix-client-element/defaults/main.yml | 2 +- roles/matrix-client-element/tasks/init.yml | 8 +- roles/matrix-client-element/tasks/setup.yml | 3 +- .../matrix-client-hydrogen/defaults/main.yml | 68 ++++++ roles/matrix-client-hydrogen/tasks/init.yml | 10 + roles/matrix-client-hydrogen/tasks/main.yml | 15 ++ .../tasks/self_check.yml | 22 ++ roles/matrix-client-hydrogen/tasks/setup.yml | 119 +++++++++++ .../tasks/validate_config.yml | 9 + .../templates/config.json.j2 | 3 + .../templates/nginx.conf.j2 | 66 ++++++ .../systemd/matrix-client-hydrogen.service.j2 | 39 ++++ roles/matrix-common-after/defaults/main.yml | 16 ++ roles/matrix-common-after/tasks/start.yml | 5 +- roles/matrix-corporal/tasks/init.yml | 7 + .../matrix-corporal/tasks/setup_corporal.yml | 3 +- roles/matrix-coturn/tasks/init.yml | 14 +- roles/matrix-coturn/tasks/setup_install.yml | 3 +- roles/matrix-dynamic-dns/tasks/init.yml | 7 + roles/matrix-dynamic-dns/tasks/install.yml | 3 +- roles/matrix-grafana/defaults/main.yml | 2 +- roles/matrix-grafana/templates/grafana.ini.j2 | 3 + roles/matrix-jitsi/defaults/main.yml | 2 + .../prosody/matrix-jitsi-prosody.service.j2 | 3 + roles/matrix-ma1sd/tasks/init.yml | 14 +- roles/matrix-mailer/defaults/main.yml | 2 +- roles/matrix-mailer/tasks/init.yml | 7 + roles/matrix-mailer/tasks/setup_mailer.yml | 3 +- roles/matrix-nginx-proxy/defaults/main.yml | 49 +++++ .../tasks/setup_nginx_proxy.yml | 13 ++ .../nginx/conf.d/matrix-base-domain.conf.j2 | 12 ++ .../nginx/conf.d/matrix-bot-go-neb.conf.j2 | 12 ++ .../conf.d/matrix-client-element.conf.j2 | 12 ++ .../conf.d/matrix-client-hydrogen.conf.j2 | 98 +++++++++ .../nginx/conf.d/matrix-dimension.conf.j2 | 12 ++ .../nginx/conf.d/matrix-domain.conf.j2 | 32 ++- .../nginx/conf.d/matrix-grafana.conf.j2 | 13 ++ .../nginx/conf.d/matrix-jitsi.conf.j2 | 12 ++ .../nginx/conf.d/matrix-riot-web.conf.j2 | 12 ++ .../nginx/conf.d/matrix-sygnal.conf.j2 | 12 ++ .../tasks/util/migrate_db_to_postgres.yml | 3 +- roles/matrix-prometheus/defaults/main.yml | 2 +- roles/matrix-registration/tasks/init.yml | 7 + .../tasks/setup_install.yml | 3 +- roles/matrix-synapse-admin/defaults/main.yml | 2 +- roles/matrix-synapse-admin/tasks/init.yml | 7 + roles/matrix-synapse-admin/tasks/setup.yml | 3 +- roles/matrix-synapse/defaults/main.yml | 6 +- roles/matrix-synapse/tasks/init.yml | 14 +- .../rust-synapse-compress-state/main.yml | 2 +- .../tasks/synapse/setup_install.yml | 3 +- .../templates/synapse/homeserver.yaml.j2 | 18 ++ setup.yml | 2 + 105 files changed, 1451 insertions(+), 141 deletions(-) create mode 100644 docs/configuring-playbook-bridge-heisenbridge.md create mode 100644 docs/configuring-playbook-client-hydrogen.md create mode 100644 roles/matrix-awx/scripts/matrix_build_room_list.py create mode 100644 roles/matrix-bridge-heisenbridge/defaults/main.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/init.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/main.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 create mode 100644 roles/matrix-client-hydrogen/defaults/main.yml create mode 100644 roles/matrix-client-hydrogen/tasks/init.yml create mode 100644 roles/matrix-client-hydrogen/tasks/main.yml create mode 100644 roles/matrix-client-hydrogen/tasks/self_check.yml create mode 100644 roles/matrix-client-hydrogen/tasks/setup.yml create mode 100644 roles/matrix-client-hydrogen/tasks/validate_config.yml create mode 100644 roles/matrix-client-hydrogen/templates/config.json.j2 create mode 100644 roles/matrix-client-hydrogen/templates/nginx.conf.j2 create mode 100644 roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 create mode 100644 roles/matrix-common-after/defaults/main.yml create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 37988c94..8fd1c8d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,23 @@ +# 2021-05-21 + +## Hydrogen support + +Thanks to [Aaron Raimist](https://github.com/aaronraimist), the playbook now supports [Hydrogen](https://github.com/vector-im/hydrogen-web) - a new lightweight matrix client with legacy and mobile browser support. + +By default, we still install Element, as Hydrogen is still not fully-featured. Still, people who'd like to try Hydrogen out can now install it via the playbook. + +Additional details are available in [Setting up Hydrogen](docs/configuring-playbook-client-hydrogen.md). + + +# 2021-05-19 + +## Heisenbridge support + +Thanks to [Toni Spets (hifi)](https://github.com/hifi), the playbook now supports bridging to [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) using yet another bridge (besides matrix-appservice-irc), called [Heisenbridge](https://github.com/hifi/heisenbridge). + +Additional details are available in [Setting up Heisenbridge bouncer-style IRC bridging](docs/configuring-playbook-bridge-heisenbridge.md). + + # 2021-04-16 ## Disabling TLSv1 and TLSv1.1 for Coturn diff --git a/README.md b/README.md index 301e7f05..8448680c 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default -- (optional, default) an [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server +- (optional, default) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server - (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) @@ -47,7 +47,7 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/) -- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [Whatsapp](https://www.whatsapp.com/) +- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/) - (optional) the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/) @@ -67,6 +67,8 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - see [docs/configuring-playbook-bridge-matrix-bridge-sms.md](docs/configuring-playbook-bridge-matrix-bridge-sms.md) for setup documentation +- (optional) the [Heisenbridge](https://github.com/hifi/heisenbridge) for bridging your Matrix server to IRC bouncer-style - see [docs/configuring-playbook-bridge-heisenbridge.md](docs/configuring-playbook-bridge-heisenbridge.md) for setup documentation + - (optional) the [mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-mx-puppet-skype.md](docs/configuring-playbook-bridge-mx-puppet-skype.md) for setup documentation - (optional) the [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) for bridging your Matrix server to [Slack](https://slack.com) - see [docs/configuring-playbook-bridge-mx-puppet-slack.md](docs/configuring-playbook-bridge-mx-puppet-slack.md) for setup documentation @@ -103,7 +105,9 @@ Using this playbook, you can get the following services configured on your serve - (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation -Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else. +- (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation + +Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. Sticking with the defaults (which install a subset of the above components) is the best choice, especially for a new installation. @@ -128,4 +132,11 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w - IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net) -- Github issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) +- GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) + + +## Services by the community + +- [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on an old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintenance) and (optional) provide full-featured email service for your domain + +- [GoMatrixHosting](https://gomatrixhosting.com) - matrix-docker-ansible-deploy "as a service" with [Ansible AWX](https://github.com/ansible/awx). Members can be assigned a server from DigitalOcean, or they can connect their on-premises server. This AWX system can manage the updates, configuration, import and export, backups, and monitoring on its own. For more information [see our GitLab group](https://gitlab.com/GoMatrixHosting) or come [visit us on Matrix](https://matrix.to/#/#general:gomatrixhosting.com). diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md index cc90fb98..1ab6950a 100644 --- a/docs/configuring-awx-system.md +++ b/docs/configuring-awx-system.md @@ -8,9 +8,7 @@ Members can be assigned a server from Digitalocean, or they can connect their ow The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server. -Ideally this system can manage the updates, configuration, backups and monitoring on it's own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy). - -Warning: This project is currently alpha quality and should only be run by the brave. +This system can manage the updates, configuration, import and export, backups and monitoring on its own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy). ## Other Required Playbooks @@ -23,6 +21,7 @@ The following repositories allow you to copy and use this setup: [Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server. + ## Testing Fork For This Playbook Updates to this section are trailed here: diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 285ded42..0016464f 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -36,6 +36,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco | CNAME | `stats` (*) | - | - | - | `matrix.` | | CNAME | `goneb` (*) | - | - | - | `matrix.` | | CNAME | `sygnal` (*) | - | - | - | `matrix.` | +| CNAME | `hydrogen` (*) | - | - | - | `matrix.` | ## Subdomains setup @@ -54,6 +55,8 @@ The `goneb.` subdomain may be necessary, because this playbook coul The `sygnal.` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.` DNS record. +The `hydrogen.` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.` DNS record. + ## `_matrix-identity._tcp` SRV record setup diff --git a/docs/configuring-playbook-bridge-appservice-irc.md b/docs/configuring-playbook-bridge-appservice-irc.md index a9403cb5..93e0fb36 100644 --- a/docs/configuring-playbook-bridge-appservice-irc.md +++ b/docs/configuring-playbook-bridge-appservice-irc.md @@ -1,6 +1,8 @@ # Setting up Appservice IRC (optional) -The playbook can install and configure [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) for you. +**Note**: bridging to [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) can also happen via the [Heisenbridge](configuring-playbook-bridge-heisenbridge.md) bridge supported by the playbook. + +The playbook can install and configure the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for you. See the project's [documentation](https://github.com/matrix-org/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you. diff --git a/docs/configuring-playbook-bridge-appservice-slack.md b/docs/configuring-playbook-bridge-appservice-slack.md index a409a050..7d45d34d 100644 --- a/docs/configuring-playbook-bridge-appservice-slack.md +++ b/docs/configuring-playbook-bridge-appservice-slack.md @@ -1,5 +1,7 @@ # Setting up Appservice Slack (optional) +**Note**: bridging to [Slack](https://slack.com) can also happen via the [mx-puppet-slack](configuring-playbook-bridge-mx-puppet-slack.md) bridge supported by the playbook. + The playbook can install and configure [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) for you. See the project's [documentation](https://github.com/matrix-org/matrix-appservice-slack/blob/master/README.md) to learn what it does and why it might be useful to you. @@ -106,5 +108,5 @@ Check you logs, if they say something like `WARN SlackEventHandler Ignoring message from unrecognised slack channel id : %s (%s) ` -then unlink your room, reinvite the bot and re-link it again. This may particularly hit you, if you tried to unsuccessfully link +then unlink your room, reinvite the bot and re-link it again. This may particularly hit you, if you tried to unsuccessfully link your room multiple times without unlinking it after each failed attempt. diff --git a/docs/configuring-playbook-bridge-heisenbridge.md b/docs/configuring-playbook-bridge-heisenbridge.md new file mode 100644 index 00000000..9cf016f2 --- /dev/null +++ b/docs/configuring-playbook-bridge-heisenbridge.md @@ -0,0 +1,36 @@ +# Setting up Heisenbridge (optional) + +**Note**: bridging to [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) can also happen via the [matrix-appservice-irc](configuring-playbook-bridge-appservice-irc.md) bridge supported by the playbook. + +The playbook can install and configure [Heisenbridge](https://github.com/hifi/heisenbridge) - the bouncer-style [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) bridge for you. + +See the project's [README](https://github.com/hifi/heisenbridge/blob/master/README.md) to learn what it does and why it might be useful to you. + +## Configuration + +Below are the common configuration options that you may want to set, exhaustive list is in [the bridge's defaults var file](../roles/matrix-bridge-heisenbridge/defaults/main.yml). + +At a minimum, you only need to enable the bridge to get it up and running (`inventory/host_vars/matrix.DOMAIN/vars.yml`): + +```yaml +matrix_heisenbridge_enabled: true + +# set owner (optional) +matrix_heisenbridge_owner: "@you:your-homeserver" + +# to enable identd on host port 113/TCP (optional) +matrix_heisenbridge_identd_enabled: true +``` + +That's it! A registration file is automatically generated during the setup phase. + +Setting the owner is optional as the first local user to DM `@heisenbridge:your-homeserver` will be made the owner. +If you are not using a local user you must set it as otherwise you can't DM it at all. + +## Usage + +After the bridge is successfully running just DM `@heisenbridge:your-homeserver` to start setting it up. +Help is available for all commands with the `-h` switch. +If the bridge ignores you and a DM is not accepted then the owner setting may be wrong. + +If you encounter issues or feel lost you can join the project room at [#heisenbridge:vi.fi](https://matrix.to/#/#heisenbridge:vi.fi) for help. diff --git a/docs/configuring-playbook-bridge-mx-puppet-slack.md b/docs/configuring-playbook-bridge-mx-puppet-slack.md index 1f20219f..61600c7a 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-slack.md +++ b/docs/configuring-playbook-bridge-mx-puppet-slack.md @@ -1,5 +1,7 @@ # Setting up MX Puppet Slack (optional) +**Note**: bridging to [Slack](https://slack.com) can also happen via the [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) bridge supported by the playbook. + The playbook can install and configure [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) for you. diff --git a/docs/configuring-playbook-client-hydrogen.md b/docs/configuring-playbook-client-hydrogen.md new file mode 100644 index 00000000..4b05240b --- /dev/null +++ b/docs/configuring-playbook-client-hydrogen.md @@ -0,0 +1,21 @@ +# Configuring Hydrogen (optional) + +This playbook can install the [Hydrogen](https://github.com/vector-im/hydrogen-web) Matrix web client for you. +Hydrogen is a lightweight web client that supports mobile and legacy web browsers. +Hydrogen can be installed alongside or instead of Element. + +If you'd like Hydrogen to be installed, add the following to your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_client_hydrogen_enabled: true +``` + +You will also need to add a DNS record so that Hydrogen can be accessed. +By default Hydrogen will use https://hydrogen.DOMAIN so you will need to create an CNAME record +for `hydrogen`. See [Configuring DNS](configuring-dns.md). + +If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain): + +```yaml + matrix_server_fqn_hydrogen: "helium.{{ matrix_domain }}" +``` diff --git a/docs/configuring-playbook-prometheus-grafana.md b/docs/configuring-playbook-prometheus-grafana.md index 4968c518..dc1b7b4c 100644 --- a/docs/configuring-playbook-prometheus-grafana.md +++ b/docs/configuring-playbook-prometheus-grafana.md @@ -56,6 +56,7 @@ Name | Description `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics` `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`) `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable) +`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`). ## More information diff --git a/docs/configuring-playbook-ssl-certificates.md b/docs/configuring-playbook-ssl-certificates.md index 1b5ea234..2e288cc8 100644 --- a/docs/configuring-playbook-ssl-certificates.md +++ b/docs/configuring-playbook-ssl-certificates.md @@ -43,6 +43,7 @@ With such a configuration, the playbook would expect you to drop the SSL certifi - `/live//fullchain.pem` - `/live//privkey.pem` +- `/live//chain.pem` where `` refers to the domains that you need (usually `matrix.` and `element.`). diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index 5b9519e2..68d70305 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md @@ -6,8 +6,6 @@ It's a web UI tool you can use to **administrate users and rooms on your Matrix See the project's [documentation](https://github.com/Awesome-Technologies/synapse-admin) to learn what it does and why it might be useful to you. -**Warning**: Synapse Admin will likely not work with Synapse v1.32 for now. See [this issue](https://github.com/Awesome-Technologies/synapse-admin/issues/132). If you insist on using Synapse Admin before there's a solution to this issue, you may wish to downgrade Synapse (adding `matrix_synapse_version: v1.31.0` or `matrix_synapse_version_arm64: v1.31.0` to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file). - ## Adjusting the playbook configuration diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index f6988930..fae66dca 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -68,6 +68,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Adjusting email-sending settings](configuring-playbook-email.md) (optional) +- [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional) + ### Authentication and user-related @@ -126,6 +128,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Matrix SMS bridging](configuring-playbook-bridge-matrix-bridge-sms.md) (optional) +- [Setting up Heisenbridge bouncer-style IRC bridging](configuring-playbook-bridge-heisenbridge.md) (optional) + ### Bots diff --git a/docs/self-building.md b/docs/self-building.md index 0d41e419..303344ac 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -14,6 +14,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-synapse` - `matrix-synapse-admin` - `matrix-client-element` +- `matrix-client-hydrogen` - `matrix-registration` - `matrix-coturn` - `matrix-corporal` diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index 8999f299..c6d2841b 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -38,7 +38,6 @@ matrix.DOMAIN.tld { X-Frame-Options "DENY" # X-Robots-Tag X-Robots-Tag "noindex, noarchive, nofollow" - 167,9 79% } # Cache diff --git a/examples/caddy2/README.md b/examples/caddy2/README.md index 022a4fec..fe8d5763 100644 --- a/examples/caddy2/README.md +++ b/examples/caddy2/README.md @@ -8,5 +8,5 @@ This directory contains sample files that show you how to do reverse-proxying us | ------------------ | -------- | | tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | | tls | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls | -| Dimnension | To enable Dimension support uncomment the lines for Dimension and set your data | -| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | \ No newline at end of file +| Dimension | To enable Dimension support uncomment the lines for Dimension and set your data | +| Jitsi | To enable Jitsi support uncomment the lines for Jitsi and set your data | diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9fec86e9..86f1d5a3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -488,6 +488,32 @@ matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | pas # ###################################################################### +###################################################################### +# +# matrix-bridge-heisenbridge +# +###################################################################### + +# We don't enable bridges by default. +matrix_heisenbridge_enabled: false + +matrix_heisenbridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.as.tok') | to_uuid }}" + +matrix_heisenbridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}" + +matrix_heisenbridge_systemd_wanted_services_list: | + {{ + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +###################################################################### +# +# /matrix-bridge-heisenbridge +# +###################################################################### + ###################################################################### # # matrix-bridge-mx-puppet-skype @@ -1027,6 +1053,8 @@ matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13090' }}" +matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" + matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}" matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}" matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}" @@ -1113,7 +1141,9 @@ matrix_ma1sd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matr matrix_ma1sd_dns_overwrite_enabled: true matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}" +# The `matrix_ma1sd_dns_overwrite_homeserver_client_value` value when matrix_nginx_proxy_enabled is false covers the general case, +# but may be inaccurate if matrix-corporal is enabled. +matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ ('http://' + matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container) if matrix_nginx_proxy_enabled else matrix_homeserver_container_url }}" # By default, we send mail through the `matrix-mailer` service. matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" @@ -1170,6 +1200,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" +matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" @@ -1211,6 +1242,11 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +# OCSP stapling does not make sense when self-signed certificates are used. +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074 +matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_ssl_retrieval_method != 'self-signed' }}" + matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}" matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" @@ -1240,6 +1276,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | + ([matrix_nginx_proxy_proxy_riot_compat_redirect_hostname] if matrix_nginx_proxy_proxy_riot_compat_redirect_enabled else []) + + ([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else []) + + ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) + ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) @@ -1543,6 +1581,31 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr +###################################################################### +# +# matrix-client-hydrogen +# +###################################################################### + +matrix_client_hydrogen_enabled: false + +# Normally, matrix-nginx-proxy is enabled and nginx can reach Hydrogen over the container network. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose +# the HTTP port to the local host. +matrix_client_hydrogen_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8768' }}" + +matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" + +matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + +###################################################################### +# +# /matrix-client-hydrogen +# +###################################################################### + + + ###################################################################### # # matrix-synapse diff --git a/roles/matrix-awx/scripts/matrix_build_room_list.py b/roles/matrix-awx/scripts/matrix_build_room_list.py new file mode 100644 index 00000000..3abfcd8c --- /dev/null +++ b/roles/matrix-awx/scripts/matrix_build_room_list.py @@ -0,0 +1,28 @@ + +import sys +import requests +import json + +janitor_token = sys.argv[1] +synapse_container_ip = sys.argv[2] + +# collect total amount of rooms + +rooms_raw_url = 'http://' + synapse_container_ip + ':8008/_synapse/admin/v1/rooms' +rooms_raw_header = {'Authorization': 'Bearer ' + janitor_token} +rooms_raw = requests.get(rooms_raw_url, headers=rooms_raw_header) +rooms_raw_python = json.loads(rooms_raw.text) +total_rooms = rooms_raw_python["total_rooms"] + +# build complete room list file + +room_list_file = open("/tmp/room_list_complete.json", "w") + +for i in range(0, total_rooms, 100): + rooms_inc_url = 'http://' + synapse_container_ip + ':8008/_synapse/admin/v1/rooms?from=' + str(i) + rooms_inc = requests.get(rooms_inc_url, headers=rooms_raw_header) + room_list_file.write(rooms_inc.text) + +room_list_file.close() + +print(total_rooms) diff --git a/roles/matrix-awx/tasks/purge_database_main.yml b/roles/matrix-awx/tasks/purge_database_main.yml index ccd46c81..76a437e1 100644 --- a/roles/matrix-awx/tasks/purge_database_main.yml +++ b/roles/matrix-awx/tasks/purge_database_main.yml @@ -17,136 +17,132 @@ file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' no_log: True -- name: Collect size of Synapse database +- name: Collect before shrink size of Synapse database shell: du -sh /matrix/postgres/data register: db_size_before_stat + when: (purge_mode.find("Perform final shrink") != -1) no_log: True -- name: Print before size of Synapse database - debug: - msg: "{{ db_size_before_stat.stdout.split('\n') }}" - when: db_size_before_stat is defined - - name: Collect the internal IP of the matrix-synapse container shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) register: synapse_container_ip - name: Collect access token for janitor user shell: | curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "{{ synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token' + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) register: janitors_token no_log: True -- name: Collect total number of rooms +- name: Copy build_room_list.py script to target machine + copy: + src: ./roles/matrix-awx/scripts/matrix_build_room_list.py + dest: /usr/local/bin/matrix_build_room_list.py + owner: matrix + group: matrix + mode: '0755' + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) + +- name: Run build_room_list.py script shell: | - curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/rooms' | jq '.total_rooms' - when: purge_rooms|bool + runuser -u matrix -- python3 /usr/local/bin/matrix_build_room_list.py {{ janitors_token.stdout[1:-1] }} {{ synapse_container_ip.stdout }} register: rooms_total + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) -- name: Print total number of rooms - debug: - msg: '{{ rooms_total.stdout }}' - when: purge_rooms|bool - -- name: Calculate every 100 values for total number of rooms - delegate_to: 127.0.0.1 - shell: | - seq 0 100 {{ rooms_total.stdout }} - when: purge_rooms|bool - register: every_100_rooms +- name: Fetch complete room list from target machine + fetch: + src: /tmp/room_list_complete.json + dest: "/tmp/{{ subscription_id }}_room_list_complete.json" + flat: yes + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) -- name: Ensure room_list_complete.json file exists - delegate_to: 127.0.0.1 +- name: Remove complete room list from target machine file: - path: /tmp/{{ subscription_id }}_room_list_complete.json - state: touch - when: purge_rooms|bool - -- name: Build file with total room list - include_tasks: purge_database_build_list.yml - loop: "{{ every_100_rooms.stdout_lines | flatten(levels=1) }}" - when: purge_rooms|bool + path: /tmp/room_list_complete.json + state: absent + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Generate list of rooms with no local users delegate_to: 127.0.0.1 shell: | jq 'try .rooms[] | select(.joined_local_members == 0) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_no_local_users.txt - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Count number of rooms with no local users delegate_to: 127.0.0.1 shell: | wc -l /tmp/{{ subscription_id }}_room_list_no_local_users.txt | awk '{ print $1 }' register: rooms_no_local_total - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Setting host fact room_list_no_local_users set_fact: room_list_no_local_users: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_no_local_users.txt') }}" no_log: True - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Purge all rooms with no local users include_tasks: purge_database_no_local.yml loop: "{{ room_list_no_local_users.splitlines() | flatten(levels=1) }}" - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Collect epoche time from date delegate_to: 127.0.0.1 shell: | date -d '{{ purge_date }}' +"%s" - when: purge_rooms|bool + when: (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) register: purge_epoche_time - name: Generate list of rooms with more then N users delegate_to: 127.0.0.1 shell: | jq 'try .rooms[] | select(.joined_members > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_joined_members.txt - when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of users [slower]") != -1 - name: Count number of rooms with more then N users delegate_to: 127.0.0.1 shell: | wc -l /tmp/{{ subscription_id }}_room_list_joined_members.txt | awk '{ print $1 }' register: rooms_join_members_total - when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of users [slower]") != -1 - name: Setting host fact room_list_joined_members delegate_to: 127.0.0.1 set_fact: room_list_joined_members: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_joined_members.txt') }}" - when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of users [slower]") != -1 no_log: True - name: Purge all rooms with more then N users include_tasks: purge_database_users.yml loop: "{{ room_list_joined_members.splitlines() | flatten(levels=1) }}" - when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of users [slower]") != -1 - name: Generate list of rooms with more then N events delegate_to: 127.0.0.1 shell: | jq 'try .rooms[] | select(.state_events > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_state_events.txt - when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of events [slower]") != -1 -- name: Count number of rooms with more then N users +- name: Count number of rooms with more then N events delegate_to: 127.0.0.1 shell: | wc -l /tmp/{{ subscription_id }}_room_list_state_events.txt | awk '{ print $1 }' register: rooms_state_events_total - when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of events [slower]") != -1 - name: Setting host fact room_list_state_events delegate_to: 127.0.0.1 set_fact: room_list_state_events: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_state_events.txt') }}" - when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of events [slower]") != -1 no_log: True - name: Purge all rooms with more then N events include_tasks: purge_database_events.yml loop: "{{ room_list_state_events.splitlines() | flatten(levels=1) }}" - when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of events [slower]") != -1 - name: Collect AWX admin token the hard way! delegate_to: 127.0.0.1 @@ -155,75 +151,162 @@ register: tower_token no_log: True +- name: Adjust 'Deploy/Update a Server' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 0 - Deploy/Update a Server" + description: "Creates a new matrix service with Spantaleev's playbooks" + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "rust-synapse-compress-state" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) + - name: Execute rust-synapse-compress-state job template delegate_to: 127.0.0.1 awx.awx.tower_job_launch: job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server" - tags: "rust-synapse-compress-state" wait: yes tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - register: job + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) -- name: Stop Synapse service - shell: systemctl stop matrix-synapse.service +- name: Revert 'Deploy/Update a Server' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 0 - Deploy/Update a Server" + description: "Creates a new matrix service with Spantaleev's playbooks" + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "setup-all,start" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1) + +- name: Ensure matrix-synapse is stopped + service: + name: matrix-synapse + state: stopped + daemon_reload: yes + when: (purge_mode.find("Perform final shrink") != -1) - name: Re-index Synapse database shell: docker exec -i matrix-postgres psql "host=127.0.0.1 port=5432 dbname=synapse user=synapse password={{ matrix_synapse_connection_password }}" -c 'REINDEX (VERBOSE) DATABASE synapse' + when: (purge_mode.find("Perform final shrink") != -1) + +- name: Ensure matrix-synapse is started + service: + name: matrix-synapse + state: started + daemon_reload: yes + when: (purge_mode.find("Perform final shrink") != -1) + +- name: Adjust 'Deploy/Update a Server' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 0 - Deploy/Update a Server" + description: "Creates a new matrix service with Spantaleev's playbooks" + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "run-postgres-vacuum,start" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + when: (purge_mode.find("Perform final shrink") != -1) - name: Execute run-postgres-vacuum job template delegate_to: 127.0.0.1 awx.awx.tower_job_launch: job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server" - tags: "run-postgres-vacuum,start" wait: yes tower_host: "https://{{ tower_host }}" tower_oauthtoken: "{{ tower_token.stdout }}" validate_certs: yes - register: job + when: (purge_mode.find("Perform final shrink") != -1) + +- name: Revert 'Deploy/Update a Server' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 0 - Deploy/Update a Server" + description: "Creates a new matrix service with Spantaleev's playbooks" + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "setup-all,start" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes + when: (purge_mode.find("Perform final shrink") != -1) - name: Cleanup room_list files delegate_to: 127.0.0.1 shell: | rm /tmp/{{ subscription_id }}_room_list* - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) ignore_errors: yes -- name: Collect size of Synapse database +- name: Collect after shrink size of Synapse database shell: du -sh /matrix/postgres/data register: db_size_after_stat + when: (purge_mode.find("Perform final shrink") != -1) no_log: True - name: Print total number of rooms processed debug: msg: '{{ rooms_total.stdout }}' - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Print the number of rooms purged with no local users debug: msg: '{{ rooms_no_local_total.stdout }}' - when: purge_rooms|bool + when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) - name: Print the number of rooms purged with more then N users debug: msg: '{{ rooms_join_members_total.stdout }}' - when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of users") != -1 - name: Print the number of rooms purged with more then N events debug: msg: '{{ rooms_state_events_total.stdout }}' - when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool) + when: purge_mode.find("Number of events") != -1 - name: Print before purge size of Synapse database debug: msg: "{{ db_size_before_stat.stdout.split('\n') }}" - when: db_size_before_stat is defined + when: (db_size_before_stat is defined) and (purge_mode.find("Perform final shrink") != -1) - name: Print after purge size of Synapse database debug: msg: "{{ db_size_after_stat.stdout.split('\n') }}" - when: db_size_after_stat is defined + when: (db_size_after_stat is defined) and (purge_mode.find("Perform final shrink") != -1) - name: Set boolean value to exit playbook set_fact: diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index d1d3bf27..ef30ad67 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -15,6 +15,9 @@ matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" # This and the Matrix FQN (see above) are expected to be on the same server. matrix_server_fqn_element: "element.{{ matrix_domain }}" +# This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default). +matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}" + # This is where you access the Dimension. matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" diff --git a/roles/matrix-bridge-appservice-irc/tasks/init.yml b/roles/matrix-bridge-appservice-irc/tasks/init.yml index ddf1b031..b9a58e00 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/init.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build" + # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. - name: Fail if matrix-synapse role already executed diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 09e1d4ba..75af882a 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -71,11 +71,12 @@ register: matrix_appservice_irc_git_pull_results when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool" -- name: Ensure matrix-appservice-irc Docker image is build +- name: Ensure matrix-appservice-irc Docker image is built docker_image: name: "{{ matrix_appservice_irc_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_appservice_irc_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_appservice_irc_docker_src_files_path }}" diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index 045b6b73..6a1bf869 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build" + # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. - name: Fail if matrix-synapse role already executed diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index 703d3fab..b170fcb8 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -51,7 +51,8 @@ docker_image: name: "{{ matrix_appservice_slack_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_appservice_slack_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_appservice_slack_docker_src_files_path }}" diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml new file mode 100644 index 00000000..be95af8d --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -0,0 +1,47 @@ +# heisenbridge is a bouncer-style Matrix IRC bridge +# See: https://github.com/hifi/heisenbridge + +matrix_heisenbridge_enabled: true + +matrix_heisenbridge_version: latest +matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" +matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" + +# Set this to your Matrix ID if you want to enforce the owner, otherwise first _local_ user becomes one +matrix_heisenbridge_owner: "" + +# Enabling identd will bind to host port 113/TCP +matrix_heisenbridge_identd_enabled: false + +matrix_heisenbridge_base_path: "{{ matrix_base_data_path }}/heisenbridge" + +# A list of extra arguments to pass to the container +matrix_heisenbridge_container_extra_arguments: [] + +# List of systemd services that service depends on. +matrix_heisenbridge_systemd_required_services_list: ['docker.service'] + +# List of systemd services that service wants +matrix_heisenbridge_systemd_wanted_services_list: [] + +matrix_heisenbridge_homeserver_url: "{{ matrix_homeserver_container_url }}" + +matrix_heisenbridge_appservice_token: '' +matrix_heisenbridge_homeserver_token: '' + +# Default registration file +matrix_heisenbridge_registration_yaml: + id: heisenbridge + url: http://matrix-heisenbridge:9898 + as_token: "{{ matrix_heisenbridge_appservice_token }}" + hs_token: "{{ matrix_heisenbridge_homeserver_token }}" + rate_limited: false + sender_localpart: heisenbridge + namespaces: + users: + - regex: '@hbirc_.*' + exclusive: true + aliases: [] + rooms: [] + +matrix_heisenbridge_registration: "{{ matrix_heisenbridge_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-heisenbridge/tasks/init.yml b/roles/matrix-bridge-heisenbridge/tasks/init.yml new file mode 100644 index 00000000..18e89b68 --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/init.yml @@ -0,0 +1,24 @@ +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-heisenbridge role needs to execute before the matrix-synapse role. + when: "matrix_heisenbridge_enabled and matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-heisenbridge.service'] }}" + when: matrix_heisenbridge_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_heisenbridge_base_path }}/registration.yaml,dst=/heisenbridge-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/heisenbridge-registration.yaml"] }} + when: matrix_heisenbridge_enabled|bool diff --git a/roles/matrix-bridge-heisenbridge/tasks/main.yml b/roles/matrix-bridge-heisenbridge/tasks/main.yml new file mode 100644 index 00000000..1358709d --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/main.yml @@ -0,0 +1,15 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_heisenbridge_enabled|bool" + tags: + - setup-all + - setup-heisenbridge + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_heisenbridge_enabled|bool" + tags: + - setup-all + - setup-heisenbridge diff --git a/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml b/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml new file mode 100644 index 00000000..03cf9ec3 --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml @@ -0,0 +1,38 @@ +--- + +- name: Ensure heisenbridge image is pulled + docker_image: + name: "{{ matrix_heisenbridge_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_heisenbridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_heisenbridge_docker_image_force_pull }}" + +- name: Ensure heisenbridge paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_heisenbridge_base_path }}" + +- name: Ensure heisenbridge registration.yaml installed if provided + copy: + content: "{{ matrix_heisenbridge_registration|to_nice_yaml }}" + dest: "{{ matrix_heisenbridge_base_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-heisenbridge.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-heisenbridge.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" + mode: 0644 + register: matrix_heisenbridge_systemd_service_result + +- name: Ensure systemd reloaded after matrix-heisenbridge.service installation + service: + daemon_reload: yes + when: matrix_heisenbridge_systemd_service_result.changed diff --git a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml new file mode 100644 index 00000000..d5526f8a --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-heisenbridge service + stat: + path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" + register: matrix_heisenbridge_service_stat + +- name: Ensure matrix-heisenbridge is stopped + service: + name: heisenbridge + state: stopped + daemon_reload: yes + when: "matrix_heisenbridge_service_stat.stat.exists" + +- name: Ensure matrix-heisenbridge.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" + state: absent + when: "matrix_heisenbridge_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-heisenbridge.service removal + service: + daemon_reload: yes + when: "matrix_heisenbridge_service_stat.stat.exists" diff --git a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 new file mode 100644 index 00000000..91ba39b3 --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 @@ -0,0 +1,50 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=a bouncer-style Matrix IRC bridge +{% for service in matrix_heisenbridge_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_heisenbridge_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-heisenbridge +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-heisenbridge + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_heisenbridge_identd_enabled %} + -p 113:113 \ + {% endif %} + -v {{ matrix_heisenbridge_base_path }}:/config:z \ + {% for arg in matrix_heisenbridge_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_heisenbridge_docker_image }} \ + {% if matrix_heisenbridge_identd_enabled %} + --identd \ + {% endif %} + {% if matrix_heisenbridge_owner %} + -o {{ matrix_heisenbridge_owner }} \ + {% endif %} + --config /config/registration.yaml \ + --listen-address 0.0.0.0 \ + --listen-port 9898 \ + {{ matrix_heisenbridge_homeserver_url }} + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-heisenbridge +ExecStop=-{{ matrix_host_command_docker }} rm matrix-heisenbridge +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-heisenbridge + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml index 9e127316..83e54cb4 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}" when: matrix_mautrix_facebook_enabled|bool @@ -16,7 +23,7 @@ when: matrix_mautrix_facebook_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 59998463..4cfbde9e 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -69,7 +69,8 @@ docker_image: name: "{{ matrix_mautrix_facebook_docker_image }}" source: build - force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed }}" + force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_facebook_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 9209fa40..07fb254d 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}" when: matrix_mautrix_hangouts_enabled|bool @@ -62,7 +69,7 @@ when: "matrix_mautrix_hangouts_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix Hangouts image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index 2ce8a441..14ae255f 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -68,7 +68,8 @@ docker_image: name: "{{ matrix_mautrix_hangouts_docker_image }}" source: build - force_source: "{{ matrix_mautrix_hangouts_git_pull_results.changed }}" + force_source: "{{ matrix_mautrix_hangouts_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_hangouts_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml index 2b407358..6944003e 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-instagram.service'] }}" when: matrix_mautrix_instagram_enabled|bool @@ -16,7 +23,7 @@ when: matrix_mautrix_instagram_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Mautrix instagram image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml index b83deab3..60474230 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml @@ -44,7 +44,8 @@ docker_image: name: "{{ matrix_mautrix_instagram_docker_image }}" source: build - force_source: "{{ matrix_mautrix_instagram_git_pull_results.changed }}" + force_source: "{{ matrix_mautrix_instagram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_instagram_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_instagram_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index 721e98da..c8f7f895 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" when: matrix_mautrix_telegram_enabled|bool diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 04267161..704f0e26 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -64,11 +64,12 @@ register: matrix_mautrix_telegram_git_pull_results when: "matrix_mautrix_telegram_container_self_build|bool" -- name: Ensure matrix-mautrix-telegram Docker image is build +- name: Ensure matrix-mautrix-telegram Docker image is built docker_image: name: "{{ matrix_mautrix_telegram_docker_image }}" source: build - force_source: yes + force_source: "{{ matrix_mautrix_telegram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml index 4d8444e1..983e3895 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}" when: matrix_mx_puppet_discord_enabled|bool @@ -16,7 +23,7 @@ when: matrix_mx_puppet_discord_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml index c7865e98..f9985ed8 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_discord_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_discord_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_discord_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_discord_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_discord_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml index 1f00e8a5..eb598ecb 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-groupme.service'] }}" when: matrix_mx_puppet_groupme_enabled|bool @@ -16,7 +23,7 @@ when: matrix_mx_puppet_groupme_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml index 58fe9485..b1d5f0b5 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_groupme_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_groupme_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_groupme_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_groupme_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_groupme_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml index 0d319bc8..2ef99f02 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}" when: matrix_mx_puppet_instagram_enabled|bool diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml index 5701a916..cdbaa18e 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml @@ -69,7 +69,8 @@ docker_image: name: "{{ matrix_mx_puppet_instagram_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_instagram_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_instagram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_instagram_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_instagram_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml index 605ea492..1bdc4c2b 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}" when: matrix_mx_puppet_skype_enabled|bool @@ -16,7 +23,7 @@ when: matrix_mx_puppet_skype_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Skype image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 68a1d7f4..997a6317 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_skype_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_skype_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_skype_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_skype_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index 16afef20..de3ffd7c 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}" when: matrix_mx_puppet_slack_enabled|bool @@ -63,7 +70,7 @@ when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml index 04eab20a..d816ceeb 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml @@ -81,7 +81,8 @@ docker_image: name: "{{ matrix_mx_puppet_slack_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_slack_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_slack_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_slack_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml index 9687944f..c7b3d67f 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}" when: matrix_mx_puppet_steam_enabled|bool @@ -16,7 +23,7 @@ when: matrix_mx_puppet_steam_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml index 6b574656..3bcef36e 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_steam_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_steam_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_steam_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_steam_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_steam_docker_src_files_path }}" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 86f30237..94fafd90 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}" when: matrix_mx_puppet_twitter_enabled|bool @@ -63,7 +70,7 @@ when: "matrix_mx_puppet_twitter_enabled|bool and matrix_nginx_proxy_enabled is not defined" # ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here +# for self building it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: msg: "To self build Puppet Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml index 1c48c030..5767ed17 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml @@ -85,7 +85,8 @@ docker_image: name: "{{ matrix_mx_puppet_twitter_docker_image }}" source: build - force_source: "{{ matrix_mx_puppet_twitter_git_pull_results.changed }}" + force_source: "{{ matrix_mx_puppet_twitter_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_twitter_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mx_puppet_twitter_docker_src_files_path }}" diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 8904c295..f0596d91 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.26 +matrix_client_element_version: v1.7.29 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-client-element/tasks/init.yml b/roles/matrix-client-element/tasks/init.yml index a42e3143..102cae38 100644 --- a/roles/matrix-client-element/tasks/init.yml +++ b/roles/matrix-client-element/tasks/init.yml @@ -2,9 +2,9 @@ matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element.service'] }}" when: matrix_client_element_enabled|bool -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 fail: - msg: "To self build the Element image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build" diff --git a/roles/matrix-client-element/tasks/setup.yml b/roles/matrix-client-element/tasks/setup.yml index c4ed0847..117a09f4 100644 --- a/roles/matrix-client-element/tasks/setup.yml +++ b/roles/matrix-client-element/tasks/setup.yml @@ -37,7 +37,8 @@ docker_image: name: "{{ matrix_client_element_docker_image }}" source: build - force_source: "{{ matrix_client_element_git_pull_results.changed }}" + force_source: "{{ matrix_client_element_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_element_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_client_element_docker_src_files_path }}" diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml new file mode 100644 index 00000000..f7a3059e --- /dev/null +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -0,0 +1,68 @@ +matrix_client_hydrogen_enabled: true + +# Self building is used by default because the `config.json` file is only read at build time. +# The pre-built images also were not functional as of 2021-05-15. +matrix_client_hydrogen_container_image_self_build: true +matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" + +matrix_client_hydrogen_version: v0.1.53 +matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" +matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" +matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" + +matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen" +matrix_client_hydrogen_docker_src_files_path: "{{ matrix_client_hydrogen_data_path }}/docker-src" + +# Controls whether the container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose. +matrix_client_hydrogen_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_client_hydrogen_container_extra_arguments: [] + +# List of systemd services that matrix-client-hydrogen.service depends on +matrix_client_hydrogen_systemd_required_services_list: ['docker.service'] + +# Controls whether the self-check feature should validate SSL certificates. +matrix_client_hydrogen_self_check_validate_certificates: true + +# config.json +matrix_client_hydrogen_default_hs_url: "" + +# Default Hydrogen configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_hydrogen_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_client_hydrogen_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}" + +# Your custom JSON configuration for Hydrogen should go to `matrix_client_hydrogen_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_hydrogen_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_hydrogen_configuration_default`. +# +# Example configuration extension follows: +# +# matrix_client_hydrogen_configuration_extension_json: | +# { +# "push": { +# "appId": "io.element.hydrogen.web", +# "gatewayUrl": "https://matrix.org", +# "applicationServerKey": "BC-gpSdVHEXhvHSHS0AzzWrQoukv2BE7KzpoPO_FfPacqOo3l1pdqz7rSgmB04pZCWaHPz7XRe6fjLaC-WPDopM" +# }, +# "defaultHomeServer": "matrix.org" +# } +matrix_client_hydrogen_configuration_extension_json: '{}' + +matrix_client_hydrogen_configuration_extension: "{{ matrix_client_hydrogen_configuration_extension_json|from_json if matrix_client_hydrogen_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final Hydrogen configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_hydrogen_configuration_default`. +matrix_client_hydrogen_configuration: "{{ matrix_client_hydrogen_configuration_default|combine(matrix_client_hydrogen_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-client-hydrogen/tasks/init.yml b/roles/matrix-client-hydrogen/tasks/init.yml new file mode 100644 index 00000000..1115f63d --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/init.yml @@ -0,0 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" + when: matrix_client_hydrogen_enabled|bool diff --git a/roles/matrix-client-hydrogen/tasks/main.yml b/roles/matrix-client-hydrogen/tasks/main.yml new file mode 100644 index 00000000..6534db05 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/main.yml @@ -0,0 +1,15 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_client_hydrogen_enabled|bool" + tags: + - setup-all + - setup-client-hydrogen + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + when: run_setup|bool + tags: + - setup-all + - setup-client-hydrogen diff --git a/roles/matrix-client-hydrogen/tasks/self_check.yml b/roles/matrix-client-hydrogen/tasks/self_check.yml new file mode 100644 index 00000000..c7407dcd --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/self_check.yml @@ -0,0 +1,22 @@ +--- + +- set_fact: + matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}" + +- name: Check Hydrogen + uri: + url: "{{ matrix_client_hydrogen_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_client_hydrogen_self_check_validate_certificates }}" + register: matrix_client_hydrogen_self_check_result + check_mode: no + ignore_errors: true + +- name: Fail if Hydrogen not working + fail: + msg: "Failed checking Hydrogen is up at `{{ matrix_server_fqn_hydrogen }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}" + when: "matrix_client_hydrogen_self_check_result.failed or 'json' not in matrix_client_hydrogen_self_check_result" + +- name: Report working Hydrogen + debug: + msg: "Hydrogen at `{{ matrix_server_fqn_hydrogen }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)" diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml new file mode 100644 index 00000000..205fa3ce --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/setup.yml @@ -0,0 +1,119 @@ +--- + +# +# Tasks related to setting up Hydrogen +# + +- name: Ensure Hydrogen paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_client_hydrogen_data_path }}", when: true } + - { path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}" } + when: matrix_client_hydrogen_enabled|bool and item.when + +- name: Ensure Hydrogen Docker image is pulled + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_client_hydrogen_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_hydrogen_docker_image_force_pull }}" + when: matrix_client_hydrogen_enabled|bool and not matrix_client_hydrogen_container_image_self_build + +- name: Ensure Hydrogen repository is present on self-build + git: + repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}" + version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_client_hydrogen_git_pull_results + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + +- name: Ensure Hydrogen configuration installed + copy: + content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + +- name: Ensure Hydrogen additional config files installed + template: + src: "{{ item.src }}" + dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + when: "matrix_client_hydrogen_enabled|bool and item.src is not none" + +- name: Ensure Hydrogen Docker image is built + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + source: build + force_source: "{{ matrix_client_hydrogen_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_client_hydrogen_docker_src_files_path }}" + pull: yes + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + +- name: Ensure matrix-client-hydrogen.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + mode: 0644 + register: matrix_client_hydrogen_systemd_service_result + when: matrix_client_hydrogen_enabled|bool + +- name: Ensure systemd reloaded after matrix-client-hydrogen.service installation + service: + daemon_reload: yes + when: "matrix_client_hydrogen_enabled and matrix_client_hydrogen_systemd_service_result.changed" + +# +# Tasks related to getting rid of Hydrogen (if it was previously enabled) +# + +- name: Check existence of matrix-client-hydrogen.service + stat: + path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + register: matrix_client_hydrogen_service_stat + when: "not matrix_client_hydrogen_enabled|bool" + +- name: Ensure matrix-client-hydrogen is stopped + service: + name: matrix-client-hydrogen + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure matrix-client-hydrogen.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + state: absent + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal + service: + daemon_reload: yes + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure Hydrogen paths doesn't exist + file: + path: "{{ matrix_client_hydrogen_data_path }}" + state: absent + when: "not matrix_client_hydrogen_enabled|bool" + +- name: Ensure Hydrogen Docker image doesn't exist + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + state: absent + when: "not matrix_client_hydrogen_enabled|bool" diff --git a/roles/matrix-client-hydrogen/tasks/validate_config.yml b/roles/matrix-client-hydrogen/tasks/validate_config.yml new file mode 100644 index 00000000..d3b9a709 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required Hydrogen settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) to use Hydrogen. + when: "(vars[item] == '' or vars[item] is none) and matrix_client_hydrogen_container_image_self_build|bool" + with_items: + - "matrix_client_hydrogen_default_hs_url" diff --git a/roles/matrix-client-hydrogen/templates/config.json.j2 b/roles/matrix-client-hydrogen/templates/config.json.j2 new file mode 100644 index 00000000..62a849b0 --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/config.json.j2 @@ -0,0 +1,3 @@ +{ + "defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url|string|to_json }} +} diff --git a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 new file mode 100644 index 00000000..fba16bbd --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 @@ -0,0 +1,66 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) +# +# The following changes have been done compared to a default nginx configuration file: +# - default server port is changed (80 -> 8080), so that a non-root user can bind it +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 8080; + server_name localhost; + + root /usr/share/nginx/html; + + location / { + index index.html index.htm; + } + + location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { + expires -1; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +} diff --git a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 new file mode 100644 index 00000000..c85aeb97 --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 @@ -0,0 +1,39 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Hydrogen Client +{% for service in matrix_client_hydrogen_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydrogen \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_client_hydrogen_container_http_host_bind_port %} + -p {{ matrix_client_hydrogen_container_http_host_bind_port }}:8080 \ + {% endif %} + --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ + --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + {% for arg in matrix_client_hydrogen_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_client_hydrogen_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-client-hydrogen + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-common-after/defaults/main.yml b/roles/matrix-common-after/defaults/main.yml new file mode 100644 index 00000000..8112191a --- /dev/null +++ b/roles/matrix-common-after/defaults/main.yml @@ -0,0 +1,16 @@ +# Specifies how long to wait between starting systemd services and checking if they're started. +# +# A too low value may lead to a failure, as services may not have enough time to start and potentially fail. +# +# A value higher than 30 seconds (or any multiple of that) may also not work well, because a failing systemd service +# auto-restarts after 30 seconds (`RestartSec=30` in systemd service files). +# Checking if a service is running right after it had potentially restarted in such a way will lead us to +# thinking it's running, while it's merely starting again (and likely to fail again, given that it already did once). +# +# All of the services we manage are also started sequentially, which in itself can take a long time. +# There may be a ~10 second (or even larger) interval between starting the first service and starting the last one. +# This makes it even harder to pick a correct value. Such a 10 second gap and a waiting time of 20 seconds will +# put us right at the "dangerous" 30-second mark. +# +# We can try to measure this gap and adjust our waiting time accordingly, but we currently don't. +matrix_common_after_systemd_service_start_wait_for_timeout_seconds: 15 diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index 300de94c..64ab4d99 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -30,7 +30,7 @@ # as we may run into systemd's automatic restart logic retrying the service. - name: Wait a bit, so that services can start (or fail) wait_for: - timeout: 15 + timeout: "{{ matrix_common_after_systemd_service_start_wait_for_timeout_seconds }}" delegate_to: 127.0.0.1 become: false @@ -44,6 +44,9 @@ {{ item }} was not detected to be running. It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. + If you're on a slow or overloaded server, it may be that services take a longer time to start and that this error is a false-positive. + You can consider raising the value of the `matrix_common_after_systemd_service_start_wait_for_timeout_seconds` variable. + See `roles/matrix-common-after/defaults/main.yml` for more details about that. with_items: "{{ matrix_systemd_services_list }}" when: - "item.endswith('.service') and (ansible_facts.services[item]|default(none) is none or ansible_facts.services[item].state != 'running')" diff --git a/roles/matrix-corporal/tasks/init.yml b/roles/matrix-corporal/tasks/init.yml index ffe5d5da..993ace81 100644 --- a/roles/matrix-corporal/tasks/init.yml +++ b/roles/matrix-corporal/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}" when: matrix_corporal_enabled|bool diff --git a/roles/matrix-corporal/tasks/setup_corporal.yml b/roles/matrix-corporal/tasks/setup_corporal.yml index 188f09bf..e668de27 100644 --- a/roles/matrix-corporal/tasks/setup_corporal.yml +++ b/roles/matrix-corporal/tasks/setup_corporal.yml @@ -30,7 +30,8 @@ docker_image: name: "{{ matrix_corporal_docker_image }}" source: build - force_source: "{{ matrix_corporal_git_pull_results.changed }}" + force_source: "{{ matrix_corporal_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_corporal_git_pull_results.changed }}" build: dockerfile: etc/docker/Dockerfile path: "{{ matrix_corporal_container_src_files_path }}" diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index be011b7f..c645c06b 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}" when: matrix_coturn_enabled|bool @@ -5,10 +12,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn-reload.timer'] }}" when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool" - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Coturn image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build" diff --git a/roles/matrix-coturn/tasks/setup_install.yml b/roles/matrix-coturn/tasks/setup_install.yml index 24f038db..c31406b1 100644 --- a/roles/matrix-coturn/tasks/setup_install.yml +++ b/roles/matrix-coturn/tasks/setup_install.yml @@ -38,7 +38,8 @@ docker_image: name: "{{ matrix_coturn_docker_image }}" source: build - force_source: "{{ matrix_coturn_git_pull_results.changed }}" + force_source: "{{ matrix_coturn_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_git_pull_results.changed }}" build: dockerfile: "{{ matrix_coturn_container_image_self_build_repo_dockerfile_path }}" path: "{{ matrix_coturn_docker_src_files_path }}" diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml index 1a0f1b3d..039b5b02 100644 --- a/roles/matrix-dynamic-dns/tasks/init.yml +++ b/roles/matrix-dynamic-dns/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}" when: "matrix_dynamic_dns_enabled|bool" diff --git a/roles/matrix-dynamic-dns/tasks/install.yml b/roles/matrix-dynamic-dns/tasks/install.yml index e7b06d95..ac69ec89 100644 --- a/roles/matrix-dynamic-dns/tasks/install.yml +++ b/roles/matrix-dynamic-dns/tasks/install.yml @@ -33,7 +33,8 @@ docker_image: name: "{{ matrix_dynamic_dns_docker_image }}" source: build - force_source: "{{ matrix_dynamic_dns_git_pull_results.changed }}" + force_source: "{{ matrix_dynamic_dns_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_dynamic_dns_docker_src_files_path }}" diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index a5d60338..7c5c217c 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 7.5.5 +matrix_grafana_version: 7.5.7 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index 42cfcb12..322762b4 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -1,3 +1,6 @@ +[server] +root_url = "https://{{ matrix_server_fqn_grafana }}" + [security] # default admin user, created on startup admin_user = "{{ matrix_grafana_default_admin_user }}" diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 7dcff987..14545bc9 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -176,6 +176,8 @@ matrix_jitsi_prosody_container_extra_arguments: [] # List of systemd services that matrix-jitsi-prosody.service depends on matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] +# Neccessary Port binding for those disabling the integrated nginx proxy +matrix_jitsi_prosody_container_http_host_bind_port: '' matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index b3525a74..4445e52b 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -16,6 +16,9 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ --log-driver=none \ --network={{ matrix_docker_network }} \ + {% if matrix_jitsi_prosody_container_http_host_bind_port %} + -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \ + {% endif %} --env-file={{ matrix_jitsi_prosody_base_path }}/env \ --mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \ --mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \ diff --git a/roles/matrix-ma1sd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml index 89283a1f..f09cfcfd 100644 --- a/roles/matrix-ma1sd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -1,10 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}" when: matrix_ma1sd_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index c1d2cc67..1340cc70 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.94.2-r0 +matrix_mailer_version: 4.94.2-r0-1 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-mailer/tasks/init.yml b/roles/matrix-mailer/tasks/init.yml index e48e2a85..5895343e 100644 --- a/roles/matrix-mailer/tasks/init.yml +++ b/roles/matrix-mailer/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}" when: matrix_mailer_enabled|bool diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml index cb979080..251a52da 100644 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -36,7 +36,8 @@ docker_image: name: "{{ matrix_mailer_docker_image }}" source: build - force_source: "{{ matrix_mailer_git_pull_results.changed }}" + force_source: "{{ matrix_mailer_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_mailer_container_image_self_build_src_files_path }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index a7d9aeb2..c0ee3b51 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -113,6 +113,10 @@ matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost: matrix_nginx_proxy_proxy_element_enabled: false matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" +# Controls whether proxying the Hydrogen domain should be done. +matrix_nginx_proxy_proxy_hydrogen_enabled: false +matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" + # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" @@ -223,6 +227,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:1 matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem" +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem" # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" @@ -251,6 +256,9 @@ matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] +# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). +matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] + # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] @@ -385,6 +393,47 @@ matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" matrix_ssl_pre_obtaining_required_service_name: ~ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 +# Nginx Optimize SSL Session +# +# ssl_session_cache: +# - Creating a cache of TLS connection parameters reduces the number of handshakes +# and thus can improve the performance of application. +# - Default session cache is not optimal as it can be used by only one worker process +# and can cause memory fragmentation. It is much better to use shared cache. +# - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html +# +# ssl_session_timeout: +# - Nginx by default it is set to 5 minutes which is very low. +# should be like 4h or 1d but will require you to increase the size of cache. +# - Learn More: +# https://github.com/certbot/certbot/issues/6903 +# https://github.com/mozilla/server-side-tls/issues/198 +# +# ssl_session_tickets: +# - In case of session tickets, information about session is given to the client. +# Enabling this improve performance also make Perfect Forward Secrecy useless. +# - If you would instead like to use ssl_session_tickets by yourself, you can set +# matrix_nginx_proxy_ssl_session_tickets_off false. +# - Learn More: https://github.com/mozilla/server-side-tls/issues/135 +# +# Presets are taken from Mozilla's Server Side TLS Recommended configurations +matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m" +matrix_nginx_proxy_ssl_session_timeout: "1d" +matrix_nginx_proxy_ssl_session_tickets_off: true + +# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance. +# OCSP stapling can provide a performance boost of up to 30% +# nginx web server supports OCSP stapling since version 1.3.7. +# +# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response. +# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling +# +# Learn more about what it is here: +# - https://en.wikipedia.org/wiki/OCSP_stapling +# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/ +# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ +matrix_nginx_proxy_ocsp_stapling_enabled: true + # nginx status page configurations. matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}'] diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 7534d28c..1d59f567 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -72,6 +72,13 @@ mode: 0644 when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool +- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool + - name: Ensure Matrix nginx-proxy configuration for dimension domain exists template: src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2" @@ -204,6 +211,12 @@ state: absent when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool" +- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool" + - name: Ensure Matrix nginx-proxy configuration for dimension domain deleted file: path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index a2d59e86..55f5b266 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -69,6 +69,18 @@ server { ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 91cd9e41..da3c7b1d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -74,6 +74,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index f3a537da..e79fb1fb 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -79,6 +79,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 new file mode 100644 index 00000000..5ad99603 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -0,0 +1,98 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + {% for configuration_block in matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-client-hydrogen:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8768; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index db93be48..67161745 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -77,6 +77,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 703c490e..fc0d54b5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -136,7 +136,13 @@ proxy_max_temp_file_size 0; } - location / { + {# + We only handle the root URI for this redirect or homepage serving. + Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404, + instead of causing a redirect. + See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058 + #} + location ~* ^/$ { {% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %} return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; {% else %} @@ -196,6 +202,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} @@ -230,6 +248,18 @@ server { ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; {% endif %} location / { diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index c1978563..08df8050 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -10,6 +10,7 @@ # add_header X-Content-Type-Options nosniff; # add_header X-Frame-Options SAMEORIGIN; add_header Referrer-Policy "strict-origin-when-cross-origin"; + {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} @@ -84,6 +85,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 0b44f44d..0949cb26 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -119,6 +119,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index a69424f4..36a28039 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -62,6 +62,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index ac0253d5..5482fa8e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -76,6 +76,18 @@ server { {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {{ render_vhost_directives() }} } {% endif %} diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml index d3429c97..cf595ade 100644 --- a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml +++ b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml @@ -61,7 +61,8 @@ docker_image: name: "{{ matrix_postgres_pgloader_docker_image }}" source: build - force_source: "{{ matrix_postgres_pgloader_git_pull_results.changed }}" + force_source: "{{ matrix_postgres_pgloader_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_pgloader_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}" diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 1c9bc144..02afd9e9 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.26.0 +matrix_prometheus_version: v2.27.0 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index 158ad605..b58ba659 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}" when: matrix_registration_enabled|bool diff --git a/roles/matrix-registration/tasks/setup_install.yml b/roles/matrix-registration/tasks/setup_install.yml index 2b806fe0..0d7da9ce 100644 --- a/roles/matrix-registration/tasks/setup_install.yml +++ b/roles/matrix-registration/tasks/setup_install.yml @@ -66,7 +66,8 @@ docker_image: name: "{{ matrix_registration_docker_image }}" source: build - force_source: "{{ matrix_registration_git_pull_results.changed }}" + force_source: "{{ matrix_registration_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_registration_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_registration_docker_src_files_path }}" diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 612b33e3..dc4cc770 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.8.0 +matrix_synapse_admin_version: latest matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index 36bdb611..7898dec9 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" when: matrix_synapse_admin_enabled|bool diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml index a96ec10f..002ff68d 100644 --- a/roles/matrix-synapse-admin/tasks/setup.yml +++ b/roles/matrix-synapse-admin/tasks/setup.yml @@ -24,7 +24,8 @@ docker_image: name: "{{ matrix_synapse_admin_docker_image }}" source: build - force_source: "{{ matrix_synapse_admin_git_pull_results.changed }}" + force_source: "{{ matrix_synapse_admin_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_git_pull_results.changed }}" build: dockerfile: Dockerfile path: "{{ matrix_synapse_admin_docker_src_files_path }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index a6b035c0..4e53852a 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.33.1 -matrix_synapse_version_arm64: v1.33.1 +matrix_synapse_version: v1.34.0 +matrix_synapse_version_arm64: v1.34.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" @@ -454,6 +454,7 @@ matrix_synapse_sentry_dsn: "" # Postgres database information matrix_synapse_database_host: "matrix-postgres" +matrix_synapse_database_port: 5432 matrix_synapse_database_user: "synapse" matrix_synapse_database_password: "" matrix_synapse_database_database: "synapse" @@ -586,3 +587,4 @@ matrix_synapse_configuration_extension: "{{ matrix_synapse_configuration_extensi # Holds the final Synapse configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_synapse_configuration_yaml`. matrix_synapse_configuration: "{{ matrix_synapse_configuration_yaml|from_yaml|combine(matrix_synapse_configuration_extension, recursive=True) }}" + diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index 04b8d2b8..16790664 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build" + # Unless `matrix_synapse_workers_enabled_list` is explicitly defined, # we'll generate it dynamically. - import_tasks: "{{ role_path }}/tasks/synapse/workers/init.yml" @@ -17,10 +24,3 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" when: matrix_s3_media_store_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self buildig it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Synapse image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build" diff --git a/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml b/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml index eef46cb3..106c59d5 100644 --- a/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml +++ b/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml @@ -10,7 +10,7 @@ - name: Set matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time, if not provided set_fact: - matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 180 + matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 300 when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time|default('') == ''" - name: Set matrix_synapse_rust_synapse_compress_state_compress_room_time, if not provided diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index f1abcbcc..d4a7268f 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -31,7 +31,8 @@ docker_image: name: "{{ matrix_synapse_docker_image }}" source: build - force_source: "{{ matrix_synapse_git_pull_results.changed }}" + force_source: "{{ matrix_synapse_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_git_pull_results.changed }}" build: dockerfile: docker/Dockerfile path: "{{ matrix_synapse_docker_src_files_path }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index df280dd5..22f5f1ea 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -128,6 +128,16 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} # #gc_thresholds: [700, 10, 10] +# The minimum time in seconds between each GC for a generation, regardless of +# the GC thresholds. This ensures that we don't do GC too frequently. +# +# A value of `[1s, 10s, 30s]` indicates that a second must pass between consecutive +# generation 0 GCs, etc. +# +# Defaults to `[1s, 10s, 30s]`. +# +#gc_min_interval: [0.5s, 30s, 1m] + # Set the limit on the returned events in the timeline in the get # and sync operations. The default value is 100. -1 means no upper limit. # @@ -757,6 +767,12 @@ federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_js # #allow_profile_lookup_over_federation: false +# Uncomment to disable device display name lookup over federation. By default, the +# Federation API allows other homeservers to obtain device display names of any user +# on this homeserver. Defaults to 'true'. +# +#allow_device_name_lookup_over_federation: false + ## Caching ## @@ -813,6 +829,7 @@ database: password: {{ matrix_synapse_database_password|string|to_json }} database: "{{ matrix_synapse_database_database }}" host: "{{ matrix_synapse_database_host }}" + port: {{ matrix_synapse_database_port }} cp_min: 5 cp_max: 10 @@ -1519,6 +1536,7 @@ room_prejoin_state: # - m.room.avatar # - m.room.encryption # - m.room.name + # - m.room.create # # Uncomment the following to disable these defaults (so that only the event # types listed in 'additional_event_types' are shared). Defaults to 'false'. diff --git a/setup.yml b/setup.yml index 4e2879e5..9e3cd625 100755 --- a/setup.yml +++ b/setup.yml @@ -32,6 +32,7 @@ - matrix-bridge-mx-puppet-twitter - matrix-bridge-mx-puppet-instagram - matrix-bridge-sms + - matrix-bridge-heisenbridge - matrix-bot-matrix-reminder-bot - matrix-bot-go-neb - matrix-bot-mjolnir @@ -42,6 +43,7 @@ - matrix-grafana - matrix-registration - matrix-client-element + - matrix-client-hydrogen - matrix-jitsi - matrix-ma1sd - matrix-dimension From 36910348cfd2987657c0bfeb050521b4b78b536b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 25 May 2021 16:21:11 +0300 Subject: [PATCH 2229/2384] Switch synapse-admin to tagged release (0.8.1) Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1084 --- roles/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index dc4cc770..069b6279 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: latest +matrix_synapse_admin_version: 0.8.1 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From 6f40d783532c92403f022b4fc49a052cd2ca5ee8 Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Tue, 25 May 2021 21:25:40 +0800 Subject: [PATCH 2230/2384] fix random edits to upstream --- .../nginx/conf.d/matrix-client-hydrogen.conf.j2 | 8 ++++++-- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 10 +++++++++- roles/matrix-synapse/defaults/main.yml | 1 - 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 index 5ad99603..d9a05926 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -4,10 +4,14 @@ gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; - add_header X-XSS-Protection "1; mode=block"; add_header Content-Security-Policy "frame-ancestors 'none'"; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 36a28039..d153d5c2 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -5,6 +5,14 @@ add_header Permissions-Policy interest-cohort=() always; {% endif %} + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} @@ -67,7 +75,7 @@ server { ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 4e53852a..d966665f 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -587,4 +587,3 @@ matrix_synapse_configuration_extension: "{{ matrix_synapse_configuration_extensi # Holds the final Synapse configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_synapse_configuration_yaml`. matrix_synapse_configuration: "{{ matrix_synapse_configuration_yaml|from_yaml|combine(matrix_synapse_configuration_extension, recursive=True) }}" - From 763952395b6eff3f70cd08fd3572f9eeeeac5ea6 Mon Sep 17 00:00:00 2001 From: BG Date: Tue, 25 May 2021 16:42:04 +0200 Subject: [PATCH 2231/2384] Adding mjolnir antispam synapse modul. --- roles/matrix-synapse/defaults/main.yml | 21 ++++++++ .../tasks/ext/mjolnir-antispam/setup.yml | 7 +++ .../ext/mjolnir-antispam/setup_install.yml | 52 +++++++++++++++++++ .../ext/mjolnir-antispam/setup_uninstall.yml | 6 +++ roles/matrix-synapse/tasks/ext/setup.yml | 2 + 5 files changed, 88 insertions(+) create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d966665f..c7f0a9f7 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -505,6 +505,27 @@ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "htt matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "923ca5c85b08f157181721abbae50dd89c31e4b5" matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: [] +# Enable this to activate the Mjolnir Antispam spam-checker module. +# See: https://github.com/matrix-org/mjolnir#synapse-module +matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: false +matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url: "https://github.com/matrix-org/mjolnir" +matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "70f353fbbad0af469b1001080dea194d512b2815" +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true +# Flag messages sent by servers/users in the ban lists as spam. Currently +# this means that spammy messages will appear as empty to users. Default +# false. +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages: false +# Remove users from the user directory search by filtering matrix IDs and +# display names by the entries in the user ban list. Default false. +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false +# The room IDs of the ban lists to honour. Unlike other parts of Mjolnir, +# this list cannot be room aliases or permalinks. This server is expected +# to already be joined to the room - Mjolnir will not automatically join +# these rooms. +# ["!roomid:example.org"] +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: [] + + matrix_s3_media_store_enabled: false matrix_s3_media_store_custom_endpoint_enabled: false matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml new file mode 100644 index 00000000..6c45f469 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" + when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" + when: "not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool" diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml new file mode 100644 index 00000000..a416e42b --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml @@ -0,0 +1,52 @@ +--- + +- name: Ensure git installed (RedHat) + yum: + name: + - git + state: present + update_cache: no + when: "ansible_os_family == 'RedHat'" + +- name: Ensure git installed (Debian) + apt: + name: + - git + state: present + update_cache: no + when: "ansible_os_family == 'Debian'" + +- name: Ensure git installed (Archlinux) + pacman: + name: + - git + state: present + update_cache: no + when: "ansible_distribution == 'Archlinux'" + +- name: Clone mjolnir-antispam git repository + git: + repo: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url }}" + version: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version }}" + dest: "{{ matrix_synapse_ext_path }}/mjolnir" + become: true + become_user: "{{ matrix_user_username }}" + +- set_fact: + matrix_synapse_spam_checker: > + {{ matrix_synapse_spam_checker }} + + + [{ + "module": "mjolnir.AntiSpam", + "config": { + "block_invites": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites }}, + "block_messages": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages }}, + "block_usernames": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames }}, + "ban_lists": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists }} + } + }] + + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_synapse_ext_path }}/mjolnir/synapse_antispam/mjolnir,dst={{ matrix_synapse_in_container_python_packages_path }}/mjolnir,ro"] diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml new file mode 100644 index 00000000..d3c52e5f --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml @@ -0,0 +1,6 @@ +--- + +- name: Ensure mjolnir-antispam doesn't exist + file: + path: "{{ matrix_synapse_ext_path }}/mjolnir-antispam" + state: absent diff --git a/roles/matrix-synapse/tasks/ext/setup.yml b/roles/matrix-synapse/tasks/ext/setup.yml index 5e06ea9d..31637fa9 100644 --- a/roles/matrix-synapse/tasks/ext/setup.yml +++ b/roles/matrix-synapse/tasks/ext/setup.yml @@ -7,3 +7,5 @@ - import_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup.yml" - import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup.yml" From 9a7eddd563e68b370432d7666fd53247f1356211 Mon Sep 17 00:00:00 2001 From: BG Date: Tue, 25 May 2021 16:59:49 +0200 Subject: [PATCH 2232/2384] Updating docs. --- docs/configuring-playbook-bot-mjolnir.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 1b0241e1..6dc4e3a6 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -90,8 +90,21 @@ matrix_bot_mjolnir_access_token: "ACCESS_TOKEN_FROM_STEP_2_GOES_HERE" matrix_bot_mjolnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE" ``` +## 6. Adding mjolnir synapse antispam module (optional) -## 6. Installing +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + + +```yaml +matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: true +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages: false +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: [] +``` + + +## 7. Installing After configuring the playbook, run the [installation](installing.md) command: From 4ddd8bbb84844905d9ea0f43f267a40c52893642 Mon Sep 17 00:00:00 2001 From: rakshazi Date: Tue, 25 May 2021 17:06:39 +0000 Subject: [PATCH 2233/2384] Updated nginx-proxy (1.20.0 -> 1.21.0) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8dc8a259..3e79ab04 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.20.0-alpine +matrix_nginx_proxy_version: 1.21.0-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but From 719ecb03a80863dc4086a2e28983943d27da3c9f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 May 2021 09:55:31 +0300 Subject: [PATCH 2234/2384] Add note about pgtune.leopard.in.ua --- docs/maintenance-postgres.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 9b748d28..e2307f78 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -99,6 +99,8 @@ Example: `--extra-vars="postgres_dump_name=matrix-postgres-dump.sql"` PostgreSQL can be tuned to make it run faster. This is done by passing extra arguments to Postgres with the `matrix_postgres_process_extra_arguments` variable. You should use a website like https://pgtune.leopard.in.ua/ or information from https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server to determine what Postgres settings you should change. +**Note**: the configuration generator at https://pgtune.leopard.in.ua/ adds spaces around the `=` sign, which is invalid. You'll need to remove it manually (`max_connections = 300` -> `max_connections=300`) + ### Here are some examples: These are not recommended values and they may not work well for you. This is just to give you an idea of some of the options that can be set. If you are an experienced PostgreSQL admin feel free to update this documentation with better examples. From f8ba97ac14362c40d4a40a9e6cd20159e7024672 Mon Sep 17 00:00:00 2001 From: BG Date: Wed, 26 May 2021 09:05:28 +0200 Subject: [PATCH 2235/2384] Removing antispam note. --- docs/configuring-playbook-bot-mjolnir.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 6dc4e3a6..5ddb2ad3 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -4,8 +4,6 @@ The playbook can install and configure the [Mjolnir](https://github.com/matrix-o See the project's [documentation](https://github.com/matrix-org/mjolnir) to learn what it does and why it might be useful to you. -Note: the playbook does not currently support the Mjolnir Synapse module. The playbook does support another antispam module, see [Setting up Synapse Simple Antispam](configuring-playbook-synapse-simple-antispam.md). - ## 1. Register the bot account From d61fe94bae2bbbd98220f6aed4a38996fd265574 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 May 2021 10:52:15 +0300 Subject: [PATCH 2236/2384] Fix incorrect path in Mjolnir uninstallation tasks --- .../tasks/ext/mjolnir-antispam/setup_uninstall.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml index d3c52e5f..f8439a87 100644 --- a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml @@ -2,5 +2,5 @@ - name: Ensure mjolnir-antispam doesn't exist file: - path: "{{ matrix_synapse_ext_path }}/mjolnir-antispam" + path: "{{ matrix_synapse_ext_path }}/mjolnir" state: absent From af4bd50c2a7fe2ceab9e30842870b185ac665a1e Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Wed, 26 May 2021 11:04:47 +0200 Subject: [PATCH 2237/2384] Update IRC appservice --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 410299b7..bdf49f65 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_version: release-0.25.0 +matrix_appservice_irc_version: release-0.26.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From 1b41e9c7dd07ebf3696d344c7c352ef95569a087 Mon Sep 17 00:00:00 2001 From: Wobbel The Bear Date: Wed, 26 May 2021 13:50:35 +0200 Subject: [PATCH 2238/2384] Update PostgreSQL Maintenance page Added a mid-sized VPS configuration with configuration changes to the PostgreSQL database config. Deleted single quotes in one of the examples to unify the examples --- docs/maintenance-postgres.md | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index e2307f78..52d2d9ee 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -108,11 +108,33 @@ These are not recommended values and they may not work well for you. This is jus Here is an example config for a small 2 core server with 4GB of RAM and SSD storage: ``` matrix_postgres_process_extra_arguments: [ - "-c 'shared_buffers=128MB'", - "-c 'effective_cache_size=2304MB'", - "-c 'effective_io_concurrency=100'", - "-c 'random_page_cost=2.0'", - "-c 'min_wal_size=500MB'", + "-c shared_buffers=128MB", + "-c effective_cache_size=2304MB", + "-c effective_io_concurrency=100", + "-c random_page_cost=2.0", + "-c min_wal_size=500MB", +] +``` + +Here is an example config for a 4 core server with 8GB of RAM on a Virtual Private Server (VPS); the paramters have been configured using https://pgtune.leopard.in.ua with the following setup: PostgreSQL version 12, OS Type: Linux, DB Type: Mixed type of application, Data Storage: SSD storage: +``` +matrix_postgres_process_extra_arguments: [ + "-c max_connections=100", + "-c shared_buffers=2GB", + "-c effective_cache_size=6GB", + "-c maintenance_work_mem=512MB", + "-c checkpoint_completion_target=0.9", + "-c wal_buffers=16MB", + "-c default_statistics_target=100", + "-c random_page_cost=1.1", + "-c effective_io_concurrency=200", + "-c work_mem=5242kB", + "-c min_wal_size=1GB", + "-c max_wal_size=4GB", + "-c max_worker_processes=4", + "-c max_parallel_workers_per_gather=2", + "-c max_parallel_workers=4", + "-c max_parallel_maintenance_workers=2", ] ``` From 8472848286483f2ba19e8b94ff1eb24febb8d61d Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Wed, 26 May 2021 16:30:08 +0200 Subject: [PATCH 2239/2384] Annotate server migration Annotate server migration with a note in regard to migration between different architectures and the need to dump/restore the database. --- docs/maintenance-migrating.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index d6380b99..1d12ef45 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md @@ -1,3 +1,8 @@ +> **Note**: This migration guide is applicable if you migrate from server to another that are of the same architecture, i.e. e.g. the servers both are amd64. +> +> In case that you migrate between two different architectures (e.g. amd64 --> arm64), simply copying the complete folder is not possible as it would move the raw PostgreSQL data between different architectures. In this specific case, you would need to dump the database on your current server and import it properly on the new server. +> + # Migrating to new server 1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading to less downtime From 54e1c67e53c2ddc12444c6a215f72dd1966dc526 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Wed, 26 May 2021 16:31:01 +0200 Subject: [PATCH 2240/2384] Update maintenance-migrating.md --- docs/maintenance-migrating.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index 1d12ef45..56cdea79 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md @@ -1,4 +1,4 @@ -> **Note**: This migration guide is applicable if you migrate from server to another that are of the same architecture, i.e. e.g. the servers both are amd64. +> **Note**: This migration guide is applicable if you migrate from server to another that are of the same cpu architecture, e.g. the servers both are amd64. > > In case that you migrate between two different architectures (e.g. amd64 --> arm64), simply copying the complete folder is not possible as it would move the raw PostgreSQL data between different architectures. In this specific case, you would need to dump the database on your current server and import it properly on the new server. > From c791d1900ccb91d9ae7bcfccbeba2bd75bc84c23 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 May 2021 18:03:47 +0300 Subject: [PATCH 2241/2384] Improve wording --- docs/maintenance-migrating.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index 56cdea79..fd593691 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md @@ -1,7 +1,6 @@ -> **Note**: This migration guide is applicable if you migrate from server to another that are of the same cpu architecture, e.g. the servers both are amd64. -> -> In case that you migrate between two different architectures (e.g. amd64 --> arm64), simply copying the complete folder is not possible as it would move the raw PostgreSQL data between different architectures. In this specific case, you would need to dump the database on your current server and import it properly on the new server. +> **Note**: This migration guide is applicable if you migrate from one server to another server having the same CPU architecture (e.g. both servers being `amd64`). > +> If you're trying to migrate between different architectures (e.g. `amd64` --> `arm64`), simply copying the complete `/matrix` directory is not possible as it would move the raw PostgreSQL data between different architectures. In this specific case, you can use the guide below as a reference, but you would also need to dump the database on your current server and import it properly on the new server. See our [Backing up PostgreSQL](maintenance-postgres.md#backing-up-postgresql) docs for help with PostgreSQL backup/restore. # Migrating to new server From a8dbd93f61eb227fb41ac4426a256918fe0c035d Mon Sep 17 00:00:00 2001 From: Jez Cope Date: Wed, 26 May 2021 20:41:52 +0100 Subject: [PATCH 2242/2384] Check irc service is present before stopping it --- .../tasks/migrate_nedb_to_postgres.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml b/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml index 3fab195a..6b39ac62 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml @@ -26,10 +26,16 @@ become: false when: "matrix_postgres_service_start_result.changed|bool" +- name: Check existence of matrix-appservice-irc service + stat: + path: "{{ matrix_systemd_path }}/matrix-appservice-irc.service" + register: matrix_appservice_irc_service_stat + - name: Ensure matrix-appservice-irc is stopped service: name: matrix-appservice-irc state: stopped + when: "matrix_appservice_irc_service_stat.stat.exists" - name: Import appservice-irc NeDB database into Postgres command: From 4e2780ff8858198704f73ca4bbd4a0325376bb2a Mon Sep 17 00:00:00 2001 From: Raymond Coetzee Date: Thu, 27 May 2021 20:13:29 +0100 Subject: [PATCH 2243/2384] Add support for a prometheus postgres exporter This commit introduces a new role that downloads and installs the prometheus community postgres exporter https://github.com/prometheus-community/postgres_exporter. A new credential is added to matrix_postgres_additional_databases that allows the exporter access to the database to gather statistics. A new dashboard was added to the grafana role, with some refactoring to enable the dashboard only if the new role is enabled. I've included some basic instructions for how to enable the role in the Docs section. In terms of testing, I've tested enabling the role, and disabling it to make sure it cleans up the container and systemd role. --- ...onfiguring-playbook-prometheus-postgres.md | 29 ++++++++++ group_vars/matrix_servers | 40 ++++++++++++++ roles/matrix-grafana/tasks/setup.yml | 2 +- .../defaults/main.yml | 49 +++++++++++++++++ .../tasks/init.yml | 5 ++ .../tasks/main.yml | 8 +++ .../tasks/setup.yml | 54 +++++++++++++++++++ ...ix-prometheus-postgres-exporter.service.j2 | 42 +++++++++++++++ .../templates/prometheus.yml.j2 | 6 +++ setup.yml | 4 +- 10 files changed, 236 insertions(+), 3 deletions(-) create mode 100644 docs/configuring-playbook-prometheus-postgres.md create mode 100644 roles/matrix-prometheus-postgres-exporter/defaults/main.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/init.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/main.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/setup.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 diff --git a/docs/configuring-playbook-prometheus-postgres.md b/docs/configuring-playbook-prometheus-postgres.md new file mode 100644 index 00000000..9a631296 --- /dev/null +++ b/docs/configuring-playbook-prometheus-postgres.md @@ -0,0 +1,29 @@ +# Enabling metrics and graphs for Postgres (optional) + +Expanding on the metrics exposed by the [syapse exporter and the node exporter](configuring-playbook-prometheus-grafana.md), the playbook enables the [postgres exporter](https://github.com/prometheus-community/postgres_exporter) that exposes more detailed information about what's happening on your postgres database. + +You can enable this with the following settings in your configuration file (`inventory/host_vars/matrix./vars.yml`): + + +```yaml +matrix_prometheus_postgres_exporter_enabled: true + +# the role creates a postgres user as credential. You can configure these if required: +matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter' +matrix_prometheus_postgres_exporter_database_password: 'some-password' + +``` + +## What does it do? + +Name | Description +-----|---------- +`matrix_prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false' +`matrix_prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter' +`matrix_prometheus_postgres_exporter_database_password`| The 'username' for the user that the exporter uses to connect to the database. + + +## More information + +- [The PostgresSQL dashboard](https://grafana.com/grafana/dashboards/9628) (generic postgres dashboard) + diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 86f1d5a3..96b933f3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1466,6 +1466,13 @@ matrix_postgres_additional_databases: | 'username': matrix_sygnal_database_username, 'password': matrix_sygnal_database_password, }] if (matrix_sygnal_enabled and matrix_sygnal_database_engine == 'postgres' and matrix_sygnal_database_hostname == 'matrix-postgres') else []) + + + ([{ + 'name': matrix_prometheus_postgres_exporter_database_name, + 'username': matrix_prometheus_postgres_exporter_database_username, + 'password': matrix_prometheus_postgres_exporter_database_password, + }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == 'matrix-postgres') else []) + }} matrix_postgres_import_roles_to_ignore: | @@ -1766,6 +1773,10 @@ matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_i matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}" matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}" +matrix_prometheus_scraper_postgres_enabled: "{{ matrix_prometheus_postgres_exporter_enabled }}" +matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exporter:'+ matrix_prometheus_postgres_exporter_port|string] if matrix_prometheus_scraper_postgres_enabled else [] }}" + + ###################################################################### # # /matrix-prometheus @@ -1773,6 +1784,27 @@ matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:91 ###################################################################### +###################################################################### +# +# matrix-prometheus-postgres-exporter +# +###################################################################### + +matrix_prometheus_postgres_exporter_enabled: false +matrix_prometheus_postgres_exporter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" + +matrix_prometheus_postgres_exporter_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + }} + +###################################################################### +# +# /matrix-prometheus-postgres-exporter +# +###################################################################### ###################################################################### # @@ -1787,6 +1819,14 @@ matrix_grafana_enabled: false # Grafana's HTTP port to the local host. matrix_grafana_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:3000' }}" +matrix_grafana_dashboard_download_urls_all: | + {{ + matrix_grafana_dashboard_download_urls + + + (matrix_prometheus_postgres_exporter_dashboard_urls if matrix_prometheus_postgres_exporter_enabled else []) + }} + + ###################################################################### # # /matrix-grafana diff --git a/roles/matrix-grafana/tasks/setup.yml b/roles/matrix-grafana/tasks/setup.yml index c2eea348..00d2e230 100644 --- a/roles/matrix-grafana/tasks/setup.yml +++ b/roles/matrix-grafana/tasks/setup.yml @@ -64,7 +64,7 @@ mode: 0440 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - with_items: "{{ matrix_grafana_dashboard_download_urls }}" + with_items: "{{ matrix_grafana_dashboard_download_urls_all }}" when: matrix_grafana_enabled|bool - name: Ensure matrix-grafana.service installed diff --git a/roles/matrix-prometheus-postgres-exporter/defaults/main.yml b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml new file mode 100644 index 00000000..8aca4576 --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml @@ -0,0 +1,49 @@ +# matrix-prometheus-postgres-exporter is an Prometheus exporter for postgres metrics +# See: https://github.com/prometheus-community/postgres_exporter + +matrix_prometheus_postgres_exporter_enabled: false + +matrix_prometheus_postgres_exporter_version: v0.9.0 +matrix_prometheus_postgres_exporter_port: 9187 + +matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}" +matrix_prometheus_postgres_exporter_docker_image_force_pull: "{{ matrix_prometheus_postgres_exporter_docker_image.endswith(':latest') }}" + +# A list of extra arguments to pass to the container +matrix_prometheus_postgres_exporter_container_extra_arguments: ["-e PG_EXPORTER_AUTO_DISCOVER_DATABASES=true", + "-e PG_EXPORTER_WEB_LISTEN_ADDRESS=\":{{matrix_prometheus_postgres_exporter_port}}\"", + "-e DATA_SOURCE_NAME=\"postgresql://{{matrix_prometheus_postgres_exporter_database_username}}:{{matrix_prometheus_postgres_exporter_database_password}}@{{matrix_prometheus_postgres_exporter_database_hostname}}:5432/{{matrix_prometheus_postgres_exporter_database_name}}?sslmode=disable\"" ] + +# List of systemd services that matrix-prometheus-postgres-exporter.service depends on +matrix_prometheus_postgres_exporter_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-prometheus-postgres-exporter.service wants +matrix_prometheus_postgres_exporter_systemd_wanted_services_list: [] + +# details for connecting to the database +matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter' +matrix_prometheus_postgres_exporter_database_password: 'some-password' +matrix_prometheus_postgres_exporter_database_hostname: 'matrix-postgres' +matrix_prometheus_postgres_exporter_database_port: 5432 +matrix_prometheus_postgres_exporter_database_name: 'matrix_prometheus_postgres_exporter' + + +# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). +# +# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# +# Official recommendations are to run this container with `--net=host`, +# but we don't do that, since it: +# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) +# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`) +# +# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, +# but that's trickier to accomplish and won't necessarily work (hasn't been tested). +# +# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), +# because node-exporter can't see all interfaces, etc. +# For now, we'll live with that, until someone develops a better solution. +matrix_prometheus_postgres_exporter_container_http_host_bind_port: '' + +matrix_prometheus_postgres_exporter_dashboard_urls: +- "https://grafana.com/api/dashboards/9628/revisions/7/download" \ No newline at end of file diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/init.yml b/roles/matrix-prometheus-postgres-exporter/tasks/init.yml new file mode 100644 index 00000000..2bd6904e --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/init.yml @@ -0,0 +1,5 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-postgres-exporter.service'] }}" + when: matrix_prometheus_postgres_exporter_enabled|bool + + diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/main.yml b/roles/matrix-prometheus-postgres-exporter/tasks/main.yml new file mode 100644 index 00000000..e3c364fa --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/main.yml @@ -0,0 +1,8 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup-all + - setup-prometheus-postgres-exporter diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml b/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml new file mode 100644 index 00000000..076ece1a --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml @@ -0,0 +1,54 @@ +--- + +# +# Tasks related to setting up matrix-prometheus-postgres-exporter +# + +- name: Ensure matrix-prometheus-postgres-exporter image is pulled + docker_image: + name: "{{ matrix_prometheus_postgres_exporter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_prometheus_postgres_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_postgres_exporter_docker_image_force_pull }}" + when: "matrix_prometheus_postgres_exporter_enabled|bool" + +- name: Ensure matrix-prometheus-postgres-exporter.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-prometheus-postgres-exporter.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + mode: 0644 + register: matrix_prometheus_postgres_exporter_systemd_service_result + when: matrix_prometheus_postgres_exporter_enabled|bool + +- name: Ensure systemd reloaded after matrix-prometheus.service installation + service: + daemon_reload: yes + when: "matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_systemd_service_result.changed" + +# +# Tasks related to getting rid of matrix-prometheus-postgres-exporter (if it was previously enabled) +# + +- name: Check existence of matrix-prometheus-postgres-exporter service + stat: + path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + register: matrix_prometheus_postgres_exporter_service_stat + +- name: Ensure matrix-prometheus-postgres-exporter is stopped + service: + name: matrix-prometheus-postgres-exporter + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" + +- name: Ensure matrix-prometheus-postgres-exporter.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + state: absent + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-prometheus-postgres-exporter.service removal + service: + daemon_reload: yes + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" diff --git a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 new file mode 100644 index 00000000..b25cb5de --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-prometheus-postgres-exporter +{% for service in matrix_prometheus_postgres_exporter_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_prometheus_postgres_exporter_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' + + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-postgres-exporter \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + {% for arg in matrix_prometheus_postgres_exporter_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + --network={{ matrix_docker_network }} \ + {% if matrix_prometheus_postgres_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_postgres_exporter_container_http_host_bind_port }}:{{matrix_prometheus_postgres_exporter_port}} \ + {% endif %} + --pid=host \ + {{ matrix_prometheus_postgres_exporter_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-prometheus-postgres-exporter + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index 9502a08b..b3ee3b86 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -38,3 +38,9 @@ scrape_configs: static_configs: - targets: {{ matrix_prometheus_scraper_node_targets|to_json }} {% endif %} + + {% if matrix_prometheus_scraper_postgres_enabled %} + - job_name: postgres + static_configs: + - targets: {{ matrix_prometheus_scraper_postgres_targets|to_json }} + {% endif %} \ No newline at end of file diff --git a/setup.yml b/setup.yml index 9e3cd625..142364c4 100755 --- a/setup.yml +++ b/setup.yml @@ -54,5 +54,5 @@ - matrix-coturn - matrix-aux - matrix-postgres-backup - - matrix-common-after - + - matrix-prometheus-postgres-exporter + - matrix-common-after \ No newline at end of file From cf1a9078b070d6bd9d1574e04cc530031aea4707 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Thu, 27 May 2021 15:21:47 -0500 Subject: [PATCH 2244/2384] Update IRC channel --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8448680c..096c04e3 100644 --- a/README.md +++ b/README.md @@ -130,7 +130,7 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w - Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) -- IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net) +- IRC channel: `#matrix-docker-ansible-deploy` on the [Libera Chat](https://libera.chat/) IRC network (irc.libera.chat:6697) - GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) From 28b8bb0bf1dd8ff2c95ba817ce6e172b59ea912c Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Fri, 28 May 2021 09:31:55 +0200 Subject: [PATCH 2245/2384] Minor correction --- docs/configuring-playbook-prometheus-postgres.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-prometheus-postgres.md b/docs/configuring-playbook-prometheus-postgres.md index 9a631296..34407aae 100644 --- a/docs/configuring-playbook-prometheus-postgres.md +++ b/docs/configuring-playbook-prometheus-postgres.md @@ -1,6 +1,6 @@ # Enabling metrics and graphs for Postgres (optional) -Expanding on the metrics exposed by the [syapse exporter and the node exporter](configuring-playbook-prometheus-grafana.md), the playbook enables the [postgres exporter](https://github.com/prometheus-community/postgres_exporter) that exposes more detailed information about what's happening on your postgres database. +Expanding on the metrics exposed by the [synapse exporter and the node exporter](configuring-playbook-prometheus-grafana.md), the playbook enables the [postgres exporter](https://github.com/prometheus-community/postgres_exporter) that exposes more detailed information about what's happening on your postgres database. You can enable this with the following settings in your configuration file (`inventory/host_vars/matrix./vars.yml`): @@ -20,7 +20,7 @@ Name | Description -----|---------- `matrix_prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false' `matrix_prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter' -`matrix_prometheus_postgres_exporter_database_password`| The 'username' for the user that the exporter uses to connect to the database. +`matrix_prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. ## More information From 4880dcceb0d91ef4c3f2b56c3ddb64c477e14f1f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 28 May 2021 11:14:01 +0300 Subject: [PATCH 2246/2384] Fix OCSP-stapling-related errors due to missing resolver Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057 --- roles/matrix-nginx-proxy/defaults/main.yml | 18 +++++++++++++++--- .../nginx/conf.d/matrix-base-domain.conf.j2 | 8 ++++---- .../templates/nginx/conf.d/nginx-http.conf.j2 | 5 +++++ 3 files changed, 24 insertions(+), 7 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3e79ab04..e7ee00a5 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -289,7 +289,7 @@ matrix_nginx_proxy_floc_optout_enabled: true # HSTS Preloading Enable # -# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and # indicates a willingness to be “preloaded” into browsers: # `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` # For more information visit: @@ -357,6 +357,18 @@ matrix_nginx_proxy_self_check_validate_certificates: true # so we default to not following redirects as well. matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none +# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter). +# +# Otherwise, we get warnings like this: +# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem" +# +# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`. +# +# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver. +# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people. +# It might also be that no such warnings occur when not running in a container. +matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}" + # By default, this playbook automatically retrieves and auto-renews # free SSL certificates from Let's Encrypt. # @@ -416,7 +428,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 # Nginx Optimize SSL Session # # ssl_session_cache: -# - Creating a cache of TLS connection parameters reduces the number of handshakes +# - Creating a cache of TLS connection parameters reduces the number of handshakes # and thus can improve the performance of application. # - Default session cache is not optimal as it can be used by only one worker process # and can cause memory fragmentation. It is much better to use shared cache. @@ -425,7 +437,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 # ssl_session_timeout: # - Nginx by default it is set to 5 minutes which is very low. # should be like 4h or 1d but will require you to increase the size of cache. -# - Learn More: +# - Learn More: # https://github.com/certbot/certbot/issues/6903 # https://github.com/mozilla/server-side-tls/issues/198 # diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 3b0f213d..37863d73 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -9,13 +9,13 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} @@ -77,13 +77,13 @@ server { ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 index 4811ac99..beea6afa 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 @@ -4,6 +4,11 @@ # # Thus, we ensure a larger bucket size value is used. server_names_hash_bucket_size 64; + +{% if matrix_nginx_proxy_http_level_resolver %} + resolver {{ matrix_nginx_proxy_http_level_resolver }}; +{% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} From bee14550abb63b903026258e4188520f36ad81bb Mon Sep 17 00:00:00 2001 From: pushytoxin Date: Fri, 28 May 2021 07:56:46 +0200 Subject: [PATCH 2247/2384] Fix local/bin scripts autocompletion by adding rx perms to everyone It's mildly annoying when trying to execute these scripts while logged in as a regular user, as the missing execute permissions will hinder autocompletion even when trying to use with sudo. These shell scripts don't contain secrets, but may fail when ran by a regular user. The failure is due to the lack of access to the /matrix directory, and does not result in any damage. --- .../matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml | 2 +- roles/matrix-postgres/tasks/setup_postgres.yml | 6 +++--- roles/matrix-synapse/tasks/synapse/setup_install.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 5bf9102d..bfd25894 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -34,7 +34,7 @@ template: src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2" dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" - mode: 0750 + mode: 0755 - name: Ensure SSL renewal systemd units installed template: diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index c072b2ea..4294bc11 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -77,14 +77,14 @@ template: src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2" dest: "{{ matrix_local_bin_path }}/matrix-postgres-cli" - mode: 0750 + mode: 0755 when: matrix_postgres_enabled|bool - name: Ensure matrix-change-user-admin-status script created template: src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2" dest: "{{ matrix_local_bin_path }}/matrix-change-user-admin-status" - mode: 0750 + mode: 0755 when: matrix_postgres_enabled|bool - name: (Migration) Ensure old matrix-make-user-admin script deleted @@ -97,7 +97,7 @@ template: src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" dest: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash" - mode: 0750 + mode: 0755 when: matrix_postgres_enabled|bool - name: Ensure matrix-postgres.service installed diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index d4a7268f..b658cfff 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -106,4 +106,4 @@ template: src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2" dest: "{{ matrix_local_bin_path }}/matrix-synapse-register-user" - mode: 0750 + mode: 0755 From 897c9825172b6872126019202ed0113d0aca3ce4 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Sun, 30 May 2021 14:32:51 +0530 Subject: [PATCH 2248/2384] prometheus security update 2.27.1 --- roles/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 02afd9e9..6c0fef31 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.27.0 +matrix_prometheus_version: v2.27.1 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 3581e1b37b2a4c6d9d30333ba4f8fa18b3080586 Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Mon, 31 May 2021 08:43:55 +0300 Subject: [PATCH 2249/2384] Heisenbridge identd on unprivileged port Fixes running the container as an unprivileged user. --- .../templates/systemd/matrix-heisenbridge.service.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 index 91ba39b3..e27b88f1 100644 --- a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 +++ b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 @@ -22,7 +22,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ {% if matrix_heisenbridge_identd_enabled %} - -p 113:113 \ + -p 113:13113 \ {% endif %} -v {{ matrix_heisenbridge_base_path }}:/config:z \ {% for arg in matrix_heisenbridge_container_extra_arguments %} @@ -31,6 +31,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ {{ matrix_heisenbridge_docker_image }} \ {% if matrix_heisenbridge_identd_enabled %} --identd \ + --identd-port 13113 \ {% endif %} {% if matrix_heisenbridge_owner %} -o {{ matrix_heisenbridge_owner }} \ From ad7bbd644259da36ba82ab89c97077f16f428393 Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Tue, 1 Jun 2021 16:00:13 +0800 Subject: [PATCH 2250/2384] merge upstream --- README.md | 2 +- docs/configuring-playbook-bot-mjolnir.md | 17 ++++-- ...onfiguring-playbook-prometheus-postgres.md | 29 ++++++++++ docs/maintenance-migrating.md | 4 ++ docs/maintenance-postgres.md | 34 ++++++++++-- group_vars/matrix_servers | 40 ++++++++++++++ .../surveys/configure_element.json.j2 | 12 ----- .../configure_element_subdomain.json.j2 | 18 +++++++ .../surveys/configure_synapse.json.j2 | 2 +- roles/matrix-awx/tasks/main.yml | 9 ++++ .../tasks/set_variables_element.yml | 1 - .../tasks/set_variables_element_subdomain.yml | 49 +++++++++++++++++ .../tasks/set_variables_synapse.yml | 4 +- .../defaults/main.yml | 2 +- .../tasks/migrate_nedb_to_postgres.yml | 6 +++ .../systemd/matrix-heisenbridge.service.j2 | 3 +- roles/matrix-grafana/tasks/setup.yml | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 20 +++++-- .../tasks/ssl/setup_ssl_lets_encrypt.yml | 2 +- .../nginx/conf.d/matrix-base-domain.conf.j2 | 8 +-- .../templates/nginx/conf.d/nginx-http.conf.j2 | 5 ++ .../matrix-postgres/tasks/setup_postgres.yml | 6 +-- .../defaults/main.yml | 49 +++++++++++++++++ .../tasks/init.yml | 5 ++ .../tasks/main.yml | 8 +++ .../tasks/setup.yml | 54 +++++++++++++++++++ ...ix-prometheus-postgres-exporter.service.j2 | 42 +++++++++++++++ roles/matrix-prometheus/defaults/main.yml | 2 +- .../templates/prometheus.yml.j2 | 6 +++ roles/matrix-synapse-admin/defaults/main.yml | 2 +- roles/matrix-synapse/defaults/main.yml | 23 ++++++++ .../tasks/ext/mjolnir-antispam/setup.yml | 7 +++ .../ext/mjolnir-antispam/setup_install.yml | 52 ++++++++++++++++++ .../ext/mjolnir-antispam/setup_uninstall.yml | 6 +++ roles/matrix-synapse/tasks/ext/setup.yml | 2 + .../tasks/synapse/setup_install.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 2 + setup.yml | 4 +- 38 files changed, 496 insertions(+), 45 deletions(-) create mode 100644 docs/configuring-playbook-prometheus-postgres.md create mode 100644 roles/matrix-awx/surveys/configure_element_subdomain.json.j2 create mode 100644 roles/matrix-awx/tasks/set_variables_element_subdomain.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/defaults/main.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/init.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/main.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/setup.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml diff --git a/README.md b/README.md index 8448680c..096c04e3 100644 --- a/README.md +++ b/README.md @@ -130,7 +130,7 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w - Matrix room: [#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) -- IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net) +- IRC channel: `#matrix-docker-ansible-deploy` on the [Libera Chat](https://libera.chat/) IRC network (irc.libera.chat:6697) - GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues) diff --git a/docs/configuring-playbook-bot-mjolnir.md b/docs/configuring-playbook-bot-mjolnir.md index 1b0241e1..5ddb2ad3 100644 --- a/docs/configuring-playbook-bot-mjolnir.md +++ b/docs/configuring-playbook-bot-mjolnir.md @@ -4,8 +4,6 @@ The playbook can install and configure the [Mjolnir](https://github.com/matrix-o See the project's [documentation](https://github.com/matrix-org/mjolnir) to learn what it does and why it might be useful to you. -Note: the playbook does not currently support the Mjolnir Synapse module. The playbook does support another antispam module, see [Setting up Synapse Simple Antispam](configuring-playbook-synapse-simple-antispam.md). - ## 1. Register the bot account @@ -90,8 +88,21 @@ matrix_bot_mjolnir_access_token: "ACCESS_TOKEN_FROM_STEP_2_GOES_HERE" matrix_bot_mjolnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE" ``` +## 6. Adding mjolnir synapse antispam module (optional) + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + + +```yaml +matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: true +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages: false +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: [] +``` + -## 6. Installing +## 7. Installing After configuring the playbook, run the [installation](installing.md) command: diff --git a/docs/configuring-playbook-prometheus-postgres.md b/docs/configuring-playbook-prometheus-postgres.md new file mode 100644 index 00000000..34407aae --- /dev/null +++ b/docs/configuring-playbook-prometheus-postgres.md @@ -0,0 +1,29 @@ +# Enabling metrics and graphs for Postgres (optional) + +Expanding on the metrics exposed by the [synapse exporter and the node exporter](configuring-playbook-prometheus-grafana.md), the playbook enables the [postgres exporter](https://github.com/prometheus-community/postgres_exporter) that exposes more detailed information about what's happening on your postgres database. + +You can enable this with the following settings in your configuration file (`inventory/host_vars/matrix./vars.yml`): + + +```yaml +matrix_prometheus_postgres_exporter_enabled: true + +# the role creates a postgres user as credential. You can configure these if required: +matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter' +matrix_prometheus_postgres_exporter_database_password: 'some-password' + +``` + +## What does it do? + +Name | Description +-----|---------- +`matrix_prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false' +`matrix_prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter' +`matrix_prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. + + +## More information + +- [The PostgresSQL dashboard](https://grafana.com/grafana/dashboards/9628) (generic postgres dashboard) + diff --git a/docs/maintenance-migrating.md b/docs/maintenance-migrating.md index d6380b99..fd593691 100644 --- a/docs/maintenance-migrating.md +++ b/docs/maintenance-migrating.md @@ -1,3 +1,7 @@ +> **Note**: This migration guide is applicable if you migrate from one server to another server having the same CPU architecture (e.g. both servers being `amd64`). +> +> If you're trying to migrate between different architectures (e.g. `amd64` --> `arm64`), simply copying the complete `/matrix` directory is not possible as it would move the raw PostgreSQL data between different architectures. In this specific case, you can use the guide below as a reference, but you would also need to dump the database on your current server and import it properly on the new server. See our [Backing up PostgreSQL](maintenance-postgres.md#backing-up-postgresql) docs for help with PostgreSQL backup/restore. + # Migrating to new server 1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading to less downtime diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 9b748d28..52d2d9ee 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -99,6 +99,8 @@ Example: `--extra-vars="postgres_dump_name=matrix-postgres-dump.sql"` PostgreSQL can be tuned to make it run faster. This is done by passing extra arguments to Postgres with the `matrix_postgres_process_extra_arguments` variable. You should use a website like https://pgtune.leopard.in.ua/ or information from https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server to determine what Postgres settings you should change. +**Note**: the configuration generator at https://pgtune.leopard.in.ua/ adds spaces around the `=` sign, which is invalid. You'll need to remove it manually (`max_connections = 300` -> `max_connections=300`) + ### Here are some examples: These are not recommended values and they may not work well for you. This is just to give you an idea of some of the options that can be set. If you are an experienced PostgreSQL admin feel free to update this documentation with better examples. @@ -106,11 +108,33 @@ These are not recommended values and they may not work well for you. This is jus Here is an example config for a small 2 core server with 4GB of RAM and SSD storage: ``` matrix_postgres_process_extra_arguments: [ - "-c 'shared_buffers=128MB'", - "-c 'effective_cache_size=2304MB'", - "-c 'effective_io_concurrency=100'", - "-c 'random_page_cost=2.0'", - "-c 'min_wal_size=500MB'", + "-c shared_buffers=128MB", + "-c effective_cache_size=2304MB", + "-c effective_io_concurrency=100", + "-c random_page_cost=2.0", + "-c min_wal_size=500MB", +] +``` + +Here is an example config for a 4 core server with 8GB of RAM on a Virtual Private Server (VPS); the paramters have been configured using https://pgtune.leopard.in.ua with the following setup: PostgreSQL version 12, OS Type: Linux, DB Type: Mixed type of application, Data Storage: SSD storage: +``` +matrix_postgres_process_extra_arguments: [ + "-c max_connections=100", + "-c shared_buffers=2GB", + "-c effective_cache_size=6GB", + "-c maintenance_work_mem=512MB", + "-c checkpoint_completion_target=0.9", + "-c wal_buffers=16MB", + "-c default_statistics_target=100", + "-c random_page_cost=1.1", + "-c effective_io_concurrency=200", + "-c work_mem=5242kB", + "-c min_wal_size=1GB", + "-c max_wal_size=4GB", + "-c max_worker_processes=4", + "-c max_parallel_workers_per_gather=2", + "-c max_parallel_workers=4", + "-c max_parallel_maintenance_workers=2", ] ``` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 86f1d5a3..96b933f3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1466,6 +1466,13 @@ matrix_postgres_additional_databases: | 'username': matrix_sygnal_database_username, 'password': matrix_sygnal_database_password, }] if (matrix_sygnal_enabled and matrix_sygnal_database_engine == 'postgres' and matrix_sygnal_database_hostname == 'matrix-postgres') else []) + + + ([{ + 'name': matrix_prometheus_postgres_exporter_database_name, + 'username': matrix_prometheus_postgres_exporter_database_username, + 'password': matrix_prometheus_postgres_exporter_database_password, + }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == 'matrix-postgres') else []) + }} matrix_postgres_import_roles_to_ignore: | @@ -1766,6 +1773,10 @@ matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_i matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}" matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}" +matrix_prometheus_scraper_postgres_enabled: "{{ matrix_prometheus_postgres_exporter_enabled }}" +matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exporter:'+ matrix_prometheus_postgres_exporter_port|string] if matrix_prometheus_scraper_postgres_enabled else [] }}" + + ###################################################################### # # /matrix-prometheus @@ -1773,6 +1784,27 @@ matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:91 ###################################################################### +###################################################################### +# +# matrix-prometheus-postgres-exporter +# +###################################################################### + +matrix_prometheus_postgres_exporter_enabled: false +matrix_prometheus_postgres_exporter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}" + +matrix_prometheus_postgres_exporter_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-postgres.service'] if matrix_postgres_enabled else []) + }} + +###################################################################### +# +# /matrix-prometheus-postgres-exporter +# +###################################################################### ###################################################################### # @@ -1787,6 +1819,14 @@ matrix_grafana_enabled: false # Grafana's HTTP port to the local host. matrix_grafana_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:3000' }}" +matrix_grafana_dashboard_download_urls_all: | + {{ + matrix_grafana_dashboard_download_urls + + + (matrix_prometheus_postgres_exporter_dashboard_urls if matrix_prometheus_postgres_exporter_enabled else []) + }} + + ###################################################################### # # /matrix-grafana diff --git a/roles/matrix-awx/surveys/configure_element.json.j2 b/roles/matrix-awx/surveys/configure_element.json.j2 index 02812fbc..d85a0ee5 100755 --- a/roles/matrix-awx/surveys/configure_element.json.j2 +++ b/roles/matrix-awx/surveys/configure_element.json.j2 @@ -61,18 +61,6 @@ "new_question": true, "variable": "matrix_client_element_registration_enabled", "type": "multiplechoice" - }, - { - "question_name": "Set Element Subdomain", - "question_description": "Sets the subdomain of the Element web-client, you should only specify the subdomain, not the base domain you've already set. (Eg: 'element' for element.example.org) Note that if you change this value you'll need to reconfigure your DNS.", - "required": false, - "min": 0, - "max": 2048, - "default": "{{ element_subdomain }}", - "choices": "", - "new_question": true, - "variable": "element_subdomain", - "type": "text" } ] } diff --git a/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 b/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 new file mode 100644 index 00000000..a355af23 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_element_subdomain.json.j2 @@ -0,0 +1,18 @@ +{ + "name": "Configure Element Subdomain", + "description": "Configure Element clients subdomain location. (Eg: 'element' for element.example.org)", + "spec": [ + { + "question_name": "Set Element Subdomain", + "question_description": "Sets the subdomain of the Element web-client, you should only specify the subdomain, not the base domain you've already set. (Eg: 'element' for element.example.org) Note that if you change this value you'll need to reconfigure your DNS.", + "required": false, + "min": 0, + "max": 2048, + "default": "{{ element_subdomain }}", + "choices": "", + "new_question": true, + "variable": "element_subdomain", + "type": "text" + } + ] +} diff --git a/roles/matrix-awx/surveys/configure_synapse.json.j2 b/roles/matrix-awx/surveys/configure_synapse.json.j2 index 22b80303..7089f7b3 100755 --- a/roles/matrix-awx/surveys/configure_synapse.json.j2 +++ b/roles/matrix-awx/surveys/configure_synapse.json.j2 @@ -107,7 +107,7 @@ "default": "", "choices": "", "new_question": true, - "variable": "matrix_synapse_registration_shared_secret", + "variable": "ext_matrix_synapse_registration_shared_secret", "type": "password" }, { diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index abfef97c..654cdf62 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -98,6 +98,15 @@ tags: - setup-client-element +# Additional playbook to set the variable file during Element configuration +- include_tasks: + file: "set_variables_element_subdomain.yml" + apply: + tags: setup-client-element-subdomain + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-client-element-subdomain + # Additional playbook to set the variable file during Synapse configuration - include_tasks: file: "set_variables_synapse.yml" diff --git a/roles/matrix-awx/tasks/set_variables_element.yml b/roles/matrix-awx/tasks/set_variables_element.yml index a0e41770..29aac37f 100755 --- a/roles/matrix-awx/tasks/set_variables_element.yml +++ b/roles/matrix-awx/tasks/set_variables_element.yml @@ -12,7 +12,6 @@ 'matrix_client_element_brand': '{{ matrix_client_element_brand }}' 'matrix_client_element_default_theme': '{{ matrix_client_element_default_theme }}' 'matrix_client_element_registration_enabled': '{{ matrix_client_element_registration_enabled }}' - 'matrix_server_fqn_element': "{{ element_subdomain }}.{{ matrix_domain }}" - name: Set fact for 'https' string set_fact: diff --git a/roles/matrix-awx/tasks/set_variables_element_subdomain.yml b/roles/matrix-awx/tasks/set_variables_element_subdomain.yml new file mode 100644 index 00000000..87259d0f --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_element_subdomain.yml @@ -0,0 +1,49 @@ + +- name: Record Element-Web variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Element Settings Start' + with_dict: + 'matrix_server_fqn_element': "{{ element_subdomain }}.{{ matrix_domain }}" + +- name: Save new 'Configure Element Subdomain' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_element_subdomain.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json' + +- name: Copy new 'Configure Element Subdomain' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json' + dest: '/matrix/awx/configure_element_subdomain.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Element Subdomain' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Element Subdomain" + description: "Configure Element clients subdomain location. (Eg: 'element' for element.example.org)" + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-all,setup-client-element-subdomain" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_element_subdomain.json') }}" + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index e1a7312c..6459f5a2 100755 --- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -59,8 +59,8 @@ line: "{{ item.key }}: {{ item.value }}" insertafter: '# Synapse Settings Start' with_dict: - 'matrix_synapse_registration_shared_secret': '{{ matrix_synapse_registration_shared_secret }}' - when: matrix_synapse_registration_shared_secret|length > 0 + 'matrix_synapse_registration_shared_secret': '{{ ext_matrix_synapse_registration_shared_secret }}' + when: ext_matrix_synapse_registration_shared_secret|length > 0 - name: Record registations_require_3pid extra variable if true delegate_to: 127.0.0.1 diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 410299b7..bdf49f65 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_version: release-0.25.0 +matrix_appservice_irc_version: release-0.26.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml b/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml index 3fab195a..6b39ac62 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml @@ -26,10 +26,16 @@ become: false when: "matrix_postgres_service_start_result.changed|bool" +- name: Check existence of matrix-appservice-irc service + stat: + path: "{{ matrix_systemd_path }}/matrix-appservice-irc.service" + register: matrix_appservice_irc_service_stat + - name: Ensure matrix-appservice-irc is stopped service: name: matrix-appservice-irc state: stopped + when: "matrix_appservice_irc_service_stat.stat.exists" - name: Import appservice-irc NeDB database into Postgres command: diff --git a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 index 91ba39b3..e27b88f1 100644 --- a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 +++ b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 @@ -22,7 +22,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ {% if matrix_heisenbridge_identd_enabled %} - -p 113:113 \ + -p 113:13113 \ {% endif %} -v {{ matrix_heisenbridge_base_path }}:/config:z \ {% for arg in matrix_heisenbridge_container_extra_arguments %} @@ -31,6 +31,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ {{ matrix_heisenbridge_docker_image }} \ {% if matrix_heisenbridge_identd_enabled %} --identd \ + --identd-port 13113 \ {% endif %} {% if matrix_heisenbridge_owner %} -o {{ matrix_heisenbridge_owner }} \ diff --git a/roles/matrix-grafana/tasks/setup.yml b/roles/matrix-grafana/tasks/setup.yml index c2eea348..00d2e230 100644 --- a/roles/matrix-grafana/tasks/setup.yml +++ b/roles/matrix-grafana/tasks/setup.yml @@ -64,7 +64,7 @@ mode: 0440 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - with_items: "{{ matrix_grafana_dashboard_download_urls }}" + with_items: "{{ matrix_grafana_dashboard_download_urls_all }}" when: matrix_grafana_enabled|bool - name: Ensure matrix-grafana.service installed diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8dc8a259..e7ee00a5 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.20.0-alpine +matrix_nginx_proxy_version: 1.21.0-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but @@ -289,7 +289,7 @@ matrix_nginx_proxy_floc_optout_enabled: true # HSTS Preloading Enable # -# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and # indicates a willingness to be “preloaded” into browsers: # `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` # For more information visit: @@ -357,6 +357,18 @@ matrix_nginx_proxy_self_check_validate_certificates: true # so we default to not following redirects as well. matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none +# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter). +# +# Otherwise, we get warnings like this: +# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem" +# +# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`. +# +# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver. +# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people. +# It might also be that no such warnings occur when not running in a container. +matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}" + # By default, this playbook automatically retrieves and auto-renews # free SSL certificates from Let's Encrypt. # @@ -416,7 +428,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 # Nginx Optimize SSL Session # # ssl_session_cache: -# - Creating a cache of TLS connection parameters reduces the number of handshakes +# - Creating a cache of TLS connection parameters reduces the number of handshakes # and thus can improve the performance of application. # - Default session cache is not optimal as it can be used by only one worker process # and can cause memory fragmentation. It is much better to use shared cache. @@ -425,7 +437,7 @@ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 # ssl_session_timeout: # - Nginx by default it is set to 5 minutes which is very low. # should be like 4h or 1d but will require you to increase the size of cache. -# - Learn More: +# - Learn More: # https://github.com/certbot/certbot/issues/6903 # https://github.com/mozilla/server-side-tls/issues/198 # diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 5bf9102d..bfd25894 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -34,7 +34,7 @@ template: src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2" dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" - mode: 0750 + mode: 0755 - name: Ensure SSL renewal systemd units installed template: diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 3b0f213d..37863d73 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -9,13 +9,13 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} - + {% if matrix_nginx_proxy_hsts_preload_enabled %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} @@ -77,13 +77,13 @@ server { ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; {% endif %} - + {% if matrix_nginx_proxy_ssl_session_tickets_off %} ssl_session_tickets off; {% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 index 4811ac99..beea6afa 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 @@ -4,6 +4,11 @@ # # Thus, we ensure a larger bucket size value is used. server_names_hash_bucket_size 64; + +{% if matrix_nginx_proxy_http_level_resolver %} + resolver {{ matrix_nginx_proxy_http_level_resolver }}; +{% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index c072b2ea..4294bc11 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -77,14 +77,14 @@ template: src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2" dest: "{{ matrix_local_bin_path }}/matrix-postgres-cli" - mode: 0750 + mode: 0755 when: matrix_postgres_enabled|bool - name: Ensure matrix-change-user-admin-status script created template: src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2" dest: "{{ matrix_local_bin_path }}/matrix-change-user-admin-status" - mode: 0750 + mode: 0755 when: matrix_postgres_enabled|bool - name: (Migration) Ensure old matrix-make-user-admin script deleted @@ -97,7 +97,7 @@ template: src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" dest: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash" - mode: 0750 + mode: 0755 when: matrix_postgres_enabled|bool - name: Ensure matrix-postgres.service installed diff --git a/roles/matrix-prometheus-postgres-exporter/defaults/main.yml b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml new file mode 100644 index 00000000..8aca4576 --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml @@ -0,0 +1,49 @@ +# matrix-prometheus-postgres-exporter is an Prometheus exporter for postgres metrics +# See: https://github.com/prometheus-community/postgres_exporter + +matrix_prometheus_postgres_exporter_enabled: false + +matrix_prometheus_postgres_exporter_version: v0.9.0 +matrix_prometheus_postgres_exporter_port: 9187 + +matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}" +matrix_prometheus_postgres_exporter_docker_image_force_pull: "{{ matrix_prometheus_postgres_exporter_docker_image.endswith(':latest') }}" + +# A list of extra arguments to pass to the container +matrix_prometheus_postgres_exporter_container_extra_arguments: ["-e PG_EXPORTER_AUTO_DISCOVER_DATABASES=true", + "-e PG_EXPORTER_WEB_LISTEN_ADDRESS=\":{{matrix_prometheus_postgres_exporter_port}}\"", + "-e DATA_SOURCE_NAME=\"postgresql://{{matrix_prometheus_postgres_exporter_database_username}}:{{matrix_prometheus_postgres_exporter_database_password}}@{{matrix_prometheus_postgres_exporter_database_hostname}}:5432/{{matrix_prometheus_postgres_exporter_database_name}}?sslmode=disable\"" ] + +# List of systemd services that matrix-prometheus-postgres-exporter.service depends on +matrix_prometheus_postgres_exporter_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-prometheus-postgres-exporter.service wants +matrix_prometheus_postgres_exporter_systemd_wanted_services_list: [] + +# details for connecting to the database +matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter' +matrix_prometheus_postgres_exporter_database_password: 'some-password' +matrix_prometheus_postgres_exporter_database_hostname: 'matrix-postgres' +matrix_prometheus_postgres_exporter_database_port: 5432 +matrix_prometheus_postgres_exporter_database_name: 'matrix_prometheus_postgres_exporter' + + +# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). +# +# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# +# Official recommendations are to run this container with `--net=host`, +# but we don't do that, since it: +# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) +# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`) +# +# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, +# but that's trickier to accomplish and won't necessarily work (hasn't been tested). +# +# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), +# because node-exporter can't see all interfaces, etc. +# For now, we'll live with that, until someone develops a better solution. +matrix_prometheus_postgres_exporter_container_http_host_bind_port: '' + +matrix_prometheus_postgres_exporter_dashboard_urls: +- "https://grafana.com/api/dashboards/9628/revisions/7/download" \ No newline at end of file diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/init.yml b/roles/matrix-prometheus-postgres-exporter/tasks/init.yml new file mode 100644 index 00000000..2bd6904e --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/init.yml @@ -0,0 +1,5 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-postgres-exporter.service'] }}" + when: matrix_prometheus_postgres_exporter_enabled|bool + + diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/main.yml b/roles/matrix-prometheus-postgres-exporter/tasks/main.yml new file mode 100644 index 00000000..e3c364fa --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/main.yml @@ -0,0 +1,8 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup-all + - setup-prometheus-postgres-exporter diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml b/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml new file mode 100644 index 00000000..076ece1a --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml @@ -0,0 +1,54 @@ +--- + +# +# Tasks related to setting up matrix-prometheus-postgres-exporter +# + +- name: Ensure matrix-prometheus-postgres-exporter image is pulled + docker_image: + name: "{{ matrix_prometheus_postgres_exporter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_prometheus_postgres_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_postgres_exporter_docker_image_force_pull }}" + when: "matrix_prometheus_postgres_exporter_enabled|bool" + +- name: Ensure matrix-prometheus-postgres-exporter.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-prometheus-postgres-exporter.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + mode: 0644 + register: matrix_prometheus_postgres_exporter_systemd_service_result + when: matrix_prometheus_postgres_exporter_enabled|bool + +- name: Ensure systemd reloaded after matrix-prometheus.service installation + service: + daemon_reload: yes + when: "matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_systemd_service_result.changed" + +# +# Tasks related to getting rid of matrix-prometheus-postgres-exporter (if it was previously enabled) +# + +- name: Check existence of matrix-prometheus-postgres-exporter service + stat: + path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + register: matrix_prometheus_postgres_exporter_service_stat + +- name: Ensure matrix-prometheus-postgres-exporter is stopped + service: + name: matrix-prometheus-postgres-exporter + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" + +- name: Ensure matrix-prometheus-postgres-exporter.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + state: absent + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-prometheus-postgres-exporter.service removal + service: + daemon_reload: yes + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" diff --git a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 new file mode 100644 index 00000000..b25cb5de --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-prometheus-postgres-exporter +{% for service in matrix_prometheus_postgres_exporter_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_prometheus_postgres_exporter_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' + + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-postgres-exporter \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + {% for arg in matrix_prometheus_postgres_exporter_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + --network={{ matrix_docker_network }} \ + {% if matrix_prometheus_postgres_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_postgres_exporter_container_http_host_bind_port }}:{{matrix_prometheus_postgres_exporter_port}} \ + {% endif %} + --pid=host \ + {{ matrix_prometheus_postgres_exporter_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-prometheus-postgres-exporter + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 02afd9e9..6c0fef31 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.27.0 +matrix_prometheus_version: v2.27.1 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index 9502a08b..b3ee3b86 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -38,3 +38,9 @@ scrape_configs: static_configs: - targets: {{ matrix_prometheus_scraper_node_targets|to_json }} {% endif %} + + {% if matrix_prometheus_scraper_postgres_enabled %} + - job_name: postgres + static_configs: + - targets: {{ matrix_prometheus_scraper_postgres_targets|to_json }} + {% endif %} \ No newline at end of file diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index dc4cc770..069b6279 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: latest +matrix_synapse_admin_version: 0.8.1 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d966665f..89d01bd0 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -497,6 +497,8 @@ matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" matrix_synapse_ext_password_provider_ldap_bind_dn: "" matrix_synapse_ext_password_provider_ldap_bind_password: "" matrix_synapse_ext_password_provider_ldap_filter: "" +matrix_synapse_ext_password_provider_ldap_active_directory: false +matrix_synapse_ext_password_provider_ldap_default_domain: "" # Enable this to activate the Synapse Antispam spam-checker module. # See: https://github.com/t2bot/synapse-simple-antispam @@ -505,6 +507,27 @@ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "htt matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "923ca5c85b08f157181721abbae50dd89c31e4b5" matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: [] +# Enable this to activate the Mjolnir Antispam spam-checker module. +# See: https://github.com/matrix-org/mjolnir#synapse-module +matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: false +matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url: "https://github.com/matrix-org/mjolnir" +matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "70f353fbbad0af469b1001080dea194d512b2815" +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true +# Flag messages sent by servers/users in the ban lists as spam. Currently +# this means that spammy messages will appear as empty to users. Default +# false. +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages: false +# Remove users from the user directory search by filtering matrix IDs and +# display names by the entries in the user ban list. Default false. +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false +# The room IDs of the ban lists to honour. Unlike other parts of Mjolnir, +# this list cannot be room aliases or permalinks. This server is expected +# to already be joined to the room - Mjolnir will not automatically join +# these rooms. +# ["!roomid:example.org"] +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: [] + + matrix_s3_media_store_enabled: false matrix_s3_media_store_custom_endpoint_enabled: false matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml new file mode 100644 index 00000000..6c45f469 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" + when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" + when: "not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool" diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml new file mode 100644 index 00000000..a416e42b --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml @@ -0,0 +1,52 @@ +--- + +- name: Ensure git installed (RedHat) + yum: + name: + - git + state: present + update_cache: no + when: "ansible_os_family == 'RedHat'" + +- name: Ensure git installed (Debian) + apt: + name: + - git + state: present + update_cache: no + when: "ansible_os_family == 'Debian'" + +- name: Ensure git installed (Archlinux) + pacman: + name: + - git + state: present + update_cache: no + when: "ansible_distribution == 'Archlinux'" + +- name: Clone mjolnir-antispam git repository + git: + repo: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url }}" + version: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version }}" + dest: "{{ matrix_synapse_ext_path }}/mjolnir" + become: true + become_user: "{{ matrix_user_username }}" + +- set_fact: + matrix_synapse_spam_checker: > + {{ matrix_synapse_spam_checker }} + + + [{ + "module": "mjolnir.AntiSpam", + "config": { + "block_invites": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites }}, + "block_messages": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages }}, + "block_usernames": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames }}, + "ban_lists": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists }} + } + }] + + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_synapse_ext_path }}/mjolnir/synapse_antispam/mjolnir,dst={{ matrix_synapse_in_container_python_packages_path }}/mjolnir,ro"] diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml new file mode 100644 index 00000000..f8439a87 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml @@ -0,0 +1,6 @@ +--- + +- name: Ensure mjolnir-antispam doesn't exist + file: + path: "{{ matrix_synapse_ext_path }}/mjolnir" + state: absent diff --git a/roles/matrix-synapse/tasks/ext/setup.yml b/roles/matrix-synapse/tasks/ext/setup.yml index 5e06ea9d..31637fa9 100644 --- a/roles/matrix-synapse/tasks/ext/setup.yml +++ b/roles/matrix-synapse/tasks/ext/setup.yml @@ -7,3 +7,5 @@ - import_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup.yml" - import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup.yml" diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml index d4a7268f..b658cfff 100644 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -106,4 +106,4 @@ template: src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2" dest: "{{ matrix_local_bin_path }}/matrix-synapse-register-user" - mode: 0750 + mode: 0755 diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 22f5f1ea..aa07ae5b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2596,6 +2596,8 @@ password_providers: uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} + active_directory: {{ matrix_synapse_ext_password_provider_ldap_active_directory|to_json }} + default_domain: {{ matrix_synapse_ext_password_provider_ldap_default_domain|string|to_json }} attributes: uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} diff --git a/setup.yml b/setup.yml index 9e3cd625..142364c4 100755 --- a/setup.yml +++ b/setup.yml @@ -54,5 +54,5 @@ - matrix-coturn - matrix-aux - matrix-postgres-backup - - matrix-common-after - + - matrix-prometheus-postgres-exporter + - matrix-common-after \ No newline at end of file From b1f1c28ef085e63a600775ef5c475a24f065f200 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 1 Jun 2021 19:14:49 +0300 Subject: [PATCH 2251/2384] Upgrade Synapse (1.34.0 -> 1.35.0) --- roles/matrix-synapse/defaults/main.yml | 4 +- .../templates/synapse/homeserver.yaml.j2 | 63 +++++++++---------- 2 files changed, 32 insertions(+), 35 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 89d01bd0..5cfa5c5f 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.34.0 -matrix_synapse_version_arm64: v1.34.0 +matrix_synapse_version: v1.35.0 +matrix_synapse_version_arm64: v1.35.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index aa07ae5b..734a7e90 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -705,33 +705,6 @@ acme: # #account_key_file: /data/acme_account.key -# List of allowed TLS fingerprints for this server to publish along -# with the signing keys for this server. Other matrix servers that -# make HTTPS requests to this server will check that the TLS -# certificates returned by this server match one of the fingerprints. -# -# Synapse automatically adds the fingerprint of its own certificate -# to the list. So if federation traffic is handled directly by synapse -# then no modification to the list is required. -# -# If synapse is run behind a load balancer that handles the TLS then it -# will be necessary to add the fingerprints of the certificates used by -# the loadbalancers to this list if they are different to the one -# synapse is using. -# -# Homeservers are permitted to cache the list of TLS fingerprints -# returned in the key responses up to the "valid_until_ts" returned in -# key. It may be necessary to publish the fingerprints of a new -# certificate and wait until the "valid_until_ts" of the previous key -# responses have passed before deploying it. -# -# You can calculate a fingerprint from a given TLS listener via: -# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | -# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' -# or by checking matrix.org/federationtester/api/report?server_name=$host -# -#tls_fingerprints: [{"sha256": ""}] - ## Federation ## @@ -2904,7 +2877,8 @@ opentracing: #enabled: true # The list of homeservers we wish to send and receive span contexts and span baggage. - # See docs/opentracing.rst + # See docs/opentracing.rst. + # # This is a list of regexes which are matched against the server_name of the # homeserver. # @@ -2913,19 +2887,26 @@ opentracing: #homeserver_whitelist: # - ".*" + # A list of the matrix IDs of users whose requests will always be traced, + # even if the tracing system would otherwise drop the traces due to + # probabilistic sampling. + # + # By default, the list is empty. + # + #force_tracing_for_users: + # - "@user1:server_name" + # - "@user2:server_name" + # Jaeger can be configured to sample traces at different rates. # All configuration options provided by Jaeger can be set here. - # Jaeger's configuration mostly related to trace sampling which + # Jaeger's configuration is mostly related to trace sampling which # is documented here: - # https://www.jaegertracing.io/docs/1.13/sampling/. + # https://www.jaegertracing.io/docs/latest/sampling/. # #jaeger_config: # sampler: # type: const # param: 1 - - # Logging whether spans were started and reported - # # logging: # false @@ -2995,4 +2976,20 @@ redis: # password: {{ matrix_synapse_redis_password }} + +# Enable experimental features in Synapse. +# +# Experimental features might break or be removed without a deprecation +# period. +# +experimental_features: + # Support for Spaces (MSC1772), it enables the following: + # + # * The Spaces Summary API (MSC2946). + # * Restricting room membership based on space membership (MSC3083). + # + # Uncomment to disable support for Spaces. + #spaces_enabled: false + + # vim:ft=yaml From b772d113421c219e29933edf1c3d258f14c7463e Mon Sep 17 00:00:00 2001 From: hanthor Date: Wed, 2 Jun 2021 15:37:56 -0400 Subject: [PATCH 2252/2384] Update main.yml Update hydrogen-web version to v0.1.56 --- roles/matrix-client-hydrogen/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index f7a3059e..12e62b8c 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.1.53 +matrix_client_hydrogen_version: v0.1.56 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" From ab08a4f60e572de07e63b831c4a5d1afbf31f556 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 3 Jun 2021 16:27:04 +0300 Subject: [PATCH 2253/2384] Upgrade Synapse (1.35.0 -> 1.35.1) --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 5cfa5c5f..bf2fcac6 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.35.0 -matrix_synapse_version_arm64: v1.35.0 +matrix_synapse_version: v1.35.1 +matrix_synapse_version_arm64: v1.35.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 122a92fa1c66f7489dd32f86c70d95119c74ee29 Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Fri, 4 Jun 2021 13:10:45 +0800 Subject: [PATCH 2254/2384] GoMatrixHosting v0.4.9 update --- docs/configuring-awx-system.md | 4 +- .../surveys/configure_email_relay.json.j2 | 19 ++++++ roles/matrix-awx/tasks/main.yml | 9 +++ .../matrix-awx/tasks/set_variables_mailer.yml | 50 +++++++++++++++ .../matrix-client-hydrogen/defaults/main.yml | 2 +- roles/matrix-synapse/defaults/main.yml | 4 +- .../templates/synapse/homeserver.yaml.j2 | 63 +++++++++---------- 7 files changed, 113 insertions(+), 38 deletions(-) create mode 100644 roles/matrix-awx/surveys/configure_email_relay.json.j2 create mode 100644 roles/matrix-awx/tasks/set_variables_mailer.yml diff --git a/docs/configuring-awx-system.md b/docs/configuring-awx-system.md index 1ab6950a..87ea228a 100644 --- a/docs/configuring-awx-system.md +++ b/docs/configuring-awx-system.md @@ -31,9 +31,9 @@ Updates to this section are trailed here: ## Does I need an AWX setup to use this? How do I configure it? -Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in ['/docs/Installation.md' of that repository](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation.md). +Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in ['/docs/Installation_AWX.md' of that repository](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_AWX.md). -For simpler installation steps you can use to get started with this system, check out our minimal installation guide at ['/doc/Installation_Minimal.md of that repository'](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_Minimal.md). +For simpler installation steps you can use to get started with this system, check out our minimal installation guide at ['/doc/Installation_Minimal_AWX.md of that repository'](https://gitlab.com/GoMatrixHosting/create-awx-system/-/blob/master/docs/Installation_Minimal_AWX.md). ## Does I need a front-end WordPress site? And a DigitalOcean account? diff --git a/roles/matrix-awx/surveys/configure_email_relay.json.j2 b/roles/matrix-awx/surveys/configure_email_relay.json.j2 new file mode 100644 index 00000000..65c21a94 --- /dev/null +++ b/roles/matrix-awx/surveys/configure_email_relay.json.j2 @@ -0,0 +1,19 @@ +{ + "name": "Configure Email Relay", + "description": "Enable MailGun relay to increase verification email reliability.", + "spec": [ + { + "question_name": "Enable Email Relay", + "question_description": "Enables the MailGun email relay server, enabling this will increase the reliability of your email verification.", + "required": false, + "min": null, + "max": null, + "default": "{{ matrix_mailer_relay_use | string | lower }}", + "choices": "true\nfalse", + "new_question": true, + "variable": "matrix_mailer_relay_use", + "type": "multiplechoice" + } + ] +} + diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index 654cdf62..beee918e 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -98,6 +98,15 @@ tags: - setup-client-element +# Additional playbook to set the variable file during Mailer configuration +- include_tasks: + file: "set_variables_mailer.yml" + apply: + tags: setup-mailer + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - setup-mailer + # Additional playbook to set the variable file during Element configuration - include_tasks: file: "set_variables_element_subdomain.yml" diff --git a/roles/matrix-awx/tasks/set_variables_mailer.yml b/roles/matrix-awx/tasks/set_variables_mailer.yml new file mode 100644 index 00000000..924454d6 --- /dev/null +++ b/roles/matrix-awx/tasks/set_variables_mailer.yml @@ -0,0 +1,50 @@ + +- name: Record Mailer variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Email Settings Start' + with_dict: + 'matrix_mailer_relay_use': '{{ matrix_mailer_relay_use }}' + +- name: Save new 'Configure Email Relay' survey.json to the AWX tower, template + delegate_to: 127.0.0.1 + template: + src: 'roles/matrix-awx/surveys/configure_email_relay.json.j2' + dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json' + +- name: Copy new 'Configure Email Relay' survey.json to target machine + copy: + src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json' + dest: '/matrix/awx/configure_email_relay.json' + mode: '0660' + +- name: Collect AWX admin token the hard way! + delegate_to: 127.0.0.1 + shell: | + curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g' + register: tower_token + no_log: True + +- name: Recreate 'Configure Email Relay' job template + delegate_to: 127.0.0.1 + awx.awx.tower_job_template: + name: "{{ matrix_domain }} - 1 - Configure Email Relay" + description: "Enable MailGun relay to increase verification email reliability." + extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}" + job_type: run + job_tags: "start,setup-mailer" + inventory: "{{ member_id }}" + project: "{{ member_id }} - Matrix Docker Ansible Deploy" + playbook: setup.yml + credential: "{{ member_id }} - AWX SSH Key" + survey_enabled: true + survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_email_relay.json') }}" + become_enabled: yes + state: present + verbosity: 1 + tower_host: "https://{{ tower_host }}" + tower_oauthtoken: "{{ tower_token.stdout }}" + validate_certs: yes diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index f7a3059e..12e62b8c 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.1.53 +matrix_client_hydrogen_version: v0.1.56 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 89d01bd0..bf2fcac6 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.34.0 -matrix_synapse_version_arm64: v1.34.0 +matrix_synapse_version: v1.35.1 +matrix_synapse_version_arm64: v1.35.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index aa07ae5b..734a7e90 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -705,33 +705,6 @@ acme: # #account_key_file: /data/acme_account.key -# List of allowed TLS fingerprints for this server to publish along -# with the signing keys for this server. Other matrix servers that -# make HTTPS requests to this server will check that the TLS -# certificates returned by this server match one of the fingerprints. -# -# Synapse automatically adds the fingerprint of its own certificate -# to the list. So if federation traffic is handled directly by synapse -# then no modification to the list is required. -# -# If synapse is run behind a load balancer that handles the TLS then it -# will be necessary to add the fingerprints of the certificates used by -# the loadbalancers to this list if they are different to the one -# synapse is using. -# -# Homeservers are permitted to cache the list of TLS fingerprints -# returned in the key responses up to the "valid_until_ts" returned in -# key. It may be necessary to publish the fingerprints of a new -# certificate and wait until the "valid_until_ts" of the previous key -# responses have passed before deploying it. -# -# You can calculate a fingerprint from a given TLS listener via: -# openssl s_client -connect $host:$port < /dev/null 2> /dev/null | -# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '=' -# or by checking matrix.org/federationtester/api/report?server_name=$host -# -#tls_fingerprints: [{"sha256": ""}] - ## Federation ## @@ -2904,7 +2877,8 @@ opentracing: #enabled: true # The list of homeservers we wish to send and receive span contexts and span baggage. - # See docs/opentracing.rst + # See docs/opentracing.rst. + # # This is a list of regexes which are matched against the server_name of the # homeserver. # @@ -2913,19 +2887,26 @@ opentracing: #homeserver_whitelist: # - ".*" + # A list of the matrix IDs of users whose requests will always be traced, + # even if the tracing system would otherwise drop the traces due to + # probabilistic sampling. + # + # By default, the list is empty. + # + #force_tracing_for_users: + # - "@user1:server_name" + # - "@user2:server_name" + # Jaeger can be configured to sample traces at different rates. # All configuration options provided by Jaeger can be set here. - # Jaeger's configuration mostly related to trace sampling which + # Jaeger's configuration is mostly related to trace sampling which # is documented here: - # https://www.jaegertracing.io/docs/1.13/sampling/. + # https://www.jaegertracing.io/docs/latest/sampling/. # #jaeger_config: # sampler: # type: const # param: 1 - - # Logging whether spans were started and reported - # # logging: # false @@ -2995,4 +2976,20 @@ redis: # password: {{ matrix_synapse_redis_password }} + +# Enable experimental features in Synapse. +# +# Experimental features might break or be removed without a deprecation +# period. +# +experimental_features: + # Support for Spaces (MSC1772), it enables the following: + # + # * The Spaces Summary API (MSC2946). + # * Restricting room membership based on space membership (MSC3083). + # + # Uncomment to disable support for Spaces. + #spaces_enabled: false + + # vim:ft=yaml From 8cf3bdb7720d7b61fa32bc7e1290439c533fbe3a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 4 Jun 2021 09:32:22 +0300 Subject: [PATCH 2255/2384] Link to Heisenbridge demonstration video --- docs/configuring-playbook-bridge-heisenbridge.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-heisenbridge.md b/docs/configuring-playbook-bridge-heisenbridge.md index 9cf016f2..2c1b438f 100644 --- a/docs/configuring-playbook-bridge-heisenbridge.md +++ b/docs/configuring-playbook-bridge-heisenbridge.md @@ -4,7 +4,7 @@ The playbook can install and configure [Heisenbridge](https://github.com/hifi/heisenbridge) - the bouncer-style [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) bridge for you. -See the project's [README](https://github.com/hifi/heisenbridge/blob/master/README.md) to learn what it does and why it might be useful to you. +See the project's [README](https://github.com/hifi/heisenbridge/blob/master/README.md) to learn what it does and why it might be useful to you. You can also take a look at [this demonstration video](https://www.youtube.com/watch?v=nQk1Bp4tk4I). ## Configuration @@ -33,4 +33,6 @@ After the bridge is successfully running just DM `@heisenbridge:your-homeserver` Help is available for all commands with the `-h` switch. If the bridge ignores you and a DM is not accepted then the owner setting may be wrong. +You can also learn the basics by watching [this demonstration video](https://www.youtube.com/watch?v=nQk1Bp4tk4I). + If you encounter issues or feel lost you can join the project room at [#heisenbridge:vi.fi](https://matrix.to/#/#heisenbridge:vi.fi) for help. From 7f4e71b22a67a664f8a0f7f5a382daa2a03afe3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20K=C3=BChne?= Date: Sun, 6 Jun 2021 14:32:03 +0200 Subject: [PATCH 2256/2384] fix error when running with Ansible 2.7 in the hydrogen setup Without this the hydrogen task would fail for Ansible 2.7 even when hydrogen is not enabled. --- roles/matrix-client-hydrogen/tasks/init.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-hydrogen/tasks/init.yml b/roles/matrix-client-hydrogen/tasks/init.yml index 1115f63d..8116a003 100644 --- a/roles/matrix-client-hydrogen/tasks/init.yml +++ b/roles/matrix-client-hydrogen/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build and matrix_client_hydrogen_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" From 3c05cc04bc40bd167ae624aabc24fab114d49727 Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Mon, 7 Jun 2021 10:41:18 +0200 Subject: [PATCH 2257/2384] Update IRC appservice --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index bdf49f65..ca8797b4 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_version: release-0.26.0 +matrix_appservice_irc_version: release-0.26.1 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From fa76c1ee5bdd09ecb8f272c23c1f77ad06756b85 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 8 Jun 2021 08:59:02 +0300 Subject: [PATCH 2258/2384] Do not run self-build Ansible version-check, if component not enabled Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1108 --- roles/matrix-bridge-appservice-irc/tasks/init.yml | 2 +- roles/matrix-bridge-appservice-slack/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-facebook/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-instagram/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-telegram/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-discord/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-skype/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-steam/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml | 2 +- roles/matrix-client-element/tasks/init.yml | 2 +- roles/matrix-corporal/tasks/init.yml | 2 +- roles/matrix-coturn/tasks/init.yml | 2 +- roles/matrix-dynamic-dns/tasks/init.yml | 2 +- roles/matrix-ma1sd/tasks/init.yml | 2 +- roles/matrix-mailer/tasks/init.yml | 2 +- roles/matrix-registration/tasks/init.yml | 2 +- roles/matrix-synapse-admin/tasks/init.yml | 2 +- roles/matrix-synapse/tasks/init.yml | 2 +- 22 files changed, 22 insertions(+), 22 deletions(-) diff --git a/roles/matrix-bridge-appservice-irc/tasks/init.yml b/roles/matrix-bridge-appservice-irc/tasks/init.yml index b9a58e00..e1355796 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/init.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build and matrix_appservice_irc_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index 6a1bf869..0584e624 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build and matrix_appservice_slack_enabled" # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. # We don't want to fail in such cases. diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml index 83e54cb4..fdfdfdae 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build and matrix_mautrix_facebook_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 07fb254d..63a04618 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build and matrix_mautrix_hangouts_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}" diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml index 6944003e..c0b7da32 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build and matrix_mautrix_instagram_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-instagram.service'] }}" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index c8f7f895..84ac86d0 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build and matrix_mautrix_telegram_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml index 983e3895..33d35e60 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build and matrix_mx_puppet_discord_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml index eb598ecb..4cd3c6b3 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build and matrix_mx_puppet_groupme_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-groupme.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml index 2ef99f02..a12885e7 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build and matrix_mx_puppet_instagram_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml index 1bdc4c2b..e8ed1a3a 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build and matrix_mx_puppet_skype_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index de3ffd7c..716cb351 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build and matrix_mx_puppet_slack_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml index c7b3d67f..38d0f9a2 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build and matrix_mx_puppet_steam_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 94fafd90..f23a6a64 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build and matrix_mx_puppet_twitter_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}" diff --git a/roles/matrix-client-element/tasks/init.yml b/roles/matrix-client-element/tasks/init.yml index 102cae38..44fa1544 100644 --- a/roles/matrix-client-element/tasks/init.yml +++ b/roles/matrix-client-element/tasks/init.yml @@ -7,4 +7,4 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build and matrix_client_element_enabled" diff --git a/roles/matrix-corporal/tasks/init.yml b/roles/matrix-corporal/tasks/init.yml index 993ace81..e5062c27 100644 --- a/roles/matrix-corporal/tasks/init.yml +++ b/roles/matrix-corporal/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build and matrix_corporal_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}" diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index c645c06b..a7d8a343 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build and matrix_coturn_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}" diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml index 039b5b02..e7d33ff2 100644 --- a/roles/matrix-dynamic-dns/tasks/init.yml +++ b/roles/matrix-dynamic-dns/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build and matrix_dynamic_dns_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}" diff --git a/roles/matrix-ma1sd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml index f09cfcfd..04cc3a21 100644 --- a/roles/matrix-ma1sd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build and matrix_ma1sd_enabled|bool" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}" diff --git a/roles/matrix-mailer/tasks/init.yml b/roles/matrix-mailer/tasks/init.yml index 5895343e..d07380f0 100644 --- a/roles/matrix-mailer/tasks/init.yml +++ b/roles/matrix-mailer/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build and matrix_mailer_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}" diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index b58ba659..32a35c7d 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build and matrix_registration_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}" diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index 7898dec9..9e171015 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build and matrix_synapse_admin_enabled" - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index 16790664..bc23fc86 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -3,7 +3,7 @@ - name: Fail if trying to self-build on Ansible < 2.8 fail: msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build and matrix_synapse_enabled" # Unless `matrix_synapse_workers_enabled_list` is explicitly defined, # we'll generate it dynamically. From 77fd1bff2201267519d202400b302262f6ce68bb Mon Sep 17 00:00:00 2001 From: rakshazi Date: Tue, 8 Jun 2021 14:57:49 +0000 Subject: [PATCH 2259/2384] Update element 1.7.29 -> 1.7.30 --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index f0596d91..f836d4a4 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.29 +matrix_client_element_version: v1.7.30 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 1cc1202df2a10340a6c799c866cee57041520e46 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 8 Jun 2021 23:59:31 +0530 Subject: [PATCH 2260/2384] update coturn --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index ad8735fe..2539d8b1 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -2,7 +2,7 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn" -matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r0" +matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r1" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" matrix_coturn_version: 4.5.2 From 2d9ba823371fc82ec2bc4ed2a1e46b0978059621 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Wed, 9 Jun 2021 00:48:55 +0530 Subject: [PATCH 2261/2384] Update element 7.5.7 -> 8.0.0 --- roles/matrix-grafana/defaults/main.yml | 4 ++-- roles/matrix-grafana/templates/grafana.ini.j2 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 7c5c217c..286922e8 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 7.5.7 +matrix_grafana_version: 8.0.0 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" @@ -38,11 +38,11 @@ matrix_grafana_default_admin_password: admin matrix_grafana_content_security_policy: true # specify content security policy template to customized template -# added 'unsafe-inline' (ignored by browsers supporting nonces/hashes) to be backward compatible with older browsers. # added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers. # [Content Security Policy Browser Test] (https://content-security-policy.com/browser-test/) # [Content Security Policy Reference](https://content-security-policy.com/script-src/) matrix_grafana_content_security_policy_customized: true +matrix_grafana_content_security_policy_template: "script-src 'self' 'unsafe-eval' 'unsafe-inline' http: https: 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';" # A list of extra arguments to pass to the container matrix_grafana_container_extra_arguments: [] diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index 322762b4..8f4c88f0 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -13,7 +13,7 @@ content_security_policy = "{{ matrix_grafana_content_security_policy }}" # specify content security policy template to customized template {% if matrix_grafana_content_security_policy_customized %} -content_security_policy_template = """script-src http: https: 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';""" +content_security_policy_template = """{{ matrix_grafana_content_security_policy_template }}""" {% endif %} [auth.anonymous] From be1d1d0b7c38b9081cc014ac012d985b9acb1b1a Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Wed, 9 Jun 2021 00:52:52 +0530 Subject: [PATCH 2262/2384] matrix_grafana_content_security_policy_customized default false --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 286922e8..a565edd0 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -41,7 +41,7 @@ matrix_grafana_content_security_policy: true # added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers. # [Content Security Policy Browser Test] (https://content-security-policy.com/browser-test/) # [Content Security Policy Reference](https://content-security-policy.com/script-src/) -matrix_grafana_content_security_policy_customized: true +matrix_grafana_content_security_policy_customized: false matrix_grafana_content_security_policy_template: "script-src 'self' 'unsafe-eval' 'unsafe-inline' http: https: 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';" # A list of extra arguments to pass to the container From 2886dc3939f6a163f9bc1b85c2ec95616baac5bf Mon Sep 17 00:00:00 2001 From: SkepticalWaves Date: Tue, 8 Jun 2021 22:55:19 -0400 Subject: [PATCH 2263/2384] Add module configuration to jitsi-prosody env file --- roles/matrix-jitsi/templates/prosody/env.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index 0c977d45..38b2456c 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -25,7 +25,7 @@ XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_MODULES= +XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} XMPP_MUC_MODULES= XMPP_INTERNAL_MUC_MODULES= From 2e8a2bdf7d07b802f5f7a466788a659967f75e70 Mon Sep 17 00:00:00 2001 From: SkepticalWaves Date: Tue, 8 Jun 2021 22:56:09 -0400 Subject: [PATCH 2264/2384] Add empty default for jitsi-prosody modules --- roles/matrix-jitsi/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 14545bc9..87d87706 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -39,6 +39,7 @@ matrix_jitsi_xmpp_bosh_url_base: http://{{ matrix_jitsi_xmpp_server }}:5280 matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi +matrix_jitsi_xmpp_modules: '' matrix_jitsi_recorder_domain: recorder.meet.jitsi From 963f38ee7b4fc62ed86a0fb176d2b716d2d543ae Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 10 Jun 2021 12:18:35 +0300 Subject: [PATCH 2265/2384] Upgrade certbot (v1.14.0 -> v1.16.0) --- roles/matrix-nginx-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index e7ee00a5..e71a1038 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -404,7 +404,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.14.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.16.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ From 1cf4d5ea7f8e3a836c72145dc7fedfba1b6b540d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 10 Jun 2021 12:25:55 +0300 Subject: [PATCH 2266/2384] Upgrade Redis (6.0.10 -> 6.2.4) --- roles/matrix-redis/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml index e33e7493..409c7926 100644 --- a/roles/matrix-redis/defaults/main.yml +++ b/roles/matrix-redis/defaults/main.yml @@ -5,7 +5,7 @@ matrix_redis_connection_password: "" matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" -matrix_redis_version: 6.0.10-alpine +matrix_redis_version: 6.2.4-alpine matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' From 72bc9b5cfc7641309dde3f22a3ccc2b0e8f955f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bla=C5=BE=20Toma=C5=BEi=C4=8D?= Date: Thu, 3 Jun 2021 18:57:58 +0200 Subject: [PATCH 2267/2384] Add support for CentOS (Stream) 8 --- roles/matrix-base/defaults/main.yml | 4 +- roles/matrix-base/tasks/server_base/setup.yml | 5 +- .../tasks/server_base/setup_centos8.yml | 47 +++++++++++++++++++ 3 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 roles/matrix-base/tasks/server_base/setup_centos8.yml diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index ef30ad67..86df4ad6 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -80,8 +80,8 @@ matrix_host_command_openssl: "/usr/bin/env openssl" matrix_host_command_systemctl: "/usr/bin/env systemctl" matrix_host_command_sh: "/usr/bin/env sh" -matrix_ntpd_package: "ntp" -matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}" +matrix_ntpd_package: "{{ 'systemd-timesyncd' if ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' else 'ntp' }}" +matrix_ntpd_service: "{{ 'systemd-timesyncd' if ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' else ('ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp') }}" matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" diff --git a/roles/matrix-base/tasks/server_base/setup.yml b/roles/matrix-base/tasks/server_base/setup.yml index 64f461ef..0869e501 100644 --- a/roles/matrix-base/tasks/server_base/setup.yml +++ b/roles/matrix-base/tasks/server_base/setup.yml @@ -1,7 +1,10 @@ --- - include_tasks: "{{ role_path }}/tasks/server_base/setup_centos.yml" - when: ansible_distribution == 'CentOS' + when: ansible_distribution == 'CentOS' and ansible_distribution_major_version < '8' + +- include_tasks: "{{ role_path }}/tasks/server_base/setup_centos8.yml" + when: ansible_distribution == 'CentOS' and ansible_distribution_major_version > '7' - block: # ansible_lsb is only available if lsb-release is installed. diff --git a/roles/matrix-base/tasks/server_base/setup_centos8.yml b/roles/matrix-base/tasks/server_base/setup_centos8.yml new file mode 100644 index 00000000..01666197 --- /dev/null +++ b/roles/matrix-base/tasks/server_base/setup_centos8.yml @@ -0,0 +1,47 @@ +--- + +- name: Ensure Docker repository is enabled + template: + src: "{{ role_path }}/files/yum.repos.d/{{ item }}" + dest: "/etc/yum.repos.d/{{ item }}" + owner: "root" + group: "root" + mode: 0644 + with_items: + - docker-ce.repo + when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' + +- name: Ensure Docker's RPM key is trusted + rpm_key: + state: present + key: https://download.docker.com/linux/centos/gpg + when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce' + +- name: Ensure EPEL is installed + yum: + name: + - epel-release + state: latest + update_cache: yes + +- name: Ensure yum packages are installed + yum: + name: + - "{{ matrix_ntpd_package }}" + - fuse + state: latest + update_cache: yes + +- name: Ensure Docker is installed + yum: + name: + - "{{ matrix_docker_package_name }}" + - python3-pip + state: latest + when: matrix_docker_installation_enabled|bool + +- name: Ensure Docker-Py is installed + pip: + name: docker-py + state: latest + when: matrix_docker_installation_enabled|bool \ No newline at end of file From 08d1a5c2e7d9e9f578784ba82ff4e33ff49d066b Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Mon, 14 Jun 2021 19:41:23 +0530 Subject: [PATCH 2268/2384] Update grafana 8.0.0 -> 8.0.2 --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index a565edd0..bfd67e96 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.0.0 +matrix_grafana_version: 8.0.2 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 4cd5835e1161d04018621d3f2dec85cbc7ae6c9f Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Mon, 14 Jun 2021 19:46:08 +0530 Subject: [PATCH 2269/2384] update hydrogen v0.1.56 -> v0.1.57 https://github.com/vector-im/hydrogen-web/releases/tag/v0.1.57 --- roles/matrix-client-hydrogen/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index 12e62b8c..929565c5 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.1.56 +matrix_client_hydrogen_version: v0.1.57 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" From 4fb1134ad120f0d141439ff78eb22cf945c8eff4 Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Mon, 14 Jun 2021 22:36:49 +0800 Subject: [PATCH 2270/2384] GoMatrixHosting v0.5.0 --- roles/matrix-awx/tasks/backup_server.yml | 28 +++++++++++++++----- roles/matrix-awx/tasks/export_server.yml | 33 ++++++++++++++++++++++++ roles/matrix-awx/tasks/import_awx.yml | 11 -------- roles/matrix-awx/tasks/main.yml | 9 +++++++ 4 files changed, 64 insertions(+), 17 deletions(-) create mode 100644 roles/matrix-awx/tasks/export_server.yml diff --git a/roles/matrix-awx/tasks/backup_server.yml b/roles/matrix-awx/tasks/backup_server.yml index a82f46b0..b7a82b96 100644 --- a/roles/matrix-awx/tasks/backup_server.yml +++ b/roles/matrix-awx/tasks/backup_server.yml @@ -54,10 +54,6 @@ validate_certs: yes tags: use-survey -- name: Run export.sh if this job template is run by the client - command: /bin/sh /root/export.sh - tags: use-survey - - name: Include vars in matrix_vars.yml include_vars: file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml' @@ -70,8 +66,28 @@ mode: '0660' tags: use-survey -- name: Perform the borg backup - command: borgmatic +- name: Run initial backup of /matrix/ and snapshot the database simultaneously + command: "{{ item }}" + with_items: + - borgmatic -c /root/.config/borgmatic/config_1.yaml + - /bin/sh /usr/local/bin/awx-export-service.sh 1 0 + register: _create_instances + async: 3600 # Maximum runtime in seconds. + poll: 0 # Fire and continue (never poll) + when: matrix_awx_backup_enabled|bool + +- name: Wait for both of these jobs to finish + async_status: + jid: "{{ item.ansible_job_id }}" + register: _jobs + until: _jobs.finished + delay: 5 # Check every 5 seconds. + retries: 720 # Retry for a full hour. + with_items: "{{ _create_instances.results }}" + when: matrix_awx_backup_enabled|bool + +- name: Perform borg backup of postgres dump + command: borgmatic -c /root/.config/borgmatic/config_2.yaml when: matrix_awx_backup_enabled|bool - name: Set boolean value to exit playbook diff --git a/roles/matrix-awx/tasks/export_server.yml b/roles/matrix-awx/tasks/export_server.yml new file mode 100644 index 00000000..c70b0beb --- /dev/null +++ b/roles/matrix-awx/tasks/export_server.yml @@ -0,0 +1,33 @@ + +- name: Run export of /matrix/ and snapshot the database simultaneously + command: "{{ item }}" + with_items: + - /bin/sh /usr/local/bin/awx-export-service.sh 1 0 + - /bin/sh /usr/local/bin/awx-export-service.sh 0 1 + register: _create_instances + async: 3600 # Maximum runtime in seconds. + poll: 0 # Fire and continue (never poll) + +- name: Wait for both of these jobs to finish + async_status: + jid: "{{ item.ansible_job_id }}" + register: _jobs + until: _jobs.finished + delay: 5 # Check every 5 seconds. + retries: 720 # Retry for a full hour. + with_items: "{{ _create_instances.results }}" + +- name: Schedule deletion of the export in 24 hours + at: + command: rm /chroot/export/matrix* + count: 1 + units: days + unique: yes + +- name: Set boolean value to exit playbook + set_fact: + end_playbook: true + +- name: End playbook if this task list is called. + meta: end_play + when: end_playbook is defined and end_playbook|bool diff --git a/roles/matrix-awx/tasks/import_awx.yml b/roles/matrix-awx/tasks/import_awx.yml index 6017152f..d9c3ca6f 100644 --- a/roles/matrix-awx/tasks/import_awx.yml +++ b/roles/matrix-awx/tasks/import_awx.yml @@ -1,15 +1,4 @@ -- name: Ensure /matrix/awx is empty - shell: rm -r /matrix/awx/* - ignore_errors: yes - -- name: Ensure /matrix/synapse is empty - shell: rm -r /matrix/synapse/* - ignore_errors: yes - -- name: Extract from /chroot/export - shell: tar -xvzf /chroot/export/matrix.tar.gz -C /matrix/ - - name: Ensure correct ownership of /matrix/awx shell: chown -R matrix:matrix /matrix/awx diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index beee918e..6e192ce0 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -25,6 +25,15 @@ when: run_setup|bool and matrix_awx_enabled|bool tags: - backup-server + +# Perform a export of the server +- include_tasks: + file: "export_server.yml" + apply: + tags: export-server + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - export-server # Create a user account if called - include_tasks: From 1da3531a3d71ef26a2c9a17f64046d888923ba2d Mon Sep 17 00:00:00 2001 From: N07070 Date: Tue, 15 Jun 2021 14:56:23 +0200 Subject: [PATCH 2271/2384] Update configuring-playbook-synapse.md Added an example for configuring the variables for the OpenID, that might fails because the variables are not defined for the playbook parsing, but Synapse's own config file parsing. --- docs/configuring-playbook-synapse.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index bdfdfa63..e152e662 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md @@ -55,3 +55,22 @@ Certain Synapse administration tasks (managing users and rooms, etc.) can be per ## Synapse + OpenID Connect for Single-Sign-On If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)). + +In case you encounter errors regarding the parsing of the variables, you can try to add `{%raw}` and `{% endraw %}` blocks around them. For example ; + +``` + - idp_id: keycloak + idp_name: "Keycloak" + issuer: "https://url.ix/auth/realms/x" + client_id: "matrix" + client_secret: "{{ vault_synapse_keycloak }}" + scopes: ["openid", "profile"] + authorization_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/auth" + token_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/token" + userinfo_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/userinfo" + user_mapping_provider: + config: + display_name_template: "{%raw}{{ user.given_name }}{% endraw %} {%raw}{{ user.family_name }}{% endraw %}" + email_template: "{%raw}{{ user.email }}{% endraw %}" +``` + From 9daeb397104570943fcee2f66bf008205d3c7ebf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 15 Jun 2021 19:25:41 +0300 Subject: [PATCH 2272/2384] Upgrade Synapse (1.35.1 -> 1.36.0) --- roles/matrix-synapse/defaults/main.yml | 4 ++-- .../templates/synapse/homeserver.yaml.j2 | 15 --------------- 2 files changed, 2 insertions(+), 17 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index bf2fcac6..cb5f9a3a 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.35.1 -matrix_synapse_version_arm64: v1.35.1 +matrix_synapse_version: v1.36.0 +matrix_synapse_version_arm64: v1.36.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 734a7e90..d92efdba 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -2977,19 +2977,4 @@ redis: password: {{ matrix_synapse_redis_password }} -# Enable experimental features in Synapse. -# -# Experimental features might break or be removed without a deprecation -# period. -# -experimental_features: - # Support for Spaces (MSC1772), it enables the following: - # - # * The Spaces Summary API (MSC2946). - # * Restricting room membership based on space membership (MSC3083). - # - # Uncomment to disable support for Spaces. - #spaces_enabled: false - - # vim:ft=yaml From 3dd32d25126ad32aba23ba1b3bdb908bf109a966 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 15 Jun 2021 19:28:11 +0300 Subject: [PATCH 2273/2384] Update worker endpoints Should have been part of 9daeb3971045 --- roles/matrix-synapse/vars/workers.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml index c989fb5b..1f817c8e 100644 --- a/roles/matrix-synapse/vars/workers.yml +++ b/roles/matrix-synapse/vars/workers.yml @@ -51,6 +51,9 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|unstable)/joined_groups$ - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$ - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/ + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/event/ + - ^/_matrix/client/(api/v1|r0|unstable)/joined_rooms$ + - ^/_matrix/client/(api/v1|r0|unstable)/search$ # Registration/login requests - ^/_matrix/client/(api/v1|r0|unstable)/login$ From 0217644b48d23b499e6590829e67348386cb9614 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Fri, 18 Jun 2021 23:27:23 +0530 Subject: [PATCH 2274/2384] Content-Security-Policy For Element Web https://github.com/vector-im/element-web#configuration-best-practices --- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index ee23cdfe..17e8f131 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -12,6 +12,7 @@ add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy "frame-ancestors 'none'"; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; From b82617113945c1fe13a18cb31ecfac2b2111967b Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Fri, 18 Jun 2021 23:32:30 +0530 Subject: [PATCH 2275/2384] Update grafana 8.0.2 -> 8.0.3 --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index bfd67e96..3f7746b8 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.0.2 +matrix_grafana_version: 8.0.3 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From ce28e87f4badd5c2c7c2ba1ffaf495b13cd20bd4 Mon Sep 17 00:00:00 2001 From: Marcel Ackermann <31695+dreamflasher@users.noreply.github.com> Date: Sun, 20 Jun 2021 16:38:04 +0200 Subject: [PATCH 2276/2384] according to discussion in channel not needed anymore --- docs/configuring-playbook-bridge-mx-puppet-slack.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-mx-puppet-slack.md b/docs/configuring-playbook-bridge-mx-puppet-slack.md index 61600c7a..e7d8dba2 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-slack.md +++ b/docs/configuring-playbook-bridge-mx-puppet-slack.md @@ -13,8 +13,6 @@ playbook configuration: ```yaml matrix_mx_puppet_slack_enabled: true -matrix_mx_puppet_slack_client_id: "" -matrix_mx_puppet_slack_client_secret: "" ``` From ed078998b58dc35cb394ddcafc5a2b375bc4d97d Mon Sep 17 00:00:00 2001 From: Marcel Ackermann <31695+dreamflasher@users.noreply.github.com> Date: Mon, 21 Jun 2021 12:12:07 +0200 Subject: [PATCH 2277/2384] deprecated --- roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 index 01714cb3..b1917b86 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 @@ -18,10 +18,6 @@ bridge: # Slack OAuth settings. Create a slack app at https://api.slack.com/apps oauth: enabled: true - # Slack app credentials. - # N.B. This must be quoted so YAML wouldn't parse it as a float. - clientId: "{{ matrix_mx_puppet_slack_client_id }}" - clientSecret: {{ matrix_mx_puppet_slack_client_secret }} # Path where to listen for OAuth redirect callbacks. redirectPath: {{ matrix_mx_puppet_slack_redirect_path }} # Set up proxying from https://your.domain/redirect_path to http://bindAddress:port/redirect_path, From a790096adfc88a31836012832644976b478fe420 Mon Sep 17 00:00:00 2001 From: Marcel Ackermann <31695+dreamflasher@users.noreply.github.com> Date: Mon, 21 Jun 2021 12:13:20 +0200 Subject: [PATCH 2278/2384] matrix_mx_puppet_slack_client_id deprecated --- roles/matrix-bridge-mx-puppet-slack/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml index 65b295c9..30d42475 100644 --- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml @@ -27,8 +27,6 @@ matrix_mx_puppet_slack_homeserver_address: "{{ matrix_homeserver_container_url } matrix_mx_puppet_slack_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_slack_appservice_address: 'http://matrix-mx-puppet-slack:{{ matrix_mx_puppet_slack_appservice_port }}' -matrix_mx_puppet_slack_client_id: '' -matrix_mx_puppet_slack_client_secret: '' matrix_mx_puppet_slack_redirect_path: '/slack/oauth' matrix_mx_puppet_slack_redirect_uri: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mx_puppet_slack_redirect_path }}' From 5a1dabe14fe73015a4119778e82ab65d2c6c5de6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 16 Jun 2021 15:22:21 +0300 Subject: [PATCH 2279/2384] Bump exim-relay Docker image tag The new one is based on Alpine 3.14, instead of Alpine 3.13. --- roles/matrix-mailer/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index 1340cc70..8ca1a8a3 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.94.2-r0-1 +matrix_mailer_version: 4.94.2-r0-2 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" From 2ca92b76b6c79e305da47c4e2075a29f139b830c Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Mon, 21 Jun 2021 23:37:08 +0530 Subject: [PATCH 2280/2384] stable-5963 --- roles/matrix-jitsi/templates/jicofo/env.j2 | 41 +++++-- roles/matrix-jitsi/templates/jvb/env.j2 | 31 +++--- roles/matrix-jitsi/templates/prosody/env.j2 | 33 +++--- roles/matrix-jitsi/templates/web/env.j2 | 116 ++++++++++++++------ 4 files changed, 149 insertions(+), 72 deletions(-) diff --git a/roles/matrix-jitsi/templates/jicofo/env.j2 b/roles/matrix-jitsi/templates/jicofo/env.j2 index a402d2d7..3de60282 100644 --- a/roles/matrix-jitsi/templates/jicofo/env.j2 +++ b/roles/matrix-jitsi/templates/jicofo/env.j2 @@ -1,17 +1,34 @@ -ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} - -XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} - -JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }} +AUTH_TYPE={{ matrix_jitsi_auth_type }} +BRIDGE_AVG_PARTICIPANT_STRESS +BRIDGE_STRESS_THRESHOLD +ENABLE_AUTH +ENABLE_AUTO_OWNER +ENABLE_CODEC_VP8 +ENABLE_CODEC_VP9 +ENABLE_CODEC_H264 +ENABLE_OCTO +ENABLE_RECORDING +ENABLE_SCTP JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} - -JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} - +JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS +JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT +JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT +JICOFO_ENABLE_HEALTH_CHECKS +JICOFO_SHORT_ID +JICOFO_RESERVATION_ENABLED +JICOFO_RESERVATION_REST_BASE_URL JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} +JIBRI_REQUEST_RETRIES JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }} - +JIGASI_BREWERY_MUC +JIGASI_SIP_URI +JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} +MAX_BRIDGE_PARTICIPANTS +OCTO_BRIDGE_SELECTION_STRATEGY TZ={{ matrix_jitsi_timezone }} +XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_MUC_DOMAIN +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} \ No newline at end of file diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 index f7dc9247..a927314e 100644 --- a/roles/matrix-jitsi/templates/jvb/env.j2 +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -1,20 +1,25 @@ -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} -JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} -JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }} +ENABLE_COLIBRI_WEBSOCKET +ENABLE_OCTO +DOCKER_HOST_ADDRESS +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} - -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} - -HOSTNAME=matrix-jitsi-jvb - +JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }} +JVB_TCP_HARVESTER_DISABLED=true +JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} +JVB_TCP_MAPPED_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} {% if matrix_jitsi_jvb_stun_servers|length > 0 %} JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }} {% endif %} - +JVB_ENABLE_APIS +JVB_WS_DOMAIN +JVB_WS_SERVER_ID PUBLIC_URL={{ matrix_jitsi_web_public_url }} - -{{ matrix_jitsi_jvb_environment_variables_extension }} +JVB_OCTO_BIND_ADDRESS +JVB_OCTO_PUBLIC_ADDRESS +JVB_OCTO_BIND_PORT +JVB_OCTO_REGION +TZ={{ matrix_jitsi_timezone }} \ No newline at end of file diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index 38b2456c..74df951e 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -1,10 +1,10 @@ AUTH_TYPE={{ matrix_jitsi_auth_type }} - ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} - -PUBLIC_URL={{ matrix_jitsi_web_public_url }} - +ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }} +ENABLE_XMPP_WEBSOCKET +GLOBAL_MODULES +GLOBAL_CONFIG LDAP_URL={{ matrix_jitsi_ldap_url }} LDAP_BASE={{ matrix_jitsi_ldap_base }} LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} @@ -18,32 +18,35 @@ LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} - XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} - XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} XMPP_MUC_MODULES= XMPP_INTERNAL_MUC_MODULES= - XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} - +XMPP_CROSS_DOMAIN=true JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }} JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} - JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} - +JIGASI_XMPP_USER= +JIGASI_XMPP_PASSWORD= JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} - JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} - -ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }} - -TZ={{ matrix_jitsi_timezone }} +JWT_APP_ID +JWT_APP_SECRET +JWT_ACCEPTED_ISSUERS +JWT_ACCEPTED_AUDIENCES +JWT_ASAP_KEYSERVER +JWT_ALLOW_EMPTY +JWT_AUTH_TYPE +JWT_TOKEN_AUTH_MODULE +LOG_LEVEL +PUBLIC_URL={{ matrix_jitsi_web_public_url }} +TZ={{ matrix_jitsi_timezone }} \ No newline at end of file diff --git a/roles/matrix-jitsi/templates/web/env.j2 b/roles/matrix-jitsi/templates/web/env.j2 index 7b763a3c..35a1e7ff 100644 --- a/roles/matrix-jitsi/templates/web/env.j2 +++ b/roles/matrix-jitsi/templates/web/env.j2 @@ -1,42 +1,94 @@ +ENABLE_COLIBRI_WEBSOCKET +ENABLE_FLOC=0 +ENABLE_LETSENCRYPT=0 +ENABLE_HTTP_REDIRECT=0 +ENABLE_HSTS=0 +ENABLE_XMPP_WEBSOCKET +DISABLE_HTTPS=0 +DISABLE_DEEP_LINKING +LETSENCRYPT_DOMAIN +LETSENCRYPT_EMAIL +LETSENCRYPT_USE_STAGING +PUBLIC_URL={{ matrix_jitsi_web_public_url }} +TZ={{ matrix_jitsi_timezone }} +AMPLITUDE_ID +ANALYTICS_SCRIPT_URLS +ANALYTICS_WHITELISTED_EVENTS +CALLSTATS_CUSTOM_SCRIPT_URL +CALLSTATS_ID +CALLSTATS_SECRET +CHROME_EXTENSION_BANNER_JSON +CONFCODE_URL +CONFIG_EXTERNAL_CONNECT +DEFAULT_LANGUAGE +DEPLOYMENTINFO_ENVIRONMENT +DEPLOYMENTINFO_ENVIRONMENT_TYPE +DEPLOYMENTINFO_REGION +DEPLOYMENTINFO_SHARD +DEPLOYMENTINFO_USERREGION +DIALIN_NUMBERS_URL +DIALOUT_AUTH_URL +DIALOUT_CODES_URL +DROPBOX_APPKEY +DROPBOX_REDIRECT_URI +DYNAMIC_BRANDING_URL +ENABLE_AUDIO_PROCESSING ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} +ENABLE_CALENDAR +ENABLE_FILE_RECORDING_SERVICE +ENABLE_FILE_RECORDING_SERVICE_SHARING ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} - -ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }} - +ENABLE_IPV6 +ENABLE_LIPSYNC +ENABLE_NO_AUDIO_DETECTION ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} - -DISABLE_HTTPS=1 - -JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} - -PUBLIC_URL={{ matrix_jitsi_web_public_url }} - -XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }} -XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} -XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} -XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} - -TZ={{ matrix_jitsi_timezone }} - -JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} -JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }} -JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} -JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} -JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} -JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} - +ENABLE_PREJOIN_PAGE +ENABLE_WELCOME_PAGE +ENABLE_CLOSE_PAGE ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }} - +ENABLE_REMB +ENABLE_REQUIRE_DISPLAY_NAME +ENABLE_SIMULCAST +ENABLE_STATS_ID +ENABLE_STEREO +ENABLE_SUBDOMAINS +ENABLE_TALK_WHILE_MUTED +ENABLE_TCC +ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }} +ETHERPAD_PUBLIC_URL +ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}} +GOOGLE_ANALYTICS_ID +GOOGLE_API_APP_CLIENT_ID +INVITE_SERVICE_URL +JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} +MATOMO_ENDPOINT +MATOMO_SITE_ID +MICROSOFT_API_APP_CLIENT_ID +NGINX_RESOLVER +NGINX_WORKER_PROCESSES +NGINX_WORKER_CONNECTIONS +PEOPLE_SEARCH_URL RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }} RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }} RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }} RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }} - +START_AUDIO_ONLY START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }} +START_WITH_AUDIO_MUTED +START_SILENT +DISABLE_AUDIO_LEVELS +ENABLE_NOISY_MIC_DETECTION +START_BITRATE +DESKTOP_SHARING_FRAMERATE_MIN +DESKTOP_SHARING_FRAMERATE_MAX START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }} - -ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}} - -{{ matrix_jitsi_web_environment_variables_extension }} +START_WITH_VIDEO_MUTED +TESTING_CAP_SCREENSHARE_BITRATE +TESTING_OCTO_PROBABILITY +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }} +XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} +XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} +XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} +XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} +TOKEN_AUTH_URL \ No newline at end of file From 8af2d818b12fee7cebdd7c14545f9c637b0eeebd Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Mon, 21 Jun 2021 23:55:26 +0530 Subject: [PATCH 2281/2384] domain_fix --- roles/matrix-jitsi/defaults/main.yml | 4 ++-- roles/matrix-jitsi/templates/web/env.j2 | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 87d87706..436b0091 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -32,8 +32,8 @@ matrix_jitsi_ldap_start_tls: false matrix_jitsi_timezone: UTC -matrix_jitsi_xmpp_domain: matrix-jitsi-web -matrix_jitsi_xmpp_server: matrix-jitsi-prosody +matrix_jitsi_xmpp_domain: meet.jitsi +matrix_jitsi_xmpp_server: xmpp.meet.jitsi matrix_jitsi_xmpp_auth_domain: auth.meet.jitsi matrix_jitsi_xmpp_bosh_url_base: http://{{ matrix_jitsi_xmpp_server }}:5280 matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi diff --git a/roles/matrix-jitsi/templates/web/env.j2 b/roles/matrix-jitsi/templates/web/env.j2 index 35a1e7ff..c4faa5ba 100644 --- a/roles/matrix-jitsi/templates/web/env.j2 +++ b/roles/matrix-jitsi/templates/web/env.j2 @@ -6,9 +6,9 @@ ENABLE_HSTS=0 ENABLE_XMPP_WEBSOCKET DISABLE_HTTPS=0 DISABLE_DEEP_LINKING -LETSENCRYPT_DOMAIN -LETSENCRYPT_EMAIL -LETSENCRYPT_USE_STAGING +LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }} +LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }} +LETSENCRYPT_USE_STAGING=0 PUBLIC_URL={{ matrix_jitsi_web_public_url }} TZ={{ matrix_jitsi_timezone }} AMPLITUDE_ID From 3e011bafd512e00c85a1d9115b018af8105c21db Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 22 Jun 2021 00:18:29 +0530 Subject: [PATCH 2282/2384] jibri env --- roles/matrix-jitsi/templates/jibri/env.j2 | 17 ++++++++++ .../jibri/matrix-jitsi-jibri.service.j2 | 33 +++++++++++++++++++ roles/matrix-jitsi/templates/jicofo/env.j2 | 2 +- 3 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-jitsi/templates/jibri/env.j2 create mode 100644 roles/matrix-jitsi/templates/jibri/matrix-jitsi-jibri.service.j2 diff --git a/roles/matrix-jitsi/templates/jibri/env.j2 b/roles/matrix-jitsi/templates/jibri/env.j2 new file mode 100644 index 00000000..b0dc8438 --- /dev/null +++ b/roles/matrix-jitsi/templates/jibri/env.j2 @@ -0,0 +1,17 @@ +PUBLIC_URL={{ matrix_jitsi_web_public_url }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} +XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} +JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} +JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} +JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} +JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} +JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} +JIBRI_RECORDING_DIR={{ matrix_jitsi_jibri_recording_dir }} +JIBRI_FINALIZE_RECORDING_SCRIPT_PATH +JIBRI_STRIP_DOMAIN_JID=muc +JIBRI_LOGS_DIR={{ matrix_jitsi_jibri_logs_dir }} +DISPLAY=:0 +TZ={{ matrix_jitsi_timezone }} \ No newline at end of file diff --git a/roles/matrix-jitsi/templates/jibri/matrix-jitsi-jibri.service.j2 b/roles/matrix-jitsi/templates/jibri/matrix-jitsi-jibri.service.j2 new file mode 100644 index 00000000..6ecafaa0 --- /dev/null +++ b/roles/matrix-jitsi/templates/jibri/matrix-jitsi-jibri.service.j2 @@ -0,0 +1,33 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix jitsi-jicofo server +{% for service in matrix_jitsi_jicofo_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ + --log-driver=none \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_jitsi_jicofo_base_path }}/env \ + --mount type=bind,src={{ matrix_jitsi_jicofo_config_path }},dst=/config \ + {% for arg in matrix_jitsi_jicofo_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_jitsi_jicofo_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-jitsi-jicofo + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-jitsi/templates/jicofo/env.j2 b/roles/matrix-jitsi/templates/jicofo/env.j2 index 3de60282..92728215 100644 --- a/roles/matrix-jitsi/templates/jicofo/env.j2 +++ b/roles/matrix-jitsi/templates/jicofo/env.j2 @@ -30,5 +30,5 @@ TZ={{ matrix_jitsi_timezone }} XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_MUC_DOMAIN +XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} XMPP_SERVER={{ matrix_jitsi_xmpp_server }} \ No newline at end of file From f8be36327c54aef32d2ad02845336587599e3bd9 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 22 Jun 2021 11:11:01 +0530 Subject: [PATCH 2283/2384] jibri service --- .../jibri/matrix-jitsi-jibri.service.j2 | 30 +++++++++++-------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/roles/matrix-jitsi/templates/jibri/matrix-jitsi-jibri.service.j2 b/roles/matrix-jitsi/templates/jibri/matrix-jitsi-jibri.service.j2 index 6ecafaa0..044b9e69 100644 --- a/roles/matrix-jitsi/templates/jibri/matrix-jitsi-jibri.service.j2 +++ b/roles/matrix-jitsi/templates/jibri/matrix-jitsi-jibri.service.j2 @@ -1,7 +1,7 @@ #jinja2: lstrip_blocks: "True" [Unit] -Description=Matrix jitsi-jicofo server -{% for service in matrix_jitsi_jicofo_systemd_required_services_list %} +Description=Matrix jitsi-jibri server +{% for service in matrix_jitsi_jibri_systemd_required_services_list %} Requires={{ service }} After={{ service }} {% endfor %} @@ -10,24 +10,30 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jibri 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jibri 2>/dev/null' -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jibri \ --log-driver=none \ --network={{ matrix_docker_network }} \ - --env-file={{ matrix_jitsi_jicofo_base_path }}/env \ - --mount type=bind,src={{ matrix_jitsi_jicofo_config_path }},dst=/config \ - {% for arg in matrix_jitsi_jicofo_container_extra_arguments %} + --env-file={{ matrix_jitsi_jibri_base_path }}/env \ +# --device=/dev/snd:/dev/snd \ + --mount type=bind,src=/dev/snd,dst=/dev/snd \ + --mount type=bind,src={{ matrix_jitsi_jibri_config_path }},dst=/config \ +# --volume={{ matrix_jitsi_jibri_config_path }}:/config:Z \ + --volume=/dev/shm:/dev/shm \ + --cap-add=SYS_ADMIN \ + --cap-add=NET_BIND_SERVICE \ + {% for arg in matrix_jitsi_jibri_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_jitsi_jicofo_docker_image }} + {{ matrix_jitsi_jibri_docker_image }} -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jibri 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jibri 2>/dev/null' Restart=always RestartSec=30 -SyslogIdentifier=matrix-jitsi-jicofo +SyslogIdentifier=matrix-jitsi-jibri [Install] WantedBy=multi-user.target From c0cd2a3c938a9154ae4f9be124a8f6cd7c189d8f Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 22 Jun 2021 12:14:14 +0530 Subject: [PATCH 2284/2384] JICOFO_RESERVATION_ENABLED contains whitespaces. --- roles/matrix-jitsi/templates/jicofo/env.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-jitsi/templates/jicofo/env.j2 b/roles/matrix-jitsi/templates/jicofo/env.j2 index 92728215..df669dc6 100644 --- a/roles/matrix-jitsi/templates/jicofo/env.j2 +++ b/roles/matrix-jitsi/templates/jicofo/env.j2 @@ -16,7 +16,7 @@ JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT JICOFO_ENABLE_HEALTH_CHECKS JICOFO_SHORT_ID -JICOFO_RESERVATION_ENABLED +JICOFO_RESERVATION_ENABLED JICOFO_RESERVATION_REST_BASE_URL JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} JIBRI_REQUEST_RETRIES @@ -31,4 +31,4 @@ XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} \ No newline at end of file +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} From 125020890777570b8c92821a01e810c7bb86d8e9 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 22 Jun 2021 12:24:35 +0530 Subject: [PATCH 2285/2384] whitespaces --- roles/matrix-jitsi/templates/jicofo/env.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/templates/jicofo/env.j2 b/roles/matrix-jitsi/templates/jicofo/env.j2 index df669dc6..3764d056 100644 --- a/roles/matrix-jitsi/templates/jicofo/env.j2 +++ b/roles/matrix-jitsi/templates/jicofo/env.j2 @@ -17,7 +17,7 @@ JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT JICOFO_ENABLE_HEALTH_CHECKS JICOFO_SHORT_ID JICOFO_RESERVATION_ENABLED -JICOFO_RESERVATION_REST_BASE_URL +JICOFO_RESERVATION_REST_BASE_URL JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} JIBRI_REQUEST_RETRIES JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }} From b19fa3acb2fc4e5c64bed48677f76c79dd88b03f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 22 Jun 2021 10:18:58 +0300 Subject: [PATCH 2286/2384] Upgrade Element (1.7.30 -> 1.7.31) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index f836d4a4..c4e6a162 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.30 +matrix_client_element_version: v1.7.31 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 04805f35a77e07dddbaf24679521650a07504c1b Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 22 Jun 2021 22:39:35 +0530 Subject: [PATCH 2287/2384] Coturn update 4.5.2 -> 4.5.2-r2 --- roles/matrix-coturn/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 2539d8b1..e785877f 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -2,10 +2,10 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn" -matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r1" +matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r2" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -matrix_coturn_version: 4.5.2 +matrix_coturn_version: 4.5.2-r2 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From 0c8a3c401f8d152a7e6d2a839e94b440e3eb9864 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 22 Jun 2021 23:20:09 +0530 Subject: [PATCH 2288/2384] jibri service --- roles/matrix-jitsi/defaults/main.yml | 13 +++ roles/matrix-jitsi/tasks/init.yml | 2 +- roles/matrix-jitsi/tasks/main.yml | 6 ++ .../matrix-jitsi/tasks/setup_jitsi_jibri.yml | 83 +++++++++++++++++++ 4 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_jibri.yml diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 436b0091..c0c18fd7 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -259,3 +259,16 @@ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_ # # Takes an ":" or "" value (e.g. "127.0.0.1:12090"), or empty string to not expose. matrix_jitsi_jvb_container_colibri_ws_host_bind_port: '' + +# Jibri +matrix_jitsi_jibri_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jibri:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_jibri_docker_image_force_pull: "{{ matrix_jitsi_jibri_docker_image.endswith(':latest') }}" + +matrix_jitsi_jibri_base_path: "{{ matrix_base_data_path }}/jitsi/jibri" +matrix_jitsi_jibri_config_path: "{{ matrix_jitsi_jicofo_base_path }}/config" + +# A list of extra arguments to pass to the container +matrix_jitsi_jibri_container_extra_arguments: [] + +# List of systemd services that matrix-jitsi-jicofo.service depends on +matrix_jitsi_jibri_systemd_required_services_list: ['docker.service', 'matrix-jitsi-jicofo.service'] \ No newline at end of file diff --git a/roles/matrix-jitsi/tasks/init.yml b/roles/matrix-jitsi/tasks/init.yml index 1f7a2d1c..9dee6db0 100644 --- a/roles/matrix-jitsi/tasks/init.yml +++ b/roles/matrix-jitsi/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service', 'matrix-jitsi-jibri.service'] }}" when: matrix_jitsi_enabled|bool diff --git a/roles/matrix-jitsi/tasks/main.yml b/roles/matrix-jitsi/tasks/main.yml index e4f3508f..30b3dd04 100644 --- a/roles/matrix-jitsi/tasks/main.yml +++ b/roles/matrix-jitsi/tasks/main.yml @@ -37,3 +37,9 @@ tags: - setup-all - setup-jitsi + +- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jibri.yml" + when: run_setup|bool + tags: + - setup-all + - setup-jitsi diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jibri.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jibri.yml new file mode 100644 index 00000000..c2791d9c --- /dev/null +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jibri.yml @@ -0,0 +1,83 @@ +--- + +# +# Tasks related to setting up jitsi-jibri +# + +- name: Ensure Matrix jitsi-jibri path exists + file: + path: "{{ item.path }}" + state: directory + mode: 0777 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_jitsi_jibri_base_path }}", when: true } + - { path: "{{ matrix_jitsi_jibri_config_path }}", when: true } + when: matrix_jitsi_enabled|bool and item.when + +- name: Ensure jitsi-jibri Docker image is pulled + docker_image: + name: "{{ matrix_jitsi_jibri_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_jitsi_jibri_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jibri_docker_image_force_pull }}" + when: matrix_jitsi_enabled|bool + +- name: Ensure jitsi-jibri environment variables file created + template: + src: "{{ role_path }}/templates/jibri/env.j2" + dest: "{{ matrix_jitsi_jibri_base_path }}/env" + mode: 0640 + when: matrix_jitsi_enabled|bool + +- name: Ensure matrix-jitsi-jibri.service installed + template: + src: "{{ role_path }}/templates/jibri/matrix-jitsi-jibri.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-jitsi-jibri.service" + mode: 0644 + register: matrix_jitsi_jibri_systemd_service_result + when: matrix_jitsi_enabled|bool + +- name: Ensure systemd reloaded after matrix-jitsi-jibri.service installation + service: + daemon_reload: yes + when: "matrix_jitsi_enabled and matrix_jitsi_jibri_systemd_service_result.changed" + +# +# Tasks related to getting rid of jitsi-jibri (if it was previously enabled) +# + +- name: Check existence of matrix-jitsi-jibri service + stat: + path: "{{ matrix_systemd_path }}/matrix-jitsi-jibri.service" + register: matrix_jitsi_jibri_service_stat + when: "not matrix_jitsi_enabled|bool" + +- name: Ensure matrix-jitsi-jibri is stopped + service: + name: matrix-jitsi-jibri + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jibri_service_stat.stat.exists" + +- name: Ensure matrix-jitsi-jibri.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-jitsi-jibri.service" + state: absent + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jibri_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-jitsi-jibri.service removal + service: + daemon_reload: yes + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jibri_service_stat.stat.exists" + +- name: Ensure Matrix jitsi-jibri paths doesn't exist + file: + path: "{{ matrix_jitsi_jibri_base_path }}" + state: absent + when: "not matrix_jitsi_enabled|bool" + +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. From d9e943aaaa6d035abb24d7ff98f4997be0f12dde Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 22 Jun 2021 23:32:32 +0530 Subject: [PATCH 2289/2384] minor fix --- roles/matrix-jitsi/defaults/main.yml | 2 +- roles/matrix-jitsi/templates/jibri/env.j2 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index c0c18fd7..9daa1716 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -265,7 +265,7 @@ matrix_jitsi_jibri_docker_image: "{{ matrix_container_global_registry_prefix }}j matrix_jitsi_jibri_docker_image_force_pull: "{{ matrix_jitsi_jibri_docker_image.endswith(':latest') }}" matrix_jitsi_jibri_base_path: "{{ matrix_base_data_path }}/jitsi/jibri" -matrix_jitsi_jibri_config_path: "{{ matrix_jitsi_jicofo_base_path }}/config" +matrix_jitsi_jibri_config_path: "{{ matrix_jitsi_jibri_base_path }}/config" # A list of extra arguments to pass to the container matrix_jitsi_jibri_container_extra_arguments: [] diff --git a/roles/matrix-jitsi/templates/jibri/env.j2 b/roles/matrix-jitsi/templates/jibri/env.j2 index b0dc8438..71862ca2 100644 --- a/roles/matrix-jitsi/templates/jibri/env.j2 +++ b/roles/matrix-jitsi/templates/jibri/env.j2 @@ -9,9 +9,9 @@ JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} -JIBRI_RECORDING_DIR={{ matrix_jitsi_jibri_recording_dir }} +JIBRI_RECORDING_DIR=/config/recordings JIBRI_FINALIZE_RECORDING_SCRIPT_PATH JIBRI_STRIP_DOMAIN_JID=muc -JIBRI_LOGS_DIR={{ matrix_jitsi_jibri_logs_dir }} +JIBRI_LOGS_DIR=/config/logs DISPLAY=:0 TZ={{ matrix_jitsi_timezone }} \ No newline at end of file From 6ede9c8cd6be996c00c5b6ae258846839d45457f Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Tue, 22 Jun 2021 23:59:49 +0530 Subject: [PATCH 2290/2384] network-alias added to fix domains --- roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 | 1 + .../templates/prosody/matrix-jitsi-prosody.service.j2 | 1 + roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 53c0c83a..2785795d 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -16,6 +16,7 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ --log-driver=none \ --network={{ matrix_docker_network }} \ + --network-alias=jvb.meet.jitsi \ --env-file={{ matrix_jitsi_jvb_base_path }}/env \ {% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} -p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 4445e52b..5a4a81e5 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -16,6 +16,7 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ --log-driver=none \ --network={{ matrix_docker_network }} \ + --network-alias={{ matrix_jitsi_xmpp_server }} \ {% if matrix_jitsi_prosody_container_http_host_bind_port %} -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \ {% endif %} diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index 6ae2074d..5d386361 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -16,6 +16,7 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ --log-driver=none \ --network={{ matrix_docker_network }} \ + --network-alias={{ matrix_jitsi_xmpp_domain }} \ --env-file={{ matrix_jitsi_web_base_path }}/env \ {% if matrix_jitsi_web_container_http_host_bind_port %} -p {{ matrix_jitsi_web_container_http_host_bind_port }}:80 \ From d019e9078a5f81d2610052c8d5cb8d3159db84ac Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 23 Jun 2021 09:54:22 +0300 Subject: [PATCH 2291/2384] Remove unused variables from mx-puppet-* bridges Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1131 --- docs/configuring-playbook-bridge-mx-puppet-discord.md | 2 -- docs/configuring-playbook-bridge-mx-puppet-groupme.md | 2 -- docs/configuring-playbook-bridge-mx-puppet-steam.md | 2 -- roles/matrix-bridge-mx-puppet-discord/defaults/main.yml | 3 --- roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml | 3 --- roles/matrix-bridge-mx-puppet-steam/defaults/main.yml | 3 --- 6 files changed, 15 deletions(-) diff --git a/docs/configuring-playbook-bridge-mx-puppet-discord.md b/docs/configuring-playbook-bridge-mx-puppet-discord.md index 7a3e986c..1a48f05b 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-discord.md +++ b/docs/configuring-playbook-bridge-mx-puppet-discord.md @@ -13,8 +13,6 @@ playbook configuration: ```yaml matrix_mx_puppet_discord_enabled: true -matrix_mx_puppet_discord_client_id: "" -matrix_mx_puppet_discord_client_secret: "" ``` diff --git a/docs/configuring-playbook-bridge-mx-puppet-groupme.md b/docs/configuring-playbook-bridge-mx-puppet-groupme.md index c3b9663f..2f0eda19 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-groupme.md +++ b/docs/configuring-playbook-bridge-mx-puppet-groupme.md @@ -11,8 +11,6 @@ playbook configuration: ```yaml matrix_mx_puppet_groupme_enabled: true -matrix_mx_puppet_groupme_client_id: "" -matrix_mx_puppet_groupme_client_secret: "" ``` diff --git a/docs/configuring-playbook-bridge-mx-puppet-steam.md b/docs/configuring-playbook-bridge-mx-puppet-steam.md index 616efbe2..5681c3d1 100644 --- a/docs/configuring-playbook-bridge-mx-puppet-steam.md +++ b/docs/configuring-playbook-bridge-mx-puppet-steam.md @@ -11,8 +11,6 @@ playbook configuration: ```yaml matrix_mx_puppet_steam_enabled: true -matrix_mx_puppet_steam_client_id: "" -matrix_mx_puppet_steam_client_secret: "" ``` diff --git a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml index 7e99c9b2..1113bb1c 100644 --- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml @@ -27,9 +27,6 @@ matrix_mx_puppet_discord_homeserver_address: "{{ matrix_homeserver_container_url matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}' -matrix_mx_puppet_discord_client_id: '' -matrix_mx_puppet_discord_client_secret: '' - # "@user:server.com" to allow specific user # "@.*:yourserver.com" to allow users on a specific homeserver # "@.*" to allow anyone diff --git a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml index 898768bf..8b382605 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml @@ -27,9 +27,6 @@ matrix_mx_puppet_groupme_homeserver_address: "{{ matrix_homeserver_container_url matrix_mx_puppet_groupme_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_groupme_appservice_address: 'http://matrix-mx-puppet-groupme:{{ matrix_mx_puppet_groupme_appservice_port }}' -matrix_mx_puppet_groupme_client_id: '' -matrix_mx_puppet_groupme_client_secret: '' - # "@user:server.com" to allow specific user # "@.*:yourserver.com" to allow users on a specific homeserver # "@.*" to allow anyone diff --git a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml index e4df90a5..2af4a32a 100644 --- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml +++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml @@ -27,9 +27,6 @@ matrix_mx_puppet_steam_homeserver_address: "{{ matrix_homeserver_container_url } matrix_mx_puppet_steam_homeserver_domain: '{{ matrix_domain }}' matrix_mx_puppet_steam_appservice_address: 'http://matrix-mx-puppet-steam:{{ matrix_mx_puppet_steam_appservice_port }}' -matrix_mx_puppet_steam_client_id: '' -matrix_mx_puppet_steam_client_secret: '' - # "@user:server.com" to allow specific user # "@.*:yourserver.com" to allow users on a specific homeserver # "@.*" to allow anyone From f2f1b20e44671a4f4e8cca08090ea723d9e1c6db Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Wed, 23 Jun 2021 23:17:24 +0530 Subject: [PATCH 2292/2384] jicofo client proxy connection --- inventory/scripts/jitsi-generate-passwords.sh | 2 -- roles/matrix-jitsi/defaults/main.yml | 2 +- roles/matrix-jitsi/templates/prosody/env.j2 | 2 +- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/inventory/scripts/jitsi-generate-passwords.sh b/inventory/scripts/jitsi-generate-passwords.sh index eacfa7d8..c48a0c2d 100755 --- a/inventory/scripts/jitsi-generate-passwords.sh +++ b/inventory/scripts/jitsi-generate-passwords.sh @@ -11,7 +11,6 @@ echo "# Install it before using this script, or simply create your own passwords echo "" -JICOFO_COMPONENT_SECRET=$(generatePassword) JICOFO_AUTH_PASSWORD=$(generatePassword) JVB_AUTH_PASSWORD=$(generatePassword) JIBRI_RECORDER_PASSWORD=$(generatePassword) @@ -19,7 +18,6 @@ JIBRI_XMPP_PASSWORD=$(generatePassword) echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:" echo "" -echo "matrix_jitsi_jicofo_component_secret: "$JICOFO_COMPONENT_SECRET echo "matrix_jitsi_jicofo_auth_password: "$JICOFO_AUTH_PASSWORD echo "matrix_jitsi_jvb_auth_password: "$JVB_AUTH_PASSWORD echo "matrix_jitsi_jibri_recorder_password: "$JIBRI_RECORDER_PASSWORD diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 9daa1716..55e24d80 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -53,7 +53,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-5765-1 +matrix_jitsi_version: stable-5963 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index 74df951e..e733e668 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -28,7 +28,7 @@ XMPP_MUC_MODULES= XMPP_INTERNAL_MUC_MODULES= XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} XMPP_CROSS_DOMAIN=true -JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }} +JICOFO_COMPONENT_SECRET JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} From 0cc17ab2cafac628f4cb1cae4256224b60edacef Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Wed, 23 Jun 2021 23:55:55 +0530 Subject: [PATCH 2293/2384] matrix_jitsi_jicofo_component_secret validation --- roles/matrix-jitsi/tasks/validate_config.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml index cc8a4b22..d2887b12 100644 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -16,7 +16,6 @@ with_items: - "matrix_jitsi_jibri_xmpp_password" - "matrix_jitsi_jibri_recorder_password" - - "matrix_jitsi_jicofo_component_secret" - "matrix_jitsi_jicofo_auth_password" - "matrix_jitsi_jvb_auth_password" From 2b881e245b4449fe0881751698b206f14f90b911 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Thu, 24 Jun 2021 10:07:14 +0530 Subject: [PATCH 2294/2384] Update prometheus v2.27.1 -> v2.28.0 --- roles/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 6c0fef31..3cd2599b 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.27.1 +matrix_prometheus_version: v2.28.0 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From 2d740dbebd1eff406c5f99f316da43a97b63a22d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 24 Jun 2021 10:06:36 +0300 Subject: [PATCH 2295/2384] Mount /data in matrix-redis container Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1140 --- roles/matrix-redis/templates/systemd/matrix-redis.service.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 index 0752d23b..5f6699f8 100644 --- a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 +++ b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 @@ -19,7 +19,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-redis \ {% if matrix_redis_container_redis_bind_port %} -p {{ matrix_redis_container_redis_bind_port }}:6379 \ {% endif %} - -v {{ matrix_redis_base_path }}/redis.conf:/usr/local/etc/redis/redis.conf \ + --mount type=bind,src={{ matrix_redis_base_path }}/redis.conf,dst=/usr/local/etc/redis/redis.conf,ro \ + --mount type=bind,src={{ matrix_redis_data_path }},dst=/data \ {% for arg in matrix_redis_container_extra_arguments %} {{ arg }} \ {% endfor %} From ddbb4b2acc8582578a35c2b99bb66c3d76fc6ce1 Mon Sep 17 00:00:00 2001 From: hanthor Date: Thu, 24 Jun 2021 12:10:45 -0400 Subject: [PATCH 2296/2384] Update main.yml update to v0.2.0 --- roles/matrix-client-hydrogen/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index 929565c5..fa2e38fd 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.1.57 +matrix_client_hydrogen_version: v0.2.0 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" From 26a5c28274b265526870b4a2da2aaf9cffb1a221 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 25 Jun 2021 03:14:00 -0500 Subject: [PATCH 2297/2384] Remove asterisks from configuring-dns.md These previously denoted optional DNS records but now optional records are a separate table so they are unnecessary. --- docs/configuring-dns.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 0016464f..da2098c7 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -31,12 +31,12 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco | Type | Host | Priority | Weight | Port | Target | | ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- | | SRV | `_matrix-identity._tcp` | 10 | 0 | 443 | `matrix.` | -| CNAME | `dimension` (*) | - | - | - | `matrix.` | -| CNAME | `jitsi` (*) | - | - | - | `matrix.` | -| CNAME | `stats` (*) | - | - | - | `matrix.` | -| CNAME | `goneb` (*) | - | - | - | `matrix.` | -| CNAME | `sygnal` (*) | - | - | - | `matrix.` | -| CNAME | `hydrogen` (*) | - | - | - | `matrix.` | +| CNAME | `dimension` | - | - | - | `matrix.` | +| CNAME | `jitsi` | - | - | - | `matrix.` | +| CNAME | `stats` | - | - | - | `matrix.` | +| CNAME | `goneb` | - | - | - | `matrix.` | +| CNAME | `sygnal` | - | - | - | `matrix.` | +| CNAME | `hydrogen` | - | - | - | `matrix.` | ## Subdomains setup From 7578a355c4930fa27c1b39056c00c837df75a89c Mon Sep 17 00:00:00 2001 From: Michael Sasser Date: Tue, 29 Jun 2021 12:15:03 +0200 Subject: [PATCH 2298/2384] heisenbridge fix service name --- roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml index d5526f8a..853faf7a 100644 --- a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml +++ b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml @@ -7,7 +7,7 @@ - name: Ensure matrix-heisenbridge is stopped service: - name: heisenbridge + name: matrix-heisenbridge state: stopped daemon_reload: yes when: "matrix_heisenbridge_service_stat.stat.exists" From eb5619fd4b72a280566b502e6f1d33f42f9ba4ec Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Tue, 29 Jun 2021 12:45:21 +0200 Subject: [PATCH 2299/2384] Update IRC bridge --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index ca8797b4..c351bafa 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_version: release-0.26.1 +matrix_appservice_irc_version: release-0.27.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From 3da4b684a5a6b1e421ca316db6caf909ba614a38 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 29 Jun 2021 13:49:00 +0300 Subject: [PATCH 2300/2384] Upgrade Synapse (1.36.0 -> 1.37.0) --- roles/matrix-synapse/defaults/main.yml | 4 +- .../templates/synapse/homeserver.yaml.j2 | 119 ++++++------------ 2 files changed, 40 insertions(+), 83 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index cb5f9a3a..8251481f 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.36.0 -matrix_synapse_version_arm64: v1.36.0 +matrix_synapse_version: v1.37.0 +matrix_synapse_version_arm64: v1.37.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index d92efdba..f3d0734b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -7,6 +7,22 @@ # # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html + +## Modules ## + +# Server admins can expand Synapse's functionality with external modules. +# +# See https://matrix-org.github.io/synapse/develop/modules.html for more +# documentation on how to configure or create custom modules for Synapse. +# +modules: + # - module: my_super_module.MySuperClass + # config: + # do_thing: true + # - module: my_other_super_module.SomeClass + # config: {} + + ## Server ## # The public-facing domain of the server @@ -574,13 +590,9 @@ retention: # This certificate, as of Synapse 1.0, will need to be a valid and verifiable # certificate, signed by a recognised Certificate Authority. # -# See 'ACME support' below to enable auto-provisioning this certificate via -# Let's Encrypt. -# -# If supplying your own, be sure to use a `.pem` file that includes the -# full certificate chain including any intermediate certificates (for -# instance, if using certbot, use `fullchain.pem` as your certificate, -# not `cert.pem`). +# Be sure to use a `.pem` file that includes the full certificate chain including +# any intermediate certificates (for instance, if using certbot, use +# `fullchain.pem` as your certificate, not `cert.pem`). # tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} @@ -631,80 +643,6 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} # - myCA2.pem # - myCA3.pem -# ACME support: This will configure Synapse to request a valid TLS certificate -# for your configured `server_name` via Let's Encrypt. -# -# Note that ACME v1 is now deprecated, and Synapse currently doesn't support -# ACME v2. This means that this feature currently won't work with installs set -# up after November 2019. For more info, and alternative solutions, see -# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 -# -# Note that provisioning a certificate in this way requires port 80 to be -# routed to Synapse so that it can complete the http-01 ACME challenge. -# By default, if you enable ACME support, Synapse will attempt to listen on -# port 80 for incoming http-01 challenges - however, this will likely fail -# with 'Permission denied' or a similar error. -# -# There are a couple of potential solutions to this: -# -# * If you already have an Apache, Nginx, or similar listening on port 80, -# you can configure Synapse to use an alternate port, and have your web -# server forward the requests. For example, assuming you set 'port: 8009' -# below, on Apache, you would write: -# -# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge -# -# * Alternatively, you can use something like `authbind` to give Synapse -# permission to listen on port 80. -# -acme: - # ACME support is disabled by default. Uncomment the following line - # (and tls_certificate_path and tls_private_key_path above) to enable it. - # - #enabled: true - - # Endpoint to use to request certificates. If you only want to test, - # use Let's Encrypt's staging url: - # https://acme-staging.api.letsencrypt.org/directory - # - #url: https://acme-v01.api.letsencrypt.org/directory - - # Port number to listen on for the HTTP-01 challenge. Change this if - # you are forwarding connections through Apache/Nginx/etc. - # - #port: 80 - - # Local addresses to listen on for incoming connections. - # Again, you may want to change this if you are forwarding connections - # through Apache/Nginx/etc. - # - #bind_addresses: ['::', '0.0.0.0'] - - # How many days remaining on a certificate before it is renewed. - # - #reprovision_threshold: 30 - - # The domain that the certificate should be for. Normally this - # should be the same as your Matrix domain (i.e., 'server_name'), but, - # by putting a file at 'https:///.well-known/matrix/server', - # you can delegate incoming traffic to another server. If you do that, - # you should give the target of the delegation here. - # - # For example: if your 'server_name' is 'example.com', but - # 'https://example.com/.well-known/matrix/server' delegates to - # 'matrix.example.com', you should put 'matrix.example.com' here. - # - # If not set, defaults to your 'server_name'. - # - #domain: matrix.example.com - - # file to use for the account key. This will be generated if it doesn't - # exist. - # - # If unspecified, we will use CONFDIR/client.key. - # - #account_key_file: /data/acme_account.key - ## Federation ## @@ -957,6 +895,10 @@ media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_dire # The largest allowed upload size in bytes # +# If you are using a reverse proxy you may also need to set this value in +# your reverse proxy's config. Notably Nginx has a small max body size by default. +# See https://matrix-org.github.io/synapse/develop/reverse_proxy.html. +# max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" # Maximum number of pixels that will be thumbnailed @@ -2045,6 +1987,17 @@ sso: # - https://riot.im/develop # - https://my.custom.client/ + # Uncomment to keep a user's profile fields in sync with information from + # the identity provider. Currently only syncing the displayname is + # supported. Fields are checked on every SSO login, and are updated + # if necessary. + # + # Note that enabling this option will override user profile information, + # regardless of whether users have opted-out of syncing that + # information when first signing in. Defaults to false. + # + #update_profile_information: true + # Directory in which Synapse will try to find the template files below. # If not set, or the files named below are not found within the template # directory, default templates from within the Synapse package will be used. @@ -2326,6 +2279,10 @@ ui_auth: # the user-interactive authentication process, by allowing for multiple # (and potentially different) operations to use the same validation session. # + # This is ignored for potentially "dangerous" operations (including + # deactivating an account, modifying an account password, and + # adding a 3PID). + # # Uncomment below to allow for credential validation to last for 15 # seconds. # From d338090f0036f027ebf28152456909e8fa2b6725 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Wed, 30 Jun 2021 10:00:52 +0530 Subject: [PATCH 2301/2384] postgres minor updates --- roles/matrix-postgres/defaults/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 72e42021..9c1cac9a 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -17,11 +17,11 @@ matrix_postgres_architecture: amd64 # > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" -matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.21{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.16{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.11{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.6{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.2{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.22{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.17{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.12{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.7{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.3{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" # This variable is assigned at runtime. Overriding its value has no effect. From c9d73c6606200db3c5892c5a99ea06d7872399fa Mon Sep 17 00:00:00 2001 From: Davy Landman Date: Wed, 30 Jun 2021 16:15:00 +0200 Subject: [PATCH 2302/2384] Updating to latest synapse release (performance regression) https://github.com/matrix-org/synapse/releases/tag/v1.37.1 --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 8251481f..d021bc5b 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.37.0 -matrix_synapse_version_arm64: v1.37.0 +matrix_synapse_version: v1.37.1 +matrix_synapse_version_arm64: v1.37.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 7b52e6ad5ed8aece4d86ce0f3063fabeed544294 Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Wed, 30 Jun 2021 20:52:49 +0000 Subject: [PATCH 2303/2384] Add worker metrics to prometheus exporter --- roles/matrix-prometheus/templates/prometheus.yml.j2 | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index b3ee3b86..edfa476b 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -30,7 +30,15 @@ scrape_configs: - job_name: 'synapse' metrics_path: '/_synapse/metrics' static_configs: - - targets: {{ matrix_prometheus_scraper_synapse_targets|to_json }} + - targets: + {% for target in matrix_prometheus_scraper_synapse_targets %} + - {{ target }} + {% endfor %} + {% for worker in matrix_synapse_workers_enabled_list|d([]) %} + {% if worker.metrics_port != 0 %} + - 'matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}' + {% endif %} + {% endfor %} {% endif %} {% if matrix_prometheus_scraper_node_enabled %} @@ -43,4 +51,4 @@ scrape_configs: - job_name: postgres static_configs: - targets: {{ matrix_prometheus_scraper_postgres_targets|to_json }} - {% endif %} \ No newline at end of file + {% endif %} From 5df4d688292020c2d00bd15aa3bc4216a7b839e7 Mon Sep 17 00:00:00 2001 From: oxmie <61626020+oxmie@users.noreply.github.com> Date: Mon, 28 Jun 2021 14:30:48 +0200 Subject: [PATCH 2304/2384] Make federation domain customizable --- roles/matrix-base/defaults/main.yml | 3 +++ .../templates/static-files/well-known/matrix-server.j2 | 2 +- roles/matrix-nginx-proxy/defaults/main.yml | 1 + .../templates/nginx/conf.d/matrix-domain.conf.j2 | 2 +- 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 86df4ad6..31bff105 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -11,6 +11,9 @@ matrix_domain: ~ # This and the Element FQN (see below) are expected to be on the same server. matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}" +# This is where you access federation API. +matrix_server_fqn_matrix_federation: '{{ matrix_server_fqn_matrix }}' + # This is where you access the Element web UI from (if enabled via matrix_client_element_enabled; enabled by default). # This and the Matrix FQN (see above) are expected to be on the same server. matrix_server_fqn_element: "element.{{ matrix_domain }}" diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 index 8349a15c..3bc7346d 100644 --- a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 +++ b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2 @@ -1,4 +1,4 @@ #jinja2: lstrip_blocks: "True" { - "m.server": "{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}" + "m.server": "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}" } diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index e71a1038..c476fd48 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -120,6 +120,7 @@ matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_nginx_proxy_proxy_matrix_federation_hostname: "{{ matrix_nginx_proxy_proxy_matrix_hostname }}" # The port name used for federation in the nginx configuration. # This is not necessarily the port that it's actually on, # as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container. diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 7b26434d..04a77269 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -239,7 +239,7 @@ server { listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }}; {% endif %} - server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; + server_name {{ matrix_nginx_proxy_proxy_matrix_federation_hostname }}; server_tokens off; root /dev/null; From 3d063f6acef368ae213c2987bbc00aeffc575099 Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Wed, 30 Jun 2021 21:30:18 +0000 Subject: [PATCH 2305/2384] make them show as jobs in grafana --- .../templates/prometheus.yml.j2 | 23 +++++++++++-------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index edfa476b..2ab7c4e1 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -30,15 +30,20 @@ scrape_configs: - job_name: 'synapse' metrics_path: '/_synapse/metrics' static_configs: - - targets: - {% for target in matrix_prometheus_scraper_synapse_targets %} - - {{ target }} - {% endfor %} - {% for worker in matrix_synapse_workers_enabled_list|d([]) %} - {% if worker.metrics_port != 0 %} - - 'matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}' - {% endif %} - {% endfor %} + - targets: {{ matrix_prometheus_scraper_synapse_targets|to_json }} + labels: + instance: {{ matrix_domain }} + job: master + index: 1 + {% for worker in matrix_synapse_workers_enabled_list|d([]) %} + {% if worker.metrics_port != 0 %} + - targets: ['matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}'] + labels: + instance: {{ matrix_domain }} + job: {{ worker.type }} + index: {{ worker.instanceId }} + {% endif %} + {% endfor %} {% endif %} {% if matrix_prometheus_scraper_node_enabled %} From 09ee5ce52e9240e7aa620fed9093ded12950536b Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Wed, 30 Jun 2021 21:32:19 +0000 Subject: [PATCH 2306/2384] we index from 0 apparently --- roles/matrix-prometheus/templates/prometheus.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index 2ab7c4e1..21a31ce1 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -34,7 +34,7 @@ scrape_configs: labels: instance: {{ matrix_domain }} job: master - index: 1 + index: 0 {% for worker in matrix_synapse_workers_enabled_list|d([]) %} {% if worker.metrics_port != 0 %} - targets: ['matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}'] From 6294e583043cf5596c43edc408f321eb8099644f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 1 Jul 2021 12:41:05 +0300 Subject: [PATCH 2307/2384] Fix Content-Security-Policy for Element Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1154 According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy, having both a header and the ``-tag provided by Element itself is not a problem. The 2 CSP policies get combined. --- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 17e8f131..2f4f4aa1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -12,7 +12,7 @@ add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy "frame-ancestors 'none'"; + add_header Content-Security-Policy "frame-ancestors 'self'"; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; From 7b2211da8e251721f101a9052dd5c43f9a598e46 Mon Sep 17 00:00:00 2001 From: sak Date: Thu, 1 Jul 2021 15:37:20 +0530 Subject: [PATCH 2308/2384] remove jibri --- logs/log.0.txt | 71 ++++++++++++++++ roles/matrix-jitsi/defaults/main.yml | 13 --- roles/matrix-jitsi/tasks/init.yml | 2 +- roles/matrix-jitsi/tasks/main.yml | 6 -- .../matrix-jitsi/tasks/setup_jitsi_jibri.yml | 83 ------------------- roles/matrix-jitsi/templates/jibri/env.j2 | 17 ---- .../jibri/matrix-jitsi-jibri.service.j2 | 39 --------- 7 files changed, 72 insertions(+), 159 deletions(-) create mode 100644 logs/log.0.txt delete mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_jibri.yml delete mode 100644 roles/matrix-jitsi/templates/jibri/env.j2 delete mode 100644 roles/matrix-jitsi/templates/jibri/matrix-jitsi-jibri.service.j2 diff --git a/logs/log.0.txt b/logs/log.0.txt new file mode 100644 index 00000000..3deaf28d --- /dev/null +++ b/logs/log.0.txt @@ -0,0 +1,71 @@ +2021-06-25 04:54:56.392 INFO: [1] org.jitsi.jibri.Main.log() Jibri run with args [--config, /etc/jitsi/jibri/config.json] +2021-06-25 04:54:56.471 INFO: [1] org.jitsi.jibri.Main.log() Checking legacy config file /etc/jitsi/jibri/config.json +2021-06-25 04:54:57.150 INFO: [1] org.jitsi.jibri.Main.log() Parsed legacy config: +JibriConfig(jibriId=null, recordingDirectory=/config/recordings, singleUseMode=null, enabledStatsD=null, finalizeRecordingScriptPath=null, xmppEnvironments=[XmppEnvironmentConfig(name=prod environment, xmppServerHosts=[xmpp.meet.jitsi], xmppDomain=meet.jitsi, baseUrl=https://jitsi.domain.tld, controlLogin=XmppCredentials(domain=auth.meet.jitsi, port=null, username=jibri, password=e54e91c82a9081af3f4c93b1bfab5a69), controlMuc=XmppMuc(domain=internal-muc.meet.jitsi, roomName=jibribrewery, nickname=jibri-instanse-075102036), sipControlMuc=null, callLogin=XmppCredentials(domain=recorder.meet.jitsi, port=null, username=recorder, password=ab79147973e1ee2deb0dfad0fb1e4113), stripFromRoomDomain=muc., usageTimeoutMins=0, trustAllXmppCerts=true)]) +2021-06-25 04:54:57.178 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: checking for value via suppliers: + LambdaSupplier: 'JibriConfig::jibriId' + ConfigSourceSupplier: key: 'jibri.id', type: 'kotlin.String', source: 'config' +2021-06-25 04:54:57.179 FINE: [1] org.jitsi.jibri.config.log() LambdaSupplier: Trying to retrieve value via JibriConfig::jibriId +2021-06-25 04:54:57.180 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: failed to find value via LambdaSupplier: 'JibriConfig::jibriId': org.jitsi.metaconfig.ConfigException$UnableToRetrieve$Error: class java.lang.NullPointerException +2021-06-25 04:54:57.181 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'jibri.id' from source 'config' as type kotlin.String +2021-06-25 04:54:57.199 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Successfully retrieved key 'jibri.id' from source 'config' as type kotlin.String +2021-06-25 04:54:57.200 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: value found via ConfigSourceSupplier: key: 'jibri.id', type: 'kotlin.String', source: 'config' +2021-06-25 04:54:57.200 INFO: [1] org.jitsi.jibri.Main.log() Jibri starting up with id +2021-06-25 04:54:57.205 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: checking for value via suppliers: + LambdaSupplier: 'JibriConfig::enableStatsD' + ConfigSourceSupplier: key: 'jibri.stats.enable-stats-d', type: 'kotlin.Boolean', source: 'config' +2021-06-25 04:54:57.206 FINE: [1] org.jitsi.jibri.config.log() LambdaSupplier: Trying to retrieve value via JibriConfig::enableStatsD +2021-06-25 04:54:57.206 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: failed to find value via LambdaSupplier: 'JibriConfig::enableStatsD': org.jitsi.metaconfig.ConfigException$UnableToRetrieve$Error: class java.lang.NullPointerException +2021-06-25 04:54:57.206 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'jibri.stats.enable-stats-d' from source 'config' as type kotlin.Boolean +2021-06-25 04:54:57.208 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Successfully retrieved key 'jibri.stats.enable-stats-d' from source 'config' as type kotlin.Boolean +2021-06-25 04:54:57.208 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: value found via ConfigSourceSupplier: key: 'jibri.stats.enable-stats-d', type: 'kotlin.Boolean', source: 'config' +2021-06-25 04:54:57.221 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: checking for value via suppliers: + ConfigSourceSupplier: key: 'jibri.webhook.subscribers', type: 'kotlin.collections.List', source: 'config' +2021-06-25 04:54:57.222 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'jibri.webhook.subscribers' from source 'config' as type kotlin.collections.List +2021-06-25 04:54:57.228 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Successfully retrieved key 'jibri.webhook.subscribers' from source 'config' as type kotlin.collections.List +2021-06-25 04:54:57.228 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: value found via ConfigSourceSupplier: key: 'jibri.webhook.subscribers', type: 'kotlin.collections.List', source: 'config' +2021-06-25 04:54:57.625 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'jibri.jwt-info' from source 'config' as type com.typesafe.config.ConfigObject +2021-06-25 04:54:57.635 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Successfully retrieved key 'jibri.jwt-info' from source 'config' as type com.typesafe.config.ConfigObject +2021-06-25 04:54:57.636 INFO: [1] org.jitsi.jibri.webhooks.v1.JwtInfo.log() got jwtConfig: {} + +2021-06-25 04:54:57.637 INFO: [1] org.jitsi.jibri.webhooks.v1.JwtInfo.log() Unable to create JwtInfo: com.typesafe.config.ConfigException$Missing: reference.conf @ jar:file:/opt/jitsi/jibri/jibri.jar!/reference.conf: 59: No configuration setting found for key 'signing-key-path' +2021-06-25 04:54:57.657 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: checking for value via suppliers: + ConfigSourceSupplier: key: 'internal_http_port', type: 'kotlin.Int', source: 'command line args' + ConfigSourceSupplier: key: 'jibri.api.http.internal-api-port', type: 'kotlin.Int', source: 'config' +2021-06-25 04:54:57.658 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'internal_http_port' from source 'command line args' as type kotlin.Int +2021-06-25 04:54:57.660 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: failed to find value via ConfigSourceSupplier: key: 'internal_http_port', type: 'kotlin.Int', source: 'command line args': org.jitsi.metaconfig.ConfigException$UnableToRetrieve$NotFound: not found +2021-06-25 04:54:57.660 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'jibri.api.http.internal-api-port' from source 'config' as type kotlin.Int +2021-06-25 04:54:57.662 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Successfully retrieved key 'jibri.api.http.internal-api-port' from source 'config' as type kotlin.Int +2021-06-25 04:54:57.663 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: value found via ConfigSourceSupplier: key: 'jibri.api.http.internal-api-port', type: 'kotlin.Int', source: 'config' +2021-06-25 04:54:57.663 INFO: [1] org.jitsi.jibri.Main.log() Using port 3333 for internal HTTP API +2021-06-25 04:54:57.669 FINE: [26] org.jitsi.jibri.webhooks.v1.WebhookClient.log() Updating 0 subscribers of status +2021-06-25 04:54:57.827 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: checking for value via suppliers: + LambdaSupplier: 'JibriConfig::xmppEnvironments' + TypeConvertingSupplier: converting value from ConfigSourceSupplier: key: 'jibri.api.xmpp.environments', type: 'kotlin.collections.List', source: 'config' +2021-06-25 04:54:57.827 FINE: [1] org.jitsi.jibri.config.log() LambdaSupplier: Trying to retrieve value via JibriConfig::xmppEnvironments +2021-06-25 04:54:57.827 FINE: [1] org.jitsi.jibri.config.log() LambdaSupplier: 'JibriConfig::xmppEnvironments': found value +2021-06-25 04:54:57.828 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: value found via LambdaSupplier: 'JibriConfig::xmppEnvironments' +2021-06-25 04:54:57.934 INFO: [1] org.jitsi.jibri.api.xmpp.XmppApi.log() Jibri reports its status is now JibriStatus(busyStatus=IDLE, health=OverallHealth(healthStatus=HEALTHY, details={})), publishing presence to connections +2021-06-25 04:54:57.936 FINE: [1] org.jitsi.xmpp.mucclient.MucClientManager.log() Setting a presence extension: org.jitsi.xmpp.extensions.jibri.JibriStatusPacketExt@18e8473e +2021-06-25 04:54:57.942 INFO: [1] org.jitsi.jibri.api.xmpp.XmppApi.log() Connecting to xmpp environment on xmpp.meet.jitsi with config XmppEnvironmentConfig(name=prod environment, xmppServerHosts=[xmpp.meet.jitsi], xmppDomain=meet.jitsi, baseUrl=https://jitsi.domain.tld, controlLogin=XmppCredentials(domain=auth.meet.jitsi, port=null, username=jibri, password=e54e91c82a9081af3f4c93b1bfab5a69), controlMuc=XmppMuc(domain=internal-muc.meet.jitsi, roomName=jibribrewery, nickname=jibri-instanse-075102036), sipControlMuc=null, callLogin=XmppCredentials(domain=recorder.meet.jitsi, port=null, username=recorder, password=ab79147973e1ee2deb0dfad0fb1e4113), stripFromRoomDomain=muc., usageTimeoutMins=0, trustAllXmppCerts=true) +2021-06-25 04:54:57.943 INFO: [1] org.jitsi.jibri.api.xmpp.XmppApi.log() The trustAllXmppCerts config is enabled for this domain, all XMPP server provided certificates will be accepted +2021-06-25 04:54:57.966 FINE: [39] org.jitsi.xmpp.mucclient.MucClient.log() Initializing a new MucClient for [ org.jitsi.xmpp.mucclient.MucClientConfiguration id=xmpp.meet.jitsi domain=auth.meet.jitsi hostname=xmpp.meet.jitsi port=null username=jibri mucs=[jibribrewery@internal-muc.meet.jitsi] mucNickname=jibri-instanse-075102036 disableCertificateVerification=true] +2021-06-25 04:54:57.967 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: checking for value via suppliers: + ConfigSourceSupplier: key: 'http_api_port', type: 'kotlin.Int', source: 'command line args' + ConfigSourceSupplier: key: 'jibri.api.http.external-api-port', type: 'kotlin.Int', source: 'config' +2021-06-25 04:54:57.967 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'http_api_port' from source 'command line args' as type kotlin.Int +2021-06-25 04:54:57.968 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: failed to find value via ConfigSourceSupplier: key: 'http_api_port', type: 'kotlin.Int', source: 'command line args': org.jitsi.metaconfig.ConfigException$UnableToRetrieve$NotFound: not found +2021-06-25 04:54:57.968 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'jibri.api.http.external-api-port' from source 'config' as type kotlin.Int +2021-06-25 04:54:57.969 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Successfully retrieved key 'jibri.api.http.external-api-port' from source 'config' as type kotlin.Int +2021-06-25 04:54:57.970 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: value found via ConfigSourceSupplier: key: 'jibri.api.http.external-api-port', type: 'kotlin.Int', source: 'config' +2021-06-25 04:54:57.970 WARNING: [39] org.jitsi.xmpp.mucclient.MucClient.log() Disabling certificate verification! +2021-06-25 04:54:57.970 INFO: [1] org.jitsi.jibri.Main.log() Using port 2222 for HTTP API +2021-06-25 04:54:57.999 FINE: [39] org.jitsi.xmpp.mucclient.MucClient.log() About to connect and login. +2021-06-25 04:54:58.154 INFO: [39] org.jitsi.xmpp.mucclient.MucClient.log() Connected. +2021-06-25 04:54:58.155 INFO: [39] org.jitsi.xmpp.mucclient.MucClient.log() Logging in. +2021-06-25 04:54:58.210 FINE: [39] org.jitsi.xmpp.mucclient.MucClient.log() Authenticated, b=false +2021-06-25 04:54:58.210 FINE: [39] org.jitsi.xmpp.mucclient.MucClient.log() About to join MUCs: [jibribrewery@internal-muc.meet.jitsi] +2021-06-25 04:54:58.226 INFO: [39] org.jitsi.xmpp.mucclient.MucClient.log() Joined MUC: jibribrewery@internal-muc.meet.jitsi +2021-06-25 04:54:58.234 FINE: [55] org.jitsi.xmpp.extensions.DefaultPacketExtensionProvider.parse() Could not add a provider for element busy-status from namespace http://jitsi.org/protocol/jibri +2021-06-25 04:54:58.234 FINE: [55] org.jitsi.xmpp.extensions.DefaultPacketExtensionProvider.parse() Could not add a provider for element health-status from namespace http://jitsi.org/protocol/health +021-06-25 04:55:57.654 FINE: [26] org.jitsi.jibri.webhooks.v1.WebhookClient.log() Updating 0 subscribers of status diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 55e24d80..8c8d9156 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -259,16 +259,3 @@ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_ # # Takes an ":" or "" value (e.g. "127.0.0.1:12090"), or empty string to not expose. matrix_jitsi_jvb_container_colibri_ws_host_bind_port: '' - -# Jibri -matrix_jitsi_jibri_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jibri:{{ matrix_jitsi_container_image_tag }}" -matrix_jitsi_jibri_docker_image_force_pull: "{{ matrix_jitsi_jibri_docker_image.endswith(':latest') }}" - -matrix_jitsi_jibri_base_path: "{{ matrix_base_data_path }}/jitsi/jibri" -matrix_jitsi_jibri_config_path: "{{ matrix_jitsi_jibri_base_path }}/config" - -# A list of extra arguments to pass to the container -matrix_jitsi_jibri_container_extra_arguments: [] - -# List of systemd services that matrix-jitsi-jicofo.service depends on -matrix_jitsi_jibri_systemd_required_services_list: ['docker.service', 'matrix-jitsi-jicofo.service'] \ No newline at end of file diff --git a/roles/matrix-jitsi/tasks/init.yml b/roles/matrix-jitsi/tasks/init.yml index 9dee6db0..1f7a2d1c 100644 --- a/roles/matrix-jitsi/tasks/init.yml +++ b/roles/matrix-jitsi/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service', 'matrix-jitsi-jibri.service'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] }}" when: matrix_jitsi_enabled|bool diff --git a/roles/matrix-jitsi/tasks/main.yml b/roles/matrix-jitsi/tasks/main.yml index 30b3dd04..e4f3508f 100644 --- a/roles/matrix-jitsi/tasks/main.yml +++ b/roles/matrix-jitsi/tasks/main.yml @@ -37,9 +37,3 @@ tags: - setup-all - setup-jitsi - -- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jibri.yml" - when: run_setup|bool - tags: - - setup-all - - setup-jitsi diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jibri.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jibri.yml deleted file mode 100644 index c2791d9c..00000000 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jibri.yml +++ /dev/null @@ -1,83 +0,0 @@ ---- - -# -# Tasks related to setting up jitsi-jibri -# - -- name: Ensure Matrix jitsi-jibri path exists - file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_jitsi_jibri_base_path }}", when: true } - - { path: "{{ matrix_jitsi_jibri_config_path }}", when: true } - when: matrix_jitsi_enabled|bool and item.when - -- name: Ensure jitsi-jibri Docker image is pulled - docker_image: - name: "{{ matrix_jitsi_jibri_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_jibri_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jibri_docker_image_force_pull }}" - when: matrix_jitsi_enabled|bool - -- name: Ensure jitsi-jibri environment variables file created - template: - src: "{{ role_path }}/templates/jibri/env.j2" - dest: "{{ matrix_jitsi_jibri_base_path }}/env" - mode: 0640 - when: matrix_jitsi_enabled|bool - -- name: Ensure matrix-jitsi-jibri.service installed - template: - src: "{{ role_path }}/templates/jibri/matrix-jitsi-jibri.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-jitsi-jibri.service" - mode: 0644 - register: matrix_jitsi_jibri_systemd_service_result - when: matrix_jitsi_enabled|bool - -- name: Ensure systemd reloaded after matrix-jitsi-jibri.service installation - service: - daemon_reload: yes - when: "matrix_jitsi_enabled and matrix_jitsi_jibri_systemd_service_result.changed" - -# -# Tasks related to getting rid of jitsi-jibri (if it was previously enabled) -# - -- name: Check existence of matrix-jitsi-jibri service - stat: - path: "{{ matrix_systemd_path }}/matrix-jitsi-jibri.service" - register: matrix_jitsi_jibri_service_stat - when: "not matrix_jitsi_enabled|bool" - -- name: Ensure matrix-jitsi-jibri is stopped - service: - name: matrix-jitsi-jibri - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jibri_service_stat.stat.exists" - -- name: Ensure matrix-jitsi-jibri.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-jitsi-jibri.service" - state: absent - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jibri_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-jitsi-jibri.service removal - service: - daemon_reload: yes - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jibri_service_stat.stat.exists" - -- name: Ensure Matrix jitsi-jibri paths doesn't exist - file: - path: "{{ matrix_jitsi_jibri_base_path }}" - state: absent - when: "not matrix_jitsi_enabled|bool" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/templates/jibri/env.j2 b/roles/matrix-jitsi/templates/jibri/env.j2 deleted file mode 100644 index 71862ca2..00000000 --- a/roles/matrix-jitsi/templates/jibri/env.j2 +++ /dev/null @@ -1,17 +0,0 @@ -PUBLIC_URL={{ matrix_jitsi_web_public_url }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} -XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} -JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} -JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} -JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} -JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} -JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} -JIBRI_RECORDING_DIR=/config/recordings -JIBRI_FINALIZE_RECORDING_SCRIPT_PATH -JIBRI_STRIP_DOMAIN_JID=muc -JIBRI_LOGS_DIR=/config/logs -DISPLAY=:0 -TZ={{ matrix_jitsi_timezone }} \ No newline at end of file diff --git a/roles/matrix-jitsi/templates/jibri/matrix-jitsi-jibri.service.j2 b/roles/matrix-jitsi/templates/jibri/matrix-jitsi-jibri.service.j2 deleted file mode 100644 index 044b9e69..00000000 --- a/roles/matrix-jitsi/templates/jibri/matrix-jitsi-jibri.service.j2 +++ /dev/null @@ -1,39 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix jitsi-jibri server -{% for service in matrix_jitsi_jibri_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jibri 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jibri 2>/dev/null' - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jibri \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - --env-file={{ matrix_jitsi_jibri_base_path }}/env \ -# --device=/dev/snd:/dev/snd \ - --mount type=bind,src=/dev/snd,dst=/dev/snd \ - --mount type=bind,src={{ matrix_jitsi_jibri_config_path }},dst=/config \ -# --volume={{ matrix_jitsi_jibri_config_path }}:/config:Z \ - --volume=/dev/shm:/dev/shm \ - --cap-add=SYS_ADMIN \ - --cap-add=NET_BIND_SERVICE \ - {% for arg in matrix_jitsi_jibri_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_jitsi_jibri_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jibri 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jibri 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-jitsi-jibri - -[Install] -WantedBy=multi-user.target From d87947c7793320aa5ef7024db8d5d3cc0e1dcc3e Mon Sep 17 00:00:00 2001 From: sak Date: Thu, 1 Jul 2021 15:42:18 +0530 Subject: [PATCH 2309/2384] remove jibri --- logs/log.0.txt | 71 -------------------------------------------------- 1 file changed, 71 deletions(-) delete mode 100644 logs/log.0.txt diff --git a/logs/log.0.txt b/logs/log.0.txt deleted file mode 100644 index 3deaf28d..00000000 --- a/logs/log.0.txt +++ /dev/null @@ -1,71 +0,0 @@ -2021-06-25 04:54:56.392 INFO: [1] org.jitsi.jibri.Main.log() Jibri run with args [--config, /etc/jitsi/jibri/config.json] -2021-06-25 04:54:56.471 INFO: [1] org.jitsi.jibri.Main.log() Checking legacy config file /etc/jitsi/jibri/config.json -2021-06-25 04:54:57.150 INFO: [1] org.jitsi.jibri.Main.log() Parsed legacy config: -JibriConfig(jibriId=null, recordingDirectory=/config/recordings, singleUseMode=null, enabledStatsD=null, finalizeRecordingScriptPath=null, xmppEnvironments=[XmppEnvironmentConfig(name=prod environment, xmppServerHosts=[xmpp.meet.jitsi], xmppDomain=meet.jitsi, baseUrl=https://jitsi.domain.tld, controlLogin=XmppCredentials(domain=auth.meet.jitsi, port=null, username=jibri, password=e54e91c82a9081af3f4c93b1bfab5a69), controlMuc=XmppMuc(domain=internal-muc.meet.jitsi, roomName=jibribrewery, nickname=jibri-instanse-075102036), sipControlMuc=null, callLogin=XmppCredentials(domain=recorder.meet.jitsi, port=null, username=recorder, password=ab79147973e1ee2deb0dfad0fb1e4113), stripFromRoomDomain=muc., usageTimeoutMins=0, trustAllXmppCerts=true)]) -2021-06-25 04:54:57.178 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: checking for value via suppliers: - LambdaSupplier: 'JibriConfig::jibriId' - ConfigSourceSupplier: key: 'jibri.id', type: 'kotlin.String', source: 'config' -2021-06-25 04:54:57.179 FINE: [1] org.jitsi.jibri.config.log() LambdaSupplier: Trying to retrieve value via JibriConfig::jibriId -2021-06-25 04:54:57.180 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: failed to find value via LambdaSupplier: 'JibriConfig::jibriId': org.jitsi.metaconfig.ConfigException$UnableToRetrieve$Error: class java.lang.NullPointerException -2021-06-25 04:54:57.181 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'jibri.id' from source 'config' as type kotlin.String -2021-06-25 04:54:57.199 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Successfully retrieved key 'jibri.id' from source 'config' as type kotlin.String -2021-06-25 04:54:57.200 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: value found via ConfigSourceSupplier: key: 'jibri.id', type: 'kotlin.String', source: 'config' -2021-06-25 04:54:57.200 INFO: [1] org.jitsi.jibri.Main.log() Jibri starting up with id -2021-06-25 04:54:57.205 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: checking for value via suppliers: - LambdaSupplier: 'JibriConfig::enableStatsD' - ConfigSourceSupplier: key: 'jibri.stats.enable-stats-d', type: 'kotlin.Boolean', source: 'config' -2021-06-25 04:54:57.206 FINE: [1] org.jitsi.jibri.config.log() LambdaSupplier: Trying to retrieve value via JibriConfig::enableStatsD -2021-06-25 04:54:57.206 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: failed to find value via LambdaSupplier: 'JibriConfig::enableStatsD': org.jitsi.metaconfig.ConfigException$UnableToRetrieve$Error: class java.lang.NullPointerException -2021-06-25 04:54:57.206 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'jibri.stats.enable-stats-d' from source 'config' as type kotlin.Boolean -2021-06-25 04:54:57.208 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Successfully retrieved key 'jibri.stats.enable-stats-d' from source 'config' as type kotlin.Boolean -2021-06-25 04:54:57.208 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: value found via ConfigSourceSupplier: key: 'jibri.stats.enable-stats-d', type: 'kotlin.Boolean', source: 'config' -2021-06-25 04:54:57.221 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: checking for value via suppliers: - ConfigSourceSupplier: key: 'jibri.webhook.subscribers', type: 'kotlin.collections.List', source: 'config' -2021-06-25 04:54:57.222 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'jibri.webhook.subscribers' from source 'config' as type kotlin.collections.List -2021-06-25 04:54:57.228 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Successfully retrieved key 'jibri.webhook.subscribers' from source 'config' as type kotlin.collections.List -2021-06-25 04:54:57.228 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: value found via ConfigSourceSupplier: key: 'jibri.webhook.subscribers', type: 'kotlin.collections.List', source: 'config' -2021-06-25 04:54:57.625 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'jibri.jwt-info' from source 'config' as type com.typesafe.config.ConfigObject -2021-06-25 04:54:57.635 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Successfully retrieved key 'jibri.jwt-info' from source 'config' as type com.typesafe.config.ConfigObject -2021-06-25 04:54:57.636 INFO: [1] org.jitsi.jibri.webhooks.v1.JwtInfo.log() got jwtConfig: {} - -2021-06-25 04:54:57.637 INFO: [1] org.jitsi.jibri.webhooks.v1.JwtInfo.log() Unable to create JwtInfo: com.typesafe.config.ConfigException$Missing: reference.conf @ jar:file:/opt/jitsi/jibri/jibri.jar!/reference.conf: 59: No configuration setting found for key 'signing-key-path' -2021-06-25 04:54:57.657 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: checking for value via suppliers: - ConfigSourceSupplier: key: 'internal_http_port', type: 'kotlin.Int', source: 'command line args' - ConfigSourceSupplier: key: 'jibri.api.http.internal-api-port', type: 'kotlin.Int', source: 'config' -2021-06-25 04:54:57.658 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'internal_http_port' from source 'command line args' as type kotlin.Int -2021-06-25 04:54:57.660 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: failed to find value via ConfigSourceSupplier: key: 'internal_http_port', type: 'kotlin.Int', source: 'command line args': org.jitsi.metaconfig.ConfigException$UnableToRetrieve$NotFound: not found -2021-06-25 04:54:57.660 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'jibri.api.http.internal-api-port' from source 'config' as type kotlin.Int -2021-06-25 04:54:57.662 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Successfully retrieved key 'jibri.api.http.internal-api-port' from source 'config' as type kotlin.Int -2021-06-25 04:54:57.663 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: value found via ConfigSourceSupplier: key: 'jibri.api.http.internal-api-port', type: 'kotlin.Int', source: 'config' -2021-06-25 04:54:57.663 INFO: [1] org.jitsi.jibri.Main.log() Using port 3333 for internal HTTP API -2021-06-25 04:54:57.669 FINE: [26] org.jitsi.jibri.webhooks.v1.WebhookClient.log() Updating 0 subscribers of status -2021-06-25 04:54:57.827 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: checking for value via suppliers: - LambdaSupplier: 'JibriConfig::xmppEnvironments' - TypeConvertingSupplier: converting value from ConfigSourceSupplier: key: 'jibri.api.xmpp.environments', type: 'kotlin.collections.List', source: 'config' -2021-06-25 04:54:57.827 FINE: [1] org.jitsi.jibri.config.log() LambdaSupplier: Trying to retrieve value via JibriConfig::xmppEnvironments -2021-06-25 04:54:57.827 FINE: [1] org.jitsi.jibri.config.log() LambdaSupplier: 'JibriConfig::xmppEnvironments': found value -2021-06-25 04:54:57.828 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: value found via LambdaSupplier: 'JibriConfig::xmppEnvironments' -2021-06-25 04:54:57.934 INFO: [1] org.jitsi.jibri.api.xmpp.XmppApi.log() Jibri reports its status is now JibriStatus(busyStatus=IDLE, health=OverallHealth(healthStatus=HEALTHY, details={})), publishing presence to connections -2021-06-25 04:54:57.936 FINE: [1] org.jitsi.xmpp.mucclient.MucClientManager.log() Setting a presence extension: org.jitsi.xmpp.extensions.jibri.JibriStatusPacketExt@18e8473e -2021-06-25 04:54:57.942 INFO: [1] org.jitsi.jibri.api.xmpp.XmppApi.log() Connecting to xmpp environment on xmpp.meet.jitsi with config XmppEnvironmentConfig(name=prod environment, xmppServerHosts=[xmpp.meet.jitsi], xmppDomain=meet.jitsi, baseUrl=https://jitsi.domain.tld, controlLogin=XmppCredentials(domain=auth.meet.jitsi, port=null, username=jibri, password=e54e91c82a9081af3f4c93b1bfab5a69), controlMuc=XmppMuc(domain=internal-muc.meet.jitsi, roomName=jibribrewery, nickname=jibri-instanse-075102036), sipControlMuc=null, callLogin=XmppCredentials(domain=recorder.meet.jitsi, port=null, username=recorder, password=ab79147973e1ee2deb0dfad0fb1e4113), stripFromRoomDomain=muc., usageTimeoutMins=0, trustAllXmppCerts=true) -2021-06-25 04:54:57.943 INFO: [1] org.jitsi.jibri.api.xmpp.XmppApi.log() The trustAllXmppCerts config is enabled for this domain, all XMPP server provided certificates will be accepted -2021-06-25 04:54:57.966 FINE: [39] org.jitsi.xmpp.mucclient.MucClient.log() Initializing a new MucClient for [ org.jitsi.xmpp.mucclient.MucClientConfiguration id=xmpp.meet.jitsi domain=auth.meet.jitsi hostname=xmpp.meet.jitsi port=null username=jibri mucs=[jibribrewery@internal-muc.meet.jitsi] mucNickname=jibri-instanse-075102036 disableCertificateVerification=true] -2021-06-25 04:54:57.967 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: checking for value via suppliers: - ConfigSourceSupplier: key: 'http_api_port', type: 'kotlin.Int', source: 'command line args' - ConfigSourceSupplier: key: 'jibri.api.http.external-api-port', type: 'kotlin.Int', source: 'config' -2021-06-25 04:54:57.967 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'http_api_port' from source 'command line args' as type kotlin.Int -2021-06-25 04:54:57.968 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: failed to find value via ConfigSourceSupplier: key: 'http_api_port', type: 'kotlin.Int', source: 'command line args': org.jitsi.metaconfig.ConfigException$UnableToRetrieve$NotFound: not found -2021-06-25 04:54:57.968 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Trying to retrieve key 'jibri.api.http.external-api-port' from source 'config' as type kotlin.Int -2021-06-25 04:54:57.969 FINE: [1] org.jitsi.jibri.config.log() ConfigSourceSupplier: Successfully retrieved key 'jibri.api.http.external-api-port' from source 'config' as type kotlin.Int -2021-06-25 04:54:57.970 FINE: [1] org.jitsi.jibri.config.log() FallbackSupplier: value found via ConfigSourceSupplier: key: 'jibri.api.http.external-api-port', type: 'kotlin.Int', source: 'config' -2021-06-25 04:54:57.970 WARNING: [39] org.jitsi.xmpp.mucclient.MucClient.log() Disabling certificate verification! -2021-06-25 04:54:57.970 INFO: [1] org.jitsi.jibri.Main.log() Using port 2222 for HTTP API -2021-06-25 04:54:57.999 FINE: [39] org.jitsi.xmpp.mucclient.MucClient.log() About to connect and login. -2021-06-25 04:54:58.154 INFO: [39] org.jitsi.xmpp.mucclient.MucClient.log() Connected. -2021-06-25 04:54:58.155 INFO: [39] org.jitsi.xmpp.mucclient.MucClient.log() Logging in. -2021-06-25 04:54:58.210 FINE: [39] org.jitsi.xmpp.mucclient.MucClient.log() Authenticated, b=false -2021-06-25 04:54:58.210 FINE: [39] org.jitsi.xmpp.mucclient.MucClient.log() About to join MUCs: [jibribrewery@internal-muc.meet.jitsi] -2021-06-25 04:54:58.226 INFO: [39] org.jitsi.xmpp.mucclient.MucClient.log() Joined MUC: jibribrewery@internal-muc.meet.jitsi -2021-06-25 04:54:58.234 FINE: [55] org.jitsi.xmpp.extensions.DefaultPacketExtensionProvider.parse() Could not add a provider for element busy-status from namespace http://jitsi.org/protocol/jibri -2021-06-25 04:54:58.234 FINE: [55] org.jitsi.xmpp.extensions.DefaultPacketExtensionProvider.parse() Could not add a provider for element health-status from namespace http://jitsi.org/protocol/health -021-06-25 04:55:57.654 FINE: [26] org.jitsi.jibri.webhooks.v1.WebhookClient.log() Updating 0 subscribers of status From a7d51d493afb6c521451f33a8151716355eabacb Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Thu, 1 Jul 2021 22:16:01 +0200 Subject: [PATCH 2310/2384] Correct broken documentation link Recently, documentation on Synapse has been changed from .rst to .md. Therefore, the current links for the purge history API were resulting in a 404 error. --- docs/maintenance-synapse.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index 62bb8b16..9727f450 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -14,7 +14,7 @@ Table of contents: ## Purging old data with the Purge History API -You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst)** to delete old messages on a per-room basis. **This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**. +You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.md)** to delete old messages on a per-room basis. **This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**. To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like Element). Alternatively, you can log in and obtain a new access token like this: @@ -27,7 +27,7 @@ https://matrix.DOMAIN/_matrix/client/r0/login Synapse's Admin API is not exposed to the internet by default. To expose it you will need to add `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` to your `vars.yml` file. -Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) documentation page for the actual purging instructions. +Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.md) documentation page for the actual purging instructions. After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql). From 19ed8d1d1706a052406e863b96b949922e6377c8 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Jul 2021 00:10:59 -0500 Subject: [PATCH 2311/2384] Upgrade mjolnir (0.1.17 -> 0.1.18) and implement self building --- docs/self-building.md | 1 + group_vars/matrix_servers | 2 ++ roles/matrix-bot-mjolnir/defaults/main.yml | 11 +++++++-- roles/matrix-bot-mjolnir/tasks/init.yml | 7 ++++++ .../tasks/setup_install.yml | 24 ++++++++++++++++++- 5 files changed, 42 insertions(+), 3 deletions(-) diff --git a/docs/self-building.md b/docs/self-building.md index 303344ac..50fef2a3 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -26,6 +26,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-bridge-mautrix-hangouts` - `matrix-bridge-mautrix-telegram` - `matrix-bridge-mx-puppet-skype` +- `matrix-bot-mjolnir` Adding self-building support to other roles is welcome. Feel free to contribute! diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 96b933f3..9883abf0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -851,6 +851,8 @@ matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_en # We don't enable bots by default. matrix_bot_mjolnir_enabled: false +matrix_bot_mjolnir_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" + matrix_bot_mjolnir_systemd_required_services_list: | {{ ['docker.service'] diff --git a/roles/matrix-bot-mjolnir/defaults/main.yml b/roles/matrix-bot-mjolnir/defaults/main.yml index f97e997c..6138e922 100644 --- a/roles/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/matrix-bot-mjolnir/defaults/main.yml @@ -2,13 +2,20 @@ # See: https://github.com/matrix-org/mjolnir matrix_bot_mjolnir_enabled: true -matrix_bot_mjolnir_version: "v0.1.17" -matrix_bot_mjolnir_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" + +matrix_bot_mjolnir_version: "v0.1.18" + +matrix_bot_mjolnir_container_image_self_build: false +matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git" + +matrix_bot_mjolnir_docker_image: "{{ matrix_bot_mjolnir_docker_image_name_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" +matrix_bot_mjolnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_mjolnir_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}" matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir" matrix_bot_mjolnir_config_path: "{{ matrix_bot_mjolnir_base_path }}/config" matrix_bot_mjolnir_data_path: "{{ matrix_bot_mjolnir_base_path }}/data" +matrix_bot_mjolnir_docker_src_files_path: "{{ matrix_bot_mjolnir_base_path }}/docker-src" # A list of extra arguments to pass to the container matrix_bot_mjolnir_container_extra_arguments: [] diff --git a/roles/matrix-bot-mjolnir/tasks/init.yml b/roles/matrix-bot-mjolnir/tasks/init.yml index d54684d2..b8ab58f1 100644 --- a/roles/matrix-bot-mjolnir/tasks/init.yml +++ b/roles/matrix-bot-mjolnir/tasks/init.yml @@ -1,3 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Mjolnir image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_bot_mjolnir_container_image_self_build and matrix_bot_mjolnir_enabled" + - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-mjolnir.service'] }}" when: matrix_bot_mjolnir_enabled|bool diff --git a/roles/matrix-bot-mjolnir/tasks/setup_install.yml b/roles/matrix-bot-mjolnir/tasks/setup_install.yml index 4c18bf6a..e770b6d5 100644 --- a/roles/matrix-bot-mjolnir/tasks/setup_install.yml +++ b/roles/matrix-bot-mjolnir/tasks/setup_install.yml @@ -14,14 +14,36 @@ - { path: "{{ matrix_bot_mjolnir_base_path }}", when: true } - { path: "{{ matrix_bot_mjolnir_config_path }}", when: true } - { path: "{{ matrix_bot_mjolnir_data_path }}", when: true } + - { path: "{{ matrix_bot_mjolnir_docker_src_files_path }}", when: "{{ matrix_bot_mjolnir_container_image_self_build }}" } when: "item.when|bool" -- name: Ensure mjolnir image is pulled +- name: Ensure mjolnir Docker image is pulled docker_image: name: "{{ matrix_bot_mjolnir_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_bot_mjolnir_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_mjolnir_docker_image_force_pull }}" + when: "not matrix_bot_mjolnir_container_image_self_build|bool" + +- name: Ensure mjolnir repository is present on self-build + git: + repo: "{{ matrix_bot_mjolnir_container_image_self_build_repo }}" + dest: "{{ matrix_bot_mjolnir_docker_src_files_path }}" + version: "{{ matrix_bot_mjolnir_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_bot_mjolnir_git_pull_results + when: "matrix_bot_mjolnir_container_image_self_build|bool" + +- name: Ensure mjolnir Docker image is built + docker_image: + name: "{{ matrix_bot_mjolnir_docker_image }}" + source: build + force_source: "{{ matrix_bot_mjolnir_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_bot_mjolnir_docker_src_files_path }}" + pull: yes + when: "matrix_bot_mjolnir_container_image_self_build|bool" - name: Ensure matrix-bot-mjolnir config installed copy: From fc16fbda5bbccf8d2ba64eaf05dbe86c85d3eee0 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Fri, 2 Jul 2021 00:14:37 -0500 Subject: [PATCH 2312/2384] Remove a bunch of redundant Ansible <2.8 self building checks --- roles/matrix-bridge-mautrix-facebook/tasks/init.yml | 7 ------- roles/matrix-bridge-mautrix-hangouts/tasks/init.yml | 7 ------- roles/matrix-bridge-mautrix-instagram/tasks/init.yml | 7 ------- roles/matrix-bridge-mx-puppet-discord/tasks/init.yml | 7 ------- roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml | 7 ------- roles/matrix-bridge-mx-puppet-skype/tasks/init.yml | 7 ------- roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 7 ------- roles/matrix-bridge-mx-puppet-steam/tasks/init.yml | 7 ------- roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml | 7 ------- 9 files changed, 63 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml index fdfdfdae..cf67f227 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml @@ -21,10 +21,3 @@ + {{ ["/matrix-mautrix-facebook-registration.yaml"] }} when: matrix_mautrix_facebook_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build" diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 63a04618..6cc194fe 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -67,10 +67,3 @@ URL endpoint to the matrix-mautrix-hangouts container. You can expose the container's port using the `matrix_mautrix_hangouts_container_http_host_bind_port` variable. when: "matrix_mautrix_hangouts_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)" - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Mautrix Hangouts image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build" diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml index c0b7da32..c44855d8 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/init.yml @@ -21,10 +21,3 @@ + {{ ["/matrix-mautrix-instagram-registration.yaml"] }} when: matrix_mautrix_instagram_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Mautrix instagram image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml index 33d35e60..6fa43037 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml @@ -21,10 +21,3 @@ + {{ ["/matrix-mx-puppet-discord-registration.yaml"] }} when: matrix_mx_puppet_discord_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml index 4cd3c6b3..b4469ea1 100644 --- a/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml @@ -21,10 +21,3 @@ + {{ ["/matrix-mx-puppet-groupme-registration.yaml"] }} when: matrix_mx_puppet_groupme_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml index e8ed1a3a..5618821b 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -21,10 +21,3 @@ + {{ ["/matrix-mx-puppet-skype-registration.yaml"] }} when: matrix_mx_puppet_skype_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Puppet Skype image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index 716cb351..f484c687 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -68,10 +68,3 @@ URL endpoint to the matrix-mx-puppet-slack container. You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable. when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined" - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml index 38d0f9a2..c3218e89 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml @@ -21,10 +21,3 @@ + {{ ["/matrix-mx-puppet-steam-registration.yaml"] }} when: matrix_mx_puppet_steam_enabled|bool - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index f23a6a64..06cf83fa 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -68,10 +68,3 @@ URL endpoint to the matrix-mx-puppet-twitter container. You can expose the container's port using the `matrix_mx_puppet_twitter_container_http_host_bind_port` variable. when: "matrix_mx_puppet_twitter_enabled|bool and matrix_nginx_proxy_enabled is not defined" - -# ansible lower than 2.8, does not support docker_image build parameters -# for self building it is explicitly needed, so we rather fail here -- name: Fail if running on Ansible lower than 2.8 and trying self building - fail: - msg: "To self build Puppet Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build" From 55452c3068b7349bcb3af1899125cac7e9854af7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 2 Jul 2021 08:28:44 +0300 Subject: [PATCH 2313/2384] Update Mjolnir (v0.1.17 -> v0.1.18) --- roles/matrix-bot-mjolnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bot-mjolnir/defaults/main.yml b/roles/matrix-bot-mjolnir/defaults/main.yml index f97e997c..5c22cef8 100644 --- a/roles/matrix-bot-mjolnir/defaults/main.yml +++ b/roles/matrix-bot-mjolnir/defaults/main.yml @@ -2,7 +2,7 @@ # See: https://github.com/matrix-org/mjolnir matrix_bot_mjolnir_enabled: true -matrix_bot_mjolnir_version: "v0.1.17" +matrix_bot_mjolnir_version: "v0.1.18" matrix_bot_mjolnir_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}" matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}" From 7acaef89dfcd3c93ba2bea30dd7051f22fcaa9eb Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Fri, 2 Jul 2021 14:11:09 +0800 Subject: [PATCH 2314/2384] GoMatrixHosting v0.5.1 --- roles/matrix-awx/tasks/set_variables_synapse.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index 6459f5a2..e2b2da13 100755 --- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -1,13 +1,13 @@ -- name: Limit max upload size to 100MB part 1 +- name: Limit max upload size to 200MB part 1 set_fact: - matrix_synapse_max_upload_size_mb: "100" - when: matrix_synapse_max_upload_size_mb_raw|int >= 100 + matrix_synapse_max_upload_size_mb: "200" + when: matrix_synapse_max_upload_size_mb_raw|int >= 200 -- name: Limit max upload size to 100MB part 2 +- name: Limit max upload size to 200MB part 2 set_fact: matrix_synapse_max_upload_size_mb: "{{ matrix_synapse_max_upload_size_mb_raw }}" - when: matrix_synapse_max_upload_size_mb_raw|int < 100 + when: matrix_synapse_max_upload_size_mb_raw|int < 200 - name: Record Synapse variables locally on AWX delegate_to: 127.0.0.1 From 8b146f083ef3bf78c0bf0cc27658631d96ea30dd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 2 Jul 2021 17:00:10 +0300 Subject: [PATCH 2315/2384] Disable turns when Let's Encrypt is used Supersedes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1145 --- group_vars/matrix_servers | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9883abf0..c9928607 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1474,7 +1474,7 @@ matrix_postgres_additional_databases: | 'username': matrix_prometheus_postgres_exporter_database_username, 'password': matrix_prometheus_postgres_exporter_database_password, }] if (matrix_prometheus_postgres_exporter_enabled and matrix_prometheus_postgres_exporter_database_hostname == 'matrix-postgres') else []) - + }} matrix_postgres_import_roles_to_ignore: | @@ -1671,16 +1671,23 @@ matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>" # Even if TURN doesn't support TLS (it does by default), # it doesn't hurt to try a secure connection anyway. +# +# When Let's Encrypt certificates are used (the default case), +# we don't enable `turns` endpoints, because WebRTC in Element can't talk to them. +# Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1145 matrix_synapse_turn_uris: | {{ + [] + + [ 'turns:' + matrix_server_fqn_matrix + '?transport=udp', 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', + ] if matrix_coturn_enabled and matrix_ssl_retrieval_method != 'lets-encrypt' else [] + + + [ 'turn:' + matrix_server_fqn_matrix + '?transport=udp', 'turn:' + matrix_server_fqn_matrix + '?transport=tcp', - ] - if matrix_coturn_enabled - else [] + ] if matrix_coturn_enabled else [] }} matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" From 37773347782b0365c03899c248587bb98f93bd8f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 2 Jul 2021 17:05:08 +0300 Subject: [PATCH 2316/2384] Do not try to use TURNS when TLS disabled for Coturn Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1145 --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c9928607..2fc2b825 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1682,7 +1682,7 @@ matrix_synapse_turn_uris: | [ 'turns:' + matrix_server_fqn_matrix + '?transport=udp', 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', - ] if matrix_coturn_enabled and matrix_ssl_retrieval_method != 'lets-encrypt' else [] + ] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_ssl_retrieval_method != 'lets-encrypt' else [] + [ 'turn:' + matrix_server_fqn_matrix + '?transport=udp', From 2aa457efcc0a973d062d8240760e7095226199b4 Mon Sep 17 00:00:00 2001 From: Stuart Mumford Date: Fri, 2 Jul 2021 15:41:36 +0000 Subject: [PATCH 2317/2384] Use a prom variable and not a synapse role variable --- group_vars/matrix_servers | 1 + roles/matrix-prometheus/defaults/main.yml | 1 + roles/matrix-prometheus/templates/prometheus.yml.j2 | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 96b933f3..f52b4f10 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1768,6 +1768,7 @@ matrix_prometheus_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_en matrix_prometheus_scraper_synapse_enabled: "{{ matrix_synapse_enabled and matrix_synapse_metrics_enabled }}" matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}'] +matrix_prometheus_scraper_synapse_workers_enabled_list: "{{ matrix_synapse_workers_enabled_list }}" matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}" matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}" diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 3cd2599b..79282f91 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -34,6 +34,7 @@ matrix_prometheus_scraper_synapse_rules_synapse_tag: "master" matrix_prometheus_scraper_synapse_rules_download_url: "https://raw.githubusercontent.com/matrix-org/synapse/{{ matrix_prometheus_scraper_synapse_rules_synapse_tag }}/contrib/prometheus/synapse-v2.rules" matrix_prometheus_scraper_synapse_targets: [] +matrix_prometheus_scraper_synapse_workers_enabled_list: [] # Tells whether the "node" scraper configuration is enabled. # This configuration aims to scrape the current node (this server). diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 index 21a31ce1..869b2da8 100644 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -35,7 +35,7 @@ scrape_configs: instance: {{ matrix_domain }} job: master index: 0 - {% for worker in matrix_synapse_workers_enabled_list|d([]) %} + {% for worker in matrix_prometheus_scraper_synapse_workers_enabled_list %} {% if worker.metrics_port != 0 %} - targets: ['matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}'] labels: From 1ad9bba88fcd8b45616dc67493f54bba8e62b242 Mon Sep 17 00:00:00 2001 From: Neutron Date: Fri, 2 Jul 2021 20:58:57 +0300 Subject: [PATCH 2318/2384] Skip importing validate_config task when Synapse is disabled --- roles/matrix-synapse/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml index e366a13f..8bf1c563 100644 --- a/roles/matrix-synapse/tasks/main.yml +++ b/roles/matrix-synapse/tasks/main.yml @@ -3,7 +3,7 @@ - always - import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup|bool + when: run_setup|bool and matrix_synapse_enabled|bool tags: - setup-all - setup-synapse From b6d71b9da1f4adb21386f62d6029e79cfdf9826b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 3 Jul 2021 10:06:09 +0300 Subject: [PATCH 2319/2384] Fix self-building for Coturn Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1158 --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index e785877f..45565686 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -2,7 +2,7 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn" -matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r2" +matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" matrix_coturn_version: 4.5.2-r2 From 29b6d011d757662567df437e99aa98693e4f04c7 Mon Sep 17 00:00:00 2001 From: Sergei Shikalov Date: Mon, 5 Jul 2021 14:47:50 +0700 Subject: [PATCH 2320/2384] Fix template syntax error in OIDC SSO example --- docs/configuring-playbook-synapse.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index e152e662..50860a17 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md @@ -56,7 +56,7 @@ Certain Synapse administration tasks (managing users and rooms, etc.) can be per If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)). -In case you encounter errors regarding the parsing of the variables, you can try to add `{%raw}` and `{% endraw %}` blocks around them. For example ; +In case you encounter errors regarding the parsing of the variables, you can try to add `{% raw %}` and `{% endraw %}` blocks around them. For example ; ``` - idp_id: keycloak @@ -70,7 +70,7 @@ In case you encounter errors regarding the parsing of the variables, you can try userinfo_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/userinfo" user_mapping_provider: config: - display_name_template: "{%raw}{{ user.given_name }}{% endraw %} {%raw}{{ user.family_name }}{% endraw %}" - email_template: "{%raw}{{ user.email }}{% endraw %}" + display_name_template: "{% raw %}{{ user.given_name }}{% endraw %} {% raw %}{{ user.family_name }}{% endraw %}" + email_template: "{% raw %}{{ user.email }}{% endraw %}" ``` From 1c938c72fd87929ca907206ee3b5f2ba19d2185e Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Tue, 6 Jul 2021 14:51:36 +0800 Subject: [PATCH 2321/2384] GoMatrixHosting 0.5.2 --- roles/matrix-awx/tasks/set_variables_synapse.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index e2b2da13..cd200f5f 100755 --- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -66,7 +66,7 @@ delegate_to: 127.0.0.1 lineinfile: path: '{{ awx_cached_matrix_vars }}' - regexp: "{{ item }}:" + regexp: "{{ item }}" line: "{{ item }}" insertbefore: '# Synapse Extension End' with_items: @@ -78,7 +78,7 @@ delegate_to: 127.0.0.1 lineinfile: path: '{{ awx_cached_matrix_vars }}' - regexp: "{{ item }}:" + regexp: "{{ item }}" line: "{{ item }}" insertbefore: '# Synapse Extension End' state: absent From 49455a9ce0b2aab9ec51f3ddf80862c351d7c5d8 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Wed, 7 Jul 2021 21:53:05 +0530 Subject: [PATCH 2322/2384] prometheus version 2.28.0 -> 2.28.1 --- roles/matrix-prometheus/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 79282f91..3725993c 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.28.0 +matrix_prometheus_version: v2.28.1 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" From f6e0cbe5f3887c707e06b0f6d47a2a04fa1ca1f8 Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Thu, 8 Jul 2021 09:46:29 +0800 Subject: [PATCH 2323/2384] did i even update this --- roles/matrix-awx/surveys/backup_server.json.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-awx/surveys/backup_server.json.j2 b/roles/matrix-awx/surveys/backup_server.json.j2 index 80782b74..acb6e356 100644 --- a/roles/matrix-awx/surveys/backup_server.json.j2 +++ b/roles/matrix-awx/surveys/backup_server.json.j2 @@ -16,4 +16,3 @@ } ] } - From 3fa895fe96144be7e4554ba5a0e63e30df704b44 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 9 Jul 2021 11:26:13 +0300 Subject: [PATCH 2324/2384] Upgrade Element (1.7.31 -> 1.7.32) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index c4e6a162..e83c5717 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.31 +matrix_client_element_version: v1.7.32 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 7a51268dfc915b14029788bb9f9c758b8fb0b9d8 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Fri, 9 Jul 2021 17:51:27 +0530 Subject: [PATCH 2325/2384] Upgrade certbot & nginx Upgrade certbot (v1.16.0 -> v1.17.0) nginx (1.21.0 -> 1.21.1) --- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index e71a1038..ba467ad3 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -1,5 +1,5 @@ matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.21.0-alpine +matrix_nginx_proxy_version: 1.21.1-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but @@ -404,7 +404,7 @@ matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.16.0" +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.17.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ From cd54147144f41ecf6156d3ea85f02a4cb74a97e5 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Fri, 9 Jul 2021 17:55:15 +0530 Subject: [PATCH 2326/2384] Upgrade grafana (8.0.3 -> 8.0.5) --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 3f7746b8..88359fe1 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.0.3 +matrix_grafana_version: 8.0.5 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From 83b9908c9db03a29c0f2be8a8f972d3c3ba8c0be Mon Sep 17 00:00:00 2001 From: Markus <48181660+BackInBash@users.noreply.github.com> Date: Sat, 10 Jul 2021 14:09:08 +0200 Subject: [PATCH 2327/2384] Update to ma1sd v2.5.0 --- roles/matrix-ma1sd/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 7ab0d15e..036db4ca 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -7,9 +7,9 @@ matrix_ma1sd_container_image_self_build: false matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git" matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}" -matrix_ma1sd_architecture: "amd64" +matrix_ma1sd_architecture: "" -matrix_ma1sd_version: "2.4.0" +matrix_ma1sd_version: "2.5.0" matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}" matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else matrix_container_global_registry_prefix }}" From 2e0eddde9d2d5d0d5704da6c3be7286262663355 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 10 Jul 2021 19:40:53 +0300 Subject: [PATCH 2328/2384] Upgrade matrix-corporal (2.1.0 -> 2.1.1) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 05af8046..881bee67 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: [] # List of systemd services that matrix-corporal.service depends on matrix_corporal_systemd_required_services_list: ['docker.service'] -matrix_corporal_version: 2.1.0 +matrix_corporal_version: 2.1.1 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility From c198320f658a2f150f10fed73ce1e420ada96c93 Mon Sep 17 00:00:00 2001 From: Janar Juusu Date: Tue, 13 Jul 2021 20:56:47 +0300 Subject: [PATCH 2329/2384] feat: update synapse to 1.38.0 --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d021bc5b..02b8d157 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.37.1 -matrix_synapse_version_arm64: v1.37.1 +matrix_synapse_version: v1.38.0 +matrix_synapse_version_arm64: v1.38.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From f732a75ca5ba4666d38c1541636b81499f85967b Mon Sep 17 00:00:00 2001 From: Toorero Date: Wed, 14 Jul 2021 03:04:15 +0200 Subject: [PATCH 2330/2384] Added selfbuild functionality to mautrix-signal bridge --- .../defaults/main.yml | 4 ++++ .../tasks/setup_install.yml | 23 ++++++++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 50240548..8c121c03 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -3,6 +3,10 @@ matrix_mautrix_signal_enabled: true +matrix_mautrix_signal_self_build: false +matrix_mautrix_signal_docker_repo: "https://mau.dev/tulir/mautrix-signal.git" +matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" + matrix_mautrix_signal_version: latest matrix_mautrix_signal_daemon_version: latest # See: https://mau.dev/tulir/mautrix-signal/container_registry diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index 61c6adff..f90043d8 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -8,13 +8,34 @@ The matrix-bridge-mautrix-signal role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- name: Ensure Mautrix Signal repository is present on self-build + git: + repo: "{{ matrix_mautrix_signal_docker_repo }}" + dest: "{{ matrix_mautrix_signal_docker_src_files_path }}" + force: "yes" + register: matrix_mautrix_signal_git_pull_results + when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_container_self_build|bool" + +- name: Ensure Mautrix Signal image is built + docker_image: + name: "{{ matrix_mautrix_signal_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_signal_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_signal_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_container_self_build|bool" + - name: Ensure Mautrix Signal image is pulled docker_image: name: "{{ matrix_mautrix_signal_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" - when: matrix_mautrix_signal_enabled|bool + when: "matrix_mautrix_signal_enabled|bool and not matrix_mautrix_signal_container_self_build|bool" + - name: Ensure Mautrix Signal Daemon image is pulled docker_image: From aa6398a948f87f1c998e6f877823cb44138c4ffe Mon Sep 17 00:00:00 2001 From: Toorero Date: Wed, 14 Jul 2021 22:46:17 +0200 Subject: [PATCH 2331/2384] Autoset self-build for mautrix-signal bridge --- group_vars/matrix_servers | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 931207d2..8e151d15 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -380,6 +380,7 @@ matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key # ###################################################################### +matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" ###################################################################### # From ab0d2055baa9174372c0a1f74f8e2450e8b0f29d Mon Sep 17 00:00:00 2001 From: Toorero Date: Thu, 15 Jul 2021 02:15:07 +0200 Subject: [PATCH 2332/2384] Added proxy config for synapse-admin --- examples/apache/matrix-synapse.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf index e4266b81..ddc362a0 100644 --- a/examples/apache/matrix-synapse.conf +++ b/examples/apache/matrix-synapse.conf @@ -45,6 +45,14 @@ ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client + + # Proxy Admin API (necessary for Synapse-Admin) + # ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon + # ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin + + # Proxy Synapse-Admin + # ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon + # ProxyPassReverse /synapse-admin http://127.0.0.1:8766 # Map /.well-known/matrix/client for client discovery Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client From 03006eb5ab519cebfbf62e5df870b6f02287685a Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Thu, 15 Jul 2021 12:46:38 +0800 Subject: [PATCH 2333/2384] GoMatrixHosting v0.5.5 --- .../tasks/customise_website_access_export.yml | 24 +- roles/matrix-awx/tasks/purge_media_local.yml | 2 +- roles/matrix-awx/tasks/purge_media_main.yml | 13 +- roles/matrix-awx/tasks/purge_media_remote.yml | 2 +- roles/matrix-bot-go-neb/defaults/main.yml | 231 -- roles/matrix-bot-go-neb/tasks/init.yml | 3 - roles/matrix-bot-go-neb/tasks/main.yml | 21 - .../matrix-bot-go-neb/tasks/setup_install.yml | 50 - .../tasks/setup_uninstall.yml | 35 - .../tasks/validate_config.yml | 13 - .../templates/config.yaml.j2 | 44 - .../systemd/matrix-bot-go-neb.service.j2 | 49 - .../defaults/main.yml | 47 - .../matrix-bridge-heisenbridge/tasks/init.yml | 24 - .../matrix-bridge-heisenbridge/tasks/main.yml | 15 - .../tasks/setup_install.yml | 38 - .../tasks/setup_uninstall.yml | 24 - .../systemd/matrix-heisenbridge.service.j2 | 51 - .../matrix-client-hydrogen/defaults/main.yml | 68 - roles/matrix-client-hydrogen/tasks/init.yml | 10 - roles/matrix-client-hydrogen/tasks/main.yml | 15 - .../tasks/self_check.yml | 22 - roles/matrix-client-hydrogen/tasks/setup.yml | 119 - .../tasks/validate_config.yml | 9 - .../templates/config.json.j2 | 3 - .../templates/nginx.conf.j2 | 66 - .../systemd/matrix-client-hydrogen.service.j2 | 39 - roles/matrix-dynamic-dns/defaults/main.yml | 48 - roles/matrix-dynamic-dns/tasks/init.yml | 10 - roles/matrix-dynamic-dns/tasks/install.yml | 62 - roles/matrix-dynamic-dns/tasks/main.yml | 21 - roles/matrix-dynamic-dns/tasks/uninstall.yml | 27 - .../tasks/validate_config.yml | 16 - .../templates/ddclient.conf.j2 | 26 - .../systemd/matrix-dynamic-dns.service.j2 | 36 - roles/matrix-email2matrix/defaults/main.yml | 44 - roles/matrix-email2matrix/tasks/init.yml | 3 - roles/matrix-email2matrix/tasks/main.yml | 15 - .../tasks/setup_email2matrix.yml | 88 - .../tasks/validate_config.yml | 7 - .../templates/config.json.j2 | 14 - .../systemd/matrix-email2matrix.service.j2 | 34 - roles/matrix-etherpad/defaults/main.yml | 87 - roles/matrix-etherpad/tasks/init.yml | 62 - roles/matrix-etherpad/tasks/main.yml | 21 - roles/matrix-etherpad/tasks/setup_install.yml | 36 - .../matrix-etherpad/tasks/setup_uninstall.yml | 35 - .../matrix-etherpad/tasks/validate_config.yml | 11 - .../templates/settings.json.j2 | 105 - .../systemd/matrix-etherpad.service.j2 | 44 - roles/matrix-grafana/defaults/main.yml | 59 - roles/matrix-grafana/tasks/init.yml | 5 - roles/matrix-grafana/tasks/main.yml | 14 - roles/matrix-grafana/tasks/setup.yml | 110 - .../matrix-grafana/tasks/validate_config.yml | 7 - .../templates/dashboards.yaml.j2 | 9 - .../templates/datasources.yaml.j2 | 8 - roles/matrix-grafana/templates/grafana.ini.j2 | 31 - .../systemd/matrix-grafana.service.j2 | 43 - roles/matrix-jitsi/defaults/main.yml | 261 -- roles/matrix-jitsi/tasks/init.yml | 3 - roles/matrix-jitsi/tasks/main.yml | 39 - roles/matrix-jitsi/tasks/setup_jitsi_base.yml | 20 - .../matrix-jitsi/tasks/setup_jitsi_jicofo.yml | 93 - roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 93 - .../tasks/setup_jitsi_prosody.yml | 84 - roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 95 - roles/matrix-jitsi/tasks/validate_config.yml | 43 - roles/matrix-jitsi/templates/jicofo/env.j2 | 17 - .../templates/jicofo/logging.properties.j2 | 20 - .../jicofo/matrix-jitsi-jicofo.service.j2 | 33 - .../jicofo/sip-communicator.properties.j2 | 9 - .../jvb/custom-sip-communicator.properties.j2 | 7 - roles/matrix-jitsi/templates/jvb/env.j2 | 20 - .../templates/jvb/logging.properties.j2 | 13 - .../templates/jvb/matrix-jitsi-jvb.service.j2 | 42 - roles/matrix-jitsi/templates/prosody/env.j2 | 49 - .../prosody/matrix-jitsi-prosody.service.j2 | 37 - .../templates/web/custom-config.js.j2 | 18 - roles/matrix-jitsi/templates/web/env.j2 | 42 - .../templates/web/interface_config.js.j2 | 295 -- .../templates/web/matrix-jitsi-web.service.j2 | 37 - roles/matrix-ma1sd/defaults/main.yml | 163 - roles/matrix-ma1sd/tasks/init.yml | 10 - roles/matrix-ma1sd/tasks/main.yml | 28 - roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 72 - roles/matrix-ma1sd/tasks/self_check_ma1sd.yml | 22 - roles/matrix-ma1sd/tasks/setup_install.yml | 167 - roles/matrix-ma1sd/tasks/setup_uninstall.yml | 35 - roles/matrix-ma1sd/tasks/validate_config.yml | 67 - roles/matrix-ma1sd/templates/ma1sd.yaml.j2 | 104 - .../templates/systemd/matrix-ma1sd.service.j2 | 48 - roles/matrix-ma1sd/vars/main.yml | 5 - roles/matrix-mailer/defaults/main.yml | 31 - roles/matrix-mailer/tasks/init.yml | 10 - roles/matrix-mailer/tasks/main.yml | 9 - roles/matrix-mailer/tasks/setup_mailer.yml | 107 - roles/matrix-mailer/templates/env-mailer.j2 | 9 - .../systemd/matrix-mailer.service.j2 | 37 - roles/matrix-nginx-proxy/defaults/main.yml | 487 --- roles/matrix-nginx-proxy/tasks/init.yml | 8 - roles/matrix-nginx-proxy/tasks/main.yml | 38 - .../tasks/self_check_well_known.yml | 30 - .../tasks/self_check_well_known_file.yml | 73 - .../tasks/setup_nginx_proxy.yml | 272 -- .../tasks/setup_well_known.yml | 24 - roles/matrix-nginx-proxy/tasks/ssl/main.yml | 31 - .../tasks/ssl/setup_ssl_lets_encrypt.yml | 64 - ...tup_ssl_lets_encrypt_obtain_for_domain.yml | 91 - .../tasks/ssl/setup_ssl_manually_managed.yml | 8 - ...ssl_manually_managed_verify_for_domain.yml | 23 - .../tasks/ssl/setup_ssl_self_signed.yml | 32 - ...etup_ssl_self_signed_obtain_for_domain.yml | 42 - .../tasks/validate_config.yml | 47 - .../nginx/conf.d/matrix-base-domain.conf.j2 | 95 - .../nginx/conf.d/matrix-bot-go-neb.conf.j2 | 95 - .../conf.d/matrix-client-element.conf.j2 | 104 - .../conf.d/matrix-client-hydrogen.conf.j2 | 102 - .../nginx/conf.d/matrix-dimension.conf.j2 | 98 - .../nginx/conf.d/matrix-domain.conf.j2 | 293 -- .../nginx/conf.d/matrix-grafana.conf.j2 | 106 - .../nginx/conf.d/matrix-jitsi.conf.j2 | 140 - .../nginx/conf.d/matrix-riot-web.conf.j2 | 87 - .../nginx/conf.d/matrix-sygnal.conf.j2 | 97 - .../nginx/conf.d/matrix-synapse.conf.j2 | 231 -- .../templates/nginx/conf.d/nginx-http.conf.j2 | 14 - .../nginx/matrix-synapse-metrics-htpasswd.j2 | 3 - .../templates/nginx/nginx.conf.j2 | 61 - .../systemd/matrix-nginx-proxy.service.j2 | 58 - ...lets-encrypt-certificates-renew.service.j2 | 7 - ...l-lets-encrypt-certificates-renew.timer.j2 | 10 - .../matrix-ssl-nginx-proxy-reload.service.j2 | 6 - .../matrix-ssl-nginx-proxy-reload.timer.j2 | 10 - ...rix-ssl-lets-encrypt-certificates-renew.j2 | 31 - roles/matrix-nginx-proxy/vars/main.yml | 18 - roles/matrix-postgres/defaults/main.yml | 95 - .../tasks/import_generic_sqlite_db.yml | 97 - .../matrix-postgres/tasks/import_postgres.yml | 106 - .../tasks/import_synapse_sqlite_db.yml | 86 - roles/matrix-postgres/tasks/init.yml | 3 - roles/matrix-postgres/tasks/main.yml | 43 - .../tasks/migrate_postgres_data_directory.yml | 72 - roles/matrix-postgres/tasks/run_vacuum.yml | 90 - .../matrix-postgres/tasks/setup_postgres.yml | 197 -- .../tasks/upgrade_postgres.yml | 172 - .../tasks/util/create_additional_database.yml | 40 - .../util/create_additional_databases.yml | 23 - .../util/detect_existing_postgres_version.yml | 56 - .../tasks/util/migrate_db_to_postgres.yml | 169 - .../matrix-postgres/tasks/validate_config.yml | 39 - .../templates/env-postgres-psql.j2 | 4 - .../templates/env-postgres-server.j2 | 7 - .../init-additional-db-user-and-role.sql.j2 | 19 - .../systemd/matrix-postgres.service.j2 | 41 - .../matrix-change-user-admin-status.j2 | 19 - .../usr-local-bin/matrix-postgres-cli.j2 | 13 - ...trix-postgres-update-user-password-hash.j2 | 16 - .../defaults/main.yml | 34 - .../tasks/init.yml | 5 - .../tasks/main.yml | 8 - .../tasks/setup.yml | 54 - ...matrix-prometheus-node-exporter.service.j2 | 44 - .../defaults/main.yml | 49 - .../tasks/init.yml | 5 - .../tasks/main.yml | 8 - .../tasks/setup.yml | 54 - ...ix-prometheus-postgres-exporter.service.j2 | 42 - roles/matrix-prometheus/defaults/main.yml | 67 - roles/matrix-prometheus/tasks/init.yml | 5 - roles/matrix-prometheus/tasks/main.yml | 21 - .../matrix-prometheus/tasks/setup_install.yml | 50 - .../tasks/setup_uninstall.yml | 25 - .../tasks/validate_config.yml | 7 - .../templates/prometheus.yml.j2 | 59 - .../systemd/matrix-prometheus.service.j2 | 43 - roles/matrix-redis/defaults/main.yml | 22 - roles/matrix-redis/tasks/init.yml | 3 - roles/matrix-redis/tasks/main.yml | 9 - roles/matrix-redis/tasks/setup_redis.yml | 99 - roles/matrix-redis/templates/redis.conf.j2 | 4 - .../templates/systemd/matrix-redis.service.j2 | 37 - roles/matrix-registration/defaults/main.yml | 116 - .../tasks/generate_token.yml | 50 - roles/matrix-registration/tasks/init.yml | 68 - .../matrix-registration/tasks/list_tokens.yml | 29 - roles/matrix-registration/tasks/main.yml | 31 - .../tasks/setup_install.yml | 101 - .../tasks/setup_uninstall.yml | 30 - .../tasks/validate_config.yml | 20 - .../templates/config.yaml.j2 | 31 - .../systemd/matrix-registration.service.j2 | 42 - roles/matrix-sygnal/defaults/main.yml | 95 - roles/matrix-sygnal/tasks/init.yml | 3 - roles/matrix-sygnal/tasks/main.yml | 21 - roles/matrix-sygnal/tasks/setup_install.yml | 73 - roles/matrix-sygnal/tasks/setup_uninstall.yml | 35 - roles/matrix-sygnal/tasks/validate_config.yml | 13 - roles/matrix-sygnal/templates/sygnal.yaml.j2 | 288 -- .../systemd/matrix-sygnal.service.j2 | 42 - roles/matrix-synapse-admin/defaults/main.yml | 32 - roles/matrix-synapse-admin/tasks/init.yml | 59 - roles/matrix-synapse-admin/tasks/main.yml | 14 - roles/matrix-synapse-admin/tasks/setup.yml | 80 - .../tasks/validate_config.yml | 10 - .../systemd/matrix-synapse-admin.service.j2 | 42 - roles/matrix-synapse/defaults/main.yml | 612 ---- .../files/workers-doc-to-yaml.awk | 146 - .../files/workers-doc-to-yaml.sh | 6 - .../tasks/ext/ldap-auth/setup.yml | 8 - .../tasks/ext/mjolnir-antispam/setup.yml | 7 - .../ext/mjolnir-antispam/setup_install.yml | 52 - .../ext/mjolnir-antispam/setup_uninstall.yml | 6 - .../tasks/ext/rest-auth/setup.yml | 7 - .../tasks/ext/rest-auth/setup_install.yml | 28 - .../tasks/ext/rest-auth/setup_uninstall.yml | 6 - roles/matrix-synapse/tasks/ext/setup.yml | 11 - .../tasks/ext/shared-secret-auth/setup.yml | 7 - .../ext/shared-secret-auth/setup_install.yml | 28 - .../shared-secret-auth/setup_uninstall.yml | 6 - .../ext/synapse-simple-antispam/setup.yml | 7 - .../synapse-simple-antispam/setup_install.yml | 54 - .../setup_uninstall.yml | 6 - roles/matrix-synapse/tasks/goofys/setup.yml | 7 - .../tasks/goofys/setup_install.yml | 41 - .../tasks/goofys/setup_uninstall.yml | 33 - .../tasks/import_media_store.yml | 83 - roles/matrix-synapse/tasks/init.yml | 26 - roles/matrix-synapse/tasks/main.yml | 55 - roles/matrix-synapse/tasks/register_user.yml | 31 - .../compress_room.yml | 48 - .../rust-synapse-compress-state/main.yml | 118 - .../tasks/self_check_client_api.yml | 21 - .../tasks/self_check_federation_api.yml | 26 - roles/matrix-synapse/tasks/setup_synapse.yml | 25 - roles/matrix-synapse/tasks/synapse/setup.yml | 7 - .../tasks/synapse/setup_install.yml | 109 - .../tasks/synapse/setup_uninstall.yml | 28 - .../tasks/synapse/workers/init.yml | 86 - .../tasks/synapse/workers/setup.yml | 21 - .../tasks/synapse/workers/setup_install.yml | 42 - .../tasks/synapse/workers/setup_uninstall.yml | 36 - .../inject_systemd_services_for_worker.yml | 18 - .../workers/util/setup_files_for_worker.yml | 19 - .../tasks/update_user_password.yml | 43 - .../matrix-synapse/tasks/validate_config.yml | 59 - .../templates/goofys/env-goofys.j2 | 3 - .../goofys/systemd/matrix-goofys.service.j2 | 39 - .../templates/synapse/homeserver.yaml.j2 | 2937 ----------------- .../templates/synapse/synapse.log.config.j2 | 36 - .../systemd/matrix-synapse-worker.service.j2 | 64 - .../synapse/systemd/matrix-synapse.service.j2 | 76 - .../matrix-synapse-register-user.j2 | 17 - .../templates/synapse/worker.yaml.j2 | 45 - roles/matrix-synapse/vars/main.yml | 34 - roles/matrix-synapse/vars/workers.yml | 322 -- setup.yml | 58 - 256 files changed, 21 insertions(+), 16480 deletions(-) delete mode 100644 roles/matrix-bot-go-neb/defaults/main.yml delete mode 100644 roles/matrix-bot-go-neb/tasks/init.yml delete mode 100644 roles/matrix-bot-go-neb/tasks/main.yml delete mode 100644 roles/matrix-bot-go-neb/tasks/setup_install.yml delete mode 100644 roles/matrix-bot-go-neb/tasks/setup_uninstall.yml delete mode 100644 roles/matrix-bot-go-neb/tasks/validate_config.yml delete mode 100644 roles/matrix-bot-go-neb/templates/config.yaml.j2 delete mode 100644 roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 delete mode 100644 roles/matrix-bridge-heisenbridge/defaults/main.yml delete mode 100644 roles/matrix-bridge-heisenbridge/tasks/init.yml delete mode 100644 roles/matrix-bridge-heisenbridge/tasks/main.yml delete mode 100644 roles/matrix-bridge-heisenbridge/tasks/setup_install.yml delete mode 100644 roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml delete mode 100644 roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 delete mode 100644 roles/matrix-client-hydrogen/defaults/main.yml delete mode 100644 roles/matrix-client-hydrogen/tasks/init.yml delete mode 100644 roles/matrix-client-hydrogen/tasks/main.yml delete mode 100644 roles/matrix-client-hydrogen/tasks/self_check.yml delete mode 100644 roles/matrix-client-hydrogen/tasks/setup.yml delete mode 100644 roles/matrix-client-hydrogen/tasks/validate_config.yml delete mode 100644 roles/matrix-client-hydrogen/templates/config.json.j2 delete mode 100644 roles/matrix-client-hydrogen/templates/nginx.conf.j2 delete mode 100644 roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 delete mode 100644 roles/matrix-dynamic-dns/defaults/main.yml delete mode 100644 roles/matrix-dynamic-dns/tasks/init.yml delete mode 100644 roles/matrix-dynamic-dns/tasks/install.yml delete mode 100644 roles/matrix-dynamic-dns/tasks/main.yml delete mode 100644 roles/matrix-dynamic-dns/tasks/uninstall.yml delete mode 100644 roles/matrix-dynamic-dns/tasks/validate_config.yml delete mode 100644 roles/matrix-dynamic-dns/templates/ddclient.conf.j2 delete mode 100644 roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 delete mode 100644 roles/matrix-email2matrix/defaults/main.yml delete mode 100644 roles/matrix-email2matrix/tasks/init.yml delete mode 100644 roles/matrix-email2matrix/tasks/main.yml delete mode 100644 roles/matrix-email2matrix/tasks/setup_email2matrix.yml delete mode 100644 roles/matrix-email2matrix/tasks/validate_config.yml delete mode 100644 roles/matrix-email2matrix/templates/config.json.j2 delete mode 100644 roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 delete mode 100644 roles/matrix-etherpad/defaults/main.yml delete mode 100644 roles/matrix-etherpad/tasks/init.yml delete mode 100644 roles/matrix-etherpad/tasks/main.yml delete mode 100644 roles/matrix-etherpad/tasks/setup_install.yml delete mode 100644 roles/matrix-etherpad/tasks/setup_uninstall.yml delete mode 100644 roles/matrix-etherpad/tasks/validate_config.yml delete mode 100644 roles/matrix-etherpad/templates/settings.json.j2 delete mode 100644 roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 delete mode 100644 roles/matrix-grafana/defaults/main.yml delete mode 100644 roles/matrix-grafana/tasks/init.yml delete mode 100644 roles/matrix-grafana/tasks/main.yml delete mode 100644 roles/matrix-grafana/tasks/setup.yml delete mode 100644 roles/matrix-grafana/tasks/validate_config.yml delete mode 100644 roles/matrix-grafana/templates/dashboards.yaml.j2 delete mode 100644 roles/matrix-grafana/templates/datasources.yaml.j2 delete mode 100644 roles/matrix-grafana/templates/grafana.ini.j2 delete mode 100644 roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 delete mode 100644 roles/matrix-jitsi/defaults/main.yml delete mode 100644 roles/matrix-jitsi/tasks/init.yml delete mode 100644 roles/matrix-jitsi/tasks/main.yml delete mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_base.yml delete mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml delete mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml delete mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml delete mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_web.yml delete mode 100644 roles/matrix-jitsi/tasks/validate_config.yml delete mode 100644 roles/matrix-jitsi/templates/jicofo/env.j2 delete mode 100644 roles/matrix-jitsi/templates/jicofo/logging.properties.j2 delete mode 100644 roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 delete mode 100644 roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 delete mode 100644 roles/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 delete mode 100644 roles/matrix-jitsi/templates/jvb/env.j2 delete mode 100644 roles/matrix-jitsi/templates/jvb/logging.properties.j2 delete mode 100644 roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 delete mode 100644 roles/matrix-jitsi/templates/prosody/env.j2 delete mode 100644 roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 delete mode 100644 roles/matrix-jitsi/templates/web/custom-config.js.j2 delete mode 100644 roles/matrix-jitsi/templates/web/env.j2 delete mode 100644 roles/matrix-jitsi/templates/web/interface_config.js.j2 delete mode 100644 roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 delete mode 100644 roles/matrix-ma1sd/defaults/main.yml delete mode 100644 roles/matrix-ma1sd/tasks/init.yml delete mode 100644 roles/matrix-ma1sd/tasks/main.yml delete mode 100644 roles/matrix-ma1sd/tasks/migrate_mxisd.yml delete mode 100644 roles/matrix-ma1sd/tasks/self_check_ma1sd.yml delete mode 100644 roles/matrix-ma1sd/tasks/setup_install.yml delete mode 100644 roles/matrix-ma1sd/tasks/setup_uninstall.yml delete mode 100644 roles/matrix-ma1sd/tasks/validate_config.yml delete mode 100644 roles/matrix-ma1sd/templates/ma1sd.yaml.j2 delete mode 100644 roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 delete mode 100644 roles/matrix-ma1sd/vars/main.yml delete mode 100644 roles/matrix-mailer/defaults/main.yml delete mode 100644 roles/matrix-mailer/tasks/init.yml delete mode 100644 roles/matrix-mailer/tasks/main.yml delete mode 100644 roles/matrix-mailer/tasks/setup_mailer.yml delete mode 100644 roles/matrix-mailer/templates/env-mailer.j2 delete mode 100644 roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 delete mode 100644 roles/matrix-nginx-proxy/defaults/main.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/init.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/main.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/self_check_well_known.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/setup_well_known.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/ssl/main.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml delete mode 100644 roles/matrix-nginx-proxy/tasks/validate_config.yml delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 delete mode 100755 roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 delete mode 100644 roles/matrix-nginx-proxy/vars/main.yml delete mode 100644 roles/matrix-postgres/defaults/main.yml delete mode 100644 roles/matrix-postgres/tasks/import_generic_sqlite_db.yml delete mode 100644 roles/matrix-postgres/tasks/import_postgres.yml delete mode 100644 roles/matrix-postgres/tasks/import_synapse_sqlite_db.yml delete mode 100644 roles/matrix-postgres/tasks/init.yml delete mode 100644 roles/matrix-postgres/tasks/main.yml delete mode 100644 roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml delete mode 100644 roles/matrix-postgres/tasks/run_vacuum.yml delete mode 100644 roles/matrix-postgres/tasks/setup_postgres.yml delete mode 100644 roles/matrix-postgres/tasks/upgrade_postgres.yml delete mode 100644 roles/matrix-postgres/tasks/util/create_additional_database.yml delete mode 100644 roles/matrix-postgres/tasks/util/create_additional_databases.yml delete mode 100644 roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml delete mode 100644 roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml delete mode 100644 roles/matrix-postgres/tasks/validate_config.yml delete mode 100644 roles/matrix-postgres/templates/env-postgres-psql.j2 delete mode 100644 roles/matrix-postgres/templates/env-postgres-server.j2 delete mode 100644 roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 delete mode 100644 roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 delete mode 100644 roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 delete mode 100644 roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 delete mode 100644 roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 delete mode 100644 roles/matrix-prometheus-node-exporter/defaults/main.yml delete mode 100644 roles/matrix-prometheus-node-exporter/tasks/init.yml delete mode 100644 roles/matrix-prometheus-node-exporter/tasks/main.yml delete mode 100644 roles/matrix-prometheus-node-exporter/tasks/setup.yml delete mode 100644 roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 delete mode 100644 roles/matrix-prometheus-postgres-exporter/defaults/main.yml delete mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/init.yml delete mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/main.yml delete mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/setup.yml delete mode 100644 roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 delete mode 100644 roles/matrix-prometheus/defaults/main.yml delete mode 100644 roles/matrix-prometheus/tasks/init.yml delete mode 100644 roles/matrix-prometheus/tasks/main.yml delete mode 100644 roles/matrix-prometheus/tasks/setup_install.yml delete mode 100644 roles/matrix-prometheus/tasks/setup_uninstall.yml delete mode 100644 roles/matrix-prometheus/tasks/validate_config.yml delete mode 100644 roles/matrix-prometheus/templates/prometheus.yml.j2 delete mode 100644 roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 delete mode 100644 roles/matrix-redis/defaults/main.yml delete mode 100644 roles/matrix-redis/tasks/init.yml delete mode 100644 roles/matrix-redis/tasks/main.yml delete mode 100644 roles/matrix-redis/tasks/setup_redis.yml delete mode 100644 roles/matrix-redis/templates/redis.conf.j2 delete mode 100644 roles/matrix-redis/templates/systemd/matrix-redis.service.j2 delete mode 100644 roles/matrix-registration/defaults/main.yml delete mode 100644 roles/matrix-registration/tasks/generate_token.yml delete mode 100644 roles/matrix-registration/tasks/init.yml delete mode 100644 roles/matrix-registration/tasks/list_tokens.yml delete mode 100644 roles/matrix-registration/tasks/main.yml delete mode 100644 roles/matrix-registration/tasks/setup_install.yml delete mode 100644 roles/matrix-registration/tasks/setup_uninstall.yml delete mode 100644 roles/matrix-registration/tasks/validate_config.yml delete mode 100644 roles/matrix-registration/templates/config.yaml.j2 delete mode 100644 roles/matrix-registration/templates/systemd/matrix-registration.service.j2 delete mode 100644 roles/matrix-sygnal/defaults/main.yml delete mode 100644 roles/matrix-sygnal/tasks/init.yml delete mode 100644 roles/matrix-sygnal/tasks/main.yml delete mode 100644 roles/matrix-sygnal/tasks/setup_install.yml delete mode 100644 roles/matrix-sygnal/tasks/setup_uninstall.yml delete mode 100644 roles/matrix-sygnal/tasks/validate_config.yml delete mode 100644 roles/matrix-sygnal/templates/sygnal.yaml.j2 delete mode 100644 roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 delete mode 100644 roles/matrix-synapse-admin/defaults/main.yml delete mode 100644 roles/matrix-synapse-admin/tasks/init.yml delete mode 100644 roles/matrix-synapse-admin/tasks/main.yml delete mode 100644 roles/matrix-synapse-admin/tasks/setup.yml delete mode 100644 roles/matrix-synapse-admin/tasks/validate_config.yml delete mode 100644 roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 delete mode 100644 roles/matrix-synapse/defaults/main.yml delete mode 100755 roles/matrix-synapse/files/workers-doc-to-yaml.awk delete mode 100755 roles/matrix-synapse/files/workers-doc-to-yaml.sh delete mode 100644 roles/matrix-synapse/tasks/ext/ldap-auth/setup.yml delete mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml delete mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml delete mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml delete mode 100644 roles/matrix-synapse/tasks/ext/rest-auth/setup.yml delete mode 100644 roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml delete mode 100644 roles/matrix-synapse/tasks/ext/rest-auth/setup_uninstall.yml delete mode 100644 roles/matrix-synapse/tasks/ext/setup.yml delete mode 100644 roles/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml delete mode 100644 roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml delete mode 100644 roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_uninstall.yml delete mode 100644 roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml delete mode 100644 roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml delete mode 100644 roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_uninstall.yml delete mode 100644 roles/matrix-synapse/tasks/goofys/setup.yml delete mode 100644 roles/matrix-synapse/tasks/goofys/setup_install.yml delete mode 100644 roles/matrix-synapse/tasks/goofys/setup_uninstall.yml delete mode 100644 roles/matrix-synapse/tasks/import_media_store.yml delete mode 100644 roles/matrix-synapse/tasks/init.yml delete mode 100644 roles/matrix-synapse/tasks/main.yml delete mode 100644 roles/matrix-synapse/tasks/register_user.yml delete mode 100644 roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml delete mode 100644 roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml delete mode 100644 roles/matrix-synapse/tasks/self_check_client_api.yml delete mode 100644 roles/matrix-synapse/tasks/self_check_federation_api.yml delete mode 100644 roles/matrix-synapse/tasks/setup_synapse.yml delete mode 100644 roles/matrix-synapse/tasks/synapse/setup.yml delete mode 100644 roles/matrix-synapse/tasks/synapse/setup_install.yml delete mode 100644 roles/matrix-synapse/tasks/synapse/setup_uninstall.yml delete mode 100644 roles/matrix-synapse/tasks/synapse/workers/init.yml delete mode 100644 roles/matrix-synapse/tasks/synapse/workers/setup.yml delete mode 100644 roles/matrix-synapse/tasks/synapse/workers/setup_install.yml delete mode 100644 roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml delete mode 100644 roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml delete mode 100644 roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml delete mode 100644 roles/matrix-synapse/tasks/update_user_password.yml delete mode 100644 roles/matrix-synapse/tasks/validate_config.yml delete mode 100644 roles/matrix-synapse/templates/goofys/env-goofys.j2 delete mode 100644 roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 delete mode 100644 roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 delete mode 100644 roles/matrix-synapse/templates/synapse/synapse.log.config.j2 delete mode 100644 roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 delete mode 100644 roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 delete mode 100644 roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 delete mode 100644 roles/matrix-synapse/templates/synapse/worker.yaml.j2 delete mode 100644 roles/matrix-synapse/vars/main.yml delete mode 100644 roles/matrix-synapse/vars/workers.yml delete mode 100755 setup.yml diff --git a/roles/matrix-awx/tasks/customise_website_access_export.yml b/roles/matrix-awx/tasks/customise_website_access_export.yml index b7e27e9d..29019766 100755 --- a/roles/matrix-awx/tasks/customise_website_access_export.yml +++ b/roles/matrix-awx/tasks/customise_website_access_export.yml @@ -128,18 +128,13 @@ validate_certs: yes when: customise_base_domain_website is undefined -- name: Ensure group "sftp" exists - group: - name: sftp - state: present - - name: If user doesn't define a sftp_password, create a disabled 'sftp' account user: name: sftp comment: SFTP user to set custom web files and access servers export shell: /bin/false home: /home/sftp - group: sftp + group: matrix password: '*' update_password: always when: sftp_password|length == 0 @@ -150,15 +145,20 @@ comment: SFTP user to set custom web files and access servers export shell: /bin/false home: /home/sftp - group: sftp + group: matrix password: "{{ sftp_password | password_hash('sha512') }}" update_password: always when: sftp_password|length > 0 +- name: Ensure group "sftp" exists + group: + name: sftp + state: present + - name: adding existing user 'sftp' to group matrix user: name: sftp - groups: matrix + groups: sftp append: yes when: customise_base_domain_website is defined @@ -214,14 +214,14 @@ group: sftp mode: '0644' when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key") - -- name: Alter SSH Subsystem State 1 + +- name: Remove any existing Subsystem lines lineinfile: path: /etc/ssh/sshd_config - line: "Subsystem sftp /usr/lib/openssh/sftp-server" state: absent + regexp: '^Subsystem' -- name: Alter SSH Subsystem State 2 +- name: Set SSH Subsystem State lineinfile: path: /etc/ssh/sshd_config insertafter: "^# override default of no subsystems" diff --git a/roles/matrix-awx/tasks/purge_media_local.yml b/roles/matrix-awx/tasks/purge_media_local.yml index fcb4770f..b07c32ea 100644 --- a/roles/matrix-awx/tasks/purge_media_local.yml +++ b/roles/matrix-awx/tasks/purge_media_local.yml @@ -6,7 +6,7 @@ - name: Purge local media to specific date shell: | - curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}' + curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/media/matrix.{{ matrix_domain }}/delete?before_ts={{ epoche_time.stdout }}000' register: purge_command - name: Print output of purge command diff --git a/roles/matrix-awx/tasks/purge_media_main.yml b/roles/matrix-awx/tasks/purge_media_main.yml index 77a8fecc..84e73a8b 100644 --- a/roles/matrix-awx/tasks/purge_media_main.yml +++ b/roles/matrix-awx/tasks/purge_media_main.yml @@ -17,15 +17,16 @@ - jq state: present -- name: Collect access token for janitor user - shell: | - curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "https://matrix.{{ matrix_domain }}/_matrix/client/r0/login" | jq '.access_token' - register: janitors_token - - name: Collect the internal IP of the matrix-synapse container shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse" register: synapse_container_ip - + +- name: Collect access token for janitor user + shell: | + curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "{{ synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token' + register: janitors_token + no_log: True + - name: Generate list of dates to purge to delegate_to: 127.0.0.1 shell: "dateseq {{ matrix_purge_from_date }} {{ matrix_purge_to_date }}" diff --git a/roles/matrix-awx/tasks/purge_media_remote.yml b/roles/matrix-awx/tasks/purge_media_remote.yml index 14f9c8d5..c2f75c81 100644 --- a/roles/matrix-awx/tasks/purge_media_remote.yml +++ b/roles/matrix-awx/tasks/purge_media_remote.yml @@ -6,7 +6,7 @@ - name: Purge remote media to specific date shell: | - curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}' + curl -X POST --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/purge_media_cache?before_ts={{ epoche_time.stdout }}000' register: purge_command - name: Print output of purge command diff --git a/roles/matrix-bot-go-neb/defaults/main.yml b/roles/matrix-bot-go-neb/defaults/main.yml deleted file mode 100644 index 4dd4f1f6..00000000 --- a/roles/matrix-bot-go-neb/defaults/main.yml +++ /dev/null @@ -1,231 +0,0 @@ -# Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python. -# See: https://github.com/matrix-org/go-neb - -matrix_bot_go_neb_enabled: true -matrix_bot_go_neb_version: latest -matrix_bot_go_neb_docker_image: "matrixdotorg/go-neb:{{ matrix_bot_go_neb_version }}" -matrix_bot_go_neb_docker_image_force_pull: "{{ matrix_bot_go_neb_docker_image.endswith(':latest') }}" - -matrix_bot_go_neb_base_path: "{{ matrix_base_data_path }}/go-neb" -matrix_bot_go_neb_config_path: "{{ matrix_bot_go_neb_base_path }}/config" -matrix_bot_go_neb_config_path_in_container: "/config/config.yaml" -matrix_bot_go_neb_data_path: "{{ matrix_bot_go_neb_base_path }}/data" -matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store" - -# Controls whether the matrix-bot-go-neb container exposes its HTTP port (tcp/4050 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:4050"), or empty string to not expose. -matrix_bot_go_neb_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_bot_go_neb_container_extra_arguments: [] - -# List of systemd services that matrix-bot-go-neb.service depends on -matrix_bot_go_neb_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-bot-go-neb.service wants -matrix_bot_go_neb_systemd_wanted_services_list: [] - -# Database-related configuration fields. -# -# MUST be "sqlite3". No other type is supported. -matrix_bot_go_neb_database_engine: 'sqlite3' - -matrix_bot_go_neb_sqlite_database_path_local: "{{ matrix_bot_go_neb_data_path }}/bot.db" -matrix_bot_go_neb_sqlite_database_path_in_container: "/data/bot.db" - -matrix_bot_go_neb_storage_database: "{{ - { - 'sqlite3': (matrix_bot_go_neb_sqlite_database_path_in_container + '?_busy_timeout=5000'), - }[matrix_bot_go_neb_database_engine] -}}" - -# The bot's username(s). These users need to be created manually beforehand. -# The access tokens that the bot uses to authenticate. -# Generate one as described in -# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-dimension.md#access-token -# via curl. With the element method, you might run into decryption problems (see https://github.com/matrix-org/go-neb#quick-start) -matrix_bot_go_neb_clients: [] -# - UserID: "@goneb:{{ matrix_domain }}" -# AccessToken: "MDASDASJDIASDJASDAFGFRGER" -# DeviceID: "DEVICE1" -# HomeserverURL: "{{ matrix_homeserver_container_url }}" -# Sync: true -# AutoJoinRooms: true -# DisplayName: "Go-NEB!" -# AcceptVerificationFromUsers: [":{{ matrix_domain }}"] -# -# - UserID: "@another_goneb:{{ matrix_domain }}" -# AccessToken: "MDASDASJDIASDJASDAFGFRGER" -# DeviceID: "DEVICE2" -# HomeserverURL: "{{ matrix_homeserver_container_url }}" -# Sync: false -# AutoJoinRooms: false -# DisplayName: "Go-NEB!" -# AcceptVerificationFromUsers: ["^@admin:{{ matrix_domain }}"] - -# The list of realms which Go-NEB is aware of. -# Delete or modify this list as appropriate. -# See the docs for /configureAuthRealm for the full list of options: -# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest -matrix_bot_go_neb_realms: [] -# - ID: "github_realm" -# Type: "github" -# Config: {} # No need for client ID or Secret as Go-NEB isn't generating OAuth URLs - -# The list of *authenticated* sessions which Go-NEB is aware of. -# Delete or modify this list as appropriate. -# The full list of options are shown below: there is no single HTTP endpoint -# which maps to this section. -# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session -matrix_bot_go_neb_sessions: [] -# - SessionID: "your_github_session" -# RealmID: "github_realm" -# UserID: "@YOUR_USER_ID:{{ matrix_domain }}" # This needs to be the username of the person that's allowed to use the !github commands -# Config: -# # Populate these fields by generating a "Personal Access Token" on github.com -# AccessToken: "YOUR_GITHUB_ACCESS_TOKEN" -# Scopes: "admin:org_hook,admin:repo_hook,repo,user" - -# The list of services which Go-NEB is aware of. -# Delete or modify this list as appropriate. -# See the docs for /configureService for the full list of options: -# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest -matrix_bot_go_neb_services: [] -# - ID: "echo_service" -# Type: "echo" -# UserID: "@goneb:{{ matrix_domain }}" -# Config: {} - -## Can be obtained from https://developers.giphy.com/dashboard/ -# - ID: "giphy_service" -# Type: "giphy" -# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client -# Config: -# api_key: "qwg4672vsuyfsfe" -# use_downsized: false -# -## This service has been dead for over a year :/ -# - ID: "guggy_service" -# Type: "guggy" -# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client -# Config: -# api_key: "2356saaqfhgfe" -# -## API Key via https://developers.google.com/custom-search/v1/introduction -## CX via http://www.google.com/cse/manage/all -## https://stackoverflow.com/questions/6562125/getting-a-cx-id-for-custom-search-google-api-python -## 'Search the entire web' and 'Image search' enabled for best results -# - ID: "google_service" -# Type: "google" -# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client -# Config: -# api_key: "AIzaSyA4FD39m9" -# cx: "AIASDFWSRRtrtr" -# -## Get a key via https://api.imgur.com/oauth2/addclient -## Select "oauth2 without callback url" -# - ID: "imgur_service" -# Type: "imgur" -# UserID: "@imgur:{{ matrix_domain }}" # requires a Syncing client -# Config: -# client_id: "AIzaSyA4FD39m9" -# client_secret: "somesecret" -# -# - ID: "wikipedia_service" -# Type: "wikipedia" -# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client -# Config: -# -# - ID: "rss_service" -# Type: "rssbot" -# UserID: "@another_goneb:{{ matrix_domain }}" -# Config: -# feeds: -# "http://lorem-rss.herokuapp.com/feed?unit=second&interval=60": -# rooms: ["!qmElAGdFYCHoCJuaNt:localhost"] -# must_include: -# author: -# - author1 -# description: -# - lorem -# - ipsum -# must_not_include: -# title: -# - Lorem -# - Ipsum -# -# - ID: "github_cmd_service" -# Type: "github" -# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client -# Config: -# RealmID: "github_realm" -# -# # Make sure your BASE_URL can be accessed by Github! -# - ID: "github_webhook_service" -# Type: "github-webhook" -# UserID: "@another_goneb:{{ matrix_domain }}" -# Config: -# RealmID: "github_realm" -# ClientUserID: "@YOUR_USER_ID:{{ matrix_domain }}" # needs to be an authenticated user so Go-NEB can create webhooks. Check the UserID field in the github_realm in matrix_bot_go_neb_sessions. -# Rooms: -# "!someroom:id": -# Repos: -# "matrix-org/synapse": -# Events: ["push", "issues"] -# "matrix-org/dendron": -# Events: ["pull_request"] -# "!anotherroom:id": -# Repos: -# "matrix-org/synapse": -# Events: ["push", "issues"] -# "matrix-org/dendron": -# Events: ["pull_request"] -# -# - ID: "slackapi_service" -# Type: "slackapi" -# UserID: "@slackapi:{{ matrix_domain }}" -# Config: -# Hooks: -# "hook1": -# RoomID: "!someroom:id" -# MessageType: "m.text" # default is m.text -# -# - ID: "alertmanager_service" -# Type: "alertmanager" -# UserID: "@alertmanager:{{ matrix_domain }}" -# Config: -# # This is for information purposes only. It should point to Go-NEB path as follows: -# # `/services/hooks/` -# # Where in this case "service ID" is "alertmanager_service" -# # Make sure your BASE_URL can be accessed by the Alertmanager instance! -# webhook_url: "http://localhost/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U" -# # Each room will get the notification with the alert rendered with the given template -# rooms: -# "!someroomid:domain.tld": -# text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}" -# html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}" -# msg_type: "m.text" # Must be either `m.text` or `m.notice` - -# Default configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_bot_go_neb_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_bot_go_neb_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" - -matrix_bot_go_neb_configuration_extension_yaml: | - # Your custom YAML configuration goes here. - # This configuration extends the default starting configuration (`matrix_bot_go_neb_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_bot_go_neb_configuration_yaml`. - -matrix_bot_go_neb_configuration_extension: "{{ matrix_bot_go_neb_configuration_extension_yaml|from_yaml if matrix_bot_go_neb_configuration_extension_yaml|from_yaml is mapping else {} }}" - -# Holds the final configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_bot_go_neb_configuration_yaml`. -matrix_bot_go_neb_configuration: "{{ matrix_bot_go_neb_configuration_yaml|from_yaml|combine(matrix_bot_go_neb_configuration_extension, recursive=True) }}" - diff --git a/roles/matrix-bot-go-neb/tasks/init.yml b/roles/matrix-bot-go-neb/tasks/init.yml deleted file mode 100644 index 169f5978..00000000 --- a/roles/matrix-bot-go-neb/tasks/init.yml +++ /dev/null @@ -1,3 +0,0 @@ -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-go-neb.service'] }}" - when: matrix_bot_go_neb_enabled|bool diff --git a/roles/matrix-bot-go-neb/tasks/main.yml b/roles/matrix-bot-go-neb/tasks/main.yml deleted file mode 100644 index 1a4fe70a..00000000 --- a/roles/matrix-bot-go-neb/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_bot_go_neb_enabled|bool" - tags: - - setup-all - - setup-bot-go-neb - -- import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup|bool and matrix_bot_go_neb_enabled|bool" - tags: - - setup-all - - setup-bot-go-neb - -- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup|bool and not matrix_bot_go_neb_enabled|bool" - tags: - - setup-all - - setup-bot-go-neb diff --git a/roles/matrix-bot-go-neb/tasks/setup_install.yml b/roles/matrix-bot-go-neb/tasks/setup_install.yml deleted file mode 100644 index e26be080..00000000 --- a/roles/matrix-bot-go-neb/tasks/setup_install.yml +++ /dev/null @@ -1,50 +0,0 @@ ---- - -- set_fact: - matrix_bot_go_neb_requires_restart: false - -- name: Ensure go-neb paths exist - file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_bot_go_neb_config_path }}", when: true } - - { path: "{{ matrix_bot_go_neb_data_path }}", when: true } - - { path: "{{ matrix_bot_go_neb_data_store_path }}", when: true } - when: "item.when|bool" - -- name: Ensure go-neb image is pulled - docker_image: - name: "{{ matrix_bot_go_neb_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_bot_go_neb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_docker_image_force_pull }}" - -- name: Ensure go-neb config installed - copy: - content: "{{ matrix_bot_go_neb_configuration|to_nice_yaml }}" - dest: "{{ matrix_bot_go_neb_config_path }}/config.yaml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-bot-go-neb.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-bot-go-neb.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service" - mode: 0644 - register: matrix_bot_go_neb_systemd_service_result - -- name: Ensure systemd reloaded after matrix-bot-go-neb.service installation - service: - daemon_reload: yes - when: "matrix_bot_go_neb_systemd_service_result.changed|bool" - -- name: Ensure matrix-bot-go-neb.service restarted, if necessary - service: - name: "matrix-bot-go-neb.service" - state: restarted - when: "matrix_bot_go_neb_requires_restart|bool" diff --git a/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml b/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml deleted file mode 100644 index 49ad1fe7..00000000 --- a/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- - -- name: Check existence of matrix-go-neb service - stat: - path: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service" - register: matrix_bot_go_neb_service_stat - -- name: Ensure matrix-go-neb is stopped - service: - name: matrix-bot-go-neb - state: stopped - daemon_reload: yes - register: stopping_result - when: "matrix_bot_go_neb_service_stat.stat.exists|bool" - -- name: Ensure matrix-bot-go-neb.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service" - state: absent - when: "matrix_bot_go_neb_service_stat.stat.exists|bool" - -- name: Ensure systemd reloaded after matrix-bot-go-neb.service removal - service: - daemon_reload: yes - when: "matrix_bot_go_neb_service_stat.stat.exists|bool" - -- name: Ensure Matrix go-neb paths don't exist - file: - path: "{{ matrix_bot_go_neb_base_path }}" - state: absent - -- name: Ensure go-neb Docker image doesn't exist - docker_image: - name: "{{ matrix_bot_go_neb_docker_image }}" - state: absent diff --git a/roles/matrix-bot-go-neb/tasks/validate_config.yml b/roles/matrix-bot-go-neb/tasks/validate_config.yml deleted file mode 100644 index 7b292250..00000000 --- a/roles/matrix-bot-go-neb/tasks/validate_config.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- - -- name: Fail if there's not at least 1 client - fail: - msg: >- - You need at least 1 client in the matrix_bot_go_neb_clients block. - when: matrix_bot_go_neb_clients is not defined or matrix_bot_go_neb_clients[0] is not defined - -- name: Fail if there's not at least 1 service - fail: - msg: >- - You need at least 1 service in the matrix_bot_go_neb_services block. - when: matrix_bot_go_neb_services is not defined or matrix_bot_go_neb_services[0] is not defined diff --git a/roles/matrix-bot-go-neb/templates/config.yaml.j2 b/roles/matrix-bot-go-neb/templates/config.yaml.j2 deleted file mode 100644 index c72dbf8d..00000000 --- a/roles/matrix-bot-go-neb/templates/config.yaml.j2 +++ /dev/null @@ -1,44 +0,0 @@ -# Go-NEB Configuration File -# -# This file provides an alternative way to configure Go-NEB which does not involve HTTP APIs. -# -# This file can be supplied to go-neb by the environment variable `CONFIG_FILE=config.yaml`. -# It will force Go-NEB to operate in "config" mode. This means: -# - Go-NEB will ONLY use the data contained inside this file. -# - All of Go-NEB's /admin HTTP listeners will be disabled. You will be unable to add new services at runtime. -# - The environment variable `DATABASE_URL` will be ignored and an in-memory database will be used instead. -# -# This file is broken down into 4 sections which matches the following HTTP APIs: -# - /configureClient -# - /configureAuthRealm -# - /configureService -# - /requestAuthSession (redirects not supported) - -# The list of clients which Go-NEB is aware of. -# Delete or modify this list as appropriate. -# See the docs for /configureClient for the full list of options: -# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ClientConfig -clients: - {{ matrix_bot_go_neb_clients|to_json }} - -# The list of realms which Go-NEB is aware of. -# Delete or modify this list as appropriate. -# See the docs for /configureAuthRealm for the full list of options: -# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest -realms: - {{ matrix_bot_go_neb_realms|to_json }} - -# The list of *authenticated* sessions which Go-NEB is aware of. -# Delete or modify this list as appropriate. -# The full list of options are shown below: there is no single HTTP endpoint -# which maps to this section. -# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session -sessions: - {{ matrix_bot_go_neb_sessions|to_json }} - -# The list of services which Go-NEB is aware of. -# Delete or modify this list as appropriate. -# See the docs for /configureService for the full list of options: -# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest -services: - {{ matrix_bot_go_neb_services|to_json }} diff --git a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 deleted file mode 100644 index eabf1137..00000000 --- a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 +++ /dev/null @@ -1,49 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Go-NEB bot -{% for service in matrix_bot_go_neb_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_bot_go_neb_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-go-neb \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --network={{ matrix_docker_network }} \ - {% if matrix_bot_go_neb_container_http_host_bind_port %} - -p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \ - {% endif %} - -e 'BIND_ADDRESS=:4050' \ - -e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \ - -e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \ - -e 'CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}' \ - -e 'DATABASE_URL={{ matrix_bot_go_neb_storage_database }}' \ - --mount type=bind,src={{ matrix_bot_go_neb_config_path }},dst=/config,ro \ - --mount type=bind,src={{ matrix_bot_go_neb_data_path }},dst=/data \ - --entrypoint=/bin/sh \ - {% for arg in matrix_bot_go_neb_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_bot_go_neb_docker_image }} \ - -c "go-neb /config/config.yaml" - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-bot-go-neb - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml deleted file mode 100644 index be95af8d..00000000 --- a/roles/matrix-bridge-heisenbridge/defaults/main.yml +++ /dev/null @@ -1,47 +0,0 @@ -# heisenbridge is a bouncer-style Matrix IRC bridge -# See: https://github.com/hifi/heisenbridge - -matrix_heisenbridge_enabled: true - -matrix_heisenbridge_version: latest -matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" -matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" - -# Set this to your Matrix ID if you want to enforce the owner, otherwise first _local_ user becomes one -matrix_heisenbridge_owner: "" - -# Enabling identd will bind to host port 113/TCP -matrix_heisenbridge_identd_enabled: false - -matrix_heisenbridge_base_path: "{{ matrix_base_data_path }}/heisenbridge" - -# A list of extra arguments to pass to the container -matrix_heisenbridge_container_extra_arguments: [] - -# List of systemd services that service depends on. -matrix_heisenbridge_systemd_required_services_list: ['docker.service'] - -# List of systemd services that service wants -matrix_heisenbridge_systemd_wanted_services_list: [] - -matrix_heisenbridge_homeserver_url: "{{ matrix_homeserver_container_url }}" - -matrix_heisenbridge_appservice_token: '' -matrix_heisenbridge_homeserver_token: '' - -# Default registration file -matrix_heisenbridge_registration_yaml: - id: heisenbridge - url: http://matrix-heisenbridge:9898 - as_token: "{{ matrix_heisenbridge_appservice_token }}" - hs_token: "{{ matrix_heisenbridge_homeserver_token }}" - rate_limited: false - sender_localpart: heisenbridge - namespaces: - users: - - regex: '@hbirc_.*' - exclusive: true - aliases: [] - rooms: [] - -matrix_heisenbridge_registration: "{{ matrix_heisenbridge_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-heisenbridge/tasks/init.yml b/roles/matrix-bridge-heisenbridge/tasks/init.yml deleted file mode 100644 index 18e89b68..00000000 --- a/roles/matrix-bridge-heisenbridge/tasks/init.yml +++ /dev/null @@ -1,24 +0,0 @@ -# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. -# We don't want to fail in such cases. -- name: Fail if matrix-synapse role already executed - fail: - msg: >- - The matrix-bridge-heisenbridge role needs to execute before the matrix-synapse role. - when: "matrix_heisenbridge_enabled and matrix_synapse_role_executed|default(False)" - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-heisenbridge.service'] }}" - when: matrix_heisenbridge_enabled|bool - -# If the matrix-synapse role is not used, these variables may not exist. -- set_fact: - matrix_synapse_container_extra_arguments: > - {{ matrix_synapse_container_extra_arguments|default([]) }} - + - ["--mount type=bind,src={{ matrix_heisenbridge_base_path }}/registration.yaml,dst=/heisenbridge-registration.yaml,ro"] - - matrix_synapse_app_service_config_files: > - {{ matrix_synapse_app_service_config_files|default([]) }} - + - {{ ["/heisenbridge-registration.yaml"] }} - when: matrix_heisenbridge_enabled|bool diff --git a/roles/matrix-bridge-heisenbridge/tasks/main.yml b/roles/matrix-bridge-heisenbridge/tasks/main.yml deleted file mode 100644 index 1358709d..00000000 --- a/roles/matrix-bridge-heisenbridge/tasks/main.yml +++ /dev/null @@ -1,15 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup|bool and matrix_heisenbridge_enabled|bool" - tags: - - setup-all - - setup-heisenbridge - -- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup|bool and not matrix_heisenbridge_enabled|bool" - tags: - - setup-all - - setup-heisenbridge diff --git a/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml b/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml deleted file mode 100644 index 03cf9ec3..00000000 --- a/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- - -- name: Ensure heisenbridge image is pulled - docker_image: - name: "{{ matrix_heisenbridge_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_heisenbridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_heisenbridge_docker_image_force_pull }}" - -- name: Ensure heisenbridge paths exist - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_heisenbridge_base_path }}" - -- name: Ensure heisenbridge registration.yaml installed if provided - copy: - content: "{{ matrix_heisenbridge_registration|to_nice_yaml }}" - dest: "{{ matrix_heisenbridge_base_path }}/registration.yaml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-heisenbridge.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-heisenbridge.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" - mode: 0644 - register: matrix_heisenbridge_systemd_service_result - -- name: Ensure systemd reloaded after matrix-heisenbridge.service installation - service: - daemon_reload: yes - when: matrix_heisenbridge_systemd_service_result.changed diff --git a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml deleted file mode 100644 index 853faf7a..00000000 --- a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- - -- name: Check existence of matrix-heisenbridge service - stat: - path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" - register: matrix_heisenbridge_service_stat - -- name: Ensure matrix-heisenbridge is stopped - service: - name: matrix-heisenbridge - state: stopped - daemon_reload: yes - when: "matrix_heisenbridge_service_stat.stat.exists" - -- name: Ensure matrix-heisenbridge.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" - state: absent - when: "matrix_heisenbridge_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-heisenbridge.service removal - service: - daemon_reload: yes - when: "matrix_heisenbridge_service_stat.stat.exists" diff --git a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 deleted file mode 100644 index e27b88f1..00000000 --- a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 +++ /dev/null @@ -1,51 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=a bouncer-style Matrix IRC bridge -{% for service in matrix_heisenbridge_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_heisenbridge_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-heisenbridge -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-heisenbridge - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - {% if matrix_heisenbridge_identd_enabled %} - -p 113:13113 \ - {% endif %} - -v {{ matrix_heisenbridge_base_path }}:/config:z \ - {% for arg in matrix_heisenbridge_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_heisenbridge_docker_image }} \ - {% if matrix_heisenbridge_identd_enabled %} - --identd \ - --identd-port 13113 \ - {% endif %} - {% if matrix_heisenbridge_owner %} - -o {{ matrix_heisenbridge_owner }} \ - {% endif %} - --config /config/registration.yaml \ - --listen-address 0.0.0.0 \ - --listen-port 9898 \ - {{ matrix_heisenbridge_homeserver_url }} - -ExecStop=-{{ matrix_host_command_docker }} kill matrix-heisenbridge -ExecStop=-{{ matrix_host_command_docker }} rm matrix-heisenbridge -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-heisenbridge - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml deleted file mode 100644 index fa2e38fd..00000000 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ /dev/null @@ -1,68 +0,0 @@ -matrix_client_hydrogen_enabled: true - -# Self building is used by default because the `config.json` file is only read at build time. -# The pre-built images also were not functional as of 2021-05-15. -matrix_client_hydrogen_container_image_self_build: true -matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" - -matrix_client_hydrogen_version: v0.2.0 -matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" -matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" -matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" - -matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen" -matrix_client_hydrogen_docker_src_files_path: "{{ matrix_client_hydrogen_data_path }}/docker-src" - -# Controls whether the container exposes its HTTP port (tcp/8080 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose. -matrix_client_hydrogen_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_client_hydrogen_container_extra_arguments: [] - -# List of systemd services that matrix-client-hydrogen.service depends on -matrix_client_hydrogen_systemd_required_services_list: ['docker.service'] - -# Controls whether the self-check feature should validate SSL certificates. -matrix_client_hydrogen_self_check_validate_certificates: true - -# config.json -matrix_client_hydrogen_default_hs_url: "" - -# Default Hydrogen configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_client_hydrogen_configuration_extension_json`) -# or completely replace this variable with your own template. -# -# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. -# This is unlike what it does when looking up YAML template files (no automatic parsing there). -matrix_client_hydrogen_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}" - -# Your custom JSON configuration for Hydrogen should go to `matrix_client_hydrogen_configuration_extension_json`. -# This configuration extends the default starting configuration (`matrix_client_hydrogen_configuration_default`). -# -# You can override individual variables from the default configuration, or introduce new ones. -# -# If you need something more special, you can take full control by -# completely redefining `matrix_client_hydrogen_configuration_default`. -# -# Example configuration extension follows: -# -# matrix_client_hydrogen_configuration_extension_json: | -# { -# "push": { -# "appId": "io.element.hydrogen.web", -# "gatewayUrl": "https://matrix.org", -# "applicationServerKey": "BC-gpSdVHEXhvHSHS0AzzWrQoukv2BE7KzpoPO_FfPacqOo3l1pdqz7rSgmB04pZCWaHPz7XRe6fjLaC-WPDopM" -# }, -# "defaultHomeServer": "matrix.org" -# } -matrix_client_hydrogen_configuration_extension_json: '{}' - -matrix_client_hydrogen_configuration_extension: "{{ matrix_client_hydrogen_configuration_extension_json|from_json if matrix_client_hydrogen_configuration_extension_json|from_json is mapping else {} }}" - -# Holds the final Hydrogen configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_client_hydrogen_configuration_default`. -matrix_client_hydrogen_configuration: "{{ matrix_client_hydrogen_configuration_default|combine(matrix_client_hydrogen_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-client-hydrogen/tasks/init.yml b/roles/matrix-client-hydrogen/tasks/init.yml deleted file mode 100644 index 8116a003..00000000 --- a/roles/matrix-client-hydrogen/tasks/init.yml +++ /dev/null @@ -1,10 +0,0 @@ -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - fail: - msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build and matrix_client_hydrogen_enabled" - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" - when: matrix_client_hydrogen_enabled|bool diff --git a/roles/matrix-client-hydrogen/tasks/main.yml b/roles/matrix-client-hydrogen/tasks/main.yml deleted file mode 100644 index 6534db05..00000000 --- a/roles/matrix-client-hydrogen/tasks/main.yml +++ /dev/null @@ -1,15 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_client_hydrogen_enabled|bool" - tags: - - setup-all - - setup-client-hydrogen - -- import_tasks: "{{ role_path }}/tasks/setup.yml" - when: run_setup|bool - tags: - - setup-all - - setup-client-hydrogen diff --git a/roles/matrix-client-hydrogen/tasks/self_check.yml b/roles/matrix-client-hydrogen/tasks/self_check.yml deleted file mode 100644 index c7407dcd..00000000 --- a/roles/matrix-client-hydrogen/tasks/self_check.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- set_fact: - matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}" - -- name: Check Hydrogen - uri: - url: "{{ matrix_client_hydrogen_url_endpoint_public }}" - follow_redirects: none - validate_certs: "{{ matrix_client_hydrogen_self_check_validate_certificates }}" - register: matrix_client_hydrogen_self_check_result - check_mode: no - ignore_errors: true - -- name: Fail if Hydrogen not working - fail: - msg: "Failed checking Hydrogen is up at `{{ matrix_server_fqn_hydrogen }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}" - when: "matrix_client_hydrogen_self_check_result.failed or 'json' not in matrix_client_hydrogen_self_check_result" - -- name: Report working Hydrogen - debug: - msg: "Hydrogen at `{{ matrix_server_fqn_hydrogen }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)" diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml deleted file mode 100644 index 205fa3ce..00000000 --- a/roles/matrix-client-hydrogen/tasks/setup.yml +++ /dev/null @@ -1,119 +0,0 @@ ---- - -# -# Tasks related to setting up Hydrogen -# - -- name: Ensure Hydrogen paths exists - file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_client_hydrogen_data_path }}", when: true } - - { path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}" } - when: matrix_client_hydrogen_enabled|bool and item.when - -- name: Ensure Hydrogen Docker image is pulled - docker_image: - name: "{{ matrix_client_hydrogen_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_client_hydrogen_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_hydrogen_docker_image_force_pull }}" - when: matrix_client_hydrogen_enabled|bool and not matrix_client_hydrogen_container_image_self_build - -- name: Ensure Hydrogen repository is present on self-build - git: - repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}" - dest: "{{ matrix_client_hydrogen_docker_src_files_path }}" - version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}" - force: "yes" - register: matrix_client_hydrogen_git_pull_results - when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" - -- name: Ensure Hydrogen configuration installed - copy: - content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}" - dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" - -- name: Ensure Hydrogen additional config files installed - template: - src: "{{ item.src }}" - dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} - when: "matrix_client_hydrogen_enabled|bool and item.src is not none" - -- name: Ensure Hydrogen Docker image is built - docker_image: - name: "{{ matrix_client_hydrogen_docker_image }}" - source: build - force_source: "{{ matrix_client_hydrogen_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_client_hydrogen_docker_src_files_path }}" - pull: yes - when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" - -- name: Ensure matrix-client-hydrogen.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" - mode: 0644 - register: matrix_client_hydrogen_systemd_service_result - when: matrix_client_hydrogen_enabled|bool - -- name: Ensure systemd reloaded after matrix-client-hydrogen.service installation - service: - daemon_reload: yes - when: "matrix_client_hydrogen_enabled and matrix_client_hydrogen_systemd_service_result.changed" - -# -# Tasks related to getting rid of Hydrogen (if it was previously enabled) -# - -- name: Check existence of matrix-client-hydrogen.service - stat: - path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" - register: matrix_client_hydrogen_service_stat - when: "not matrix_client_hydrogen_enabled|bool" - -- name: Ensure matrix-client-hydrogen is stopped - service: - name: matrix-client-hydrogen - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" - -- name: Ensure matrix-client-hydrogen.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" - state: absent - when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal - service: - daemon_reload: yes - when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" - -- name: Ensure Hydrogen paths doesn't exist - file: - path: "{{ matrix_client_hydrogen_data_path }}" - state: absent - when: "not matrix_client_hydrogen_enabled|bool" - -- name: Ensure Hydrogen Docker image doesn't exist - docker_image: - name: "{{ matrix_client_hydrogen_docker_image }}" - state: absent - when: "not matrix_client_hydrogen_enabled|bool" diff --git a/roles/matrix-client-hydrogen/tasks/validate_config.yml b/roles/matrix-client-hydrogen/tasks/validate_config.yml deleted file mode 100644 index d3b9a709..00000000 --- a/roles/matrix-client-hydrogen/tasks/validate_config.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -- name: Fail if required Hydrogen settings not defined - fail: - msg: > - You need to define a required configuration setting (`{{ item }}`) to use Hydrogen. - when: "(vars[item] == '' or vars[item] is none) and matrix_client_hydrogen_container_image_self_build|bool" - with_items: - - "matrix_client_hydrogen_default_hs_url" diff --git a/roles/matrix-client-hydrogen/templates/config.json.j2 b/roles/matrix-client-hydrogen/templates/config.json.j2 deleted file mode 100644 index 62a849b0..00000000 --- a/roles/matrix-client-hydrogen/templates/config.json.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{ - "defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url|string|to_json }} -} diff --git a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 deleted file mode 100644 index fba16bbd..00000000 --- a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 +++ /dev/null @@ -1,66 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# This is a custom nginx configuration file that we use in the container (instead of the default one), -# because it allows us to run nginx with a non-root user. -# -# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. -# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) -# -# The following changes have been done compared to a default nginx configuration file: -# - default server port is changed (80 -> 8080), so that a non-root user can bind it -# - various temp paths are changed to `/tmp`, so that a non-root user can write to them -# - the `user` directive was removed, as we don't want nginx to switch users - -worker_processes 1; - -error_log /var/log/nginx/error.log warn; -pid /tmp/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - proxy_temp_path /tmp/proxy_temp; - client_body_temp_path /tmp/client_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - server { - listen 8080; - server_name localhost; - - root /usr/share/nginx/html; - - location / { - index index.html index.htm; - } - - location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { - expires -1; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - } -} diff --git a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 deleted file mode 100644 index c85aeb97..00000000 --- a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 +++ /dev/null @@ -1,39 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Hydrogen Client -{% for service in matrix_client_hydrogen_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydrogen \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --network={{ matrix_docker_network }} \ - {% if matrix_client_hydrogen_container_http_host_bind_port %} - -p {{ matrix_client_hydrogen_container_http_host_bind_port }}:8080 \ - {% endif %} - --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ - --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ - {% for arg in matrix_client_hydrogen_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_client_hydrogen_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-client-hydrogen - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml deleted file mode 100644 index 3411d0f8..00000000 --- a/roles/matrix-dynamic-dns/defaults/main.yml +++ /dev/null @@ -1,48 +0,0 @@ -# Whether dynamic dns is enabled -matrix_dynamic_dns_enabled: true - -# The dynamic dns daemon interval -matrix_dynamic_dns_daemon_interval: '300' - -matrix_dynamic_dns_version: v3.9.1-ls45 - -# The docker container to use when in mode -matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" - -matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else matrix_container_global_registry_prefix }}" - -# The image to force pull -matrix_dynamic_dns_docker_image_force_pull: "{{ matrix_dynamic_dns_docker_image.endswith(':latest') }}" - -# List of extra arguments to pass to the ontainer mode -matrix_dynamic_dns_container_extra_arguments: [] - -# List of wanted services when running in mode -matrix_dynamic_dns_systemd_wanted_services_list: [] - -# List of required services when running in mode -matrix_dynamic_dns_systemd_required_services_list: ['docker.service'] - -# Build the container from source when running in mode -matrix_dynamic_dns_container_image_self_build: false -matrix_dynamic_dns_container_image_self_build_repo: "https://github.com/linuxserver/docker-ddclient.git" - -# Config paths -matrix_dynamic_dns_base_path: "{{ matrix_base_data_path }}/dynamic-dns" -matrix_dynamic_dns_config_path: "{{ matrix_dynamic_dns_base_path }}/config" -matrix_dynamic_dns_docker_src_files_path: "{{ matrix_dynamic_dns_base_path }}/docker-src" - -# Holds the configurations (the domains to update DNS for, the providers they use, etc.) -# -# Example: -# matrix_dynamic_dns_domain_configurations: -# - provider: domains.google.com -# protocol: dyndn2 -# username: XXXXXXXXXXXXXXXX -# password: XXXXXXXXXXXXXXXX -# domain: "{{ matrix_domain }}" -matrix_dynamic_dns_domain_configurations: [] - -# Config options -matrix_dynamic_dns_additional_configuration_blocks: [] -matrix_dynamic_dns_use: "web" diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml deleted file mode 100644 index e7d33ff2..00000000 --- a/roles/matrix-dynamic-dns/tasks/init.yml +++ /dev/null @@ -1,10 +0,0 @@ -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - fail: - msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build and matrix_dynamic_dns_enabled" - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}" - when: "matrix_dynamic_dns_enabled|bool" diff --git a/roles/matrix-dynamic-dns/tasks/install.yml b/roles/matrix-dynamic-dns/tasks/install.yml deleted file mode 100644 index ac69ec89..00000000 --- a/roles/matrix-dynamic-dns/tasks/install.yml +++ /dev/null @@ -1,62 +0,0 @@ ---- - -- name: Ensure Dynamic DNS image is pulled - docker_image: - name: "{{ matrix_dynamic_dns_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_dynamic_dns_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_docker_image_force_pull }}" - when: matrix_dynamic_dns_enabled|bool and not matrix_dynamic_dns_container_image_self_build - -- name: Ensure Dynamic DNS paths exist - file: - path: "{{ item.path }}" - state: directory - mode: 0751 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_dynamic_dns_base_path }}", when: true } - - { path: "{{ matrix_dynamic_dns_config_path }}", when: true } - - { path: "{{ matrix_dynamic_dns_docker_src_files_path }}", when: "{{ matrix_dynamic_dns_container_image_self_build }}" } - when: matrix_dynamic_dns_enabled|bool and item.when|bool - -- name: Ensure Dynamic DNS repository is present on self build - git: - repo: "{{ matrix_dynamic_dns_container_image_self_build_repo }}" - dest: "{{ matrix_dynamic_dns_docker_src_files_path }}" - force: "yes" - register: matrix_dynamic_dns_git_pull_results - when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build|bool" - -- name: Ensure Dynamic DNS Docker image is built - docker_image: - name: "{{ matrix_dynamic_dns_docker_image }}" - source: build - force_source: "{{ matrix_dynamic_dns_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_dynamic_dns_docker_src_files_path }}" - pull: yes - when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build|bool" - -- name: Ensure Dynamic DNS ddclient.conf installed - template: - src: "{{ role_path }}/templates/ddclient.conf.j2" - dest: "{{ matrix_dynamic_dns_config_path }}/ddclient.conf" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-dynamic-dns.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-dynamic-dns.service.j2" - dest: "/etc/systemd/system/matrix-dynamic-dns.service" - mode: 0644 - register: matrix_dynamic_dns_systemd_service_result - -- name: Ensure systemd reloaded after matrix-dynamic-dns.service installation - service: - daemon_reload: yes - when: "matrix_dynamic_dns_systemd_service_result.changed" diff --git a/roles/matrix-dynamic-dns/tasks/main.yml b/roles/matrix-dynamic-dns/tasks/main.yml deleted file mode 100644 index f9aaab8f..00000000 --- a/roles/matrix-dynamic-dns/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" - tags: - - setup-all - - setup-dynamic-dns - -- import_tasks: "{{ role_path }}/tasks/install.yml" - when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" - tags: - - setup-all - - setup-dynamic-dns - -- import_tasks: "{{ role_path }}/tasks/uninstall.yml" - when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" - tags: - - setup-all - - setup-dynamic-dns diff --git a/roles/matrix-dynamic-dns/tasks/uninstall.yml b/roles/matrix-dynamic-dns/tasks/uninstall.yml deleted file mode 100644 index f3caba25..00000000 --- a/roles/matrix-dynamic-dns/tasks/uninstall.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: Check existence of matrix-dynamic-dns service - stat: - path: "{{ matrix_systemd_path }}/matrix-dynamic-dns.service" - register: matrix_dynamic_dns_service_stat - -- name: Ensure matrix-dynamic-dns is stopped - service: - name: matrix-dynamic-dns - state: stopped - daemon_reload: yes - when: "matrix_dynamic_dns_service_stat.stat.exists" - -- name: Ensure matrix-dynamic-dns.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-dynamic-dns.service" - state: absent - when: "matrix_dynamic_dns_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-dynamic-dns.service removal - service: - daemon_reload: yes - when: "matrix_dynamic_dns_service_stat.stat.exists" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-dynamic-dns/tasks/validate_config.yml b/roles/matrix-dynamic-dns/tasks/validate_config.yml deleted file mode 100644 index 8f0001ea..00000000 --- a/roles/matrix-dynamic-dns/tasks/validate_config.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- - -- name: Fail if no configurations specified - fail: - msg: >- - You need to define at least one configuration in `matrix_dynamic_dns_domain_configurations` for using matrix-dynamic-dns. - when: "matrix_dynamic_dns_domain_configurations|length == 0" - -- name: Fail if required settings not defined in configuration blocks - fail: - msg: >- - One of the configurations in matrix_dynamic_dns_domain_configurations is missing a required key (domain, provider, protocol). - when: "'domain' not in configuration or 'provider' not in configuration or 'protocol' not in configuration" - with_items: "{{ matrix_dynamic_dns_domain_configurations }}" - loop_control: - loop_var: configuration diff --git a/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 b/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 deleted file mode 100644 index 1480d834..00000000 --- a/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 +++ /dev/null @@ -1,26 +0,0 @@ -daemon={{ matrix_dynamic_dns_daemon_interval }} -syslog=no -pid=/var/run/ddclient/ddclient.pid -ssl=yes -use={{ matrix_dynamic_dns_use }} - -{% for dynamic_dns_domain_configuration in matrix_dynamic_dns_domain_configurations %} -protocol={{ dynamic_dns_domain_configuration.protocol }} -server={{ dynamic_dns_domain_configuration.provider }} {% if 'username' in dynamic_dns_domain_configuration %} -login='{{ dynamic_dns_domain_configuration.username }}' {% endif %} {% if 'password' in dynamic_dns_domain_configuration %} -password='{{ dynamic_dns_domain_configuration.password }}' {% endif %} {% if 'static' in dynamic_dns_domain_configuration %} -static=yes {% endif %} {% if 'custom' in dynamic_dns_domain_configuration %} -custom=yes {% endif %} {% if 'zone' in dynamic_dns_domain_configuration %} -zone={{ dynamic_dns_domain_configuration.zone }} {% endif %} {% if 'ttl' in dynamic_dns_domain_configuration %} -ttl={{ dynamic_dns_domain_configuration.ttl }} {% endif %} {% if 'mx' in dynamic_dns_domain_configuration %} -mx={{ dynamic_dns_domain_configuration.mx }} {% endif %} {% if 'wildcard' in dynamic_dns_domain_configuration %} -wildcard=yes {% endif %} -{{ dynamic_dns_domain_configuration.domain }} - -{% endfor %} - - -{% for matrix_dynamic_dns_additional_configuration in matrix_dynamic_dns_additional_configuration_blocks %} -{{ matrix_dynamic_dns_additional_configuration }} - -{% endfor %} diff --git a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 deleted file mode 100644 index dfdd2f72..00000000 --- a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 +++ /dev/null @@ -1,36 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Dynamic DNS -{% for service in matrix_dynamic_dns_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_dynamic_dns_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - -e PUID={{ matrix_user_uid }} \ - -e PGID={{ matrix_user_gid }} \ - -v {{ matrix_dynamic_dns_config_path }}:/config:z \ - {% for arg in matrix_dynamic_dns_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_dynamic_dns_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-dynamic-dns - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-email2matrix/defaults/main.yml b/roles/matrix-email2matrix/defaults/main.yml deleted file mode 100644 index e6bfa0fe..00000000 --- a/roles/matrix-email2matrix/defaults/main.yml +++ /dev/null @@ -1,44 +0,0 @@ -matrix_email2matrix_enabled: true - -matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix" -matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config" - -matrix_email2matrix_version: 1.0.1 -matrix_email2matrix_docker_image: "{{ matrix_container_global_registry_prefix }}devture/email2matrix:{{ matrix_email2matrix_version }}" -matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_email2matrix_container_extra_arguments: [] - -# List of systemd services that matrix-corporal.service depends on -matrix_email2matrix_systemd_required_services_list: ['docker.service'] - -# Controls where the matrix-email2matrix container exposes the SMTP (tcp/2525 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:2525"). -# -# By default, we listen on port 25 on all of the host's network interfaces. -matrix_email2matrix_smtp_host_bind_port: "25" - -matrix_email2matrix_smtp_hostname: "{{ matrix_server_fqn_matrix }}" - -# A list of mailbox to Matrix mappings. -# -# Example: -# matrix_email2matrix_matrix_mappings: -# - MailboxName: "mailbox1" -# MatrixRoomId: "!bpcwlxIUxVvvgXcbjy:example.com" -# MatrixHomeserverUrl: "{{ matrix_homeserver_url }}" -# MatrixUserId": "@email2matrix:{{ matrix_domain }}" -# MatrixAccessToken": "TOKEN_HERE" -# IgnoreSubject: false -# -# - MailboxName: "mailbox2" -# MatrixRoomId: "!another:example.com" -# MatrixHomeserverUrl: "{{ matrix_homeserver_url }}" -# MatrixUserId": "@email2matrix:{{ matrix_domain }}" -# MatrixAccessToken": "TOKEN_HERE" -# IgnoreSubject: true -matrix_email2matrix_matrix_mappings: [] - -matrix_email2matrix_misc_debug: false diff --git a/roles/matrix-email2matrix/tasks/init.yml b/roles/matrix-email2matrix/tasks/init.yml deleted file mode 100644 index 0c8ffc0c..00000000 --- a/roles/matrix-email2matrix/tasks/init.yml +++ /dev/null @@ -1,3 +0,0 @@ -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix.service'] }}" - when: matrix_email2matrix_enabled|bool diff --git a/roles/matrix-email2matrix/tasks/main.yml b/roles/matrix-email2matrix/tasks/main.yml deleted file mode 100644 index 23114673..00000000 --- a/roles/matrix-email2matrix/tasks/main.yml +++ /dev/null @@ -1,15 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_email2matrix_enabled|bool" - tags: - - setup-all - - setup-email2matrix - -- import_tasks: "{{ role_path }}/tasks/setup_email2matrix.yml" - when: run_setup|bool - tags: - - setup-all - - setup-email2matrix diff --git a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml b/roles/matrix-email2matrix/tasks/setup_email2matrix.yml deleted file mode 100644 index d5fa73a5..00000000 --- a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml +++ /dev/null @@ -1,88 +0,0 @@ ---- - -# -# Tasks related to setting up Email2Matrix -# - -- name: Ensure Email2Matrix paths exist - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_email2matrix_base_path }}" - - "{{ matrix_email2matrix_config_dir_path }}" - when: matrix_email2matrix_enabled|bool - -- name: Ensure Email2Matrix configuration file created - template: - src: "{{ role_path }}/templates/config.json.j2" - dest: "{{ matrix_email2matrix_config_dir_path }}/config.json" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - when: matrix_email2matrix_enabled|bool - -- name: Ensure Email2Matrix image is pulled - docker_image: - name: "{{ matrix_email2matrix_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_email2matrix_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_email2matrix_docker_image_force_pull }}" - when: matrix_email2matrix_enabled|bool - -- name: Ensure matrix-email2matrix.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-email2matrix.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-email2matrix.service" - mode: 0644 - register: matrix_email2matrix_systemd_service_result - when: matrix_email2matrix_enabled|bool - -- name: Ensure systemd reloaded after matrix-email2matrix.service installation - service: - daemon_reload: yes - when: "matrix_email2matrix_enabled|bool and matrix_email2matrix_systemd_service_result.changed" - -# -# Tasks related to getting rid of the Email2Matrix (if it was previously enabled) -# - -- name: Check existence of matrix-email2matrix service - stat: - path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" - register: matrix_email2matrix_service_stat - when: "not matrix_email2matrix_enabled|bool" - -- name: Ensure matrix-email2matrix is stopped - service: - name: matrix-email2matrix - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists" - -- name: Ensure matrix-email2matrix.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" - state: absent - when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-email2matrix.service removal - service: - daemon_reload: yes - when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists" - -- name: Ensure Email2Matrix data path doesn't exist - file: - path: "{{ matrix_email2matrix_base_path }}" - state: absent - when: "not matrix_email2matrix_enabled|bool" - -- name: Ensure Email2Matrix Docker image doesn't exist - docker_image: - name: "{{ matrix_email2matrix_docker_image }}" - state: absent - when: "not matrix_email2matrix_enabled|bool" diff --git a/roles/matrix-email2matrix/tasks/validate_config.yml b/roles/matrix-email2matrix/tasks/validate_config.yml deleted file mode 100644 index d8beecf4..00000000 --- a/roles/matrix-email2matrix/tasks/validate_config.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- name: Fail if no mappings - fail: - msg: > - You need to define at least one mapping in `matrix_email2matrix_matrix_mappings` for enabling Email2Matrix. - when: "matrix_email2matrix_matrix_mappings|length == 0" diff --git a/roles/matrix-email2matrix/templates/config.json.j2 b/roles/matrix-email2matrix/templates/config.json.j2 deleted file mode 100644 index c1be97fd..00000000 --- a/roles/matrix-email2matrix/templates/config.json.j2 +++ /dev/null @@ -1,14 +0,0 @@ -#jinja2: lstrip_blocks: "True" -{ - "Smtp": { - "ListenInterface": "0.0.0.0:2525", - "Hostname": {{ matrix_email2matrix_smtp_hostname|to_json }}, - "Workers": 10 - }, - "Matrix": { - "Mappings": {{ matrix_email2matrix_matrix_mappings|to_nice_json }} - }, - "Misc": { - "Debug": {{ matrix_email2matrix_misc_debug|to_json }} - } -} diff --git a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 deleted file mode 100644 index c9226768..00000000 --- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 +++ /dev/null @@ -1,34 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Email2Matrix -After=docker.service -Requires=docker.service -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-email2matrix \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --network={{ matrix_docker_network }} \ - -p {{ matrix_email2matrix_smtp_host_bind_port }}:2525 \ - --mount type=bind,src={{ matrix_email2matrix_config_dir_path }}/config.json,dst=/config.json,ro \ - {% for arg in matrix_email2matrix_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_email2matrix_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-email2matrix - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml deleted file mode 100644 index 45f8f8b2..00000000 --- a/roles/matrix-etherpad/defaults/main.yml +++ /dev/null @@ -1,87 +0,0 @@ -matrix_etherpad_enabled: false - -matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" - -matrix_etherpad_version: 1.8.12 -matrix_etherpad_docker_image: "{{ matrix_container_global_registry_prefix }}etherpad/etherpad:{{ matrix_etherpad_version }}" -matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" - -# List of systemd services that matrix-etherpad.service depends on. -matrix_etherpad_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-etherpad.service wants -matrix_etherpad_systemd_wanted_services_list: [] - -# Container user has to be able to write to the source file directories until this bug is fixed: -# https://github.com/ether/etherpad-lite/issues/2683 -matrix_etherpad_user_uid: '5001' -matrix_etherpad_user_gid: '5001' - -# Controls whether the matrix-etherpad container exposes its HTTP port (tcp/9001 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:9001"), or empty string to not expose. -matrix_etherpad_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_etherpad_container_extra_arguments: [] - -matrix_etherpad_public_endpoint: '/etherpad' - -# By default, the Etherpad app can be accessed within the Dimension domain -matrix_etherpad_base_url: "https://{{ matrix_server_fqn_dimension }}{{ matrix_etherpad_public_endpoint }}" - -# Database-related configuration fields. -# -# Etherpad requires a dedicated database -matrix_etherpad_database_engine: 'postgres' - -matrix_etherpad_database_username: 'matrix_etherpad' -matrix_etherpad_database_password: 'some-password' -matrix_etherpad_database_hostname: 'matrix-postgres' -matrix_etherpad_database_port: 5432 -matrix_etherpad_database_name: 'matrix_etherpad' - -matrix_etherpad_database_connection_string: 'postgres://{{ matrix_etherpad_database_username }}:{{ matrix_etherpad_database_password }}@{{ matrix_etherpad_database_hostname }}:{{ matrix_etherpad_database_port }}/{{ matrix_etherpad_database_name }}' - -# Variables configuring the etherpad -matrix_etherpad_title: 'Etherpad' -matrix_etherpad_default_pad_text: | - Welcome to Etherpad! - - This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents! - - Get involved with Etherpad at https://etherpad.org - -# Default Etherpad configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_etherpad_configuration_extension_json`) -# or completely replace this variable with your own template. -matrix_etherpad_configuration_default: "{{ lookup('template', 'templates/settings.json.j2') }}" - -# Your custom JSON configuration for Etherpad goes here. -# This configuration extends the default starting configuration (`matrix_etherpad_configuration_json`). -# -# You can override individual variables from the default configuration, or introduce new ones. -# -# If you need something more special, you can take full control by -# completely redefining `matrix_etherpad_configuration_json`. -# -# Example configuration extension follows: -# -# matrix_etherpad_configuration_extension_json: | -# { -# "loadTest": true, -# "commitRateLimiting": { -# "duration": 1, -# "points": 10 -# } -# } -# -matrix_etherpad_configuration_extension_json: '{}' - -matrix_etherpad_configuration_extension: "{{ matrix_etherpad_configuration_extension_json|from_json if matrix_etherpad_configuration_extension_json|from_json is mapping else {} }}" - -# Holds the final Etherpad configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_etherpad_configuration_json`. -matrix_etherpad_configuration: "{{ matrix_etherpad_configuration_default|combine(matrix_etherpad_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-etherpad/tasks/init.yml b/roles/matrix-etherpad/tasks/init.yml deleted file mode 100644 index 081d4c23..00000000 --- a/roles/matrix-etherpad/tasks/init.yml +++ /dev/null @@ -1,62 +0,0 @@ -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-etherpad.service'] }}" - when: matrix_etherpad_enabled|bool - -- block: - - name: Fail if matrix-nginx-proxy role already executed - fail: - msg: >- - Trying to append Etherpad's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, - so that the matrix-nginx-proxy role would run after the matrix-etherpad role. - when: matrix_nginx_proxy_role_executed|default(False)|bool - - - name: Generate Etherpad proxying configuration for matrix-nginx-proxy - set_fact: - matrix_etherpad_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_etherpad_public_endpoint }}$ $scheme://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent; - - location {{ matrix_etherpad_public_endpoint }}/ { - {% if matrix_nginx_proxy_enabled|default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - proxy_pass http://matrix-etherpad:9001/; - {# These are proxy directives needed specifically by Etherpad #} - proxy_buffering off; - proxy_http_version 1.1; # recommended with keepalive connections - proxy_pass_header Server; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used - # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - {% else %} - {# Generic configuration for use outside of our container setup #} - # A good guide for setting up your Etherpad behind nginx: - # https://docs.gandi.net/en/cloud/tutorials/etherpad_lite.html - proxy_pass http://127.0.0.1:9001/; - {% endif %} - } - - - name: Register Etherpad proxying configuration with matrix-nginx-proxy - set_fact: - matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks|default([]) - + - [matrix_etherpad_matrix_nginx_proxy_configuration] - }} - tags: - - always - when: matrix_etherpad_enabled|bool - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - debug: - msg: >- - NOTE: You've enabled the Etherpad tool but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_etherpad_public_endpoint }}` - URL endpoint to the matrix-etherpad container. - You can expose the container's port using the `matrix_etherpad_container_http_host_bind_port` variable. - when: "matrix_etherpad_enabled|bool and matrix_nginx_proxy_enabled is not defined" diff --git a/roles/matrix-etherpad/tasks/main.yml b/roles/matrix-etherpad/tasks/main.yml deleted file mode 100644 index 27548aaf..00000000 --- a/roles/matrix-etherpad/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: run_setup|bool and matrix_etherpad_enabled|bool - tags: - - setup-all - - setup-etherpad - -- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: run_setup|bool and not matrix_etherpad_enabled|bool - tags: - - setup-all - - setup-etherpad - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup|bool and matrix_etherpad_enabled|bool - tags: - - setup-all - - setup-etherpad diff --git a/roles/matrix-etherpad/tasks/setup_install.yml b/roles/matrix-etherpad/tasks/setup_install.yml deleted file mode 100644 index a93c28de..00000000 --- a/roles/matrix-etherpad/tasks/setup_install.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- - -- name: Ensure Etherpad base path exists - file: - path: "{{ matrix_etherpad_base_path }}" - state: directory - mode: 0770 - owner: "{{ matrix_etherpad_user_uid }}" - group: "{{ matrix_etherpad_user_gid }}" - -- name: Ensure Etherpad config installed - copy: - content: "{{ matrix_etherpad_configuration|to_nice_json }}" - dest: "{{ matrix_etherpad_base_path }}/settings.json" - mode: 0640 - owner: "{{ matrix_etherpad_user_uid }}" - group: "{{ matrix_etherpad_user_gid }}" - -- name: Ensure Etherpad image is pulled - docker_image: - name: "{{ matrix_etherpad_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_etherpad_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_etherpad_docker_image_force_pull }}" - -- name: Ensure matrix-etherpad.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-etherpad.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-etherpad.service" - mode: 0644 - register: matrix_etherpad_systemd_service_result - -- name: Ensure systemd reloaded after matrix-etherpad.service installation - service: - daemon_reload: yes - when: "matrix_etherpad_systemd_service_result.changed|bool" diff --git a/roles/matrix-etherpad/tasks/setup_uninstall.yml b/roles/matrix-etherpad/tasks/setup_uninstall.yml deleted file mode 100644 index 8f40f420..00000000 --- a/roles/matrix-etherpad/tasks/setup_uninstall.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- - -- name: Check existence of matrix-etherpad service - stat: - path: "{{ matrix_systemd_path }}/matrix-etherpad.service" - register: matrix_etherpad_service_stat - -- name: Ensure matrix-etherpad is stopped - service: - name: matrix-etherpad - state: stopped - daemon_reload: yes - register: stopping_result - when: "matrix_etherpad_service_stat.stat.exists|bool" - -- name: Ensure matrix-etherpad.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-etherpad.service" - state: absent - when: "matrix_etherpad_service_stat.stat.exists|bool" - -- name: Ensure systemd reloaded after matrix-etherpad.service removal - service: - daemon_reload: yes - when: "matrix_etherpad_service_stat.stat.exists|bool" - -- name: Ensure Etherpad base directory doesn't exist - file: - path: "{{ matrix_etherpad_base_path }}" - state: absent - -- name: Ensure Etherpad Docker image doesn't exist - docker_image: - name: "{{ matrix_etherpad_docker_image }}" - state: absent diff --git a/roles/matrix-etherpad/tasks/validate_config.yml b/roles/matrix-etherpad/tasks/validate_config.yml deleted file mode 100644 index c76dc3b5..00000000 --- a/roles/matrix-etherpad/tasks/validate_config.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: Fail if Etherpad is enabled without the Dimension integrations manager - fail: - msg: >- - To integrate Etherpad notes with Matrix rooms you need to set "matrix_dimension_enabled" to true - when: "not matrix_dimension_enabled|bool" - -- name: Fail if no database is configured for Etherpad - fail: - msg: >- - Etherpad requires a dedicated Postgres database. Please enable the built in one, or configure an external DB by redefining "matrix_etherpad_database_hostname" - when: matrix_etherpad_database_hostname == "matrix-postgres" and not matrix_postgres_enabled diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 deleted file mode 100644 index 377bad98..00000000 --- a/roles/matrix-etherpad/templates/settings.json.j2 +++ /dev/null @@ -1,105 +0,0 @@ -{ - "title": {{ matrix_etherpad_title|to_json }}, - "favicon": "favicon.ico", - "skinName": "colibris", - "skinVariants": "super-light-toolbar super-light-editor light-background", - "ip": "::", - "port": 9001, - "showSettingsInAdminPage": true, - "dbType": {{ matrix_etherpad_database_engine|to_json }}, - "dbSettings": { - "database": {{ matrix_etherpad_database_name|to_json }}, - "host": {{ matrix_etherpad_database_hostname|to_json }}, - "password": {{ matrix_etherpad_database_password|to_json }}, - "port": {{ matrix_etherpad_database_port|to_json }}, - "user": {{ matrix_etherpad_database_username|to_json }} - }, - "defaultPadText" : {{ matrix_etherpad_default_pad_text|to_json }}, - "suppressErrorsInPadText": false, - "requireSession": false, - "editOnly": false, - "minify": true, - "maxAge": 21600, - "abiword": null, - "soffice": null, - "tidyHtml": null, - "allowUnknownFileEnds": true, - "requireAuthentication": false, - "requireAuthorization": false, - "trustProxy": true, - "cookie": { - "sameSite": "Lax" - }, - "disableIPlogging": true, - "automaticReconnectionTimeout": 0, - "scrollWhenFocusLineIsOutOfViewport": { - "percentage": { - "editionAboveViewport": 0, - "editionBelowViewport": 0 - }, - "duration": 0, - "scrollWhenCaretIsInTheLastLineOfViewport": false, - "percentageToScrollWhenUserPressesArrowUp": 0 - }, - "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], - "socketIo": { - "maxHttpBufferSize": 10000 - }, - "loadTest": false, - "importExportRateLimiting": { - "windowMs": 90000, - "max": 10 - }, - "importMaxFileSize": 52428800, - "commitRateLimiting": { - "duration": 1, - "points": 10 - }, - "exposeVersion": false, - "padOptions": { - "noColors": false, - "showControls": true, - "showChat": false, - "showLineNumbers": true, - "useMonospaceFont": false, - "userName": false, - "userColor": false, - "rtl": false, - "alwaysShowChat": false, - "chatAndUsers": false, - "lang": "en-gb" - }, - "padShortcutEnabled" : { - "altF9": true, - "altC": true, - "cmdShift2": true, - "delete": true, - "return": true, - "esc": true, - "cmdS": true, - "tab": true, - "cmdZ": true, - "cmdY": true, - "cmdI": true, - "cmdB": true, - "cmdU": true, - "cmd5": true, - "cmdShiftL": true, - "cmdShiftN": true, - "cmdShift1": true, - "cmdShiftC": true, - "cmdH": true, - "ctrlHome": true, - "pageUp": true, - "pageDown": true - }, - "loglevel": "INFO", - "logconfig" : - { "appenders": [ - { "type": "console", - "layout": {"type": "messagePassThrough"} - } - ] - }, - "customLocaleStrings": {} -} diff --git a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 deleted file mode 100644 index b579036b..00000000 --- a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 +++ /dev/null @@ -1,44 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Etherpad -{% for service in matrix_etherpad_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_etherpad_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-etherpad -ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-etherpad - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-etherpad \ - --log-driver=none \ - --user={{ matrix_etherpad_user_uid }}:{{ matrix_etherpad_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - {% if matrix_etherpad_container_http_host_bind_port %} - -p {{ matrix_etherpad_container_http_host_bind_port }}:9001 \ - {% endif %} - --mount type=bind,src={{ matrix_etherpad_base_path }},dst=/data \ - {% for arg in matrix_etherpad_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_etherpad_docker_image }} \ - node --experimental-worker src/node/server.js \ - --settings /data/settings.json --credentials /data/credentials.json \ - --sessionkey /data/sessionkey.json --apikey /data/apijey.json - - -ExecStop=-{{ matrix_host_command_docker }} kill matrix-etherpad -ExecStop=-{{ matrix_host_command_docker }} rm matrix-etherpad -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-etherpad - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml deleted file mode 100644 index 88359fe1..00000000 --- a/roles/matrix-grafana/defaults/main.yml +++ /dev/null @@ -1,59 +0,0 @@ -# matrix-grafana is open source visualization and analytics software -# See: https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md - -matrix_grafana_enabled: false - -matrix_grafana_version: 8.0.5 -matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" -matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" - -# Not conditional, because when someone disables metrics -# they might still want to look at the old existing data. -# So it would be silly to delete the dashboard in such case. -matrix_grafana_dashboard_download_urls: -- "https://raw.githubusercontent.com/matrix-org/synapse/master/contrib/grafana/synapse.json" -- "https://raw.githubusercontent.com/rfrail3/grafana-dashboards/master/prometheus/node-exporter-full.json" - -matrix_grafana_base_path: "{{ matrix_base_data_path }}/grafana" -matrix_grafana_config_path: "{{ matrix_grafana_base_path }}/config" -matrix_grafana_data_path: "{{ matrix_grafana_base_path }}/data" - -# Allow viewing Grafana without logging in -matrix_grafana_anonymous_access: false - -# specify organization name that should be used for unauthenticated users -# if you change this in the Grafana admin panel, this needs to be updated -# to match to keep anonymous logins working -matrix_grafana_anonymous_access_org_name: 'Main Org.' - - -# default admin credentials, you are asked to change these on first login -matrix_grafana_default_admin_user: admin -matrix_grafana_default_admin_password: admin - -# Set to true to add the Content-Security-Policy header to your requests. -# CSP allows to control resources that the user agent can load and helps -# prevent XSS attacks. -# [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy) -matrix_grafana_content_security_policy: true - -# specify content security policy template to customized template -# added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers. -# [Content Security Policy Browser Test] (https://content-security-policy.com/browser-test/) -# [Content Security Policy Reference](https://content-security-policy.com/script-src/) -matrix_grafana_content_security_policy_customized: false -matrix_grafana_content_security_policy_template: "script-src 'self' 'unsafe-eval' 'unsafe-inline' http: https: 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';" - -# A list of extra arguments to pass to the container -matrix_grafana_container_extra_arguments: [] - -# List of systemd services that matrix-grafana.service depends on -matrix_grafana_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-grafana.service wants -matrix_grafana_systemd_wanted_services_list: [] - -# Controls whether the matrix-grafana container exposes its HTTP port (tcp/3000 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:3000"), or empty string to not expose. -matrix_grafana_container_http_host_bind_port: '' diff --git a/roles/matrix-grafana/tasks/init.yml b/roles/matrix-grafana/tasks/init.yml deleted file mode 100644 index 8a22e301..00000000 --- a/roles/matrix-grafana/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-grafana.service'] }}" - when: matrix_grafana_enabled|bool - - diff --git a/roles/matrix-grafana/tasks/main.yml b/roles/matrix-grafana/tasks/main.yml deleted file mode 100644 index fb16c394..00000000 --- a/roles/matrix-grafana/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_grafana_enabled|bool" - tags: - - setup-all - - setup-grafana - -- import_tasks: "{{ role_path }}/tasks/setup.yml" - tags: - - setup-all - - setup-grafana diff --git a/roles/matrix-grafana/tasks/setup.yml b/roles/matrix-grafana/tasks/setup.yml deleted file mode 100644 index 00d2e230..00000000 --- a/roles/matrix-grafana/tasks/setup.yml +++ /dev/null @@ -1,110 +0,0 @@ ---- - -# -# Tasks related to setting up matrix-grafana -# - -- name: Ensure matrix-grafana image is pulled - docker_image: - name: "{{ matrix_grafana_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_grafana_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_grafana_docker_image_force_pull }}" - when: "matrix_grafana_enabled|bool" - -- name: Ensure grafana paths exists - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_grafana_base_path }}" - - "{{ matrix_grafana_config_path }}" - - "{{ matrix_grafana_config_path }}/provisioning" - - "{{ matrix_grafana_config_path }}/provisioning/datasources" - - "{{ matrix_grafana_config_path }}/provisioning/dashboards" - - "{{ matrix_grafana_config_path }}/dashboards" - - "{{ matrix_grafana_data_path }}" - when: matrix_grafana_enabled|bool - -- name: Ensure grafana.ini present - template: - src: "{{ role_path }}/templates/grafana.ini.j2" - dest: "{{ matrix_grafana_config_path }}/grafana.ini" - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_grafana_enabled|bool - -- name: Ensure provisioning/datasources/default.yaml present - template: - src: "{{ role_path }}/templates/datasources.yaml.j2" - dest: "{{ matrix_grafana_config_path }}/provisioning/datasources/default.yaml" - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_grafana_enabled|bool - -- name: Ensure provisioning/dashboards/default.yaml present - template: - src: "{{ role_path }}/templates/dashboards.yaml.j2" - dest: "{{ matrix_grafana_config_path }}/provisioning/dashboards/default.yaml" - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_grafana_enabled|bool - -- name: Ensure dashboard(s) downloaded - get_url: - url: "{{ item }}" - dest: "{{ matrix_grafana_config_path }}/dashboards/" - force: true - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: "{{ matrix_grafana_dashboard_download_urls_all }}" - when: matrix_grafana_enabled|bool - -- name: Ensure matrix-grafana.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-grafana.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-grafana.service" - mode: 0644 - register: matrix_grafana_systemd_service_result - when: matrix_grafana_enabled|bool - -- name: Ensure systemd reloaded after matrix-grafana.service installation - service: - daemon_reload: yes - when: "matrix_grafana_enabled|bool and matrix_grafana_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-grafana (if it was previously enabled) -# - -- name: Check existence of matrix-grafana service - stat: - path: "{{ matrix_systemd_path }}/matrix-grafana.service" - register: matrix_grafana_service_stat - -- name: Ensure matrix-grafana is stopped - service: - name: matrix-grafana - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists" - -- name: Ensure matrix-grafana.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-grafana.service" - state: absent - when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-grafana.service removal - service: - daemon_reload: yes - when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists" - diff --git a/roles/matrix-grafana/tasks/validate_config.yml b/roles/matrix-grafana/tasks/validate_config.yml deleted file mode 100644 index 63d4919a..00000000 --- a/roles/matrix-grafana/tasks/validate_config.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- name: Fail if Prometheus not enabled - fail: - msg: > - You need to enable `matrix_prometheus_enabled` to use Prometheus as data source for Grafana. - when: "not matrix_prometheus_enabled" diff --git a/roles/matrix-grafana/templates/dashboards.yaml.j2 b/roles/matrix-grafana/templates/dashboards.yaml.j2 deleted file mode 100644 index aae42ba2..00000000 --- a/roles/matrix-grafana/templates/dashboards.yaml.j2 +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: 1 - -providers: - - name: {{ matrix_server_fqn_matrix }} - Dashboards - folder: '' # The folder where to place the dashboards - type: file - allowUiUpdates: true - options: - path: /etc/grafana/dashboards diff --git a/roles/matrix-grafana/templates/datasources.yaml.j2 b/roles/matrix-grafana/templates/datasources.yaml.j2 deleted file mode 100644 index 6ccbe374..00000000 --- a/roles/matrix-grafana/templates/datasources.yaml.j2 +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: 1 - -datasources: - - name: {{ matrix_server_fqn_matrix }} - Prometheus - type: prometheus - # Access mode - proxy (server in the UI) or direct (browser in the UI). - access: proxy - url: http://matrix-prometheus:9090 diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 deleted file mode 100644 index 8f4c88f0..00000000 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ /dev/null @@ -1,31 +0,0 @@ -[server] -root_url = "https://{{ matrix_server_fqn_grafana }}" - -[security] -# default admin user, created on startup -admin_user = "{{ matrix_grafana_default_admin_user }}" - -# default admin password, can be changed before first start of grafana, or in profile settings -admin_password = """{{ matrix_grafana_default_admin_password }}""" - -# specify content_security_policy to add the Content-Security-Policy header to your requests -content_security_policy = "{{ matrix_grafana_content_security_policy }}" - -# specify content security policy template to customized template -{% if matrix_grafana_content_security_policy_customized %} -content_security_policy_template = """{{ matrix_grafana_content_security_policy_template }}""" -{% endif %} - -[auth.anonymous] -# enable anonymous access -enabled = {{ matrix_grafana_anonymous_access }} - -# specify organization name that should be used for unauthenticated users -org_name = "{{ matrix_grafana_anonymous_access_org_name }}" - -[dashboards] -{% if matrix_synapse_metrics_enabled %} -default_home_dashboard_path = /etc/grafana/dashboards/synapse.json -{% else %} -default_home_dashboard_path = /etc/grafana/dashboards/node-exporter-full.json -{% endif %} diff --git a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 deleted file mode 100644 index a4f81e35..00000000 --- a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 +++ /dev/null @@ -1,43 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=matrix-grafana -{% for service in matrix_grafana_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_grafana_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' - - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-grafana \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --network={{ matrix_docker_network }} \ - {% if matrix_grafana_container_http_host_bind_port %} - -p {{ matrix_grafana_container_http_host_bind_port }}:3000 \ - {% endif %} - -v {{ matrix_grafana_config_path }}:/etc/grafana:z \ - -v {{ matrix_grafana_data_path }}:/var/lib/grafana:z \ - {% for arg in matrix_grafana_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_grafana_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-grafana - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml deleted file mode 100644 index 87d87706..00000000 --- a/roles/matrix-jitsi/defaults/main.yml +++ /dev/null @@ -1,261 +0,0 @@ -matrix_jitsi_enabled: true - -matrix_jitsi_base_path: "{{ matrix_base_data_path }}/jitsi" - -matrix_jitsi_enable_auth: false -matrix_jitsi_enable_guests: false -matrix_jitsi_enable_recording: false -matrix_jitsi_enable_transcriptions: false -matrix_jitsi_enable_p2p: true - -# Authentication type, must be one of internal, jwt or ldap. Currently only -# internal and ldap are supported by this playbook. -matrix_jitsi_auth_type: internal - -# Configuration options for LDAP authentication. For details see upstream: -# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. -# Defaults are taken from: -# https://github.com/jitsi/docker-jitsi-meet/blob/master/prosody/rootfs/defaults/saslauthd.conf -matrix_jitsi_ldap_url: "" -matrix_jitsi_ldap_base: "" -matrix_jitsi_ldap_binddn: "" -matrix_jitsi_ldap_bindpw: "" -matrix_jitsi_ldap_filter: "uid=%u" -matrix_jitsi_ldap_auth_method: "bind" -matrix_jitsi_ldap_version: "3" -matrix_jitsi_ldap_use_tls: false -matrix_jitsi_ldap_tls_ciphers: "" -matrix_jitsi_ldap_tls_check_peer: false -matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt" -matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs" -matrix_jitsi_ldap_start_tls: false - -matrix_jitsi_timezone: UTC - -matrix_jitsi_xmpp_domain: matrix-jitsi-web -matrix_jitsi_xmpp_server: matrix-jitsi-prosody -matrix_jitsi_xmpp_auth_domain: auth.meet.jitsi -matrix_jitsi_xmpp_bosh_url_base: http://{{ matrix_jitsi_xmpp_server }}:5280 -matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi -matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi -matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi -matrix_jitsi_xmpp_modules: '' - -matrix_jitsi_recorder_domain: recorder.meet.jitsi - - -matrix_jitsi_jibri_brewery_muc: jibribrewery -matrix_jitsi_jibri_pending_timeout: 90 -matrix_jitsi_jibri_xmpp_user: jibri -matrix_jitsi_jibri_xmpp_password: '' -matrix_jitsi_jibri_recorder_user: recorder -matrix_jitsi_jibri_recorder_password: '' - -matrix_jitsi_enable_lobby: false - -matrix_jitsi_version: stable-5765-1 -matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility - -matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" -matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" - -matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" -matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config" -matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts" - -matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" - -# STUN servers used in the web UI. Feel free to point them to your own STUN server. -# Addresses need to be prefixed with one of `stun:`, `turn:` or `turns:`. -matrix_jitsi_web_stun_servers: ['stun:meet-jit-si-turnrelay.jitsi.net:443'] - -# Controls whether Etherpad will be available within Jitsi -matrix_jitsi_etherpad_enabled: false - -# Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:13080"), or empty string to not expose. -matrix_jitsi_web_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_jitsi_web_container_extra_arguments: [] - -# List of systemd services that matrix-jitsi-web.service depends on -matrix_jitsi_web_systemd_required_services_list: ['docker.service'] - - -# Some variables controlling the interface of Jitsi Web. -# These get applied to `templates/web/interface_config.js.j2`. -# -# Besides this, you can also use `matrix_jitsi_web_custom_interface_config_extension` -# to define any other configuration option. -matrix_jitsi_web_interface_config_lang_detection: false -matrix_jitsi_web_interface_config_show_jitsi_watermark: true -matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org" -matrix_jitsi_web_interface_config_show_brand_watermark: false -matrix_jitsi_web_interface_config_brand_watermark_link: "" -matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page: true -matrix_jitsi_web_interface_config_display_welcome_page_content: true -matrix_jitsi_web_interface_config_app_name: "Jitsi Meet" -matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet" -matrix_jitsi_web_interface_config_provider_name: "Jitsi" -matrix_jitsi_web_interface_config_show_powered_by: false -matrix_jitsi_web_interface_config_disable_transcription_subtitles: false -matrix_jitsi_web_interface_config_show_deep_linking_image: false - -# Custom configuration to be injected into `interface_config.js`, passed to Jitsi Web. -# This configuration gets appended to the final interface configuration that Jitsi Web uses. -# -# Note: not to be confused with `matrix_jitsi_web_custom_config_extension`. -# -# For interface configuration, the flow is like this: -# - the contents of `templates/web/interface_config.js.j2` is generated (based on various `matrix_jitsi_web_interface_config_*` variables you see in this file) -# - the contents of `matrix_jitsi_web_custom_interface_config_extension` is appended and can define new settings or override defaults. -# -# Example: -# matrix_jitsi_web_custom_interface_config_extension: | -# interfaceConfig.CONNECTION_INDICATOR_AUTO_HIDE_ENABLED = false; -# interfaceConfig.DISABLE_VIDEO_BACKGROUND = true; -matrix_jitsi_web_custom_interface_config_extension: '' - - -# Controls after which participant audio will be muted. If not specified, defaults to Jitsi's default value (likely 10) -matrix_jitsi_web_config_start_audio_muted_after_nth_participant: ~ -# Controls after which participant video will be muted. If not specified, defaults to Jitsi's default value (likely 10) -matrix_jitsi_web_config_start_video_muted_after_nth_participant: ~ - -matrix_jitsi_web_config_defaultLanguage: 'en' - -# Ideal and also maximum resolution width. If not specified, defaults to Jitsi's default value (likely 1280) -matrix_jitsi_web_config_resolution_width_ideal_and_max: ~ -# Minimum resolution width. If not specified, defaults to Jitsi's default value (likely 320) -matrix_jitsi_web_config_resolution_width_min: ~ -# Ideal and also maximum resolution height. If not specified, defaults to Jitsi's default value (likely 720) -matrix_jitsi_web_config_resolution_height_ideal_and_max: ~ -# Minimum resolution height. If not specified, defaults to Jitsi's default value (likely 180) -matrix_jitsi_web_config_resolution_height_min: ~ - -# Custom configuration to be injected into `custom-config.js`, passed to Jitsi Web. -# This configuration gets appended to the final configuration that Jitsi Web uses. -# -# Note: not to be confused with `matrix_jitsi_web_custom_interface_config_extension`. -# -# The flow is like this: -# - some default configuration is automatically generated based on the environment variables passed to the Jitsi Web container -# - the contents of `custom-config.js` is appended to it (see `templates/web/custom-config.js.j2`) -# - said `custom-config.js` contains your custom contents specified in `matrix_jitsi_web_custom_config_extension`. -# -# Example: -# matrix_jitsi_web_custom_config_extension: | -# if (!config.hasOwnProperty('testing')) config.testing = {}; -# config.testing.p2pTestMode = true -matrix_jitsi_web_custom_config_extension: '' - -# Additional environment variables to pass to the Jitsi Web container. -# You can use this to further influence the default configuration generated by the Jitsi Web container on every startup. -# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration -# by using `matrix_jitsi_web_custom_config_extension`. -# -# Example: -# matrix_jitsi_web_environment_variables_extension: | -# ENABLE_FILE_RECORDING_SERVICE=1 -# DROPBOX_APPKEY=something -# DROPBOX_REDIRECT_URI=something -matrix_jitsi_web_environment_variables_extension: '' - - -matrix_jitsi_prosody_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" -matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" - -matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" -matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config" -matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom" - -# A list of extra arguments to pass to the container -matrix_jitsi_prosody_container_extra_arguments: [] - -# List of systemd services that matrix-jitsi-prosody.service depends on -matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] - -# Neccessary Port binding for those disabling the integrated nginx proxy -matrix_jitsi_prosody_container_http_host_bind_port: '' - -matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" -matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" - -matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" -matrix_jitsi_jicofo_config_path: "{{ matrix_jitsi_jicofo_base_path }}/config" - -# A list of extra arguments to pass to the container -matrix_jitsi_jicofo_container_extra_arguments: [] - -# List of systemd services that matrix-jitsi-jicofo.service depends on -matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] - -matrix_jitsi_jicofo_component_secret: '' -matrix_jitsi_jicofo_auth_user: focus -matrix_jitsi_jicofo_auth_password: '' - - -matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" -matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" - -matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" -matrix_jitsi_jvb_config_path: "{{ matrix_jitsi_jvb_base_path }}/config" - -# A list of extra arguments to pass to the container -matrix_jitsi_jvb_container_extra_arguments: [] - -# List of systemd services that matrix-jitsi-jvb.service depends on -matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] - -matrix_jitsi_jvb_auth_user: jvb -matrix_jitsi_jvb_auth_password: '' - -# STUN servers used by JVB on the server-side, so it can discover its own external IP address. -# Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. -matrix_jitsi_jvb_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443'] - -matrix_jitsi_jvb_brewery_muc: jvbbrewery -matrix_jitsi_jvb_rtp_udp_port: 10000 -matrix_jitsi_jvb_rtp_tcp_port: 4443 - -# Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB. -# This configuration gets appended to the final configuration that Jitsi JVB uses. -# -# The flow is like this: -# - some default configuration is automatically generated based on the environment variables passed to the Jitsi JVB container -# - the contents of `custom-sip-communicator.properties` is appended to it (see `templates/jvb/custom-sip-communicator.properties.j2`) -# - said `custom-sip-communicator.properties` contains your custom contents specified in `matrix_jitsi_jvb_custom_config_extension`. -# -# Example: -# matrix_jitsi_jvb_custom_config_extension: | -# org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=false -# org.jitsi.videobridge.ENABLE_STATISTICS=false -matrix_jitsi_jvb_custom_config_extension: '' - -# Additional environment variables to pass to the Jitsi JVB container. -# You can use this to further influence the default configuration generated by the Jitsi JVB container on every startup. -# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration -# by using `matrix_jitsi_jvb_custom_config_extension`. -# -# Example: -# matrix_jitsi_jvb_environment_variables_extension: | -# SOME_VARIABLE=1 -# ANOTHER_VARIABLE=something -matrix_jitsi_jvb_environment_variables_extension: '' - -# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/10000 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:10000"), or empty string to not expose. -matrix_jitsi_jvb_container_rtp_udp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_udp_port }}" - -# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/4443 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:4443"), or empty string to not expose. -matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_port }}" - -# Controls whether the matrix-jitsi-jvb container exposes its Colibri WebSocket port (tcp/9090 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:12090"), or empty string to not expose. -matrix_jitsi_jvb_container_colibri_ws_host_bind_port: '' diff --git a/roles/matrix-jitsi/tasks/init.yml b/roles/matrix-jitsi/tasks/init.yml deleted file mode 100644 index 1f7a2d1c..00000000 --- a/roles/matrix-jitsi/tasks/init.yml +++ /dev/null @@ -1,3 +0,0 @@ -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] }}" - when: matrix_jitsi_enabled|bool diff --git a/roles/matrix-jitsi/tasks/main.yml b/roles/matrix-jitsi/tasks/main.yml deleted file mode 100644 index e4f3508f..00000000 --- a/roles/matrix-jitsi/tasks/main.yml +++ /dev/null @@ -1,39 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_jitsi_enabled|bool" - tags: - - setup-all - - setup-jitsi - -- import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" - when: run_setup|bool - tags: - - setup-all - - setup-jitsi - -- import_tasks: "{{ role_path }}/tasks/setup_jitsi_web.yml" - when: run_setup|bool - tags: - - setup-all - - setup-jitsi - -- import_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody.yml" - when: run_setup|bool - tags: - - setup-all - - setup-jitsi - -- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo.yml" - when: run_setup|bool - tags: - - setup-all - - setup-jitsi - -- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb.yml" - when: run_setup|bool - tags: - - setup-all - - setup-jitsi diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml deleted file mode 100644 index 408027ee..00000000 --- a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -# -# Tasks related to setting up jitsi -# - -- name: Ensure Matrix jitsi base path exists - file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_jitsi_base_path }}", when: true } - when: matrix_jitsi_enabled|bool and item.when - -# -# Tasks related to getting rid of jitsi (if it was previously enabled) -# diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml deleted file mode 100644 index dd2a7bd2..00000000 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml +++ /dev/null @@ -1,93 +0,0 @@ ---- - -# -# Tasks related to setting up jitsi-jicofo -# - -- name: Ensure Matrix jitsi-jicofo path exists - file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_jitsi_jicofo_base_path }}", when: true } - - { path: "{{ matrix_jitsi_jicofo_config_path }}", when: true } - when: matrix_jitsi_enabled|bool and item.when - -- name: Ensure jitsi-jicofo Docker image is pulled - docker_image: - name: "{{ matrix_jitsi_jicofo_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_jicofo_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jicofo_docker_image_force_pull }}" - when: matrix_jitsi_enabled|bool - -- name: Ensure jitsi-jicofo environment variables file created - template: - src: "{{ role_path }}/templates/jicofo/env.j2" - dest: "{{ matrix_jitsi_jicofo_base_path }}/env" - mode: 0640 - when: matrix_jitsi_enabled|bool - -- name: Ensure jitsi-jicofo configuration files created - template: - src: "{{ role_path }}/templates/jicofo/{{ item }}.j2" - dest: "{{ matrix_jitsi_jicofo_config_path }}/{{ item }}" - mode: 0644 - with_items: - - sip-communicator.properties - - logging.properties - when: matrix_jitsi_enabled|bool - -- name: Ensure matrix-jitsi-jicofo.service installed - template: - src: "{{ role_path }}/templates/jicofo/matrix-jitsi-jicofo.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-jitsi-jicofo.service" - mode: 0644 - register: matrix_jitsi_jicofo_systemd_service_result - when: matrix_jitsi_enabled|bool - -- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service installation - service: - daemon_reload: yes - when: "matrix_jitsi_enabled and matrix_jitsi_jicofo_systemd_service_result.changed" - -# -# Tasks related to getting rid of jitsi-jicofo (if it was previously enabled) -# - -- name: Check existence of matrix-jitsi-jicofo service - stat: - path: "{{ matrix_systemd_path }}/matrix-jitsi-jicofo.service" - register: matrix_jitsi_jicofo_service_stat - when: "not matrix_jitsi_enabled|bool" - -- name: Ensure matrix-jitsi-jicofo is stopped - service: - name: matrix-jitsi-jicofo - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists" - -- name: Ensure matrix-jitsi-jicofo.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-jitsi-jicofo.service" - state: absent - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service removal - service: - daemon_reload: yes - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists" - -- name: Ensure Matrix jitsi-jicofo paths doesn't exist - file: - path: "{{ matrix_jitsi_jicofo_base_path }}" - state: absent - when: "not matrix_jitsi_enabled|bool" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml deleted file mode 100644 index b73426db..00000000 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ /dev/null @@ -1,93 +0,0 @@ ---- - -# -# Tasks related to setting up jitsi-jvb -# - -- name: Ensure Matrix jitsi-jvb path exists - file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_jitsi_jvb_base_path }}", when: true } - - { path: "{{ matrix_jitsi_jvb_config_path }}", when: true } - when: matrix_jitsi_enabled|bool and item.when - -- name: Ensure jitsi-jvb Docker image is pulled - docker_image: - name: "{{ matrix_jitsi_jvb_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_jvb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jvb_docker_image_force_pull }}" - when: matrix_jitsi_enabled|bool - -- name: Ensure jitsi-jvb configuration files created - template: - src: "{{ role_path }}/templates/jvb/{{ item }}.j2" - dest: "{{ matrix_jitsi_jvb_config_path }}/{{ item }}" - mode: 0644 - with_items: - - custom-sip-communicator.properties - - logging.properties - when: matrix_jitsi_enabled|bool - -- name: Ensure jitsi-jvb environment variables file created - template: - src: "{{ role_path }}/templates/jvb/env.j2" - dest: "{{ matrix_jitsi_jvb_base_path }}/env" - mode: 0640 - when: matrix_jitsi_enabled|bool - -- name: Ensure matrix-jitsi-jvb.service installed - template: - src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-jitsi-jvb.service" - mode: 0644 - register: matrix_jitsi_jvb_systemd_service_result - when: matrix_jitsi_enabled|bool - -- name: Ensure systemd reloaded after matrix-jitsi-jvb.service installation - service: - daemon_reload: yes - when: "matrix_jitsi_enabled and matrix_jitsi_jvb_systemd_service_result.changed" - -# -# Tasks related to getting rid of jitsi-jvb (if it was previously enabled) -# - -- name: Check existence of matrix-jitsi-jvb service - stat: - path: "{{ matrix_systemd_path }}/matrix-jitsi-jvb.service" - register: matrix_jitsi_jvb_service_stat - when: "not matrix_jitsi_enabled|bool" - -- name: Ensure matrix-jitsi-jvb is stopped - service: - name: matrix-jitsi-jvb - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists" - -- name: Ensure matrix-jitsi-jvb.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-jitsi-jvb.service" - state: absent - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-jitsi-jvb.service removal - service: - daemon_reload: yes - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists" - -- name: Ensure Matrix jitsi-jvb paths doesn't exist - file: - path: "{{ matrix_jitsi_jvb_base_path }}" - state: absent - when: "not matrix_jitsi_enabled|bool" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml deleted file mode 100644 index fd051fda..00000000 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ /dev/null @@ -1,84 +0,0 @@ ---- - -# -# Tasks related to setting up jitsi-prosody -# - -- name: Ensure Matrix jitsi-prosody path exists - file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_jitsi_prosody_base_path }}", when: true } - - { path: "{{ matrix_jitsi_prosody_config_path }}", when: true } - - { path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true } - when: matrix_jitsi_enabled|bool and item.when - -- name: Ensure jitsi-prosody Docker image is pulled - docker_image: - name: "{{ matrix_jitsi_prosody_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_prosody_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}" - when: matrix_jitsi_enabled|bool - -- name: Ensure jitsi-prosody environment variables file created - template: - src: "{{ role_path }}/templates/prosody/env.j2" - dest: "{{ matrix_jitsi_prosody_base_path }}/env" - mode: 0640 - when: matrix_jitsi_enabled|bool - -- name: Ensure matrix-jitsi-prosody.service installed - template: - src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" - mode: 0644 - register: matrix_jitsi_prosody_systemd_service_result - when: matrix_jitsi_enabled|bool - -- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation - service: - daemon_reload: yes - when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" - -# -# Tasks related to getting rid of jitsi-prosody (if it was previously enabled) -# - -- name: Check existence of matrix-jitsi-prosody service - stat: - path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" - register: matrix_jitsi_prosody_service_stat - when: "not matrix_jitsi_enabled|bool" - -- name: Ensure matrix-jitsi-prosody is stopped - service: - name: matrix-jitsi-prosody - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" - -- name: Ensure matrix-jitsi-prosody.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" - state: absent - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal - service: - daemon_reload: yes - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" - -- name: Ensure Matrix jitsi-prosody paths doesn't exist - file: - path: "{{ matrix_jitsi_prosody_base_path }}" - state: absent - when: "not matrix_jitsi_enabled|bool" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml deleted file mode 100644 index 2b8a2cd2..00000000 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ /dev/null @@ -1,95 +0,0 @@ ---- - -# -# Tasks related to setting up jitsi-web -# - -- name: Ensure Matrix jitsi-web path exists - file: - path: "{{ item.path }}" - state: directory - mode: 0777 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_jitsi_web_base_path }}", when: true } - - { path: "{{ matrix_jitsi_web_config_path }}", when: true } - - { path: "{{ matrix_jitsi_web_transcripts_path }}", when: true } - when: matrix_jitsi_enabled|bool and item.when - -- name: Ensure jitsi-web Docker image is pulled - docker_image: - name: "{{ matrix_jitsi_web_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_jitsi_web_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_web_docker_image_force_pull }}" - when: matrix_jitsi_enabled|bool - -- name: Ensure jitsi-web environment variables file created - template: - src: "{{ role_path }}/templates/web/env.j2" - dest: "{{ matrix_jitsi_web_base_path }}/env" - mode: 0640 - when: matrix_jitsi_enabled|bool - -- name: Ensure jitsi-web configuration files created - template: - src: "{{ role_path }}/templates/web/{{ item }}.j2" - dest: "{{ matrix_jitsi_web_config_path }}/{{ item }}" - mode: 0644 - with_items: - - custom-config.js - - interface_config.js - when: matrix_jitsi_enabled|bool - -- name: Ensure matrix-jitsi-web.service installed - template: - src: "{{ role_path }}/templates/web/matrix-jitsi-web.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-jitsi-web.service" - mode: 0644 - register: matrix_jitsi_web_systemd_service_result - when: matrix_jitsi_enabled|bool - -- name: Ensure systemd reloaded after matrix-jitsi-web.service installation - service: - daemon_reload: yes - when: "matrix_jitsi_enabled and matrix_jitsi_web_systemd_service_result.changed" - -# -# Tasks related to getting rid of jitsi-web (if it was previously enabled) -# - -- name: Check existence of matrix-jitsi-web service - stat: - path: "{{ matrix_systemd_path }}/matrix-jitsi-web.service" - register: matrix_jitsi_web_service_stat - when: "not matrix_jitsi_enabled|bool" - -- name: Ensure matrix-jitsi-web is stopped - service: - name: matrix-jitsi-web - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists" - -- name: Ensure matrix-jitsi-web.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-jitsi-web.service" - state: absent - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-jitsi-web.service removal - service: - daemon_reload: yes - when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists" - -- name: Ensure Matrix jitsi-web paths doesn't exist - file: - path: "{{ matrix_jitsi_web_base_path }}" - state: absent - when: "not matrix_jitsi_enabled|bool" - -# Intentionally not removing the Docker image when uninstalling. -# We can't be sure it had been pulled by us in the first place. - diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml deleted file mode 100644 index cc8a4b22..00000000 --- a/roles/matrix-jitsi/tasks/validate_config.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- - -- name: Fail if required Jitsi settings not defined - fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`) for using Jitsi. - - If you're setting up Jitsi for the first time, you may have missed a step. - Refer to our setup instructions (docs/configuring-playbook-jitsi.md). - - If you had setup Jitsi successfully before and it's just now that you're observing this failure, - it means that your installation may be using some default passwords that the playbook used to define until now. - This is not secure and we urge you to rebuild your Jitsi setup. - Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). - when: "vars[item] == ''" - with_items: - - "matrix_jitsi_jibri_xmpp_password" - - "matrix_jitsi_jibri_recorder_password" - - "matrix_jitsi_jicofo_component_secret" - - "matrix_jitsi_jicofo_auth_password" - - "matrix_jitsi_jvb_auth_password" - -- name: (Deprecation) Catch and report renamed settings - fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_jitsi_web_config_constraints_enabled', 'new': ''} - - {'old': 'matrix_jitsi_web_config_constraints_video_aspectRatio', 'new': ''} - - {'old': 'matrix_jitsi_web_config_constraints_video_height_ideal', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'} - - {'old': 'matrix_jitsi_web_config_constraints_video_height_max', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'} - - {'old': 'matrix_jitsi_web_config_constraints_video_height_min', 'new': 'matrix_jitsi_web_config_resolution_height_min'} - - {'old': 'matrix_jitsi_web_config_disableAudioLevels', 'new': ''} - - {'old': 'matrix_jitsi_web_config_enableLayerSuspension', 'new': ''} - - {'old': 'matrix_jitsi_web_config_channelLastN', 'new': ''} - - {'old': 'matrix_jitsi_web_config_testing_p2pTestMode', 'new': ''} - - {'old': 'matrix_jitsi_web_config_start_with_audio_muted', 'new': ''} - - {'old': 'matrix_jitsi_web_config_start_with_video_muted', 'new': ''} - - {'old': 'matrix_jitsi_web_interface_config_show_watermark_for_guests', 'new': ''} - - {'old': 'matrix_jitsi_web_interface_config_invitation_powered_by', 'new': ''} - - {'old': 'matrix_jisti_web_interface_config_show_deep_linking_image', 'new': 'matrix_jitsi_web_interface_config_show_deep_linking_image'} diff --git a/roles/matrix-jitsi/templates/jicofo/env.j2 b/roles/matrix-jitsi/templates/jicofo/env.j2 deleted file mode 100644 index a402d2d7..00000000 --- a/roles/matrix-jitsi/templates/jicofo/env.j2 +++ /dev/null @@ -1,17 +0,0 @@ -ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} - -XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} - -JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }} -JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} -JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} - -JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} - -JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} -JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }} - -TZ={{ matrix_jitsi_timezone }} diff --git a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 deleted file mode 100644 index 7eba95af..00000000 --- a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 +++ /dev/null @@ -1,20 +0,0 @@ -handlers= java.util.logging.ConsoleHandler - -java.util.logging.ConsoleHandler.level = ALL -java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter - -net.java.sip.communicator.util.ScLogFormatter.programname=Jicofo - -.level=INFO -net.sf.level=SEVERE -net.java.sip.communicator.plugin.reconnectplugin.level=FINE -org.ice4j.level=SEVERE -org.jitsi.impl.neomedia.level=SEVERE - -# Do not worry about missing strings -net.java.sip.communicator.service.resources.AbstractResourcesService.level=SEVERE - -#net.java.sip.communicator.service.protocol.level=ALL - -# Enable debug packets logging -#org.jitsi.impl.protocol.xmpp.level=FINE diff --git a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 deleted file mode 100644 index 6ecafaa0..00000000 --- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 +++ /dev/null @@ -1,33 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix jitsi-jicofo server -{% for service in matrix_jitsi_jicofo_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - --env-file={{ matrix_jitsi_jicofo_base_path }}/env \ - --mount type=bind,src={{ matrix_jitsi_jicofo_config_path }},dst=/config \ - {% for arg in matrix_jitsi_jicofo_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_jitsi_jicofo_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-jitsi-jicofo - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 b/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 deleted file mode 100644 index c62e04ff..00000000 --- a/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 +++ /dev/null @@ -1,9 +0,0 @@ -org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true -org.jitsi.jicofo.BRIDGE_MUC={{ matrix_jitsi_jvb_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} - -org.jitsi.jicofo.jibri.BREWERY={{ matrix_jitsi_jibri_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} -org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90 - -{% if matrix_jitsi_enable_auth %} -org.jitsi.jicofo.auth.URL=XMPP:{{ matrix_jitsi_xmpp_domain }} -{% endif %} diff --git a/roles/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 b/roles/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 deleted file mode 100644 index 44b6b8c2..00000000 --- a/roles/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 +++ /dev/null @@ -1,7 +0,0 @@ -org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true - -org.jitsi.videobridge.ENABLE_STATISTICS=true -org.jitsi.videobridge.STATISTICS_TRANSPORT=muc -org.jitsi.videobridge.STATISTICS_INTERVAL=5000 - -{{ matrix_jitsi_jvb_custom_config_extension }} diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 deleted file mode 100644 index f7dc9247..00000000 --- a/roles/matrix-jitsi/templates/jvb/env.j2 +++ /dev/null @@ -1,20 +0,0 @@ -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} -JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} -JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }} -JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} -JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} - -XMPP_SERVER={{ matrix_jitsi_xmpp_server }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} - -HOSTNAME=matrix-jitsi-jvb - -{% if matrix_jitsi_jvb_stun_servers|length > 0 %} -JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }} -{% endif %} - -PUBLIC_URL={{ matrix_jitsi_web_public_url }} - -{{ matrix_jitsi_jvb_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 deleted file mode 100644 index 48c1e9fa..00000000 --- a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 +++ /dev/null @@ -1,13 +0,0 @@ -handlers= java.util.logging.ConsoleHandler - -java.util.logging.ConsoleHandler.level = ALL -java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter - -net.java.sip.communicator.util.ScLogFormatter.programname=JVB - -.level=INFO - -org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE - -# All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge. -org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 deleted file mode 100644 index 53c0c83a..00000000 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ /dev/null @@ -1,42 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix jitsi-jvb server -{% for service in matrix_jitsi_jvb_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - --env-file={{ matrix_jitsi_jvb_base_path }}/env \ - {% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} - -p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ - {% endif %} - {% if matrix_jitsi_jvb_container_rtp_tcp_host_bind_port %} - -p {{ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_tcp_port }} \ - {% endif %} - {% if matrix_jitsi_jvb_container_colibri_ws_host_bind_port %} - -p {{ matrix_jitsi_jvb_container_colibri_ws_host_bind_port }}:9090 \ - {% endif %} - --mount type=bind,src={{ matrix_jitsi_jvb_config_path }},dst=/config \ - {% for arg in matrix_jitsi_jvb_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_jitsi_jvb_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-jitsi-jvb - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 deleted file mode 100644 index 38b2456c..00000000 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ /dev/null @@ -1,49 +0,0 @@ -AUTH_TYPE={{ matrix_jitsi_auth_type }} - -ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} -ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} - -PUBLIC_URL={{ matrix_jitsi_web_public_url }} - -LDAP_URL={{ matrix_jitsi_ldap_url }} -LDAP_BASE={{ matrix_jitsi_ldap_base }} -LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} -LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }} -LDAP_FILTER={{ matrix_jitsi_ldap_filter }} -LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} -LDAP_VERSION={{ matrix_jitsi_ldap_version }} -LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} -LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }} -LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} -LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} -LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} -LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} - -XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} -XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} -XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} - -XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} -XMPP_MUC_MODULES= -XMPP_INTERNAL_MUC_MODULES= - -XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} - -JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }} -JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} -JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} - -JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} -JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} - -JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} -JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} - -JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} -JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} - -ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }} - -TZ={{ matrix_jitsi_timezone }} diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 deleted file mode 100644 index 4445e52b..00000000 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ /dev/null @@ -1,37 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix jitsi-prosody server -{% for service in matrix_jitsi_prosody_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - {% if matrix_jitsi_prosody_container_http_host_bind_port %} - -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \ - {% endif %} - --env-file={{ matrix_jitsi_prosody_base_path }}/env \ - --mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \ - --mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \ - {% for arg in matrix_jitsi_prosody_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_jitsi_prosody_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-jitsi-prosody - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-jitsi/templates/web/custom-config.js.j2 b/roles/matrix-jitsi/templates/web/custom-config.js.j2 deleted file mode 100644 index bbe85798..00000000 --- a/roles/matrix-jitsi/templates/web/custom-config.js.j2 +++ /dev/null @@ -1,18 +0,0 @@ -config.defaultLanguage = {{ matrix_jitsi_web_config_defaultLanguage|to_json }}; - - -if (!config.hasOwnProperty('p2p')) config.p2p = {% raw %}{}{% endraw %}; - -{% if matrix_jitsi_web_stun_servers|length > 0 %} -config.p2p.stunServers = [ - {% for url in matrix_jitsi_web_stun_servers %} - { urls: {{ url|to_json }} }{% if not loop.last %},{% endif %} - {% endfor %} -]; -{% endif %} - -{% if matrix_jitsi_etherpad_enabled %} -config.etherpad_base = {{ (matrix_jitsi_etherpad_base + '/p/') |to_json }} -{% endif %} - -{{ matrix_jitsi_web_custom_config_extension }} diff --git a/roles/matrix-jitsi/templates/web/env.j2 b/roles/matrix-jitsi/templates/web/env.j2 deleted file mode 100644 index 7b763a3c..00000000 --- a/roles/matrix-jitsi/templates/web/env.j2 +++ /dev/null @@ -1,42 +0,0 @@ -ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} -ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} - -ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }} - -ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} - -DISABLE_HTTPS=1 - -JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} - -PUBLIC_URL={{ matrix_jitsi_web_public_url }} - -XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} -XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} -XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }} -XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} -XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} -XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} - -TZ={{ matrix_jitsi_timezone }} - -JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} -JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }} -JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} -JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} -JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} -JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} - -ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }} - -RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }} -RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }} -RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }} -RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }} - -START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }} -START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }} - -ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}} - -{{ matrix_jitsi_web_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/web/interface_config.js.j2 b/roles/matrix-jitsi/templates/web/interface_config.js.j2 deleted file mode 100644 index 08ac02fe..00000000 --- a/roles/matrix-jitsi/templates/web/interface_config.js.j2 +++ /dev/null @@ -1,295 +0,0 @@ -/* eslint-disable no-unused-vars, no-var, max-len */ -/* eslint sort-keys: ["error", "asc", {"caseSensitive": false}] */ - -var interfaceConfig = { - APP_NAME: {{ matrix_jitsi_web_interface_config_app_name|to_json }}, - AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)', - AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)', - - /** - * A UX mode where the last screen share participant is automatically - * pinned. Valid values are the string "remote-only" so remote participants - * get pinned but not local, otherwise any truthy value for all participants, - * and any falsy value to disable the feature. - * - * Note: this mode is experimental and subject to breakage. - */ - AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only', - BRAND_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_brand_watermark_link|to_json }}, - - CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it - /** - * Whether the connection indicator icon should hide itself based on - * connection strength. If true, the connection indicator will remain - * displayed while the participant has a weak connection and will hide - * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is - * strong. - * - * @type {boolean} - */ - CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true, - - /** - * How long the connection indicator should remain displayed before hiding. - * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED. - * - * @type {number} - */ - CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000, - - /** - * If true, hides the connection indicators completely. - * - * @type {boolean} - */ - CONNECTION_INDICATOR_DISABLED: false, - - DEFAULT_BACKGROUND: '#474747', - DEFAULT_LOCAL_DISPLAY_NAME: 'me', - DEFAULT_LOGO_URL: 'images/watermark.svg', - DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', - DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg', - - DISABLE_DOMINANT_SPEAKER_INDICATOR: false, - - DISABLE_FOCUS_INDICATOR: false, - - /** - * If true, notifications regarding joining/leaving are no longer displayed. - */ - DISABLE_JOIN_LEAVE_NOTIFICATIONS: false, - - /** - * If true, presence status: busy, calling, connected etc. is not displayed. - */ - DISABLE_PRESENCE_STATUS: false, - - /** - * Whether the ringing sound in the call/ring overlay is disabled. If - * {@code undefined}, defaults to {@code false}. - * - * @type {boolean} - */ - DISABLE_RINGING: false, - - /** - * Whether the speech to text transcription subtitles panel is disabled. - * If {@code undefined}, defaults to {@code false}. - * - * @type {boolean} - */ - DISABLE_TRANSCRIPTION_SUBTITLES: {{ matrix_jitsi_web_interface_config_disable_transcription_subtitles|to_json }}, - - /** - * Whether or not the blurred video background for large video should be - * displayed on browsers that can support it. - */ - DISABLE_VIDEO_BACKGROUND: false, - - DISPLAY_WELCOME_FOOTER: true, - DISPLAY_WELCOME_PAGE_ADDITIONAL_CARD: false, - DISPLAY_WELCOME_PAGE_CONTENT: {{ matrix_jitsi_web_interface_config_display_welcome_page_content|to_json }}, - DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false, - - ENABLE_DIAL_OUT: true, - - ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation. - - FILM_STRIP_MAX_HEIGHT: 120, - - GENERATE_ROOMNAMES_ON_WELCOME_PAGE: {{ matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page|to_json }}, - - /** - * Hide the logo on the deep linking pages. - */ - HIDE_DEEP_LINKING_LOGO: false, - - /** - * Hide the invite prompt in the header when alone in the meeting. - */ - HIDE_INVITE_MORE_HEADER: false, - - INITIAL_TOOLBAR_TIMEOUT: 20000, - JITSI_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_jitsi_watermark_link|to_json }}, - - LANG_DETECTION: {{ matrix_jitsi_web_interface_config_lang_detection|to_json }}, // Allow i18n to detect the system language - LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature. - LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9 - - /** - * Maximum coefficient of the ratio of the large video to the visible area - * after the large video is scaled to fit the window. - * - * @type {number} - */ - MAXIMUM_ZOOMING_COEFFICIENT: 1.3, - - /** - * Whether the mobile app Jitsi Meet is to be promoted to participants - * attempting to join a conference in a mobile Web browser. If - * {@code undefined}, defaults to {@code true}. - * - * @type {boolean} - */ - MOBILE_APP_PROMO: true, - - /** - * Specify custom URL for downloading android mobile app. - */ - MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet', - - /** - * Specify custom URL for downloading f droid app. - */ - MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/', - - /** - * Specify URL for downloading ios mobile app. - */ - MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905', - - NATIVE_APP_NAME: {{ matrix_jitsi_web_interface_config_native_app_name|to_json }}, - - // Names of browsers which should show a warning stating the current browser - // has a suboptimal experience. Browsers which are not listed as optimal or - // unsupported are considered suboptimal. Valid values are: - // chrome, chromium, edge, electron, firefox, nwjs, opera, safari - OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ], - - POLICY_LOGO: null, - PROVIDER_NAME: {{ matrix_jitsi_web_interface_config_provider_name|to_json }}, - - /** - * If true, will display recent list - * - * @type {boolean} - */ - RECENT_LIST_ENABLED: true, - REMOTE_THUMBNAIL_RATIO: 1, // 1:1 - - SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar' ], - SHOW_BRAND_WATERMARK: {{ matrix_jitsi_web_interface_config_show_brand_watermark|to_json }}, - - /** - * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. - * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) - * being already installed is done before rendering. - */ - SHOW_CHROME_EXTENSION_BANNER: false, - - SHOW_DEEP_LINKING_IMAGE: {{ matrix_jitsi_web_interface_config_show_deep_linking_image|to_json }}, - SHOW_JITSI_WATERMARK: {{ matrix_jitsi_web_interface_config_show_jitsi_watermark|to_json }}, - SHOW_POWERED_BY: {{ matrix_jitsi_web_interface_config_show_powered_by|to_json }}, - SHOW_PROMOTIONAL_CLOSE_PAGE: false, - - /* - * If indicated some of the error dialogs may point to the support URL for - * help. - */ - SUPPORT_URL: 'https://community.jitsi.org/', - - TOOLBAR_ALWAYS_VISIBLE: false, - - /** - * The name of the toolbar buttons to display in the toolbar, including the - * "More actions" menu. If present, the button will display. Exceptions are - * "livestreaming" and "recording" which also require being a moderator and - * some values in config.js to be enabled. Also, the "profile" button will - * not display for users with a JWT. - * Notes: - * - it's impossible to choose which buttons go in the "More actions" menu - * - it's impossible to control the placement of buttons - * - 'desktop' controls the "Share your screen" button - */ - TOOLBAR_BUTTONS: [ - {% if matrix_jitsi_enable_transcriptions %} - 'closedcaptions', - {% endif %} - {% if matrix_jitsi_enable_recording %} - 'recording', - {% endif %} - 'microphone', 'camera', 'desktop', 'embedmeeting', 'fullscreen', - 'fodeviceselection', 'hangup', 'profile', 'chat', - 'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand', - 'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts', - 'tileview', 'videobackgroundblur', 'download', 'help', 'mute-everyone', 'security' - ], - - TOOLBAR_TIMEOUT: 4000, - - // Browsers, in addition to those which do not fully support WebRTC, that - // are not supported and should show the unsupported browser page. - UNSUPPORTED_BROWSERS: [], - - /** - * Whether to show thumbnails in filmstrip as a column instead of as a row. - */ - VERTICAL_FILMSTRIP: true, - - // Determines how the video would fit the screen. 'both' would fit the whole - // screen, 'height' would fit the original video height to the height of the - // screen, 'width' would fit the original video width to the width of the - // screen respecting ratio. - VIDEO_LAYOUT_FIT: 'both', - - /** - * If true, hides the video quality label indicating the resolution status - * of the current large video. - * - * @type {boolean} - */ - VIDEO_QUALITY_LABEL_DISABLED: false, - - /** - * How many columns the tile view can expand to. The respected range is - * between 1 and 5. - */ - // TILE_VIEW_MAX_COLUMNS: 5, - - /** - * Specify Firebase dynamic link properties for the mobile apps. - */ - // MOBILE_DYNAMIC_LINK: { - // APN: 'org.jitsi.meet', - // APP_CODE: 'w2atb', - // CUSTOM_DOMAIN: undefined, - // IBI: 'com.atlassian.JitsiMeet.ios', - // ISI: '1165103905' - // }, - - /** - * Specify mobile app scheme for opening the app from the mobile browser. - */ - // APP_SCHEME: 'org.jitsi.meet', - - /** - * Specify the Android app package name. - */ - // ANDROID_APP_PACKAGE: 'org.jitsi.meet', - - /** - * Override the behavior of some notifications to remain displayed until - * explicitly dismissed through a user action. The value is how long, in - * milliseconds, those notifications should remain displayed. - */ - // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000, - - // List of undocumented settings - /** - INDICATOR_FONT_SIZES - PHONE_NUMBER_REGEX - */ - - // Allow all above example options to include a trailing comma and - // prevent fear when commenting out the last value. - // eslint-disable-next-line sort-keys - makeJsonParserHappy: 'even if last key had a trailing comma' - - // No configuration value should follow this line. -}; - - -{{ matrix_jitsi_web_custom_interface_config_extension }} - - -/* eslint-enable no-unused-vars, no-var, max-len */ diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 deleted file mode 100644 index 6ae2074d..00000000 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ /dev/null @@ -1,37 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix jitsi-web server -{% for service in matrix_jitsi_web_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ - --log-driver=none \ - --network={{ matrix_docker_network }} \ - --env-file={{ matrix_jitsi_web_base_path }}/env \ - {% if matrix_jitsi_web_container_http_host_bind_port %} - -p {{ matrix_jitsi_web_container_http_host_bind_port }}:80 \ - {% endif %} - --mount type=bind,src={{ matrix_jitsi_web_config_path }},dst=/config \ - --mount type=bind,src={{ matrix_jitsi_web_transcripts_path }},dst=/usr/share/jitsi-meet/transcripts \ - {% for arg in matrix_jitsi_web_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_jitsi_web_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-jitsi-web - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml deleted file mode 100644 index 7ab0d15e..00000000 --- a/roles/matrix-ma1sd/defaults/main.yml +++ /dev/null @@ -1,163 +0,0 @@ -# ma1sd is a Federated Matrix Identity Server -# See: https://github.com/ma1uta/ma1sd - -matrix_ma1sd_enabled: true - -matrix_ma1sd_container_image_self_build: false -matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git" -matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}" - -matrix_ma1sd_architecture: "amd64" - -matrix_ma1sd_version: "2.4.0" - -matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}" -matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" - -matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" -# We need the docker src directory to be named ma1sd. See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/588 -matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src/ma1sd" -matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config" -matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data" - -# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/8090 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. -matrix_ma1sd_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_ma1sd_container_extra_arguments: [] - -# List of systemd services that matrix-ma1sd.service depends on -matrix_ma1sd_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-ma1sd.service wants -matrix_ma1sd_systemd_wanted_services_list: [] - -# Your identity server is private by default. -# To ensure maximum discovery, you can make your identity server -# also forward lookups to the central matrix.org Identity server -# (at the cost of potentially leaking all your contacts information). -# Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups -matrix_ma1sd_matrixorg_forwarding_enabled: false - - -# Database-related configuration fields. -# -# To use SQLite, stick to these defaults. -# -# To use Postgres: -# - change the engine (`matrix_ma1sd_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_ma1sd_postgres_*` variables -matrix_ma1sd_database_engine: 'sqlite' - -matrix_ma1sd_sqlite_database_path_local: "{{ matrix_ma1sd_data_path }}/ma1sd.db" -matrix_ma1sd_sqlite_database_path_in_container: "/var/ma1sd/ma1sd.db" - -matrix_ma1sd_database_username: 'matrix_ma1sd' -matrix_ma1sd_database_password: 'some-password' -matrix_ma1sd_database_hostname: 'matrix-postgres' -matrix_ma1sd_database_port: 5432 -matrix_ma1sd_database_name: 'matrix_ma1sd' - -matrix_ma1sd_database_connection_string: 'postgresql://{{ matrix_ma1sd_database_username }}:{{ matrix_ma1sd_database_password }}@{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }}' - - -# ma1sd has serveral supported identity stores. -# One of them is storing identities directly in Synapse's database. -# Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md -matrix_ma1sd_synapsesql_enabled: false -matrix_ma1sd_synapsesql_type: "" -matrix_ma1sd_synapsesql_connection: "" - -# Setting up email-sending settings is required for using ma1sd. -matrix_ma1sd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}" -matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "" -matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 587 -matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 1 -matrix_ma1sd_threepid_medium_email_connectors_smtp_login: "" -matrix_ma1sd_threepid_medium_email_connectors_smtp_password: "" - -# DNS overwrites are useful for telling ma1sd how it can reach the homeserver directly. -# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to ma1sd, -# so that ma1sd can rewrite the original URL to one that would reach the homeserver. -matrix_ma1sd_dns_overwrite_enabled: false -matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" - -# Override the default session templates -# To use this, fill in the template variables with the full desired template as a multi-line YAML variable -# -# More info: -# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/session/session-views.md -matrix_ma1sd_view_session_custom_templates_enabled: false -# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitSuccess.html -matrix_ma1sd_view_session_custom_onTokenSubmit_success_template: "" -# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitFailure.html -matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template: "" - -# Override the default email templates -# To use this, fill in the template variables with the full desired template as a multi-line YAML variable -# -# More info: -# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md -# https://github.com/ma1uta/ma1sd/tree/master/src/main/resources/threepids/email -matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false -# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/invite-template.eml -matrix_ma1sd_threepid_medium_email_custom_invite_template: "" -# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/validate-template.eml -matrix_ma1sd_threepid_medium_email_custom_session_validation_template: "" -# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/unbind-notification.eml -matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template: "" -# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/mxid-template.eml -matrix_ma1sd_threepid_medium_email_custom_matrixid_template: "" - -# Controls whether the self-check feature should validate SSL certificates. -matrix_ma1sd_self_check_validate_certificates: true - -# Controls ma1sd logging verbosity for troubleshooting. -# -# According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity -matrix_ma1sd_verbose_logging: false - -# Setting up support for API prefixes -matrix_ma1sd_v1_enabled: true -matrix_ma1sd_v2_enabled: true - -# Fix for missing 3PIDS bug -matrix_ma1sd_hashing_enabled: true - -# Default ma1sd configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_ma1sd_configuration_yaml: "{{ lookup('template', 'templates/ma1sd.yaml.j2') }}" - -matrix_ma1sd_configuration_extension_yaml: | - # Your custom YAML configuration for ma1sd goes here. - # This configuration extends the default starting configuration (`matrix_ma1sd_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_ma1sd_configuration_yaml`. - # - # Example configuration extension follows: - # - # ldap: - # enabled: true - # connection: - # host: ldapHostnameOrIp - # tls: false - # port: 389 - # baseDNs: ['OU=Users,DC=example,DC=org'] - # bindDn: CN=My Ma1sd User,OU=Users,DC=example,DC=org - # bindPassword: TheUserPassword - -matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml is mapping else {} }}" - -# Holds the final ma1sd configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_ma1sd_configuration_yaml`. -matrix_ma1sd_configuration: "{{ matrix_ma1sd_configuration_yaml|from_yaml|combine(matrix_ma1sd_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-ma1sd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml deleted file mode 100644 index 04cc3a21..00000000 --- a/roles/matrix-ma1sd/tasks/init.yml +++ /dev/null @@ -1,10 +0,0 @@ -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - fail: - msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build and matrix_ma1sd_enabled|bool" - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}" - when: matrix_ma1sd_enabled|bool diff --git a/roles/matrix-ma1sd/tasks/main.yml b/roles/matrix-ma1sd/tasks/main.yml deleted file mode 100644 index 0b8a114e..00000000 --- a/roles/matrix-ma1sd/tasks/main.yml +++ /dev/null @@ -1,28 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_ma1sd_enabled|bool" - tags: - - setup-all - - setup-ma1sd - -- import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup|bool and matrix_ma1sd_enabled|bool" - tags: - - setup-all - - setup-ma1sd - -- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup|bool and not matrix_ma1sd_enabled|bool" - tags: - - setup-all - - setup-ma1sd - -- import_tasks: "{{ role_path }}/tasks/self_check_ma1sd.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check|bool and matrix_ma1sd_enabled|bool" - tags: - - self-check diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml deleted file mode 100644 index 1d966204..00000000 --- a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml +++ /dev/null @@ -1,72 +0,0 @@ ---- - -# This task is for migrating existing mxisd data when transitioning to the ma1sd fork. - -- name: Check for existent mxisd data - stat: - path: "{{ matrix_base_data_path }}/mxisd/data" - register: ma1sd_migrate_mxisd_data_dir_stat - -- name: Warn if mxisd data detected - debug: - msg: > - You seem to have an existing mxisd folder in `{{ matrix_base_data_path }}/mxisd`. - We are going to migrate it to ma1sd and rename the folder to mxisd.migrated. - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - -- name: Check existence of old matrix-mxisd service - stat: - path: "{{ matrix_systemd_path }}/matrix-mxisd.service" - register: matrix_mxisd_service_stat - -- name: Ensure matrix-mxisd is stopped - service: - name: matrix-mxisd - state: stopped - daemon_reload: yes - when: "matrix_mxisd_service_stat.stat.exists" - -- name: Check existence of matrix-ma1sd service - stat: - path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" - register: matrix_ma1sd_service_stat - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - -- name: Ensure matrix-ma1sd is stopped - service: - name: matrix-ma1sd - state: stopped - daemon_reload: yes - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_ma1sd_service_stat.stat.exists" - -# We use shell commands for the migration, because the Ansible copy module cannot -# recursively copy remote directories (like `/matrix/mxisd/data/sign.key`) in older versions of Ansible. -- block: - - name: Copy mxisd data files to ma1sd folder - command: "cp -ar {{ matrix_base_data_path }}/mxisd/data {{ matrix_ma1sd_base_path }}" - - - name: Check existence of mxisd.db file - stat: - path: "{{ matrix_ma1sd_data_path }}/mxisd.db" - register: matrix_ma1sd_mxisd_db_stat - - - name: Rename database (mxisd.db -> ma1sd.db) - command: "mv {{ matrix_ma1sd_data_path }}/mxisd.db {{ matrix_ma1sd_data_path }}/ma1sd.db" - when: "matrix_ma1sd_mxisd_db_stat.stat.exists" - - - name: Rename mxisd folder - command: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated" - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - -- name: Ensure outdated matrix-mxisd.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-mxisd.service" - state: absent - when: "matrix_mxisd_service_stat.stat.exists" - -- name: Ensure systemd reloaded after removing outdated matrix-mxisd.service - service: - daemon_reload: yes - when: "matrix_mxisd_service_stat.stat.exists" - - diff --git a/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml deleted file mode 100644 index b8a7faaa..00000000 --- a/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- set_fact: - ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1" - -- name: Check ma1sd Identity Service - uri: - url: "{{ ma1sd_url_endpoint_public }}" - follow_redirects: none - validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}" - check_mode: no - register: result_ma1sd - ignore_errors: true - -- name: Fail if ma1sd Identity Service not working - fail: - msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}" - when: "result_ma1sd.failed or 'json' not in result_ma1sd" - -- name: Report working ma1sd Identity Service - debug: - msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)" diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml deleted file mode 100644 index 3f319eef..00000000 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ /dev/null @@ -1,167 +0,0 @@ ---- - -- name: Ensure ma1sd paths exist - file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_ma1sd_config_path }}", when: true } - - { path: "{{ matrix_ma1sd_data_path }}", when: true } - - { path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"} - when: "item.when|bool" - -- import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml" - - -# These (SQLite -> Postgres) migration tasks are usually at the top, -# but we'd like to run them after `migrate_mxisd.yml`, which requires the ma1sd paths to exist. -- set_fact: - matrix_ma1sd_requires_restart: false - -- block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_ma1sd_sqlite_database_path_local }}" - register: matrix_ma1sd_sqlite_database_path_local_stat_result - - - block: - - set_fact: - matrix_postgres_db_migration_request: - src: "{{ matrix_ma1sd_sqlite_database_path_local }}" - dst: "{{ matrix_ma1sd_database_connection_string }}" - caller: "{{ role_path|basename }}" - engine_variable_name: 'matrix_ma1sd_database_engine' - engine_old: 'sqlite' - systemd_services_to_stop: ['matrix-ma1sd.service'] - pgloader_options: ['--with "quote identifiers"'] - - - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - - - set_fact: - matrix_ma1sd_requires_restart: true - when: "matrix_ma1sd_sqlite_database_path_local_stat_result.stat.exists|bool" - when: "matrix_ma1sd_database_engine == 'postgres'" - -- name: Ensure ma1sd image is pulled - docker_image: - name: "{{ matrix_ma1sd_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_ma1sd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ma1sd_docker_image_force_pull }}" - when: "not matrix_ma1sd_container_image_self_build|bool" - -- block: - - name: Ensure gradle is installed for self-building (Debian) - apt: - name: - - gradle - state: present - update_cache: yes - when: (ansible_os_family == 'Debian') - - - name: Ensure gradle is installed for self-building (CentOS) - fail: - msg: "Installing gradle on CentOS is currently not supported, so self-building ma1sd cannot happen at this time" - when: ansible_distribution == 'CentOS' - - - name: Ensure gradle is installed for self-building (Archlinux) - pacman: - name: - - gradle - state: latest - update_cache: yes - when: ansible_distribution == 'Archlinux' - - - name: Ensure ma1sd repository is present on self-build - git: - repo: "{{ matrix_ma1sd_container_image_self_build_repo }}" - dest: "{{ matrix_ma1sd_docker_src_files_path }}" - version: "{{ matrix_ma1sd_container_image_self_build_branch }}" - force: "yes" - register: matrix_ma1sd_git_pull_results - - - name: Ensure ma1sd Docker image is built - shell: "DOCKER_BUILDKIT=1 ./gradlew dockerBuild" - args: - chdir: "{{ matrix_ma1sd_docker_src_files_path }}" - - - name: Ensure ma1sd Docker image is tagged correctly - docker_image: - # The build script always tags the image with 2 tags: - # - based on the branch/version: e.g. `ma1uta/ma1sd:2.4.0` (when on `2.4.0`) - # or `ma1uta/ma1sd:2.4.0-19-ga71d32b` (when on a given commit for a pre-release) - # - generic one: `ma1uta/ma1sd:latest-dev` - # - # It's hard to predict the first one, so we'll use the latter. - name: "ma1uta/ma1sd:latest-dev" - repository: "{{ matrix_ma1sd_docker_image }}" - force_tag: yes - source: local - when: "matrix_ma1sd_container_image_self_build|bool" - -- name: Ensure ma1sd config installed - copy: - content: "{{ matrix_ma1sd_configuration|to_nice_yaml }}" - dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure custom view templates are installed, if any - copy: - content: "{{ item.value }}" - dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_success_template }}", location: 'tokenSubmitSuccess.html'} - - {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template }}", location: 'tokenSubmitFailure.html'} - when: "matrix_ma1sd_view_session_custom_templates_enabled|bool and item.value" - -- name: Ensure custom email templates are installed, if any - copy: - content: "{{ item.value }}" - dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} - - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} - - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'} - - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} - when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value" - -# Only cleaning up for people who define the respective templates -- name: (Cleanup) Ensure custom email templates are not in data/ anymore (we've put them in config/) - file: - path: "{{ matrix_ma1sd_data_path }}/{{ item.location }}" - state: absent - with_items: - - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} - - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} - - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'} - - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} - when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value" - -- name: Ensure matrix-ma1sd.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-ma1sd.service" - mode: 0644 - register: matrix_ma1sd_systemd_service_result - -- name: Ensure systemd reloaded after matrix-ma1sd.service installation - service: - daemon_reload: yes - when: "matrix_ma1sd_systemd_service_result.changed|bool" - -- name: Ensure matrix-ma1sd.service restarted, if necessary - service: - name: "matrix-ma1sd.service" - state: restarted - when: "matrix_ma1sd_requires_restart|bool" diff --git a/roles/matrix-ma1sd/tasks/setup_uninstall.yml b/roles/matrix-ma1sd/tasks/setup_uninstall.yml deleted file mode 100644 index b36ab508..00000000 --- a/roles/matrix-ma1sd/tasks/setup_uninstall.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- - -- name: Check existence of matrix-ma1sd service - stat: - path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" - register: matrix_ma1sd_service_stat - -- name: Ensure matrix-ma1sd is stopped - service: - name: matrix-ma1sd - state: stopped - daemon_reload: yes - register: stopping_result - when: "matrix_ma1sd_service_stat.stat.exists|bool" - -- name: Ensure matrix-ma1sd.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" - state: absent - when: "matrix_ma1sd_service_stat.stat.exists|bool" - -- name: Ensure systemd reloaded after matrix-ma1sd.service removal - service: - daemon_reload: yes - when: "matrix_ma1sd_service_stat.stat.exists|bool" - -- name: Ensure Matrix ma1sd paths don't exist - file: - path: "{{ matrix_ma1sd_base_path }}" - state: absent - -- name: Ensure ma1sd Docker image doesn't exist - docker_image: - name: "{{ matrix_ma1sd_docker_image }}" - state: absent diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml deleted file mode 100644 index 4ca25e7e..00000000 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ /dev/null @@ -1,67 +0,0 @@ ---- - -- name: (Deprecation) Warn about ma1sd variables that are not used anymore - fail: - msg: > - The `{{ item }}` variable defined in your configuration is not used by this playbook anymore! - You'll need to adapt to the new way of extending ma1sd configuration. - See the CHANGELOG and the `matrix_ma1sd_configuration_extension_yaml` variable for more information and examples. - when: "item in vars" - with_items: - - 'matrix_ma1sd_ldap_enabled' - - 'matrix_ma1sd_ldap_connection_host' - - 'matrix_ma1sd_ldap_connection_tls' - - 'matrix_ma1sd_ldap_connection_port' - - 'matrix_ma1sd_ldap_connection_baseDn' - - 'matrix_ma1sd_ldap_connection_baseDns' - - 'matrix_ma1sd_ldap_connection_bindDn' - - 'matrix_ma1sd_ldap_connection_bindPassword' - - 'matrix_ma1sd_ldap_filter' - - 'matrix_ma1sd_ldap_attribute_uid_type' - - 'matrix_ma1sd_ldap_attribute_uid_value' - - 'matrix_ma1sd_ldap_connection_bindPassword' - - 'matrix_ma1sd_ldap_attribute_name' - - 'matrix_ma1sd_ldap_attribute_threepid_email' - - 'matrix_ma1sd_ldap_attribute_threepid_msisdn' - - 'matrix_ma1sd_ldap_identity_filter' - - 'matrix_ma1sd_ldap_identity_medium' - - 'matrix_ma1sd_ldap_auth_filter' - - 'matrix_ma1sd_ldap_directory_filter' - - 'matrix_ma1sd_template_config' - -- name: Ensure ma1sd configuration does not contain any dot-notation keys - fail: - msg: > - Since version 1.3.0, ma1sd will not accept property-style configuration keys. - You have defined a key (`{{ item.key }}`) which contains a dot. - Instead, use nesting. See: https://github.com/ma1uta/ma1sd/wiki/Upgrade-Notes#v130 - when: "'.' in item.key" - with_dict: "{{ matrix_ma1sd_configuration }}" - -- name: Fail if required ma1sd settings not defined - fail: - msg: > - You need to define a required configuration setting (`{{ item }}`) for using ma1sd. - when: "vars[item] == ''" - with_items: - - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host" - -- name: (Deprecation) Catch and report renamed ma1sd variables - fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" - with_items: - - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} - - {'old': 'matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template', 'new': 'matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template'} - -- name: (Deprecation) Catch and report mxisd variables - fail: - msg: >- - mxisd is deprecated and has been replaced with ma1sd (https://github.com/ma1uta/ma1sd), a compatible fork. - The playbook will migrate your existing mxisd configuration and data automatically, but you need to adjust variable names. - Please change your configuration (vars.yml) to rename all mxisd variables (`{{ item.old }}` -> `{{ item.new }}`). - when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" - with_items: - - {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'} diff --git a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 deleted file mode 100644 index a4100adc..00000000 --- a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 +++ /dev/null @@ -1,104 +0,0 @@ -#jinja2: lstrip_blocks: True -matrix: - domain: {{ matrix_domain }} - v1: {{ matrix_ma1sd_v1_enabled|to_json }} - v2: {{ matrix_ma1sd_v2_enabled|to_json }} - -server: - name: {{ matrix_server_fqn_matrix }} - -key: - path: /var/ma1sd/sign.key - -storage: - {% if matrix_ma1sd_database_engine == 'sqlite' %} - backend: sqlite - provider: - sqlite: - database: {{ matrix_ma1sd_sqlite_database_path_in_container|to_json }} - {% elif matrix_ma1sd_database_engine == 'postgres' %} - backend: postgresql - provider: - postgresql: - database: //{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }} - username: {{ matrix_ma1sd_database_username|to_json }} - password: {{ matrix_ma1sd_database_password|to_json }} - {% endif %} - -{% if matrix_ma1sd_dns_overwrite_enabled %} -dns: - overwrite: - homeserver: - client: - - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }} - value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }} -{% endif %} - -{% if matrix_ma1sd_matrixorg_forwarding_enabled %} -forward: - servers: ['matrix-org'] -{% endif %} - -threepid: - medium: - email: - identity: - from: {{ matrix_ma1sd_threepid_medium_email_identity_from }} - connectors: - smtp: - host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }} - port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }} - tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }} - login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }} - password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }} -{% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %} - generators: - template: - {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %} - invite: '/etc/ma1sd/invite-template.eml' - {% endif %} - {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %} - session: - {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %} - validation: '/etc/ma1sd/validate-template.eml' - {% endif %} - {% if matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %} - unbind: - notification: '/etc/ma1sd/unbind-notification.eml' - {% endif %} - {% endif %} - {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %} - generic: - matrixId: '/etc/ma1sd/mxid-template.eml' - {% endif %} -{% endif %} - -{% if matrix_ma1sd_view_session_custom_templates_enabled %} -view: - session: - onTokenSubmit: - {% if matrix_ma1sd_view_session_custom_onTokenSubmit_success_template %} - success: '/etc/ma1sd/tokenSubmitSuccess.html' - {% endif %} - {% if matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template %} - failure: '/etc/ma1sd/tokenSubmitFailure.html' - {% endif %} -{% endif %} - -{% if matrix_ma1sd_hashing_enabled %} -hashing: - enabled: true # enable or disable the hash lookup MSC2140 (default is false) - pepperLength: 20 # length of the pepper value (default is 20) - rotationPolicy: per_requests # or `per_seconds` how often the hashes will be updating - hashStorageType: sql # or `in_memory` where the hashes will be stored - algorithms: - - none # the same as v1 bulk lookup - - sha256 # hash the 3PID and pepper. - delay: 2m # how often hashes will be updated if rotation policy = per_seconds (default is 10s) - requests: 10 -{% endif %} - -synapseSql: - enabled: {{ matrix_ma1sd_synapsesql_enabled|to_json }} - type: {{ matrix_ma1sd_synapsesql_type|to_json }} - connection: {{ matrix_ma1sd_synapsesql_connection|to_json }} diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 deleted file mode 100644 index c2adffc0..00000000 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ /dev/null @@ -1,48 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix ma1sd Identity server -{% for service in matrix_ma1sd_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_ma1sd_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' - -# ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, -# so /tmp needs to be mounted with an exec option. -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,exec,nosuid,size=10m \ - --network={{ matrix_docker_network }} \ - {% if matrix_ma1sd_container_http_host_bind_port %} - -p {{ matrix_ma1sd_container_http_host_bind_port }}:8090 \ - {% endif %} - {% if matrix_ma1sd_verbose_logging %} - -e MA1SD_LOG_LEVEL=debug \ - {% endif %} - --mount type=bind,src={{ matrix_ma1sd_config_path }},dst=/etc/ma1sd,ro \ - --mount type=bind,src={{ matrix_ma1sd_data_path }},dst=/var/ma1sd \ - {% for arg in matrix_ma1sd_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_ma1sd_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-ma1sd - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-ma1sd/vars/main.yml b/roles/matrix-ma1sd/vars/main.yml deleted file mode 100644 index b6c97a59..00000000 --- a/roles/matrix-ma1sd/vars/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). -# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later. -matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}" diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml deleted file mode 100644 index 8ca1a8a3..00000000 --- a/roles/matrix-mailer/defaults/main.yml +++ /dev/null @@ -1,31 +0,0 @@ -matrix_mailer_enabled: true - -matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer" - -matrix_mailer_container_image_self_build: false -matrix_mailer_container_image_self_build_repository_url: "https://github.com/devture/exim-relay" -matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" -matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" - -matrix_mailer_version: 4.94.2-r0-2 -matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" -matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" - -# The user/group that the container runs with. -# These match the `exim` user/group within the container image. -matrix_mailer_container_user_uid: 100 -matrix_mailer_container_user_gid: 101 - -# A list of extra arguments to pass to the container -matrix_mailer_container_extra_arguments: [] - -matrix_mailer_hostname: "{{ matrix_server_fqn_matrix }}" - -matrix_mailer_sender_address: "matrix@{{ matrix_domain }}" -matrix_mailer_relay_use: false -matrix_mailer_relay_host_name: "mail.example.com" -matrix_mailer_relay_host_port: 587 -matrix_mailer_relay_auth: false -matrix_mailer_relay_auth_username: "" -matrix_mailer_relay_auth_password: "" diff --git a/roles/matrix-mailer/tasks/init.yml b/roles/matrix-mailer/tasks/init.yml deleted file mode 100644 index d07380f0..00000000 --- a/roles/matrix-mailer/tasks/init.yml +++ /dev/null @@ -1,10 +0,0 @@ -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - fail: - msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build and matrix_mailer_enabled" - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}" - when: matrix_mailer_enabled|bool diff --git a/roles/matrix-mailer/tasks/main.yml b/roles/matrix-mailer/tasks/main.yml deleted file mode 100644 index f636614e..00000000 --- a/roles/matrix-mailer/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/setup_mailer.yml" - when: run_setup|bool - tags: - - setup-all - - setup-mailer diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml deleted file mode 100644 index 251a52da..00000000 --- a/roles/matrix-mailer/tasks/setup_mailer.yml +++ /dev/null @@ -1,107 +0,0 @@ ---- - -# -# Tasks related to setting up the mailer -# - -- name: Ensure mailer base path exists - file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_mailer_base_path }}", when: true } - - { path: "{{ matrix_mailer_container_image_self_build_src_files_path }}", when: "{{ matrix_mailer_container_image_self_build }}" } - when: "matrix_mailer_enabled|bool and item.when" - -- name: Ensure mailer environment variables file created - template: - src: "{{ role_path }}/templates/env-mailer.j2" - dest: "{{ matrix_mailer_base_path }}/env-mailer" - mode: 0640 - when: matrix_mailer_enabled|bool - -- name: Ensure exim-relay repository is present on self-build - git: - repo: "{{ matrix_mailer_container_image_self_build_repository_url }}" - dest: "{{ matrix_mailer_container_image_self_build_src_files_path }}" - version: "{{ matrix_mailer_container_image_self_build_version }}" - force: "yes" - register: matrix_mailer_git_pull_results - when: "matrix_mailer_enabled|bool and matrix_mailer_container_image_self_build|bool" - -- name: Ensure exim-relay Docker image is built - docker_image: - name: "{{ matrix_mailer_docker_image }}" - source: build - force_source: "{{ matrix_mailer_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_mailer_container_image_self_build_src_files_path }}" - pull: yes - when: "matrix_mailer_enabled|bool and matrix_mailer_container_image_self_build|bool" - -- name: Ensure exim-relay image is pulled - docker_image: - name: "{{ matrix_mailer_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mailer_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_docker_image_force_pull }}" - when: "matrix_mailer_enabled|bool and not matrix_mailer_container_image_self_build|bool" - -- name: Ensure matrix-mailer.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-mailer.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-mailer.service" - mode: 0644 - register: matrix_mailer_systemd_service_result - when: matrix_mailer_enabled|bool - -- name: Ensure systemd reloaded after matrix-mailer.service installation - service: - daemon_reload: yes - when: "matrix_mailer_enabled|bool and matrix_mailer_systemd_service_result.changed" - -# -# Tasks related to getting rid of the mailer (if it was previously enabled) -# - -- name: Check existence of matrix-mailer service - stat: - path: "{{ matrix_systemd_path }}/matrix-mailer.service" - register: matrix_mailer_service_stat - when: "not matrix_mailer_enabled|bool" - -- name: Ensure matrix-mailer is stopped - service: - name: matrix-mailer - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_mailer_enabled|bool and matrix_mailer_service_stat.stat.exists" - -- name: Ensure matrix-mailer.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-mailer.service" - state: absent - when: "not matrix_mailer_enabled|bool and matrix_mailer_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mailer.service removal - service: - daemon_reload: yes - when: "not matrix_mailer_enabled|bool and matrix_mailer_service_stat.stat.exists" - -- name: Ensure Matrix mailer environment variables path doesn't exist - file: - path: "{{ matrix_mailer_base_path }}" - state: absent - when: "not matrix_mailer_enabled|bool" - -- name: Ensure mailer Docker image doesn't exist - docker_image: - name: "{{ matrix_mailer_docker_image }}" - state: absent - when: "not matrix_mailer_enabled|bool" diff --git a/roles/matrix-mailer/templates/env-mailer.j2 b/roles/matrix-mailer/templates/env-mailer.j2 deleted file mode 100644 index eb3f8699..00000000 --- a/roles/matrix-mailer/templates/env-mailer.j2 +++ /dev/null @@ -1,9 +0,0 @@ -#jinja2: lstrip_blocks: "True" -{% if matrix_mailer_relay_use %} -SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port }} -{% endif %} -{% if matrix_mailer_relay_auth %} -SMTP_USERNAME={{ matrix_mailer_relay_auth_username }} -SMTP_PASSWORD={{ matrix_mailer_relay_auth_password }} -{% endif %} -HOSTNAME={{ matrix_mailer_hostname }} diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 deleted file mode 100644 index bf5a2e42..00000000 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ /dev/null @@ -1,37 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix mailer -After=docker.service -Requires=docker.service -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' - -# --hostname gives us a friendlier hostname than the default. -# The real hostname is passed via a `HOSTNAME` environment variable though. -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ - --log-driver=none \ - --user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/var/spool/exim:rw,noexec,nosuid,size=100m \ - --network={{ matrix_docker_network }} \ - --env-file={{ matrix_mailer_base_path }}/env-mailer \ - --hostname=matrix-mailer \ - {% for arg in matrix_mailer_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_mailer_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-mailer - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml deleted file mode 100644 index ba467ad3..00000000 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ /dev/null @@ -1,487 +0,0 @@ -matrix_nginx_proxy_enabled: true -matrix_nginx_proxy_version: 1.21.1-alpine - -# We use an official nginx image, which we fix-up to run unprivileged. -# An alternative would be an `nginxinc/nginx-unprivileged` image, but -# that is frequently out of date. -matrix_nginx_proxy_docker_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_nginx_proxy_version }}" -matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" - -matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" -matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data" -matrix_nginx_proxy_data_path_in_container: "/nginx-data" -matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d" - -# List of systemd services that matrix-nginx-proxy.service depends on -matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-nginx-proxy.service wants -matrix_nginx_proxy_systemd_wanted_services_list: [] - -# A list of additional "volumes" to mount in the container. -# This list gets populated dynamically at runtime. You can provide a different default value, -# if you wish to mount your own files into the container. -# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} -matrix_nginx_proxy_container_additional_volumes: [] - -# A list of extra arguments to pass to the container -matrix_nginx_proxy_container_extra_arguments: [] - -# Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP. -# -# If enabled: -# - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`) -# - the HTTP vhost would be made a redirect to the HTTPS vhost -# -# If not enabled: -# - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`) -# - naturally, there's no HTTPS vhost -# - services are served directly from the HTTP vhost -matrix_nginx_proxy_https_enabled: true - -# Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:80"), or empty string to not expose. -matrix_nginx_proxy_container_http_host_bind_port: '80' - -# Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:443"), or empty string to not expose. -# -# This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`. -# Otherwise, there are no HTTPS vhosts to expose. -matrix_nginx_proxy_container_https_host_bind_port: '443' - -# Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8448"), or empty string to not expose. -# -# This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`. -# Otherwise, there is no Matrix Federation port to expose. -# -# This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`. -# When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy. -matrix_nginx_proxy_container_federation_host_bind_port: '8448' - -# Controls whether matrix-nginx-proxy should serve the base domain. -# -# This is useful for when you only have your Matrix server, but you need to serve -# to serve `/.well-known/matrix/*` files from the base domain for the needs of -# Server-Discovery (Federation) and for Client-Discovery. -# -# Besides serving these Matrix files, a homepage would be served with content -# as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable. -# You can also put additional files to use for this webpage -# in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory. -matrix_nginx_proxy_base_domain_serving_enabled: false - -matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}" - -# Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file -# in the `/matrix/nginx-proxy/data/matrix-domain` directory. -# -# If you would instead like to serve a static website by yourself, you can disable this. -# When disabled, you're expected to put website files in `/matrix/nginx-proxy/data/matrix-domain` manually -# and can expect that the playbook won't intefere with the `index.html` file. -matrix_nginx_proxy_base_domain_homepage_enabled: true - -matrix_nginx_proxy_base_domain_homepage_template: |- - - - - - Hello from {{ matrix_domain }}! - - - -# Option to disable the access log -matrix_nginx_proxy_access_log_enabled: true - -# Controls whether proxying the riot domain should be done. -matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false -matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}" - -# Controls whether proxying the Synapse domain should be done. -matrix_nginx_proxy_proxy_synapse_enabled: false -matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy" -matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" -# The addresses where the Federation API is, when using Synapse. -matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:8048" -matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:8048" - -# Controls whether proxying the Element domain should be done. -matrix_nginx_proxy_proxy_element_enabled: false -matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" - -# Controls whether proxying the Hydrogen domain should be done. -matrix_nginx_proxy_proxy_hydrogen_enabled: false -matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" - -# Controls whether proxying the matrix domain should be done. -matrix_nginx_proxy_proxy_matrix_enabled: false -matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" -# The port name used for federation in the nginx configuration. -# This is not necessarily the port that it's actually on, -# as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container. -matrix_nginx_proxy_proxy_matrix_federation_port: 8448 - -# Controls whether proxying the dimension domain should be done. -matrix_nginx_proxy_proxy_dimension_enabled: false -matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" - -# Controls whether proxying the goneb domain should be done. -matrix_nginx_proxy_proxy_bot_go_neb_enabled: false -matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" - -# Controls whether proxying the jitsi domain should be done. -matrix_nginx_proxy_proxy_jitsi_enabled: false -matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" - -# Controls whether proxying the grafana domain should be done. -matrix_nginx_proxy_proxy_grafana_enabled: false -matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}" - -# Controls whether proxying the sygnal domain should be done. -matrix_nginx_proxy_proxy_sygnal_enabled: false -matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" - -# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) -matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false -matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" -matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" - -# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain). -# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. -# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md -matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:8090" -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090" - -# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). -# This allows another service to control registrations involving 3PIDs. -# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md -matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false -matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:8090" -matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090" - -# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) -matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" - -# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) -matrix_nginx_proxy_proxy_synapse_metrics: false -matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false -matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" - -# The addresses where the Matrix Client API is. -# Certain extensions (like matrix-corporal) may override this in order to capture all traffic. -matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080" -matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080" - -# The addresses where the Matrix Client API is, when using Synapse. -matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:8008" -matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:8008" - -# This needs to be equal or higher than the maximum upload size accepted by Synapse. -matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 - - -# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server. -matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true - -# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server. -# Enable this if you need OpenID Connect authentication support. -matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false - -# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server. -# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't. -matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false - -# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds -# the location prefixes that get forwarded to the Matrix Client API server. -# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`. -matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | - {{ - (['/_matrix']) - + - (['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else []) - + - (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else []) - + - (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else []) - + - (['/_synapse/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else []) - }} - -# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected. -# If this has an empty value, they're just passed to the homeserver, which serves a static page. -# If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here. -# Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`). -matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "" - -# Controls whether proxying for the Matrix Federation API should be done. -matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false -matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088" -matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:12088" -matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}" -matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem" -matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem" -matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem" - -# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. -matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" - -# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf). -# for big matrixservers to enlarge the number of open files to prevent timeouts -# matrix_nginx_proxy_proxy_additional_configuration_blocks: -# - 'worker_rlimit_nofile 30000;' -matrix_nginx_proxy_proxy_additional_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf). -matrix_nginx_proxy_proxy_event_additional_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf). -matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf). -matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to the synapse's server configuration (matrix-synapse.conf). -matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf). -matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). -matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). -matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). -matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf). -matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf). -matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf). -matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf). -matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf). -matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] - -# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users. -# -# Learn more about what it is here: -# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea -# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network -# - https://amifloced.org/ -# -# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. -matrix_nginx_proxy_floc_optout_enabled: true - -# HSTS Preloading Enable -# -# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and -# indicates a willingness to be “preloaded” into browsers: -# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` -# For more information visit: -# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security -# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -# - https://hstspreload.org/#opt-in -matrix_nginx_proxy_hsts_preload_enabled: false - -# X-XSS-Protection Enable -# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. -# Note: Not applicable for grafana -# -# Learn more about it is here: -# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection -# - https://portswigger.net/web-security/cross-site-scripting/reflected -matrix_nginx_proxy_xss_protection: "1; mode=block" - -# Specifies the SSL configuration that should be used for the SSL protocols and ciphers -# This is based on the Mozilla Server Side TLS Recommended configurations. -# -# The posible values are: -# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility -# - "intermediate" - Recommended configuration for a general-purpose server -# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -# -# For more information visit: -# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations -# - https://ssl-config.mozilla.org/#server=nginx -matrix_nginx_proxy_ssl_preset: "intermediate" - -# Presets are taken from Mozilla's Server Side TLS Recommended configurations -# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers` -# if you wish to use something more custom. -matrix_nginx_proxy_ssl_presets: - modern: - protocols: TLSv1.3 - ciphers: "" - prefer_server_ciphers: "off" - intermediate: - protocols: TLSv1.2 TLSv1.3 - ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - prefer_server_ciphers: "off" - old: - protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 - ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA - prefer_server_ciphers: "on" - - -# Specifies which *SSL protocols* to use when serving all the various vhosts. -matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}" - -# Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers. -matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}" - -# Specifies which *SSL Cipher suites* to use when serving all the various vhosts. -# To see the full list for suportes ciphers run `openssl ciphers` on your server -matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" - -# Controls whether the self-check feature should validate SSL certificates. -matrix_nginx_proxy_self_check_validate_certificates: true - -# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource. -# -# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be, -# so we default to not following redirects as well. -matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none - -# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter). -# -# Otherwise, we get warnings like this: -# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem" -# -# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`. -# -# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver. -# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people. -# It might also be that no such warnings occur when not running in a container. -matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}" - -# By default, this playbook automatically retrieves and auto-renews -# free SSL certificates from Let's Encrypt. -# -# The following retrieval methods are supported: -# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt -# - "self-signed" - the playbook generates and self-signs certificates -# - "manually-managed" - lets you manage certificates by yourself (manually; see below) -# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects -# -# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`), -# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path` -# obeying the following hierarchy: -# - /live//fullchain.pem -# - /live//privkey.pem -# where refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`). -# -# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen. -# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`) -# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself. -# It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve -# plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy. -matrix_ssl_retrieval_method: "lets-encrypt" - -matrix_ssl_architecture: "amd64" - -# The full list of domains that this role will obtain certificates for. -# This variable is likely redefined outside of the role, to include the domains that are necessary (depending on the services that are enabled). -# To add additional domain names, consider using `matrix_ssl_additional_domains_to_obtain_certificates_for` instead. -matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" - -# A list of additional domain names to obtain certificates for. -matrix_ssl_additional_domains_to_obtain_certificates_for: [] - -# Controls whether to obtain production or staging certificates from Let's Encrypt. -matrix_ssl_lets_encrypt_staging: false -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.17.0" -matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" -matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 -matrix_ssl_lets_encrypt_support_email: ~ - -# Tells which interface and port the Let's Encrypt (certbot) container should try to bind to -# when it tries to obtain initial certificates in standalone mode. -# -# This should normally be a public interface and port. -# If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`) -matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80' - -matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" -matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" -matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" - -# If you'd like to start some service before a certificate is obtained, specify it here. -# This could be something like `matrix-dynamic-dns`, etc. -matrix_ssl_pre_obtaining_required_service_name: ~ -matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 - -# Nginx Optimize SSL Session -# -# ssl_session_cache: -# - Creating a cache of TLS connection parameters reduces the number of handshakes -# and thus can improve the performance of application. -# - Default session cache is not optimal as it can be used by only one worker process -# and can cause memory fragmentation. It is much better to use shared cache. -# - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html -# -# ssl_session_timeout: -# - Nginx by default it is set to 5 minutes which is very low. -# should be like 4h or 1d but will require you to increase the size of cache. -# - Learn More: -# https://github.com/certbot/certbot/issues/6903 -# https://github.com/mozilla/server-side-tls/issues/198 -# -# ssl_session_tickets: -# - In case of session tickets, information about session is given to the client. -# Enabling this improve performance also make Perfect Forward Secrecy useless. -# - If you would instead like to use ssl_session_tickets by yourself, you can set -# matrix_nginx_proxy_ssl_session_tickets_off false. -# - Learn More: https://github.com/mozilla/server-side-tls/issues/135 -# -# Presets are taken from Mozilla's Server Side TLS Recommended configurations -matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m" -matrix_nginx_proxy_ssl_session_timeout: "1d" -matrix_nginx_proxy_ssl_session_tickets_off: true - -# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance. -# OCSP stapling can provide a performance boost of up to 30% -# nginx web server supports OCSP stapling since version 1.3.7. -# -# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response. -# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling -# -# Learn more about what it is here: -# - https://en.wikipedia.org/wiki/OCSP_stapling -# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/ -# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ -matrix_nginx_proxy_ocsp_stapling_enabled: true - -# nginx status page configurations. -matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false -matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}'] - - -# synapse worker activation and endpoint mappings -matrix_nginx_proxy_synapse_workers_enabled: false -matrix_nginx_proxy_synapse_workers_list: [] -matrix_nginx_proxy_synapse_generic_worker_client_server_locations: [] -matrix_nginx_proxy_synapse_generic_worker_federation_locations: [] -matrix_nginx_proxy_synapse_media_repository_locations: [] -matrix_nginx_proxy_synapse_user_dir_locations: [] -matrix_nginx_proxy_synapse_frontend_proxy_locations: [] - -# The amount of worker processes and connections -# Consider increasing these when you are expecting high amounts of traffic -# http://nginx.org/en/docs/ngx_core_module.html#worker_connections -matrix_nginx_proxy_worker_processes: 1 -matrix_nginx_proxy_worker_connections: 1024 diff --git a/roles/matrix-nginx-proxy/tasks/init.yml b/roles/matrix-nginx-proxy/tasks/init.yml deleted file mode 100644 index 0161da23..00000000 --- a/roles/matrix-nginx-proxy/tasks/init.yml +++ /dev/null @@ -1,8 +0,0 @@ -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}" - when: matrix_nginx_proxy_enabled|bool - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}" - when: "item.applicable|bool and item.enableable|bool" - with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" diff --git a/roles/matrix-nginx-proxy/tasks/main.yml b/roles/matrix-nginx-proxy/tasks/main.yml deleted file mode 100644 index ad111951..00000000 --- a/roles/matrix-nginx-proxy/tasks/main.yml +++ /dev/null @@ -1,38 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -# Always validating the configuration, even if `matrix_nginx_proxy: false`. -# This role performs actions even if the role is disabled, so we need -# to ensure there's a valid configuration in any case. -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup|bool - tags: - - setup-all - - setup-nginx-proxy - -- import_tasks: "{{ role_path }}/tasks/ssl/main.yml" - when: run_setup|bool - tags: - - setup-all - - setup-nginx-proxy - - setup-ssl - -- import_tasks: "{{ role_path }}/tasks/setup_nginx_proxy.yml" - when: run_setup|bool - tags: - - setup-all - - setup-nginx-proxy - -- import_tasks: "{{ role_path }}/tasks/self_check_well_known.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check|bool - tags: - - self-check - -- name: Mark matrix-nginx-proxy role as executed - set_fact: - matrix_nginx_proxy_role_executed: true - tags: - - always diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml deleted file mode 100644 index be1b6555..00000000 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- - -- name: Determine well-known files to check (Matrix) - set_fact: - well_known_file_checks: - - path: /.well-known/matrix/client - purpose: Client Discovery - cors: true - follow_redirects: "{{ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects }}" - validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - -- block: - - set_fact: - well_known_file_check_matrix_server: - path: /.well-known/matrix/server - purpose: Server Discovery - cors: false - follow_redirects: safe - validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - - - name: Determine domains that we require certificates for (ma1sd) - set_fact: - well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}" - when: matrix_well_known_matrix_server_enabled|bool - -- name: Perform well-known checks - include_tasks: "{{ role_path }}/tasks/self_check_well_known_file.yml" - with_items: "{{ well_known_file_checks }}" - loop_control: - loop_var: well_known_file_check diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml deleted file mode 100644 index 6f831a29..00000000 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml +++ /dev/null @@ -1,73 +0,0 @@ ---- - -- set_fact: - well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}" - well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}" - -# These well-known files may be served without a `Content-Type: application/json` header, -# so we can't rely on the uri module's automatic parsing of JSON. -- name: Check .well-known on the matrix hostname - uri: - url: "{{ well_known_url_matrix }}" - follow_redirects: none - return_content: true - validate_certs: "{{ well_known_file_check.validate_certs }}" - headers: - Origin: example.com - check_mode: no - register: result_well_known_matrix - ignore_errors: true - -- name: Fail if .well-known not working on the matrix hostname - fail: - msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}" - when: "result_well_known_matrix.failed" - -- name: Parse JSON for well-known payload at the matrix hostname - set_fact: - well_known_matrix_payload: "{{ result_well_known_matrix.content|from_json }}" - -- name: Fail if .well-known not CORS-aware on the matrix hostname - fail: - msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set." - when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_matrix" - -- name: Report working .well-known on the matrix hostname - debug: - msg: "well-known for {{ well_known_file_check.purpose }} is configured correctly for `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)" - -- name: Check .well-known on the identity hostname - uri: - url: "{{ well_known_url_identity }}" - follow_redirects: "{{ well_known_file_check.follow_redirects }}" - return_content: true - validate_certs: "{{ well_known_file_check.validate_certs }}" - headers: - Origin: example.com - check_mode: no - register: result_well_known_identity - ignore_errors: true - -- name: Fail if .well-known not working on the identity hostname - fail: - msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}" - when: "result_well_known_identity.failed" - -- name: Parse JSON for well-known payload at the identity hostname - set_fact: - well_known_identity_payload: "{{ result_well_known_identity.content|from_json }}" - -- name: Fail if .well-known not CORS-aware on the identity hostname - fail: - msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md" - when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_identity" - -# For people who manually copy the well-known file, try to detect if it's outdated -- name: Fail if well-known is different on matrix hostname and identity hostname - fail: - msg: "The well-known files for {{ well_known_file_check.purpose }} at `{{ matrix_server_fqn_matrix }}` and `{{ matrix_domain }}` are different. Perhaps you copied the file ({{ well_known_file_check.path }}) manually before and now it's outdated?" - when: "well_known_matrix_payload != well_known_identity_payload" - -- name: Report working .well-known on the identity hostname - debug: - msg: "well-known for {{ well_known_file_check.purpose }} ({{ well_known_file_check.path }}) is configured correctly for `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`)" diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml deleted file mode 100644 index 1d59f567..00000000 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ /dev/null @@ -1,272 +0,0 @@ ---- - -# -# Generic tasks that we always want to happen, regardless -# if the user wants matrix-nginx-proxy or not. -# -# If the user would set up their own nginx proxy server, -# the config files from matrix-nginx-proxy can be reused. -# -# It doesn't hurt to put them in place, even if they turn out -# to be unnecessary. -# -- name: Ensure Matrix nginx-proxy paths exist - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_nginx_proxy_base_path }}" - - "{{ matrix_nginx_proxy_data_path }}" - - "{{ matrix_nginx_proxy_confd_path }}" - -- name: Ensure Matrix nginx-proxy configured (main config override) - template: - src: "{{ role_path }}/templates/nginx/nginx.conf.j2" - dest: "{{ matrix_nginx_proxy_base_path }}/nginx.conf" - mode: 0644 - when: matrix_nginx_proxy_enabled|bool - -- name: Ensure matrix-synapse-metrics-htpasswd is present (protecting /_synapse/metrics URI) - template: - src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2" - dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0400 - when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool" - -- name: Ensure Matrix nginx-proxy configured (generic) - template: - src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf" - mode: 0644 - when: matrix_nginx_proxy_enabled|bool - -- name: Ensure Matrix nginx-proxy configuration for matrix-synapse exists - template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_synapse_enabled|bool - -- name: Ensure Matrix nginx-proxy configuration for matrix-synapse deleted - file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_synapse_enabled|bool" - -- name: Ensure Matrix nginx-proxy configuration for Element domain exists - template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-element.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-element.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_element_enabled|bool - -- name: Ensure Matrix nginx-proxy configuration for riot domain exists - template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-riot-web.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool - -- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists - template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool - -- name: Ensure Matrix nginx-proxy configuration for dimension domain exists - template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_dimension_enabled|bool - -- name: Ensure Matrix nginx-proxy configuration for goneb domain exists - template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool - -- name: Ensure Matrix nginx-proxy configuration for jitsi domain exists - template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-jitsi.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_jitsi_enabled|bool - -- name: Ensure Matrix nginx-proxy configuration for grafana domain exists - template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-grafana.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_grafana_enabled|bool - -- name: Ensure Matrix nginx-proxy configuration for sygnal domain exists - template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-sygnal.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_sygnal_enabled|bool - -- name: Ensure Matrix nginx-proxy configuration for Matrix domain exists - template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" - mode: 0644 - -- name: Ensure Matrix nginx-proxy data directory for base domain exists - file: - path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_nginx_proxy_base_domain_serving_enabled|bool - -- name: Ensure Matrix nginx-proxy homepage for base domain exists - copy: - content: "{{ matrix_nginx_proxy_base_domain_homepage_template }}" - dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool - -- name: Ensure Matrix nginx-proxy configuration for base domain exists - template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-base-domain.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf" - mode: 0644 - when: matrix_nginx_proxy_base_domain_serving_enabled|bool - -# -# Tasks related to setting up matrix-nginx-proxy -# -- name: Ensure nginx Docker image is pulled - docker_image: - name: "{{ matrix_nginx_proxy_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_nginx_proxy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_docker_image_force_pull }}" - when: matrix_nginx_proxy_enabled|bool - -- name: Ensure matrix-nginx-proxy.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service" - mode: 0644 - register: matrix_nginx_proxy_systemd_service_result - when: matrix_nginx_proxy_enabled|bool - -- name: Ensure systemd reloaded after matrix-nginx-proxy.service installation - service: - daemon_reload: yes - when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed" - - -# -# Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled) -# - -- name: Check existence of matrix-nginx-proxy service - stat: - path: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service" - register: matrix_nginx_proxy_service_stat - when: "not matrix_nginx_proxy_enabled|bool" - -- name: Ensure matrix-nginx-proxy is stopped - service: - name: matrix-nginx-proxy - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists" - -- name: Ensure matrix-nginx-proxy.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service" - state: absent - when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-nginx-proxy.service removal - service: - daemon_reload: yes - when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists" - -- name: Ensure Matrix nginx-proxy configuration for matrix domain deleted - file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_matrix_enabled|bool" - -- name: Ensure Matrix nginx-proxy configuration for riot domain deleted - file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool" - -- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted - file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool" - -- name: Ensure Matrix nginx-proxy configuration for dimension domain deleted - file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_dimension_enabled|bool" - -- name: Ensure Matrix nginx-proxy configuration for goneb domain deleted - file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool" - -- name: Ensure Matrix nginx-proxy configuration for jitsi domain deleted - file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_jitsi_enabled|bool" - -- name: Ensure Matrix nginx-proxy configuration for grafana domain deleted - file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_grafana_enabled|bool" - -- name: Ensure Matrix nginx-proxy configuration for sygnal domain deleted - file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_sygnal_enabled|bool" - -- name: Ensure Matrix nginx-proxy homepage for base domain deleted - file: - path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" - state: absent - when: "not matrix_nginx_proxy_base_domain_serving_enabled|bool" - -- name: Ensure Matrix nginx-proxy configuration for base domain deleted - file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf" - state: absent - when: "not matrix_nginx_proxy_base_domain_serving_enabled|bool" - -- name: Ensure Matrix nginx-proxy configuration for main config override deleted - file: - path: "{{ matrix_nginx_proxy_base_path }}/nginx.conf" - state: absent - when: "not matrix_nginx_proxy_enabled|bool" - -- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /_synapse/metrics URI) - file: - path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" - state: absent - when: "not matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool or not matrix_nginx_proxy_proxy_synapse_metrics|bool" diff --git a/roles/matrix-nginx-proxy/tasks/setup_well_known.yml b/roles/matrix-nginx-proxy/tasks/setup_well_known.yml deleted file mode 100644 index 3e43a8c6..00000000 --- a/roles/matrix-nginx-proxy/tasks/setup_well_known.yml +++ /dev/null @@ -1,24 +0,0 @@ -- set_fact: - matrix_well_known_file_path: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" - -# We need others to be able to read these directories too, -# so that matrix-nginx-proxy's nginx user can access the files. -# -# For running with another webserver, we recommend being part of the `matrix` group. -- name: Ensure Matrix static-files path exists - file: - path: "{{ item }}" - state: directory - mode: 0755 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_static_files_base_path }}/.well-known/matrix" - -- name: Ensure Matrix /.well-known/matrix/client configured - template: - src: "{{ role_path }}/templates/well-known/matrix-client.j2" - dest: "{{ matrix_static_files_base_path }}/.well-known/matrix" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/tasks/ssl/main.yml b/roles/matrix-nginx-proxy/tasks/ssl/main.yml deleted file mode 100644 index 6c060818..00000000 --- a/roles/matrix-nginx-proxy/tasks/ssl/main.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- - -- name: Fail if using unsupported SSL certificate retrieval method - fail: - msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value" - when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']" - - -# Common tasks, required by almost any method below. - -- name: Ensure SSL certificate paths exists - file: - path: "{{ item }}" - state: directory - mode: 0770 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - recurse: true - with_items: - - "{{ matrix_ssl_log_dir_path }}" - - "{{ matrix_ssl_config_dir_path }}" - when: "matrix_ssl_retrieval_method != 'none'" - - -# Method specific tasks follow - -- import_tasks: tasks/ssl/setup_ssl_lets_encrypt.yml - -- import_tasks: tasks/ssl/setup_ssl_self_signed.yml - -- import_tasks: tasks/ssl/setup_ssl_manually_managed.yml diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml deleted file mode 100644 index bfd25894..00000000 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ /dev/null @@ -1,64 +0,0 @@ ---- - -# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name. -# This migration task can be removed some time in the future. -- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files - file: - path: "{{ item }}" - state: absent - with_items: - - "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew" - - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal" - - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter" - - "/etc/cron.d/matrix-ssl-lets-encrypt" - -# -# Tasks related to setting up Let's Encrypt's management of certificates -# - -- block: - - name: Ensure certbot Docker image is pulled - docker_image: - name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}" - - - name: Obtain Let's Encrypt certificates - include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" - with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" - loop_control: - loop_var: domain_name - - - name: Ensure Let's Encrypt SSL renewal script installed - template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2" - dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" - mode: 0755 - - - name: Ensure SSL renewal systemd units installed - template: - src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2" - dest: "{{ matrix_systemd_path }}/{{ item.name }}" - mode: 0644 - when: "item.applicable|bool" - with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" - when: "matrix_ssl_retrieval_method == 'lets-encrypt'" - -# -# Tasks related to getting rid of Let's Encrypt's management of certificates -# - -- block: - - name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed - file: - path: "{{ matrix_systemd_path }}/{{ item.name }}" - state: absent - when: "not item.applicable|bool" - with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" - - - name: Ensure Let's Encrypt SSL renewal script removed - file: - path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" - state: absent - when: "matrix_ssl_retrieval_method != 'lets-encrypt'" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml deleted file mode 100644 index 4639f122..00000000 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ /dev/null @@ -1,91 +0,0 @@ -- debug: - msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}" - -- set_fact: - domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem" - -- name: Check if a certificate for the domain already exists - stat: - path: "{{ domain_name_certificate_path }}" - register: domain_name_certificate_path_stat - -- set_fact: - domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}" - -- block: - - name: Ensure required service for obtaining is started - service: - name: "{{ matrix_ssl_pre_obtaining_required_service_name }}" - state: started - register: matrix_ssl_pre_obtaining_required_service_start_result - - - name: Wait some time, so that the required service for obtaining can start - wait_for: - timeout: "{{ matrix_ssl_service_to_start_before_obtaining_start_wait_time_seconds }}" - when: "matrix_ssl_pre_obtaining_required_service_start_result.changed|bool" - when: "domain_name_needs_cert|bool and matrix_ssl_pre_obtaining_required_service_name != ''" - -# This will fail if there is something running on port 80 (like matrix-nginx-proxy). -# We suppress the error, as we'll try another method below. -- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly) - shell: >- - {{ matrix_host_command_docker }} run - --rm - --name=matrix-certbot - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - -p {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080 - --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt - --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt - {{ matrix_ssl_lets_encrypt_certbot_docker_image }} - certonly - --non-interactive - --work-dir=/tmp - --http-01-port 8080 - {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} - --standalone - --preferred-challenges http - --agree-tos - --email={{ matrix_ssl_lets_encrypt_support_email }} - -d {{ domain_name }} - when: domain_name_needs_cert|bool - register: result_certbot_direct - ignore_errors: true - -# If matrix-nginx-proxy is configured from a previous run of this playbook, -# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`. -- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy) - shell: >- - {{ matrix_host_command_docker }} run - --rm - --name=matrix-certbot - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 - --network={{ matrix_docker_network }} - --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt - --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt - {{ matrix_ssl_lets_encrypt_certbot_docker_image }} - certonly - --non-interactive - --work-dir=/tmp - --http-01-port 8080 - {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} - --standalone - --preferred-challenges http - --agree-tos - --email={{ matrix_ssl_lets_encrypt_support_email }} - -d {{ domain_name }} - when: "domain_name_needs_cert and result_certbot_direct.failed" - register: result_certbot_proxy - ignore_errors: true - -- name: Fail if all SSL certificate retrieval attempts failed - fail: - msg: | - Failed to obtain a certificate directly (by listening on port 80) - and also failed to obtain by relying on the server at port 80 to proxy the request. - See above for details. - You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or, - more easily, stop the server on port 80 while this playbook runs. - when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml deleted file mode 100644 index ea39f5e9..00000000 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- name: Verify certificates - include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml" - with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" - loop_control: - loop_var: domain_name - when: "matrix_ssl_retrieval_method == 'manually-managed'" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml deleted file mode 100644 index be0444b1..00000000 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- - -- set_fact: - matrix_ssl_certificate_verification_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem" - matrix_ssl_certificate_verification_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem" - -- name: Check if SSL certificate file exists - stat: - path: "{{ matrix_ssl_certificate_verification_cert_path }}" - register: matrix_ssl_certificate_verification_cert_path_stat_result - -- fail: - msg: "Failed finding a certificate file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_path }}`" - when: "not matrix_ssl_certificate_verification_cert_path_stat_result.stat.exists" - -- name: Check if SSL certificate key file exists - stat: - path: "{{ matrix_ssl_certificate_verification_cert_key_path }}" - register: matrix_ssl_certificate_verification_cert_key_path_stat_result - -- fail: - msg: "Failed finding a certificate key file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_key_path }}`" - when: "not matrix_ssl_certificate_verification_cert_key_path_stat_result.stat.exists" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml deleted file mode 100644 index 8fa316da..00000000 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- - -- name: Ensure OpenSSL installed (RedHat) - yum: - name: - - openssl - state: present - update_cache: no - when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'RedHat'" - -- name: Ensure APT usage dependencies are installed (Debian) - apt: - name: - - openssl - state: present - update_cache: no - when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'" - -- name: Ensure OpenSSL installed (Archlinux) - pacman: - name: - - openssl - state: latest - update_cache: no - when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_distribution == 'Archlinux'" - -- name: Generate self-signed certificates - include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml" - with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" - loop_control: - loop_var: domain_name - when: "matrix_ssl_retrieval_method == 'self-signed'" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml deleted file mode 100644 index aea17cc0..00000000 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- - -- set_fact: - matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr" - matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem" - matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem" - -- name: Check if SSL certificate file exists - stat: - path: "{{ matrix_ssl_certificate_cert_path }}" - register: matrix_ssl_certificate_cert_path_stat_result - -# In order to do any sort of generation (below), we need to ensure the directory exists first -- name: Ensure SSL certificate directory exists - file: - path: "{{ matrix_ssl_certificate_csr_path|dirname }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" - -# The proper way to do this is by using a sequence of -# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`. -# -# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work, -# which is not available on CentOS 7 (at least). -# -# We'll do it in a more manual way. -- name: Generate SSL certificate - command: | - openssl req -x509 \ - -sha256 \ - -newkey rsa:4096 \ - -nodes \ - -subj "/CN={{ domain_name }}" \ - -keyout {{ matrix_ssl_certificate_cert_key_path }} \ - -out {{ matrix_ssl_certificate_cert_path }} \ - -days 3650 - become: true - become_user: "{{ matrix_user_username }}" - when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml deleted file mode 100644 index 9661ae5e..00000000 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- - -- name: (Deprecation) Catch and report renamed settings - fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container'} - - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container'} - # People who configured this to disable Riot, would now wish to be disabling Element. - # We now also have `matrix_nginx_proxy_proxy_riot_compat_redirect_`, but that's something else and is disabled by default. - - {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'} - - {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': ''} - - {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': ''} - -- name: Fail on unknown matrix_ssl_retrieval_method - fail: - msg: >- - `matrix_ssl_retrieval_method` needs to be set to a known value. - when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']" - -- name: Fail on unknown matrix_nginx_proxy_ssl_config - fail: - msg: >- - `matrix_nginx_proxy_ssl_preset` needs to be set to a known value. - when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']" - -- block: - - name: (Deprecation) Catch and report renamed settings - fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - with_items: - - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} - - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} - when: "item.old in vars" - - - name: Fail if required variables are undefined - fail: - msg: "The `{{ item }}` variable must be defined and have a non-null value" - with_items: - - "matrix_ssl_lets_encrypt_support_email" - when: "vars[item] == '' or vars[item] is none" - when: "matrix_ssl_retrieval_method == 'lets-encrypt'" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 deleted file mode 100644 index 37863d73..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ /dev/null @@ -1,95 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - root /nginx-data/matrix-domain; - - gzip on; - gzip_types text/plain application/json; - - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - - {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - location /.well-known/matrix { - root {{ matrix_static_files_base_path }}; - {# - A somewhat long expires value is used to prevent outages - in case this is unreachable due to network failure. - #} - expires 4h; - default_type application/json; - add_header Access-Control-Allow-Origin *; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_base_domain_hostname }}; - server_tokens off; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_base_domain_hostname }}; - server_tokens off; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 deleted file mode 100644 index 6cb5f57a..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ /dev/null @@ -1,95 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - -{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} - {{- configuration_block }} -{% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-bot-go-neb:4050"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:4050; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 deleted file mode 100644 index 2f4f4aa1..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ /dev/null @@ -1,104 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy "frame-ancestors 'self'"; - - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - - {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-client-element:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8765; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_proxy_element_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_element_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != "" %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 deleted file mode 100644 index d9a05926..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ /dev/null @@ -1,102 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy "frame-ancestors 'none'"; - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - {% for configuration_block in matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-client-hydrogen:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8768; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != "" %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 deleted file mode 100644 index ef8ee972..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ /dev/null @@ -1,98 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - -{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} - {{- configuration_block }} -{% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-dimension:8184"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8184; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 deleted file mode 100644 index 7b26434d..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ /dev/null @@ -1,293 +0,0 @@ -#jinja2: lstrip_blocks: "True" -{% macro render_nginx_status_location_block(addresses) %} - {# Empty first line to make indentation prettier. #} - - location /nginx_status { - stub_status on; - access_log off; - {% for address in addresses %} - allow {{ address }}; - {% endfor %} - deny all; - } -{% endmacro %} - - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json; - - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - - location /.well-known/matrix { - root {{ matrix_static_files_base_path }}; - {# - A somewhat long expires value is used to prevent outages - in case this is unreachable due to network failure or - due to the base domain's server completely dying. - #} - expires 4h; - default_type application/json; - add_header Access-Control-Allow-Origin *; - } - - {% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} - {{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} - {% endif %} - - {% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %} - location ^~ /_matrix/corporal { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - } - {% endif %} - - {% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %} - location ^~ /_matrix/identity { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - } - {% endif %} - - {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} - location ^~ /_matrix/client/r0/user_directory/search { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } - {% endif %} - - {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %} - location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - } - {% endif %} - - {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - {# - This handles the Matrix Client API only. - The Matrix Federation API is handled by a separate vhost. - #} - location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - - client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; - proxy_max_temp_file_size 0; - } - - {# - We only handle the root URI for this redirect or homepage serving. - Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404, - instead of causing a redirect. - See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058 - #} - location ~* ^/$ { - {% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %} - return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; - {% else %} - rewrite ^/$ /_matrix/static/ last; - {% endif %} - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - {% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} - {{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} - {% endif %} - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} - -{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} -{# - This federation vhost is a little special. - It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`. -#} -server { - {% if matrix_nginx_proxy_https_enabled %} - listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2; - listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2; - {% else %} - listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }}; - {% endif %} - - server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; - server_tokens off; - - root /dev/null; - - gzip on; - gzip_types text/plain application/json; - - {% if matrix_nginx_proxy_https_enabled %} - ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; - ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - {% endif %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - - client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; - proxy_max_temp_file_size 0; - } -} -{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 deleted file mode 100644 index 0f7c43c5..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ /dev/null @@ -1,106 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - # duplicate X-Content-Type-Options & X-Frame-Options header - # Enabled by grafana by default - # add_header X-Content-Type-Options nosniff; - # add_header X-Frame-Options SAMEORIGIN; - add_header Referrer-Policy "strict-origin-when-cross-origin"; - - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - proxy_cookie_path / "/; HTTPOnly; Secure"; - - {% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-grafana:3000"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:3000; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_proxy_grafana_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_grafana_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != "" %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 deleted file mode 100644 index 0ccda7d3..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ /dev/null @@ -1,140 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - -{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} - {{- configuration_block }} -{% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-jitsi-web:80"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:13080; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - } - - # colibri (JVB) websockets - location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) { - {% if matrix_nginx_proxy_enabled %} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-jitsi-jvb:9090"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:13090; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_http_version 1.1; - - tcp_nodelay on; - } - - # XMPP websocket - location = /xmpp-websocket { - {% if matrix_nginx_proxy_enabled %} - resolver 127.0.0.11 valid=5s; - set $backend {{ matrix_jitsi_xmpp_bosh_url_base }}; - proxy_pass $backend/xmpp-websocket; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:5280; - {% endif %} - proxy_set_header Host $host; - - proxy_http_version 1.1; - proxy_read_timeout 900s; - proxy_set_header Connection "upgrade"; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - tcp_nodelay on; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 deleted file mode 100644 index d153d5c2..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ /dev/null @@ -1,87 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - - {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - location / { - return 301 https://{{ matrix_nginx_proxy_proxy_element_hostname }}$request_uri; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 deleted file mode 100644 index d5760434..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ /dev/null @@ -1,97 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options DENY; - -{% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %} - {{- configuration_block }} -{% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-sygnal:6000"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:6000; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 deleted file mode 100644 index db111090..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ /dev/null @@ -1,231 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% set generic_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'generic_worker')|list %} -{% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'media_repository')|list %} -{% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'user_dir')|list %} -{% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'frontend_proxy')|list %} -{% if matrix_nginx_proxy_synapse_workers_enabled %} - # Round Robin "upstream" pools for workers - - {% if generic_workers %} - upstream generic_worker_upstream { - # ensures that requests from the same client will always be passed - # to the same server (except when this server is unavailable) - hash $http_x_forwarded_for; - - {% for worker in generic_workers %} - {% if matrix_nginx_proxy_enabled %} - server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; - {% else %} - server "127.0.0.1:{{ worker.port }}"; - {% endif %} - {% endfor %} - } - {% endif %} - - {% if frontend_proxy_workers %} - upstream frontend_proxy_upstream { - {% for worker in frontend_proxy_workers %} - {% if matrix_nginx_proxy_enabled %} - server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; - {% else %} - server "127.0.0.1:{{ worker.port }}"; - {% endif %} - {% endfor %} - } - {% endif %} - - {% if media_repository_workers %} - upstream media_repository_upstream { - {% for worker in media_repository_workers %} - {% if matrix_nginx_proxy_enabled %} - server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; - {% else %} - server "127.0.0.1:{{ worker.port }}"; - {% endif %} - {% endfor %} - } - {% endif %} - - {% if user_dir_workers %} - upstream user_dir_upstream { - {% for worker in user_dir_workers %} - {% if matrix_nginx_proxy_enabled %} - server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; - {% else %} - server "127.0.0.1:{{ worker.port }}"; - {% endif %} - {% endfor %} - } - {% endif %} -{% endif %} - -server { - listen 12080; - server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }}; - - server_tokens off; - root /dev/null; - - gzip on; - gzip_types text/plain application/json; - - {% if matrix_nginx_proxy_synapse_workers_enabled %} - {# Workers redirects BEGIN #} - - {% if generic_workers %} - # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker - {% for location in matrix_nginx_proxy_synapse_generic_worker_client_server_locations %} - location ~ {{ location }} { - proxy_pass http://generic_worker_upstream$request_uri; - proxy_set_header Host $host; - } - {% endfor %} - {% endif %} - - {% if media_repository_workers %} - # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository - {% for location in matrix_nginx_proxy_synapse_media_repository_locations %} - location ~ {{ location }} { - proxy_pass http://media_repository_upstream$request_uri; - proxy_set_header Host $host; - - client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; - proxy_max_temp_file_size 0; - } - {% endfor %} - {% endif %} - - {% if user_dir_workers %} - # FIXME: obsolete if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled is set - # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappuser_dir - {% for location in matrix_nginx_proxy_synapse_user_dir_locations %} - location ~ {{ location }} { - proxy_pass http://user_dir_upstream$request_uri; - proxy_set_header Host $host; - } - {% endfor %} - {% endif %} - - {% if frontend_proxy_workers %} - # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappfrontend_proxy - {% for location in matrix_nginx_proxy_synapse_frontend_proxy_locations %} - location ~ {{ location }} { - proxy_pass http://frontend_proxy_upstream$request_uri; - proxy_set_header Host $host; - } - {% endfor %} - {% if matrix_nginx_proxy_synapse_presence_disabled %} - # FIXME: keep in sync with synapse workers documentation manually - location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status { - proxy_pass http://frontend_proxy_upstream$request_uri; - proxy_set_header Host $host; - } - {% endif %} - {% endif %} - {# Workers redirects END #} - {% endif %} - - - {% for configuration_block in matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - {% if matrix_nginx_proxy_proxy_synapse_metrics %} - location /_synapse/metrics { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - - {% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} - auth_basic "protected"; - auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd; - {% endif %} - } - {% endif %} - - {# Everything else just goes to the API server ##} - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - - client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; - proxy_max_temp_file_size 0; - } -} - -{% if matrix_nginx_proxy_proxy_synapse_federation_api_enabled %} -server { - listen 12088; - - server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }}; - server_tokens off; - - root /dev/null; - - gzip on; - gzip_types text/plain application/json; - - {% if matrix_nginx_proxy_synapse_workers_enabled %} - {% if generic_workers %} - # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker - {% for location in matrix_nginx_proxy_synapse_generic_worker_federation_locations %} - location ~ {{ location }} { - proxy_pass http://generic_worker_upstream$request_uri; - proxy_set_header Host $host; - } - {% endfor %} - {% endif %} - {% if media_repository_workers %} - # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository - {% for location in matrix_nginx_proxy_synapse_media_repository_locations %} - location ~ {{ location }} { - proxy_pass http://media_repository_upstream$request_uri; - proxy_set_header Host $host; - - client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; - proxy_max_temp_file_size 0; - } - {% endfor %} - {% endif %} - {% endif %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - - client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; - proxy_max_temp_file_size 0; - } -} -{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 deleted file mode 100644 index beea6afa..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 +++ /dev/null @@ -1,14 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# The default is aligned to the CPU's cache size, -# which can sometimes be too low to handle our 2 vhosts (Synapse and Element). -# -# Thus, we ensure a larger bucket size value is used. -server_names_hash_bucket_size 64; - -{% if matrix_nginx_proxy_http_level_resolver %} - resolver {{ matrix_nginx_proxy_http_level_resolver }}; -{% endif %} - -{% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %} - {{- configuration_block }} -{% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 b/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 deleted file mode 100644 index 1a7247ac..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# User and password for protecting /_synapse/metrics URI -prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 deleted file mode 100644 index 9ec7fa56..00000000 --- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ /dev/null @@ -1,61 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# This is a custom nginx configuration file that we use in the container (instead of the default one), -# because it allows us to run nginx with a non-root user. -# -# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. -# -# The following changes have been done compared to a default nginx configuration file: -# - various temp paths are changed to `/tmp`, so that a non-root user can write to them -# - the `user` directive was removed, as we don't want nginx to switch users - -worker_processes {{ matrix_nginx_proxy_worker_processes }}; -error_log /var/log/nginx/error.log warn; -pid /tmp/nginx.pid; -{% for configuration_block in matrix_nginx_proxy_proxy_additional_configuration_blocks %} - {{- configuration_block }} -{% endfor %} - -events { - worker_connections {{ matrix_nginx_proxy_worker_connections }}; -{% for configuration_block in matrix_nginx_proxy_proxy_event_additional_configuration_blocks %} - {{- configuration_block }} -{% endfor %} -} - - -http { - proxy_temp_path /tmp/proxy_temp; - client_body_temp_path /tmp/client_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - {% if matrix_nginx_proxy_access_log_enabled %} - access_log /var/log/nginx/access.log main; - {% else %} - access_log off; - {% endif %} - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - server_tokens off; - - #gzip on; - {# Map directive needed for proxied WebSocket upgrades #} - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - include /etc/nginx/conf.d/*.conf; -} diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 deleted file mode 100755 index c4000fa9..00000000 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ /dev/null @@ -1,58 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix nginx-proxy server -{% for service in matrix_nginx_proxy_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_nginx_proxy_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ - {% if matrix_nginx_proxy_container_http_host_bind_port %} - -p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \ - {% endif %} - {% if matrix_nginx_proxy_https_enabled and matrix_nginx_proxy_container_https_host_bind_port %} - -p {{ matrix_nginx_proxy_container_https_host_bind_port }}:8443 \ - {% endif %} - {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled and matrix_nginx_proxy_container_federation_host_bind_port %} - -p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} \ - {% endif %} - --mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ - --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst={{ matrix_nginx_proxy_data_path_in_container }},ro \ - --mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \ - {% if matrix_ssl_retrieval_method != 'none' %} - --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \ - {% endif %} - --mount type=bind,src={{ matrix_static_files_base_path }},dst={{ matrix_static_files_base_path }},ro \ - {% for volume in matrix_nginx_proxy_container_additional_volumes %} - -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ - {% endfor %} - {% for arg in matrix_nginx_proxy_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_nginx_proxy_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' -ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-nginx-proxy - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 deleted file mode 100644 index c14905ce..00000000 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 +++ /dev/null @@ -1,7 +0,0 @@ -[Unit] -Description=Renews Let's Encrypt SSL certificates - -[Service] -Type=oneshot -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStart={{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 deleted file mode 100644 index b1e1c21e..00000000 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Renews Let's Encrypt SSL certificates periodically - -[Timer] -Unit=matrix-ssl-lets-encrypt-certificates-renew.service -OnCalendar=*-*-* 04:00:00 -RandomizedDelaySec=2h - -[Install] -WantedBy=timers.target diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 deleted file mode 100644 index 851655ba..00000000 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 +++ /dev/null @@ -1,6 +0,0 @@ -[Unit] -Description=Reloads matrix-nginx-proxy so that new SSL certificates can kick in - -[Service] -Type=oneshot -ExecStart={{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 deleted file mode 100644 index 09cb6dad..00000000 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates can kick in - -[Timer] -Unit=matrix-ssl-nginx-proxy-reload.service -OnCalendar=*-*-* 06:30:00 -RandomizedDelaySec=1h - -[Install] -WantedBy=timers.target diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 deleted file mode 100644 index bc45e85e..00000000 --- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ /dev/null @@ -1,31 +0,0 @@ -#jinja2: lstrip_blocks: "True" -#!/bin/bash - -# For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled) -# need to forward requests for `/.well-known/acme-challenge` to the certbot container. -# -# This can happen inside the container network by proxying to `http://matrix-certbot:8080` -# or outside (on the host) by proxying to `http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`. - -docker run \ - --rm \ - --name=matrix-certbot \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network="{{ matrix_docker_network }}" \ - -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \ - --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt \ - --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt \ - {{ matrix_ssl_lets_encrypt_certbot_docker_image }} \ - renew \ - --non-interactive \ - --work-dir=/tmp \ - --http-01-port 8080 \ - {% if matrix_ssl_lets_encrypt_staging %} - --staging \ - {% endif %} - --standalone \ - --preferred-challenges http \ - --agree-tos \ - --email={{ matrix_ssl_lets_encrypt_support_email }} \ - --no-random-sleep-on-renew diff --git a/roles/matrix-nginx-proxy/vars/main.yml b/roles/matrix-nginx-proxy/vars/main.yml deleted file mode 100644 index 5c51fe5b..00000000 --- a/roles/matrix-nginx-proxy/vars/main.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -# Tells whether this role had executed or not. Toggled to `true` during runtime. -matrix_nginx_proxy_role_executed: false - -matrix_ssl_renewal_systemd_units_list: - - name: matrix-ssl-lets-encrypt-certificates-renew.service - applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" - enableable: false - - name: matrix-ssl-lets-encrypt-certificates-renew.timer - applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" - enableable: true - - name: matrix-ssl-nginx-proxy-reload.service - applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}" - enableable: false - - name: matrix-ssl-nginx-proxy-reload.timer - applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}" - enableable: true diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml deleted file mode 100644 index 9c1cac9a..00000000 --- a/roles/matrix-postgres/defaults/main.yml +++ /dev/null @@ -1,95 +0,0 @@ -matrix_postgres_enabled: true - -matrix_postgres_connection_hostname: "matrix-postgres" -matrix_postgres_connection_port: 5432 -matrix_postgres_connection_username: "matrix" -matrix_postgres_connection_password: "" -matrix_postgres_db_name: "matrix" - -matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" -matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" - -matrix_postgres_architecture: amd64 - -# matrix_postgres_docker_image_suffix controls whether we use Alpine-based images (`-alpine`) or the normal Debian-based images. -# Alpine-based Postgres images are smaller and we usually prefer them, but they don't work on ARM32 (tested on a Raspberry Pi 3 running Raspbian 10.7). -# On ARM32, `-alpine` images fail with the following error: -# > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault -matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" - -matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.22{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.17{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.12{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.7{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.3{{ matrix_postgres_docker_image_suffix }}" -matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" - -# This variable is assigned at runtime. Overriding its value has no effect. -matrix_postgres_docker_image_to_use: '{{ matrix_postgres_docker_image_latest }}' - -matrix_postgres_docker_image_force_pull: "{{ matrix_postgres_docker_image_to_use.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_postgres_container_extra_arguments: [] - -# A list of extra arguments to pass to the postgres process -# e.g. "-c 'max_connections=200'" -matrix_postgres_process_extra_arguments: [] - -# Controls whether the matrix-postgres container exposes a port (tcp/5432 in the -# container) that can be used to access the database from outside the container (e.g. with psql) -# -# psql postgresql://username:password@localhost:/database_name -# -# Takes an ":" or "" value (e.g. "127.0.0.1:5432"), or empty string to not expose. -matrix_postgres_container_postgres_bind_port: "" - -# A list of additional (databases and their credentials) to create. -# -# Example: -# matrix_postgres_additional_databases: -# - name: matrix_appservice_discord -# username: matrix_appservice_discord -# password: some_password -# - name: matrix_appservice_slack -# username: matrix_appservice_slack -# password: some_password -matrix_postgres_additional_databases: [] - -# A list of roles/users to avoid creating when importing (or upgrading) the database. -# If a dump file contains the roles and they've also been created beforehand (see `matrix_postgres_additional_databases`), -# importing would fail. -# We either need to not create them or to ignore the `CREATE ROLE` statements in the dump. -matrix_postgres_import_roles_to_ignore: [matrix_postgres_connection_username] - -matrix_postgres_import_roles_ignore_regex: "^CREATE ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }});" - -# A list of databases to avoid creating when importing (or upgrading) the database. -# If a dump file contains the databases and they've also been created beforehand (see `matrix_postgres_additional_databases`), -# importing would fail. -# We either need to not create them or to ignore the `CREATE DATABASE` statements in the dump. -matrix_postgres_import_databases_to_ignore: [matrix_postgres_db_name] - -matrix_postgres_import_databases_ignore_regex: "^CREATE DATABASE ({{ matrix_postgres_import_databases_to_ignore|join('|') }})\\s" - -# The number of seconds to wait after starting `matrix-postgres.service` -# and before trying to run queries for creating additional databases/users against it. -# -# For most (subsequent) runs, Postgres would already be running, so no waiting will be happening at all. -# -# On ARM, we wait some more. ARM32 devices are especially known for being slow. -# ARM64 likely don't need such a long delay, but it doesn't hurt too much having it. -matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds: "{{ 45 if matrix_postgres_architecture in ['arm32', 'arm64'] else 15 }}" - - -matrix_postgres_pgloader_container_image_self_build: false -matrix_postgres_pgloader_container_image_self_build_repo: "https://github.com/illagrenan/pgloader-docker.git" -matrix_postgres_pgloader_container_image_self_build_repo_branch: "v{{ matrix_postgres_pgloader_docker_image_tag }}" -matrix_postgres_pgloader_container_image_self_build_src_path: "{{ matrix_postgres_base_path }}/pgloader-container-src" - -# We use illagrenan/pgloader, instead of the more official dimitri/pgloader image, -# because the official one only provides a `latest` tag. -matrix_postgres_pgloader_docker_image: "{{ matrix_postgres_pgloader_docker_image_name_prefix }}illagrenan/pgloader:{{ matrix_postgres_pgloader_docker_image_tag }}" -matrix_postgres_pgloader_docker_image_name_prefix: "{{ 'localhost/' if matrix_postgres_pgloader_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_postgres_pgloader_docker_image_tag: "3.6.2" -matrix_postgres_pgloader_docker_image_force_pull: "{{ matrix_postgres_pgloader_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-postgres/tasks/import_generic_sqlite_db.yml b/roles/matrix-postgres/tasks/import_generic_sqlite_db.yml deleted file mode 100644 index a42c6f55..00000000 --- a/roles/matrix-postgres/tasks/import_generic_sqlite_db.yml +++ /dev/null @@ -1,97 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if Postgres not enabled - fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." - when: "not matrix_postgres_enabled|bool" - -- name: Fail if playbook called incorrectly - fail: - msg: "The `sqlite_database_path` variable needs to be provided to this playbook, via --extra-vars" - when: "sqlite_database_path is not defined or sqlite_database_path.startswith('<')" - -- name: Check if the provided SQLite database file exists - stat: - path: "{{ sqlite_database_path }}" - register: sqlite_database_path_stat_result - -- name: Fail if provided SQLite database file doesn't exist - fail: - msg: "File cannot be found on the server at {{ sqlite_database_path }}" - when: "not sqlite_database_path_stat_result.stat.exists" - -# We either expect `postgres_db_connection_string` specifying a full Postgres database connection string, -# or `postgres_connection_string_variable_name`, specifying a name of a variable, which contains a valid connection string. - -- block: - - name: Fail if postgres_connection_string_variable_name points to an undefined variable - fail: msg="postgres_connection_string_variable_name is defined, but there is no variable with the name `{{ postgres_connection_string_variable_name }}`" - when: "postgres_connection_string_variable_name not in vars" - - - name: Get Postgres connection string from variable - set_fact: - postgres_db_connection_string: "{{ lookup('vars', postgres_connection_string_variable_name) }}" - when: 'postgres_connection_string_variable_name is defined' - -- name: Fail if playbook called incorrectly - fail: - msg: >- - Either a `postgres_db_connection_string` variable or a `postgres_connection_string_variable_name` needs to be provided to this playbook, via `--extra-vars`. - Example: `--extra-vars="postgres_db_connection_string=postgresql://username:password@localhost:/database_name"` or `--extra-vars="postgres_connection_string_variable_name=matrix_appservice_discord_database_connString"` - when: "postgres_db_connection_string is not defined or not postgres_db_connection_string.startswith('postgresql://')" - - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time|default('') == ''" - - -# Actual import work - -- name: Ensure matrix-postgres is started - service: - name: matrix-postgres - state: started - daemon_reload: yes - register: matrix_postgres_service_start_result - -- name: Wait a bit, so that Postgres can start - wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - when: "matrix_postgres_service_start_result.changed|bool" - -- name: Import SQLite database from {{ sqlite_database_path }} into Postgres - command: - cmd: >- - {{ matrix_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --mount type=bind,src={{ sqlite_database_path }},dst=/in.db,ro - --entrypoint=/bin/sh - {{ matrix_postgres_pgloader_docker_image }} - -c - 'pgloader /in.db {{ postgres_db_connection_string }}' - -- name: Archive SQLite database ({{ sqlite_database_path }} -> {{ sqlite_database_path }}.backup) - command: - cmd: "mv {{ sqlite_database_path }} {{ sqlite_database_path }}.backup" - -- name: Inject result - set_fact: - matrix_playbook_runtime_results: | - {{ - matrix_playbook_runtime_results|default([]) - + - [ - "NOTE: Your SQLite database file has been imported into Postgres. The original file has been moved from `{{ sqlite_database_path }}` to `{{ sqlite_database_path }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." - ] - }} diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml deleted file mode 100644 index b8e93219..00000000 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ /dev/null @@ -1,106 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if Postgres not enabled - fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." - when: "not matrix_postgres_enabled|bool" - -- name: Fail if playbook called incorrectly - fail: - msg: "The `server_path_postgres_dump` variable needs to be provided to this playbook, via --extra-vars" - when: "server_path_postgres_dump is not defined or server_path_postgres_dump.startswith('<')" - -- name: Check if the provided Postgres dump file exists - stat: - path: "{{ server_path_postgres_dump }}" - register: result_server_path_postgres_dump_stat - -- name: Fail if provided Postgres dump file doesn't exists - fail: - msg: "File cannot be found on the server at {{ server_path_postgres_dump }}" - when: "not result_server_path_postgres_dump_stat.stat.exists" - - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time|default('') == ''" - -- name: Set postgres_import_wait_time, if not provided - set_fact: - postgres_import_wait_time: "{{ 7 * 86400 }}" - when: "postgres_import_wait_time|default('') == ''" - -# By default, we connect and import into the main (`matrix`) database. -# Single-database dumps for Synapse may wish to import into `synapse` instead. -- name: Set postgres_default_import_database, if not provided - set_fact: - postgres_default_import_database: "{{ matrix_postgres_db_name }}" - when: "postgres_default_import_database|default('') == ''" - -# Actual import work - -- name: Ensure matrix-postgres is started - service: - name: matrix-postgres - state: started - daemon_reload: yes - -- name: Wait a bit, so that Postgres can start - wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -- import_tasks: tasks/util/detect_existing_postgres_version.yml - -- name: Abort, if no existing Postgres version detected - fail: - msg: "Could not find existing Postgres installation" - when: "not matrix_postgres_detected_existing|bool" - -# Starting the database container had automatically created the default -# role (`matrix_postgres_connection_username`) and database (`matrix_postgres_db_name`). -# The dump most likely contains those same entries and would try to re-create them, leading to errors. -# We need to skip over those lines. -- name: Generate Postgres database import command - set_fact: - matrix_postgres_import_command: >- - {{ matrix_host_command_docker }} run --rm --name matrix-postgres-import - --log-driver=none - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --mount type=bind,src={{ server_path_postgres_dump }},dst=/{{ server_path_postgres_dump|basename }},ro - --entrypoint=/bin/sh - {{ matrix_postgres_docker_image_latest }} - -c "cat /{{ server_path_postgres_dump|basename }} | - {{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }} - grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' | - grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' | - psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname={{ postgres_default_import_database }}" - -# This is a hack. -# See: https://ansibledaily.com/print-to-standard-output-without-escaping/ -# -# We want to run `debug: msg=".."`, but that dumps it as JSON and escapes double quotes within it, -# which ruins the command (`matrix_postgres_import_command`) -- name: Note about Postgres importing alternative - set_fact: - dummy: true - with_items: - - >- - Importing Postgres database using the following command: `{{ matrix_postgres_import_command }}`. - If this crashes, you can stop Postgres (`systemctl stop matrix-postgres`), - delete its existing data (`rm -rf {{ matrix_postgres_data_path }}/*`), start it again (`systemctl start matrix-postgres`) - and manually run the above import command directly on the server. - -- name: Perform Postgres database import - command: "{{ matrix_postgres_import_command }}" - async: "{{ postgres_import_wait_time }}" - poll: 10 diff --git a/roles/matrix-postgres/tasks/import_synapse_sqlite_db.yml b/roles/matrix-postgres/tasks/import_synapse_sqlite_db.yml deleted file mode 100644 index ea15c5a8..00000000 --- a/roles/matrix-postgres/tasks/import_synapse_sqlite_db.yml +++ /dev/null @@ -1,86 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if Postgres not enabled - fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." - when: "not matrix_postgres_enabled|bool" - -- name: Fail if playbook called incorrectly - fail: - msg: "The `server_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars" - when: "server_path_homeserver_db is not defined or server_path_homeserver_db.startswith('<')" - -- name: Check if the provided SQLite homeserver.db file exists - stat: - path: "{{ server_path_homeserver_db }}" - register: result_server_path_homeserver_db_stat - -- name: Fail if provided SQLite homeserver.db file doesn't exist - fail: - msg: "File cannot be found on the server at {{ server_path_homeserver_db }}" - when: "not result_server_path_homeserver_db_stat.stat.exists" - - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time|default('') == ''" - - -# Actual import work - -- name: Ensure matrix-postgres is stopped - service: - name: matrix-postgres - state: stopped - daemon_reload: yes - -- name: Ensure postgres data is wiped out - file: - path: "{{ matrix_postgres_data_path }}" - state: absent - -- name: Ensure postgres data path exists - file: - path: "{{ matrix_postgres_data_path }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-postgres is started - service: - name: matrix-postgres - state: restarted - daemon_reload: yes - -- name: Wait a bit, so that Postgres can start - wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -# We don't use the `docker_container` module, because using it with `cap_drop` requires -# a very recent version, which is not available for a lot of people yet. -# -# Also, some old `docker_container` versions were buggy and would leave containers behind -# on failure, which we had to work around to allow retries (by re-running the playbook). -- name: Import SQLite database into Postgres - command: | - docker run - --rm - --name=matrix-synapse-migrate - --log-driver=none - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --entrypoint=python - --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data - --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/matrix-media-store-parent/media-store - --mount type=bind,src={{ server_path_homeserver_db }},dst=/{{ server_path_homeserver_db|basename }} - {{ matrix_synapse_docker_image }} - /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml diff --git a/roles/matrix-postgres/tasks/init.yml b/roles/matrix-postgres/tasks/init.yml deleted file mode 100644 index a0f2ae60..00000000 --- a/roles/matrix-postgres/tasks/init.yml +++ /dev/null @@ -1,3 +0,0 @@ -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres.service'] }}" - when: matrix_postgres_enabled|bool diff --git a/roles/matrix-postgres/tasks/main.yml b/roles/matrix-postgres/tasks/main.yml deleted file mode 100644 index b9c2ae7c..00000000 --- a/roles/matrix-postgres/tasks/main.yml +++ /dev/null @@ -1,43 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_postgres_enabled|bool" - tags: - - setup-all - - setup-postgres - -- import_tasks: "{{ role_path }}/tasks/setup_postgres.yml" - when: run_setup|bool - tags: - - setup-all - - setup-postgres - -- import_tasks: "{{ role_path }}/tasks/import_postgres.yml" - when: run_postgres_import|bool - tags: - - import-postgres - -# The `run_postgres_import_sqlite_db` variable had better be renamed to be consistent, -# but that's a breaking change which may cause trouble for people. -- import_tasks: "{{ role_path }}/tasks/import_synapse_sqlite_db.yml" - when: run_postgres_import_sqlite_db|bool - tags: - - import-synapse-sqlite-db - -# Perhaps we need a new variable here, instead of `run_postgres_import_sqlite_db`. -- import_tasks: "{{ role_path }}/tasks/import_generic_sqlite_db.yml" - when: run_postgres_import_sqlite_db|bool - tags: - - import-generic-sqlite-db - -- import_tasks: "{{ role_path }}/tasks/upgrade_postgres.yml" - when: run_postgres_upgrade|bool - tags: - - upgrade-postgres - -- import_tasks: "{{ role_path }}/tasks/run_vacuum.yml" - when: run_postgres_vacuum|bool - tags: - - run-postgres-vacuum diff --git a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml deleted file mode 100644 index ef5fbf47..00000000 --- a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml +++ /dev/null @@ -1,72 +0,0 @@ ---- - -# We used to store Postgres data directly under `/matrix/postgres` (what is now considered `matrix_postgres_base_path`). -# -# From now on, we expect to store Postgres data one directory below now (`/matrix/postgres/data` - `matrix_postgres_data_path`). -# We wish to use the base directory for other purposes (storing environment variable files, etc.). -# Mixing those with the Postgres data is no good and it leads to Postgres's `initdb` complaining to initialize -# a database in a non-empty directory. -# -# For this reason, we store the Postgres data in `/matrix/postgres/data` and need to relocate any installations -# which still store it in the parent directory (`/matrix/postgres`). - -- name: Check if old Postgres data directory is used - stat: - path: "{{ matrix_postgres_base_path }}/PG_VERSION" - register: result_pg_old_data_dir_stat - -- name: Warn if old Postgres data directory detected - debug: - msg: > - Found that you have Postgres data in `{{ matrix_postgres_base_path }}`. - From now on, Postgres data is supposed to be stored in `{{ matrix_postgres_data_path }}` instead. - We'll stop Postgres and relocate the files there for you. - when: "result_pg_old_data_dir_stat.stat.exists" - -# We should stop Postgres first, before building a list of files, -# as to ignore any `postmaster.pid` files, etc. -- name: Ensure matrix-postgres is stopped - service: - name: matrix-postgres - state: stopped - daemon_reload: yes - when: "result_pg_old_data_dir_stat.stat.exists" - -- name: Find files and directories in old Postgres data path - find: - paths: "{{ matrix_postgres_base_path }}" - file_type: any - excludes: ["data"] - register: "result_pg_old_data_dir_find" - when: "result_pg_old_data_dir_stat.stat.exists" - -- name: Ensure new Postgres data path exists - file: - path: "{{ matrix_postgres_data_path }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "result_pg_old_data_dir_stat.stat.exists" - -- block: - - name: Relocate Postgres data files from old directory to new - command: "mv {{ item.path }} {{ matrix_postgres_data_path }}/{{ item.path|basename }}" - with_items: "{{ result_pg_old_data_dir_find.files }}" - when: "result_pg_old_data_dir_stat.stat.exists" - -# Intentionally not starting matrix-postgres here. -# It likely needs to be updated to point to the new directory. -# In fact, let's even get rid of the outdated service, to ensure no one will start it -# and have it initialize a new database. - -- name: Ensure outdated matrix-postgres.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-postgres.service" - state: absent - when: "result_pg_old_data_dir_stat.stat.exists" - -- name: Ensure systemd reloaded after getting rid of outdated matrix-postgres.service - service: - daemon_reload: yes - when: "result_pg_old_data_dir_stat.stat.exists" \ No newline at end of file diff --git a/roles/matrix-postgres/tasks/run_vacuum.yml b/roles/matrix-postgres/tasks/run_vacuum.yml deleted file mode 100644 index 19a27562..00000000 --- a/roles/matrix-postgres/tasks/run_vacuum.yml +++ /dev/null @@ -1,90 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if Postgres not enabled - fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot run vacuum." - when: "not matrix_postgres_enabled|bool" - - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time|default('') == ''" - -- name: Set postgres_vacuum_wait_time, if not provided - set_fact: - postgres_vacuum_wait_time: "{{ 7 * 86400 }}" - when: "postgres_vacuum_wait_time|default('') == ''" - - -# Actual vacuuming work - -- name: Ensure matrix-postgres is started - service: - name: matrix-postgres - state: started - daemon_reload: yes - -- name: Wait a bit, so that Postgres can start - wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -- import_tasks: tasks/util/detect_existing_postgres_version.yml - -- name: Abort, if no existing Postgres version detected - fail: - msg: "Could not find existing Postgres installation" - when: "not matrix_postgres_detected_existing|bool" - -- name: Generate Postgres database vacuum command - set_fact: - matrix_postgres_vacuum_command: >- - {{ matrix_host_command_docker }} run --rm --name matrix-postgres-synapse-vacuum - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - {{ matrix_postgres_docker_image_latest }} - psql -v ON_ERROR_STOP=1 -h matrix-postgres {{ matrix_synapse_database_database }} -c 'VACUUM FULL VERBOSE' - -- name: Note about Postgres vacuum alternative - debug: - msg: >- - Running vacuum with the following Postgres command: `{{ matrix_postgres_vacuum_command }}`. - If this crashes, you can stop all processes (`systemctl stop matrix-*`), - start Postgres only (`systemctl start matrix-postgres`) - and manually run the above command directly on the server. - -- name: Populate service facts - service_facts: - -- set_fact: - matrix_postgres_synapse_was_running: "{{ ansible_facts.services['matrix-synapse.service']|default(none) is not none and ansible_facts.services['matrix-synapse.service'].state == 'running' }}" - -- name: Ensure matrix-synapse is stopped - service: - name: matrix-synapse - state: stopped - daemon_reload: yes - -- name: Run Postgres vacuum command - command: "{{ matrix_postgres_vacuum_command }}" - async: "{{ postgres_vacuum_wait_time }}" - poll: 10 - register: matrix_postgres_synapse_vacuum_result - -# Intentionally show the results -- debug: var="matrix_postgres_synapse_vacuum_result" - -- name: Ensure matrix-synapse is started, if it previously was - service: - name: matrix-synapse - state: started - daemon_reload: yes - when: "matrix_postgres_synapse_was_running|bool" diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml deleted file mode 100644 index 4294bc11..00000000 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ /dev/null @@ -1,197 +0,0 @@ ---- - -# -# Tasks related to setting up an internal postgres server -# - -- import_tasks: "{{ role_path }}/tasks/migrate_postgres_data_directory.yml" - when: matrix_postgres_enabled|bool - -- import_tasks: "{{ role_path }}/tasks/util/detect_existing_postgres_version.yml" - when: matrix_postgres_enabled|bool - -# If we have found an existing version (installed from before), we use its corresponding Docker image. -# If not, we install using the latest Postgres. -# -# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`). -- set_fact: - matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}" - when: matrix_postgres_enabled|bool - -- name: Inject warning if on an old version of Postgres - set_fact: - matrix_playbook_runtime_results: | - {{ - matrix_playbook_runtime_results|default([]) - + - [ - "NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres" - ] - }} - when: "matrix_postgres_enabled|bool and matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest" - -# Even if we don't run the internal server, we still need this for running the CLI -- name: Ensure postgres Docker image is pulled - docker_image: - name: "{{ matrix_postgres_docker_image_to_use }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_postgres_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_docker_image_force_pull }}" - when: matrix_postgres_enabled|bool - -- name: Ensure Postgres paths exist - file: - path: "{{ item }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_postgres_base_path }}" - - "{{ matrix_postgres_data_path }}" - when: matrix_postgres_enabled|bool - -# We do this as a separate task, because: -# - we'd like to do it for the data path only, not for the base path (which contains root-owned environment variable files we'd like to leave as-is) -# - we need to do it without `mode`, or we risk making certain `.conf` and other files's executable bit to flip to true -- name: Ensure Postgres data path ownership is correct - file: - path: "{{ matrix_postgres_data_path }}" - state: directory - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - recurse: yes - when: matrix_postgres_enabled|bool - -- name: Ensure Postgres environment variables file created - template: - src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ matrix_postgres_base_path }}/{{ item }}" - mode: 0640 - with_items: - - "env-postgres-psql" - - "env-postgres-server" - when: matrix_postgres_enabled|bool - -- name: Ensure matrix-postgres-cli script created - template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2" - dest: "{{ matrix_local_bin_path }}/matrix-postgres-cli" - mode: 0755 - when: matrix_postgres_enabled|bool - -- name: Ensure matrix-change-user-admin-status script created - template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2" - dest: "{{ matrix_local_bin_path }}/matrix-change-user-admin-status" - mode: 0755 - when: matrix_postgres_enabled|bool - -- name: (Migration) Ensure old matrix-make-user-admin script deleted - file: - path: "{{ matrix_local_bin_path }}/matrix-make-user-admin" - state: absent - when: matrix_postgres_enabled|bool - -- name: Ensure matrix-postgres-update-user-password-hash script created - template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" - dest: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash" - mode: 0755 - when: matrix_postgres_enabled|bool - -- name: Ensure matrix-postgres.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-postgres.service" - mode: 0644 - register: matrix_postgres_systemd_service_result - when: matrix_postgres_enabled|bool - -- name: Ensure systemd reloaded after matrix-postgres.service installation - service: - daemon_reload: yes - when: "matrix_postgres_enabled|bool and matrix_postgres_systemd_service_result.changed" - -- include_tasks: - file: "{{ role_path }}/tasks/util/create_additional_databases.yml" - apply: - tags: - - always - when: "matrix_postgres_enabled|bool and matrix_postgres_additional_databases|length > 0" - -- name: Check existence of matrix-postgres backup data path - stat: - path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup" - register: matrix_postgres_data_backup_path_stat - when: "matrix_postgres_enabled|bool" - -- name: Inject warning if backup data remains - set_fact: - matrix_playbook_runtime_results: | - {{ - matrix_playbook_runtime_results|default([]) - + - [ - "NOTE: You have some Postgres backup data in `{{ matrix_postgres_data_path }}-auto-upgrade-backup`, which was created during the last major Postgres update you ran. If your setup works well after this upgrade, feel free to delete this whole directory." - ] - }} - when: "matrix_postgres_enabled|bool and matrix_postgres_data_backup_path_stat.stat.exists" - - -# -# Tasks related to getting rid of the internal postgres server (if it was previously enabled) -# - -- name: Check existence of matrix-postgres service - stat: - path: "{{ matrix_systemd_path }}/matrix-postgres.service" - register: matrix_postgres_service_stat - when: "not matrix_postgres_enabled|bool" - -- name: Ensure matrix-postgres is stopped - service: - name: matrix-postgres - state: stopped - daemon_reload: yes - when: "not matrix_postgres_enabled|bool and matrix_postgres_service_stat.stat.exists" - -- name: Ensure matrix-postgres.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-postgres.service" - state: absent - when: "not matrix_postgres_enabled|bool and matrix_postgres_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-postgres.service removal - service: - daemon_reload: yes - when: "not matrix_postgres_enabled|bool and matrix_postgres_service_stat.stat.exists" - -- name: Check existence of matrix-postgres local data path - stat: - path: "{{ matrix_postgres_data_path }}" - register: matrix_postgres_data_path_stat - when: "not matrix_postgres_enabled|bool" - -# We just want to notify the user. Deleting data is too destructive. -- name: Inject warning if matrix-postgres local data remains - set_fact: - matrix_playbook_runtime_results: | - {{ - matrix_playbook_runtime_results|default([]) - + - [ - "NOTE: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it." - ] - }} - when: "not matrix_postgres_enabled|bool and matrix_postgres_data_path_stat.stat.exists" - -- name: Remove Postgres scripts - file: - path: "{{ matrix_local_bin_path }}/{{ item }}" - state: absent - with_items: - - matrix-postgres-cli - - matrix-change-user-admin-status - - matrix-postgres-update-user-password-hash - when: "not matrix_postgres_enabled|bool" diff --git a/roles/matrix-postgres/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml deleted file mode 100644 index 564265d8..00000000 --- a/roles/matrix-postgres/tasks/upgrade_postgres.yml +++ /dev/null @@ -1,172 +0,0 @@ ---- - -- name: Set default postgres_dump_dir, if not provided - set_fact: - postgres_dump_dir: "/tmp" - when: "postgres_dump_dir|default('') == ''" - -- name: Set postgres_dump_name, if not provided - set_fact: - postgres_dump_name: "matrix-postgres-dump.sql.gz" - when: "postgres_dump_name|default('') == ''" - -- name: Set postgres_auto_upgrade_backup_data_path, if not provided - set_fact: - postgres_auto_upgrade_backup_data_path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup" - when: "postgres_auto_upgrade_backup_data_path|default('') == ''" - -- name: Set postgres_start_wait_time, if not provided - set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time|default('') == ''" - -- name: Set postgres_force_upgrade, if not provided - set_fact: - postgres_force_upgrade: false - when: "postgres_force_upgrade|default('') == ''" - -- name: Fail, if trying to upgrade external Postgres database - fail: - msg: "Your configuration indicates that you're not using Postgres from this role. There is nothing to upgrade." - when: "not matrix_postgres_enabled|bool" - -- name: Check Postgres auto-upgrade backup data directory - stat: - path: "{{ postgres_auto_upgrade_backup_data_path }}" - register: result_auto_upgrade_path - -- name: Abort, if existing Postgres auto-upgrade data path detected - fail: - msg: "Detected that a left-over {{ postgres_auto_upgrade_backup_data_path }} exists. You should rename it to {{ matrix_postgres_data_path }} if the previous upgrade went wrong, or delete it if it went well." - when: "result_auto_upgrade_path.stat.exists" - -- import_tasks: tasks/util/detect_existing_postgres_version.yml - -- name: Abort, if no existing Postgres version detected - fail: - msg: "Could not find existing Postgres installation" - when: "not matrix_postgres_detected_existing|bool" - -- name: Abort, if already at latest Postgres version - fail: - msg: "You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do" - when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest and not postgres_force_upgrade" - -- debug: - msg: "Upgrading database from {{ matrix_postgres_detected_version_corresponding_docker_image }} to {{ matrix_postgres_docker_image_latest }}" - -- name: Ensure matrix-synapse is stopped - service: - name: matrix-synapse - state: stopped - -- name: Ensure matrix-postgres is started - service: - name: matrix-postgres - state: started - daemon_reload: yes - -- name: Wait a bit, so that Postgres can start - wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -# We dump all databases, roles, etc. -# -# Because we'll be importing into a new container which initializes the default -# role (`matrix_postgres_connection_username`) and database (`matrix_postgres_db_name`) by itself on startup, -# we need to remove these from the dump, or we'll get errors saying these already exist. -- name: Perform Postgres database dump - command: >- - {{ matrix_host_command_docker }} run --rm --name matrix-postgres-dump - --log-driver=none - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --entrypoint=/bin/sh - --mount type=bind,src={{ postgres_dump_dir }},dst=/out - {{ matrix_postgres_detected_version_corresponding_docker_image }} - -c "pg_dumpall -h matrix-postgres - {{ '| gzip -c ' if postgres_dump_name.endswith('.gz') else '' }} - > /out/{{ postgres_dump_name }}" - -- name: Ensure matrix-postgres is stopped - service: - name: matrix-postgres - state: stopped - -- name: Rename existing Postgres data directory - command: "mv {{ matrix_postgres_data_path }} {{ postgres_auto_upgrade_backup_data_path }}" - -- debug: - msg: "NOTE: Your Postgres data directory has been moved from `{{ matrix_postgres_data_path }}` to `{{ postgres_auto_upgrade_backup_data_path }}`. In the event of failure, you can move it back and run the playbook with --tags=setup-postgres to restore operation." - -- import_tasks: tasks/setup_postgres.yml - -- name: Ensure matrix-postgres autoruns and is restarted - service: - name: matrix-postgres - enabled: yes - state: restarted - daemon_reload: yes - -- name: Wait a bit, so that Postgres can start - wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - -# Starting the database container had automatically created the default -# role (`matrix_postgres_connection_username`) and database (`matrix_postgres_db_name`). -# The dump most likely contains those same entries and would try to re-create them, leading to errors. -# We need to skip over those lines. -- name: Generate Postgres database import command - set_fact: - matrix_postgres_import_command: >- - {{ matrix_host_command_docker }} run --rm --name matrix-postgres-import - --log-driver=none - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --entrypoint=/bin/sh - --mount type=bind,src={{ postgres_dump_dir }},dst=/in,ro - {{ matrix_postgres_docker_image_latest }} - -c "cat /in/{{ postgres_dump_name }} | - {{ 'gunzip |' if postgres_dump_name.endswith('.gz') else '' }} - grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' | - grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' | - psql -v ON_ERROR_STOP=1 -h matrix-postgres" - -# This is a hack. -# See: https://ansibledaily.com/print-to-standard-output-without-escaping/ -# -# We want to run `debug: msg=".."`, but that dumps it as JSON and escapes double quotes within it, -# which ruins the command (`matrix_postgres_import_command`) -- name: Note about Postgres importing - set_fact: - dummy: true - with_items: - - >- - Importing Postgres database using the following command: `{{ matrix_postgres_import_command }}`. - If this crashes, you can stop Postgres (`systemctl stop matrix-postgres`), - delete the new database data (`rm -rf {{ matrix_postgres_data_path }}`) - and restore the automatically-made backup (`mv {{ postgres_auto_upgrade_backup_data_path }} {{ matrix_postgres_data_path }}`). - -- name: Perform Postgres database import - command: "{{ matrix_postgres_import_command }}" - -- name: Delete Postgres database dump file - file: - path: "{{ postgres_dump_dir }}/{{ postgres_dump_name }}" - state: absent - -- name: Ensure matrix-synapse is started - service: - name: matrix-synapse - state: started - daemon_reload: yes - -- debug: - msg: "NOTE: Your old Postgres data directory is preserved at `{{ postgres_auto_upgrade_backup_data_path }}`. You might want to get rid of it once you've confirmed that all is well." diff --git a/roles/matrix-postgres/tasks/util/create_additional_database.yml b/roles/matrix-postgres/tasks/util/create_additional_database.yml deleted file mode 100644 index 22b3c9a2..00000000 --- a/roles/matrix-postgres/tasks/util/create_additional_database.yml +++ /dev/null @@ -1,40 +0,0 @@ ---- - -# It'd be better if this is belonged to `validate_config.yml`, but it would have to be some loop-within-a-loop there, -# and that's ugly. We also don't expect this to catch errors often. It's more of a defensive last-minute check. -- name: Fail if additional database data appears invalid - fail: - msg: "Additional database definition ({{ additional_db }} lacks a required key: {{ item }}" - when: "item not in additional_db" - with_items: "{{ ['name', 'username', 'password'] }}" - -# The SQL statements that we'll run against Postgres are stored in a file that others can't read. -# This file will be mounted into the container and fed to Postgres. -# This way, we avoid passing sensitive data around in CLI commands that other users on the system can see. -- name: Create additional database initialization SQL file for {{ additional_db.name }} - template: - src: "{{ role_path }}/templates/sql/init-additional-db-user-and-role.sql.j2" - dest: "/tmp/matrix-postgres-init-additional-db-user-and-role.sql" - mode: 0600 - owner: "{{ matrix_user_uid }}" - group: "{{ matrix_user_gid }}" - -- name: Execute Postgres additional database initialization SQL file for {{ additional_db.name }} - command: - cmd: >- - {{ matrix_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --network {{ matrix_docker_network }} - --mount type=bind,src=/tmp/matrix-postgres-init-additional-db-user-and-role.sql,dst=/matrix-postgres-init-additional-db-user-and-role.sql,ro - --entrypoint=/bin/sh - {{ matrix_postgres_docker_image_to_use }} - -c - 'psql -h {{ matrix_postgres_connection_hostname }} --file=/matrix-postgres-init-additional-db-user-and-role.sql' - -- name: Delete additional database initialization SQL file for {{ additional_db.name }} - file: - path: /tmp/matrix-postgres-init-additional-db-user-and-role.sql - state: absent diff --git a/roles/matrix-postgres/tasks/util/create_additional_databases.yml b/roles/matrix-postgres/tasks/util/create_additional_databases.yml deleted file mode 100644 index 0ad460dd..00000000 --- a/roles/matrix-postgres/tasks/util/create_additional_databases.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- - -- name: Ensure matrix-postgres is started - service: - name: matrix-postgres - state: started - daemon_reload: yes - register: matrix_postgres_service_start_result - -- name: Wait a bit, so that Postgres can start - wait_for: - timeout: "{{ matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds }}" - delegate_to: 127.0.0.1 - become: false - when: "matrix_postgres_service_start_result.changed|bool" - -- name: Create additional Postgres user and database - include_tasks: "{{ role_path }}/tasks/util/create_additional_database.yml" - with_items: "{{ matrix_postgres_additional_databases }}" - loop_control: - loop_var: additional_db - # Suppress logging to avoid dumping the credentials to the shell - no_log: true diff --git a/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml b/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml deleted file mode 100644 index 9032c15e..00000000 --- a/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml +++ /dev/null @@ -1,56 +0,0 @@ ---- - -# This utility aims to determine if there is some existing Postgres version in use or not. -# If there is, it also tries to detect the Docker image that corresponds to that version. - -- name: Initialize Postgres version determination variables (default to empty) - set_fact: - matrix_postgres_detection_pg_version_path: "{{ matrix_postgres_data_path }}/PG_VERSION" - matrix_postgres_detected_existing: false - matrix_postgres_detected_version: "" - matrix_postgres_detected_version_corresponding_docker_image: "" - -- name: Determine existing Postgres version (check PG_VERSION file) - stat: - path: "{{ matrix_postgres_detection_pg_version_path }}" - register: result_pg_version_stat - -- set_fact: - matrix_postgres_detected_existing: true - when: "result_pg_version_stat.stat.exists" - -- name: Determine existing Postgres version (read PG_VERSION file) - slurp: - src: "{{ matrix_postgres_detection_pg_version_path }}" - register: result_pg_version - when: matrix_postgres_detected_existing|bool - -- name: Determine existing Postgres version (make sense of PG_VERSION file) - set_fact: - matrix_postgres_detected_version: "{{ result_pg_version['content']|b64decode|replace('\n', '') }}" - when: matrix_postgres_detected_existing|bool - -- name: Determine corresponding Docker image to detected version (assume default of latest) - set_fact: - matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_latest }}" - when: "matrix_postgres_detected_version != ''" - -- name: Determine corresponding Docker image to detected version (use 9.x, if detected) - set_fact: - matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v9 }}" - when: "matrix_postgres_detected_version.startswith('9.')" - -- name: Determine corresponding Docker image to detected version (use 10.x, if detected) - set_fact: - matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v10 }}" - when: "matrix_postgres_detected_version == '10' or matrix_postgres_detected_version.startswith('10.')" - -- name: Determine corresponding Docker image to detected version (use 11.x, if detected) - set_fact: - matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v11 }}" - when: "matrix_postgres_detected_version == '11' or matrix_postgres_detected_version.startswith('11.')" - -- name: Determine corresponding Docker image to detected version (use 12.x, if detected) - set_fact: - matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v12 }}" - when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')" diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml deleted file mode 100644 index cf595ade..00000000 --- a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml +++ /dev/null @@ -1,169 +0,0 @@ ---- - -- name: Fail if Postgres not enabled - fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot migrate." - when: "not matrix_postgres_enabled|bool" - -- name: Fail if util called incorrectly (missing matrix_postgres_db_migration_request) - fail: - msg: "The `matrix_postgres_db_migration_request` variable needs to be provided to this util." - when: "matrix_postgres_db_migration_request is not defined" - -- name: Fail if util called incorrectly (invalid matrix_postgres_db_migration_request) - fail: - msg: "The `matrix_postgres_db_migration_request` variable needs to contain `{{ item }}`." - with_items: - - src - - dst - - caller - - engine_variable_name - - systemd_services_to_stop - when: "item not in matrix_postgres_db_migration_request" - -- name: Check if the provided source database file exists - stat: - path: "{{ matrix_postgres_db_migration_request.src }}" - register: matrix_postgres_db_migration_request_src_stat_result - -- name: Fail if provided source database file doesn't exist - fail: - msg: "File cannot be found on the server at {{ matrix_postgres_db_migration_request.src }}" - when: "not matrix_postgres_db_migration_request_src_stat_result.stat.exists" - -- block: - - name: Ensure pgloader repository is present on self-build - git: - repo: "{{ matrix_postgres_pgloader_container_image_self_build_repo }}" - dest: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}" - version: "{{ matrix_postgres_pgloader_container_image_self_build_repo_branch }}" - force: "yes" - register: matrix_postgres_pgloader_git_pull_results - - # If `stable` is used, we hit an error when processing /opt/src/pgloader/build/quicklisp/dists/quicklisp/software/uax-15-20201220-git/data/CompositionExclusions.txt: - # > the octet sequence #(194) cannot be decoded - # - # The issue is described here and is not getting fixed for months: https://github.com/dimitri/pgloader/pull/1179 - # - # Although we're not using the dimitri/pgloader image, the one we're using suffers from the same problem. - - name: Switch pgloader base image from Debian stable (likely 10.x/Buster) to Bullseye - lineinfile: - path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}/Dockerfile" - regexp: "{{ item.match }}" - line: "{{ item.replace }}" - with_items: - - match: '^FROM debian:stable-slim as builder$' - replace: 'FROM debian:bullseye-slim as builder' - - match: '^FROM debian:stable-slim$' - replace: 'FROM debian:bullseye-slim' - - - name: Ensure pgloader Docker image is built - docker_image: - name: "{{ matrix_postgres_pgloader_docker_image }}" - source: build - force_source: "{{ matrix_postgres_pgloader_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_pgloader_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}" - pull: yes - when: "matrix_postgres_pgloader_container_image_self_build|bool" - -- name: Ensure pgloader Docker image is pulled - docker_image: - name: "{{ matrix_postgres_pgloader_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_postgres_pgloader_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_pgloader_docker_image_force_pull }}" - when: "not matrix_postgres_pgloader_container_image_self_build" - -# Defaults - -- name: Set postgres_start_wait_time, if not provided - set_fact: - postgres_start_wait_time: 15 - when: "postgres_start_wait_time|default('') == ''" - -# Actual import work - -# matrix-postgres is most likely started already -- name: Ensure matrix-postgres is started - service: - name: matrix-postgres - state: started - daemon_reload: yes - register: matrix_postgres_service_start_result - -- name: Wait a bit, so that Postgres can start - wait_for: - timeout: "{{ postgres_start_wait_time }}" - delegate_to: 127.0.0.1 - become: false - when: "matrix_postgres_service_start_result.changed|bool" - -# We only stop services here, leaving it to the caller to start them later. -# -# We can't start them, because they probably need to be reconfigured too (changing the configuration from using SQLite to Postgres, etc.), -# before starting. -# -# Since the caller will be starting them, it might make sense to leave stopping to it as well. -# However, we don't do it, because it's simpler having it here, and it also gets to happen only if we'll be doing an import. -# If we bailed out (somewhere above), nothing would have gotten stopped. It's nice to leave this running in such cases. -- name: Ensure systemd services blocking the database import are stopped - service: - name: "{{ item }}" - state: stopped - failed_when: false - with_items: "{{ matrix_postgres_db_migration_request.systemd_services_to_stop }}" - -- name: Import {{ matrix_postgres_db_migration_request.engine_old }} database from {{ matrix_postgres_db_migration_request.src }} into Postgres - command: - cmd: >- - {{ matrix_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --mount type=bind,src={{ matrix_postgres_db_migration_request.src }},dst=/in.db,ro - --entrypoint=/bin/sh - {{ matrix_postgres_pgloader_docker_image }} - -c - 'pgloader {{ matrix_postgres_db_migration_request.pgloader_options|default([])|join(' ') }} /in.db {{ matrix_postgres_db_migration_request.dst }}' - -- block: - # We can't use `{{ role_path }}` here, neither with `import_tasks`, nor with `include_tasks`, - # because it refers to the role that included this util, and not to the role this file belongs to. - - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/detect_existing_postgres_version.yml" - - - set_fact: - matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}" - - - name: Execute additional Postgres SQL migration statements - command: - cmd: >- - {{ matrix_host_command_docker }} run - --rm - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --network={{ matrix_docker_network }} - {{ matrix_postgres_docker_image_to_use }} - psql --host=matrix-postgres --dbname={{ matrix_postgres_db_migration_request.additional_psql_statements_db_name }} --command='{{ item }}' - with_items: "{{ matrix_postgres_db_migration_request.additional_psql_statements_list }}" - - when: "matrix_postgres_db_migration_request.additional_psql_statements_list|default([])|length > 0" - -- name: Archive {{ matrix_postgres_db_migration_request.engine_old }} database ({{ matrix_postgres_db_migration_request.src }} -> {{ matrix_postgres_db_migration_request.src }}.backup) - command: - cmd: "mv {{ matrix_postgres_db_migration_request.src }} {{ matrix_postgres_db_migration_request.src }}.backup" - -- name: Inject result - set_fact: - matrix_playbook_runtime_results: | - {{ - matrix_playbook_runtime_results|default([]) - + - [ - "NOTE: Your {{ matrix_postgres_db_migration_request.engine_old }} database file has been imported into Postgres. The original database file has been moved from `{{ matrix_postgres_db_migration_request.src }}` to `{{ matrix_postgres_db_migration_request.src }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." - ] - }} diff --git a/roles/matrix-postgres/tasks/validate_config.yml b/roles/matrix-postgres/tasks/validate_config.yml deleted file mode 100644 index eac4dd5b..00000000 --- a/roles/matrix-postgres/tasks/validate_config.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- - -- name: (Deprecation) Warn about matrix_postgres_use_external usage - fail: - msg: > - The `matrix_postgres_use_external` variable defined in your configuration is not used by this playbook anymore! - You'll need to adapt to the new way of using an external Postgres server. - It's a combination of `matrix_postgres_enabled: false` and specifying Postgres connection - details in a few `matrix_postgres_connection_` variables. - See the "Using an external PostgreSQL server (optional)" documentation page. - when: "'matrix_postgres_use_external' in vars" - -# This is separate (from the other required variables below), -# because we'd like to have a friendlier message for our existing users. -- name: Fail if matrix_postgres_connection_password not defined - fail: - msg: >- - The playbook no longer has a default Postgres password defined in the `matrix_postgres_connection_password` variable, among lots of other Postgres changes. - You need to perform multiple manual steps to resolve this. - See our changelog for more details: - https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-postgres-changes-that-require-manual-intervention - when: "matrix_postgres_connection_password == ''" - -- name: Fail if required Postgres settings not defined - fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" - with_items: - - "matrix_postgres_connection_hostname" - - "matrix_postgres_connection_port" - - "matrix_postgres_connection_username" - - "matrix_postgres_connection_password" - - "matrix_postgres_db_name" - -- name: Fail if Postgres password length exceeded - fail: - msg: "The maximum `matrix_postgres_connection_password` length is 99 characters" - when: "matrix_postgres_connection_password|length > 99" diff --git a/roles/matrix-postgres/templates/env-postgres-psql.j2 b/roles/matrix-postgres/templates/env-postgres-psql.j2 deleted file mode 100644 index c61927a3..00000000 --- a/roles/matrix-postgres/templates/env-postgres-psql.j2 +++ /dev/null @@ -1,4 +0,0 @@ -#jinja2: lstrip_blocks: "True" -PGUSER={{ matrix_postgres_connection_username }} -PGPASSWORD={{ matrix_postgres_connection_password }} -PGDATABASE={{ matrix_postgres_db_name }} \ No newline at end of file diff --git a/roles/matrix-postgres/templates/env-postgres-server.j2 b/roles/matrix-postgres/templates/env-postgres-server.j2 deleted file mode 100644 index 06feb82a..00000000 --- a/roles/matrix-postgres/templates/env-postgres-server.j2 +++ /dev/null @@ -1,7 +0,0 @@ -#jinja2: lstrip_blocks: "True" -POSTGRES_USER={{ matrix_postgres_connection_username }} -POSTGRES_PASSWORD={{ matrix_postgres_connection_password }} -POSTGRES_DB={{ matrix_postgres_db_name }} -# Synapse refuses to run if collation is not C. -# See https://github.com/matrix-org/synapse/issues/6722 -POSTGRES_INITDB_ARGS=--lc-collate C --lc-ctype C --encoding UTF8 diff --git a/roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 b/roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 deleted file mode 100644 index a5a3385b..00000000 --- a/roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 +++ /dev/null @@ -1,19 +0,0 @@ --- `CREATE USER` does not support `IF NOT EXISTS`, so we use this workaround to prevent an error and raise a notice instead. --- Seen here: https://stackoverflow.com/a/49858797 -DO $$ -BEGIN - CREATE USER "{{ additional_db.username }}"; - EXCEPTION WHEN DUPLICATE_OBJECT THEN - RAISE NOTICE 'not creating user "{{ additional_db.username }}", since it already exists'; -END -$$; - --- This is useful for initial user creation (since we don't assign a password above) and for handling subsequent password changes --- TODO - we should escape quotes in the password. -ALTER ROLE "{{ additional_db.username }}" PASSWORD '{{ additional_db.password }}'; - --- This will generate an error on subsequent execution -CREATE DATABASE "{{ additional_db.name }}" WITH LC_CTYPE 'C' LC_COLLATE 'C' OWNER "{{ additional_db.username }}"; - --- This is useful for changing the database owner subsequently -ALTER DATABASE "{{ additional_db.name }}" OWNER TO "{{ additional_db.username }}"; diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 deleted file mode 100644 index 6d1b1c6f..00000000 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ /dev/null @@ -1,41 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Postgres server -After=docker.service -Requires=docker.service -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ - --tmpfs=/run/postgresql:rw,noexec,nosuid,size=100m \ - --network={{ matrix_docker_network }} \ - {% if matrix_postgres_container_postgres_bind_port %} - -p {{ matrix_postgres_container_postgres_bind_port }}:5432 \ - {% endif %} - --env-file={{ matrix_postgres_base_path }}/env-postgres-server \ - --mount type=bind,src={{ matrix_postgres_data_path }},dst=/var/lib/postgresql/data \ - --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ - {% for arg in matrix_postgres_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_postgres_docker_image_to_use }} \ - postgres {{ matrix_postgres_process_extra_arguments|join(' ') }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-postgres - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 deleted file mode 100644 index 6c3082ef..00000000 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 +++ /dev/null @@ -1,19 +0,0 @@ -#jinja2: lstrip_blocks: "True" -#!/bin/bash - -if [ $# -ne 2 ]; then - echo "Usage: "$0" <0/1>" - echo "Usage: 0 = non-admin" - echo "Usage: 1 = admin" - exit 1 -fi - -docker run \ - -it \ - --rm \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ - --network {{ matrix_docker_network }} \ - {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} --dbname={{ matrix_synapse_database_database }} -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 deleted file mode 100644 index de09a4eb..00000000 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 +++ /dev/null @@ -1,13 +0,0 @@ -#jinja2: lstrip_blocks: "True" -#!/bin/bash - -docker run \ - -it \ - --rm \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ - --network {{ matrix_docker_network }} \ - {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} \ - "$@" diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 deleted file mode 100644 index 0fbf4f21..00000000 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 +++ /dev/null @@ -1,16 +0,0 @@ -#jinja2: lstrip_blocks: "True" -#!/bin/bash - -if [ $# -ne 2 ]; then - echo "Usage: "$0" " - exit 1 -fi - -docker run \ - --rm \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ - --network {{ matrix_docker_network }} \ - {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} --dbname={{ matrix_synapse_database_database }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'" diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml deleted file mode 100644 index 492d48b1..00000000 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ /dev/null @@ -1,34 +0,0 @@ -# matrix-prometheus-node-exporter is an Prometheus exporter for machine metrics -# See: https://prometheus.io/docs/guides/node-exporter/ - -matrix_prometheus_node_exporter_enabled: false - -matrix_prometheus_node_exporter_version: v1.1.2 -matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" -matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_prometheus_node_exporter_container_extra_arguments: [] - -# List of systemd services that matrix-prometheus.service depends on -matrix_prometheus_node_exporter_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-prometheus.service wants -matrix_prometheus_node_exporter_systemd_wanted_services_list: [] - -# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). -# -# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. -# -# Official recommendations are to run this container with `--net=host`, -# but we don't do that, since it: -# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) -# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`) -# -# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, -# but that's trickier to accomplish and won't necessarily work (hasn't been tested). -# -# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), -# because node-exporter can't see all interfaces, etc. -# For now, we'll live with that, until someone develops a better solution. -matrix_prometheus_node_exporter_container_http_host_bind_port: '' diff --git a/roles/matrix-prometheus-node-exporter/tasks/init.yml b/roles/matrix-prometheus-node-exporter/tasks/init.yml deleted file mode 100644 index 2894b717..00000000 --- a/roles/matrix-prometheus-node-exporter/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-node-exporter.service'] }}" - when: matrix_prometheus_node_exporter_enabled|bool - - diff --git a/roles/matrix-prometheus-node-exporter/tasks/main.yml b/roles/matrix-prometheus-node-exporter/tasks/main.yml deleted file mode 100644 index 172b5721..00000000 --- a/roles/matrix-prometheus-node-exporter/tasks/main.yml +++ /dev/null @@ -1,8 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/setup.yml" - tags: - - setup-all - - setup-prometheus-node-exporter diff --git a/roles/matrix-prometheus-node-exporter/tasks/setup.yml b/roles/matrix-prometheus-node-exporter/tasks/setup.yml deleted file mode 100644 index 34086e6c..00000000 --- a/roles/matrix-prometheus-node-exporter/tasks/setup.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- - -# -# Tasks related to setting up matrix-prometheus-node-exporter -# - -- name: Ensure matrix-prometheus-node-exporter image is pulled - docker_image: - name: "{{ matrix_prometheus_node_exporter_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_prometheus_node_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_node_exporter_docker_image_force_pull }}" - when: "matrix_prometheus_node_exporter_enabled|bool" - -- name: Ensure matrix-prometheus-node-exporter.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-prometheus-node-exporter.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-prometheus-node-exporter.service" - mode: 0644 - register: matrix_prometheus_node_exporter_systemd_service_result - when: matrix_prometheus_node_exporter_enabled|bool - -- name: Ensure systemd reloaded after matrix-prometheus.service installation - service: - daemon_reload: yes - when: "matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-prometheus-node-exporter (if it was previously enabled) -# - -- name: Check existence of matrix-prometheus-node-exporter service - stat: - path: "{{ matrix_systemd_path }}/matrix-prometheus-node-exporter.service" - register: matrix_prometheus_node_exporter_service_stat - -- name: Ensure matrix-prometheus-node-exporter is stopped - service: - name: matrix-prometheus-node-exporter - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists" - -- name: Ensure matrix-prometheus-node-exporter.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-prometheus-node-exporter.service" - state: absent - when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-prometheus-node-exporter.service removal - service: - daemon_reload: yes - when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists" diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 deleted file mode 100644 index 210a0d97..00000000 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ /dev/null @@ -1,44 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=matrix-prometheus-node-exporter -{% for service in matrix_prometheus_node_exporter_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_prometheus_node_exporter_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' - - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-node-exporter \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - --network={{ matrix_docker_network }} \ - {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} - -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ - {% endif %} - --pid=host \ - --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ - {{ matrix_prometheus_node_exporter_docker_image }} \ - --path.rootfs=/host - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-prometheus-node-exporter - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-prometheus-postgres-exporter/defaults/main.yml b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml deleted file mode 100644 index 8aca4576..00000000 --- a/roles/matrix-prometheus-postgres-exporter/defaults/main.yml +++ /dev/null @@ -1,49 +0,0 @@ -# matrix-prometheus-postgres-exporter is an Prometheus exporter for postgres metrics -# See: https://github.com/prometheus-community/postgres_exporter - -matrix_prometheus_postgres_exporter_enabled: false - -matrix_prometheus_postgres_exporter_version: v0.9.0 -matrix_prometheus_postgres_exporter_port: 9187 - -matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}" -matrix_prometheus_postgres_exporter_docker_image_force_pull: "{{ matrix_prometheus_postgres_exporter_docker_image.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_prometheus_postgres_exporter_container_extra_arguments: ["-e PG_EXPORTER_AUTO_DISCOVER_DATABASES=true", - "-e PG_EXPORTER_WEB_LISTEN_ADDRESS=\":{{matrix_prometheus_postgres_exporter_port}}\"", - "-e DATA_SOURCE_NAME=\"postgresql://{{matrix_prometheus_postgres_exporter_database_username}}:{{matrix_prometheus_postgres_exporter_database_password}}@{{matrix_prometheus_postgres_exporter_database_hostname}}:5432/{{matrix_prometheus_postgres_exporter_database_name}}?sslmode=disable\"" ] - -# List of systemd services that matrix-prometheus-postgres-exporter.service depends on -matrix_prometheus_postgres_exporter_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-prometheus-postgres-exporter.service wants -matrix_prometheus_postgres_exporter_systemd_wanted_services_list: [] - -# details for connecting to the database -matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter' -matrix_prometheus_postgres_exporter_database_password: 'some-password' -matrix_prometheus_postgres_exporter_database_hostname: 'matrix-postgres' -matrix_prometheus_postgres_exporter_database_port: 5432 -matrix_prometheus_postgres_exporter_database_name: 'matrix_prometheus_postgres_exporter' - - -# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). -# -# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. -# -# Official recommendations are to run this container with `--net=host`, -# but we don't do that, since it: -# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) -# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`) -# -# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, -# but that's trickier to accomplish and won't necessarily work (hasn't been tested). -# -# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), -# because node-exporter can't see all interfaces, etc. -# For now, we'll live with that, until someone develops a better solution. -matrix_prometheus_postgres_exporter_container_http_host_bind_port: '' - -matrix_prometheus_postgres_exporter_dashboard_urls: -- "https://grafana.com/api/dashboards/9628/revisions/7/download" \ No newline at end of file diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/init.yml b/roles/matrix-prometheus-postgres-exporter/tasks/init.yml deleted file mode 100644 index 2bd6904e..00000000 --- a/roles/matrix-prometheus-postgres-exporter/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-postgres-exporter.service'] }}" - when: matrix_prometheus_postgres_exporter_enabled|bool - - diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/main.yml b/roles/matrix-prometheus-postgres-exporter/tasks/main.yml deleted file mode 100644 index e3c364fa..00000000 --- a/roles/matrix-prometheus-postgres-exporter/tasks/main.yml +++ /dev/null @@ -1,8 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/setup.yml" - tags: - - setup-all - - setup-prometheus-postgres-exporter diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml b/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml deleted file mode 100644 index 076ece1a..00000000 --- a/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- - -# -# Tasks related to setting up matrix-prometheus-postgres-exporter -# - -- name: Ensure matrix-prometheus-postgres-exporter image is pulled - docker_image: - name: "{{ matrix_prometheus_postgres_exporter_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_prometheus_postgres_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_postgres_exporter_docker_image_force_pull }}" - when: "matrix_prometheus_postgres_exporter_enabled|bool" - -- name: Ensure matrix-prometheus-postgres-exporter.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-prometheus-postgres-exporter.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" - mode: 0644 - register: matrix_prometheus_postgres_exporter_systemd_service_result - when: matrix_prometheus_postgres_exporter_enabled|bool - -- name: Ensure systemd reloaded after matrix-prometheus.service installation - service: - daemon_reload: yes - when: "matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-prometheus-postgres-exporter (if it was previously enabled) -# - -- name: Check existence of matrix-prometheus-postgres-exporter service - stat: - path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" - register: matrix_prometheus_postgres_exporter_service_stat - -- name: Ensure matrix-prometheus-postgres-exporter is stopped - service: - name: matrix-prometheus-postgres-exporter - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" - -- name: Ensure matrix-prometheus-postgres-exporter.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" - state: absent - when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-prometheus-postgres-exporter.service removal - service: - daemon_reload: yes - when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" diff --git a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 deleted file mode 100644 index b25cb5de..00000000 --- a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 +++ /dev/null @@ -1,42 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=matrix-prometheus-postgres-exporter -{% for service in matrix_prometheus_postgres_exporter_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_prometheus_postgres_exporter_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' - - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-postgres-exporter \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - {% for arg in matrix_prometheus_postgres_exporter_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - --network={{ matrix_docker_network }} \ - {% if matrix_prometheus_postgres_exporter_container_http_host_bind_port %} - -p {{ matrix_prometheus_postgres_exporter_container_http_host_bind_port }}:{{matrix_prometheus_postgres_exporter_port}} \ - {% endif %} - --pid=host \ - {{ matrix_prometheus_postgres_exporter_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-prometheus-postgres-exporter - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml deleted file mode 100644 index 3725993c..00000000 --- a/roles/matrix-prometheus/defaults/main.yml +++ /dev/null @@ -1,67 +0,0 @@ -# matrix-prometheus is an open-source systems monitoring and alerting toolkit -# See: https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md - -matrix_prometheus_enabled: false - -matrix_prometheus_version: v2.28.1 -matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" -matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" - -matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus" -matrix_prometheus_config_path: "{{ matrix_prometheus_base_path }}/config" -matrix_prometheus_data_path: "{{ matrix_prometheus_base_path }}/data" - -# A list of extra arguments to pass to the container -matrix_prometheus_container_extra_arguments: [] - -# List of systemd services that matrix-prometheus.service depends on -matrix_prometheus_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-prometheus.service wants -matrix_prometheus_systemd_wanted_services_list: [] - -# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9090 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:9090"), or empty string to not expose. -matrix_prometheus_container_http_host_bind_port: '' - -# Tells whether the "synapse" scraper configuration is enabled. -matrix_prometheus_scraper_synapse_enabled: false - -# Tells whether to download and load a Synapse rules file -matrix_prometheus_scraper_synapse_rules_enabled: "{{ matrix_prometheus_scraper_synapse_enabled }}" -matrix_prometheus_scraper_synapse_rules_synapse_tag: "master" -matrix_prometheus_scraper_synapse_rules_download_url: "https://raw.githubusercontent.com/matrix-org/synapse/{{ matrix_prometheus_scraper_synapse_rules_synapse_tag }}/contrib/prometheus/synapse-v2.rules" - -matrix_prometheus_scraper_synapse_targets: [] -matrix_prometheus_scraper_synapse_workers_enabled_list: [] - -# Tells whether the "node" scraper configuration is enabled. -# This configuration aims to scrape the current node (this server). -matrix_prometheus_scraper_node_enabled: false - -# Target addresses for the "node" scraper configuration. -# Unless you define this as a non-empty list, it gets populated at runtime with the IP address of `matrix-prometheus-node-exporter` and port 9100. -matrix_prometheus_scraper_node_targets: [] - -# Default prometheus configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_prometheus_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_prometheus_configuration_yaml: "{{ lookup('template', 'templates/prometheus.yml.j2') }}" - -matrix_prometheus_configuration_extension_yaml: | - # Your custom YAML configuration goes here. - # This configuration extends the default starting configuration (`matrix_prometheus_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_prometheus_configuration_yaml`. - -matrix_prometheus_configuration_extension: "{{ matrix_prometheus_configuration_extension_yaml|from_yaml if matrix_prometheus_configuration_extension_yaml|from_yaml is mapping else {} }}" - -# Holds the final configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_prometheus_configuration_yaml`. -matrix_prometheus_configuration: "{{ matrix_prometheus_configuration_yaml|from_yaml|combine(matrix_prometheus_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-prometheus/tasks/init.yml b/roles/matrix-prometheus/tasks/init.yml deleted file mode 100644 index 12fae831..00000000 --- a/roles/matrix-prometheus/tasks/init.yml +++ /dev/null @@ -1,5 +0,0 @@ -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus.service'] }}" - when: matrix_prometheus_enabled|bool - - diff --git a/roles/matrix-prometheus/tasks/main.yml b/roles/matrix-prometheus/tasks/main.yml deleted file mode 100644 index 20f18cc3..00000000 --- a/roles/matrix-prometheus/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_prometheus_enabled|bool" - tags: - - setup-all - - setup-prometheus - -- import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup|bool and matrix_prometheus_enabled|bool" - tags: - - setup-all - - setup-prometheus - -- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup|bool and not matrix_prometheus_enabled|bool" - tags: - - setup-all - - setup-prometheus diff --git a/roles/matrix-prometheus/tasks/setup_install.yml b/roles/matrix-prometheus/tasks/setup_install.yml deleted file mode 100644 index 15a69279..00000000 --- a/roles/matrix-prometheus/tasks/setup_install.yml +++ /dev/null @@ -1,50 +0,0 @@ ---- - -- name: Ensure matrix-prometheus image is pulled - docker_image: - name: "{{ matrix_prometheus_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_prometheus_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_docker_image_force_pull }}" - -- name: Ensure Prometheus paths exists - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_prometheus_base_path }}" - - "{{ matrix_prometheus_config_path }}" - - "{{ matrix_prometheus_data_path }}" - -- name: Download synapse-v2.rules - get_url: - url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}" - dest: "{{ matrix_prometheus_config_path }}/synapse-v2.rules" - force: true - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "matrix_prometheus_scraper_synapse_rules_enabled|bool" - -- name: Ensure prometheus.yml installed - copy: - content: "{{ matrix_prometheus_configuration|to_nice_yaml }}" - dest: "{{ matrix_prometheus_config_path }}/prometheus.yml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-prometheus.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-prometheus.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-prometheus.service" - mode: 0644 - register: matrix_prometheus_systemd_service_result - -- name: Ensure systemd reloaded after matrix-prometheus.service installation - service: - daemon_reload: yes - when: "matrix_prometheus_systemd_service_result.changed|bool" diff --git a/roles/matrix-prometheus/tasks/setup_uninstall.yml b/roles/matrix-prometheus/tasks/setup_uninstall.yml deleted file mode 100644 index dd46a222..00000000 --- a/roles/matrix-prometheus/tasks/setup_uninstall.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -- name: Check existence of matrix-prometheus service - stat: - path: "{{ matrix_systemd_path }}/matrix-prometheus.service" - register: matrix_prometheus_service_stat - -- name: Ensure matrix-prometheus is stopped - service: - name: matrix-prometheus - state: stopped - daemon_reload: yes - register: stopping_result - when: "matrix_prometheus_service_stat.stat.exists|bool" - -- name: Ensure matrix-prometheus.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-prometheus.service" - state: absent - when: "matrix_prometheus_service_stat.stat.exists|bool" - -- name: Ensure systemd reloaded after matrix-prometheus.service removal - service: - daemon_reload: yes - when: "matrix_prometheus_service_stat.stat.exists|bool" diff --git a/roles/matrix-prometheus/tasks/validate_config.yml b/roles/matrix-prometheus/tasks/validate_config.yml deleted file mode 100644 index 9fcfe12b..00000000 --- a/roles/matrix-prometheus/tasks/validate_config.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- name: Fail if Synapse metrics or Prometheus Node Exporter not enabled - fail: - msg: > - You need to enable `matrix_prometheus_scraper_synapse_enabled` and/or `matrix_prometheus_scraper_node_enabled` for Prometheus grab metrics. - when: "not matrix_prometheus_scraper_synapse_enabled and not matrix_prometheus_scraper_node_enabled" diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 deleted file mode 100644 index 869b2da8..00000000 --- a/roles/matrix-prometheus/templates/prometheus.yml.j2 +++ /dev/null @@ -1,59 +0,0 @@ -#jinja2: lstrip_blocks: "True" -global: - scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. - evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute. - # scrape_timeout is set to the global default (10s). - -# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. -rule_files: - {% if matrix_prometheus_scraper_synapse_rules_enabled %} - - 'synapse-v2.rules' - {% endif %} - -# A scrape configuration containing exactly one endpoint to scrape: -# Here it's Prometheus itself. -scrape_configs: - # The job name is added as a label `job=` to any timeseries scraped from this config. - - job_name: 'prometheus' - - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - scrape_timeout: 5s - - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - - static_configs: - - targets: ['localhost:9090'] - - {% if matrix_prometheus_scraper_synapse_enabled %} - - job_name: 'synapse' - metrics_path: '/_synapse/metrics' - static_configs: - - targets: {{ matrix_prometheus_scraper_synapse_targets|to_json }} - labels: - instance: {{ matrix_domain }} - job: master - index: 0 - {% for worker in matrix_prometheus_scraper_synapse_workers_enabled_list %} - {% if worker.metrics_port != 0 %} - - targets: ['matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}'] - labels: - instance: {{ matrix_domain }} - job: {{ worker.type }} - index: {{ worker.instanceId }} - {% endif %} - {% endfor %} - {% endif %} - - {% if matrix_prometheus_scraper_node_enabled %} - - job_name: node - static_configs: - - targets: {{ matrix_prometheus_scraper_node_targets|to_json }} - {% endif %} - - {% if matrix_prometheus_scraper_postgres_enabled %} - - job_name: postgres - static_configs: - - targets: {{ matrix_prometheus_scraper_postgres_targets|to_json }} - {% endif %} diff --git a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 deleted file mode 100644 index ad75d664..00000000 --- a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 +++ /dev/null @@ -1,43 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=matrix-prometheus -{% for service in matrix_prometheus_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_prometheus_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' - - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --network={{ matrix_docker_network }} \ - {% if matrix_prometheus_container_http_host_bind_port %} - -p {{ matrix_prometheus_container_http_host_bind_port }}:9090 \ - {% endif %} - -v {{ matrix_prometheus_config_path }}:/etc/prometheus:z \ - -v {{ matrix_prometheus_data_path }}:/prometheus:z \ - {% for arg in matrix_prometheus_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_prometheus_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-prometheus - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml deleted file mode 100644 index 409c7926..00000000 --- a/roles/matrix-redis/defaults/main.yml +++ /dev/null @@ -1,22 +0,0 @@ -matrix_redis_enabled: true - -matrix_redis_connection_password: "" - -matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" -matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" - -matrix_redis_version: 6.2.4-alpine -matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" -matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" -matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' - -matrix_redis_docker_image_force_pull: "{{ matrix_redis_docker_image_to_use.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_redis_container_extra_arguments: [] - -# Controls whether the matrix-redis container exposes a port (tcp/6379 in the container) -# that can be used to access redis from outside the container -# -# Takes an ":" or "" value (e.g. "127.0.0.1:6379"), or empty string to not expose. -matrix_redis_container_redis_bind_port: "" diff --git a/roles/matrix-redis/tasks/init.yml b/roles/matrix-redis/tasks/init.yml deleted file mode 100644 index 49068851..00000000 --- a/roles/matrix-redis/tasks/init.yml +++ /dev/null @@ -1,3 +0,0 @@ -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-redis'] }}" - when: matrix_redis_enabled|bool diff --git a/roles/matrix-redis/tasks/main.yml b/roles/matrix-redis/tasks/main.yml deleted file mode 100644 index 595b09f5..00000000 --- a/roles/matrix-redis/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/setup_redis.yml" - when: run_setup|bool - tags: - - setup-all - - setup-redis diff --git a/roles/matrix-redis/tasks/setup_redis.yml b/roles/matrix-redis/tasks/setup_redis.yml deleted file mode 100644 index 6f00282b..00000000 --- a/roles/matrix-redis/tasks/setup_redis.yml +++ /dev/null @@ -1,99 +0,0 @@ ---- - -# -# Tasks related to setting up an internal redis server -# - -- name: Ensure redis Docker image is pulled - docker_image: - name: "{{ matrix_redis_docker_image_to_use }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_redis_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_redis_docker_image_force_pull }}" - when: matrix_redis_enabled|bool - -- name: Ensure redis paths exist - file: - path: "{{ item }}" - state: directory - mode: 0700 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - "{{ matrix_redis_base_path }}" - - "{{ matrix_redis_data_path }}" - when: matrix_redis_enabled|bool - -# We do this as a separate task, because: -# - we'd like to do it for the data path only, not for the base path (which contains root-owned environment variable files we'd like to leave as-is) -# - we need to do it without `mode`, or we risk making certain `.conf` and other files's executable bit to flip to true -- name: Ensure redis data path ownership is correct - file: - path: "{{ matrix_redis_data_path }}" - state: directory - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - recurse: yes - when: matrix_redis_enabled|bool - -- name: Ensure redis environment variables file created - template: - src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ matrix_redis_base_path }}/{{ item }}" - mode: 0644 - with_items: - - "redis.conf" - when: matrix_redis_enabled|bool - -- name: Ensure matrix-redis.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-redis.service" - mode: 0644 - register: matrix_redis_systemd_service_result - when: matrix_redis_enabled|bool - -- name: Ensure systemd reloaded after matrix-redis.service installation - service: - daemon_reload: yes - when: "matrix_redis_enabled|bool and matrix_redis_systemd_service_result.changed" - -# -# Tasks related to getting rid of the internal redis server (if it was previously enabled) -# - -- name: Check existence of matrix-redis service - stat: - path: "{{ matrix_systemd_path }}/matrix-redis.service" - register: matrix_redis_service_stat - when: "not matrix_redis_enabled|bool" - -- name: Ensure matrix-redis is stopped - service: - name: matrix-redis - state: stopped - daemon_reload: yes - when: "not matrix_redis_enabled|bool and matrix_redis_service_stat.stat.exists" - -- name: Ensure matrix-redis.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-redis.service" - state: absent - when: "not matrix_redis_enabled|bool and matrix_redis_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-redis.service removal - service: - daemon_reload: yes - when: "not matrix_redis_enabled|bool and matrix_redis_service_stat.stat.exists" - -- name: Check existence of matrix-redis local data path - stat: - path: "{{ matrix_redis_data_path }}" - register: matrix_redis_data_path_stat - when: "not matrix_redis_enabled|bool" - -# We just want to notify the user. Deleting data is too destructive. -- name: Notify if matrix-redis local data remains - debug: - msg: "Note: You are not using a local redis instance, but some old data remains from before in `{{ matrix_redis_data_path }}`. Feel free to delete it." - when: "not matrix_redis_enabled|bool and matrix_redis_data_path_stat.stat.exists" diff --git a/roles/matrix-redis/templates/redis.conf.j2 b/roles/matrix-redis/templates/redis.conf.j2 deleted file mode 100644 index 34371356..00000000 --- a/roles/matrix-redis/templates/redis.conf.j2 +++ /dev/null @@ -1,4 +0,0 @@ -#jinja2: lstrip_blocks: "True" -{% if matrix_redis_connection_password %} -requirepass {{ matrix_redis_connection_password }} -{% endif %} diff --git a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 deleted file mode 100644 index 5f6699f8..00000000 --- a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 +++ /dev/null @@ -1,37 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Redis server -After=docker.service -Requires=docker.service - -[Service] -Type=simple -ExecStartPre=-/usr/bin/docker stop matrix-redis -ExecStartPre=-/usr/bin/docker rm matrix-redis - -ExecStart=/usr/bin/docker run --rm --name matrix-redis \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ - --network={{ matrix_docker_network }} \ - {% if matrix_redis_container_redis_bind_port %} - -p {{ matrix_redis_container_redis_bind_port }}:6379 \ - {% endif %} - --mount type=bind,src={{ matrix_redis_base_path }}/redis.conf,dst=/usr/local/etc/redis/redis.conf,ro \ - --mount type=bind,src={{ matrix_redis_data_path }},dst=/data \ - {% for arg in matrix_redis_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_redis_docker_image_to_use }} \ - redis-server /usr/local/etc/redis/redis.conf - -ExecStop=-/usr/bin/docker stop matrix-redis -ExecStop=-/usr/bin/docker rm matrix-redis -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-redis - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml deleted file mode 100644 index e03891b2..00000000 --- a/roles/matrix-registration/defaults/main.yml +++ /dev/null @@ -1,116 +0,0 @@ -# matrix-registration is a simple python application to have a token based matrix registration -# See: https://zeratax.github.io/matrix-registration/ - -matrix_registration_enabled: true - -matrix_registration_container_image_self_build: false -matrix_registration_container_image_self_build_repo: "https://github.com/ZerataX/matrix-registration" -matrix_registration_container_image_self_build_branch: "{{ 'master' if matrix_registration_version == 'latest' else matrix_registration_version }}" - -matrix_registration_base_path: "{{ matrix_base_data_path }}/matrix-registration" -matrix_registration_config_path: "{{ matrix_registration_base_path }}/config" -matrix_registration_data_path: "{{ matrix_registration_base_path }}/data" -matrix_registration_docker_src_files_path: "{{ matrix_registration_base_path }}/docker-src" - -matrix_registration_version: "v0.7.2" - -matrix_registration_docker_image: "{{ matrix_registration_docker_image_name_prefix }}zeratax/matrix-registration:{{ matrix_registration_version }}" -matrix_registration_docker_image_name_prefix: "{{ 'localhost/' if matrix_registration_container_image_self_build else matrix_container_global_registry_prefix }}" -matrix_registration_docker_image_force_pull: "{{ matrix_registration_docker_image.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_registration_container_extra_arguments: [] - -# List of systemd services that matrix-registration.service depends on -matrix_registration_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-registration.service wants -matrix_registration_systemd_wanted_services_list: [] - -# Controls whether the matrix-registration container exposes its HTTP port (tcp/5000 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8767"), or empty string to not expose. -matrix_registration_container_http_host_bind_port: '' - -# Database-related configuration fields. -# -# To use SQLite, stick to these defaults. -# -# To use Postgres: -# - change the engine (`matrix_registration_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_registration_postgres_*` variables -matrix_registration_database_engine: 'sqlite' - -matrix_registration_sqlite_database_path_local: "{{ matrix_registration_data_path }}/db.sqlite3" -matrix_registration_sqlite_database_path_in_container: "/data/db.sqlite3" - -matrix_registration_database_username: 'matrix_registration' -matrix_registration_database_password: 'some-password' -matrix_registration_database_hostname: 'matrix-postgres' -matrix_registration_database_port: 5432 -matrix_registration_database_name: 'matrix_registration' - -matrix_registration_database_connection_string: 'postgresql://{{ matrix_registration_database_username }}:{{ matrix_registration_database_password }}@{{ matrix_registration_database_hostname }}:{{ matrix_registration_database_port }}/{{ matrix_registration_database_name }}' - -# For some reason, matrix-registraiton expects the `db` field to be like this: `sqlite:////data/db.sqlite3`. -# (seems like one too many slashes, but..) -matrix_registration_db: "{{ - { - 'sqlite': ('sqlite:///' + matrix_registration_sqlite_database_path_in_container), - 'postgres': matrix_registration_database_connection_string, - }[matrix_registration_database_engine] -}}" - - -# The path at which Matrix Registration will be exposed on `matrix.DOMAIN` -# (only applies when matrix-nginx-proxy is used). -matrix_registration_public_endpoint: /matrix-registration - -matrix_registration_base_url: "{{ matrix_registration_public_endpoint }}" - -matrix_registration_api_register_endpoint: "{{ matrix_homeserver_url }}{{ matrix_registration_public_endpoint }}/register" -matrix_registration_api_token_endpoint: "{{ matrix_homeserver_url }}{{ matrix_registration_public_endpoint }}/token" - -matrix_registration_api_validate_certs: true - -# The URL to your homeserver (e.g.: `https://matrix.DOMAIN`). -# A local (in-container address) is preferable. -matrix_registration_server_location: "" - -matrix_registration_server_name: "{{ matrix_domain }}" - -# matrix_registration_shared_secret needs to match the homeserver's registration secret. -# For Synapse, that's the `registration_shared_secret` setting. -matrix_registration_shared_secret: "" - -# matrix_registration_admin_secret is your own admin secret for using matrix-registration (creating new tokens, etc.) -matrix_registration_admin_secret: "" - -matrix_registration_riot_instance: "https://riot.im/app/" - -# Default matrix-registration configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_registration_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_registration_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" - -matrix_registration_configuration_extension_yaml: | - # Your custom YAML configuration for registration goes here. - # This configuration extends the default starting configuration (`matrix_registration_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_registration_configuration_yaml`. - # - # Example configuration extension follows: - # - # password: - # min_length: 12 - -matrix_registration_configuration_extension: "{{ matrix_registration_configuration_extension_yaml|from_yaml if matrix_registration_configuration_extension_yaml|from_yaml is mapping else {} }}" - -# Holds the final matrix-registration configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_registration_configuration_yaml`. -matrix_registration_configuration: "{{ matrix_registration_configuration_yaml|from_yaml|combine(matrix_registration_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-registration/tasks/generate_token.yml b/roles/matrix-registration/tasks/generate_token.yml deleted file mode 100644 index ae5bdf4c..00000000 --- a/roles/matrix-registration/tasks/generate_token.yml +++ /dev/null @@ -1,50 +0,0 @@ -- name: Fail if playbook called incorrectly - fail: - msg: "The `one_time` variable needs to be provided to this playbook, via --extra-vars" - when: "one_time is not defined or one_time not in ['yes', 'no']" - -- name: Fail if playbook called incorrectly - fail: - msg: "The `ex_date` variable (expiration date) needs to be provided to this playbook, via --extra-vars" - when: "ex_date is not defined or ex_date == ''" - -- name: Call matrix-registration token creation API - uri: - url: "{{ matrix_registration_api_token_endpoint }}" - follow_redirects: none - validate_certs: "{{ matrix_registration_api_validate_certs }}" - headers: - Content-Type: application/json - Authorization: "SharedSecret {{ matrix_registration_admin_secret }}" - method: POST - body_format: json - body: | - { - "one_time": {{ 'true' if one_time == 'yes' else 'false' }}, - "ex_date": {{ ex_date|to_json }} - } - check_mode: no - register: matrix_registration_api_result - -- set_fact: - matrix_registration_api_result_message: >- - matrix-registration result: - - Direct registration link (with the token prefilled): - - {{ matrix_registration_api_register_endpoint }}?token={{ matrix_registration_api_result.json.name }} - - Full token details are: - - {{ matrix_registration_api_result.json }} - check_mode: no - -- name: Inject result message into matrix_playbook_runtime_results - set_fact: - matrix_playbook_runtime_results: | - {{ - matrix_playbook_runtime_results|default([]) - + - [matrix_registration_api_result_message] - }} - check_mode: no diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml deleted file mode 100644 index 32a35c7d..00000000 --- a/roles/matrix-registration/tasks/init.yml +++ /dev/null @@ -1,68 +0,0 @@ -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - fail: - msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build and matrix_registration_enabled" - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}" - when: matrix_registration_enabled|bool - -- block: - - name: Fail if matrix-nginx-proxy role already executed - fail: - msg: >- - Trying to append matrix-registration's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, - so that the matrix-nginx-proxy role would run after the matrix-registration role. - when: matrix_nginx_proxy_role_executed|default(False)|bool - - - name: Generate matrix-registration proxying configuration for matrix-nginx-proxy - set_fact: - matrix_registration_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_registration_public_endpoint }}$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/ permanent; - rewrite ^{{ matrix_registration_public_endpoint }}/$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/register redirect; - - location ~ ^{{ matrix_registration_public_endpoint }}/(.*) { - {% if matrix_nginx_proxy_enabled|default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-registration:5000"; - proxy_pass http://$backend/$1; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8767/$1; - {% endif %} - - {# - Workaround matrix-registration serving the background image at /static - (see https://github.com/ZerataX/matrix-registration/issues/47) - #} - sub_filter_once off; - sub_filter_types text/css; - sub_filter "/static/" "{{ matrix_registration_public_endpoint }}/static/"; - } - - - name: Register matrix-registration proxying configuration with matrix-nginx-proxy - set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) - + - [matrix_registration_matrix_nginx_proxy_configuration] - }} - tags: - - always - when: matrix_registration_enabled|bool - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - debug: - msg: >- - NOTE: You've enabled the matrix-registration tool but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_registration_public_endpoint }}` - URL endpoint to the matrix-registration container. - You can expose the container's port using the `matrix_registration_container_http_host_bind_port` variable. - when: "matrix_registration_enabled|bool and matrix_nginx_proxy_enabled is not defined" diff --git a/roles/matrix-registration/tasks/list_tokens.yml b/roles/matrix-registration/tasks/list_tokens.yml deleted file mode 100644 index dea3eb31..00000000 --- a/roles/matrix-registration/tasks/list_tokens.yml +++ /dev/null @@ -1,29 +0,0 @@ -- name: Call matrix-registration list all tokens API - uri: - url: "{{ matrix_registration_api_token_endpoint }}" - follow_redirects: none - validate_certs: "{{ matrix_registration_api_validate_certs }}" - headers: - Content-Type: application/json - Authorization: "SharedSecret {{ matrix_registration_admin_secret }}" - method: GET - body_format: json - check_mode: no - register: matrix_registration_api_result - -- set_fact: - matrix_registration_api_result_message: >- - matrix-registration result: - - {{ matrix_registration_api_result.json | to_nice_json }} - check_mode: no - -- name: Inject result message into matrix_playbook_runtime_results - set_fact: - matrix_playbook_runtime_results: | - {{ - matrix_playbook_runtime_results|default([]) - + - [matrix_registration_api_result_message] - }} - check_mode: no diff --git a/roles/matrix-registration/tasks/main.yml b/roles/matrix-registration/tasks/main.yml deleted file mode 100644 index 3324e083..00000000 --- a/roles/matrix-registration/tasks/main.yml +++ /dev/null @@ -1,31 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_registration_enabled|bool" - tags: - - setup-all - - setup-matrix-registration - -- import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: "run_setup|bool and matrix_registration_enabled|bool" - tags: - - setup-all - - setup-matrix-registration - -- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: "run_setup|bool and not matrix_registration_enabled|bool" - tags: - - setup-all - - setup-matrix-registration - -- import_tasks: "{{ role_path }}/tasks/generate_token.yml" - when: "run_setup|bool and matrix_registration_enabled|bool" - tags: - - generate-matrix-registration-token - -- import_tasks: "{{ role_path }}/tasks/list_tokens.yml" - when: "run_setup|bool and matrix_registration_enabled|bool" - tags: - - list-matrix-registration-tokens diff --git a/roles/matrix-registration/tasks/setup_install.yml b/roles/matrix-registration/tasks/setup_install.yml deleted file mode 100644 index 0d7da9ce..00000000 --- a/roles/matrix-registration/tasks/setup_install.yml +++ /dev/null @@ -1,101 +0,0 @@ ---- - -- set_fact: - matrix_registration_requires_restart: false - -- block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_registration_sqlite_database_path_local }}" - register: matrix_registration_sqlite_database_path_local_stat_result - - - block: - - set_fact: - matrix_postgres_db_migration_request: - src: "{{ matrix_registration_sqlite_database_path_local }}" - dst: "{{ matrix_registration_database_connection_string }}" - caller: "{{ role_path|basename }}" - engine_variable_name: 'matrix_registration_database_engine' - engine_old: 'sqlite' - systemd_services_to_stop: ['matrix-registration.service'] - # pgloader makes `ex_date` of type `TIMESTAMP WITH TIMEZONE`, - # which makes matrix-registration choke on it later on when comparing dates. - additional_psql_statements_list: - - ALTER TABLE tokens ALTER COLUMN ex_date TYPE TIMESTAMP WITHOUT TIME ZONE; - additional_psql_statements_db_name: "{{ matrix_registration_database_name }}" - - - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - - - set_fact: - matrix_registration_requires_restart: true - when: "matrix_registration_sqlite_database_path_local_stat_result.stat.exists|bool" - when: "matrix_registration_database_engine == 'postgres'" - -- name: Ensure matrix-registration paths exist - file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_registration_base_path }}", when: true } - - { path: "{{ matrix_registration_config_path }}", when: true } - - { path: "{{ matrix_registration_data_path }}", when: true } - - { path: "{{ matrix_registration_docker_src_files_path }}", when: "{{ matrix_registration_container_image_self_build }}"} - when: "item.when|bool" - -- name: Ensure matrix-registration image is pulled - docker_image: - name: "{{ matrix_registration_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_registration_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_registration_docker_image_force_pull }}" - when: "not matrix_registration_container_image_self_build|bool" - -- name: Ensure matrix-registration repository is present when self-building - git: - repo: "{{ matrix_registration_container_image_self_build_repo }}" - dest: "{{ matrix_registration_docker_src_files_path }}" - version: "{{ matrix_registration_container_image_self_build_branch }}" - force: "yes" - register: matrix_registration_git_pull_results - when: "matrix_registration_container_image_self_build|bool" - -- name: Ensure matrix-registration Docker image is built - docker_image: - name: "{{ matrix_registration_docker_image }}" - source: build - force_source: "{{ matrix_registration_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_registration_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_registration_docker_src_files_path }}" - pull: yes - when: "matrix_registration_container_image_self_build|bool" - -- name: Ensure matrix-registration config installed - copy: - content: "{{ matrix_registration_configuration|to_nice_yaml }}" - dest: "{{ matrix_registration_config_path }}/config.yaml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-registration.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-registration.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-registration.service" - mode: 0644 - register: matrix_registration_systemd_service_result - -- name: Ensure systemd reloaded after matrix-registration.service installation - service: - daemon_reload: yes - when: "matrix_registration_systemd_service_result.changed|bool" - -- name: Ensure matrix-registration.service restarted, if necessary - service: - name: "matrix-registration.service" - state: restarted - when: "matrix_registration_requires_restart|bool" diff --git a/roles/matrix-registration/tasks/setup_uninstall.yml b/roles/matrix-registration/tasks/setup_uninstall.yml deleted file mode 100644 index 573f8170..00000000 --- a/roles/matrix-registration/tasks/setup_uninstall.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- - -- name: Check existence of matrix-registration service - stat: - path: "{{ matrix_systemd_path }}/matrix-registration.service" - register: matrix_registration_service_stat - -- name: Ensure matrix-registration is stopped - service: - name: matrix-registration - state: stopped - daemon_reload: yes - register: stopping_result - when: "matrix_registration_service_stat.stat.exists|bool" - -- name: Ensure matrix-registration.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-registration.service" - state: absent - when: "matrix_registration_service_stat.stat.exists|bool" - -- name: Ensure systemd reloaded after matrix-registration.service removal - service: - daemon_reload: yes - when: "matrix_registration_service_stat.stat.exists|bool" - -- name: Ensure matrix-registration Docker image doesn't exist - docker_image: - name: "{{ matrix_registration_docker_image }}" - state: absent diff --git a/roles/matrix-registration/tasks/validate_config.yml b/roles/matrix-registration/tasks/validate_config.yml deleted file mode 100644 index 90466b46..00000000 --- a/roles/matrix-registration/tasks/validate_config.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: Fail if required matrix-registration settings not defined - fail: - msg: > - You need to define a required configuration setting (`{{ item }}`) for using matrix-registration. - when: "vars[item] == ''" - with_items: - - "matrix_registration_shared_secret" - - "matrix_registration_admin_secret" - - "matrix_registration_server_location" - -- name: (Deprecation) Catch and report renamed settings - fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_registration_docker_repo', 'new': 'matrix_registration_container_image_self_build_repo'} diff --git a/roles/matrix-registration/templates/config.yaml.j2 b/roles/matrix-registration/templates/config.yaml.j2 deleted file mode 100644 index 39211b24..00000000 --- a/roles/matrix-registration/templates/config.yaml.j2 +++ /dev/null @@ -1,31 +0,0 @@ -server_location: {{ matrix_registration_server_location|to_json }} -server_name: {{ matrix_registration_server_name|to_json }} -shared_secret: {{ matrix_registration_shared_secret|to_json }} -admin_secret: {{ matrix_registration_admin_secret|to_json }} -riot_instance: {{ matrix_registration_riot_instance|to_json }} -db: {{ matrix_registration_db|to_json }} -host: '0.0.0.0' -port: 5000 -rate_limit: ["100 per day", "10 per minute"] -allow_cors: false -logging: - disable_existing_loggers: False - version: 1 - root: - level: DEBUG - handlers: [console] - formatters: - brief: - format: '%(name)s - %(levelname)s - %(message)s' - precise: - format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s' - handlers: - console: - class: logging.StreamHandler - level: INFO - formatter: brief - stream: ext://sys.stdout -# password requirements -password: - min_length: 8 -base_url: {{ matrix_registration_base_url|to_json }} diff --git a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 deleted file mode 100644 index e73e3e5f..00000000 --- a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 +++ /dev/null @@ -1,42 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=matrix-registration -{% for service in matrix_registration_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_registration_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-registration \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_docker_network }} \ - {% if matrix_registration_container_http_host_bind_port %} - -p {{ matrix_registration_container_http_host_bind_port }}:5000 \ - {% endif %} - --mount type=bind,src={{ matrix_registration_config_path }},dst=/config,ro \ - --mount type=bind,src={{ matrix_registration_data_path }},dst=/data \ - {% for arg in matrix_registration_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_registration_docker_image }} \ - serve - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-registration - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-sygnal/defaults/main.yml b/roles/matrix-sygnal/defaults/main.yml deleted file mode 100644 index 476ac2ad..00000000 --- a/roles/matrix-sygnal/defaults/main.yml +++ /dev/null @@ -1,95 +0,0 @@ -# Sygnal is a reference Push Gateway for Matrix. -# To make use of it for delivering push notificatins, you'll need to develop/build your own Matrix app. -# Learn more here: https://github.com/matrix-org/sygnal -matrix_sygnal_enabled: false - -matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal" -matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" -matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data" - -matrix_sygnal_version: v0.9.0 -matrix_sygnal_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_version }}" -matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" - -# List of systemd services that matrix-sygnal.service depends on. -matrix_sygnal_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-sygnal.service wants -matrix_sygnal_systemd_wanted_services_list: [] - -# Controls whether the matrix-sygnal container exposes its HTTP port (tcp/6000 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:6000"), or empty string to not expose. -matrix_sygnal_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_sygnal_container_extra_arguments: [] - -# Database-related configuration fields. -# -# To use SQLite, stick to these defaults. -# -# To use Postgres: -# - change the engine (`matrix_sygnal_database_engine: 'postgres'`) -# - adjust your database credentials via the `matrix_sygnal_postgres_*` variables -matrix_sygnal_database_engine: 'sqlite' - -matrix_sygnal_sqlite_database_path_local: "{{ matrix_sygnal_data_path }}/sygnal.db" -matrix_sygnal_sqlite_database_path_in_container: "/data/sygnal.db" - -matrix_sygnal_database_username: 'matrix_sygnal' -matrix_sygnal_database_password: 'some-password' -matrix_sygnal_database_hostname: 'matrix-postgres' -matrix_sygnal_database_port: 5432 -matrix_sygnal_database_name: 'matrix_sygnal' - -matrix_sygnal_database_connection_string: 'postgres://{{ matrix_sygnal_database_username }}:{{ matrix_sygnal_database_password }}@{{ matrix_sygnal_database_hostname }}:{{ matrix_sygnal_database_port }}/{{ matrix_sygnal_database_name }}' - -# A map (dictionary) of apps instances that this server works with. -# -# Example configuration: -# -# matrix_sygnal_apps: -# com.example.myapp.ios: -# type: apns -# # .. more configuration .. -# com.example.myapp.android: -# type: gcm -# api_key: your_api_key_for_gcm -# # .. more configuration .. -# -# The APNS configuration needs to reference some certificate files. -# One can put these in the `matrix_sygnal_data_path` directory (`/matrix/sygnal/data`), mounted to `/data` in the container. -# The `matrix_sygnal_apps` paths need to use the in-container path (`/data`). -# To install these files via the playbook, one can use the `matrix-aux` role. -# Examples and more details are available in `docs/configuring-playbook-sygnal.md`. -matrix_sygnal_apps: [] - -matrix_sygnal_metrics_prometheus_enabled: false - -# Default Sygnal configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_sygnal_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_sygnal_configuration_yaml: "{{ lookup('template', 'templates/sygnal.yaml.j2') }}" - -matrix_sygnal_configuration_extension_yaml: | - # Your custom YAML configuration for Sygnal goes here. - # This configuration extends the default starting configuration (`matrix_sygnal_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_sygnal_configuration_yaml`. - # - # Example configuration extension follows: - # metrics: - # opentracing: - # enabled: true - -matrix_sygnal_configuration_extension: "{{ matrix_sygnal_configuration_extension_yaml|from_yaml if matrix_sygnal_configuration_extension_yaml|from_yaml is mapping else {} }}" - -# Holds the final sygnal configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_sygnal_configuration_yaml`. -matrix_sygnal_configuration: "{{ matrix_sygnal_configuration_yaml|from_yaml|combine(matrix_sygnal_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-sygnal/tasks/init.yml b/roles/matrix-sygnal/tasks/init.yml deleted file mode 100644 index 559a3681..00000000 --- a/roles/matrix-sygnal/tasks/init.yml +++ /dev/null @@ -1,3 +0,0 @@ -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sygnal.service'] }}" - when: matrix_sygnal_enabled|bool diff --git a/roles/matrix-sygnal/tasks/main.yml b/roles/matrix-sygnal/tasks/main.yml deleted file mode 100644 index c00862a4..00000000 --- a/roles/matrix-sygnal/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup|bool - tags: - - setup-all - - setup-sygnal - -- import_tasks: "{{ role_path }}/tasks/setup_install.yml" - when: run_setup|bool and matrix_sygnal_enabled|bool - tags: - - setup-all - - setup-sygnal - -- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" - when: run_setup|bool and not matrix_sygnal_enabled|bool - tags: - - setup-all - - setup-sygnal diff --git a/roles/matrix-sygnal/tasks/setup_install.yml b/roles/matrix-sygnal/tasks/setup_install.yml deleted file mode 100644 index afac61c4..00000000 --- a/roles/matrix-sygnal/tasks/setup_install.yml +++ /dev/null @@ -1,73 +0,0 @@ ---- - -- set_fact: - matrix_sygnal_requires_restart: false - -- block: - - name: Check if an SQLite database already exists - stat: - path: "{{ matrix_sygnal_sqlite_database_path_local }}" - register: matrix_sygnal_sqlite_database_path_local_stat_result - - - block: - - set_fact: - matrix_postgres_db_migration_request: - src: "{{ matrix_sygnal_sqlite_database_path_local }}" - dst: "{{ matrix_sygnal_database_connection_string }}" - caller: "{{ role_path|basename }}" - engine_variable_name: 'matrix_sygnal_database_engine' - engine_old: 'sqlite' - systemd_services_to_stop: ['matrix-sygnal.service'] - pgloader_options: ['--with "quote identifiers"'] - - - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" - - - set_fact: - matrix_sygnal_requires_restart: true - when: "matrix_sygnal_sqlite_database_path_local_stat_result.stat.exists|bool" - when: "matrix_sygnal_database_engine == 'postgres'" - -- name: Ensure Sygnal image is pulled - docker_image: - name: "{{ matrix_sygnal_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_sygnal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sygnal_docker_image_force_pull }}" - -- name: Ensure Sygnal paths exists - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_sygnal_base_path }}" - - "{{ matrix_sygnal_config_path }}" - - "{{ matrix_sygnal_data_path }}" - -- name: Ensure Sygnal config installed - copy: - content: "{{ matrix_sygnal_configuration|to_nice_yaml }}" - dest: "{{ matrix_sygnal_config_path }}/sygnal.yaml" - mode: 0640 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure matrix-sygnal.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-sygnal.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-sygnal.service" - mode: 0644 - register: matrix_sygnal_systemd_service_result - -- name: Ensure systemd reloaded after matrix-sygnal.service installation - service: - daemon_reload: yes - when: "matrix_sygnal_systemd_service_result.changed|bool" - -- name: Ensure matrix-sygnal.service restarted, if necessary - service: - name: "matrix-sygnal.service" - state: restarted - when: "matrix_sygnal_requires_restart|bool" diff --git a/roles/matrix-sygnal/tasks/setup_uninstall.yml b/roles/matrix-sygnal/tasks/setup_uninstall.yml deleted file mode 100644 index dc50078c..00000000 --- a/roles/matrix-sygnal/tasks/setup_uninstall.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- - -- name: Check existence of matrix-sygnal service - stat: - path: "{{ matrix_systemd_path }}/matrix-sygnal.service" - register: matrix_sygnal_service_stat - -- name: Ensure matrix-sygnal is stopped - service: - name: matrix-sygnal - state: stopped - daemon_reload: yes - register: stopping_result - when: "matrix_sygnal_service_stat.stat.exists|bool" - -- name: Ensure matrix-sygnal.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-sygnal.service" - state: absent - when: "matrix_sygnal_service_stat.stat.exists|bool" - -- name: Ensure systemd reloaded after matrix-sygnal.service removal - service: - daemon_reload: yes - when: "matrix_sygnal_service_stat.stat.exists|bool" - -- name: Ensure Sygnal base directory doesn't exist - file: - path: "{{ matrix_sygnal_base_path }}" - state: absent - -- name: Ensure Sygnal Docker image doesn't exist - docker_image: - name: "{{ matrix_sygnal_docker_image }}" - state: absent diff --git a/roles/matrix-sygnal/tasks/validate_config.yml b/roles/matrix-sygnal/tasks/validate_config.yml deleted file mode 100644 index efd64104..00000000 --- a/roles/matrix-sygnal/tasks/validate_config.yml +++ /dev/null @@ -1,13 +0,0 @@ -- name: Fail if no Sygnal apps defined - fail: - msg: >- - Enabling Sygnal requires that you specify at least one app in `matrix_sygnal_apps` - when: "matrix_sygnal_enabled and matrix_sygnal_apps|length == 0" - -- name: Fail if running on a non-supported architecture - fail: - msg: >- - Sygnal can only be used on the amd64 architecture for now. - Only amd64 container images are pushed for the `docker.io/matrixdotorg/sygnal` container image. - Either use a different image (by redefining `matrix_sygnal_docker_image`) or consider contributing self-building support to this role. - when: "matrix_sygnal_enabled and matrix_architecture != 'amd64' and matrix_sygnal_docker_image.startswith('docker.io/matrixdotorg/sygnal')" diff --git a/roles/matrix-sygnal/templates/sygnal.yaml.j2 b/roles/matrix-sygnal/templates/sygnal.yaml.j2 deleted file mode 100644 index bb8c521d..00000000 --- a/roles/matrix-sygnal/templates/sygnal.yaml.j2 +++ /dev/null @@ -1,288 +0,0 @@ -## -# This is a configuration for Sygnal, the reference Push Gateway for Matrix -# See: matrix.org -## - -# The 'database' setting defines the database that sygnal uses to store all of -# its data. -# -# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or -# 'psycopg2' (for PostgreSQL). -# -# 'args' gives options which are passed through to the database engine, -# except for options starting 'cp_', which are used to configure the Twisted -# connection pool. For a reference to valid arguments, see: -# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect -# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS -# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ -# -# -# Example SQLite configuration: -# -#database: -# name: sqlite3 -# args: -# dbfile: /path/to/database.db -# -# -# Example Postgres configuration: -# -#database: -# name: psycopg2 -# args: -# host: localhost -# database: sygnal -# user: sygnal -# password: pass -# cp_min: 1 -# cp_max: 5 -# -{% if matrix_sygnal_database_engine == 'sqlite' %} -database: - name: sqlite3 - args: - dbfile: {{ matrix_sygnal_sqlite_database_path_in_container|to_json }} -{% else %} -database: - name: psycopg2 - args: - host: {{ matrix_sygnal_database_hostname|to_json }} - database: {{ matrix_sygnal_database_name|to_json }} - user: {{ matrix_sygnal_database_username|to_json }} - password: {{ matrix_sygnal_database_password|to_json }} - cp_min: 1 - cp_max: 5 -{% endif %} - -## Logging # -# -log: - # Specify a Python logging 'dictConfig', as described at: - # https://docs.python.org/3.7/library/logging.config.html#logging.config.dictConfig - # - setup: - version: 1 - formatters: - normal: - format: "%(asctime)s [%(process)d] %(levelname)-5s %(name)s %(message)s" - handlers: - # This handler prints to Standard Error - # - stderr: - class: "logging.StreamHandler" - formatter: "normal" - stream: "ext://sys.stderr" - - # This handler prints to Standard Output. - # - stdout: - class: "logging.StreamHandler" - formatter: "normal" - stream: "ext://sys.stdout" - - # This handler demonstrates logging to a text file on the filesystem. - # You can use logrotate(8) to perform log rotation. - # - #file: - # class: "logging.handlers.WatchedFileHandler" - # formatter: "normal" - # filename: "./sygnal.log" - loggers: - # sygnal.access contains the access logging lines. - # Comment out this section if you don't want to give access logging - # any special treatment. - # - sygnal.access: - propagate: false - handlers: ["stdout"] - level: "INFO" - - # sygnal contains log lines from Sygnal itself. - # You can comment out this section to fall back to the root logger. - # - sygnal: - propagate: false - handlers: ["stderr"] - - root: - # Specify the handler(s) to send log messages to. - handlers: ["stderr"] - level: "INFO" - - disable_existing_loggers: false - - - access: - # Specify whether or not to trust the IP address in the `X-Forwarded-For` - # header. In general, you want to enable this if and only if you are using a - # reverse proxy which is configured to emit it. - # - x_forwarded_for: true - -## HTTP Server (Matrix Push Gateway API) # -# -http: - # Specify a list of interface addresses to bind to. - # - # This example listens on the IPv4 loopback device: - #bind_addresses: ['127.0.0.1'] - # This example listens on all IPv4 interfaces: - #bind_addresses: ['0.0.0.0'] - # This example listens on all IPv4 and IPv6 interfaces: - #bind_addresses: ['0.0.0.0', '::'] - bind_addresses: ['::'] - - # Specify the port number to listen on. - # - port: 6000 - -## Proxying for outgoing connections # -# -# Specify the URL of a proxy to use for outgoing traffic -# (e.g. to Apple & Google) if desired. -# Currently only HTTP proxies with CONNECT capability are supported. -# -# If you do not specify a value, the `HTTPS_PROXY` environment variable will -# be used if present. Otherwise, no proxy will be used. -# -# Default is unspecified. -# -#proxy: 'http://user:secret@prox:8080' - -## Metrics # -# -metrics: - ## Prometheus # - # - prometheus: - # Specify whether or not to enable Prometheus. - # - enabled: false - - # Specify an address for the Prometheus HTTP Server to listen on. - # - address: '0.0.0.0' - - # Specify a port for the Prometheus HTTP Server to listen on. - # - port: 8000 - - ## OpenTracing # - # - opentracing: - # Specify whether or not to enable OpenTracing. - # - enabled: false - - # Specify an implementation of OpenTracing to use. Currently only 'jaeger' - # is supported. - # - implementation: jaeger - - # Specify the service name to be reported to the tracer. - # - service_name: sygnal - - # Specify configuration values to pass to jaeger_client. - # - jaeger: - sampler: - type: 'const' - param: 1 -# local_agent: -# reporting_host: '127.0.0.1' -# reporting_port: - logging: true - - ## Sentry # - # - sentry: - # Specify whether or not to enable Sentry. - # - enabled: false - - # Specify your Sentry DSN if you enable Sentry - # - #dsn: "https://@sentry.example.org/" - -## Pushkins/Apps # -# -# Add a section for every push application here. -# Specify the pushkey for the application and also the type. -# For the type, you may specify a fully-qualified Python classname if desired. -# -#apps: - # This is an example APNs push configuration - # - #com.example.myapp.ios: - # type: apns - # - # # Authentication - # # - # # Two methods of authentication to APNs are currently supported. - # # - # # You can authenticate using a key: - # keyfile: my_key.p8 - # key_id: MY_KEY_ID - # team_id: MY_TEAM_ID - # topic: MY_TOPIC - # - # # Or, a certificate can be used instead: - # certfile: com.example.myApp_prod_APNS.pem - # - # # This is the maximum number of in-flight requests *for this pushkin* - # # before additional notifications will be failed. - # # (This is a robustness measure to prevent one pushkin stacking up with - # # queued requests and saturating the inbound connection queue of a load - # # balancer or reverse proxy). - # # Defaults to 512 if unset. - # # - # #inflight_request_limit: 512 - # - # # Specifies whether to use the production or sandbox APNs server. Note that - # # sandbox tokens should only be used with the sandbox server and vice versa. - # # - # # Valid options are: - # # * production - # # * sandbox - # # - # # The default is 'production'. Uncomment to use the sandbox instance. - # #platform: sandbox - - # This is an example GCM/FCM push configuration. - # - #com.example.myapp.android: - # type: gcm - # api_key: your_api_key_for_gcm - # - # # This is the maximum number of connections to GCM servers at any one time - # # the default is 20. - # #max_connections: 20 - # - # # This is the maximum number of in-flight requests *for this pushkin* - # # before additional notifications will be failed. - # # (This is a robustness measure to prevent one pushkin stacking up with - # # queued requests and saturating the inbound connection queue of a load - # # balancer or reverse proxy). - # # Defaults to 512 if unset. - # # - # #inflight_request_limit: 512 - # - # # This allows you to specify additional options to send to Firebase. - # # - # # Of particular interest, admins who wish to support iOS apps using Firebase - # # probably wish to set content_available, and may need to set mutable_content. - # # (content_available allows your iOS app to be woken up by data messages, - # # and mutable_content allows your notification to be modified by a - # # Notification Service app extension). - # # - # # See https://firebase.google.com/docs/cloud-messaging/http-server-ref - # # for the exhaustive list of valid options. - # # - # # Do not specify `data`, `priority`, `to` or `registration_ids` as they may - # # be overwritten or lead to an invalid request. - # # - # #fcm_options: - # # content_available: true - # # mutable_content: true -apps: {{ matrix_sygnal_apps|to_json }} diff --git a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 deleted file mode 100644 index 019ab40c..00000000 --- a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 +++ /dev/null @@ -1,42 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Sygnal -{% for service in matrix_sygnal_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_sygnal_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-sygnal \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --env=SYGNAL_CONF=/config/sygnal.yaml \ - --network={{ matrix_docker_network }} \ - {% if matrix_sygnal_container_http_host_bind_port %} - -p {{ matrix_sygnal_container_http_host_bind_port }}:6000 \ - {% endif %} - --mount type=bind,src={{ matrix_sygnal_config_path }},dst=/config \ - --mount type=bind,src={{ matrix_sygnal_data_path }},dst=/data \ - {% for arg in matrix_sygnal_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_sygnal_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-sygnal - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml deleted file mode 100644 index 069b6279..00000000 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ /dev/null @@ -1,32 +0,0 @@ -# matrix-synapse-admin is a web UI for mananging the Synapse Matrix server -# See: https://github.com/Awesome-Technologies/synapse-admin - -matrix_synapse_admin_enabled: true - -matrix_synapse_admin_container_self_build: false -matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" - -matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" - -matrix_synapse_admin_version: 0.8.1 -matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" -matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" -matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" - -# A list of extra arguments to pass to the container -matrix_synapse_admin_container_extra_arguments: [] - -# List of systemd services that matrix-synapse-admin.service depends on -matrix_synapse_admin_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-synapse-admin.service wants -matrix_synapse_admin_systemd_wanted_services_list: [] - -# Controls whether the matrix-synapse-admin container exposes its HTTP port (tcp/80 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8766"), or empty string to not expose. -matrix_synapse_admin_container_http_host_bind_port: '' - -# The path at which Synapse Admin will be exposed on `matrix.DOMAIN` -# (only applies when matrix-nginx-proxy is used). -matrix_synapse_admin_public_endpoint: /synapse-admin diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml deleted file mode 100644 index 9e171015..00000000 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ /dev/null @@ -1,59 +0,0 @@ -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - fail: - msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build and matrix_synapse_admin_enabled" - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" - when: matrix_synapse_admin_enabled|bool - -- block: - - name: Fail if matrix-nginx-proxy role already executed - fail: - msg: >- - Trying to append Synapse Admin's reverse-proxying configuration to matrix-nginx-proxy, - but it's pointless since the matrix-nginx-proxy role had already executed. - To fix this, please change the order of roles in your plabook, - so that the matrix-nginx-proxy role would run after the matrix-synapse-admin role. - when: matrix_nginx_proxy_role_executed|default(False)|bool - - - name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy - set_fact: - matrix_synapse_admin_matrix_nginx_proxy_configuration: | - rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ $scheme://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent; - - location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) { - {% if matrix_nginx_proxy_enabled|default(False) %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "matrix-synapse-admin:80"; - proxy_pass http://$backend/$1; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8766/$1; - {% endif %} - } - - - name: Register Synapse Admin proxying configuration with matrix-nginx-proxy - set_fact: - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | - {{ - matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) - + - [matrix_synapse_admin_matrix_nginx_proxy_configuration] - }} - tags: - - always - when: matrix_synapse_admin_enabled|bool - -- name: Warn about reverse-proxying if matrix-nginx-proxy not used - debug: - msg: >- - NOTE: You've enabled the Synapse Admin tool but are not using the matrix-nginx-proxy - reverse proxy. - Please make sure that you're proxying the `{{ matrix_synapse_admin_public_endpoint }}` - URL endpoint to the matrix-synapse-admin container. - You can expose the container's port using the `matrix_synapse_admin_container_http_host_bind_port` variable. - when: "matrix_synapse_admin_enabled|bool and matrix_nginx_proxy_enabled is not defined" diff --git a/roles/matrix-synapse-admin/tasks/main.yml b/roles/matrix-synapse-admin/tasks/main.yml deleted file mode 100644 index b5cb1689..00000000 --- a/roles/matrix-synapse-admin/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup|bool - tags: - - setup-all - - setup-synapse-admin - -- import_tasks: "{{ role_path }}/tasks/setup.yml" - tags: - - setup-all - - setup-synapse-admin diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml deleted file mode 100644 index 002ff68d..00000000 --- a/roles/matrix-synapse-admin/tasks/setup.yml +++ /dev/null @@ -1,80 +0,0 @@ ---- - -# -# Tasks related to setting up matrix-synapse-admin -# - -- name: Ensure matrix-synapse-admin image is pulled - docker_image: - name: "{{ matrix_synapse_admin_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_synapse_admin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_docker_image_force_pull }}" - when: "matrix_synapse_admin_enabled|bool and not matrix_synapse_admin_container_self_build|bool" - -- name: Ensure matrix-synapse-admin repository is present when self-building - git: - repo: "{{ matrix_synapse_admin_container_self_build_repo }}" - dest: "{{ matrix_synapse_admin_docker_src_files_path }}" - force: "yes" - register: matrix_synapse_admin_git_pull_results - when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool" - -- name: Ensure matrix-synapse-admin Docker image is built - docker_image: - name: "{{ matrix_synapse_admin_docker_image }}" - source: build - force_source: "{{ matrix_synapse_admin_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_synapse_admin_docker_src_files_path }}" - pull: yes - when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool" - -- name: Ensure matrix-synapse-admin.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-synapse-admin.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-synapse-admin.service" - mode: 0644 - register: matrix_synapse_admin_systemd_service_result - when: matrix_synapse_admin_enabled|bool - -- name: Ensure systemd reloaded after matrix-synapse-admin.service installation - service: - daemon_reload: yes - when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_systemd_service_result.changed" - -# -# Tasks related to getting rid of matrix-synapse-admin (if it was previously enabled) -# - -- name: Check existence of matrix-synapse-admin service - stat: - path: "{{ matrix_systemd_path }}/matrix-synapse-admin.service" - register: matrix_synapse_admin_service_stat - -- name: Ensure matrix-synapse-admin is stopped - service: - name: matrix-synapse-admin - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_synapse_admin_enabled|bool and matrix_synapse_admin_service_stat.stat.exists" - -- name: Ensure matrix-synapse-admin.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-synapse-admin.service" - state: absent - when: "not matrix_synapse_admin_enabled|bool and matrix_synapse_admin_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-synapse-admin.service removal - service: - daemon_reload: yes - when: "not matrix_synapse_admin_enabled|bool and matrix_synapse_admin_service_stat.stat.exists" - -- name: Ensure matrix-synapse-admin Docker image doesn't exist - docker_image: - name: "{{ matrix_synapse_admin_docker_image }}" - state: absent - when: "not matrix_synapse_admin_enabled|bool" diff --git a/roles/matrix-synapse-admin/tasks/validate_config.yml b/roles/matrix-synapse-admin/tasks/validate_config.yml deleted file mode 100644 index e08680e0..00000000 --- a/roles/matrix-synapse-admin/tasks/validate_config.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- name: (Deprecation) Catch and report renamed settings - fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'} diff --git a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 deleted file mode 100644 index 4823d89c..00000000 --- a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 +++ /dev/null @@ -1,42 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=matrix-synapse-admin -{% for service in matrix_synapse_admin_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_synapse_admin_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse-admin \ - --log-driver=none \ - --cap-drop=ALL \ - --cap-add=CHOWN \ - --cap-add=NET_BIND_SERVICE \ - --cap-add=SETUID \ - --cap-add=SETGID \ - --network={{ matrix_docker_network }} \ - {% if matrix_synapse_admin_container_http_host_bind_port %} - -p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \ - {% endif %} - {% for arg in matrix_synapse_admin_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_synapse_admin_docker_image }} - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-synapse-admin - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml deleted file mode 100644 index 02b8d157..00000000 --- a/roles/matrix-synapse/defaults/main.yml +++ /dev/null @@ -1,612 +0,0 @@ -# Synapse is a Matrix homeserver -# See: https://github.com/matrix-org/synapse - -matrix_synapse_enabled: true - -matrix_synapse_container_image_self_build: false -matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/synapse.git" - -matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" -matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" -# The if statement below may look silly at times (leading to the same version being returned), -# but ARM-compatible container images are only released 1-7 hours after a release, -# so we may often be on different versions for different architectures when new Synapse releases come out. -# -# amd64 gets released first. -# arm32 relies on self-building, so the same version can be built immediately. -# arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.38.0 -matrix_synapse_version_arm64: v1.38.0 -matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" -matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" - -matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" -matrix_synapse_docker_src_files_path: "{{ matrix_synapse_base_path }}/docker-src" -matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" -matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" -matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" -matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" - -# Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/8008 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. -matrix_synapse_container_client_api_host_bind_port: '' - -# Controls whether the matrix-synapse container exposes the plain (unencrypted) Server/Server (Federation) API port (tcp/8048 in the container). -# -# Takes effect only if federation is enabled (matrix_synapse_federation_enabled). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8048"), or empty string to not expose. -matrix_synapse_container_federation_api_plain_host_bind_port: '' - -# Controls whether the matrix-synapse container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container). -# -# Takes effect only if federation is enabled (matrix_synapse_federation_enabled) -# and TLS support is enabled (matrix_synapse_tls_federation_listener_enabled). -# -# Takes an ":" or "" value (e.g. "8448"), or empty string to not expose. -matrix_synapse_container_federation_api_tls_host_bind_port: '' - -# Controls whether the matrix-synapse container exposes the metrics port (tcp/9100 in the container). -# -# Takes effect only if metrics are enabled (matrix_synapse_metrics_enabled). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. -matrix_synapse_container_metrics_api_host_bind_port: '' - -# Controls whether the matrix-synapse container exposes the manhole port (tcp/9000 in the container). -# -# Takes effect only if the manhole is enabled (matrix_synapse_manhole_enabled). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. -matrix_synapse_container_manhole_api_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_synapse_container_extra_arguments: [] - -# List of systemd services that matrix-synapse.service depends on -matrix_synapse_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-synapse.service wants -matrix_synapse_systemd_wanted_services_list: [] - -matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.8/site-packages" - -# Specifies which template files to use when configuring Synapse. -# If you'd like to have your own different configuration, feel free to copy and paste -# the original files into your inventory (e.g. in `inventory/host_vars//`) -# and then change the specific host's `vars.yaml` file like this: -# matrix_synapse_template_synapse_homeserver: "{{ playbook_dir }}/inventory/host_vars//homeserver.yaml.j2" -matrix_synapse_template_synapse_homeserver: "{{ role_path }}/templates/synapse/homeserver.yaml.j2" -matrix_synapse_template_synapse_log: "{{ role_path }}/templates/synapse/synapse.log.config.j2" - -matrix_synapse_macaroon_secret_key: "" -matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}" -matrix_synapse_allow_guest_access: false -matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" - -matrix_synapse_max_upload_size_mb: 50 - -# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. -matrix_synapse_tmp_directory_size_mb: "{{ matrix_synapse_max_upload_size_mb * 50 }}" - -# Log levels -# Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels -# warning: setting log level to DEBUG will make synapse log sensitive information such -# as access tokens. -# -# Increasing verbosity may lead to an excessive amount of log messages being generated, -# some of which may get dropped by systemd-journald on certain distributions (like CentOS 7). -# You can work around it by adding `RateLimitInterval=0` and `RateLimitBurst=0` under `[Storage]` in -# `/etc/systemd/journald.conf` and restarting the logging service (`systemctl restart systemd-journald`). -matrix_synapse_log_level: "WARNING" -matrix_synapse_storage_sql_log_level: "WARNING" -matrix_synapse_root_log_level: "WARNING" - -# Rate limits -matrix_synapse_rc_message: - per_second: 0.2 - burst_count: 10 - -matrix_synapse_rc_registration: - per_second: 0.17 - burst_count: 3 - -matrix_synapse_rc_login: - address: - per_second: 0.17 - burst_count: 3 - account: - per_second: 0.17 - burst_count: 3 - failed_attempts: - per_second: 0.17 - burst_count: 3 - -matrix_synapse_rc_admin_redaction: - per_second: 1 - burst_count: 50 - -matrix_synapse_rc_joins: - local: - per_second: 0.1 - burst_count: 3 - remote: - per_second: 0.01 - burst_count: 3 - -matrix_synapse_rc_federation: - window_size: 1000 - sleep_limit: 10 - sleep_delay: 500 - reject_limit: 50 - concurrent: 3 - -matrix_synapse_federation_rr_transactions_per_room_per_second: 50 - -# Controls whether the TLS federation listener is enabled (tcp/8448). -# Only makes sense if federation is enabled (`matrix_synapse_federation_enabled`). -# Note that federation may potentially be enabled as non-TLS on tcp/8048 as well. -# If you're serving Synapse behind an HTTPS-capable reverse-proxy, -# you can disable the TLS listener (`matrix_synapse_tls_federation_listener_enabled: false`). -matrix_synapse_tls_federation_listener_enabled: true -matrix_synapse_tls_certificate_path: "/data/{{ matrix_server_fqn_matrix }}.tls.crt" -matrix_synapse_tls_private_key_path: "/data/{{ matrix_server_fqn_matrix }}.tls.key" - -# Resource names used by the unsecure HTTP listener. Here only the Client API -# is defined, see the homeserver config for a full list of valid resource -# names. -matrix_synapse_http_listener_resource_names: ["client"] - -# Resources served on Synapse's federation port. -# When disabling federation, we may wish to serve the `openid` resource here, -# so that services like Dimension and ma1sd can work. -matrix_synapse_federation_listener_resource_names: "{{ ['federation'] if matrix_synapse_federation_enabled else (['openid'] if matrix_synapse_federation_port_openid_resource_required else []) }}" - -# Enable this to allow Synapse to report utilization statistics about your server to matrix.org -# (things like number of users, number of messages sent, uptime, load, etc.) -matrix_synapse_report_stats: false - -# Controls whether the Matrix server will track presence status (online, offline, unavailable) for users. -# If users participate in large rooms with many other servers, -# disabling this will decrease server load significantly. -matrix_synapse_presence_enabled: true - -# Controls whether accessing the server's public rooms directory can be done without authentication. -# For private servers, you most likely wish to require authentication, -# unless you know what list of rooms you're publishing to the world and explicitly want to do it. -matrix_synapse_allow_public_rooms_without_auth: false - -# Controls whether remote servers can fetch this server's public rooms directory via federation. -# For private servers, you most likely wish to forbid it. -matrix_synapse_allow_public_rooms_over_federation: false - -# Whether to require authentication to retrieve profile data (avatars, -# display names) of other users through the client API. Defaults to -# 'false'. Note that profile data is also available via the federation -# API, so this setting is of limited value if federation is enabled on -# the server. -matrix_synapse_require_auth_for_profile_requests: false - -# Set to true to require a user to share a room with another user in order -# to retrieve their profile information. Only checked on Client-Server -# requests. Profile requests from other servers should be checked by the -# requesting server. Defaults to 'false'. -matrix_synapse_limit_profile_requests_to_users_who_share_rooms: false - -# Set to false to prevent a user's profile data from being retrieved and -# displayed in a room until they have joined it. By default, a user's -# profile data is included in an invite event, regardless of the values -# of the above two settings, and whether or not the users share a server. -# Defaults to 'true'. -matrix_synapse_include_profile_data_on_invite: true - -# Controls whether people with access to the homeserver can register by themselves. -matrix_synapse_enable_registration: false - -# reCAPTCHA API for validating registration attempts -matrix_synapse_enable_registration_captcha: false -matrix_synapse_recaptcha_public_key: '' -matrix_synapse_recaptcha_private_key: '' - -# Allows non-server-admin users to create groups on this server -matrix_synapse_enable_group_creation: false - -# A list of 3PID types which users must supply when registering (possible values: email, msisdn). -matrix_synapse_registrations_require_3pid: [] - -# A list of patterns 3pids must match in order to permit registration, e.g.: -# - medium: email -# pattern: '.*@example\.com' -# - medium: msisdn -# pattern: '\+44' -matrix_synapse_allowed_local_3pids: [] - -# The server to use for email threepid validation. When empty, Synapse does it by itself. -# Otherwise, this should be pointed to an identity server. -matrix_synapse_account_threepid_delegates_email: '' - -# The server to use for phone number threepid validation. When empty, validation cannot happen, as Synapse doesn't support it. -# To make it work, this should be pointed to an identity server. -matrix_synapse_account_threepid_delegates_msisdn: '' - -# Users who register on this homeserver will automatically be joined to these rooms. -# Rooms are to be specified using addresses (e.g. `#address:example.com`) -matrix_synapse_auto_join_rooms: [] - -# Controls whether auto-join rooms (`matrix_synapse_auto_join_rooms`) are to be created -# automatically if they don't already exist. -matrix_synapse_autocreate_auto_join_rooms: true - -# Controls password-peppering for Synapse. Not to be changed after initial setup. -matrix_synapse_password_config_pepper: "" - -# Controls if Synapse allows people to authenticate against its local database. -# It may be useful to disable this if you've configured additional password providers -# and only wish authentication to happen through them. -matrix_synapse_password_config_localdb_enabled: true - -# Controls the number of events that Synapse caches in memory. -matrix_synapse_event_cache_size: "100K" - -# Controls cache sizes for Synapse. -# Raise this to increase cache sizes or lower it to potentially lower memory use. -# To learn more, see: -# - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram -# - https://github.com/matrix-org/synapse/issues/3939 -matrix_synapse_caches_global_factor: 0.5 - -# Controls whether Synapse will federate at all. -# Disable this to completely isolate your server from the rest of the Matrix network. -# -# Disabling this still keeps the federation port exposed, because it may be used for other services (`openid`). -# -# Also see: -# - `matrix_synapse_tls_federation_listener_enabled` if you wish to keep federation enabled, -# but want to stop the TLS listener (port 8448). -# - `matrix_synapse_federation_port_enabled` to avoid exposing the federation ports -matrix_synapse_federation_enabled: true - -# Controls whether the federation ports are used at all. -# One may wish to disable federation (`matrix_synapse_federation_enabled: true`), -# but still run other resources (like `openid`) on the federation port -# by enabling them in `matrix_synapse_federation_listener_resource_names`. -matrix_synapse_federation_port_enabled: "{{ matrix_synapse_federation_enabled or matrix_synapse_federation_port_openid_resource_required }}" - -# Controls whether an `openid` listener is to be enabled. Useful when disabling federation, -# but needing the `openid` APIs for Dimension or an identity server like ma1sd. -matrix_synapse_federation_port_openid_resource_required: false - -# A list of domain names that are allowed to federate with the given Synapse server. -# An empty list value (`[]`) will also effectively stop federation, but if that's the desired -# result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`. -matrix_synapse_federation_domain_whitelist: ~ - -# A list of additional "volumes" to mount in the container. -# This list gets populated dynamically based on Synapse extensions that have been enabled. -# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} -# -# Note: internally, this uses the `-v` flag for mounting the specified volumes. -# It's better (safer) to use the `--mount` flag for mounting volumes. -# To use `--mount`, specify it in `matrix_synapse_container_extra_arguments`. -# Example: `matrix_synapse_container_extra_arguments: ['--mount type=bind,src=/outside,dst=/inside,ro'] -matrix_synapse_container_additional_volumes: [] - -# A list of additional loggers to register in synapse.log.config. -# This list gets populated dynamically based on Synapse extensions that have been enabled. -# Contains definition objects like this: `{"name": "..", "level": "DEBUG"} -matrix_synapse_additional_loggers: [] - -# A list of appservice config files (in-container filesystem paths). -# This list gets populated dynamically based on Synapse extensions that have been enabled. -# You may wish to use this together with `matrix_synapse_container_additional_volumes` or `matrix_synapse_container_extra_arguments`. -matrix_synapse_app_service_config_files: [] - -# This is set dynamically during execution depending on whether -# any password providers have been enabled or not. -matrix_synapse_password_providers_enabled: false - -# Whether clients can request to include message content in push notifications -# sent through third party servers. Setting this to false requires mobile clients -# to load message content directly from the homeserver. -matrix_synapse_push_include_content: true - -# If url previews should be generated. This will cause a request from Synapse to -# URLs shared by users. -matrix_synapse_url_preview_enabled: true - -# Enable exposure of metrics to Prometheus -# See https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md -matrix_synapse_metrics_enabled: false -matrix_synapse_metrics_port: 9100 - -# Enable the Synapse manhole -# See https://github.com/matrix-org/synapse/blob/master/docs/manhole.md -matrix_synapse_manhole_enabled: false - -# Enable support for Synapse workers -matrix_synapse_workers_enabled: false - -# Specifies worker configuration that should be used when workers are enabled. -# -# The posible values (as seen in `matrix_synapse_workers_presets`) are: -# - "little-federation-helper" - a very minimal worker configuration to improve federation performance -# - "one-of-each" - one worker of each supported type -# -# You can override `matrix_synapse_workers_presets` to define your own presets, which is ill-advised, because it's fragile. -# To use a more custom configuration, start with one of these presets as a base and configure `matrix_synapse_workers_*_count` variables manually, to suit your liking. -matrix_synapse_workers_preset: one-of-each - -matrix_synapse_workers_presets: - little-federation-helper: - generic_workers_count: 0 - pusher_workers_count: 0 - appservice_workers_count: 0 - federation_sender_workers_count: 1 - media_repository_workers_count: 0 - user_dir_workers_count: 0 - frontend_proxy_workers_count: 0 - one-of-each: - generic_workers_count: 1 - pusher_workers_count: 1 - appservice_workers_count: 1 - federation_sender_workers_count: 1 - media_repository_workers_count: 1 - # Disabled until https://github.com/matrix-org/synapse/issues/8787 is resolved. - user_dir_workers_count: 0 - frontend_proxy_workers_count: 1 - -# Controls whether the matrix-synapse container exposes the various worker ports -# (see `port` and `metrics_port` in `matrix_synapse_workers_enabled_list`) outside of the container. -# -# Takes an "" value (e.g. "127.0.0.1", "0.0.0.0", etc), or empty string to not expose. -# It takes "*" to signify "bind on all interfaces" ("0.0.0.0" is IPv4-only). -matrix_synapse_workers_container_host_bind_address: '' - -matrix_synapse_workers_generic_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['generic_workers_count'] }}" -matrix_synapse_workers_generic_workers_port_range_start: 18111 -matrix_synapse_workers_generic_workers_metrics_range_start: 19111 - -# matrix_synapse_workers_pusher_workers_count can only be 0 or 1 for now. -# More instances are not supported due to a playbook limitation having to do with keeping `pusher_instances` in `homeserver.yaml` updated. -# See https://github.com/matrix-org/synapse/commit/ddfdf945064925eba761ae3748e38f3a1c73c328 -matrix_synapse_workers_pusher_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['pusher_workers_count'] }}" -matrix_synapse_workers_pusher_workers_metrics_range_start: 19200 - -# matrix_synapse_workers_appservice_workers_count can only be 0 or 1. More instances are not supported. -matrix_synapse_workers_appservice_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['appservice_workers_count'] }}" -matrix_synapse_workers_appservice_workers_metrics_range_start: 19300 - -# matrix_synapse_workers_federation_sender_workers_count can only be 0 or 1 for now. -# More instances are not supported due to a playbook limitation having to do with keeping `federation_sender_instances` in `homeserver.yaml` updated. -# See https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappfederation_sender -matrix_synapse_workers_federation_sender_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['federation_sender_workers_count'] }}" -matrix_synapse_workers_federation_sender_workers_metrics_range_start: 19400 - -matrix_synapse_workers_media_repository_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['media_repository_workers_count'] }}" -matrix_synapse_workers_media_repository_workers_port_range_start: 18551 -matrix_synapse_workers_media_repository_workers_metrics_range_start: 19551 - -# Disabled until https://github.com/matrix-org/synapse/issues/8787 is resolved. -matrix_synapse_workers_user_dir_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['user_dir_workers_count'] }}" -matrix_synapse_workers_user_dir_workers_port_range_start: 18661 -matrix_synapse_workers_user_dir_workers_metrics_range_start: 19661 - -matrix_synapse_workers_frontend_proxy_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['frontend_proxy_workers_count'] }}" -matrix_synapse_workers_frontend_proxy_workers_port_range_start: 18771 -matrix_synapse_workers_frontend_proxy_workers_metrics_range_start: 19771 - -# Default list of workers to spawn. -# -# Unless you populate this manually, this list is dynamically generated -# based on other variables above: -# - `matrix_synapse_workers_*_workers_count` -# - `matrix_synapse_workers_*_workers_port_range_start` -# - `matrix_synapse_workers_*_workers_port_metrics_range_start` -# -# We advise that you use those variables and let this list be populated dynamically. -# Doing that is simpler and also protects you from shooting yourself in the foot, -# as certain workers can only be spawned just once. -# -# Each worker instance in the list defines the following fields: -# - `type` - the type of worker (`generic_worker`, etc.) -# - `instanceId` - a string that identifies the worker. The combination of (`type` + `instanceId`) represents the name of the worker and must be unique. -# - `port` - an HTTP port where the worker listens for requests (can be `0` for workers that don't do HTTP request processing) -# - `metrics_port` - an HTTP port where the worker exports Prometheus metrics -# -# Example of what this needs to look like, if you're defining it manually: -# matrix_synapse_workers_enabled_list: -# - { type: generic_worker, instanceId: '18111', port: 18111, metrics_port: 19111 } -# - { type: generic_worker, instanceId: '18112', port: 18112, metrics_port: 19112 } -# - { type: generic_worker, instanceId: '18113', port: 18113, metrics_port: 19113 } -# - { type: generic_worker, instanceId: '18114', port: 18114, metrics_port: 19114 } -# - { type: generic_worker, instanceId: '18115', port: 18115, metrics_port: 19115 } -# - { type: generic_worker, instanceId: '18116', port: 18116, metrics_port: 19116 } -# - { type: pusher, instanceId: '0', port: 0, metrics_port: 19200 } -# - { type: appservice, instanceId: '0', port: 0, metrics_port: 19300 } -# - { type: federation_sender, instanceId: '0', port: 0, metrics_port: 19400 } -# - { type: media_repository, instanceId: '18551', port: 18551, metrics_port: 19551 } -matrix_synapse_workers_enabled_list: [] - -# Redis information -matrix_synapse_redis_enabled: false -matrix_synapse_redis_host: "" -matrix_synapse_redis_port: 6379 -matrix_synapse_redis_password: "" - -# Controls whether Synapse starts a replication listener necessary for workers. -# -# If Redis is available, we prefer to use that, instead of talking over Synapse's custom replication protocol. -# -# matrix_synapse_replication_listener_enabled: "{{ matrix_synapse_workers_enabled and not matrix_redis_enabled }}" -# We force-enable this listener for now until we debug why communication via Redis fails. -matrix_synapse_replication_listener_enabled: true - -# Port used for communication between main synapse process and workers. -# Only gets used if `matrix_synapse_replication_listener_enabled: true` -matrix_synapse_replication_http_port: 9093 - -# Send ERROR logs to sentry.io for easier tracking -# To set this up: go to sentry.io, create a python project, and set -# matrix_synapse_sentry_dsn to the URL it gives you. -# See https://github.com/matrix-org/synapse/issues/4632 for important privacy concerns -matrix_synapse_sentry_dsn: "" - -# Postgres database information -matrix_synapse_database_host: "matrix-postgres" -matrix_synapse_database_port: 5432 -matrix_synapse_database_user: "synapse" -matrix_synapse_database_password: "" -matrix_synapse_database_database: "synapse" - -matrix_synapse_turn_uris: [] -matrix_synapse_turn_shared_secret: "" -matrix_synapse_turn_allow_guests: False - -matrix_synapse_email_enabled: false -matrix_synapse_email_smtp_host: "" -matrix_synapse_email_smtp_port: 587 -matrix_synapse_email_smtp_require_transport_security: false -matrix_synapse_email_notif_from: "Matrix " -matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_element }}" - - -# Enable this to activate the REST auth password provider module. -# See: https://github.com/ma1uta/matrix-synapse-rest-password-provider -matrix_synapse_ext_password_provider_rest_auth_enabled: false -matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/ma1uta/matrix-synapse-rest-password-provider/ed377fb70513c2e51b42055eb364195af1ccaf33/rest_auth_provider.py" -matrix_synapse_ext_password_provider_rest_auth_endpoint: "" -matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false -matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true -matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false - -# Enable this to activate the Shared Secret Auth password provider module. -# See: https://github.com/devture/matrix-synapse-shared-secret-auth -matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false -matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.2/shared_secret_authenticator.py" -matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" - -# Enable this to activate LDAP password provider -matrix_synapse_ext_password_provider_ldap_enabled: false -matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389" -matrix_synapse_ext_password_provider_ldap_start_tls: true -matrix_synapse_ext_password_provider_ldap_base: "" -matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid" -matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail" -matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" -matrix_synapse_ext_password_provider_ldap_bind_dn: "" -matrix_synapse_ext_password_provider_ldap_bind_password: "" -matrix_synapse_ext_password_provider_ldap_filter: "" -matrix_synapse_ext_password_provider_ldap_active_directory: false -matrix_synapse_ext_password_provider_ldap_default_domain: "" - -# Enable this to activate the Synapse Antispam spam-checker module. -# See: https://github.com/t2bot/synapse-simple-antispam -matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled: false -matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "https://github.com/t2bot/synapse-simple-antispam" -matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "923ca5c85b08f157181721abbae50dd89c31e4b5" -matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: [] - -# Enable this to activate the Mjolnir Antispam spam-checker module. -# See: https://github.com/matrix-org/mjolnir#synapse-module -matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: false -matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url: "https://github.com/matrix-org/mjolnir" -matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "70f353fbbad0af469b1001080dea194d512b2815" -matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true -# Flag messages sent by servers/users in the ban lists as spam. Currently -# this means that spammy messages will appear as empty to users. Default -# false. -matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages: false -# Remove users from the user directory search by filtering matrix IDs and -# display names by the entries in the user ban list. Default false. -matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false -# The room IDs of the ban lists to honour. Unlike other parts of Mjolnir, -# this list cannot be room aliases or permalinks. This server is expected -# to already be joined to the room - Mjolnir will not automatically join -# these rooms. -# ["!roomid:example.org"] -matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: [] - - -matrix_s3_media_store_enabled: false -matrix_s3_media_store_custom_endpoint_enabled: false -matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" -matrix_s3_goofys_docker_image_force_pull: "{{ matrix_s3_goofys_docker_image.endswith(':latest') }}" -matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" -matrix_s3_media_store_bucket_name: "your-bucket-name" -matrix_s3_media_store_aws_access_key: "your-aws-access-key" -matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" -matrix_s3_media_store_region: "eu-central-1" -matrix_s3_media_store_path: "{{ matrix_synapse_media_store_path }}" - -# Controls whether the self-check feature should validate SSL certificates. -matrix_synapse_self_check_validate_certificates: true - -# Controls whether searching the public room list is enabled. -matrix_synapse_enable_room_list_search: true - -# Controls who's allowed to create aliases on this server. -matrix_synapse_alias_creation_rules: - - user_id: "*" - alias: "*" - room_id: "*" - action: allow - -# Controls who can publish and which rooms can be published in the public room list. -matrix_synapse_room_list_publication_rules: - - user_id: "*" - alias: "*" - room_id: "*" - action: allow - -matrix_synapse_default_room_version: "6" - -# Controls the Synapse `spam_checker` setting. -# -# If a spam-checker extension is enabled, this variable's value is set automatically by the playbook during runtime. -# If not, you can also control its value manually. -matrix_synapse_spam_checker: [] - -matrix_synapse_trusted_key_servers: - - server_name: "matrix.org" - -matrix_synapse_redaction_retention_period: 7d - -matrix_synapse_user_ips_max_age: 28d - - -matrix_synapse_rust_synapse_compress_state_docker_image: "devture/rust-synapse-compress-state:v0.1.0" -matrix_synapse_rust_synapse_compress_state_docker_image_force_pull: "{{ matrix_synapse_rust_synapse_compress_state_docker_image.endswith(':latest') }}" - -matrix_synapse_rust_synapse_compress_state_base_path: "{{ matrix_base_data_path }}/rust-synapse-compress-state" - - -# Default Synapse configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_synapse_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_synapse_configuration_yaml: "{{ lookup('template', 'templates/synapse/homeserver.yaml.j2') }}" - -matrix_synapse_configuration_extension_yaml: | - # Your custom YAML configuration for Synapse goes here. - # This configuration extends the default starting configuration (`matrix_synapse_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_synapse_configuration_yaml`. - # - # Example configuration extension follows: - # - # server_notices: - # system_mxid_localpart: notices - # system_mxid_display_name: "Server Notices" - # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" - # room_name: "Server Notices" - -matrix_synapse_configuration_extension: "{{ matrix_synapse_configuration_extension_yaml|from_yaml if matrix_synapse_configuration_extension_yaml|from_yaml is mapping else {} }}" - -# Holds the final Synapse configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_synapse_configuration_yaml`. -matrix_synapse_configuration: "{{ matrix_synapse_configuration_yaml|from_yaml|combine(matrix_synapse_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-synapse/files/workers-doc-to-yaml.awk b/roles/matrix-synapse/files/workers-doc-to-yaml.awk deleted file mode 100755 index d9295e32..00000000 --- a/roles/matrix-synapse/files/workers-doc-to-yaml.awk +++ /dev/null @@ -1,146 +0,0 @@ -#!/usr/bin/awk -# Hackish approach to get a machine-readable list of current matrix -# synapse REST API endpoints from the official documentation at -# https://github.com/matrix-org/synapse/raw/master/docs/workers.md -# -# invoke in shell with: -# URL=https://github.com/matrix-org/synapse/raw/master/docs/workers.md -# curl -L ${URL} | awk -f workers-doc-to-yaml.awk - - -function worker_stanza_append(string) { - worker_stanza = worker_stanza string -} - -function line_is_endpoint_url(line) { - # probably API endpoint if it starts with white-space and ^ or / - return (line ~ /^ +[\^\/].*\//) -} - -# Put YAML marker at beginning of file. -BEGIN { - print "---" - endpoint_conditional_comment = " # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually\n" -} - -# Enable further processing after the introductory text. -# Read each synapse worker section as record and its lines as fields. -/Available worker applications/ { - enable_parsing = 1 - # set record separator to markdown section header - RS = "\n### " - # set field separator to newline - FS = "\n" -} - -# Once parsing is active, this will process each section as record. -enable_parsing { - # Each worker section starts with a synapse.app.X headline - if ($1 ~ /synapse\.app\./) { - - # get rid of the backticks and extract worker type from headline - gsub("`", "", $1) - gsub("synapse.app.", "", $1) - worker_type = $1 - - # initialize empty worker stanza - worker_stanza = "" - - # track if any endpoints are mentioned in a specific section - worker_has_urls = 0 - - # some endpoint descriptions contain flag terms - endpoints_seem_conditional = 0 - - # also, collect a list of available workers - workers = (workers ? workers "\n" : "") " - " worker_type - - # loop through the lines (2 - number of fields in record) - for (i = 2; i < NF + 1; i++) { - # copy line for gsub replacements - line = $i - - # end all lines but the last with a linefeed - linefeed = (i < NF - 1) ? "\n" : "" - - # line starts with white-space and a hash: endpoint block headline - if (line ~ /^ +#/) { - - # copy to output verbatim, normalizing white-space - gsub(/^ +/, "", line) - worker_stanza_append(" " line linefeed) - - } else if (line_is_endpoint_url(line)) { - - # mark section for special output formatting - worker_has_urls = 1 - - # remove leading white-space - gsub(/^ +/, "", line) - api_endpoint_regex = line - - # FIXME: https://github.com/matrix-org/synapse/issues/new - # munge inconsistent media_repository endpoint notation - if (api_endpoint_regex == "/_matrix/media/") { - api_endpoint_regex = "^" line - } - - # FIXME: https://github.com/matrix-org/synapse/issues/7530 - # https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456#issuecomment-719015911 - if (api_endpoint_regex == "^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$") { - worker_stanza_append(" # FIXME: possible bug with SSO and multiple generic workers\n") - worker_stanza_append(" # see https://github.com/matrix-org/synapse/issues/7530\n") - worker_stanza_append(" # " api_endpoint_regex linefeed) - continue - } - - # disable endpoints which specify complications - if (endpoints_seem_conditional) { - # only add notice if previous line didn't match - if (!line_is_endpoint_url($(i - 1))) { - worker_stanza_append(endpoint_conditional_comment) - } - worker_stanza_append(" # " api_endpoint_regex linefeed) - } else { - # output endpoint regex - worker_stanza_append(" - " api_endpoint_regex linefeed) - } - - # white-space only line? - } else if (line ~ /^ *$/) { - - if (i > 3 && i < NF) { - # print white-space lines unless 1st or last line in section - worker_stanza_append(line linefeed) - } - - # nothing of the above: the line is regular documentation text - } else { - - # include this text line as comment - worker_stanza_append(" # " line linefeed) - - # and take note of words hinting at additional conditions to be met - if (line ~ /(^| )[Ii]f |(^| )[Ff]or /) { - endpoints_seem_conditional = 1 - } - } - } - - if (worker_has_urls) { - print "\nmatrix_synapse_workers_" worker_type "_endpoints:" - print worker_stanza - } else { - # include workers without endpoints as well for reference - print "\n# " worker_type " worker (no API endpoints) [" - print worker_stanza - print "# ]" - } - } -} - -END { - print "\nmatrix_synapse_workers_avail_list:" - print workers | "sort" -} - -# vim: tabstop=4 shiftwidth=4 expandtab autoindent diff --git a/roles/matrix-synapse/files/workers-doc-to-yaml.sh b/roles/matrix-synapse/files/workers-doc-to-yaml.sh deleted file mode 100755 index 5981523b..00000000 --- a/roles/matrix-synapse/files/workers-doc-to-yaml.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh -# Fetch the synapse worker documentation and extract endpoint URLs -# matrix-org/synapse master branch points to current stable release - -URL=https://github.com/matrix-org/synapse/raw/master/docs/workers.md -curl -L ${URL} | awk -f workers-doc-to-yaml.awk > ../vars/workers.yml diff --git a/roles/matrix-synapse/tasks/ext/ldap-auth/setup.yml b/roles/matrix-synapse/tasks/ext/ldap-auth/setup.yml deleted file mode 100644 index e760626d..00000000 --- a/roles/matrix-synapse/tasks/ext/ldap-auth/setup.yml +++ /dev/null @@ -1,8 +0,0 @@ -- set_fact: - matrix_synapse_password_providers_enabled: true - - matrix_synapse_additional_loggers: > - {{ matrix_synapse_additional_loggers }} - + - {{ [{'name': 'ldap_auth_provider', 'level': 'INFO'}] }} - when: matrix_synapse_ext_password_provider_ldap_enabled|bool diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml deleted file mode 100644 index 6c45f469..00000000 --- a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool - -- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" - when: "not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool" diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml deleted file mode 100644 index a416e42b..00000000 --- a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml +++ /dev/null @@ -1,52 +0,0 @@ ---- - -- name: Ensure git installed (RedHat) - yum: - name: - - git - state: present - update_cache: no - when: "ansible_os_family == 'RedHat'" - -- name: Ensure git installed (Debian) - apt: - name: - - git - state: present - update_cache: no - when: "ansible_os_family == 'Debian'" - -- name: Ensure git installed (Archlinux) - pacman: - name: - - git - state: present - update_cache: no - when: "ansible_distribution == 'Archlinux'" - -- name: Clone mjolnir-antispam git repository - git: - repo: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url }}" - version: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version }}" - dest: "{{ matrix_synapse_ext_path }}/mjolnir" - become: true - become_user: "{{ matrix_user_username }}" - -- set_fact: - matrix_synapse_spam_checker: > - {{ matrix_synapse_spam_checker }} - + - [{ - "module": "mjolnir.AntiSpam", - "config": { - "block_invites": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites }}, - "block_messages": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages }}, - "block_usernames": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames }}, - "ban_lists": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists }} - } - }] - - matrix_synapse_container_extra_arguments: > - {{ matrix_synapse_container_extra_arguments|default([]) }} - + - ["--mount type=bind,src={{ matrix_synapse_ext_path }}/mjolnir/synapse_antispam/mjolnir,dst={{ matrix_synapse_in_container_python_packages_path }}/mjolnir,ro"] diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml deleted file mode 100644 index f8439a87..00000000 --- a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- name: Ensure mjolnir-antispam doesn't exist - file: - path: "{{ matrix_synapse_ext_path }}/mjolnir" - state: absent diff --git a/roles/matrix-synapse/tasks/ext/rest-auth/setup.yml b/roles/matrix-synapse/tasks/ext/rest-auth/setup.yml deleted file mode 100644 index 0270784a..00000000 --- a/roles/matrix-synapse/tasks/ext/rest-auth/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_install.yml" - when: matrix_synapse_ext_password_provider_rest_auth_enabled|bool - -- import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_uninstall.yml" - when: "not matrix_synapse_ext_password_provider_rest_auth_enabled|bool" diff --git a/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml b/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml deleted file mode 100644 index 634b1ca5..00000000 --- a/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- - -- name: Fail if REST Auth endpoint not configured - fail: - msg: "You have enabled the REST Auth password provider, but have not configured its endpoint in the `matrix_synapse_ext_password_provider_rest_auth_endpoint` variable. Consult the documentation." - when: "matrix_synapse_ext_password_provider_rest_auth_endpoint == ''" - -- name: Download matrix-synapse-rest-auth - get_url: - url: "{{ matrix_synapse_ext_password_provider_rest_auth_download_url }}" - dest: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py" - force: true - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- set_fact: - matrix_synapse_password_providers_enabled: true - - matrix_synapse_container_extra_arguments: > - {{ matrix_synapse_container_extra_arguments|default([]) }} - + - ["--mount type=bind,src={{ matrix_synapse_ext_path }}/rest_auth_provider.py,dst={{ matrix_synapse_in_container_python_packages_path }}/rest_auth_provider.py,ro"] - - matrix_synapse_additional_loggers: > - {{ matrix_synapse_additional_loggers }} - + - {{ [{'name': 'rest_auth_provider', 'level': 'INFO'}] }} diff --git a/roles/matrix-synapse/tasks/ext/rest-auth/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/rest-auth/setup_uninstall.yml deleted file mode 100644 index be8ad600..00000000 --- a/roles/matrix-synapse/tasks/ext/rest-auth/setup_uninstall.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- name: Ensure matrix-synapse-rest-auth doesn't exist - file: - path: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py" - state: absent diff --git a/roles/matrix-synapse/tasks/ext/setup.yml b/roles/matrix-synapse/tasks/ext/setup.yml deleted file mode 100644 index 31637fa9..00000000 --- a/roles/matrix-synapse/tasks/ext/setup.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup.yml" - -- import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup.yml" - -- import_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup.yml" - -- import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup.yml" - -- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup.yml" diff --git a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml deleted file mode 100644 index ed8d0197..00000000 --- a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_install.yml" - when: matrix_synapse_ext_password_provider_shared_secret_auth_enabled|bool - -- import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml" - when: "not matrix_synapse_ext_password_provider_shared_secret_auth_enabled|bool" diff --git a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml deleted file mode 100644 index af92041d..00000000 --- a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- - -- name: Fail if Shared Secret Auth secret not set - fail: - msg: "Shared Secret Auth is enabled, but no secret has been set in matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret" - when: "matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret == ''" - -- name: Download matrix-synapse-shared-secret-auth - get_url: - url: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_download_url }}" - dest: "{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py" - force: true - mode: 0440 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- set_fact: - matrix_synapse_password_providers_enabled: true - - matrix_synapse_container_extra_arguments: > - {{ matrix_synapse_container_extra_arguments|default([]) }} - + - ["--mount type=bind,src={{ matrix_synapse_ext_path }}/shared_secret_authenticator.py,dst={{ matrix_synapse_in_container_python_packages_path }}/shared_secret_authenticator.py,ro"] - - matrix_synapse_additional_loggers: > - {{ matrix_synapse_additional_loggers }} - + - {{ [{'name': 'shared_secret_authenticator', 'level': 'INFO'}] }} diff --git a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_uninstall.yml deleted file mode 100644 index e564909e..00000000 --- a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_uninstall.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- name: Ensure matrix-synapse-shared-secret-auth doesn't exist - file: - path: "{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py" - state: absent diff --git a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml deleted file mode 100644 index efd4a027..00000000 --- a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml" - when: matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled|bool - -- import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_uninstall.yml" - when: "not matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled|bool" diff --git a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml deleted file mode 100644 index 2599e7f1..00000000 --- a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- - -- name: Fail if Synapse Simple Antispam blocked homeservers is not set - fail: - msg: "Synapse Simple Antispam is enabled, but no blocked homeservers have been set in matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers" - when: "matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers|length == 0" - -- name: Ensure git installed (RedHat) - yum: - name: - - git - state: present - update_cache: no - when: "ansible_os_family == 'RedHat'" - -- name: Ensure git installed (Debian) - apt: - name: - - git - state: present - update_cache: no - when: "ansible_os_family == 'Debian'" - -- name: Ensure git installed (Archlinux) - pacman: - name: - - git - state: present - update_cache: no - when: "ansible_distribution == 'Archlinux'" - -- name: Clone synapse-simple-antispam git repository - git: - repo: "{{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url }}" - version: "{{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version }}" - dest: "{{ matrix_synapse_ext_path }}/synapse-simple-antispam" - become: true - become_user: "{{ matrix_user_username }}" - -- set_fact: - matrix_synapse_spam_checker: > - {{ matrix_synapse_spam_checker }} - + - [{ - "module": "synapse_simple_antispam.AntiSpamInvites", - "config": { - "blocked_homeservers": {{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers }} - } - }] - - matrix_synapse_container_extra_arguments: > - {{ matrix_synapse_container_extra_arguments|default([]) }} - + - ["--mount type=bind,src={{ matrix_synapse_ext_path }}/synapse-simple-antispam/synapse_simple_antispam,dst={{ matrix_synapse_in_container_python_packages_path }}/synapse_simple_antispam,ro"] diff --git a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_uninstall.yml deleted file mode 100644 index 14cefc72..00000000 --- a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_uninstall.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- name: Ensure synapse-simple-antispam doesn't exist - file: - path: "{{ matrix_synapse_ext_path }}/synapse-simple-antispam" - state: absent diff --git a/roles/matrix-synapse/tasks/goofys/setup.yml b/roles/matrix-synapse/tasks/goofys/setup.yml deleted file mode 100644 index 6370408d..00000000 --- a/roles/matrix-synapse/tasks/goofys/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- import_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" - when: matrix_s3_media_store_enabled|bool - -- import_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" - when: "not matrix_s3_media_store_enabled|bool" diff --git a/roles/matrix-synapse/tasks/goofys/setup_install.yml b/roles/matrix-synapse/tasks/goofys/setup_install.yml deleted file mode 100644 index b5e95614..00000000 --- a/roles/matrix-synapse/tasks/goofys/setup_install.yml +++ /dev/null @@ -1,41 +0,0 @@ -- name: Ensure Goofys Docker image is pulled - docker_image: - name: "{{ matrix_s3_goofys_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_s3_goofys_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_s3_goofys_docker_image_force_pull }}" - -# This will throw a Permission Denied error if already mounted -- name: Check Matrix Goofys external storage mountpoint path - stat: - path: "{{ matrix_s3_media_store_path }}" - register: local_path_matrix_s3_media_store_path_stat - ignore_errors: yes - -- name: Ensure Matrix Goofys external storage mountpoint exists - file: - path: "{{ matrix_s3_media_store_path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "not local_path_matrix_s3_media_store_path_stat.failed and not local_path_matrix_s3_media_store_path_stat.stat.exists" - -- name: Ensure goofys environment variables file created - template: - src: "{{ role_path }}/templates/goofys/env-goofys.j2" - dest: "{{ matrix_synapse_config_dir_path }}/env-goofys" - owner: root - mode: 0600 - -- name: Ensure matrix-goofys.service installed - template: - src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-goofys.service" - mode: 0644 - register: matrix_goofys_systemd_service_result - -- name: Ensure systemd reloaded after matrix-goofys.service installation - service: - daemon_reload: yes - when: "matrix_goofys_systemd_service_result.changed" diff --git a/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml b/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml deleted file mode 100644 index 91d43456..00000000 --- a/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml +++ /dev/null @@ -1,33 +0,0 @@ -- name: Check existence of matrix-goofys service - stat: - path: "{{ matrix_systemd_path }}/matrix-goofys.service" - register: matrix_goofys_service_stat - -- name: Ensure matrix-goofys is stopped - service: - name: matrix-goofys - state: stopped - daemon_reload: yes - register: stopping_result - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure matrix-goofys.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-goofys.service" - state: absent - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-goofys.service removal - service: - daemon_reload: yes - when: "matrix_goofys_service_stat.stat.exists" - -- name: Ensure goofys environment variables file doesn't exist - file: - path: "{{ matrix_synapse_config_dir_path }}/env-goofys" - state: absent - -- name: Ensure Goofys Docker image doesn't exist - docker_image: - name: "{{ matrix_s3_goofys_docker_image }}" - state: absent diff --git a/roles/matrix-synapse/tasks/import_media_store.yml b/roles/matrix-synapse/tasks/import_media_store.yml deleted file mode 100644 index 487bcb35..00000000 --- a/roles/matrix-synapse/tasks/import_media_store.yml +++ /dev/null @@ -1,83 +0,0 @@ ---- - -# Pre-checks - -- name: Fail if playbook called incorrectly - fail: - msg: "The `server_path_media_store` variable needs to be provided to this playbook, via --extra-vars" - when: "server_path_media_store is not defined or server_path_media_store.startswith('<')" - -- name: Fail if media store is on Amazon S3 - fail: - msg: "Your media store is on Amazon S3. Due to technical limitations, restoring is not supported." - when: matrix_s3_media_store_enabled|bool - -- name: Check if the provided media store directory exists - stat: - path: "{{ server_path_media_store }}" - register: server_path_media_store_stat - -- name: Fail if provided media store directory doesn't exist on the server - fail: - msg: "{{ server_path_media_store }} cannot be found on the server" - when: "not server_path_media_store_stat.stat.exists or not server_path_media_store_stat.stat.isdir" - -- name: Check if media store contains local_content - stat: - path: "{{ server_path_media_store }}/local_content" - register: server_path_media_store_local_content_stat - -- name: Check if media store contains remote_content - stat: - path: "{{ server_path_media_store }}/remote_content" - register: server_path_media_store_remote_content_stat - -- name: Fail if media store directory doesn't look okay (lacking remote and local content) - fail: - msg: "{{ server_path_media_store }} contains neither local_content nor remote_content directories. It's most likely a mistake and is not a media store directory." - when: "not server_path_media_store_local_content_stat.stat.exists and not server_path_media_store_remote_content_stat.stat.exists" - - -# Actual import work - -- name: Ensure matrix-synapse is stopped - service: - name: matrix-synapse - state: stopped - daemon_reload: yes - register: stopping_result - -# This can only work with local files, not if the media store is on Amazon S3, -# as it won't be accessible in such a case. -- name: Ensure provided media store directory is synchronized - synchronize: - src: "{{ server_path_media_store }}/" - dest: "{{ matrix_synapse_media_store_path }}" - delete: yes - # It's wasteful to preserve owner/group now. We chown below anyway. - owner: no - group: no - times: yes - delegate_to: "{{ inventory_hostname }}" - -# This is for the generic case and fails in other cases (remote file systems), -# because in such cases the base path (matrix_synapse_media_store_path) is a mount point. -- name: Ensure media store permissions are correct (generic case) - file: - path: "{{ matrix_synapse_media_store_path }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - recurse: yes - when: "not matrix_s3_media_store_enabled|bool" - -# We don't chown for Goofys, because due to the way it's mounted, -# all files become owned by whoever needs to own them. - -- name: Ensure Synapse is started (if it previously was) - service: - name: "{{ item }}" - state: started - daemon_reload: yes - when: "stopping_result.changed" - with_items: - - matrix-synapse diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml deleted file mode 100644 index bc23fc86..00000000 --- a/roles/matrix-synapse/tasks/init.yml +++ /dev/null @@ -1,26 +0,0 @@ -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 -- name: Fail if trying to self-build on Ansible < 2.8 - fail: - msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build and matrix_synapse_enabled" - -# Unless `matrix_synapse_workers_enabled_list` is explicitly defined, -# we'll generate it dynamically. -- import_tasks: "{{ role_path }}/tasks/synapse/workers/init.yml" - when: "matrix_synapse_enabled and matrix_synapse_workers_enabled and matrix_synapse_workers_enabled_list|length == 0" - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse.service'] }}" - when: matrix_synapse_enabled|bool - -- name: Ensure systemd services for workers are injected - include_tasks: "{{ role_path }}/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml" - with_items: "{{ matrix_synapse_workers_enabled_list }}" - loop_control: - loop_var: matrix_synapse_worker_details - when: matrix_synapse_enabled|bool and matrix_synapse_workers_enabled|bool - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" - when: matrix_s3_media_store_enabled|bool diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml deleted file mode 100644 index 8bf1c563..00000000 --- a/roles/matrix-synapse/tasks/main.yml +++ /dev/null @@ -1,55 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup|bool and matrix_synapse_enabled|bool - tags: - - setup-all - - setup-synapse - -- import_tasks: "{{ role_path }}/tasks/setup_synapse.yml" - when: run_setup|bool - tags: - - setup-all - - setup-synapse - -- import_tasks: "{{ role_path }}/tasks/import_media_store.yml" - when: run_synapse_import_media_store|bool - tags: - - import-synapse-media-store - -- import_tasks: "{{ role_path }}/tasks/register_user.yml" - when: run_synapse_register_user|bool - tags: - - register-user - -- import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check|bool - tags: - - self-check - -- import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check|bool - tags: - - self-check - -- import_tasks: "{{ role_path }}/tasks/update_user_password.yml" - when: run_synapse_update_user_password|bool - tags: - - update-user-password - -- import_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/main.yml" - when: run_synapse_rust_synapse_compress_state|bool - tags: - - rust-synapse-compress-state - -- name: Mark matrix-synapse role as executed - set_fact: - matrix_synapse_role_executed: true - tags: - - always diff --git a/roles/matrix-synapse/tasks/register_user.yml b/roles/matrix-synapse/tasks/register_user.yml deleted file mode 100644 index 9c2a3ea0..00000000 --- a/roles/matrix-synapse/tasks/register_user.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- - -- name: Fail if playbook called incorrectly - fail: - msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" - when: "username is not defined or username == ''" - -- name: Fail if playbook called incorrectly - fail: - msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" - when: "password is not defined or password == ''" - -- name: Fail if playbook called incorrectly - fail: - msg: "The `admin` variable needs to be provided to this playbook, via --extra-vars" - when: "admin is not defined or admin not in ['yes', 'no']" - -- name: Ensure matrix-synapse is started - service: - name: matrix-synapse - state: started - daemon_reload: yes - register: start_result - -- name: Wait a while, so that Synapse can manage to start - pause: - seconds: 7 - when: "start_result.changed" - -- name: Register user - command: "{{ matrix_local_bin_path }}/matrix-synapse-register-user {{ username|quote }} {{ password|quote }} {{ '1' if admin == 'yes' else '0' }}" diff --git a/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml b/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml deleted file mode 100644 index 46cad808..00000000 --- a/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml +++ /dev/null @@ -1,48 +0,0 @@ -- debug: - msg: "Compressing room `{{ room_details.room_id }}` having {{ room_details.count }} state group rows" - -- name: Generate rust-synapse-compress-state room compression command - set_fact: - matrix_synapse_rust_synapse_compress_state_compress_room_command: >- - {{ matrix_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-compress-room - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work - {{ matrix_synapse_rust_synapse_compress_state_docker_image }} - /synapse-compress-state -t -o /work/state-compressor.sql - -p "host={{ matrix_synapse_database_host }} user={{ matrix_synapse_database_user }} password={{ matrix_synapse_database_password }} dbname={{ matrix_synapse_database_database }}" - -r '{{ room_details.room_id }}' - -- name: Run rust-synapse-compress-state room compression command (SQL generation) - command: "{{ matrix_synapse_rust_synapse_compress_state_compress_room_command }}" - async: "{{ matrix_synapse_rust_synapse_compress_state_compress_room_time }}" - poll: 10 - register: matrix_synapse_rust_synapse_compress_state_compress_room_command_result - -- debug: var="matrix_synapse_rust_synapse_compress_state_compress_room_command_result" - -- name: Generate Postgres compression SQL import command - set_fact: - matrix_synapse_rust_synapse_compress_state_psql_import_command: >- - {{ matrix_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-psql-import - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - --mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work,ro - --entrypoint=/bin/sh - {{ matrix_postgres_docker_image_latest }} - -c "cat /work/state-compressor.sql | - psql -v ON_ERROR_STOP=1 -h matrix-postgres -d {{ matrix_synapse_database_database }}" - -- name: Import compression SQL into Postgres - command: "{{ matrix_synapse_rust_synapse_compress_state_psql_import_command }}" - async: "{{ matrix_synapse_rust_synapse_compress_state_psql_import_time }}" - poll: 10 - register: matrix_synapse_rust_synapse_compress_state_psql_import_command_result - -- name: Clean up - file: - path: "{{ matrix_synapse_rust_synapse_compress_state_base_path }}/state-compressor.sql" - state: absent diff --git a/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml b/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml deleted file mode 100644 index 106c59d5..00000000 --- a/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml +++ /dev/null @@ -1,118 +0,0 @@ -# Pre-checks - -- name: Fail if Postgres not enabled - fail: - msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot use rust-synapse-compress-state." - when: "not matrix_postgres_enabled|bool" - - -# Defaults - -- name: Set matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time, if not provided - set_fact: - matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 300 - when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time|default('') == ''" - -- name: Set matrix_synapse_rust_synapse_compress_state_compress_room_time, if not provided - set_fact: - matrix_synapse_rust_synapse_compress_state_compress_room_time: 1800 - when: "matrix_synapse_rust_synapse_compress_state_compress_room_time|default('') == ''" - -- name: Set matrix_synapse_rust_synapse_compress_state_psql_import_time, if not provided - set_fact: - matrix_synapse_rust_synapse_compress_state_psql_import_time: 1800 - when: "matrix_synapse_rust_synapse_compress_state_psql_import_time|default('') == ''" - -- name: Set matrix_synapse_rust_synapse_compress_state_min_state_groups_required, if not provided - set_fact: - # The minimum number of state groups we're looking for before we consider a room eligible for compression. - # Rooms with a smaller state groups count will not be compressed. - matrix_synapse_rust_synapse_compress_state_min_state_groups_required: 100000 - when: "matrix_synapse_rust_synapse_compress_state_min_state_groups_required|default('') == ''" - - -# Actual compression work - -- name: Ensure rust-synapse-compress-state paths exist - file: - path: "{{ matrix_synapse_rust_synapse_compress_state_base_path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure rust-synapse-compress-state image is pulled - docker_image: - name: "{{ matrix_synapse_rust_synapse_compress_state_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_synapse_rust_synapse_compress_state_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_rust_synapse_compress_state_docker_image_force_pull }}" - -- name: Generate rust-synapse-compress-state room find command - set_fact: - matrix_synapse_rust_synapse_compress_state_find_rooms_command: >- - {{ matrix_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-find-rooms - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --network={{ matrix_docker_network }} - --env-file={{ matrix_postgres_base_path }}/env-postgres-psql - {{ matrix_postgres_docker_image_latest }} - psql -v ON_ERROR_STOP=1 -h matrix-postgres {{ matrix_synapse_database_database }} -c - 'SELECT array_to_json(array_agg(row_to_json (r))) FROM (SELECT room_id, count(*) AS count FROM state_groups_state GROUP BY room_id HAVING count(*) > {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} ORDER BY count DESC) r;' - -- name: Find rooms eligible for compression with rust-synapse-compress-state - command: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command }}" - async: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time }}" - poll: 10 - register: matrix_synapse_rust_synapse_compress_state_find_rooms_command_result - -# We expect the output to be like this: -# -# "stdout_lines": [ -# " array_to_json ", -# "----------------------------------------------------------------------------------------------------------------------------", -# " [{\"room_id\":\"!some-id\",\"count\":2461329},{\"room_id\":\"!another-id\",\"count\":512017}]", -# "(1 row)" -# ] -# -# Row 3 (out of 4) contains the actual result. -# -# Row 3 contains a space when there's no result. - -- block: - - debug: var="matrix_synapse_rust_synapse_compress_state_find_rooms_command_result" - - - name: Fail if room find result is not what we expect - fail: - msg: >- - Expecting 4 lines in the "find rooms" result. - when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.failed or matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines|length != 4" - -- block: - # matrix_synapse_rust_synapse_compress_state_eligible_rooms is a list - # of dictionaries like this: {'room_id': '!some-id', 'count': 2461329} - - set_fact: - matrix_synapse_rust_synapse_compress_state_eligible_rooms: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines[2] | from_json }}" - - - name: Display rooms that will be compressed - debug: - msg: >- - The following rooms contain more than {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} state group rows - (configurable via `matrix_synapse_rust_synapse_compress_state_min_state_groups_required`) - and will be compressed: - {{ matrix_synapse_rust_synapse_compress_state_eligible_rooms }} - - - name: Compress room state - include_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/compress_room.yml" - with_items: "{{ matrix_synapse_rust_synapse_compress_state_eligible_rooms }}" - loop_control: - loop_var: room_details - when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines[2] != ' '" - -- name: Show notice about lack of rooms to compress - debug: - msg: >- - No rooms were found to contain more than {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} state group rows - (configurable via `matrix_synapse_rust_synapse_compress_state_min_state_groups_required`), - so there's nothing to compress. - when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines[2] == ' '" diff --git a/roles/matrix-synapse/tasks/self_check_client_api.yml b/roles/matrix-synapse/tasks/self_check_client_api.yml deleted file mode 100644 index 30244d50..00000000 --- a/roles/matrix-synapse/tasks/self_check_client_api.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- name: Check Matrix Client API - uri: - url: "{{ matrix_synapse_client_api_url_endpoint_public }}" - follow_redirects: none - validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" - register: result_matrix_synapse_client_api - ignore_errors: true - check_mode: no - when: matrix_synapse_enabled|bool - -- name: Fail if Matrix Client API not working - fail: - msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_synapse_client_api }}" - when: "matrix_synapse_enabled|bool and (result_matrix_synapse_client_api.failed or 'json' not in result_matrix_synapse_client_api)" - -- name: Report working Matrix Client API - debug: - msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`) is working" - when: matrix_synapse_enabled|bool diff --git a/roles/matrix-synapse/tasks/self_check_federation_api.yml b/roles/matrix-synapse/tasks/self_check_federation_api.yml deleted file mode 100644 index 57c9e56b..00000000 --- a/roles/matrix-synapse/tasks/self_check_federation_api.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- - -- name: Check Matrix Federation API - uri: - url: "{{ matrix_synapse_federation_api_url_endpoint_public }}" - follow_redirects: none - validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" - register: result_matrix_synapse_federation_api - ignore_errors: true - check_mode: no - when: matrix_synapse_enabled|bool - -- name: Fail if Matrix Federation API not working - fail: - msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}" - when: "matrix_synapse_enabled|bool and matrix_synapse_federation_enabled|bool and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)" - -- name: Fail if Matrix Federation API unexpectedly enabled - fail: - msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) despite being disabled." - when: "matrix_synapse_enabled|bool and not matrix_synapse_federation_enabled|bool and not result_matrix_synapse_federation_api.failed" - -- name: Report working Matrix Federation API - debug: - msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working" - when: "matrix_synapse_enabled|bool and matrix_synapse_federation_enabled|bool" diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml deleted file mode 100644 index f8bc05a1..00000000 --- a/roles/matrix-synapse/tasks/setup_synapse.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -- name: Ensure Synapse paths exist - file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - { path: "{{ matrix_synapse_config_dir_path }}", when: true } - - { path: "{{ matrix_synapse_ext_path }}", when: true } - - { path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}" } - # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), - # because if it's using Goofys and it's already mounted (from before), - # trying to chown/chmod it here will cause trouble. - when: "(matrix_synapse_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when" - -- import_tasks: "{{ role_path }}/tasks/ext/setup.yml" - -- import_tasks: "{{ role_path }}/tasks/synapse/workers/setup.yml" - -- import_tasks: "{{ role_path }}/tasks/synapse/setup.yml" - -- import_tasks: "{{ role_path }}/tasks/goofys/setup.yml" diff --git a/roles/matrix-synapse/tasks/synapse/setup.yml b/roles/matrix-synapse/tasks/synapse/setup.yml deleted file mode 100644 index b5d27c36..00000000 --- a/roles/matrix-synapse/tasks/synapse/setup.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- import_tasks: "{{ role_path }}/tasks/synapse/setup_install.yml" - when: matrix_synapse_enabled|bool - -- import_tasks: "{{ role_path }}/tasks/synapse/setup_uninstall.yml" - when: "not matrix_synapse_enabled|bool" diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml deleted file mode 100644 index b658cfff..00000000 --- a/roles/matrix-synapse/tasks/synapse/setup_install.yml +++ /dev/null @@ -1,109 +0,0 @@ ---- - -# This will throw a Permission Denied error if already mounted using fuse -- name: Check Synapse media store path - stat: - path: "{{ matrix_synapse_media_store_path }}" - register: local_path_media_store_stat - ignore_errors: yes - -# This is separate and conditional, to ensure we don't execute it -# if the path already exists or we failed to check, because it's mounted using fuse. -- name: Ensure Synapse media store path exists - file: - path: "{{ matrix_synapse_media_store_path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" - -- name: Ensure Synapse repository is present on self-build - git: - repo: "{{ matrix_synapse_container_image_self_build_repo }}" - dest: "{{ matrix_synapse_docker_src_files_path }}" - version: "{{ matrix_synapse_docker_image.split(':')[1] }}" - force: "yes" - register: matrix_synapse_git_pull_results - when: "matrix_synapse_container_image_self_build|bool" - -- name: Ensure Synapse Docker image is built - docker_image: - name: "{{ matrix_synapse_docker_image }}" - source: build - force_source: "{{ matrix_synapse_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_git_pull_results.changed }}" - build: - dockerfile: docker/Dockerfile - path: "{{ matrix_synapse_docker_src_files_path }}" - pull: yes - when: "matrix_synapse_container_image_self_build|bool" - -- name: Ensure Synapse Docker image is pulled - docker_image: - name: "{{ matrix_synapse_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_synapse_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_docker_image_force_pull }}" - when: "not matrix_synapse_container_image_self_build" - -- name: Check if a Synapse signing key exists - stat: - path: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key" - register: matrix_synapse_signing_key_stat - -# We do this so that the signing key would get generated. -# -# This will also generate a default homeserver.yaml configuration file and a log configuration file. -# We don't care about those configuraiton files, as we replace them with our own anyway (see below). -# -# We don't use the `docker_container` module, because using it with `cap_drop` requires -# a very recent version, which is not available for a lot of people yet. -- name: Generate initial Synapse config and signing key - command: | - docker run - --rm - --name=matrix-config - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data - -e UID={{ matrix_user_uid }} - -e GID={{ matrix_user_gid }} - -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml - -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }} - -e SYNAPSE_REPORT_STATS=no - {{ matrix_synapse_docker_image }} - generate - when: "not matrix_synapse_signing_key_stat.stat.exists" - -- name: Ensure Synapse homeserver config installed - copy: - content: "{{ matrix_synapse_configuration|to_nice_yaml }}" - dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - -- name: Ensure Synapse log config installed - template: - src: "{{ matrix_synapse_template_synapse_log }}" - dest: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.log.config" - mode: 0644 - -- name: Ensure matrix-synapse.service installed - template: - src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-synapse.service" - mode: 0644 - register: matrix_synapse_systemd_service_result - -- name: Ensure systemd reloaded after matrix-synapse.service installation - service: - daemon_reload: yes - when: "matrix_synapse_systemd_service_result.changed" - -- name: Ensure matrix-synapse-register-user script created - template: - src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2" - dest: "{{ matrix_local_bin_path }}/matrix-synapse-register-user" - mode: 0755 diff --git a/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml b/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml deleted file mode 100644 index f1cdf167..00000000 --- a/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml +++ /dev/null @@ -1,28 +0,0 @@ -- name: Check existence of matrix-synapse service - stat: - path: "{{ matrix_systemd_path }}/matrix-synapse.service" - register: matrix_synapse_service_stat - -- name: Ensure matrix-synapse is stopped - service: - name: matrix-synapse - state: stopped - daemon_reload: yes - register: stopping_result - when: "matrix_synapse_service_stat.stat.exists" - -- name: Ensure matrix-synapse.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-synapse.service" - state: absent - when: "matrix_synapse_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-synapse.service removal - service: - daemon_reload: yes - when: "matrix_synapse_service_stat.stat.exists" - -- name: Ensure Synapse Docker image doesn't exist - docker_image: - name: "{{ matrix_synapse_docker_image }}" - state: absent diff --git a/roles/matrix-synapse/tasks/synapse/workers/init.yml b/roles/matrix-synapse/tasks/synapse/workers/init.yml deleted file mode 100644 index c6fc32c3..00000000 --- a/roles/matrix-synapse/tasks/synapse/workers/init.yml +++ /dev/null @@ -1,86 +0,0 @@ -# Below is a huge hack for dynamically building a list of workers and finally assigning it to `matrix_synapse_workers_enabled_list`. -# -# set_fact within a loop does not work reliably in Ansible (it only executes on the first iteration for some reason), -# so we're forced to do something much uglier. - -- name: Build generic workers - set_fact: - worker: - type: 'generic_worker' - instanceId: "{{ matrix_synapse_workers_generic_workers_port_range_start + item }}" - port: "{{ matrix_synapse_workers_generic_workers_port_range_start + item }}" - metrics_port: "{{ matrix_synapse_workers_generic_workers_metrics_range_start + item }}" - register: "matrix_synapse_workers_list_results_generic_workers" - loop: "{{ range(0, matrix_synapse_workers_generic_workers_count|int)|list }}" - -- name: Build federation sender workers - set_fact: - worker: - type: 'federation_sender' - instanceId: "{{ item }}" - port: 0 - metrics_port: "{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start + item }}" - register: "matrix_synapse_workers_list_results_federation_sender_workers" - loop: "{{ range(0, matrix_synapse_workers_federation_sender_workers_count|int)|list }}" - -# This type of worker can only have a count of 1, at most -- name: Build pusher workers - set_fact: - worker: - type: 'pusher' - instanceId: "{{ item }}" - port: 0 - metrics_port: "{{ matrix_synapse_workers_pusher_workers_metrics_range_start + item }}" - register: "matrix_synapse_workers_list_results_pusher_workers" - loop: "{{ range(0, matrix_synapse_workers_pusher_workers_count|int)|list }}" - -# This type of worker can only have a count of 1, at most -- name: Build appservice workers - set_fact: - worker: - type: 'appservice' - instanceId: "{{ item }}" - port: 0 - metrics_port: "{{ matrix_synapse_workers_appservice_workers_metrics_range_start + item }}" - register: "matrix_synapse_workers_list_results_appservice_workers" - loop: "{{ range(0, matrix_synapse_workers_appservice_workers_count|int)|list }}" - -- name: Build media_repository workers - set_fact: - worker: - type: 'media_repository' - instanceId: "{{ matrix_synapse_workers_media_repository_workers_port_range_start + item }}" - port: "{{ matrix_synapse_workers_media_repository_workers_port_range_start + item }}" - metrics_port: "{{ matrix_synapse_workers_media_repository_workers_metrics_range_start + item }}" - register: "matrix_synapse_workers_list_results_media_repository_workers" - loop: "{{ range(0, matrix_synapse_workers_media_repository_workers_count|int)|list }}" - -- name: Build frontend_proxy workers - set_fact: - worker: - type: 'frontend_proxy' - instanceId: "{{ matrix_synapse_workers_frontend_proxy_workers_port_range_start + item }}" - port: "{{ matrix_synapse_workers_frontend_proxy_workers_port_range_start + item }}" - metrics_port: "{{ matrix_synapse_workers_frontend_proxy_workers_metrics_range_start + item }}" - register: "matrix_synapse_workers_list_results_frontend_proxy_workers" - loop: "{{ range(0, matrix_synapse_workers_frontend_proxy_workers_count|int)|list }}" - -- set_fact: - matrix_synapse_dynamic_workers_list: "{{ matrix_synapse_dynamic_workers_list|default([]) + [item.ansible_facts.worker] }}" - with_items: | - {{ - matrix_synapse_workers_list_results_generic_workers.results - + - matrix_synapse_workers_list_results_federation_sender_workers.results - + - matrix_synapse_workers_list_results_pusher_workers.results - + - matrix_synapse_workers_list_results_appservice_workers.results - + - matrix_synapse_workers_list_results_media_repository_workers.results - + - matrix_synapse_workers_list_results_frontend_proxy_workers.results - }} - -- set_fact: - matrix_synapse_workers_enabled_list: "{{ matrix_synapse_dynamic_workers_list }}" diff --git a/roles/matrix-synapse/tasks/synapse/workers/setup.yml b/roles/matrix-synapse/tasks/synapse/workers/setup.yml deleted file mode 100644 index ce66a2e4..00000000 --- a/roles/matrix-synapse/tasks/synapse/workers/setup.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -# A previous version of the worker setup used this. -# This is a temporary cleanup for people who ran that version. -- name: Ensure old matrix-synapse.service.wants directory is gone - file: - path: "{{ matrix_systemd_path }}/matrix-synapse.service.wants" - state: absent - -# Same. This was part of a previous version of the worker setup. -# No longer necessary. -- name: Ensure matrix-synapse-worker-write-pid script is removed - file: - path: "{{ matrix_local_bin_path }}/matrix-synapse-worker-write-pid" - state: absent - -- include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_install.yml" - when: "matrix_synapse_enabled|bool and matrix_synapse_workers_enabled|bool" - -- include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_uninstall.yml" - when: "not matrix_synapse_workers_enabled|bool" diff --git a/roles/matrix-synapse/tasks/synapse/workers/setup_install.yml b/roles/matrix-synapse/tasks/synapse/workers/setup_install.yml deleted file mode 100644 index 983f1876..00000000 --- a/roles/matrix-synapse/tasks/synapse/workers/setup_install.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- - -- name: Determine current worker configs - find: - path: "{{ matrix_synapse_config_dir_path }}" - patterns: "worker.*.yaml" - use_regex: true - register: matrix_synapse_workers_current_config_files - -# This also deletes some things which we need. They will be recreated below. -- name: Ensure previous worker configs are cleaned - file: - path: "{{ item.path }}" - state: absent - with_items: "{{ matrix_synapse_workers_current_config_files.files }}" - -- name: Determine current worker systemd services - find: - path: "{{ matrix_systemd_path }}" - patterns: "matrix-synapse-worker.*.service" - use_regex: true - register: matrix_synapse_workers_current_systemd_services - -- name: Ensure unnecessary worker systemd services are stopped and disabled - service: - name: "{{ item.path|basename }}" - state: stopped - enabled: false - with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" - when: "not ansible_check_mode and item.path|basename not in matrix_systemd_services_list" - -- name: Ensure unnecessary worker systemd services are cleaned - file: - path: "{{ item.path }}" - state: absent - with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" - -- name: Ensure creation of worker systemd service files and configuration files - include_tasks: "{{ role_path }}/tasks/synapse/workers/util/setup_files_for_worker.yml" - with_items: "{{ matrix_synapse_workers_enabled_list }}" - loop_control: - loop_var: matrix_synapse_worker_details diff --git a/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml deleted file mode 100644 index 4a90bfa6..00000000 --- a/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- - -- name: Populate service facts - service_facts: - -- name: Ensure any worker services are stopped - service: - name: "{{ item.key }}" - state: stopped - with_dict: "{{ ansible_facts.services|default({})|dict2items|selectattr('key', 'match', 'matrix-synapse-worker-.+\\.service')|list|items2dict }}" - -- name: Find worker configs to be cleaned - find: - path: "{{ matrix_synapse_config_dir_path }}" - patterns: "worker.*.yaml" - use_regex: true - register: matrix_synapse_workers_current_config_files - -- name: Ensure previous worker configs are cleaned - file: - path: "{{ item.path }}" - state: absent - with_items: "{{ matrix_synapse_workers_current_config_files.files }}" - -- name: Find worker systemd services to be cleaned - find: - path: "{{ matrix_systemd_path }}" - patterns: "matrix-synapse-worker.*.service" - use_regex: true - register: matrix_synapse_workers_current_systemd_services - -- name: Ensure previous worker systemd services are cleaned - file: - path: "{{ item.path }}" - state: absent - with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" diff --git a/roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml b/roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml deleted file mode 100644 index 62b42625..00000000 --- a/roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml +++ /dev/null @@ -1,18 +0,0 @@ -# The tasks below run before `validate_config.yml`. -# To avoid failing with a cryptic error message, we'll do validation here. -# -# This check is mostly relevant to people who explicitly define `matrix_synapse_workers_enabled_list` -# (Synapse Workers users from the earlier days of this PR - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456). -# -# In the future, it should be possible to remove this check. -# Our own code which dynamically builds `matrix_synapse_workers_enabled_list` does things right. -- name: Fail if instanceId not defined for worker - fail: - msg: "Synapse workers (like {{ matrix_synapse_worker_details|to_json }}) need to define an instanceId property (type + instanceId must be unique)" - when: "'instanceId' not in matrix_synapse_worker_details" - -- set_fact: - matrix_synapse_worker_systemd_service_name: "matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.instanceId }}.service" - -- set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + [matrix_synapse_worker_systemd_service_name] }}" diff --git a/roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml b/roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml deleted file mode 100644 index 93ed6575..00000000 --- a/roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml +++ /dev/null @@ -1,19 +0,0 @@ -- set_fact: - matrix_synapse_worker_systemd_service_name: "matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.instanceId }}" - -- set_fact: - matrix_synapse_worker_container_name: "{{ matrix_synapse_worker_systemd_service_name }}" - -- set_fact: - matrix_synapse_worker_config_file_name: "worker.{{ matrix_synapse_worker_details.type }}_{{ matrix_synapse_worker_details.instanceId }}.yaml" - -- name: Ensure configuration exists for {{ matrix_synapse_worker_systemd_service_name }} - template: - src: "{{ role_path }}/templates/synapse/worker.yaml.j2" - dest: "{{ matrix_synapse_config_dir_path }}/{{ matrix_synapse_worker_config_file_name }}" - -- name: Ensure systemd service exists for {{ matrix_synapse_worker_systemd_service_name }} - template: - src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse-worker.service.j2" - dest: "{{ matrix_systemd_path }}/{{ matrix_synapse_worker_systemd_service_name }}.service" - mode: 0644 diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml deleted file mode 100644 index 78136785..00000000 --- a/roles/matrix-synapse/tasks/update_user_password.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- - -- name: Fail if playbook called incorrectly - fail: - msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" - when: "username is not defined or username == ''" - -- name: Fail if playbook called incorrectly - fail: - msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" - when: "password is not defined or password == ''" - -- name: Fail if not using matrix-postgres container - fail: - msg: "This command is working only when matrix-postgres container is being used" - when: "not matrix_postgres_enabled|bool" - -- name: Ensure matrix-synapse is started - service: - name: matrix-synapse - state: started - daemon_reload: yes - register: start_result - -- name: Ensure matrix-postgres is started - service: - name: matrix-postgres - state: started - daemon_reload: yes - register: postgres_start_result - - -- name: Wait a while, so that Matrix Synapse can manage to start - pause: - seconds: 7 - when: "start_result.changed or postgres_start_result.changed" - -- name: Generate password hash - shell: "{{ matrix_host_command_docker }} exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" - register: password_hash - -- name: Update user password hash - command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username|quote }} {{ password_hash.stdout|quote }}" diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml deleted file mode 100644 index 6dcb50ce..00000000 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ /dev/null @@ -1,59 +0,0 @@ ---- - -- name: Fail if required Synapse settings not defined - fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`) for using Synapse. - when: "vars[item] == ''" - with_items: - - "matrix_synapse_macaroon_secret_key" - - "matrix_synapse_database_host" - - "matrix_synapse_database_user" - - "matrix_synapse_database_password" - - "matrix_synapse_database_database" - -- name: Fail if asking for more than 1 instance of single-instance workers - fail: - msg: >- - `{{ item }}` cannot be more than 1. This is a single-instance worker. - when: "vars[item]|int > 1" - with_items: - - "matrix_synapse_workers_appservice_workers_count" - - "matrix_synapse_workers_pusher_workers_count" - - "matrix_synapse_workers_federation_sender_workers_count" - -- name: (Deprecation) Catch and report renamed settings - fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_synapse_email_riot_base_url', 'new': ''} - - {'old': 'matrix_synapse_container_expose_api_port', 'new': ''} - - {'old': 'matrix_synapse_no_tls', 'new': ''} - - {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'} - - {'old': 'matrix_alias_creation_rules', 'new': 'matrix_synapse_alias_creation_rules'} - - {'old': 'matrix_room_list_publication_rules', 'new': 'matrix_synapse_room_list_publication_rules'} - - {'old': 'matrix_synapse_rc_messages_per_second', 'new': ''} - - {'old': 'matrix_synapse_rc_message_burst_count', 'new': ''} - - {'old': 'matrix_synapse_federation_rc_window_size', 'new': ''} - - {'old': 'matrix_synapse_federation_rc_sleep_limit', 'new': ''} - - {'old': 'matrix_synapse_federation_rc_sleep_delay', 'new': ''} - - {'old': 'matrix_synapse_federation_rc_reject_limit', 'new': ''} - - {'old': 'matrix_synapse_federation_rc_concurrent', 'new': ''} - - {'old': 'matrix_synapse_container_expose_client_api_port', 'new': ''} - - {'old': 'matrix_synapse_container_expose_federation_api_port', 'new': ''} - - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': ''} - - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'} - - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': ''} - - {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'} - -- name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml - fail: - msg: >- - Your matrix_synapse_configuration_extension_yaml configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in matrix_synapse_configuration_extension" - with_items: - - {'old': 'federation_ip_range_blacklist', 'new': 'ip_range_blacklist'} diff --git a/roles/matrix-synapse/templates/goofys/env-goofys.j2 b/roles/matrix-synapse/templates/goofys/env-goofys.j2 deleted file mode 100644 index 2955efdd..00000000 --- a/roles/matrix-synapse/templates/goofys/env-goofys.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#jinja2: lstrip_blocks: "True" -AWS_ACCESS_KEY={{ matrix_s3_media_store_aws_access_key }} -AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }} diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 deleted file mode 100644 index df4a4f23..00000000 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ /dev/null @@ -1,39 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix Goofys media store -After=docker.service -Requires=docker.service -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_docker }} kill %n -ExecStartPre=-{{ matrix_host_command_docker }} rm %n - -ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ - --mount type=bind,src=/etc/group,dst=/etc/group,ro \ - --mount type=bind,src={{ matrix_s3_media_store_path }},dst=/s3,bind-propagation=shared \ - --security-opt apparmor:unconfined \ - --cap-add mknod \ - --cap-add sys_admin \ - --device=/dev/fuse \ - --env-file={{ matrix_synapse_config_dir_path }}/env-goofys \ - --entrypoint /bin/sh \ - {{ matrix_s3_goofys_docker_image }} \ - -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' - -TimeoutStartSec=5min -ExecStop=-{{ matrix_host_command_docker }} stop %n -ExecStop=-{{ matrix_host_command_docker }} kill %n -ExecStop=-{{ matrix_host_command_docker }} rm %n -ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }} -Restart=always -RestartSec=5 -SyslogIdentifier=matrix-goofys - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 deleted file mode 100644 index f3d0734b..00000000 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ /dev/null @@ -1,2937 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# Configuration file for Synapse. -# -# This is a YAML file: see [1] for a quick introduction. Note in particular -# that *indentation is important*: all the elements of a list or dictionary -# should have the same indentation. -# -# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html - - -## Modules ## - -# Server admins can expand Synapse's functionality with external modules. -# -# See https://matrix-org.github.io/synapse/develop/modules.html for more -# documentation on how to configure or create custom modules for Synapse. -# -modules: - # - module: my_super_module.MySuperClass - # config: - # do_thing: true - # - module: my_other_super_module.SomeClass - # config: {} - - -## Server ## - -# The public-facing domain of the server -# -# The server_name name will appear at the end of usernames and room addresses -# created on this server. For example if the server_name was example.com, -# usernames on this server would be in the format @user:example.com -# -# In most cases you should avoid using a matrix specific subdomain such as -# matrix.example.com or synapse.example.com as the server_name for the same -# reasons you wouldn't use user@email.example.com as your email address. -# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md -# for information on how to host Synapse on a subdomain while preserving -# a clean server_name. -# -# The server_name cannot be changed later so it is important to -# configure this correctly before you start Synapse. It should be all -# lowercase and may contain an explicit port. -# Examples: matrix.org, localhost:8080 -# -server_name: "{{ matrix_domain }}" - -# When running as a daemon, the file to store the pid in -# -pid_file: /homeserver.pid - -# The absolute URL to the web client which /_matrix/client will redirect -# to if 'webclient' is configured under the 'listeners' configuration. -# -# This option can be also set to the filesystem path to the web client -# which will be served at /_matrix/client/ if 'webclient' is configured -# under the 'listeners' configuration, however this is a security risk: -# https://github.com/matrix-org/synapse#security-note -# -#web_client_location: https://riot.example.com/ - -# The public-facing base URL that clients use to access this Homeserver (not -# including _matrix/...). This is the same URL a user might enter into the -# 'Custom Homeserver URL' field on their client. If you use Synapse with a -# reverse proxy, this should be the URL to reach Synapse via the proxy. -# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see -# 'listeners' below). -# -public_baseurl: https://{{ matrix_server_fqn_matrix }}/ - -# Set the soft limit on the number of file descriptors synapse can use -# Zero is used to indicate synapse should set the soft limit to the -# hard limit. -# -#soft_file_limit: 0 - -# Presence tracking allows users to see the state (e.g online/offline) -# of other local and remote users. -# -presence: - # Uncomment to disable presence tracking on this homeserver. This option - # replaces the previous top-level 'use_presence' option. - # - enabled: {{ matrix_synapse_presence_enabled|to_json }} - - # Presence routers are third-party modules that can specify additional logic - # to where presence updates from users are routed. - # - presence_router: - # The custom module's class. Uncomment to use a custom presence router module. - # - #module: "my_custom_router.PresenceRouter" - - # Configuration options of the custom module. Refer to your module's - # documentation for available options. - # - #config: - # example_option: 'something' - -# Whether to require authentication to retrieve profile data (avatars, -# display names) of other users through the client API. Defaults to -# 'false'. Note that profile data is also available via the federation -# API, unless allow_profile_lookup_over_federation is set to false. -# -require_auth_for_profile_requests: {{ matrix_synapse_require_auth_for_profile_requests|to_json }} - -# Uncomment to require a user to share a room with another user in order -# to retrieve their profile information. Only checked on Client-Server -# requests. Profile requests from other servers should be checked by the -# requesting server. Defaults to 'false'. -# -limit_profile_requests_to_users_who_share_rooms: {{ matrix_synapse_limit_profile_requests_to_users_who_share_rooms|to_json }} - -# Uncomment to prevent a user's profile data from being retrieved and -# displayed in a room until they have joined it. By default, a user's -# profile data is included in an invite event, regardless of the values -# of the above two settings, and whether or not the users share a server. -# Defaults to 'true'. -# -include_profile_data_on_invite: {{ matrix_synapse_include_profile_data_on_invite|to_json }} - -# If set to 'true', removes the need for authentication to access the server's -# public rooms directory through the client API, meaning that anyone can -# query the room directory. Defaults to 'false'. -# -allow_public_rooms_without_auth: {{ matrix_synapse_allow_public_rooms_without_auth|to_json }} - -# If set to 'true', allows any other homeserver to fetch the server's public -# rooms directory via federation. Defaults to 'false'. -# -allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_federation|to_json }} - -# The default room version for newly created rooms. -# -# Known room versions are listed here: -# https://matrix.org/docs/spec/#complete-list-of-room-versions -# -# For example, for room version 1, default_room_version should be set -# to "1". -# -default_room_version: {{ matrix_synapse_default_room_version|to_json }} - -# The GC threshold parameters to pass to `gc.set_threshold`, if defined -# -#gc_thresholds: [700, 10, 10] - -# The minimum time in seconds between each GC for a generation, regardless of -# the GC thresholds. This ensures that we don't do GC too frequently. -# -# A value of `[1s, 10s, 30s]` indicates that a second must pass between consecutive -# generation 0 GCs, etc. -# -# Defaults to `[1s, 10s, 30s]`. -# -#gc_min_interval: [0.5s, 30s, 1m] - -# Set the limit on the returned events in the timeline in the get -# and sync operations. The default value is 100. -1 means no upper limit. -# -# Uncomment the following to increase the limit to 5000. -# -#filter_timeline_limit: 5000 - -# Whether room invites to users on this server should be blocked -# (except those sent by local server admins). The default is False. -# -#block_non_admin_invites: True - -# Room searching -# -# If disabled, new messages will not be indexed for searching and users -# will receive errors when searching for messages. Defaults to enabled. -# -#enable_search: false - -# Prevent outgoing requests from being sent to the following blacklisted IP address -# CIDR ranges. If this option is not specified then it defaults to private IP -# address ranges (see the example below). -# -# The blacklist applies to the outbound requests for federation, identity servers, -# push servers, and for checking key validity for third-party invite events. -# -# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly -# listed here, since they correspond to unroutable addresses.) -# -# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. -# -#ip_range_blacklist: -# - '127.0.0.0/8' -# - '10.0.0.0/8' -# - '172.16.0.0/12' -# - '192.168.0.0/16' -# - '100.64.0.0/10' -# - '192.0.0.0/24' -# - '169.254.0.0/16' -# - '192.88.99.0/24' -# - '198.18.0.0/15' -# - '192.0.2.0/24' -# - '198.51.100.0/24' -# - '203.0.113.0/24' -# - '224.0.0.0/4' -# - '::1/128' -# - 'fe80::/10' -# - 'fc00::/7' -# - '2001:db8::/32' -# - 'ff00::/8' -# - 'fec0::/10' - -# List of IP address CIDR ranges that should be allowed for federation, -# identity servers, push servers, and for checking key validity for -# third-party invite events. This is useful for specifying exceptions to -# wide-ranging blacklisted target IP ranges - e.g. for communication with -# a push server only visible in your network. -# -# This whitelist overrides ip_range_blacklist and defaults to an empty -# list. -# -#ip_range_whitelist: -# - '192.168.1.1' - -# List of ports that Synapse should listen on, their purpose and their -# configuration. -# -# Options for each listener include: -# -# port: the TCP port to bind to -# -# bind_addresses: a list of local addresses to listen on. The default is -# 'all local interfaces'. -# -# type: the type of listener. Normally 'http', but other valid options are: -# 'manhole' (see docs/manhole.md), -# 'metrics' (see docs/metrics-howto.md), -# 'replication' (see docs/workers.md). -# -# tls: set to true to enable TLS for this listener. Will use the TLS -# key/cert specified in tls_private_key_path / tls_certificate_path. -# -# x_forwarded: Only valid for an 'http' listener. Set to true to use the -# X-Forwarded-For header as the client IP. Useful when Synapse is -# behind a reverse-proxy. -# -# resources: Only valid for an 'http' listener. A list of resources to host -# on this port. Options for each resource are: -# -# names: a list of names of HTTP resources. See below for a list of -# valid resource names. -# -# compress: set to true to enable HTTP compression for this resource. -# -# additional_resources: Only valid for an 'http' listener. A map of -# additional endpoints which should be loaded via dynamic modules. -# -# Valid resource names are: -# -# client: the client-server API (/_matrix/client), and the synapse admin -# API (/_synapse/admin). Also implies 'media' and 'static'. -# -# consent: user consent forms (/_matrix/consent). See -# docs/consent_tracking.md. -# -# federation: the server-server API (/_matrix/federation). Also implies -# 'media', 'keys', 'openid' -# -# keys: the key discovery API (/_matrix/keys). -# -# media: the media API (/_matrix/media). -# -# metrics: the metrics interface. See docs/metrics-howto.md. -# -# openid: OpenID authentication. -# -# replication: the HTTP replication API (/_synapse/replication). See -# docs/workers.md. -# -# static: static resources under synapse/static (/_matrix/static). (Mostly -# useful for 'fallback authentication'.) -# -# webclient: A web client. Requires web_client_location to be set. -# -listeners: -{% if matrix_synapse_metrics_enabled %} - - type: metrics - port: {{ matrix_synapse_metrics_port }} - bind_addresses: - - '0.0.0.0' -{% endif %} - -{% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %} - # TLS-enabled listener: for when matrix traffic is sent directly to synapse. - - port: 8448 - tls: true - bind_addresses: ['::'] - type: http - x_forwarded: false - - resources: - - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} - compress: false -{% endif %} - - # Unsecure HTTP listener (Client API): for when matrix traffic passes through a reverse proxy - # that unwraps TLS. - - port: 8008 - tls: false - bind_addresses: ['::'] - type: http - x_forwarded: true - - resources: - - names: {{ matrix_synapse_http_listener_resource_names|to_json }} - compress: false - -{% if matrix_synapse_federation_port_enabled %} - # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy - # that unwraps TLS. - - port: 8048 - tls: false - bind_addresses: ['::'] - type: http - x_forwarded: true - - resources: - - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} - compress: false -{% endif %} - -{% if matrix_synapse_manhole_enabled %} - # Turn on the twisted ssh manhole service on localhost on the given - # port. - - port: 9000 - bind_addresses: ['0.0.0.0'] - type: manhole -{% endif %} - -{% if matrix_synapse_workers_enabled %} - -{% if matrix_synapse_replication_listener_enabled %} - # c.f. https://github.com/matrix-org/synapse/tree/master/docs/workers.md - # HTTP replication: for the workers to send data to the main synapse process - - port: {{ matrix_synapse_replication_http_port }} - bind_addresses: ['0.0.0.0'] - type: http - resources: - - names: [replication] -{% endif %} - -# c.f. https://github.com/matrix-org/synapse/tree/master/contrib/systemd-with-workers/README.md -worker_app: synapse.app.homeserver - -# thx https://oznetnerd.com/2017/04/18/jinja2-selectattr-filter/ -# reduce the main worker's offerings to core homeserver business -{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'appservice')|list %} -notify_appservices: false -{% endif %} -{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'federation_sender')|list %} -send_federation: false -{% endif %} -{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'media_repository')|list %} -enable_media_repo: false -{% endif %} -{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'pusher')|list %} -start_pushers: false -{% endif %} -{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'user_dir')|list %} -update_user_directory: false -{% endif %} - -daemonize: false -{% endif %} - -# Forward extremities can build up in a room due to networking delays between -# homeservers. Once this happens in a large room, calculation of the state of -# that room can become quite expensive. To mitigate this, once the number of -# forward extremities reaches a given threshold, Synapse will send an -# org.matrix.dummy_event event, which will reduce the forward extremities -# in the room. -# -# This setting defines the threshold (i.e. number of forward extremities in the -# room) at which dummy events are sent. The default value is 10. -# -#dummy_events_threshold: 5 - - -## Homeserver blocking ## - -# How to reach the server admin, used in ResourceLimitError -# -#admin_contact: 'mailto:admin@server.com' - -# Global blocking -# -#hs_disabled: False -#hs_disabled_message: 'Human readable reason for why the HS is blocked' -#hs_disabled_limit_type: 'error code(str), to help clients decode reason' - -# Monthly Active User Blocking -# -# Used in cases where the admin or server owner wants to limit to the -# number of monthly active users. -# -# 'limit_usage_by_mau' disables/enables monthly active user blocking. When -# enabled and a limit is reached the server returns a 'ResourceLimitError' -# with error type Codes.RESOURCE_LIMIT_EXCEEDED -# -# 'max_mau_value' is the hard limit of monthly active users above which -# the server will start blocking user actions. -# -# 'mau_trial_days' is a means to add a grace period for active users. It -# means that users must be active for this number of days before they -# can be considered active and guards against the case where lots of users -# sign up in a short space of time never to return after their initial -# session. -# -#limit_usage_by_mau: False -#max_mau_value: 50 -#mau_trial_days: 2 - -# If enabled, the metrics for the number of monthly active users will -# be populated, however no one will be limited. If limit_usage_by_mau -# is true, this is implied to be true. -# -#mau_stats_only: False - -# Sometimes the server admin will want to ensure certain accounts are -# never blocked by mau checking. These accounts are specified here. -# -#mau_limit_reserved_threepids: -# - medium: 'email' -# address: 'reserved_user@example.com' - -# Used by phonehome stats to group together related servers. -#server_context: context - -# Resource-constrained homeserver settings -# -# When this is enabled, the room "complexity" will be checked before a user -# joins a new remote room. If it is above the complexity limit, the server will -# disallow joining, or will instantly leave. -# -# Room complexity is an arbitrary measure based on factors such as the number of -# users in the room. -# -limit_remote_rooms: - # Uncomment to enable room complexity checking. - # - #enabled: true - - # the limit above which rooms cannot be joined. The default is 1.0. - # - #complexity: 0.5 - - # override the error which is returned when the room is too complex. - # - #complexity_error: "This room is too complex." - - # allow server admins to join complex rooms. Default is false. - # - #admins_can_join: true - -# Whether to require a user to be in the room to add an alias to it. -# Defaults to 'true'. -# -#require_membership_for_aliases: false - -# Whether to allow per-room membership profiles through the send of membership -# events with profile information that differ from the target's global profile. -# Defaults to 'true'. -# -#allow_per_room_profiles: false - -# How long to keep redacted events in unredacted form in the database. After -# this period redacted events get replaced with their redacted form in the DB. -# -# Defaults to `7d`. Set to `null` to disable. -# -#redaction_retention_period: 28d - -redaction_retention_period: {{ matrix_synapse_redaction_retention_period }} - -# How long to track users' last seen time and IPs in the database. -# -# Defaults to `28d`. Set to `null` to disable clearing out of old rows. -# -#user_ips_max_age: 14d - -user_ips_max_age: {{ matrix_synapse_user_ips_max_age }} - -# Message retention policy at the server level. -# -# Room admins and mods can define a retention period for their rooms using the -# 'm.room.retention' state event, and server admins can cap this period by setting -# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. -# -# If this feature is enabled, Synapse will regularly look for and purge events -# which are older than the room's maximum retention period. Synapse will also -# filter events received over federation so that events that should have been -# purged are ignored and not stored again. -# -retention: - # The message retention policies feature is disabled by default. Uncomment the - # following line to enable it. - # - #enabled: true - - # Default retention policy. If set, Synapse will apply it to rooms that lack the - # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't - # matter much because Synapse doesn't take it into account yet. - # - #default_policy: - # min_lifetime: 1d - # max_lifetime: 1y - - # Retention policy limits. If set, and the state of a room contains a - # 'm.room.retention' event in its state which contains a 'min_lifetime' or a - # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy - # to these limits when running purge jobs. - # - #allowed_lifetime_min: 1d - #allowed_lifetime_max: 1y - - # Server admins can define the settings of the background jobs purging the - # events which lifetime has expired under the 'purge_jobs' section. - # - # If no configuration is provided, a single job will be set up to delete expired - # events in every room daily. - # - # Each job's configuration defines which range of message lifetimes the job - # takes care of. For example, if 'shortest_max_lifetime' is '2d' and - # 'longest_max_lifetime' is '3d', the job will handle purging expired events in - # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and - # lower than or equal to 3 days. Both the minimum and the maximum value of a - # range are optional, e.g. a job with no 'shortest_max_lifetime' and a - # 'longest_max_lifetime' of '3d' will handle every room with a retention policy - # which 'max_lifetime' is lower than or equal to three days. - # - # The rationale for this per-job configuration is that some rooms might have a - # retention policy with a low 'max_lifetime', where history needs to be purged - # of outdated messages on a more frequent basis than for the rest of the rooms - # (e.g. every 12h), but not want that purge to be performed by a job that's - # iterating over every room it knows, which could be heavy on the server. - # - # If any purge job is configured, it is strongly recommended to have at least - # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime' - # set, or one job without 'shortest_max_lifetime' and one job without - # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if - # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a - # room's policy to these values is done after the policies are retrieved from - # Synapse's database (which is done using the range specified in a purge job's - # configuration). - # - #purge_jobs: - # - longest_max_lifetime: 3d - # interval: 12h - # - shortest_max_lifetime: 3d - # interval: 1d - -# Inhibits the /requestToken endpoints from returning an error that might leak -# information about whether an e-mail address is in use or not on this -# homeserver. -# Note that for some endpoints the error situation is the e-mail already being -# used, and for others the error is entering the e-mail being unused. -# If this option is enabled, instead of returning an error, these endpoints will -# act as if no error happened and return a fake session ID ('sid') to clients. -# -#request_token_inhibit_3pid_errors: true - -# A list of domains that the domain portion of 'next_link' parameters -# must match. -# -# This parameter is optionally provided by clients while requesting -# validation of an email or phone number, and maps to a link that -# users will be automatically redirected to after validation -# succeeds. Clients can make use this parameter to aid the validation -# process. -# -# The whitelist is applied whether the homeserver or an -# identity server is handling validation. -# -# The default value is no whitelist functionality; all domains are -# allowed. Setting this value to an empty list will instead disallow -# all domains. -# -#next_link_domain_whitelist: ["matrix.org"] - - -## TLS ## - -# PEM-encoded X509 certificate for TLS. -# This certificate, as of Synapse 1.0, will need to be a valid and verifiable -# certificate, signed by a recognised Certificate Authority. -# -# Be sure to use a `.pem` file that includes the full certificate chain including -# any intermediate certificates (for instance, if using certbot, use -# `fullchain.pem` as your certificate, not `cert.pem`). -# -tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} - -# PEM-encoded private key for TLS -# -tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} - -# Whether to verify TLS server certificates for outbound federation requests. -# -# Defaults to `true`. To disable certificate verification, uncomment the -# following line. -# -#federation_verify_certificates: false - -# The minimum TLS version that will be used for outbound federation requests. -# -# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note -# that setting this value higher than `1.2` will prevent federation to most -# of the public Matrix network: only configure it to `1.3` if you have an -# entirely private federation setup and you can ensure TLS 1.3 support. -# -#federation_client_minimum_tls_version: 1.2 - -# Skip federation certificate verification on the following whitelist -# of domains. -# -# This setting should only be used in very specific cases, such as -# federation over Tor hidden services and similar. For private networks -# of homeservers, you likely want to use a private CA instead. -# -# Only effective if federation_verify_certicates is `true`. -# -#federation_certificate_verification_whitelist: -# - lon.example.com -# - *.domain.com -# - *.onion - -# List of custom certificate authorities for federation traffic. -# -# This setting should only normally be used within a private network of -# homeservers. -# -# Note that this list will replace those that are provided by your -# operating environment. Certificates must be in PEM format. -# -#federation_custom_ca_list: -# - myCA1.pem -# - myCA2.pem -# - myCA3.pem - - -## Federation ## - -# Restrict federation to the following whitelist of domains. -# N.B. we recommend also firewalling your federation listener to limit -# inbound federation traffic as early as possible, rather than relying -# purely on this application-layer restriction. If not specified, the -# default is to whitelist everything. -# -#federation_domain_whitelist: -# - lon.example.com -# - nyc.example.com -# - syd.example.com -{% if matrix_synapse_federation_domain_whitelist is not none %} -{# Cannot use `|to_nice_yaml` here, as an empty list does not get serialized properly by it. #} -federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }} -{% endif %} - -# Report prometheus metrics on the age of PDUs being sent to and received from -# the following domains. This can be used to give an idea of "delay" on inbound -# and outbound federation, though be aware that any delay can be due to problems -# at either end or with the intermediate network. -# -# By default, no domains are monitored in this way. -# -#federation_metrics_domains: -# - matrix.org -# - example.com - -# Uncomment to disable profile lookup over federation. By default, the -# Federation API allows other homeservers to obtain profile data of any user -# on this homeserver. Defaults to 'true'. -# -#allow_profile_lookup_over_federation: false - -# Uncomment to disable device display name lookup over federation. By default, the -# Federation API allows other homeservers to obtain device display names of any user -# on this homeserver. Defaults to 'true'. -# -#allow_device_name_lookup_over_federation: false - - -## Caching ## - -# Caching can be configured through the following options. -# -# A cache 'factor' is a multiplier that can be applied to each of -# Synapse's caches in order to increase or decrease the maximum -# number of entries that can be stored. - -# The number of events to cache in memory. Not affected by -# caches.global_factor. -# -event_cache_size: "{{ matrix_synapse_event_cache_size }}" - -caches: - # Controls the global cache factor, which is the default cache factor - # for all caches if a specific factor for that cache is not otherwise - # set. - # - # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment - # variable. Setting by environment variable takes priority over - # setting through the config file. - # - # Defaults to 0.5, which will half the size of all caches. - # - global_factor: {{ matrix_synapse_caches_global_factor }} - - # A dictionary of cache name to cache factor for that individual - # cache. Overrides the global cache factor for a given cache. - # - # These can also be set through environment variables comprised - # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital - # letters and underscores. Setting by environment variable - # takes priority over setting through the config file. - # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0 - # - # Some caches have '*' and other characters that are not - # alphanumeric or underscores. These caches can be named with or - # without the special characters stripped. For example, to specify - # the cache factor for `*stateGroupCache*` via an environment - # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`. - # - per_cache_factors: - #get_users_who_share_room_with_user: 2.0 - - -## Database ## - -database: - # The database engine name - name: "psycopg2" - args: - user: {{ matrix_synapse_database_user|string|to_json }} - password: {{ matrix_synapse_database_password|string|to_json }} - database: "{{ matrix_synapse_database_database }}" - host: "{{ matrix_synapse_database_host }}" - port: {{ matrix_synapse_database_port }} - cp_min: 5 - cp_max: 10 - - -## Logging ## - -# A yaml python logging config file as described by -# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema -# -log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" - - -## Ratelimiting ## - -# Ratelimiting settings for client actions (registration, login, messaging). -# -# Each ratelimiting configuration is made of two parameters: -# - per_second: number of requests a client can send per second. -# - burst_count: number of requests a client can send before being throttled. -# -# Synapse currently uses the following configurations: -# - one for messages that ratelimits sending based on the account the client -# is using -# - one for registration that ratelimits registration requests based on the -# client's IP address. -# - one for login that ratelimits login requests based on the client's IP -# address. -# - one for login that ratelimits login requests based on the account the -# client is attempting to log into. -# - one for login that ratelimits login requests based on the account the -# client is attempting to log into, based on the amount of failed login -# attempts for this account. -# - one for ratelimiting redactions by room admins. If this is not explicitly -# set then it uses the same ratelimiting as per rc_message. This is useful -# to allow room admins to deal with abuse quickly. -# - two for ratelimiting number of rooms a user can join, "local" for when -# users are joining rooms the server is already in (this is cheap) vs -# "remote" for when users are trying to join rooms not on the server (which -# can be more expensive) -# - one for ratelimiting how often a user or IP can attempt to validate a 3PID. -# - two for ratelimiting how often invites can be sent in a room or to a -# specific user. -# -# The defaults are as shown below. -# -#rc_message: -# per_second: 0.2 -# burst_count: 10 -rc_message: {{ matrix_synapse_rc_message|to_json }} -# -#rc_registration: -# per_second: 0.17 -# burst_count: 3 -rc_registration: {{ matrix_synapse_rc_registration|to_json }} -# -#rc_login: -# address: -# per_second: 0.17 -# burst_count: 3 -# account: -# per_second: 0.17 -# burst_count: 3 -# failed_attempts: -# per_second: 0.17 -# burst_count: 3 -rc_login: {{ matrix_synapse_rc_login|to_json }} -# -#rc_admin_redaction: -# per_second: 1 -# burst_count: 50 -rc_admin_redaction: {{ matrix_synapse_rc_admin_redaction|to_json }} -# -#rc_joins: -# local: -# per_second: 0.1 -# burst_count: 10 -# remote: -# per_second: 0.01 -# burst_count: 10 -rc_joins: {{ matrix_synapse_rc_joins|to_json }} -# -#rc_3pid_validation: -# per_second: 0.003 -# burst_count: 5 -# -#rc_invites: -# per_room: -# per_second: 0.3 -# burst_count: 10 -# per_user: -# per_second: 0.003 -# burst_count: 5 - -# Ratelimiting settings for incoming federation -# -# The rc_federation configuration is made up of the following settings: -# - window_size: window size in milliseconds -# - sleep_limit: number of federation requests from a single server in -# a window before the server will delay processing the request. -# - sleep_delay: duration in milliseconds to delay processing events -# from remote servers by if they go over the sleep limit. -# - reject_limit: maximum number of concurrent federation requests -# allowed from a single server -# - concurrent: number of federation requests to concurrently process -# from a single server -# -# The defaults are as shown below. -# -#rc_federation: -# window_size: 1000 -# sleep_limit: 10 -# sleep_delay: 500 -# reject_limit: 50 -# concurrent: 3 -rc_federation: {{ matrix_synapse_rc_federation|to_json }} - -# Target outgoing federation transaction frequency for sending read-receipts, -# per-room. -# -# If we end up trying to send out more read-receipts, they will get buffered up -# into fewer transactions. -# -#federation_rr_transactions_per_room_per_second: 50 -federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_transactions_per_room_per_second }} - - - -## Media Store ## - -# Enable the media store service in the Synapse master. Uncomment the -# following if you are using a separate media store worker. -# -#enable_media_repo: false - -# Directory where uploaded images and attachments are stored. -# -media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }}" - -# Media storage providers allow media to be stored in different -# locations. -# -#media_storage_providers: -# - module: file_system -# # Whether to store newly uploaded local files -# store_local: false -# # Whether to store newly downloaded remote files -# store_remote: false -# # Whether to wait for successful storage for local uploads -# store_synchronous: false -# config: -# directory: /mnt/some/other/directory - -# The largest allowed upload size in bytes -# -# If you are using a reverse proxy you may also need to set this value in -# your reverse proxy's config. Notably Nginx has a small max body size by default. -# See https://matrix-org.github.io/synapse/develop/reverse_proxy.html. -# -max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" - -# Maximum number of pixels that will be thumbnailed -# -#max_image_pixels: 32M - -# Whether to generate new thumbnails on the fly to precisely match -# the resolution requested by the client. If true then whenever -# a new resolution is requested by the client the server will -# generate a new thumbnail. If false the server will pick a thumbnail -# from a precalculated list. -# -#dynamic_thumbnails: false - -# List of thumbnails to precalculate when an image is uploaded. -# -#thumbnail_sizes: -# - width: 32 -# height: 32 -# method: crop -# - width: 96 -# height: 96 -# method: crop -# - width: 320 -# height: 240 -# method: scale -# - width: 640 -# height: 480 -# method: scale -# - width: 800 -# height: 600 -# method: scale - -# Is the preview URL API enabled? -# -# 'false' by default: uncomment the following to enable it (and specify a -# url_preview_ip_range_blacklist blacklist). -# -url_preview_enabled: {{ matrix_synapse_url_preview_enabled|to_json }} - -# List of IP address CIDR ranges that the URL preview spider is denied -# from accessing. There are no defaults: you must explicitly -# specify a list for URL previewing to work. You should specify any -# internal services in your network that you do not want synapse to try -# to connect to, otherwise anyone in any Matrix room could cause your -# synapse to issue arbitrary GET requests to your internal services, -# causing serious security issues. -# -# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly -# listed here, since they correspond to unroutable addresses.) -# -# This must be specified if url_preview_enabled is set. It is recommended that -# you uncomment the following list as a starting point. -# -url_preview_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '192.0.0.0/24' - - '169.254.0.0/16' - - '192.88.99.0/24' - - '198.18.0.0/15' - - '192.0.2.0/24' - - '198.51.100.0/24' - - '203.0.113.0/24' - - '224.0.0.0/4' - - '::1/128' - - 'fe80::/10' - - 'fc00::/7' - - '2001:db8::/32' - - 'ff00::/8' - - 'fec0::/10' - -# List of IP address CIDR ranges that the URL preview spider is allowed -# to access even if they are specified in url_preview_ip_range_blacklist. -# This is useful for specifying exceptions to wide-ranging blacklisted -# target IP ranges - e.g. for enabling URL previews for a specific private -# website only visible in your network. -# -#url_preview_ip_range_whitelist: -# - '192.168.1.1' - -# Optional list of URL matches that the URL preview spider is -# denied from accessing. You should use url_preview_ip_range_blacklist -# in preference to this, otherwise someone could define a public DNS -# entry that points to a private IP address and circumvent the blacklist. -# This is more useful if you know there is an entire shape of URL that -# you know that will never want synapse to try to spider. -# -# Each list entry is a dictionary of url component attributes as returned -# by urlparse.urlsplit as applied to the absolute form of the URL. See -# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit -# The values of the dictionary are treated as an filename match pattern -# applied to that component of URLs, unless they start with a ^ in which -# case they are treated as a regular expression match. If all the -# specified component matches for a given list item succeed, the URL is -# blacklisted. -# -#url_preview_url_blacklist: -# # blacklist any URL with a username in its URI -# - username: '*' -# -# # blacklist all *.google.com URLs -# - netloc: 'google.com' -# - netloc: '*.google.com' -# -# # blacklist all plain HTTP URLs -# - scheme: 'http' -# -# # blacklist http(s)://www.acme.com/foo -# - netloc: 'www.acme.com' -# path: '/foo' -# -# # blacklist any URL with a literal IPv4 address -# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' - -# The largest allowed URL preview spidering size in bytes -# -max_spider_size: 10M - -# A list of values for the Accept-Language HTTP header used when -# downloading webpages during URL preview generation. This allows -# Synapse to specify the preferred languages that URL previews should -# be in when communicating with remote servers. -# -# Each value is a IETF language tag; a 2-3 letter identifier for a -# language, optionally followed by subtags separated by '-', specifying -# a country or region variant. -# -# Multiple values can be provided, and a weight can be added to each by -# using quality value syntax (;q=). '*' translates to any language. -# -# Defaults to "en". -# -# Example: -# -# url_preview_accept_language: -# - en-UK -# - en-US;q=0.9 -# - fr;q=0.8 -# - *;q=0.7 -# -url_preview_accept_language: -# - en - - -## Captcha ## -# See docs/CAPTCHA_SETUP.md for full details of configuring this. - -# This homeserver's ReCAPTCHA public key. Must be specified if -# enable_registration_captcha is enabled. -# -recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key|to_json }} - -# This homeserver's ReCAPTCHA private key. Must be specified if -# enable_registration_captcha is enabled. -# -recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key|to_json }} - -# Uncomment to enable ReCaptcha checks when registering, preventing signup -# unless a captcha is answered. Requires a valid ReCaptcha -# public/private key. Defaults to 'false'. -# -enable_registration_captcha: {{ matrix_synapse_enable_registration_captcha|to_json }} - -# The API endpoint to use for verifying m.login.recaptcha responses. -# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". -# -#recaptcha_siteverify_api: "https://my.recaptcha.site" - - -## TURN ## - -# The public URIs of the TURN server to give to clients -# -turn_uris: {{ matrix_synapse_turn_uris|to_json }} - -# The shared secret used to compute passwords for the TURN server -# -turn_shared_secret: {{ matrix_synapse_turn_shared_secret|string|to_json }} - -# The Username and password if the TURN server needs them and -# does not use a token -# -#turn_username: "TURNSERVER_USERNAME" -#turn_password: "TURNSERVER_PASSWORD" - -# How long generated TURN credentials last -# -#turn_user_lifetime: 1h - -# Whether guests should be allowed to use the TURN server. -# This defaults to True, otherwise VoIP will be unreliable for guests. -# However, it does introduce a slight security risk as it allows users to -# connect to arbitrary endpoints without having first signed up for a -# valid account (e.g. by passing a CAPTCHA). -# -turn_allow_guests: {{ matrix_synapse_turn_allow_guests|to_json }} - - -## Registration ## -# -# Registration can be rate-limited using the parameters in the "Ratelimiting" -# section of this file. - -# Enable registration for new users. -# -enable_registration: {{ matrix_synapse_enable_registration|to_json }} - -# Time that a user's session remains valid for, after they log in. -# -# Note that this is not currently compatible with guest logins. -# -# Note also that this is calculated at login time: changes are not applied -# retrospectively to users who have already logged in. -# -# By default, this is infinite. -# -#session_lifetime: 24h - -# The user must provide all of the below types of 3PID when registering. -# -#registrations_require_3pid: -# - email -# - msisdn -{% if matrix_synapse_registrations_require_3pid|length > 0 %} -registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }} -{% endif %} - -# Explicitly disable asking for MSISDNs from the registration -# flow (overrides registrations_require_3pid if MSISDNs are set as required) -# -#disable_msisdn_registration: true - -# Mandate that users are only allowed to associate certain formats of -# 3PIDs with accounts on this server. -# -#allowed_local_3pids: -# - medium: email -# pattern: '^[^@]+@matrix\.org$' -# - medium: email -# pattern: '^[^@]+@vector\.im$' -# - medium: msisdn -# pattern: '\+44' -{% if matrix_synapse_allowed_local_3pids|length > 0 %} -allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} -{% endif %} - -# Enable 3PIDs lookup requests to identity servers from this server. -# -#enable_3pid_lookup: true - -# If set, allows registration of standard or admin accounts by anyone who -# has the shared secret, even if registration is otherwise disabled. -# -registration_shared_secret: {{ matrix_synapse_registration_shared_secret|string|to_json }} - -# Set the number of bcrypt rounds used to generate password hash. -# Larger numbers increase the work factor needed to generate the hash. -# The default number is 12 (which equates to 2^12 rounds). -# N.B. that increasing this will exponentially increase the time required -# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. -# -#bcrypt_rounds: 12 - -# Allows users to register as guests without a password/email/etc, and -# participate in rooms hosted on this server which have been made -# accessible to anonymous users. -# -allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} - -# The identity server which we suggest that clients should use when users log -# in on this server. -# -# (By default, no suggestion is made, so it is left up to the client. -# This setting is ignored unless public_baseurl is also set.) -# -#default_identity_server: https://matrix.org - -# Handle threepid (email/phone etc) registration and password resets through a set of -# *trusted* identity servers. Note that this allows the configured identity server to -# reset passwords for accounts! -# -# Be aware that if `email` is not set, and SMTP options have not been -# configured in the email config block, registration and user password resets via -# email will be globally disabled. -# -# Additionally, if `msisdn` is not set, registration and password resets via msisdn -# will be disabled regardless, and users will not be able to associate an msisdn -# identifier to their account. This is due to Synapse currently not supporting -# any method of sending SMS messages on its own. -# -# To enable using an identity server for operations regarding a particular third-party -# identifier type, set the value to the URL of that identity server as shown in the -# examples below. -# -# Servers handling the these requests must answer the `/requestToken` endpoints defined -# by the Matrix Identity Service API specification: -# https://matrix.org/docs/spec/identity_service/latest -# -# If a delegate is specified, the config option public_baseurl must also be filled out. -# -account_threepid_delegates: - email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} - msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} - -# Whether users are allowed to change their displayname after it has -# been initially set. Useful when provisioning users based on the -# contents of a third-party directory. -# -# Does not apply to server administrators. Defaults to 'true' -# -#enable_set_displayname: false - -# Whether users are allowed to change their avatar after it has been -# initially set. Useful when provisioning users based on the contents -# of a third-party directory. -# -# Does not apply to server administrators. Defaults to 'true' -# -#enable_set_avatar_url: false - -# Whether users can change the 3PIDs associated with their accounts -# (email address and msisdn). -# -# Defaults to 'true' -# -#enable_3pid_changes: false - -# Users who register on this homeserver will automatically be joined -# to these rooms. -# -# By default, any room aliases included in this list will be created -# as a publicly joinable room when the first user registers for the -# homeserver. This behaviour can be customised with the settings below. -# If the room already exists, make certain it is a publicly joinable -# room. The join rule of the room must be set to 'public'. -# -#auto_join_rooms: -# - "#example:example.com" -{% if matrix_synapse_auto_join_rooms|length > 0 %} -auto_join_rooms: -{{ matrix_synapse_auto_join_rooms|to_nice_yaml }} -{% endif %} - -# Where auto_join_rooms are specified, setting this flag ensures that the -# the rooms exist by creating them when the first user on the -# homeserver registers. -# -# By default the auto-created rooms are publicly joinable from any federated -# server. Use the autocreate_auto_join_rooms_federated and -# autocreate_auto_join_room_preset settings below to customise this behaviour. -# -# Setting to false means that if the rooms are not manually created, -# users cannot be auto-joined since they do not exist. -# -# Defaults to true. Uncomment the following line to disable automatically -# creating auto-join rooms. -# -autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json }} - -# Whether the auto_join_rooms that are auto-created are available via -# federation. Only has an effect if autocreate_auto_join_rooms is true. -# -# Note that whether a room is federated cannot be modified after -# creation. -# -# Defaults to true: the room will be joinable from other servers. -# Uncomment the following to prevent users from other homeservers from -# joining these rooms. -# -#autocreate_auto_join_rooms_federated: false - -# The room preset to use when auto-creating one of auto_join_rooms. Only has an -# effect if autocreate_auto_join_rooms is true. -# -# This can be one of "public_chat", "private_chat", or "trusted_private_chat". -# If a value of "private_chat" or "trusted_private_chat" is used then -# auto_join_mxid_localpart must also be configured. -# -# Defaults to "public_chat", meaning that the room is joinable by anyone, including -# federated servers if autocreate_auto_join_rooms_federated is true (the default). -# Uncomment the following to require an invitation to join these rooms. -# -#autocreate_auto_join_room_preset: private_chat - -# The local part of the user id which is used to create auto_join_rooms if -# autocreate_auto_join_rooms is true. If this is not provided then the -# initial user account that registers will be used to create the rooms. -# -# The user id is also used to invite new users to any auto-join rooms which -# are set to invite-only. -# -# It *must* be configured if autocreate_auto_join_room_preset is set to -# "private_chat" or "trusted_private_chat". -# -# Note that this must be specified in order for new users to be correctly -# invited to any auto-join rooms which have been set to invite-only (either -# at the time of creation or subsequently). -# -# Note that, if the room already exists, this user must be joined and -# have the appropriate permissions to invite new members. -# -#auto_join_mxid_localpart: system - -# When auto_join_rooms is specified, setting this flag to false prevents -# guest accounts from being automatically joined to the rooms. -# -# Defaults to true. -# -#auto_join_rooms_for_guests: false - - -## Account Validity ## - -# Optional account validity configuration. This allows for accounts to be denied -# any request after a given period. -# -# Once this feature is enabled, Synapse will look for registered users without an -# expiration date at startup and will add one to every account it found using the -# current settings at that time. -# This means that, if a validity period is set, and Synapse is restarted (it will -# then derive an expiration date from the current validity period), and some time -# after that the validity period changes and Synapse is restarted, the users' -# expiration dates won't be updated unless their account is manually renewed. This -# date will be randomly selected within a range [now + period - d ; now + period], -# where d is equal to 10% of the validity period. -# -account_validity: - # The account validity feature is disabled by default. Uncomment the - # following line to enable it. - # - #enabled: true - - # The period after which an account is valid after its registration. When - # renewing the account, its validity period will be extended by this amount - # of time. This parameter is required when using the account validity - # feature. - # - #period: 6w - - # The amount of time before an account's expiry date at which Synapse will - # send an email to the account's email address with a renewal link. By - # default, no such emails are sent. - # - # If you enable this setting, you will also need to fill out the 'email' and - # 'public_baseurl' configuration sections. - # - #renew_at: 1w - - # The subject of the email sent out with the renewal link. '%(app)s' can be - # used as a placeholder for the 'app_name' parameter from the 'email' - # section. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - # If this is not set, a default value is used. - # - #renew_email_subject: "Renew your %(app)s account" - - # Directory in which Synapse will try to find templates for the HTML files to - # serve to the user when trying to renew an account. If not set, default - # templates from within the Synapse package will be used. - # - # The currently available templates are: - # - # * account_renewed.html: Displayed to the user after they have successfully - # renewed their account. - # - # * account_previously_renewed.html: Displayed to the user if they attempt to - # renew their account with a token that is valid, but that has already - # been used. In this case the account is not renewed again. - # - # * invalid_token.html: Displayed to the user when they try to renew an account - # with an unknown or invalid renewal token. - # - # See https://github.com/matrix-org/synapse/tree/master/synapse/res/templates for - # default template contents. - # - # The file name of some of these templates can be configured below for legacy - # reasons. - # - #template_dir: "res/templates" - - # A custom file name for the 'account_renewed.html' template. - # - # If not set, the file is assumed to be named "account_renewed.html". - # - #account_renewed_html_path: "account_renewed.html" - - # A custom file name for the 'invalid_token.html' template. - # - # If not set, the file is assumed to be named "invalid_token.html". - # - #invalid_token_html_path: "invalid_token.html" - - -## Metrics ### - -# Enable collection and rendering of performance metrics -# -enable_metrics: {{ matrix_synapse_metrics_enabled|to_json }} - -# Enable sentry integration -# NOTE: While attempts are made to ensure that the logs don't contain -# any sensitive information, this cannot be guaranteed. By enabling -# this option the sentry server may therefore receive sensitive -# information, and it in turn may then diseminate sensitive information -# through insecure notification channels if so configured. -# -{% if matrix_synapse_sentry_dsn != "" %} -sentry: - dsn: {{ matrix_synapse_sentry_dsn|to_json }} -{% endif %} - -# Flags to enable Prometheus metrics which are not suitable to be -# enabled by default, either for performance reasons or limited use. -# -metrics_flags: - # Publish synapse_federation_known_servers, a gauge of the number of - # servers this homeserver knows about, including itself. May cause - # performance problems on large homeservers. - # - #known_servers: true - -# Whether or not to report anonymized homeserver usage statistics. -# -report_stats: {{ matrix_synapse_report_stats|to_json }} - -# The endpoint to report the anonymized homeserver usage statistics to. -# Defaults to https://matrix.org/report-usage-stats/push -# -#report_stats_endpoint: https://example.com/report-usage-stats/push - - -## API Configuration ## - -# Controls for the state that is shared with users who receive an invite -# to a room -# -room_prejoin_state: - # By default, the following state event types are shared with users who - # receive invites to the room: - # - # - m.room.join_rules - # - m.room.canonical_alias - # - m.room.avatar - # - m.room.encryption - # - m.room.name - # - m.room.create - # - # Uncomment the following to disable these defaults (so that only the event - # types listed in 'additional_event_types' are shared). Defaults to 'false'. - # - #disable_default_event_types: true - - # Additional state event types to share with users when they are invited - # to a room. - # - # By default, this list is empty (so only the default event types are shared). - # - #additional_event_types: - # - org.example.custom.event.type - - -# A list of application service config files to use -# -app_service_config_files: {{ matrix_synapse_app_service_config_files|to_json }} - -# Uncomment to enable tracking of application service IP addresses. Implicitly -# enables MAU tracking for application service users. -# -#track_appservice_user_ips: True - - -# a secret which is used to sign access tokens. If none is specified, -# the registration_shared_secret is used, if one is given; otherwise, -# a secret key is derived from the signing key. -# -macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|string|to_json }} - -# a secret which is used to calculate HMACs for form values, to stop -# falsification of values. Must be specified for the User Consent -# forms to work. -# -form_secret: {{ matrix_synapse_form_secret|string|to_json }} - -## Signing Keys ## - -# Path to the signing key to sign messages with -# -signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key" - -# The keys that the server used to sign messages with but won't use -# to sign new messages. -# -old_signing_keys: - # For each key, `key` should be the base64-encoded public key, and - # `expired_ts`should be the time (in milliseconds since the unix epoch) that - # it was last used. - # - # It is possible to build an entry from an old signing.key file using the - # `export_signing_key` script which is provided with synapse. - # - # For example: - # - #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } - -# How long key response published by this server is valid for. -# Used to set the valid_until_ts in /key/v2 APIs. -# Determines how quickly servers will query to check which keys -# are still valid. -# -#key_refresh_interval: 1d - -# The trusted servers to download signing keys from. -# -# When we need to fetch a signing key, each server is tried in parallel. -# -# Normally, the connection to the key server is validated via TLS certificates. -# Additional security can be provided by configuring a `verify key`, which -# will make synapse check that the response is signed by that key. -# -# This setting supercedes an older setting named `perspectives`. The old format -# is still supported for backwards-compatibility, but it is deprecated. -# -# 'trusted_key_servers' defaults to matrix.org, but using it will generate a -# warning on start-up. To suppress this warning, set -# 'suppress_key_server_warning' to true. -# -# Options for each entry in the list include: -# -# server_name: the name of the server. required. -# -# verify_keys: an optional map from key id to base64-encoded public key. -# If specified, we will check that the response is signed by at least -# one of the given keys. -# -# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, -# and federation_verify_certificates is not `true`, synapse will refuse -# to start, because this would allow anyone who can spoof DNS responses -# to masquerade as the trusted key server. If you know what you are doing -# and are sure that your network environment provides a secure connection -# to the key server, you can set this to `true` to override this -# behaviour. -# -# An example configuration might look like: -# -#trusted_key_servers: -# - server_name: "my_trusted_server.example.com" -# verify_keys: -# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" -# - server_name: "my_other_trusted_server.example.com" -# -trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }} - - -# Uncomment the following to disable the warning that is emitted when the -# trusted_key_servers include 'matrix.org'. See above. -# -#suppress_key_server_warning: true - -# The signing keys to use when acting as a trusted key server. If not specified -# defaults to the server signing key. -# -# Can contain multiple keys, one per line. -# -#key_server_signing_keys_path: "key_server_signing_keys.key" - - -## Single sign-on integration ## - -# The following settings can be used to make Synapse use a single sign-on -# provider for authentication, instead of its internal password database. -# -# You will probably also want to set the following options to `false` to -# disable the regular login/registration flows: -# * enable_registration -# * password_config.enabled -# -# You will also want to investigate the settings under the "sso" configuration -# section below. - -# Enable SAML2 for registration and login. Uses pysaml2. -# -# At least one of `sp_config` or `config_path` must be set in this section to -# enable SAML login. -# -# Once SAML support is enabled, a metadata file will be exposed at -# https://:/_synapse/client/saml2/metadata.xml, which you may be able to -# use to configure your SAML IdP with. Alternatively, you can manually configure -# the IdP to use an ACS location of -# https://:/_synapse/client/saml2/authn_response. -# -saml2_config: - # `sp_config` is the configuration for the pysaml2 Service Provider. - # See pysaml2 docs for format of config. - # - # Default values will be used for the 'entityid' and 'service' settings, - # so it is not normally necessary to specify them unless you need to - # override them. - # - sp_config: - # Point this to the IdP's metadata. You must provide either a local - # file via the `local` attribute or (preferably) a URL via the - # `remote` attribute. - # - #metadata: - # local: ["saml2/idp.xml"] - # remote: - # - url: https://our_idp/metadata.xml - - # Allowed clock difference in seconds between the homeserver and IdP. - # - # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. - # - #accepted_time_diff: 3 - - # By default, the user has to go to our login page first. If you'd like - # to allow IdP-initiated login, set 'allow_unsolicited: true' in a - # 'service.sp' section: - # - #service: - # sp: - # allow_unsolicited: true - - # The examples below are just used to generate our metadata xml, and you - # may well not need them, depending on your setup. Alternatively you - # may need a whole lot more detail - see the pysaml2 docs! - - #description: ["My awesome SP", "en"] - #name: ["Test SP", "en"] - - #ui_info: - # display_name: - # - lang: en - # text: "Display Name is the descriptive name of your service." - # description: - # - lang: en - # text: "Description should be a short paragraph explaining the purpose of the service." - # information_url: - # - lang: en - # text: "https://example.com/terms-of-service" - # privacy_statement_url: - # - lang: en - # text: "https://example.com/privacy-policy" - # keywords: - # - lang: en - # text: ["Matrix", "Element"] - # logo: - # - lang: en - # text: "https://example.com/logo.svg" - # width: "200" - # height: "80" - - #organization: - # name: Example com - # display_name: - # - ["Example co", "en"] - # url: "http://example.com" - - #contact_person: - # - given_name: Bob - # sur_name: "the Sysadmin" - # email_address": ["admin@example.com"] - # contact_type": technical - - # Instead of putting the config inline as above, you can specify a - # separate pysaml2 configuration file: - # - #config_path: "/data/sp_conf.py" - - # The lifetime of a SAML session. This defines how long a user has to - # complete the authentication process, if allow_unsolicited is unset. - # The default is 15 minutes. - # - #saml_session_lifetime: 5m - - # An external module can be provided here as a custom solution to - # mapping attributes returned from a saml provider onto a matrix user. - # - user_mapping_provider: - # The custom module's class. Uncomment to use a custom module. - # - #module: mapping_provider.SamlMappingProvider - - # Custom configuration values for the module. Below options are - # intended for the built-in provider, they should be changed if - # using a custom module. This section will be passed as a Python - # dictionary to the module's `parse_config` method. - # - config: - # The SAML attribute (after mapping via the attribute maps) to use - # to derive the Matrix ID from. 'uid' by default. - # - # Note: This used to be configured by the - # saml2_config.mxid_source_attribute option. If that is still - # defined, its value will be used instead. - # - #mxid_source_attribute: displayName - - # The mapping system to use for mapping the saml attribute onto a - # matrix ID. - # - # Options include: - # * 'hexencode' (which maps unpermitted characters to '=xx') - # * 'dotreplace' (which replaces unpermitted characters with - # '.'). - # The default is 'hexencode'. - # - # Note: This used to be configured by the - # saml2_config.mxid_mapping option. If that is still defined, its - # value will be used instead. - # - #mxid_mapping: dotreplace - - # In previous versions of synapse, the mapping from SAML attribute to - # MXID was always calculated dynamically rather than stored in a - # table. For backwards- compatibility, we will look for user_ids - # matching such a pattern before creating a new account. - # - # This setting controls the SAML attribute which will be used for this - # backwards-compatibility lookup. Typically it should be 'uid', but if - # the attribute maps are changed, it may be necessary to change it. - # - # The default is 'uid'. - # - #grandfathered_mxid_source_attribute: upn - - # It is possible to configure Synapse to only allow logins if SAML attributes - # match particular values. The requirements can be listed under - # `attribute_requirements` as shown below. All of the listed attributes must - # match for the login to be permitted. - # - #attribute_requirements: - # - attribute: userGroup - # value: "staff" - # - attribute: department - # value: "sales" - - # If the metadata XML contains multiple IdP entities then the `idp_entityid` - # option must be set to the entity to redirect users to. - # - # Most deployments only have a single IdP entity and so should omit this - # option. - # - #idp_entityid: 'https://our_idp/entityid' - - -# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration -# and login. -# -# Options for each entry include: -# -# idp_id: a unique identifier for this identity provider. Used internally -# by Synapse; should be a single word such as 'github'. -# -# Note that, if this is changed, users authenticating via that provider -# will no longer be recognised as the same user! -# -# (Use "oidc" here if you are migrating from an old "oidc_config" -# configuration.) -# -# idp_name: A user-facing name for this identity provider, which is used to -# offer the user a choice of login mechanisms. -# -# idp_icon: An optional icon for this identity provider, which is presented -# by clients and Synapse's own IdP picker page. If given, must be an -# MXC URI of the format mxc:///. (An easy way to -# obtain such an MXC URI is to upload an image to an (unencrypted) room -# and then copy the "url" from the source of the event.) -# -# idp_brand: An optional brand for this identity provider, allowing clients -# to style the login flow according to the identity provider in question. -# See the spec for possible options here. -# -# discover: set to 'false' to disable the use of the OIDC discovery mechanism -# to discover endpoints. Defaults to true. -# -# issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery -# is enabled) to discover the provider's endpoints. -# -# client_id: Required. oauth2 client id to use. -# -# client_secret: oauth2 client secret to use. May be omitted if -# client_secret_jwt_key is given, or if client_auth_method is 'none'. -# -# client_secret_jwt_key: Alternative to client_secret: details of a key used -# to create a JSON Web Token to be used as an OAuth2 client secret. If -# given, must be a dictionary with the following properties: -# -# key: a pem-encoded signing key. Must be a suitable key for the -# algorithm specified. Required unless 'key_file' is given. -# -# key_file: the path to file containing a pem-encoded signing key file. -# Required unless 'key' is given. -# -# jwt_header: a dictionary giving properties to include in the JWT -# header. Must include the key 'alg', giving the algorithm used to -# sign the JWT, such as "ES256", using the JWA identifiers in -# RFC7518. -# -# jwt_payload: an optional dictionary giving properties to include in -# the JWT payload. Normally this should include an 'iss' key. -# -# client_auth_method: auth method to use when exchanging the token. Valid -# values are 'client_secret_basic' (default), 'client_secret_post' and -# 'none'. -# -# scopes: list of scopes to request. This should normally include the "openid" -# scope. Defaults to ["openid"]. -# -# authorization_endpoint: the oauth2 authorization endpoint. Required if -# provider discovery is disabled. -# -# token_endpoint: the oauth2 token endpoint. Required if provider discovery is -# disabled. -# -# userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is -# disabled and the 'openid' scope is not requested. -# -# jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and -# the 'openid' scope is used. -# -# skip_verification: set to 'true' to skip metadata verification. Use this if -# you are connecting to a provider that is not OpenID Connect compliant. -# Defaults to false. Avoid this in production. -# -# user_profile_method: Whether to fetch the user profile from the userinfo -# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'. -# -# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is -# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the -# userinfo endpoint. -# -# allow_existing_users: set to 'true' to allow a user logging in via OIDC to -# match a pre-existing account instead of failing. This could be used if -# switching from password logins to OIDC. Defaults to false. -# -# user_mapping_provider: Configuration for how attributes returned from a OIDC -# provider are mapped onto a matrix user. This setting has the following -# sub-properties: -# -# module: The class name of a custom mapping module. Default is -# 'synapse.handlers.oidc.JinjaOidcMappingProvider'. -# See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers -# for information on implementing a custom mapping provider. -# -# config: Configuration for the mapping provider module. This section will -# be passed as a Python dictionary to the user mapping provider -# module's `parse_config` method. -# -# For the default provider, the following settings are available: -# -# subject_claim: name of the claim containing a unique identifier -# for the user. Defaults to 'sub', which OpenID Connect -# compliant providers should provide. -# -# localpart_template: Jinja2 template for the localpart of the MXID. -# If this is not set, the user will be prompted to choose their -# own username (see 'sso_auth_account_details.html' in the 'sso' -# section of this file). -# -# display_name_template: Jinja2 template for the display name to set -# on first login. If unset, no displayname will be set. -# -# email_template: Jinja2 template for the email address of the user. -# If unset, no email address will be added to the account. -# -# extra_attributes: a map of Jinja2 templates for extra attributes -# to send back to the client during login. -# Note that these are non-standard and clients will ignore them -# without modifications. -# -# When rendering, the Jinja2 templates are given a 'user' variable, -# which is set to the claims returned by the UserInfo Endpoint and/or -# in the ID Token. -# -# It is possible to configure Synapse to only allow logins if certain attributes -# match particular values in the OIDC userinfo. The requirements can be listed under -# `attribute_requirements` as shown below. All of the listed attributes must -# match for the login to be permitted. Additional attributes can be added to -# userinfo by expanding the `scopes` section of the OIDC config to retrieve -# additional information from the OIDC provider. -# -# If the OIDC claim is a list, then the attribute must match any value in the list. -# Otherwise, it must exactly match the value of the claim. Using the example -# below, the `family_name` claim MUST be "Stephensson", but the `groups` -# claim MUST contain "admin". -# -# attribute_requirements: -# - attribute: family_name -# value: "Stephensson" -# - attribute: groups -# value: "admin" -# -# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md -# for information on how to configure these options. -# -# For backwards compatibility, it is also possible to configure a single OIDC -# provider via an 'oidc_config' setting. This is now deprecated and admins are -# advised to migrate to the 'oidc_providers' format. (When doing that migration, -# use 'oidc' for the idp_id to ensure that existing users continue to be -# recognised.) -# -oidc_providers: - # Generic example - # - #- idp_id: my_idp - # idp_name: "My OpenID provider" - # idp_icon: "mxc://example.com/mediaid" - # discover: false - # issuer: "https://accounts.example.com/" - # client_id: "provided-by-your-issuer" - # client_secret: "provided-by-your-issuer" - # client_auth_method: client_secret_post - # scopes: ["openid", "profile"] - # authorization_endpoint: "https://accounts.example.com/oauth2/auth" - # token_endpoint: "https://accounts.example.com/oauth2/token" - # userinfo_endpoint: "https://accounts.example.com/userinfo" - # jwks_uri: "https://accounts.example.com/.well-known/jwks.json" - # user_mapping_provider: - # config: - # subject_claim: "id" - # localpart_template: "{% raw %}{{ user.login }}{% endraw %}" - # display_name_template: "{% raw %}{{ user.name }}{% endraw %}" - # email_template: "{% raw %}{{ user.email }}{% endraw %}" - # attribute_requirements: - # - attribute: userGroup - # value: "synapseUsers" - - -# Enable Central Authentication Service (CAS) for registration and login. -# -cas_config: - # Uncomment the following to enable authorization against a CAS server. - # Defaults to false. - # - #enabled: true - - # The URL of the CAS authorization endpoint. - # - #server_url: "https://cas-server.com" - - # The attribute of the CAS response to use as the display name. - # - # If unset, no displayname will be set. - # - #displayname_attribute: name - - # It is possible to configure Synapse to only allow logins if CAS attributes - # match particular values. All of the keys in the mapping below must exist - # and the values must match the given value. Alternately if the given value - # is None then any value is allowed (the attribute just must exist). - # All of the listed attributes must match for the login to be permitted. - # - #required_attributes: - # userGroup: "staff" - # department: None - - -# Additional settings to use with single-sign on systems such as OpenID Connect, -# SAML2 and CAS. -# -sso: - # A list of client URLs which are whitelisted so that the user does not - # have to confirm giving access to their account to the URL. Any client - # whose URL starts with an entry in the following list will not be subject - # to an additional confirmation step after the SSO login is completed. - # - # WARNING: An entry such as "https://my.client" is insecure, because it - # will also match "https://my.client.evil.site", exposing your users to - # phishing attacks from evil.site. To avoid this, include a slash after the - # hostname: "https://my.client/". - # - # If public_baseurl is set, then the login fallback page (used by clients - # that don't natively support the required login flows) is whitelisted in - # addition to any URLs in this list. - # - # By default, this list is empty. - # - #client_whitelist: - # - https://riot.im/develop - # - https://my.custom.client/ - - # Uncomment to keep a user's profile fields in sync with information from - # the identity provider. Currently only syncing the displayname is - # supported. Fields are checked on every SSO login, and are updated - # if necessary. - # - # Note that enabling this option will override user profile information, - # regardless of whether users have opted-out of syncing that - # information when first signing in. Defaults to false. - # - #update_profile_information: true - - # Directory in which Synapse will try to find the template files below. - # If not set, or the files named below are not found within the template - # directory, default templates from within the Synapse package will be used. - # - # Synapse will look for the following templates in this directory: - # - # * HTML page to prompt the user to choose an Identity Provider during - # login: 'sso_login_idp_picker.html'. - # - # This is only used if multiple SSO Identity Providers are configured. - # - # When rendering, this template is given the following variables: - # * redirect_url: the URL that the user will be redirected to after - # login. - # - # * server_name: the homeserver's name. - # - # * providers: a list of available Identity Providers. Each element is - # an object with the following attributes: - # - # * idp_id: unique identifier for the IdP - # * idp_name: user-facing name for the IdP - # * idp_icon: if specified in the IdP config, an MXC URI for an icon - # for the IdP - # * idp_brand: if specified in the IdP config, a textual identifier - # for the brand of the IdP - # - # The rendered HTML page should contain a form which submits its results - # back as a GET request, with the following query parameters: - # - # * redirectUrl: the client redirect URI (ie, the `redirect_url` passed - # to the template) - # - # * idp: the 'idp_id' of the chosen IDP. - # - # * HTML page to prompt new users to enter a userid and confirm other - # details: 'sso_auth_account_details.html'. This is only shown if the - # SSO implementation (with any user_mapping_provider) does not return - # a localpart. - # - # When rendering, this template is given the following variables: - # - # * server_name: the homeserver's name. - # - # * idp: details of the SSO Identity Provider that the user logged in - # with: an object with the following attributes: - # - # * idp_id: unique identifier for the IdP - # * idp_name: user-facing name for the IdP - # * idp_icon: if specified in the IdP config, an MXC URI for an icon - # for the IdP - # * idp_brand: if specified in the IdP config, a textual identifier - # for the brand of the IdP - # - # * user_attributes: an object containing details about the user that - # we received from the IdP. May have the following attributes: - # - # * display_name: the user's display_name - # * emails: a list of email addresses - # - # The template should render a form which submits the following fields: - # - # * username: the localpart of the user's chosen user id - # - # * HTML page allowing the user to consent to the server's terms and - # conditions. This is only shown for new users, and only if - # `user_consent.require_at_registration` is set. - # - # When rendering, this template is given the following variables: - # - # * server_name: the homeserver's name. - # - # * user_id: the user's matrix proposed ID. - # - # * user_profile.display_name: the user's proposed display name, if any. - # - # * consent_version: the version of the terms that the user will be - # shown - # - # * terms_url: a link to the page showing the terms. - # - # The template should render a form which submits the following fields: - # - # * accepted_version: the version of the terms accepted by the user - # (ie, 'consent_version' from the input variables). - # - # * HTML page for a confirmation step before redirecting back to the client - # with the login token: 'sso_redirect_confirm.html'. - # - # When rendering, this template is given the following variables: - # - # * redirect_url: the URL the user is about to be redirected to. - # - # * display_url: the same as `redirect_url`, but with the query - # parameters stripped. The intention is to have a - # human-readable URL to show to users, not to use it as - # the final address to redirect to. - # - # * server_name: the homeserver's name. - # - # * new_user: a boolean indicating whether this is the user's first time - # logging in. - # - # * user_id: the user's matrix ID. - # - # * user_profile.avatar_url: an MXC URI for the user's avatar, if any. - # None if the user has not set an avatar. - # - # * user_profile.display_name: the user's display name. None if the user - # has not set a display name. - # - # * HTML page which notifies the user that they are authenticating to confirm - # an operation on their account during the user interactive authentication - # process: 'sso_auth_confirm.html'. - # - # When rendering, this template is given the following variables: - # * redirect_url: the URL the user is about to be redirected to. - # - # * description: the operation which the user is being asked to confirm - # - # * idp: details of the Identity Provider that we will use to confirm - # the user's identity: an object with the following attributes: - # - # * idp_id: unique identifier for the IdP - # * idp_name: user-facing name for the IdP - # * idp_icon: if specified in the IdP config, an MXC URI for an icon - # for the IdP - # * idp_brand: if specified in the IdP config, a textual identifier - # for the brand of the IdP - # - # * HTML page shown after a successful user interactive authentication session: - # 'sso_auth_success.html'. - # - # Note that this page must include the JavaScript which notifies of a successful authentication - # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). - # - # This template has no additional variables. - # - # * HTML page shown after a user-interactive authentication session which - # does not map correctly onto the expected user: 'sso_auth_bad_user.html'. - # - # When rendering, this template is given the following variables: - # * server_name: the homeserver's name. - # * user_id_to_verify: the MXID of the user that we are trying to - # validate. - # - # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) - # attempts to login: 'sso_account_deactivated.html'. - # - # This template has no additional variables. - # - # * HTML page to display to users if something goes wrong during the - # OpenID Connect authentication process: 'sso_error.html'. - # - # When rendering, this template is given two variables: - # * error: the technical name of the error - # * error_description: a human-readable message for the error - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" - - -# JSON web token integration. The following settings can be used to make -# Synapse JSON web tokens for authentication, instead of its internal -# password database. -# -# Each JSON Web Token needs to contain a "sub" (subject) claim, which is -# used as the localpart of the mxid. -# -# Additionally, the expiration time ("exp"), not before time ("nbf"), -# and issued at ("iat") claims are validated if present. -# -# Note that this is a non-standard login type and client support is -# expected to be non-existent. -# -# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md. -# -#jwt_config: - # Uncomment the following to enable authorization using JSON web - # tokens. Defaults to false. - # - #enabled: true - - # This is either the private shared secret or the public key used to - # decode the contents of the JSON web token. - # - # Required if 'enabled' is true. - # - #secret: "provided-by-your-issuer" - - # The algorithm used to sign the JSON web token. - # - # Supported algorithms are listed at - # https://pyjwt.readthedocs.io/en/latest/algorithms.html - # - # Required if 'enabled' is true. - # - #algorithm: "provided-by-your-issuer" - - # The issuer to validate the "iss" claim against. - # - # Optional, if provided the "iss" claim will be required and - # validated for all JSON web tokens. - # - #issuer: "provided-by-your-issuer" - - # A list of audiences to validate the "aud" claim against. - # - # Optional, if provided the "aud" claim will be required and - # validated for all JSON web tokens. - # - # Note that if the "aud" claim is included in a JSON web token then - # validation will fail without configuring audiences. - # - #audiences: - # - "provided-by-your-issuer" - - -password_config: - # Uncomment to disable password login - # - #enabled: false - - # Uncomment to disable authentication against the local password - # database. This is ignored if `enabled` is false, and is only useful - # if you have other password_providers. - # - localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }} - - # Uncomment and change to a secret random string for extra security. - # DO NOT CHANGE THIS AFTER INITIAL SETUP! - # - pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} - - # Define and enforce a password policy. Each parameter is optional. - # This is an implementation of MSC2000. - # - policy: - # Whether to enforce the password policy. - # Defaults to 'false'. - # - #enabled: true - - # Minimum accepted length for a password. - # Defaults to 0. - # - #minimum_length: 15 - - # Whether a password must contain at least one digit. - # Defaults to 'false'. - # - #require_digit: true - - # Whether a password must contain at least one symbol. - # A symbol is any character that's not a number or a letter. - # Defaults to 'false'. - # - #require_symbol: true - - # Whether a password must contain at least one lowercase letter. - # Defaults to 'false'. - # - #require_lowercase: true - - # Whether a password must contain at least one lowercase letter. - # Defaults to 'false'. - # - #require_uppercase: true - -ui_auth: - # The amount of time to allow a user-interactive authentication session - # to be active. - # - # This defaults to 0, meaning the user is queried for their credentials - # before every action, but this can be overridden to allow a single - # validation to be re-used. This weakens the protections afforded by - # the user-interactive authentication process, by allowing for multiple - # (and potentially different) operations to use the same validation session. - # - # This is ignored for potentially "dangerous" operations (including - # deactivating an account, modifying an account password, and - # adding a 3PID). - # - # Uncomment below to allow for credential validation to last for 15 - # seconds. - # - #session_timeout: "15s" - - -{% if matrix_synapse_email_enabled %} -# Configuration for sending emails from Synapse. -# -email: - # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. - # - #smtp_host: mail.server - smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} - - # The port on the mail server for outgoing SMTP. Defaults to 25. - # - #smtp_port: 587 - smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} - - # Username/password for authentication to the SMTP server. By default, no - # authentication is attempted. - # - #smtp_user: "exampleusername" - #smtp_pass: "examplepassword" - - # Uncomment the following to require TLS transport security for SMTP. - # By default, Synapse will connect over plain text, and will then switch to - # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, - # Synapse will refuse to connect unless the server supports STARTTLS. - # - #require_transport_security: true - require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} - - # Enable sending emails for messages that the user has missed - # - #enable_notifs: false - enable_notifs: true - - # notif_from defines the "From" address to use when sending emails. - # It must be set if email sending is enabled. - # - # The placeholder '%(app)s' will be replaced by the application name, - # which is normally 'app_name' (below), but may be overridden by the - # Matrix client application. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - #notif_from: "Your Friendly %(app)s homeserver " - notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} - - # app_name defines the default value for '%(app)s' in notif_from and email - # subjects. It defaults to 'Matrix'. - # - #app_name: my_branded_matrix_server - app_name: Matrix - - # Uncomment the following to disable automatic subscription to email - # notifications for new users. Enabled by default. - # - #notif_for_new_users: false - notif_for_new_users: True - - # Custom URL for client links within the email notifications. By default - # links will be based on "https://matrix.to". - # - # (This setting used to be called riot_base_url; the old name is still - # supported for backwards-compatibility but is now deprecated.) - # - #client_base_url: "http://localhost/riot" - client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }} - - # Configure the time that a validation email will expire after sending. - # Defaults to 1h. - # - #validation_token_lifetime: 15m - - # Directory in which Synapse will try to find the template files below. - # If not set, or the files named below are not found within the template - # directory, default templates from within the Synapse package will be used. - # - # Synapse will look for the following templates in this directory: - # - # * The contents of email notifications of missed events: 'notif_mail.html' and - # 'notif_mail.txt'. - # - # * The contents of account expiry notice emails: 'notice_expiry.html' and - # 'notice_expiry.txt'. - # - # * The contents of password reset emails sent by the homeserver: - # 'password_reset.html' and 'password_reset.txt' - # - # * An HTML page that a user will see when they follow the link in the password - # reset email. The user will be asked to confirm the action before their - # password is reset: 'password_reset_confirmation.html' - # - # * HTML pages for success and failure that a user will see when they confirm - # the password reset flow using the page above: 'password_reset_success.html' - # and 'password_reset_failure.html' - # - # * The contents of address verification emails sent during registration: - # 'registration.html' and 'registration.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in an address verification email sent during registration: - # 'registration_success.html' and 'registration_failure.html' - # - # * The contents of address verification emails sent when an address is added - # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' - # - # * HTML pages for success and failure that a user will see when they follow - # the link in an address verification email sent when an address is added - # to a Matrix account: 'add_threepid_success.html' and - # 'add_threepid_failure.html' - # - # You can see the default templates at: - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates - # - #template_dir: "res/templates" - - # Subjects to use when sending emails from Synapse. - # - # The placeholder '%(app)s' will be replaced with the value of the 'app_name' - # setting above, or by a value dictated by the Matrix client application. - # - # If a subject isn't overridden in this configuration file, the value used as - # its example will be used. - # - #subjects: - - # Subjects for notification emails. - # - # On top of the '%(app)s' placeholder, these can use the following - # placeholders: - # - # * '%(person)s', which will be replaced by the display name of the user(s) - # that sent the message(s), e.g. "Alice and Bob". - # * '%(room)s', which will be replaced by the name of the room the - # message(s) have been sent to, e.g. "My super room". - # - # See the example provided for each setting to see which placeholder can be - # used and how to use them. - # - # Subject to use to notify about one message from one or more user(s) in a - # room which has a name. - #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..." - # - # Subject to use to notify about one message from one or more user(s) in a - # room which doesn't have a name. - #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..." - # - # Subject to use to notify about multiple messages from one or more users in - # a room which doesn't have a name. - #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..." - # - # Subject to use to notify about multiple messages in a room which has a - # name. - #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..." - # - # Subject to use to notify about multiple messages in multiple rooms. - #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..." - # - # Subject to use to notify about multiple messages from multiple persons in - # multiple rooms. This is similar to the setting above except it's used when - # the room in which the notification was triggered has no name. - #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..." - # - # Subject to use to notify about an invite to a room which has a name. - #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..." - # - # Subject to use to notify about an invite to a room which doesn't have a - # name. - #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..." - - # Subject for emails related to account administration. - # - # On top of the '%(app)s' placeholder, these one can use the - # '%(server_name)s' placeholder, which will be replaced by the value of the - # 'server_name' setting in your Synapse configuration. - # - # Subject to use when sending a password reset email. - #password_reset: "[%(server_name)s] Password reset" - # - # Subject to use when sending a verification email to assert an address's - # ownership. - #email_validation: "[%(server_name)s] Validate your email" -{% endif %} - -# Password providers allow homeserver administrators to integrate -# their Synapse installation with existing authentication methods -# ex. LDAP, external tokens, etc. -# -# For more information and known implementations, please see -# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md -# -# Note: instances wishing to use SAML or CAS authentication should -# instead use the `saml2_config` or `cas_config` options, -# respectively. -# -# password_providers: -# # Example config for an LDAP auth provider -# - module: "ldap_auth_provider.LdapAuthProvider" -# config: -# enabled: true -# uri: "ldap://ldap.example.com:389" -# start_tls: true -# base: "ou=users,dc=example,dc=com" -# attributes: -# uid: "cn" -# mail: "email" -# name: "givenName" -# #bind_dn: -# #bind_password: -# #filter: "(objectClass=posixAccount)" -{% if matrix_synapse_password_providers_enabled %} -password_providers: -{% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} - - module: "shared_secret_authenticator.SharedSecretAuthenticator" - config: - sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }} -{% endif %} -{% if matrix_synapse_ext_password_provider_rest_auth_enabled %} - - module: "rest_auth_provider.RestAuthProvider" - config: - endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|string|to_json }} - policy: - registration: - username: - enforceLowercase: {{ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase }} - profile: - name: {{ matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill }} - login: - profile: - name: {{ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill }} -{% endif %} -{% if matrix_synapse_ext_password_provider_ldap_enabled %} - - module: "ldap_auth_provider.LdapAuthProvider" - config: - enabled: true - uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} - start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} - base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} - active_directory: {{ matrix_synapse_ext_password_provider_ldap_active_directory|to_json }} - default_domain: {{ matrix_synapse_ext_password_provider_ldap_default_domain|string|to_json }} - attributes: - uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} - mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} - name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|string|to_json }} - bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|string|to_json }} - bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|string|to_json }} - filter: {{ matrix_synapse_ext_password_provider_ldap_filter|string|to_json }} -{% endif %} -{% endif %} - - -## Push ## - -push: - # Clients requesting push notifications can either have the body of - # the message sent in the notification poke along with other details - # like the sender, or just the event ID and room ID (`event_id_only`). - # If clients choose the former, this option controls whether the - # notification request includes the content of the event (other details - # like the sender are still included). For `event_id_only` push, it - # has no effect. - # - # For modern android devices the notification content will still appear - # because it is loaded by the app. iPhone, however will send a - # notification saying only that a message arrived and who it came from. - # - # The default value is "true" to include message details. Uncomment to only - # include the event ID and room ID in push notification payloads. - # - include_content: {{ matrix_synapse_push_include_content|to_json }} - - # When a push notification is received, an unread count is also sent. - # This number can either be calculated as the number of unread messages - # for the user, or the number of *rooms* the user has unread messages in. - # - # The default value is "true", meaning push clients will see the number of - # rooms with unread messages in them. Uncomment to instead send the number - # of unread messages. - # - #group_unread_count_by_room: false - - -# Spam checkers are third-party modules that can block specific actions -# of local users, such as creating rooms and registering undesirable -# usernames, as well as remote users by redacting incoming events. -# -# spam_checker: - #- module: "my_custom_project.SuperSpamChecker" - # config: - # example_option: 'things' - #- module: "some_other_project.BadEventStopper" - # config: - # example_stop_events_from: ['@bad:example.com'] -spam_checker: {{ matrix_synapse_spam_checker|to_json }} - - -## Rooms ## - -# Controls whether locally-created rooms should be end-to-end encrypted by -# default. -# -# Possible options are "all", "invite", and "off". They are defined as: -# -# * "all": any locally-created room -# * "invite": any room created with the "private_chat" or "trusted_private_chat" -# room creation presets -# * "off": this option will take no effect -# -# The default value is "off". -# -# Note that this option will only affect rooms created after it is set. It -# will also not affect rooms created by other servers. -# -#encryption_enabled_by_default_for_room_type: invite - - -# Uncomment to allow non-server-admin users to create groups on this server -# -enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }} - -# If enabled, non server admins can only create groups with local parts -# starting with this prefix -# -#group_creation_prefix: "unofficial_" - - - -# User Directory configuration -# -user_directory: - # Defines whether users can search the user directory. If false then - # empty responses are returned to all queries. Defaults to true. - # - # Uncomment to disable the user directory. - # - #enabled: false - - # Defines whether to search all users visible to your HS when searching - # the user directory, rather than limiting to users visible in public - # rooms. Defaults to false. - # - # If you set it true, you'll have to rebuild the user_directory search - # indexes, see: - # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md - # - # Uncomment to return search results containing all known users, even if that - # user does not share a room with the requester. - # - #search_all_users: true - - # Defines whether to prefer local users in search query results. - # If True, local users are more likely to appear above remote users - # when searching the user directory. Defaults to false. - # - # Uncomment to prefer local over remote users in user directory search - # results. - # - #prefer_local_users: true - - -# User Consent configuration -# -# for detailed instructions, see -# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md -# -# Parts of this section are required if enabling the 'consent' resource under -# 'listeners', in particular 'template_dir' and 'version'. -# -# 'template_dir' gives the location of the templates for the HTML forms. -# This directory should contain one subdirectory per language (eg, 'en', 'fr'), -# and each language directory should contain the policy document (named as -# '.html') and a success page (success.html). -# -# 'version' specifies the 'current' version of the policy document. It defines -# the version to be served by the consent resource if there is no 'v' -# parameter. -# -# 'server_notice_content', if enabled, will send a user a "Server Notice" -# asking them to consent to the privacy policy. The 'server_notices' section -# must also be configured for this to work. Notices will *not* be sent to -# guest users unless 'send_server_notice_to_guests' is set to true. -# -# 'block_events_error', if set, will block any attempts to send events -# until the user consents to the privacy policy. The value of the setting is -# used as the text of the error. -# -# 'require_at_registration', if enabled, will add a step to the registration -# process, similar to how captcha works. Users will be required to accept the -# policy before their account is created. -# -# 'policy_name' is the display name of the policy users will see when registering -# for an account. Has no effect unless `require_at_registration` is enabled. -# Defaults to "Privacy Policy". -# -#user_consent: -# template_dir: res/templates/privacy -# version: 1.0 -# server_notice_content: -# msgtype: m.text -# body: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# send_server_notice_to_guests: True -# block_events_error: >- -# To continue using this homeserver you must review and agree to the -# terms and conditions at %(consent_uri)s -# require_at_registration: False -# policy_name: Privacy Policy -# - - - -# Settings for local room and user statistics collection. See -# docs/room_and_user_statistics.md. -# -stats: - # Uncomment the following to disable room and user statistics. Note that doing - # so may cause certain features (such as the room directory) not to work - # correctly. - # - #enabled: false - - # The size of each timeslice in the room_stats_historical and - # user_stats_historical tables, as a time period. Defaults to "1d". - # - #bucket_size: 1h - - -# Server Notices room configuration -# -# Uncomment this section to enable a room which can be used to send notices -# from the server to users. It is a special room which cannot be left; notices -# come from a special "notices" user id. -# -# If you uncomment this section, you *must* define the system_mxid_localpart -# setting, which defines the id of the user which will be used to send the -# notices. -# -# It's also possible to override the room name, the display name of the -# "notices" user, and the avatar for the user. -# -#server_notices: -# system_mxid_localpart: notices -# system_mxid_display_name: "Server Notices" -# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" -# room_name: "Server Notices" - - - -# Uncomment to disable searching the public room list. When disabled -# blocks searching local and remote room lists for local and remote -# users by always returning an empty list for all queries. -# -#enable_room_list_search: false - -enable_room_list_search: {{ matrix_synapse_enable_room_list_search|to_json }} - -# The `alias_creation` option controls who's allowed to create aliases -# on this server. -# -# The format of this option is a list of rules that contain globs that -# match against user_id, room_id and the new alias (fully qualified with -# server name). The action in the first rule that matches is taken, -# which can currently either be "allow" or "deny". -# -# Missing user_id/room_id/alias fields default to "*". -# -# If no rules match the request is denied. An empty list means no one -# can create aliases. -# -# Options for the rules include: -# -# user_id: Matches against the creator of the alias -# alias: Matches against the alias being created -# room_id: Matches against the room ID the alias is being pointed at -# action: Whether to "allow" or "deny" the request if the rule matches -# -# The default is: -# -#alias_creation_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow - -alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }} - -# The `room_list_publication_rules` option controls who can publish and -# which rooms can be published in the public room list. -# -# The format of this option is the same as that for -# `alias_creation_rules`. -# -# If the room has one or more aliases associated with it, only one of -# the aliases needs to match the alias rule. If there are no aliases -# then only rules with `alias: *` match. -# -# If no rules match the request is denied. An empty list means no one -# can publish rooms. -# -# Options for the rules include: -# -# user_id: Matches against the creator of the alias -# room_id: Matches against the room ID being published -# alias: Matches against any current local or canonical aliases -# associated with the room -# action: Whether to "allow" or "deny" the request if the rule matches -# -# The default is: -# -#room_list_publication_rules: -# - user_id: "*" -# alias: "*" -# room_id: "*" -# action: allow - -room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }} - - -# Server admins can define a Python module that implements extra rules for -# allowing or denying incoming events. In order to work, this module needs to -# override the methods defined in synapse/events/third_party_rules.py. -# -# This feature is designed to be used in closed federations only, where each -# participating server enforces the same rules. -# -#third_party_event_rules: -# module: "my_custom_project.SuperRulesSet" -# config: -# example_option: 'things' - - -## Opentracing ## - -# These settings enable opentracing, which implements distributed tracing. -# This allows you to observe the causal chains of events across servers -# including requests, key lookups etc., across any server running -# synapse or any other other services which supports opentracing -# (specifically those implemented with Jaeger). -# -opentracing: - # tracing is disabled by default. Uncomment the following line to enable it. - # - #enabled: true - - # The list of homeservers we wish to send and receive span contexts and span baggage. - # See docs/opentracing.rst. - # - # This is a list of regexes which are matched against the server_name of the - # homeserver. - # - # By default, it is empty, so no servers are matched. - # - #homeserver_whitelist: - # - ".*" - - # A list of the matrix IDs of users whose requests will always be traced, - # even if the tracing system would otherwise drop the traces due to - # probabilistic sampling. - # - # By default, the list is empty. - # - #force_tracing_for_users: - # - "@user1:server_name" - # - "@user2:server_name" - - # Jaeger can be configured to sample traces at different rates. - # All configuration options provided by Jaeger can be set here. - # Jaeger's configuration is mostly related to trace sampling which - # is documented here: - # https://www.jaegertracing.io/docs/latest/sampling/. - # - #jaeger_config: - # sampler: - # type: const - # param: 1 - # logging: - # false - - -## Workers ## - -# Disables sending of outbound federation transactions on the main process. -# Uncomment if using a federation sender worker. -# -#send_federation: false - -# It is possible to run multiple federation sender workers, in which case the -# work is balanced across them. -# -# This configuration must be shared between all federation sender workers, and if -# changed all federation sender workers must be stopped at the same time and then -# started, to ensure that all instances are running with the same config (otherwise -# events may be dropped). -# -#federation_sender_instances: -# - federation_sender1 - -# When using workers this should be a map from `worker_name` to the -# HTTP replication listener of the worker, if configured. -# -#instance_map: -# worker1: -# host: localhost -# port: 8034 - -# Experimental: When using workers you can define which workers should -# handle event persistence and typing notifications. Any worker -# specified here must also be in the `instance_map`. -# -#stream_writers: -# events: worker1 -# typing: worker1 - -# The worker that is used to run background tasks (e.g. cleaning up expired -# data). If not provided this defaults to the main process. -# -#run_background_tasks_on: worker1 - -# A shared secret used by the replication APIs to authenticate HTTP requests -# from workers. -# -# By default this is unused and traffic is not authenticated. -# -#worker_replication_secret: "" - - -# Configuration for Redis when using workers. This *must* be enabled when -# using workers (unless using old style direct TCP configuration). -# -redis: - # Uncomment the below to enable Redis support. - # - enabled: {{ matrix_synapse_redis_enabled }} - - # Optional host and port to use to connect to redis. Defaults to - # localhost and 6379 - # - host: {{ matrix_synapse_redis_host }} - port: {{ matrix_synapse_redis_port }} - - # Optional password if configured on the Redis instance - # - password: {{ matrix_synapse_redis_password }} - - -# vim:ft=yaml diff --git a/roles/matrix-synapse/templates/synapse/synapse.log.config.j2 b/roles/matrix-synapse/templates/synapse/synapse.log.config.j2 deleted file mode 100644 index 09f07a2e..00000000 --- a/roles/matrix-synapse/templates/synapse/synapse.log.config.j2 +++ /dev/null @@ -1,36 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -version: 1 - -formatters: - precise: - format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' - -filters: - context: - (): synapse.util.logcontext.LoggingContextFilter - request: "" - -handlers: - console: - class: logging.StreamHandler - formatter: precise - filters: [context] - -loggers: - synapse: - level: {{ matrix_synapse_log_level }} - - synapse.storage.SQL: - # beware: increasing this to DEBUG will make synapse log sensitive - # information such as access tokens. - level: {{ matrix_synapse_storage_sql_log_level }} - -{% for logger in matrix_synapse_additional_loggers %} - {{ logger.name }}: - level: {{ logger.level }} -{% endfor %} - -root: - level: {{ matrix_synapse_root_log_level }} - handlers: [console] diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 deleted file mode 100644 index 6c90c9a3..00000000 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 +++ /dev/null @@ -1,64 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Synapse worker ({{ matrix_synapse_worker_container_name }}) -AssertPathExists={{ matrix_synapse_config_dir_path }}/{{ matrix_synapse_worker_config_file_name }} -After=matrix-synapse.service - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" - -ExecStartPre=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} -ExecStartPre=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} - -# Intentional delay, so that the homeserver can manage to start. -ExecStartPre={{ matrix_host_command_sleep }} 5 - -ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_worker_container_name }} \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - -e UID={{ matrix_user_uid }} \ - -e GID={{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ - {% if matrix_synapse_worker_details.port != 0 %} - --health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \ - {% else %} - --no-healthcheck \ - {% endif %} - {% if matrix_synapse_workers_enabled and matrix_synapse_workers_container_host_bind_address %} - {% if matrix_synapse_worker_details.port != 0 %} - -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ matrix_synapse_worker_details.port }}:{{ matrix_synapse_worker_details.port }} \ - {% endif %} - {% if matrix_synapse_worker_details.metrics_port != 0 %} - -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ matrix_synapse_worker_details.metrics_port }}:{{ matrix_synapse_worker_details.metrics_port }} \ - {% endif %} - {% endif %} - --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \ - --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ - {% for volume in matrix_synapse_container_additional_volumes %} - -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ - {% endfor %} - {% for arg in matrix_synapse_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_synapse_docker_image }} \ - run -m synapse.app.{{ matrix_synapse_worker_details.type }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }} - - -ExecStop=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} -ExecStop=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} - -ExecReload={{ matrix_host_command_docker }} exec {{ matrix_synapse_worker_container_name }} /bin/sh -c 'kill -HUP 1' -Restart=always -RestartSec=30 -SyslogIdentifier={{ matrix_synapse_worker_container_name }} - -# Intentionally not making this WantedBy=matrix-synapse.service, -# as matrix.synapse.service already has `Wants=` lines. -# Also, WantedBy will trigger the creation of some `matrix-synapse.service.wants/` directory, -# which we'd have to clean, etc. Better not. -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 deleted file mode 100644 index 2fbaac7b..00000000 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ /dev/null @@ -1,76 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Synapse server -{% for service in matrix_synapse_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} - -{% endfor %} -{% for service in matrix_synapse_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} - -{% if matrix_synapse_workers_enabled %} -{% for matrix_synapse_worker_details in matrix_synapse_workers_enabled_list %} -Wants=matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.port }}.service -{% endfor %} -{% endif %} - -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' -{% if matrix_s3_media_store_enabled %} -# Allow for some time before starting, so that media store can mount. -# Mounting can happen later too, but if we start writing, -# we'd write files to the local filesystem and fusermount will complain. -ExecStartPre={{ matrix_host_command_sleep }} 3 -{% endif %} - -ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --env=UID={{ matrix_user_uid }} \ - --env=GID={{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ - --network={{ matrix_docker_network }} \ - {% if matrix_synapse_container_client_api_host_bind_port %} - -p {{ matrix_synapse_container_client_api_host_bind_port }}:8008 \ - {% endif %} - {% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled and matrix_synapse_container_federation_api_tls_host_bind_port %} - -p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:8448 \ - {% endif %} - {% if matrix_synapse_federation_enabled and matrix_synapse_container_federation_api_plain_host_bind_port %} - -p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:8048 \ - {% endif %} - {% if matrix_synapse_metrics_enabled and matrix_synapse_container_metrics_api_host_bind_port %} - -p {{ matrix_synapse_container_metrics_api_host_bind_port }}:{{ matrix_synapse_metrics_port }} \ - {% endif %} - {% if matrix_synapse_manhole_enabled and matrix_synapse_container_manhole_api_host_bind_port %} - -p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \ - {% endif %} - --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \ - --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ - {% for volume in matrix_synapse_container_additional_volumes %} - -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ - {% endfor %} - {% for arg in matrix_synapse_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_synapse_docker_image }} \ - run -m synapse.app.homeserver -c /data/homeserver.yaml - -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' -ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' -ExecReload={{ matrix_host_command_docker }} exec matrix-synapse /bin/sh -c 'kill -HUP 1' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-synapse - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 deleted file mode 100644 index 456c0667..00000000 --- a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 +++ /dev/null @@ -1,17 +0,0 @@ -#jinja2: lstrip_blocks: "True" -#!/bin/bash - -if [ $# -ne 3 ]; then - echo "Usage: "$0" " - exit 1 -fi - -user=$1 -password=$2 -admin=$3 - -if [ "$admin" -eq "1" ]; then - docker exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --admin http://localhost:8008 -else - docker exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --no-admin http://localhost:8008 -fi diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 deleted file mode 100644 index 36ae5a7e..00000000 --- a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 +++ /dev/null @@ -1,45 +0,0 @@ -#jinja2: lstrip_blocks: "True" -worker_app: synapse.app.{{ matrix_synapse_worker_details.type }} -worker_name: {{ matrix_synapse_worker_details.type ~ ':' ~ matrix_synapse_worker_details.port }} - -{% if matrix_synapse_replication_listener_enabled %} -worker_replication_host: matrix-synapse -worker_replication_http_port: {{ matrix_synapse_replication_http_port }} -{% endif %} - -{% set has_listeners = (matrix_synapse_worker_details.type not in [ 'appservice', 'federation_sender', 'pusher' ] or matrix_synapse_metrics_enabled) %} - -{% set http_resources = [] %} - -{% if matrix_synapse_worker_details.type in ['generic_worker', 'frontend_proxy', 'user_dir'] %} - {% set http_resources = http_resources + ['client'] %} -{% endif %} -{% if matrix_synapse_worker_details.type in ['generic_worker'] %} - {% set http_resources = http_resources+ ['federation'] %} -{% endif %} -{% if matrix_synapse_worker_details.type in ['media_repository'] %} - {% set http_resources = http_resources + ['media'] %} -{% endif %} - -{% if http_resources|length > 0 or matrix_synapse_metrics_enabled %} -worker_listeners: -{% if http_resources|length > 0 %} - - type: http - bind_addresses: ['::'] - port: {{ matrix_synapse_worker_details.port }} - resources: - - names: {{ http_resources|to_json }} -{% endif %} -{% if matrix_synapse_metrics_enabled %} - - type: metrics - bind_addresses: ['0.0.0.0'] - port: {{ matrix_synapse_worker_details.metrics_port }} -{% endif %} -{% endif %} - -{% if matrix_synapse_worker_details.type == 'frontend_proxy' %} -worker_main_http_uri: http://matrix-synapse:8008 -{% endif %} - -worker_daemonize: false -worker_log_config: /data/{{ matrix_server_fqn_matrix }}.log.config diff --git a/roles/matrix-synapse/vars/main.yml b/roles/matrix-synapse/vars/main.yml deleted file mode 100644 index 5839aa81..00000000 --- a/roles/matrix-synapse/vars/main.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- - -matrix_synapse_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" -matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" - -# Tells whether this role had executed or not. Toggled to `true` during runtime. -matrix_synapse_role_executed: false - -matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}" - -# A Synapse generic worker can handle both federation and client-server API endpoints. -# We wish to split these, as we normally serve federation separately and don't want them mixed up. -# -# This is some ugly Ansible/Jinja2 hack (seen here: https://stackoverflow.com/a/47831492), -# which takes a list of various strings and removes the ones NOT containing `/_matrix/client` anywhere in them. -# -# We intentionally don't do a diff between everything possible (`matrix_synapse_workers_generic_worker_endpoints`) and `matrix_synapse_workers_generic_worker_federation_endpoints`, -# because `matrix_synapse_workers_generic_worker_endpoints` also contains things like `/_synapse/client/`, etc. -# While /_synapse/client/ endpoints are somewhat client-server API-related, they're: -# - neither part of the client-server API spec (and are thus, different) -# - nor always OK to forward to a worker (we're supposed to obey `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled`) -# -# It's also not too many of these APIs (only `^/_synapse/client/password_reset/email/submit_token$` at the time of this writing / 2021-01-24), -# so it's not that important whether we forward them or not. -# -# Basically, we aim to cover most things. Skipping `/_synapse/client` or a few other minor things doesn't matter too much. -matrix_synapse_workers_generic_worker_client_server_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) | map('regex_search', '.*/_matrix/client.*')| list | difference([none]) }}" - -# A Synapse generic worker can handle both federation and client-server API endpoints. -# We wish to split these, as we normally serve federation separately and don't want them mixed up. -# -# This is some ugly Ansible/Jinja2 hack (seen here: https://stackoverflow.com/a/47831492), -# which takes a list of various strings and removes the ones NOT containing `/_matrix/federation` or `/_matrix/key` anywhere in them. -matrix_synapse_workers_generic_worker_federation_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) | map('regex_search', '.*(/_matrix/federation|/_matrix/key).*')| list | difference([none]) }}" diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml deleted file mode 100644 index 1f817c8e..00000000 --- a/roles/matrix-synapse/vars/workers.yml +++ /dev/null @@ -1,322 +0,0 @@ ---- - -matrix_synapse_workers_generic_worker_endpoints: - # This worker can handle API requests matching the following regular - # expressions: - - # Sync requests - - ^/_matrix/client/(v2_alpha|r0)/sync$ - - ^/_matrix/client/(api/v1|v2_alpha|r0)/events$ - - ^/_matrix/client/(api/v1|r0)/initialSync$ - - ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ - - # Federation requests - - ^/_matrix/federation/v1/event/ - - ^/_matrix/federation/v1/state/ - - ^/_matrix/federation/v1/state_ids/ - - ^/_matrix/federation/v1/backfill/ - - ^/_matrix/federation/v1/get_missing_events/ - - ^/_matrix/federation/v1/publicRooms - - ^/_matrix/federation/v1/query/ - - ^/_matrix/federation/v1/make_join/ - - ^/_matrix/federation/v1/make_leave/ - - ^/_matrix/federation/v1/send_join/ - - ^/_matrix/federation/v2/send_join/ - - ^/_matrix/federation/v1/send_leave/ - - ^/_matrix/federation/v2/send_leave/ - - ^/_matrix/federation/v1/invite/ - - ^/_matrix/federation/v2/invite/ - - ^/_matrix/federation/v1/query_auth/ - - ^/_matrix/federation/v1/event_auth/ - - ^/_matrix/federation/v1/exchange_third_party_invite/ - - ^/_matrix/federation/v1/user/devices/ - - ^/_matrix/federation/v1/get_groups_publicised$ - - ^/_matrix/key/v2/query - - # Inbound federation transaction request - - ^/_matrix/federation/v1/send/ - - # Client API requests - - ^/_matrix/client/(api/v1|r0|unstable)/publicRooms$ - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members$ - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$ - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$ - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$ - - ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$ - - ^/_matrix/client/(api/v1|r0|unstable)/devices$ - - ^/_matrix/client/(api/v1|r0|unstable)/keys/query$ - - ^/_matrix/client/(api/v1|r0|unstable)/keys/changes$ - - ^/_matrix/client/versions$ - - ^/_matrix/client/(api/v1|r0|unstable)/voip/turnServer$ - - ^/_matrix/client/(api/v1|r0|unstable)/joined_groups$ - - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$ - - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/ - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/event/ - - ^/_matrix/client/(api/v1|r0|unstable)/joined_rooms$ - - ^/_matrix/client/(api/v1|r0|unstable)/search$ - - # Registration/login requests - - ^/_matrix/client/(api/v1|r0|unstable)/login$ - - ^/_matrix/client/(r0|unstable)/register$ - - # Event sending requests - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/redact - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/ - - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ - - ^/_matrix/client/(api/v1|r0|unstable)/join/ - - ^/_matrix/client/(api/v1|r0|unstable)/profile/ - - - # Additionally, the following REST endpoints can be handled for GET requests: - - # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_matrix/federation/v1/groups/ - - # Pagination requests can also be handled, but all requests for a given - # room must be routed to the same instance. Additionally, care must be taken to - # ensure that the purge history admin API is not used while pagination requests - # for the room are in flight: - - # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/messages$ - - # Additionally, the following endpoints should be included if Synapse is configured - # to use SSO (you only need to include the ones for whichever SSO provider you're - # using): - - # for all SSO providers - # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_matrix/client/(api/v1|r0|unstable)/login/sso/redirect - # ^/_synapse/client/pick_idp$ - # ^/_synapse/client/pick_username - # ^/_synapse/client/new_user_consent$ - # ^/_synapse/client/sso_register$ - - # OpenID Connect requests. - # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_synapse/client/oidc/callback$ - - # SAML requests. - # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_synapse/client/saml2/authn_response$ - - # CAS requests. - # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_matrix/client/(api/v1|r0|unstable)/login/cas/ticket$ - - # Ensure that all SSO logins go to a single process. - # For multiple workers not handling the SSO endpoints properly, see - # [#7530](https://github.com/matrix-org/synapse/issues/7530) and - # [#9427](https://github.com/matrix-org/synapse/issues/9427). - - # Note that a HTTP listener with `client` and `federation` resources must be - # configured in the `worker_listeners` option in the worker config. - - # #### Load balancing - - # It is possible to run multiple instances of this worker app, with incoming requests - # being load-balanced between them by the reverse-proxy. However, different endpoints - # have different characteristics and so admins - # may wish to run multiple groups of workers handling different endpoints so that - # load balancing can be done in different ways. - - # For `/sync` and `/initialSync` requests it will be more efficient if all - # requests from a particular user are routed to a single instance. Extracting a - # user ID from the access token or `Authorization` header is currently left as an - # exercise for the reader. Admins may additionally wish to separate out `/sync` - # requests that have a `since` query parameter from those that don't (and - # `/initialSync`), as requests that don't are known as "initial sync" that happens - # when a user logs in on a new device and can be *very* resource intensive, so - # isolating these requests will stop them from interfering with other users ongoing - # syncs. - - # Federation and client requests can be balanced via simple round robin. - - # The inbound federation transaction request `^/_matrix/federation/v1/send/` - # should be balanced by source IP so that transactions from the same remote server - # go to the same process. - - # Registration/login requests can be handled separately purely to help ensure that - # unexpected load doesn't affect new logins and sign ups. - - # Finally, event sending requests can be balanced by the room ID in the URI (or - # the full URI, or even just round robin), the room ID is the path component after - # `/rooms/`. If there is a large bridge connected that is sending or may send lots - # of events, then a dedicated set of workers can be provisioned to limit the - # effects of bursts of events from that bridge on events sent by normal users. - - # #### Stream writers - - # Additionally, there is *experimental* support for moving writing of specific - # streams (such as events) off of the main process to a particular worker. (This - # is only supported with Redis-based replication.) - - # Currently supported streams are `events` and `typing`. - - # To enable this, the worker must have a HTTP replication listener configured, - # have a `worker_name` and be listed in the `instance_map` config. For example to - # move event persistence off to a dedicated worker, the shared configuration would - # include: - - # ```yaml - # instance_map: - # event_persister1: - # host: localhost - # port: 8034 - - # stream_writers: - # events: event_persister1 - # ``` - - # The `events` stream also experimentally supports having multiple writers, where - # work is sharded between them by room ID. Note that you *must* restart all worker - # instances when adding or removing event persisters. An example `stream_writers` - # configuration with multiple writers: - - # ```yaml - # stream_writers: - # events: - # - event_persister1 - # - event_persister2 - # ``` - - # #### Background tasks - - # There is also *experimental* support for moving background tasks to a separate - # worker. Background tasks are run periodically or started via replication. Exactly - # which tasks are configured to run depends on your Synapse configuration (e.g. if - # stats is enabled). - - # To enable this, the worker must have a `worker_name` and can be configured to run - # background tasks. For example, to move background tasks to a dedicated worker, - # the shared configuration would include: - - # ```yaml - # run_background_tasks_on: background_worker - # ``` - - # You might also wish to investigate the `update_user_directory` and - # `media_instance_running_background_jobs` settings. - -# pusher worker (no API endpoints) [ - # Handles sending push notifications to sygnal and email. Doesn't handle any - # REST endpoints itself, but you should set `start_pushers: False` in the - # shared configuration file to stop the main synapse sending push notifications. - - # To run multiple instances at once the `pusher_instances` option should list all - # pusher instances by their worker name, e.g.: - - # ```yaml - # pusher_instances: - # - pusher_worker1 - # - pusher_worker2 - # ``` - -# ] - -# appservice worker (no API endpoints) [ - # Handles sending output traffic to Application Services. Doesn't handle any - # REST endpoints itself, but you should set `notify_appservices: False` in the - # shared configuration file to stop the main synapse sending appservice notifications. - - # Note this worker cannot be load-balanced: only one instance should be active. - -# ] - -# federation_sender worker (no API endpoints) [ - # Handles sending federation traffic to other servers. Doesn't handle any - # REST endpoints itself, but you should set `send_federation: False` in the - # shared configuration file to stop the main synapse sending this traffic. - - # If running multiple federation senders then you must list each - # instance in the `federation_sender_instances` option by their `worker_name`. - # All instances must be stopped and started when adding or removing instances. - # For example: - - # ```yaml - # federation_sender_instances: - # - federation_sender1 - # - federation_sender2 - # ``` -# ] - -matrix_synapse_workers_media_repository_endpoints: - # Handles the media repository. It can handle all endpoints starting with: - - - ^/_matrix/media/ - - # ... and the following regular expressions matching media-specific administration APIs: - - - ^/_synapse/admin/v1/purge_media_cache$ - - ^/_synapse/admin/v1/room/.*/media.*$ - - ^/_synapse/admin/v1/user/.*/media.*$ - - ^/_synapse/admin/v1/media/.*$ - - ^/_synapse/admin/v1/quarantine_media/.*$ - - # You should also set `enable_media_repo: False` in the shared configuration - # file to stop the main synapse running background jobs related to managing the - # media repository. - - # In the `media_repository` worker configuration file, configure the http listener to - # expose the `media` resource. For example: - - # ```yaml - # worker_listeners: - # - type: http - # port: 8085 - # resources: - # - names: - # - media - # ``` - - # Note that if running multiple media repositories they must be on the same server - # and you must configure a single instance to run the background tasks, e.g.: - - # ```yaml - # media_instance_running_background_jobs: "media-repository-1" - # ``` - - # Note that if a reverse proxy is used , then `/_matrix/media/` must be routed for both inbound client and federation requests (if they are handled separately). - -matrix_synapse_workers_user_dir_endpoints: - # Handles searches in the user directory. It can handle REST endpoints matching - # the following regular expressions: - - - ^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$ - - # When using this worker you must also set `update_user_directory: False` in the - # shared configuration file to stop the main synapse running background - # jobs related to updating the user directory. - -matrix_synapse_workers_frontend_proxy_endpoints: - # Proxies some frequently-requested client endpoints to add caching and remove - # load from the main synapse. It can handle REST endpoints matching the following - # regular expressions: - - - ^/_matrix/client/(api/v1|r0|unstable)/keys/upload - - # If `use_presence` is False in the homeserver config, it can also handle REST - # endpoints matching the following regular expressions: - - # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually - # ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status - - # This "stub" presence handler will pass through `GET` request but make the - # `PUT` effectively a no-op. - - # It will proxy any requests it cannot handle to the main synapse instance. It - # must therefore be configured with the location of the main instance, via - # the `worker_main_http_uri` setting in the `frontend_proxy` worker configuration - # file. For example: - - # worker_main_http_uri: http://127.0.0.1:8008 - -matrix_synapse_workers_avail_list: - - appservice - - federation_sender - - frontend_proxy - - generic_worker - - media_repository - - pusher - - user_dir diff --git a/setup.yml b/setup.yml deleted file mode 100755 index 142364c4..00000000 --- a/setup.yml +++ /dev/null @@ -1,58 +0,0 @@ ---- -- name: "Set up a Matrix server" - hosts: "{{ target if target is defined else 'matrix_servers' }}" - become: true - - vars_files: - - roles/matrix-synapse/vars/workers.yml - - roles: - - matrix-awx - - matrix-base - - matrix-dynamic-dns - - matrix-mailer - - matrix-postgres - - matrix-redis - - matrix-corporal - - matrix-bridge-appservice-discord - - matrix-bridge-appservice-slack - - matrix-bridge-appservice-webhooks - - matrix-bridge-appservice-irc - - matrix-bridge-mautrix-facebook - - matrix-bridge-mautrix-hangouts - - matrix-bridge-mautrix-instagram - - matrix-bridge-mautrix-signal - - matrix-bridge-mautrix-telegram - - matrix-bridge-mautrix-whatsapp - - matrix-bridge-mx-puppet-discord - - matrix-bridge-mx-puppet-groupme - - matrix-bridge-mx-puppet-steam - - matrix-bridge-mx-puppet-skype - - matrix-bridge-mx-puppet-slack - - matrix-bridge-mx-puppet-twitter - - matrix-bridge-mx-puppet-instagram - - matrix-bridge-sms - - matrix-bridge-heisenbridge - - matrix-bot-matrix-reminder-bot - - matrix-bot-go-neb - - matrix-bot-mjolnir - - matrix-synapse - - matrix-synapse-admin - - matrix-prometheus-node-exporter - - matrix-prometheus - - matrix-grafana - - matrix-registration - - matrix-client-element - - matrix-client-hydrogen - - matrix-jitsi - - matrix-ma1sd - - matrix-dimension - - matrix-etherpad - - matrix-email2matrix - - matrix-sygnal - - matrix-nginx-proxy - - matrix-coturn - - matrix-aux - - matrix-postgres-backup - - matrix-prometheus-postgres-exporter - - matrix-common-after \ No newline at end of file From 86e464957892897eca166920093109099ae6c134 Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Thu, 15 Jul 2021 12:47:00 +0800 Subject: [PATCH 2334/2384] GoMatrixHosting v0.5.5 --- roles/matrix-bot-go-neb/defaults/main.yml | 231 ++ roles/matrix-bot-go-neb/tasks/init.yml | 3 + roles/matrix-bot-go-neb/tasks/main.yml | 21 + .../matrix-bot-go-neb/tasks/setup_install.yml | 50 + .../tasks/setup_uninstall.yml | 35 + .../tasks/validate_config.yml | 13 + .../templates/config.yaml.j2 | 44 + .../systemd/matrix-bot-go-neb.service.j2 | 49 + .../defaults/main.yml | 47 + .../matrix-bridge-heisenbridge/tasks/init.yml | 24 + .../matrix-bridge-heisenbridge/tasks/main.yml | 15 + .../tasks/setup_install.yml | 38 + .../tasks/setup_uninstall.yml | 24 + .../systemd/matrix-heisenbridge.service.j2 | 51 + .../matrix-client-hydrogen/defaults/main.yml | 68 + roles/matrix-client-hydrogen/tasks/init.yml | 10 + roles/matrix-client-hydrogen/tasks/main.yml | 15 + .../tasks/self_check.yml | 22 + roles/matrix-client-hydrogen/tasks/setup.yml | 119 + .../tasks/validate_config.yml | 9 + .../templates/config.json.j2 | 3 + .../templates/nginx.conf.j2 | 66 + .../systemd/matrix-client-hydrogen.service.j2 | 39 + roles/matrix-dynamic-dns/defaults/main.yml | 48 + roles/matrix-dynamic-dns/tasks/init.yml | 10 + roles/matrix-dynamic-dns/tasks/install.yml | 62 + roles/matrix-dynamic-dns/tasks/main.yml | 21 + roles/matrix-dynamic-dns/tasks/uninstall.yml | 27 + .../tasks/validate_config.yml | 16 + .../templates/ddclient.conf.j2 | 26 + .../systemd/matrix-dynamic-dns.service.j2 | 36 + roles/matrix-email2matrix/defaults/main.yml | 44 + roles/matrix-email2matrix/tasks/init.yml | 3 + roles/matrix-email2matrix/tasks/main.yml | 15 + .../tasks/setup_email2matrix.yml | 88 + .../tasks/validate_config.yml | 7 + .../templates/config.json.j2 | 14 + .../systemd/matrix-email2matrix.service.j2 | 34 + roles/matrix-etherpad/defaults/main.yml | 87 + roles/matrix-etherpad/tasks/init.yml | 62 + roles/matrix-etherpad/tasks/main.yml | 21 + roles/matrix-etherpad/tasks/setup_install.yml | 36 + .../matrix-etherpad/tasks/setup_uninstall.yml | 35 + .../matrix-etherpad/tasks/validate_config.yml | 11 + .../templates/settings.json.j2 | 105 + .../systemd/matrix-etherpad.service.j2 | 44 + roles/matrix-grafana/defaults/main.yml | 59 + roles/matrix-grafana/tasks/init.yml | 5 + roles/matrix-grafana/tasks/main.yml | 14 + roles/matrix-grafana/tasks/setup.yml | 110 + .../matrix-grafana/tasks/validate_config.yml | 7 + .../templates/dashboards.yaml.j2 | 9 + .../templates/datasources.yaml.j2 | 8 + roles/matrix-grafana/templates/grafana.ini.j2 | 31 + .../systemd/matrix-grafana.service.j2 | 43 + roles/matrix-jitsi/defaults/main.yml | 261 ++ roles/matrix-jitsi/tasks/init.yml | 3 + roles/matrix-jitsi/tasks/main.yml | 39 + roles/matrix-jitsi/tasks/setup_jitsi_base.yml | 20 + .../matrix-jitsi/tasks/setup_jitsi_jicofo.yml | 93 + roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 93 + .../tasks/setup_jitsi_prosody.yml | 84 + roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 95 + roles/matrix-jitsi/tasks/validate_config.yml | 43 + roles/matrix-jitsi/templates/jicofo/env.j2 | 17 + .../templates/jicofo/logging.properties.j2 | 20 + .../jicofo/matrix-jitsi-jicofo.service.j2 | 33 + .../jicofo/sip-communicator.properties.j2 | 9 + .../jvb/custom-sip-communicator.properties.j2 | 7 + roles/matrix-jitsi/templates/jvb/env.j2 | 20 + .../templates/jvb/logging.properties.j2 | 13 + .../templates/jvb/matrix-jitsi-jvb.service.j2 | 42 + roles/matrix-jitsi/templates/prosody/env.j2 | 49 + .../prosody/matrix-jitsi-prosody.service.j2 | 37 + .../templates/web/custom-config.js.j2 | 18 + roles/matrix-jitsi/templates/web/env.j2 | 42 + .../templates/web/interface_config.js.j2 | 295 ++ .../templates/web/matrix-jitsi-web.service.j2 | 37 + roles/matrix-ma1sd/defaults/main.yml | 163 + roles/matrix-ma1sd/tasks/init.yml | 10 + roles/matrix-ma1sd/tasks/main.yml | 28 + roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 72 + roles/matrix-ma1sd/tasks/self_check_ma1sd.yml | 22 + roles/matrix-ma1sd/tasks/setup_install.yml | 167 + roles/matrix-ma1sd/tasks/setup_uninstall.yml | 35 + roles/matrix-ma1sd/tasks/validate_config.yml | 67 + roles/matrix-ma1sd/templates/ma1sd.yaml.j2 | 104 + .../templates/systemd/matrix-ma1sd.service.j2 | 48 + roles/matrix-ma1sd/vars/main.yml | 5 + roles/matrix-mailer/defaults/main.yml | 31 + roles/matrix-mailer/tasks/init.yml | 10 + roles/matrix-mailer/tasks/main.yml | 9 + roles/matrix-mailer/tasks/setup_mailer.yml | 107 + roles/matrix-mailer/templates/env-mailer.j2 | 9 + .../systemd/matrix-mailer.service.j2 | 37 + roles/matrix-nginx-proxy/defaults/main.yml | 487 +++ roles/matrix-nginx-proxy/tasks/init.yml | 8 + roles/matrix-nginx-proxy/tasks/main.yml | 38 + .../tasks/self_check_well_known.yml | 30 + .../tasks/self_check_well_known_file.yml | 73 + .../tasks/setup_nginx_proxy.yml | 272 ++ .../tasks/setup_well_known.yml | 24 + roles/matrix-nginx-proxy/tasks/ssl/main.yml | 31 + .../tasks/ssl/setup_ssl_lets_encrypt.yml | 64 + ...tup_ssl_lets_encrypt_obtain_for_domain.yml | 91 + .../tasks/ssl/setup_ssl_manually_managed.yml | 8 + ...ssl_manually_managed_verify_for_domain.yml | 23 + .../tasks/ssl/setup_ssl_self_signed.yml | 32 + ...etup_ssl_self_signed_obtain_for_domain.yml | 42 + .../tasks/validate_config.yml | 47 + .../nginx/conf.d/matrix-base-domain.conf.j2 | 95 + .../nginx/conf.d/matrix-bot-go-neb.conf.j2 | 95 + .../conf.d/matrix-client-element.conf.j2 | 104 + .../conf.d/matrix-client-hydrogen.conf.j2 | 102 + .../nginx/conf.d/matrix-dimension.conf.j2 | 98 + .../nginx/conf.d/matrix-domain.conf.j2 | 293 ++ .../nginx/conf.d/matrix-grafana.conf.j2 | 106 + .../nginx/conf.d/matrix-jitsi.conf.j2 | 140 + .../nginx/conf.d/matrix-riot-web.conf.j2 | 87 + .../nginx/conf.d/matrix-sygnal.conf.j2 | 97 + .../nginx/conf.d/matrix-synapse.conf.j2 | 231 ++ .../templates/nginx/conf.d/nginx-http.conf.j2 | 14 + .../nginx/matrix-synapse-metrics-htpasswd.j2 | 3 + .../templates/nginx/nginx.conf.j2 | 61 + .../systemd/matrix-nginx-proxy.service.j2 | 58 + ...lets-encrypt-certificates-renew.service.j2 | 7 + ...l-lets-encrypt-certificates-renew.timer.j2 | 10 + .../matrix-ssl-nginx-proxy-reload.service.j2 | 6 + .../matrix-ssl-nginx-proxy-reload.timer.j2 | 10 + ...rix-ssl-lets-encrypt-certificates-renew.j2 | 31 + roles/matrix-nginx-proxy/vars/main.yml | 18 + roles/matrix-postgres/defaults/main.yml | 95 + .../tasks/import_generic_sqlite_db.yml | 97 + .../matrix-postgres/tasks/import_postgres.yml | 106 + .../tasks/import_synapse_sqlite_db.yml | 86 + roles/matrix-postgres/tasks/init.yml | 3 + roles/matrix-postgres/tasks/main.yml | 43 + .../tasks/migrate_postgres_data_directory.yml | 72 + roles/matrix-postgres/tasks/run_vacuum.yml | 90 + .../matrix-postgres/tasks/setup_postgres.yml | 197 ++ .../tasks/upgrade_postgres.yml | 172 + .../tasks/util/create_additional_database.yml | 40 + .../util/create_additional_databases.yml | 23 + .../util/detect_existing_postgres_version.yml | 56 + .../tasks/util/migrate_db_to_postgres.yml | 169 + .../matrix-postgres/tasks/validate_config.yml | 39 + .../templates/env-postgres-psql.j2 | 4 + .../templates/env-postgres-server.j2 | 7 + .../init-additional-db-user-and-role.sql.j2 | 19 + .../systemd/matrix-postgres.service.j2 | 41 + .../matrix-change-user-admin-status.j2 | 19 + .../usr-local-bin/matrix-postgres-cli.j2 | 13 + ...trix-postgres-update-user-password-hash.j2 | 16 + .../defaults/main.yml | 34 + .../tasks/init.yml | 5 + .../tasks/main.yml | 8 + .../tasks/setup.yml | 54 + ...matrix-prometheus-node-exporter.service.j2 | 44 + .../defaults/main.yml | 49 + .../tasks/init.yml | 5 + .../tasks/main.yml | 8 + .../tasks/setup.yml | 54 + ...ix-prometheus-postgres-exporter.service.j2 | 42 + roles/matrix-prometheus/defaults/main.yml | 67 + roles/matrix-prometheus/tasks/init.yml | 5 + roles/matrix-prometheus/tasks/main.yml | 21 + .../matrix-prometheus/tasks/setup_install.yml | 50 + .../tasks/setup_uninstall.yml | 25 + .../tasks/validate_config.yml | 7 + .../templates/prometheus.yml.j2 | 59 + .../systemd/matrix-prometheus.service.j2 | 43 + roles/matrix-redis/defaults/main.yml | 22 + roles/matrix-redis/tasks/init.yml | 3 + roles/matrix-redis/tasks/main.yml | 9 + roles/matrix-redis/tasks/setup_redis.yml | 99 + roles/matrix-redis/templates/redis.conf.j2 | 4 + .../templates/systemd/matrix-redis.service.j2 | 37 + roles/matrix-registration/defaults/main.yml | 116 + .../tasks/generate_token.yml | 50 + roles/matrix-registration/tasks/init.yml | 68 + .../matrix-registration/tasks/list_tokens.yml | 29 + roles/matrix-registration/tasks/main.yml | 31 + .../tasks/setup_install.yml | 101 + .../tasks/setup_uninstall.yml | 30 + .../tasks/validate_config.yml | 20 + .../templates/config.yaml.j2 | 31 + .../systemd/matrix-registration.service.j2 | 42 + roles/matrix-sygnal/defaults/main.yml | 95 + roles/matrix-sygnal/tasks/init.yml | 3 + roles/matrix-sygnal/tasks/main.yml | 21 + roles/matrix-sygnal/tasks/setup_install.yml | 73 + roles/matrix-sygnal/tasks/setup_uninstall.yml | 35 + roles/matrix-sygnal/tasks/validate_config.yml | 13 + roles/matrix-sygnal/templates/sygnal.yaml.j2 | 288 ++ .../systemd/matrix-sygnal.service.j2 | 42 + roles/matrix-synapse-admin/defaults/main.yml | 32 + roles/matrix-synapse-admin/tasks/init.yml | 59 + roles/matrix-synapse-admin/tasks/main.yml | 14 + roles/matrix-synapse-admin/tasks/setup.yml | 80 + .../tasks/validate_config.yml | 10 + .../systemd/matrix-synapse-admin.service.j2 | 42 + roles/matrix-synapse/defaults/main.yml | 612 ++++ .../files/workers-doc-to-yaml.awk | 146 + .../files/workers-doc-to-yaml.sh | 6 + .../tasks/ext/ldap-auth/setup.yml | 8 + .../tasks/ext/mjolnir-antispam/setup.yml | 7 + .../ext/mjolnir-antispam/setup_install.yml | 52 + .../ext/mjolnir-antispam/setup_uninstall.yml | 6 + .../tasks/ext/rest-auth/setup.yml | 7 + .../tasks/ext/rest-auth/setup_install.yml | 28 + .../tasks/ext/rest-auth/setup_uninstall.yml | 6 + roles/matrix-synapse/tasks/ext/setup.yml | 11 + .../tasks/ext/shared-secret-auth/setup.yml | 7 + .../ext/shared-secret-auth/setup_install.yml | 28 + .../shared-secret-auth/setup_uninstall.yml | 6 + .../ext/synapse-simple-antispam/setup.yml | 7 + .../synapse-simple-antispam/setup_install.yml | 54 + .../setup_uninstall.yml | 6 + roles/matrix-synapse/tasks/goofys/setup.yml | 7 + .../tasks/goofys/setup_install.yml | 41 + .../tasks/goofys/setup_uninstall.yml | 33 + .../tasks/import_media_store.yml | 83 + roles/matrix-synapse/tasks/init.yml | 26 + roles/matrix-synapse/tasks/main.yml | 55 + roles/matrix-synapse/tasks/register_user.yml | 31 + .../compress_room.yml | 48 + .../rust-synapse-compress-state/main.yml | 118 + .../tasks/self_check_client_api.yml | 21 + .../tasks/self_check_federation_api.yml | 26 + roles/matrix-synapse/tasks/setup_synapse.yml | 25 + roles/matrix-synapse/tasks/synapse/setup.yml | 7 + .../tasks/synapse/setup_install.yml | 109 + .../tasks/synapse/setup_uninstall.yml | 28 + .../tasks/synapse/workers/init.yml | 86 + .../tasks/synapse/workers/setup.yml | 21 + .../tasks/synapse/workers/setup_install.yml | 42 + .../tasks/synapse/workers/setup_uninstall.yml | 36 + .../inject_systemd_services_for_worker.yml | 18 + .../workers/util/setup_files_for_worker.yml | 19 + .../tasks/update_user_password.yml | 43 + .../matrix-synapse/tasks/validate_config.yml | 59 + .../templates/goofys/env-goofys.j2 | 3 + .../goofys/systemd/matrix-goofys.service.j2 | 39 + .../templates/synapse/homeserver.yaml.j2 | 2937 +++++++++++++++++ .../templates/synapse/synapse.log.config.j2 | 36 + .../systemd/matrix-synapse-worker.service.j2 | 64 + .../synapse/systemd/matrix-synapse.service.j2 | 76 + .../matrix-synapse-register-user.j2 | 17 + .../templates/synapse/worker.yaml.j2 | 45 + roles/matrix-synapse/vars/main.yml | 34 + roles/matrix-synapse/vars/workers.yml | 322 ++ setup.yml | 58 + 252 files changed, 16460 insertions(+) create mode 100644 roles/matrix-bot-go-neb/defaults/main.yml create mode 100644 roles/matrix-bot-go-neb/tasks/init.yml create mode 100644 roles/matrix-bot-go-neb/tasks/main.yml create mode 100644 roles/matrix-bot-go-neb/tasks/setup_install.yml create mode 100644 roles/matrix-bot-go-neb/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bot-go-neb/tasks/validate_config.yml create mode 100644 roles/matrix-bot-go-neb/templates/config.yaml.j2 create mode 100644 roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 create mode 100644 roles/matrix-bridge-heisenbridge/defaults/main.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/init.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/main.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 create mode 100644 roles/matrix-client-hydrogen/defaults/main.yml create mode 100644 roles/matrix-client-hydrogen/tasks/init.yml create mode 100644 roles/matrix-client-hydrogen/tasks/main.yml create mode 100644 roles/matrix-client-hydrogen/tasks/self_check.yml create mode 100644 roles/matrix-client-hydrogen/tasks/setup.yml create mode 100644 roles/matrix-client-hydrogen/tasks/validate_config.yml create mode 100644 roles/matrix-client-hydrogen/templates/config.json.j2 create mode 100644 roles/matrix-client-hydrogen/templates/nginx.conf.j2 create mode 100644 roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 create mode 100644 roles/matrix-dynamic-dns/defaults/main.yml create mode 100644 roles/matrix-dynamic-dns/tasks/init.yml create mode 100644 roles/matrix-dynamic-dns/tasks/install.yml create mode 100644 roles/matrix-dynamic-dns/tasks/main.yml create mode 100644 roles/matrix-dynamic-dns/tasks/uninstall.yml create mode 100644 roles/matrix-dynamic-dns/tasks/validate_config.yml create mode 100644 roles/matrix-dynamic-dns/templates/ddclient.conf.j2 create mode 100644 roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 create mode 100644 roles/matrix-email2matrix/defaults/main.yml create mode 100644 roles/matrix-email2matrix/tasks/init.yml create mode 100644 roles/matrix-email2matrix/tasks/main.yml create mode 100644 roles/matrix-email2matrix/tasks/setup_email2matrix.yml create mode 100644 roles/matrix-email2matrix/tasks/validate_config.yml create mode 100644 roles/matrix-email2matrix/templates/config.json.j2 create mode 100644 roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 create mode 100644 roles/matrix-etherpad/defaults/main.yml create mode 100644 roles/matrix-etherpad/tasks/init.yml create mode 100644 roles/matrix-etherpad/tasks/main.yml create mode 100644 roles/matrix-etherpad/tasks/setup_install.yml create mode 100644 roles/matrix-etherpad/tasks/setup_uninstall.yml create mode 100644 roles/matrix-etherpad/tasks/validate_config.yml create mode 100644 roles/matrix-etherpad/templates/settings.json.j2 create mode 100644 roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 create mode 100644 roles/matrix-grafana/defaults/main.yml create mode 100644 roles/matrix-grafana/tasks/init.yml create mode 100644 roles/matrix-grafana/tasks/main.yml create mode 100644 roles/matrix-grafana/tasks/setup.yml create mode 100644 roles/matrix-grafana/tasks/validate_config.yml create mode 100644 roles/matrix-grafana/templates/dashboards.yaml.j2 create mode 100644 roles/matrix-grafana/templates/datasources.yaml.j2 create mode 100644 roles/matrix-grafana/templates/grafana.ini.j2 create mode 100644 roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 create mode 100644 roles/matrix-jitsi/defaults/main.yml create mode 100644 roles/matrix-jitsi/tasks/init.yml create mode 100644 roles/matrix-jitsi/tasks/main.yml create mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_base.yml create mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml create mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml create mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml create mode 100644 roles/matrix-jitsi/tasks/setup_jitsi_web.yml create mode 100644 roles/matrix-jitsi/tasks/validate_config.yml create mode 100644 roles/matrix-jitsi/templates/jicofo/env.j2 create mode 100644 roles/matrix-jitsi/templates/jicofo/logging.properties.j2 create mode 100644 roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 create mode 100644 roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 create mode 100644 roles/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 create mode 100644 roles/matrix-jitsi/templates/jvb/env.j2 create mode 100644 roles/matrix-jitsi/templates/jvb/logging.properties.j2 create mode 100644 roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 create mode 100644 roles/matrix-jitsi/templates/prosody/env.j2 create mode 100644 roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 create mode 100644 roles/matrix-jitsi/templates/web/custom-config.js.j2 create mode 100644 roles/matrix-jitsi/templates/web/env.j2 create mode 100644 roles/matrix-jitsi/templates/web/interface_config.js.j2 create mode 100644 roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 create mode 100644 roles/matrix-ma1sd/defaults/main.yml create mode 100644 roles/matrix-ma1sd/tasks/init.yml create mode 100644 roles/matrix-ma1sd/tasks/main.yml create mode 100644 roles/matrix-ma1sd/tasks/migrate_mxisd.yml create mode 100644 roles/matrix-ma1sd/tasks/self_check_ma1sd.yml create mode 100644 roles/matrix-ma1sd/tasks/setup_install.yml create mode 100644 roles/matrix-ma1sd/tasks/setup_uninstall.yml create mode 100644 roles/matrix-ma1sd/tasks/validate_config.yml create mode 100644 roles/matrix-ma1sd/templates/ma1sd.yaml.j2 create mode 100644 roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 create mode 100644 roles/matrix-ma1sd/vars/main.yml create mode 100644 roles/matrix-mailer/defaults/main.yml create mode 100644 roles/matrix-mailer/tasks/init.yml create mode 100644 roles/matrix-mailer/tasks/main.yml create mode 100644 roles/matrix-mailer/tasks/setup_mailer.yml create mode 100644 roles/matrix-mailer/templates/env-mailer.j2 create mode 100644 roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 create mode 100644 roles/matrix-nginx-proxy/defaults/main.yml create mode 100644 roles/matrix-nginx-proxy/tasks/init.yml create mode 100644 roles/matrix-nginx-proxy/tasks/main.yml create mode 100644 roles/matrix-nginx-proxy/tasks/self_check_well_known.yml create mode 100644 roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml create mode 100644 roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml create mode 100644 roles/matrix-nginx-proxy/tasks/setup_well_known.yml create mode 100644 roles/matrix-nginx-proxy/tasks/ssl/main.yml create mode 100644 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml create mode 100644 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml create mode 100644 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml create mode 100644 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml create mode 100644 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml create mode 100644 roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml create mode 100644 roles/matrix-nginx-proxy/tasks/validate_config.yml create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 create mode 100644 roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 create mode 100755 roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 create mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 create mode 100644 roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 create mode 100644 roles/matrix-nginx-proxy/vars/main.yml create mode 100644 roles/matrix-postgres/defaults/main.yml create mode 100644 roles/matrix-postgres/tasks/import_generic_sqlite_db.yml create mode 100644 roles/matrix-postgres/tasks/import_postgres.yml create mode 100644 roles/matrix-postgres/tasks/import_synapse_sqlite_db.yml create mode 100644 roles/matrix-postgres/tasks/init.yml create mode 100644 roles/matrix-postgres/tasks/main.yml create mode 100644 roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml create mode 100644 roles/matrix-postgres/tasks/run_vacuum.yml create mode 100644 roles/matrix-postgres/tasks/setup_postgres.yml create mode 100644 roles/matrix-postgres/tasks/upgrade_postgres.yml create mode 100644 roles/matrix-postgres/tasks/util/create_additional_database.yml create mode 100644 roles/matrix-postgres/tasks/util/create_additional_databases.yml create mode 100644 roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml create mode 100644 roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml create mode 100644 roles/matrix-postgres/tasks/validate_config.yml create mode 100644 roles/matrix-postgres/templates/env-postgres-psql.j2 create mode 100644 roles/matrix-postgres/templates/env-postgres-server.j2 create mode 100644 roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 create mode 100644 roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 create mode 100644 roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 create mode 100644 roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 create mode 100644 roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 create mode 100644 roles/matrix-prometheus-node-exporter/defaults/main.yml create mode 100644 roles/matrix-prometheus-node-exporter/tasks/init.yml create mode 100644 roles/matrix-prometheus-node-exporter/tasks/main.yml create mode 100644 roles/matrix-prometheus-node-exporter/tasks/setup.yml create mode 100644 roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 create mode 100644 roles/matrix-prometheus-postgres-exporter/defaults/main.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/init.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/main.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/tasks/setup.yml create mode 100644 roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 create mode 100644 roles/matrix-prometheus/defaults/main.yml create mode 100644 roles/matrix-prometheus/tasks/init.yml create mode 100644 roles/matrix-prometheus/tasks/main.yml create mode 100644 roles/matrix-prometheus/tasks/setup_install.yml create mode 100644 roles/matrix-prometheus/tasks/setup_uninstall.yml create mode 100644 roles/matrix-prometheus/tasks/validate_config.yml create mode 100644 roles/matrix-prometheus/templates/prometheus.yml.j2 create mode 100644 roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 create mode 100644 roles/matrix-redis/defaults/main.yml create mode 100644 roles/matrix-redis/tasks/init.yml create mode 100644 roles/matrix-redis/tasks/main.yml create mode 100644 roles/matrix-redis/tasks/setup_redis.yml create mode 100644 roles/matrix-redis/templates/redis.conf.j2 create mode 100644 roles/matrix-redis/templates/systemd/matrix-redis.service.j2 create mode 100644 roles/matrix-registration/defaults/main.yml create mode 100644 roles/matrix-registration/tasks/generate_token.yml create mode 100644 roles/matrix-registration/tasks/init.yml create mode 100644 roles/matrix-registration/tasks/list_tokens.yml create mode 100644 roles/matrix-registration/tasks/main.yml create mode 100644 roles/matrix-registration/tasks/setup_install.yml create mode 100644 roles/matrix-registration/tasks/setup_uninstall.yml create mode 100644 roles/matrix-registration/tasks/validate_config.yml create mode 100644 roles/matrix-registration/templates/config.yaml.j2 create mode 100644 roles/matrix-registration/templates/systemd/matrix-registration.service.j2 create mode 100644 roles/matrix-sygnal/defaults/main.yml create mode 100644 roles/matrix-sygnal/tasks/init.yml create mode 100644 roles/matrix-sygnal/tasks/main.yml create mode 100644 roles/matrix-sygnal/tasks/setup_install.yml create mode 100644 roles/matrix-sygnal/tasks/setup_uninstall.yml create mode 100644 roles/matrix-sygnal/tasks/validate_config.yml create mode 100644 roles/matrix-sygnal/templates/sygnal.yaml.j2 create mode 100644 roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 create mode 100644 roles/matrix-synapse-admin/defaults/main.yml create mode 100644 roles/matrix-synapse-admin/tasks/init.yml create mode 100644 roles/matrix-synapse-admin/tasks/main.yml create mode 100644 roles/matrix-synapse-admin/tasks/setup.yml create mode 100644 roles/matrix-synapse-admin/tasks/validate_config.yml create mode 100644 roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 create mode 100644 roles/matrix-synapse/defaults/main.yml create mode 100755 roles/matrix-synapse/files/workers-doc-to-yaml.awk create mode 100755 roles/matrix-synapse/files/workers-doc-to-yaml.sh create mode 100644 roles/matrix-synapse/tasks/ext/ldap-auth/setup.yml create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml create mode 100644 roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml create mode 100644 roles/matrix-synapse/tasks/ext/rest-auth/setup.yml create mode 100644 roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml create mode 100644 roles/matrix-synapse/tasks/ext/rest-auth/setup_uninstall.yml create mode 100644 roles/matrix-synapse/tasks/ext/setup.yml create mode 100644 roles/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml create mode 100644 roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml create mode 100644 roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_uninstall.yml create mode 100644 roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml create mode 100644 roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml create mode 100644 roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_uninstall.yml create mode 100644 roles/matrix-synapse/tasks/goofys/setup.yml create mode 100644 roles/matrix-synapse/tasks/goofys/setup_install.yml create mode 100644 roles/matrix-synapse/tasks/goofys/setup_uninstall.yml create mode 100644 roles/matrix-synapse/tasks/import_media_store.yml create mode 100644 roles/matrix-synapse/tasks/init.yml create mode 100644 roles/matrix-synapse/tasks/main.yml create mode 100644 roles/matrix-synapse/tasks/register_user.yml create mode 100644 roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml create mode 100644 roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml create mode 100644 roles/matrix-synapse/tasks/self_check_client_api.yml create mode 100644 roles/matrix-synapse/tasks/self_check_federation_api.yml create mode 100644 roles/matrix-synapse/tasks/setup_synapse.yml create mode 100644 roles/matrix-synapse/tasks/synapse/setup.yml create mode 100644 roles/matrix-synapse/tasks/synapse/setup_install.yml create mode 100644 roles/matrix-synapse/tasks/synapse/setup_uninstall.yml create mode 100644 roles/matrix-synapse/tasks/synapse/workers/init.yml create mode 100644 roles/matrix-synapse/tasks/synapse/workers/setup.yml create mode 100644 roles/matrix-synapse/tasks/synapse/workers/setup_install.yml create mode 100644 roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml create mode 100644 roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml create mode 100644 roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml create mode 100644 roles/matrix-synapse/tasks/update_user_password.yml create mode 100644 roles/matrix-synapse/tasks/validate_config.yml create mode 100644 roles/matrix-synapse/templates/goofys/env-goofys.j2 create mode 100644 roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 create mode 100644 roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 create mode 100644 roles/matrix-synapse/templates/synapse/synapse.log.config.j2 create mode 100644 roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 create mode 100644 roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 create mode 100644 roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 create mode 100644 roles/matrix-synapse/templates/synapse/worker.yaml.j2 create mode 100644 roles/matrix-synapse/vars/main.yml create mode 100644 roles/matrix-synapse/vars/workers.yml create mode 100755 setup.yml diff --git a/roles/matrix-bot-go-neb/defaults/main.yml b/roles/matrix-bot-go-neb/defaults/main.yml new file mode 100644 index 00000000..4dd4f1f6 --- /dev/null +++ b/roles/matrix-bot-go-neb/defaults/main.yml @@ -0,0 +1,231 @@ +# Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python. +# See: https://github.com/matrix-org/go-neb + +matrix_bot_go_neb_enabled: true +matrix_bot_go_neb_version: latest +matrix_bot_go_neb_docker_image: "matrixdotorg/go-neb:{{ matrix_bot_go_neb_version }}" +matrix_bot_go_neb_docker_image_force_pull: "{{ matrix_bot_go_neb_docker_image.endswith(':latest') }}" + +matrix_bot_go_neb_base_path: "{{ matrix_base_data_path }}/go-neb" +matrix_bot_go_neb_config_path: "{{ matrix_bot_go_neb_base_path }}/config" +matrix_bot_go_neb_config_path_in_container: "/config/config.yaml" +matrix_bot_go_neb_data_path: "{{ matrix_bot_go_neb_base_path }}/data" +matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store" + +# Controls whether the matrix-bot-go-neb container exposes its HTTP port (tcp/4050 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:4050"), or empty string to not expose. +matrix_bot_go_neb_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_bot_go_neb_container_extra_arguments: [] + +# List of systemd services that matrix-bot-go-neb.service depends on +matrix_bot_go_neb_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-bot-go-neb.service wants +matrix_bot_go_neb_systemd_wanted_services_list: [] + +# Database-related configuration fields. +# +# MUST be "sqlite3". No other type is supported. +matrix_bot_go_neb_database_engine: 'sqlite3' + +matrix_bot_go_neb_sqlite_database_path_local: "{{ matrix_bot_go_neb_data_path }}/bot.db" +matrix_bot_go_neb_sqlite_database_path_in_container: "/data/bot.db" + +matrix_bot_go_neb_storage_database: "{{ + { + 'sqlite3': (matrix_bot_go_neb_sqlite_database_path_in_container + '?_busy_timeout=5000'), + }[matrix_bot_go_neb_database_engine] +}}" + +# The bot's username(s). These users need to be created manually beforehand. +# The access tokens that the bot uses to authenticate. +# Generate one as described in +# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-dimension.md#access-token +# via curl. With the element method, you might run into decryption problems (see https://github.com/matrix-org/go-neb#quick-start) +matrix_bot_go_neb_clients: [] +# - UserID: "@goneb:{{ matrix_domain }}" +# AccessToken: "MDASDASJDIASDJASDAFGFRGER" +# DeviceID: "DEVICE1" +# HomeserverURL: "{{ matrix_homeserver_container_url }}" +# Sync: true +# AutoJoinRooms: true +# DisplayName: "Go-NEB!" +# AcceptVerificationFromUsers: [":{{ matrix_domain }}"] +# +# - UserID: "@another_goneb:{{ matrix_domain }}" +# AccessToken: "MDASDASJDIASDJASDAFGFRGER" +# DeviceID: "DEVICE2" +# HomeserverURL: "{{ matrix_homeserver_container_url }}" +# Sync: false +# AutoJoinRooms: false +# DisplayName: "Go-NEB!" +# AcceptVerificationFromUsers: ["^@admin:{{ matrix_domain }}"] + +# The list of realms which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureAuthRealm for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest +matrix_bot_go_neb_realms: [] +# - ID: "github_realm" +# Type: "github" +# Config: {} # No need for client ID or Secret as Go-NEB isn't generating OAuth URLs + +# The list of *authenticated* sessions which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# The full list of options are shown below: there is no single HTTP endpoint +# which maps to this section. +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session +matrix_bot_go_neb_sessions: [] +# - SessionID: "your_github_session" +# RealmID: "github_realm" +# UserID: "@YOUR_USER_ID:{{ matrix_domain }}" # This needs to be the username of the person that's allowed to use the !github commands +# Config: +# # Populate these fields by generating a "Personal Access Token" on github.com +# AccessToken: "YOUR_GITHUB_ACCESS_TOKEN" +# Scopes: "admin:org_hook,admin:repo_hook,repo,user" + +# The list of services which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureService for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest +matrix_bot_go_neb_services: [] +# - ID: "echo_service" +# Type: "echo" +# UserID: "@goneb:{{ matrix_domain }}" +# Config: {} + +## Can be obtained from https://developers.giphy.com/dashboard/ +# - ID: "giphy_service" +# Type: "giphy" +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client +# Config: +# api_key: "qwg4672vsuyfsfe" +# use_downsized: false +# +## This service has been dead for over a year :/ +# - ID: "guggy_service" +# Type: "guggy" +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client +# Config: +# api_key: "2356saaqfhgfe" +# +## API Key via https://developers.google.com/custom-search/v1/introduction +## CX via http://www.google.com/cse/manage/all +## https://stackoverflow.com/questions/6562125/getting-a-cx-id-for-custom-search-google-api-python +## 'Search the entire web' and 'Image search' enabled for best results +# - ID: "google_service" +# Type: "google" +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client +# Config: +# api_key: "AIzaSyA4FD39m9" +# cx: "AIASDFWSRRtrtr" +# +## Get a key via https://api.imgur.com/oauth2/addclient +## Select "oauth2 without callback url" +# - ID: "imgur_service" +# Type: "imgur" +# UserID: "@imgur:{{ matrix_domain }}" # requires a Syncing client +# Config: +# client_id: "AIzaSyA4FD39m9" +# client_secret: "somesecret" +# +# - ID: "wikipedia_service" +# Type: "wikipedia" +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client +# Config: +# +# - ID: "rss_service" +# Type: "rssbot" +# UserID: "@another_goneb:{{ matrix_domain }}" +# Config: +# feeds: +# "http://lorem-rss.herokuapp.com/feed?unit=second&interval=60": +# rooms: ["!qmElAGdFYCHoCJuaNt:localhost"] +# must_include: +# author: +# - author1 +# description: +# - lorem +# - ipsum +# must_not_include: +# title: +# - Lorem +# - Ipsum +# +# - ID: "github_cmd_service" +# Type: "github" +# UserID: "@goneb:{{ matrix_domain }}" # requires a Syncing client +# Config: +# RealmID: "github_realm" +# +# # Make sure your BASE_URL can be accessed by Github! +# - ID: "github_webhook_service" +# Type: "github-webhook" +# UserID: "@another_goneb:{{ matrix_domain }}" +# Config: +# RealmID: "github_realm" +# ClientUserID: "@YOUR_USER_ID:{{ matrix_domain }}" # needs to be an authenticated user so Go-NEB can create webhooks. Check the UserID field in the github_realm in matrix_bot_go_neb_sessions. +# Rooms: +# "!someroom:id": +# Repos: +# "matrix-org/synapse": +# Events: ["push", "issues"] +# "matrix-org/dendron": +# Events: ["pull_request"] +# "!anotherroom:id": +# Repos: +# "matrix-org/synapse": +# Events: ["push", "issues"] +# "matrix-org/dendron": +# Events: ["pull_request"] +# +# - ID: "slackapi_service" +# Type: "slackapi" +# UserID: "@slackapi:{{ matrix_domain }}" +# Config: +# Hooks: +# "hook1": +# RoomID: "!someroom:id" +# MessageType: "m.text" # default is m.text +# +# - ID: "alertmanager_service" +# Type: "alertmanager" +# UserID: "@alertmanager:{{ matrix_domain }}" +# Config: +# # This is for information purposes only. It should point to Go-NEB path as follows: +# # `/services/hooks/` +# # Where in this case "service ID" is "alertmanager_service" +# # Make sure your BASE_URL can be accessed by the Alertmanager instance! +# webhook_url: "http://localhost/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U" +# # Each room will get the notification with the alert rendered with the given template +# rooms: +# "!someroomid:domain.tld": +# text_template: "{{range .Alerts -}} [{{ .Status }}] {{index .Labels \"alertname\" }}: {{index .Annotations \"description\"}} {{ end -}}" +# html_template: "{{range .Alerts -}} {{ $severity := index .Labels \"severity\" }} {{ if eq .Status \"firing\" }} {{ if eq $severity \"critical\"}} [FIRING - CRITICAL] {{ else if eq $severity \"warning\"}} [FIRING - WARNING] {{ else }} [FIRING - {{ $severity }}] {{ end }} {{ else }} [RESOLVED] {{ end }} {{ index .Labels \"alertname\"}} : {{ index .Annotations \"description\"}} source
{{end -}}" +# msg_type: "m.text" # Must be either `m.text` or `m.notice` + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_bot_go_neb_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_bot_go_neb_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_bot_go_neb_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_bot_go_neb_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_bot_go_neb_configuration_yaml`. + +matrix_bot_go_neb_configuration_extension: "{{ matrix_bot_go_neb_configuration_extension_yaml|from_yaml if matrix_bot_go_neb_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_bot_go_neb_configuration_yaml`. +matrix_bot_go_neb_configuration: "{{ matrix_bot_go_neb_configuration_yaml|from_yaml|combine(matrix_bot_go_neb_configuration_extension, recursive=True) }}" + diff --git a/roles/matrix-bot-go-neb/tasks/init.yml b/roles/matrix-bot-go-neb/tasks/init.yml new file mode 100644 index 00000000..169f5978 --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-go-neb.service'] }}" + when: matrix_bot_go_neb_enabled|bool diff --git a/roles/matrix-bot-go-neb/tasks/main.yml b/roles/matrix-bot-go-neb/tasks/main.yml new file mode 100644 index 00000000..1a4fe70a --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_bot_go_neb_enabled|bool" + tags: + - setup-all + - setup-bot-go-neb + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_bot_go_neb_enabled|bool" + tags: + - setup-all + - setup-bot-go-neb + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_bot_go_neb_enabled|bool" + tags: + - setup-all + - setup-bot-go-neb diff --git a/roles/matrix-bot-go-neb/tasks/setup_install.yml b/roles/matrix-bot-go-neb/tasks/setup_install.yml new file mode 100644 index 00000000..e26be080 --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/setup_install.yml @@ -0,0 +1,50 @@ +--- + +- set_fact: + matrix_bot_go_neb_requires_restart: false + +- name: Ensure go-neb paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_bot_go_neb_config_path }}", when: true } + - { path: "{{ matrix_bot_go_neb_data_path }}", when: true } + - { path: "{{ matrix_bot_go_neb_data_store_path }}", when: true } + when: "item.when|bool" + +- name: Ensure go-neb image is pulled + docker_image: + name: "{{ matrix_bot_go_neb_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_go_neb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_docker_image_force_pull }}" + +- name: Ensure go-neb config installed + copy: + content: "{{ matrix_bot_go_neb_configuration|to_nice_yaml }}" + dest: "{{ matrix_bot_go_neb_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-bot-go-neb.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-bot-go-neb.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service" + mode: 0644 + register: matrix_bot_go_neb_systemd_service_result + +- name: Ensure systemd reloaded after matrix-bot-go-neb.service installation + service: + daemon_reload: yes + when: "matrix_bot_go_neb_systemd_service_result.changed|bool" + +- name: Ensure matrix-bot-go-neb.service restarted, if necessary + service: + name: "matrix-bot-go-neb.service" + state: restarted + when: "matrix_bot_go_neb_requires_restart|bool" diff --git a/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml b/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml new file mode 100644 index 00000000..49ad1fe7 --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-go-neb service + stat: + path: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service" + register: matrix_bot_go_neb_service_stat + +- name: Ensure matrix-go-neb is stopped + service: + name: matrix-bot-go-neb + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_bot_go_neb_service_stat.stat.exists|bool" + +- name: Ensure matrix-bot-go-neb.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-bot-go-neb.service" + state: absent + when: "matrix_bot_go_neb_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-bot-go-neb.service removal + service: + daemon_reload: yes + when: "matrix_bot_go_neb_service_stat.stat.exists|bool" + +- name: Ensure Matrix go-neb paths don't exist + file: + path: "{{ matrix_bot_go_neb_base_path }}" + state: absent + +- name: Ensure go-neb Docker image doesn't exist + docker_image: + name: "{{ matrix_bot_go_neb_docker_image }}" + state: absent diff --git a/roles/matrix-bot-go-neb/tasks/validate_config.yml b/roles/matrix-bot-go-neb/tasks/validate_config.yml new file mode 100644 index 00000000..7b292250 --- /dev/null +++ b/roles/matrix-bot-go-neb/tasks/validate_config.yml @@ -0,0 +1,13 @@ +--- + +- name: Fail if there's not at least 1 client + fail: + msg: >- + You need at least 1 client in the matrix_bot_go_neb_clients block. + when: matrix_bot_go_neb_clients is not defined or matrix_bot_go_neb_clients[0] is not defined + +- name: Fail if there's not at least 1 service + fail: + msg: >- + You need at least 1 service in the matrix_bot_go_neb_services block. + when: matrix_bot_go_neb_services is not defined or matrix_bot_go_neb_services[0] is not defined diff --git a/roles/matrix-bot-go-neb/templates/config.yaml.j2 b/roles/matrix-bot-go-neb/templates/config.yaml.j2 new file mode 100644 index 00000000..c72dbf8d --- /dev/null +++ b/roles/matrix-bot-go-neb/templates/config.yaml.j2 @@ -0,0 +1,44 @@ +# Go-NEB Configuration File +# +# This file provides an alternative way to configure Go-NEB which does not involve HTTP APIs. +# +# This file can be supplied to go-neb by the environment variable `CONFIG_FILE=config.yaml`. +# It will force Go-NEB to operate in "config" mode. This means: +# - Go-NEB will ONLY use the data contained inside this file. +# - All of Go-NEB's /admin HTTP listeners will be disabled. You will be unable to add new services at runtime. +# - The environment variable `DATABASE_URL` will be ignored and an in-memory database will be used instead. +# +# This file is broken down into 4 sections which matches the following HTTP APIs: +# - /configureClient +# - /configureAuthRealm +# - /configureService +# - /requestAuthSession (redirects not supported) + +# The list of clients which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureClient for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ClientConfig +clients: + {{ matrix_bot_go_neb_clients|to_json }} + +# The list of realms which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureAuthRealm for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureAuthRealmRequest +realms: + {{ matrix_bot_go_neb_realms|to_json }} + +# The list of *authenticated* sessions which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# The full list of options are shown below: there is no single HTTP endpoint +# which maps to this section. +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#Session +sessions: + {{ matrix_bot_go_neb_sessions|to_json }} + +# The list of services which Go-NEB is aware of. +# Delete or modify this list as appropriate. +# See the docs for /configureService for the full list of options: +# https://matrix-org.github.io/go-neb/pkg/github.com/matrix-org/go-neb/api/index.html#ConfigureServiceRequest +services: + {{ matrix_bot_go_neb_services|to_json }} diff --git a/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 new file mode 100644 index 00000000..eabf1137 --- /dev/null +++ b/roles/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2 @@ -0,0 +1,49 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Go-NEB bot +{% for service in matrix_bot_go_neb_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_bot_go_neb_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-go-neb \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_bot_go_neb_container_http_host_bind_port %} + -p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \ + {% endif %} + -e 'BIND_ADDRESS=:4050' \ + -e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \ + -e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \ + -e 'CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}' \ + -e 'DATABASE_URL={{ matrix_bot_go_neb_storage_database }}' \ + --mount type=bind,src={{ matrix_bot_go_neb_config_path }},dst=/config,ro \ + --mount type=bind,src={{ matrix_bot_go_neb_data_path }},dst=/data \ + --entrypoint=/bin/sh \ + {% for arg in matrix_bot_go_neb_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_bot_go_neb_docker_image }} \ + -c "go-neb /config/config.yaml" + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-bot-go-neb + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-bridge-heisenbridge/defaults/main.yml b/roles/matrix-bridge-heisenbridge/defaults/main.yml new file mode 100644 index 00000000..be95af8d --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/defaults/main.yml @@ -0,0 +1,47 @@ +# heisenbridge is a bouncer-style Matrix IRC bridge +# See: https://github.com/hifi/heisenbridge + +matrix_heisenbridge_enabled: true + +matrix_heisenbridge_version: latest +matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}" +matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}" + +# Set this to your Matrix ID if you want to enforce the owner, otherwise first _local_ user becomes one +matrix_heisenbridge_owner: "" + +# Enabling identd will bind to host port 113/TCP +matrix_heisenbridge_identd_enabled: false + +matrix_heisenbridge_base_path: "{{ matrix_base_data_path }}/heisenbridge" + +# A list of extra arguments to pass to the container +matrix_heisenbridge_container_extra_arguments: [] + +# List of systemd services that service depends on. +matrix_heisenbridge_systemd_required_services_list: ['docker.service'] + +# List of systemd services that service wants +matrix_heisenbridge_systemd_wanted_services_list: [] + +matrix_heisenbridge_homeserver_url: "{{ matrix_homeserver_container_url }}" + +matrix_heisenbridge_appservice_token: '' +matrix_heisenbridge_homeserver_token: '' + +# Default registration file +matrix_heisenbridge_registration_yaml: + id: heisenbridge + url: http://matrix-heisenbridge:9898 + as_token: "{{ matrix_heisenbridge_appservice_token }}" + hs_token: "{{ matrix_heisenbridge_homeserver_token }}" + rate_limited: false + sender_localpart: heisenbridge + namespaces: + users: + - regex: '@hbirc_.*' + exclusive: true + aliases: [] + rooms: [] + +matrix_heisenbridge_registration: "{{ matrix_heisenbridge_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-heisenbridge/tasks/init.yml b/roles/matrix-bridge-heisenbridge/tasks/init.yml new file mode 100644 index 00000000..18e89b68 --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/init.yml @@ -0,0 +1,24 @@ +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-heisenbridge role needs to execute before the matrix-synapse role. + when: "matrix_heisenbridge_enabled and matrix_synapse_role_executed|default(False)" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-heisenbridge.service'] }}" + when: matrix_heisenbridge_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_heisenbridge_base_path }}/registration.yaml,dst=/heisenbridge-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/heisenbridge-registration.yaml"] }} + when: matrix_heisenbridge_enabled|bool diff --git a/roles/matrix-bridge-heisenbridge/tasks/main.yml b/roles/matrix-bridge-heisenbridge/tasks/main.yml new file mode 100644 index 00000000..1358709d --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/main.yml @@ -0,0 +1,15 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_heisenbridge_enabled|bool" + tags: + - setup-all + - setup-heisenbridge + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_heisenbridge_enabled|bool" + tags: + - setup-all + - setup-heisenbridge diff --git a/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml b/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml new file mode 100644 index 00000000..03cf9ec3 --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/setup_install.yml @@ -0,0 +1,38 @@ +--- + +- name: Ensure heisenbridge image is pulled + docker_image: + name: "{{ matrix_heisenbridge_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_heisenbridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_heisenbridge_docker_image_force_pull }}" + +- name: Ensure heisenbridge paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_heisenbridge_base_path }}" + +- name: Ensure heisenbridge registration.yaml installed if provided + copy: + content: "{{ matrix_heisenbridge_registration|to_nice_yaml }}" + dest: "{{ matrix_heisenbridge_base_path }}/registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-heisenbridge.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-heisenbridge.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" + mode: 0644 + register: matrix_heisenbridge_systemd_service_result + +- name: Ensure systemd reloaded after matrix-heisenbridge.service installation + service: + daemon_reload: yes + when: matrix_heisenbridge_systemd_service_result.changed diff --git a/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml new file mode 100644 index 00000000..853faf7a --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-heisenbridge service + stat: + path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" + register: matrix_heisenbridge_service_stat + +- name: Ensure matrix-heisenbridge is stopped + service: + name: matrix-heisenbridge + state: stopped + daemon_reload: yes + when: "matrix_heisenbridge_service_stat.stat.exists" + +- name: Ensure matrix-heisenbridge.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service" + state: absent + when: "matrix_heisenbridge_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-heisenbridge.service removal + service: + daemon_reload: yes + when: "matrix_heisenbridge_service_stat.stat.exists" diff --git a/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 new file mode 100644 index 00000000..e27b88f1 --- /dev/null +++ b/roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2 @@ -0,0 +1,51 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=a bouncer-style Matrix IRC bridge +{% for service in matrix_heisenbridge_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_heisenbridge_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-heisenbridge +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-heisenbridge + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_heisenbridge_identd_enabled %} + -p 113:13113 \ + {% endif %} + -v {{ matrix_heisenbridge_base_path }}:/config:z \ + {% for arg in matrix_heisenbridge_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_heisenbridge_docker_image }} \ + {% if matrix_heisenbridge_identd_enabled %} + --identd \ + --identd-port 13113 \ + {% endif %} + {% if matrix_heisenbridge_owner %} + -o {{ matrix_heisenbridge_owner }} \ + {% endif %} + --config /config/registration.yaml \ + --listen-address 0.0.0.0 \ + --listen-port 9898 \ + {{ matrix_heisenbridge_homeserver_url }} + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-heisenbridge +ExecStop=-{{ matrix_host_command_docker }} rm matrix-heisenbridge +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-heisenbridge + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml new file mode 100644 index 00000000..fa2e38fd --- /dev/null +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -0,0 +1,68 @@ +matrix_client_hydrogen_enabled: true + +# Self building is used by default because the `config.json` file is only read at build time. +# The pre-built images also were not functional as of 2021-05-15. +matrix_client_hydrogen_container_image_self_build: true +matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" + +matrix_client_hydrogen_version: v0.2.0 +matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" +matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" +matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" + +matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen" +matrix_client_hydrogen_docker_src_files_path: "{{ matrix_client_hydrogen_data_path }}/docker-src" + +# Controls whether the container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8768"), or empty string to not expose. +matrix_client_hydrogen_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_client_hydrogen_container_extra_arguments: [] + +# List of systemd services that matrix-client-hydrogen.service depends on +matrix_client_hydrogen_systemd_required_services_list: ['docker.service'] + +# Controls whether the self-check feature should validate SSL certificates. +matrix_client_hydrogen_self_check_validate_certificates: true + +# config.json +matrix_client_hydrogen_default_hs_url: "" + +# Default Hydrogen configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_client_hydrogen_configuration_extension_json`) +# or completely replace this variable with your own template. +# +# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict. +# This is unlike what it does when looking up YAML template files (no automatic parsing there). +matrix_client_hydrogen_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}" + +# Your custom JSON configuration for Hydrogen should go to `matrix_client_hydrogen_configuration_extension_json`. +# This configuration extends the default starting configuration (`matrix_client_hydrogen_configuration_default`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_client_hydrogen_configuration_default`. +# +# Example configuration extension follows: +# +# matrix_client_hydrogen_configuration_extension_json: | +# { +# "push": { +# "appId": "io.element.hydrogen.web", +# "gatewayUrl": "https://matrix.org", +# "applicationServerKey": "BC-gpSdVHEXhvHSHS0AzzWrQoukv2BE7KzpoPO_FfPacqOo3l1pdqz7rSgmB04pZCWaHPz7XRe6fjLaC-WPDopM" +# }, +# "defaultHomeServer": "matrix.org" +# } +matrix_client_hydrogen_configuration_extension_json: '{}' + +matrix_client_hydrogen_configuration_extension: "{{ matrix_client_hydrogen_configuration_extension_json|from_json if matrix_client_hydrogen_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final Hydrogen configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_client_hydrogen_configuration_default`. +matrix_client_hydrogen_configuration: "{{ matrix_client_hydrogen_configuration_default|combine(matrix_client_hydrogen_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-client-hydrogen/tasks/init.yml b/roles/matrix-client-hydrogen/tasks/init.yml new file mode 100644 index 00000000..8116a003 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/init.yml @@ -0,0 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build and matrix_client_hydrogen_enabled" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" + when: matrix_client_hydrogen_enabled|bool diff --git a/roles/matrix-client-hydrogen/tasks/main.yml b/roles/matrix-client-hydrogen/tasks/main.yml new file mode 100644 index 00000000..6534db05 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/main.yml @@ -0,0 +1,15 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_client_hydrogen_enabled|bool" + tags: + - setup-all + - setup-client-hydrogen + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + when: run_setup|bool + tags: + - setup-all + - setup-client-hydrogen diff --git a/roles/matrix-client-hydrogen/tasks/self_check.yml b/roles/matrix-client-hydrogen/tasks/self_check.yml new file mode 100644 index 00000000..c7407dcd --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/self_check.yml @@ -0,0 +1,22 @@ +--- + +- set_fact: + matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}" + +- name: Check Hydrogen + uri: + url: "{{ matrix_client_hydrogen_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_client_hydrogen_self_check_validate_certificates }}" + register: matrix_client_hydrogen_self_check_result + check_mode: no + ignore_errors: true + +- name: Fail if Hydrogen not working + fail: + msg: "Failed checking Hydrogen is up at `{{ matrix_server_fqn_hydrogen }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}" + when: "matrix_client_hydrogen_self_check_result.failed or 'json' not in matrix_client_hydrogen_self_check_result" + +- name: Report working Hydrogen + debug: + msg: "Hydrogen at `{{ matrix_server_fqn_hydrogen }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)" diff --git a/roles/matrix-client-hydrogen/tasks/setup.yml b/roles/matrix-client-hydrogen/tasks/setup.yml new file mode 100644 index 00000000..205fa3ce --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/setup.yml @@ -0,0 +1,119 @@ +--- + +# +# Tasks related to setting up Hydrogen +# + +- name: Ensure Hydrogen paths exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_client_hydrogen_data_path }}", when: true } + - { path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}" } + when: matrix_client_hydrogen_enabled|bool and item.when + +- name: Ensure Hydrogen Docker image is pulled + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_client_hydrogen_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_hydrogen_docker_image_force_pull }}" + when: matrix_client_hydrogen_enabled|bool and not matrix_client_hydrogen_container_image_self_build + +- name: Ensure Hydrogen repository is present on self-build + git: + repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}" + version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_client_hydrogen_git_pull_results + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + +- name: Ensure Hydrogen configuration installed + copy: + content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}" + dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + +- name: Ensure Hydrogen additional config files installed + template: + src: "{{ item.src }}" + dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"} + when: "matrix_client_hydrogen_enabled|bool and item.src is not none" + +- name: Ensure Hydrogen Docker image is built + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + source: build + force_source: "{{ matrix_client_hydrogen_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_client_hydrogen_docker_src_files_path }}" + pull: yes + when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" + +- name: Ensure matrix-client-hydrogen.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + mode: 0644 + register: matrix_client_hydrogen_systemd_service_result + when: matrix_client_hydrogen_enabled|bool + +- name: Ensure systemd reloaded after matrix-client-hydrogen.service installation + service: + daemon_reload: yes + when: "matrix_client_hydrogen_enabled and matrix_client_hydrogen_systemd_service_result.changed" + +# +# Tasks related to getting rid of Hydrogen (if it was previously enabled) +# + +- name: Check existence of matrix-client-hydrogen.service + stat: + path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + register: matrix_client_hydrogen_service_stat + when: "not matrix_client_hydrogen_enabled|bool" + +- name: Ensure matrix-client-hydrogen is stopped + service: + name: matrix-client-hydrogen + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure matrix-client-hydrogen.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service" + state: absent + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal + service: + daemon_reload: yes + when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists" + +- name: Ensure Hydrogen paths doesn't exist + file: + path: "{{ matrix_client_hydrogen_data_path }}" + state: absent + when: "not matrix_client_hydrogen_enabled|bool" + +- name: Ensure Hydrogen Docker image doesn't exist + docker_image: + name: "{{ matrix_client_hydrogen_docker_image }}" + state: absent + when: "not matrix_client_hydrogen_enabled|bool" diff --git a/roles/matrix-client-hydrogen/tasks/validate_config.yml b/roles/matrix-client-hydrogen/tasks/validate_config.yml new file mode 100644 index 00000000..d3b9a709 --- /dev/null +++ b/roles/matrix-client-hydrogen/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required Hydrogen settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) to use Hydrogen. + when: "(vars[item] == '' or vars[item] is none) and matrix_client_hydrogen_container_image_self_build|bool" + with_items: + - "matrix_client_hydrogen_default_hs_url" diff --git a/roles/matrix-client-hydrogen/templates/config.json.j2 b/roles/matrix-client-hydrogen/templates/config.json.j2 new file mode 100644 index 00000000..62a849b0 --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/config.json.j2 @@ -0,0 +1,3 @@ +{ + "defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url|string|to_json }} +} diff --git a/roles/matrix-client-hydrogen/templates/nginx.conf.j2 b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 new file mode 100644 index 00000000..fba16bbd --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/nginx.conf.j2 @@ -0,0 +1,66 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) +# +# The following changes have been done compared to a default nginx configuration file: +# - default server port is changed (80 -> 8080), so that a non-root user can bind it +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 8080; + server_name localhost; + + root /usr/share/nginx/html; + + location / { + index index.html index.htm; + } + + location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { + expires -1; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +} diff --git a/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 new file mode 100644 index 00000000..c85aeb97 --- /dev/null +++ b/roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2 @@ -0,0 +1,39 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Hydrogen Client +{% for service in matrix_client_hydrogen_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydrogen \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_client_hydrogen_container_http_host_bind_port %} + -p {{ matrix_client_hydrogen_container_http_host_bind_port }}:8080 \ + {% endif %} + --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ + --mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + {% for arg in matrix_client_hydrogen_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_client_hydrogen_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-client-hydrogen + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-dynamic-dns/defaults/main.yml b/roles/matrix-dynamic-dns/defaults/main.yml new file mode 100644 index 00000000..3411d0f8 --- /dev/null +++ b/roles/matrix-dynamic-dns/defaults/main.yml @@ -0,0 +1,48 @@ +# Whether dynamic dns is enabled +matrix_dynamic_dns_enabled: true + +# The dynamic dns daemon interval +matrix_dynamic_dns_daemon_interval: '300' + +matrix_dynamic_dns_version: v3.9.1-ls45 + +# The docker container to use when in mode +matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}" + +matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else matrix_container_global_registry_prefix }}" + +# The image to force pull +matrix_dynamic_dns_docker_image_force_pull: "{{ matrix_dynamic_dns_docker_image.endswith(':latest') }}" + +# List of extra arguments to pass to the ontainer mode +matrix_dynamic_dns_container_extra_arguments: [] + +# List of wanted services when running in mode +matrix_dynamic_dns_systemd_wanted_services_list: [] + +# List of required services when running in mode +matrix_dynamic_dns_systemd_required_services_list: ['docker.service'] + +# Build the container from source when running in mode +matrix_dynamic_dns_container_image_self_build: false +matrix_dynamic_dns_container_image_self_build_repo: "https://github.com/linuxserver/docker-ddclient.git" + +# Config paths +matrix_dynamic_dns_base_path: "{{ matrix_base_data_path }}/dynamic-dns" +matrix_dynamic_dns_config_path: "{{ matrix_dynamic_dns_base_path }}/config" +matrix_dynamic_dns_docker_src_files_path: "{{ matrix_dynamic_dns_base_path }}/docker-src" + +# Holds the configurations (the domains to update DNS for, the providers they use, etc.) +# +# Example: +# matrix_dynamic_dns_domain_configurations: +# - provider: domains.google.com +# protocol: dyndn2 +# username: XXXXXXXXXXXXXXXX +# password: XXXXXXXXXXXXXXXX +# domain: "{{ matrix_domain }}" +matrix_dynamic_dns_domain_configurations: [] + +# Config options +matrix_dynamic_dns_additional_configuration_blocks: [] +matrix_dynamic_dns_use: "web" diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml new file mode 100644 index 00000000..e7d33ff2 --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/init.yml @@ -0,0 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build and matrix_dynamic_dns_enabled" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}" + when: "matrix_dynamic_dns_enabled|bool" diff --git a/roles/matrix-dynamic-dns/tasks/install.yml b/roles/matrix-dynamic-dns/tasks/install.yml new file mode 100644 index 00000000..ac69ec89 --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/install.yml @@ -0,0 +1,62 @@ +--- + +- name: Ensure Dynamic DNS image is pulled + docker_image: + name: "{{ matrix_dynamic_dns_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_dynamic_dns_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_docker_image_force_pull }}" + when: matrix_dynamic_dns_enabled|bool and not matrix_dynamic_dns_container_image_self_build + +- name: Ensure Dynamic DNS paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0751 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_dynamic_dns_base_path }}", when: true } + - { path: "{{ matrix_dynamic_dns_config_path }}", when: true } + - { path: "{{ matrix_dynamic_dns_docker_src_files_path }}", when: "{{ matrix_dynamic_dns_container_image_self_build }}" } + when: matrix_dynamic_dns_enabled|bool and item.when|bool + +- name: Ensure Dynamic DNS repository is present on self build + git: + repo: "{{ matrix_dynamic_dns_container_image_self_build_repo }}" + dest: "{{ matrix_dynamic_dns_docker_src_files_path }}" + force: "yes" + register: matrix_dynamic_dns_git_pull_results + when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build|bool" + +- name: Ensure Dynamic DNS Docker image is built + docker_image: + name: "{{ matrix_dynamic_dns_docker_image }}" + source: build + force_source: "{{ matrix_dynamic_dns_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_dynamic_dns_docker_src_files_path }}" + pull: yes + when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build|bool" + +- name: Ensure Dynamic DNS ddclient.conf installed + template: + src: "{{ role_path }}/templates/ddclient.conf.j2" + dest: "{{ matrix_dynamic_dns_config_path }}/ddclient.conf" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-dynamic-dns.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-dynamic-dns.service.j2" + dest: "/etc/systemd/system/matrix-dynamic-dns.service" + mode: 0644 + register: matrix_dynamic_dns_systemd_service_result + +- name: Ensure systemd reloaded after matrix-dynamic-dns.service installation + service: + daemon_reload: yes + when: "matrix_dynamic_dns_systemd_service_result.changed" diff --git a/roles/matrix-dynamic-dns/tasks/main.yml b/roles/matrix-dynamic-dns/tasks/main.yml new file mode 100644 index 00000000..f9aaab8f --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" + tags: + - setup-all + - setup-dynamic-dns + +- import_tasks: "{{ role_path }}/tasks/install.yml" + when: "run_setup|bool and matrix_dynamic_dns_enabled|bool" + tags: + - setup-all + - setup-dynamic-dns + +- import_tasks: "{{ role_path }}/tasks/uninstall.yml" + when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool" + tags: + - setup-all + - setup-dynamic-dns diff --git a/roles/matrix-dynamic-dns/tasks/uninstall.yml b/roles/matrix-dynamic-dns/tasks/uninstall.yml new file mode 100644 index 00000000..f3caba25 --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/uninstall.yml @@ -0,0 +1,27 @@ +--- + +- name: Check existence of matrix-dynamic-dns service + stat: + path: "{{ matrix_systemd_path }}/matrix-dynamic-dns.service" + register: matrix_dynamic_dns_service_stat + +- name: Ensure matrix-dynamic-dns is stopped + service: + name: matrix-dynamic-dns + state: stopped + daemon_reload: yes + when: "matrix_dynamic_dns_service_stat.stat.exists" + +- name: Ensure matrix-dynamic-dns.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-dynamic-dns.service" + state: absent + when: "matrix_dynamic_dns_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-dynamic-dns.service removal + service: + daemon_reload: yes + when: "matrix_dynamic_dns_service_stat.stat.exists" + +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-dynamic-dns/tasks/validate_config.yml b/roles/matrix-dynamic-dns/tasks/validate_config.yml new file mode 100644 index 00000000..8f0001ea --- /dev/null +++ b/roles/matrix-dynamic-dns/tasks/validate_config.yml @@ -0,0 +1,16 @@ +--- + +- name: Fail if no configurations specified + fail: + msg: >- + You need to define at least one configuration in `matrix_dynamic_dns_domain_configurations` for using matrix-dynamic-dns. + when: "matrix_dynamic_dns_domain_configurations|length == 0" + +- name: Fail if required settings not defined in configuration blocks + fail: + msg: >- + One of the configurations in matrix_dynamic_dns_domain_configurations is missing a required key (domain, provider, protocol). + when: "'domain' not in configuration or 'provider' not in configuration or 'protocol' not in configuration" + with_items: "{{ matrix_dynamic_dns_domain_configurations }}" + loop_control: + loop_var: configuration diff --git a/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 b/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 new file mode 100644 index 00000000..1480d834 --- /dev/null +++ b/roles/matrix-dynamic-dns/templates/ddclient.conf.j2 @@ -0,0 +1,26 @@ +daemon={{ matrix_dynamic_dns_daemon_interval }} +syslog=no +pid=/var/run/ddclient/ddclient.pid +ssl=yes +use={{ matrix_dynamic_dns_use }} + +{% for dynamic_dns_domain_configuration in matrix_dynamic_dns_domain_configurations %} +protocol={{ dynamic_dns_domain_configuration.protocol }} +server={{ dynamic_dns_domain_configuration.provider }} {% if 'username' in dynamic_dns_domain_configuration %} +login='{{ dynamic_dns_domain_configuration.username }}' {% endif %} {% if 'password' in dynamic_dns_domain_configuration %} +password='{{ dynamic_dns_domain_configuration.password }}' {% endif %} {% if 'static' in dynamic_dns_domain_configuration %} +static=yes {% endif %} {% if 'custom' in dynamic_dns_domain_configuration %} +custom=yes {% endif %} {% if 'zone' in dynamic_dns_domain_configuration %} +zone={{ dynamic_dns_domain_configuration.zone }} {% endif %} {% if 'ttl' in dynamic_dns_domain_configuration %} +ttl={{ dynamic_dns_domain_configuration.ttl }} {% endif %} {% if 'mx' in dynamic_dns_domain_configuration %} +mx={{ dynamic_dns_domain_configuration.mx }} {% endif %} {% if 'wildcard' in dynamic_dns_domain_configuration %} +wildcard=yes {% endif %} +{{ dynamic_dns_domain_configuration.domain }} + +{% endfor %} + + +{% for matrix_dynamic_dns_additional_configuration in matrix_dynamic_dns_additional_configuration_blocks %} +{{ matrix_dynamic_dns_additional_configuration }} + +{% endfor %} diff --git a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 new file mode 100644 index 00000000..dfdd2f72 --- /dev/null +++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 @@ -0,0 +1,36 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Dynamic DNS +{% for service in matrix_dynamic_dns_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_dynamic_dns_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \ + --log-driver=none \ + --network={{ matrix_docker_network }} \ + -e PUID={{ matrix_user_uid }} \ + -e PGID={{ matrix_user_gid }} \ + -v {{ matrix_dynamic_dns_config_path }}:/config:z \ + {% for arg in matrix_dynamic_dns_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_dynamic_dns_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-dynamic-dns 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-dynamic-dns 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-dynamic-dns + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-email2matrix/defaults/main.yml b/roles/matrix-email2matrix/defaults/main.yml new file mode 100644 index 00000000..e6bfa0fe --- /dev/null +++ b/roles/matrix-email2matrix/defaults/main.yml @@ -0,0 +1,44 @@ +matrix_email2matrix_enabled: true + +matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix" +matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config" + +matrix_email2matrix_version: 1.0.1 +matrix_email2matrix_docker_image: "{{ matrix_container_global_registry_prefix }}devture/email2matrix:{{ matrix_email2matrix_version }}" +matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}" + +# A list of extra arguments to pass to the container +matrix_email2matrix_container_extra_arguments: [] + +# List of systemd services that matrix-corporal.service depends on +matrix_email2matrix_systemd_required_services_list: ['docker.service'] + +# Controls where the matrix-email2matrix container exposes the SMTP (tcp/2525 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:2525"). +# +# By default, we listen on port 25 on all of the host's network interfaces. +matrix_email2matrix_smtp_host_bind_port: "25" + +matrix_email2matrix_smtp_hostname: "{{ matrix_server_fqn_matrix }}" + +# A list of mailbox to Matrix mappings. +# +# Example: +# matrix_email2matrix_matrix_mappings: +# - MailboxName: "mailbox1" +# MatrixRoomId: "!bpcwlxIUxVvvgXcbjy:example.com" +# MatrixHomeserverUrl: "{{ matrix_homeserver_url }}" +# MatrixUserId": "@email2matrix:{{ matrix_domain }}" +# MatrixAccessToken": "TOKEN_HERE" +# IgnoreSubject: false +# +# - MailboxName: "mailbox2" +# MatrixRoomId: "!another:example.com" +# MatrixHomeserverUrl: "{{ matrix_homeserver_url }}" +# MatrixUserId": "@email2matrix:{{ matrix_domain }}" +# MatrixAccessToken": "TOKEN_HERE" +# IgnoreSubject: true +matrix_email2matrix_matrix_mappings: [] + +matrix_email2matrix_misc_debug: false diff --git a/roles/matrix-email2matrix/tasks/init.yml b/roles/matrix-email2matrix/tasks/init.yml new file mode 100644 index 00000000..0c8ffc0c --- /dev/null +++ b/roles/matrix-email2matrix/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix.service'] }}" + when: matrix_email2matrix_enabled|bool diff --git a/roles/matrix-email2matrix/tasks/main.yml b/roles/matrix-email2matrix/tasks/main.yml new file mode 100644 index 00000000..23114673 --- /dev/null +++ b/roles/matrix-email2matrix/tasks/main.yml @@ -0,0 +1,15 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_email2matrix_enabled|bool" + tags: + - setup-all + - setup-email2matrix + +- import_tasks: "{{ role_path }}/tasks/setup_email2matrix.yml" + when: run_setup|bool + tags: + - setup-all + - setup-email2matrix diff --git a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml b/roles/matrix-email2matrix/tasks/setup_email2matrix.yml new file mode 100644 index 00000000..d5fa73a5 --- /dev/null +++ b/roles/matrix-email2matrix/tasks/setup_email2matrix.yml @@ -0,0 +1,88 @@ +--- + +# +# Tasks related to setting up Email2Matrix +# + +- name: Ensure Email2Matrix paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_email2matrix_base_path }}" + - "{{ matrix_email2matrix_config_dir_path }}" + when: matrix_email2matrix_enabled|bool + +- name: Ensure Email2Matrix configuration file created + template: + src: "{{ role_path }}/templates/config.json.j2" + dest: "{{ matrix_email2matrix_config_dir_path }}/config.json" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + when: matrix_email2matrix_enabled|bool + +- name: Ensure Email2Matrix image is pulled + docker_image: + name: "{{ matrix_email2matrix_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_email2matrix_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_email2matrix_docker_image_force_pull }}" + when: matrix_email2matrix_enabled|bool + +- name: Ensure matrix-email2matrix.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-email2matrix.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-email2matrix.service" + mode: 0644 + register: matrix_email2matrix_systemd_service_result + when: matrix_email2matrix_enabled|bool + +- name: Ensure systemd reloaded after matrix-email2matrix.service installation + service: + daemon_reload: yes + when: "matrix_email2matrix_enabled|bool and matrix_email2matrix_systemd_service_result.changed" + +# +# Tasks related to getting rid of the Email2Matrix (if it was previously enabled) +# + +- name: Check existence of matrix-email2matrix service + stat: + path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" + register: matrix_email2matrix_service_stat + when: "not matrix_email2matrix_enabled|bool" + +- name: Ensure matrix-email2matrix is stopped + service: + name: matrix-email2matrix + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists" + +- name: Ensure matrix-email2matrix.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" + state: absent + when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-email2matrix.service removal + service: + daemon_reload: yes + when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists" + +- name: Ensure Email2Matrix data path doesn't exist + file: + path: "{{ matrix_email2matrix_base_path }}" + state: absent + when: "not matrix_email2matrix_enabled|bool" + +- name: Ensure Email2Matrix Docker image doesn't exist + docker_image: + name: "{{ matrix_email2matrix_docker_image }}" + state: absent + when: "not matrix_email2matrix_enabled|bool" diff --git a/roles/matrix-email2matrix/tasks/validate_config.yml b/roles/matrix-email2matrix/tasks/validate_config.yml new file mode 100644 index 00000000..d8beecf4 --- /dev/null +++ b/roles/matrix-email2matrix/tasks/validate_config.yml @@ -0,0 +1,7 @@ +--- + +- name: Fail if no mappings + fail: + msg: > + You need to define at least one mapping in `matrix_email2matrix_matrix_mappings` for enabling Email2Matrix. + when: "matrix_email2matrix_matrix_mappings|length == 0" diff --git a/roles/matrix-email2matrix/templates/config.json.j2 b/roles/matrix-email2matrix/templates/config.json.j2 new file mode 100644 index 00000000..c1be97fd --- /dev/null +++ b/roles/matrix-email2matrix/templates/config.json.j2 @@ -0,0 +1,14 @@ +#jinja2: lstrip_blocks: "True" +{ + "Smtp": { + "ListenInterface": "0.0.0.0:2525", + "Hostname": {{ matrix_email2matrix_smtp_hostname|to_json }}, + "Workers": 10 + }, + "Matrix": { + "Mappings": {{ matrix_email2matrix_matrix_mappings|to_nice_json }} + }, + "Misc": { + "Debug": {{ matrix_email2matrix_misc_debug|to_json }} + } +} diff --git a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 new file mode 100644 index 00000000..c9226768 --- /dev/null +++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 @@ -0,0 +1,34 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Email2Matrix +After=docker.service +Requires=docker.service +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-email2matrix \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + -p {{ matrix_email2matrix_smtp_host_bind_port }}:2525 \ + --mount type=bind,src={{ matrix_email2matrix_config_dir_path }}/config.json,dst=/config.json,ro \ + {% for arg in matrix_email2matrix_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_email2matrix_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-email2matrix 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-email2matrix 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-email2matrix + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml new file mode 100644 index 00000000..45f8f8b2 --- /dev/null +++ b/roles/matrix-etherpad/defaults/main.yml @@ -0,0 +1,87 @@ +matrix_etherpad_enabled: false + +matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad" + +matrix_etherpad_version: 1.8.12 +matrix_etherpad_docker_image: "{{ matrix_container_global_registry_prefix }}etherpad/etherpad:{{ matrix_etherpad_version }}" +matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}" + +# List of systemd services that matrix-etherpad.service depends on. +matrix_etherpad_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-etherpad.service wants +matrix_etherpad_systemd_wanted_services_list: [] + +# Container user has to be able to write to the source file directories until this bug is fixed: +# https://github.com/ether/etherpad-lite/issues/2683 +matrix_etherpad_user_uid: '5001' +matrix_etherpad_user_gid: '5001' + +# Controls whether the matrix-etherpad container exposes its HTTP port (tcp/9001 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9001"), or empty string to not expose. +matrix_etherpad_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_etherpad_container_extra_arguments: [] + +matrix_etherpad_public_endpoint: '/etherpad' + +# By default, the Etherpad app can be accessed within the Dimension domain +matrix_etherpad_base_url: "https://{{ matrix_server_fqn_dimension }}{{ matrix_etherpad_public_endpoint }}" + +# Database-related configuration fields. +# +# Etherpad requires a dedicated database +matrix_etherpad_database_engine: 'postgres' + +matrix_etherpad_database_username: 'matrix_etherpad' +matrix_etherpad_database_password: 'some-password' +matrix_etherpad_database_hostname: 'matrix-postgres' +matrix_etherpad_database_port: 5432 +matrix_etherpad_database_name: 'matrix_etherpad' + +matrix_etherpad_database_connection_string: 'postgres://{{ matrix_etherpad_database_username }}:{{ matrix_etherpad_database_password }}@{{ matrix_etherpad_database_hostname }}:{{ matrix_etherpad_database_port }}/{{ matrix_etherpad_database_name }}' + +# Variables configuring the etherpad +matrix_etherpad_title: 'Etherpad' +matrix_etherpad_default_pad_text: | + Welcome to Etherpad! + + This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents! + + Get involved with Etherpad at https://etherpad.org + +# Default Etherpad configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_etherpad_configuration_extension_json`) +# or completely replace this variable with your own template. +matrix_etherpad_configuration_default: "{{ lookup('template', 'templates/settings.json.j2') }}" + +# Your custom JSON configuration for Etherpad goes here. +# This configuration extends the default starting configuration (`matrix_etherpad_configuration_json`). +# +# You can override individual variables from the default configuration, or introduce new ones. +# +# If you need something more special, you can take full control by +# completely redefining `matrix_etherpad_configuration_json`. +# +# Example configuration extension follows: +# +# matrix_etherpad_configuration_extension_json: | +# { +# "loadTest": true, +# "commitRateLimiting": { +# "duration": 1, +# "points": 10 +# } +# } +# +matrix_etherpad_configuration_extension_json: '{}' + +matrix_etherpad_configuration_extension: "{{ matrix_etherpad_configuration_extension_json|from_json if matrix_etherpad_configuration_extension_json|from_json is mapping else {} }}" + +# Holds the final Etherpad configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_etherpad_configuration_json`. +matrix_etherpad_configuration: "{{ matrix_etherpad_configuration_default|combine(matrix_etherpad_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-etherpad/tasks/init.yml b/roles/matrix-etherpad/tasks/init.yml new file mode 100644 index 00000000..081d4c23 --- /dev/null +++ b/roles/matrix-etherpad/tasks/init.yml @@ -0,0 +1,62 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-etherpad.service'] }}" + when: matrix_etherpad_enabled|bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: >- + Trying to append Etherpad's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-etherpad role. + when: matrix_nginx_proxy_role_executed|default(False)|bool + + - name: Generate Etherpad proxying configuration for matrix-nginx-proxy + set_fact: + matrix_etherpad_matrix_nginx_proxy_configuration: | + rewrite ^{{ matrix_etherpad_public_endpoint }}$ $scheme://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent; + + location {{ matrix_etherpad_public_endpoint }}/ { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + proxy_pass http://matrix-etherpad:9001/; + {# These are proxy directives needed specifically by Etherpad #} + proxy_buffering off; + proxy_http_version 1.1; # recommended with keepalive connections + proxy_pass_header Server; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used + # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + {% else %} + {# Generic configuration for use outside of our container setup #} + # A good guide for setting up your Etherpad behind nginx: + # https://docs.gandi.net/en/cloud/tutorials/etherpad_lite.html + proxy_pass http://127.0.0.1:9001/; + {% endif %} + } + + - name: Register Etherpad proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks|default([]) + + + [matrix_etherpad_matrix_nginx_proxy_configuration] + }} + tags: + - always + when: matrix_etherpad_enabled|bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: >- + NOTE: You've enabled the Etherpad tool but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_etherpad_public_endpoint }}` + URL endpoint to the matrix-etherpad container. + You can expose the container's port using the `matrix_etherpad_container_http_host_bind_port` variable. + when: "matrix_etherpad_enabled|bool and matrix_nginx_proxy_enabled is not defined" diff --git a/roles/matrix-etherpad/tasks/main.yml b/roles/matrix-etherpad/tasks/main.yml new file mode 100644 index 00000000..27548aaf --- /dev/null +++ b/roles/matrix-etherpad/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: run_setup|bool and matrix_etherpad_enabled|bool + tags: + - setup-all + - setup-etherpad + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: run_setup|bool and not matrix_etherpad_enabled|bool + tags: + - setup-all + - setup-etherpad + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool and matrix_etherpad_enabled|bool + tags: + - setup-all + - setup-etherpad diff --git a/roles/matrix-etherpad/tasks/setup_install.yml b/roles/matrix-etherpad/tasks/setup_install.yml new file mode 100644 index 00000000..a93c28de --- /dev/null +++ b/roles/matrix-etherpad/tasks/setup_install.yml @@ -0,0 +1,36 @@ +--- + +- name: Ensure Etherpad base path exists + file: + path: "{{ matrix_etherpad_base_path }}" + state: directory + mode: 0770 + owner: "{{ matrix_etherpad_user_uid }}" + group: "{{ matrix_etherpad_user_gid }}" + +- name: Ensure Etherpad config installed + copy: + content: "{{ matrix_etherpad_configuration|to_nice_json }}" + dest: "{{ matrix_etherpad_base_path }}/settings.json" + mode: 0640 + owner: "{{ matrix_etherpad_user_uid }}" + group: "{{ matrix_etherpad_user_gid }}" + +- name: Ensure Etherpad image is pulled + docker_image: + name: "{{ matrix_etherpad_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_etherpad_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_etherpad_docker_image_force_pull }}" + +- name: Ensure matrix-etherpad.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-etherpad.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-etherpad.service" + mode: 0644 + register: matrix_etherpad_systemd_service_result + +- name: Ensure systemd reloaded after matrix-etherpad.service installation + service: + daemon_reload: yes + when: "matrix_etherpad_systemd_service_result.changed|bool" diff --git a/roles/matrix-etherpad/tasks/setup_uninstall.yml b/roles/matrix-etherpad/tasks/setup_uninstall.yml new file mode 100644 index 00000000..8f40f420 --- /dev/null +++ b/roles/matrix-etherpad/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-etherpad service + stat: + path: "{{ matrix_systemd_path }}/matrix-etherpad.service" + register: matrix_etherpad_service_stat + +- name: Ensure matrix-etherpad is stopped + service: + name: matrix-etherpad + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_etherpad_service_stat.stat.exists|bool" + +- name: Ensure matrix-etherpad.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-etherpad.service" + state: absent + when: "matrix_etherpad_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-etherpad.service removal + service: + daemon_reload: yes + when: "matrix_etherpad_service_stat.stat.exists|bool" + +- name: Ensure Etherpad base directory doesn't exist + file: + path: "{{ matrix_etherpad_base_path }}" + state: absent + +- name: Ensure Etherpad Docker image doesn't exist + docker_image: + name: "{{ matrix_etherpad_docker_image }}" + state: absent diff --git a/roles/matrix-etherpad/tasks/validate_config.yml b/roles/matrix-etherpad/tasks/validate_config.yml new file mode 100644 index 00000000..c76dc3b5 --- /dev/null +++ b/roles/matrix-etherpad/tasks/validate_config.yml @@ -0,0 +1,11 @@ +- name: Fail if Etherpad is enabled without the Dimension integrations manager + fail: + msg: >- + To integrate Etherpad notes with Matrix rooms you need to set "matrix_dimension_enabled" to true + when: "not matrix_dimension_enabled|bool" + +- name: Fail if no database is configured for Etherpad + fail: + msg: >- + Etherpad requires a dedicated Postgres database. Please enable the built in one, or configure an external DB by redefining "matrix_etherpad_database_hostname" + when: matrix_etherpad_database_hostname == "matrix-postgres" and not matrix_postgres_enabled diff --git a/roles/matrix-etherpad/templates/settings.json.j2 b/roles/matrix-etherpad/templates/settings.json.j2 new file mode 100644 index 00000000..377bad98 --- /dev/null +++ b/roles/matrix-etherpad/templates/settings.json.j2 @@ -0,0 +1,105 @@ +{ + "title": {{ matrix_etherpad_title|to_json }}, + "favicon": "favicon.ico", + "skinName": "colibris", + "skinVariants": "super-light-toolbar super-light-editor light-background", + "ip": "::", + "port": 9001, + "showSettingsInAdminPage": true, + "dbType": {{ matrix_etherpad_database_engine|to_json }}, + "dbSettings": { + "database": {{ matrix_etherpad_database_name|to_json }}, + "host": {{ matrix_etherpad_database_hostname|to_json }}, + "password": {{ matrix_etherpad_database_password|to_json }}, + "port": {{ matrix_etherpad_database_port|to_json }}, + "user": {{ matrix_etherpad_database_username|to_json }} + }, + "defaultPadText" : {{ matrix_etherpad_default_pad_text|to_json }}, + "suppressErrorsInPadText": false, + "requireSession": false, + "editOnly": false, + "minify": true, + "maxAge": 21600, + "abiword": null, + "soffice": null, + "tidyHtml": null, + "allowUnknownFileEnds": true, + "requireAuthentication": false, + "requireAuthorization": false, + "trustProxy": true, + "cookie": { + "sameSite": "Lax" + }, + "disableIPlogging": true, + "automaticReconnectionTimeout": 0, + "scrollWhenFocusLineIsOutOfViewport": { + "percentage": { + "editionAboveViewport": 0, + "editionBelowViewport": 0 + }, + "duration": 0, + "scrollWhenCaretIsInTheLastLineOfViewport": false, + "percentageToScrollWhenUserPressesArrowUp": 0 + }, + "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], + "socketIo": { + "maxHttpBufferSize": 10000 + }, + "loadTest": false, + "importExportRateLimiting": { + "windowMs": 90000, + "max": 10 + }, + "importMaxFileSize": 52428800, + "commitRateLimiting": { + "duration": 1, + "points": 10 + }, + "exposeVersion": false, + "padOptions": { + "noColors": false, + "showControls": true, + "showChat": false, + "showLineNumbers": true, + "useMonospaceFont": false, + "userName": false, + "userColor": false, + "rtl": false, + "alwaysShowChat": false, + "chatAndUsers": false, + "lang": "en-gb" + }, + "padShortcutEnabled" : { + "altF9": true, + "altC": true, + "cmdShift2": true, + "delete": true, + "return": true, + "esc": true, + "cmdS": true, + "tab": true, + "cmdZ": true, + "cmdY": true, + "cmdI": true, + "cmdB": true, + "cmdU": true, + "cmd5": true, + "cmdShiftL": true, + "cmdShiftN": true, + "cmdShift1": true, + "cmdShiftC": true, + "cmdH": true, + "ctrlHome": true, + "pageUp": true, + "pageDown": true + }, + "loglevel": "INFO", + "logconfig" : + { "appenders": [ + { "type": "console", + "layout": {"type": "messagePassThrough"} + } + ] + }, + "customLocaleStrings": {} +} diff --git a/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 new file mode 100644 index 00000000..b579036b --- /dev/null +++ b/roles/matrix-etherpad/templates/systemd/matrix-etherpad.service.j2 @@ -0,0 +1,44 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Etherpad +{% for service in matrix_etherpad_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_etherpad_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-etherpad +ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-etherpad + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-etherpad \ + --log-driver=none \ + --user={{ matrix_etherpad_user_uid }}:{{ matrix_etherpad_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_etherpad_container_http_host_bind_port %} + -p {{ matrix_etherpad_container_http_host_bind_port }}:9001 \ + {% endif %} + --mount type=bind,src={{ matrix_etherpad_base_path }},dst=/data \ + {% for arg in matrix_etherpad_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_etherpad_docker_image }} \ + node --experimental-worker src/node/server.js \ + --settings /data/settings.json --credentials /data/credentials.json \ + --sessionkey /data/sessionkey.json --apikey /data/apijey.json + + +ExecStop=-{{ matrix_host_command_docker }} kill matrix-etherpad +ExecStop=-{{ matrix_host_command_docker }} rm matrix-etherpad +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-etherpad + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml new file mode 100644 index 00000000..88359fe1 --- /dev/null +++ b/roles/matrix-grafana/defaults/main.yml @@ -0,0 +1,59 @@ +# matrix-grafana is open source visualization and analytics software +# See: https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md + +matrix_grafana_enabled: false + +matrix_grafana_version: 8.0.5 +matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" +matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" + +# Not conditional, because when someone disables metrics +# they might still want to look at the old existing data. +# So it would be silly to delete the dashboard in such case. +matrix_grafana_dashboard_download_urls: +- "https://raw.githubusercontent.com/matrix-org/synapse/master/contrib/grafana/synapse.json" +- "https://raw.githubusercontent.com/rfrail3/grafana-dashboards/master/prometheus/node-exporter-full.json" + +matrix_grafana_base_path: "{{ matrix_base_data_path }}/grafana" +matrix_grafana_config_path: "{{ matrix_grafana_base_path }}/config" +matrix_grafana_data_path: "{{ matrix_grafana_base_path }}/data" + +# Allow viewing Grafana without logging in +matrix_grafana_anonymous_access: false + +# specify organization name that should be used for unauthenticated users +# if you change this in the Grafana admin panel, this needs to be updated +# to match to keep anonymous logins working +matrix_grafana_anonymous_access_org_name: 'Main Org.' + + +# default admin credentials, you are asked to change these on first login +matrix_grafana_default_admin_user: admin +matrix_grafana_default_admin_password: admin + +# Set to true to add the Content-Security-Policy header to your requests. +# CSP allows to control resources that the user agent can load and helps +# prevent XSS attacks. +# [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy) +matrix_grafana_content_security_policy: true + +# specify content security policy template to customized template +# added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers. +# [Content Security Policy Browser Test] (https://content-security-policy.com/browser-test/) +# [Content Security Policy Reference](https://content-security-policy.com/script-src/) +matrix_grafana_content_security_policy_customized: false +matrix_grafana_content_security_policy_template: "script-src 'self' 'unsafe-eval' 'unsafe-inline' http: https: 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';" + +# A list of extra arguments to pass to the container +matrix_grafana_container_extra_arguments: [] + +# List of systemd services that matrix-grafana.service depends on +matrix_grafana_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-grafana.service wants +matrix_grafana_systemd_wanted_services_list: [] + +# Controls whether the matrix-grafana container exposes its HTTP port (tcp/3000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:3000"), or empty string to not expose. +matrix_grafana_container_http_host_bind_port: '' diff --git a/roles/matrix-grafana/tasks/init.yml b/roles/matrix-grafana/tasks/init.yml new file mode 100644 index 00000000..8a22e301 --- /dev/null +++ b/roles/matrix-grafana/tasks/init.yml @@ -0,0 +1,5 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-grafana.service'] }}" + when: matrix_grafana_enabled|bool + + diff --git a/roles/matrix-grafana/tasks/main.yml b/roles/matrix-grafana/tasks/main.yml new file mode 100644 index 00000000..fb16c394 --- /dev/null +++ b/roles/matrix-grafana/tasks/main.yml @@ -0,0 +1,14 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_grafana_enabled|bool" + tags: + - setup-all + - setup-grafana + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup-all + - setup-grafana diff --git a/roles/matrix-grafana/tasks/setup.yml b/roles/matrix-grafana/tasks/setup.yml new file mode 100644 index 00000000..00d2e230 --- /dev/null +++ b/roles/matrix-grafana/tasks/setup.yml @@ -0,0 +1,110 @@ +--- + +# +# Tasks related to setting up matrix-grafana +# + +- name: Ensure matrix-grafana image is pulled + docker_image: + name: "{{ matrix_grafana_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_grafana_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_grafana_docker_image_force_pull }}" + when: "matrix_grafana_enabled|bool" + +- name: Ensure grafana paths exists + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_grafana_base_path }}" + - "{{ matrix_grafana_config_path }}" + - "{{ matrix_grafana_config_path }}/provisioning" + - "{{ matrix_grafana_config_path }}/provisioning/datasources" + - "{{ matrix_grafana_config_path }}/provisioning/dashboards" + - "{{ matrix_grafana_config_path }}/dashboards" + - "{{ matrix_grafana_data_path }}" + when: matrix_grafana_enabled|bool + +- name: Ensure grafana.ini present + template: + src: "{{ role_path }}/templates/grafana.ini.j2" + dest: "{{ matrix_grafana_config_path }}/grafana.ini" + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_grafana_enabled|bool + +- name: Ensure provisioning/datasources/default.yaml present + template: + src: "{{ role_path }}/templates/datasources.yaml.j2" + dest: "{{ matrix_grafana_config_path }}/provisioning/datasources/default.yaml" + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_grafana_enabled|bool + +- name: Ensure provisioning/dashboards/default.yaml present + template: + src: "{{ role_path }}/templates/dashboards.yaml.j2" + dest: "{{ matrix_grafana_config_path }}/provisioning/dashboards/default.yaml" + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_grafana_enabled|bool + +- name: Ensure dashboard(s) downloaded + get_url: + url: "{{ item }}" + dest: "{{ matrix_grafana_config_path }}/dashboards/" + force: true + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: "{{ matrix_grafana_dashboard_download_urls_all }}" + when: matrix_grafana_enabled|bool + +- name: Ensure matrix-grafana.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-grafana.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-grafana.service" + mode: 0644 + register: matrix_grafana_systemd_service_result + when: matrix_grafana_enabled|bool + +- name: Ensure systemd reloaded after matrix-grafana.service installation + service: + daemon_reload: yes + when: "matrix_grafana_enabled|bool and matrix_grafana_systemd_service_result.changed" + +# +# Tasks related to getting rid of matrix-grafana (if it was previously enabled) +# + +- name: Check existence of matrix-grafana service + stat: + path: "{{ matrix_systemd_path }}/matrix-grafana.service" + register: matrix_grafana_service_stat + +- name: Ensure matrix-grafana is stopped + service: + name: matrix-grafana + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists" + +- name: Ensure matrix-grafana.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-grafana.service" + state: absent + when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-grafana.service removal + service: + daemon_reload: yes + when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists" + diff --git a/roles/matrix-grafana/tasks/validate_config.yml b/roles/matrix-grafana/tasks/validate_config.yml new file mode 100644 index 00000000..63d4919a --- /dev/null +++ b/roles/matrix-grafana/tasks/validate_config.yml @@ -0,0 +1,7 @@ +--- + +- name: Fail if Prometheus not enabled + fail: + msg: > + You need to enable `matrix_prometheus_enabled` to use Prometheus as data source for Grafana. + when: "not matrix_prometheus_enabled" diff --git a/roles/matrix-grafana/templates/dashboards.yaml.j2 b/roles/matrix-grafana/templates/dashboards.yaml.j2 new file mode 100644 index 00000000..aae42ba2 --- /dev/null +++ b/roles/matrix-grafana/templates/dashboards.yaml.j2 @@ -0,0 +1,9 @@ +apiVersion: 1 + +providers: + - name: {{ matrix_server_fqn_matrix }} - Dashboards + folder: '' # The folder where to place the dashboards + type: file + allowUiUpdates: true + options: + path: /etc/grafana/dashboards diff --git a/roles/matrix-grafana/templates/datasources.yaml.j2 b/roles/matrix-grafana/templates/datasources.yaml.j2 new file mode 100644 index 00000000..6ccbe374 --- /dev/null +++ b/roles/matrix-grafana/templates/datasources.yaml.j2 @@ -0,0 +1,8 @@ +apiVersion: 1 + +datasources: + - name: {{ matrix_server_fqn_matrix }} - Prometheus + type: prometheus + # Access mode - proxy (server in the UI) or direct (browser in the UI). + access: proxy + url: http://matrix-prometheus:9090 diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 new file mode 100644 index 00000000..8f4c88f0 --- /dev/null +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -0,0 +1,31 @@ +[server] +root_url = "https://{{ matrix_server_fqn_grafana }}" + +[security] +# default admin user, created on startup +admin_user = "{{ matrix_grafana_default_admin_user }}" + +# default admin password, can be changed before first start of grafana, or in profile settings +admin_password = """{{ matrix_grafana_default_admin_password }}""" + +# specify content_security_policy to add the Content-Security-Policy header to your requests +content_security_policy = "{{ matrix_grafana_content_security_policy }}" + +# specify content security policy template to customized template +{% if matrix_grafana_content_security_policy_customized %} +content_security_policy_template = """{{ matrix_grafana_content_security_policy_template }}""" +{% endif %} + +[auth.anonymous] +# enable anonymous access +enabled = {{ matrix_grafana_anonymous_access }} + +# specify organization name that should be used for unauthenticated users +org_name = "{{ matrix_grafana_anonymous_access_org_name }}" + +[dashboards] +{% if matrix_synapse_metrics_enabled %} +default_home_dashboard_path = /etc/grafana/dashboards/synapse.json +{% else %} +default_home_dashboard_path = /etc/grafana/dashboards/node-exporter-full.json +{% endif %} diff --git a/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 new file mode 100644 index 00000000..a4f81e35 --- /dev/null +++ b/roles/matrix-grafana/templates/systemd/matrix-grafana.service.j2 @@ -0,0 +1,43 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-grafana +{% for service in matrix_grafana_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_grafana_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' + + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-grafana \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_grafana_container_http_host_bind_port %} + -p {{ matrix_grafana_container_http_host_bind_port }}:3000 \ + {% endif %} + -v {{ matrix_grafana_config_path }}:/etc/grafana:z \ + -v {{ matrix_grafana_data_path }}:/var/lib/grafana:z \ + {% for arg in matrix_grafana_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_grafana_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-grafana 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-grafana 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-grafana + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml new file mode 100644 index 00000000..87d87706 --- /dev/null +++ b/roles/matrix-jitsi/defaults/main.yml @@ -0,0 +1,261 @@ +matrix_jitsi_enabled: true + +matrix_jitsi_base_path: "{{ matrix_base_data_path }}/jitsi" + +matrix_jitsi_enable_auth: false +matrix_jitsi_enable_guests: false +matrix_jitsi_enable_recording: false +matrix_jitsi_enable_transcriptions: false +matrix_jitsi_enable_p2p: true + +# Authentication type, must be one of internal, jwt or ldap. Currently only +# internal and ldap are supported by this playbook. +matrix_jitsi_auth_type: internal + +# Configuration options for LDAP authentication. For details see upstream: +# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap. +# Defaults are taken from: +# https://github.com/jitsi/docker-jitsi-meet/blob/master/prosody/rootfs/defaults/saslauthd.conf +matrix_jitsi_ldap_url: "" +matrix_jitsi_ldap_base: "" +matrix_jitsi_ldap_binddn: "" +matrix_jitsi_ldap_bindpw: "" +matrix_jitsi_ldap_filter: "uid=%u" +matrix_jitsi_ldap_auth_method: "bind" +matrix_jitsi_ldap_version: "3" +matrix_jitsi_ldap_use_tls: false +matrix_jitsi_ldap_tls_ciphers: "" +matrix_jitsi_ldap_tls_check_peer: false +matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt" +matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs" +matrix_jitsi_ldap_start_tls: false + +matrix_jitsi_timezone: UTC + +matrix_jitsi_xmpp_domain: matrix-jitsi-web +matrix_jitsi_xmpp_server: matrix-jitsi-prosody +matrix_jitsi_xmpp_auth_domain: auth.meet.jitsi +matrix_jitsi_xmpp_bosh_url_base: http://{{ matrix_jitsi_xmpp_server }}:5280 +matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi +matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi +matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi +matrix_jitsi_xmpp_modules: '' + +matrix_jitsi_recorder_domain: recorder.meet.jitsi + + +matrix_jitsi_jibri_brewery_muc: jibribrewery +matrix_jitsi_jibri_pending_timeout: 90 +matrix_jitsi_jibri_xmpp_user: jibri +matrix_jitsi_jibri_xmpp_password: '' +matrix_jitsi_jibri_recorder_user: recorder +matrix_jitsi_jibri_recorder_password: '' + +matrix_jitsi_enable_lobby: false + +matrix_jitsi_version: stable-5765-1 +matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility + +matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" + +matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" +matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config" +matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts" + +matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" + +# STUN servers used in the web UI. Feel free to point them to your own STUN server. +# Addresses need to be prefixed with one of `stun:`, `turn:` or `turns:`. +matrix_jitsi_web_stun_servers: ['stun:meet-jit-si-turnrelay.jitsi.net:443'] + +# Controls whether Etherpad will be available within Jitsi +matrix_jitsi_etherpad_enabled: false + +# Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:13080"), or empty string to not expose. +matrix_jitsi_web_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_jitsi_web_container_extra_arguments: [] + +# List of systemd services that matrix-jitsi-web.service depends on +matrix_jitsi_web_systemd_required_services_list: ['docker.service'] + + +# Some variables controlling the interface of Jitsi Web. +# These get applied to `templates/web/interface_config.js.j2`. +# +# Besides this, you can also use `matrix_jitsi_web_custom_interface_config_extension` +# to define any other configuration option. +matrix_jitsi_web_interface_config_lang_detection: false +matrix_jitsi_web_interface_config_show_jitsi_watermark: true +matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org" +matrix_jitsi_web_interface_config_show_brand_watermark: false +matrix_jitsi_web_interface_config_brand_watermark_link: "" +matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page: true +matrix_jitsi_web_interface_config_display_welcome_page_content: true +matrix_jitsi_web_interface_config_app_name: "Jitsi Meet" +matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet" +matrix_jitsi_web_interface_config_provider_name: "Jitsi" +matrix_jitsi_web_interface_config_show_powered_by: false +matrix_jitsi_web_interface_config_disable_transcription_subtitles: false +matrix_jitsi_web_interface_config_show_deep_linking_image: false + +# Custom configuration to be injected into `interface_config.js`, passed to Jitsi Web. +# This configuration gets appended to the final interface configuration that Jitsi Web uses. +# +# Note: not to be confused with `matrix_jitsi_web_custom_config_extension`. +# +# For interface configuration, the flow is like this: +# - the contents of `templates/web/interface_config.js.j2` is generated (based on various `matrix_jitsi_web_interface_config_*` variables you see in this file) +# - the contents of `matrix_jitsi_web_custom_interface_config_extension` is appended and can define new settings or override defaults. +# +# Example: +# matrix_jitsi_web_custom_interface_config_extension: | +# interfaceConfig.CONNECTION_INDICATOR_AUTO_HIDE_ENABLED = false; +# interfaceConfig.DISABLE_VIDEO_BACKGROUND = true; +matrix_jitsi_web_custom_interface_config_extension: '' + + +# Controls after which participant audio will be muted. If not specified, defaults to Jitsi's default value (likely 10) +matrix_jitsi_web_config_start_audio_muted_after_nth_participant: ~ +# Controls after which participant video will be muted. If not specified, defaults to Jitsi's default value (likely 10) +matrix_jitsi_web_config_start_video_muted_after_nth_participant: ~ + +matrix_jitsi_web_config_defaultLanguage: 'en' + +# Ideal and also maximum resolution width. If not specified, defaults to Jitsi's default value (likely 1280) +matrix_jitsi_web_config_resolution_width_ideal_and_max: ~ +# Minimum resolution width. If not specified, defaults to Jitsi's default value (likely 320) +matrix_jitsi_web_config_resolution_width_min: ~ +# Ideal and also maximum resolution height. If not specified, defaults to Jitsi's default value (likely 720) +matrix_jitsi_web_config_resolution_height_ideal_and_max: ~ +# Minimum resolution height. If not specified, defaults to Jitsi's default value (likely 180) +matrix_jitsi_web_config_resolution_height_min: ~ + +# Custom configuration to be injected into `custom-config.js`, passed to Jitsi Web. +# This configuration gets appended to the final configuration that Jitsi Web uses. +# +# Note: not to be confused with `matrix_jitsi_web_custom_interface_config_extension`. +# +# The flow is like this: +# - some default configuration is automatically generated based on the environment variables passed to the Jitsi Web container +# - the contents of `custom-config.js` is appended to it (see `templates/web/custom-config.js.j2`) +# - said `custom-config.js` contains your custom contents specified in `matrix_jitsi_web_custom_config_extension`. +# +# Example: +# matrix_jitsi_web_custom_config_extension: | +# if (!config.hasOwnProperty('testing')) config.testing = {}; +# config.testing.p2pTestMode = true +matrix_jitsi_web_custom_config_extension: '' + +# Additional environment variables to pass to the Jitsi Web container. +# You can use this to further influence the default configuration generated by the Jitsi Web container on every startup. +# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration +# by using `matrix_jitsi_web_custom_config_extension`. +# +# Example: +# matrix_jitsi_web_environment_variables_extension: | +# ENABLE_FILE_RECORDING_SERVICE=1 +# DROPBOX_APPKEY=something +# DROPBOX_REDIRECT_URI=something +matrix_jitsi_web_environment_variables_extension: '' + + +matrix_jitsi_prosody_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/prosody:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" + +matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" +matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config" +matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom" + +# A list of extra arguments to pass to the container +matrix_jitsi_prosody_container_extra_arguments: [] + +# List of systemd services that matrix-jitsi-prosody.service depends on +matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] + +# Neccessary Port binding for those disabling the integrated nginx proxy +matrix_jitsi_prosody_container_http_host_bind_port: '' + +matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" + +matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" +matrix_jitsi_jicofo_config_path: "{{ matrix_jitsi_jicofo_base_path }}/config" + +# A list of extra arguments to pass to the container +matrix_jitsi_jicofo_container_extra_arguments: [] + +# List of systemd services that matrix-jitsi-jicofo.service depends on +matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] + +matrix_jitsi_jicofo_component_secret: '' +matrix_jitsi_jicofo_auth_user: focus +matrix_jitsi_jicofo_auth_password: '' + + +matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}" +matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" + +matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" +matrix_jitsi_jvb_config_path: "{{ matrix_jitsi_jvb_base_path }}/config" + +# A list of extra arguments to pass to the container +matrix_jitsi_jvb_container_extra_arguments: [] + +# List of systemd services that matrix-jitsi-jvb.service depends on +matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] + +matrix_jitsi_jvb_auth_user: jvb +matrix_jitsi_jvb_auth_password: '' + +# STUN servers used by JVB on the server-side, so it can discover its own external IP address. +# Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. +matrix_jitsi_jvb_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443'] + +matrix_jitsi_jvb_brewery_muc: jvbbrewery +matrix_jitsi_jvb_rtp_udp_port: 10000 +matrix_jitsi_jvb_rtp_tcp_port: 4443 + +# Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB. +# This configuration gets appended to the final configuration that Jitsi JVB uses. +# +# The flow is like this: +# - some default configuration is automatically generated based on the environment variables passed to the Jitsi JVB container +# - the contents of `custom-sip-communicator.properties` is appended to it (see `templates/jvb/custom-sip-communicator.properties.j2`) +# - said `custom-sip-communicator.properties` contains your custom contents specified in `matrix_jitsi_jvb_custom_config_extension`. +# +# Example: +# matrix_jitsi_jvb_custom_config_extension: | +# org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=false +# org.jitsi.videobridge.ENABLE_STATISTICS=false +matrix_jitsi_jvb_custom_config_extension: '' + +# Additional environment variables to pass to the Jitsi JVB container. +# You can use this to further influence the default configuration generated by the Jitsi JVB container on every startup. +# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration +# by using `matrix_jitsi_jvb_custom_config_extension`. +# +# Example: +# matrix_jitsi_jvb_environment_variables_extension: | +# SOME_VARIABLE=1 +# ANOTHER_VARIABLE=something +matrix_jitsi_jvb_environment_variables_extension: '' + +# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/10000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:10000"), or empty string to not expose. +matrix_jitsi_jvb_container_rtp_udp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_udp_port }}" + +# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/4443 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:4443"), or empty string to not expose. +matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_port }}" + +# Controls whether the matrix-jitsi-jvb container exposes its Colibri WebSocket port (tcp/9090 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:12090"), or empty string to not expose. +matrix_jitsi_jvb_container_colibri_ws_host_bind_port: '' diff --git a/roles/matrix-jitsi/tasks/init.yml b/roles/matrix-jitsi/tasks/init.yml new file mode 100644 index 00000000..1f7a2d1c --- /dev/null +++ b/roles/matrix-jitsi/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] }}" + when: matrix_jitsi_enabled|bool diff --git a/roles/matrix-jitsi/tasks/main.yml b/roles/matrix-jitsi/tasks/main.yml new file mode 100644 index 00000000..e4f3508f --- /dev/null +++ b/roles/matrix-jitsi/tasks/main.yml @@ -0,0 +1,39 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_jitsi_enabled|bool" + tags: + - setup-all + - setup-jitsi + +- import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" + when: run_setup|bool + tags: + - setup-all + - setup-jitsi + +- import_tasks: "{{ role_path }}/tasks/setup_jitsi_web.yml" + when: run_setup|bool + tags: + - setup-all + - setup-jitsi + +- import_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody.yml" + when: run_setup|bool + tags: + - setup-all + - setup-jitsi + +- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo.yml" + when: run_setup|bool + tags: + - setup-all + - setup-jitsi + +- import_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb.yml" + when: run_setup|bool + tags: + - setup-all + - setup-jitsi diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_base.yml b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml new file mode 100644 index 00000000..408027ee --- /dev/null +++ b/roles/matrix-jitsi/tasks/setup_jitsi_base.yml @@ -0,0 +1,20 @@ +--- + +# +# Tasks related to setting up jitsi +# + +- name: Ensure Matrix jitsi base path exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_jitsi_base_path }}", when: true } + when: matrix_jitsi_enabled|bool and item.when + +# +# Tasks related to getting rid of jitsi (if it was previously enabled) +# diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml new file mode 100644 index 00000000..dd2a7bd2 --- /dev/null +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml @@ -0,0 +1,93 @@ +--- + +# +# Tasks related to setting up jitsi-jicofo +# + +- name: Ensure Matrix jitsi-jicofo path exists + file: + path: "{{ item.path }}" + state: directory + mode: 0777 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_jitsi_jicofo_base_path }}", when: true } + - { path: "{{ matrix_jitsi_jicofo_config_path }}", when: true } + when: matrix_jitsi_enabled|bool and item.when + +- name: Ensure jitsi-jicofo Docker image is pulled + docker_image: + name: "{{ matrix_jitsi_jicofo_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_jitsi_jicofo_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jicofo_docker_image_force_pull }}" + when: matrix_jitsi_enabled|bool + +- name: Ensure jitsi-jicofo environment variables file created + template: + src: "{{ role_path }}/templates/jicofo/env.j2" + dest: "{{ matrix_jitsi_jicofo_base_path }}/env" + mode: 0640 + when: matrix_jitsi_enabled|bool + +- name: Ensure jitsi-jicofo configuration files created + template: + src: "{{ role_path }}/templates/jicofo/{{ item }}.j2" + dest: "{{ matrix_jitsi_jicofo_config_path }}/{{ item }}" + mode: 0644 + with_items: + - sip-communicator.properties + - logging.properties + when: matrix_jitsi_enabled|bool + +- name: Ensure matrix-jitsi-jicofo.service installed + template: + src: "{{ role_path }}/templates/jicofo/matrix-jitsi-jicofo.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-jitsi-jicofo.service" + mode: 0644 + register: matrix_jitsi_jicofo_systemd_service_result + when: matrix_jitsi_enabled|bool + +- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service installation + service: + daemon_reload: yes + when: "matrix_jitsi_enabled and matrix_jitsi_jicofo_systemd_service_result.changed" + +# +# Tasks related to getting rid of jitsi-jicofo (if it was previously enabled) +# + +- name: Check existence of matrix-jitsi-jicofo service + stat: + path: "{{ matrix_systemd_path }}/matrix-jitsi-jicofo.service" + register: matrix_jitsi_jicofo_service_stat + when: "not matrix_jitsi_enabled|bool" + +- name: Ensure matrix-jitsi-jicofo is stopped + service: + name: matrix-jitsi-jicofo + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists" + +- name: Ensure matrix-jitsi-jicofo.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-jitsi-jicofo.service" + state: absent + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-jitsi-jicofo.service removal + service: + daemon_reload: yes + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jicofo_service_stat.stat.exists" + +- name: Ensure Matrix jitsi-jicofo paths doesn't exist + file: + path: "{{ matrix_jitsi_jicofo_base_path }}" + state: absent + when: "not matrix_jitsi_enabled|bool" + +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml new file mode 100644 index 00000000..b73426db --- /dev/null +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml @@ -0,0 +1,93 @@ +--- + +# +# Tasks related to setting up jitsi-jvb +# + +- name: Ensure Matrix jitsi-jvb path exists + file: + path: "{{ item.path }}" + state: directory + mode: 0777 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_jitsi_jvb_base_path }}", when: true } + - { path: "{{ matrix_jitsi_jvb_config_path }}", when: true } + when: matrix_jitsi_enabled|bool and item.when + +- name: Ensure jitsi-jvb Docker image is pulled + docker_image: + name: "{{ matrix_jitsi_jvb_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_jitsi_jvb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jvb_docker_image_force_pull }}" + when: matrix_jitsi_enabled|bool + +- name: Ensure jitsi-jvb configuration files created + template: + src: "{{ role_path }}/templates/jvb/{{ item }}.j2" + dest: "{{ matrix_jitsi_jvb_config_path }}/{{ item }}" + mode: 0644 + with_items: + - custom-sip-communicator.properties + - logging.properties + when: matrix_jitsi_enabled|bool + +- name: Ensure jitsi-jvb environment variables file created + template: + src: "{{ role_path }}/templates/jvb/env.j2" + dest: "{{ matrix_jitsi_jvb_base_path }}/env" + mode: 0640 + when: matrix_jitsi_enabled|bool + +- name: Ensure matrix-jitsi-jvb.service installed + template: + src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-jitsi-jvb.service" + mode: 0644 + register: matrix_jitsi_jvb_systemd_service_result + when: matrix_jitsi_enabled|bool + +- name: Ensure systemd reloaded after matrix-jitsi-jvb.service installation + service: + daemon_reload: yes + when: "matrix_jitsi_enabled and matrix_jitsi_jvb_systemd_service_result.changed" + +# +# Tasks related to getting rid of jitsi-jvb (if it was previously enabled) +# + +- name: Check existence of matrix-jitsi-jvb service + stat: + path: "{{ matrix_systemd_path }}/matrix-jitsi-jvb.service" + register: matrix_jitsi_jvb_service_stat + when: "not matrix_jitsi_enabled|bool" + +- name: Ensure matrix-jitsi-jvb is stopped + service: + name: matrix-jitsi-jvb + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists" + +- name: Ensure matrix-jitsi-jvb.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-jitsi-jvb.service" + state: absent + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-jitsi-jvb.service removal + service: + daemon_reload: yes + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_jvb_service_stat.stat.exists" + +- name: Ensure Matrix jitsi-jvb paths doesn't exist + file: + path: "{{ matrix_jitsi_jvb_base_path }}" + state: absent + when: "not matrix_jitsi_enabled|bool" + +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml new file mode 100644 index 00000000..fd051fda --- /dev/null +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -0,0 +1,84 @@ +--- + +# +# Tasks related to setting up jitsi-prosody +# + +- name: Ensure Matrix jitsi-prosody path exists + file: + path: "{{ item.path }}" + state: directory + mode: 0777 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_jitsi_prosody_base_path }}", when: true } + - { path: "{{ matrix_jitsi_prosody_config_path }}", when: true } + - { path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true } + when: matrix_jitsi_enabled|bool and item.when + +- name: Ensure jitsi-prosody Docker image is pulled + docker_image: + name: "{{ matrix_jitsi_prosody_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_jitsi_prosody_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}" + when: matrix_jitsi_enabled|bool + +- name: Ensure jitsi-prosody environment variables file created + template: + src: "{{ role_path }}/templates/prosody/env.j2" + dest: "{{ matrix_jitsi_prosody_base_path }}/env" + mode: 0640 + when: matrix_jitsi_enabled|bool + +- name: Ensure matrix-jitsi-prosody.service installed + template: + src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" + mode: 0644 + register: matrix_jitsi_prosody_systemd_service_result + when: matrix_jitsi_enabled|bool + +- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation + service: + daemon_reload: yes + when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed" + +# +# Tasks related to getting rid of jitsi-prosody (if it was previously enabled) +# + +- name: Check existence of matrix-jitsi-prosody service + stat: + path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" + register: matrix_jitsi_prosody_service_stat + when: "not matrix_jitsi_enabled|bool" + +- name: Ensure matrix-jitsi-prosody is stopped + service: + name: matrix-jitsi-prosody + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" + +- name: Ensure matrix-jitsi-prosody.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service" + state: absent + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal + service: + daemon_reload: yes + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists" + +- name: Ensure Matrix jitsi-prosody paths doesn't exist + file: + path: "{{ matrix_jitsi_prosody_base_path }}" + state: absent + when: "not matrix_jitsi_enabled|bool" + +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml new file mode 100644 index 00000000..2b8a2cd2 --- /dev/null +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -0,0 +1,95 @@ +--- + +# +# Tasks related to setting up jitsi-web +# + +- name: Ensure Matrix jitsi-web path exists + file: + path: "{{ item.path }}" + state: directory + mode: 0777 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_jitsi_web_base_path }}", when: true } + - { path: "{{ matrix_jitsi_web_config_path }}", when: true } + - { path: "{{ matrix_jitsi_web_transcripts_path }}", when: true } + when: matrix_jitsi_enabled|bool and item.when + +- name: Ensure jitsi-web Docker image is pulled + docker_image: + name: "{{ matrix_jitsi_web_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_jitsi_web_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_web_docker_image_force_pull }}" + when: matrix_jitsi_enabled|bool + +- name: Ensure jitsi-web environment variables file created + template: + src: "{{ role_path }}/templates/web/env.j2" + dest: "{{ matrix_jitsi_web_base_path }}/env" + mode: 0640 + when: matrix_jitsi_enabled|bool + +- name: Ensure jitsi-web configuration files created + template: + src: "{{ role_path }}/templates/web/{{ item }}.j2" + dest: "{{ matrix_jitsi_web_config_path }}/{{ item }}" + mode: 0644 + with_items: + - custom-config.js + - interface_config.js + when: matrix_jitsi_enabled|bool + +- name: Ensure matrix-jitsi-web.service installed + template: + src: "{{ role_path }}/templates/web/matrix-jitsi-web.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-jitsi-web.service" + mode: 0644 + register: matrix_jitsi_web_systemd_service_result + when: matrix_jitsi_enabled|bool + +- name: Ensure systemd reloaded after matrix-jitsi-web.service installation + service: + daemon_reload: yes + when: "matrix_jitsi_enabled and matrix_jitsi_web_systemd_service_result.changed" + +# +# Tasks related to getting rid of jitsi-web (if it was previously enabled) +# + +- name: Check existence of matrix-jitsi-web service + stat: + path: "{{ matrix_systemd_path }}/matrix-jitsi-web.service" + register: matrix_jitsi_web_service_stat + when: "not matrix_jitsi_enabled|bool" + +- name: Ensure matrix-jitsi-web is stopped + service: + name: matrix-jitsi-web + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists" + +- name: Ensure matrix-jitsi-web.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-jitsi-web.service" + state: absent + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-jitsi-web.service removal + service: + daemon_reload: yes + when: "not matrix_jitsi_enabled|bool and matrix_jitsi_web_service_stat.stat.exists" + +- name: Ensure Matrix jitsi-web paths doesn't exist + file: + path: "{{ matrix_jitsi_web_base_path }}" + state: absent + when: "not matrix_jitsi_enabled|bool" + +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. + diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml new file mode 100644 index 00000000..cc8a4b22 --- /dev/null +++ b/roles/matrix-jitsi/tasks/validate_config.yml @@ -0,0 +1,43 @@ +--- + +- name: Fail if required Jitsi settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using Jitsi. + + If you're setting up Jitsi for the first time, you may have missed a step. + Refer to our setup instructions (docs/configuring-playbook-jitsi.md). + + If you had setup Jitsi successfully before and it's just now that you're observing this failure, + it means that your installation may be using some default passwords that the playbook used to define until now. + This is not secure and we urge you to rebuild your Jitsi setup. + Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md). + when: "vars[item] == ''" + with_items: + - "matrix_jitsi_jibri_xmpp_password" + - "matrix_jitsi_jibri_recorder_password" + - "matrix_jitsi_jicofo_component_secret" + - "matrix_jitsi_jicofo_auth_password" + - "matrix_jitsi_jvb_auth_password" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_jitsi_web_config_constraints_enabled', 'new': ''} + - {'old': 'matrix_jitsi_web_config_constraints_video_aspectRatio', 'new': ''} + - {'old': 'matrix_jitsi_web_config_constraints_video_height_ideal', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'} + - {'old': 'matrix_jitsi_web_config_constraints_video_height_max', 'new': 'matrix_jitsi_web_config_resolution_height_ideal_and_max'} + - {'old': 'matrix_jitsi_web_config_constraints_video_height_min', 'new': 'matrix_jitsi_web_config_resolution_height_min'} + - {'old': 'matrix_jitsi_web_config_disableAudioLevels', 'new': ''} + - {'old': 'matrix_jitsi_web_config_enableLayerSuspension', 'new': ''} + - {'old': 'matrix_jitsi_web_config_channelLastN', 'new': ''} + - {'old': 'matrix_jitsi_web_config_testing_p2pTestMode', 'new': ''} + - {'old': 'matrix_jitsi_web_config_start_with_audio_muted', 'new': ''} + - {'old': 'matrix_jitsi_web_config_start_with_video_muted', 'new': ''} + - {'old': 'matrix_jitsi_web_interface_config_show_watermark_for_guests', 'new': ''} + - {'old': 'matrix_jitsi_web_interface_config_invitation_powered_by', 'new': ''} + - {'old': 'matrix_jisti_web_interface_config_show_deep_linking_image', 'new': 'matrix_jitsi_web_interface_config_show_deep_linking_image'} diff --git a/roles/matrix-jitsi/templates/jicofo/env.j2 b/roles/matrix-jitsi/templates/jicofo/env.j2 new file mode 100644 index 00000000..a402d2d7 --- /dev/null +++ b/roles/matrix-jitsi/templates/jicofo/env.j2 @@ -0,0 +1,17 @@ +ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} + +XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} + +JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }} +JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} +JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} + +JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} + +JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} +JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }} + +TZ={{ matrix_jitsi_timezone }} diff --git a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 new file mode 100644 index 00000000..7eba95af --- /dev/null +++ b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2 @@ -0,0 +1,20 @@ +handlers= java.util.logging.ConsoleHandler + +java.util.logging.ConsoleHandler.level = ALL +java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter + +net.java.sip.communicator.util.ScLogFormatter.programname=Jicofo + +.level=INFO +net.sf.level=SEVERE +net.java.sip.communicator.plugin.reconnectplugin.level=FINE +org.ice4j.level=SEVERE +org.jitsi.impl.neomedia.level=SEVERE + +# Do not worry about missing strings +net.java.sip.communicator.service.resources.AbstractResourcesService.level=SEVERE + +#net.java.sip.communicator.service.protocol.level=ALL + +# Enable debug packets logging +#org.jitsi.impl.protocol.xmpp.level=FINE diff --git a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 new file mode 100644 index 00000000..6ecafaa0 --- /dev/null +++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 @@ -0,0 +1,33 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix jitsi-jicofo server +{% for service in matrix_jitsi_jicofo_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \ + --log-driver=none \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_jitsi_jicofo_base_path }}/env \ + --mount type=bind,src={{ matrix_jitsi_jicofo_config_path }},dst=/config \ + {% for arg in matrix_jitsi_jicofo_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_jitsi_jicofo_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-jitsi-jicofo + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 b/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 new file mode 100644 index 00000000..c62e04ff --- /dev/null +++ b/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 @@ -0,0 +1,9 @@ +org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true +org.jitsi.jicofo.BRIDGE_MUC={{ matrix_jitsi_jvb_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} + +org.jitsi.jicofo.jibri.BREWERY={{ matrix_jitsi_jibri_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} +org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90 + +{% if matrix_jitsi_enable_auth %} +org.jitsi.jicofo.auth.URL=XMPP:{{ matrix_jitsi_xmpp_domain }} +{% endif %} diff --git a/roles/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 b/roles/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 new file mode 100644 index 00000000..44b6b8c2 --- /dev/null +++ b/roles/matrix-jitsi/templates/jvb/custom-sip-communicator.properties.j2 @@ -0,0 +1,7 @@ +org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true + +org.jitsi.videobridge.ENABLE_STATISTICS=true +org.jitsi.videobridge.STATISTICS_TRANSPORT=muc +org.jitsi.videobridge.STATISTICS_INTERVAL=5000 + +{{ matrix_jitsi_jvb_custom_config_extension }} diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 new file mode 100644 index 00000000..f7dc9247 --- /dev/null +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -0,0 +1,20 @@ +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} +JVB_TCP_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }} +JVB_PORT={{ matrix_jitsi_jvb_rtp_udp_port }} +JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} +JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }} + +XMPP_SERVER={{ matrix_jitsi_xmpp_server }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} + +HOSTNAME=matrix-jitsi-jvb + +{% if matrix_jitsi_jvb_stun_servers|length > 0 %} +JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }} +{% endif %} + +PUBLIC_URL={{ matrix_jitsi_web_public_url }} + +{{ matrix_jitsi_jvb_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/jvb/logging.properties.j2 b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 new file mode 100644 index 00000000..48c1e9fa --- /dev/null +++ b/roles/matrix-jitsi/templates/jvb/logging.properties.j2 @@ -0,0 +1,13 @@ +handlers= java.util.logging.ConsoleHandler + +java.util.logging.ConsoleHandler.level = ALL +java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter + +net.java.sip.communicator.util.ScLogFormatter.programname=JVB + +.level=INFO + +org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE + +# All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge. +org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 new file mode 100644 index 00000000..53c0c83a --- /dev/null +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix jitsi-jvb server +{% for service in matrix_jitsi_jvb_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \ + --log-driver=none \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_jitsi_jvb_base_path }}/env \ + {% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} + -p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ + {% endif %} + {% if matrix_jitsi_jvb_container_rtp_tcp_host_bind_port %} + -p {{ matrix_jitsi_jvb_container_rtp_tcp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_tcp_port }} \ + {% endif %} + {% if matrix_jitsi_jvb_container_colibri_ws_host_bind_port %} + -p {{ matrix_jitsi_jvb_container_colibri_ws_host_bind_port }}:9090 \ + {% endif %} + --mount type=bind,src={{ matrix_jitsi_jvb_config_path }},dst=/config \ + {% for arg in matrix_jitsi_jvb_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_jitsi_jvb_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-jvb 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-jvb 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-jitsi-jvb + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 new file mode 100644 index 00000000..38b2456c --- /dev/null +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -0,0 +1,49 @@ +AUTH_TYPE={{ matrix_jitsi_auth_type }} + +ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} +ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} + +PUBLIC_URL={{ matrix_jitsi_web_public_url }} + +LDAP_URL={{ matrix_jitsi_ldap_url }} +LDAP_BASE={{ matrix_jitsi_ldap_base }} +LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} +LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }} +LDAP_FILTER={{ matrix_jitsi_ldap_filter }} +LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }} +LDAP_VERSION={{ matrix_jitsi_ldap_version }} +LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} +LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }} +LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }} +LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }} +LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} +LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} + +XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} +XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} +XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} + +XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} +XMPP_MUC_MODULES= +XMPP_INTERNAL_MUC_MODULES= + +XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} + +JICOFO_COMPONENT_SECRET={{ matrix_jitsi_jicofo_component_secret }} +JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} +JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} + +JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} + +JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} +JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} + +JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} +JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} + +ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }} + +TZ={{ matrix_jitsi_timezone }} diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 new file mode 100644 index 00000000..4445e52b --- /dev/null +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -0,0 +1,37 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix jitsi-prosody server +{% for service in matrix_jitsi_prosody_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \ + --log-driver=none \ + --network={{ matrix_docker_network }} \ + {% if matrix_jitsi_prosody_container_http_host_bind_port %} + -p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \ + {% endif %} + --env-file={{ matrix_jitsi_prosody_base_path }}/env \ + --mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \ + --mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \ + {% for arg in matrix_jitsi_prosody_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_jitsi_prosody_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-prosody 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-prosody 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-jitsi-prosody + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-jitsi/templates/web/custom-config.js.j2 b/roles/matrix-jitsi/templates/web/custom-config.js.j2 new file mode 100644 index 00000000..bbe85798 --- /dev/null +++ b/roles/matrix-jitsi/templates/web/custom-config.js.j2 @@ -0,0 +1,18 @@ +config.defaultLanguage = {{ matrix_jitsi_web_config_defaultLanguage|to_json }}; + + +if (!config.hasOwnProperty('p2p')) config.p2p = {% raw %}{}{% endraw %}; + +{% if matrix_jitsi_web_stun_servers|length > 0 %} +config.p2p.stunServers = [ + {% for url in matrix_jitsi_web_stun_servers %} + { urls: {{ url|to_json }} }{% if not loop.last %},{% endif %} + {% endfor %} +]; +{% endif %} + +{% if matrix_jitsi_etherpad_enabled %} +config.etherpad_base = {{ (matrix_jitsi_etherpad_base + '/p/') |to_json }} +{% endif %} + +{{ matrix_jitsi_web_custom_config_extension }} diff --git a/roles/matrix-jitsi/templates/web/env.j2 b/roles/matrix-jitsi/templates/web/env.j2 new file mode 100644 index 00000000..7b763a3c --- /dev/null +++ b/roles/matrix-jitsi/templates/web/env.j2 @@ -0,0 +1,42 @@ +ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} +ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} + +ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }} + +ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }} + +DISABLE_HTTPS=1 + +JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} + +PUBLIC_URL={{ matrix_jitsi_web_public_url }} + +XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }} +XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }} +XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }} +XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} +XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} +XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} + +TZ={{ matrix_jitsi_timezone }} + +JIBRI_BREWERY_MUC={{ matrix_jitsi_jibri_brewery_muc }} +JIBRI_PENDING_TIMEOUT={{ matrix_jitsi_jibri_pending_timeout }} +JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }} +JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }} +JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }} +JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }} + +ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }} + +RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }} +RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }} +RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }} +RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }} + +START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }} +START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }} + +ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}} + +{{ matrix_jitsi_web_environment_variables_extension }} diff --git a/roles/matrix-jitsi/templates/web/interface_config.js.j2 b/roles/matrix-jitsi/templates/web/interface_config.js.j2 new file mode 100644 index 00000000..08ac02fe --- /dev/null +++ b/roles/matrix-jitsi/templates/web/interface_config.js.j2 @@ -0,0 +1,295 @@ +/* eslint-disable no-unused-vars, no-var, max-len */ +/* eslint sort-keys: ["error", "asc", {"caseSensitive": false}] */ + +var interfaceConfig = { + APP_NAME: {{ matrix_jitsi_web_interface_config_app_name|to_json }}, + AUDIO_LEVEL_PRIMARY_COLOR: 'rgba(255,255,255,0.4)', + AUDIO_LEVEL_SECONDARY_COLOR: 'rgba(255,255,255,0.2)', + + /** + * A UX mode where the last screen share participant is automatically + * pinned. Valid values are the string "remote-only" so remote participants + * get pinned but not local, otherwise any truthy value for all participants, + * and any falsy value to disable the feature. + * + * Note: this mode is experimental and subject to breakage. + */ + AUTO_PIN_LATEST_SCREEN_SHARE: 'remote-only', + BRAND_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_brand_watermark_link|to_json }}, + + CLOSE_PAGE_GUEST_HINT: false, // A html text to be shown to guests on the close page, false disables it + /** + * Whether the connection indicator icon should hide itself based on + * connection strength. If true, the connection indicator will remain + * displayed while the participant has a weak connection and will hide + * itself after the CONNECTION_INDICATOR_HIDE_TIMEOUT when the connection is + * strong. + * + * @type {boolean} + */ + CONNECTION_INDICATOR_AUTO_HIDE_ENABLED: true, + + /** + * How long the connection indicator should remain displayed before hiding. + * Used in conjunction with CONNECTION_INDICATOR_AUTOHIDE_ENABLED. + * + * @type {number} + */ + CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT: 5000, + + /** + * If true, hides the connection indicators completely. + * + * @type {boolean} + */ + CONNECTION_INDICATOR_DISABLED: false, + + DEFAULT_BACKGROUND: '#474747', + DEFAULT_LOCAL_DISPLAY_NAME: 'me', + DEFAULT_LOGO_URL: 'images/watermark.svg', + DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', + DEFAULT_WELCOME_PAGE_LOGO_URL: 'images/watermark.svg', + + DISABLE_DOMINANT_SPEAKER_INDICATOR: false, + + DISABLE_FOCUS_INDICATOR: false, + + /** + * If true, notifications regarding joining/leaving are no longer displayed. + */ + DISABLE_JOIN_LEAVE_NOTIFICATIONS: false, + + /** + * If true, presence status: busy, calling, connected etc. is not displayed. + */ + DISABLE_PRESENCE_STATUS: false, + + /** + * Whether the ringing sound in the call/ring overlay is disabled. If + * {@code undefined}, defaults to {@code false}. + * + * @type {boolean} + */ + DISABLE_RINGING: false, + + /** + * Whether the speech to text transcription subtitles panel is disabled. + * If {@code undefined}, defaults to {@code false}. + * + * @type {boolean} + */ + DISABLE_TRANSCRIPTION_SUBTITLES: {{ matrix_jitsi_web_interface_config_disable_transcription_subtitles|to_json }}, + + /** + * Whether or not the blurred video background for large video should be + * displayed on browsers that can support it. + */ + DISABLE_VIDEO_BACKGROUND: false, + + DISPLAY_WELCOME_FOOTER: true, + DISPLAY_WELCOME_PAGE_ADDITIONAL_CARD: false, + DISPLAY_WELCOME_PAGE_CONTENT: {{ matrix_jitsi_web_interface_config_display_welcome_page_content|to_json }}, + DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: false, + + ENABLE_DIAL_OUT: true, + + ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation. + + FILM_STRIP_MAX_HEIGHT: 120, + + GENERATE_ROOMNAMES_ON_WELCOME_PAGE: {{ matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page|to_json }}, + + /** + * Hide the logo on the deep linking pages. + */ + HIDE_DEEP_LINKING_LOGO: false, + + /** + * Hide the invite prompt in the header when alone in the meeting. + */ + HIDE_INVITE_MORE_HEADER: false, + + INITIAL_TOOLBAR_TIMEOUT: 20000, + JITSI_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_jitsi_watermark_link|to_json }}, + + LANG_DETECTION: {{ matrix_jitsi_web_interface_config_lang_detection|to_json }}, // Allow i18n to detect the system language + LIVE_STREAMING_HELP_LINK: 'https://jitsi.org/live', // Documentation reference for the live streaming feature. + LOCAL_THUMBNAIL_RATIO: 16 / 9, // 16:9 + + /** + * Maximum coefficient of the ratio of the large video to the visible area + * after the large video is scaled to fit the window. + * + * @type {number} + */ + MAXIMUM_ZOOMING_COEFFICIENT: 1.3, + + /** + * Whether the mobile app Jitsi Meet is to be promoted to participants + * attempting to join a conference in a mobile Web browser. If + * {@code undefined}, defaults to {@code true}. + * + * @type {boolean} + */ + MOBILE_APP_PROMO: true, + + /** + * Specify custom URL for downloading android mobile app. + */ + MOBILE_DOWNLOAD_LINK_ANDROID: 'https://play.google.com/store/apps/details?id=org.jitsi.meet', + + /** + * Specify custom URL for downloading f droid app. + */ + MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/', + + /** + * Specify URL for downloading ios mobile app. + */ + MOBILE_DOWNLOAD_LINK_IOS: 'https://itunes.apple.com/us/app/jitsi-meet/id1165103905', + + NATIVE_APP_NAME: {{ matrix_jitsi_web_interface_config_native_app_name|to_json }}, + + // Names of browsers which should show a warning stating the current browser + // has a suboptimal experience. Browsers which are not listed as optimal or + // unsupported are considered suboptimal. Valid values are: + // chrome, chromium, edge, electron, firefox, nwjs, opera, safari + OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ], + + POLICY_LOGO: null, + PROVIDER_NAME: {{ matrix_jitsi_web_interface_config_provider_name|to_json }}, + + /** + * If true, will display recent list + * + * @type {boolean} + */ + RECENT_LIST_ENABLED: true, + REMOTE_THUMBNAIL_RATIO: 1, // 1:1 + + SETTINGS_SECTIONS: [ 'devices', 'language', 'moderator', 'profile', 'calendar' ], + SHOW_BRAND_WATERMARK: {{ matrix_jitsi_web_interface_config_show_brand_watermark|to_json }}, + + /** + * Decides whether the chrome extension banner should be rendered on the landing page and during the meeting. + * If this is set to false, the banner will not be rendered at all. If set to true, the check for extension(s) + * being already installed is done before rendering. + */ + SHOW_CHROME_EXTENSION_BANNER: false, + + SHOW_DEEP_LINKING_IMAGE: {{ matrix_jitsi_web_interface_config_show_deep_linking_image|to_json }}, + SHOW_JITSI_WATERMARK: {{ matrix_jitsi_web_interface_config_show_jitsi_watermark|to_json }}, + SHOW_POWERED_BY: {{ matrix_jitsi_web_interface_config_show_powered_by|to_json }}, + SHOW_PROMOTIONAL_CLOSE_PAGE: false, + + /* + * If indicated some of the error dialogs may point to the support URL for + * help. + */ + SUPPORT_URL: 'https://community.jitsi.org/', + + TOOLBAR_ALWAYS_VISIBLE: false, + + /** + * The name of the toolbar buttons to display in the toolbar, including the + * "More actions" menu. If present, the button will display. Exceptions are + * "livestreaming" and "recording" which also require being a moderator and + * some values in config.js to be enabled. Also, the "profile" button will + * not display for users with a JWT. + * Notes: + * - it's impossible to choose which buttons go in the "More actions" menu + * - it's impossible to control the placement of buttons + * - 'desktop' controls the "Share your screen" button + */ + TOOLBAR_BUTTONS: [ + {% if matrix_jitsi_enable_transcriptions %} + 'closedcaptions', + {% endif %} + {% if matrix_jitsi_enable_recording %} + 'recording', + {% endif %} + 'microphone', 'camera', 'desktop', 'embedmeeting', 'fullscreen', + 'fodeviceselection', 'hangup', 'profile', 'chat', + 'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand', + 'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts', + 'tileview', 'videobackgroundblur', 'download', 'help', 'mute-everyone', 'security' + ], + + TOOLBAR_TIMEOUT: 4000, + + // Browsers, in addition to those which do not fully support WebRTC, that + // are not supported and should show the unsupported browser page. + UNSUPPORTED_BROWSERS: [], + + /** + * Whether to show thumbnails in filmstrip as a column instead of as a row. + */ + VERTICAL_FILMSTRIP: true, + + // Determines how the video would fit the screen. 'both' would fit the whole + // screen, 'height' would fit the original video height to the height of the + // screen, 'width' would fit the original video width to the width of the + // screen respecting ratio. + VIDEO_LAYOUT_FIT: 'both', + + /** + * If true, hides the video quality label indicating the resolution status + * of the current large video. + * + * @type {boolean} + */ + VIDEO_QUALITY_LABEL_DISABLED: false, + + /** + * How many columns the tile view can expand to. The respected range is + * between 1 and 5. + */ + // TILE_VIEW_MAX_COLUMNS: 5, + + /** + * Specify Firebase dynamic link properties for the mobile apps. + */ + // MOBILE_DYNAMIC_LINK: { + // APN: 'org.jitsi.meet', + // APP_CODE: 'w2atb', + // CUSTOM_DOMAIN: undefined, + // IBI: 'com.atlassian.JitsiMeet.ios', + // ISI: '1165103905' + // }, + + /** + * Specify mobile app scheme for opening the app from the mobile browser. + */ + // APP_SCHEME: 'org.jitsi.meet', + + /** + * Specify the Android app package name. + */ + // ANDROID_APP_PACKAGE: 'org.jitsi.meet', + + /** + * Override the behavior of some notifications to remain displayed until + * explicitly dismissed through a user action. The value is how long, in + * milliseconds, those notifications should remain displayed. + */ + // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000, + + // List of undocumented settings + /** + INDICATOR_FONT_SIZES + PHONE_NUMBER_REGEX + */ + + // Allow all above example options to include a trailing comma and + // prevent fear when commenting out the last value. + // eslint-disable-next-line sort-keys + makeJsonParserHappy: 'even if last key had a trailing comma' + + // No configuration value should follow this line. +}; + + +{{ matrix_jitsi_web_custom_interface_config_extension }} + + +/* eslint-enable no-unused-vars, no-var, max-len */ diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 new file mode 100644 index 00000000..6ae2074d --- /dev/null +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -0,0 +1,37 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix jitsi-web server +{% for service in matrix_jitsi_web_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \ + --log-driver=none \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_jitsi_web_base_path }}/env \ + {% if matrix_jitsi_web_container_http_host_bind_port %} + -p {{ matrix_jitsi_web_container_http_host_bind_port }}:80 \ + {% endif %} + --mount type=bind,src={{ matrix_jitsi_web_config_path }},dst=/config \ + --mount type=bind,src={{ matrix_jitsi_web_transcripts_path }},dst=/usr/share/jitsi-meet/transcripts \ + {% for arg in matrix_jitsi_web_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_jitsi_web_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-jitsi-web 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-jitsi-web 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-jitsi-web + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml new file mode 100644 index 00000000..7ab0d15e --- /dev/null +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -0,0 +1,163 @@ +# ma1sd is a Federated Matrix Identity Server +# See: https://github.com/ma1uta/ma1sd + +matrix_ma1sd_enabled: true + +matrix_ma1sd_container_image_self_build: false +matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git" +matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}" + +matrix_ma1sd_architecture: "amd64" + +matrix_ma1sd_version: "2.4.0" + +matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}" +matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" + +matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" +# We need the docker src directory to be named ma1sd. See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/588 +matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src/ma1sd" +matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config" +matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data" + +# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/8090 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. +matrix_ma1sd_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_ma1sd_container_extra_arguments: [] + +# List of systemd services that matrix-ma1sd.service depends on +matrix_ma1sd_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-ma1sd.service wants +matrix_ma1sd_systemd_wanted_services_list: [] + +# Your identity server is private by default. +# To ensure maximum discovery, you can make your identity server +# also forward lookups to the central matrix.org Identity server +# (at the cost of potentially leaking all your contacts information). +# Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups +matrix_ma1sd_matrixorg_forwarding_enabled: false + + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_ma1sd_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_ma1sd_postgres_*` variables +matrix_ma1sd_database_engine: 'sqlite' + +matrix_ma1sd_sqlite_database_path_local: "{{ matrix_ma1sd_data_path }}/ma1sd.db" +matrix_ma1sd_sqlite_database_path_in_container: "/var/ma1sd/ma1sd.db" + +matrix_ma1sd_database_username: 'matrix_ma1sd' +matrix_ma1sd_database_password: 'some-password' +matrix_ma1sd_database_hostname: 'matrix-postgres' +matrix_ma1sd_database_port: 5432 +matrix_ma1sd_database_name: 'matrix_ma1sd' + +matrix_ma1sd_database_connection_string: 'postgresql://{{ matrix_ma1sd_database_username }}:{{ matrix_ma1sd_database_password }}@{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }}' + + +# ma1sd has serveral supported identity stores. +# One of them is storing identities directly in Synapse's database. +# Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md +matrix_ma1sd_synapsesql_enabled: false +matrix_ma1sd_synapsesql_type: "" +matrix_ma1sd_synapsesql_connection: "" + +# Setting up email-sending settings is required for using ma1sd. +matrix_ma1sd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}" +matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "" +matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 587 +matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 1 +matrix_ma1sd_threepid_medium_email_connectors_smtp_login: "" +matrix_ma1sd_threepid_medium_email_connectors_smtp_password: "" + +# DNS overwrites are useful for telling ma1sd how it can reach the homeserver directly. +# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to ma1sd, +# so that ma1sd can rewrite the original URL to one that would reach the homeserver. +matrix_ma1sd_dns_overwrite_enabled: false +matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" + +# Override the default session templates +# To use this, fill in the template variables with the full desired template as a multi-line YAML variable +# +# More info: +# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/session/session-views.md +matrix_ma1sd_view_session_custom_templates_enabled: false +# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitSuccess.html +matrix_ma1sd_view_session_custom_onTokenSubmit_success_template: "" +# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitFailure.html +matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template: "" + +# Override the default email templates +# To use this, fill in the template variables with the full desired template as a multi-line YAML variable +# +# More info: +# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md +# https://github.com/ma1uta/ma1sd/tree/master/src/main/resources/threepids/email +matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false +# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/invite-template.eml +matrix_ma1sd_threepid_medium_email_custom_invite_template: "" +# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/validate-template.eml +matrix_ma1sd_threepid_medium_email_custom_session_validation_template: "" +# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/unbind-notification.eml +matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template: "" +# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/mxid-template.eml +matrix_ma1sd_threepid_medium_email_custom_matrixid_template: "" + +# Controls whether the self-check feature should validate SSL certificates. +matrix_ma1sd_self_check_validate_certificates: true + +# Controls ma1sd logging verbosity for troubleshooting. +# +# According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity +matrix_ma1sd_verbose_logging: false + +# Setting up support for API prefixes +matrix_ma1sd_v1_enabled: true +matrix_ma1sd_v2_enabled: true + +# Fix for missing 3PIDS bug +matrix_ma1sd_hashing_enabled: true + +# Default ma1sd configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_ma1sd_configuration_yaml: "{{ lookup('template', 'templates/ma1sd.yaml.j2') }}" + +matrix_ma1sd_configuration_extension_yaml: | + # Your custom YAML configuration for ma1sd goes here. + # This configuration extends the default starting configuration (`matrix_ma1sd_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_ma1sd_configuration_yaml`. + # + # Example configuration extension follows: + # + # ldap: + # enabled: true + # connection: + # host: ldapHostnameOrIp + # tls: false + # port: 389 + # baseDNs: ['OU=Users,DC=example,DC=org'] + # bindDn: CN=My Ma1sd User,OU=Users,DC=example,DC=org + # bindPassword: TheUserPassword + +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final ma1sd configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_ma1sd_configuration_yaml`. +matrix_ma1sd_configuration: "{{ matrix_ma1sd_configuration_yaml|from_yaml|combine(matrix_ma1sd_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-ma1sd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml new file mode 100644 index 00000000..04cc3a21 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -0,0 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build and matrix_ma1sd_enabled|bool" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}" + when: matrix_ma1sd_enabled|bool diff --git a/roles/matrix-ma1sd/tasks/main.yml b/roles/matrix-ma1sd/tasks/main.yml new file mode 100644 index 00000000..0b8a114e --- /dev/null +++ b/roles/matrix-ma1sd/tasks/main.yml @@ -0,0 +1,28 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_ma1sd_enabled|bool" + tags: + - setup-all + - setup-ma1sd + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_ma1sd_enabled|bool" + tags: + - setup-all + - setup-ma1sd + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_ma1sd_enabled|bool" + tags: + - setup-all + - setup-ma1sd + +- import_tasks: "{{ role_path }}/tasks/self_check_ma1sd.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check|bool and matrix_ma1sd_enabled|bool" + tags: + - self-check diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml new file mode 100644 index 00000000..1d966204 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml @@ -0,0 +1,72 @@ +--- + +# This task is for migrating existing mxisd data when transitioning to the ma1sd fork. + +- name: Check for existent mxisd data + stat: + path: "{{ matrix_base_data_path }}/mxisd/data" + register: ma1sd_migrate_mxisd_data_dir_stat + +- name: Warn if mxisd data detected + debug: + msg: > + You seem to have an existing mxisd folder in `{{ matrix_base_data_path }}/mxisd`. + We are going to migrate it to ma1sd and rename the folder to mxisd.migrated. + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Check existence of old matrix-mxisd service + stat: + path: "{{ matrix_systemd_path }}/matrix-mxisd.service" + register: matrix_mxisd_service_stat + +- name: Ensure matrix-mxisd is stopped + service: + name: matrix-mxisd + state: stopped + daemon_reload: yes + when: "matrix_mxisd_service_stat.stat.exists" + +- name: Check existence of matrix-ma1sd service + stat: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + register: matrix_ma1sd_service_stat + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure matrix-ma1sd is stopped + service: + name: matrix-ma1sd + state: stopped + daemon_reload: yes + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_ma1sd_service_stat.stat.exists" + +# We use shell commands for the migration, because the Ansible copy module cannot +# recursively copy remote directories (like `/matrix/mxisd/data/sign.key`) in older versions of Ansible. +- block: + - name: Copy mxisd data files to ma1sd folder + command: "cp -ar {{ matrix_base_data_path }}/mxisd/data {{ matrix_ma1sd_base_path }}" + + - name: Check existence of mxisd.db file + stat: + path: "{{ matrix_ma1sd_data_path }}/mxisd.db" + register: matrix_ma1sd_mxisd_db_stat + + - name: Rename database (mxisd.db -> ma1sd.db) + command: "mv {{ matrix_ma1sd_data_path }}/mxisd.db {{ matrix_ma1sd_data_path }}/ma1sd.db" + when: "matrix_ma1sd_mxisd_db_stat.stat.exists" + + - name: Rename mxisd folder + command: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated" + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure outdated matrix-mxisd.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mxisd.service" + state: absent + when: "matrix_mxisd_service_stat.stat.exists" + +- name: Ensure systemd reloaded after removing outdated matrix-mxisd.service + service: + daemon_reload: yes + when: "matrix_mxisd_service_stat.stat.exists" + + diff --git a/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml new file mode 100644 index 00000000..b8a7faaa --- /dev/null +++ b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml @@ -0,0 +1,22 @@ +--- + +- set_fact: + ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1" + +- name: Check ma1sd Identity Service + uri: + url: "{{ ma1sd_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}" + check_mode: no + register: result_ma1sd + ignore_errors: true + +- name: Fail if ma1sd Identity Service not working + fail: + msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}" + when: "result_ma1sd.failed or 'json' not in result_ma1sd" + +- name: Report working ma1sd Identity Service + debug: + msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)" diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml new file mode 100644 index 00000000..3f319eef --- /dev/null +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -0,0 +1,167 @@ +--- + +- name: Ensure ma1sd paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_ma1sd_config_path }}", when: true } + - { path: "{{ matrix_ma1sd_data_path }}", when: true } + - { path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"} + when: "item.when|bool" + +- import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml" + + +# These (SQLite -> Postgres) migration tasks are usually at the top, +# but we'd like to run them after `migrate_mxisd.yml`, which requires the ma1sd paths to exist. +- set_fact: + matrix_ma1sd_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_ma1sd_sqlite_database_path_local }}" + register: matrix_ma1sd_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_ma1sd_sqlite_database_path_local }}" + dst: "{{ matrix_ma1sd_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_ma1sd_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-ma1sd.service'] + pgloader_options: ['--with "quote identifiers"'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_ma1sd_requires_restart: true + when: "matrix_ma1sd_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_ma1sd_database_engine == 'postgres'" + +- name: Ensure ma1sd image is pulled + docker_image: + name: "{{ matrix_ma1sd_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_ma1sd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ma1sd_docker_image_force_pull }}" + when: "not matrix_ma1sd_container_image_self_build|bool" + +- block: + - name: Ensure gradle is installed for self-building (Debian) + apt: + name: + - gradle + state: present + update_cache: yes + when: (ansible_os_family == 'Debian') + + - name: Ensure gradle is installed for self-building (CentOS) + fail: + msg: "Installing gradle on CentOS is currently not supported, so self-building ma1sd cannot happen at this time" + when: ansible_distribution == 'CentOS' + + - name: Ensure gradle is installed for self-building (Archlinux) + pacman: + name: + - gradle + state: latest + update_cache: yes + when: ansible_distribution == 'Archlinux' + + - name: Ensure ma1sd repository is present on self-build + git: + repo: "{{ matrix_ma1sd_container_image_self_build_repo }}" + dest: "{{ matrix_ma1sd_docker_src_files_path }}" + version: "{{ matrix_ma1sd_container_image_self_build_branch }}" + force: "yes" + register: matrix_ma1sd_git_pull_results + + - name: Ensure ma1sd Docker image is built + shell: "DOCKER_BUILDKIT=1 ./gradlew dockerBuild" + args: + chdir: "{{ matrix_ma1sd_docker_src_files_path }}" + + - name: Ensure ma1sd Docker image is tagged correctly + docker_image: + # The build script always tags the image with 2 tags: + # - based on the branch/version: e.g. `ma1uta/ma1sd:2.4.0` (when on `2.4.0`) + # or `ma1uta/ma1sd:2.4.0-19-ga71d32b` (when on a given commit for a pre-release) + # - generic one: `ma1uta/ma1sd:latest-dev` + # + # It's hard to predict the first one, so we'll use the latter. + name: "ma1uta/ma1sd:latest-dev" + repository: "{{ matrix_ma1sd_docker_image }}" + force_tag: yes + source: local + when: "matrix_ma1sd_container_image_self_build|bool" + +- name: Ensure ma1sd config installed + copy: + content: "{{ matrix_ma1sd_configuration|to_nice_yaml }}" + dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure custom view templates are installed, if any + copy: + content: "{{ item.value }}" + dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_success_template }}", location: 'tokenSubmitSuccess.html'} + - {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template }}", location: 'tokenSubmitFailure.html'} + when: "matrix_ma1sd_view_session_custom_templates_enabled|bool and item.value" + +- name: Ensure custom email templates are installed, if any + copy: + content: "{{ item.value }}" + dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} + when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value" + +# Only cleaning up for people who define the respective templates +- name: (Cleanup) Ensure custom email templates are not in data/ anymore (we've put them in config/) + file: + path: "{{ matrix_ma1sd_data_path }}/{{ item.location }}" + state: absent + with_items: + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} + when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value" + +- name: Ensure matrix-ma1sd.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + mode: 0644 + register: matrix_ma1sd_systemd_service_result + +- name: Ensure systemd reloaded after matrix-ma1sd.service installation + service: + daemon_reload: yes + when: "matrix_ma1sd_systemd_service_result.changed|bool" + +- name: Ensure matrix-ma1sd.service restarted, if necessary + service: + name: "matrix-ma1sd.service" + state: restarted + when: "matrix_ma1sd_requires_restart|bool" diff --git a/roles/matrix-ma1sd/tasks/setup_uninstall.yml b/roles/matrix-ma1sd/tasks/setup_uninstall.yml new file mode 100644 index 00000000..b36ab508 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-ma1sd service + stat: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + register: matrix_ma1sd_service_stat + +- name: Ensure matrix-ma1sd is stopped + service: + name: matrix-ma1sd + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_ma1sd_service_stat.stat.exists|bool" + +- name: Ensure matrix-ma1sd.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + state: absent + when: "matrix_ma1sd_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-ma1sd.service removal + service: + daemon_reload: yes + when: "matrix_ma1sd_service_stat.stat.exists|bool" + +- name: Ensure Matrix ma1sd paths don't exist + file: + path: "{{ matrix_ma1sd_base_path }}" + state: absent + +- name: Ensure ma1sd Docker image doesn't exist + docker_image: + name: "{{ matrix_ma1sd_docker_image }}" + state: absent diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml new file mode 100644 index 00000000..4ca25e7e --- /dev/null +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -0,0 +1,67 @@ +--- + +- name: (Deprecation) Warn about ma1sd variables that are not used anymore + fail: + msg: > + The `{{ item }}` variable defined in your configuration is not used by this playbook anymore! + You'll need to adapt to the new way of extending ma1sd configuration. + See the CHANGELOG and the `matrix_ma1sd_configuration_extension_yaml` variable for more information and examples. + when: "item in vars" + with_items: + - 'matrix_ma1sd_ldap_enabled' + - 'matrix_ma1sd_ldap_connection_host' + - 'matrix_ma1sd_ldap_connection_tls' + - 'matrix_ma1sd_ldap_connection_port' + - 'matrix_ma1sd_ldap_connection_baseDn' + - 'matrix_ma1sd_ldap_connection_baseDns' + - 'matrix_ma1sd_ldap_connection_bindDn' + - 'matrix_ma1sd_ldap_connection_bindPassword' + - 'matrix_ma1sd_ldap_filter' + - 'matrix_ma1sd_ldap_attribute_uid_type' + - 'matrix_ma1sd_ldap_attribute_uid_value' + - 'matrix_ma1sd_ldap_connection_bindPassword' + - 'matrix_ma1sd_ldap_attribute_name' + - 'matrix_ma1sd_ldap_attribute_threepid_email' + - 'matrix_ma1sd_ldap_attribute_threepid_msisdn' + - 'matrix_ma1sd_ldap_identity_filter' + - 'matrix_ma1sd_ldap_identity_medium' + - 'matrix_ma1sd_ldap_auth_filter' + - 'matrix_ma1sd_ldap_directory_filter' + - 'matrix_ma1sd_template_config' + +- name: Ensure ma1sd configuration does not contain any dot-notation keys + fail: + msg: > + Since version 1.3.0, ma1sd will not accept property-style configuration keys. + You have defined a key (`{{ item.key }}`) which contains a dot. + Instead, use nesting. See: https://github.com/ma1uta/ma1sd/wiki/Upgrade-Notes#v130 + when: "'.' in item.key" + with_dict: "{{ matrix_ma1sd_configuration }}" + +- name: Fail if required ma1sd settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) for using ma1sd. + when: "vars[item] == ''" + with_items: + - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host" + +- name: (Deprecation) Catch and report renamed ma1sd variables + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" + with_items: + - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} + - {'old': 'matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template', 'new': 'matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template'} + +- name: (Deprecation) Catch and report mxisd variables + fail: + msg: >- + mxisd is deprecated and has been replaced with ma1sd (https://github.com/ma1uta/ma1sd), a compatible fork. + The playbook will migrate your existing mxisd configuration and data automatically, but you need to adjust variable names. + Please change your configuration (vars.yml) to rename all mxisd variables (`{{ item.old }}` -> `{{ item.new }}`). + when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" + with_items: + - {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'} diff --git a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 new file mode 100644 index 00000000..a4100adc --- /dev/null +++ b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2 @@ -0,0 +1,104 @@ +#jinja2: lstrip_blocks: True +matrix: + domain: {{ matrix_domain }} + v1: {{ matrix_ma1sd_v1_enabled|to_json }} + v2: {{ matrix_ma1sd_v2_enabled|to_json }} + +server: + name: {{ matrix_server_fqn_matrix }} + +key: + path: /var/ma1sd/sign.key + +storage: + {% if matrix_ma1sd_database_engine == 'sqlite' %} + backend: sqlite + provider: + sqlite: + database: {{ matrix_ma1sd_sqlite_database_path_in_container|to_json }} + {% elif matrix_ma1sd_database_engine == 'postgres' %} + backend: postgresql + provider: + postgresql: + database: //{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }} + username: {{ matrix_ma1sd_database_username|to_json }} + password: {{ matrix_ma1sd_database_password|to_json }} + {% endif %} + +{% if matrix_ma1sd_dns_overwrite_enabled %} +dns: + overwrite: + homeserver: + client: + - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }} + value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }} +{% endif %} + +{% if matrix_ma1sd_matrixorg_forwarding_enabled %} +forward: + servers: ['matrix-org'] +{% endif %} + +threepid: + medium: + email: + identity: + from: {{ matrix_ma1sd_threepid_medium_email_identity_from }} + connectors: + smtp: + host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }} + port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }} + tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }} + login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }} + password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }} +{% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %} + generators: + template: + {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %} + invite: '/etc/ma1sd/invite-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %} + session: + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %} + validation: '/etc/ma1sd/validate-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %} + unbind: + notification: '/etc/ma1sd/unbind-notification.eml' + {% endif %} + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %} + generic: + matrixId: '/etc/ma1sd/mxid-template.eml' + {% endif %} +{% endif %} + +{% if matrix_ma1sd_view_session_custom_templates_enabled %} +view: + session: + onTokenSubmit: + {% if matrix_ma1sd_view_session_custom_onTokenSubmit_success_template %} + success: '/etc/ma1sd/tokenSubmitSuccess.html' + {% endif %} + {% if matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template %} + failure: '/etc/ma1sd/tokenSubmitFailure.html' + {% endif %} +{% endif %} + +{% if matrix_ma1sd_hashing_enabled %} +hashing: + enabled: true # enable or disable the hash lookup MSC2140 (default is false) + pepperLength: 20 # length of the pepper value (default is 20) + rotationPolicy: per_requests # or `per_seconds` how often the hashes will be updating + hashStorageType: sql # or `in_memory` where the hashes will be stored + algorithms: + - none # the same as v1 bulk lookup + - sha256 # hash the 3PID and pepper. + delay: 2m # how often hashes will be updated if rotation policy = per_seconds (default is 10s) + requests: 10 +{% endif %} + +synapseSql: + enabled: {{ matrix_ma1sd_synapsesql_enabled|to_json }} + type: {{ matrix_ma1sd_synapsesql_type|to_json }} + connection: {{ matrix_ma1sd_synapsesql_connection|to_json }} diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 new file mode 100644 index 00000000..c2adffc0 --- /dev/null +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -0,0 +1,48 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix ma1sd Identity server +{% for service in matrix_ma1sd_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_ma1sd_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' + +# ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, +# so /tmp needs to be mounted with an exec option. +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,exec,nosuid,size=10m \ + --network={{ matrix_docker_network }} \ + {% if matrix_ma1sd_container_http_host_bind_port %} + -p {{ matrix_ma1sd_container_http_host_bind_port }}:8090 \ + {% endif %} + {% if matrix_ma1sd_verbose_logging %} + -e MA1SD_LOG_LEVEL=debug \ + {% endif %} + --mount type=bind,src={{ matrix_ma1sd_config_path }},dst=/etc/ma1sd,ro \ + --mount type=bind,src={{ matrix_ma1sd_data_path }},dst=/var/ma1sd \ + {% for arg in matrix_ma1sd_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_ma1sd_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ma1sd 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ma1sd 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-ma1sd + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-ma1sd/vars/main.yml b/roles/matrix-ma1sd/vars/main.yml new file mode 100644 index 00000000..b6c97a59 --- /dev/null +++ b/roles/matrix-ma1sd/vars/main.yml @@ -0,0 +1,5 @@ +--- + +# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). +# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later. +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}" diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml new file mode 100644 index 00000000..8ca1a8a3 --- /dev/null +++ b/roles/matrix-mailer/defaults/main.yml @@ -0,0 +1,31 @@ +matrix_mailer_enabled: true + +matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer" + +matrix_mailer_container_image_self_build: false +matrix_mailer_container_image_self_build_repository_url: "https://github.com/devture/exim-relay" +matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" +matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" + +matrix_mailer_version: 4.94.2-r0-2 +matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" +matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" + +# The user/group that the container runs with. +# These match the `exim` user/group within the container image. +matrix_mailer_container_user_uid: 100 +matrix_mailer_container_user_gid: 101 + +# A list of extra arguments to pass to the container +matrix_mailer_container_extra_arguments: [] + +matrix_mailer_hostname: "{{ matrix_server_fqn_matrix }}" + +matrix_mailer_sender_address: "matrix@{{ matrix_domain }}" +matrix_mailer_relay_use: false +matrix_mailer_relay_host_name: "mail.example.com" +matrix_mailer_relay_host_port: 587 +matrix_mailer_relay_auth: false +matrix_mailer_relay_auth_username: "" +matrix_mailer_relay_auth_password: "" diff --git a/roles/matrix-mailer/tasks/init.yml b/roles/matrix-mailer/tasks/init.yml new file mode 100644 index 00000000..d07380f0 --- /dev/null +++ b/roles/matrix-mailer/tasks/init.yml @@ -0,0 +1,10 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build and matrix_mailer_enabled" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}" + when: matrix_mailer_enabled|bool diff --git a/roles/matrix-mailer/tasks/main.yml b/roles/matrix-mailer/tasks/main.yml new file mode 100644 index 00000000..f636614e --- /dev/null +++ b/roles/matrix-mailer/tasks/main.yml @@ -0,0 +1,9 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_mailer.yml" + when: run_setup|bool + tags: + - setup-all + - setup-mailer diff --git a/roles/matrix-mailer/tasks/setup_mailer.yml b/roles/matrix-mailer/tasks/setup_mailer.yml new file mode 100644 index 00000000..251a52da --- /dev/null +++ b/roles/matrix-mailer/tasks/setup_mailer.yml @@ -0,0 +1,107 @@ +--- + +# +# Tasks related to setting up the mailer +# + +- name: Ensure mailer base path exists + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mailer_base_path }}", when: true } + - { path: "{{ matrix_mailer_container_image_self_build_src_files_path }}", when: "{{ matrix_mailer_container_image_self_build }}" } + when: "matrix_mailer_enabled|bool and item.when" + +- name: Ensure mailer environment variables file created + template: + src: "{{ role_path }}/templates/env-mailer.j2" + dest: "{{ matrix_mailer_base_path }}/env-mailer" + mode: 0640 + when: matrix_mailer_enabled|bool + +- name: Ensure exim-relay repository is present on self-build + git: + repo: "{{ matrix_mailer_container_image_self_build_repository_url }}" + dest: "{{ matrix_mailer_container_image_self_build_src_files_path }}" + version: "{{ matrix_mailer_container_image_self_build_version }}" + force: "yes" + register: matrix_mailer_git_pull_results + when: "matrix_mailer_enabled|bool and matrix_mailer_container_image_self_build|bool" + +- name: Ensure exim-relay Docker image is built + docker_image: + name: "{{ matrix_mailer_docker_image }}" + source: build + force_source: "{{ matrix_mailer_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mailer_container_image_self_build_src_files_path }}" + pull: yes + when: "matrix_mailer_enabled|bool and matrix_mailer_container_image_self_build|bool" + +- name: Ensure exim-relay image is pulled + docker_image: + name: "{{ matrix_mailer_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mailer_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_docker_image_force_pull }}" + when: "matrix_mailer_enabled|bool and not matrix_mailer_container_image_self_build|bool" + +- name: Ensure matrix-mailer.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mailer.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-mailer.service" + mode: 0644 + register: matrix_mailer_systemd_service_result + when: matrix_mailer_enabled|bool + +- name: Ensure systemd reloaded after matrix-mailer.service installation + service: + daemon_reload: yes + when: "matrix_mailer_enabled|bool and matrix_mailer_systemd_service_result.changed" + +# +# Tasks related to getting rid of the mailer (if it was previously enabled) +# + +- name: Check existence of matrix-mailer service + stat: + path: "{{ matrix_systemd_path }}/matrix-mailer.service" + register: matrix_mailer_service_stat + when: "not matrix_mailer_enabled|bool" + +- name: Ensure matrix-mailer is stopped + service: + name: matrix-mailer + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_mailer_enabled|bool and matrix_mailer_service_stat.stat.exists" + +- name: Ensure matrix-mailer.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mailer.service" + state: absent + when: "not matrix_mailer_enabled|bool and matrix_mailer_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mailer.service removal + service: + daemon_reload: yes + when: "not matrix_mailer_enabled|bool and matrix_mailer_service_stat.stat.exists" + +- name: Ensure Matrix mailer environment variables path doesn't exist + file: + path: "{{ matrix_mailer_base_path }}" + state: absent + when: "not matrix_mailer_enabled|bool" + +- name: Ensure mailer Docker image doesn't exist + docker_image: + name: "{{ matrix_mailer_docker_image }}" + state: absent + when: "not matrix_mailer_enabled|bool" diff --git a/roles/matrix-mailer/templates/env-mailer.j2 b/roles/matrix-mailer/templates/env-mailer.j2 new file mode 100644 index 00000000..eb3f8699 --- /dev/null +++ b/roles/matrix-mailer/templates/env-mailer.j2 @@ -0,0 +1,9 @@ +#jinja2: lstrip_blocks: "True" +{% if matrix_mailer_relay_use %} +SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port }} +{% endif %} +{% if matrix_mailer_relay_auth %} +SMTP_USERNAME={{ matrix_mailer_relay_auth_username }} +SMTP_PASSWORD={{ matrix_mailer_relay_auth_password }} +{% endif %} +HOSTNAME={{ matrix_mailer_hostname }} diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 new file mode 100644 index 00000000..bf5a2e42 --- /dev/null +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -0,0 +1,37 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix mailer +After=docker.service +Requires=docker.service +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' + +# --hostname gives us a friendlier hostname than the default. +# The real hostname is passed via a `HOSTNAME` environment variable though. +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ + --log-driver=none \ + --user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/var/spool/exim:rw,noexec,nosuid,size=100m \ + --network={{ matrix_docker_network }} \ + --env-file={{ matrix_mailer_base_path }}/env-mailer \ + --hostname=matrix-mailer \ + {% for arg in matrix_mailer_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mailer_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mailer 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mailer 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mailer + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml new file mode 100644 index 00000000..ba467ad3 --- /dev/null +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -0,0 +1,487 @@ +matrix_nginx_proxy_enabled: true +matrix_nginx_proxy_version: 1.21.1-alpine + +# We use an official nginx image, which we fix-up to run unprivileged. +# An alternative would be an `nginxinc/nginx-unprivileged` image, but +# that is frequently out of date. +matrix_nginx_proxy_docker_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_nginx_proxy_version }}" +matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" + +matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" +matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data" +matrix_nginx_proxy_data_path_in_container: "/nginx-data" +matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d" + +# List of systemd services that matrix-nginx-proxy.service depends on +matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-nginx-proxy.service wants +matrix_nginx_proxy_systemd_wanted_services_list: [] + +# A list of additional "volumes" to mount in the container. +# This list gets populated dynamically at runtime. You can provide a different default value, +# if you wish to mount your own files into the container. +# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} +matrix_nginx_proxy_container_additional_volumes: [] + +# A list of extra arguments to pass to the container +matrix_nginx_proxy_container_extra_arguments: [] + +# Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP. +# +# If enabled: +# - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`) +# - the HTTP vhost would be made a redirect to the HTTPS vhost +# +# If not enabled: +# - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`) +# - naturally, there's no HTTPS vhost +# - services are served directly from the HTTP vhost +matrix_nginx_proxy_https_enabled: true + +# Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:80"), or empty string to not expose. +matrix_nginx_proxy_container_http_host_bind_port: '80' + +# Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:443"), or empty string to not expose. +# +# This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`. +# Otherwise, there are no HTTPS vhosts to expose. +matrix_nginx_proxy_container_https_host_bind_port: '443' + +# Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8448"), or empty string to not expose. +# +# This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`. +# Otherwise, there is no Matrix Federation port to expose. +# +# This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`. +# When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy. +matrix_nginx_proxy_container_federation_host_bind_port: '8448' + +# Controls whether matrix-nginx-proxy should serve the base domain. +# +# This is useful for when you only have your Matrix server, but you need to serve +# to serve `/.well-known/matrix/*` files from the base domain for the needs of +# Server-Discovery (Federation) and for Client-Discovery. +# +# Besides serving these Matrix files, a homepage would be served with content +# as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable. +# You can also put additional files to use for this webpage +# in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory. +matrix_nginx_proxy_base_domain_serving_enabled: false + +matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}" + +# Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file +# in the `/matrix/nginx-proxy/data/matrix-domain` directory. +# +# If you would instead like to serve a static website by yourself, you can disable this. +# When disabled, you're expected to put website files in `/matrix/nginx-proxy/data/matrix-domain` manually +# and can expect that the playbook won't intefere with the `index.html` file. +matrix_nginx_proxy_base_domain_homepage_enabled: true + +matrix_nginx_proxy_base_domain_homepage_template: |- + + + + + Hello from {{ matrix_domain }}! + + + +# Option to disable the access log +matrix_nginx_proxy_access_log_enabled: true + +# Controls whether proxying the riot domain should be done. +matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false +matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}" + +# Controls whether proxying the Synapse domain should be done. +matrix_nginx_proxy_proxy_synapse_enabled: false +matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy" +matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" +# The addresses where the Federation API is, when using Synapse. +matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:8048" +matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:8048" + +# Controls whether proxying the Element domain should be done. +matrix_nginx_proxy_proxy_element_enabled: false +matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" + +# Controls whether proxying the Hydrogen domain should be done. +matrix_nginx_proxy_proxy_hydrogen_enabled: false +matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" + +# Controls whether proxying the matrix domain should be done. +matrix_nginx_proxy_proxy_matrix_enabled: false +matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" +# The port name used for federation in the nginx configuration. +# This is not necessarily the port that it's actually on, +# as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container. +matrix_nginx_proxy_proxy_matrix_federation_port: 8448 + +# Controls whether proxying the dimension domain should be done. +matrix_nginx_proxy_proxy_dimension_enabled: false +matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" + +# Controls whether proxying the goneb domain should be done. +matrix_nginx_proxy_proxy_bot_go_neb_enabled: false +matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" + +# Controls whether proxying the jitsi domain should be done. +matrix_nginx_proxy_proxy_jitsi_enabled: false +matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" + +# Controls whether proxying the grafana domain should be done. +matrix_nginx_proxy_proxy_grafana_enabled: false +matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}" + +# Controls whether proxying the sygnal domain should be done. +matrix_nginx_proxy_proxy_sygnal_enabled: false +matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" + +# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) +matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false +matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" +matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" + +# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain). +# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. +# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md +matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:8090" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090" + +# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). +# This allows another service to control registrations involving 3PIDs. +# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md +matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false +matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:8090" +matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090" + +# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) +matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" + +# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) +matrix_nginx_proxy_proxy_synapse_metrics: false +matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false +matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" + +# The addresses where the Matrix Client API is. +# Certain extensions (like matrix-corporal) may override this in order to capture all traffic. +matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080" +matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080" + +# The addresses where the Matrix Client API is, when using Synapse. +matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:8008" +matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:8008" + +# This needs to be equal or higher than the maximum upload size accepted by Synapse. +matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 + + +# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server. +matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true + +# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server. +# Enable this if you need OpenID Connect authentication support. +matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false + +# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server. +# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't. +matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false + +# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds +# the location prefixes that get forwarded to the Matrix Client API server. +# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`. +matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | + {{ + (['/_matrix']) + + + (['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else []) + + + (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else []) + + + (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else []) + + + (['/_synapse/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else []) + }} + +# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected. +# If this has an empty value, they're just passed to the homeserver, which serves a static page. +# If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here. +# Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`). +matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "" + +# Controls whether proxying for the Matrix Federation API should be done. +matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false +matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088" +matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:12088" +matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}" +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem" +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem" +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem" + +# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. +matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" + +# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf). +# for big matrixservers to enlarge the number of open files to prevent timeouts +# matrix_nginx_proxy_proxy_additional_configuration_blocks: +# - 'worker_rlimit_nofile 30000;' +matrix_nginx_proxy_proxy_additional_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf). +matrix_nginx_proxy_proxy_event_additional_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf). +matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf). +matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the synapse's server configuration (matrix-synapse.conf). +matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf). +matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). +matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). +matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). +matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf). +matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf). +matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf). +matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf). +matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf). +matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users. +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +matrix_nginx_proxy_floc_optout_enabled: true + +# HSTS Preloading Enable +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be “preloaded” into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +matrix_nginx_proxy_hsts_preload_enabled: false + +# X-XSS-Protection Enable +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# Note: Not applicable for grafana +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_nginx_proxy_xss_protection: "1; mode=block" + +# Specifies the SSL configuration that should be used for the SSL protocols and ciphers +# This is based on the Mozilla Server Side TLS Recommended configurations. +# +# The posible values are: +# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +# - "intermediate" - Recommended configuration for a general-purpose server +# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 +# +# For more information visit: +# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations +# - https://ssl-config.mozilla.org/#server=nginx +matrix_nginx_proxy_ssl_preset: "intermediate" + +# Presets are taken from Mozilla's Server Side TLS Recommended configurations +# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers` +# if you wish to use something more custom. +matrix_nginx_proxy_ssl_presets: + modern: + protocols: TLSv1.3 + ciphers: "" + prefer_server_ciphers: "off" + intermediate: + protocols: TLSv1.2 TLSv1.3 + ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + prefer_server_ciphers: "off" + old: + protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 + ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA + prefer_server_ciphers: "on" + + +# Specifies which *SSL protocols* to use when serving all the various vhosts. +matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}" + +# Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers. +matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}" + +# Specifies which *SSL Cipher suites* to use when serving all the various vhosts. +# To see the full list for suportes ciphers run `openssl ciphers` on your server +matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" + +# Controls whether the self-check feature should validate SSL certificates. +matrix_nginx_proxy_self_check_validate_certificates: true + +# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource. +# +# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be, +# so we default to not following redirects as well. +matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none + +# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter). +# +# Otherwise, we get warnings like this: +# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem" +# +# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`. +# +# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver. +# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people. +# It might also be that no such warnings occur when not running in a container. +matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}" + +# By default, this playbook automatically retrieves and auto-renews +# free SSL certificates from Let's Encrypt. +# +# The following retrieval methods are supported: +# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt +# - "self-signed" - the playbook generates and self-signs certificates +# - "manually-managed" - lets you manage certificates by yourself (manually; see below) +# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects +# +# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`), +# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path` +# obeying the following hierarchy: +# - /live//fullchain.pem +# - /live//privkey.pem +# where refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`). +# +# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen. +# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`) +# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself. +# It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve +# plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy. +matrix_ssl_retrieval_method: "lets-encrypt" + +matrix_ssl_architecture: "amd64" + +# The full list of domains that this role will obtain certificates for. +# This variable is likely redefined outside of the role, to include the domains that are necessary (depending on the services that are enabled). +# To add additional domain names, consider using `matrix_ssl_additional_domains_to_obtain_certificates_for` instead. +matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" + +# A list of additional domain names to obtain certificates for. +matrix_ssl_additional_domains_to_obtain_certificates_for: [] + +# Controls whether to obtain production or staging certificates from Let's Encrypt. +matrix_ssl_lets_encrypt_staging: false +matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.17.0" +matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" +matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 +matrix_ssl_lets_encrypt_support_email: ~ + +# Tells which interface and port the Let's Encrypt (certbot) container should try to bind to +# when it tries to obtain initial certificates in standalone mode. +# +# This should normally be a public interface and port. +# If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`) +matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80' + +matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" +matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" +matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" + +# If you'd like to start some service before a certificate is obtained, specify it here. +# This could be something like `matrix-dynamic-dns`, etc. +matrix_ssl_pre_obtaining_required_service_name: ~ +matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 + +# Nginx Optimize SSL Session +# +# ssl_session_cache: +# - Creating a cache of TLS connection parameters reduces the number of handshakes +# and thus can improve the performance of application. +# - Default session cache is not optimal as it can be used by only one worker process +# and can cause memory fragmentation. It is much better to use shared cache. +# - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html +# +# ssl_session_timeout: +# - Nginx by default it is set to 5 minutes which is very low. +# should be like 4h or 1d but will require you to increase the size of cache. +# - Learn More: +# https://github.com/certbot/certbot/issues/6903 +# https://github.com/mozilla/server-side-tls/issues/198 +# +# ssl_session_tickets: +# - In case of session tickets, information about session is given to the client. +# Enabling this improve performance also make Perfect Forward Secrecy useless. +# - If you would instead like to use ssl_session_tickets by yourself, you can set +# matrix_nginx_proxy_ssl_session_tickets_off false. +# - Learn More: https://github.com/mozilla/server-side-tls/issues/135 +# +# Presets are taken from Mozilla's Server Side TLS Recommended configurations +matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m" +matrix_nginx_proxy_ssl_session_timeout: "1d" +matrix_nginx_proxy_ssl_session_tickets_off: true + +# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance. +# OCSP stapling can provide a performance boost of up to 30% +# nginx web server supports OCSP stapling since version 1.3.7. +# +# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response. +# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling +# +# Learn more about what it is here: +# - https://en.wikipedia.org/wiki/OCSP_stapling +# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/ +# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ +matrix_nginx_proxy_ocsp_stapling_enabled: true + +# nginx status page configurations. +matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false +matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}'] + + +# synapse worker activation and endpoint mappings +matrix_nginx_proxy_synapse_workers_enabled: false +matrix_nginx_proxy_synapse_workers_list: [] +matrix_nginx_proxy_synapse_generic_worker_client_server_locations: [] +matrix_nginx_proxy_synapse_generic_worker_federation_locations: [] +matrix_nginx_proxy_synapse_media_repository_locations: [] +matrix_nginx_proxy_synapse_user_dir_locations: [] +matrix_nginx_proxy_synapse_frontend_proxy_locations: [] + +# The amount of worker processes and connections +# Consider increasing these when you are expecting high amounts of traffic +# http://nginx.org/en/docs/ngx_core_module.html#worker_connections +matrix_nginx_proxy_worker_processes: 1 +matrix_nginx_proxy_worker_connections: 1024 diff --git a/roles/matrix-nginx-proxy/tasks/init.yml b/roles/matrix-nginx-proxy/tasks/init.yml new file mode 100644 index 00000000..0161da23 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/init.yml @@ -0,0 +1,8 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}" + when: matrix_nginx_proxy_enabled|bool + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}" + when: "item.applicable|bool and item.enableable|bool" + with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" diff --git a/roles/matrix-nginx-proxy/tasks/main.yml b/roles/matrix-nginx-proxy/tasks/main.yml new file mode 100644 index 00000000..ad111951 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/main.yml @@ -0,0 +1,38 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +# Always validating the configuration, even if `matrix_nginx_proxy: false`. +# This role performs actions even if the role is disabled, so we need +# to ensure there's a valid configuration in any case. +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool + tags: + - setup-all + - setup-nginx-proxy + +- import_tasks: "{{ role_path }}/tasks/ssl/main.yml" + when: run_setup|bool + tags: + - setup-all + - setup-nginx-proxy + - setup-ssl + +- import_tasks: "{{ role_path }}/tasks/setup_nginx_proxy.yml" + when: run_setup|bool + tags: + - setup-all + - setup-nginx-proxy + +- import_tasks: "{{ role_path }}/tasks/self_check_well_known.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check|bool + tags: + - self-check + +- name: Mark matrix-nginx-proxy role as executed + set_fact: + matrix_nginx_proxy_role_executed: true + tags: + - always diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml new file mode 100644 index 00000000..be1b6555 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml @@ -0,0 +1,30 @@ +--- + +- name: Determine well-known files to check (Matrix) + set_fact: + well_known_file_checks: + - path: /.well-known/matrix/client + purpose: Client Discovery + cors: true + follow_redirects: "{{ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects }}" + validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" + +- block: + - set_fact: + well_known_file_check_matrix_server: + path: /.well-known/matrix/server + purpose: Server Discovery + cors: false + follow_redirects: safe + validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" + + - name: Determine domains that we require certificates for (ma1sd) + set_fact: + well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}" + when: matrix_well_known_matrix_server_enabled|bool + +- name: Perform well-known checks + include_tasks: "{{ role_path }}/tasks/self_check_well_known_file.yml" + with_items: "{{ well_known_file_checks }}" + loop_control: + loop_var: well_known_file_check diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml new file mode 100644 index 00000000..6f831a29 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml @@ -0,0 +1,73 @@ +--- + +- set_fact: + well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}" + well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}" + +# These well-known files may be served without a `Content-Type: application/json` header, +# so we can't rely on the uri module's automatic parsing of JSON. +- name: Check .well-known on the matrix hostname + uri: + url: "{{ well_known_url_matrix }}" + follow_redirects: none + return_content: true + validate_certs: "{{ well_known_file_check.validate_certs }}" + headers: + Origin: example.com + check_mode: no + register: result_well_known_matrix + ignore_errors: true + +- name: Fail if .well-known not working on the matrix hostname + fail: + msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}" + when: "result_well_known_matrix.failed" + +- name: Parse JSON for well-known payload at the matrix hostname + set_fact: + well_known_matrix_payload: "{{ result_well_known_matrix.content|from_json }}" + +- name: Fail if .well-known not CORS-aware on the matrix hostname + fail: + msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set." + when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_matrix" + +- name: Report working .well-known on the matrix hostname + debug: + msg: "well-known for {{ well_known_file_check.purpose }} is configured correctly for `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)" + +- name: Check .well-known on the identity hostname + uri: + url: "{{ well_known_url_identity }}" + follow_redirects: "{{ well_known_file_check.follow_redirects }}" + return_content: true + validate_certs: "{{ well_known_file_check.validate_certs }}" + headers: + Origin: example.com + check_mode: no + register: result_well_known_identity + ignore_errors: true + +- name: Fail if .well-known not working on the identity hostname + fail: + msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}" + when: "result_well_known_identity.failed" + +- name: Parse JSON for well-known payload at the identity hostname + set_fact: + well_known_identity_payload: "{{ result_well_known_identity.content|from_json }}" + +- name: Fail if .well-known not CORS-aware on the identity hostname + fail: + msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md" + when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_identity" + +# For people who manually copy the well-known file, try to detect if it's outdated +- name: Fail if well-known is different on matrix hostname and identity hostname + fail: + msg: "The well-known files for {{ well_known_file_check.purpose }} at `{{ matrix_server_fqn_matrix }}` and `{{ matrix_domain }}` are different. Perhaps you copied the file ({{ well_known_file_check.path }}) manually before and now it's outdated?" + when: "well_known_matrix_payload != well_known_identity_payload" + +- name: Report working .well-known on the identity hostname + debug: + msg: "well-known for {{ well_known_file_check.purpose }} ({{ well_known_file_check.path }}) is configured correctly for `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`)" diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml new file mode 100644 index 00000000..1d59f567 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -0,0 +1,272 @@ +--- + +# +# Generic tasks that we always want to happen, regardless +# if the user wants matrix-nginx-proxy or not. +# +# If the user would set up their own nginx proxy server, +# the config files from matrix-nginx-proxy can be reused. +# +# It doesn't hurt to put them in place, even if they turn out +# to be unnecessary. +# +- name: Ensure Matrix nginx-proxy paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_nginx_proxy_base_path }}" + - "{{ matrix_nginx_proxy_data_path }}" + - "{{ matrix_nginx_proxy_confd_path }}" + +- name: Ensure Matrix nginx-proxy configured (main config override) + template: + src: "{{ role_path }}/templates/nginx/nginx.conf.j2" + dest: "{{ matrix_nginx_proxy_base_path }}/nginx.conf" + mode: 0644 + when: matrix_nginx_proxy_enabled|bool + +- name: Ensure matrix-synapse-metrics-htpasswd is present (protecting /_synapse/metrics URI) + template: + src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2" + dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0400 + when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool" + +- name: Ensure Matrix nginx-proxy configured (generic) + template: + src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf" + mode: 0644 + when: matrix_nginx_proxy_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for matrix-synapse exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_synapse_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for matrix-synapse deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_synapse_enabled|bool" + +- name: Ensure Matrix nginx-proxy configuration for Element domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-element.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-element.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_element_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for riot domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-riot-web.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for dimension domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_dimension_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for goneb domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for jitsi domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-jitsi.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_jitsi_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for grafana domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-grafana.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_grafana_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for sygnal domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-sygnal.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf" + mode: 0644 + when: matrix_nginx_proxy_proxy_sygnal_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for Matrix domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" + mode: 0644 + +- name: Ensure Matrix nginx-proxy data directory for base domain exists + file: + path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_nginx_proxy_base_domain_serving_enabled|bool + +- name: Ensure Matrix nginx-proxy homepage for base domain exists + copy: + content: "{{ matrix_nginx_proxy_base_domain_homepage_template }}" + dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool + +- name: Ensure Matrix nginx-proxy configuration for base domain exists + template: + src: "{{ role_path }}/templates/nginx/conf.d/matrix-base-domain.conf.j2" + dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf" + mode: 0644 + when: matrix_nginx_proxy_base_domain_serving_enabled|bool + +# +# Tasks related to setting up matrix-nginx-proxy +# +- name: Ensure nginx Docker image is pulled + docker_image: + name: "{{ matrix_nginx_proxy_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_nginx_proxy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_docker_image_force_pull }}" + when: matrix_nginx_proxy_enabled|bool + +- name: Ensure matrix-nginx-proxy.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service" + mode: 0644 + register: matrix_nginx_proxy_systemd_service_result + when: matrix_nginx_proxy_enabled|bool + +- name: Ensure systemd reloaded after matrix-nginx-proxy.service installation + service: + daemon_reload: yes + when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed" + + +# +# Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled) +# + +- name: Check existence of matrix-nginx-proxy service + stat: + path: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service" + register: matrix_nginx_proxy_service_stat + when: "not matrix_nginx_proxy_enabled|bool" + +- name: Ensure matrix-nginx-proxy is stopped + service: + name: matrix-nginx-proxy + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists" + +- name: Ensure matrix-nginx-proxy.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service" + state: absent + when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-nginx-proxy.service removal + service: + daemon_reload: yes + when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists" + +- name: Ensure Matrix nginx-proxy configuration for matrix domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_matrix_enabled|bool" + +- name: Ensure Matrix nginx-proxy configuration for riot domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool" + +- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool" + +- name: Ensure Matrix nginx-proxy configuration for dimension domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_dimension_enabled|bool" + +- name: Ensure Matrix nginx-proxy configuration for goneb domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool" + +- name: Ensure Matrix nginx-proxy configuration for jitsi domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_jitsi_enabled|bool" + +- name: Ensure Matrix nginx-proxy configuration for grafana domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_grafana_enabled|bool" + +- name: Ensure Matrix nginx-proxy configuration for sygnal domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf" + state: absent + when: "not matrix_nginx_proxy_proxy_sygnal_enabled|bool" + +- name: Ensure Matrix nginx-proxy homepage for base domain deleted + file: + path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" + state: absent + when: "not matrix_nginx_proxy_base_domain_serving_enabled|bool" + +- name: Ensure Matrix nginx-proxy configuration for base domain deleted + file: + path: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf" + state: absent + when: "not matrix_nginx_proxy_base_domain_serving_enabled|bool" + +- name: Ensure Matrix nginx-proxy configuration for main config override deleted + file: + path: "{{ matrix_nginx_proxy_base_path }}/nginx.conf" + state: absent + when: "not matrix_nginx_proxy_enabled|bool" + +- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /_synapse/metrics URI) + file: + path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" + state: absent + when: "not matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool or not matrix_nginx_proxy_proxy_synapse_metrics|bool" diff --git a/roles/matrix-nginx-proxy/tasks/setup_well_known.yml b/roles/matrix-nginx-proxy/tasks/setup_well_known.yml new file mode 100644 index 00000000..3e43a8c6 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/setup_well_known.yml @@ -0,0 +1,24 @@ +- set_fact: + matrix_well_known_file_path: "{{ matrix_static_files_base_path }}/.well-known/matrix/client" + +# We need others to be able to read these directories too, +# so that matrix-nginx-proxy's nginx user can access the files. +# +# For running with another webserver, we recommend being part of the `matrix` group. +- name: Ensure Matrix static-files path exists + file: + path: "{{ item }}" + state: directory + mode: 0755 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_static_files_base_path }}/.well-known/matrix" + +- name: Ensure Matrix /.well-known/matrix/client configured + template: + src: "{{ role_path }}/templates/well-known/matrix-client.j2" + dest: "{{ matrix_static_files_base_path }}/.well-known/matrix" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/tasks/ssl/main.yml b/roles/matrix-nginx-proxy/tasks/ssl/main.yml new file mode 100644 index 00000000..6c060818 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/ssl/main.yml @@ -0,0 +1,31 @@ +--- + +- name: Fail if using unsupported SSL certificate retrieval method + fail: + msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value" + when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']" + + +# Common tasks, required by almost any method below. + +- name: Ensure SSL certificate paths exists + file: + path: "{{ item }}" + state: directory + mode: 0770 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + recurse: true + with_items: + - "{{ matrix_ssl_log_dir_path }}" + - "{{ matrix_ssl_config_dir_path }}" + when: "matrix_ssl_retrieval_method != 'none'" + + +# Method specific tasks follow + +- import_tasks: tasks/ssl/setup_ssl_lets_encrypt.yml + +- import_tasks: tasks/ssl/setup_ssl_self_signed.yml + +- import_tasks: tasks/ssl/setup_ssl_manually_managed.yml diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml new file mode 100644 index 00000000..bfd25894 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -0,0 +1,64 @@ +--- + +# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name. +# This migration task can be removed some time in the future. +- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files + file: + path: "{{ item }}" + state: absent + with_items: + - "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew" + - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal" + - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter" + - "/etc/cron.d/matrix-ssl-lets-encrypt" + +# +# Tasks related to setting up Let's Encrypt's management of certificates +# + +- block: + - name: Ensure certbot Docker image is pulled + docker_image: + name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}" + + - name: Obtain Let's Encrypt certificates + include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" + with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" + loop_control: + loop_var: domain_name + + - name: Ensure Let's Encrypt SSL renewal script installed + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2" + dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" + mode: 0755 + + - name: Ensure SSL renewal systemd units installed + template: + src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2" + dest: "{{ matrix_systemd_path }}/{{ item.name }}" + mode: 0644 + when: "item.applicable|bool" + with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" + when: "matrix_ssl_retrieval_method == 'lets-encrypt'" + +# +# Tasks related to getting rid of Let's Encrypt's management of certificates +# + +- block: + - name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed + file: + path: "{{ matrix_systemd_path }}/{{ item.name }}" + state: absent + when: "not item.applicable|bool" + with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" + + - name: Ensure Let's Encrypt SSL renewal script removed + file: + path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" + state: absent + when: "matrix_ssl_retrieval_method != 'lets-encrypt'" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml new file mode 100644 index 00000000..4639f122 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml @@ -0,0 +1,91 @@ +- debug: + msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}" + +- set_fact: + domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem" + +- name: Check if a certificate for the domain already exists + stat: + path: "{{ domain_name_certificate_path }}" + register: domain_name_certificate_path_stat + +- set_fact: + domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}" + +- block: + - name: Ensure required service for obtaining is started + service: + name: "{{ matrix_ssl_pre_obtaining_required_service_name }}" + state: started + register: matrix_ssl_pre_obtaining_required_service_start_result + + - name: Wait some time, so that the required service for obtaining can start + wait_for: + timeout: "{{ matrix_ssl_service_to_start_before_obtaining_start_wait_time_seconds }}" + when: "matrix_ssl_pre_obtaining_required_service_start_result.changed|bool" + when: "domain_name_needs_cert|bool and matrix_ssl_pre_obtaining_required_service_name != ''" + +# This will fail if there is something running on port 80 (like matrix-nginx-proxy). +# We suppress the error, as we'll try another method below. +- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly) + shell: >- + {{ matrix_host_command_docker }} run + --rm + --name=matrix-certbot + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + -p {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080 + --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt + --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt + {{ matrix_ssl_lets_encrypt_certbot_docker_image }} + certonly + --non-interactive + --work-dir=/tmp + --http-01-port 8080 + {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} + --standalone + --preferred-challenges http + --agree-tos + --email={{ matrix_ssl_lets_encrypt_support_email }} + -d {{ domain_name }} + when: domain_name_needs_cert|bool + register: result_certbot_direct + ignore_errors: true + +# If matrix-nginx-proxy is configured from a previous run of this playbook, +# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`. +- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy) + shell: >- + {{ matrix_host_command_docker }} run + --rm + --name=matrix-certbot + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 + --network={{ matrix_docker_network }} + --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt + --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt + {{ matrix_ssl_lets_encrypt_certbot_docker_image }} + certonly + --non-interactive + --work-dir=/tmp + --http-01-port 8080 + {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} + --standalone + --preferred-challenges http + --agree-tos + --email={{ matrix_ssl_lets_encrypt_support_email }} + -d {{ domain_name }} + when: "domain_name_needs_cert and result_certbot_direct.failed" + register: result_certbot_proxy + ignore_errors: true + +- name: Fail if all SSL certificate retrieval attempts failed + fail: + msg: | + Failed to obtain a certificate directly (by listening on port 80) + and also failed to obtain by relying on the server at port 80 to proxy the request. + See above for details. + You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or, + more easily, stop the server on port 80 while this playbook runs. + when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml new file mode 100644 index 00000000..ea39f5e9 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml @@ -0,0 +1,8 @@ +--- + +- name: Verify certificates + include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml" + with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" + loop_control: + loop_var: domain_name + when: "matrix_ssl_retrieval_method == 'manually-managed'" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml new file mode 100644 index 00000000..be0444b1 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml @@ -0,0 +1,23 @@ +--- + +- set_fact: + matrix_ssl_certificate_verification_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem" + matrix_ssl_certificate_verification_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem" + +- name: Check if SSL certificate file exists + stat: + path: "{{ matrix_ssl_certificate_verification_cert_path }}" + register: matrix_ssl_certificate_verification_cert_path_stat_result + +- fail: + msg: "Failed finding a certificate file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_path }}`" + when: "not matrix_ssl_certificate_verification_cert_path_stat_result.stat.exists" + +- name: Check if SSL certificate key file exists + stat: + path: "{{ matrix_ssl_certificate_verification_cert_key_path }}" + register: matrix_ssl_certificate_verification_cert_key_path_stat_result + +- fail: + msg: "Failed finding a certificate key file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_key_path }}`" + when: "not matrix_ssl_certificate_verification_cert_key_path_stat_result.stat.exists" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml new file mode 100644 index 00000000..8fa316da --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml @@ -0,0 +1,32 @@ +--- + +- name: Ensure OpenSSL installed (RedHat) + yum: + name: + - openssl + state: present + update_cache: no + when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'RedHat'" + +- name: Ensure APT usage dependencies are installed (Debian) + apt: + name: + - openssl + state: present + update_cache: no + when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_os_family == 'Debian'" + +- name: Ensure OpenSSL installed (Archlinux) + pacman: + name: + - openssl + state: latest + update_cache: no + when: "matrix_ssl_retrieval_method == 'self-signed' and ansible_distribution == 'Archlinux'" + +- name: Generate self-signed certificates + include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml" + with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" + loop_control: + loop_var: domain_name + when: "matrix_ssl_retrieval_method == 'self-signed'" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml new file mode 100644 index 00000000..aea17cc0 --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml @@ -0,0 +1,42 @@ +--- + +- set_fact: + matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr" + matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem" + matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem" + +- name: Check if SSL certificate file exists + stat: + path: "{{ matrix_ssl_certificate_cert_path }}" + register: matrix_ssl_certificate_cert_path_stat_result + +# In order to do any sort of generation (below), we need to ensure the directory exists first +- name: Ensure SSL certificate directory exists + file: + path: "{{ matrix_ssl_certificate_csr_path|dirname }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" + +# The proper way to do this is by using a sequence of +# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`. +# +# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work, +# which is not available on CentOS 7 (at least). +# +# We'll do it in a more manual way. +- name: Generate SSL certificate + command: | + openssl req -x509 \ + -sha256 \ + -newkey rsa:4096 \ + -nodes \ + -subj "/CN={{ domain_name }}" \ + -keyout {{ matrix_ssl_certificate_cert_key_path }} \ + -out {{ matrix_ssl_certificate_cert_path }} \ + -days 3650 + become: true + become_user: "{{ matrix_user_username }}" + when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml new file mode 100644 index 00000000..9661ae5e --- /dev/null +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -0,0 +1,47 @@ +--- + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container'} + - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container'} + # People who configured this to disable Riot, would now wish to be disabling Element. + # We now also have `matrix_nginx_proxy_proxy_riot_compat_redirect_`, but that's something else and is disabled by default. + - {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'} + - {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': ''} + - {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': ''} + +- name: Fail on unknown matrix_ssl_retrieval_method + fail: + msg: >- + `matrix_ssl_retrieval_method` needs to be set to a known value. + when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']" + +- name: Fail on unknown matrix_nginx_proxy_ssl_config + fail: + msg: >- + `matrix_nginx_proxy_ssl_preset` needs to be set to a known value. + when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']" + +- block: + - name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + with_items: + - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} + - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} + when: "item.old in vars" + + - name: Fail if required variables are undefined + fail: + msg: "The `{{ item }}` variable must be defined and have a non-null value" + with_items: + - "matrix_ssl_lets_encrypt_support_email" + when: "vars[item] == '' or vars[item] is none" + when: "matrix_ssl_retrieval_method == 'lets-encrypt'" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 new file mode 100644 index 00000000..37863d73 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -0,0 +1,95 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + root /nginx-data/matrix-domain; + + gzip on; + gzip_types text/plain application/json; + + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + + {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location /.well-known/matrix { + root {{ matrix_static_files_base_path }}; + {# + A somewhat long expires value is used to prevent outages + in case this is unreachable due to network failure. + #} + expires 4h; + default_type application/json; + add_header Access-Control-Allow-Origin *; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_base_domain_hostname }}; + server_tokens off; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_base_domain_hostname }}; + server_tokens off; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 new file mode 100644 index 00000000..6cb5f57a --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -0,0 +1,95 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Content-Type-Options nosniff; + +{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-bot-go-neb:4050"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:4050; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 new file mode 100644 index 00000000..2f4f4aa1 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -0,0 +1,104 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy "frame-ancestors 'self'"; + + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + + {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-client-element:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8765; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_proxy_element_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_element_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 new file mode 100644 index 00000000..d9a05926 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 @@ -0,0 +1,102 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy "frame-ancestors 'none'"; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + {% for configuration_block in matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-client-hydrogen:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8768; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 new file mode 100644 index 00000000..ef8ee972 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -0,0 +1,98 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Content-Type-Options nosniff; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + +{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-dimension:8184"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8184; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 new file mode 100644 index 00000000..7b26434d --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -0,0 +1,293 @@ +#jinja2: lstrip_blocks: "True" +{% macro render_nginx_status_location_block(addresses) %} + {# Empty first line to make indentation prettier. #} + + location /nginx_status { + stub_status on; + access_log off; + {% for address in addresses %} + allow {{ address }}; + {% endfor %} + deny all; + } +{% endmacro %} + + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json; + + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + + location /.well-known/matrix { + root {{ matrix_static_files_base_path }}; + {# + A somewhat long expires value is used to prevent outages + in case this is unreachable due to network failure or + due to the base domain's server completely dying. + #} + expires 4h; + default_type application/json; + add_header Access-Control-Allow-Origin *; + } + + {% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} + {{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} + {% endif %} + + {% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %} + location ^~ /_matrix/corporal { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + } + {% endif %} + + {% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %} + location ^~ /_matrix/identity { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + } + {% endif %} + + {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} + location ^~ /_matrix/client/r0/user_directory/search { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + {% endif %} + + {% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %} + location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + } + {% endif %} + + {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + {# + This handles the Matrix Client API only. + The Matrix Federation API is handled by a separate vhost. + #} + location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } + + {# + We only handle the root URI for this redirect or homepage serving. + Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404, + instead of causing a redirect. + See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058 + #} + location ~* ^/$ { + {% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %} + return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; + {% else %} + rewrite ^/$ /_matrix/static/ last; + {% endif %} + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + {% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} + {{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} + {% endif %} + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} + +{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} +{# + This federation vhost is a little special. + It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`. +#} +server { + {% if matrix_nginx_proxy_https_enabled %} + listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2; + listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2; + {% else %} + listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }}; + {% endif %} + + server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; + server_tokens off; + + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + {% if matrix_nginx_proxy_https_enabled %} + ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; + ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + {% endif %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 new file mode 100644 index 00000000..0f7c43c5 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -0,0 +1,106 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + # duplicate X-Content-Type-Options & X-Frame-Options header + # Enabled by grafana by default + # add_header X-Content-Type-Options nosniff; + # add_header X-Frame-Options SAMEORIGIN; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + proxy_cookie_path / "/; HTTPOnly; Secure"; + + {% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-grafana:3000"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:3000; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_proxy_grafana_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_grafana_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != "" %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 new file mode 100644 index 00000000..0ccda7d3 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -0,0 +1,140 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Content-Type-Options nosniff; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + +{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-jitsi-web:80"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:13080; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # colibri (JVB) websockets + location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) { + {% if matrix_nginx_proxy_enabled %} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-jitsi-jvb:9090"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:13090; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_http_version 1.1; + + tcp_nodelay on; + } + + # XMPP websocket + location = /xmpp-websocket { + {% if matrix_nginx_proxy_enabled %} + resolver 127.0.0.11 valid=5s; + set $backend {{ matrix_jitsi_xmpp_bosh_url_base }}; + proxy_pass $backend/xmpp-websocket; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:5280; + {% endif %} + proxy_set_header Host $host; + + proxy_http_version 1.1; + proxy_read_timeout 900s; + proxy_set_header Connection "upgrade"; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + tcp_nodelay on; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 new file mode 100644 index 00000000..d153d5c2 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -0,0 +1,87 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + + {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + location / { + return 301 https://{{ matrix_nginx_proxy_proxy_element_hostname }}$request_uri; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + + server_name {{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 new file mode 100644 index 00000000..d5760434 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -0,0 +1,97 @@ +#jinja2: lstrip_blocks: "True" + +{% macro render_vhost_directives() %} + gzip on; + gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + {% if matrix_nginx_proxy_hsts_preload_enabled %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options DENY; + +{% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-sygnal:6000"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:6000; + {% endif %} + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + } +{% endmacro %} + +server { + listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; + server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }}; + + server_tokens off; + root /dev/null; + + {% if matrix_nginx_proxy_https_enabled %} + location /.well-known/acme-challenge { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-certbot:8080"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + {% endif %} + } + + location / { + return 301 https://$http_host$request_uri; + } + {% else %} + {{ render_vhost_directives() }} + {% endif %} +} + +{% if matrix_nginx_proxy_https_enabled %} +server { + listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; + + server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }}; + + server_tokens off; + root /dev/null; + + ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/fullchain.pem; + ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/privkey.pem; + + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if matrix_nginx_proxy_ssl_ciphers != '' %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + + {% if matrix_nginx_proxy_ocsp_stapling_enabled %} + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem; + {% endif %} + + {% if matrix_nginx_proxy_ssl_session_tickets_off %} + ssl_session_tickets off; + {% endif %} + ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; + ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; + + {{ render_vhost_directives() }} +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 new file mode 100644 index 00000000..db111090 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -0,0 +1,231 @@ +#jinja2: lstrip_blocks: "True" + +{% set generic_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'generic_worker')|list %} +{% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'media_repository')|list %} +{% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'user_dir')|list %} +{% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'frontend_proxy')|list %} +{% if matrix_nginx_proxy_synapse_workers_enabled %} + # Round Robin "upstream" pools for workers + + {% if generic_workers %} + upstream generic_worker_upstream { + # ensures that requests from the same client will always be passed + # to the same server (except when this server is unavailable) + hash $http_x_forwarded_for; + + {% for worker in generic_workers %} + {% if matrix_nginx_proxy_enabled %} + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; + {% else %} + server "127.0.0.1:{{ worker.port }}"; + {% endif %} + {% endfor %} + } + {% endif %} + + {% if frontend_proxy_workers %} + upstream frontend_proxy_upstream { + {% for worker in frontend_proxy_workers %} + {% if matrix_nginx_proxy_enabled %} + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; + {% else %} + server "127.0.0.1:{{ worker.port }}"; + {% endif %} + {% endfor %} + } + {% endif %} + + {% if media_repository_workers %} + upstream media_repository_upstream { + {% for worker in media_repository_workers %} + {% if matrix_nginx_proxy_enabled %} + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; + {% else %} + server "127.0.0.1:{{ worker.port }}"; + {% endif %} + {% endfor %} + } + {% endif %} + + {% if user_dir_workers %} + upstream user_dir_upstream { + {% for worker in user_dir_workers %} + {% if matrix_nginx_proxy_enabled %} + server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; + {% else %} + server "127.0.0.1:{{ worker.port }}"; + {% endif %} + {% endfor %} + } + {% endif %} +{% endif %} + +server { + listen 12080; + server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }}; + + server_tokens off; + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + {% if matrix_nginx_proxy_synapse_workers_enabled %} + {# Workers redirects BEGIN #} + + {% if generic_workers %} + # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker + {% for location in matrix_nginx_proxy_synapse_generic_worker_client_server_locations %} + location ~ {{ location }} { + proxy_pass http://generic_worker_upstream$request_uri; + proxy_set_header Host $host; + } + {% endfor %} + {% endif %} + + {% if media_repository_workers %} + # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository + {% for location in matrix_nginx_proxy_synapse_media_repository_locations %} + location ~ {{ location }} { + proxy_pass http://media_repository_upstream$request_uri; + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } + {% endfor %} + {% endif %} + + {% if user_dir_workers %} + # FIXME: obsolete if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled is set + # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappuser_dir + {% for location in matrix_nginx_proxy_synapse_user_dir_locations %} + location ~ {{ location }} { + proxy_pass http://user_dir_upstream$request_uri; + proxy_set_header Host $host; + } + {% endfor %} + {% endif %} + + {% if frontend_proxy_workers %} + # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappfrontend_proxy + {% for location in matrix_nginx_proxy_synapse_frontend_proxy_locations %} + location ~ {{ location }} { + proxy_pass http://frontend_proxy_upstream$request_uri; + proxy_set_header Host $host; + } + {% endfor %} + {% if matrix_nginx_proxy_synapse_presence_disabled %} + # FIXME: keep in sync with synapse workers documentation manually + location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status { + proxy_pass http://frontend_proxy_upstream$request_uri; + proxy_set_header Host $host; + } + {% endif %} + {% endif %} + {# Workers redirects END #} + {% endif %} + + + {% for configuration_block in matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks %} + {{- configuration_block }} + {% endfor %} + + {% if matrix_nginx_proxy_proxy_synapse_metrics %} + location /_synapse/metrics { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + + {% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} + auth_basic "protected"; + auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd; + {% endif %} + } + {% endif %} + + {# Everything else just goes to the API server ##} + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} + +{% if matrix_nginx_proxy_proxy_synapse_federation_api_enabled %} +server { + listen 12088; + + server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }}; + server_tokens off; + + root /dev/null; + + gzip on; + gzip_types text/plain application/json; + + {% if matrix_nginx_proxy_synapse_workers_enabled %} + {% if generic_workers %} + # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker + {% for location in matrix_nginx_proxy_synapse_generic_worker_federation_locations %} + location ~ {{ location }} { + proxy_pass http://generic_worker_upstream$request_uri; + proxy_set_header Host $host; + } + {% endfor %} + {% endif %} + {% if media_repository_workers %} + # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository + {% for location in matrix_nginx_proxy_synapse_media_repository_locations %} + location ~ {{ location }} { + proxy_pass http://media_repository_upstream$request_uri; + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } + {% endfor %} + {% endif %} + {% endif %} + + location / { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container }}"; + proxy_pass http://$backend; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container }}; + {% endif %} + + proxy_set_header Host $host; + + client_body_buffer_size 25M; + client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; + proxy_max_temp_file_size 0; + } +} +{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 new file mode 100644 index 00000000..beea6afa --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 @@ -0,0 +1,14 @@ +#jinja2: lstrip_blocks: "True" +# The default is aligned to the CPU's cache size, +# which can sometimes be too low to handle our 2 vhosts (Synapse and Element). +# +# Thus, we ensure a larger bucket size value is used. +server_names_hash_bucket_size 64; + +{% if matrix_nginx_proxy_http_level_resolver %} + resolver {{ matrix_nginx_proxy_http_level_resolver }}; +{% endif %} + +{% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %} + {{- configuration_block }} +{% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 b/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 new file mode 100644 index 00000000..1a7247ac --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2 @@ -0,0 +1,3 @@ +#jinja2: lstrip_blocks: "True" +# User and password for protecting /_synapse/metrics URI +prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 new file mode 100644 index 00000000..9ec7fa56 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -0,0 +1,61 @@ +#jinja2: lstrip_blocks: "True" +# This is a custom nginx configuration file that we use in the container (instead of the default one), +# because it allows us to run nginx with a non-root user. +# +# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. +# +# The following changes have been done compared to a default nginx configuration file: +# - various temp paths are changed to `/tmp`, so that a non-root user can write to them +# - the `user` directive was removed, as we don't want nginx to switch users + +worker_processes {{ matrix_nginx_proxy_worker_processes }}; +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; +{% for configuration_block in matrix_nginx_proxy_proxy_additional_configuration_blocks %} + {{- configuration_block }} +{% endfor %} + +events { + worker_connections {{ matrix_nginx_proxy_worker_connections }}; +{% for configuration_block in matrix_nginx_proxy_proxy_event_additional_configuration_blocks %} + {{- configuration_block }} +{% endfor %} +} + + +http { + proxy_temp_path /tmp/proxy_temp; + client_body_temp_path /tmp/client_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + {% if matrix_nginx_proxy_access_log_enabled %} + access_log /var/log/nginx/access.log main; + {% else %} + access_log off; + {% endif %} + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + server_tokens off; + + #gzip on; + {# Map directive needed for proxied WebSocket upgrades #} + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + include /etc/nginx/conf.d/*.conf; +} diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 new file mode 100755 index 00000000..c4000fa9 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -0,0 +1,58 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix nginx-proxy server +{% for service in matrix_nginx_proxy_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_nginx_proxy_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \ + --network={{ matrix_docker_network }} \ + {% if matrix_nginx_proxy_container_http_host_bind_port %} + -p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \ + {% endif %} + {% if matrix_nginx_proxy_https_enabled and matrix_nginx_proxy_container_https_host_bind_port %} + -p {{ matrix_nginx_proxy_container_https_host_bind_port }}:8443 \ + {% endif %} + {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled and matrix_nginx_proxy_container_federation_host_bind_port %} + -p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} \ + {% endif %} + --mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ + --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst={{ matrix_nginx_proxy_data_path_in_container }},ro \ + --mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \ + {% if matrix_ssl_retrieval_method != 'none' %} + --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \ + {% endif %} + --mount type=bind,src={{ matrix_static_files_base_path }},dst={{ matrix_static_files_base_path }},ro \ + {% for volume in matrix_nginx_proxy_container_additional_volumes %} + -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + {% endfor %} + {% for arg in matrix_nginx_proxy_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_nginx_proxy_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' +ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-nginx-proxy + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 new file mode 100644 index 00000000..c14905ce --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 @@ -0,0 +1,7 @@ +[Unit] +Description=Renews Let's Encrypt SSL certificates + +[Service] +Type=oneshot +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStart={{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 new file mode 100644 index 00000000..b1e1c21e --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=Renews Let's Encrypt SSL certificates periodically + +[Timer] +Unit=matrix-ssl-lets-encrypt-certificates-renew.service +OnCalendar=*-*-* 04:00:00 +RandomizedDelaySec=2h + +[Install] +WantedBy=timers.target diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 new file mode 100644 index 00000000..851655ba --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 @@ -0,0 +1,6 @@ +[Unit] +Description=Reloads matrix-nginx-proxy so that new SSL certificates can kick in + +[Service] +Type=oneshot +ExecStart={{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 new file mode 100644 index 00000000..09cb6dad --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates can kick in + +[Timer] +Unit=matrix-ssl-nginx-proxy-reload.service +OnCalendar=*-*-* 06:30:00 +RandomizedDelaySec=1h + +[Install] +WantedBy=timers.target diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 new file mode 100644 index 00000000..bc45e85e --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 @@ -0,0 +1,31 @@ +#jinja2: lstrip_blocks: "True" +#!/bin/bash + +# For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled) +# need to forward requests for `/.well-known/acme-challenge` to the certbot container. +# +# This can happen inside the container network by proxying to `http://matrix-certbot:8080` +# or outside (on the host) by proxying to `http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`. + +docker run \ + --rm \ + --name=matrix-certbot \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network="{{ matrix_docker_network }}" \ + -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \ + --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt \ + --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt \ + {{ matrix_ssl_lets_encrypt_certbot_docker_image }} \ + renew \ + --non-interactive \ + --work-dir=/tmp \ + --http-01-port 8080 \ + {% if matrix_ssl_lets_encrypt_staging %} + --staging \ + {% endif %} + --standalone \ + --preferred-challenges http \ + --agree-tos \ + --email={{ matrix_ssl_lets_encrypt_support_email }} \ + --no-random-sleep-on-renew diff --git a/roles/matrix-nginx-proxy/vars/main.yml b/roles/matrix-nginx-proxy/vars/main.yml new file mode 100644 index 00000000..5c51fe5b --- /dev/null +++ b/roles/matrix-nginx-proxy/vars/main.yml @@ -0,0 +1,18 @@ +--- + +# Tells whether this role had executed or not. Toggled to `true` during runtime. +matrix_nginx_proxy_role_executed: false + +matrix_ssl_renewal_systemd_units_list: + - name: matrix-ssl-lets-encrypt-certificates-renew.service + applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" + enableable: false + - name: matrix-ssl-lets-encrypt-certificates-renew.timer + applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" + enableable: true + - name: matrix-ssl-nginx-proxy-reload.service + applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}" + enableable: false + - name: matrix-ssl-nginx-proxy-reload.timer + applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}" + enableable: true diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml new file mode 100644 index 00000000..9c1cac9a --- /dev/null +++ b/roles/matrix-postgres/defaults/main.yml @@ -0,0 +1,95 @@ +matrix_postgres_enabled: true + +matrix_postgres_connection_hostname: "matrix-postgres" +matrix_postgres_connection_port: 5432 +matrix_postgres_connection_username: "matrix" +matrix_postgres_connection_password: "" +matrix_postgres_db_name: "matrix" + +matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" +matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" + +matrix_postgres_architecture: amd64 + +# matrix_postgres_docker_image_suffix controls whether we use Alpine-based images (`-alpine`) or the normal Debian-based images. +# Alpine-based Postgres images are smaller and we usually prefer them, but they don't work on ARM32 (tested on a Raspberry Pi 3 running Raspbian 10.7). +# On ARM32, `-alpine` images fail with the following error: +# > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault +matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" + +matrix_postgres_docker_image_v9: "{{ matrix_container_global_registry_prefix }}postgres:9.6.22{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v10: "{{ matrix_container_global_registry_prefix }}postgres:10.17{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v11: "{{ matrix_container_global_registry_prefix }}postgres:11.12{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v12: "{{ matrix_container_global_registry_prefix }}postgres:12.7{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v13: "{{ matrix_container_global_registry_prefix }}postgres:13.3{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" + +# This variable is assigned at runtime. Overriding its value has no effect. +matrix_postgres_docker_image_to_use: '{{ matrix_postgres_docker_image_latest }}' + +matrix_postgres_docker_image_force_pull: "{{ matrix_postgres_docker_image_to_use.endswith(':latest') }}" + +# A list of extra arguments to pass to the container +matrix_postgres_container_extra_arguments: [] + +# A list of extra arguments to pass to the postgres process +# e.g. "-c 'max_connections=200'" +matrix_postgres_process_extra_arguments: [] + +# Controls whether the matrix-postgres container exposes a port (tcp/5432 in the +# container) that can be used to access the database from outside the container (e.g. with psql) +# +# psql postgresql://username:password@localhost:/database_name +# +# Takes an ":" or "" value (e.g. "127.0.0.1:5432"), or empty string to not expose. +matrix_postgres_container_postgres_bind_port: "" + +# A list of additional (databases and their credentials) to create. +# +# Example: +# matrix_postgres_additional_databases: +# - name: matrix_appservice_discord +# username: matrix_appservice_discord +# password: some_password +# - name: matrix_appservice_slack +# username: matrix_appservice_slack +# password: some_password +matrix_postgres_additional_databases: [] + +# A list of roles/users to avoid creating when importing (or upgrading) the database. +# If a dump file contains the roles and they've also been created beforehand (see `matrix_postgres_additional_databases`), +# importing would fail. +# We either need to not create them or to ignore the `CREATE ROLE` statements in the dump. +matrix_postgres_import_roles_to_ignore: [matrix_postgres_connection_username] + +matrix_postgres_import_roles_ignore_regex: "^CREATE ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }});" + +# A list of databases to avoid creating when importing (or upgrading) the database. +# If a dump file contains the databases and they've also been created beforehand (see `matrix_postgres_additional_databases`), +# importing would fail. +# We either need to not create them or to ignore the `CREATE DATABASE` statements in the dump. +matrix_postgres_import_databases_to_ignore: [matrix_postgres_db_name] + +matrix_postgres_import_databases_ignore_regex: "^CREATE DATABASE ({{ matrix_postgres_import_databases_to_ignore|join('|') }})\\s" + +# The number of seconds to wait after starting `matrix-postgres.service` +# and before trying to run queries for creating additional databases/users against it. +# +# For most (subsequent) runs, Postgres would already be running, so no waiting will be happening at all. +# +# On ARM, we wait some more. ARM32 devices are especially known for being slow. +# ARM64 likely don't need such a long delay, but it doesn't hurt too much having it. +matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds: "{{ 45 if matrix_postgres_architecture in ['arm32', 'arm64'] else 15 }}" + + +matrix_postgres_pgloader_container_image_self_build: false +matrix_postgres_pgloader_container_image_self_build_repo: "https://github.com/illagrenan/pgloader-docker.git" +matrix_postgres_pgloader_container_image_self_build_repo_branch: "v{{ matrix_postgres_pgloader_docker_image_tag }}" +matrix_postgres_pgloader_container_image_self_build_src_path: "{{ matrix_postgres_base_path }}/pgloader-container-src" + +# We use illagrenan/pgloader, instead of the more official dimitri/pgloader image, +# because the official one only provides a `latest` tag. +matrix_postgres_pgloader_docker_image: "{{ matrix_postgres_pgloader_docker_image_name_prefix }}illagrenan/pgloader:{{ matrix_postgres_pgloader_docker_image_tag }}" +matrix_postgres_pgloader_docker_image_name_prefix: "{{ 'localhost/' if matrix_postgres_pgloader_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_postgres_pgloader_docker_image_tag: "3.6.2" +matrix_postgres_pgloader_docker_image_force_pull: "{{ matrix_postgres_pgloader_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-postgres/tasks/import_generic_sqlite_db.yml b/roles/matrix-postgres/tasks/import_generic_sqlite_db.yml new file mode 100644 index 00000000..a42c6f55 --- /dev/null +++ b/roles/matrix-postgres/tasks/import_generic_sqlite_db.yml @@ -0,0 +1,97 @@ +--- + +# Pre-checks + +- name: Fail if Postgres not enabled + fail: + msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." + when: "not matrix_postgres_enabled|bool" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `sqlite_database_path` variable needs to be provided to this playbook, via --extra-vars" + when: "sqlite_database_path is not defined or sqlite_database_path.startswith('<')" + +- name: Check if the provided SQLite database file exists + stat: + path: "{{ sqlite_database_path }}" + register: sqlite_database_path_stat_result + +- name: Fail if provided SQLite database file doesn't exist + fail: + msg: "File cannot be found on the server at {{ sqlite_database_path }}" + when: "not sqlite_database_path_stat_result.stat.exists" + +# We either expect `postgres_db_connection_string` specifying a full Postgres database connection string, +# or `postgres_connection_string_variable_name`, specifying a name of a variable, which contains a valid connection string. + +- block: + - name: Fail if postgres_connection_string_variable_name points to an undefined variable + fail: msg="postgres_connection_string_variable_name is defined, but there is no variable with the name `{{ postgres_connection_string_variable_name }}`" + when: "postgres_connection_string_variable_name not in vars" + + - name: Get Postgres connection string from variable + set_fact: + postgres_db_connection_string: "{{ lookup('vars', postgres_connection_string_variable_name) }}" + when: 'postgres_connection_string_variable_name is defined' + +- name: Fail if playbook called incorrectly + fail: + msg: >- + Either a `postgres_db_connection_string` variable or a `postgres_connection_string_variable_name` needs to be provided to this playbook, via `--extra-vars`. + Example: `--extra-vars="postgres_db_connection_string=postgresql://username:password@localhost:/database_name"` or `--extra-vars="postgres_connection_string_variable_name=matrix_appservice_discord_database_connString"` + when: "postgres_db_connection_string is not defined or not postgres_db_connection_string.startswith('postgresql://')" + + +# Defaults + +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + + +# Actual import work + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: matrix_postgres_service_start_result + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false + when: "matrix_postgres_service_start_result.changed|bool" + +- name: Import SQLite database from {{ sqlite_database_path }} into Postgres + command: + cmd: >- + {{ matrix_host_command_docker }} run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --mount type=bind,src={{ sqlite_database_path }},dst=/in.db,ro + --entrypoint=/bin/sh + {{ matrix_postgres_pgloader_docker_image }} + -c + 'pgloader /in.db {{ postgres_db_connection_string }}' + +- name: Archive SQLite database ({{ sqlite_database_path }} -> {{ sqlite_database_path }}.backup) + command: + cmd: "mv {{ sqlite_database_path }} {{ sqlite_database_path }}.backup" + +- name: Inject result + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: Your SQLite database file has been imported into Postgres. The original file has been moved from `{{ sqlite_database_path }}` to `{{ sqlite_database_path }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." + ] + }} diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml new file mode 100644 index 00000000..b8e93219 --- /dev/null +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -0,0 +1,106 @@ +--- + +# Pre-checks + +- name: Fail if Postgres not enabled + fail: + msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." + when: "not matrix_postgres_enabled|bool" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `server_path_postgres_dump` variable needs to be provided to this playbook, via --extra-vars" + when: "server_path_postgres_dump is not defined or server_path_postgres_dump.startswith('<')" + +- name: Check if the provided Postgres dump file exists + stat: + path: "{{ server_path_postgres_dump }}" + register: result_server_path_postgres_dump_stat + +- name: Fail if provided Postgres dump file doesn't exists + fail: + msg: "File cannot be found on the server at {{ server_path_postgres_dump }}" + when: "not result_server_path_postgres_dump_stat.stat.exists" + + +# Defaults + +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + +- name: Set postgres_import_wait_time, if not provided + set_fact: + postgres_import_wait_time: "{{ 7 * 86400 }}" + when: "postgres_import_wait_time|default('') == ''" + +# By default, we connect and import into the main (`matrix`) database. +# Single-database dumps for Synapse may wish to import into `synapse` instead. +- name: Set postgres_default_import_database, if not provided + set_fact: + postgres_default_import_database: "{{ matrix_postgres_db_name }}" + when: "postgres_default_import_database|default('') == ''" + +# Actual import work + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false + +- import_tasks: tasks/util/detect_existing_postgres_version.yml + +- name: Abort, if no existing Postgres version detected + fail: + msg: "Could not find existing Postgres installation" + when: "not matrix_postgres_detected_existing|bool" + +# Starting the database container had automatically created the default +# role (`matrix_postgres_connection_username`) and database (`matrix_postgres_db_name`). +# The dump most likely contains those same entries and would try to re-create them, leading to errors. +# We need to skip over those lines. +- name: Generate Postgres database import command + set_fact: + matrix_postgres_import_command: >- + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-import + --log-driver=none + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql + --mount type=bind,src={{ server_path_postgres_dump }},dst=/{{ server_path_postgres_dump|basename }},ro + --entrypoint=/bin/sh + {{ matrix_postgres_docker_image_latest }} + -c "cat /{{ server_path_postgres_dump|basename }} | + {{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }} + grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' | + grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' | + psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname={{ postgres_default_import_database }}" + +# This is a hack. +# See: https://ansibledaily.com/print-to-standard-output-without-escaping/ +# +# We want to run `debug: msg=".."`, but that dumps it as JSON and escapes double quotes within it, +# which ruins the command (`matrix_postgres_import_command`) +- name: Note about Postgres importing alternative + set_fact: + dummy: true + with_items: + - >- + Importing Postgres database using the following command: `{{ matrix_postgres_import_command }}`. + If this crashes, you can stop Postgres (`systemctl stop matrix-postgres`), + delete its existing data (`rm -rf {{ matrix_postgres_data_path }}/*`), start it again (`systemctl start matrix-postgres`) + and manually run the above import command directly on the server. + +- name: Perform Postgres database import + command: "{{ matrix_postgres_import_command }}" + async: "{{ postgres_import_wait_time }}" + poll: 10 diff --git a/roles/matrix-postgres/tasks/import_synapse_sqlite_db.yml b/roles/matrix-postgres/tasks/import_synapse_sqlite_db.yml new file mode 100644 index 00000000..ea15c5a8 --- /dev/null +++ b/roles/matrix-postgres/tasks/import_synapse_sqlite_db.yml @@ -0,0 +1,86 @@ +--- + +# Pre-checks + +- name: Fail if Postgres not enabled + fail: + msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import." + when: "not matrix_postgres_enabled|bool" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `server_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars" + when: "server_path_homeserver_db is not defined or server_path_homeserver_db.startswith('<')" + +- name: Check if the provided SQLite homeserver.db file exists + stat: + path: "{{ server_path_homeserver_db }}" + register: result_server_path_homeserver_db_stat + +- name: Fail if provided SQLite homeserver.db file doesn't exist + fail: + msg: "File cannot be found on the server at {{ server_path_homeserver_db }}" + when: "not result_server_path_homeserver_db_stat.stat.exists" + + +# Defaults + +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + + +# Actual import work + +- name: Ensure matrix-postgres is stopped + service: + name: matrix-postgres + state: stopped + daemon_reload: yes + +- name: Ensure postgres data is wiped out + file: + path: "{{ matrix_postgres_data_path }}" + state: absent + +- name: Ensure postgres data path exists + file: + path: "{{ matrix_postgres_data_path }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: restarted + daemon_reload: yes + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false + +# We don't use the `docker_container` module, because using it with `cap_drop` requires +# a very recent version, which is not available for a lot of people yet. +# +# Also, some old `docker_container` versions were buggy and would leave containers behind +# on failure, which we had to work around to allow retries (by re-running the playbook). +- name: Import SQLite database into Postgres + command: | + docker run + --rm + --name=matrix-synapse-migrate + --log-driver=none + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --entrypoint=python + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/matrix-media-store-parent/media-store + --mount type=bind,src={{ server_path_homeserver_db }},dst=/{{ server_path_homeserver_db|basename }} + {{ matrix_synapse_docker_image }} + /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml diff --git a/roles/matrix-postgres/tasks/init.yml b/roles/matrix-postgres/tasks/init.yml new file mode 100644 index 00000000..a0f2ae60 --- /dev/null +++ b/roles/matrix-postgres/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres.service'] }}" + when: matrix_postgres_enabled|bool diff --git a/roles/matrix-postgres/tasks/main.yml b/roles/matrix-postgres/tasks/main.yml new file mode 100644 index 00000000..b9c2ae7c --- /dev/null +++ b/roles/matrix-postgres/tasks/main.yml @@ -0,0 +1,43 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_postgres_enabled|bool" + tags: + - setup-all + - setup-postgres + +- import_tasks: "{{ role_path }}/tasks/setup_postgres.yml" + when: run_setup|bool + tags: + - setup-all + - setup-postgres + +- import_tasks: "{{ role_path }}/tasks/import_postgres.yml" + when: run_postgres_import|bool + tags: + - import-postgres + +# The `run_postgres_import_sqlite_db` variable had better be renamed to be consistent, +# but that's a breaking change which may cause trouble for people. +- import_tasks: "{{ role_path }}/tasks/import_synapse_sqlite_db.yml" + when: run_postgres_import_sqlite_db|bool + tags: + - import-synapse-sqlite-db + +# Perhaps we need a new variable here, instead of `run_postgres_import_sqlite_db`. +- import_tasks: "{{ role_path }}/tasks/import_generic_sqlite_db.yml" + when: run_postgres_import_sqlite_db|bool + tags: + - import-generic-sqlite-db + +- import_tasks: "{{ role_path }}/tasks/upgrade_postgres.yml" + when: run_postgres_upgrade|bool + tags: + - upgrade-postgres + +- import_tasks: "{{ role_path }}/tasks/run_vacuum.yml" + when: run_postgres_vacuum|bool + tags: + - run-postgres-vacuum diff --git a/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml new file mode 100644 index 00000000..ef5fbf47 --- /dev/null +++ b/roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml @@ -0,0 +1,72 @@ +--- + +# We used to store Postgres data directly under `/matrix/postgres` (what is now considered `matrix_postgres_base_path`). +# +# From now on, we expect to store Postgres data one directory below now (`/matrix/postgres/data` - `matrix_postgres_data_path`). +# We wish to use the base directory for other purposes (storing environment variable files, etc.). +# Mixing those with the Postgres data is no good and it leads to Postgres's `initdb` complaining to initialize +# a database in a non-empty directory. +# +# For this reason, we store the Postgres data in `/matrix/postgres/data` and need to relocate any installations +# which still store it in the parent directory (`/matrix/postgres`). + +- name: Check if old Postgres data directory is used + stat: + path: "{{ matrix_postgres_base_path }}/PG_VERSION" + register: result_pg_old_data_dir_stat + +- name: Warn if old Postgres data directory detected + debug: + msg: > + Found that you have Postgres data in `{{ matrix_postgres_base_path }}`. + From now on, Postgres data is supposed to be stored in `{{ matrix_postgres_data_path }}` instead. + We'll stop Postgres and relocate the files there for you. + when: "result_pg_old_data_dir_stat.stat.exists" + +# We should stop Postgres first, before building a list of files, +# as to ignore any `postmaster.pid` files, etc. +- name: Ensure matrix-postgres is stopped + service: + name: matrix-postgres + state: stopped + daemon_reload: yes + when: "result_pg_old_data_dir_stat.stat.exists" + +- name: Find files and directories in old Postgres data path + find: + paths: "{{ matrix_postgres_base_path }}" + file_type: any + excludes: ["data"] + register: "result_pg_old_data_dir_find" + when: "result_pg_old_data_dir_stat.stat.exists" + +- name: Ensure new Postgres data path exists + file: + path: "{{ matrix_postgres_data_path }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "result_pg_old_data_dir_stat.stat.exists" + +- block: + - name: Relocate Postgres data files from old directory to new + command: "mv {{ item.path }} {{ matrix_postgres_data_path }}/{{ item.path|basename }}" + with_items: "{{ result_pg_old_data_dir_find.files }}" + when: "result_pg_old_data_dir_stat.stat.exists" + +# Intentionally not starting matrix-postgres here. +# It likely needs to be updated to point to the new directory. +# In fact, let's even get rid of the outdated service, to ensure no one will start it +# and have it initialize a new database. + +- name: Ensure outdated matrix-postgres.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-postgres.service" + state: absent + when: "result_pg_old_data_dir_stat.stat.exists" + +- name: Ensure systemd reloaded after getting rid of outdated matrix-postgres.service + service: + daemon_reload: yes + when: "result_pg_old_data_dir_stat.stat.exists" \ No newline at end of file diff --git a/roles/matrix-postgres/tasks/run_vacuum.yml b/roles/matrix-postgres/tasks/run_vacuum.yml new file mode 100644 index 00000000..19a27562 --- /dev/null +++ b/roles/matrix-postgres/tasks/run_vacuum.yml @@ -0,0 +1,90 @@ +--- + +# Pre-checks + +- name: Fail if Postgres not enabled + fail: + msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot run vacuum." + when: "not matrix_postgres_enabled|bool" + + +# Defaults + +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + +- name: Set postgres_vacuum_wait_time, if not provided + set_fact: + postgres_vacuum_wait_time: "{{ 7 * 86400 }}" + when: "postgres_vacuum_wait_time|default('') == ''" + + +# Actual vacuuming work + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false + +- import_tasks: tasks/util/detect_existing_postgres_version.yml + +- name: Abort, if no existing Postgres version detected + fail: + msg: "Could not find existing Postgres installation" + when: "not matrix_postgres_detected_existing|bool" + +- name: Generate Postgres database vacuum command + set_fact: + matrix_postgres_vacuum_command: >- + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-synapse-vacuum + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql + {{ matrix_postgres_docker_image_latest }} + psql -v ON_ERROR_STOP=1 -h matrix-postgres {{ matrix_synapse_database_database }} -c 'VACUUM FULL VERBOSE' + +- name: Note about Postgres vacuum alternative + debug: + msg: >- + Running vacuum with the following Postgres command: `{{ matrix_postgres_vacuum_command }}`. + If this crashes, you can stop all processes (`systemctl stop matrix-*`), + start Postgres only (`systemctl start matrix-postgres`) + and manually run the above command directly on the server. + +- name: Populate service facts + service_facts: + +- set_fact: + matrix_postgres_synapse_was_running: "{{ ansible_facts.services['matrix-synapse.service']|default(none) is not none and ansible_facts.services['matrix-synapse.service'].state == 'running' }}" + +- name: Ensure matrix-synapse is stopped + service: + name: matrix-synapse + state: stopped + daemon_reload: yes + +- name: Run Postgres vacuum command + command: "{{ matrix_postgres_vacuum_command }}" + async: "{{ postgres_vacuum_wait_time }}" + poll: 10 + register: matrix_postgres_synapse_vacuum_result + +# Intentionally show the results +- debug: var="matrix_postgres_synapse_vacuum_result" + +- name: Ensure matrix-synapse is started, if it previously was + service: + name: matrix-synapse + state: started + daemon_reload: yes + when: "matrix_postgres_synapse_was_running|bool" diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml new file mode 100644 index 00000000..4294bc11 --- /dev/null +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -0,0 +1,197 @@ +--- + +# +# Tasks related to setting up an internal postgres server +# + +- import_tasks: "{{ role_path }}/tasks/migrate_postgres_data_directory.yml" + when: matrix_postgres_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/util/detect_existing_postgres_version.yml" + when: matrix_postgres_enabled|bool + +# If we have found an existing version (installed from before), we use its corresponding Docker image. +# If not, we install using the latest Postgres. +# +# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`). +- set_fact: + matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}" + when: matrix_postgres_enabled|bool + +- name: Inject warning if on an old version of Postgres + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres" + ] + }} + when: "matrix_postgres_enabled|bool and matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest" + +# Even if we don't run the internal server, we still need this for running the CLI +- name: Ensure postgres Docker image is pulled + docker_image: + name: "{{ matrix_postgres_docker_image_to_use }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_postgres_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_docker_image_force_pull }}" + when: matrix_postgres_enabled|bool + +- name: Ensure Postgres paths exist + file: + path: "{{ item }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_postgres_base_path }}" + - "{{ matrix_postgres_data_path }}" + when: matrix_postgres_enabled|bool + +# We do this as a separate task, because: +# - we'd like to do it for the data path only, not for the base path (which contains root-owned environment variable files we'd like to leave as-is) +# - we need to do it without `mode`, or we risk making certain `.conf` and other files's executable bit to flip to true +- name: Ensure Postgres data path ownership is correct + file: + path: "{{ matrix_postgres_data_path }}" + state: directory + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + recurse: yes + when: matrix_postgres_enabled|bool + +- name: Ensure Postgres environment variables file created + template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_postgres_base_path }}/{{ item }}" + mode: 0640 + with_items: + - "env-postgres-psql" + - "env-postgres-server" + when: matrix_postgres_enabled|bool + +- name: Ensure matrix-postgres-cli script created + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2" + dest: "{{ matrix_local_bin_path }}/matrix-postgres-cli" + mode: 0755 + when: matrix_postgres_enabled|bool + +- name: Ensure matrix-change-user-admin-status script created + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2" + dest: "{{ matrix_local_bin_path }}/matrix-change-user-admin-status" + mode: 0755 + when: matrix_postgres_enabled|bool + +- name: (Migration) Ensure old matrix-make-user-admin script deleted + file: + path: "{{ matrix_local_bin_path }}/matrix-make-user-admin" + state: absent + when: matrix_postgres_enabled|bool + +- name: Ensure matrix-postgres-update-user-password-hash script created + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2" + dest: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash" + mode: 0755 + when: matrix_postgres_enabled|bool + +- name: Ensure matrix-postgres.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-postgres.service" + mode: 0644 + register: matrix_postgres_systemd_service_result + when: matrix_postgres_enabled|bool + +- name: Ensure systemd reloaded after matrix-postgres.service installation + service: + daemon_reload: yes + when: "matrix_postgres_enabled|bool and matrix_postgres_systemd_service_result.changed" + +- include_tasks: + file: "{{ role_path }}/tasks/util/create_additional_databases.yml" + apply: + tags: + - always + when: "matrix_postgres_enabled|bool and matrix_postgres_additional_databases|length > 0" + +- name: Check existence of matrix-postgres backup data path + stat: + path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup" + register: matrix_postgres_data_backup_path_stat + when: "matrix_postgres_enabled|bool" + +- name: Inject warning if backup data remains + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: You have some Postgres backup data in `{{ matrix_postgres_data_path }}-auto-upgrade-backup`, which was created during the last major Postgres update you ran. If your setup works well after this upgrade, feel free to delete this whole directory." + ] + }} + when: "matrix_postgres_enabled|bool and matrix_postgres_data_backup_path_stat.stat.exists" + + +# +# Tasks related to getting rid of the internal postgres server (if it was previously enabled) +# + +- name: Check existence of matrix-postgres service + stat: + path: "{{ matrix_systemd_path }}/matrix-postgres.service" + register: matrix_postgres_service_stat + when: "not matrix_postgres_enabled|bool" + +- name: Ensure matrix-postgres is stopped + service: + name: matrix-postgres + state: stopped + daemon_reload: yes + when: "not matrix_postgres_enabled|bool and matrix_postgres_service_stat.stat.exists" + +- name: Ensure matrix-postgres.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-postgres.service" + state: absent + when: "not matrix_postgres_enabled|bool and matrix_postgres_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-postgres.service removal + service: + daemon_reload: yes + when: "not matrix_postgres_enabled|bool and matrix_postgres_service_stat.stat.exists" + +- name: Check existence of matrix-postgres local data path + stat: + path: "{{ matrix_postgres_data_path }}" + register: matrix_postgres_data_path_stat + when: "not matrix_postgres_enabled|bool" + +# We just want to notify the user. Deleting data is too destructive. +- name: Inject warning if matrix-postgres local data remains + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it." + ] + }} + when: "not matrix_postgres_enabled|bool and matrix_postgres_data_path_stat.stat.exists" + +- name: Remove Postgres scripts + file: + path: "{{ matrix_local_bin_path }}/{{ item }}" + state: absent + with_items: + - matrix-postgres-cli + - matrix-change-user-admin-status + - matrix-postgres-update-user-password-hash + when: "not matrix_postgres_enabled|bool" diff --git a/roles/matrix-postgres/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml new file mode 100644 index 00000000..564265d8 --- /dev/null +++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml @@ -0,0 +1,172 @@ +--- + +- name: Set default postgres_dump_dir, if not provided + set_fact: + postgres_dump_dir: "/tmp" + when: "postgres_dump_dir|default('') == ''" + +- name: Set postgres_dump_name, if not provided + set_fact: + postgres_dump_name: "matrix-postgres-dump.sql.gz" + when: "postgres_dump_name|default('') == ''" + +- name: Set postgres_auto_upgrade_backup_data_path, if not provided + set_fact: + postgres_auto_upgrade_backup_data_path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup" + when: "postgres_auto_upgrade_backup_data_path|default('') == ''" + +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + +- name: Set postgres_force_upgrade, if not provided + set_fact: + postgres_force_upgrade: false + when: "postgres_force_upgrade|default('') == ''" + +- name: Fail, if trying to upgrade external Postgres database + fail: + msg: "Your configuration indicates that you're not using Postgres from this role. There is nothing to upgrade." + when: "not matrix_postgres_enabled|bool" + +- name: Check Postgres auto-upgrade backup data directory + stat: + path: "{{ postgres_auto_upgrade_backup_data_path }}" + register: result_auto_upgrade_path + +- name: Abort, if existing Postgres auto-upgrade data path detected + fail: + msg: "Detected that a left-over {{ postgres_auto_upgrade_backup_data_path }} exists. You should rename it to {{ matrix_postgres_data_path }} if the previous upgrade went wrong, or delete it if it went well." + when: "result_auto_upgrade_path.stat.exists" + +- import_tasks: tasks/util/detect_existing_postgres_version.yml + +- name: Abort, if no existing Postgres version detected + fail: + msg: "Could not find existing Postgres installation" + when: "not matrix_postgres_detected_existing|bool" + +- name: Abort, if already at latest Postgres version + fail: + msg: "You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do" + when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest and not postgres_force_upgrade" + +- debug: + msg: "Upgrading database from {{ matrix_postgres_detected_version_corresponding_docker_image }} to {{ matrix_postgres_docker_image_latest }}" + +- name: Ensure matrix-synapse is stopped + service: + name: matrix-synapse + state: stopped + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false + +# We dump all databases, roles, etc. +# +# Because we'll be importing into a new container which initializes the default +# role (`matrix_postgres_connection_username`) and database (`matrix_postgres_db_name`) by itself on startup, +# we need to remove these from the dump, or we'll get errors saying these already exist. +- name: Perform Postgres database dump + command: >- + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-dump + --log-driver=none + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --network={{ matrix_docker_network }} + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql + --entrypoint=/bin/sh + --mount type=bind,src={{ postgres_dump_dir }},dst=/out + {{ matrix_postgres_detected_version_corresponding_docker_image }} + -c "pg_dumpall -h matrix-postgres + {{ '| gzip -c ' if postgres_dump_name.endswith('.gz') else '' }} + > /out/{{ postgres_dump_name }}" + +- name: Ensure matrix-postgres is stopped + service: + name: matrix-postgres + state: stopped + +- name: Rename existing Postgres data directory + command: "mv {{ matrix_postgres_data_path }} {{ postgres_auto_upgrade_backup_data_path }}" + +- debug: + msg: "NOTE: Your Postgres data directory has been moved from `{{ matrix_postgres_data_path }}` to `{{ postgres_auto_upgrade_backup_data_path }}`. In the event of failure, you can move it back and run the playbook with --tags=setup-postgres to restore operation." + +- import_tasks: tasks/setup_postgres.yml + +- name: Ensure matrix-postgres autoruns and is restarted + service: + name: matrix-postgres + enabled: yes + state: restarted + daemon_reload: yes + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false + +# Starting the database container had automatically created the default +# role (`matrix_postgres_connection_username`) and database (`matrix_postgres_db_name`). +# The dump most likely contains those same entries and would try to re-create them, leading to errors. +# We need to skip over those lines. +- name: Generate Postgres database import command + set_fact: + matrix_postgres_import_command: >- + {{ matrix_host_command_docker }} run --rm --name matrix-postgres-import + --log-driver=none + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql + --entrypoint=/bin/sh + --mount type=bind,src={{ postgres_dump_dir }},dst=/in,ro + {{ matrix_postgres_docker_image_latest }} + -c "cat /in/{{ postgres_dump_name }} | + {{ 'gunzip |' if postgres_dump_name.endswith('.gz') else '' }} + grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' | + grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' | + psql -v ON_ERROR_STOP=1 -h matrix-postgres" + +# This is a hack. +# See: https://ansibledaily.com/print-to-standard-output-without-escaping/ +# +# We want to run `debug: msg=".."`, but that dumps it as JSON and escapes double quotes within it, +# which ruins the command (`matrix_postgres_import_command`) +- name: Note about Postgres importing + set_fact: + dummy: true + with_items: + - >- + Importing Postgres database using the following command: `{{ matrix_postgres_import_command }}`. + If this crashes, you can stop Postgres (`systemctl stop matrix-postgres`), + delete the new database data (`rm -rf {{ matrix_postgres_data_path }}`) + and restore the automatically-made backup (`mv {{ postgres_auto_upgrade_backup_data_path }} {{ matrix_postgres_data_path }}`). + +- name: Perform Postgres database import + command: "{{ matrix_postgres_import_command }}" + +- name: Delete Postgres database dump file + file: + path: "{{ postgres_dump_dir }}/{{ postgres_dump_name }}" + state: absent + +- name: Ensure matrix-synapse is started + service: + name: matrix-synapse + state: started + daemon_reload: yes + +- debug: + msg: "NOTE: Your old Postgres data directory is preserved at `{{ postgres_auto_upgrade_backup_data_path }}`. You might want to get rid of it once you've confirmed that all is well." diff --git a/roles/matrix-postgres/tasks/util/create_additional_database.yml b/roles/matrix-postgres/tasks/util/create_additional_database.yml new file mode 100644 index 00000000..22b3c9a2 --- /dev/null +++ b/roles/matrix-postgres/tasks/util/create_additional_database.yml @@ -0,0 +1,40 @@ +--- + +# It'd be better if this is belonged to `validate_config.yml`, but it would have to be some loop-within-a-loop there, +# and that's ugly. We also don't expect this to catch errors often. It's more of a defensive last-minute check. +- name: Fail if additional database data appears invalid + fail: + msg: "Additional database definition ({{ additional_db }} lacks a required key: {{ item }}" + when: "item not in additional_db" + with_items: "{{ ['name', 'username', 'password'] }}" + +# The SQL statements that we'll run against Postgres are stored in a file that others can't read. +# This file will be mounted into the container and fed to Postgres. +# This way, we avoid passing sensitive data around in CLI commands that other users on the system can see. +- name: Create additional database initialization SQL file for {{ additional_db.name }} + template: + src: "{{ role_path }}/templates/sql/init-additional-db-user-and-role.sql.j2" + dest: "/tmp/matrix-postgres-init-additional-db-user-and-role.sql" + mode: 0600 + owner: "{{ matrix_user_uid }}" + group: "{{ matrix_user_gid }}" + +- name: Execute Postgres additional database initialization SQL file for {{ additional_db.name }} + command: + cmd: >- + {{ matrix_host_command_docker }} run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql + --network {{ matrix_docker_network }} + --mount type=bind,src=/tmp/matrix-postgres-init-additional-db-user-and-role.sql,dst=/matrix-postgres-init-additional-db-user-and-role.sql,ro + --entrypoint=/bin/sh + {{ matrix_postgres_docker_image_to_use }} + -c + 'psql -h {{ matrix_postgres_connection_hostname }} --file=/matrix-postgres-init-additional-db-user-and-role.sql' + +- name: Delete additional database initialization SQL file for {{ additional_db.name }} + file: + path: /tmp/matrix-postgres-init-additional-db-user-and-role.sql + state: absent diff --git a/roles/matrix-postgres/tasks/util/create_additional_databases.yml b/roles/matrix-postgres/tasks/util/create_additional_databases.yml new file mode 100644 index 00000000..0ad460dd --- /dev/null +++ b/roles/matrix-postgres/tasks/util/create_additional_databases.yml @@ -0,0 +1,23 @@ +--- + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: matrix_postgres_service_start_result + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds }}" + delegate_to: 127.0.0.1 + become: false + when: "matrix_postgres_service_start_result.changed|bool" + +- name: Create additional Postgres user and database + include_tasks: "{{ role_path }}/tasks/util/create_additional_database.yml" + with_items: "{{ matrix_postgres_additional_databases }}" + loop_control: + loop_var: additional_db + # Suppress logging to avoid dumping the credentials to the shell + no_log: true diff --git a/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml b/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml new file mode 100644 index 00000000..9032c15e --- /dev/null +++ b/roles/matrix-postgres/tasks/util/detect_existing_postgres_version.yml @@ -0,0 +1,56 @@ +--- + +# This utility aims to determine if there is some existing Postgres version in use or not. +# If there is, it also tries to detect the Docker image that corresponds to that version. + +- name: Initialize Postgres version determination variables (default to empty) + set_fact: + matrix_postgres_detection_pg_version_path: "{{ matrix_postgres_data_path }}/PG_VERSION" + matrix_postgres_detected_existing: false + matrix_postgres_detected_version: "" + matrix_postgres_detected_version_corresponding_docker_image: "" + +- name: Determine existing Postgres version (check PG_VERSION file) + stat: + path: "{{ matrix_postgres_detection_pg_version_path }}" + register: result_pg_version_stat + +- set_fact: + matrix_postgres_detected_existing: true + when: "result_pg_version_stat.stat.exists" + +- name: Determine existing Postgres version (read PG_VERSION file) + slurp: + src: "{{ matrix_postgres_detection_pg_version_path }}" + register: result_pg_version + when: matrix_postgres_detected_existing|bool + +- name: Determine existing Postgres version (make sense of PG_VERSION file) + set_fact: + matrix_postgres_detected_version: "{{ result_pg_version['content']|b64decode|replace('\n', '') }}" + when: matrix_postgres_detected_existing|bool + +- name: Determine corresponding Docker image to detected version (assume default of latest) + set_fact: + matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_latest }}" + when: "matrix_postgres_detected_version != ''" + +- name: Determine corresponding Docker image to detected version (use 9.x, if detected) + set_fact: + matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v9 }}" + when: "matrix_postgres_detected_version.startswith('9.')" + +- name: Determine corresponding Docker image to detected version (use 10.x, if detected) + set_fact: + matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v10 }}" + when: "matrix_postgres_detected_version == '10' or matrix_postgres_detected_version.startswith('10.')" + +- name: Determine corresponding Docker image to detected version (use 11.x, if detected) + set_fact: + matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v11 }}" + when: "matrix_postgres_detected_version == '11' or matrix_postgres_detected_version.startswith('11.')" + +- name: Determine corresponding Docker image to detected version (use 12.x, if detected) + set_fact: + matrix_postgres_detected_version_corresponding_docker_image: "{{ matrix_postgres_docker_image_v12 }}" + when: "matrix_postgres_detected_version == '12' or matrix_postgres_detected_version.startswith('12.')" diff --git a/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml new file mode 100644 index 00000000..cf595ade --- /dev/null +++ b/roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml @@ -0,0 +1,169 @@ +--- + +- name: Fail if Postgres not enabled + fail: + msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot migrate." + when: "not matrix_postgres_enabled|bool" + +- name: Fail if util called incorrectly (missing matrix_postgres_db_migration_request) + fail: + msg: "The `matrix_postgres_db_migration_request` variable needs to be provided to this util." + when: "matrix_postgres_db_migration_request is not defined" + +- name: Fail if util called incorrectly (invalid matrix_postgres_db_migration_request) + fail: + msg: "The `matrix_postgres_db_migration_request` variable needs to contain `{{ item }}`." + with_items: + - src + - dst + - caller + - engine_variable_name + - systemd_services_to_stop + when: "item not in matrix_postgres_db_migration_request" + +- name: Check if the provided source database file exists + stat: + path: "{{ matrix_postgres_db_migration_request.src }}" + register: matrix_postgres_db_migration_request_src_stat_result + +- name: Fail if provided source database file doesn't exist + fail: + msg: "File cannot be found on the server at {{ matrix_postgres_db_migration_request.src }}" + when: "not matrix_postgres_db_migration_request_src_stat_result.stat.exists" + +- block: + - name: Ensure pgloader repository is present on self-build + git: + repo: "{{ matrix_postgres_pgloader_container_image_self_build_repo }}" + dest: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}" + version: "{{ matrix_postgres_pgloader_container_image_self_build_repo_branch }}" + force: "yes" + register: matrix_postgres_pgloader_git_pull_results + + # If `stable` is used, we hit an error when processing /opt/src/pgloader/build/quicklisp/dists/quicklisp/software/uax-15-20201220-git/data/CompositionExclusions.txt: + # > the octet sequence #(194) cannot be decoded + # + # The issue is described here and is not getting fixed for months: https://github.com/dimitri/pgloader/pull/1179 + # + # Although we're not using the dimitri/pgloader image, the one we're using suffers from the same problem. + - name: Switch pgloader base image from Debian stable (likely 10.x/Buster) to Bullseye + lineinfile: + path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}/Dockerfile" + regexp: "{{ item.match }}" + line: "{{ item.replace }}" + with_items: + - match: '^FROM debian:stable-slim as builder$' + replace: 'FROM debian:bullseye-slim as builder' + - match: '^FROM debian:stable-slim$' + replace: 'FROM debian:bullseye-slim' + + - name: Ensure pgloader Docker image is built + docker_image: + name: "{{ matrix_postgres_pgloader_docker_image }}" + source: build + force_source: "{{ matrix_postgres_pgloader_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_pgloader_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}" + pull: yes + when: "matrix_postgres_pgloader_container_image_self_build|bool" + +- name: Ensure pgloader Docker image is pulled + docker_image: + name: "{{ matrix_postgres_pgloader_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_postgres_pgloader_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_pgloader_docker_image_force_pull }}" + when: "not matrix_postgres_pgloader_container_image_self_build" + +# Defaults + +- name: Set postgres_start_wait_time, if not provided + set_fact: + postgres_start_wait_time: 15 + when: "postgres_start_wait_time|default('') == ''" + +# Actual import work + +# matrix-postgres is most likely started already +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: matrix_postgres_service_start_result + +- name: Wait a bit, so that Postgres can start + wait_for: + timeout: "{{ postgres_start_wait_time }}" + delegate_to: 127.0.0.1 + become: false + when: "matrix_postgres_service_start_result.changed|bool" + +# We only stop services here, leaving it to the caller to start them later. +# +# We can't start them, because they probably need to be reconfigured too (changing the configuration from using SQLite to Postgres, etc.), +# before starting. +# +# Since the caller will be starting them, it might make sense to leave stopping to it as well. +# However, we don't do it, because it's simpler having it here, and it also gets to happen only if we'll be doing an import. +# If we bailed out (somewhere above), nothing would have gotten stopped. It's nice to leave this running in such cases. +- name: Ensure systemd services blocking the database import are stopped + service: + name: "{{ item }}" + state: stopped + failed_when: false + with_items: "{{ matrix_postgres_db_migration_request.systemd_services_to_stop }}" + +- name: Import {{ matrix_postgres_db_migration_request.engine_old }} database from {{ matrix_postgres_db_migration_request.src }} into Postgres + command: + cmd: >- + {{ matrix_host_command_docker }} run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --mount type=bind,src={{ matrix_postgres_db_migration_request.src }},dst=/in.db,ro + --entrypoint=/bin/sh + {{ matrix_postgres_pgloader_docker_image }} + -c + 'pgloader {{ matrix_postgres_db_migration_request.pgloader_options|default([])|join(' ') }} /in.db {{ matrix_postgres_db_migration_request.dst }}' + +- block: + # We can't use `{{ role_path }}` here, neither with `import_tasks`, nor with `include_tasks`, + # because it refers to the role that included this util, and not to the role this file belongs to. + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/detect_existing_postgres_version.yml" + + - set_fact: + matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}" + + - name: Execute additional Postgres SQL migration statements + command: + cmd: >- + {{ matrix_host_command_docker }} run + --rm + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql + --network={{ matrix_docker_network }} + {{ matrix_postgres_docker_image_to_use }} + psql --host=matrix-postgres --dbname={{ matrix_postgres_db_migration_request.additional_psql_statements_db_name }} --command='{{ item }}' + with_items: "{{ matrix_postgres_db_migration_request.additional_psql_statements_list }}" + + when: "matrix_postgres_db_migration_request.additional_psql_statements_list|default([])|length > 0" + +- name: Archive {{ matrix_postgres_db_migration_request.engine_old }} database ({{ matrix_postgres_db_migration_request.src }} -> {{ matrix_postgres_db_migration_request.src }}.backup) + command: + cmd: "mv {{ matrix_postgres_db_migration_request.src }} {{ matrix_postgres_db_migration_request.src }}.backup" + +- name: Inject result + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: Your {{ matrix_postgres_db_migration_request.engine_old }} database file has been imported into Postgres. The original database file has been moved from `{{ matrix_postgres_db_migration_request.src }}` to `{{ matrix_postgres_db_migration_request.src }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file." + ] + }} diff --git a/roles/matrix-postgres/tasks/validate_config.yml b/roles/matrix-postgres/tasks/validate_config.yml new file mode 100644 index 00000000..eac4dd5b --- /dev/null +++ b/roles/matrix-postgres/tasks/validate_config.yml @@ -0,0 +1,39 @@ +--- + +- name: (Deprecation) Warn about matrix_postgres_use_external usage + fail: + msg: > + The `matrix_postgres_use_external` variable defined in your configuration is not used by this playbook anymore! + You'll need to adapt to the new way of using an external Postgres server. + It's a combination of `matrix_postgres_enabled: false` and specifying Postgres connection + details in a few `matrix_postgres_connection_` variables. + See the "Using an external PostgreSQL server (optional)" documentation page. + when: "'matrix_postgres_use_external' in vars" + +# This is separate (from the other required variables below), +# because we'd like to have a friendlier message for our existing users. +- name: Fail if matrix_postgres_connection_password not defined + fail: + msg: >- + The playbook no longer has a default Postgres password defined in the `matrix_postgres_connection_password` variable, among lots of other Postgres changes. + You need to perform multiple manual steps to resolve this. + See our changelog for more details: + https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-postgres-changes-that-require-manual-intervention + when: "matrix_postgres_connection_password == ''" + +- name: Fail if required Postgres settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_postgres_connection_hostname" + - "matrix_postgres_connection_port" + - "matrix_postgres_connection_username" + - "matrix_postgres_connection_password" + - "matrix_postgres_db_name" + +- name: Fail if Postgres password length exceeded + fail: + msg: "The maximum `matrix_postgres_connection_password` length is 99 characters" + when: "matrix_postgres_connection_password|length > 99" diff --git a/roles/matrix-postgres/templates/env-postgres-psql.j2 b/roles/matrix-postgres/templates/env-postgres-psql.j2 new file mode 100644 index 00000000..c61927a3 --- /dev/null +++ b/roles/matrix-postgres/templates/env-postgres-psql.j2 @@ -0,0 +1,4 @@ +#jinja2: lstrip_blocks: "True" +PGUSER={{ matrix_postgres_connection_username }} +PGPASSWORD={{ matrix_postgres_connection_password }} +PGDATABASE={{ matrix_postgres_db_name }} \ No newline at end of file diff --git a/roles/matrix-postgres/templates/env-postgres-server.j2 b/roles/matrix-postgres/templates/env-postgres-server.j2 new file mode 100644 index 00000000..06feb82a --- /dev/null +++ b/roles/matrix-postgres/templates/env-postgres-server.j2 @@ -0,0 +1,7 @@ +#jinja2: lstrip_blocks: "True" +POSTGRES_USER={{ matrix_postgres_connection_username }} +POSTGRES_PASSWORD={{ matrix_postgres_connection_password }} +POSTGRES_DB={{ matrix_postgres_db_name }} +# Synapse refuses to run if collation is not C. +# See https://github.com/matrix-org/synapse/issues/6722 +POSTGRES_INITDB_ARGS=--lc-collate C --lc-ctype C --encoding UTF8 diff --git a/roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 b/roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 new file mode 100644 index 00000000..a5a3385b --- /dev/null +++ b/roles/matrix-postgres/templates/sql/init-additional-db-user-and-role.sql.j2 @@ -0,0 +1,19 @@ +-- `CREATE USER` does not support `IF NOT EXISTS`, so we use this workaround to prevent an error and raise a notice instead. +-- Seen here: https://stackoverflow.com/a/49858797 +DO $$ +BEGIN + CREATE USER "{{ additional_db.username }}"; + EXCEPTION WHEN DUPLICATE_OBJECT THEN + RAISE NOTICE 'not creating user "{{ additional_db.username }}", since it already exists'; +END +$$; + +-- This is useful for initial user creation (since we don't assign a password above) and for handling subsequent password changes +-- TODO - we should escape quotes in the password. +ALTER ROLE "{{ additional_db.username }}" PASSWORD '{{ additional_db.password }}'; + +-- This will generate an error on subsequent execution +CREATE DATABASE "{{ additional_db.name }}" WITH LC_CTYPE 'C' LC_COLLATE 'C' OWNER "{{ additional_db.username }}"; + +-- This is useful for changing the database owner subsequently +ALTER DATABASE "{{ additional_db.name }}" OWNER TO "{{ additional_db.username }}"; diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 new file mode 100644 index 00000000..6d1b1c6f --- /dev/null +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -0,0 +1,41 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Postgres server +After=docker.service +Requires=docker.service +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ + --tmpfs=/run/postgresql:rw,noexec,nosuid,size=100m \ + --network={{ matrix_docker_network }} \ + {% if matrix_postgres_container_postgres_bind_port %} + -p {{ matrix_postgres_container_postgres_bind_port }}:5432 \ + {% endif %} + --env-file={{ matrix_postgres_base_path }}/env-postgres-server \ + --mount type=bind,src={{ matrix_postgres_data_path }},dst=/var/lib/postgresql/data \ + --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ + {% for arg in matrix_postgres_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_postgres_docker_image_to_use }} \ + postgres {{ matrix_postgres_process_extra_arguments|join(' ') }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-postgres 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-postgres 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-postgres + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 new file mode 100644 index 00000000..6c3082ef --- /dev/null +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 @@ -0,0 +1,19 @@ +#jinja2: lstrip_blocks: "True" +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" <0/1>" + echo "Usage: 0 = non-admin" + echo "Usage: 1 = admin" + exit 1 +fi + +docker run \ + -it \ + --rm \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ + --network {{ matrix_docker_network }} \ + {{ matrix_postgres_docker_image_to_use }} \ + psql -h {{ matrix_postgres_connection_hostname }} --dbname={{ matrix_synapse_database_database }} -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 new file mode 100644 index 00000000..de09a4eb --- /dev/null +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 @@ -0,0 +1,13 @@ +#jinja2: lstrip_blocks: "True" +#!/bin/bash + +docker run \ + -it \ + --rm \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ + --network {{ matrix_docker_network }} \ + {{ matrix_postgres_docker_image_to_use }} \ + psql -h {{ matrix_postgres_connection_hostname }} \ + "$@" diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 new file mode 100644 index 00000000..0fbf4f21 --- /dev/null +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 @@ -0,0 +1,16 @@ +#jinja2: lstrip_blocks: "True" +#!/bin/bash + +if [ $# -ne 2 ]; then + echo "Usage: "$0" " + exit 1 +fi + +docker run \ + --rm \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ + --network {{ matrix_docker_network }} \ + {{ matrix_postgres_docker_image_to_use }} \ + psql -h {{ matrix_postgres_connection_hostname }} --dbname={{ matrix_synapse_database_database }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'" diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml new file mode 100644 index 00000000..492d48b1 --- /dev/null +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -0,0 +1,34 @@ +# matrix-prometheus-node-exporter is an Prometheus exporter for machine metrics +# See: https://prometheus.io/docs/guides/node-exporter/ + +matrix_prometheus_node_exporter_enabled: false + +matrix_prometheus_node_exporter_version: v1.1.2 +matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" +matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" + +# A list of extra arguments to pass to the container +matrix_prometheus_node_exporter_container_extra_arguments: [] + +# List of systemd services that matrix-prometheus.service depends on +matrix_prometheus_node_exporter_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-prometheus.service wants +matrix_prometheus_node_exporter_systemd_wanted_services_list: [] + +# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). +# +# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# +# Official recommendations are to run this container with `--net=host`, +# but we don't do that, since it: +# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) +# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`) +# +# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, +# but that's trickier to accomplish and won't necessarily work (hasn't been tested). +# +# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), +# because node-exporter can't see all interfaces, etc. +# For now, we'll live with that, until someone develops a better solution. +matrix_prometheus_node_exporter_container_http_host_bind_port: '' diff --git a/roles/matrix-prometheus-node-exporter/tasks/init.yml b/roles/matrix-prometheus-node-exporter/tasks/init.yml new file mode 100644 index 00000000..2894b717 --- /dev/null +++ b/roles/matrix-prometheus-node-exporter/tasks/init.yml @@ -0,0 +1,5 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-node-exporter.service'] }}" + when: matrix_prometheus_node_exporter_enabled|bool + + diff --git a/roles/matrix-prometheus-node-exporter/tasks/main.yml b/roles/matrix-prometheus-node-exporter/tasks/main.yml new file mode 100644 index 00000000..172b5721 --- /dev/null +++ b/roles/matrix-prometheus-node-exporter/tasks/main.yml @@ -0,0 +1,8 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup-all + - setup-prometheus-node-exporter diff --git a/roles/matrix-prometheus-node-exporter/tasks/setup.yml b/roles/matrix-prometheus-node-exporter/tasks/setup.yml new file mode 100644 index 00000000..34086e6c --- /dev/null +++ b/roles/matrix-prometheus-node-exporter/tasks/setup.yml @@ -0,0 +1,54 @@ +--- + +# +# Tasks related to setting up matrix-prometheus-node-exporter +# + +- name: Ensure matrix-prometheus-node-exporter image is pulled + docker_image: + name: "{{ matrix_prometheus_node_exporter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_prometheus_node_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_node_exporter_docker_image_force_pull }}" + when: "matrix_prometheus_node_exporter_enabled|bool" + +- name: Ensure matrix-prometheus-node-exporter.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-prometheus-node-exporter.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-prometheus-node-exporter.service" + mode: 0644 + register: matrix_prometheus_node_exporter_systemd_service_result + when: matrix_prometheus_node_exporter_enabled|bool + +- name: Ensure systemd reloaded after matrix-prometheus.service installation + service: + daemon_reload: yes + when: "matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_systemd_service_result.changed" + +# +# Tasks related to getting rid of matrix-prometheus-node-exporter (if it was previously enabled) +# + +- name: Check existence of matrix-prometheus-node-exporter service + stat: + path: "{{ matrix_systemd_path }}/matrix-prometheus-node-exporter.service" + register: matrix_prometheus_node_exporter_service_stat + +- name: Ensure matrix-prometheus-node-exporter is stopped + service: + name: matrix-prometheus-node-exporter + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists" + +- name: Ensure matrix-prometheus-node-exporter.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-prometheus-node-exporter.service" + state: absent + when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-prometheus-node-exporter.service removal + service: + daemon_reload: yes + when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists" diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 new file mode 100644 index 00000000..210a0d97 --- /dev/null +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -0,0 +1,44 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-prometheus-node-exporter +{% for service in matrix_prometheus_node_exporter_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_prometheus_node_exporter_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' + + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-node-exporter \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + --network={{ matrix_docker_network }} \ + {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ + {% endif %} + --pid=host \ + --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ + {{ matrix_prometheus_node_exporter_docker_image }} \ + --path.rootfs=/host + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-node-exporter 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-prometheus-node-exporter + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-prometheus-postgres-exporter/defaults/main.yml b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml new file mode 100644 index 00000000..8aca4576 --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/defaults/main.yml @@ -0,0 +1,49 @@ +# matrix-prometheus-postgres-exporter is an Prometheus exporter for postgres metrics +# See: https://github.com/prometheus-community/postgres_exporter + +matrix_prometheus_postgres_exporter_enabled: false + +matrix_prometheus_postgres_exporter_version: v0.9.0 +matrix_prometheus_postgres_exporter_port: 9187 + +matrix_prometheus_postgres_exporter_docker_image: "quay.io/prometheuscommunity/postgres-exporter:{{ matrix_prometheus_postgres_exporter_version }}" +matrix_prometheus_postgres_exporter_docker_image_force_pull: "{{ matrix_prometheus_postgres_exporter_docker_image.endswith(':latest') }}" + +# A list of extra arguments to pass to the container +matrix_prometheus_postgres_exporter_container_extra_arguments: ["-e PG_EXPORTER_AUTO_DISCOVER_DATABASES=true", + "-e PG_EXPORTER_WEB_LISTEN_ADDRESS=\":{{matrix_prometheus_postgres_exporter_port}}\"", + "-e DATA_SOURCE_NAME=\"postgresql://{{matrix_prometheus_postgres_exporter_database_username}}:{{matrix_prometheus_postgres_exporter_database_password}}@{{matrix_prometheus_postgres_exporter_database_hostname}}:5432/{{matrix_prometheus_postgres_exporter_database_name}}?sslmode=disable\"" ] + +# List of systemd services that matrix-prometheus-postgres-exporter.service depends on +matrix_prometheus_postgres_exporter_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-prometheus-postgres-exporter.service wants +matrix_prometheus_postgres_exporter_systemd_wanted_services_list: [] + +# details for connecting to the database +matrix_prometheus_postgres_exporter_database_username: 'matrix_prometheus_postgres_exporter' +matrix_prometheus_postgres_exporter_database_password: 'some-password' +matrix_prometheus_postgres_exporter_database_hostname: 'matrix-postgres' +matrix_prometheus_postgres_exporter_database_port: 5432 +matrix_prometheus_postgres_exporter_database_name: 'matrix_prometheus_postgres_exporter' + + +# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). +# +# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# +# Official recommendations are to run this container with `--net=host`, +# but we don't do that, since it: +# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) +# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`) +# +# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, +# but that's trickier to accomplish and won't necessarily work (hasn't been tested). +# +# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), +# because node-exporter can't see all interfaces, etc. +# For now, we'll live with that, until someone develops a better solution. +matrix_prometheus_postgres_exporter_container_http_host_bind_port: '' + +matrix_prometheus_postgres_exporter_dashboard_urls: +- "https://grafana.com/api/dashboards/9628/revisions/7/download" \ No newline at end of file diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/init.yml b/roles/matrix-prometheus-postgres-exporter/tasks/init.yml new file mode 100644 index 00000000..2bd6904e --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/init.yml @@ -0,0 +1,5 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus-postgres-exporter.service'] }}" + when: matrix_prometheus_postgres_exporter_enabled|bool + + diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/main.yml b/roles/matrix-prometheus-postgres-exporter/tasks/main.yml new file mode 100644 index 00000000..e3c364fa --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/main.yml @@ -0,0 +1,8 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup-all + - setup-prometheus-postgres-exporter diff --git a/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml b/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml new file mode 100644 index 00000000..076ece1a --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/tasks/setup.yml @@ -0,0 +1,54 @@ +--- + +# +# Tasks related to setting up matrix-prometheus-postgres-exporter +# + +- name: Ensure matrix-prometheus-postgres-exporter image is pulled + docker_image: + name: "{{ matrix_prometheus_postgres_exporter_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_prometheus_postgres_exporter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_postgres_exporter_docker_image_force_pull }}" + when: "matrix_prometheus_postgres_exporter_enabled|bool" + +- name: Ensure matrix-prometheus-postgres-exporter.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-prometheus-postgres-exporter.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + mode: 0644 + register: matrix_prometheus_postgres_exporter_systemd_service_result + when: matrix_prometheus_postgres_exporter_enabled|bool + +- name: Ensure systemd reloaded after matrix-prometheus.service installation + service: + daemon_reload: yes + when: "matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_systemd_service_result.changed" + +# +# Tasks related to getting rid of matrix-prometheus-postgres-exporter (if it was previously enabled) +# + +- name: Check existence of matrix-prometheus-postgres-exporter service + stat: + path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + register: matrix_prometheus_postgres_exporter_service_stat + +- name: Ensure matrix-prometheus-postgres-exporter is stopped + service: + name: matrix-prometheus-postgres-exporter + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" + +- name: Ensure matrix-prometheus-postgres-exporter.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-prometheus-postgres-exporter.service" + state: absent + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-prometheus-postgres-exporter.service removal + service: + daemon_reload: yes + when: "not matrix_prometheus_postgres_exporter_enabled|bool and matrix_prometheus_postgres_exporter_service_stat.stat.exists" diff --git a/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 new file mode 100644 index 00000000..b25cb5de --- /dev/null +++ b/roles/matrix-prometheus-postgres-exporter/templates/systemd/matrix-prometheus-postgres-exporter.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-prometheus-postgres-exporter +{% for service in matrix_prometheus_postgres_exporter_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_prometheus_postgres_exporter_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' + + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-postgres-exporter \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + {% for arg in matrix_prometheus_postgres_exporter_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + --network={{ matrix_docker_network }} \ + {% if matrix_prometheus_postgres_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_postgres_exporter_container_http_host_bind_port }}:{{matrix_prometheus_postgres_exporter_port}} \ + {% endif %} + --pid=host \ + {{ matrix_prometheus_postgres_exporter_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-postgres-exporter 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus-postgres-exporter 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-prometheus-postgres-exporter + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml new file mode 100644 index 00000000..3725993c --- /dev/null +++ b/roles/matrix-prometheus/defaults/main.yml @@ -0,0 +1,67 @@ +# matrix-prometheus is an open-source systems monitoring and alerting toolkit +# See: https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md + +matrix_prometheus_enabled: false + +matrix_prometheus_version: v2.28.1 +matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" +matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" + +matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus" +matrix_prometheus_config_path: "{{ matrix_prometheus_base_path }}/config" +matrix_prometheus_data_path: "{{ matrix_prometheus_base_path }}/data" + +# A list of extra arguments to pass to the container +matrix_prometheus_container_extra_arguments: [] + +# List of systemd services that matrix-prometheus.service depends on +matrix_prometheus_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-prometheus.service wants +matrix_prometheus_systemd_wanted_services_list: [] + +# Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9090 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9090"), or empty string to not expose. +matrix_prometheus_container_http_host_bind_port: '' + +# Tells whether the "synapse" scraper configuration is enabled. +matrix_prometheus_scraper_synapse_enabled: false + +# Tells whether to download and load a Synapse rules file +matrix_prometheus_scraper_synapse_rules_enabled: "{{ matrix_prometheus_scraper_synapse_enabled }}" +matrix_prometheus_scraper_synapse_rules_synapse_tag: "master" +matrix_prometheus_scraper_synapse_rules_download_url: "https://raw.githubusercontent.com/matrix-org/synapse/{{ matrix_prometheus_scraper_synapse_rules_synapse_tag }}/contrib/prometheus/synapse-v2.rules" + +matrix_prometheus_scraper_synapse_targets: [] +matrix_prometheus_scraper_synapse_workers_enabled_list: [] + +# Tells whether the "node" scraper configuration is enabled. +# This configuration aims to scrape the current node (this server). +matrix_prometheus_scraper_node_enabled: false + +# Target addresses for the "node" scraper configuration. +# Unless you define this as a non-empty list, it gets populated at runtime with the IP address of `matrix-prometheus-node-exporter` and port 9100. +matrix_prometheus_scraper_node_targets: [] + +# Default prometheus configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_prometheus_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_prometheus_configuration_yaml: "{{ lookup('template', 'templates/prometheus.yml.j2') }}" + +matrix_prometheus_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_prometheus_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_prometheus_configuration_yaml`. + +matrix_prometheus_configuration_extension: "{{ matrix_prometheus_configuration_extension_yaml|from_yaml if matrix_prometheus_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_prometheus_configuration_yaml`. +matrix_prometheus_configuration: "{{ matrix_prometheus_configuration_yaml|from_yaml|combine(matrix_prometheus_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-prometheus/tasks/init.yml b/roles/matrix-prometheus/tasks/init.yml new file mode 100644 index 00000000..12fae831 --- /dev/null +++ b/roles/matrix-prometheus/tasks/init.yml @@ -0,0 +1,5 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-prometheus.service'] }}" + when: matrix_prometheus_enabled|bool + + diff --git a/roles/matrix-prometheus/tasks/main.yml b/roles/matrix-prometheus/tasks/main.yml new file mode 100644 index 00000000..20f18cc3 --- /dev/null +++ b/roles/matrix-prometheus/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_prometheus_enabled|bool" + tags: + - setup-all + - setup-prometheus + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_prometheus_enabled|bool" + tags: + - setup-all + - setup-prometheus + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_prometheus_enabled|bool" + tags: + - setup-all + - setup-prometheus diff --git a/roles/matrix-prometheus/tasks/setup_install.yml b/roles/matrix-prometheus/tasks/setup_install.yml new file mode 100644 index 00000000..15a69279 --- /dev/null +++ b/roles/matrix-prometheus/tasks/setup_install.yml @@ -0,0 +1,50 @@ +--- + +- name: Ensure matrix-prometheus image is pulled + docker_image: + name: "{{ matrix_prometheus_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_prometheus_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_prometheus_docker_image_force_pull }}" + +- name: Ensure Prometheus paths exists + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_prometheus_base_path }}" + - "{{ matrix_prometheus_config_path }}" + - "{{ matrix_prometheus_data_path }}" + +- name: Download synapse-v2.rules + get_url: + url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}" + dest: "{{ matrix_prometheus_config_path }}/synapse-v2.rules" + force: true + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "matrix_prometheus_scraper_synapse_rules_enabled|bool" + +- name: Ensure prometheus.yml installed + copy: + content: "{{ matrix_prometheus_configuration|to_nice_yaml }}" + dest: "{{ matrix_prometheus_config_path }}/prometheus.yml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-prometheus.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-prometheus.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-prometheus.service" + mode: 0644 + register: matrix_prometheus_systemd_service_result + +- name: Ensure systemd reloaded after matrix-prometheus.service installation + service: + daemon_reload: yes + when: "matrix_prometheus_systemd_service_result.changed|bool" diff --git a/roles/matrix-prometheus/tasks/setup_uninstall.yml b/roles/matrix-prometheus/tasks/setup_uninstall.yml new file mode 100644 index 00000000..dd46a222 --- /dev/null +++ b/roles/matrix-prometheus/tasks/setup_uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-prometheus service + stat: + path: "{{ matrix_systemd_path }}/matrix-prometheus.service" + register: matrix_prometheus_service_stat + +- name: Ensure matrix-prometheus is stopped + service: + name: matrix-prometheus + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_prometheus_service_stat.stat.exists|bool" + +- name: Ensure matrix-prometheus.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-prometheus.service" + state: absent + when: "matrix_prometheus_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-prometheus.service removal + service: + daemon_reload: yes + when: "matrix_prometheus_service_stat.stat.exists|bool" diff --git a/roles/matrix-prometheus/tasks/validate_config.yml b/roles/matrix-prometheus/tasks/validate_config.yml new file mode 100644 index 00000000..9fcfe12b --- /dev/null +++ b/roles/matrix-prometheus/tasks/validate_config.yml @@ -0,0 +1,7 @@ +--- + +- name: Fail if Synapse metrics or Prometheus Node Exporter not enabled + fail: + msg: > + You need to enable `matrix_prometheus_scraper_synapse_enabled` and/or `matrix_prometheus_scraper_node_enabled` for Prometheus grab metrics. + when: "not matrix_prometheus_scraper_synapse_enabled and not matrix_prometheus_scraper_node_enabled" diff --git a/roles/matrix-prometheus/templates/prometheus.yml.j2 b/roles/matrix-prometheus/templates/prometheus.yml.j2 new file mode 100644 index 00000000..869b2da8 --- /dev/null +++ b/roles/matrix-prometheus/templates/prometheus.yml.j2 @@ -0,0 +1,59 @@ +#jinja2: lstrip_blocks: "True" +global: + scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. + evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute. + # scrape_timeout is set to the global default (10s). + +# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. +rule_files: + {% if matrix_prometheus_scraper_synapse_rules_enabled %} + - 'synapse-v2.rules' + {% endif %} + +# A scrape configuration containing exactly one endpoint to scrape: +# Here it's Prometheus itself. +scrape_configs: + # The job name is added as a label `job=` to any timeseries scraped from this config. + - job_name: 'prometheus' + + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + scrape_timeout: 5s + + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + static_configs: + - targets: ['localhost:9090'] + + {% if matrix_prometheus_scraper_synapse_enabled %} + - job_name: 'synapse' + metrics_path: '/_synapse/metrics' + static_configs: + - targets: {{ matrix_prometheus_scraper_synapse_targets|to_json }} + labels: + instance: {{ matrix_domain }} + job: master + index: 0 + {% for worker in matrix_prometheus_scraper_synapse_workers_enabled_list %} + {% if worker.metrics_port != 0 %} + - targets: ['matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}'] + labels: + instance: {{ matrix_domain }} + job: {{ worker.type }} + index: {{ worker.instanceId }} + {% endif %} + {% endfor %} + {% endif %} + + {% if matrix_prometheus_scraper_node_enabled %} + - job_name: node + static_configs: + - targets: {{ matrix_prometheus_scraper_node_targets|to_json }} + {% endif %} + + {% if matrix_prometheus_scraper_postgres_enabled %} + - job_name: postgres + static_configs: + - targets: {{ matrix_prometheus_scraper_postgres_targets|to_json }} + {% endif %} diff --git a/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 new file mode 100644 index 00000000..ad75d664 --- /dev/null +++ b/roles/matrix-prometheus/templates/systemd/matrix-prometheus.service.j2 @@ -0,0 +1,43 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-prometheus +{% for service in matrix_prometheus_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_prometheus_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' + + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_prometheus_container_http_host_bind_port %} + -p {{ matrix_prometheus_container_http_host_bind_port }}:9090 \ + {% endif %} + -v {{ matrix_prometheus_config_path }}:/etc/prometheus:z \ + -v {{ matrix_prometheus_data_path }}:/prometheus:z \ + {% for arg in matrix_prometheus_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_prometheus_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-prometheus 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-prometheus + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-redis/defaults/main.yml b/roles/matrix-redis/defaults/main.yml new file mode 100644 index 00000000..409c7926 --- /dev/null +++ b/roles/matrix-redis/defaults/main.yml @@ -0,0 +1,22 @@ +matrix_redis_enabled: true + +matrix_redis_connection_password: "" + +matrix_redis_base_path: "{{ matrix_base_data_path }}/redis" +matrix_redis_data_path: "{{ matrix_redis_base_path }}/data" + +matrix_redis_version: 6.2.4-alpine +matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}" +matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}" +matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}' + +matrix_redis_docker_image_force_pull: "{{ matrix_redis_docker_image_to_use.endswith(':latest') }}" + +# A list of extra arguments to pass to the container +matrix_redis_container_extra_arguments: [] + +# Controls whether the matrix-redis container exposes a port (tcp/6379 in the container) +# that can be used to access redis from outside the container +# +# Takes an ":" or "" value (e.g. "127.0.0.1:6379"), or empty string to not expose. +matrix_redis_container_redis_bind_port: "" diff --git a/roles/matrix-redis/tasks/init.yml b/roles/matrix-redis/tasks/init.yml new file mode 100644 index 00000000..49068851 --- /dev/null +++ b/roles/matrix-redis/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-redis'] }}" + when: matrix_redis_enabled|bool diff --git a/roles/matrix-redis/tasks/main.yml b/roles/matrix-redis/tasks/main.yml new file mode 100644 index 00000000..595b09f5 --- /dev/null +++ b/roles/matrix-redis/tasks/main.yml @@ -0,0 +1,9 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/setup_redis.yml" + when: run_setup|bool + tags: + - setup-all + - setup-redis diff --git a/roles/matrix-redis/tasks/setup_redis.yml b/roles/matrix-redis/tasks/setup_redis.yml new file mode 100644 index 00000000..6f00282b --- /dev/null +++ b/roles/matrix-redis/tasks/setup_redis.yml @@ -0,0 +1,99 @@ +--- + +# +# Tasks related to setting up an internal redis server +# + +- name: Ensure redis Docker image is pulled + docker_image: + name: "{{ matrix_redis_docker_image_to_use }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_redis_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_redis_docker_image_force_pull }}" + when: matrix_redis_enabled|bool + +- name: Ensure redis paths exist + file: + path: "{{ item }}" + state: directory + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_redis_base_path }}" + - "{{ matrix_redis_data_path }}" + when: matrix_redis_enabled|bool + +# We do this as a separate task, because: +# - we'd like to do it for the data path only, not for the base path (which contains root-owned environment variable files we'd like to leave as-is) +# - we need to do it without `mode`, or we risk making certain `.conf` and other files's executable bit to flip to true +- name: Ensure redis data path ownership is correct + file: + path: "{{ matrix_redis_data_path }}" + state: directory + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + recurse: yes + when: matrix_redis_enabled|bool + +- name: Ensure redis environment variables file created + template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_redis_base_path }}/{{ item }}" + mode: 0644 + with_items: + - "redis.conf" + when: matrix_redis_enabled|bool + +- name: Ensure matrix-redis.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-redis.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-redis.service" + mode: 0644 + register: matrix_redis_systemd_service_result + when: matrix_redis_enabled|bool + +- name: Ensure systemd reloaded after matrix-redis.service installation + service: + daemon_reload: yes + when: "matrix_redis_enabled|bool and matrix_redis_systemd_service_result.changed" + +# +# Tasks related to getting rid of the internal redis server (if it was previously enabled) +# + +- name: Check existence of matrix-redis service + stat: + path: "{{ matrix_systemd_path }}/matrix-redis.service" + register: matrix_redis_service_stat + when: "not matrix_redis_enabled|bool" + +- name: Ensure matrix-redis is stopped + service: + name: matrix-redis + state: stopped + daemon_reload: yes + when: "not matrix_redis_enabled|bool and matrix_redis_service_stat.stat.exists" + +- name: Ensure matrix-redis.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-redis.service" + state: absent + when: "not matrix_redis_enabled|bool and matrix_redis_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-redis.service removal + service: + daemon_reload: yes + when: "not matrix_redis_enabled|bool and matrix_redis_service_stat.stat.exists" + +- name: Check existence of matrix-redis local data path + stat: + path: "{{ matrix_redis_data_path }}" + register: matrix_redis_data_path_stat + when: "not matrix_redis_enabled|bool" + +# We just want to notify the user. Deleting data is too destructive. +- name: Notify if matrix-redis local data remains + debug: + msg: "Note: You are not using a local redis instance, but some old data remains from before in `{{ matrix_redis_data_path }}`. Feel free to delete it." + when: "not matrix_redis_enabled|bool and matrix_redis_data_path_stat.stat.exists" diff --git a/roles/matrix-redis/templates/redis.conf.j2 b/roles/matrix-redis/templates/redis.conf.j2 new file mode 100644 index 00000000..34371356 --- /dev/null +++ b/roles/matrix-redis/templates/redis.conf.j2 @@ -0,0 +1,4 @@ +#jinja2: lstrip_blocks: "True" +{% if matrix_redis_connection_password %} +requirepass {{ matrix_redis_connection_password }} +{% endif %} diff --git a/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 new file mode 100644 index 00000000..5f6699f8 --- /dev/null +++ b/roles/matrix-redis/templates/systemd/matrix-redis.service.j2 @@ -0,0 +1,37 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Redis server +After=docker.service +Requires=docker.service + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker stop matrix-redis +ExecStartPre=-/usr/bin/docker rm matrix-redis + +ExecStart=/usr/bin/docker run --rm --name matrix-redis \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size=100m \ + --network={{ matrix_docker_network }} \ + {% if matrix_redis_container_redis_bind_port %} + -p {{ matrix_redis_container_redis_bind_port }}:6379 \ + {% endif %} + --mount type=bind,src={{ matrix_redis_base_path }}/redis.conf,dst=/usr/local/etc/redis/redis.conf,ro \ + --mount type=bind,src={{ matrix_redis_data_path }},dst=/data \ + {% for arg in matrix_redis_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_redis_docker_image_to_use }} \ + redis-server /usr/local/etc/redis/redis.conf + +ExecStop=-/usr/bin/docker stop matrix-redis +ExecStop=-/usr/bin/docker rm matrix-redis +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-redis + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-registration/defaults/main.yml b/roles/matrix-registration/defaults/main.yml new file mode 100644 index 00000000..e03891b2 --- /dev/null +++ b/roles/matrix-registration/defaults/main.yml @@ -0,0 +1,116 @@ +# matrix-registration is a simple python application to have a token based matrix registration +# See: https://zeratax.github.io/matrix-registration/ + +matrix_registration_enabled: true + +matrix_registration_container_image_self_build: false +matrix_registration_container_image_self_build_repo: "https://github.com/ZerataX/matrix-registration" +matrix_registration_container_image_self_build_branch: "{{ 'master' if matrix_registration_version == 'latest' else matrix_registration_version }}" + +matrix_registration_base_path: "{{ matrix_base_data_path }}/matrix-registration" +matrix_registration_config_path: "{{ matrix_registration_base_path }}/config" +matrix_registration_data_path: "{{ matrix_registration_base_path }}/data" +matrix_registration_docker_src_files_path: "{{ matrix_registration_base_path }}/docker-src" + +matrix_registration_version: "v0.7.2" + +matrix_registration_docker_image: "{{ matrix_registration_docker_image_name_prefix }}zeratax/matrix-registration:{{ matrix_registration_version }}" +matrix_registration_docker_image_name_prefix: "{{ 'localhost/' if matrix_registration_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_registration_docker_image_force_pull: "{{ matrix_registration_docker_image.endswith(':latest') }}" + +# A list of extra arguments to pass to the container +matrix_registration_container_extra_arguments: [] + +# List of systemd services that matrix-registration.service depends on +matrix_registration_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-registration.service wants +matrix_registration_systemd_wanted_services_list: [] + +# Controls whether the matrix-registration container exposes its HTTP port (tcp/5000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8767"), or empty string to not expose. +matrix_registration_container_http_host_bind_port: '' + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_registration_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_registration_postgres_*` variables +matrix_registration_database_engine: 'sqlite' + +matrix_registration_sqlite_database_path_local: "{{ matrix_registration_data_path }}/db.sqlite3" +matrix_registration_sqlite_database_path_in_container: "/data/db.sqlite3" + +matrix_registration_database_username: 'matrix_registration' +matrix_registration_database_password: 'some-password' +matrix_registration_database_hostname: 'matrix-postgres' +matrix_registration_database_port: 5432 +matrix_registration_database_name: 'matrix_registration' + +matrix_registration_database_connection_string: 'postgresql://{{ matrix_registration_database_username }}:{{ matrix_registration_database_password }}@{{ matrix_registration_database_hostname }}:{{ matrix_registration_database_port }}/{{ matrix_registration_database_name }}' + +# For some reason, matrix-registraiton expects the `db` field to be like this: `sqlite:////data/db.sqlite3`. +# (seems like one too many slashes, but..) +matrix_registration_db: "{{ + { + 'sqlite': ('sqlite:///' + matrix_registration_sqlite_database_path_in_container), + 'postgres': matrix_registration_database_connection_string, + }[matrix_registration_database_engine] +}}" + + +# The path at which Matrix Registration will be exposed on `matrix.DOMAIN` +# (only applies when matrix-nginx-proxy is used). +matrix_registration_public_endpoint: /matrix-registration + +matrix_registration_base_url: "{{ matrix_registration_public_endpoint }}" + +matrix_registration_api_register_endpoint: "{{ matrix_homeserver_url }}{{ matrix_registration_public_endpoint }}/register" +matrix_registration_api_token_endpoint: "{{ matrix_homeserver_url }}{{ matrix_registration_public_endpoint }}/token" + +matrix_registration_api_validate_certs: true + +# The URL to your homeserver (e.g.: `https://matrix.DOMAIN`). +# A local (in-container address) is preferable. +matrix_registration_server_location: "" + +matrix_registration_server_name: "{{ matrix_domain }}" + +# matrix_registration_shared_secret needs to match the homeserver's registration secret. +# For Synapse, that's the `registration_shared_secret` setting. +matrix_registration_shared_secret: "" + +# matrix_registration_admin_secret is your own admin secret for using matrix-registration (creating new tokens, etc.) +matrix_registration_admin_secret: "" + +matrix_registration_riot_instance: "https://riot.im/app/" + +# Default matrix-registration configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_registration_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_registration_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" + +matrix_registration_configuration_extension_yaml: | + # Your custom YAML configuration for registration goes here. + # This configuration extends the default starting configuration (`matrix_registration_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_registration_configuration_yaml`. + # + # Example configuration extension follows: + # + # password: + # min_length: 12 + +matrix_registration_configuration_extension: "{{ matrix_registration_configuration_extension_yaml|from_yaml if matrix_registration_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final matrix-registration configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_registration_configuration_yaml`. +matrix_registration_configuration: "{{ matrix_registration_configuration_yaml|from_yaml|combine(matrix_registration_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-registration/tasks/generate_token.yml b/roles/matrix-registration/tasks/generate_token.yml new file mode 100644 index 00000000..ae5bdf4c --- /dev/null +++ b/roles/matrix-registration/tasks/generate_token.yml @@ -0,0 +1,50 @@ +- name: Fail if playbook called incorrectly + fail: + msg: "The `one_time` variable needs to be provided to this playbook, via --extra-vars" + when: "one_time is not defined or one_time not in ['yes', 'no']" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `ex_date` variable (expiration date) needs to be provided to this playbook, via --extra-vars" + when: "ex_date is not defined or ex_date == ''" + +- name: Call matrix-registration token creation API + uri: + url: "{{ matrix_registration_api_token_endpoint }}" + follow_redirects: none + validate_certs: "{{ matrix_registration_api_validate_certs }}" + headers: + Content-Type: application/json + Authorization: "SharedSecret {{ matrix_registration_admin_secret }}" + method: POST + body_format: json + body: | + { + "one_time": {{ 'true' if one_time == 'yes' else 'false' }}, + "ex_date": {{ ex_date|to_json }} + } + check_mode: no + register: matrix_registration_api_result + +- set_fact: + matrix_registration_api_result_message: >- + matrix-registration result: + + Direct registration link (with the token prefilled): + + {{ matrix_registration_api_register_endpoint }}?token={{ matrix_registration_api_result.json.name }} + + Full token details are: + + {{ matrix_registration_api_result.json }} + check_mode: no + +- name: Inject result message into matrix_playbook_runtime_results + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [matrix_registration_api_result_message] + }} + check_mode: no diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml new file mode 100644 index 00000000..32a35c7d --- /dev/null +++ b/roles/matrix-registration/tasks/init.yml @@ -0,0 +1,68 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build and matrix_registration_enabled" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}" + when: matrix_registration_enabled|bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: >- + Trying to append matrix-registration's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-registration role. + when: matrix_nginx_proxy_role_executed|default(False)|bool + + - name: Generate matrix-registration proxying configuration for matrix-nginx-proxy + set_fact: + matrix_registration_matrix_nginx_proxy_configuration: | + rewrite ^{{ matrix_registration_public_endpoint }}$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/ permanent; + rewrite ^{{ matrix_registration_public_endpoint }}/$ $scheme://$server_name{{ matrix_registration_public_endpoint }}/register redirect; + + location ~ ^{{ matrix_registration_public_endpoint }}/(.*) { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-registration:5000"; + proxy_pass http://$backend/$1; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8767/$1; + {% endif %} + + {# + Workaround matrix-registration serving the background image at /static + (see https://github.com/ZerataX/matrix-registration/issues/47) + #} + sub_filter_once off; + sub_filter_types text/css; + sub_filter "/static/" "{{ matrix_registration_public_endpoint }}/static/"; + } + + - name: Register matrix-registration proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) + + + [matrix_registration_matrix_nginx_proxy_configuration] + }} + tags: + - always + when: matrix_registration_enabled|bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: >- + NOTE: You've enabled the matrix-registration tool but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_registration_public_endpoint }}` + URL endpoint to the matrix-registration container. + You can expose the container's port using the `matrix_registration_container_http_host_bind_port` variable. + when: "matrix_registration_enabled|bool and matrix_nginx_proxy_enabled is not defined" diff --git a/roles/matrix-registration/tasks/list_tokens.yml b/roles/matrix-registration/tasks/list_tokens.yml new file mode 100644 index 00000000..dea3eb31 --- /dev/null +++ b/roles/matrix-registration/tasks/list_tokens.yml @@ -0,0 +1,29 @@ +- name: Call matrix-registration list all tokens API + uri: + url: "{{ matrix_registration_api_token_endpoint }}" + follow_redirects: none + validate_certs: "{{ matrix_registration_api_validate_certs }}" + headers: + Content-Type: application/json + Authorization: "SharedSecret {{ matrix_registration_admin_secret }}" + method: GET + body_format: json + check_mode: no + register: matrix_registration_api_result + +- set_fact: + matrix_registration_api_result_message: >- + matrix-registration result: + + {{ matrix_registration_api_result.json | to_nice_json }} + check_mode: no + +- name: Inject result message into matrix_playbook_runtime_results + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [matrix_registration_api_result_message] + }} + check_mode: no diff --git a/roles/matrix-registration/tasks/main.yml b/roles/matrix-registration/tasks/main.yml new file mode 100644 index 00000000..3324e083 --- /dev/null +++ b/roles/matrix-registration/tasks/main.yml @@ -0,0 +1,31 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_registration_enabled|bool" + tags: + - setup-all + - setup-matrix-registration + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_registration_enabled|bool" + tags: + - setup-all + - setup-matrix-registration + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_registration_enabled|bool" + tags: + - setup-all + - setup-matrix-registration + +- import_tasks: "{{ role_path }}/tasks/generate_token.yml" + when: "run_setup|bool and matrix_registration_enabled|bool" + tags: + - generate-matrix-registration-token + +- import_tasks: "{{ role_path }}/tasks/list_tokens.yml" + when: "run_setup|bool and matrix_registration_enabled|bool" + tags: + - list-matrix-registration-tokens diff --git a/roles/matrix-registration/tasks/setup_install.yml b/roles/matrix-registration/tasks/setup_install.yml new file mode 100644 index 00000000..0d7da9ce --- /dev/null +++ b/roles/matrix-registration/tasks/setup_install.yml @@ -0,0 +1,101 @@ +--- + +- set_fact: + matrix_registration_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_registration_sqlite_database_path_local }}" + register: matrix_registration_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_registration_sqlite_database_path_local }}" + dst: "{{ matrix_registration_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_registration_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-registration.service'] + # pgloader makes `ex_date` of type `TIMESTAMP WITH TIMEZONE`, + # which makes matrix-registration choke on it later on when comparing dates. + additional_psql_statements_list: + - ALTER TABLE tokens ALTER COLUMN ex_date TYPE TIMESTAMP WITHOUT TIME ZONE; + additional_psql_statements_db_name: "{{ matrix_registration_database_name }}" + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_registration_requires_restart: true + when: "matrix_registration_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_registration_database_engine == 'postgres'" + +- name: Ensure matrix-registration paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_registration_base_path }}", when: true } + - { path: "{{ matrix_registration_config_path }}", when: true } + - { path: "{{ matrix_registration_data_path }}", when: true } + - { path: "{{ matrix_registration_docker_src_files_path }}", when: "{{ matrix_registration_container_image_self_build }}"} + when: "item.when|bool" + +- name: Ensure matrix-registration image is pulled + docker_image: + name: "{{ matrix_registration_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_registration_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_registration_docker_image_force_pull }}" + when: "not matrix_registration_container_image_self_build|bool" + +- name: Ensure matrix-registration repository is present when self-building + git: + repo: "{{ matrix_registration_container_image_self_build_repo }}" + dest: "{{ matrix_registration_docker_src_files_path }}" + version: "{{ matrix_registration_container_image_self_build_branch }}" + force: "yes" + register: matrix_registration_git_pull_results + when: "matrix_registration_container_image_self_build|bool" + +- name: Ensure matrix-registration Docker image is built + docker_image: + name: "{{ matrix_registration_docker_image }}" + source: build + force_source: "{{ matrix_registration_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_registration_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_registration_docker_src_files_path }}" + pull: yes + when: "matrix_registration_container_image_self_build|bool" + +- name: Ensure matrix-registration config installed + copy: + content: "{{ matrix_registration_configuration|to_nice_yaml }}" + dest: "{{ matrix_registration_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-registration.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-registration.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-registration.service" + mode: 0644 + register: matrix_registration_systemd_service_result + +- name: Ensure systemd reloaded after matrix-registration.service installation + service: + daemon_reload: yes + when: "matrix_registration_systemd_service_result.changed|bool" + +- name: Ensure matrix-registration.service restarted, if necessary + service: + name: "matrix-registration.service" + state: restarted + when: "matrix_registration_requires_restart|bool" diff --git a/roles/matrix-registration/tasks/setup_uninstall.yml b/roles/matrix-registration/tasks/setup_uninstall.yml new file mode 100644 index 00000000..573f8170 --- /dev/null +++ b/roles/matrix-registration/tasks/setup_uninstall.yml @@ -0,0 +1,30 @@ +--- + +- name: Check existence of matrix-registration service + stat: + path: "{{ matrix_systemd_path }}/matrix-registration.service" + register: matrix_registration_service_stat + +- name: Ensure matrix-registration is stopped + service: + name: matrix-registration + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_registration_service_stat.stat.exists|bool" + +- name: Ensure matrix-registration.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-registration.service" + state: absent + when: "matrix_registration_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-registration.service removal + service: + daemon_reload: yes + when: "matrix_registration_service_stat.stat.exists|bool" + +- name: Ensure matrix-registration Docker image doesn't exist + docker_image: + name: "{{ matrix_registration_docker_image }}" + state: absent diff --git a/roles/matrix-registration/tasks/validate_config.yml b/roles/matrix-registration/tasks/validate_config.yml new file mode 100644 index 00000000..90466b46 --- /dev/null +++ b/roles/matrix-registration/tasks/validate_config.yml @@ -0,0 +1,20 @@ +--- + +- name: Fail if required matrix-registration settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) for using matrix-registration. + when: "vars[item] == ''" + with_items: + - "matrix_registration_shared_secret" + - "matrix_registration_admin_secret" + - "matrix_registration_server_location" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_registration_docker_repo', 'new': 'matrix_registration_container_image_self_build_repo'} diff --git a/roles/matrix-registration/templates/config.yaml.j2 b/roles/matrix-registration/templates/config.yaml.j2 new file mode 100644 index 00000000..39211b24 --- /dev/null +++ b/roles/matrix-registration/templates/config.yaml.j2 @@ -0,0 +1,31 @@ +server_location: {{ matrix_registration_server_location|to_json }} +server_name: {{ matrix_registration_server_name|to_json }} +shared_secret: {{ matrix_registration_shared_secret|to_json }} +admin_secret: {{ matrix_registration_admin_secret|to_json }} +riot_instance: {{ matrix_registration_riot_instance|to_json }} +db: {{ matrix_registration_db|to_json }} +host: '0.0.0.0' +port: 5000 +rate_limit: ["100 per day", "10 per minute"] +allow_cors: false +logging: + disable_existing_loggers: False + version: 1 + root: + level: DEBUG + handlers: [console] + formatters: + brief: + format: '%(name)s - %(levelname)s - %(message)s' + precise: + format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s' + handlers: + console: + class: logging.StreamHandler + level: INFO + formatter: brief + stream: ext://sys.stdout +# password requirements +password: + min_length: 8 +base_url: {{ matrix_registration_base_url|to_json }} diff --git a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 new file mode 100644 index 00000000..e73e3e5f --- /dev/null +++ b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-registration +{% for service in matrix_registration_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_registration_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-registration \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + {% if matrix_registration_container_http_host_bind_port %} + -p {{ matrix_registration_container_http_host_bind_port }}:5000 \ + {% endif %} + --mount type=bind,src={{ matrix_registration_config_path }},dst=/config,ro \ + --mount type=bind,src={{ matrix_registration_data_path }},dst=/data \ + {% for arg in matrix_registration_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_registration_docker_image }} \ + serve + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-registration 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-registration 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-registration + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-sygnal/defaults/main.yml b/roles/matrix-sygnal/defaults/main.yml new file mode 100644 index 00000000..476ac2ad --- /dev/null +++ b/roles/matrix-sygnal/defaults/main.yml @@ -0,0 +1,95 @@ +# Sygnal is a reference Push Gateway for Matrix. +# To make use of it for delivering push notificatins, you'll need to develop/build your own Matrix app. +# Learn more here: https://github.com/matrix-org/sygnal +matrix_sygnal_enabled: false + +matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal" +matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config" +matrix_sygnal_data_path: "{{ matrix_sygnal_base_path }}/data" + +matrix_sygnal_version: v0.9.0 +matrix_sygnal_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/sygnal:{{ matrix_sygnal_version }}" +matrix_sygnal_docker_image_force_pull: "{{ matrix_sygnal_docker_image.endswith(':latest') }}" + +# List of systemd services that matrix-sygnal.service depends on. +matrix_sygnal_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-sygnal.service wants +matrix_sygnal_systemd_wanted_services_list: [] + +# Controls whether the matrix-sygnal container exposes its HTTP port (tcp/6000 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:6000"), or empty string to not expose. +matrix_sygnal_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_sygnal_container_extra_arguments: [] + +# Database-related configuration fields. +# +# To use SQLite, stick to these defaults. +# +# To use Postgres: +# - change the engine (`matrix_sygnal_database_engine: 'postgres'`) +# - adjust your database credentials via the `matrix_sygnal_postgres_*` variables +matrix_sygnal_database_engine: 'sqlite' + +matrix_sygnal_sqlite_database_path_local: "{{ matrix_sygnal_data_path }}/sygnal.db" +matrix_sygnal_sqlite_database_path_in_container: "/data/sygnal.db" + +matrix_sygnal_database_username: 'matrix_sygnal' +matrix_sygnal_database_password: 'some-password' +matrix_sygnal_database_hostname: 'matrix-postgres' +matrix_sygnal_database_port: 5432 +matrix_sygnal_database_name: 'matrix_sygnal' + +matrix_sygnal_database_connection_string: 'postgres://{{ matrix_sygnal_database_username }}:{{ matrix_sygnal_database_password }}@{{ matrix_sygnal_database_hostname }}:{{ matrix_sygnal_database_port }}/{{ matrix_sygnal_database_name }}' + +# A map (dictionary) of apps instances that this server works with. +# +# Example configuration: +# +# matrix_sygnal_apps: +# com.example.myapp.ios: +# type: apns +# # .. more configuration .. +# com.example.myapp.android: +# type: gcm +# api_key: your_api_key_for_gcm +# # .. more configuration .. +# +# The APNS configuration needs to reference some certificate files. +# One can put these in the `matrix_sygnal_data_path` directory (`/matrix/sygnal/data`), mounted to `/data` in the container. +# The `matrix_sygnal_apps` paths need to use the in-container path (`/data`). +# To install these files via the playbook, one can use the `matrix-aux` role. +# Examples and more details are available in `docs/configuring-playbook-sygnal.md`. +matrix_sygnal_apps: [] + +matrix_sygnal_metrics_prometheus_enabled: false + +# Default Sygnal configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_sygnal_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_sygnal_configuration_yaml: "{{ lookup('template', 'templates/sygnal.yaml.j2') }}" + +matrix_sygnal_configuration_extension_yaml: | + # Your custom YAML configuration for Sygnal goes here. + # This configuration extends the default starting configuration (`matrix_sygnal_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_sygnal_configuration_yaml`. + # + # Example configuration extension follows: + # metrics: + # opentracing: + # enabled: true + +matrix_sygnal_configuration_extension: "{{ matrix_sygnal_configuration_extension_yaml|from_yaml if matrix_sygnal_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final sygnal configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_sygnal_configuration_yaml`. +matrix_sygnal_configuration: "{{ matrix_sygnal_configuration_yaml|from_yaml|combine(matrix_sygnal_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-sygnal/tasks/init.yml b/roles/matrix-sygnal/tasks/init.yml new file mode 100644 index 00000000..559a3681 --- /dev/null +++ b/roles/matrix-sygnal/tasks/init.yml @@ -0,0 +1,3 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sygnal.service'] }}" + when: matrix_sygnal_enabled|bool diff --git a/roles/matrix-sygnal/tasks/main.yml b/roles/matrix-sygnal/tasks/main.yml new file mode 100644 index 00000000..c00862a4 --- /dev/null +++ b/roles/matrix-sygnal/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool + tags: + - setup-all + - setup-sygnal + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: run_setup|bool and matrix_sygnal_enabled|bool + tags: + - setup-all + - setup-sygnal + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: run_setup|bool and not matrix_sygnal_enabled|bool + tags: + - setup-all + - setup-sygnal diff --git a/roles/matrix-sygnal/tasks/setup_install.yml b/roles/matrix-sygnal/tasks/setup_install.yml new file mode 100644 index 00000000..afac61c4 --- /dev/null +++ b/roles/matrix-sygnal/tasks/setup_install.yml @@ -0,0 +1,73 @@ +--- + +- set_fact: + matrix_sygnal_requires_restart: false + +- block: + - name: Check if an SQLite database already exists + stat: + path: "{{ matrix_sygnal_sqlite_database_path_local }}" + register: matrix_sygnal_sqlite_database_path_local_stat_result + + - block: + - set_fact: + matrix_postgres_db_migration_request: + src: "{{ matrix_sygnal_sqlite_database_path_local }}" + dst: "{{ matrix_sygnal_database_connection_string }}" + caller: "{{ role_path|basename }}" + engine_variable_name: 'matrix_sygnal_database_engine' + engine_old: 'sqlite' + systemd_services_to_stop: ['matrix-sygnal.service'] + pgloader_options: ['--with "quote identifiers"'] + + - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" + + - set_fact: + matrix_sygnal_requires_restart: true + when: "matrix_sygnal_sqlite_database_path_local_stat_result.stat.exists|bool" + when: "matrix_sygnal_database_engine == 'postgres'" + +- name: Ensure Sygnal image is pulled + docker_image: + name: "{{ matrix_sygnal_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_sygnal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_sygnal_docker_image_force_pull }}" + +- name: Ensure Sygnal paths exists + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_sygnal_base_path }}" + - "{{ matrix_sygnal_config_path }}" + - "{{ matrix_sygnal_data_path }}" + +- name: Ensure Sygnal config installed + copy: + content: "{{ matrix_sygnal_configuration|to_nice_yaml }}" + dest: "{{ matrix_sygnal_config_path }}/sygnal.yaml" + mode: 0640 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-sygnal.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-sygnal.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-sygnal.service" + mode: 0644 + register: matrix_sygnal_systemd_service_result + +- name: Ensure systemd reloaded after matrix-sygnal.service installation + service: + daemon_reload: yes + when: "matrix_sygnal_systemd_service_result.changed|bool" + +- name: Ensure matrix-sygnal.service restarted, if necessary + service: + name: "matrix-sygnal.service" + state: restarted + when: "matrix_sygnal_requires_restart|bool" diff --git a/roles/matrix-sygnal/tasks/setup_uninstall.yml b/roles/matrix-sygnal/tasks/setup_uninstall.yml new file mode 100644 index 00000000..dc50078c --- /dev/null +++ b/roles/matrix-sygnal/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-sygnal service + stat: + path: "{{ matrix_systemd_path }}/matrix-sygnal.service" + register: matrix_sygnal_service_stat + +- name: Ensure matrix-sygnal is stopped + service: + name: matrix-sygnal + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_sygnal_service_stat.stat.exists|bool" + +- name: Ensure matrix-sygnal.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-sygnal.service" + state: absent + when: "matrix_sygnal_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-sygnal.service removal + service: + daemon_reload: yes + when: "matrix_sygnal_service_stat.stat.exists|bool" + +- name: Ensure Sygnal base directory doesn't exist + file: + path: "{{ matrix_sygnal_base_path }}" + state: absent + +- name: Ensure Sygnal Docker image doesn't exist + docker_image: + name: "{{ matrix_sygnal_docker_image }}" + state: absent diff --git a/roles/matrix-sygnal/tasks/validate_config.yml b/roles/matrix-sygnal/tasks/validate_config.yml new file mode 100644 index 00000000..efd64104 --- /dev/null +++ b/roles/matrix-sygnal/tasks/validate_config.yml @@ -0,0 +1,13 @@ +- name: Fail if no Sygnal apps defined + fail: + msg: >- + Enabling Sygnal requires that you specify at least one app in `matrix_sygnal_apps` + when: "matrix_sygnal_enabled and matrix_sygnal_apps|length == 0" + +- name: Fail if running on a non-supported architecture + fail: + msg: >- + Sygnal can only be used on the amd64 architecture for now. + Only amd64 container images are pushed for the `docker.io/matrixdotorg/sygnal` container image. + Either use a different image (by redefining `matrix_sygnal_docker_image`) or consider contributing self-building support to this role. + when: "matrix_sygnal_enabled and matrix_architecture != 'amd64' and matrix_sygnal_docker_image.startswith('docker.io/matrixdotorg/sygnal')" diff --git a/roles/matrix-sygnal/templates/sygnal.yaml.j2 b/roles/matrix-sygnal/templates/sygnal.yaml.j2 new file mode 100644 index 00000000..bb8c521d --- /dev/null +++ b/roles/matrix-sygnal/templates/sygnal.yaml.j2 @@ -0,0 +1,288 @@ +## +# This is a configuration for Sygnal, the reference Push Gateway for Matrix +# See: matrix.org +## + +# The 'database' setting defines the database that sygnal uses to store all of +# its data. +# +# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or +# 'psycopg2' (for PostgreSQL). +# +# 'args' gives options which are passed through to the database engine, +# except for options starting 'cp_', which are used to configure the Twisted +# connection pool. For a reference to valid arguments, see: +# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect +# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS +# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ +# +# +# Example SQLite configuration: +# +#database: +# name: sqlite3 +# args: +# dbfile: /path/to/database.db +# +# +# Example Postgres configuration: +# +#database: +# name: psycopg2 +# args: +# host: localhost +# database: sygnal +# user: sygnal +# password: pass +# cp_min: 1 +# cp_max: 5 +# +{% if matrix_sygnal_database_engine == 'sqlite' %} +database: + name: sqlite3 + args: + dbfile: {{ matrix_sygnal_sqlite_database_path_in_container|to_json }} +{% else %} +database: + name: psycopg2 + args: + host: {{ matrix_sygnal_database_hostname|to_json }} + database: {{ matrix_sygnal_database_name|to_json }} + user: {{ matrix_sygnal_database_username|to_json }} + password: {{ matrix_sygnal_database_password|to_json }} + cp_min: 1 + cp_max: 5 +{% endif %} + +## Logging # +# +log: + # Specify a Python logging 'dictConfig', as described at: + # https://docs.python.org/3.7/library/logging.config.html#logging.config.dictConfig + # + setup: + version: 1 + formatters: + normal: + format: "%(asctime)s [%(process)d] %(levelname)-5s %(name)s %(message)s" + handlers: + # This handler prints to Standard Error + # + stderr: + class: "logging.StreamHandler" + formatter: "normal" + stream: "ext://sys.stderr" + + # This handler prints to Standard Output. + # + stdout: + class: "logging.StreamHandler" + formatter: "normal" + stream: "ext://sys.stdout" + + # This handler demonstrates logging to a text file on the filesystem. + # You can use logrotate(8) to perform log rotation. + # + #file: + # class: "logging.handlers.WatchedFileHandler" + # formatter: "normal" + # filename: "./sygnal.log" + loggers: + # sygnal.access contains the access logging lines. + # Comment out this section if you don't want to give access logging + # any special treatment. + # + sygnal.access: + propagate: false + handlers: ["stdout"] + level: "INFO" + + # sygnal contains log lines from Sygnal itself. + # You can comment out this section to fall back to the root logger. + # + sygnal: + propagate: false + handlers: ["stderr"] + + root: + # Specify the handler(s) to send log messages to. + handlers: ["stderr"] + level: "INFO" + + disable_existing_loggers: false + + + access: + # Specify whether or not to trust the IP address in the `X-Forwarded-For` + # header. In general, you want to enable this if and only if you are using a + # reverse proxy which is configured to emit it. + # + x_forwarded_for: true + +## HTTP Server (Matrix Push Gateway API) # +# +http: + # Specify a list of interface addresses to bind to. + # + # This example listens on the IPv4 loopback device: + #bind_addresses: ['127.0.0.1'] + # This example listens on all IPv4 interfaces: + #bind_addresses: ['0.0.0.0'] + # This example listens on all IPv4 and IPv6 interfaces: + #bind_addresses: ['0.0.0.0', '::'] + bind_addresses: ['::'] + + # Specify the port number to listen on. + # + port: 6000 + +## Proxying for outgoing connections # +# +# Specify the URL of a proxy to use for outgoing traffic +# (e.g. to Apple & Google) if desired. +# Currently only HTTP proxies with CONNECT capability are supported. +# +# If you do not specify a value, the `HTTPS_PROXY` environment variable will +# be used if present. Otherwise, no proxy will be used. +# +# Default is unspecified. +# +#proxy: 'http://user:secret@prox:8080' + +## Metrics # +# +metrics: + ## Prometheus # + # + prometheus: + # Specify whether or not to enable Prometheus. + # + enabled: false + + # Specify an address for the Prometheus HTTP Server to listen on. + # + address: '0.0.0.0' + + # Specify a port for the Prometheus HTTP Server to listen on. + # + port: 8000 + + ## OpenTracing # + # + opentracing: + # Specify whether or not to enable OpenTracing. + # + enabled: false + + # Specify an implementation of OpenTracing to use. Currently only 'jaeger' + # is supported. + # + implementation: jaeger + + # Specify the service name to be reported to the tracer. + # + service_name: sygnal + + # Specify configuration values to pass to jaeger_client. + # + jaeger: + sampler: + type: 'const' + param: 1 +# local_agent: +# reporting_host: '127.0.0.1' +# reporting_port: + logging: true + + ## Sentry # + # + sentry: + # Specify whether or not to enable Sentry. + # + enabled: false + + # Specify your Sentry DSN if you enable Sentry + # + #dsn: "https://@sentry.example.org/" + +## Pushkins/Apps # +# +# Add a section for every push application here. +# Specify the pushkey for the application and also the type. +# For the type, you may specify a fully-qualified Python classname if desired. +# +#apps: + # This is an example APNs push configuration + # + #com.example.myapp.ios: + # type: apns + # + # # Authentication + # # + # # Two methods of authentication to APNs are currently supported. + # # + # # You can authenticate using a key: + # keyfile: my_key.p8 + # key_id: MY_KEY_ID + # team_id: MY_TEAM_ID + # topic: MY_TOPIC + # + # # Or, a certificate can be used instead: + # certfile: com.example.myApp_prod_APNS.pem + # + # # This is the maximum number of in-flight requests *for this pushkin* + # # before additional notifications will be failed. + # # (This is a robustness measure to prevent one pushkin stacking up with + # # queued requests and saturating the inbound connection queue of a load + # # balancer or reverse proxy). + # # Defaults to 512 if unset. + # # + # #inflight_request_limit: 512 + # + # # Specifies whether to use the production or sandbox APNs server. Note that + # # sandbox tokens should only be used with the sandbox server and vice versa. + # # + # # Valid options are: + # # * production + # # * sandbox + # # + # # The default is 'production'. Uncomment to use the sandbox instance. + # #platform: sandbox + + # This is an example GCM/FCM push configuration. + # + #com.example.myapp.android: + # type: gcm + # api_key: your_api_key_for_gcm + # + # # This is the maximum number of connections to GCM servers at any one time + # # the default is 20. + # #max_connections: 20 + # + # # This is the maximum number of in-flight requests *for this pushkin* + # # before additional notifications will be failed. + # # (This is a robustness measure to prevent one pushkin stacking up with + # # queued requests and saturating the inbound connection queue of a load + # # balancer or reverse proxy). + # # Defaults to 512 if unset. + # # + # #inflight_request_limit: 512 + # + # # This allows you to specify additional options to send to Firebase. + # # + # # Of particular interest, admins who wish to support iOS apps using Firebase + # # probably wish to set content_available, and may need to set mutable_content. + # # (content_available allows your iOS app to be woken up by data messages, + # # and mutable_content allows your notification to be modified by a + # # Notification Service app extension). + # # + # # See https://firebase.google.com/docs/cloud-messaging/http-server-ref + # # for the exhaustive list of valid options. + # # + # # Do not specify `data`, `priority`, `to` or `registration_ids` as they may + # # be overwritten or lead to an invalid request. + # # + # #fcm_options: + # # content_available: true + # # mutable_content: true +apps: {{ matrix_sygnal_apps|to_json }} diff --git a/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 new file mode 100644 index 00000000..019ab40c --- /dev/null +++ b/roles/matrix-sygnal/templates/systemd/matrix-sygnal.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Sygnal +{% for service in matrix_sygnal_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_sygnal_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-sygnal \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --env=SYGNAL_CONF=/config/sygnal.yaml \ + --network={{ matrix_docker_network }} \ + {% if matrix_sygnal_container_http_host_bind_port %} + -p {{ matrix_sygnal_container_http_host_bind_port }}:6000 \ + {% endif %} + --mount type=bind,src={{ matrix_sygnal_config_path }},dst=/config \ + --mount type=bind,src={{ matrix_sygnal_data_path }},dst=/data \ + {% for arg in matrix_sygnal_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_sygnal_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-sygnal 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-sygnal 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-sygnal + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml new file mode 100644 index 00000000..069b6279 --- /dev/null +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -0,0 +1,32 @@ +# matrix-synapse-admin is a web UI for mananging the Synapse Matrix server +# See: https://github.com/Awesome-Technologies/synapse-admin + +matrix_synapse_admin_enabled: true + +matrix_synapse_admin_container_self_build: false +matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git" + +matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" + +matrix_synapse_admin_version: 0.8.1 +matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" +matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" +matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" + +# A list of extra arguments to pass to the container +matrix_synapse_admin_container_extra_arguments: [] + +# List of systemd services that matrix-synapse-admin.service depends on +matrix_synapse_admin_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-synapse-admin.service wants +matrix_synapse_admin_systemd_wanted_services_list: [] + +# Controls whether the matrix-synapse-admin container exposes its HTTP port (tcp/80 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8766"), or empty string to not expose. +matrix_synapse_admin_container_http_host_bind_port: '' + +# The path at which Synapse Admin will be exposed on `matrix.DOMAIN` +# (only applies when matrix-nginx-proxy is used). +matrix_synapse_admin_public_endpoint: /synapse-admin diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml new file mode 100644 index 00000000..9e171015 --- /dev/null +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -0,0 +1,59 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build and matrix_synapse_admin_enabled" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" + when: matrix_synapse_admin_enabled|bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + fail: + msg: >- + Trying to append Synapse Admin's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your plabook, + so that the matrix-nginx-proxy role would run after the matrix-synapse-admin role. + when: matrix_nginx_proxy_role_executed|default(False)|bool + + - name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy + set_fact: + matrix_synapse_admin_matrix_nginx_proxy_configuration: | + rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ $scheme://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent; + + location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) { + {% if matrix_nginx_proxy_enabled|default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "matrix-synapse-admin:80"; + proxy_pass http://$backend/$1; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:8766/$1; + {% endif %} + } + + - name: Register Synapse Admin proxying configuration with matrix-nginx-proxy + set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([]) + + + [matrix_synapse_admin_matrix_nginx_proxy_configuration] + }} + tags: + - always + when: matrix_synapse_admin_enabled|bool + +- name: Warn about reverse-proxying if matrix-nginx-proxy not used + debug: + msg: >- + NOTE: You've enabled the Synapse Admin tool but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_synapse_admin_public_endpoint }}` + URL endpoint to the matrix-synapse-admin container. + You can expose the container's port using the `matrix_synapse_admin_container_http_host_bind_port` variable. + when: "matrix_synapse_admin_enabled|bool and matrix_nginx_proxy_enabled is not defined" diff --git a/roles/matrix-synapse-admin/tasks/main.yml b/roles/matrix-synapse-admin/tasks/main.yml new file mode 100644 index 00000000..b5cb1689 --- /dev/null +++ b/roles/matrix-synapse-admin/tasks/main.yml @@ -0,0 +1,14 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool + tags: + - setup-all + - setup-synapse-admin + +- import_tasks: "{{ role_path }}/tasks/setup.yml" + tags: + - setup-all + - setup-synapse-admin diff --git a/roles/matrix-synapse-admin/tasks/setup.yml b/roles/matrix-synapse-admin/tasks/setup.yml new file mode 100644 index 00000000..002ff68d --- /dev/null +++ b/roles/matrix-synapse-admin/tasks/setup.yml @@ -0,0 +1,80 @@ +--- + +# +# Tasks related to setting up matrix-synapse-admin +# + +- name: Ensure matrix-synapse-admin image is pulled + docker_image: + name: "{{ matrix_synapse_admin_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_synapse_admin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_docker_image_force_pull }}" + when: "matrix_synapse_admin_enabled|bool and not matrix_synapse_admin_container_self_build|bool" + +- name: Ensure matrix-synapse-admin repository is present when self-building + git: + repo: "{{ matrix_synapse_admin_container_self_build_repo }}" + dest: "{{ matrix_synapse_admin_docker_src_files_path }}" + force: "yes" + register: matrix_synapse_admin_git_pull_results + when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool" + +- name: Ensure matrix-synapse-admin Docker image is built + docker_image: + name: "{{ matrix_synapse_admin_docker_image }}" + source: build + force_source: "{{ matrix_synapse_admin_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_synapse_admin_docker_src_files_path }}" + pull: yes + when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_container_self_build|bool" + +- name: Ensure matrix-synapse-admin.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-synapse-admin.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-synapse-admin.service" + mode: 0644 + register: matrix_synapse_admin_systemd_service_result + when: matrix_synapse_admin_enabled|bool + +- name: Ensure systemd reloaded after matrix-synapse-admin.service installation + service: + daemon_reload: yes + when: "matrix_synapse_admin_enabled|bool and matrix_synapse_admin_systemd_service_result.changed" + +# +# Tasks related to getting rid of matrix-synapse-admin (if it was previously enabled) +# + +- name: Check existence of matrix-synapse-admin service + stat: + path: "{{ matrix_systemd_path }}/matrix-synapse-admin.service" + register: matrix_synapse_admin_service_stat + +- name: Ensure matrix-synapse-admin is stopped + service: + name: matrix-synapse-admin + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_synapse_admin_enabled|bool and matrix_synapse_admin_service_stat.stat.exists" + +- name: Ensure matrix-synapse-admin.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-synapse-admin.service" + state: absent + when: "not matrix_synapse_admin_enabled|bool and matrix_synapse_admin_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-synapse-admin.service removal + service: + daemon_reload: yes + when: "not matrix_synapse_admin_enabled|bool and matrix_synapse_admin_service_stat.stat.exists" + +- name: Ensure matrix-synapse-admin Docker image doesn't exist + docker_image: + name: "{{ matrix_synapse_admin_docker_image }}" + state: absent + when: "not matrix_synapse_admin_enabled|bool" diff --git a/roles/matrix-synapse-admin/tasks/validate_config.yml b/roles/matrix-synapse-admin/tasks/validate_config.yml new file mode 100644 index 00000000..e08680e0 --- /dev/null +++ b/roles/matrix-synapse-admin/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'} diff --git a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 new file mode 100644 index 00000000..4823d89c --- /dev/null +++ b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix-synapse-admin +{% for service in matrix_synapse_admin_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_synapse_admin_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse-admin \ + --log-driver=none \ + --cap-drop=ALL \ + --cap-add=CHOWN \ + --cap-add=NET_BIND_SERVICE \ + --cap-add=SETUID \ + --cap-add=SETGID \ + --network={{ matrix_docker_network }} \ + {% if matrix_synapse_admin_container_http_host_bind_port %} + -p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \ + {% endif %} + {% for arg in matrix_synapse_admin_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_synapse_admin_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse-admin 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse-admin 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-synapse-admin + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml new file mode 100644 index 00000000..02b8d157 --- /dev/null +++ b/roles/matrix-synapse/defaults/main.yml @@ -0,0 +1,612 @@ +# Synapse is a Matrix homeserver +# See: https://github.com/matrix-org/synapse + +matrix_synapse_enabled: true + +matrix_synapse_container_image_self_build: false +matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/synapse.git" + +matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}" +matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else matrix_container_global_registry_prefix }}" +# The if statement below may look silly at times (leading to the same version being returned), +# but ARM-compatible container images are only released 1-7 hours after a release, +# so we may often be on different versions for different architectures when new Synapse releases come out. +# +# amd64 gets released first. +# arm32 relies on self-building, so the same version can be built immediately. +# arm64 users need to wait for a prebuilt image to become available. +matrix_synapse_version: v1.38.0 +matrix_synapse_version_arm64: v1.38.0 +matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" +matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" + +matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" +matrix_synapse_docker_src_files_path: "{{ matrix_synapse_base_path }}/docker-src" +matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" +matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" +matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" +matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" + +# Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/8008 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. +matrix_synapse_container_client_api_host_bind_port: '' + +# Controls whether the matrix-synapse container exposes the plain (unencrypted) Server/Server (Federation) API port (tcp/8048 in the container). +# +# Takes effect only if federation is enabled (matrix_synapse_federation_enabled). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8048"), or empty string to not expose. +matrix_synapse_container_federation_api_plain_host_bind_port: '' + +# Controls whether the matrix-synapse container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container). +# +# Takes effect only if federation is enabled (matrix_synapse_federation_enabled) +# and TLS support is enabled (matrix_synapse_tls_federation_listener_enabled). +# +# Takes an ":" or "" value (e.g. "8448"), or empty string to not expose. +matrix_synapse_container_federation_api_tls_host_bind_port: '' + +# Controls whether the matrix-synapse container exposes the metrics port (tcp/9100 in the container). +# +# Takes effect only if metrics are enabled (matrix_synapse_metrics_enabled). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +matrix_synapse_container_metrics_api_host_bind_port: '' + +# Controls whether the matrix-synapse container exposes the manhole port (tcp/9000 in the container). +# +# Takes effect only if the manhole is enabled (matrix_synapse_manhole_enabled). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +matrix_synapse_container_manhole_api_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_synapse_container_extra_arguments: [] + +# List of systemd services that matrix-synapse.service depends on +matrix_synapse_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-synapse.service wants +matrix_synapse_systemd_wanted_services_list: [] + +matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.8/site-packages" + +# Specifies which template files to use when configuring Synapse. +# If you'd like to have your own different configuration, feel free to copy and paste +# the original files into your inventory (e.g. in `inventory/host_vars//`) +# and then change the specific host's `vars.yaml` file like this: +# matrix_synapse_template_synapse_homeserver: "{{ playbook_dir }}/inventory/host_vars//homeserver.yaml.j2" +matrix_synapse_template_synapse_homeserver: "{{ role_path }}/templates/synapse/homeserver.yaml.j2" +matrix_synapse_template_synapse_log: "{{ role_path }}/templates/synapse/synapse.log.config.j2" + +matrix_synapse_macaroon_secret_key: "" +matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}" +matrix_synapse_allow_guest_access: false +matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" + +matrix_synapse_max_upload_size_mb: 50 + +# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. +matrix_synapse_tmp_directory_size_mb: "{{ matrix_synapse_max_upload_size_mb * 50 }}" + +# Log levels +# Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels +# warning: setting log level to DEBUG will make synapse log sensitive information such +# as access tokens. +# +# Increasing verbosity may lead to an excessive amount of log messages being generated, +# some of which may get dropped by systemd-journald on certain distributions (like CentOS 7). +# You can work around it by adding `RateLimitInterval=0` and `RateLimitBurst=0` under `[Storage]` in +# `/etc/systemd/journald.conf` and restarting the logging service (`systemctl restart systemd-journald`). +matrix_synapse_log_level: "WARNING" +matrix_synapse_storage_sql_log_level: "WARNING" +matrix_synapse_root_log_level: "WARNING" + +# Rate limits +matrix_synapse_rc_message: + per_second: 0.2 + burst_count: 10 + +matrix_synapse_rc_registration: + per_second: 0.17 + burst_count: 3 + +matrix_synapse_rc_login: + address: + per_second: 0.17 + burst_count: 3 + account: + per_second: 0.17 + burst_count: 3 + failed_attempts: + per_second: 0.17 + burst_count: 3 + +matrix_synapse_rc_admin_redaction: + per_second: 1 + burst_count: 50 + +matrix_synapse_rc_joins: + local: + per_second: 0.1 + burst_count: 3 + remote: + per_second: 0.01 + burst_count: 3 + +matrix_synapse_rc_federation: + window_size: 1000 + sleep_limit: 10 + sleep_delay: 500 + reject_limit: 50 + concurrent: 3 + +matrix_synapse_federation_rr_transactions_per_room_per_second: 50 + +# Controls whether the TLS federation listener is enabled (tcp/8448). +# Only makes sense if federation is enabled (`matrix_synapse_federation_enabled`). +# Note that federation may potentially be enabled as non-TLS on tcp/8048 as well. +# If you're serving Synapse behind an HTTPS-capable reverse-proxy, +# you can disable the TLS listener (`matrix_synapse_tls_federation_listener_enabled: false`). +matrix_synapse_tls_federation_listener_enabled: true +matrix_synapse_tls_certificate_path: "/data/{{ matrix_server_fqn_matrix }}.tls.crt" +matrix_synapse_tls_private_key_path: "/data/{{ matrix_server_fqn_matrix }}.tls.key" + +# Resource names used by the unsecure HTTP listener. Here only the Client API +# is defined, see the homeserver config for a full list of valid resource +# names. +matrix_synapse_http_listener_resource_names: ["client"] + +# Resources served on Synapse's federation port. +# When disabling federation, we may wish to serve the `openid` resource here, +# so that services like Dimension and ma1sd can work. +matrix_synapse_federation_listener_resource_names: "{{ ['federation'] if matrix_synapse_federation_enabled else (['openid'] if matrix_synapse_federation_port_openid_resource_required else []) }}" + +# Enable this to allow Synapse to report utilization statistics about your server to matrix.org +# (things like number of users, number of messages sent, uptime, load, etc.) +matrix_synapse_report_stats: false + +# Controls whether the Matrix server will track presence status (online, offline, unavailable) for users. +# If users participate in large rooms with many other servers, +# disabling this will decrease server load significantly. +matrix_synapse_presence_enabled: true + +# Controls whether accessing the server's public rooms directory can be done without authentication. +# For private servers, you most likely wish to require authentication, +# unless you know what list of rooms you're publishing to the world and explicitly want to do it. +matrix_synapse_allow_public_rooms_without_auth: false + +# Controls whether remote servers can fetch this server's public rooms directory via federation. +# For private servers, you most likely wish to forbid it. +matrix_synapse_allow_public_rooms_over_federation: false + +# Whether to require authentication to retrieve profile data (avatars, +# display names) of other users through the client API. Defaults to +# 'false'. Note that profile data is also available via the federation +# API, so this setting is of limited value if federation is enabled on +# the server. +matrix_synapse_require_auth_for_profile_requests: false + +# Set to true to require a user to share a room with another user in order +# to retrieve their profile information. Only checked on Client-Server +# requests. Profile requests from other servers should be checked by the +# requesting server. Defaults to 'false'. +matrix_synapse_limit_profile_requests_to_users_who_share_rooms: false + +# Set to false to prevent a user's profile data from being retrieved and +# displayed in a room until they have joined it. By default, a user's +# profile data is included in an invite event, regardless of the values +# of the above two settings, and whether or not the users share a server. +# Defaults to 'true'. +matrix_synapse_include_profile_data_on_invite: true + +# Controls whether people with access to the homeserver can register by themselves. +matrix_synapse_enable_registration: false + +# reCAPTCHA API for validating registration attempts +matrix_synapse_enable_registration_captcha: false +matrix_synapse_recaptcha_public_key: '' +matrix_synapse_recaptcha_private_key: '' + +# Allows non-server-admin users to create groups on this server +matrix_synapse_enable_group_creation: false + +# A list of 3PID types which users must supply when registering (possible values: email, msisdn). +matrix_synapse_registrations_require_3pid: [] + +# A list of patterns 3pids must match in order to permit registration, e.g.: +# - medium: email +# pattern: '.*@example\.com' +# - medium: msisdn +# pattern: '\+44' +matrix_synapse_allowed_local_3pids: [] + +# The server to use for email threepid validation. When empty, Synapse does it by itself. +# Otherwise, this should be pointed to an identity server. +matrix_synapse_account_threepid_delegates_email: '' + +# The server to use for phone number threepid validation. When empty, validation cannot happen, as Synapse doesn't support it. +# To make it work, this should be pointed to an identity server. +matrix_synapse_account_threepid_delegates_msisdn: '' + +# Users who register on this homeserver will automatically be joined to these rooms. +# Rooms are to be specified using addresses (e.g. `#address:example.com`) +matrix_synapse_auto_join_rooms: [] + +# Controls whether auto-join rooms (`matrix_synapse_auto_join_rooms`) are to be created +# automatically if they don't already exist. +matrix_synapse_autocreate_auto_join_rooms: true + +# Controls password-peppering for Synapse. Not to be changed after initial setup. +matrix_synapse_password_config_pepper: "" + +# Controls if Synapse allows people to authenticate against its local database. +# It may be useful to disable this if you've configured additional password providers +# and only wish authentication to happen through them. +matrix_synapse_password_config_localdb_enabled: true + +# Controls the number of events that Synapse caches in memory. +matrix_synapse_event_cache_size: "100K" + +# Controls cache sizes for Synapse. +# Raise this to increase cache sizes or lower it to potentially lower memory use. +# To learn more, see: +# - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram +# - https://github.com/matrix-org/synapse/issues/3939 +matrix_synapse_caches_global_factor: 0.5 + +# Controls whether Synapse will federate at all. +# Disable this to completely isolate your server from the rest of the Matrix network. +# +# Disabling this still keeps the federation port exposed, because it may be used for other services (`openid`). +# +# Also see: +# - `matrix_synapse_tls_federation_listener_enabled` if you wish to keep federation enabled, +# but want to stop the TLS listener (port 8448). +# - `matrix_synapse_federation_port_enabled` to avoid exposing the federation ports +matrix_synapse_federation_enabled: true + +# Controls whether the federation ports are used at all. +# One may wish to disable federation (`matrix_synapse_federation_enabled: true`), +# but still run other resources (like `openid`) on the federation port +# by enabling them in `matrix_synapse_federation_listener_resource_names`. +matrix_synapse_federation_port_enabled: "{{ matrix_synapse_federation_enabled or matrix_synapse_federation_port_openid_resource_required }}" + +# Controls whether an `openid` listener is to be enabled. Useful when disabling federation, +# but needing the `openid` APIs for Dimension or an identity server like ma1sd. +matrix_synapse_federation_port_openid_resource_required: false + +# A list of domain names that are allowed to federate with the given Synapse server. +# An empty list value (`[]`) will also effectively stop federation, but if that's the desired +# result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`. +matrix_synapse_federation_domain_whitelist: ~ + +# A list of additional "volumes" to mount in the container. +# This list gets populated dynamically based on Synapse extensions that have been enabled. +# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} +# +# Note: internally, this uses the `-v` flag for mounting the specified volumes. +# It's better (safer) to use the `--mount` flag for mounting volumes. +# To use `--mount`, specify it in `matrix_synapse_container_extra_arguments`. +# Example: `matrix_synapse_container_extra_arguments: ['--mount type=bind,src=/outside,dst=/inside,ro'] +matrix_synapse_container_additional_volumes: [] + +# A list of additional loggers to register in synapse.log.config. +# This list gets populated dynamically based on Synapse extensions that have been enabled. +# Contains definition objects like this: `{"name": "..", "level": "DEBUG"} +matrix_synapse_additional_loggers: [] + +# A list of appservice config files (in-container filesystem paths). +# This list gets populated dynamically based on Synapse extensions that have been enabled. +# You may wish to use this together with `matrix_synapse_container_additional_volumes` or `matrix_synapse_container_extra_arguments`. +matrix_synapse_app_service_config_files: [] + +# This is set dynamically during execution depending on whether +# any password providers have been enabled or not. +matrix_synapse_password_providers_enabled: false + +# Whether clients can request to include message content in push notifications +# sent through third party servers. Setting this to false requires mobile clients +# to load message content directly from the homeserver. +matrix_synapse_push_include_content: true + +# If url previews should be generated. This will cause a request from Synapse to +# URLs shared by users. +matrix_synapse_url_preview_enabled: true + +# Enable exposure of metrics to Prometheus +# See https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md +matrix_synapse_metrics_enabled: false +matrix_synapse_metrics_port: 9100 + +# Enable the Synapse manhole +# See https://github.com/matrix-org/synapse/blob/master/docs/manhole.md +matrix_synapse_manhole_enabled: false + +# Enable support for Synapse workers +matrix_synapse_workers_enabled: false + +# Specifies worker configuration that should be used when workers are enabled. +# +# The posible values (as seen in `matrix_synapse_workers_presets`) are: +# - "little-federation-helper" - a very minimal worker configuration to improve federation performance +# - "one-of-each" - one worker of each supported type +# +# You can override `matrix_synapse_workers_presets` to define your own presets, which is ill-advised, because it's fragile. +# To use a more custom configuration, start with one of these presets as a base and configure `matrix_synapse_workers_*_count` variables manually, to suit your liking. +matrix_synapse_workers_preset: one-of-each + +matrix_synapse_workers_presets: + little-federation-helper: + generic_workers_count: 0 + pusher_workers_count: 0 + appservice_workers_count: 0 + federation_sender_workers_count: 1 + media_repository_workers_count: 0 + user_dir_workers_count: 0 + frontend_proxy_workers_count: 0 + one-of-each: + generic_workers_count: 1 + pusher_workers_count: 1 + appservice_workers_count: 1 + federation_sender_workers_count: 1 + media_repository_workers_count: 1 + # Disabled until https://github.com/matrix-org/synapse/issues/8787 is resolved. + user_dir_workers_count: 0 + frontend_proxy_workers_count: 1 + +# Controls whether the matrix-synapse container exposes the various worker ports +# (see `port` and `metrics_port` in `matrix_synapse_workers_enabled_list`) outside of the container. +# +# Takes an "" value (e.g. "127.0.0.1", "0.0.0.0", etc), or empty string to not expose. +# It takes "*" to signify "bind on all interfaces" ("0.0.0.0" is IPv4-only). +matrix_synapse_workers_container_host_bind_address: '' + +matrix_synapse_workers_generic_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['generic_workers_count'] }}" +matrix_synapse_workers_generic_workers_port_range_start: 18111 +matrix_synapse_workers_generic_workers_metrics_range_start: 19111 + +# matrix_synapse_workers_pusher_workers_count can only be 0 or 1 for now. +# More instances are not supported due to a playbook limitation having to do with keeping `pusher_instances` in `homeserver.yaml` updated. +# See https://github.com/matrix-org/synapse/commit/ddfdf945064925eba761ae3748e38f3a1c73c328 +matrix_synapse_workers_pusher_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['pusher_workers_count'] }}" +matrix_synapse_workers_pusher_workers_metrics_range_start: 19200 + +# matrix_synapse_workers_appservice_workers_count can only be 0 or 1. More instances are not supported. +matrix_synapse_workers_appservice_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['appservice_workers_count'] }}" +matrix_synapse_workers_appservice_workers_metrics_range_start: 19300 + +# matrix_synapse_workers_federation_sender_workers_count can only be 0 or 1 for now. +# More instances are not supported due to a playbook limitation having to do with keeping `federation_sender_instances` in `homeserver.yaml` updated. +# See https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappfederation_sender +matrix_synapse_workers_federation_sender_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['federation_sender_workers_count'] }}" +matrix_synapse_workers_federation_sender_workers_metrics_range_start: 19400 + +matrix_synapse_workers_media_repository_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['media_repository_workers_count'] }}" +matrix_synapse_workers_media_repository_workers_port_range_start: 18551 +matrix_synapse_workers_media_repository_workers_metrics_range_start: 19551 + +# Disabled until https://github.com/matrix-org/synapse/issues/8787 is resolved. +matrix_synapse_workers_user_dir_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['user_dir_workers_count'] }}" +matrix_synapse_workers_user_dir_workers_port_range_start: 18661 +matrix_synapse_workers_user_dir_workers_metrics_range_start: 19661 + +matrix_synapse_workers_frontend_proxy_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['frontend_proxy_workers_count'] }}" +matrix_synapse_workers_frontend_proxy_workers_port_range_start: 18771 +matrix_synapse_workers_frontend_proxy_workers_metrics_range_start: 19771 + +# Default list of workers to spawn. +# +# Unless you populate this manually, this list is dynamically generated +# based on other variables above: +# - `matrix_synapse_workers_*_workers_count` +# - `matrix_synapse_workers_*_workers_port_range_start` +# - `matrix_synapse_workers_*_workers_port_metrics_range_start` +# +# We advise that you use those variables and let this list be populated dynamically. +# Doing that is simpler and also protects you from shooting yourself in the foot, +# as certain workers can only be spawned just once. +# +# Each worker instance in the list defines the following fields: +# - `type` - the type of worker (`generic_worker`, etc.) +# - `instanceId` - a string that identifies the worker. The combination of (`type` + `instanceId`) represents the name of the worker and must be unique. +# - `port` - an HTTP port where the worker listens for requests (can be `0` for workers that don't do HTTP request processing) +# - `metrics_port` - an HTTP port where the worker exports Prometheus metrics +# +# Example of what this needs to look like, if you're defining it manually: +# matrix_synapse_workers_enabled_list: +# - { type: generic_worker, instanceId: '18111', port: 18111, metrics_port: 19111 } +# - { type: generic_worker, instanceId: '18112', port: 18112, metrics_port: 19112 } +# - { type: generic_worker, instanceId: '18113', port: 18113, metrics_port: 19113 } +# - { type: generic_worker, instanceId: '18114', port: 18114, metrics_port: 19114 } +# - { type: generic_worker, instanceId: '18115', port: 18115, metrics_port: 19115 } +# - { type: generic_worker, instanceId: '18116', port: 18116, metrics_port: 19116 } +# - { type: pusher, instanceId: '0', port: 0, metrics_port: 19200 } +# - { type: appservice, instanceId: '0', port: 0, metrics_port: 19300 } +# - { type: federation_sender, instanceId: '0', port: 0, metrics_port: 19400 } +# - { type: media_repository, instanceId: '18551', port: 18551, metrics_port: 19551 } +matrix_synapse_workers_enabled_list: [] + +# Redis information +matrix_synapse_redis_enabled: false +matrix_synapse_redis_host: "" +matrix_synapse_redis_port: 6379 +matrix_synapse_redis_password: "" + +# Controls whether Synapse starts a replication listener necessary for workers. +# +# If Redis is available, we prefer to use that, instead of talking over Synapse's custom replication protocol. +# +# matrix_synapse_replication_listener_enabled: "{{ matrix_synapse_workers_enabled and not matrix_redis_enabled }}" +# We force-enable this listener for now until we debug why communication via Redis fails. +matrix_synapse_replication_listener_enabled: true + +# Port used for communication between main synapse process and workers. +# Only gets used if `matrix_synapse_replication_listener_enabled: true` +matrix_synapse_replication_http_port: 9093 + +# Send ERROR logs to sentry.io for easier tracking +# To set this up: go to sentry.io, create a python project, and set +# matrix_synapse_sentry_dsn to the URL it gives you. +# See https://github.com/matrix-org/synapse/issues/4632 for important privacy concerns +matrix_synapse_sentry_dsn: "" + +# Postgres database information +matrix_synapse_database_host: "matrix-postgres" +matrix_synapse_database_port: 5432 +matrix_synapse_database_user: "synapse" +matrix_synapse_database_password: "" +matrix_synapse_database_database: "synapse" + +matrix_synapse_turn_uris: [] +matrix_synapse_turn_shared_secret: "" +matrix_synapse_turn_allow_guests: False + +matrix_synapse_email_enabled: false +matrix_synapse_email_smtp_host: "" +matrix_synapse_email_smtp_port: 587 +matrix_synapse_email_smtp_require_transport_security: false +matrix_synapse_email_notif_from: "Matrix " +matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_element }}" + + +# Enable this to activate the REST auth password provider module. +# See: https://github.com/ma1uta/matrix-synapse-rest-password-provider +matrix_synapse_ext_password_provider_rest_auth_enabled: false +matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/ma1uta/matrix-synapse-rest-password-provider/ed377fb70513c2e51b42055eb364195af1ccaf33/rest_auth_provider.py" +matrix_synapse_ext_password_provider_rest_auth_endpoint: "" +matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false +matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true +matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false + +# Enable this to activate the Shared Secret Auth password provider module. +# See: https://github.com/devture/matrix-synapse-shared-secret-auth +matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false +matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.2/shared_secret_authenticator.py" +matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "" + +# Enable this to activate LDAP password provider +matrix_synapse_ext_password_provider_ldap_enabled: false +matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389" +matrix_synapse_ext_password_provider_ldap_start_tls: true +matrix_synapse_ext_password_provider_ldap_base: "" +matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid" +matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail" +matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" +matrix_synapse_ext_password_provider_ldap_bind_dn: "" +matrix_synapse_ext_password_provider_ldap_bind_password: "" +matrix_synapse_ext_password_provider_ldap_filter: "" +matrix_synapse_ext_password_provider_ldap_active_directory: false +matrix_synapse_ext_password_provider_ldap_default_domain: "" + +# Enable this to activate the Synapse Antispam spam-checker module. +# See: https://github.com/t2bot/synapse-simple-antispam +matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled: false +matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "https://github.com/t2bot/synapse-simple-antispam" +matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "923ca5c85b08f157181721abbae50dd89c31e4b5" +matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: [] + +# Enable this to activate the Mjolnir Antispam spam-checker module. +# See: https://github.com/matrix-org/mjolnir#synapse-module +matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: false +matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url: "https://github.com/matrix-org/mjolnir" +matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "70f353fbbad0af469b1001080dea194d512b2815" +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true +# Flag messages sent by servers/users in the ban lists as spam. Currently +# this means that spammy messages will appear as empty to users. Default +# false. +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages: false +# Remove users from the user directory search by filtering matrix IDs and +# display names by the entries in the user ban list. Default false. +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false +# The room IDs of the ban lists to honour. Unlike other parts of Mjolnir, +# this list cannot be room aliases or permalinks. This server is expected +# to already be joined to the room - Mjolnir will not automatically join +# these rooms. +# ["!roomid:example.org"] +matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: [] + + +matrix_s3_media_store_enabled: false +matrix_s3_media_store_custom_endpoint_enabled: false +matrix_s3_goofys_docker_image: "ewoutp/goofys:latest" +matrix_s3_goofys_docker_image_force_pull: "{{ matrix_s3_goofys_docker_image.endswith(':latest') }}" +matrix_s3_media_store_custom_endpoint: "your-custom-endpoint" +matrix_s3_media_store_bucket_name: "your-bucket-name" +matrix_s3_media_store_aws_access_key: "your-aws-access-key" +matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" +matrix_s3_media_store_region: "eu-central-1" +matrix_s3_media_store_path: "{{ matrix_synapse_media_store_path }}" + +# Controls whether the self-check feature should validate SSL certificates. +matrix_synapse_self_check_validate_certificates: true + +# Controls whether searching the public room list is enabled. +matrix_synapse_enable_room_list_search: true + +# Controls who's allowed to create aliases on this server. +matrix_synapse_alias_creation_rules: + - user_id: "*" + alias: "*" + room_id: "*" + action: allow + +# Controls who can publish and which rooms can be published in the public room list. +matrix_synapse_room_list_publication_rules: + - user_id: "*" + alias: "*" + room_id: "*" + action: allow + +matrix_synapse_default_room_version: "6" + +# Controls the Synapse `spam_checker` setting. +# +# If a spam-checker extension is enabled, this variable's value is set automatically by the playbook during runtime. +# If not, you can also control its value manually. +matrix_synapse_spam_checker: [] + +matrix_synapse_trusted_key_servers: + - server_name: "matrix.org" + +matrix_synapse_redaction_retention_period: 7d + +matrix_synapse_user_ips_max_age: 28d + + +matrix_synapse_rust_synapse_compress_state_docker_image: "devture/rust-synapse-compress-state:v0.1.0" +matrix_synapse_rust_synapse_compress_state_docker_image_force_pull: "{{ matrix_synapse_rust_synapse_compress_state_docker_image.endswith(':latest') }}" + +matrix_synapse_rust_synapse_compress_state_base_path: "{{ matrix_base_data_path }}/rust-synapse-compress-state" + + +# Default Synapse configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_synapse_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_synapse_configuration_yaml: "{{ lookup('template', 'templates/synapse/homeserver.yaml.j2') }}" + +matrix_synapse_configuration_extension_yaml: | + # Your custom YAML configuration for Synapse goes here. + # This configuration extends the default starting configuration (`matrix_synapse_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_synapse_configuration_yaml`. + # + # Example configuration extension follows: + # + # server_notices: + # system_mxid_localpart: notices + # system_mxid_display_name: "Server Notices" + # system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" + # room_name: "Server Notices" + +matrix_synapse_configuration_extension: "{{ matrix_synapse_configuration_extension_yaml|from_yaml if matrix_synapse_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final Synapse configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_synapse_configuration_yaml`. +matrix_synapse_configuration: "{{ matrix_synapse_configuration_yaml|from_yaml|combine(matrix_synapse_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-synapse/files/workers-doc-to-yaml.awk b/roles/matrix-synapse/files/workers-doc-to-yaml.awk new file mode 100755 index 00000000..d9295e32 --- /dev/null +++ b/roles/matrix-synapse/files/workers-doc-to-yaml.awk @@ -0,0 +1,146 @@ +#!/usr/bin/awk +# Hackish approach to get a machine-readable list of current matrix +# synapse REST API endpoints from the official documentation at +# https://github.com/matrix-org/synapse/raw/master/docs/workers.md +# +# invoke in shell with: +# URL=https://github.com/matrix-org/synapse/raw/master/docs/workers.md +# curl -L ${URL} | awk -f workers-doc-to-yaml.awk - + +function worker_stanza_append(string) { + worker_stanza = worker_stanza string +} + +function line_is_endpoint_url(line) { + # probably API endpoint if it starts with white-space and ^ or / + return (line ~ /^ +[\^\/].*\//) +} + +# Put YAML marker at beginning of file. +BEGIN { + print "---" + endpoint_conditional_comment = " # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually\n" +} + +# Enable further processing after the introductory text. +# Read each synapse worker section as record and its lines as fields. +/Available worker applications/ { + enable_parsing = 1 + # set record separator to markdown section header + RS = "\n### " + # set field separator to newline + FS = "\n" +} + +# Once parsing is active, this will process each section as record. +enable_parsing { + # Each worker section starts with a synapse.app.X headline + if ($1 ~ /synapse\.app\./) { + + # get rid of the backticks and extract worker type from headline + gsub("`", "", $1) + gsub("synapse.app.", "", $1) + worker_type = $1 + + # initialize empty worker stanza + worker_stanza = "" + + # track if any endpoints are mentioned in a specific section + worker_has_urls = 0 + + # some endpoint descriptions contain flag terms + endpoints_seem_conditional = 0 + + # also, collect a list of available workers + workers = (workers ? workers "\n" : "") " - " worker_type + + # loop through the lines (2 - number of fields in record) + for (i = 2; i < NF + 1; i++) { + # copy line for gsub replacements + line = $i + + # end all lines but the last with a linefeed + linefeed = (i < NF - 1) ? "\n" : "" + + # line starts with white-space and a hash: endpoint block headline + if (line ~ /^ +#/) { + + # copy to output verbatim, normalizing white-space + gsub(/^ +/, "", line) + worker_stanza_append(" " line linefeed) + + } else if (line_is_endpoint_url(line)) { + + # mark section for special output formatting + worker_has_urls = 1 + + # remove leading white-space + gsub(/^ +/, "", line) + api_endpoint_regex = line + + # FIXME: https://github.com/matrix-org/synapse/issues/new + # munge inconsistent media_repository endpoint notation + if (api_endpoint_regex == "/_matrix/media/") { + api_endpoint_regex = "^" line + } + + # FIXME: https://github.com/matrix-org/synapse/issues/7530 + # https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456#issuecomment-719015911 + if (api_endpoint_regex == "^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$") { + worker_stanza_append(" # FIXME: possible bug with SSO and multiple generic workers\n") + worker_stanza_append(" # see https://github.com/matrix-org/synapse/issues/7530\n") + worker_stanza_append(" # " api_endpoint_regex linefeed) + continue + } + + # disable endpoints which specify complications + if (endpoints_seem_conditional) { + # only add notice if previous line didn't match + if (!line_is_endpoint_url($(i - 1))) { + worker_stanza_append(endpoint_conditional_comment) + } + worker_stanza_append(" # " api_endpoint_regex linefeed) + } else { + # output endpoint regex + worker_stanza_append(" - " api_endpoint_regex linefeed) + } + + # white-space only line? + } else if (line ~ /^ *$/) { + + if (i > 3 && i < NF) { + # print white-space lines unless 1st or last line in section + worker_stanza_append(line linefeed) + } + + # nothing of the above: the line is regular documentation text + } else { + + # include this text line as comment + worker_stanza_append(" # " line linefeed) + + # and take note of words hinting at additional conditions to be met + if (line ~ /(^| )[Ii]f |(^| )[Ff]or /) { + endpoints_seem_conditional = 1 + } + } + } + + if (worker_has_urls) { + print "\nmatrix_synapse_workers_" worker_type "_endpoints:" + print worker_stanza + } else { + # include workers without endpoints as well for reference + print "\n# " worker_type " worker (no API endpoints) [" + print worker_stanza + print "# ]" + } + } +} + +END { + print "\nmatrix_synapse_workers_avail_list:" + print workers | "sort" +} + +# vim: tabstop=4 shiftwidth=4 expandtab autoindent diff --git a/roles/matrix-synapse/files/workers-doc-to-yaml.sh b/roles/matrix-synapse/files/workers-doc-to-yaml.sh new file mode 100755 index 00000000..5981523b --- /dev/null +++ b/roles/matrix-synapse/files/workers-doc-to-yaml.sh @@ -0,0 +1,6 @@ +#!/bin/sh +# Fetch the synapse worker documentation and extract endpoint URLs +# matrix-org/synapse master branch points to current stable release + +URL=https://github.com/matrix-org/synapse/raw/master/docs/workers.md +curl -L ${URL} | awk -f workers-doc-to-yaml.awk > ../vars/workers.yml diff --git a/roles/matrix-synapse/tasks/ext/ldap-auth/setup.yml b/roles/matrix-synapse/tasks/ext/ldap-auth/setup.yml new file mode 100644 index 00000000..e760626d --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/ldap-auth/setup.yml @@ -0,0 +1,8 @@ +- set_fact: + matrix_synapse_password_providers_enabled: true + + matrix_synapse_additional_loggers: > + {{ matrix_synapse_additional_loggers }} + + + {{ [{'name': 'ldap_auth_provider', 'level': 'INFO'}] }} + when: matrix_synapse_ext_password_provider_ldap_enabled|bool diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml new file mode 100644 index 00000000..6c45f469 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml" + when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_uninstall.yml" + when: "not matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled|bool" diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml new file mode 100644 index 00000000..a416e42b --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_install.yml @@ -0,0 +1,52 @@ +--- + +- name: Ensure git installed (RedHat) + yum: + name: + - git + state: present + update_cache: no + when: "ansible_os_family == 'RedHat'" + +- name: Ensure git installed (Debian) + apt: + name: + - git + state: present + update_cache: no + when: "ansible_os_family == 'Debian'" + +- name: Ensure git installed (Archlinux) + pacman: + name: + - git + state: present + update_cache: no + when: "ansible_distribution == 'Archlinux'" + +- name: Clone mjolnir-antispam git repository + git: + repo: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url }}" + version: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version }}" + dest: "{{ matrix_synapse_ext_path }}/mjolnir" + become: true + become_user: "{{ matrix_user_username }}" + +- set_fact: + matrix_synapse_spam_checker: > + {{ matrix_synapse_spam_checker }} + + + [{ + "module": "mjolnir.AntiSpam", + "config": { + "block_invites": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites }}, + "block_messages": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_messages }}, + "block_usernames": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames }}, + "ban_lists": {{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists }} + } + }] + + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_synapse_ext_path }}/mjolnir/synapse_antispam/mjolnir,dst={{ matrix_synapse_in_container_python_packages_path }}/mjolnir,ro"] diff --git a/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml new file mode 100644 index 00000000..f8439a87 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/mjolnir-antispam/setup_uninstall.yml @@ -0,0 +1,6 @@ +--- + +- name: Ensure mjolnir-antispam doesn't exist + file: + path: "{{ matrix_synapse_ext_path }}/mjolnir" + state: absent diff --git a/roles/matrix-synapse/tasks/ext/rest-auth/setup.yml b/roles/matrix-synapse/tasks/ext/rest-auth/setup.yml new file mode 100644 index 00000000..0270784a --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/rest-auth/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_install.yml" + when: matrix_synapse_ext_password_provider_rest_auth_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup_uninstall.yml" + when: "not matrix_synapse_ext_password_provider_rest_auth_enabled|bool" diff --git a/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml b/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml new file mode 100644 index 00000000..634b1ca5 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml @@ -0,0 +1,28 @@ +--- + +- name: Fail if REST Auth endpoint not configured + fail: + msg: "You have enabled the REST Auth password provider, but have not configured its endpoint in the `matrix_synapse_ext_password_provider_rest_auth_endpoint` variable. Consult the documentation." + when: "matrix_synapse_ext_password_provider_rest_auth_endpoint == ''" + +- name: Download matrix-synapse-rest-auth + get_url: + url: "{{ matrix_synapse_ext_password_provider_rest_auth_download_url }}" + dest: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py" + force: true + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- set_fact: + matrix_synapse_password_providers_enabled: true + + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_synapse_ext_path }}/rest_auth_provider.py,dst={{ matrix_synapse_in_container_python_packages_path }}/rest_auth_provider.py,ro"] + + matrix_synapse_additional_loggers: > + {{ matrix_synapse_additional_loggers }} + + + {{ [{'name': 'rest_auth_provider', 'level': 'INFO'}] }} diff --git a/roles/matrix-synapse/tasks/ext/rest-auth/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/rest-auth/setup_uninstall.yml new file mode 100644 index 00000000..be8ad600 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/rest-auth/setup_uninstall.yml @@ -0,0 +1,6 @@ +--- + +- name: Ensure matrix-synapse-rest-auth doesn't exist + file: + path: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py" + state: absent diff --git a/roles/matrix-synapse/tasks/ext/setup.yml b/roles/matrix-synapse/tasks/ext/setup.yml new file mode 100644 index 00000000..31637fa9 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/setup.yml @@ -0,0 +1,11 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup.yml" diff --git a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml new file mode 100644 index 00000000..ed8d0197 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_install.yml" + when: matrix_synapse_ext_password_provider_shared_secret_auth_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup_uninstall.yml" + when: "not matrix_synapse_ext_password_provider_shared_secret_auth_enabled|bool" diff --git a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml new file mode 100644 index 00000000..af92041d --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml @@ -0,0 +1,28 @@ +--- + +- name: Fail if Shared Secret Auth secret not set + fail: + msg: "Shared Secret Auth is enabled, but no secret has been set in matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret" + when: "matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret == ''" + +- name: Download matrix-synapse-shared-secret-auth + get_url: + url: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_download_url }}" + dest: "{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py" + force: true + mode: 0440 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- set_fact: + matrix_synapse_password_providers_enabled: true + + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_synapse_ext_path }}/shared_secret_authenticator.py,dst={{ matrix_synapse_in_container_python_packages_path }}/shared_secret_authenticator.py,ro"] + + matrix_synapse_additional_loggers: > + {{ matrix_synapse_additional_loggers }} + + + {{ [{'name': 'shared_secret_authenticator', 'level': 'INFO'}] }} diff --git a/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_uninstall.yml new file mode 100644 index 00000000..e564909e --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_uninstall.yml @@ -0,0 +1,6 @@ +--- + +- name: Ensure matrix-synapse-shared-secret-auth doesn't exist + file: + path: "{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py" + state: absent diff --git a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml new file mode 100644 index 00000000..efd4a027 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml" + when: matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_uninstall.yml" + when: "not matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled|bool" diff --git a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml new file mode 100644 index 00000000..2599e7f1 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml @@ -0,0 +1,54 @@ +--- + +- name: Fail if Synapse Simple Antispam blocked homeservers is not set + fail: + msg: "Synapse Simple Antispam is enabled, but no blocked homeservers have been set in matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers" + when: "matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers|length == 0" + +- name: Ensure git installed (RedHat) + yum: + name: + - git + state: present + update_cache: no + when: "ansible_os_family == 'RedHat'" + +- name: Ensure git installed (Debian) + apt: + name: + - git + state: present + update_cache: no + when: "ansible_os_family == 'Debian'" + +- name: Ensure git installed (Archlinux) + pacman: + name: + - git + state: present + update_cache: no + when: "ansible_distribution == 'Archlinux'" + +- name: Clone synapse-simple-antispam git repository + git: + repo: "{{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url }}" + version: "{{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version }}" + dest: "{{ matrix_synapse_ext_path }}/synapse-simple-antispam" + become: true + become_user: "{{ matrix_user_username }}" + +- set_fact: + matrix_synapse_spam_checker: > + {{ matrix_synapse_spam_checker }} + + + [{ + "module": "synapse_simple_antispam.AntiSpamInvites", + "config": { + "blocked_homeservers": {{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers }} + } + }] + + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_synapse_ext_path }}/synapse-simple-antispam/synapse_simple_antispam,dst={{ matrix_synapse_in_container_python_packages_path }}/synapse_simple_antispam,ro"] diff --git a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_uninstall.yml b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_uninstall.yml new file mode 100644 index 00000000..14cefc72 --- /dev/null +++ b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_uninstall.yml @@ -0,0 +1,6 @@ +--- + +- name: Ensure synapse-simple-antispam doesn't exist + file: + path: "{{ matrix_synapse_ext_path }}/synapse-simple-antispam" + state: absent diff --git a/roles/matrix-synapse/tasks/goofys/setup.yml b/roles/matrix-synapse/tasks/goofys/setup.yml new file mode 100644 index 00000000..6370408d --- /dev/null +++ b/roles/matrix-synapse/tasks/goofys/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/goofys/setup_install.yml" + when: matrix_s3_media_store_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/goofys/setup_uninstall.yml" + when: "not matrix_s3_media_store_enabled|bool" diff --git a/roles/matrix-synapse/tasks/goofys/setup_install.yml b/roles/matrix-synapse/tasks/goofys/setup_install.yml new file mode 100644 index 00000000..b5e95614 --- /dev/null +++ b/roles/matrix-synapse/tasks/goofys/setup_install.yml @@ -0,0 +1,41 @@ +- name: Ensure Goofys Docker image is pulled + docker_image: + name: "{{ matrix_s3_goofys_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_s3_goofys_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_s3_goofys_docker_image_force_pull }}" + +# This will throw a Permission Denied error if already mounted +- name: Check Matrix Goofys external storage mountpoint path + stat: + path: "{{ matrix_s3_media_store_path }}" + register: local_path_matrix_s3_media_store_path_stat + ignore_errors: yes + +- name: Ensure Matrix Goofys external storage mountpoint exists + file: + path: "{{ matrix_s3_media_store_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "not local_path_matrix_s3_media_store_path_stat.failed and not local_path_matrix_s3_media_store_path_stat.stat.exists" + +- name: Ensure goofys environment variables file created + template: + src: "{{ role_path }}/templates/goofys/env-goofys.j2" + dest: "{{ matrix_synapse_config_dir_path }}/env-goofys" + owner: root + mode: 0600 + +- name: Ensure matrix-goofys.service installed + template: + src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-goofys.service" + mode: 0644 + register: matrix_goofys_systemd_service_result + +- name: Ensure systemd reloaded after matrix-goofys.service installation + service: + daemon_reload: yes + when: "matrix_goofys_systemd_service_result.changed" diff --git a/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml b/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml new file mode 100644 index 00000000..91d43456 --- /dev/null +++ b/roles/matrix-synapse/tasks/goofys/setup_uninstall.yml @@ -0,0 +1,33 @@ +- name: Check existence of matrix-goofys service + stat: + path: "{{ matrix_systemd_path }}/matrix-goofys.service" + register: matrix_goofys_service_stat + +- name: Ensure matrix-goofys is stopped + service: + name: matrix-goofys + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_goofys_service_stat.stat.exists" + +- name: Ensure matrix-goofys.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-goofys.service" + state: absent + when: "matrix_goofys_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-goofys.service removal + service: + daemon_reload: yes + when: "matrix_goofys_service_stat.stat.exists" + +- name: Ensure goofys environment variables file doesn't exist + file: + path: "{{ matrix_synapse_config_dir_path }}/env-goofys" + state: absent + +- name: Ensure Goofys Docker image doesn't exist + docker_image: + name: "{{ matrix_s3_goofys_docker_image }}" + state: absent diff --git a/roles/matrix-synapse/tasks/import_media_store.yml b/roles/matrix-synapse/tasks/import_media_store.yml new file mode 100644 index 00000000..487bcb35 --- /dev/null +++ b/roles/matrix-synapse/tasks/import_media_store.yml @@ -0,0 +1,83 @@ +--- + +# Pre-checks + +- name: Fail if playbook called incorrectly + fail: + msg: "The `server_path_media_store` variable needs to be provided to this playbook, via --extra-vars" + when: "server_path_media_store is not defined or server_path_media_store.startswith('<')" + +- name: Fail if media store is on Amazon S3 + fail: + msg: "Your media store is on Amazon S3. Due to technical limitations, restoring is not supported." + when: matrix_s3_media_store_enabled|bool + +- name: Check if the provided media store directory exists + stat: + path: "{{ server_path_media_store }}" + register: server_path_media_store_stat + +- name: Fail if provided media store directory doesn't exist on the server + fail: + msg: "{{ server_path_media_store }} cannot be found on the server" + when: "not server_path_media_store_stat.stat.exists or not server_path_media_store_stat.stat.isdir" + +- name: Check if media store contains local_content + stat: + path: "{{ server_path_media_store }}/local_content" + register: server_path_media_store_local_content_stat + +- name: Check if media store contains remote_content + stat: + path: "{{ server_path_media_store }}/remote_content" + register: server_path_media_store_remote_content_stat + +- name: Fail if media store directory doesn't look okay (lacking remote and local content) + fail: + msg: "{{ server_path_media_store }} contains neither local_content nor remote_content directories. It's most likely a mistake and is not a media store directory." + when: "not server_path_media_store_local_content_stat.stat.exists and not server_path_media_store_remote_content_stat.stat.exists" + + +# Actual import work + +- name: Ensure matrix-synapse is stopped + service: + name: matrix-synapse + state: stopped + daemon_reload: yes + register: stopping_result + +# This can only work with local files, not if the media store is on Amazon S3, +# as it won't be accessible in such a case. +- name: Ensure provided media store directory is synchronized + synchronize: + src: "{{ server_path_media_store }}/" + dest: "{{ matrix_synapse_media_store_path }}" + delete: yes + # It's wasteful to preserve owner/group now. We chown below anyway. + owner: no + group: no + times: yes + delegate_to: "{{ inventory_hostname }}" + +# This is for the generic case and fails in other cases (remote file systems), +# because in such cases the base path (matrix_synapse_media_store_path) is a mount point. +- name: Ensure media store permissions are correct (generic case) + file: + path: "{{ matrix_synapse_media_store_path }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + recurse: yes + when: "not matrix_s3_media_store_enabled|bool" + +# We don't chown for Goofys, because due to the way it's mounted, +# all files become owned by whoever needs to own them. + +- name: Ensure Synapse is started (if it previously was) + service: + name: "{{ item }}" + state: started + daemon_reload: yes + when: "stopping_result.changed" + with_items: + - matrix-synapse diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml new file mode 100644 index 00000000..bc23fc86 --- /dev/null +++ b/roles/matrix-synapse/tasks/init.yml @@ -0,0 +1,26 @@ +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + fail: + msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build and matrix_synapse_enabled" + +# Unless `matrix_synapse_workers_enabled_list` is explicitly defined, +# we'll generate it dynamically. +- import_tasks: "{{ role_path }}/tasks/synapse/workers/init.yml" + when: "matrix_synapse_enabled and matrix_synapse_workers_enabled and matrix_synapse_workers_enabled_list|length == 0" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse.service'] }}" + when: matrix_synapse_enabled|bool + +- name: Ensure systemd services for workers are injected + include_tasks: "{{ role_path }}/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml" + with_items: "{{ matrix_synapse_workers_enabled_list }}" + loop_control: + loop_var: matrix_synapse_worker_details + when: matrix_synapse_enabled|bool and matrix_synapse_workers_enabled|bool + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" + when: matrix_s3_media_store_enabled|bool diff --git a/roles/matrix-synapse/tasks/main.yml b/roles/matrix-synapse/tasks/main.yml new file mode 100644 index 00000000..8bf1c563 --- /dev/null +++ b/roles/matrix-synapse/tasks/main.yml @@ -0,0 +1,55 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: run_setup|bool and matrix_synapse_enabled|bool + tags: + - setup-all + - setup-synapse + +- import_tasks: "{{ role_path }}/tasks/setup_synapse.yml" + when: run_setup|bool + tags: + - setup-all + - setup-synapse + +- import_tasks: "{{ role_path }}/tasks/import_media_store.yml" + when: run_synapse_import_media_store|bool + tags: + - import-synapse-media-store + +- import_tasks: "{{ role_path }}/tasks/register_user.yml" + when: run_synapse_register_user|bool + tags: + - register-user + +- import_tasks: "{{ role_path }}/tasks/self_check_client_api.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check|bool + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml" + delegate_to: 127.0.0.1 + become: false + when: run_self_check|bool + tags: + - self-check + +- import_tasks: "{{ role_path }}/tasks/update_user_password.yml" + when: run_synapse_update_user_password|bool + tags: + - update-user-password + +- import_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/main.yml" + when: run_synapse_rust_synapse_compress_state|bool + tags: + - rust-synapse-compress-state + +- name: Mark matrix-synapse role as executed + set_fact: + matrix_synapse_role_executed: true + tags: + - always diff --git a/roles/matrix-synapse/tasks/register_user.yml b/roles/matrix-synapse/tasks/register_user.yml new file mode 100644 index 00000000..9c2a3ea0 --- /dev/null +++ b/roles/matrix-synapse/tasks/register_user.yml @@ -0,0 +1,31 @@ +--- + +- name: Fail if playbook called incorrectly + fail: + msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" + when: "username is not defined or username == ''" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" + when: "password is not defined or password == ''" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `admin` variable needs to be provided to this playbook, via --extra-vars" + when: "admin is not defined or admin not in ['yes', 'no']" + +- name: Ensure matrix-synapse is started + service: + name: matrix-synapse + state: started + daemon_reload: yes + register: start_result + +- name: Wait a while, so that Synapse can manage to start + pause: + seconds: 7 + when: "start_result.changed" + +- name: Register user + command: "{{ matrix_local_bin_path }}/matrix-synapse-register-user {{ username|quote }} {{ password|quote }} {{ '1' if admin == 'yes' else '0' }}" diff --git a/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml b/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml new file mode 100644 index 00000000..46cad808 --- /dev/null +++ b/roles/matrix-synapse/tasks/rust-synapse-compress-state/compress_room.yml @@ -0,0 +1,48 @@ +- debug: + msg: "Compressing room `{{ room_details.room_id }}` having {{ room_details.count }} state group rows" + +- name: Generate rust-synapse-compress-state room compression command + set_fact: + matrix_synapse_rust_synapse_compress_state_compress_room_command: >- + {{ matrix_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-compress-room + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work + {{ matrix_synapse_rust_synapse_compress_state_docker_image }} + /synapse-compress-state -t -o /work/state-compressor.sql + -p "host={{ matrix_synapse_database_host }} user={{ matrix_synapse_database_user }} password={{ matrix_synapse_database_password }} dbname={{ matrix_synapse_database_database }}" + -r '{{ room_details.room_id }}' + +- name: Run rust-synapse-compress-state room compression command (SQL generation) + command: "{{ matrix_synapse_rust_synapse_compress_state_compress_room_command }}" + async: "{{ matrix_synapse_rust_synapse_compress_state_compress_room_time }}" + poll: 10 + register: matrix_synapse_rust_synapse_compress_state_compress_room_command_result + +- debug: var="matrix_synapse_rust_synapse_compress_state_compress_room_command_result" + +- name: Generate Postgres compression SQL import command + set_fact: + matrix_synapse_rust_synapse_compress_state_psql_import_command: >- + {{ matrix_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-psql-import + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql + --mount type=bind,src={{ matrix_synapse_rust_synapse_compress_state_base_path }},dst=/work,ro + --entrypoint=/bin/sh + {{ matrix_postgres_docker_image_latest }} + -c "cat /work/state-compressor.sql | + psql -v ON_ERROR_STOP=1 -h matrix-postgres -d {{ matrix_synapse_database_database }}" + +- name: Import compression SQL into Postgres + command: "{{ matrix_synapse_rust_synapse_compress_state_psql_import_command }}" + async: "{{ matrix_synapse_rust_synapse_compress_state_psql_import_time }}" + poll: 10 + register: matrix_synapse_rust_synapse_compress_state_psql_import_command_result + +- name: Clean up + file: + path: "{{ matrix_synapse_rust_synapse_compress_state_base_path }}/state-compressor.sql" + state: absent diff --git a/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml b/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml new file mode 100644 index 00000000..106c59d5 --- /dev/null +++ b/roles/matrix-synapse/tasks/rust-synapse-compress-state/main.yml @@ -0,0 +1,118 @@ +# Pre-checks + +- name: Fail if Postgres not enabled + fail: + msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot use rust-synapse-compress-state." + when: "not matrix_postgres_enabled|bool" + + +# Defaults + +- name: Set matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time, if not provided + set_fact: + matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time: 300 + when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time|default('') == ''" + +- name: Set matrix_synapse_rust_synapse_compress_state_compress_room_time, if not provided + set_fact: + matrix_synapse_rust_synapse_compress_state_compress_room_time: 1800 + when: "matrix_synapse_rust_synapse_compress_state_compress_room_time|default('') == ''" + +- name: Set matrix_synapse_rust_synapse_compress_state_psql_import_time, if not provided + set_fact: + matrix_synapse_rust_synapse_compress_state_psql_import_time: 1800 + when: "matrix_synapse_rust_synapse_compress_state_psql_import_time|default('') == ''" + +- name: Set matrix_synapse_rust_synapse_compress_state_min_state_groups_required, if not provided + set_fact: + # The minimum number of state groups we're looking for before we consider a room eligible for compression. + # Rooms with a smaller state groups count will not be compressed. + matrix_synapse_rust_synapse_compress_state_min_state_groups_required: 100000 + when: "matrix_synapse_rust_synapse_compress_state_min_state_groups_required|default('') == ''" + + +# Actual compression work + +- name: Ensure rust-synapse-compress-state paths exist + file: + path: "{{ matrix_synapse_rust_synapse_compress_state_base_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure rust-synapse-compress-state image is pulled + docker_image: + name: "{{ matrix_synapse_rust_synapse_compress_state_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_synapse_rust_synapse_compress_state_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_rust_synapse_compress_state_docker_image_force_pull }}" + +- name: Generate rust-synapse-compress-state room find command + set_fact: + matrix_synapse_rust_synapse_compress_state_find_rooms_command: >- + {{ matrix_host_command_docker }} run --rm --name matrix-rust-synapse-compress-state-find-rooms + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --network={{ matrix_docker_network }} + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql + {{ matrix_postgres_docker_image_latest }} + psql -v ON_ERROR_STOP=1 -h matrix-postgres {{ matrix_synapse_database_database }} -c + 'SELECT array_to_json(array_agg(row_to_json (r))) FROM (SELECT room_id, count(*) AS count FROM state_groups_state GROUP BY room_id HAVING count(*) > {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} ORDER BY count DESC) r;' + +- name: Find rooms eligible for compression with rust-synapse-compress-state + command: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command }}" + async: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command_wait_time }}" + poll: 10 + register: matrix_synapse_rust_synapse_compress_state_find_rooms_command_result + +# We expect the output to be like this: +# +# "stdout_lines": [ +# " array_to_json ", +# "----------------------------------------------------------------------------------------------------------------------------", +# " [{\"room_id\":\"!some-id\",\"count\":2461329},{\"room_id\":\"!another-id\",\"count\":512017}]", +# "(1 row)" +# ] +# +# Row 3 (out of 4) contains the actual result. +# +# Row 3 contains a space when there's no result. + +- block: + - debug: var="matrix_synapse_rust_synapse_compress_state_find_rooms_command_result" + + - name: Fail if room find result is not what we expect + fail: + msg: >- + Expecting 4 lines in the "find rooms" result. + when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.failed or matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines|length != 4" + +- block: + # matrix_synapse_rust_synapse_compress_state_eligible_rooms is a list + # of dictionaries like this: {'room_id': '!some-id', 'count': 2461329} + - set_fact: + matrix_synapse_rust_synapse_compress_state_eligible_rooms: "{{ matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines[2] | from_json }}" + + - name: Display rooms that will be compressed + debug: + msg: >- + The following rooms contain more than {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} state group rows + (configurable via `matrix_synapse_rust_synapse_compress_state_min_state_groups_required`) + and will be compressed: + {{ matrix_synapse_rust_synapse_compress_state_eligible_rooms }} + + - name: Compress room state + include_tasks: "{{ role_path }}/tasks/rust-synapse-compress-state/compress_room.yml" + with_items: "{{ matrix_synapse_rust_synapse_compress_state_eligible_rooms }}" + loop_control: + loop_var: room_details + when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines[2] != ' '" + +- name: Show notice about lack of rooms to compress + debug: + msg: >- + No rooms were found to contain more than {{ matrix_synapse_rust_synapse_compress_state_min_state_groups_required }} state group rows + (configurable via `matrix_synapse_rust_synapse_compress_state_min_state_groups_required`), + so there's nothing to compress. + when: "matrix_synapse_rust_synapse_compress_state_find_rooms_command_result.stdout_lines[2] == ' '" diff --git a/roles/matrix-synapse/tasks/self_check_client_api.yml b/roles/matrix-synapse/tasks/self_check_client_api.yml new file mode 100644 index 00000000..30244d50 --- /dev/null +++ b/roles/matrix-synapse/tasks/self_check_client_api.yml @@ -0,0 +1,21 @@ +--- + +- name: Check Matrix Client API + uri: + url: "{{ matrix_synapse_client_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" + register: result_matrix_synapse_client_api + ignore_errors: true + check_mode: no + when: matrix_synapse_enabled|bool + +- name: Fail if Matrix Client API not working + fail: + msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_synapse_client_api }}" + when: "matrix_synapse_enabled|bool and (result_matrix_synapse_client_api.failed or 'json' not in result_matrix_synapse_client_api)" + +- name: Report working Matrix Client API + debug: + msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`) is working" + when: matrix_synapse_enabled|bool diff --git a/roles/matrix-synapse/tasks/self_check_federation_api.yml b/roles/matrix-synapse/tasks/self_check_federation_api.yml new file mode 100644 index 00000000..57c9e56b --- /dev/null +++ b/roles/matrix-synapse/tasks/self_check_federation_api.yml @@ -0,0 +1,26 @@ +--- + +- name: Check Matrix Federation API + uri: + url: "{{ matrix_synapse_federation_api_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}" + register: result_matrix_synapse_federation_api + ignore_errors: true + check_mode: no + when: matrix_synapse_enabled|bool + +- name: Fail if Matrix Federation API not working + fail: + msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}" + when: "matrix_synapse_enabled|bool and matrix_synapse_federation_enabled|bool and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)" + +- name: Fail if Matrix Federation API unexpectedly enabled + fail: + msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) despite being disabled." + when: "matrix_synapse_enabled|bool and not matrix_synapse_federation_enabled|bool and not result_matrix_synapse_federation_api.failed" + +- name: Report working Matrix Federation API + debug: + msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working" + when: "matrix_synapse_enabled|bool and matrix_synapse_federation_enabled|bool" diff --git a/roles/matrix-synapse/tasks/setup_synapse.yml b/roles/matrix-synapse/tasks/setup_synapse.yml new file mode 100644 index 00000000..f8bc05a1 --- /dev/null +++ b/roles/matrix-synapse/tasks/setup_synapse.yml @@ -0,0 +1,25 @@ +--- + +- name: Ensure Synapse paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_synapse_config_dir_path }}", when: true } + - { path: "{{ matrix_synapse_ext_path }}", when: true } + - { path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}" } + # We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml), + # because if it's using Goofys and it's already mounted (from before), + # trying to chown/chmod it here will cause trouble. + when: "(matrix_synapse_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when" + +- import_tasks: "{{ role_path }}/tasks/ext/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/synapse/workers/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/synapse/setup.yml" + +- import_tasks: "{{ role_path }}/tasks/goofys/setup.yml" diff --git a/roles/matrix-synapse/tasks/synapse/setup.yml b/roles/matrix-synapse/tasks/synapse/setup.yml new file mode 100644 index 00000000..b5d27c36 --- /dev/null +++ b/roles/matrix-synapse/tasks/synapse/setup.yml @@ -0,0 +1,7 @@ +--- + +- import_tasks: "{{ role_path }}/tasks/synapse/setup_install.yml" + when: matrix_synapse_enabled|bool + +- import_tasks: "{{ role_path }}/tasks/synapse/setup_uninstall.yml" + when: "not matrix_synapse_enabled|bool" diff --git a/roles/matrix-synapse/tasks/synapse/setup_install.yml b/roles/matrix-synapse/tasks/synapse/setup_install.yml new file mode 100644 index 00000000..b658cfff --- /dev/null +++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml @@ -0,0 +1,109 @@ +--- + +# This will throw a Permission Denied error if already mounted using fuse +- name: Check Synapse media store path + stat: + path: "{{ matrix_synapse_media_store_path }}" + register: local_path_media_store_stat + ignore_errors: yes + +# This is separate and conditional, to ensure we don't execute it +# if the path already exists or we failed to check, because it's mounted using fuse. +- name: Ensure Synapse media store path exists + file: + path: "{{ matrix_synapse_media_store_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists" + +- name: Ensure Synapse repository is present on self-build + git: + repo: "{{ matrix_synapse_container_image_self_build_repo }}" + dest: "{{ matrix_synapse_docker_src_files_path }}" + version: "{{ matrix_synapse_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_synapse_git_pull_results + when: "matrix_synapse_container_image_self_build|bool" + +- name: Ensure Synapse Docker image is built + docker_image: + name: "{{ matrix_synapse_docker_image }}" + source: build + force_source: "{{ matrix_synapse_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_git_pull_results.changed }}" + build: + dockerfile: docker/Dockerfile + path: "{{ matrix_synapse_docker_src_files_path }}" + pull: yes + when: "matrix_synapse_container_image_self_build|bool" + +- name: Ensure Synapse Docker image is pulled + docker_image: + name: "{{ matrix_synapse_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_synapse_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_docker_image_force_pull }}" + when: "not matrix_synapse_container_image_self_build" + +- name: Check if a Synapse signing key exists + stat: + path: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.signing.key" + register: matrix_synapse_signing_key_stat + +# We do this so that the signing key would get generated. +# +# This will also generate a default homeserver.yaml configuration file and a log configuration file. +# We don't care about those configuraiton files, as we replace them with our own anyway (see below). +# +# We don't use the `docker_container` module, because using it with `cap_drop` requires +# a very recent version, which is not available for a lot of people yet. +- name: Generate initial Synapse config and signing key + command: | + docker run + --rm + --name=matrix-config + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data + -e UID={{ matrix_user_uid }} + -e GID={{ matrix_user_gid }} + -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml + -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }} + -e SYNAPSE_REPORT_STATS=no + {{ matrix_synapse_docker_image }} + generate + when: "not matrix_synapse_signing_key_stat.stat.exists" + +- name: Ensure Synapse homeserver config installed + copy: + content: "{{ matrix_synapse_configuration|to_nice_yaml }}" + dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure Synapse log config installed + template: + src: "{{ matrix_synapse_template_synapse_log }}" + dest: "{{ matrix_synapse_config_dir_path }}/{{ matrix_server_fqn_matrix }}.log.config" + mode: 0644 + +- name: Ensure matrix-synapse.service installed + template: + src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-synapse.service" + mode: 0644 + register: matrix_synapse_systemd_service_result + +- name: Ensure systemd reloaded after matrix-synapse.service installation + service: + daemon_reload: yes + when: "matrix_synapse_systemd_service_result.changed" + +- name: Ensure matrix-synapse-register-user script created + template: + src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2" + dest: "{{ matrix_local_bin_path }}/matrix-synapse-register-user" + mode: 0755 diff --git a/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml b/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml new file mode 100644 index 00000000..f1cdf167 --- /dev/null +++ b/roles/matrix-synapse/tasks/synapse/setup_uninstall.yml @@ -0,0 +1,28 @@ +- name: Check existence of matrix-synapse service + stat: + path: "{{ matrix_systemd_path }}/matrix-synapse.service" + register: matrix_synapse_service_stat + +- name: Ensure matrix-synapse is stopped + service: + name: matrix-synapse + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_synapse_service_stat.stat.exists" + +- name: Ensure matrix-synapse.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-synapse.service" + state: absent + when: "matrix_synapse_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-synapse.service removal + service: + daemon_reload: yes + when: "matrix_synapse_service_stat.stat.exists" + +- name: Ensure Synapse Docker image doesn't exist + docker_image: + name: "{{ matrix_synapse_docker_image }}" + state: absent diff --git a/roles/matrix-synapse/tasks/synapse/workers/init.yml b/roles/matrix-synapse/tasks/synapse/workers/init.yml new file mode 100644 index 00000000..c6fc32c3 --- /dev/null +++ b/roles/matrix-synapse/tasks/synapse/workers/init.yml @@ -0,0 +1,86 @@ +# Below is a huge hack for dynamically building a list of workers and finally assigning it to `matrix_synapse_workers_enabled_list`. +# +# set_fact within a loop does not work reliably in Ansible (it only executes on the first iteration for some reason), +# so we're forced to do something much uglier. + +- name: Build generic workers + set_fact: + worker: + type: 'generic_worker' + instanceId: "{{ matrix_synapse_workers_generic_workers_port_range_start + item }}" + port: "{{ matrix_synapse_workers_generic_workers_port_range_start + item }}" + metrics_port: "{{ matrix_synapse_workers_generic_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_generic_workers" + loop: "{{ range(0, matrix_synapse_workers_generic_workers_count|int)|list }}" + +- name: Build federation sender workers + set_fact: + worker: + type: 'federation_sender' + instanceId: "{{ item }}" + port: 0 + metrics_port: "{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_federation_sender_workers" + loop: "{{ range(0, matrix_synapse_workers_federation_sender_workers_count|int)|list }}" + +# This type of worker can only have a count of 1, at most +- name: Build pusher workers + set_fact: + worker: + type: 'pusher' + instanceId: "{{ item }}" + port: 0 + metrics_port: "{{ matrix_synapse_workers_pusher_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_pusher_workers" + loop: "{{ range(0, matrix_synapse_workers_pusher_workers_count|int)|list }}" + +# This type of worker can only have a count of 1, at most +- name: Build appservice workers + set_fact: + worker: + type: 'appservice' + instanceId: "{{ item }}" + port: 0 + metrics_port: "{{ matrix_synapse_workers_appservice_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_appservice_workers" + loop: "{{ range(0, matrix_synapse_workers_appservice_workers_count|int)|list }}" + +- name: Build media_repository workers + set_fact: + worker: + type: 'media_repository' + instanceId: "{{ matrix_synapse_workers_media_repository_workers_port_range_start + item }}" + port: "{{ matrix_synapse_workers_media_repository_workers_port_range_start + item }}" + metrics_port: "{{ matrix_synapse_workers_media_repository_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_media_repository_workers" + loop: "{{ range(0, matrix_synapse_workers_media_repository_workers_count|int)|list }}" + +- name: Build frontend_proxy workers + set_fact: + worker: + type: 'frontend_proxy' + instanceId: "{{ matrix_synapse_workers_frontend_proxy_workers_port_range_start + item }}" + port: "{{ matrix_synapse_workers_frontend_proxy_workers_port_range_start + item }}" + metrics_port: "{{ matrix_synapse_workers_frontend_proxy_workers_metrics_range_start + item }}" + register: "matrix_synapse_workers_list_results_frontend_proxy_workers" + loop: "{{ range(0, matrix_synapse_workers_frontend_proxy_workers_count|int)|list }}" + +- set_fact: + matrix_synapse_dynamic_workers_list: "{{ matrix_synapse_dynamic_workers_list|default([]) + [item.ansible_facts.worker] }}" + with_items: | + {{ + matrix_synapse_workers_list_results_generic_workers.results + + + matrix_synapse_workers_list_results_federation_sender_workers.results + + + matrix_synapse_workers_list_results_pusher_workers.results + + + matrix_synapse_workers_list_results_appservice_workers.results + + + matrix_synapse_workers_list_results_media_repository_workers.results + + + matrix_synapse_workers_list_results_frontend_proxy_workers.results + }} + +- set_fact: + matrix_synapse_workers_enabled_list: "{{ matrix_synapse_dynamic_workers_list }}" diff --git a/roles/matrix-synapse/tasks/synapse/workers/setup.yml b/roles/matrix-synapse/tasks/synapse/workers/setup.yml new file mode 100644 index 00000000..ce66a2e4 --- /dev/null +++ b/roles/matrix-synapse/tasks/synapse/workers/setup.yml @@ -0,0 +1,21 @@ +--- + +# A previous version of the worker setup used this. +# This is a temporary cleanup for people who ran that version. +- name: Ensure old matrix-synapse.service.wants directory is gone + file: + path: "{{ matrix_systemd_path }}/matrix-synapse.service.wants" + state: absent + +# Same. This was part of a previous version of the worker setup. +# No longer necessary. +- name: Ensure matrix-synapse-worker-write-pid script is removed + file: + path: "{{ matrix_local_bin_path }}/matrix-synapse-worker-write-pid" + state: absent + +- include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_install.yml" + when: "matrix_synapse_enabled|bool and matrix_synapse_workers_enabled|bool" + +- include_tasks: "{{ role_path }}/tasks/synapse/workers/setup_uninstall.yml" + when: "not matrix_synapse_workers_enabled|bool" diff --git a/roles/matrix-synapse/tasks/synapse/workers/setup_install.yml b/roles/matrix-synapse/tasks/synapse/workers/setup_install.yml new file mode 100644 index 00000000..983f1876 --- /dev/null +++ b/roles/matrix-synapse/tasks/synapse/workers/setup_install.yml @@ -0,0 +1,42 @@ +--- + +- name: Determine current worker configs + find: + path: "{{ matrix_synapse_config_dir_path }}" + patterns: "worker.*.yaml" + use_regex: true + register: matrix_synapse_workers_current_config_files + +# This also deletes some things which we need. They will be recreated below. +- name: Ensure previous worker configs are cleaned + file: + path: "{{ item.path }}" + state: absent + with_items: "{{ matrix_synapse_workers_current_config_files.files }}" + +- name: Determine current worker systemd services + find: + path: "{{ matrix_systemd_path }}" + patterns: "matrix-synapse-worker.*.service" + use_regex: true + register: matrix_synapse_workers_current_systemd_services + +- name: Ensure unnecessary worker systemd services are stopped and disabled + service: + name: "{{ item.path|basename }}" + state: stopped + enabled: false + with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" + when: "not ansible_check_mode and item.path|basename not in matrix_systemd_services_list" + +- name: Ensure unnecessary worker systemd services are cleaned + file: + path: "{{ item.path }}" + state: absent + with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" + +- name: Ensure creation of worker systemd service files and configuration files + include_tasks: "{{ role_path }}/tasks/synapse/workers/util/setup_files_for_worker.yml" + with_items: "{{ matrix_synapse_workers_enabled_list }}" + loop_control: + loop_var: matrix_synapse_worker_details diff --git a/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml b/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml new file mode 100644 index 00000000..4a90bfa6 --- /dev/null +++ b/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml @@ -0,0 +1,36 @@ +--- + +- name: Populate service facts + service_facts: + +- name: Ensure any worker services are stopped + service: + name: "{{ item.key }}" + state: stopped + with_dict: "{{ ansible_facts.services|default({})|dict2items|selectattr('key', 'match', 'matrix-synapse-worker-.+\\.service')|list|items2dict }}" + +- name: Find worker configs to be cleaned + find: + path: "{{ matrix_synapse_config_dir_path }}" + patterns: "worker.*.yaml" + use_regex: true + register: matrix_synapse_workers_current_config_files + +- name: Ensure previous worker configs are cleaned + file: + path: "{{ item.path }}" + state: absent + with_items: "{{ matrix_synapse_workers_current_config_files.files }}" + +- name: Find worker systemd services to be cleaned + find: + path: "{{ matrix_systemd_path }}" + patterns: "matrix-synapse-worker.*.service" + use_regex: true + register: matrix_synapse_workers_current_systemd_services + +- name: Ensure previous worker systemd services are cleaned + file: + path: "{{ item.path }}" + state: absent + with_items: "{{ matrix_synapse_workers_current_systemd_services.files }}" diff --git a/roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml b/roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml new file mode 100644 index 00000000..62b42625 --- /dev/null +++ b/roles/matrix-synapse/tasks/synapse/workers/util/inject_systemd_services_for_worker.yml @@ -0,0 +1,18 @@ +# The tasks below run before `validate_config.yml`. +# To avoid failing with a cryptic error message, we'll do validation here. +# +# This check is mostly relevant to people who explicitly define `matrix_synapse_workers_enabled_list` +# (Synapse Workers users from the earlier days of this PR - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456). +# +# In the future, it should be possible to remove this check. +# Our own code which dynamically builds `matrix_synapse_workers_enabled_list` does things right. +- name: Fail if instanceId not defined for worker + fail: + msg: "Synapse workers (like {{ matrix_synapse_worker_details|to_json }}) need to define an instanceId property (type + instanceId must be unique)" + when: "'instanceId' not in matrix_synapse_worker_details" + +- set_fact: + matrix_synapse_worker_systemd_service_name: "matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.instanceId }}.service" + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + [matrix_synapse_worker_systemd_service_name] }}" diff --git a/roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml b/roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml new file mode 100644 index 00000000..93ed6575 --- /dev/null +++ b/roles/matrix-synapse/tasks/synapse/workers/util/setup_files_for_worker.yml @@ -0,0 +1,19 @@ +- set_fact: + matrix_synapse_worker_systemd_service_name: "matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.instanceId }}" + +- set_fact: + matrix_synapse_worker_container_name: "{{ matrix_synapse_worker_systemd_service_name }}" + +- set_fact: + matrix_synapse_worker_config_file_name: "worker.{{ matrix_synapse_worker_details.type }}_{{ matrix_synapse_worker_details.instanceId }}.yaml" + +- name: Ensure configuration exists for {{ matrix_synapse_worker_systemd_service_name }} + template: + src: "{{ role_path }}/templates/synapse/worker.yaml.j2" + dest: "{{ matrix_synapse_config_dir_path }}/{{ matrix_synapse_worker_config_file_name }}" + +- name: Ensure systemd service exists for {{ matrix_synapse_worker_systemd_service_name }} + template: + src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse-worker.service.j2" + dest: "{{ matrix_systemd_path }}/{{ matrix_synapse_worker_systemd_service_name }}.service" + mode: 0644 diff --git a/roles/matrix-synapse/tasks/update_user_password.yml b/roles/matrix-synapse/tasks/update_user_password.yml new file mode 100644 index 00000000..78136785 --- /dev/null +++ b/roles/matrix-synapse/tasks/update_user_password.yml @@ -0,0 +1,43 @@ +--- + +- name: Fail if playbook called incorrectly + fail: + msg: "The `username` variable needs to be provided to this playbook, via --extra-vars" + when: "username is not defined or username == ''" + +- name: Fail if playbook called incorrectly + fail: + msg: "The `password` variable needs to be provided to this playbook, via --extra-vars" + when: "password is not defined or password == ''" + +- name: Fail if not using matrix-postgres container + fail: + msg: "This command is working only when matrix-postgres container is being used" + when: "not matrix_postgres_enabled|bool" + +- name: Ensure matrix-synapse is started + service: + name: matrix-synapse + state: started + daemon_reload: yes + register: start_result + +- name: Ensure matrix-postgres is started + service: + name: matrix-postgres + state: started + daemon_reload: yes + register: postgres_start_result + + +- name: Wait a while, so that Matrix Synapse can manage to start + pause: + seconds: 7 + when: "start_result.changed or postgres_start_result.changed" + +- name: Generate password hash + shell: "{{ matrix_host_command_docker }} exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}" + register: password_hash + +- name: Update user password hash + command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username|quote }} {{ password_hash.stdout|quote }}" diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml new file mode 100644 index 00000000..6dcb50ce --- /dev/null +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -0,0 +1,59 @@ +--- + +- name: Fail if required Synapse settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`) for using Synapse. + when: "vars[item] == ''" + with_items: + - "matrix_synapse_macaroon_secret_key" + - "matrix_synapse_database_host" + - "matrix_synapse_database_user" + - "matrix_synapse_database_password" + - "matrix_synapse_database_database" + +- name: Fail if asking for more than 1 instance of single-instance workers + fail: + msg: >- + `{{ item }}` cannot be more than 1. This is a single-instance worker. + when: "vars[item]|int > 1" + with_items: + - "matrix_synapse_workers_appservice_workers_count" + - "matrix_synapse_workers_pusher_workers_count" + - "matrix_synapse_workers_federation_sender_workers_count" + +- name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_synapse_email_riot_base_url', 'new': ''} + - {'old': 'matrix_synapse_container_expose_api_port', 'new': ''} + - {'old': 'matrix_synapse_no_tls', 'new': ''} + - {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'} + - {'old': 'matrix_alias_creation_rules', 'new': 'matrix_synapse_alias_creation_rules'} + - {'old': 'matrix_room_list_publication_rules', 'new': 'matrix_synapse_room_list_publication_rules'} + - {'old': 'matrix_synapse_rc_messages_per_second', 'new': ''} + - {'old': 'matrix_synapse_rc_message_burst_count', 'new': ''} + - {'old': 'matrix_synapse_federation_rc_window_size', 'new': ''} + - {'old': 'matrix_synapse_federation_rc_sleep_limit', 'new': ''} + - {'old': 'matrix_synapse_federation_rc_sleep_delay', 'new': ''} + - {'old': 'matrix_synapse_federation_rc_reject_limit', 'new': ''} + - {'old': 'matrix_synapse_federation_rc_concurrent', 'new': ''} + - {'old': 'matrix_synapse_container_expose_client_api_port', 'new': ''} + - {'old': 'matrix_synapse_container_expose_federation_api_port', 'new': ''} + - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': ''} + - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'} + - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': ''} + - {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'} + +- name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml + fail: + msg: >- + Your matrix_synapse_configuration_extension_yaml configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in matrix_synapse_configuration_extension" + with_items: + - {'old': 'federation_ip_range_blacklist', 'new': 'ip_range_blacklist'} diff --git a/roles/matrix-synapse/templates/goofys/env-goofys.j2 b/roles/matrix-synapse/templates/goofys/env-goofys.j2 new file mode 100644 index 00000000..2955efdd --- /dev/null +++ b/roles/matrix-synapse/templates/goofys/env-goofys.j2 @@ -0,0 +1,3 @@ +#jinja2: lstrip_blocks: "True" +AWS_ACCESS_KEY={{ matrix_s3_media_store_aws_access_key }} +AWS_SECRET_KEY={{ matrix_s3_media_store_aws_secret_key }} diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 new file mode 100644 index 00000000..df4a4f23 --- /dev/null +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -0,0 +1,39 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Goofys media store +After=docker.service +Requires=docker.service +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_docker }} kill %n +ExecStartPre=-{{ matrix_host_command_docker }} rm %n + +ExecStart={{ matrix_host_command_docker }} run --rm --name %n \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --mount type=bind,src=/etc/passwd,dst=/etc/passwd,ro \ + --mount type=bind,src=/etc/group,dst=/etc/group,ro \ + --mount type=bind,src={{ matrix_s3_media_store_path }},dst=/s3,bind-propagation=shared \ + --security-opt apparmor:unconfined \ + --cap-add mknod \ + --cap-add sys_admin \ + --device=/dev/fuse \ + --env-file={{ matrix_synapse_config_dir_path }}/env-goofys \ + --entrypoint /bin/sh \ + {{ matrix_s3_goofys_docker_image }} \ + -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3' + +TimeoutStartSec=5min +ExecStop=-{{ matrix_host_command_docker }} stop %n +ExecStop=-{{ matrix_host_command_docker }} kill %n +ExecStop=-{{ matrix_host_command_docker }} rm %n +ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_s3_media_store_path }} +Restart=always +RestartSec=5 +SyslogIdentifier=matrix-goofys + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 new file mode 100644 index 00000000..f3d0734b --- /dev/null +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -0,0 +1,2937 @@ +#jinja2: lstrip_blocks: "True" +# Configuration file for Synapse. +# +# This is a YAML file: see [1] for a quick introduction. Note in particular +# that *indentation is important*: all the elements of a list or dictionary +# should have the same indentation. +# +# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html + + +## Modules ## + +# Server admins can expand Synapse's functionality with external modules. +# +# See https://matrix-org.github.io/synapse/develop/modules.html for more +# documentation on how to configure or create custom modules for Synapse. +# +modules: + # - module: my_super_module.MySuperClass + # config: + # do_thing: true + # - module: my_other_super_module.SomeClass + # config: {} + + +## Server ## + +# The public-facing domain of the server +# +# The server_name name will appear at the end of usernames and room addresses +# created on this server. For example if the server_name was example.com, +# usernames on this server would be in the format @user:example.com +# +# In most cases you should avoid using a matrix specific subdomain such as +# matrix.example.com or synapse.example.com as the server_name for the same +# reasons you wouldn't use user@email.example.com as your email address. +# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md +# for information on how to host Synapse on a subdomain while preserving +# a clean server_name. +# +# The server_name cannot be changed later so it is important to +# configure this correctly before you start Synapse. It should be all +# lowercase and may contain an explicit port. +# Examples: matrix.org, localhost:8080 +# +server_name: "{{ matrix_domain }}" + +# When running as a daemon, the file to store the pid in +# +pid_file: /homeserver.pid + +# The absolute URL to the web client which /_matrix/client will redirect +# to if 'webclient' is configured under the 'listeners' configuration. +# +# This option can be also set to the filesystem path to the web client +# which will be served at /_matrix/client/ if 'webclient' is configured +# under the 'listeners' configuration, however this is a security risk: +# https://github.com/matrix-org/synapse#security-note +# +#web_client_location: https://riot.example.com/ + +# The public-facing base URL that clients use to access this Homeserver (not +# including _matrix/...). This is the same URL a user might enter into the +# 'Custom Homeserver URL' field on their client. If you use Synapse with a +# reverse proxy, this should be the URL to reach Synapse via the proxy. +# Otherwise, it should be the URL to reach Synapse's client HTTP listener (see +# 'listeners' below). +# +public_baseurl: https://{{ matrix_server_fqn_matrix }}/ + +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +# +#soft_file_limit: 0 + +# Presence tracking allows users to see the state (e.g online/offline) +# of other local and remote users. +# +presence: + # Uncomment to disable presence tracking on this homeserver. This option + # replaces the previous top-level 'use_presence' option. + # + enabled: {{ matrix_synapse_presence_enabled|to_json }} + + # Presence routers are third-party modules that can specify additional logic + # to where presence updates from users are routed. + # + presence_router: + # The custom module's class. Uncomment to use a custom presence router module. + # + #module: "my_custom_router.PresenceRouter" + + # Configuration options of the custom module. Refer to your module's + # documentation for available options. + # + #config: + # example_option: 'something' + +# Whether to require authentication to retrieve profile data (avatars, +# display names) of other users through the client API. Defaults to +# 'false'. Note that profile data is also available via the federation +# API, unless allow_profile_lookup_over_federation is set to false. +# +require_auth_for_profile_requests: {{ matrix_synapse_require_auth_for_profile_requests|to_json }} + +# Uncomment to require a user to share a room with another user in order +# to retrieve their profile information. Only checked on Client-Server +# requests. Profile requests from other servers should be checked by the +# requesting server. Defaults to 'false'. +# +limit_profile_requests_to_users_who_share_rooms: {{ matrix_synapse_limit_profile_requests_to_users_who_share_rooms|to_json }} + +# Uncomment to prevent a user's profile data from being retrieved and +# displayed in a room until they have joined it. By default, a user's +# profile data is included in an invite event, regardless of the values +# of the above two settings, and whether or not the users share a server. +# Defaults to 'true'. +# +include_profile_data_on_invite: {{ matrix_synapse_include_profile_data_on_invite|to_json }} + +# If set to 'true', removes the need for authentication to access the server's +# public rooms directory through the client API, meaning that anyone can +# query the room directory. Defaults to 'false'. +# +allow_public_rooms_without_auth: {{ matrix_synapse_allow_public_rooms_without_auth|to_json }} + +# If set to 'true', allows any other homeserver to fetch the server's public +# rooms directory via federation. Defaults to 'false'. +# +allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_federation|to_json }} + +# The default room version for newly created rooms. +# +# Known room versions are listed here: +# https://matrix.org/docs/spec/#complete-list-of-room-versions +# +# For example, for room version 1, default_room_version should be set +# to "1". +# +default_room_version: {{ matrix_synapse_default_room_version|to_json }} + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# +#gc_thresholds: [700, 10, 10] + +# The minimum time in seconds between each GC for a generation, regardless of +# the GC thresholds. This ensures that we don't do GC too frequently. +# +# A value of `[1s, 10s, 30s]` indicates that a second must pass between consecutive +# generation 0 GCs, etc. +# +# Defaults to `[1s, 10s, 30s]`. +# +#gc_min_interval: [0.5s, 30s, 1m] + +# Set the limit on the returned events in the timeline in the get +# and sync operations. The default value is 100. -1 means no upper limit. +# +# Uncomment the following to increase the limit to 5000. +# +#filter_timeline_limit: 5000 + +# Whether room invites to users on this server should be blocked +# (except those sent by local server admins). The default is False. +# +#block_non_admin_invites: True + +# Room searching +# +# If disabled, new messages will not be indexed for searching and users +# will receive errors when searching for messages. Defaults to enabled. +# +#enable_search: false + +# Prevent outgoing requests from being sent to the following blacklisted IP address +# CIDR ranges. If this option is not specified then it defaults to private IP +# address ranges (see the example below). +# +# The blacklist applies to the outbound requests for federation, identity servers, +# push servers, and for checking key validity for third-party invite events. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. +# +#ip_range_blacklist: +# - '127.0.0.0/8' +# - '10.0.0.0/8' +# - '172.16.0.0/12' +# - '192.168.0.0/16' +# - '100.64.0.0/10' +# - '192.0.0.0/24' +# - '169.254.0.0/16' +# - '192.88.99.0/24' +# - '198.18.0.0/15' +# - '192.0.2.0/24' +# - '198.51.100.0/24' +# - '203.0.113.0/24' +# - '224.0.0.0/4' +# - '::1/128' +# - 'fe80::/10' +# - 'fc00::/7' +# - '2001:db8::/32' +# - 'ff00::/8' +# - 'fec0::/10' + +# List of IP address CIDR ranges that should be allowed for federation, +# identity servers, push servers, and for checking key validity for +# third-party invite events. This is useful for specifying exceptions to +# wide-ranging blacklisted target IP ranges - e.g. for communication with +# a push server only visible in your network. +# +# This whitelist overrides ip_range_blacklist and defaults to an empty +# list. +# +#ip_range_whitelist: +# - '192.168.1.1' + +# List of ports that Synapse should listen on, their purpose and their +# configuration. +# +# Options for each listener include: +# +# port: the TCP port to bind to +# +# bind_addresses: a list of local addresses to listen on. The default is +# 'all local interfaces'. +# +# type: the type of listener. Normally 'http', but other valid options are: +# 'manhole' (see docs/manhole.md), +# 'metrics' (see docs/metrics-howto.md), +# 'replication' (see docs/workers.md). +# +# tls: set to true to enable TLS for this listener. Will use the TLS +# key/cert specified in tls_private_key_path / tls_certificate_path. +# +# x_forwarded: Only valid for an 'http' listener. Set to true to use the +# X-Forwarded-For header as the client IP. Useful when Synapse is +# behind a reverse-proxy. +# +# resources: Only valid for an 'http' listener. A list of resources to host +# on this port. Options for each resource are: +# +# names: a list of names of HTTP resources. See below for a list of +# valid resource names. +# +# compress: set to true to enable HTTP compression for this resource. +# +# additional_resources: Only valid for an 'http' listener. A map of +# additional endpoints which should be loaded via dynamic modules. +# +# Valid resource names are: +# +# client: the client-server API (/_matrix/client), and the synapse admin +# API (/_synapse/admin). Also implies 'media' and 'static'. +# +# consent: user consent forms (/_matrix/consent). See +# docs/consent_tracking.md. +# +# federation: the server-server API (/_matrix/federation). Also implies +# 'media', 'keys', 'openid' +# +# keys: the key discovery API (/_matrix/keys). +# +# media: the media API (/_matrix/media). +# +# metrics: the metrics interface. See docs/metrics-howto.md. +# +# openid: OpenID authentication. +# +# replication: the HTTP replication API (/_synapse/replication). See +# docs/workers.md. +# +# static: static resources under synapse/static (/_matrix/static). (Mostly +# useful for 'fallback authentication'.) +# +# webclient: A web client. Requires web_client_location to be set. +# +listeners: +{% if matrix_synapse_metrics_enabled %} + - type: metrics + port: {{ matrix_synapse_metrics_port }} + bind_addresses: + - '0.0.0.0' +{% endif %} + +{% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %} + # TLS-enabled listener: for when matrix traffic is sent directly to synapse. + - port: 8448 + tls: true + bind_addresses: ['::'] + type: http + x_forwarded: false + + resources: + - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} + compress: false +{% endif %} + + # Unsecure HTTP listener (Client API): for when matrix traffic passes through a reverse proxy + # that unwraps TLS. + - port: 8008 + tls: false + bind_addresses: ['::'] + type: http + x_forwarded: true + + resources: + - names: {{ matrix_synapse_http_listener_resource_names|to_json }} + compress: false + +{% if matrix_synapse_federation_port_enabled %} + # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy + # that unwraps TLS. + - port: 8048 + tls: false + bind_addresses: ['::'] + type: http + x_forwarded: true + + resources: + - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} + compress: false +{% endif %} + +{% if matrix_synapse_manhole_enabled %} + # Turn on the twisted ssh manhole service on localhost on the given + # port. + - port: 9000 + bind_addresses: ['0.0.0.0'] + type: manhole +{% endif %} + +{% if matrix_synapse_workers_enabled %} + +{% if matrix_synapse_replication_listener_enabled %} + # c.f. https://github.com/matrix-org/synapse/tree/master/docs/workers.md + # HTTP replication: for the workers to send data to the main synapse process + - port: {{ matrix_synapse_replication_http_port }} + bind_addresses: ['0.0.0.0'] + type: http + resources: + - names: [replication] +{% endif %} + +# c.f. https://github.com/matrix-org/synapse/tree/master/contrib/systemd-with-workers/README.md +worker_app: synapse.app.homeserver + +# thx https://oznetnerd.com/2017/04/18/jinja2-selectattr-filter/ +# reduce the main worker's offerings to core homeserver business +{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'appservice')|list %} +notify_appservices: false +{% endif %} +{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'federation_sender')|list %} +send_federation: false +{% endif %} +{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'media_repository')|list %} +enable_media_repo: false +{% endif %} +{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'pusher')|list %} +start_pushers: false +{% endif %} +{% if matrix_synapse_workers_enabled_list|selectattr('type', 'equalto', 'user_dir')|list %} +update_user_directory: false +{% endif %} + +daemonize: false +{% endif %} + +# Forward extremities can build up in a room due to networking delays between +# homeservers. Once this happens in a large room, calculation of the state of +# that room can become quite expensive. To mitigate this, once the number of +# forward extremities reaches a given threshold, Synapse will send an +# org.matrix.dummy_event event, which will reduce the forward extremities +# in the room. +# +# This setting defines the threshold (i.e. number of forward extremities in the +# room) at which dummy events are sent. The default value is 10. +# +#dummy_events_threshold: 5 + + +## Homeserver blocking ## + +# How to reach the server admin, used in ResourceLimitError +# +#admin_contact: 'mailto:admin@server.com' + +# Global blocking +# +#hs_disabled: False +#hs_disabled_message: 'Human readable reason for why the HS is blocked' +#hs_disabled_limit_type: 'error code(str), to help clients decode reason' + +# Monthly Active User Blocking +# +# Used in cases where the admin or server owner wants to limit to the +# number of monthly active users. +# +# 'limit_usage_by_mau' disables/enables monthly active user blocking. When +# enabled and a limit is reached the server returns a 'ResourceLimitError' +# with error type Codes.RESOURCE_LIMIT_EXCEEDED +# +# 'max_mau_value' is the hard limit of monthly active users above which +# the server will start blocking user actions. +# +# 'mau_trial_days' is a means to add a grace period for active users. It +# means that users must be active for this number of days before they +# can be considered active and guards against the case where lots of users +# sign up in a short space of time never to return after their initial +# session. +# +#limit_usage_by_mau: False +#max_mau_value: 50 +#mau_trial_days: 2 + +# If enabled, the metrics for the number of monthly active users will +# be populated, however no one will be limited. If limit_usage_by_mau +# is true, this is implied to be true. +# +#mau_stats_only: False + +# Sometimes the server admin will want to ensure certain accounts are +# never blocked by mau checking. These accounts are specified here. +# +#mau_limit_reserved_threepids: +# - medium: 'email' +# address: 'reserved_user@example.com' + +# Used by phonehome stats to group together related servers. +#server_context: context + +# Resource-constrained homeserver settings +# +# When this is enabled, the room "complexity" will be checked before a user +# joins a new remote room. If it is above the complexity limit, the server will +# disallow joining, or will instantly leave. +# +# Room complexity is an arbitrary measure based on factors such as the number of +# users in the room. +# +limit_remote_rooms: + # Uncomment to enable room complexity checking. + # + #enabled: true + + # the limit above which rooms cannot be joined. The default is 1.0. + # + #complexity: 0.5 + + # override the error which is returned when the room is too complex. + # + #complexity_error: "This room is too complex." + + # allow server admins to join complex rooms. Default is false. + # + #admins_can_join: true + +# Whether to require a user to be in the room to add an alias to it. +# Defaults to 'true'. +# +#require_membership_for_aliases: false + +# Whether to allow per-room membership profiles through the send of membership +# events with profile information that differ from the target's global profile. +# Defaults to 'true'. +# +#allow_per_room_profiles: false + +# How long to keep redacted events in unredacted form in the database. After +# this period redacted events get replaced with their redacted form in the DB. +# +# Defaults to `7d`. Set to `null` to disable. +# +#redaction_retention_period: 28d + +redaction_retention_period: {{ matrix_synapse_redaction_retention_period }} + +# How long to track users' last seen time and IPs in the database. +# +# Defaults to `28d`. Set to `null` to disable clearing out of old rows. +# +#user_ips_max_age: 14d + +user_ips_max_age: {{ matrix_synapse_user_ips_max_age }} + +# Message retention policy at the server level. +# +# Room admins and mods can define a retention period for their rooms using the +# 'm.room.retention' state event, and server admins can cap this period by setting +# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. +# +# If this feature is enabled, Synapse will regularly look for and purge events +# which are older than the room's maximum retention period. Synapse will also +# filter events received over federation so that events that should have been +# purged are ignored and not stored again. +# +retention: + # The message retention policies feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true + + # Default retention policy. If set, Synapse will apply it to rooms that lack the + # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't + # matter much because Synapse doesn't take it into account yet. + # + #default_policy: + # min_lifetime: 1d + # max_lifetime: 1y + + # Retention policy limits. If set, and the state of a room contains a + # 'm.room.retention' event in its state which contains a 'min_lifetime' or a + # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy + # to these limits when running purge jobs. + # + #allowed_lifetime_min: 1d + #allowed_lifetime_max: 1y + + # Server admins can define the settings of the background jobs purging the + # events which lifetime has expired under the 'purge_jobs' section. + # + # If no configuration is provided, a single job will be set up to delete expired + # events in every room daily. + # + # Each job's configuration defines which range of message lifetimes the job + # takes care of. For example, if 'shortest_max_lifetime' is '2d' and + # 'longest_max_lifetime' is '3d', the job will handle purging expired events in + # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and + # lower than or equal to 3 days. Both the minimum and the maximum value of a + # range are optional, e.g. a job with no 'shortest_max_lifetime' and a + # 'longest_max_lifetime' of '3d' will handle every room with a retention policy + # which 'max_lifetime' is lower than or equal to three days. + # + # The rationale for this per-job configuration is that some rooms might have a + # retention policy with a low 'max_lifetime', where history needs to be purged + # of outdated messages on a more frequent basis than for the rest of the rooms + # (e.g. every 12h), but not want that purge to be performed by a job that's + # iterating over every room it knows, which could be heavy on the server. + # + # If any purge job is configured, it is strongly recommended to have at least + # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime' + # set, or one job without 'shortest_max_lifetime' and one job without + # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if + # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a + # room's policy to these values is done after the policies are retrieved from + # Synapse's database (which is done using the range specified in a purge job's + # configuration). + # + #purge_jobs: + # - longest_max_lifetime: 3d + # interval: 12h + # - shortest_max_lifetime: 3d + # interval: 1d + +# Inhibits the /requestToken endpoints from returning an error that might leak +# information about whether an e-mail address is in use or not on this +# homeserver. +# Note that for some endpoints the error situation is the e-mail already being +# used, and for others the error is entering the e-mail being unused. +# If this option is enabled, instead of returning an error, these endpoints will +# act as if no error happened and return a fake session ID ('sid') to clients. +# +#request_token_inhibit_3pid_errors: true + +# A list of domains that the domain portion of 'next_link' parameters +# must match. +# +# This parameter is optionally provided by clients while requesting +# validation of an email or phone number, and maps to a link that +# users will be automatically redirected to after validation +# succeeds. Clients can make use this parameter to aid the validation +# process. +# +# The whitelist is applied whether the homeserver or an +# identity server is handling validation. +# +# The default value is no whitelist functionality; all domains are +# allowed. Setting this value to an empty list will instead disallow +# all domains. +# +#next_link_domain_whitelist: ["matrix.org"] + + +## TLS ## + +# PEM-encoded X509 certificate for TLS. +# This certificate, as of Synapse 1.0, will need to be a valid and verifiable +# certificate, signed by a recognised Certificate Authority. +# +# Be sure to use a `.pem` file that includes the full certificate chain including +# any intermediate certificates (for instance, if using certbot, use +# `fullchain.pem` as your certificate, not `cert.pem`). +# +tls_certificate_path: {{ matrix_synapse_tls_certificate_path|to_json }} + +# PEM-encoded private key for TLS +# +tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }} + +# Whether to verify TLS server certificates for outbound federation requests. +# +# Defaults to `true`. To disable certificate verification, uncomment the +# following line. +# +#federation_verify_certificates: false + +# The minimum TLS version that will be used for outbound federation requests. +# +# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note +# that setting this value higher than `1.2` will prevent federation to most +# of the public Matrix network: only configure it to `1.3` if you have an +# entirely private federation setup and you can ensure TLS 1.3 support. +# +#federation_client_minimum_tls_version: 1.2 + +# Skip federation certificate verification on the following whitelist +# of domains. +# +# This setting should only be used in very specific cases, such as +# federation over Tor hidden services and similar. For private networks +# of homeservers, you likely want to use a private CA instead. +# +# Only effective if federation_verify_certicates is `true`. +# +#federation_certificate_verification_whitelist: +# - lon.example.com +# - *.domain.com +# - *.onion + +# List of custom certificate authorities for federation traffic. +# +# This setting should only normally be used within a private network of +# homeservers. +# +# Note that this list will replace those that are provided by your +# operating environment. Certificates must be in PEM format. +# +#federation_custom_ca_list: +# - myCA1.pem +# - myCA2.pem +# - myCA3.pem + + +## Federation ## + +# Restrict federation to the following whitelist of domains. +# N.B. we recommend also firewalling your federation listener to limit +# inbound federation traffic as early as possible, rather than relying +# purely on this application-layer restriction. If not specified, the +# default is to whitelist everything. +# +#federation_domain_whitelist: +# - lon.example.com +# - nyc.example.com +# - syd.example.com +{% if matrix_synapse_federation_domain_whitelist is not none %} +{# Cannot use `|to_nice_yaml` here, as an empty list does not get serialized properly by it. #} +federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }} +{% endif %} + +# Report prometheus metrics on the age of PDUs being sent to and received from +# the following domains. This can be used to give an idea of "delay" on inbound +# and outbound federation, though be aware that any delay can be due to problems +# at either end or with the intermediate network. +# +# By default, no domains are monitored in this way. +# +#federation_metrics_domains: +# - matrix.org +# - example.com + +# Uncomment to disable profile lookup over federation. By default, the +# Federation API allows other homeservers to obtain profile data of any user +# on this homeserver. Defaults to 'true'. +# +#allow_profile_lookup_over_federation: false + +# Uncomment to disable device display name lookup over federation. By default, the +# Federation API allows other homeservers to obtain device display names of any user +# on this homeserver. Defaults to 'true'. +# +#allow_device_name_lookup_over_federation: false + + +## Caching ## + +# Caching can be configured through the following options. +# +# A cache 'factor' is a multiplier that can be applied to each of +# Synapse's caches in order to increase or decrease the maximum +# number of entries that can be stored. + +# The number of events to cache in memory. Not affected by +# caches.global_factor. +# +event_cache_size: "{{ matrix_synapse_event_cache_size }}" + +caches: + # Controls the global cache factor, which is the default cache factor + # for all caches if a specific factor for that cache is not otherwise + # set. + # + # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment + # variable. Setting by environment variable takes priority over + # setting through the config file. + # + # Defaults to 0.5, which will half the size of all caches. + # + global_factor: {{ matrix_synapse_caches_global_factor }} + + # A dictionary of cache name to cache factor for that individual + # cache. Overrides the global cache factor for a given cache. + # + # These can also be set through environment variables comprised + # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital + # letters and underscores. Setting by environment variable + # takes priority over setting through the config file. + # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0 + # + # Some caches have '*' and other characters that are not + # alphanumeric or underscores. These caches can be named with or + # without the special characters stripped. For example, to specify + # the cache factor for `*stateGroupCache*` via an environment + # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`. + # + per_cache_factors: + #get_users_who_share_room_with_user: 2.0 + + +## Database ## + +database: + # The database engine name + name: "psycopg2" + args: + user: {{ matrix_synapse_database_user|string|to_json }} + password: {{ matrix_synapse_database_password|string|to_json }} + database: "{{ matrix_synapse_database_database }}" + host: "{{ matrix_synapse_database_host }}" + port: {{ matrix_synapse_database_port }} + cp_min: 5 + cp_max: 10 + + +## Logging ## + +# A yaml python logging config file as described by +# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema +# +log_config: "/data/{{ matrix_server_fqn_matrix }}.log.config" + + +## Ratelimiting ## + +# Ratelimiting settings for client actions (registration, login, messaging). +# +# Each ratelimiting configuration is made of two parameters: +# - per_second: number of requests a client can send per second. +# - burst_count: number of requests a client can send before being throttled. +# +# Synapse currently uses the following configurations: +# - one for messages that ratelimits sending based on the account the client +# is using +# - one for registration that ratelimits registration requests based on the +# client's IP address. +# - one for login that ratelimits login requests based on the client's IP +# address. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into. +# - one for login that ratelimits login requests based on the account the +# client is attempting to log into, based on the amount of failed login +# attempts for this account. +# - one for ratelimiting redactions by room admins. If this is not explicitly +# set then it uses the same ratelimiting as per rc_message. This is useful +# to allow room admins to deal with abuse quickly. +# - two for ratelimiting number of rooms a user can join, "local" for when +# users are joining rooms the server is already in (this is cheap) vs +# "remote" for when users are trying to join rooms not on the server (which +# can be more expensive) +# - one for ratelimiting how often a user or IP can attempt to validate a 3PID. +# - two for ratelimiting how often invites can be sent in a room or to a +# specific user. +# +# The defaults are as shown below. +# +#rc_message: +# per_second: 0.2 +# burst_count: 10 +rc_message: {{ matrix_synapse_rc_message|to_json }} +# +#rc_registration: +# per_second: 0.17 +# burst_count: 3 +rc_registration: {{ matrix_synapse_rc_registration|to_json }} +# +#rc_login: +# address: +# per_second: 0.17 +# burst_count: 3 +# account: +# per_second: 0.17 +# burst_count: 3 +# failed_attempts: +# per_second: 0.17 +# burst_count: 3 +rc_login: {{ matrix_synapse_rc_login|to_json }} +# +#rc_admin_redaction: +# per_second: 1 +# burst_count: 50 +rc_admin_redaction: {{ matrix_synapse_rc_admin_redaction|to_json }} +# +#rc_joins: +# local: +# per_second: 0.1 +# burst_count: 10 +# remote: +# per_second: 0.01 +# burst_count: 10 +rc_joins: {{ matrix_synapse_rc_joins|to_json }} +# +#rc_3pid_validation: +# per_second: 0.003 +# burst_count: 5 +# +#rc_invites: +# per_room: +# per_second: 0.3 +# burst_count: 10 +# per_user: +# per_second: 0.003 +# burst_count: 5 + +# Ratelimiting settings for incoming federation +# +# The rc_federation configuration is made up of the following settings: +# - window_size: window size in milliseconds +# - sleep_limit: number of federation requests from a single server in +# a window before the server will delay processing the request. +# - sleep_delay: duration in milliseconds to delay processing events +# from remote servers by if they go over the sleep limit. +# - reject_limit: maximum number of concurrent federation requests +# allowed from a single server +# - concurrent: number of federation requests to concurrently process +# from a single server +# +# The defaults are as shown below. +# +#rc_federation: +# window_size: 1000 +# sleep_limit: 10 +# sleep_delay: 500 +# reject_limit: 50 +# concurrent: 3 +rc_federation: {{ matrix_synapse_rc_federation|to_json }} + +# Target outgoing federation transaction frequency for sending read-receipts, +# per-room. +# +# If we end up trying to send out more read-receipts, they will get buffered up +# into fewer transactions. +# +#federation_rr_transactions_per_room_per_second: 50 +federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_transactions_per_room_per_second }} + + + +## Media Store ## + +# Enable the media store service in the Synapse master. Uncomment the +# following if you are using a separate media store worker. +# +#enable_media_repo: false + +# Directory where uploaded images and attachments are stored. +# +media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }}" + +# Media storage providers allow media to be stored in different +# locations. +# +#media_storage_providers: +# - module: file_system +# # Whether to store newly uploaded local files +# store_local: false +# # Whether to store newly downloaded remote files +# store_remote: false +# # Whether to wait for successful storage for local uploads +# store_synchronous: false +# config: +# directory: /mnt/some/other/directory + +# The largest allowed upload size in bytes +# +# If you are using a reverse proxy you may also need to set this value in +# your reverse proxy's config. Notably Nginx has a small max body size by default. +# See https://matrix-org.github.io/synapse/develop/reverse_proxy.html. +# +max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M" + +# Maximum number of pixels that will be thumbnailed +# +#max_image_pixels: 32M + +# Whether to generate new thumbnails on the fly to precisely match +# the resolution requested by the client. If true then whenever +# a new resolution is requested by the client the server will +# generate a new thumbnail. If false the server will pick a thumbnail +# from a precalculated list. +# +#dynamic_thumbnails: false + +# List of thumbnails to precalculate when an image is uploaded. +# +#thumbnail_sizes: +# - width: 32 +# height: 32 +# method: crop +# - width: 96 +# height: 96 +# method: crop +# - width: 320 +# height: 240 +# method: scale +# - width: 640 +# height: 480 +# method: scale +# - width: 800 +# height: 600 +# method: scale + +# Is the preview URL API enabled? +# +# 'false' by default: uncomment the following to enable it (and specify a +# url_preview_ip_range_blacklist blacklist). +# +url_preview_enabled: {{ matrix_synapse_url_preview_enabled|to_json }} + +# List of IP address CIDR ranges that the URL preview spider is denied +# from accessing. There are no defaults: you must explicitly +# specify a list for URL previewing to work. You should specify any +# internal services in your network that you do not want synapse to try +# to connect to, otherwise anyone in any Matrix room could cause your +# synapse to issue arbitrary GET requests to your internal services, +# causing serious security issues. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This must be specified if url_preview_enabled is set. It is recommended that +# you uncomment the following list as a starting point. +# +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '192.0.0.0/24' + - '169.254.0.0/16' + - '192.88.99.0/24' + - '198.18.0.0/15' + - '192.0.2.0/24' + - '198.51.100.0/24' + - '203.0.113.0/24' + - '224.0.0.0/4' + - '::1/128' + - 'fe80::/10' + - 'fc00::/7' + - '2001:db8::/32' + - 'ff00::/8' + - 'fec0::/10' + +# List of IP address CIDR ranges that the URL preview spider is allowed +# to access even if they are specified in url_preview_ip_range_blacklist. +# This is useful for specifying exceptions to wide-ranging blacklisted +# target IP ranges - e.g. for enabling URL previews for a specific private +# website only visible in your network. +# +#url_preview_ip_range_whitelist: +# - '192.168.1.1' + +# Optional list of URL matches that the URL preview spider is +# denied from accessing. You should use url_preview_ip_range_blacklist +# in preference to this, otherwise someone could define a public DNS +# entry that points to a private IP address and circumvent the blacklist. +# This is more useful if you know there is an entire shape of URL that +# you know that will never want synapse to try to spider. +# +# Each list entry is a dictionary of url component attributes as returned +# by urlparse.urlsplit as applied to the absolute form of the URL. See +# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit +# The values of the dictionary are treated as an filename match pattern +# applied to that component of URLs, unless they start with a ^ in which +# case they are treated as a regular expression match. If all the +# specified component matches for a given list item succeed, the URL is +# blacklisted. +# +#url_preview_url_blacklist: +# # blacklist any URL with a username in its URI +# - username: '*' +# +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' +# +# # blacklist all plain HTTP URLs +# - scheme: 'http' +# +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' +# +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +# The largest allowed URL preview spidering size in bytes +# +max_spider_size: 10M + +# A list of values for the Accept-Language HTTP header used when +# downloading webpages during URL preview generation. This allows +# Synapse to specify the preferred languages that URL previews should +# be in when communicating with remote servers. +# +# Each value is a IETF language tag; a 2-3 letter identifier for a +# language, optionally followed by subtags separated by '-', specifying +# a country or region variant. +# +# Multiple values can be provided, and a weight can be added to each by +# using quality value syntax (;q=). '*' translates to any language. +# +# Defaults to "en". +# +# Example: +# +# url_preview_accept_language: +# - en-UK +# - en-US;q=0.9 +# - fr;q=0.8 +# - *;q=0.7 +# +url_preview_accept_language: +# - en + + +## Captcha ## +# See docs/CAPTCHA_SETUP.md for full details of configuring this. + +# This homeserver's ReCAPTCHA public key. Must be specified if +# enable_registration_captcha is enabled. +# +recaptcha_public_key: {{ matrix_synapse_recaptcha_public_key|to_json }} + +# This homeserver's ReCAPTCHA private key. Must be specified if +# enable_registration_captcha is enabled. +# +recaptcha_private_key: {{ matrix_synapse_recaptcha_private_key|to_json }} + +# Uncomment to enable ReCaptcha checks when registering, preventing signup +# unless a captcha is answered. Requires a valid ReCaptcha +# public/private key. Defaults to 'false'. +# +enable_registration_captcha: {{ matrix_synapse_enable_registration_captcha|to_json }} + +# The API endpoint to use for verifying m.login.recaptcha responses. +# Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify". +# +#recaptcha_siteverify_api: "https://my.recaptcha.site" + + +## TURN ## + +# The public URIs of the TURN server to give to clients +# +turn_uris: {{ matrix_synapse_turn_uris|to_json }} + +# The shared secret used to compute passwords for the TURN server +# +turn_shared_secret: {{ matrix_synapse_turn_shared_secret|string|to_json }} + +# The Username and password if the TURN server needs them and +# does not use a token +# +#turn_username: "TURNSERVER_USERNAME" +#turn_password: "TURNSERVER_PASSWORD" + +# How long generated TURN credentials last +# +#turn_user_lifetime: 1h + +# Whether guests should be allowed to use the TURN server. +# This defaults to True, otherwise VoIP will be unreliable for guests. +# However, it does introduce a slight security risk as it allows users to +# connect to arbitrary endpoints without having first signed up for a +# valid account (e.g. by passing a CAPTCHA). +# +turn_allow_guests: {{ matrix_synapse_turn_allow_guests|to_json }} + + +## Registration ## +# +# Registration can be rate-limited using the parameters in the "Ratelimiting" +# section of this file. + +# Enable registration for new users. +# +enable_registration: {{ matrix_synapse_enable_registration|to_json }} + +# Time that a user's session remains valid for, after they log in. +# +# Note that this is not currently compatible with guest logins. +# +# Note also that this is calculated at login time: changes are not applied +# retrospectively to users who have already logged in. +# +# By default, this is infinite. +# +#session_lifetime: 24h + +# The user must provide all of the below types of 3PID when registering. +# +#registrations_require_3pid: +# - email +# - msisdn +{% if matrix_synapse_registrations_require_3pid|length > 0 %} +registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }} +{% endif %} + +# Explicitly disable asking for MSISDNs from the registration +# flow (overrides registrations_require_3pid if MSISDNs are set as required) +# +#disable_msisdn_registration: true + +# Mandate that users are only allowed to associate certain formats of +# 3PIDs with accounts on this server. +# +#allowed_local_3pids: +# - medium: email +# pattern: '^[^@]+@matrix\.org$' +# - medium: email +# pattern: '^[^@]+@vector\.im$' +# - medium: msisdn +# pattern: '\+44' +{% if matrix_synapse_allowed_local_3pids|length > 0 %} +allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} +{% endif %} + +# Enable 3PIDs lookup requests to identity servers from this server. +# +#enable_3pid_lookup: true + +# If set, allows registration of standard or admin accounts by anyone who +# has the shared secret, even if registration is otherwise disabled. +# +registration_shared_secret: {{ matrix_synapse_registration_shared_secret|string|to_json }} + +# Set the number of bcrypt rounds used to generate password hash. +# Larger numbers increase the work factor needed to generate the hash. +# The default number is 12 (which equates to 2^12 rounds). +# N.B. that increasing this will exponentially increase the time required +# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins. +# +#bcrypt_rounds: 12 + +# Allows users to register as guests without a password/email/etc, and +# participate in rooms hosted on this server which have been made +# accessible to anonymous users. +# +allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }} + +# The identity server which we suggest that clients should use when users log +# in on this server. +# +# (By default, no suggestion is made, so it is left up to the client. +# This setting is ignored unless public_baseurl is also set.) +# +#default_identity_server: https://matrix.org + +# Handle threepid (email/phone etc) registration and password resets through a set of +# *trusted* identity servers. Note that this allows the configured identity server to +# reset passwords for accounts! +# +# Be aware that if `email` is not set, and SMTP options have not been +# configured in the email config block, registration and user password resets via +# email will be globally disabled. +# +# Additionally, if `msisdn` is not set, registration and password resets via msisdn +# will be disabled regardless, and users will not be able to associate an msisdn +# identifier to their account. This is due to Synapse currently not supporting +# any method of sending SMS messages on its own. +# +# To enable using an identity server for operations regarding a particular third-party +# identifier type, set the value to the URL of that identity server as shown in the +# examples below. +# +# Servers handling the these requests must answer the `/requestToken` endpoints defined +# by the Matrix Identity Service API specification: +# https://matrix.org/docs/spec/identity_service/latest +# +# If a delegate is specified, the config option public_baseurl must also be filled out. +# +account_threepid_delegates: + email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} + msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} + +# Whether users are allowed to change their displayname after it has +# been initially set. Useful when provisioning users based on the +# contents of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_displayname: false + +# Whether users are allowed to change their avatar after it has been +# initially set. Useful when provisioning users based on the contents +# of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_avatar_url: false + +# Whether users can change the 3PIDs associated with their accounts +# (email address and msisdn). +# +# Defaults to 'true' +# +#enable_3pid_changes: false + +# Users who register on this homeserver will automatically be joined +# to these rooms. +# +# By default, any room aliases included in this list will be created +# as a publicly joinable room when the first user registers for the +# homeserver. This behaviour can be customised with the settings below. +# If the room already exists, make certain it is a publicly joinable +# room. The join rule of the room must be set to 'public'. +# +#auto_join_rooms: +# - "#example:example.com" +{% if matrix_synapse_auto_join_rooms|length > 0 %} +auto_join_rooms: +{{ matrix_synapse_auto_join_rooms|to_nice_yaml }} +{% endif %} + +# Where auto_join_rooms are specified, setting this flag ensures that the +# the rooms exist by creating them when the first user on the +# homeserver registers. +# +# By default the auto-created rooms are publicly joinable from any federated +# server. Use the autocreate_auto_join_rooms_federated and +# autocreate_auto_join_room_preset settings below to customise this behaviour. +# +# Setting to false means that if the rooms are not manually created, +# users cannot be auto-joined since they do not exist. +# +# Defaults to true. Uncomment the following line to disable automatically +# creating auto-join rooms. +# +autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json }} + +# Whether the auto_join_rooms that are auto-created are available via +# federation. Only has an effect if autocreate_auto_join_rooms is true. +# +# Note that whether a room is federated cannot be modified after +# creation. +# +# Defaults to true: the room will be joinable from other servers. +# Uncomment the following to prevent users from other homeservers from +# joining these rooms. +# +#autocreate_auto_join_rooms_federated: false + +# The room preset to use when auto-creating one of auto_join_rooms. Only has an +# effect if autocreate_auto_join_rooms is true. +# +# This can be one of "public_chat", "private_chat", or "trusted_private_chat". +# If a value of "private_chat" or "trusted_private_chat" is used then +# auto_join_mxid_localpart must also be configured. +# +# Defaults to "public_chat", meaning that the room is joinable by anyone, including +# federated servers if autocreate_auto_join_rooms_federated is true (the default). +# Uncomment the following to require an invitation to join these rooms. +# +#autocreate_auto_join_room_preset: private_chat + +# The local part of the user id which is used to create auto_join_rooms if +# autocreate_auto_join_rooms is true. If this is not provided then the +# initial user account that registers will be used to create the rooms. +# +# The user id is also used to invite new users to any auto-join rooms which +# are set to invite-only. +# +# It *must* be configured if autocreate_auto_join_room_preset is set to +# "private_chat" or "trusted_private_chat". +# +# Note that this must be specified in order for new users to be correctly +# invited to any auto-join rooms which have been set to invite-only (either +# at the time of creation or subsequently). +# +# Note that, if the room already exists, this user must be joined and +# have the appropriate permissions to invite new members. +# +#auto_join_mxid_localpart: system + +# When auto_join_rooms is specified, setting this flag to false prevents +# guest accounts from being automatically joined to the rooms. +# +# Defaults to true. +# +#auto_join_rooms_for_guests: false + + +## Account Validity ## + +# Optional account validity configuration. This allows for accounts to be denied +# any request after a given period. +# +# Once this feature is enabled, Synapse will look for registered users without an +# expiration date at startup and will add one to every account it found using the +# current settings at that time. +# This means that, if a validity period is set, and Synapse is restarted (it will +# then derive an expiration date from the current validity period), and some time +# after that the validity period changes and Synapse is restarted, the users' +# expiration dates won't be updated unless their account is manually renewed. This +# date will be randomly selected within a range [now + period - d ; now + period], +# where d is equal to 10% of the validity period. +# +account_validity: + # The account validity feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true + + # The period after which an account is valid after its registration. When + # renewing the account, its validity period will be extended by this amount + # of time. This parameter is required when using the account validity + # feature. + # + #period: 6w + + # The amount of time before an account's expiry date at which Synapse will + # send an email to the account's email address with a renewal link. By + # default, no such emails are sent. + # + # If you enable this setting, you will also need to fill out the 'email' and + # 'public_baseurl' configuration sections. + # + #renew_at: 1w + + # The subject of the email sent out with the renewal link. '%(app)s' can be + # used as a placeholder for the 'app_name' parameter from the 'email' + # section. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + # If this is not set, a default value is used. + # + #renew_email_subject: "Renew your %(app)s account" + + # Directory in which Synapse will try to find templates for the HTML files to + # serve to the user when trying to renew an account. If not set, default + # templates from within the Synapse package will be used. + # + # The currently available templates are: + # + # * account_renewed.html: Displayed to the user after they have successfully + # renewed their account. + # + # * account_previously_renewed.html: Displayed to the user if they attempt to + # renew their account with a token that is valid, but that has already + # been used. In this case the account is not renewed again. + # + # * invalid_token.html: Displayed to the user when they try to renew an account + # with an unknown or invalid renewal token. + # + # See https://github.com/matrix-org/synapse/tree/master/synapse/res/templates for + # default template contents. + # + # The file name of some of these templates can be configured below for legacy + # reasons. + # + #template_dir: "res/templates" + + # A custom file name for the 'account_renewed.html' template. + # + # If not set, the file is assumed to be named "account_renewed.html". + # + #account_renewed_html_path: "account_renewed.html" + + # A custom file name for the 'invalid_token.html' template. + # + # If not set, the file is assumed to be named "invalid_token.html". + # + #invalid_token_html_path: "invalid_token.html" + + +## Metrics ### + +# Enable collection and rendering of performance metrics +# +enable_metrics: {{ matrix_synapse_metrics_enabled|to_json }} + +# Enable sentry integration +# NOTE: While attempts are made to ensure that the logs don't contain +# any sensitive information, this cannot be guaranteed. By enabling +# this option the sentry server may therefore receive sensitive +# information, and it in turn may then diseminate sensitive information +# through insecure notification channels if so configured. +# +{% if matrix_synapse_sentry_dsn != "" %} +sentry: + dsn: {{ matrix_synapse_sentry_dsn|to_json }} +{% endif %} + +# Flags to enable Prometheus metrics which are not suitable to be +# enabled by default, either for performance reasons or limited use. +# +metrics_flags: + # Publish synapse_federation_known_servers, a gauge of the number of + # servers this homeserver knows about, including itself. May cause + # performance problems on large homeservers. + # + #known_servers: true + +# Whether or not to report anonymized homeserver usage statistics. +# +report_stats: {{ matrix_synapse_report_stats|to_json }} + +# The endpoint to report the anonymized homeserver usage statistics to. +# Defaults to https://matrix.org/report-usage-stats/push +# +#report_stats_endpoint: https://example.com/report-usage-stats/push + + +## API Configuration ## + +# Controls for the state that is shared with users who receive an invite +# to a room +# +room_prejoin_state: + # By default, the following state event types are shared with users who + # receive invites to the room: + # + # - m.room.join_rules + # - m.room.canonical_alias + # - m.room.avatar + # - m.room.encryption + # - m.room.name + # - m.room.create + # + # Uncomment the following to disable these defaults (so that only the event + # types listed in 'additional_event_types' are shared). Defaults to 'false'. + # + #disable_default_event_types: true + + # Additional state event types to share with users when they are invited + # to a room. + # + # By default, this list is empty (so only the default event types are shared). + # + #additional_event_types: + # - org.example.custom.event.type + + +# A list of application service config files to use +# +app_service_config_files: {{ matrix_synapse_app_service_config_files|to_json }} + +# Uncomment to enable tracking of application service IP addresses. Implicitly +# enables MAU tracking for application service users. +# +#track_appservice_user_ips: True + + +# a secret which is used to sign access tokens. If none is specified, +# the registration_shared_secret is used, if one is given; otherwise, +# a secret key is derived from the signing key. +# +macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|string|to_json }} + +# a secret which is used to calculate HMACs for form values, to stop +# falsification of values. Must be specified for the User Consent +# forms to work. +# +form_secret: {{ matrix_synapse_form_secret|string|to_json }} + +## Signing Keys ## + +# Path to the signing key to sign messages with +# +signing_key_path: "/data/{{ matrix_server_fqn_matrix }}.signing.key" + +# The keys that the server used to sign messages with but won't use +# to sign new messages. +# +old_signing_keys: + # For each key, `key` should be the base64-encoded public key, and + # `expired_ts`should be the time (in milliseconds since the unix epoch) that + # it was last used. + # + # It is possible to build an entry from an old signing.key file using the + # `export_signing_key` script which is provided with synapse. + # + # For example: + # + #"ed25519:id": { key: "base64string", expired_ts: 123456789123 } + +# How long key response published by this server is valid for. +# Used to set the valid_until_ts in /key/v2 APIs. +# Determines how quickly servers will query to check which keys +# are still valid. +# +#key_refresh_interval: 1d + +# The trusted servers to download signing keys from. +# +# When we need to fetch a signing key, each server is tried in parallel. +# +# Normally, the connection to the key server is validated via TLS certificates. +# Additional security can be provided by configuring a `verify key`, which +# will make synapse check that the response is signed by that key. +# +# This setting supercedes an older setting named `perspectives`. The old format +# is still supported for backwards-compatibility, but it is deprecated. +# +# 'trusted_key_servers' defaults to matrix.org, but using it will generate a +# warning on start-up. To suppress this warning, set +# 'suppress_key_server_warning' to true. +# +# Options for each entry in the list include: +# +# server_name: the name of the server. required. +# +# verify_keys: an optional map from key id to base64-encoded public key. +# If specified, we will check that the response is signed by at least +# one of the given keys. +# +# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset, +# and federation_verify_certificates is not `true`, synapse will refuse +# to start, because this would allow anyone who can spoof DNS responses +# to masquerade as the trusted key server. If you know what you are doing +# and are sure that your network environment provides a secure connection +# to the key server, you can set this to `true` to override this +# behaviour. +# +# An example configuration might look like: +# +#trusted_key_servers: +# - server_name: "my_trusted_server.example.com" +# verify_keys: +# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" +# - server_name: "my_other_trusted_server.example.com" +# +trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }} + + +# Uncomment the following to disable the warning that is emitted when the +# trusted_key_servers include 'matrix.org'. See above. +# +#suppress_key_server_warning: true + +# The signing keys to use when acting as a trusted key server. If not specified +# defaults to the server signing key. +# +# Can contain multiple keys, one per line. +# +#key_server_signing_keys_path: "key_server_signing_keys.key" + + +## Single sign-on integration ## + +# The following settings can be used to make Synapse use a single sign-on +# provider for authentication, instead of its internal password database. +# +# You will probably also want to set the following options to `false` to +# disable the regular login/registration flows: +# * enable_registration +# * password_config.enabled +# +# You will also want to investigate the settings under the "sso" configuration +# section below. + +# Enable SAML2 for registration and login. Uses pysaml2. +# +# At least one of `sp_config` or `config_path` must be set in this section to +# enable SAML login. +# +# Once SAML support is enabled, a metadata file will be exposed at +# https://:/_synapse/client/saml2/metadata.xml, which you may be able to +# use to configure your SAML IdP with. Alternatively, you can manually configure +# the IdP to use an ACS location of +# https://:/_synapse/client/saml2/authn_response. +# +saml2_config: + # `sp_config` is the configuration for the pysaml2 Service Provider. + # See pysaml2 docs for format of config. + # + # Default values will be used for the 'entityid' and 'service' settings, + # so it is not normally necessary to specify them unless you need to + # override them. + # + sp_config: + # Point this to the IdP's metadata. You must provide either a local + # file via the `local` attribute or (preferably) a URL via the + # `remote` attribute. + # + #metadata: + # local: ["saml2/idp.xml"] + # remote: + # - url: https://our_idp/metadata.xml + + # Allowed clock difference in seconds between the homeserver and IdP. + # + # Uncomment the below to increase the accepted time difference from 0 to 3 seconds. + # + #accepted_time_diff: 3 + + # By default, the user has to go to our login page first. If you'd like + # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # 'service.sp' section: + # + #service: + # sp: + # allow_unsolicited: true + + # The examples below are just used to generate our metadata xml, and you + # may well not need them, depending on your setup. Alternatively you + # may need a whole lot more detail - see the pysaml2 docs! + + #description: ["My awesome SP", "en"] + #name: ["Test SP", "en"] + + #ui_info: + # display_name: + # - lang: en + # text: "Display Name is the descriptive name of your service." + # description: + # - lang: en + # text: "Description should be a short paragraph explaining the purpose of the service." + # information_url: + # - lang: en + # text: "https://example.com/terms-of-service" + # privacy_statement_url: + # - lang: en + # text: "https://example.com/privacy-policy" + # keywords: + # - lang: en + # text: ["Matrix", "Element"] + # logo: + # - lang: en + # text: "https://example.com/logo.svg" + # width: "200" + # height: "80" + + #organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + + #contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical + + # Instead of putting the config inline as above, you can specify a + # separate pysaml2 configuration file: + # + #config_path: "/data/sp_conf.py" + + # The lifetime of a SAML session. This defines how long a user has to + # complete the authentication process, if allow_unsolicited is unset. + # The default is 15 minutes. + # + #saml_session_lifetime: 5m + + # An external module can be provided here as a custom solution to + # mapping attributes returned from a saml provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # + #module: mapping_provider.SamlMappingProvider + + # Custom configuration values for the module. Below options are + # intended for the built-in provider, they should be changed if + # using a custom module. This section will be passed as a Python + # dictionary to the module's `parse_config` method. + # + config: + # The SAML attribute (after mapping via the attribute maps) to use + # to derive the Matrix ID from. 'uid' by default. + # + # Note: This used to be configured by the + # saml2_config.mxid_source_attribute option. If that is still + # defined, its value will be used instead. + # + #mxid_source_attribute: displayName + + # The mapping system to use for mapping the saml attribute onto a + # matrix ID. + # + # Options include: + # * 'hexencode' (which maps unpermitted characters to '=xx') + # * 'dotreplace' (which replaces unpermitted characters with + # '.'). + # The default is 'hexencode'. + # + # Note: This used to be configured by the + # saml2_config.mxid_mapping option. If that is still defined, its + # value will be used instead. + # + #mxid_mapping: dotreplace + + # In previous versions of synapse, the mapping from SAML attribute to + # MXID was always calculated dynamically rather than stored in a + # table. For backwards- compatibility, we will look for user_ids + # matching such a pattern before creating a new account. + # + # This setting controls the SAML attribute which will be used for this + # backwards-compatibility lookup. Typically it should be 'uid', but if + # the attribute maps are changed, it may be necessary to change it. + # + # The default is 'uid'. + # + #grandfathered_mxid_source_attribute: upn + + # It is possible to configure Synapse to only allow logins if SAML attributes + # match particular values. The requirements can be listed under + # `attribute_requirements` as shown below. All of the listed attributes must + # match for the login to be permitted. + # + #attribute_requirements: + # - attribute: userGroup + # value: "staff" + # - attribute: department + # value: "sales" + + # If the metadata XML contains multiple IdP entities then the `idp_entityid` + # option must be set to the entity to redirect users to. + # + # Most deployments only have a single IdP entity and so should omit this + # option. + # + #idp_entityid: 'https://our_idp/entityid' + + +# List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration +# and login. +# +# Options for each entry include: +# +# idp_id: a unique identifier for this identity provider. Used internally +# by Synapse; should be a single word such as 'github'. +# +# Note that, if this is changed, users authenticating via that provider +# will no longer be recognised as the same user! +# +# (Use "oidc" here if you are migrating from an old "oidc_config" +# configuration.) +# +# idp_name: A user-facing name for this identity provider, which is used to +# offer the user a choice of login mechanisms. +# +# idp_icon: An optional icon for this identity provider, which is presented +# by clients and Synapse's own IdP picker page. If given, must be an +# MXC URI of the format mxc:///. (An easy way to +# obtain such an MXC URI is to upload an image to an (unencrypted) room +# and then copy the "url" from the source of the event.) +# +# idp_brand: An optional brand for this identity provider, allowing clients +# to style the login flow according to the identity provider in question. +# See the spec for possible options here. +# +# discover: set to 'false' to disable the use of the OIDC discovery mechanism +# to discover endpoints. Defaults to true. +# +# issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery +# is enabled) to discover the provider's endpoints. +# +# client_id: Required. oauth2 client id to use. +# +# client_secret: oauth2 client secret to use. May be omitted if +# client_secret_jwt_key is given, or if client_auth_method is 'none'. +# +# client_secret_jwt_key: Alternative to client_secret: details of a key used +# to create a JSON Web Token to be used as an OAuth2 client secret. If +# given, must be a dictionary with the following properties: +# +# key: a pem-encoded signing key. Must be a suitable key for the +# algorithm specified. Required unless 'key_file' is given. +# +# key_file: the path to file containing a pem-encoded signing key file. +# Required unless 'key' is given. +# +# jwt_header: a dictionary giving properties to include in the JWT +# header. Must include the key 'alg', giving the algorithm used to +# sign the JWT, such as "ES256", using the JWA identifiers in +# RFC7518. +# +# jwt_payload: an optional dictionary giving properties to include in +# the JWT payload. Normally this should include an 'iss' key. +# +# client_auth_method: auth method to use when exchanging the token. Valid +# values are 'client_secret_basic' (default), 'client_secret_post' and +# 'none'. +# +# scopes: list of scopes to request. This should normally include the "openid" +# scope. Defaults to ["openid"]. +# +# authorization_endpoint: the oauth2 authorization endpoint. Required if +# provider discovery is disabled. +# +# token_endpoint: the oauth2 token endpoint. Required if provider discovery is +# disabled. +# +# userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is +# disabled and the 'openid' scope is not requested. +# +# jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and +# the 'openid' scope is used. +# +# skip_verification: set to 'true' to skip metadata verification. Use this if +# you are connecting to a provider that is not OpenID Connect compliant. +# Defaults to false. Avoid this in production. +# +# user_profile_method: Whether to fetch the user profile from the userinfo +# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'. +# +# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is +# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the +# userinfo endpoint. +# +# allow_existing_users: set to 'true' to allow a user logging in via OIDC to +# match a pre-existing account instead of failing. This could be used if +# switching from password logins to OIDC. Defaults to false. +# +# user_mapping_provider: Configuration for how attributes returned from a OIDC +# provider are mapped onto a matrix user. This setting has the following +# sub-properties: +# +# module: The class name of a custom mapping module. Default is +# 'synapse.handlers.oidc.JinjaOidcMappingProvider'. +# See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers +# for information on implementing a custom mapping provider. +# +# config: Configuration for the mapping provider module. This section will +# be passed as a Python dictionary to the user mapping provider +# module's `parse_config` method. +# +# For the default provider, the following settings are available: +# +# subject_claim: name of the claim containing a unique identifier +# for the user. Defaults to 'sub', which OpenID Connect +# compliant providers should provide. +# +# localpart_template: Jinja2 template for the localpart of the MXID. +# If this is not set, the user will be prompted to choose their +# own username (see 'sso_auth_account_details.html' in the 'sso' +# section of this file). +# +# display_name_template: Jinja2 template for the display name to set +# on first login. If unset, no displayname will be set. +# +# email_template: Jinja2 template for the email address of the user. +# If unset, no email address will be added to the account. +# +# extra_attributes: a map of Jinja2 templates for extra attributes +# to send back to the client during login. +# Note that these are non-standard and clients will ignore them +# without modifications. +# +# When rendering, the Jinja2 templates are given a 'user' variable, +# which is set to the claims returned by the UserInfo Endpoint and/or +# in the ID Token. +# +# It is possible to configure Synapse to only allow logins if certain attributes +# match particular values in the OIDC userinfo. The requirements can be listed under +# `attribute_requirements` as shown below. All of the listed attributes must +# match for the login to be permitted. Additional attributes can be added to +# userinfo by expanding the `scopes` section of the OIDC config to retrieve +# additional information from the OIDC provider. +# +# If the OIDC claim is a list, then the attribute must match any value in the list. +# Otherwise, it must exactly match the value of the claim. Using the example +# below, the `family_name` claim MUST be "Stephensson", but the `groups` +# claim MUST contain "admin". +# +# attribute_requirements: +# - attribute: family_name +# value: "Stephensson" +# - attribute: groups +# value: "admin" +# +# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md +# for information on how to configure these options. +# +# For backwards compatibility, it is also possible to configure a single OIDC +# provider via an 'oidc_config' setting. This is now deprecated and admins are +# advised to migrate to the 'oidc_providers' format. (When doing that migration, +# use 'oidc' for the idp_id to ensure that existing users continue to be +# recognised.) +# +oidc_providers: + # Generic example + # + #- idp_id: my_idp + # idp_name: "My OpenID provider" + # idp_icon: "mxc://example.com/mediaid" + # discover: false + # issuer: "https://accounts.example.com/" + # client_id: "provided-by-your-issuer" + # client_secret: "provided-by-your-issuer" + # client_auth_method: client_secret_post + # scopes: ["openid", "profile"] + # authorization_endpoint: "https://accounts.example.com/oauth2/auth" + # token_endpoint: "https://accounts.example.com/oauth2/token" + # userinfo_endpoint: "https://accounts.example.com/userinfo" + # jwks_uri: "https://accounts.example.com/.well-known/jwks.json" + # user_mapping_provider: + # config: + # subject_claim: "id" + # localpart_template: "{% raw %}{{ user.login }}{% endraw %}" + # display_name_template: "{% raw %}{{ user.name }}{% endraw %}" + # email_template: "{% raw %}{{ user.email }}{% endraw %}" + # attribute_requirements: + # - attribute: userGroup + # value: "synapseUsers" + + +# Enable Central Authentication Service (CAS) for registration and login. +# +cas_config: + # Uncomment the following to enable authorization against a CAS server. + # Defaults to false. + # + #enabled: true + + # The URL of the CAS authorization endpoint. + # + #server_url: "https://cas-server.com" + + # The attribute of the CAS response to use as the display name. + # + # If unset, no displayname will be set. + # + #displayname_attribute: name + + # It is possible to configure Synapse to only allow logins if CAS attributes + # match particular values. All of the keys in the mapping below must exist + # and the values must match the given value. Alternately if the given value + # is None then any value is allowed (the attribute just must exist). + # All of the listed attributes must match for the login to be permitted. + # + #required_attributes: + # userGroup: "staff" + # department: None + + +# Additional settings to use with single-sign on systems such as OpenID Connect, +# SAML2 and CAS. +# +sso: + # A list of client URLs which are whitelisted so that the user does not + # have to confirm giving access to their account to the URL. Any client + # whose URL starts with an entry in the following list will not be subject + # to an additional confirmation step after the SSO login is completed. + # + # WARNING: An entry such as "https://my.client" is insecure, because it + # will also match "https://my.client.evil.site", exposing your users to + # phishing attacks from evil.site. To avoid this, include a slash after the + # hostname: "https://my.client/". + # + # If public_baseurl is set, then the login fallback page (used by clients + # that don't natively support the required login flows) is whitelisted in + # addition to any URLs in this list. + # + # By default, this list is empty. + # + #client_whitelist: + # - https://riot.im/develop + # - https://my.custom.client/ + + # Uncomment to keep a user's profile fields in sync with information from + # the identity provider. Currently only syncing the displayname is + # supported. Fields are checked on every SSO login, and are updated + # if necessary. + # + # Note that enabling this option will override user profile information, + # regardless of whether users have opted-out of syncing that + # information when first signing in. Defaults to false. + # + #update_profile_information: true + + # Directory in which Synapse will try to find the template files below. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. + # + # Synapse will look for the following templates in this directory: + # + # * HTML page to prompt the user to choose an Identity Provider during + # login: 'sso_login_idp_picker.html'. + # + # This is only used if multiple SSO Identity Providers are configured. + # + # When rendering, this template is given the following variables: + # * redirect_url: the URL that the user will be redirected to after + # login. + # + # * server_name: the homeserver's name. + # + # * providers: a list of available Identity Providers. Each element is + # an object with the following attributes: + # + # * idp_id: unique identifier for the IdP + # * idp_name: user-facing name for the IdP + # * idp_icon: if specified in the IdP config, an MXC URI for an icon + # for the IdP + # * idp_brand: if specified in the IdP config, a textual identifier + # for the brand of the IdP + # + # The rendered HTML page should contain a form which submits its results + # back as a GET request, with the following query parameters: + # + # * redirectUrl: the client redirect URI (ie, the `redirect_url` passed + # to the template) + # + # * idp: the 'idp_id' of the chosen IDP. + # + # * HTML page to prompt new users to enter a userid and confirm other + # details: 'sso_auth_account_details.html'. This is only shown if the + # SSO implementation (with any user_mapping_provider) does not return + # a localpart. + # + # When rendering, this template is given the following variables: + # + # * server_name: the homeserver's name. + # + # * idp: details of the SSO Identity Provider that the user logged in + # with: an object with the following attributes: + # + # * idp_id: unique identifier for the IdP + # * idp_name: user-facing name for the IdP + # * idp_icon: if specified in the IdP config, an MXC URI for an icon + # for the IdP + # * idp_brand: if specified in the IdP config, a textual identifier + # for the brand of the IdP + # + # * user_attributes: an object containing details about the user that + # we received from the IdP. May have the following attributes: + # + # * display_name: the user's display_name + # * emails: a list of email addresses + # + # The template should render a form which submits the following fields: + # + # * username: the localpart of the user's chosen user id + # + # * HTML page allowing the user to consent to the server's terms and + # conditions. This is only shown for new users, and only if + # `user_consent.require_at_registration` is set. + # + # When rendering, this template is given the following variables: + # + # * server_name: the homeserver's name. + # + # * user_id: the user's matrix proposed ID. + # + # * user_profile.display_name: the user's proposed display name, if any. + # + # * consent_version: the version of the terms that the user will be + # shown + # + # * terms_url: a link to the page showing the terms. + # + # The template should render a form which submits the following fields: + # + # * accepted_version: the version of the terms accepted by the user + # (ie, 'consent_version' from the input variables). + # + # * HTML page for a confirmation step before redirecting back to the client + # with the login token: 'sso_redirect_confirm.html'. + # + # When rendering, this template is given the following variables: + # + # * redirect_url: the URL the user is about to be redirected to. + # + # * display_url: the same as `redirect_url`, but with the query + # parameters stripped. The intention is to have a + # human-readable URL to show to users, not to use it as + # the final address to redirect to. + # + # * server_name: the homeserver's name. + # + # * new_user: a boolean indicating whether this is the user's first time + # logging in. + # + # * user_id: the user's matrix ID. + # + # * user_profile.avatar_url: an MXC URI for the user's avatar, if any. + # None if the user has not set an avatar. + # + # * user_profile.display_name: the user's display name. None if the user + # has not set a display name. + # + # * HTML page which notifies the user that they are authenticating to confirm + # an operation on their account during the user interactive authentication + # process: 'sso_auth_confirm.html'. + # + # When rendering, this template is given the following variables: + # * redirect_url: the URL the user is about to be redirected to. + # + # * description: the operation which the user is being asked to confirm + # + # * idp: details of the Identity Provider that we will use to confirm + # the user's identity: an object with the following attributes: + # + # * idp_id: unique identifier for the IdP + # * idp_name: user-facing name for the IdP + # * idp_icon: if specified in the IdP config, an MXC URI for an icon + # for the IdP + # * idp_brand: if specified in the IdP config, a textual identifier + # for the brand of the IdP + # + # * HTML page shown after a successful user interactive authentication session: + # 'sso_auth_success.html'. + # + # Note that this page must include the JavaScript which notifies of a successful authentication + # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). + # + # This template has no additional variables. + # + # * HTML page shown after a user-interactive authentication session which + # does not map correctly onto the expected user: 'sso_auth_bad_user.html'. + # + # When rendering, this template is given the following variables: + # * server_name: the homeserver's name. + # * user_id_to_verify: the MXID of the user that we are trying to + # validate. + # + # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) + # attempts to login: 'sso_account_deactivated.html'. + # + # This template has no additional variables. + # + # * HTML page to display to users if something goes wrong during the + # OpenID Connect authentication process: 'sso_error.html'. + # + # When rendering, this template is given two variables: + # * error: the technical name of the error + # * error_description: a human-readable message for the error + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + +# JSON web token integration. The following settings can be used to make +# Synapse JSON web tokens for authentication, instead of its internal +# password database. +# +# Each JSON Web Token needs to contain a "sub" (subject) claim, which is +# used as the localpart of the mxid. +# +# Additionally, the expiration time ("exp"), not before time ("nbf"), +# and issued at ("iat") claims are validated if present. +# +# Note that this is a non-standard login type and client support is +# expected to be non-existent. +# +# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md. +# +#jwt_config: + # Uncomment the following to enable authorization using JSON web + # tokens. Defaults to false. + # + #enabled: true + + # This is either the private shared secret or the public key used to + # decode the contents of the JSON web token. + # + # Required if 'enabled' is true. + # + #secret: "provided-by-your-issuer" + + # The algorithm used to sign the JSON web token. + # + # Supported algorithms are listed at + # https://pyjwt.readthedocs.io/en/latest/algorithms.html + # + # Required if 'enabled' is true. + # + #algorithm: "provided-by-your-issuer" + + # The issuer to validate the "iss" claim against. + # + # Optional, if provided the "iss" claim will be required and + # validated for all JSON web tokens. + # + #issuer: "provided-by-your-issuer" + + # A list of audiences to validate the "aud" claim against. + # + # Optional, if provided the "aud" claim will be required and + # validated for all JSON web tokens. + # + # Note that if the "aud" claim is included in a JSON web token then + # validation will fail without configuring audiences. + # + #audiences: + # - "provided-by-your-issuer" + + +password_config: + # Uncomment to disable password login + # + #enabled: false + + # Uncomment to disable authentication against the local password + # database. This is ignored if `enabled` is false, and is only useful + # if you have other password_providers. + # + localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }} + + # Uncomment and change to a secret random string for extra security. + # DO NOT CHANGE THIS AFTER INITIAL SETUP! + # + pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} + + # Define and enforce a password policy. Each parameter is optional. + # This is an implementation of MSC2000. + # + policy: + # Whether to enforce the password policy. + # Defaults to 'false'. + # + #enabled: true + + # Minimum accepted length for a password. + # Defaults to 0. + # + #minimum_length: 15 + + # Whether a password must contain at least one digit. + # Defaults to 'false'. + # + #require_digit: true + + # Whether a password must contain at least one symbol. + # A symbol is any character that's not a number or a letter. + # Defaults to 'false'. + # + #require_symbol: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_lowercase: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_uppercase: true + +ui_auth: + # The amount of time to allow a user-interactive authentication session + # to be active. + # + # This defaults to 0, meaning the user is queried for their credentials + # before every action, but this can be overridden to allow a single + # validation to be re-used. This weakens the protections afforded by + # the user-interactive authentication process, by allowing for multiple + # (and potentially different) operations to use the same validation session. + # + # This is ignored for potentially "dangerous" operations (including + # deactivating an account, modifying an account password, and + # adding a 3PID). + # + # Uncomment below to allow for credential validation to last for 15 + # seconds. + # + #session_timeout: "15s" + + +{% if matrix_synapse_email_enabled %} +# Configuration for sending emails from Synapse. +# +email: + # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'. + # + #smtp_host: mail.server + smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }} + + # The port on the mail server for outgoing SMTP. Defaults to 25. + # + #smtp_port: 587 + smtp_port: {{ matrix_synapse_email_smtp_port|to_json }} + + # Username/password for authentication to the SMTP server. By default, no + # authentication is attempted. + # + #smtp_user: "exampleusername" + #smtp_pass: "examplepassword" + + # Uncomment the following to require TLS transport security for SMTP. + # By default, Synapse will connect over plain text, and will then switch to + # TLS via STARTTLS *if the SMTP server supports it*. If this option is set, + # Synapse will refuse to connect unless the server supports STARTTLS. + # + #require_transport_security: true + require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }} + + # Enable sending emails for messages that the user has missed + # + #enable_notifs: false + enable_notifs: true + + # notif_from defines the "From" address to use when sending emails. + # It must be set if email sending is enabled. + # + # The placeholder '%(app)s' will be replaced by the application name, + # which is normally 'app_name' (below), but may be overridden by the + # Matrix client application. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + #notif_from: "Your Friendly %(app)s homeserver " + notif_from: {{ matrix_synapse_email_notif_from|string|to_json }} + + # app_name defines the default value for '%(app)s' in notif_from and email + # subjects. It defaults to 'Matrix'. + # + #app_name: my_branded_matrix_server + app_name: Matrix + + # Uncomment the following to disable automatic subscription to email + # notifications for new users. Enabled by default. + # + #notif_for_new_users: false + notif_for_new_users: True + + # Custom URL for client links within the email notifications. By default + # links will be based on "https://matrix.to". + # + # (This setting used to be called riot_base_url; the old name is still + # supported for backwards-compatibility but is now deprecated.) + # + #client_base_url: "http://localhost/riot" + client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }} + + # Configure the time that a validation email will expire after sending. + # Defaults to 1h. + # + #validation_token_lifetime: 15m + + # Directory in which Synapse will try to find the template files below. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. + # + # Synapse will look for the following templates in this directory: + # + # * The contents of email notifications of missed events: 'notif_mail.html' and + # 'notif_mail.txt'. + # + # * The contents of account expiry notice emails: 'notice_expiry.html' and + # 'notice_expiry.txt'. + # + # * The contents of password reset emails sent by the homeserver: + # 'password_reset.html' and 'password_reset.txt' + # + # * An HTML page that a user will see when they follow the link in the password + # reset email. The user will be asked to confirm the action before their + # password is reset: 'password_reset_confirmation.html' + # + # * HTML pages for success and failure that a user will see when they confirm + # the password reset flow using the page above: 'password_reset_success.html' + # and 'password_reset_failure.html' + # + # * The contents of address verification emails sent during registration: + # 'registration.html' and 'registration.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent during registration: + # 'registration_success.html' and 'registration_failure.html' + # + # * The contents of address verification emails sent when an address is added + # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent when an address is added + # to a Matrix account: 'add_threepid_success.html' and + # 'add_threepid_failure.html' + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + # Subjects to use when sending emails from Synapse. + # + # The placeholder '%(app)s' will be replaced with the value of the 'app_name' + # setting above, or by a value dictated by the Matrix client application. + # + # If a subject isn't overridden in this configuration file, the value used as + # its example will be used. + # + #subjects: + + # Subjects for notification emails. + # + # On top of the '%(app)s' placeholder, these can use the following + # placeholders: + # + # * '%(person)s', which will be replaced by the display name of the user(s) + # that sent the message(s), e.g. "Alice and Bob". + # * '%(room)s', which will be replaced by the name of the room the + # message(s) have been sent to, e.g. "My super room". + # + # See the example provided for each setting to see which placeholder can be + # used and how to use them. + # + # Subject to use to notify about one message from one or more user(s) in a + # room which has a name. + #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..." + # + # Subject to use to notify about one message from one or more user(s) in a + # room which doesn't have a name. + #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..." + # + # Subject to use to notify about multiple messages from one or more users in + # a room which doesn't have a name. + #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..." + # + # Subject to use to notify about multiple messages in a room which has a + # name. + #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..." + # + # Subject to use to notify about multiple messages in multiple rooms. + #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..." + # + # Subject to use to notify about multiple messages from multiple persons in + # multiple rooms. This is similar to the setting above except it's used when + # the room in which the notification was triggered has no name. + #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..." + # + # Subject to use to notify about an invite to a room which has a name. + #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..." + # + # Subject to use to notify about an invite to a room which doesn't have a + # name. + #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..." + + # Subject for emails related to account administration. + # + # On top of the '%(app)s' placeholder, these one can use the + # '%(server_name)s' placeholder, which will be replaced by the value of the + # 'server_name' setting in your Synapse configuration. + # + # Subject to use when sending a password reset email. + #password_reset: "[%(server_name)s] Password reset" + # + # Subject to use when sending a verification email to assert an address's + # ownership. + #email_validation: "[%(server_name)s] Validate your email" +{% endif %} + +# Password providers allow homeserver administrators to integrate +# their Synapse installation with existing authentication methods +# ex. LDAP, external tokens, etc. +# +# For more information and known implementations, please see +# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md +# +# Note: instances wishing to use SAML or CAS authentication should +# instead use the `saml2_config` or `cas_config` options, +# respectively. +# +# password_providers: +# # Example config for an LDAP auth provider +# - module: "ldap_auth_provider.LdapAuthProvider" +# config: +# enabled: true +# uri: "ldap://ldap.example.com:389" +# start_tls: true +# base: "ou=users,dc=example,dc=com" +# attributes: +# uid: "cn" +# mail: "email" +# name: "givenName" +# #bind_dn: +# #bind_password: +# #filter: "(objectClass=posixAccount)" +{% if matrix_synapse_password_providers_enabled %} +password_providers: +{% if matrix_synapse_ext_password_provider_shared_secret_auth_enabled %} + - module: "shared_secret_authenticator.SharedSecretAuthenticator" + config: + sharedSecret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret|string|to_json }} +{% endif %} +{% if matrix_synapse_ext_password_provider_rest_auth_enabled %} + - module: "rest_auth_provider.RestAuthProvider" + config: + endpoint: {{ matrix_synapse_ext_password_provider_rest_auth_endpoint|string|to_json }} + policy: + registration: + username: + enforceLowercase: {{ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase }} + profile: + name: {{ matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill }} + login: + profile: + name: {{ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill }} +{% endif %} +{% if matrix_synapse_ext_password_provider_ldap_enabled %} + - module: "ldap_auth_provider.LdapAuthProvider" + config: + enabled: true + uri: {{ matrix_synapse_ext_password_provider_ldap_uri|string|to_json }} + start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls|to_json }} + base: {{ matrix_synapse_ext_password_provider_ldap_base|string|to_json }} + active_directory: {{ matrix_synapse_ext_password_provider_ldap_active_directory|to_json }} + default_domain: {{ matrix_synapse_ext_password_provider_ldap_default_domain|string|to_json }} + attributes: + uid: {{ matrix_synapse_ext_password_provider_ldap_attributes_uid|string|to_json }} + mail: {{ matrix_synapse_ext_password_provider_ldap_attributes_mail|string|to_json }} + name: {{ matrix_synapse_ext_password_provider_ldap_attributes_name|string|to_json }} + bind_dn: {{ matrix_synapse_ext_password_provider_ldap_bind_dn|string|to_json }} + bind_password: {{ matrix_synapse_ext_password_provider_ldap_bind_password|string|to_json }} + filter: {{ matrix_synapse_ext_password_provider_ldap_filter|string|to_json }} +{% endif %} +{% endif %} + + +## Push ## + +push: + # Clients requesting push notifications can either have the body of + # the message sent in the notification poke along with other details + # like the sender, or just the event ID and room ID (`event_id_only`). + # If clients choose the former, this option controls whether the + # notification request includes the content of the event (other details + # like the sender are still included). For `event_id_only` push, it + # has no effect. + # + # For modern android devices the notification content will still appear + # because it is loaded by the app. iPhone, however will send a + # notification saying only that a message arrived and who it came from. + # + # The default value is "true" to include message details. Uncomment to only + # include the event ID and room ID in push notification payloads. + # + include_content: {{ matrix_synapse_push_include_content|to_json }} + + # When a push notification is received, an unread count is also sent. + # This number can either be calculated as the number of unread messages + # for the user, or the number of *rooms* the user has unread messages in. + # + # The default value is "true", meaning push clients will see the number of + # rooms with unread messages in them. Uncomment to instead send the number + # of unread messages. + # + #group_unread_count_by_room: false + + +# Spam checkers are third-party modules that can block specific actions +# of local users, such as creating rooms and registering undesirable +# usernames, as well as remote users by redacting incoming events. +# +# spam_checker: + #- module: "my_custom_project.SuperSpamChecker" + # config: + # example_option: 'things' + #- module: "some_other_project.BadEventStopper" + # config: + # example_stop_events_from: ['@bad:example.com'] +spam_checker: {{ matrix_synapse_spam_checker|to_json }} + + +## Rooms ## + +# Controls whether locally-created rooms should be end-to-end encrypted by +# default. +# +# Possible options are "all", "invite", and "off". They are defined as: +# +# * "all": any locally-created room +# * "invite": any room created with the "private_chat" or "trusted_private_chat" +# room creation presets +# * "off": this option will take no effect +# +# The default value is "off". +# +# Note that this option will only affect rooms created after it is set. It +# will also not affect rooms created by other servers. +# +#encryption_enabled_by_default_for_room_type: invite + + +# Uncomment to allow non-server-admin users to create groups on this server +# +enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }} + +# If enabled, non server admins can only create groups with local parts +# starting with this prefix +# +#group_creation_prefix: "unofficial_" + + + +# User Directory configuration +# +user_directory: + # Defines whether users can search the user directory. If false then + # empty responses are returned to all queries. Defaults to true. + # + # Uncomment to disable the user directory. + # + #enabled: false + + # Defines whether to search all users visible to your HS when searching + # the user directory, rather than limiting to users visible in public + # rooms. Defaults to false. + # + # If you set it true, you'll have to rebuild the user_directory search + # indexes, see: + # https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md + # + # Uncomment to return search results containing all known users, even if that + # user does not share a room with the requester. + # + #search_all_users: true + + # Defines whether to prefer local users in search query results. + # If True, local users are more likely to appear above remote users + # when searching the user directory. Defaults to false. + # + # Uncomment to prefer local over remote users in user directory search + # results. + # + #prefer_local_users: true + + +# User Consent configuration +# +# for detailed instructions, see +# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md +# +# Parts of this section are required if enabling the 'consent' resource under +# 'listeners', in particular 'template_dir' and 'version'. +# +# 'template_dir' gives the location of the templates for the HTML forms. +# This directory should contain one subdirectory per language (eg, 'en', 'fr'), +# and each language directory should contain the policy document (named as +# '.html') and a success page (success.html). +# +# 'version' specifies the 'current' version of the policy document. It defines +# the version to be served by the consent resource if there is no 'v' +# parameter. +# +# 'server_notice_content', if enabled, will send a user a "Server Notice" +# asking them to consent to the privacy policy. The 'server_notices' section +# must also be configured for this to work. Notices will *not* be sent to +# guest users unless 'send_server_notice_to_guests' is set to true. +# +# 'block_events_error', if set, will block any attempts to send events +# until the user consents to the privacy policy. The value of the setting is +# used as the text of the error. +# +# 'require_at_registration', if enabled, will add a step to the registration +# process, similar to how captcha works. Users will be required to accept the +# policy before their account is created. +# +# 'policy_name' is the display name of the policy users will see when registering +# for an account. Has no effect unless `require_at_registration` is enabled. +# Defaults to "Privacy Policy". +# +#user_consent: +# template_dir: res/templates/privacy +# version: 1.0 +# server_notice_content: +# msgtype: m.text +# body: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# send_server_notice_to_guests: True +# block_events_error: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# require_at_registration: False +# policy_name: Privacy Policy +# + + + +# Settings for local room and user statistics collection. See +# docs/room_and_user_statistics.md. +# +stats: + # Uncomment the following to disable room and user statistics. Note that doing + # so may cause certain features (such as the room directory) not to work + # correctly. + # + #enabled: false + + # The size of each timeslice in the room_stats_historical and + # user_stats_historical tables, as a time period. Defaults to "1d". + # + #bucket_size: 1h + + +# Server Notices room configuration +# +# Uncomment this section to enable a room which can be used to send notices +# from the server to users. It is a special room which cannot be left; notices +# come from a special "notices" user id. +# +# If you uncomment this section, you *must* define the system_mxid_localpart +# setting, which defines the id of the user which will be used to send the +# notices. +# +# It's also possible to override the room name, the display name of the +# "notices" user, and the avatar for the user. +# +#server_notices: +# system_mxid_localpart: notices +# system_mxid_display_name: "Server Notices" +# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" +# room_name: "Server Notices" + + + +# Uncomment to disable searching the public room list. When disabled +# blocks searching local and remote room lists for local and remote +# users by always returning an empty list for all queries. +# +#enable_room_list_search: false + +enable_room_list_search: {{ matrix_synapse_enable_room_list_search|to_json }} + +# The `alias_creation` option controls who's allowed to create aliases +# on this server. +# +# The format of this option is a list of rules that contain globs that +# match against user_id, room_id and the new alias (fully qualified with +# server name). The action in the first rule that matches is taken, +# which can currently either be "allow" or "deny". +# +# Missing user_id/room_id/alias fields default to "*". +# +# If no rules match the request is denied. An empty list means no one +# can create aliases. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# alias: Matches against the alias being created +# room_id: Matches against the room ID the alias is being pointed at +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#alias_creation_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + +alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }} + +# The `room_list_publication_rules` option controls who can publish and +# which rooms can be published in the public room list. +# +# The format of this option is the same as that for +# `alias_creation_rules`. +# +# If the room has one or more aliases associated with it, only one of +# the aliases needs to match the alias rule. If there are no aliases +# then only rules with `alias: *` match. +# +# If no rules match the request is denied. An empty list means no one +# can publish rooms. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# room_id: Matches against the room ID being published +# alias: Matches against any current local or canonical aliases +# associated with the room +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#room_list_publication_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + +room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }} + + +# Server admins can define a Python module that implements extra rules for +# allowing or denying incoming events. In order to work, this module needs to +# override the methods defined in synapse/events/third_party_rules.py. +# +# This feature is designed to be used in closed federations only, where each +# participating server enforces the same rules. +# +#third_party_event_rules: +# module: "my_custom_project.SuperRulesSet" +# config: +# example_option: 'things' + + +## Opentracing ## + +# These settings enable opentracing, which implements distributed tracing. +# This allows you to observe the causal chains of events across servers +# including requests, key lookups etc., across any server running +# synapse or any other other services which supports opentracing +# (specifically those implemented with Jaeger). +# +opentracing: + # tracing is disabled by default. Uncomment the following line to enable it. + # + #enabled: true + + # The list of homeservers we wish to send and receive span contexts and span baggage. + # See docs/opentracing.rst. + # + # This is a list of regexes which are matched against the server_name of the + # homeserver. + # + # By default, it is empty, so no servers are matched. + # + #homeserver_whitelist: + # - ".*" + + # A list of the matrix IDs of users whose requests will always be traced, + # even if the tracing system would otherwise drop the traces due to + # probabilistic sampling. + # + # By default, the list is empty. + # + #force_tracing_for_users: + # - "@user1:server_name" + # - "@user2:server_name" + + # Jaeger can be configured to sample traces at different rates. + # All configuration options provided by Jaeger can be set here. + # Jaeger's configuration is mostly related to trace sampling which + # is documented here: + # https://www.jaegertracing.io/docs/latest/sampling/. + # + #jaeger_config: + # sampler: + # type: const + # param: 1 + # logging: + # false + + +## Workers ## + +# Disables sending of outbound federation transactions on the main process. +# Uncomment if using a federation sender worker. +# +#send_federation: false + +# It is possible to run multiple federation sender workers, in which case the +# work is balanced across them. +# +# This configuration must be shared between all federation sender workers, and if +# changed all federation sender workers must be stopped at the same time and then +# started, to ensure that all instances are running with the same config (otherwise +# events may be dropped). +# +#federation_sender_instances: +# - federation_sender1 + +# When using workers this should be a map from `worker_name` to the +# HTTP replication listener of the worker, if configured. +# +#instance_map: +# worker1: +# host: localhost +# port: 8034 + +# Experimental: When using workers you can define which workers should +# handle event persistence and typing notifications. Any worker +# specified here must also be in the `instance_map`. +# +#stream_writers: +# events: worker1 +# typing: worker1 + +# The worker that is used to run background tasks (e.g. cleaning up expired +# data). If not provided this defaults to the main process. +# +#run_background_tasks_on: worker1 + +# A shared secret used by the replication APIs to authenticate HTTP requests +# from workers. +# +# By default this is unused and traffic is not authenticated. +# +#worker_replication_secret: "" + + +# Configuration for Redis when using workers. This *must* be enabled when +# using workers (unless using old style direct TCP configuration). +# +redis: + # Uncomment the below to enable Redis support. + # + enabled: {{ matrix_synapse_redis_enabled }} + + # Optional host and port to use to connect to redis. Defaults to + # localhost and 6379 + # + host: {{ matrix_synapse_redis_host }} + port: {{ matrix_synapse_redis_port }} + + # Optional password if configured on the Redis instance + # + password: {{ matrix_synapse_redis_password }} + + +# vim:ft=yaml diff --git a/roles/matrix-synapse/templates/synapse/synapse.log.config.j2 b/roles/matrix-synapse/templates/synapse/synapse.log.config.j2 new file mode 100644 index 00000000..09f07a2e --- /dev/null +++ b/roles/matrix-synapse/templates/synapse/synapse.log.config.j2 @@ -0,0 +1,36 @@ +#jinja2: lstrip_blocks: "True" + +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + +loggers: + synapse: + level: {{ matrix_synapse_log_level }} + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: {{ matrix_synapse_storage_sql_log_level }} + +{% for logger in matrix_synapse_additional_loggers %} + {{ logger.name }}: + level: {{ logger.level }} +{% endfor %} + +root: + level: {{ matrix_synapse_root_log_level }} + handlers: [console] diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 new file mode 100644 index 00000000..6c90c9a3 --- /dev/null +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2 @@ -0,0 +1,64 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Synapse worker ({{ matrix_synapse_worker_container_name }}) +AssertPathExists={{ matrix_synapse_config_dir_path }}/{{ matrix_synapse_worker_config_file_name }} +After=matrix-synapse.service + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" + +ExecStartPre=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} +ExecStartPre=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} + +# Intentional delay, so that the homeserver can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_worker_container_name }} \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + -e UID={{ matrix_user_uid }} \ + -e GID={{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ + --network={{ matrix_docker_network }} \ + {% if matrix_synapse_worker_details.port != 0 %} + --health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \ + {% else %} + --no-healthcheck \ + {% endif %} + {% if matrix_synapse_workers_enabled and matrix_synapse_workers_container_host_bind_address %} + {% if matrix_synapse_worker_details.port != 0 %} + -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ matrix_synapse_worker_details.port }}:{{ matrix_synapse_worker_details.port }} \ + {% endif %} + {% if matrix_synapse_worker_details.metrics_port != 0 %} + -p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ matrix_synapse_worker_details.metrics_port }}:{{ matrix_synapse_worker_details.metrics_port }} \ + {% endif %} + {% endif %} + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \ + --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ + {% for volume in matrix_synapse_container_additional_volumes %} + -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + {% endfor %} + {% for arg in matrix_synapse_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_synapse_docker_image }} \ + run -m synapse.app.{{ matrix_synapse_worker_details.type }} -c /data/homeserver.yaml -c /data/{{ matrix_synapse_worker_config_file_name }} + + +ExecStop=-{{ matrix_host_command_docker }} kill {{ matrix_synapse_worker_container_name }} +ExecStop=-{{ matrix_host_command_docker }} rm {{ matrix_synapse_worker_container_name }} + +ExecReload={{ matrix_host_command_docker }} exec {{ matrix_synapse_worker_container_name }} /bin/sh -c 'kill -HUP 1' +Restart=always +RestartSec=30 +SyslogIdentifier={{ matrix_synapse_worker_container_name }} + +# Intentionally not making this WantedBy=matrix-synapse.service, +# as matrix.synapse.service already has `Wants=` lines. +# Also, WantedBy will trigger the creation of some `matrix-synapse.service.wants/` directory, +# which we'd have to clean, etc. Better not. +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 new file mode 100644 index 00000000..2fbaac7b --- /dev/null +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -0,0 +1,76 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Synapse server +{% for service in matrix_synapse_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} + +{% endfor %} +{% for service in matrix_synapse_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +{% if matrix_synapse_workers_enabled %} +{% for matrix_synapse_worker_details in matrix_synapse_workers_enabled_list %} +Wants=matrix-synapse-worker-{{ matrix_synapse_worker_details.type }}-{{ matrix_synapse_worker_details.port }}.service +{% endfor %} +{% endif %} + +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' +{% if matrix_s3_media_store_enabled %} +# Allow for some time before starting, so that media store can mount. +# Mounting can happen later too, but if we start writing, +# we'd write files to the local filesystem and fusermount will complain. +ExecStartPre={{ matrix_host_command_sleep }} 3 +{% endif %} + +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --env=UID={{ matrix_user_uid }} \ + --env=GID={{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \ + --network={{ matrix_docker_network }} \ + {% if matrix_synapse_container_client_api_host_bind_port %} + -p {{ matrix_synapse_container_client_api_host_bind_port }}:8008 \ + {% endif %} + {% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled and matrix_synapse_container_federation_api_tls_host_bind_port %} + -p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:8448 \ + {% endif %} + {% if matrix_synapse_federation_enabled and matrix_synapse_container_federation_api_plain_host_bind_port %} + -p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:8048 \ + {% endif %} + {% if matrix_synapse_metrics_enabled and matrix_synapse_container_metrics_api_host_bind_port %} + -p {{ matrix_synapse_container_metrics_api_host_bind_port }}:{{ matrix_synapse_metrics_port }} \ + {% endif %} + {% if matrix_synapse_manhole_enabled and matrix_synapse_container_manhole_api_host_bind_port %} + -p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \ + {% endif %} + --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \ + --mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \ + {% for volume in matrix_synapse_container_additional_volumes %} + -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + {% endfor %} + {% for arg in matrix_synapse_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_synapse_docker_image }} \ + run -m synapse.app.homeserver -c /data/homeserver.yaml + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-synapse 2>/dev/null' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-synapse 2>/dev/null' +ExecReload={{ matrix_host_command_docker }} exec matrix-synapse /bin/sh -c 'kill -HUP 1' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-synapse + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 new file mode 100644 index 00000000..456c0667 --- /dev/null +++ b/roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2 @@ -0,0 +1,17 @@ +#jinja2: lstrip_blocks: "True" +#!/bin/bash + +if [ $# -ne 3 ]; then + echo "Usage: "$0" " + exit 1 +fi + +user=$1 +password=$2 +admin=$3 + +if [ "$admin" -eq "1" ]; then + docker exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --admin http://localhost:8008 +else + docker exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --no-admin http://localhost:8008 +fi diff --git a/roles/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 new file mode 100644 index 00000000..36ae5a7e --- /dev/null +++ b/roles/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -0,0 +1,45 @@ +#jinja2: lstrip_blocks: "True" +worker_app: synapse.app.{{ matrix_synapse_worker_details.type }} +worker_name: {{ matrix_synapse_worker_details.type ~ ':' ~ matrix_synapse_worker_details.port }} + +{% if matrix_synapse_replication_listener_enabled %} +worker_replication_host: matrix-synapse +worker_replication_http_port: {{ matrix_synapse_replication_http_port }} +{% endif %} + +{% set has_listeners = (matrix_synapse_worker_details.type not in [ 'appservice', 'federation_sender', 'pusher' ] or matrix_synapse_metrics_enabled) %} + +{% set http_resources = [] %} + +{% if matrix_synapse_worker_details.type in ['generic_worker', 'frontend_proxy', 'user_dir'] %} + {% set http_resources = http_resources + ['client'] %} +{% endif %} +{% if matrix_synapse_worker_details.type in ['generic_worker'] %} + {% set http_resources = http_resources+ ['federation'] %} +{% endif %} +{% if matrix_synapse_worker_details.type in ['media_repository'] %} + {% set http_resources = http_resources + ['media'] %} +{% endif %} + +{% if http_resources|length > 0 or matrix_synapse_metrics_enabled %} +worker_listeners: +{% if http_resources|length > 0 %} + - type: http + bind_addresses: ['::'] + port: {{ matrix_synapse_worker_details.port }} + resources: + - names: {{ http_resources|to_json }} +{% endif %} +{% if matrix_synapse_metrics_enabled %} + - type: metrics + bind_addresses: ['0.0.0.0'] + port: {{ matrix_synapse_worker_details.metrics_port }} +{% endif %} +{% endif %} + +{% if matrix_synapse_worker_details.type == 'frontend_proxy' %} +worker_main_http_uri: http://matrix-synapse:8008 +{% endif %} + +worker_daemonize: false +worker_log_config: /data/{{ matrix_server_fqn_matrix }}.log.config diff --git a/roles/matrix-synapse/vars/main.yml b/roles/matrix-synapse/vars/main.yml new file mode 100644 index 00000000..5839aa81 --- /dev/null +++ b/roles/matrix-synapse/vars/main.yml @@ -0,0 +1,34 @@ +--- + +matrix_synapse_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions" +matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version" + +# Tells whether this role had executed or not. Toggled to `true` during runtime. +matrix_synapse_role_executed: false + +matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}" + +# A Synapse generic worker can handle both federation and client-server API endpoints. +# We wish to split these, as we normally serve federation separately and don't want them mixed up. +# +# This is some ugly Ansible/Jinja2 hack (seen here: https://stackoverflow.com/a/47831492), +# which takes a list of various strings and removes the ones NOT containing `/_matrix/client` anywhere in them. +# +# We intentionally don't do a diff between everything possible (`matrix_synapse_workers_generic_worker_endpoints`) and `matrix_synapse_workers_generic_worker_federation_endpoints`, +# because `matrix_synapse_workers_generic_worker_endpoints` also contains things like `/_synapse/client/`, etc. +# While /_synapse/client/ endpoints are somewhat client-server API-related, they're: +# - neither part of the client-server API spec (and are thus, different) +# - nor always OK to forward to a worker (we're supposed to obey `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled`) +# +# It's also not too many of these APIs (only `^/_synapse/client/password_reset/email/submit_token$` at the time of this writing / 2021-01-24), +# so it's not that important whether we forward them or not. +# +# Basically, we aim to cover most things. Skipping `/_synapse/client` or a few other minor things doesn't matter too much. +matrix_synapse_workers_generic_worker_client_server_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) | map('regex_search', '.*/_matrix/client.*')| list | difference([none]) }}" + +# A Synapse generic worker can handle both federation and client-server API endpoints. +# We wish to split these, as we normally serve federation separately and don't want them mixed up. +# +# This is some ugly Ansible/Jinja2 hack (seen here: https://stackoverflow.com/a/47831492), +# which takes a list of various strings and removes the ones NOT containing `/_matrix/federation` or `/_matrix/key` anywhere in them. +matrix_synapse_workers_generic_worker_federation_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) | map('regex_search', '.*(/_matrix/federation|/_matrix/key).*')| list | difference([none]) }}" diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml new file mode 100644 index 00000000..1f817c8e --- /dev/null +++ b/roles/matrix-synapse/vars/workers.yml @@ -0,0 +1,322 @@ +--- + +matrix_synapse_workers_generic_worker_endpoints: + # This worker can handle API requests matching the following regular + # expressions: + + # Sync requests + - ^/_matrix/client/(v2_alpha|r0)/sync$ + - ^/_matrix/client/(api/v1|v2_alpha|r0)/events$ + - ^/_matrix/client/(api/v1|r0)/initialSync$ + - ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ + + # Federation requests + - ^/_matrix/federation/v1/event/ + - ^/_matrix/federation/v1/state/ + - ^/_matrix/federation/v1/state_ids/ + - ^/_matrix/federation/v1/backfill/ + - ^/_matrix/federation/v1/get_missing_events/ + - ^/_matrix/federation/v1/publicRooms + - ^/_matrix/federation/v1/query/ + - ^/_matrix/federation/v1/make_join/ + - ^/_matrix/federation/v1/make_leave/ + - ^/_matrix/federation/v1/send_join/ + - ^/_matrix/federation/v2/send_join/ + - ^/_matrix/federation/v1/send_leave/ + - ^/_matrix/federation/v2/send_leave/ + - ^/_matrix/federation/v1/invite/ + - ^/_matrix/federation/v2/invite/ + - ^/_matrix/federation/v1/query_auth/ + - ^/_matrix/federation/v1/event_auth/ + - ^/_matrix/federation/v1/exchange_third_party_invite/ + - ^/_matrix/federation/v1/user/devices/ + - ^/_matrix/federation/v1/get_groups_publicised$ + - ^/_matrix/key/v2/query + + # Inbound federation transaction request + - ^/_matrix/federation/v1/send/ + + # Client API requests + - ^/_matrix/client/(api/v1|r0|unstable)/publicRooms$ + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members$ + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$ + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$ + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$ + - ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$ + - ^/_matrix/client/(api/v1|r0|unstable)/devices$ + - ^/_matrix/client/(api/v1|r0|unstable)/keys/query$ + - ^/_matrix/client/(api/v1|r0|unstable)/keys/changes$ + - ^/_matrix/client/versions$ + - ^/_matrix/client/(api/v1|r0|unstable)/voip/turnServer$ + - ^/_matrix/client/(api/v1|r0|unstable)/joined_groups$ + - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$ + - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/ + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/event/ + - ^/_matrix/client/(api/v1|r0|unstable)/joined_rooms$ + - ^/_matrix/client/(api/v1|r0|unstable)/search$ + + # Registration/login requests + - ^/_matrix/client/(api/v1|r0|unstable)/login$ + - ^/_matrix/client/(r0|unstable)/register$ + + # Event sending requests + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/redact + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/ + - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ + - ^/_matrix/client/(api/v1|r0|unstable)/join/ + - ^/_matrix/client/(api/v1|r0|unstable)/profile/ + + + # Additionally, the following REST endpoints can be handled for GET requests: + + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_matrix/federation/v1/groups/ + + # Pagination requests can also be handled, but all requests for a given + # room must be routed to the same instance. Additionally, care must be taken to + # ensure that the purge history admin API is not used while pagination requests + # for the room are in flight: + + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/messages$ + + # Additionally, the following endpoints should be included if Synapse is configured + # to use SSO (you only need to include the ones for whichever SSO provider you're + # using): + + # for all SSO providers + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_matrix/client/(api/v1|r0|unstable)/login/sso/redirect + # ^/_synapse/client/pick_idp$ + # ^/_synapse/client/pick_username + # ^/_synapse/client/new_user_consent$ + # ^/_synapse/client/sso_register$ + + # OpenID Connect requests. + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_synapse/client/oidc/callback$ + + # SAML requests. + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_synapse/client/saml2/authn_response$ + + # CAS requests. + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_matrix/client/(api/v1|r0|unstable)/login/cas/ticket$ + + # Ensure that all SSO logins go to a single process. + # For multiple workers not handling the SSO endpoints properly, see + # [#7530](https://github.com/matrix-org/synapse/issues/7530) and + # [#9427](https://github.com/matrix-org/synapse/issues/9427). + + # Note that a HTTP listener with `client` and `federation` resources must be + # configured in the `worker_listeners` option in the worker config. + + # #### Load balancing + + # It is possible to run multiple instances of this worker app, with incoming requests + # being load-balanced between them by the reverse-proxy. However, different endpoints + # have different characteristics and so admins + # may wish to run multiple groups of workers handling different endpoints so that + # load balancing can be done in different ways. + + # For `/sync` and `/initialSync` requests it will be more efficient if all + # requests from a particular user are routed to a single instance. Extracting a + # user ID from the access token or `Authorization` header is currently left as an + # exercise for the reader. Admins may additionally wish to separate out `/sync` + # requests that have a `since` query parameter from those that don't (and + # `/initialSync`), as requests that don't are known as "initial sync" that happens + # when a user logs in on a new device and can be *very* resource intensive, so + # isolating these requests will stop them from interfering with other users ongoing + # syncs. + + # Federation and client requests can be balanced via simple round robin. + + # The inbound federation transaction request `^/_matrix/federation/v1/send/` + # should be balanced by source IP so that transactions from the same remote server + # go to the same process. + + # Registration/login requests can be handled separately purely to help ensure that + # unexpected load doesn't affect new logins and sign ups. + + # Finally, event sending requests can be balanced by the room ID in the URI (or + # the full URI, or even just round robin), the room ID is the path component after + # `/rooms/`. If there is a large bridge connected that is sending or may send lots + # of events, then a dedicated set of workers can be provisioned to limit the + # effects of bursts of events from that bridge on events sent by normal users. + + # #### Stream writers + + # Additionally, there is *experimental* support for moving writing of specific + # streams (such as events) off of the main process to a particular worker. (This + # is only supported with Redis-based replication.) + + # Currently supported streams are `events` and `typing`. + + # To enable this, the worker must have a HTTP replication listener configured, + # have a `worker_name` and be listed in the `instance_map` config. For example to + # move event persistence off to a dedicated worker, the shared configuration would + # include: + + # ```yaml + # instance_map: + # event_persister1: + # host: localhost + # port: 8034 + + # stream_writers: + # events: event_persister1 + # ``` + + # The `events` stream also experimentally supports having multiple writers, where + # work is sharded between them by room ID. Note that you *must* restart all worker + # instances when adding or removing event persisters. An example `stream_writers` + # configuration with multiple writers: + + # ```yaml + # stream_writers: + # events: + # - event_persister1 + # - event_persister2 + # ``` + + # #### Background tasks + + # There is also *experimental* support for moving background tasks to a separate + # worker. Background tasks are run periodically or started via replication. Exactly + # which tasks are configured to run depends on your Synapse configuration (e.g. if + # stats is enabled). + + # To enable this, the worker must have a `worker_name` and can be configured to run + # background tasks. For example, to move background tasks to a dedicated worker, + # the shared configuration would include: + + # ```yaml + # run_background_tasks_on: background_worker + # ``` + + # You might also wish to investigate the `update_user_directory` and + # `media_instance_running_background_jobs` settings. + +# pusher worker (no API endpoints) [ + # Handles sending push notifications to sygnal and email. Doesn't handle any + # REST endpoints itself, but you should set `start_pushers: False` in the + # shared configuration file to stop the main synapse sending push notifications. + + # To run multiple instances at once the `pusher_instances` option should list all + # pusher instances by their worker name, e.g.: + + # ```yaml + # pusher_instances: + # - pusher_worker1 + # - pusher_worker2 + # ``` + +# ] + +# appservice worker (no API endpoints) [ + # Handles sending output traffic to Application Services. Doesn't handle any + # REST endpoints itself, but you should set `notify_appservices: False` in the + # shared configuration file to stop the main synapse sending appservice notifications. + + # Note this worker cannot be load-balanced: only one instance should be active. + +# ] + +# federation_sender worker (no API endpoints) [ + # Handles sending federation traffic to other servers. Doesn't handle any + # REST endpoints itself, but you should set `send_federation: False` in the + # shared configuration file to stop the main synapse sending this traffic. + + # If running multiple federation senders then you must list each + # instance in the `federation_sender_instances` option by their `worker_name`. + # All instances must be stopped and started when adding or removing instances. + # For example: + + # ```yaml + # federation_sender_instances: + # - federation_sender1 + # - federation_sender2 + # ``` +# ] + +matrix_synapse_workers_media_repository_endpoints: + # Handles the media repository. It can handle all endpoints starting with: + + - ^/_matrix/media/ + + # ... and the following regular expressions matching media-specific administration APIs: + + - ^/_synapse/admin/v1/purge_media_cache$ + - ^/_synapse/admin/v1/room/.*/media.*$ + - ^/_synapse/admin/v1/user/.*/media.*$ + - ^/_synapse/admin/v1/media/.*$ + - ^/_synapse/admin/v1/quarantine_media/.*$ + + # You should also set `enable_media_repo: False` in the shared configuration + # file to stop the main synapse running background jobs related to managing the + # media repository. + + # In the `media_repository` worker configuration file, configure the http listener to + # expose the `media` resource. For example: + + # ```yaml + # worker_listeners: + # - type: http + # port: 8085 + # resources: + # - names: + # - media + # ``` + + # Note that if running multiple media repositories they must be on the same server + # and you must configure a single instance to run the background tasks, e.g.: + + # ```yaml + # media_instance_running_background_jobs: "media-repository-1" + # ``` + + # Note that if a reverse proxy is used , then `/_matrix/media/` must be routed for both inbound client and federation requests (if they are handled separately). + +matrix_synapse_workers_user_dir_endpoints: + # Handles searches in the user directory. It can handle REST endpoints matching + # the following regular expressions: + + - ^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$ + + # When using this worker you must also set `update_user_directory: False` in the + # shared configuration file to stop the main synapse running background + # jobs related to updating the user directory. + +matrix_synapse_workers_frontend_proxy_endpoints: + # Proxies some frequently-requested client endpoints to add caching and remove + # load from the main synapse. It can handle REST endpoints matching the following + # regular expressions: + + - ^/_matrix/client/(api/v1|r0|unstable)/keys/upload + + # If `use_presence` is False in the homeserver config, it can also handle REST + # endpoints matching the following regular expressions: + + # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually + # ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status + + # This "stub" presence handler will pass through `GET` request but make the + # `PUT` effectively a no-op. + + # It will proxy any requests it cannot handle to the main synapse instance. It + # must therefore be configured with the location of the main instance, via + # the `worker_main_http_uri` setting in the `frontend_proxy` worker configuration + # file. For example: + + # worker_main_http_uri: http://127.0.0.1:8008 + +matrix_synapse_workers_avail_list: + - appservice + - federation_sender + - frontend_proxy + - generic_worker + - media_repository + - pusher + - user_dir diff --git a/setup.yml b/setup.yml new file mode 100755 index 00000000..142364c4 --- /dev/null +++ b/setup.yml @@ -0,0 +1,58 @@ +--- +- name: "Set up a Matrix server" + hosts: "{{ target if target is defined else 'matrix_servers' }}" + become: true + + vars_files: + - roles/matrix-synapse/vars/workers.yml + + roles: + - matrix-awx + - matrix-base + - matrix-dynamic-dns + - matrix-mailer + - matrix-postgres + - matrix-redis + - matrix-corporal + - matrix-bridge-appservice-discord + - matrix-bridge-appservice-slack + - matrix-bridge-appservice-webhooks + - matrix-bridge-appservice-irc + - matrix-bridge-mautrix-facebook + - matrix-bridge-mautrix-hangouts + - matrix-bridge-mautrix-instagram + - matrix-bridge-mautrix-signal + - matrix-bridge-mautrix-telegram + - matrix-bridge-mautrix-whatsapp + - matrix-bridge-mx-puppet-discord + - matrix-bridge-mx-puppet-groupme + - matrix-bridge-mx-puppet-steam + - matrix-bridge-mx-puppet-skype + - matrix-bridge-mx-puppet-slack + - matrix-bridge-mx-puppet-twitter + - matrix-bridge-mx-puppet-instagram + - matrix-bridge-sms + - matrix-bridge-heisenbridge + - matrix-bot-matrix-reminder-bot + - matrix-bot-go-neb + - matrix-bot-mjolnir + - matrix-synapse + - matrix-synapse-admin + - matrix-prometheus-node-exporter + - matrix-prometheus + - matrix-grafana + - matrix-registration + - matrix-client-element + - matrix-client-hydrogen + - matrix-jitsi + - matrix-ma1sd + - matrix-dimension + - matrix-etherpad + - matrix-email2matrix + - matrix-sygnal + - matrix-nginx-proxy + - matrix-coturn + - matrix-aux + - matrix-postgres-backup + - matrix-prometheus-postgres-exporter + - matrix-common-after \ No newline at end of file From e90979e91f65018d2614a49a3a031f599748d0e3 Mon Sep 17 00:00:00 2001 From: sakkiii <11132948+sakkiii@users.noreply.github.com> Date: Thu, 15 Jul 2021 23:10:45 +0530 Subject: [PATCH 2335/2384] Upgrade grafana (8.0.5 -> 8.0.6) --- roles/matrix-grafana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 88359fe1..45bd2d91 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 8.0.5 +matrix_grafana_version: 8.0.6 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" From f933ba14aee96be9776b6bbba3ccf071ff88eb12 Mon Sep 17 00:00:00 2001 From: Toorero Date: Fri, 16 Jul 2021 13:27:36 +0200 Subject: [PATCH 2336/2384] Fixed self-build functionality for mautrix-signal and added self-build functionality for signald --- group_vars/matrix_servers | 4 +- .../defaults/main.yml | 6 ++- .../tasks/setup_install.yml | 48 ++++++++++++++----- 3 files changed, 44 insertions(+), 14 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8e151d15..43e4007f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -374,14 +374,14 @@ matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provi matrix_mautrix_signal_database_engine: 'postgres' matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.signal.db') | to_uuid }}" +matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'amd64' }}" # sadly not automatic detectable because no manifest + ###################################################################### # # /matrix-bridge-mautrix-signal # ###################################################################### -matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" - ###################################################################### # # matrix-bridge-mautrix-telegram diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 8c121c03..7ff450d9 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -3,7 +3,7 @@ matrix_mautrix_signal_enabled: true -matrix_mautrix_signal_self_build: false +matrix_mautrix_signal_container_self_build: false matrix_mautrix_signal_docker_repo: "https://mau.dev/tulir/mautrix-signal.git" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" @@ -13,6 +13,10 @@ matrix_mautrix_signal_daemon_version: latest matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" +matrix_mautrix_signal_daemon_container_self_build: false +matrix_mautrix_signal_daemon_docker_repo: "https://mau.dev/maunium/signald.git" +matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src" + matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}" matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index f90043d8..c890b706 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -8,13 +8,25 @@ The matrix-bridge-mautrix-signal role needs to execute before the matrix-synapse role. when: "matrix_synapse_role_executed|default(False)" +- name: Ensure Mautrix Signal image is pulled + docker_image: + name: "{{ matrix_mautrix_signal_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" +# pull: +# platform: "{{ matrix_architecture }}" + when: "matrix_mautrix_signal_enabled|bool and not matrix_mautrix_signal_container_self_build|bool" + register: matrix_mautrix_signal_pull_results + ignore_errors: yes + - name: Ensure Mautrix Signal repository is present on self-build git: repo: "{{ matrix_mautrix_signal_docker_repo }}" dest: "{{ matrix_mautrix_signal_docker_src_files_path }}" force: "yes" register: matrix_mautrix_signal_git_pull_results - when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_container_self_build|bool" + when: "matrix_mautrix_signal_enabled|bool and (matrix_mautrix_signal_container_self_build|bool or matrix_mautrix_signal_pull_results is failed)" - name: Ensure Mautrix Signal image is built docker_image: @@ -26,16 +38,8 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_container_self_build|bool" + when: "matrix_mautrix_signal_enabled|bool and (matrix_mautrix_signal_container_self_build|bool or matrix_mautrix_signal_pull_results is failed)" -- name: Ensure Mautrix Signal image is pulled - docker_image: - name: "{{ matrix_mautrix_signal_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" - when: "matrix_mautrix_signal_enabled|bool and not matrix_mautrix_signal_container_self_build|bool" - - name: Ensure Mautrix Signal Daemon image is pulled docker_image: @@ -43,7 +47,29 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_docker_image_force_pull }}" - when: matrix_mautrix_signal_enabled|bool + when: matrix_mautrix_signal_enabled and not matrix_mautrix_signal_daemon_container_self_build|bool + register: matrix_mautrix_signal_daemon_pull_results + ignore_errors: yes + +- name: Ensure Mautrix Signal Daemon repository is present on self-build + git: + repo: "{{ matrix_mautrix_signal_daemon_docker_repo }}" + dest: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" + force: "yes" + register: matrix_mautrix_signal_daemon_git_pull_results + when: "matrix_mautrix_signal_enabled|bool and (matrix_mautrix_signal_daemon_container_self_build|bool or matrix_mautrix_signal_daemon_pull_results is failed)" + +- name: Ensure Mautrix Signal Daemon image is built + docker_image: + name: "{{ matrix_mautrix_signal_daemon_docker_image }}" + source: build + force_source: "{{ matrix_mautrix_signal_daemon_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_signal_enabled|bool and (matrix_mautrix_signal_daemon_container_self_build|bool or matrix_mautrix_signal_daemon_pull_results is failed)" - name: Ensure Mautrix Signal paths exist file: From b5ab31240f9ea36272d4a4a687d7ea63c67e71d4 Mon Sep 17 00:00:00 2001 From: Toorero Date: Fri, 16 Jul 2021 18:28:27 +0200 Subject: [PATCH 2337/2384] Added missing X-Forwarded-Proto header --- examples/apache/matrix-synapse.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf index e4266b81..497329de 100644 --- a/examples/apache/matrix-synapse.conf +++ b/examples/apache/matrix-synapse.conf @@ -32,6 +32,7 @@ ProxyPreserveHost On ProxyRequests Off ProxyVia On + RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} # Keep some URIs free for different proxy/location ProxyPassMatch ^/.well-known/matrix/client ! @@ -111,6 +112,7 @@ Listen 8448 ProxyPreserveHost On ProxyRequests Off ProxyVia On + RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} # Proxy all remaining traffic to the Synapse port # Beware: In this example the local traffic goes to the local synapse server at 127.0.0.1 From 7f15787d54703a15bfe02989560dbbed42107d89 Mon Sep 17 00:00:00 2001 From: Toorero Date: Fri, 16 Jul 2021 16:08:51 +0200 Subject: [PATCH 2338/2384] Fixed mautrix-telegram selfbuild not working on non amd64 platforms --- group_vars/matrix_servers | 2 ++ .../defaults/main.yml | 6 ++++ .../tasks/setup_install.yml | 32 ++++++++++++++++++- 3 files changed, 39 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8e151d15..e1675b51 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -393,6 +393,8 @@ matrix_mautrix_telegram_enabled: false # Images are multi-arch (amd64 and arm64, but not arm32). matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_lottieconverter_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_lottieconverter_container_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}" matrix_mautrix_telegram_systemd_required_services_list: | {{ diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index e4c7696a..934403bb 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -3,6 +3,12 @@ matrix_mautrix_telegram_enabled: true +matrix_lottieconverter_container_self_build: false +matrix_lottieconverter_container_self_build_mask_arch: false +matrix_lottieconverter_docker_repo: "https://mau.dev/tulir/lottieconverter.git" +matrix_lottieconverter_docker_src_files_path: "{{ matrix_base_data_path }}/lotticonverter/docker-src" +matrix_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.14" # needs to be ajusted according to FROM clause of Dockerfile of mautrix-telegram + matrix_mautrix_telegram_container_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/tulir/mautrix-telegram.git" matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 704f0e26..67ab4fe8 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -56,6 +56,26 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_docker_image_force_pull }}" when: "not matrix_mautrix_telegram_container_self_build|bool" +- name: Ensure lottieconverter is present when self-building + git: + repo: "{{ matrix_lottieconverter_docker_repo }}" + dest: "{{ matrix_lottieconverter_docker_src_files_path }}" + force: "yes" + register: matrix_lottieconverter_git_pull_results + when: "matrix_lottieconverter_container_self_build|bool and matrix_mautrix_telegram_container_self_build|bool" + +- name: Ensure lottieconverter Docker image is built + docker_image: + name: "{{ matrix_lottieconverter_docker_image }}" + source: build + force_source: "{{ matrix_lottieconverter_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_lottieconverter_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_lottieconverter_docker_src_files_path }}" + pull: yes + when: "matrix_lottieconverter_container_self_build|bool and matrix_lottieconverter_git_pull_results.changed and matrix_mautrix_telegram_container_self_build|bool" + - name: Ensure matrix-mautrix-telegram repository is present when self-building git: repo: "{{ matrix_mautrix_telegram_docker_repo }}" @@ -63,7 +83,12 @@ force: "yes" register: matrix_mautrix_telegram_git_pull_results when: "matrix_mautrix_telegram_container_self_build|bool" + ignore_errors: yes +- name: Ensure TARGETARCH is beeing masked + command: sed -i "3s/ARG/#ARG/" "{{ matrix_mautrix_telegram_docker_src_files_path }}/Dockerfile" + when: "matrix_lottieconverter_container_self_build_mask_arch|bool" + - name: Ensure matrix-mautrix-telegram Docker image is built docker_image: name: "{{ matrix_mautrix_telegram_docker_image }}" @@ -73,9 +98,14 @@ build: dockerfile: Dockerfile path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" - pull: yes + pull: "{{ not matrix_lottieconverter_container_self_build_mask_arch|bool }}" when: "matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" +# Unmask so no git changes are beeing detected +- name: Ensure TARGETARCH is beeing unmasked + command: sed -i "3s/#ARG/ARG/" "{{ matrix_mautrix_telegram_docker_src_files_path }}/Dockerfile" + when: "matrix_lottieconverter_container_self_build_mask_arch|bool" + - name: Check if an old database file already exists stat: path: "{{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db" From 5b692b6e766965efcd81ab8ab4dbad1cc475eb38 Mon Sep 17 00:00:00 2001 From: JokerGermany <30293477+JokerGermany@users.noreply.github.com> Date: Fri, 16 Jul 2021 22:15:34 +0200 Subject: [PATCH 2339/2384] Docs --- docs/configuring-dns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index da2098c7..af2badca 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -68,4 +68,4 @@ This is an optional feature. See [ma1sd's documentation](https://github.com/ma1u Note: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation. -When you're done with the DNS configuration and ready to proceed, continue with [Configuring this Ansible playbook](configuring-playbook.md). +When you're done with the DNS configuration and ready to proceed, continue with [Getting the playbook](getting-the-playbook.md). From 3a2810013146adf4e4d96f28b62ef7d3ca860e79 Mon Sep 17 00:00:00 2001 From: Toorero Date: Sat, 17 Jul 2021 14:05:13 +0200 Subject: [PATCH 2340/2384] Renamed matrix_lottieconverter to matrix_telegram_lottieconverter --- group_vars/matrix_servers | 4 ++-- .../defaults/main.yml | 10 ++++---- .../tasks/setup_install.yml | 24 +++++++++---------- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e1675b51..4e9431f0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -393,8 +393,8 @@ matrix_mautrix_telegram_enabled: false # Images are multi-arch (amd64 and arm64, but not arm32). matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_lottieconverter_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_lottieconverter_container_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}" +matrix_telegram_lottieconverter_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_telegram_lottieconverter_container_self_build_mask_arch: "{{ matrix_architecture != 'amd64' }}" matrix_mautrix_telegram_systemd_required_services_list: | {{ diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 934403bb..e49de8e3 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -3,11 +3,11 @@ matrix_mautrix_telegram_enabled: true -matrix_lottieconverter_container_self_build: false -matrix_lottieconverter_container_self_build_mask_arch: false -matrix_lottieconverter_docker_repo: "https://mau.dev/tulir/lottieconverter.git" -matrix_lottieconverter_docker_src_files_path: "{{ matrix_base_data_path }}/lotticonverter/docker-src" -matrix_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.14" # needs to be ajusted according to FROM clause of Dockerfile of mautrix-telegram +matrix_telegram_lottieconverter_container_self_build: false +matrix_telegram_lottieconverter_container_self_build_mask_arch: false +matrix_telegram_lottieconverter_docker_repo: "https://mau.dev/tulir/lottieconverter.git" +matrix_telegram_lottieconverter_docker_src_files_path: "{{ matrix_base_data_path }}/lotticonverter/docker-src" +matrix_telegram_lottieconverter_docker_image: "dock.mau.dev/tulir/lottieconverter:alpine-3.14" # needs to be ajusted according to FROM clause of Dockerfile of mautrix-telegram matrix_mautrix_telegram_container_self_build: false matrix_mautrix_telegram_docker_repo: "https://mau.dev/tulir/mautrix-telegram.git" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 67ab4fe8..8c86a750 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -58,23 +58,23 @@ - name: Ensure lottieconverter is present when self-building git: - repo: "{{ matrix_lottieconverter_docker_repo }}" - dest: "{{ matrix_lottieconverter_docker_src_files_path }}" + repo: "{{ matrix_telegram_lottieconverter_docker_repo }}" + dest: "{{ matrix_telegram_lottieconverter_docker_src_files_path }}" force: "yes" - register: matrix_lottieconverter_git_pull_results - when: "matrix_lottieconverter_container_self_build|bool and matrix_mautrix_telegram_container_self_build|bool" + register: matrix_telegram_lottieconverter_git_pull_results + when: "matrix_telegram_lottieconverter_container_self_build|bool and matrix_mautrix_telegram_container_self_build|bool" - name: Ensure lottieconverter Docker image is built docker_image: - name: "{{ matrix_lottieconverter_docker_image }}" + name: "{{ matrix_telegram_lottieconverter_docker_image }}" source: build - force_source: "{{ matrix_lottieconverter_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_lottieconverter_git_pull_results.changed }}" + force_source: "{{ matrix_telegram_lottieconverter_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_telegram_lottieconverter_git_pull_results.changed }}" build: dockerfile: Dockerfile - path: "{{ matrix_lottieconverter_docker_src_files_path }}" + path: "{{ matrix_telegram_lottieconverter_docker_src_files_path }}" pull: yes - when: "matrix_lottieconverter_container_self_build|bool and matrix_lottieconverter_git_pull_results.changed and matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_telegram_lottieconverter_container_self_build|bool and matrix_telegram_lottieconverter_git_pull_results.changed and matrix_mautrix_telegram_container_self_build|bool" - name: Ensure matrix-mautrix-telegram repository is present when self-building git: @@ -87,7 +87,7 @@ - name: Ensure TARGETARCH is beeing masked command: sed -i "3s/ARG/#ARG/" "{{ matrix_mautrix_telegram_docker_src_files_path }}/Dockerfile" - when: "matrix_lottieconverter_container_self_build_mask_arch|bool" + when: "matrix_telegram_lottieconverter_container_self_build_mask_arch|bool" - name: Ensure matrix-mautrix-telegram Docker image is built docker_image: @@ -98,13 +98,13 @@ build: dockerfile: Dockerfile path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" - pull: "{{ not matrix_lottieconverter_container_self_build_mask_arch|bool }}" + pull: "{{ not matrix_telegram_lottieconverter_container_self_build_mask_arch|bool }}" when: "matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" # Unmask so no git changes are beeing detected - name: Ensure TARGETARCH is beeing unmasked command: sed -i "3s/#ARG/ARG/" "{{ matrix_mautrix_telegram_docker_src_files_path }}/Dockerfile" - when: "matrix_lottieconverter_container_self_build_mask_arch|bool" + when: "matrix_telegram_lottieconverter_container_self_build_mask_arch|bool" - name: Check if an old database file already exists stat: From b3793f359533e073b0ee6054ad96ab9e61c64399 Mon Sep 17 00:00:00 2001 From: Toorero Date: Sat, 17 Jul 2021 14:40:21 +0200 Subject: [PATCH 2341/2384] Masked TARGETARCH via docker.build.arg directive --- .../tasks/setup_install.yml | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 8c86a750..fe4ede3d 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -85,10 +85,6 @@ when: "matrix_mautrix_telegram_container_self_build|bool" ignore_errors: yes -- name: Ensure TARGETARCH is beeing masked - command: sed -i "3s/ARG/#ARG/" "{{ matrix_mautrix_telegram_docker_src_files_path }}/Dockerfile" - when: "matrix_telegram_lottieconverter_container_self_build_mask_arch|bool" - - name: Ensure matrix-mautrix-telegram Docker image is built docker_image: name: "{{ matrix_mautrix_telegram_docker_image }}" @@ -99,13 +95,10 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" pull: "{{ not matrix_telegram_lottieconverter_container_self_build_mask_arch|bool }}" + args: + TARGETARCH: "" when: "matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" -# Unmask so no git changes are beeing detected -- name: Ensure TARGETARCH is beeing unmasked - command: sed -i "3s/#ARG/ARG/" "{{ matrix_mautrix_telegram_docker_src_files_path }}/Dockerfile" - when: "matrix_telegram_lottieconverter_container_self_build_mask_arch|bool" - - name: Check if an old database file already exists stat: path: "{{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db" From 70cb27138c78ad1ee9fb49323d7b160c5e5bbe7b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 19 Jul 2021 18:57:19 +0300 Subject: [PATCH 2342/2384] Upgrade Element (1.7.32 -> 1.7.33) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index e83c5717..5cf2e5b0 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.32 +matrix_client_element_version: v1.7.33 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From 8b304445e58fff78dd83740b0e22b92f6cad416a Mon Sep 17 00:00:00 2001 From: sakkiii Date: Mon, 19 Jul 2021 23:31:39 +0530 Subject: [PATCH 2343/2384] Upgrade hydrogen (v0.2.0 -> v0.2.3) --- roles/matrix-client-hydrogen/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index fa2e38fd..e4adb8c0 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.2.0 +matrix_client_hydrogen_version: v0.2.3 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" From a8373d6bd4fd4be9ea9da9067b52566498706254 Mon Sep 17 00:00:00 2001 From: Richard Meyer Date: Mon, 19 Jul 2021 19:02:29 -0500 Subject: [PATCH 2344/2384] Update main.yml Fixes an issue related to https://github.com/anoadragon453/matrix-reminder-bot/issues/86 --- roles/matrix-bot-matrix-reminder-bot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index 775dadcc..6a5a837e 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -2,7 +2,7 @@ # See: https://github.com/anoadragon453/matrix-reminder-bot matrix_bot_matrix_reminder_bot_enabled: true -matrix_bot_matrix_reminder_bot_version: release-v0.2.0 +matrix_bot_matrix_reminder_bot_version: release-v0.2.1 matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_container_global_registry_prefix }}anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}" matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}" From 9345d840bee8b5d9a8f0c0762d87b51cfae23878 Mon Sep 17 00:00:00 2001 From: JokerGermany <30293477+JokerGermany@users.noreply.github.com> Date: Tue, 20 Jul 2021 07:48:11 +0200 Subject: [PATCH 2345/2384] root path for the base domain is wrong (#1189) * root path for the base domain * Fix path when running in a container Co-authored-by: Slavi Pantaleev --- .../templates/nginx/conf.d/matrix-base-domain.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 37863d73..fc567aa3 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -1,7 +1,7 @@ #jinja2: lstrip_blocks: "True" {% macro render_vhost_directives() %} - root /nginx-data/matrix-domain; + root {{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-domain; gzip on; gzip_types text/plain application/json; From fb221c81793607228a6c420d592b2e3bf0bf23e6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 20 Jul 2021 09:05:13 +0300 Subject: [PATCH 2346/2384] Do not needlessly ignore errors --- roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index fe4ede3d..e2e583f2 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -83,7 +83,6 @@ force: "yes" register: matrix_mautrix_telegram_git_pull_results when: "matrix_mautrix_telegram_container_self_build|bool" - ignore_errors: yes - name: Ensure matrix-mautrix-telegram Docker image is built docker_image: From d08a78ff1f2aa3361304ce8d1208c2af93a6f56a Mon Sep 17 00:00:00 2001 From: sakkiii Date: Tue, 20 Jul 2021 12:09:11 +0530 Subject: [PATCH 2347/2384] remove prosody JICOFO_COMPONENT_SECRET --- roles/matrix-jitsi/templates/prosody/env.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index e733e668..3a91463e 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -28,7 +28,6 @@ XMPP_MUC_MODULES= XMPP_INTERNAL_MUC_MODULES= XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} XMPP_CROSS_DOMAIN=true -JICOFO_COMPONENT_SECRET JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }} JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }} JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }} @@ -49,4 +48,4 @@ JWT_AUTH_TYPE JWT_TOKEN_AUTH_MODULE LOG_LEVEL PUBLIC_URL={{ matrix_jitsi_web_public_url }} -TZ={{ matrix_jitsi_timezone }} \ No newline at end of file +TZ={{ matrix_jitsi_timezone }} From ead4b00c095036664f4bfa2178ad1f4a81fdd926 Mon Sep 17 00:00:00 2001 From: Toorero Date: Wed, 21 Jul 2021 14:05:21 +0200 Subject: [PATCH 2348/2384] Reverted back to manual self-build detection --- group_vars/matrix_servers | 3 ++- roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml | 7 ++----- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 43e4007f..fc85cae2 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -374,7 +374,8 @@ matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provi matrix_mautrix_signal_database_engine: 'postgres' matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.signal.db') | to_uuid }}" -matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'amd64' }}" # sadly not automatic detectable because no manifest +matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" +matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index c890b706..948a84b7 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -14,11 +14,8 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" -# pull: -# platform: "{{ matrix_architecture }}" when: "matrix_mautrix_signal_enabled|bool and not matrix_mautrix_signal_container_self_build|bool" - register: matrix_mautrix_signal_pull_results - ignore_errors: yes + - name: Ensure Mautrix Signal repository is present on self-build git: @@ -26,7 +23,7 @@ dest: "{{ matrix_mautrix_signal_docker_src_files_path }}" force: "yes" register: matrix_mautrix_signal_git_pull_results - when: "matrix_mautrix_signal_enabled|bool and (matrix_mautrix_signal_container_self_build|bool or matrix_mautrix_signal_pull_results is failed)" + when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_container_self_build|bool" - name: Ensure Mautrix Signal image is built docker_image: From a21696f68783d861ecd95c9334125852a108a0de Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 21 Jul 2021 15:16:14 +0300 Subject: [PATCH 2349/2384] Fix some if-checks We'd rather not suppress pull errors or run self-build tasks if pulling fails. --- roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index 948a84b7..f590cdf8 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -46,7 +46,6 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_docker_image_force_pull }}" when: matrix_mautrix_signal_enabled and not matrix_mautrix_signal_daemon_container_self_build|bool register: matrix_mautrix_signal_daemon_pull_results - ignore_errors: yes - name: Ensure Mautrix Signal Daemon repository is present on self-build git: @@ -54,7 +53,7 @@ dest: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" force: "yes" register: matrix_mautrix_signal_daemon_git_pull_results - when: "matrix_mautrix_signal_enabled|bool and (matrix_mautrix_signal_daemon_container_self_build|bool or matrix_mautrix_signal_daemon_pull_results is failed)" + when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_daemon_container_self_build|bool" - name: Ensure Mautrix Signal Daemon image is built docker_image: @@ -66,7 +65,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_signal_enabled|bool and (matrix_mautrix_signal_daemon_container_self_build|bool or matrix_mautrix_signal_daemon_pull_results is failed)" + when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_daemon_container_self_build|bool" - name: Ensure Mautrix Signal paths exist file: From 7d9ee3e2fb3dc3304fbfd6e969f89084d78509cd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 21 Jul 2021 15:17:17 +0300 Subject: [PATCH 2350/2384] Remove unnecessary if-condition --- roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index f590cdf8..55109257 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -35,7 +35,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_signal_enabled|bool and (matrix_mautrix_signal_container_self_build|bool or matrix_mautrix_signal_pull_results is failed)" + when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_container_self_build|bool" - name: Ensure Mautrix Signal Daemon image is pulled From 112d8d82438dced091a744759c0a776bbbb11de9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 22 Jul 2021 19:48:16 +0300 Subject: [PATCH 2351/2384] Upgrade Synapse (1.38.0 -> 1.38.1) --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 02b8d157..7b4d8f44 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.38.0 -matrix_synapse_version_arm64: v1.38.0 +matrix_synapse_version: v1.38.1 +matrix_synapse_version_arm64: v1.38.1 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From f4a9c4dff2b52deff94bfe6f698027a65e001092 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Thu, 22 Jul 2021 23:29:43 +0530 Subject: [PATCH 2352/2384] Update prometheus node exporter (1.1.2 -> 1.2.0) --- roles/matrix-prometheus-node-exporter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index 492d48b1..5c3a6386 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_node_exporter_enabled: false -matrix_prometheus_node_exporter_version: v1.1.2 +matrix_prometheus_node_exporter_version: v1.2.0 matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" From 5ddd7d9ea19f1d4d85767832249fc07c52b8cfc8 Mon Sep 17 00:00:00 2001 From: maximilianschmelzer <24356384+maximilianschmelzer@users.noreply.github.com> Date: Sat, 24 Jul 2021 13:12:32 +0200 Subject: [PATCH 2353/2384] Update configuring-well-known.md --- docs/configuring-well-known.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 2bedaeed..27a4001c 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -69,7 +69,7 @@ It is, however, **a little fragile**, as future updates performed by this playbo If you don't need the base domain (e.g. `example.com`) for anything else (hosting a website, etc.), you can point it to the Matrix server's IP address and tell the playbook to configure it. -This is the easiest way to set up well-known serving -- letting the playbook handle the whole base domain for you (including SSL certificates, etc.). However, if you need to use the base domain for other things (such as hosting some website, etc.), going with Option 1 or Option 2 might be more suitable. +This is the easiest way to set up well-known serving -- letting the playbook handle the whole base domain for you (including SSL certificates, etc.). However, if you need to use the base domain for other things (such as hosting some website, etc.), going with Option 1 or Option 3 might be more suitable. See [Serving the base domain](configuring-playbook-base-domain-serving.md) to learn how the playbook can help you set it up. From 03e8c75a3000faeee0b398a6830cc07a6b6edfa8 Mon Sep 17 00:00:00 2001 From: Hardy Erlinger Date: Sun, 25 Jul 2021 16:23:51 +0200 Subject: [PATCH 2354/2384] Restore authentication for Jitsi Meet. --- docs/configuring-playbook-jitsi.md | 2 +- roles/matrix-jitsi/templates/jicofo/env.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 81ceb9fb..ec3ab416 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -129,7 +129,7 @@ Until this gets integrated into the playbook, we need to register new users / me Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container: ```bash -docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register matrix-jitsi-web +docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register meet.jitsi ``` Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. diff --git a/roles/matrix-jitsi/templates/jicofo/env.j2 b/roles/matrix-jitsi/templates/jicofo/env.j2 index 3764d056..687df714 100644 --- a/roles/matrix-jitsi/templates/jicofo/env.j2 +++ b/roles/matrix-jitsi/templates/jicofo/env.j2 @@ -1,7 +1,7 @@ AUTH_TYPE={{ matrix_jitsi_auth_type }} BRIDGE_AVG_PARTICIPANT_STRESS BRIDGE_STRESS_THRESHOLD -ENABLE_AUTH +ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} ENABLE_AUTO_OWNER ENABLE_CODEC_VP8 ENABLE_CODEC_VP9 From 012440c309c18a53dea6b362aea7fb8887bfe8cb Mon Sep 17 00:00:00 2001 From: Nate Date: Sun, 25 Jul 2021 14:16:37 -0700 Subject: [PATCH 2355/2384] Allow for self-building of reminder-bot --- .../defaults/main.yml | 5 +++++ .../tasks/setup_install.yml | 22 +++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml index 6a5a837e..3e955673 100644 --- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml +++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml @@ -2,6 +2,11 @@ # See: https://github.com/anoadragon453/matrix-reminder-bot matrix_bot_matrix_reminder_bot_enabled: true + +matrix_bot_matrix_reminder_bot_container_self_build: false +matrix_bot_matrix_reminder_bot_docker_repo: "https://github.com/anoadragon453/matrix-reminder-bot.git" +matrix_bot_matrix_reminder_bot_docker_src_files_path: "{{ matrix_base_data_path }}/matrix-reminder-bot/docker-src" + matrix_bot_matrix_reminder_bot_version: release-v0.2.1 matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_container_global_registry_prefix }}anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}" matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index 195485e4..12d38754 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -37,6 +37,7 @@ - { path: "{{ matrix_bot_matrix_reminder_bot_config_path }}", when: true } - { path: "{{ matrix_bot_matrix_reminder_bot_data_path }}", when: true } - { path: "{{ matrix_bot_matrix_reminder_bot_data_store_path }}", when: true } + - { path: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}", when: true} when: "item.when|bool" - name: Ensure matrix-reminder-bot image is pulled @@ -45,6 +46,27 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_bot_matrix_reminder_bot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_docker_image_force_pull }}" + when: "matrix_bot_matrix_reminder_bot_enabled|bool and not matrix_bot_matrix_reminder_bot_container_self_build|bool" + +- name: Ensure matrix-reminder-bot repository is present on self-build + git: + repo: "{{ matrix_bot_matrix_reminder_bot_docker_repo }}" + dest: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" + force: "yes" + register: matrix_bot_matrix_reminder_bot_git_pull_results + when: "matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_container_self_build|bool" + +- name: Ensure matrix-reminder-bot image is built + docker_image: + name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}" + source: build + force_source: "{{ matrix_bot_matrix_reminder_bot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}" + build: + dockerfile: docker/Dockerfile + path: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" + pull: yes + when: "matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_container_self_build|bool" - name: Ensure matrix-reminder-bot config installed copy: From f5d6b01b9fc9129b4bffc73fd5a5a3236a32bb1d Mon Sep 17 00:00:00 2001 From: Nate Date: Sun, 25 Jul 2021 14:24:38 -0700 Subject: [PATCH 2356/2384] Updated group_vars to update self_build based on matrix_architecture --- group_vars/matrix_servers | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index be840e23..43cd9b2b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -811,6 +811,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: | # Postgres is the default, except if not using `matrix_postgres` (internal postgres) matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'reminder.bot.db') | to_uuid }}" +matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != 'amd64' }}" ###################################################################### # From 49abe66f1dd5c3376324797e36645e32c243d4fc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 26 Jul 2021 08:54:35 +0300 Subject: [PATCH 2357/2384] Remove unnecessary if condition All of `setup_install.yml` only runs if `matrix_bot_matrix_reminder_bot_enabled`, so it's not necessary to add that condition once again. --- .../matrix-bot-matrix-reminder-bot/tasks/setup_install.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml index 12d38754..dada8167 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml @@ -46,7 +46,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_bot_matrix_reminder_bot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_docker_image_force_pull }}" - when: "matrix_bot_matrix_reminder_bot_enabled|bool and not matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "not matrix_bot_matrix_reminder_bot_container_self_build|bool" - name: Ensure matrix-reminder-bot repository is present on self-build git: @@ -54,7 +54,7 @@ dest: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" force: "yes" register: matrix_bot_matrix_reminder_bot_git_pull_results - when: "matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "matrix_bot_matrix_reminder_bot_container_self_build|bool" - name: Ensure matrix-reminder-bot image is built docker_image: @@ -66,7 +66,7 @@ dockerfile: docker/Dockerfile path: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}" pull: yes - when: "matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_container_self_build|bool" + when: "matrix_bot_matrix_reminder_bot_container_self_build|bool" - name: Ensure matrix-reminder-bot config installed copy: From 975a49be54b34aa523b1706bae5be2e3cb0e3f9e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 26 Jul 2021 08:56:35 +0300 Subject: [PATCH 2358/2384] Update docs/self-building.md --- docs/self-building.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/self-building.md b/docs/self-building.md index 50fef2a3..3ab743f0 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -25,8 +25,10 @@ List of roles where self-building the Docker image is currently possible: - `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-hangouts` - `matrix-bridge-mautrix-telegram` +- `matrix-bridge-mautrix-signal` - `matrix-bridge-mx-puppet-skype` - `matrix-bot-mjolnir` +- `matrix-bot-matrix-reminder-bot` Adding self-building support to other roles is welcome. Feel free to contribute! From 67db5a0024aee891a148a096cc960a64d6d9f873 Mon Sep 17 00:00:00 2001 From: Michael Collins Date: Tue, 27 Jul 2021 15:12:03 +0800 Subject: [PATCH 2359/2384] GoMatrixHosting v0.5.5 --- .../matrix-awx/tasks/set_variables_ma1sd.yml | 25 +++++-------------- .../tasks/set_variables_synapse.yml | 25 +++++++++++-------- 2 files changed, 20 insertions(+), 30 deletions(-) diff --git a/roles/matrix-awx/tasks/set_variables_ma1sd.yml b/roles/matrix-awx/tasks/set_variables_ma1sd.yml index 853d8c09..50aea14c 100755 --- a/roles/matrix-awx/tasks/set_variables_ma1sd.yml +++ b/roles/matrix-awx/tasks/set_variables_ma1sd.yml @@ -29,12 +29,7 @@ insertafter: '# Synapse Extension Start' with_dict: 'matrix_synapse_ext_password_provider_rest_auth_enabled': 'true' - 'matrix_synapse_ext_password_provider_rest_auth_endpoint': 'http://matrix-ma1sd:8090' - when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' - -- name: Strip header from ma1sd configuration extension if using internal auth - set_fact: - ext_matrix_ma1sd_configuration_extension_yaml_parsed: "{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | reject('search', '^matrix_client_element_configuration_extension_json:') | list }}" + 'matrix_synapse_ext_password_provider_rest_auth_endpoint': '"http://matrix-ma1sd:8090"' when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' - name: Remove entire ma1sd configuration extension @@ -52,22 +47,13 @@ regexp: '^# Start ma1sd Extension# End ma1sd Extension' replace: '# Start ma1sd Extension\n# End ma1sd Extension' -- name: Insert ma1sd configuration extension header if using external LDAP/AD with ma1sd +- name: Insert/Update ma1sd configuration extension variables delegate_to: 127.0.0.1 - lineinfile: + blockinfile: path: '{{ awx_cached_matrix_vars }}' - line: "matrix_ma1sd_configuration_extension_yaml: |" + marker: "# {mark} ma1sd ANSIBLE MANAGED BLOCK" insertafter: '# Start ma1sd Extension' - when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' - -- name: Set ma1sd configuration extension if using external LDAP/AD with ma1sd - delegate_to: 127.0.0.1 - lineinfile: - path: '{{ awx_cached_matrix_vars }}' - insertbefore: '# End ma1sd Extension' - line: '{{ item }}' - with_items: "{{ ext_matrix_ma1sd_configuration_extension_yaml_parsed }}" - when: ext_matrix_ma1sd_auth_store == 'LDAP/AD' + block: '{{ ext_matrix_ma1sd_configuration_extension_yaml }}' - name: Record ma1sd Custom variables locally on AWX delegate_to: 127.0.0.1 @@ -79,6 +65,7 @@ with_dict: 'ext_matrix_ma1sd_auth_store': '{{ ext_matrix_ma1sd_auth_store }}' 'ext_matrix_ma1sd_configuration_extension_yaml': '{{ ext_matrix_ma1sd_configuration_extension_yaml.splitlines() | to_json }}' + no_log: True - name: Save new 'Configure ma1sd' survey.json to the AWX tower, template delegate_to: 127.0.0.1 diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index cd200f5f..53d78081 100755 --- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -154,17 +154,6 @@ with_items: "{{ ext_federation_whitelist_raw.splitlines() }}" when: ext_federation_whitelist_raw|length > 0 -- name: Record Synapse Custom variables locally on AWX - delegate_to: 127.0.0.1 - lineinfile: - path: '{{ awx_cached_matrix_vars }}' - regexp: "^#? *{{ item.key | regex_escape() }}:" - line: "{{ item.key }}: {{ item.value }}" - insertafter: '# Custom Settings Start' - with_dict: - 'ext_federation_whitelist_raw': '{{ ext_federation_whitelist_raw.splitlines() | to_json }}' - 'ext_url_preview_accept_language_default': '{{ ext_url_preview_accept_language_default.splitlines() | to_json }}' - - name: Set ext_recaptcha_public_key to a 'public-key' if undefined set_fact: ext_recaptcha_public_key="public-key" when: (ext_recaptcha_public_key is not defined) or (ext_recaptcha_public_key|length == 0) @@ -185,6 +174,20 @@ ' recaptcha_public_key': '{{ ext_recaptcha_public_key }}' ' recaptcha_private_key': '{{ ext_recaptcha_private_key }}' +- name: Record Synapse Custom variables locally on AWX + delegate_to: 127.0.0.1 + lineinfile: + path: '{{ awx_cached_matrix_vars }}' + regexp: "^#? *{{ item.key | regex_escape() }}:" + line: "{{ item.key }}: {{ item.value }}" + insertafter: '# Custom Settings Start' + with_dict: + 'ext_federation_whitelist_raw': '{{ ext_federation_whitelist_raw.splitlines() | to_json }}' + 'ext_url_preview_accept_language_default': '{{ ext_url_preview_accept_language_default.splitlines() | to_json }}' + 'ext_enable_registration_captcha': '{{ ext_enable_registration_captcha }}' + 'ext_recaptcha_public_key': '"{{ ext_recaptcha_public_key }}"' + 'ext_recaptcha_private_key': '"{{ ext_recaptcha_private_key }}"' + - name: Save new 'Configure Synapse' survey.json to the AWX tower, template delegate_to: 127.0.0.1 template: From 676101e9995d57d4c5311f3271ab233733cabec3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 28 Jul 2021 11:08:50 +0300 Subject: [PATCH 2360/2384] Minor fixups for ma1sd 2.5.0 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1171 --- group_vars/matrix_servers | 12 +----------- roles/matrix-ma1sd/defaults/main.yml | 4 +--- roles/matrix-ma1sd/tasks/validate_config.yml | 1 + 3 files changed, 3 insertions(+), 14 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 931207d2..349e1eba 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1117,17 +1117,7 @@ matrix_mailer_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. matrix_ma1sd_enabled: true -# There's no prebuilt ma1sd image for the `arm32` architecture. -# We're relying on self-building there. -matrix_ma1sd_architecture: "{{ - { - 'amd64': 'amd64', - 'arm32': 'arm32', - 'arm64': 'arm64', - }[matrix_architecture] -}}" - -matrix_ma1sd_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" +matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 036db4ca..f91189f5 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -7,11 +7,9 @@ matrix_ma1sd_container_image_self_build: false matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git" matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}" -matrix_ma1sd_architecture: "" - matrix_ma1sd_version: "2.5.0" -matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}" +matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}" matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index 4ca25e7e..4f80b154 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -28,6 +28,7 @@ - 'matrix_ma1sd_ldap_auth_filter' - 'matrix_ma1sd_ldap_directory_filter' - 'matrix_ma1sd_template_config' + - 'matrix_ma1sd_architecture' - name: Ensure ma1sd configuration does not contain any dot-notation keys fail: From 179775b92db59cdde6a87c9944cbe6e58d14acc3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 29 Jul 2021 18:51:22 +0300 Subject: [PATCH 2361/2384] Upgrade Synapse (1.38.1 -> 1.39.0) --- roles/matrix-synapse/defaults/main.yml | 4 +- .../templates/synapse/homeserver.yaml.j2 | 103 ------------------ 2 files changed, 2 insertions(+), 105 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 7b4d8f44..628ea431 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.38.1 -matrix_synapse_version_arm64: v1.38.1 +matrix_synapse_version: v1.39.0 +matrix_synapse_version_arm64: v1.39.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index f3d0734b..f184cc29 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1314,91 +1314,6 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json #auto_join_rooms_for_guests: false -## Account Validity ## - -# Optional account validity configuration. This allows for accounts to be denied -# any request after a given period. -# -# Once this feature is enabled, Synapse will look for registered users without an -# expiration date at startup and will add one to every account it found using the -# current settings at that time. -# This means that, if a validity period is set, and Synapse is restarted (it will -# then derive an expiration date from the current validity period), and some time -# after that the validity period changes and Synapse is restarted, the users' -# expiration dates won't be updated unless their account is manually renewed. This -# date will be randomly selected within a range [now + period - d ; now + period], -# where d is equal to 10% of the validity period. -# -account_validity: - # The account validity feature is disabled by default. Uncomment the - # following line to enable it. - # - #enabled: true - - # The period after which an account is valid after its registration. When - # renewing the account, its validity period will be extended by this amount - # of time. This parameter is required when using the account validity - # feature. - # - #period: 6w - - # The amount of time before an account's expiry date at which Synapse will - # send an email to the account's email address with a renewal link. By - # default, no such emails are sent. - # - # If you enable this setting, you will also need to fill out the 'email' and - # 'public_baseurl' configuration sections. - # - #renew_at: 1w - - # The subject of the email sent out with the renewal link. '%(app)s' can be - # used as a placeholder for the 'app_name' parameter from the 'email' - # section. - # - # Note that the placeholder must be written '%(app)s', including the - # trailing 's'. - # - # If this is not set, a default value is used. - # - #renew_email_subject: "Renew your %(app)s account" - - # Directory in which Synapse will try to find templates for the HTML files to - # serve to the user when trying to renew an account. If not set, default - # templates from within the Synapse package will be used. - # - # The currently available templates are: - # - # * account_renewed.html: Displayed to the user after they have successfully - # renewed their account. - # - # * account_previously_renewed.html: Displayed to the user if they attempt to - # renew their account with a token that is valid, but that has already - # been used. In this case the account is not renewed again. - # - # * invalid_token.html: Displayed to the user when they try to renew an account - # with an unknown or invalid renewal token. - # - # See https://github.com/matrix-org/synapse/tree/master/synapse/res/templates for - # default template contents. - # - # The file name of some of these templates can be configured below for legacy - # reasons. - # - #template_dir: "res/templates" - - # A custom file name for the 'account_renewed.html' template. - # - # If not set, the file is assumed to be named "account_renewed.html". - # - #account_renewed_html_path: "account_renewed.html" - - # A custom file name for the 'invalid_token.html' template. - # - # If not set, the file is assumed to be named "invalid_token.html". - # - #invalid_token_html_path: "invalid_token.html" - - ## Metrics ### # Enable collection and rendering of performance metrics @@ -2710,11 +2625,6 @@ stats: # #enabled: false - # The size of each timeslice in the room_stats_historical and - # user_stats_historical tables, as a time period. Defaults to "1d". - # - #bucket_size: 1h - # Server Notices room configuration # @@ -2807,19 +2717,6 @@ alias_creation_rules: {{ matrix_synapse_alias_creation_rules|to_json }} room_list_publication_rules: {{ matrix_synapse_room_list_publication_rules|to_json }} -# Server admins can define a Python module that implements extra rules for -# allowing or denying incoming events. In order to work, this module needs to -# override the methods defined in synapse/events/third_party_rules.py. -# -# This feature is designed to be used in closed federations only, where each -# participating server enforces the same rules. -# -#third_party_event_rules: -# module: "my_custom_project.SuperRulesSet" -# config: -# example_option: 'things' - - ## Opentracing ## # These settings enable opentracing, which implements distributed tracing. From dca876a8f064d00d8c6235d3eea231f931663483 Mon Sep 17 00:00:00 2001 From: 0xLAITH <61520996+0xLAITH@users.noreply.github.com> Date: Sun, 1 Aug 2021 19:34:54 +0000 Subject: [PATCH 2362/2384] Update howto-server-delegation.md The attached code for the "Serving the Federation API with your certificates and matrix-nginx-proxy" section suggests using the matrix. certificate for the federation API as opposed to the necessary certificate for the federation to work. This can cause some confusion to readers. --- docs/howto-server-delegation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index b89bd2f2..e9ca5bde 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md @@ -82,8 +82,8 @@ Based on your setup, you have different ways to go about it: # # NOTE: these are in-container paths. `/matrix/ssl` on the host is mounted into the container # at the same path (`/matrix/ssl`) by default, so if that's the path you need, it would be seamless. -matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: /matrix/ssl/config/live/matrix./fullchain.pem -matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/config/live/matrix./privkey.pem +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: /matrix/ssl/config/live//fullchain.pem +matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/config/live//privkey.pem ``` If your files are not in `/matrix/ssl` but in some other location, you would need to mount them into the container: From 519eef9e4b7c33948d070aa8eada3641d53cf911 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 2 Aug 2021 10:08:24 +0300 Subject: [PATCH 2363/2384] Remove unnecessary argument from Postgres import command The default of using the `matrix` database is better anyway. --- docs/importing-postgres.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index b905ba7b..84347b57 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -23,7 +23,7 @@ To import, run this command (make sure to replace ` Date: Wed, 4 Aug 2021 09:09:27 +0300 Subject: [PATCH 2364/2384] Upgrade Element (1.7.33 -> 1.7.34) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index 5cf2e5b0..dd649ffd 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.33 +matrix_client_element_version: v1.7.34 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From a68ac9cb4ff3a5f9da4e844ded4cfa3ebdb0b151 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 4 Aug 2021 14:44:47 +0300 Subject: [PATCH 2365/2384] Split install/uninstall tasks in matrix-email2matrix --- roles/matrix-email2matrix/tasks/main.yml | 10 ++- .../tasks/setup_email2matrix.yml | 88 ------------------- .../tasks/setup_install.yml | 39 ++++++++ .../tasks/setup_uninstall.yml | 35 ++++++++ 4 files changed, 82 insertions(+), 90 deletions(-) delete mode 100644 roles/matrix-email2matrix/tasks/setup_email2matrix.yml create mode 100644 roles/matrix-email2matrix/tasks/setup_install.yml create mode 100644 roles/matrix-email2matrix/tasks/setup_uninstall.yml diff --git a/roles/matrix-email2matrix/tasks/main.yml b/roles/matrix-email2matrix/tasks/main.yml index 23114673..77be7279 100644 --- a/roles/matrix-email2matrix/tasks/main.yml +++ b/roles/matrix-email2matrix/tasks/main.yml @@ -8,8 +8,14 @@ - setup-all - setup-email2matrix -- import_tasks: "{{ role_path }}/tasks/setup_email2matrix.yml" - when: run_setup|bool +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_email2matrix_enabled|bool" + tags: + - setup-all + - setup-email2matrix + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_email2matrix_enabled|bool" tags: - setup-all - setup-email2matrix diff --git a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml b/roles/matrix-email2matrix/tasks/setup_email2matrix.yml deleted file mode 100644 index d5fa73a5..00000000 --- a/roles/matrix-email2matrix/tasks/setup_email2matrix.yml +++ /dev/null @@ -1,88 +0,0 @@ ---- - -# -# Tasks related to setting up Email2Matrix -# - -- name: Ensure Email2Matrix paths exist - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_email2matrix_base_path }}" - - "{{ matrix_email2matrix_config_dir_path }}" - when: matrix_email2matrix_enabled|bool - -- name: Ensure Email2Matrix configuration file created - template: - src: "{{ role_path }}/templates/config.json.j2" - dest: "{{ matrix_email2matrix_config_dir_path }}/config.json" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - mode: 0640 - when: matrix_email2matrix_enabled|bool - -- name: Ensure Email2Matrix image is pulled - docker_image: - name: "{{ matrix_email2matrix_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_email2matrix_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_email2matrix_docker_image_force_pull }}" - when: matrix_email2matrix_enabled|bool - -- name: Ensure matrix-email2matrix.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-email2matrix.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-email2matrix.service" - mode: 0644 - register: matrix_email2matrix_systemd_service_result - when: matrix_email2matrix_enabled|bool - -- name: Ensure systemd reloaded after matrix-email2matrix.service installation - service: - daemon_reload: yes - when: "matrix_email2matrix_enabled|bool and matrix_email2matrix_systemd_service_result.changed" - -# -# Tasks related to getting rid of the Email2Matrix (if it was previously enabled) -# - -- name: Check existence of matrix-email2matrix service - stat: - path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" - register: matrix_email2matrix_service_stat - when: "not matrix_email2matrix_enabled|bool" - -- name: Ensure matrix-email2matrix is stopped - service: - name: matrix-email2matrix - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists" - -- name: Ensure matrix-email2matrix.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" - state: absent - when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-email2matrix.service removal - service: - daemon_reload: yes - when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists" - -- name: Ensure Email2Matrix data path doesn't exist - file: - path: "{{ matrix_email2matrix_base_path }}" - state: absent - when: "not matrix_email2matrix_enabled|bool" - -- name: Ensure Email2Matrix Docker image doesn't exist - docker_image: - name: "{{ matrix_email2matrix_docker_image }}" - state: absent - when: "not matrix_email2matrix_enabled|bool" diff --git a/roles/matrix-email2matrix/tasks/setup_install.yml b/roles/matrix-email2matrix/tasks/setup_install.yml new file mode 100644 index 00000000..a167911f --- /dev/null +++ b/roles/matrix-email2matrix/tasks/setup_install.yml @@ -0,0 +1,39 @@ +--- + +- name: Ensure Email2Matrix paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - "{{ matrix_email2matrix_base_path }}" + - "{{ matrix_email2matrix_config_dir_path }}" + +- name: Ensure Email2Matrix configuration file created + template: + src: "{{ role_path }}/templates/config.json.j2" + dest: "{{ matrix_email2matrix_config_dir_path }}/config.json" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + +- name: Ensure Email2Matrix image is pulled + docker_image: + name: "{{ matrix_email2matrix_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_email2matrix_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_email2matrix_docker_image_force_pull }}" + +- name: Ensure matrix-email2matrix.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-email2matrix.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-email2matrix.service" + mode: 0644 + register: matrix_email2matrix_systemd_service_result + +- name: Ensure systemd reloaded after matrix-email2matrix.service installation + service: + daemon_reload: yes + when: "matrix_email2matrix_systemd_service_result.changed|bool" diff --git a/roles/matrix-email2matrix/tasks/setup_uninstall.yml b/roles/matrix-email2matrix/tasks/setup_uninstall.yml new file mode 100644 index 00000000..b0b44cca --- /dev/null +++ b/roles/matrix-email2matrix/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-email2matrix service + stat: + path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" + register: matrix_email2matrix_service_stat + +- name: Ensure matrix-email2matrix is stopped + service: + name: matrix-email2matrix + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_email2matrix_service_stat.stat.exists|bool" + +- name: Ensure matrix-email2matrix.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-email2matrix.service" + state: absent + when: "matrix_email2matrix_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-email2matrix.service removal + service: + daemon_reload: yes + when: "matrix_email2matrix_service_stat.stat.exists|bool" + +- name: Ensure Email2Matrix data path doesn't exist + file: + path: "{{ matrix_email2matrix_base_path }}" + state: absent + +- name: Ensure Email2Matrix Docker image doesn't exist + docker_image: + name: "{{ matrix_email2matrix_docker_image }}" + state: absent From 2697590d28c71dfba644b5de8e2141fbd8d00496 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 4 Aug 2021 14:51:15 +0300 Subject: [PATCH 2366/2384] Remove some useless if conditions --- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 8 ++++---- .../tasks/setup_install.yml | 6 +++--- .../tasks/setup_install.yml | 12 ++++++------ 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 4cfbde9e..4f98635d 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml @@ -40,7 +40,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_facebook_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_docker_image_force_pull }}" - when: matrix_mautrix_facebook_enabled|bool and not matrix_mautrix_facebook_container_image_self_build + when: not matrix_mautrix_facebook_container_image_self_build - name: Ensure Mautrix Facebook paths exist file: @@ -63,7 +63,7 @@ # version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" register: matrix_mautrix_facebook_git_pull_results - when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build" + when: "matrix_mautrix_facebook_container_image_self_build|bool" - name: Ensure Mautrix Facebook Docker image is built docker_image: @@ -75,7 +75,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_facebook_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build|bool" + when: "matrix_mautrix_facebook_container_image_self_build|bool" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml index 14ae255f..d5373134 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml @@ -40,7 +40,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_hangouts_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_hangouts_docker_image_force_pull }}" - when: matrix_mautrix_hangouts_enabled|bool and not matrix_mautrix_hangouts_container_image_self_build + when: not matrix_mautrix_hangouts_container_image_self_build - name: Ensure Mautrix Hangouts paths exist file: @@ -54,7 +54,7 @@ - { path: "{{ matrix_mautrix_hangouts_config_path }}", when: true } - { path: "{{ matrix_mautrix_hangouts_data_path }}", when: true } - { path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}", when: "{{ matrix_mautrix_hangouts_container_image_self_build }}" } - when: matrix_mautrix_hangouts_enabled|bool and item.when|bool + when: "item.when|bool" - name: Ensure Mautrix Hangots repository is present on self build git: @@ -62,7 +62,7 @@ dest: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" force: "yes" register: matrix_mautrix_hangouts_git_pull_results - when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build|bool" + when: "matrix_mautrix_hangouts_container_image_self_build|bool" - name: Ensure Mautrix Hangouts Docker image is built docker_image: @@ -74,7 +74,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build|bool" + when: "matrix_mautrix_hangouts_container_image_self_build|bool" - name: Check if an old database file already exists stat: diff --git a/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml index 60474230..38a7f62e 100644 --- a/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml @@ -13,7 +13,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_instagram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_instagram_docker_image_force_pull }}" - when: matrix_mautrix_instagram_enabled|bool and not matrix_mautrix_instagram_container_image_self_build + when: not matrix_mautrix_instagram_container_image_self_build - name: Ensure Mautrix instagram paths exist file: @@ -38,7 +38,7 @@ dest: "{{ matrix_mautrix_instagram_docker_src_files_path }}" force: "yes" register: matrix_mautrix_instagram_git_pull_results - when: "matrix_mautrix_instagram_enabled|bool and matrix_mautrix_instagram_container_image_self_build" + when: "matrix_mautrix_instagram_container_image_self_build|bool" - name: Ensure Mautrix instagram Docker image is built docker_image: @@ -50,7 +50,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_instagram_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_instagram_enabled|bool and matrix_mautrix_instagram_container_image_self_build|bool" + when: "matrix_mautrix_instagram_container_image_self_build|bool" - name: Ensure mautrix-instagram config.yaml installed copy: diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index 55109257..88710868 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -14,7 +14,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" - when: "matrix_mautrix_signal_enabled|bool and not matrix_mautrix_signal_container_self_build|bool" + when: "not matrix_mautrix_signal_container_self_build|bool" - name: Ensure Mautrix Signal repository is present on self-build @@ -23,7 +23,7 @@ dest: "{{ matrix_mautrix_signal_docker_src_files_path }}" force: "yes" register: matrix_mautrix_signal_git_pull_results - when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_container_self_build|bool" + when: "matrix_mautrix_signal_container_self_build|bool" - name: Ensure Mautrix Signal image is built docker_image: @@ -35,8 +35,8 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_container_self_build|bool" - + when: "matrix_mautrix_signal_container_self_build|bool" + - name: Ensure Mautrix Signal Daemon image is pulled docker_image: @@ -53,7 +53,7 @@ dest: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" force: "yes" register: matrix_mautrix_signal_daemon_git_pull_results - when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_daemon_container_self_build|bool" + when: "matrix_mautrix_signal_daemon_container_self_build|bool" - name: Ensure Mautrix Signal Daemon image is built docker_image: @@ -65,7 +65,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_signal_enabled|bool and matrix_mautrix_signal_daemon_container_self_build|bool" + when: "matrix_mautrix_signal_daemon_container_self_build|bool" - name: Ensure Mautrix Signal paths exist file: From 421f85defa089cee619ac779d6f558f3b754cf86 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 4 Aug 2021 15:03:45 +0300 Subject: [PATCH 2367/2384] Add self-building support to matrix-email2matrix --- docs/self-building.md | 1 + group_vars/matrix_servers | 2 ++ roles/matrix-email2matrix/defaults/main.yml | 8 +++++- .../tasks/setup_install.yml | 28 +++++++++++++++++-- 4 files changed, 36 insertions(+), 3 deletions(-) diff --git a/docs/self-building.md b/docs/self-building.md index 3ab743f0..61f05c48 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -29,6 +29,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-bridge-mx-puppet-skype` - `matrix-bot-mjolnir` - `matrix-bot-matrix-reminder-bot` +- `matrix-email2matrix` Adding self-building support to other roles is welcome. Feel free to contribute! diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a2ccd3f1..cc45042d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1037,6 +1037,8 @@ matrix_dynamic_dns_enabled: false matrix_email2matrix_enabled: false +matrix_email2matrix_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + ###################################################################### # # /matrix-email2matrix diff --git a/roles/matrix-email2matrix/defaults/main.yml b/roles/matrix-email2matrix/defaults/main.yml index e6bfa0fe..3dfabc1a 100644 --- a/roles/matrix-email2matrix/defaults/main.yml +++ b/roles/matrix-email2matrix/defaults/main.yml @@ -2,9 +2,15 @@ matrix_email2matrix_enabled: true matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix" matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config" +matrix_email2matrix_docker_src_files_path: "{{ matrix_email2matrix_base_path }}/docker-src" + +matrix_email2matrix_container_image_self_build: false +matrix_email2matrix_container_image_self_build_repo: "https://github.com/devture/email2matrix.git" +matrix_email2matrix_container_image_self_build_branch: "{{ matrix_email2matrix_version }}" matrix_email2matrix_version: 1.0.1 -matrix_email2matrix_docker_image: "{{ matrix_container_global_registry_prefix }}devture/email2matrix:{{ matrix_email2matrix_version }}" +matrix_email2matrix_docker_image_prefix: "{{ 'localhost/' if matrix_email2matrix_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_email2matrix_docker_image: "{{ matrix_email2matrix_docker_image_prefix }}devture/email2matrix:{{ matrix_email2matrix_version }}" matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-email2matrix/tasks/setup_install.yml b/roles/matrix-email2matrix/tasks/setup_install.yml index a167911f..67e4ea5d 100644 --- a/roles/matrix-email2matrix/tasks/setup_install.yml +++ b/roles/matrix-email2matrix/tasks/setup_install.yml @@ -8,8 +8,10 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - "{{ matrix_email2matrix_base_path }}" - - "{{ matrix_email2matrix_config_dir_path }}" + - { path: "{{ matrix_email2matrix_base_path }}", when: true } + - { path: "{{ matrix_email2matrix_config_dir_path }}", when: true } + - { path: "{{ matrix_email2matrix_docker_src_files_path }}", when: "{{ matrix_email2matrix_container_image_self_build }}"} + when: "item.when|bool" - name: Ensure Email2Matrix configuration file created template: @@ -25,6 +27,28 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_email2matrix_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_email2matrix_docker_image_force_pull }}" + when: "not matrix_email2matrix_container_image_self_build|bool" + +- name: Ensure Email2Matrix repository is present on self-build + git: + repo: "{{ matrix_email2matrix_container_image_self_build_repo }}" + dest: "{{ matrix_email2matrix_docker_src_files_path }}" + version: "{{ matrix_email2matrix_container_image_self_build_branch }}" + force: "yes" + register: matrix_email2matrix_git_pull_results + when: "matrix_email2matrix_container_image_self_build|bool" + +- name: Ensure Email2Matrix Docker image is built + docker_image: + name: "{{ matrix_email2matrix_docker_image }}" + source: build + force_source: "{{ matrix_email2matrix_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_email2matrix_git_pull_results.changed }}" + build: + dockerfile: etc/docker/Dockerfile + path: "{{ matrix_email2matrix_docker_src_files_path }}" + pull: yes + when: "matrix_email2matrix_container_image_self_build|bool" - name: Ensure matrix-email2matrix.service installed template: From 23006fd64e1e3a3c9e6d0486e66ec2c9b550d383 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 4 Aug 2021 17:59:49 +0300 Subject: [PATCH 2368/2384] Fix email2matrix path initialization Regression since 421f85defa089cee --- roles/matrix-email2matrix/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-email2matrix/tasks/setup_install.yml b/roles/matrix-email2matrix/tasks/setup_install.yml index 67e4ea5d..7805c2c1 100644 --- a/roles/matrix-email2matrix/tasks/setup_install.yml +++ b/roles/matrix-email2matrix/tasks/setup_install.yml @@ -2,7 +2,7 @@ - name: Ensure Email2Matrix paths exist file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" From f3aae70f70df2bde966f9472008963963377d36f Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 7 Aug 2021 02:47:51 -0500 Subject: [PATCH 2369/2384] Upgrade Hydrogen (0.2.3 -> 0.2.5) --- roles/matrix-client-hydrogen/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-hydrogen/defaults/main.yml b/roles/matrix-client-hydrogen/defaults/main.yml index e4adb8c0..3cc1df2a 100644 --- a/roles/matrix-client-hydrogen/defaults/main.yml +++ b/roles/matrix-client-hydrogen/defaults/main.yml @@ -5,7 +5,7 @@ matrix_client_hydrogen_enabled: true matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" -matrix_client_hydrogen_version: v0.2.3 +matrix_client_hydrogen_version: v0.2.5 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" From d2a1b8b13478680f89a16e719860e39fda5a5369 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 7 Aug 2021 15:47:24 +0200 Subject: [PATCH 2370/2384] whatsapp bridge has new docker image location See https://github.com/mautrix/whatsapp/releases/tag/v0.1.8 --- roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml index f8ae7d87..41bfb8be 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -5,7 +5,7 @@ matrix_mautrix_whatsapp_enabled: true matrix_mautrix_whatsapp_version: latest # See: https://mau.dev/tulir/mautrix-whatsapp/container_registry -matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/tulir/mautrix-whatsapp:{{ matrix_mautrix_whatsapp_version }}" +matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" matrix_mautrix_whatsapp_docker_image_force_pull: "{{ matrix_mautrix_whatsapp_docker_image.endswith(':latest') }}" matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp" From d11d6f52ae06d40d8d023a9b4a7b2e785e5f7c1a Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Mon, 9 Aug 2021 10:57:45 +0200 Subject: [PATCH 2371/2384] Update IRC appservice https://github.com/matrix-org/matrix-appservice-irc/releases/tag/0.29.0 --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index c351bafa..7ed9ee89 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_version: release-0.27.0 +matrix_appservice_irc_version: release-0.29.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From 6ecfbe98b1c47337be8dfa64fc361d20fa77438b Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Mon, 9 Aug 2021 11:19:12 +0200 Subject: [PATCH 2372/2384] New version of Mautrix Signal bridge version 0.2.0 provided through new GitLab repository location --- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 7ff450d9..8ff2fbb6 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -1,16 +1,16 @@ # mautrix-signal is a Matrix <-> Signal bridge -# See: https://github.com/tulir/mautrix-signal +# See: https://github.com/mautrix/signal matrix_mautrix_signal_enabled: true matrix_mautrix_signal_container_self_build: false -matrix_mautrix_signal_docker_repo: "https://mau.dev/tulir/mautrix-signal.git" +matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git" matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src" matrix_mautrix_signal_version: latest matrix_mautrix_signal_daemon_version: latest -# See: https://mau.dev/tulir/mautrix-signal/container_registry -matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:{{ matrix_mautrix_signal_version }}" +# See: https://mau.dev/mautrix/signal/container_registry +matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}" matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" matrix_mautrix_signal_daemon_container_self_build: false From 24589b91f4822fd082f3563da21ccab263b1cd75 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 9 Aug 2021 19:01:51 +0200 Subject: [PATCH 2373/2384] irc appservice image tag has a 'v' now --- roles/matrix-bridge-appservice-irc/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 7ed9ee89..b0f27e65 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -7,7 +7,7 @@ matrix_appservice_irc_container_self_build: false matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" -matrix_appservice_irc_version: release-0.29.0 +matrix_appservice_irc_version: release-v0.29.0 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" From bfb61e776e817b2219d26b195291ead5d4fd0344 Mon Sep 17 00:00:00 2001 From: Michael Collins Date: Tue, 10 Aug 2021 12:58:10 +0800 Subject: [PATCH 2374/2384] GMH v0.5.7... maybe! --- roles/matrix-common-after/tasks/awx_post.yml | 6 ------ roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 4 ++-- .../templates/nginx/conf.d/matrix-base-domain.conf.j2 | 4 ++++ 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index 1e194046..ef12a867 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -62,9 +62,3 @@ group: matrix mode: '0574' when: customise_base_domain_website is defined - -- name: Ensure erroneous /chroot/website/matrix-domain location doesn't exist - file: - path: /chroot/website/matrix-domain - state: absent - when: customise_base_domain_website is defined diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 1d59f567..2f36945d 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -127,7 +127,7 @@ mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_nginx_proxy_base_domain_serving_enabled|bool + when: matrix_nginx_proxy_base_domain_serving_enabled|bool and not matrix_awx_enabled|bool - name: Ensure Matrix nginx-proxy homepage for base domain exists copy: @@ -136,7 +136,7 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool + when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool and not matrix_awx_enabled|bool - name: Ensure Matrix nginx-proxy configuration for base domain exists template: diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index fc567aa3..a88c6685 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -1,7 +1,11 @@ #jinja2: lstrip_blocks: "True" {% macro render_vhost_directives() %} +{% if matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled %} + root {{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}; +{% else %} root {{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-domain; +{% endif %} gzip on; gzip_types text/plain application/json; From 2469ada5204151960365dddf995db7039718c78d Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Tue, 10 Aug 2021 15:32:07 +0200 Subject: [PATCH 2375/2384] Update Synapse (1.39.0 -> 1.40.0) --- roles/matrix-synapse/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 628ea431..d8a93b05 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # amd64 gets released first. # arm32 relies on self-building, so the same version can be built immediately. # arm64 users need to wait for a prebuilt image to become available. -matrix_synapse_version: v1.39.0 -matrix_synapse_version_arm64: v1.39.0 +matrix_synapse_version: v1.40.0 +matrix_synapse_version_arm64: v1.40.0 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" From 05ad62038612aac0299d503546f922a65e16e545 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 10 Aug 2021 17:36:39 +0300 Subject: [PATCH 2376/2384] Update homeserver.yaml to keep up with Synapse v1.40.0 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1225 --- .../templates/synapse/homeserver.yaml.j2 | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index f184cc29..8f0f2eb9 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -732,6 +732,48 @@ caches: ## Database ## +# The 'database' setting defines the database that synapse uses to store all of +# its data. +# +# 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or +# 'psycopg2' (for PostgreSQL). +# +# 'txn_limit' gives the maximum number of transactions to run per connection +# before reconnecting. Defaults to 0, which means no limit. +# +# 'args' gives options which are passed through to the database engine, +# except for options starting 'cp_', which are used to configure the Twisted +# connection pool. For a reference to valid arguments, see: +# * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect +# * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS +# * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ +# +# +# Example SQLite configuration: +# +#database: +# name: sqlite3 +# args: +# database: /path/to/homeserver.db +# +# +# Example Postgres configuration: +# +#database: +# name: psycopg2 +# txn_limit: 10000 +# args: +# user: synapse_user +# password: secretpassword +# database: synapse +# host: localhost +# port: 5432 +# cp_min: 5 +# cp_max: 10 +# +# For more information on using Synapse with Postgres, +# see https://matrix-org.github.io/synapse/latest/postgres.html. +# database: # The database engine name name: "psycopg2" From bce94c5860d645862eb148cfd3788d0f389a7d93 Mon Sep 17 00:00:00 2001 From: Toni Spets Date: Tue, 10 Aug 2021 21:09:28 +0300 Subject: [PATCH 2377/2384] Allow configuring synapse database transaction limit --- roles/matrix-synapse/defaults/main.yml | 1 + roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index d8a93b05..83d2e51d 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -453,6 +453,7 @@ matrix_synapse_replication_http_port: 9093 matrix_synapse_sentry_dsn: "" # Postgres database information +matrix_synapse_database_txn_limit: 0 matrix_synapse_database_host: "matrix-postgres" matrix_synapse_database_port: 5432 matrix_synapse_database_user: "synapse" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 8f0f2eb9..4fd258f1 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -777,6 +777,7 @@ caches: database: # The database engine name name: "psycopg2" + txn_limit: {{ matrix_synapse_database_txn_limit }} args: user: {{ matrix_synapse_database_user|string|to_json }} password: {{ matrix_synapse_database_password|string|to_json }} From 8238d65e5f44d5bd70f860d1e4b189c366ce97d3 Mon Sep 17 00:00:00 2001 From: Michael Collins Date: Wed, 11 Aug 2021 14:19:19 +0800 Subject: [PATCH 2378/2384] simplify template conditional --- .../templates/nginx/conf.d/matrix-base-domain.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index a88c6685..78e8a632 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -2,7 +2,7 @@ {% macro render_vhost_directives() %} {% if matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled %} - root {{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}; + root {{ matrix_nginx_proxy_data_path_in_container }}; {% else %} root {{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-domain; {% endif %} From 2e30802b87428b4da7afe282a202efa9c0af7691 Mon Sep 17 00:00:00 2001 From: Michael Collins Date: Wed, 11 Aug 2021 15:21:09 +0800 Subject: [PATCH 2379/2384] use group variables instead --- group_vars/matrix_servers | 1 + roles/matrix-nginx-proxy/defaults/main.yml | 1 + .../templates/nginx/conf.d/matrix-base-domain.conf.j2 | 6 +----- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index cc45042d..667d5a88 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -41,6 +41,7 @@ matrix_awx_enabled: false matrix_nginx_proxy_data_path: "{{ '/chroot/website' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else (matrix_nginx_proxy_base_path + '/data') }}" matrix_nginx_proxy_data_path_in_container: "{{ '/nginx-data/matrix-domain' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/nginx-data' }}" +matrix_nginx_proxy_data_path_extension: "{{ '' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/matrix-domain' }}" ###################################################################### # diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 59dddafb..d8c37806 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -10,6 +10,7 @@ matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image. matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data" matrix_nginx_proxy_data_path_in_container: "/nginx-data" +matrix_nginx_proxy_data_path_extension: "/matrix_domain" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d" # List of systemd services that matrix-nginx-proxy.service depends on diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 78e8a632..b0294283 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -1,11 +1,7 @@ #jinja2: lstrip_blocks: "True" {% macro render_vhost_directives() %} -{% if matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled %} - root {{ matrix_nginx_proxy_data_path_in_container }}; -{% else %} - root {{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-domain; -{% endif %} + root {{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}{{ matrix_nginx_proxy_data_path_extension }}; gzip on; gzip_types text/plain application/json; From 4d57a41b3f6123a06562fdf20cf8451ea48c0897 Mon Sep 17 00:00:00 2001 From: Michael Collins Date: Wed, 11 Aug 2021 17:18:57 +0800 Subject: [PATCH 2380/2384] remove matrix_awx_enabled from these --- group_vars/matrix_servers | 1 + roles/matrix-nginx-proxy/defaults/main.yml | 3 +++ roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml | 4 ++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 667d5a88..a4e00d41 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -42,6 +42,7 @@ matrix_awx_enabled: false matrix_nginx_proxy_data_path: "{{ '/chroot/website' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else (matrix_nginx_proxy_base_path + '/data') }}" matrix_nginx_proxy_data_path_in_container: "{{ '/nginx-data/matrix-domain' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/nginx-data' }}" matrix_nginx_proxy_data_path_extension: "{{ '' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/matrix-domain' }}" +matrix_nginx_proxy_base_domain_create_directory: "{{ false if matrix_awx_enabled else true }}" ###################################################################### # diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index d8c37806..87cbcde1 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -76,6 +76,9 @@ matrix_nginx_proxy_container_federation_host_bind_port: '8448' # in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory. matrix_nginx_proxy_base_domain_serving_enabled: false +# Controls whether the base domain directory and default index.html file are created. +matrix_nginx_proxy_base_domain_create_directory: true + matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}" # Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file diff --git a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 2f36945d..149fadab 100644 --- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -127,7 +127,7 @@ mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_nginx_proxy_base_domain_serving_enabled|bool and not matrix_awx_enabled|bool + when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_create_directory|bool - name: Ensure Matrix nginx-proxy homepage for base domain exists copy: @@ -136,7 +136,7 @@ mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool and not matrix_awx_enabled|bool + when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool and matrix_nginx_proxy_base_domain_create_directory|bool - name: Ensure Matrix nginx-proxy configuration for base domain exists template: From 4c12c1892ca9e153d015a13354f806ae8801659f Mon Sep 17 00:00:00 2001 From: Michael Collins Date: Wed, 11 Aug 2021 17:32:38 +0800 Subject: [PATCH 2381/2384] use saner folder permissions --- roles/matrix-awx/tasks/customise_website_access_export.yml | 2 +- roles/matrix-common-after/tasks/awx_post.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-awx/tasks/customise_website_access_export.yml b/roles/matrix-awx/tasks/customise_website_access_export.yml index 29019766..d4f48f42 100755 --- a/roles/matrix-awx/tasks/customise_website_access_export.yml +++ b/roles/matrix-awx/tasks/customise_website_access_export.yml @@ -176,7 +176,7 @@ state: directory owner: matrix group: matrix - mode: '0574' + mode: '0770' when: customise_base_domain_website is defined - name: Ensure /chroot/export location exists diff --git a/roles/matrix-common-after/tasks/awx_post.yml b/roles/matrix-common-after/tasks/awx_post.yml index ef12a867..b934104b 100644 --- a/roles/matrix-common-after/tasks/awx_post.yml +++ b/roles/matrix-common-after/tasks/awx_post.yml @@ -60,5 +60,5 @@ state: directory owner: matrix group: matrix - mode: '0574' + mode: '0770' when: customise_base_domain_website is defined From e90b33c4e38e68b9001a54330029dafb4b27b3c3 Mon Sep 17 00:00:00 2001 From: Jaffex <31133207+Jaffex@users.noreply.github.com> Date: Thu, 12 Aug 2021 12:43:12 +0200 Subject: [PATCH 2382/2384] Update matrix-mautrix-signal config to 0.2.0 to enable relay mode --- .../templates/config.yaml.j2 | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index ca5060a7..d4f64c79 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -9,6 +9,12 @@ homeserver: # Only applies if address starts with https:// verify_ssl: true asmux: false + # Number of retries for all HTTP requests if the homeserver isn't reachable. + http_retry_count: 4 + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null # Application service host/registration related details # Changing these values requires regeneration of the registration. @@ -80,6 +86,9 @@ signal: avatar_dir: /signald/avatars # Directory where signald stores auth data. Used to delete data when logging out. data_dir: /signald/data + # Whether or not unknown signald accounts should be deleted when the bridge is started. + # When this is enabled, any UserInUse errors should be resolved by restarting the bridge. + delete_unknown_accounts_on_start: false # Whether or not message attachments should be removed from disk after they're bridged. remove_file_after_handling: true @@ -164,12 +173,15 @@ bridge: # This field will automatically be changed back to false after it, # except if the config file is not writable. resend_bridge_info: false + # Interval at which to resync contacts. + periodic_sync: 0 # The prefix for commands. Only required in non-management rooms. command_prefix: "!signal" # Permissions for using the bridge. # Permitted values: + # relay - Allowed to be relayed through the bridge, no access to commands. # user - Use the bridge with puppeting. # admin - Use and administrate the bridge. # Permitted keys: @@ -177,8 +189,30 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: + '{{ matrix_mautrix_signal_homeserver_domain }}': relay '{{ matrix_mautrix_signal_homeserver_domain }}': user + relay: + # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any + # authenticated user into a relaybot for that chat. + enabled: true + # The formats to use when sending messages to Signal via a relay user. + # + # Available variables: + # $sender_displayname - The display name of the sender (e.g. Example User) + # $sender_username - The username (Matrix ID localpart) of the sender (e.g. exampleuser) + # $sender_mxid - The Matrix ID of the sender (e.g. @exampleuser:example.com) + # $message - The message content + message_formats: + m.text: '$sender_displayname: $message' + m.notice: '$sender_displayname: $message' + m.emote: '* $sender_displayname $message' + m.file: '$sender_displayname sent a file' + m.image: '$sender_displayname sent an image' + m.audio: '$sender_displayname sent an audio file' + m.video: '$sender_displayname sent a video' + m.location: '$sender_displayname sent a location' + # Python logging configuration. # From 46340fdf63de3ca28fc731f2fbbc3936d0e03c43 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 15 Aug 2021 08:45:21 +0300 Subject: [PATCH 2383/2384] Simplify if condition --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a4e00d41..a8e39282 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -42,7 +42,7 @@ matrix_awx_enabled: false matrix_nginx_proxy_data_path: "{{ '/chroot/website' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else (matrix_nginx_proxy_base_path + '/data') }}" matrix_nginx_proxy_data_path_in_container: "{{ '/nginx-data/matrix-domain' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/nginx-data' }}" matrix_nginx_proxy_data_path_extension: "{{ '' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/matrix-domain' }}" -matrix_nginx_proxy_base_domain_create_directory: "{{ false if matrix_awx_enabled else true }}" +matrix_nginx_proxy_base_domain_create_directory: "{{ not matrix_awx_enabled }}" ###################################################################### # From 70d412e5236c3fd0a8928bf0d4a05eabcfdeb08b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 16 Aug 2021 18:10:15 +0300 Subject: [PATCH 2384/2384] Upgrade Element (1.7.34 -> 1.8.0) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index dd649ffd..fc1f40bc 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_version: v1.7.34 +matrix_client_element_version: v1.8.0 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"